py2docfx 0.1.20rc2196756__py3-none-any.whl → 0.1.21.dev2246704__py3-none-any.whl

py2docfx/venv/venv1/Lib/site-packages/azure/core/pipeline/policies/_authentication_async.py

@@ -13,6 +13,7 @@ from azure.core.credentials_async import (
     AsyncSupportsTokenInfo,
     AsyncTokenProvider,
 )
+from azure.core.exceptions import HttpResponseError
 from azure.core.pipeline import PipelineRequest, PipelineResponse
 from azure.core.pipeline.policies import AsyncHTTPPolicy
 from azure.core.pipeline.policies._authentication import (
@@ -110,7 +111,21 @@ class AsyncBearerTokenCredentialPolicy(AsyncHTTPPolicy[HTTPRequestType, AsyncHTT
         if response.http_response.status_code == 401:
             self._token = None  # any cached token is invalid
             if "WWW-Authenticate" in response.http_response.headers:
-                request_authorized = await self.on_challenge(request, response)
+                try:
+                    request_authorized = await self.on_challenge(request, response)
+                except Exception as ex:
+                    # If the response is streamed, read it so the error message is immediately available to the user.
+                    # Otherwise, a generic error message will be given and the user will have to read the response
+                    # body to see the actual error.
+                    if response.context.options.get("stream"):
+                        try:
+                            await response.http_response.read()  # type: ignore
+                        except Exception:  # pylint:disable=broad-except
+                            pass
+
+                    # Raise the exception from the token request with the original 401 response
+                    raise ex from HttpResponseError(response=response.http_response)
+
                 if request_authorized:
                     # if we receive a challenge response, we retrieve a new token
                     # which matches the new target. In this case, we don't want to remove
@@ -145,14 +160,11 @@ class AsyncBearerTokenCredentialPolicy(AsyncHTTPPolicy[HTTPRequestType, AsyncHTT
             encoded_claims = get_challenge_parameter(headers, "Bearer", "claims")
             if not encoded_claims:
                 return False
-            try:
-                padding_needed = -len(encoded_claims) % 4
-                claims = base64.urlsafe_b64decode(encoded_claims + "=" * padding_needed).decode("utf-8")
-                if claims:
-                    await self.authorize_request(request, *self._scopes, claims=claims)
-                    return True
-            except Exception:  # pylint:disable=broad-except
-                return False
+            padding_needed = -len(encoded_claims) % 4
+            claims = base64.urlsafe_b64decode(encoded_claims + "=" * padding_needed).decode("utf-8")
+            if claims:
+                await self.authorize_request(request, *self._scopes, claims=claims)
+                return True
         return False
 
     def on_response(

py2docfx/venv/venv1/Lib/site-packages/azure/core/pipeline/policies/_retry.py

@@ -118,7 +118,7 @@ class RetryPolicyBase:
             "read": options.pop("retry_read", self.read_retries),
             "status": options.pop("retry_status", self.status_retries),
             "backoff": options.pop("retry_backoff_factor", self.backoff_factor),
-            "max_backoff": options.pop("retry_backoff_max", self.BACKOFF_MAX),
+            "max_backoff": options.pop("retry_backoff_max", self.backoff_max),
             "methods": options.pop("retry_on_methods", self._method_whitelist),
             "timeout": options.pop("timeout", self.timeout),
             "history": [],

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_bearer_token_provider.py

@@ -30,7 +30,7 @@ def get_bearer_token_provider(credential: TokenProvider, *scopes: str) -> Callab
         request.headers["Authorization"] = "Bearer " + bearer_token_provider()
 
     :param credential: The credential used to authenticate the request.
-    :type credential: ~azure.core.credentials.TokenCredential
+    :type credential: ~azure.core.credentials.TokenProvider
     :param str scopes: The scopes required for the bearer token.
     :rtype: callable
     :return: A callable that returns a bearer token.

