App Config - Audience Policy (Azure#44221)

* Audience Policy

* Update sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_audience_policy.py

Co-authored-by: Copilot <[email protected]>

* Update test_audience_policy.py

* code review items

* Update _audience_policy.py

* Update test_audience_policy.py

* Update _audience_policy.py

* Update sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_audience_policy.py

Co-authored-by: Avani Gupta <[email protected]>

* Updating class name

* fixing kwarg get after merge

* Update _audience_policy.py

* rename + review comments

* Update test_audience_policy.py

* merge fixes

* small fixes plus lives tests

* review comments

* updated async tests

* Revert policy ordering

* fixing cspell issue

* fixing recorded tests

* Removing test as it as there is no way to record it

* Update assets.json

* Update test_audience_policy.py

---------

Co-authored-by: Copilot <[email protected]>
Co-authored-by: Avani Gupta <[email protected]>

Author: 3 people

sdk/appconfiguration/azure-appconfiguration/CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### Features Added
 
+- Fixed AudiencePolicy to correctly handle AAD audience errors and return ClientAuthenticationError as expected.
 - Added `match_conditions` parameter to `by_page()` method in `list_configuration_settings()` to efficiently monitor configuration changes using etags without fetching unchanged data.
 - Added query parameter normalization to support Azure Front Door as a CDN. Query parameter keys are now converted to lowercase and sorted alphabetically.
 - Added support for custom authentication audiences via the `audience` keyword argument in `AzureAppConfigurationClient` constructor to enable authentication against sovereign clouds.

sdk/appconfiguration/azure-appconfiguration/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "python",
   "TagPrefix": "python/appconfiguration/azure-appconfiguration",
-  "Tag": "python/appconfiguration/azure-appconfiguration_18aed813de"
+  "Tag": "python/appconfiguration/azure-appconfiguration_7b8ff3a790"
 }

sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_audience_error_handling_policy.py

@@ -0,0 +1,67 @@
+# ------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# -------------------------------------------------------------------------
+import sys
+from azure.core.exceptions import ClientAuthenticationError
+from azure.core.pipeline import PipelineRequest
+from azure.core.pipeline.policies import SansIOHTTPPolicy
+
+NO_AUDIENCE_ERROR_MESSAGE = (
+    "Unable to authenticate to Azure App Configuration. No authentication token audience was provided. Please set the "
+    "audience via 'audience' when constructing AzureAppConfigurationClient for the target cloud. For details on "
+    "how to configure the authentication token audience visit https://aka.ms/appconfig/client-token-audience."
+)
+INCORRECT_AUDIENCE_ERROR_MESSAGE = (
+    "Unable to authenticate to Azure App Configuration. An incorrect token audience was provided. Please set the "
+    "audience via 'audience' when constructing AzureAppConfigurationClient to the appropriate audience for this "
+    "cloud. For details on how to configure the authentication token audience visit "
+    "https://aka.ms/appconfig/client-token-audience."
+)
+AAD_AUDIENCE_ERROR_CODE = "AADSTS500011"
+
+
+class AudienceErrorHandlingPolicy(SansIOHTTPPolicy):
+    """
+    A policy to handle audience-related authentication errors for Azure App Configuration.
+    Raises a ClientAuthenticationError with a helpful message if the audience is missing or incorrect.
+    """
+
+    def __init__(self, has_audience: bool = False):
+        """
+        Initialize the AudienceErrorHandlingPolicy.
+
+        :param has_audience: Indicates if the expected audience is set for the authentication token.
+        :type has_audience: bool
+        """
+        self.has_audience = has_audience
+
+    def on_exception(self, request: PipelineRequest):
+        """
+        Handles exceptions raised during pipeline execution.
+        If the exception is a ClientAuthenticationError related to audience, raises a more descriptive error.
+
+        :param request: The pipeline request object.
+        :type request: ~azure.core.pipeline.PipelineRequest
+        :return: The exception if not handled, otherwise raises a new error.
+        """
+        ex_type, ex_value, _ = sys.exc_info()
+        if ex_type is None:
+            return None
+        if ex_type is ClientAuthenticationError and isinstance(ex_value, ClientAuthenticationError):
+            self._handle_audience_exception(ex_value)
+        return ex_value
+
+    def _handle_audience_exception(self, ex: ClientAuthenticationError):
+        """
+        Checks the exception message for audience errors and raises a descriptive ClientAuthenticationError.
+
+        :param ex: The exception to check and potentially re-raise.
+        :type ex: ClientAuthenticationError
+        """
+        if ex.message and AAD_AUDIENCE_ERROR_CODE in ex.message:
+            message = INCORRECT_AUDIENCE_ERROR_MESSAGE if self.has_audience else NO_AUDIENCE_ERROR_MESSAGE
+            err = ClientAuthenticationError(message, ex.response)
+            err.message = message
+            raise err

sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_azure_appconfiguration_client.py

