Tests | Cleanup AAD Password auth from tests + code cleanup#4390
Tests | Cleanup AAD Password auth from tests + code cleanup#4390cheenamalhotra wants to merge 18 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
Removes the Entra ID “password auth” connection-string configuration from the test suite (and CI templates) following the pipeline change in #4288, replacing it with a single “bare” AzureSqlConnectionString that tests extend at runtime to exercise specific authentication modes.
Changes:
- Renamed
AADPasswordConnectionString→AzureSqlConnectionStringacross test config (Config.cs/config.default.jsonc), docs, and Azure DevOps pipeline templates; updated pipeline variables accordingly. - Added shared test helpers under
tests/Common/(CommonUtils,StringExtensions) to compose auth/credential keywords onto a base connection string. - Updated ManualTests + Azure extensions tests to remove
ActiveDirectoryPasswordcoverage and to use managed identity / token-based flows with the new helpers.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| TESTGUIDE.md | Updates documented test config property name/meaning for AAD/Azure SQL tests. |
| src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.TestUtilities/Microsoft.Data.SqlClient.TestUtilities.csproj | References the new shared test helper project. |
| src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.TestUtilities/config.default.jsonc | Renames config field and clarifies Azure SQL base conn string expectation (no creds). |
| src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.TestUtilities/Config.cs | Renames the config field to AzureSqlConnectionString. |
| src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectivityTests/AADConnectionTest.cs | Removes AAD password tests and rewrites AAD scenarios to use helpers and AzureSqlConnectionString. |
| src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectionPoolTest/ConnectionPoolTest.cs | Updates pooled AAD/token tests to use AzureSqlConnectionString and async token retrieval. |
| src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/AADFedAuthTokenRefreshTest/AADFedAuthTokenRefreshTest.cs | Switches the fed-auth refresh scenario to managed identity-based auth/provider usage. |
| src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ManagedIdentityProvider.cs | Renames the custom provider class to clarify it targets user-assigned MI. |
| src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/DataTestUtility.cs | Renames config fields, adds MI-based token retrieval APIs, and removes AAD password token generation. |
| src/Microsoft.Data.SqlClient/tests/Common/StringExtensions.cs | Adds fluent helpers for composing auth/credential keywords and for removing auth/credential keywords. |
| src/Microsoft.Data.SqlClient/tests/Common/CommonUtils.cs | Adds shared random/name helpers used by updated tests. |
| src/Microsoft.Data.SqlClient.Extensions/Azure/test/Config.cs | Renames the Azure test config field read from config.jsonc. |
| src/Microsoft.Data.SqlClient.Extensions/Azure/test/AADConnectionTest.cs | Updates Azure extension tests to build auth modes from the base Azure SQL conn string. |
| eng/pipelines/jobs/test-azure-package-ci-job.yml | Switches pipeline config-writing to AzureSqlConnectionString and updates secret scoping. |
| eng/pipelines/dotnet-sqlclient-ci-core.yml | Switches CI template config-writing to AzureSqlConnectionString (WestUS2/EastUS). |
| eng/pipelines/common/templates/steps/update-config-file-step.yml | Renames template parameter and output property to AzureSqlConnectionString. |
| eng/pipelines/common/templates/jobs/ci-run-tests-job.yml | Renames config pass-through property to AzureSqlConnectionString. |
| .github/instructions/testing.instructions.md | Updates the test-config docs to match the renamed Azure SQL config property. |
… SQL The ConnectionPoolConnectionStringProvider classes now add Authentication=ActiveDirectoryDefault when running against Azure SQL, so pool tests authenticate via managed identity instead of failing with 'Login failed for user ''' after auth properties are stripped. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 28 out of 29 changed files in this pull request and generated 2 comments.
Files not reviewed (1)
- src/Microsoft.Data.SqlClient/src/Resources/Strings.Designer.cs: Generated file
Comments suppressed due to low confidence (1)
src/Microsoft.Data.SqlClient.Extensions/Azure/test/Config.cs:48
Configdefines bothTCPConnectionString(populated from config) andTcpConnectionString(left asstring.Empty).HasTcpConnectionString()and several tests useTcpConnectionString, which means those tests will be skipped or build connection strings from an empty base. MakeTcpConnectionStringan alias ofTCPConnectionString(or remove it and update all call sites) so the configured value is used consistently.
internal static string TCPConnectionString { get; } = string.Empty;
internal static string ServicePrincipalId { get; } = string.Empty;
internal static string ServicePrincipalSecret { get; } = string.Empty;
internal static string SystemAccessToken { get; } = string.Empty;
internal static bool SystemAssignedManagedIdentitySupported { get; } = false;
internal static string TcpConnectionString { get; } = string.Empty;
…oryDefault Convert ConnectionPoolTest and TransactionPoolTest to async, using DataTestUtility.GetAccessTokenAsync() to set connection.AccessToken before opening connections targeting Azure SQL. This ensures pool tests authenticate via managed identity without embedding auth in the connection string (which would conflict with tests that set AccessToken or AccessTokenCallback directly). Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 29 out of 30 changed files in this pull request and generated 1 comment.
