Adds FederatedIdentityCredentials (FICS) request builders to Graph Client

.vscode/cspell.global.yaml

@@ -57,6 +57,7 @@ ignoreWords:
     - execfn
     - execmock
     - fdfp
+    - fics
     - Frontdoor
     - graphsdk
     - hndl
@@ -68,6 +69,7 @@ ignoreWords:
     - kubernetes
     - kusto
     - magefile
+    - mainfic
     - menuid
     - migr
     - mockconfig
@@ -80,6 +82,7 @@ ignoreWords:
     - odata
     - osdisk
     - osexec
+    - oidc
     - pcert
     - pdnsz
     - Peerings

cli/azd/cmd/pipeline.go

@@ -35,6 +35,12 @@ func (pc *pipelineConfigFlags) Bind(local *pflag.FlagSet, global *internal.Globa
 		"origin",
 		"The name of the git remote to configure the pipeline to run on.",
 	)
+	local.StringVar(
+		&pc.PipelineAuthTypeName,
+		"auth-type",
+		"",
+		"The authentication type used between the pipeline provider and Azure for deployment (Only valid for GitHub provider)",
+	)
 	local.StringVar(&pc.PipelineRoleName, "principal-role", "Contributor", "The role to assign to the service principal.")
 	local.StringVar(&pc.PipelineProvider, "provider", "", "The pipeline provider to use (GitHub and Azdo supported).")
 	pc.global = global

cli/azd/pkg/commands/pipeline/azdo_provider.go

@@ -57,7 +57,12 @@ func (p *AzdoScmProvider) requiredTools(_ context.Context) []tools.ExternalTool
 
 // preConfigureCheck check the current state of external tools and any
 // other dependency to be as expected for execution.
-func (p *AzdoScmProvider) preConfigureCheck(ctx context.Context, console input.Console) error {
+func (p *AzdoScmProvider) preConfigureCheck(
+	ctx context.Context,
+	console input.Console,
+	pipelineManagerArgs PipelineManagerArgs,
+	infraOptions provisioning.Options,
+) error {
 	_, err := azdo.EnsurePatExists(ctx, p.Env, console)
 	if err != nil {
 		return err
@@ -572,7 +577,23 @@ func (p *AzdoCiProvider) requiredTools(_ context.Context) []tools.ExternalTool {
 }
 
 // preConfigureCheck nil for Azdo
-func (p *AzdoCiProvider) preConfigureCheck(ctx context.Context, console input.Console) error {
+func (p *AzdoCiProvider) preConfigureCheck(
+	ctx context.Context,
+	console input.Console,
+	pipelineManagerArgs PipelineManagerArgs,
+	infraOptions provisioning.Options,
+) error {
+	authType := PipelineAuthType(pipelineManagerArgs.PipelineAuthTypeName)
+
+	if authType == AuthTypeFederated {
+		return fmt.Errorf(
+			//nolint:lll
+			"Azure DevOps does not support federated authentication. To explicitly use client credentials set the %s flag. %w",
+			output.WithBackticks("--auth-type client-credentials"),
+			ErrAuthNotSupported,
+		)
+	}
+
 	_, err := azdo.EnsurePatExists(ctx, p.Env, console)
 	if err != nil {
 		return err
@@ -596,6 +617,7 @@ func (p *AzdoCiProvider) configureConnection(
 	repoDetails *gitRepositoryDetails,
 	provisioningProvider provisioning.Options,
 	credentials json.RawMessage,
+	authType PipelineAuthType,
 	console input.Console) error {
 
 	azureCredentials, err := parseCredentials(ctx, credentials)

cli/azd/pkg/commands/pipeline/azdo_provider_test.go

@@ -5,11 +5,13 @@ package pipeline
 
 import (
 	"context"
+	"errors"
 	"path"
 	"testing"
 