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/authorization_code.py

@@ -127,7 +127,7 @@ class AuthorizationCodeCredential(GetTokenMixin):
             return token
 
         token = None
-        for refresh_token in self._client.get_cached_refresh_tokens(scopes):
+        for refresh_token in self._client.get_cached_refresh_tokens(scopes, **kwargs):
             if "secret" in refresh_token:
                 token = self._client.obtain_token_by_refresh_token(scopes, refresh_token["secret"], **kwargs)
                 if token:

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/azd_cli.py

@@ -17,7 +17,7 @@ from azure.core.credentials import AccessToken, AccessTokenInfo, TokenRequestOpt
 from azure.core.exceptions import ClientAuthenticationError
 
 from .. import CredentialUnavailableError
-from .._internal import resolve_tenant, within_dac, validate_tenant_id, validate_scope
+from .._internal import encode_base64, resolve_tenant, within_dac, validate_tenant_id, validate_scope
 from .._internal.decorators import log_get_token
 
 
@@ -28,7 +28,11 @@ CLI_NOT_FOUND = (
     "Please visit https://aka.ms/azure-dev for installation instructions and then,"
     "once installed, authenticate to your Azure account using 'azd auth login'."
 )
-COMMAND_LINE = ["auth", "token", "--output", "json"]
+UNKNOWN_CLAIMS_FLAG = (
+    "Claims challenges are not supported by the Azure Developer CLI version you are using. "
+    "Please update to version 1.18.1 or later."
+)
+COMMAND_LINE = ["auth", "token", "--output", "json", "--no-prompt"]
 EXECUTABLE_NAME = "azd"
 NOT_LOGGED_IN = "Please run 'azd auth login' from a command prompt to authenticate before using this credential."
 
@@ -99,7 +103,7 @@ class AzureDeveloperCliCredential:
     def get_token(
         self,
         *scopes: str,
-        claims: Optional[str] = None,  # pylint:disable=unused-argument
+        claims: Optional[str] = None,
         tenant_id: Optional[str] = None,
         **kwargs: Any,
     ) -> AccessToken:
@@ -111,7 +115,8 @@ class AzureDeveloperCliCredential:
         :param str scopes: desired scope for the access token. This credential allows only one scope per request.
             For more information about scopes, see
             https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
-        :keyword str claims: not used by this credential; any value provided will be ignored.
+        :keyword str claims: additional claims required in the token, such as those returned in a resource provider's
+            claims challenge following an authorization failure.
         :keyword str tenant_id: optional tenant to include in the token request.
 
         :return: An access token with the desired scopes.
@@ -125,6 +130,8 @@ class AzureDeveloperCliCredential:
         options: TokenRequestOptions = {}
         if tenant_id:
             options["tenant_id"] = tenant_id
+        if claims:
+            options["claims"] = claims
 
         token_info = self._get_token_base(*scopes, options=options, **kwargs)
         return AccessToken(token_info.token, token_info.expires_on)
@@ -159,6 +166,7 @@ class AzureDeveloperCliCredential:
             raise ValueError("Missing scope in request. \n")
 
         tenant_id = options.get("tenant_id") if options else None
+        claims = options.get("claims") if options else None
         if tenant_id:
             validate_tenant_id(tenant_id)
         for scope in scopes:
@@ -175,16 +183,23 @@ class AzureDeveloperCliCredential:
         )
         if tenant:
             command_args += ["--tenant-id", tenant]
+        if claims:
+            command_args += ["--claims", encode_base64(claims)]
         output = _run_command(command_args, self._process_timeout)
 
