From ec8d7a03b6b6e279e6bddd7f96755a44cd1d3bab Mon Sep 17 00:00:00 2001 From: chaudhariniraj Date: Fri, 12 Jun 2026 16:24:39 +0530 Subject: [PATCH 1/5] Resolve CodeQL issues --- .../src/libs/utils/azure_credential_utils.py | 6 +++++- src/ContentProcessor/src/libs/utils/credential_util.py | 6 +++++- src/ContentProcessorAPI/app/libs/base/application_base.py | 4 ++-- .../src/libs/azure/app_configuration.py | 8 +++++++- .../src/libs/base/application_base.py | 3 ++- src/ContentProcessorWorkflow/src/utils/credential_util.py | 7 ++++++- 6 files changed, 27 insertions(+), 7 deletions(-) diff --git a/src/ContentProcessor/src/libs/utils/azure_credential_utils.py b/src/ContentProcessor/src/libs/utils/azure_credential_utils.py index 07a4f2b0..5d711e85 100644 --- a/src/ContentProcessor/src/libs/utils/azure_credential_utils.py +++ b/src/ContentProcessor/src/libs/utils/azure_credential_utils.py @@ -130,7 +130,11 @@ def get_azure_credential(): logging.info( "[AUTH] All CLI credentials failed - falling back to DefaultAzureCredential" ) - return DefaultAzureCredential() + raise RuntimeError( + "No Azure authentication available. " + "Use Managed Identity in Azure or run " + "'az login' / 'azd auth login' locally." + ) def get_async_azure_credential(): diff --git a/src/ContentProcessor/src/libs/utils/credential_util.py b/src/ContentProcessor/src/libs/utils/credential_util.py index 52fbdeef..1efcaab7 100644 --- a/src/ContentProcessor/src/libs/utils/credential_util.py +++ b/src/ContentProcessor/src/libs/utils/credential_util.py @@ -130,7 +130,11 @@ def get_azure_credential(): logging.info( "[AUTH] All CLI credentials failed - falling back to DefaultAzureCredential" ) - return DefaultAzureCredential() + raise RuntimeError( + "No Azure authentication available. " + "Use Managed Identity in Azure or run " + "'az login' / 'azd auth login' locally." + ) def get_async_azure_credential(): 
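Review bot: The context line kept directly above the new `raise RuntimeError(...)` in `get_azure_credential` still logs `falling back to DefaultAzureCredential` at info level, so the last log entry before the failure describes a fallback that no longer happens. Reword it to match the new behaviour, for example `logging.error("[AUTH] No managed identity or CLI credential available")`; the same stale line is kept in the `credential_util.py` hunks for ContentProcessor and ContentProcessorWorkflow. `get_async_azure_credential`, which begins on the last context line, is not touched by any hunk in this series, so if it ends with the same `DefaultAzureCredential()` fallback the finding stays open on the async path. The body of `get_azure_credential` starts outside the hunk.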
diff --git a/src/ContentProcessorAPI/app/libs/base/application_base.py b/src/ContentProcessorAPI/app/libs/base/application_base.py index 7ea33d8e..e3fb6e1c 100644 --- a/src/ContentProcessorAPI/app/libs/base/application_base.py +++ b/src/ContentProcessorAPI/app/libs/base/application_base.py @@ -15,7 +15,7 @@ import os from abc import ABC, abstractmethod -from azure.identity import DefaultAzureCredential +from app.utils.azure_credential_utils import get_azure_credential from dotenv import load_dotenv from app.libs.application.application_configuration import ( @@ -72,7 +72,7 @@ def __init__(self, env_file_path: str | None = None, **data): self._load_env(env_file_path=env_file_path) self.application_context = AppContext() - self.application_context.set_credential(DefaultAzureCredential()) + self.application_context.set_credential(get_azure_credential()) app_config_endpoint: str | None = EnvConfiguration().app_config_endpoint if app_config_endpoint != "" and app_config_endpoint is not None: diff --git a/src/ContentProcessorWorkflow/src/libs/azure/app_configuration.py b/src/ContentProcessorWorkflow/src/libs/azure/app_configuration.py index ee2501cd..f333133e 100644 --- a/src/ContentProcessorWorkflow/src/libs/azure/app_configuration.py +++ b/src/ContentProcessorWorkflow/src/libs/azure/app_configuration.py @@ -91,7 +91,13 @@ def __init__( ValueError: If *app_configuration_url* is ``None`` or the credential is missing after defaulting. """ - self.credential = credential or DefaultAzureCredential() + if credential is None: + raise ValueError( + "Azure credential is required. " + "Use Managed Identity, AzureCliCredential, or AzureDeveloperCliCredential." + ) + + self.credential = credential self.app_config_endpoint = app_configuration_url self._initialize_client() diff --git a/src/ContentProcessorWorkflow/src/libs/base/application_base.py b/src/ContentProcessorWorkflow/src/libs/base/application_base.py index fbcbaa23..d3a63579 100644 
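Review bot: The new import `from app.utils.azure_credential_utils import get_azure_credential` in ContentProcessorAPI's `application_base.py` points at a helper module that no patch in this series modifies, unlike the ContentProcessor and ContentProcessorWorkflow copies. If that API copy still ends with `return DefaultAzureCredential()`, the `set_credential(get_azure_credential())` call in `__init__` keeps the implicit credential chain that this commit removes elsewhere; this is inferred, since the module is not visible here. It is worth confirming that the API helper raises like the other two, and then documenting the call with a comment such as `# Raises RuntimeError when neither managed identity nor a CLI login is available`.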
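Review bot: The `Raises:` entry kept as context above the new check in `app_configuration.py` still says the credential is "missing after defaulting", but the constructor no longer defaults and now raises `ValueError` as soon as `credential is None`. Update that docstring line to something like `ValueError: If *credential* or *app_configuration_url* is None.`, and if the signature (outside the hunk) still declares a `None` default for `credential`, say there that the argument is required. The error message could also name `get_azure_credential()` as the supported way to obtain a credential, so callers are not tempted to pass `DefaultAzureCredential()` back in.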
--- a/src/ContentProcessorWorkflow/src/libs/base/application_base.py +++ b/src/ContentProcessorWorkflow/src/libs/base/application_base.py @@ -36,6 +36,7 @@ def run(self): from abc import ABC, abstractmethod from azure.identity import DefaultAzureCredential +from src.utils.credential_util import get_azure_credential from dotenv import load_dotenv from libs.agent_framework.agent_framework_settings import AgentFrameworkSettings @@ -117,7 +118,7 @@ def __init__(self, env_file_path: str | None = None, **data): self._load_env(env_file_path=env_file_path) self.application_context = AppContext() - self.application_context.set_credential(DefaultAzureCredential()) + self.application_context.set_credential(get_azure_credential()) app_config_url: str | None = _envConfiguration().app_config_endpoint if app_config_url != "" and app_config_url is not None: diff --git a/src/ContentProcessorWorkflow/src/utils/credential_util.py b/src/ContentProcessorWorkflow/src/utils/credential_util.py index b37de6d9..fbef0657 100644 --- a/src/ContentProcessorWorkflow/src/utils/credential_util.py +++ b/src/ContentProcessorWorkflow/src/utils/credential_util.py @@ -126,7 +126,12 @@ def get_azure_credential(): logging.info( "[AUTH] All CLI credentials failed - falling back to DefaultAzureCredential" ) - return DefaultAzureCredential() + + raise RuntimeError( + "No Azure authentication available. " + "Use Managed Identity in Azure or run " + "'az login' / 'azd auth login' locally." + ) def get_async_azure_credential(): From 8fc57b86eb95c492abeed51054bf553b23e9521f Mon Sep 17 00:00:00 2001 From: chaudhariniraj Date: Fri, 12 Jun 2026 17:55:45 +0530 Subject: [PATCH 2/5] Resolve test cases error --- .../utils/test_azure_credential_utils.py | 16 +++++++++------- .../test_azure_credential_utils_extended.py | 14 +++++--------- 2 files changed, 14 insertions(+), 16 deletions(-) 
diff --git a/src/tests/ContentProcessor/utils/test_azure_credential_utils.py b/src/tests/ContentProcessor/utils/test_azure_credential_utils.py index 216b302e..7f0f88a0 100644 --- a/src/tests/ContentProcessor/utils/test_azure_credential_utils.py +++ b/src/tests/ContentProcessor/utils/test_azure_credential_utils.py @@ -7,6 +7,8 @@ from unittest.mock import MagicMock, patch +import pytest + import libs.utils.azure_credential_utils as azure_credential_utils MODULE = "libs.utils.azure_credential_utils" @@ -45,16 +47,16 @@ def test_returns_user_assigned_with_client_id(self, mock_managed): mock_managed.assert_called_once_with(client_id="test-client-id") assert credential == mock_instance - @patch(f"{MODULE}.DefaultAzureCredential") @patch(f"{MODULE}.AzureDeveloperCliCredential", side_effect=Exception("no azd")) @patch(f"{MODULE}.AzureCliCredential", side_effect=Exception("no az")) @patch.dict("os.environ", {}, clear=True) - def test_falls_back_to_default(self, mock_cli, mock_dev_cli, mock_default): - mock_instance = MagicMock() - mock_default.return_value = mock_instance - credential = azure_credential_utils.get_azure_credential() - mock_default.assert_called_once() - assert credential == mock_instance + def test_raises_when_no_credentials_available( + self, mock_cli, mock_dev_cli + ): + with pytest.raises(RuntimeError) as exc: + azure_credential_utils.get_azure_credential() + + assert "No Azure authentication available" in str(exc.value) # ── TestGetAsyncAzureCredential ───────────────────────────────────────── diff --git a/src/tests/ContentProcessor/utils/test_azure_credential_utils_extended.py b/src/tests/ContentProcessor/utils/test_azure_credential_utils_extended.py index 11858fdc..edd735d8 100644 --- a/src/tests/ContentProcessor/utils/test_azure_credential_utils_extended.py +++ b/src/tests/ContentProcessor/utils/test_azure_credential_utils_extended.py 
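Review bot: `test_raises_when_no_credentials_available` forces the failure by making the `AzureCliCredential` and `AzureDeveloperCliCredential` constructors raise, which only exercises the new `RuntimeError` if `get_azure_credential` fails at construction time. azure-identity's CLI credentials normally defer invoking the CLI until `get_token` is called, so unless the helper (not visible here) probes for a token, a host with no `az login` may get a CLI credential object back and never reach the raise. That is worth confirming and covering with a test. As a style point, the message check can be folded into the context manager: `with pytest.raises(RuntimeError, match="No Azure authentication available"):`.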
@@ -42,26 +42,22 @@ def test_get_azure_credential_with_website_site_name(self, monkeypatch): assert credential == mock_instance def test_get_azure_credential_cli_failure_fallback(self, monkeypatch): - """Test fallback to DefaultAzureCredential when CLI credentials fail""" + """Test RuntimeError when all credential options fail""" # Clear all Azure environment indicators for key in ["WEBSITE_SITE_NAME", "AZURE_CLIENT_ID", "MSI_ENDPOINT", "IDENTITY_ENDPOINT", "KUBERNETES_SERVICE_HOST", "CONTAINER_REGISTRY_LOGIN"]: monkeypatch.delenv(key, raising=False) with patch('libs.utils.azure_credential_utils.AzureCliCredential') as mock_cli_cred, \ - patch('libs.utils.azure_credential_utils.AzureDeveloperCliCredential') as mock_azd_cred, \ - patch('libs.utils.azure_credential_utils.DefaultAzureCredential') as mock_default: + patch('libs.utils.azure_credential_utils.AzureDeveloperCliCredential') as mock_azd_cred: - # Make both CLI credentials raise exceptions mock_cli_cred.side_effect = Exception("CLI credential failed") mock_azd_cred.side_effect = Exception("AZD credential failed") - mock_default_instance = Mock() - mock_default.return_value = mock_default_instance - credential = get_azure_credential() + with pytest.raises(RuntimeError) as exc: + get_azure_credential() - assert credential == mock_default_instance - mock_default.assert_called_once() + assert "No Azure authentication available" in str(exc.value) def test_get_azure_credential_azd_success(self, monkeypatch): """Test successful Azure Developer CLI credential""" From e11892e8f6aaef61d6ba5faa17d7962f73e481f5 Mon Sep 17 00:00:00 2001 From: chaudhariniraj Date: Fri, 12 Jun 2026 18:28:45 +0530 Subject: [PATCH 3/5] Resolve test cases error 1 --- src/ContentProcessorWorkflow/src/libs/base/application_base.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ContentProcessorWorkflow/src/libs/base/application_base.py b/src/ContentProcessorWorkflow/src/libs/base/application_base.py index d3a63579..0379a702 100644 
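Review bot: `import pytest` is not added by any hunk for `test_azure_credential_utils_extended.py`, yet the rewritten test calls `pytest.raises`; the sibling test files changed in patches 2 and 5 each gain that import. Unless the file already imports it above line 42 (outside the hunk), the test fails with `NameError` instead of exercising the credential path. The test is also still named `test_get_azure_credential_cli_failure_fallback` although it now asserts that no fallback happens. A name such as `test_get_azure_credential_raises_when_all_fail` would match the new docstring.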
--- a/src/ContentProcessorWorkflow/src/libs/base/application_base.py +++ b/src/ContentProcessorWorkflow/src/libs/base/application_base.py @@ -36,6 +36,7 @@ def run(self): from abc import ABC, abstractmethod from azure.identity import DefaultAzureCredential +from utils.credential_util import get_azure_credential from src.utils.credential_util import get_azure_credential from dotenv import load_dotenv From cab11be1fe2d05e5c4db9b0c2f294486313bd6d6 Mon Sep 17 00:00:00 2001 From: chaudhariniraj Date: Fri, 12 Jun 2026 18:44:21 +0530 Subject: [PATCH 4/5] Resolve test cases error 2 --- src/ContentProcessorWorkflow/src/libs/base/application_base.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/ContentProcessorWorkflow/src/libs/base/application_base.py b/src/ContentProcessorWorkflow/src/libs/base/application_base.py index 0379a702..cb657398 100644 --- a/src/ContentProcessorWorkflow/src/libs/base/application_base.py +++ b/src/ContentProcessorWorkflow/src/libs/base/application_base.py @@ -37,7 +37,6 @@ def run(self): from azure.identity import DefaultAzureCredential from utils.credential_util import get_azure_credential -from src.utils.credential_util import get_azure_credential from dotenv import load_dotenv from libs.agent_framework.agent_framework_settings import AgentFrameworkSettings From cf8dfc7284ee02bd97d4a5ef7c15085b4a30c627 Mon Sep 17 00:00:00 2001 From: chaudhariniraj Date: Fri, 12 Jun 2026 18:54:00 +0530 Subject: [PATCH 5/5] Resolve test cases error 3 --- .../src/libs/base/application_base.py | 1 - .../utils/test_credential_util_extended.py | 24 +++++++++++-------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/src/ContentProcessorWorkflow/src/libs/base/application_base.py b/src/ContentProcessorWorkflow/src/libs/base/application_base.py index cb657398..61b6a603 100644 --- a/src/ContentProcessorWorkflow/src/libs/base/application_base.py +++ b/src/ContentProcessorWorkflow/src/libs/base/application_base.py 
@@ -35,7 +35,6 @@ def run(self): import os from abc import ABC, abstractmethod -from azure.identity import DefaultAzureCredential from utils.credential_util import get_azure_credential from dotenv import load_dotenv diff --git a/src/tests/ContentProcessorWorkflow/utils/test_credential_util_extended.py b/src/tests/ContentProcessorWorkflow/utils/test_credential_util_extended.py index d4fda81d..40cfaf68 100644 --- a/src/tests/ContentProcessorWorkflow/utils/test_credential_util_extended.py +++ b/src/tests/ContentProcessorWorkflow/utils/test_credential_util_extended.py @@ -1,5 +1,6 @@ """Extended tests for credential_util.py to improve coverage""" from unittest.mock import Mock, patch +import pytest from utils.credential_util import ( get_azure_credential, get_async_azure_credential, 
@@ -40,24 +41,27 @@ def test_get_azure_credential_app_service_environment(self, monkeypatch): assert credential == mock_instance def test_get_azure_credential_all_cli_fail(self, monkeypatch): - """Test fallback when all CLI credentials fail""" - for key in ["WEBSITE_SITE_NAME", "AZURE_CLIENT_ID", "MSI_ENDPOINT", - "IDENTITY_ENDPOINT", "KUBERNETES_SERVICE_HOST", "CONTAINER_REGISTRY_LOGIN"]: + """Test RuntimeError when all credential options fail""" + for key in [ + "WEBSITE_SITE_NAME", + "AZURE_CLIENT_ID", + "MSI_ENDPOINT", + "IDENTITY_ENDPOINT", + "KUBERNETES_SERVICE_HOST", + "CONTAINER_REGISTRY_LOGIN", + ]: monkeypatch.delenv(key, raising=False) with patch('utils.credential_util.AzureCliCredential') as mock_cli, \ - patch('utils.credential_util.AzureDeveloperCliCredential') as mock_azd, \ - patch('utils.credential_util.DefaultAzureCredential') as mock_default: + patch('utils.credential_util.AzureDeveloperCliCredential') as mock_azd: mock_cli.side_effect = Exception("AzureCLI not available") mock_azd.side_effect = Exception("AzureDeveloperCLI not available") - mock_default_instance = Mock() - mock_default.return_value = mock_default_instance - credential = get_azure_credential() + with pytest.raises(RuntimeError) as exc: + get_azure_credential() - assert credential == mock_default_instance - mock_default.assert_called_once() + assert "No Azure authentication available" in str(exc.value) def test_get_azure_credential_cli_success(self, monkeypatch): """Test successful Azure CLI credential"""