Files not reviewed (1)
- src/Microsoft.Data.SqlClient/src/Resources/Strings.Designer.cs: Generated file
Comments suppressed due to low confidence (1)
src/Microsoft.Data.SqlClient.Extensions/Azure/test/Config.cs:47
- Config currently defines both
TCPConnectionStringandTcpConnectionString, but onlyTCPConnectionStringis populated in the static constructor.HasTcpConnectionString()and some tests useTcpConnectionString, so they will see an empty string and get skipped/misconfigured. Collapse to a single backing property (keepTcpConnectionString) and makeTCPConnectionStringan alias if you still want the uppercase name for callers.
internal static string TCPConnectionString { get; } = string.Empty;
internal static string ServicePrincipalId { get; } = string.Empty;
internal static string ServicePrincipalSecret { get; } = string.Empty;
internal static string SystemAccessToken { get; } = string.Empty;
internal static bool SystemAssignedManagedIdentitySupported { get; } = false;
| SystemAssignedManagedIdentitySupported = | ||
| GetBool(root, "SupportsSystemAssignedManagedIdentity"); | ||
| TcpConnectionString = GetString(root, "TCPConnectionString"); | ||
| TCPConnectionString = GetString(root, "TCPConnectionString"); |
| internal static bool IsAzureSqlConnectionString() => !TCPConnectionString.IsEmpty() && IsAzureSqlServer(); | ||
| internal static bool HasServicePrincipal() => !ServicePrincipalId.IsEmpty() && !ServicePrincipalSecret.IsEmpty(); | ||
| internal static bool HasSystemAccessToken() => !SystemAccessToken.IsEmpty(); | ||
| internal static bool HasTcpConnectionString() => !TcpConnectionString.IsEmpty(); |
Follow up changes to test suite after #4288 where AAD Password auth was disabled from pipelines. This PR removes the AAD Password Conn String parameter completely to make it easier for AAD tests to be managed.
What Changed
Pipeline / config
AAD_PASSWORD_CONN_STR(_eastus)withAZURE_SQL_CONN_STRING_WestUS2/AZURE_SQL_CONN_STRING_EastUS(bare conn string, no credentials).AADAuthorityURLconfig property, as its now unused.AADPasswordConnectionString→AzureSqlConnectionStringacrossConfig.cs,config.default.jsonc, and pipeline templates (update-config-file-step.yml,ci-run-tests-job.yml,dotnet-sqlclient-ci-core.yml,test-azure-package-ci-job.yml).AADServicePrincipalIdinside theIsFork == 'False'guard (matches existing policy forAADServicePrincipalSecret).New shared test helpers (
tests/Common/)CommonUtils.cs:EnsureSeparator,GenerateRandomSecureString,GenerateRandomCharacters,GenerateObjectName.StringExtensions.cs: fluentAdd*AuthenticationToConnStringextensions (Integrated, Interactive, DeviceCodeFlow, ServicePrincipal, WorkloadIdentity, MSI, Default) plusAddUserToConnString/AddPasswordToConnString. Tests now compose auth ontoAzureSqlConnectionStringdynamically — required for broker-aware test legs.Test updates
ManualTests/SQL/ConnectivityTests/AADConnectionTest.cs: removed allActiveDirectoryPasswordcases; rewrote MSI / Workload Identity / Device Code / Default / token-callback tests against the new helpers; applied target-typednew(), collection expressions,using SecureString,Assert.Equal(ConnectionState.Open, …).DataTestUtility.cs,AADFedAuthTokenRefreshTest,ConnectionPoolTest, andMicrosoft.Data.SqlClient.Extensions/Azure/test/AADConnectionTest.cs+Config.csupdated to match.TESTGUIDE.mdand.github/instructions/testing.instructions.mdupdated.Breaking change (CI only)
Downstream pipelines /
config.user.jsoncmust renameAADPasswordConnectionString→AzureSqlConnectionStringand supply a bare Azure SQL connection string (noAuthentication=,User ID=,Password=). The variablesAAD_PASSWORD_CONN_STR/_eastusare no longer consumed and can be retired.Validation
dotnet buildManualTests / net9.0 — 0 warnings, 0 errors.dotnet testUnitTests / net9.0 — 792 pass; 4 failures are pre-existing macOS-env issues (Windows-only SSPI + keychain-restricted AE fixtures), not regressions.Future TODOs