Azure Resources API (v4) internal tests

extension.bundle.ts

@@ -18,10 +18,12 @@ export { LocationListStep } from '@microsoft/vscode-azext-azureutils';
 export * from '@microsoft/vscode-azext-utils';
 export * from './api/src/AzExtResourceType';
 // export * from './api/src';
-export * from './api/src/extensionApi';
+export * from './api/src/auth/credentialManager/AzExtCredentialManager';
+export * from './api/src/auth/credentialManager/AzExtUUIDCredentialManager';
 export * from './api/src/resources/azure';
 export * from './api/src/resources/base';
 export * from './api/src/resources/workspace';
+export { apiUtils, AzureExtensionApi } from './api/src/utils/apiUtils';
 export * from './api/src/utils/getApi';
 export * from './api/src/utils/wrapper';
 export { convertV1TreeItemId } from './src/api/compatibility/CompatibleAzExtTreeDataProvider';
@@ -34,6 +36,8 @@ export { createResourceGroup } from './src/commands/createResourceGroup';
 export * from './src/commands/deleteResourceGroup/v2/deleteResourceGroupV2';
 export { activate, deactivate } from './src/extension';
 // Export for testing only - not part of public API
+export * from './api/src/extensionApi';
+export * from './src/api/auth/createAzureResourcesAuthApiFactory';
 export { AuthAccountStateManager, getAuthAccountStateManager } from './src/exportAuthRecord';
 export * from './src/extensionVariables';
 export * from './src/hostapi.v2.internal';

src/api/auth/authApiInternal.ts

@@ -27,7 +27,8 @@ export async function createAzureResourcesApiSessionInternal(context: IActionCon
 
     try {
         const clientApi = await apiUtils.getAzureExtensionApi(ext.context, clientExtensionId, clientExtensionVersion);
-        await clientApi.receiveAzureResourcesApiSession?.(await credentialManager.createCredential(clientExtensionId), clientExtensionCredential);
+        const azureResourcesCredential: string = await credentialManager.createCredential(clientExtensionId);
+        await clientApi.receiveAzureResourcesApiSession?.(azureResourcesCredential, clientExtensionCredential);
     } catch (err) {
         const failed: string = localize('createResourcesApiSession.failed', 'Failed to create Azure Resources API session for extension "{0}".', clientExtensionId);
         ext.outputChannel.error(failed);

src/api/auth/createAzureResourcesAuthApiFactory.ts

@@ -5,15 +5,12 @@
 
 import { apiUtils, AzureExtensionApiFactory, callWithTelemetryAndErrorHandling, GetApiOptions, IActionContext } from '@microsoft/vscode-azext-utils';
 import { AzExtCredentialManager } from '../../../api/src/auth/credentialManager/AzExtCredentialManager';
-import { AzExtUUIDCredentialManager } from '../../../api/src/auth/credentialManager/AzExtUUIDCredentialManager';
 import { AzureResourcesAuthApiInternal } from '../../hostapi.v4.internal';
 import { createAzureResourcesApiSessionInternal, getApiVerifyError, verifyAzureResourcesApiSessionInternal } from './authApiInternal';
 
 const v4: string = '4.0.0';
 
-export function createAzureResourcesAuthApiFactory(coreApiProvider: apiUtils.AzureExtensionApiProvider): AzureExtensionApiFactory<AzureResourcesAuthApiInternal> {
-    const credentialManager: AzExtCredentialManager = new AzExtUUIDCredentialManager();
-
+export function createAzureResourcesAuthApiFactory(credentialManager: AzExtCredentialManager, coreApiProvider: apiUtils.AzureExtensionApiProvider): AzureExtensionApiFactory<AzureResourcesAuthApiInternal> {
     return {
         apiVersion: v4,
         createApi: (options?: GetApiOptions) => {

src/extension.ts

@@ -11,6 +11,8 @@ import { AzureSubscription } from 'api/src';
 import { GetApiOptions, apiUtils } from 'api/src/utils/apiUtils';
 import * as vscode from 'vscode';
 import { AzExtResourceType } from '../api/src/AzExtResourceType';
+import { AzExtCredentialManager } from '../api/src/auth/credentialManager/AzExtCredentialManager';
+import { AzExtUUIDCredentialManager } from '../api/src/auth/credentialManager/AzExtUUIDCredentialManager';
 import { DefaultAzureResourceProvider } from './api/DefaultAzureResourceProvider';
 import { ResourceGroupsExtensionManager } from './api/ResourceGroupsExtensionManager';
 import { ActivityLogResourceProviderManager, AzureResourceProviderManager, TenantResourceProviderManager, WorkspaceResourceProviderManager } from './api/ResourceProviderManagers';
@@ -264,6 +266,8 @@ export async function activate(context: vscode.ExtensionContext, perfStats: { lo
         v3ApiFactory,
     ]);
 