 	"github.com/azure/azure-dev/cli/azd/pkg/azdo"
 	"github.com/azure/azure-dev/cli/azd/pkg/environment"
+	"github.com/azure/azure-dev/cli/azd/pkg/infra/provisioning"
 	"github.com/azure/azure-dev/cli/azd/pkg/input"
 	"github.com/azure/azure-dev/cli/azd/test/mocks/console"
 	"github.com/azure/azure-dev/cli/azd/test/ostest"
@@ -78,7 +80,7 @@ func Test_azdo_provider_getRepoDetails(t *testing.T) {
 	})
 }
 
-func Test_azdo_provider_preConfigureCheck(t *testing.T) {
+func Test_azdo_scm_provider_preConfigureCheck(t *testing.T) {
 	t.Run("accepts a PAT via system environment variables", func(t *testing.T) {
 		// arrange
 		testPat := "12345"
@@ -89,7 +91,7 @@ func Test_azdo_provider_preConfigureCheck(t *testing.T) {
 		ctx := context.Background()
 
 		// act
-		e := provider.preConfigureCheck(ctx, testConsole)
+		e := provider.preConfigureCheck(ctx, testConsole, PipelineManagerArgs{}, provisioning.Options{})
 
 		// assert
 		require.NoError(t, e)
@@ -108,14 +110,46 @@ func Test_azdo_provider_preConfigureCheck(t *testing.T) {
 		ctx := context.Background()
 
 		// act
-		e := provider.preConfigureCheck(ctx, testConsole)
+		e := provider.preConfigureCheck(ctx, testConsole, PipelineManagerArgs{}, provisioning.Options{})
 
 		// assert
 		require.Nil(t, e)
 		// PAT is not persisted to .env
 		require.EqualValues(t, "", provider.Env.Values[azdo.AzDoPatName])
 	})
+}
+
+func Test_azdo_ci_provider_preConfigureCheck(t *testing.T) {
+	t.Run("success with default options", func(t *testing.T) {
+		ctx := context.Background()
+		provider := getAzdoCiProviderTestHarness()
+		testConsole := console.NewMockConsole()
+		testPat := "testPAT12345"
+		testConsole.WhenPrompt(func(options input.ConsoleOptions) bool {
+			return options.Message == "Personal Access Token (PAT):"
+		}).Respond(testPat)
+
+		pipelineManagerArgs := PipelineManagerArgs{
+			PipelineAuthTypeName: "",
+		}
+
+		err := provider.preConfigureCheck(ctx, testConsole, pipelineManagerArgs, provisioning.Options{})
+		require.NoError(t, err)
+	})
+
+	t.Run("fails if auth type is set to federated", func(t *testing.T) {
+		ctx := context.Background()
+		provider := getAzdoCiProviderTestHarness()
+		testConsole := console.NewMockConsole()
+
+		pipelineManagerArgs := PipelineManagerArgs{
+			PipelineAuthTypeName: string(AuthTypeFederated),
+		}
 
+		err := provider.preConfigureCheck(ctx, testConsole, pipelineManagerArgs, provisioning.Options{})
+		require.Error(t, err)
+		require.True(t, errors.Is(err, ErrAuthNotSupported))
+	})
 }
 
 func Test_saveEnvironmentConfig(t *testing.T) {
@@ -139,6 +173,7 @@ func Test_saveEnvironmentConfig(t *testing.T) {
 	})
 
 }
+
 func getEmptyAzdoScmProviderTestHarness() *AzdoScmProvider {
 	return &AzdoScmProvider{
 		Env: &environment.Environment{
@@ -161,3 +196,18 @@ func getAzdoScmProviderTestHarness() *AzdoScmProvider {
 		},
 	}
 }
+
+func getAzdoCiProviderTestHarness() *AzdoCiProvider {
+	return &AzdoCiProvider{
+		Env: &environment.Environment{
+			Values: map[string]string{
+				azdo.AzDoEnvironmentOrgName:       "fake_org",
+				azdo.AzDoEnvironmentProjectName:   "project1",
+				azdo.AzDoEnvironmentProjectIdName: "12345",
+				azdo.AzDoEnvironmentRepoName:      "repo1",
+				azdo.AzDoEnvironmentRepoIdName:    "9876",
+				azdo.AzDoEnvironmentRepoWebUrl:    "https://repo",
+			},
+		},
+	}
+}