[test][ACR] move to use federated auth (Azure#30173)

- bump @azure-tools/test-credential to ^2.0.0
- remove env vars that are no longer used from tests.yml
- update karma.config.js to remove env vars
- remove unused env vars from test utils
- remove unused env vars from sample.env
- bump dev dep `@azure/identity` version to ^4.2.1
- re-publish samples

---------

Co-authored-by: Timo van Veenendaal <timov@microsoft.com>

sdk/containerregistry/container-registry/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "js",
   "TagPrefix": "js/containerregistry/container-registry",
-  "Tag": "js/containerregistry/container-registry_59421903dd"
+  "Tag": "js/containerregistry/container-registry_da78a482eb"
 }

sdk/containerregistry/container-registry/karma.conf.js

@@ -49,9 +49,6 @@ module.exports = function (config) {
       "TEST_MODE",
       "CONTAINER_REGISTRY_ENDPOINT",
       "CONTAINER_REGISTRY_ANONYMOUS_ENDPOINT",
-      "CONTAINERREGISTRY_CLIENT_ID",
-      "CONTAINERREGISTRY_CLIENT_SECRET",
-      "CONTAINERREGISTRY_TENANT_ID",
       "RECORDINGS_RELATIVE_PATH",
     ],
 

sdk/containerregistry/container-registry/package.json

@@ -89,10 +89,10 @@
   "devDependencies": {
     "@azure/dev-tool": "^1.0.0",
     "@azure/eslint-plugin-azure-sdk": "^3.0.0",
-    "@azure/identity": "^4.0.1",
+    "@azure/identity": "^4.2.1",
     "@azure/core-util": "^1.9.0",
     "@azure-tools/test-utils": "^1.0.1",
-    "@azure-tools/test-credential": "^1.0.0",
+    "@azure-tools/test-credential": "^2.0.0",
     "@azure-tools/test-recorder": "^3.0.0",
     "@microsoft/api-extractor": "^7.31.1",
     "@types/chai": "^4.1.6",

sdk/containerregistry/container-registry/sample.env

@@ -6,16 +6,6 @@ CONTAINER_REGISTRY_ANONYMOUS_ENDPOINT="<container registry anonymous REST API en
 REPOSITORY_NAME="<repository name>"
 REGISTRY="<name of registry>"
 
-# Used to authenticate using Azure AD as a service principal for role-based
-# authentication in the tokenAuth sample.
-#
-# See the documentation for `EnvironmentCredential` at the following link:
-# https://docs.microsoft.com/javascript/api/@azure/identity/environmentcredential
-
-CONTAINERREGISTRY_TENANT_ID="<AD tenant id or name>"
-CONTAINERREGISTRY_CLIENT_ID="<ID of the user/service principal to authenticate as>"
-CONTAINERREGISTRY_CLIENT_SECRET="<client secret used to authenticate to Azure AD>"
-
 # Our tests assume that TEST_MODE is "playback" by default. You can change it
 # to "record" to generate new recordings, or "live" to bypass the recorder
 # entirely.

sdk/containerregistry/container-registry/samples/v1/javascript/deleteBlob.js

@@ -20,7 +20,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const downloadResult = await client.getManifest("latest");

sdk/containerregistry/container-registry/samples/v1/javascript/deleteManifest.js

@@ -17,7 +17,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const downloadResult = await client.getManifest("latest");

sdk/containerregistry/container-registry/samples/v1/javascript/downloadCustomManifest.js

@@ -17,7 +17,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const manifestListType = "application/vnd.docker.distribution.manifest.list.v2+json";

sdk/containerregistry/container-registry/samples/v1/javascript/downloadImage.js

@@ -27,7 +27,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   // Download the manifest to obtain the list of files in the image based on the tag

sdk/containerregistry/container-registry/samples/v1/javascript/sample.env

@@ -6,16 +6,6 @@ CONTAINER_REGISTRY_ANONYMOUS_ENDPOINT="<container registry anonymous REST API en
 REPOSITORY_NAME="<repository name>"
 REGISTRY="<name of registry>"
 
-# Used to authenticate using Azure AD as a service principal for role-based
-# authentication in the tokenAuth sample.
-#
-# See the documentation for `EnvironmentCredential` at the following link:
-# https://docs.microsoft.com/javascript/api/@azure/identity/environmentcredential
-
-CONTAINERREGISTRY_TENANT_ID="<AD tenant id or name>"
-CONTAINERREGISTRY_CLIENT_ID="<ID of the user/service principal to authenticate as>"
-CONTAINERREGISTRY_CLIENT_SECRET="<client secret used to authenticate to Azure AD>"
-
 # Our tests assume that TEST_MODE is "playback" by default. You can change it
 # to "record" to generate new recordings, or "live" to bypass the recorder
 # entirely.

sdk/containerregistry/container-registry/samples/v1/javascript/uploadCustomManifest.js

@@ -17,7 +17,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const mediaType = "application/vnd.docker.distribution.manifest.list.v2+json";

sdk/containerregistry/container-registry/samples/v1/javascript/uploadImage.js

@@ -17,7 +17,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const config = Buffer.from("Sample config");

sdk/containerregistry/container-registry/samples/v1/javascript/uploadManifest.js

@@ -17,7 +17,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const layer = Buffer.from("Hello, world");
@@ -31,7 +31,7 @@ async function main() {
         type: "layers",
         diff_ids: [layerDigest],
       },
-    })
+    }),
   );
 
   const { digest: configDigest, sizeInBytes: configSize } = await client.uploadBlob(config);

sdk/containerregistry/container-registry/samples/v1/typescript/sample.env

@@ -6,16 +6,6 @@ CONTAINER_REGISTRY_ANONYMOUS_ENDPOINT="<container registry anonymous REST API en
 REPOSITORY_NAME="<repository name>"
 REGISTRY="<name of registry>"
 
