feat: Add Azure CLI auth source (POC)#265
Open
shirasassoon wants to merge 1 commit into
Open
Conversation
Add azure_cli as a new identity type that delegates token acquisition to Azure CLI via azure-identity's AzureCliCredential. This allows tools calling fab to reuse an existing az login session instead of requiring a separate interactive fab auth login. Changes: - Add 'azure_cli' to AUTH_KEYS identity type allow-list - Add _acquire_token_from_azure_cli() using AzureCliCredential - Add --azure-cli flag to fab auth login - Add 'Azure CLI' option to interactive login menu - Show auth_source in fab auth status output - Add azure-identity>=1.15.0 dependency - Add 12 unit tests covering dispatch, scopes, errors, sanitization Security: error messages are sanitized to never leak token content. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a new authentication source (azure_cli) to Fabric CLI, delegating token acquisition to Azure CLI (via azure-identity’s AzureCliCredential) so fab can reuse an existing az login session. It also wires the new auth source into fab auth login (flag + interactive option) and exposes the selected auth source in fab auth status.
Changes:
- Add
azure_clias an allowed identity type and implement Azure CLI token acquisition inFabAuth. - Add
--azure-cliflag plus an “Azure CLI” interactive login option; includeauth_sourcein auth status output. - Add
azure-identity>=1.15.0dependency and a new unit test module for Azure CLI auth.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/test_core/test_fab_auth_azure_cli.py | Adds unit tests for the new Azure CLI auth flow, scopes, and error sanitization. |
| src/fabric_cli/parsers/fab_auth_parser.py | Adds --azure-cli to fab auth login and updates examples. |
| src/fabric_cli/core/fab_constant.py | Extends identity type allow-list to include azure_cli. |
| src/fabric_cli/core/fab_auth.py | Implements set_azure_cli() and _acquire_token_from_azure_cli() and dispatches in acquire_token(). |
| src/fabric_cli/commands/auth/fab_auth.py | Wires Azure CLI auth into login flows and adds auth_source to status output. |
| pyproject.toml | Adds the azure-identity runtime dependency required for AzureCliCredential. |
Comment on lines
+442
to
+446
| tenant_id = self.get_tenant_id() | ||
| try: | ||
| credential = AzureCliCredential(tenant_id=tenant_id) if tenant_id else AzureCliCredential() | ||
| # AzureCliCredential.get_token expects scopes as positional args | ||
| azure_token = credential.get_token(scope[0]) |
Comment on lines
+436
to
+440
| raise FabricCLIError( | ||
| "Azure CLI auth requires the 'azure-identity' package. " | ||
| "Install it with: pip install azure-identity", | ||
| status_code=con.ERROR_AUTHENTICATION_FAILED, | ||
| ) |
Comment on lines
+31
to
+33
| if getattr(args, "azure_cli", False): | ||
| FabAuth().set_access_mode("azure_cli", args.tenant) | ||
| FabAuth().set_azure_cli(args.tenant) |
Comment on lines
+27
to
+36
| @pytest.fixture | ||
| def auth_instance(temp_dir_fixture): | ||
| """Get a fresh FabAuth instance.""" | ||
| # Clear singleton for test isolation | ||
| FabAuth.__wrapped__ = None # type: ignore | ||
| from fabric_cli.core import fab_auth as fab_auth_module | ||
|
|
||
| if FabAuth in fab_auth_module.singleton.__wrapped__: # type: ignore | ||
| del fab_auth_module.singleton.__wrapped__[FabAuth] # type: ignore | ||
| return FabAuth() |
Comment on lines
+39
to
+56
| @pytest.fixture | ||
| def fresh_auth(temp_dir_fixture, monkeypatch): | ||
| """Get a fresh FabAuth instance with singleton cleared.""" | ||
| # Reset singleton instances dict | ||
| import fabric_cli.core.fab_auth as auth_module | ||
|
|
||
| # Access the closure variable of the singleton decorator | ||
| singleton_instances = auth_module.singleton.__code__.co_consts # noqa | ||
| # Simpler approach: just patch the module-level reference | ||
| monkeypatch.setattr( | ||
| "fabric_cli.core.fab_auth.FabAuth.__init__.__globals__", | ||
| {}, | ||
| raising=False, | ||
| ) | ||
| # Re-instantiate | ||
| auth = FabAuth.__new__(FabAuth) | ||
| auth.__init__() | ||
| return auth |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add azure_cli as a new identity type that delegates token acquisition to Azure CLI via azure-identity's AzureCliCredential. This allows tools calling fab to reuse an existing az login session instead of requiring a separate interactive fab auth login.
Changes:
Security: error messages are sanitized to never leak token content.