+    const credentialManager: AzExtCredentialManager = new AzExtUUIDCredentialManager();
+
     return createApiProvider(
         [
             // Todo: Remove once extension clients finish migrating
@@ -272,7 +276,7 @@ export async function activate(context: vscode.ExtensionContext, perfStats: { lo
             v3ApiFactory,
 
             // This will eventually be the only part of the API exposed publically
-            createAzureResourcesAuthApiFactory(coreApiProvider),
+            createAzureResourcesAuthApiFactory(credentialManager, coreApiProvider),
         ]
     );
 }

test/api/auth/MockUUIDCredentialManager.ts

@@ -0,0 +1,38 @@
+/*---------------------------------------------------------------------------------------------
+*  Copyright (c) Microsoft Corporation. All rights reserved.
+*  Licensed under the MIT License. See License.txt in the project root for license information.
+*--------------------------------------------------------------------------------------------*/
+
+import { AzExtCredentialManager, maskValue } from "../../../extension.bundle";
+
+/**
+ * A mock credential manager with the same implementation as `AzExtUUIDCredentialManager`,
+ * but with a public getter to inspect the UUIDs during test.
+ */
+export class MockUUIDCredentialManager implements AzExtCredentialManager {
+    #uuidMap: Map<string, string> = new Map();
+
+    get uuidMap() {
+        return this.#uuidMap;
+    }
+
+    createCredential(extensionId: string): string {
+        const uuid: string = crypto.randomUUID();
+        this.#uuidMap.set(extensionId, uuid);
+        return uuid;
+    }
+
+    verifyCredential(credential: string, extensionId: string): boolean {
+        if (!credential || !extensionId) {
+            return false;
+        }
+        return credential === this.#uuidMap.get(extensionId);
+    }
+
+    maskCredentials(data: string): string {
+        for (const uuid of this.#uuidMap.values()) {
+            data = maskValue(data, uuid);
+        }
+        return data;
+    }
+}

test/api/auth/mockApiProvider.ts

@@ -0,0 +1,25 @@
+/*---------------------------------------------------------------------------------------------
+*  Copyright (c) Microsoft Corporation. All rights reserved.
+*  Licensed under the MIT License. See License.txt in the project root for license information.
+*--------------------------------------------------------------------------------------------*/
+
+import { apiUtils, AzureExtensionApi, AzureExtensionApiFactory, createApiProvider, GetApiOptions } from "../../../extension.bundle";
+
+/**
+ * Creates a mock API provider with API factories matching the versions provided.
+ * Only the values required by the interface will be implemented.
+ */
+export function createMockApiProvider(versions: string[]): apiUtils.AzureExtensionApiProvider {
+    const apiFactories: AzureExtensionApiFactory<AzureExtensionApi>[] = versions.map(version => {
+        return {
+            apiVersion: version,
+            createApi: (_options?: GetApiOptions) => {
+                return {
+                    apiVersion: version,
+                };
+            },
+        };
+    });
+
+    return createApiProvider(apiFactories);
+}