         token = parse_token(output)
         if not token:
-            sanitized_output = sanitize_output(output)
-            message = (
-                f"Unexpected output from Azure Developer CLI: '{sanitized_output}'. \n"
-                f"To mitigate this issue, please refer to the troubleshooting guidelines here at "
-                f"https://aka.ms/azsdk/python/identity/azdevclicredential/troubleshoot."
-            )
+            # Try to extract a meaningful error from azd consoleMessage JSON lines
+            extracted = extract_cli_error_message(output)
+            if extracted:
+                message = extracted
+            else:
+                sanitized_output = sanitize_output(output)
+                message = (
+                    f"Unexpected output from Azure Developer CLI: '{sanitized_output}'. \n"
+                    f"To mitigate this issue, please refer to the troubleshooting guidelines here at "
+                    f"https://aka.ms/azsdk/python/identity/azdevclicredential/troubleshoot."
+                )
             if within_dac.get():
                 raise CredentialUnavailableError(message=message)
             raise ClientAuthenticationError(message=message)
@@ -241,6 +256,54 @@ def sanitize_output(output: str) -> str:
     return re.sub(r"\"token\": \"(.*?)(\"|$)", "****", output)
 
 
+def extract_cli_error_message(output: str) -> Optional[str]:
+    """
+    Extract a single, user-friendly message from azd consoleMessage JSON output.
+
+    :param str output: The output from the Azure Developer CLI command.
+    :return: A user-friendly error message if found, otherwise None.
+    :rtype: Optional[str]
+
+    Preference order:
+    1) A message containing "Suggestion" (case-insensitive)
+    2) The second message if multiple are present
+    3) The first message if only one exists
+    Returns None if no messages can be parsed.
+    """
+    messages: List[str] = []
+    for line in output.splitlines():
+        line = line.strip()
+        if not line:
+            continue
+        try:
+            obj = json.loads(line)
+        except json.JSONDecodeError:  # not JSON -> ignore
+            continue
+        if isinstance(obj, dict):
+            data = obj.get("data")
+            if isinstance(data, dict):
+                msg = data.get("message")
+                if isinstance(msg, str) and msg.strip():
+                    messages.append(msg.strip())
+                    continue
+            msg = obj.get("message")
+            if isinstance(msg, str) and msg.strip():
+                messages.append(msg.strip())
+
+    if not messages:
+        return None
+
+    # Prefer the suggestion line if present
+    for msg in messages:
+        if "suggestion" in msg.lower():
+            return sanitize_output(msg)
+
+    # If more than one message exists, return the last one
+    if len(messages) > 1:
+        return sanitize_output(messages[-1])
+    return sanitize_output(messages[0])
+
+
 def _run_command(command_args: List[str], timeout: int) -> str:
     # Ensure executable exists in PATH first. This avoids a subprocess call that would fail anyway.
     azd_path = shutil.which(EXECUTABLE_NAME)
@@ -267,16 +330,18 @@ def _run_command(command_args: List[str], timeout: int) -> str:
         # Fallback check in case the executable is not found while executing subprocess.
         if ex.returncode == 127 or (ex.stderr is not None and ex.stderr.startswith("'azd' is not recognized")):
             raise CredentialUnavailableError(message=CLI_NOT_FOUND) from ex
-        if ex.stderr is not None and (
-            "not logged in, run `azd auth login` to login" in ex.stderr and "AADSTS" not in ex.stderr
-        ):
+        combined_text = "{}\n{}".format(ex.output or "", ex.stderr or "")
+        if "not logged in, run `azd auth login` to login" in combined_text and "AADSTS" not in combined_text:
             raise CredentialUnavailableError(message=NOT_LOGGED_IN) from ex
+        if "unknown flag: --claims" in combined_text:
+            raise CredentialUnavailableError(message=UNKNOWN_CLAIMS_FLAG) from ex
 
         # return code is from the CLI -> propagate its output
-        if ex.stderr:
-            message = sanitize_output(ex.stderr)
-        else:
-            message = "Failed to invoke Azure Developer CLI"
+        message = (
+            extract_cli_error_message(ex.output or "")
+            or extract_cli_error_message(ex.stderr or "")
+            or (sanitize_output(ex.stderr) if ex.stderr else "Failed to invoke Azure Developer CLI")
+        )
         if within_dac.get():
             raise CredentialUnavailableError(message=message) from ex
         raise ClientAuthenticationError(message=message) from ex

