Prevent ManagedIdentityCredential mutating GetToken arguments (#15331)

Azure · Aug 20, 2021 · cf0793e · cf0793e
1 parent dc2d9f4
commit cf0793e
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 3 deletions.
diff --git a/sdk/azidentity/CHANGELOG.md b/sdk/azidentity/CHANGELOG.md
@@ -7,6 +7,7 @@
 ### Breaking Changes
 
 ### Bugs Fixed
+* `ManagedIdentityCredential.GetToken` no longer mutates its `opts.Scopes`
 
 ### Other Changes
 

diff --git a/sdk/azidentity/managed_identity_credential.go b/sdk/azidentity/managed_identity_credential.go
@@ -95,9 +95,9 @@ func (c *ManagedIdentityCredential) GetToken(ctx context.Context, opts azcore.To
 		addGetTokenFailureLogs("Managed Identity Credential", err, true)
 		return nil, err
 	}
-	// The following code will remove the /.default suffix from any scopes passed into the method since ManagedIdentityCredentials expect a resource string instead of a scope string
-	opts.Scopes[0] = strings.TrimSuffix(opts.Scopes[0], defaultSuffix)
-	tk, err := c.client.authenticate(ctx, c.id, opts.Scopes)
+	// managed identity endpoints require an AADv1 resource (i.e. token audience), not a v2 scope, so we remove "/.default" here
+	scopes := []string{strings.TrimSuffix(opts.Scopes[0], defaultSuffix)}
+	tk, err := c.client.authenticate(ctx, c.id, scopes)
 	if err != nil {
 		addGetTokenFailureLogs("Managed Identity Credential", err, true)
 		return nil, err

diff --git a/sdk/azidentity/managed_identity_credential_test.go b/sdk/azidentity/managed_identity_credential_test.go
@@ -512,6 +512,31 @@ func TestManagedIdentityCredential_GetTokenNilResource(t *testing.T) {
 	}
 }
 
+func TestManagedIdentityCredential_ScopesImmutable(t *testing.T) {
+	resetEnvironmentVarsForTest()
+	srv, close := mock.NewServer()
+	defer close()
+	srv.AppendResponse(mock.WithBody([]byte(expiresOnIntResp)))
+	_ = os.Setenv(msiEndpoint, srv.URL())
+	defer clearEnvVars(msiEndpoint)
+	options := ManagedIdentityCredentialOptions{
+		HTTPClient: srv,
+	}
+	cred, err := NewManagedIdentityCredential("", &options)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	scope := "https://localhost/.default"
+	scopes := []string{scope}
+	_, err = cred.GetToken(context.Background(), azcore.TokenRequestOptions{Scopes: scopes})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if scopes[0] != scope {
+		t.Fatalf("GetToken shouldn't mutate arguments")
+	}
+}
+
 func TestManagedIdentityCredential_GetTokenMultipleResources(t *testing.T) {
 	resetEnvironmentVarsForTest()
 	srv, close := mock.NewServer()