@@ -40,7 +40,9 @@
     get_label_filter,
     parse_connection_string,
 )
+
 from ._sync_token import SyncTokenPolicy
+from ._audience_error_handling_policy import AudienceErrorHandlingPolicy
 
 
 class AzureAppConfigurationClient:
@@ -72,7 +74,14 @@ def __init__(self, base_url: str, credential: TokenCredential, **kwargs: Any) ->
         self._sync_token_policy = SyncTokenPolicy()
         self._query_param_policy = QueryParamPolicy()
 
-        audience = kwargs.pop("audience", get_audience(base_url))
+        audience = kwargs.pop("audience", None)
+
+        audience_policy = AudienceErrorHandlingPolicy(bool(audience))
+        per_call_policies = [self._query_param_policy, self._sync_token_policy, audience_policy]
+
+        if audience is None:
+            audience = get_audience(base_url)
+
         # Ensure all scopes end with /.default and strip any trailing slashes before adding suffix
         kwargs["credential_scopes"] = [audience + DEFAULT_SCOPE_SUFFIX]
 
@@ -97,10 +106,7 @@ def __init__(self, base_url: str, credential: TokenCredential, **kwargs: Any) ->
             )
         # mypy doesn't compare the credential type hint with the API surface in patch.py
         self._impl = AzureAppConfigurationClientGenerated(
-            base_url,
-            credential,
-            per_call_policies=[self._query_param_policy, self._sync_token_policy],
-            **kwargs,  # type: ignore[arg-type]
+            base_url, credential, per_call_policies=per_call_policies, **kwargs  # type: ignore[arg-type]
         )
 
     @classmethod

sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/aio/_azure_appconfiguration_client_async.py

@@ -43,6 +43,7 @@
     get_label_filter,
     parse_connection_string,
 )
+from .._audience_error_handling_policy import AudienceErrorHandlingPolicy
 
 
 class AzureAppConfigurationClient:
@@ -77,7 +78,14 @@ def __init__(self, base_url: str, credential: AsyncTokenCredential, **kwargs: An
         self._sync_token_policy = AsyncSyncTokenPolicy()
         self._query_param_policy = QueryParamPolicy()
 
-        audience = kwargs.pop("audience", get_audience(base_url))
+        audience = kwargs.pop("audience", None)
+
+        audience_policy = AudienceErrorHandlingPolicy(bool(audience))
+        per_call_policies = [self._query_param_policy, self._sync_token_policy, audience_policy]
+
+        if audience is None:
+            audience = get_audience(base_url)
+
         # Ensure all scopes end with /.default and strip any trailing slashes before adding suffix
         kwargs["credential_scopes"] = [audience + DEFAULT_SCOPE_SUFFIX]
 
@@ -102,10 +110,7 @@ def __init__(self, base_url: str, credential: AsyncTokenCredential, **kwargs: An
             )
         # mypy doesn't compare the credential type hint with the API surface in patch.py
         self._impl = AzureAppConfigurationClientGenerated(
-            base_url,
-            credential,
-            per_call_policies=[self._query_param_policy, self._sync_token_policy],
-            **kwargs,  # type: ignore[arg-type]
+            base_url, credential, per_call_policies=per_call_policies, **kwargs  # type: ignore[arg-type]
         )
 
     @classmethod

sdk/appconfiguration/azure-appconfiguration/tests/asynctestcase.py

@@ -12,9 +12,9 @@
 
 
 class AsyncAppConfigTestCase(AppConfigTestCase):
-    def create_aad_client(self, appconfiguration_endpoint_string):
+    def create_aad_client(self, appconfiguration_endpoint_string, audience=None):
         cred = self.get_credential(AzureAppConfigurationClient, is_async=True)
-        return AzureAppConfigurationClient(appconfiguration_endpoint_string, cred)
+        return AzureAppConfigurationClient(appconfiguration_endpoint_string, cred, audience=audience)
 
     def create_client(self, appconfiguration_connection_string):
         return AzureAppConfigurationClient.from_connection_string(appconfiguration_connection_string)
@@ -41,6 +41,15 @@ async def set_up(self, appconfiguration_string, is_aad=False):
 