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/azure_cli.py

@@ -18,6 +18,7 @@ from azure.core.exceptions import ClientAuthenticationError
 from .. import CredentialUnavailableError
 from .._internal import (
     _scopes_to_resource,
+    encode_base64,
     resolve_tenant,
     within_dac,
     validate_tenant_id,
@@ -34,6 +35,11 @@ CLI_NOT_FOUND = "Azure CLI not found on path"
 COMMAND_LINE = ["account", "get-access-token", "--output", "json"]
 EXECUTABLE_NAME = "az"
 NOT_LOGGED_IN = "Please run 'az login' to set up an account"
+CLAIMS_UNSUPPORTED_ERROR = (
+    "This credential doesn't support claims challenges. To authenticate with the required "
+    "claims, please run the following command (requires Azure CLI version 2.76.0 or later): "
+    "az login --claims-challenge {claims_value}"
+)
 
 
 class AzureCliCredential:
@@ -90,7 +96,7 @@ class AzureCliCredential:
     def get_token(
         self,
         *scopes: str,
-        claims: Optional[str] = None,  # pylint:disable=unused-argument
+        claims: Optional[str] = None,
         tenant_id: Optional[str] = None,
         **kwargs: Any,
     ) -> AccessToken:
@@ -102,20 +108,23 @@ class AzureCliCredential:
         :param str scopes: desired scope for the access token. This credential allows only one scope per request.
             For more information about scopes, see
             https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
-        :keyword str claims: not used by this credential; any value provided will be ignored.
+        :keyword str claims: additional claims required in the token. This credential does not support claims
+            challenges.
         :keyword str tenant_id: optional tenant to include in the token request.
 
         :return: An access token with the desired scopes.
         :rtype: ~azure.core.credentials.AccessToken
 
-        :raises ~azure.identity.CredentialUnavailableError: the credential was unable to invoke the Azure CLI.
+        :raises ~azure.identity.CredentialUnavailableError: the credential was either unable to invoke the Azure CLI
+          or a claims challenge was provided.
         :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked the Azure CLI but didn't
           receive an access token.
         """
-
         options: TokenRequestOptions = {}
         if tenant_id:
             options["tenant_id"] = tenant_id
+        if claims:
+            options["claims"] = claims
 
         token_info = self._get_token_base(*scopes, options=options, **kwargs)
         return AccessToken(token_info.token, token_info.expires_on)
@@ -136,7 +145,8 @@ class AzureCliCredential:
         :rtype: ~azure.core.credentials.AccessTokenInfo
         :return: An AccessTokenInfo instance containing information about the token.
 
-        :raises ~azure.identity.CredentialUnavailableError: the credential was unable to invoke the Azure CLI.
+        :raises ~azure.identity.CredentialUnavailableError: the credential was either unable to invoke the Azure CLI
+          or a claims challenge was provided.
         :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked the Azure CLI but didn't
           receive an access token.
         """
@@ -145,6 +155,19 @@ class AzureCliCredential:
     def _get_token_base(
         self, *scopes: str, options: Optional[TokenRequestOptions] = None, **kwargs: Any
     ) -> AccessTokenInfo:
+        # Check for claims challenge first
+        if options and "claims" in options and options["claims"]:
+            error_message = CLAIMS_UNSUPPORTED_ERROR.format(claims_value=encode_base64(options["claims"]))
+
+            # Add tenant if provided in options
+            if options.get("tenant_id"):
+                error_message += f" --tenant {options.get('tenant_id')}"
+
+            # Add scope if provided
+            if scopes:
+                error_message += f" --scope {scopes[0]}"
+
+            raise CredentialUnavailableError(message=error_message)
 
         tenant_id = options.get("tenant_id") if options else None
         if tenant_id:

