Support AzCommand using AZURE_CREDENTIALS (#204)

* Support AzCommand using AZURE_CREDENTIALS

* spelling

* concurrency

Author: christothes

src/Commands/Extension/AzCommand.cs

@@ -7,6 +7,7 @@
 using AzureMcp.Arguments.Extension;
 using AzureMcp.Models.Argument;
 using AzureMcp.Models.Command;
+using AzureMcp.Services.Azure.Authentication;
 using AzureMcp.Services.Interfaces;
 using Microsoft.Extensions.Logging;
 using ModelContextProtocol.Server;
@@ -19,7 +20,8 @@ public sealed class AzCommand(ILogger<AzCommand> logger, int processTimeoutSecon
     private readonly int _processTimeoutSeconds = processTimeoutSeconds;
     private readonly Option<string> _commandOption = ArgumentDefinitions.Extension.Az.Command.ToOption();
     private static string? _cachedAzPath;
-
+    private volatile bool _isAuthenticated = false;
+    private static readonly SemaphoreSlim _authSemaphore = new(1, 1);
 
     protected override string GetCommandName() => "az";
 
@@ -105,6 +107,55 @@ protected override AzArguments BindArguments(ParseResult parseResult)
         return null;
     }
 
+    private async Task<bool> AuthenticateWithAzureCredentialsAsync(IExternalProcessService processService, ILogger logger)
+    {
+        if (_isAuthenticated)
+        {
+            Console.WriteLine("Already authenticated with Azure CLI.1");
+            return true;
+        }
+
+        try
+        {
+            // Check if the semaphore is already acquired to avoid re-authentication
+            bool isAcquired = await _authSemaphore.WaitAsync(1000);
+            if (!isAcquired || _isAuthenticated)
+            {
+                return _isAuthenticated;
+            }
+            var credentials = AuthenticationUtils.GetAzureCredentials(logger);
+            if (credentials == null)
+            {
+                logger.LogWarning("Invalid AZURE_CREDENTIALS format. Skipping authentication. Ensure it contains clientId, clientSecret, and tenantId.");
+                return false;
+            }
+
+            var azPath = FindAzCliPath() ?? throw new FileNotFoundException("Azure CLI executable not found in PATH or common installation locations. Please ensure Azure CLI is installed.");
+
+            var loginCommand = $"login --service-principal -u {credentials.ClientId} -p {credentials.ClientSecret} --tenant {credentials.TenantId}";
+            var result = await processService.ExecuteAsync(azPath, loginCommand, 60);
+
+            if (result.ExitCode != 0)
+            {
+                logger.LogWarning("Failed to authenticate with Azure CLI. Error: {Error}", result.Error);
+                return false;
+            }
+
+            _isAuthenticated = true;
+            logger.LogInformation("Successfully authenticated with Azure CLI using service principal.");
+            return true;
+        }
+        catch (Exception ex)
+        {
+            logger.LogWarning(ex, "Error during service principal authentication. Command will proceed without authentication.");
+            return false;
+        }
+        finally
+        {
+            _authSemaphore.Release();
+        }
+    }
+
     [McpServerTool(Destructive = true, ReadOnly = false)]
     public override async Task<CommandResponse> ExecuteAsync(CommandContext context, ParseResult parseResult)
     {
@@ -121,6 +172,9 @@ public override async Task<CommandResponse> ExecuteAsync(CommandContext context,
             var command = args.Command;
             var processService = context.GetService<IExternalProcessService>();
 
+            // Try to authenticate, but continue even if it fails
+            await AuthenticateWithAzureCredentialsAsync(processService, _logger);
+
             var azPath = FindAzCliPath() ?? throw new FileNotFoundException("Azure CLI executable not found in PATH or common installation locations. Please ensure Azure CLI is installed.");
             var result = await processService.ExecuteAsync(azPath, command, _processTimeoutSeconds);
 

src/Commands/JsonSourceGenerationContext.cs

@@ -4,6 +4,7 @@
 using System.Text.Json.Serialization;
 using AzureMcp.Commands;
 using AzureMcp.Commands.Group;
+using AzureMcp.Models;
 
 namespace AzureMcp;
 
