Merge remote-tracking branch 'origin/dev' into test/release-pipeline-preview

Author: RyAuld

msal/broker.py

@@ -45,13 +45,17 @@ class TokenTypeError(ValueError):
     pass
 
 
-_redirect_uri_on_mac = "msauth.com.msauth.unsignedapp://auth"  # Note:
+_default_redirect_uri_on_mac = "msauth.com.msauth.unsignedapp://auth"  # Note:
     # On Mac, the native Python has a team_id which links to bundle id
     # com.apple.python3 however it won't give Python scripts better security.
     # Besides, the homebrew-installed Pythons have no team_id
     # so they have to use a generic placeholder anyway.
     # The v-team chose to combine two situations into using same placeholder.
 
+_default_redirect_uri = "https://login.microsoftonline.com/common/oauth2/nativeclient"
+    # Linux Java Broker requires a non-empty valid redirect_uri.
+    # On Windows, WAM does not currently use this default redirect_uri,
+    # but MSAL.cpp still requires it to be non-empty and valid.
 
 def _convert_error(error, client_id):
     context = error.get_context()  # Available since pymsalruntime 0.0.4
@@ -63,8 +67,7 @@ def _convert_error(error, client_id):
             """MsalRuntime needs the current app to register these redirect_uri
 (1) ms-appx-web://Microsoft.AAD.BrokerPlugin/{}
 (2) {}
-(3) https://login.microsoftonline.com/common/oauth2/nativeclient""".format(
-            client_id, _redirect_uri_on_mac))
+(3) {}""".format(client_id, _default_redirect_uri_on_mac, _default_redirect_uri))
         # OTOH, AAD would emit other errors when other error handling branch was hit first,
         # so, the AADSTS50011/RedirectUriError is not guaranteed to happen.
     return {
@@ -145,20 +148,19 @@ def _build_msal_runtime_auth_params(client_id, authority):
     params.set_additional_parameter("msal_client_ver", __version__)
     return params
 
-def _set_redirect_uri_for_linux(params):
-    if sys.platform == "linux":
-        # This is required by Linux Java Broker to set a non-empty valid redirect_uri
-        params.set_redirect_uri(
-            "https://login.microsoftonline.com/common/oauth2/nativeclient"
-        )
+def _set_redirect_uri(params):
+    if sys.platform == "darwin":
+        params.set_redirect_uri(_default_redirect_uri_on_mac)
+    else:
+        params.set_redirect_uri(_default_redirect_uri)
 
 def _signin_silently(
         authority, client_id, scopes, correlation_id=None, claims=None,
         enable_msa_pt=False,
         auth_scheme=None,
         **kwargs):
     params = _build_msal_runtime_auth_params(client_id, authority)
-    _set_redirect_uri_for_linux(params)
+    _set_redirect_uri(params)
     params.set_requested_scopes(scopes)
     if claims:
         params.set_decoded_claims(claims)
@@ -193,12 +195,7 @@ def _signin_interactively(
         **kwargs):
     params = _build_msal_runtime_auth_params(client_id, authority)
     params.set_requested_scopes(scopes)
-    params.set_redirect_uri(
-        _redirect_uri_on_mac if sys.platform == "darwin" else
-        "https://login.microsoftonline.com/common/oauth2/nativeclient"
-        # This default redirect_uri value is not currently used by WAM
-        # but it is required by the MSAL.cpp to be set to a non-empty valid URI.
-    )
+    _set_redirect_uri(params)
     if prompt:
         if prompt == "select_account":
             if login_hint:
@@ -248,7 +245,7 @@ def _acquire_token_silently(
     if account is None:
         return
     params = _build_msal_runtime_auth_params(client_id, authority)
-    _set_redirect_uri_for_linux(params)
+    _set_redirect_uri(params)
     params.set_requested_scopes(scopes)
     if claims:
         params.set_decoded_claims(claims)

tests/test_cryptography.py

@@ -35,11 +35,11 @@ class CryptographyTestCase(TestCase):
 
     def test_should_be_run_with_latest_version_of_cryptography(self):
         import cryptography
-        self.assertEqual(
-            cryptography.__version__, latest_cryptography_version,
-            "We are using cryptography {} but we should test with latest {} instead. "
-            "Run 'pip install -U cryptography'.".format(
-            cryptography.__version__, latest_cryptography_version))
+        if cryptography.__version__ != latest_cryptography_version:
+            warnings.warn(
+                "We are using cryptography {} but we should test with latest {} instead. "
+                "Run 'pip install -U cryptography'.".format(
+                cryptography.__version__, latest_cryptography_version))
 
     def test_latest_cryptography_should_support_our_usage_without_warnings(self):
         passphrase_bytes = _str2bytes("password")
@@ -54,10 +54,11 @@ def test_latest_cryptography_should_support_our_usage_without_warnings(self):
 
     def test_ceiling_should_be_latest_cryptography_version_plus_three(self):
         expected_ceiling = int(latest_cryptography_version.split(".")[0]) + 3
-        self.assertEqual(
-            expected_ceiling, get_current_ceiling(),
-            "Test passed with latest cryptography, so we shall bump ceiling to N+3={}, "
-            "based on their latest deprecation policy "
-            "https://cryptography.io/en/latest/api-stability/#deprecation".format(
-            expected_ceiling))
+        current_ceiling = get_current_ceiling()
+        if expected_ceiling != current_ceiling:
+            warnings.warn(
+                "Test passed with latest cryptography, so we shall bump ceiling to N+3={}, "
+                "based on their latest deprecation policy "
+                "https://cryptography.io/en/latest/api-stability/#deprecation".format(
+                expected_ceiling))
 

tests/test_fmi_e2e.py

@@ -21,9 +21,9 @@
 logging.basicConfig(level=logging.DEBUG if "-v" in sys.argv else logging.INFO)
 
 # Test configuration
-_FMI_TENANT_ID = "f645ad92-e38d-4d1a-b510-d1b09a74a8ca"
-_FMI_CLIENT_ID = "4df2cbbb-8612-49c1-87c8-f334d6d065ad"
-_FMI_SCOPE = "3091264c-7afb-45d4-b527-39737ee86187/.default"
+_FMI_TENANT_ID = "10c419d4-4a50-45b2-aa4e-919fb84df24f"
+_FMI_CLIENT_ID = "3bf56293-fbb5-42bd-a407-248ba7431a8c"
+_FMI_SCOPE = "aa464f73-2868-4f67-b0e7-fc2f749e757f/.default"
 _FMI_PATH = "SomeFmiPath/FmiCredentialPath"
 _FMI_CLIENT_ID_URN = "urn:microsoft:identity:fmi"
 _FMI_SCOPE_FOR_RMA = "api://AzureFMITokenExchange/.default"