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/azure_powershell.py

@@ -13,7 +13,14 @@ from azure.core.exceptions import ClientAuthenticationError
 
 from .azure_cli import get_safe_working_dir
 from .. import CredentialUnavailableError
-from .._internal import _scopes_to_resource, resolve_tenant, within_dac, validate_tenant_id, validate_scope
+from .._internal import (
+    _scopes_to_resource,
+    encode_base64,
+    resolve_tenant,
+    within_dac,
+    validate_tenant_id,
+    validate_scope,
+)
 from .._internal.decorators import log_get_token
 
 
@@ -24,6 +31,11 @@ BLOCKED_BY_EXECUTION_POLICY = "Execution policy prevented invoking Azure PowerSh
 NO_AZ_ACCOUNT_MODULE = "NO_AZ_ACCOUNT_MODULE"
 POWERSHELL_NOT_INSTALLED = "PowerShell is not installed"
 RUN_CONNECT_AZ_ACCOUNT = 'Please run "Connect-AzAccount" to set up account'
+CLAIMS_UNSUPPORTED_ERROR = (
+    "This credential doesn't support claims challenges. To authenticate with the required "
+    "claims, please run the following command (requires Az.Accounts module version 5.2.0 or later): "
+    "Connect-AzAccount -ClaimsChallenge {claims_value}"
+)
 SCRIPT = """$ErrorActionPreference = 'Stop'
 [version]$minimumVersion = '2.2.0'
 
@@ -112,7 +124,7 @@ class AzurePowerShellCredential:
     def get_token(
         self,
         *scopes: str,
-        claims: Optional[str] = None,  # pylint:disable=unused-argument
+        claims: Optional[str] = None,
         tenant_id: Optional[str] = None,
         **kwargs: Any,
     ) -> AccessToken:
@@ -135,10 +147,11 @@ class AzurePowerShellCredential:
         :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked Azure PowerShell but didn't
           receive an access token
         """
-
         options: TokenRequestOptions = {}
         if tenant_id:
             options["tenant_id"] = tenant_id
+        if claims:
+            options["claims"] = claims
 
         token_info = self._get_token_base(*scopes, options=options, **kwargs)
         return AccessToken(token_info.token, token_info.expires_on)
@@ -170,6 +183,13 @@ class AzurePowerShellCredential:
         self, *scopes: str, options: Optional[TokenRequestOptions] = None, **kwargs: Any
     ) -> AccessTokenInfo:
 
+        # Check if claims challenge is provided
+        if options and "claims" in options and options["claims"]:
+            error_message = CLAIMS_UNSUPPORTED_ERROR.format(claims_value=encode_base64(options["claims"]))
+            if options.get("tenant_id"):
+                error_message += f" -Tenant {options.get('tenant_id')}"
+            raise CredentialUnavailableError(message=error_message)
+
         tenant_id = options.get("tenant_id") if options else None
         if tenant_id:
             validate_tenant_id(tenant_id)
@@ -269,7 +289,11 @@ def raise_for_error(return_code: int, stdout: str, stderr: str) -> None:
 
     if stderr:
         # stderr is too noisy to include with an exception but may be useful for debugging
-        _LOGGER.debug('%s received an error from Azure PowerShell: "%s"', AzurePowerShellCredential.__name__, stderr)
+        _LOGGER.debug(
+            '%s received an error from Azure PowerShell: "%s"',
+            AzurePowerShellCredential.__name__,
+            stderr,
+        )
     raise CredentialUnavailableError(
         message="Failed to invoke PowerShell. Enable debug logging for additional information."
     )