     async def tear_down(self):
         if self.client is not None:
+            # Archive all ready snapshots
+            snapshots = self.client.list_snapshots(status=["ready"])
+            async for snapshot in snapshots:
+                try:
+                    await self.client.archive_snapshot(name=snapshot.name)
+                except Exception:
+                    pass
+
+            # Delete all configuration settings
             config_settings = self.client.list_configuration_settings()
             async for config_setting in config_settings:
                 await self.client.delete_configuration_setting(key=config_setting.key, label=config_setting.label)

sdk/appconfiguration/azure-appconfiguration/tests/test_audience_error_handling_live.py

@@ -0,0 +1,67 @@
+# -------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# --------------------------------------------------------------------------
+import pytest
+from azure.core.exceptions import ClientAuthenticationError
+from azure.appconfiguration._audience_error_handling_policy import (
+    AudienceErrorHandlingPolicy,
+    INCORRECT_AUDIENCE_ERROR_MESSAGE,
+)
+from testcase import AppConfigTestCase
+from preparers import app_config_aad_decorator
+from devtools_testutils import recorded_by_proxy
+
+# cspell:disable-next-line
+CORRECT_AUDIENCE = "https://azconfig.io"
+# cspell:disable-next-line
+VALID_ENDPOINT_SUFFIX = ".azconfig.io"
+# cspell:disable-next-line
+INVALID_ENDPOINT_SUFFIX = ".azconfig.sovcloud-api.fr"
+# cspell:disable-next-line
+INCORRECT_AUDIENCE = "https://login.sovcloud-identity2.fr"
+
+
+class TestAudienceErrorHandlingLive(AppConfigTestCase):
+    """Live and recorded tests for audience error handling with the Azure App Configuration client."""
+
+    @app_config_aad_decorator
+    @recorded_by_proxy
+    def test_client_has_audience_policy_with_no_audience(self, appconfiguration_endpoint_string):
+        """Test that client created without audience has policy with has_audience=False."""
+        # Create client without audience
+        client = self.create_aad_client(appconfiguration_endpoint_string)
+
+        # Check that audience error handling policy is in the pipeline
+        policies = client._impl._client._pipeline._impl_policies
+        audience_policy = None
+        for policy in policies:
+            # Policies are wrapped in _SansIOHTTPPolicyRunner, so we need to access the underlying policy
+            underlying_policy = getattr(policy, "_policy", policy)
+            if isinstance(underlying_policy, AudienceErrorHandlingPolicy):
+                audience_policy = underlying_policy
+                break
+
+        assert audience_policy is not None, "AudienceErrorHandlingPolicy should be in pipeline"
+        assert audience_policy.has_audience is False, "has_audience should be False when no audience provided"
+
+    @app_config_aad_decorator
+    @recorded_by_proxy
+    def test_client_has_audience_policy_with_audience(self, appconfiguration_endpoint_string):
+        """Test that client created with audience has policy with has_audience=True."""
+        # Create client with audience
+        client = self.create_aad_client(appconfiguration_endpoint_string, audience=CORRECT_AUDIENCE)
+
+        # Check that audience error handling policy is in the pipeline
+        policies = client._impl._client._pipeline._impl_policies
+        audience_policy = None
+        for policy in policies:
+            # Policies are wrapped in _SansIOHTTPPolicyRunner, so we need to access the underlying policy
+            underlying_policy = getattr(policy, "_policy", policy)
+            if isinstance(underlying_policy, AudienceErrorHandlingPolicy):
+                audience_policy = underlying_policy
+                break
+
+        assert audience_policy is not None, "AudienceErrorHandlingPolicy should be in pipeline"
+        assert audience_policy.has_audience is True, "has_audience should be True when audience provided"

sdk/appconfiguration/azure-appconfiguration/tests/test_audience_error_handling_live_async.py