test/api/auth/v4.test.ts

@@ -0,0 +1,109 @@
+/*---------------------------------------------------------------------------------------------
+*  Copyright (c) Microsoft Corporation. All rights reserved.
+*  Licensed under the MIT License. See License.txt in the project root for license information.
+*--------------------------------------------------------------------------------------------*/
+
+import * as assert from "assert";
+import { apiUtils, AzExtCredentialManager, AzureResourcesExtensionAuthApi, createAzureResourcesAuthApiFactory, nonNullValue, parseError } from "../../../extension.bundle";
+import { assertThrowsAsync } from "../../wrapFunctionsInTelemetry.test";
+import { MockUUIDCredentialManager } from "./MockUUIDCredentialManager";
+import { createMockApiProvider } from "./mockApiProvider";
+
+const extensionId: string = 'ms-azuretools.vscode-azureresourcegroups';
+const extensionVersion: string = '^4.0.0';
+const coreApiVersions: string[] = ['0.0.1', '2.0.0', '3.0.0'];
+
+suite('v4 API auth tests', async () => {
+    test('v4 API should be defined', async () => {
+        const apiProvider = await apiUtils.getExtensionExports<apiUtils.AzureExtensionApiProvider>(extensionId);
+        assert.ok(apiProvider, 'API provider is undefined');
+
+        const v4Api = apiProvider.getApi(extensionVersion, { extensionId: 'ms-azuretools.vscode-azureresourcegroups-tests' });
+        assert.ok(v4Api);
+    });
+
+    // NOTE: `createAzureResourcesApiSession` is not normally intended to be called directly by Azure Resources itself; however, I've found that it
+    // kind of still works for testing.  It will basically run everything exactly the same except at the end - the exported API for Azure Resources will be missing
+    // the receiver method so the credential has no way to be passed back to the extension through its API.
+    // Since we inject and hold a copy of the credential manager during tests, we can simply grab the generated credential from the manager.
+    // Client side handshake testing should be done separately to ensure that the receiver method is being called and passed the correct credential.
+
+    test('createAzureResourcesApiSession should provide a credential but not return it directly', async () => {
+        const credentialManager = new MockUUIDCredentialManager();
+        const authApi: AzureResourcesExtensionAuthApi = createAuthApi(credentialManager, coreApiVersions);
+
+        const apiSession = await authApi.createAzureResourcesApiSession(extensionId, extensionVersion, crypto.randomUUID());
+        assert.equal(apiSession, undefined);
+        assert.ok(credentialManager.uuidMap.get(extensionId));
+    });
+
+    test('createAzureResourcesApiSession should throw if an unallowed extension id is provided', async () => {
+        const credentialManager = new MockUUIDCredentialManager();
+        const authApi: AzureResourcesExtensionAuthApi = createAuthApi(credentialManager, coreApiVersions);
+        assertThrowsAsync(async () => await authApi.createAzureResourcesApiSession('extension1', extensionVersion, crypto.randomUUID()))
+    });
+
+    test('createAzureResourcesApiSession should not spill sensitive extension credentials in errors', async () => {
+        const credentialManager = new MockUUIDCredentialManager();
+        credentialManager.createCredential('extension1');
+        credentialManager.createCredential = () => {
+            throw new Error(credentialManager.uuidMap.get('extension1'));
+        }
+
+        const authApi: AzureResourcesExtensionAuthApi = createAuthApi(credentialManager, coreApiVersions);
+
+        try {
+            await authApi.createAzureResourcesApiSession(extensionId, extensionVersion, crypto.randomUUID());
+            assert.fail('We expect the credential manager to throw in this test.');
+        } catch (err) {
+            const perr = parseError(err);
+            assert.doesNotMatch(perr.message, new RegExp(nonNullValue(credentialManager.uuidMap.get('extension1')), 'i'));
+        }
+    });
+
+    test('getAzureResourcesApis should return matching APIs if provided a valid credential', async () => {
+        const credentialManager = new MockUUIDCredentialManager();
+
+        const authApi: AzureResourcesExtensionAuthApi = createAuthApi(credentialManager, coreApiVersions);
+        await authApi.createAzureResourcesApiSession(extensionId, extensionVersion, crypto.randomUUID());
+
+        const resourcesApis = await authApi.getAzureResourcesApis(extensionId, nonNullValue(credentialManager.uuidMap.get(extensionId)), ['0.0.1', '^2.0.0']);
+        assert.match(resourcesApis[0]?.apiVersion ?? '', /^0.0.1$/);
+        assert.match(resourcesApis[1]?.apiVersion ?? '', /^2./);
+    });
+
+    test('getAzureResourcesApis should throw if provided an invalid credential', async () => {
+        const credentialManager = new MockUUIDCredentialManager();
+        const coreApiVersions: string[] = ['0.0.1', '2.0.0', '3.0.0'];
+        const authApi: AzureResourcesExtensionAuthApi = createAuthApi(credentialManager, coreApiVersions);
+        assertThrowsAsync(async () => await authApi.getAzureResourcesApis(extensionId, crypto.randomUUID(), ['^2.0.0']));
+    });
+
+    test('getAzureResourcesApis should not spill sensitive extension credentials in errors', async () => {
+        const credentialManager = new MockUUIDCredentialManager();
+        const authApi: AzureResourcesExtensionAuthApi = createAuthApi(credentialManager, coreApiVersions);
+
+        credentialManager.createCredential('extension1');
+        credentialManager.createCredential('extension2');
+        credentialManager.createCredential('extension3');
+
+        try {
+            await authApi.getAzureResourcesApis(extensionId, crypto.randomUUID(), ['^2.0.0']);
+            assert.fail('Should throw if requesting Azure Resources APIs without a valid credential.');
+        } catch (err) {
+            const perr = parseError(err);
+            for (const credential of credentialManager.uuidMap.values()) {
+                assert.doesNotMatch(perr.message, new RegExp(credential, 'i'));
+            }
+        }
+    });
+});
+
+/**
+ * Use to quickly bootstrap a testable auth API with core API factories matching the provided versions.
+ */
+function createAuthApi(credentialManager: AzExtCredentialManager, coreApiVersions: string[]): AzureResourcesExtensionAuthApi {
+    const coreApiProvider = createMockApiProvider(coreApiVersions);
+    const authApiProvider = createAzureResourcesAuthApiFactory(credentialManager, coreApiProvider);
+    return authApiProvider.createApi({ extensionId: 'ms-azuretools.vscode-azureresourcegroups-tests' });
+}