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/broker.py

@@ -0,0 +1,79 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import sys
+from typing import Any
+
+import msal
+from azure.core.credentials import AccessToken, AccessTokenInfo, SupportsTokenInfo
+from .._exceptions import CredentialUnavailableError
+from .._internal.utils import get_broker_credential, is_wsl
+
+
+class BrokerCredential(SupportsTokenInfo):
+    """A broker credential that handles prerequisite checking and falls back appropriately.
+
+    This credential checks if the azure-identity-broker package is available and the platform
+    is supported. If both conditions are met, it uses the real broker credential. Otherwise,
+    it raises CredentialUnavailableError with an appropriate message.
+    """
+
+    def __init__(self, **kwargs: Any) -> None:
+
+        self._tenant_id = kwargs.pop("tenant_id", None)
+        self._client_id = kwargs.pop("client_id", None)
+        self._broker_credential = None
+        self._unavailable_message = None
+
+        # Check prerequisites and initialize the appropriate credential
+        broker_credential_class = get_broker_credential()
+        if broker_credential_class and (sys.platform.startswith("win") or is_wsl()):
+            # The silent auth flow for brokered auth is available on Windows/WSL with the broker package
+            try:
+                broker_credential_args = {
+                    "tenant_id": self._tenant_id,
+                    "parent_window_handle": msal.PublicClientApplication.CONSOLE_WINDOW_HANDLE,
+                    "use_default_broker_account": True,
+                    "disable_interactive_fallback": True,
+                    **kwargs,
+                }
+                if self._client_id:
+                    broker_credential_args["client_id"] = self._client_id
+                self._broker_credential = broker_credential_class(**broker_credential_args)
+            except Exception as ex:  # pylint: disable=broad-except
+                self._unavailable_message = f"InteractiveBrowserBrokerCredential initialization failed: {ex}"
+        else:
+            # Determine the specific reason for unavailability
+            if broker_credential_class is None:
+                self._unavailable_message = (
+                    "InteractiveBrowserBrokerCredential unavailable. "
+                    "The 'azure-identity-broker' package is required to use brokered authentication."
+                )
+            else:
+                self._unavailable_message = (
+                    "InteractiveBrowserBrokerCredential unavailable. "
+                    "Brokered authentication is only supported on Windows and WSL platforms."
+                )
+
+    def get_token(self, *scopes: str, **kwargs: Any) -> AccessToken:
+        if self._broker_credential:
+            return self._broker_credential.get_token(*scopes, **kwargs)
+        raise CredentialUnavailableError(message=self._unavailable_message)
+
+    def get_token_info(self, *scopes: str, **kwargs: Any) -> AccessTokenInfo:
+        if self._broker_credential:
+            return self._broker_credential.get_token_info(*scopes, **kwargs)
+        raise CredentialUnavailableError(message=self._unavailable_message)
+
+    def __enter__(self) -> "BrokerCredential":
+        if self._broker_credential:
+            self._broker_credential.__enter__()
+        return self
+
+    def __exit__(self, *args):
+        if self._broker_credential:
+            self._broker_credential.__exit__(*args)
+
+    def close(self) -> None:
+        self.__exit__()

py2docfx/venv/venv1/Lib/site-packages/azure/identity/_credentials/chained.py

@@ -23,10 +23,16 @@ _LOGGER = logging.getLogger(__name__)
 def _get_error_message(history):
     attempts = []
     for credential, error in history:
+        # Check if credential has a custom name (for DACErrorReporter instances)
+        if hasattr(credential, "_credential_name"):
+            credential_name = credential._credential_name  # pylint: disable=protected-access
+        else:
+            credential_name = credential.__class__.__name__
+
         if error:
-            attempts.append("{}: {}".format(credential.__class__.__name__, error))
+            attempts.append("{}: {}".format(credential_name, error))
         else:
-            attempts.append(credential.__class__.__name__)
+            attempts.append(credential_name)
     return """
 Attempted credentials:\n\t{}""".format(
         "\n\t".join(attempts)
@@ -41,7 +47,7 @@ class ChainedTokenCredential:
     <"https://aka.ms/azsdk/python/identity/credential-chains#chainedtokencredential-overview">`__.
 
     :param credentials: credential instances to form the chain
-    :type credentials: ~azure.core.credentials.TokenCredential
+    :type credentials: ~azure.core.credentials.TokenProvider
 
     .. admonition:: Example: