From 8a81c6de2aaa92f7cd565fd1e5368397f8037019 Mon Sep 17 00:00:00 2001 From: jiasli <4003950+jiasli@users.noreply.github.com> Date: Tue, 7 Dec 2021 17:35:37 +0800 Subject: [PATCH 1/2] Enable token cache encryption on MacOS --- src/azure-cli-core/azure/cli/core/_profile.py | 2 +- .../azure/cli/core/auth/persistence.py | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/src/azure-cli-core/azure/cli/core/_profile.py b/src/azure-cli-core/azure/cli/core/_profile.py index e9c533cdf96..93038fef9ab 100644 --- a/src/azure-cli-core/azure/cli/core/_profile.py +++ b/src/azure-cli-core/azure/cli/core/_profile.py @@ -861,7 +861,7 @@ def _create_identity_instance(cli_ctx, *args, **kwargs): from .auth.identity import Identity # Only enable encryption for Windows (for now). - fallback = sys.platform.startswith('win32') + fallback = sys.platform.startswith('win32') or sys.platform.startswith('darwin') # encrypt_token_cache affects both MSAL token cache and service principal entries. encrypt = cli_ctx.config.getboolean('core', 'encrypt_token_cache', fallback=fallback) diff --git a/src/azure-cli-core/azure/cli/core/auth/persistence.py b/src/azure-cli-core/azure/cli/core/auth/persistence.py index 6ebec24883f..858d657d20f 100644 --- a/src/azure-cli-core/azure/cli/core/auth/persistence.py +++ b/src/azure-cli-core/azure/cli/core/auth/persistence.py @@ -21,6 +21,8 @@ # Files extensions for encrypted and plaintext persistence file_extensions = {True: '.bin', False: '.json'} +KEYCHAIN_SERVICE_NAME = 'azure-cli' + def load_persisted_token_cache(location, encrypt): persistence = build_persistence(location, encrypt) 
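Review bot: Flipping the default to encrypted on darwin also changes which cache file is used, because `file_extensions = {True: '.bin', False: '.json'}` in persistence.py keys the file name on `encrypt`; if that reading is right, a plaintext `.json` cache written before this change is neither migrated nor removed and stays on disk in clear text after the upgrade. Consider documenting this at the fallback line, e.g. `# Changing the default leaves any pre-existing plaintext cache file in place; it is not migrated or deleted.`, or removing the stale plaintext file once the encrypted persistence is in use. A smaller point: this line tests `sys.platform.startswith('win32')` while build_persistence tests `startswith('win')`; using the same predicate in both places keeps the two from diverging on which platforms get encryption. _create_identity_instance starts before and continues after this hunk.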
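Review bot: `KEYCHAIN_SERVICE_NAME = 'azure-cli'` carries no comment, although the Keychain comment added later in this patch says the stored credential is identified by the (service_name, account_name) pair, so renaming this constant would presumably orphan credentials already saved under the old name. Suggest `# Keychain service name under which credentials are stored; changing it orphans entries saved under the old name.` above the assignment.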
@@ -38,16 +40,27 @@ def build_persistence(location, encrypt): logger.debug("build_persistence: location=%r, encrypt=%r", location, encrypt) if encrypt: if sys.platform.startswith('win'): + # For FilePersistenceWithDataProtection, location is where the credential is stored. + logger.debug("Initializing FilePersistenceWithDataProtection.") return FilePersistenceWithDataProtection(location) if sys.platform.startswith('darwin'): - return KeychainPersistence(location, "my_service_name", "my_account_name") + # For KeychainPersistence, location is only used as a signal for the credential's last modified time. + # The credential is stored in Keychain identified by (service_name, account_name) combination. + # msal-extensions automatically computes account_name from signal_location. + # https://github.com/AzureAD/microsoft-authentication-extensions-for-python/pull/103 + logger.debug("Initializing KeychainPersistence") + return KeychainPersistence(location, service_name=KEYCHAIN_SERVICE_NAME) if sys.platform.startswith('linux'): + # TODO: Support token cache encryption on Linux + logger.debug("Initializing LibsecretPersistence.") return LibsecretPersistence( location, schema_name="my_schema_name", attributes={"my_attr1": "foo", "my_attr2": "bar"} ) else: + # For FilePersistence, location is where the credential is stored. + logger.debug("Initializing FilePersistence") return FilePersistence(location) From 9ea9ff454e206cdd83f36c6d6b347c938e6ea8e7 Mon Sep 17 00:00:00 2001 From: Jiashuo Li <4003950+jiasli@users.noreply.github.com> Date: Wed, 8 Dec 2021 09:59:08 +0800 Subject: [PATCH 2/2] Update _profile.py --- src/azure-cli-core/azure/cli/core/_profile.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/azure-cli-core/azure/cli/core/_profile.py b/src/azure-cli-core/azure/cli/core/_profile.py index 93038fef9ab..c7e321ffd43 100644 --- a/src/azure-cli-core/azure/cli/core/_profile.py +++ b/src/azure-cli-core/azure/cli/core/_profile.py 
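Review bot: With `encrypt=True` on a platform that matches none of win/darwin/linux the function falls off the end and returns None, if the trailing `else` pairs with `if encrypt:` as the layout suggests, and `load_persisted_token_cache` then holds None instead of a persistence object. An explicit failure after the three platform checks, e.g. `raise NotImplementedError(f"Token cache encryption is not supported on {sys.platform}")`, would surface the misconfiguration at the call site rather than when the None is used later. The Linux branch is still reachable when a user sets `core.encrypt_token_cache` to true, and it keeps the placeholder `schema_name="my_schema_name"` and `attributes={"my_attr1": "foo", "my_attr2": "bar"}`, so every install would share the same libsecret schema and attributes; the new TODO acknowledges this, but the placeholders should either become named constants like `KEYCHAIN_SERVICE_NAME` or the branch should fail explicitly until Linux is supported. The new debug messages also alternate between a trailing period and none (`"Initializing FilePersistenceWithDataProtection."` vs `"Initializing KeychainPersistence"`). build_persistence's signature is above this hunk.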
@@ -860,7 +860,7 @@ def _create_identity_instance(cli_ctx, *args, **kwargs): """Lazily import and create Identity instance to avoid unnecessary imports.""" from .auth.identity import Identity - # Only enable encryption for Windows (for now). + # Only enable encryption for Windows and MacOS (for now). fallback = sys.platform.startswith('win32') or sys.platform.startswith('darwin') # encrypt_token_cache affects both MSAL token cache and service principal entries. encrypt = cli_ctx.config.getboolean('core', 'encrypt_token_cache', fallback=fallback)