@@ -0,0 +1,71 @@
+# -------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# --------------------------------------------------------------------------
+import pytest
+from azure.core.exceptions import ClientAuthenticationError
+from azure.appconfiguration._audience_error_handling_policy import (
+    AudienceErrorHandlingPolicy,
+    INCORRECT_AUDIENCE_ERROR_MESSAGE,
+)
+from asynctestcase import AsyncAppConfigTestCase
+from async_preparers import app_config_aad_decorator_async
+from devtools_testutils.aio import recorded_by_proxy_async
+
+# cspell:disable-next-line
+CORRECT_AUDIENCE = "https://azconfig.io"
+# cspell:disable-next-line
+VALID_ENDPOINT_SUFFIX = ".azconfig.io"
+# cspell:disable-next-line
+INVALID_ENDPOINT_SUFFIX = ".azconfig.sovcloud-api.fr"
+# cspell:disable-next-line
+INCORRECT_AUDIENCE = "https://login.sovcloud-identity2.fr"
+
+
+class TestAudienceErrorHandlingLiveAsync(AsyncAppConfigTestCase):
+    """Async live and recorded tests for audience error handling with the Azure App Configuration client."""
+
+    @app_config_aad_decorator_async
+    @recorded_by_proxy_async
+    async def test_async_client_has_audience_policy_with_no_audience(self, appconfiguration_endpoint_string):
+        """Test that async client created without audience has policy with has_audience=False."""
+        # Create client without audience
+        client = self.create_aad_client(appconfiguration_endpoint_string)
+
+        # Check that audience error handling policy is in the pipeline
+        policies = client._impl._client._pipeline._impl_policies
+        audience_policy = None
+        for policy in policies:
+            # Policies are wrapped in _SansIOHTTPPolicyRunner, so we need to access the underlying policy
+            underlying_policy = getattr(policy, "_policy", policy)
+            if isinstance(underlying_policy, AudienceErrorHandlingPolicy):
+                audience_policy = underlying_policy
+                break
+
+        assert audience_policy is not None, "AudienceErrorHandlingPolicy should be in pipeline"
+        assert audience_policy.has_audience is False, "has_audience should be False when no audience provided"
+
+        await client.close()
+
+    @app_config_aad_decorator_async
+    @recorded_by_proxy_async
+    async def test_async_client_has_audience_policy_with_audience(self, appconfiguration_endpoint_string):
+        """Test that async client created with audience has policy with has_audience=True."""
+        # Create client with audience
+        client = self.create_aad_client(appconfiguration_endpoint_string, audience=CORRECT_AUDIENCE)
+
+        # Check that audience error handling policy is in the pipeline
+        policies = client._impl._client._pipeline._impl_policies
+        audience_policy = None
+        for policy in policies:
+            # Policies are wrapped in _SansIOHTTPPolicyRunner, so we need to access the underlying policy
+            underlying_policy = getattr(policy, "_policy", policy)
+            if isinstance(underlying_policy, AudienceErrorHandlingPolicy):
+                audience_policy = underlying_policy
+                break
+
+        assert audience_policy is not None, "AudienceErrorHandlingPolicy should be in pipeline"
+        assert audience_policy.has_audience is True, "has_audience should be True when audience provided"
+
+        await client.close()

sdk/appconfiguration/azure-appconfiguration/tests/test_audience_policy.py

@@ -0,0 +1,42 @@
+# ------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# -------------------------------------------------------------------------
+from azure.core.exceptions import ClientAuthenticationError
+from azure.appconfiguration._audience_error_handling_policy import (
+    AudienceErrorHandlingPolicy,
+    AAD_AUDIENCE_ERROR_CODE,
+    NO_AUDIENCE_ERROR_MESSAGE,
+    INCORRECT_AUDIENCE_ERROR_MESSAGE,
+)
+import pytest
+
+
+def test_on_exception_no_audience():
+    policy = AudienceErrorHandlingPolicy(False)
+    try:
+        raise ClientAuthenticationError(message=f"{AAD_AUDIENCE_ERROR_CODE} some error", response=None)
+    except ClientAuthenticationError:
+        with pytest.raises(ClientAuthenticationError) as exc_info:
+            policy.on_exception(None)
+            assert NO_AUDIENCE_ERROR_MESSAGE in str(exc_info.value)
+
+
+def test_on_exception_incorrect_audience():
+    policy = AudienceErrorHandlingPolicy(True)
+    try:
+        raise ClientAuthenticationError(message=f"{AAD_AUDIENCE_ERROR_CODE} some error", response=None)
+    except ClientAuthenticationError:
+        with pytest.raises(ClientAuthenticationError) as exc_info:
+            policy.on_exception(None)
+            assert INCORRECT_AUDIENCE_ERROR_MESSAGE in str(exc_info.value)
+
+
+def test_on_exception_non_audience_error():
+    policy = AudienceErrorHandlingPolicy(False)
+    try:
+        raise ClientAuthenticationError(message="Some other error", response=None)
+    except ClientAuthenticationError as ex:
+        result = policy.on_exception(None)
+        assert result is ex