@@ -12,6 +13,7 @@ namespace AzureMcp;
 [JsonSerializable(typeof(JsonElement))]
 [JsonSerializable(typeof(List<string>))]
 [JsonSerializable(typeof(List<JsonNode>))]
+[JsonSerializable(typeof(AzureCredentials))]
 [JsonSourceGenerationOptions(PropertyNamingPolicy = JsonKnownNamingPolicy.CamelCase)]
 internal partial class JsonSourceGenerationContext : JsonSerializerContext
 {

src/Models/AzureCredentials.cs

@@ -0,0 +1,13 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Text.Json.Serialization;
+
+namespace AzureMcp.Models;
+
+public record AzureCredentials(
+    [property: JsonPropertyName("clientId")] string ClientId,
+    [property: JsonPropertyName("clientSecret")] string ClientSecret,
+    [property: JsonPropertyName("tenantId")] string TenantId,
+    [property: JsonPropertyName("subscriptionId")] string? SubscriptionId = null
+);

src/Services/Azure/Authentication/AuthenticationUtils.cs

@@ -0,0 +1,44 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Text.Json;
+using AzureMcp.Models;
+using Microsoft.Extensions.Logging;
+
+namespace AzureMcp.Services.Azure.Authentication;
+
+/// <summary>
+/// A utility class for handling Azure authentication.
+/// </summary>
+
+public static class AuthenticationUtils
+{
+    /// <summary>
+    /// Fetches the Azure credentials from the environment variable AZURE_CREDENTIALS.
+    /// </summary>
+    public static AzureCredentials? GetAzureCredentials(ILogger logger)
+    {
+        var credentialsJson = Environment.GetEnvironmentVariable("AZURE_CREDENTIALS");
+        if (string.IsNullOrEmpty(credentialsJson))
+        {
+            return null;
+        }
+
+        try
+        {
+            // Use source-generated serialization to avoid trimmer warnings
+            var credentials = JsonSerializer.Deserialize(credentialsJson, JsonSourceGenerationContext.Default.AzureCredentials);
+            if (credentials == null)
+            {
+                logger.LogWarning("Invalid AZURE_CREDENTIALS format. Ensure it contains clientId, clientSecret, and tenantId.");
+                return null;
+            }
+            return credentials;
+        }
+        catch (JsonException ex)
+        {
+            logger.LogWarning(ex, "Failed to deserialize AZURE_CREDENTIALS. Ensure it contains clientId, clientSecret, and tenantId.");
+            return null;
+        }
+    }
+}