-# Used to authenticate using Azure AD as a service principal for role-based
-# authentication in the tokenAuth sample.
-#
-# See the documentation for `EnvironmentCredential` at the following link:
-# https://docs.microsoft.com/javascript/api/@azure/identity/environmentcredential
-
-CONTAINERREGISTRY_TENANT_ID="<AD tenant id or name>"
-CONTAINERREGISTRY_CLIENT_ID="<ID of the user/service principal to authenticate as>"
-CONTAINERREGISTRY_CLIENT_SECRET="<client secret used to authenticate to Azure AD>"
-
 # Our tests assume that TEST_MODE is "playback" by default. You can change it
 # to "record" to generate new recordings, or "live" to bypass the recorder
 # entirely.

sdk/containerregistry/container-registry/samples/v1/typescript/src/deleteBlob.ts

@@ -22,7 +22,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const downloadResult = await client.getManifest("latest");

sdk/containerregistry/container-registry/samples/v1/typescript/src/deleteManifest.ts

@@ -18,7 +18,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const downloadResult = await client.getManifest("latest");

sdk/containerregistry/container-registry/samples/v1/typescript/src/downloadCustomManifest.ts

@@ -18,7 +18,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const manifestListType = "application/vnd.docker.distribution.manifest.list.v2+json";

sdk/containerregistry/container-registry/samples/v1/typescript/src/downloadImage.ts

@@ -28,7 +28,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   // Download the manifest to obtain the list of files in the image based on the tag

sdk/containerregistry/container-registry/samples/v1/typescript/src/repositoryAndArtifact.ts

@@ -91,7 +91,7 @@ async function listTagPropertiesByPages(artifact: RegistryArtifact, pagesSize: n
 }
 
 async function listManifestProperties(
-  repository: ContainerRepository
+  repository: ContainerRepository,
 ): Promise<ArtifactManifestProperties[]> {
   console.log("Listing artifacts");
   const artifacts: ArtifactManifestProperties[] = [];
@@ -137,7 +137,7 @@ async function getProperties(repository: ContainerRepository) {
     `    canDelete: ${properties.canDelete},
     canList: ${properties.canList},
     canRead: ${properties.canRead},
-    canWrite: ${properties.canWrite}`
+    canWrite: ${properties.canWrite}`,
   );
   console.log("  }");
 }

sdk/containerregistry/container-registry/samples/v1/typescript/src/uploadCustomManifest.ts

@@ -18,7 +18,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const mediaType = "application/vnd.docker.distribution.manifest.list.v2+json";

sdk/containerregistry/container-registry/samples/v1/typescript/src/uploadImage.ts

@@ -18,7 +18,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const config = Buffer.from("Sample config");

sdk/containerregistry/container-registry/samples/v1/typescript/src/uploadManifest.ts

@@ -18,7 +18,7 @@ async function main() {
   const client = new ContainerRegistryContentClient(
     endpoint,
     repository,
-    new DefaultAzureCredential()
+    new DefaultAzureCredential(),
   );
 
   const layer = Buffer.from("Hello, world");
@@ -32,7 +32,7 @@ async function main() {
         type: "layers",
         diff_ids: [layerDigest],
       },
-    })
+    }),
   );
 
   const { digest: configDigest, sizeInBytes: configSize } = await client.uploadBlob(config);

sdk/containerregistry/container-registry/samples/v1/typescript/tsconfig.json

@@ -12,6 +12,6 @@
     "rootDir": "src"
   },
   "include": [
-    "src/**.ts"
+    "src/**/*.ts"
   ]
 }

sdk/containerregistry/container-registry/test/utils/utils.ts

@@ -18,9 +18,6 @@ import { isNodeLike } from "@azure/core-util";
 const envSetupForPlayback: Record<string, string> = {
   CONTAINER_REGISTRY_ENDPOINT: "https://myregistry.azurecr.io",
   CONTAINER_REGISTRY_ANONYMOUS_ENDPOINT: "https://myregistry.azurecr.io",
-  CONTAINERREGISTRY_TENANT_ID: "12345678-1234-1234-1234-123456789012",
-  CONTAINERREGISTRY_CLIENT_ID: "azure_client_id",
-  CONTAINERREGISTRY_CLIENT_SECRET: "azure_client_secret",
   SUBSCRIPTION_ID: "subscription_id",
   RESOURCE_GROUP: "resource_group_id",
   REGISTRY: "myregistry",
@@ -61,6 +58,13 @@ export const recorderStartOptions: RecorderStartOptions = {
       },
     ],
   },
+
+  removeCentralSanitizers: [
+    // our own refresh token sanitizer above replaces the value with a valid JWT which is required for tests to work
+    "AZSDK3401",
+    // "name" as used in tag properties is not secret and does not need to be sanitized
+    "AZSDK3493",
+  ],
 };
 
 function getAuthority(endpoint: string): AzureAuthorityHosts | undefined {

sdk/containerregistry/container-registry/tests.yml

@@ -5,12 +5,9 @@ extends:
     parameters:
       PackageName: "@azure/container-registry"
       ServiceDirectory: containerregistry
+      UseFederatedAuth: true
       MatrixFilters:
         - DependencyVersion=^$
         - ${{ if contains(variables['Build.DefinitionName'], 'tests-weekly') }}:
           - Pool=.*mms-ubuntu-2004.*
       SupportedClouds: 'Public,UsGov,China'
-      EnvVars:
-        AZURE_CLIENT_ID: $(aad-azure-sdk-test-client-id)
-        AZURE_TENANT_ID: $(aad-azure-sdk-test-tenant-id)
-        AZURE_CLIENT_SECRET: $(aad-azure-sdk-test-client-secret)