tests/Commands/Extension/AzCommandTests.cs

@@ -0,0 +1,169 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.CommandLine.Parsing;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using AzureMcp.Commands.Extension;
+using AzureMcp.Models.Command;
+using AzureMcp.Services.Interfaces;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using NSubstitute;
+using Xunit;
+
+namespace AzureMcp.Tests.Commands.Extension;
+
+public sealed class AzCommandTests
+{
+    private readonly IServiceProvider _serviceProvider;
+    private readonly IExternalProcessService _processService;
+    private readonly ILogger<AzCommand> _logger;
+
+    public AzCommandTests()
+    {
+        _processService = Substitute.For<IExternalProcessService>();
+        _logger = Substitute.For<ILogger<AzCommand>>();
+
+        var collection = new ServiceCollection();
+        collection.AddSingleton(_processService);
+        _serviceProvider = collection.BuildServiceProvider();
+    }
+
+    [Fact]
+    public void Execute_ReturnsArguments()
+    {
+        var command = new AzCommand(_logger);
+        var arguments = command.GetArguments();
+
+        Assert.NotNull(arguments);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_ReturnsSuccessResult_WhenCommandExecutesSuccessfully()
+    {
+        using (new TestEnvVar(new Dictionary<string, string>
+            {
+                { "AZURE_CREDENTIALS", """{"clientId": "myClientId","clientSecret": "myClientSecret","subscriptionId": "mySubscriptionID","tenantId": "myTenantId"}""" }
+            }))
+        {
+            // Arrange
+            var command = new AzCommand(_logger);
+            var parser = new Parser(command.GetCommand());
+            var args = parser.Parse("--command \"group list\"");
+            var context = new CommandContext(_serviceProvider);
+
+            var expectedOutput = """{"value":[{"id":"/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/test-rg","name":"test-rg","type":"Microsoft.Resources/resourceGroups","location":"eastus","properties":{"provisioningState":"Succeeded"}}]}""";
+            var expectedJson = JsonDocument.Parse(expectedOutput).RootElement.Clone();
+
+            _processService.ExecuteAsync(
+                Arg.Any<string>(),
+                "group list",
+                Arg.Any<int>(),
+                Arg.Any<IEnumerable<string>>())
+                .Returns(new ProcessResult(0, expectedOutput, string.Empty, "group list"));
+
+            _processService.ParseJsonOutput(Arg.Any<ProcessResult>())
+                .Returns(expectedJson);
+
+            // Act
+            var response = await command.ExecuteAsync(context, args);
+
+            // Assert
+            Assert.NotNull(response);
+            Assert.Equal(200, response.Status);
+            Assert.NotNull(response.Results);
+
+            // Verify the ProcessService was called with expected parameters
+            await _processService.Received().ExecuteAsync(
+                Arg.Any<string>(),
+                "group list",
+                Arg.Any<int>(),
+                Arg.Any<IEnumerable<string>>());
+
+            await _processService.Received().ExecuteAsync(
+                Arg.Any<string>(),
+                $"login --service-principal -u myClientId -p myClientSecret --tenant myTenantId",
+                Arg.Any<int>(),
+                Arg.Any<IEnumerable<string>>());
+        }
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_ReturnsErrorResponse_WhenCommandFails()
+    {
+        // Arrange
+        var command = new AzCommand(_logger);
+        var parser = new Parser(command.GetCommand());
+        var args = parser.Parse("--command \"group invalid-command\"");
+        var context = new CommandContext(_serviceProvider);
+
+        var errorMessage = "Error: az group: 'invalid-command' is not an az command.";
+
+        _processService.ExecuteAsync(
+            Arg.Any<string>(),
+            "group invalid-command",
+            Arg.Any<int>(),
+            Arg.Any<IEnumerable<string>>())
+            .Returns(new ProcessResult(1, string.Empty, errorMessage, "group invalid-command"));
+
+        // Act
+        var response = await command.ExecuteAsync(context, args);
+
+        // Assert
+        Assert.NotNull(response);
+        Assert.Equal(500, response.Status);
+        Assert.Equal(errorMessage, response.Message);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_HandlesException_AndSetsException()
+    {
+        // Arrange
+        var command = new AzCommand(_logger);
+        var parser = new Parser(command.GetCommand());
+        var args = parser.Parse("--command \"group list\"");
+        var context = new CommandContext(_serviceProvider);
+
+        var exceptionMessage = "Azure CLI executable not found";
+
+        _processService.ExecuteAsync(
+            Arg.Any<string>(),
+            "group list",
+            Arg.Any<int>(),
+            Arg.Any<IEnumerable<string>>())
+            .Returns(Task.FromException<ProcessResult>(new FileNotFoundException(exceptionMessage)));
+
+        // Act
+        var response = await command.ExecuteAsync(context, args);
+
+        // Assert
+        Assert.NotNull(response);
+        Assert.Equal(500, response.Status);
+        Assert.Contains("To mitigate this issue", response.Message);
+        Assert.Contains(exceptionMessage, response.Message);
+    }
+
+    [Fact]
+    public async Task ExecuteAsync_ReturnsBadRequest_WhenMissingRequiredArguments()
+    {
+        // Arrange
+        var command = new AzCommand(_logger);
+        var parser = new Parser(command.GetCommand());
+        var args = parser.Parse(""); // No command specified
+        var context = new CommandContext(_serviceProvider);
+
+        // Act
+        var response = await command.ExecuteAsync(context, args);
+
+        // Assert
+        Assert.NotNull(response);
+        Assert.Equal(400, response.Status);
+    }
+
+    private sealed class AzResult
+    {
+        [JsonPropertyName("value")]
+        public List<JsonElement> Value { get; set; } = new();
+    }
+}