Refractor

Author: jprakash-db

src/databricks/sql/auth/auth.py

@@ -7,39 +7,7 @@
     DatabricksOAuthProvider,
     AzureServicePrincipalCredentialProvider,
 )
-from databricks.sql.auth.common import AuthType
-
-
-class ClientContext:
-    def __init__(
-        self,
-        hostname: str,
-        access_token: Optional[str] = None,
-        auth_type: Optional[str] = None,
-        oauth_scopes: Optional[List[str]] = None,
-        oauth_client_id: Optional[str] = None,
-        oauth_client_secret: Optional[str] = None,
-        azure_tenant_id: Optional[str] = None,
-        azure_workspace_resource_id: Optional[str] = None,
-        oauth_redirect_port_range: Optional[List[int]] = None,
-        use_cert_as_auth: Optional[str] = None,
-        tls_client_cert_file: Optional[str] = None,
-        oauth_persistence=None,
-        credentials_provider=None,
-    ):
-        self.hostname = hostname
-        self.access_token = access_token
-        self.auth_type = auth_type
-        self.oauth_scopes = oauth_scopes
-        self.oauth_client_id = oauth_client_id
-        self.oauth_client_secret = oauth_client_secret
-        self.azure_tenant_id = azure_tenant_id
-        self.azure_workspace_resource_id = azure_workspace_resource_id
-        self.oauth_redirect_port_range = oauth_redirect_port_range
-        self.use_cert_as_auth = use_cert_as_auth
-        self.tls_client_cert_file = tls_client_cert_file
-        self.oauth_persistence = oauth_persistence
-        self.credentials_provider = credentials_provider
+from databricks.sql.auth.common import AuthType, ClientContext
 
 
 def get_auth_provider(cfg: ClientContext):
@@ -49,8 +17,8 @@ def get_auth_provider(cfg: ClientContext):
         return ExternalAuthProvider(
             AzureServicePrincipalCredentialProvider(
                 cfg.hostname,
-                cfg.oauth_client_id,
-                cfg.oauth_client_secret,
+                cfg.azure_client_id,
+                cfg.azure_client_secret,
                 cfg.azure_tenant_id,
                 cfg.azure_workspace_resource_id,
             )
@@ -113,13 +81,10 @@ def get_client_id_and_redirect_port(use_azure_auth: bool):
 
 def get_python_sql_connector_auth_provider(hostname: str, **kwargs):
     auth_type = kwargs.get("auth_type")
-    client_id = kwargs.get("oauth_client_id")
-    redirect_port_range = kwargs.get("oauth_redirect_port_range")
+    (client_id, redirect_port_range) = get_client_id_and_redirect_port(
+        auth_type == AuthType.AZURE_OAUTH.value
+    )
 
-    if auth_type != AuthType.AZURE_SP_M2M.value:
-        (client_id, redirect_port_range) = get_client_id_and_redirect_port(
-            auth_type == AuthType.AZURE_OAUTH.value
-        )
     if kwargs.get("username") or kwargs.get("password"):
         raise ValueError(
             "Username/password authentication is no longer supported. "
@@ -133,8 +98,9 @@ def get_python_sql_connector_auth_provider(hostname: str, **kwargs):
         use_cert_as_auth=kwargs.get("_use_cert_as_auth"),
         tls_client_cert_file=kwargs.get("_tls_client_cert_file"),
         oauth_scopes=PYSQL_OAUTH_SCOPES,
-        oauth_client_id=client_id,
-        oauth_client_secret=kwargs.get("oauth_client_secret"),
+        oauth_client_id=kwargs.get("oauth_client_id") or client_id,
+        azure_client_id=kwargs.get("azure_client_id"),
+        azure_client_secret=kwargs.get("azure_client_secret"),
         azure_tenant_id=kwargs.get("azure_tenant_id"),
         azure_workspace_resource_id=kwargs.get("azure_workspace_resource_id"),
         oauth_redirect_port_range=[kwargs["oauth_redirect_port"]]

src/databricks/sql/auth/authenticators.py

@@ -8,15 +8,17 @@
     ClientCredentialsTokenSource,
 )
 from databricks.sql.auth.endpoint import get_oauth_endpoints
-from databricks.sql.auth.common import AuthType, get_effective_azure_login_app_id
-from databricks.sdk import WorkspaceClient
+from databricks.sql.auth.common import (
+    AuthType,
+    get_effective_azure_login_app_id,
+    get_azure_tenant_id_from_host,
+)
 
 # Private API: this is an evolving interface and it will change in the future.
 # Please must not depend on it in your applications.
 from databricks.sql.experimental.oauth_persistence import OAuthToken, OAuthPersistence
 
 
-
 class AuthProvider:
     def add_headers(self, request_headers: Dict[str, str]):
         pass
@@ -165,8 +167,8 @@ class AzureServicePrincipalCredentialProvider(CredentialsProvider):
 
     Attributes:
         hostname (str): The Databricks workspace hostname.
-        oauth_client_id (str): The Azure service principal's client ID.
-        oauth_client_secret (str): The Azure service principal's client secret.
+        azure_client_id (str): The Azure service principal's client ID.
+        azure_client_secret (str): The Azure service principal's client secret.
         azure_tenant_id (str): The Azure AD tenant ID.
         azure_workspace_resource_id (str, optional): The Azure workspace resource ID.
     """
@@ -184,56 +186,50 @@ class AzureServicePrincipalCredentialProvider(CredentialsProvider):
     def __init__(
         self,
         hostname,
-        oauth_client_id,
-        oauth_client_secret,
-        azure_tenant_id,
+        azure_client_id,
+        azure_client_secret,
+        azure_tenant_id=None,
         azure_workspace_resource_id=None,
     ):
-        self.workspace_api_client = WorkspaceClient(
-            host=hostname,
-            azure_workspace_resource_id=azure_workspace_resource_id,
-            azure_tenant_id=azure_tenant_id,
-            azure_client_id=oauth_client_id,
-            azure_client_secret=oauth_client_secret,
-        )
         self.hostname = hostname
-        self.oauth_client_id = oauth_client_id
-        self.oauth_client_secret = oauth_client_secret
-        self.azure_tenant_id = azure_tenant_id
+        self.azure_client_id = azure_client_id
+        self.azure_client_secret = azure_client_secret
         self.azure_workspace_resource_id = azure_workspace_resource_id
+        self.azure_tenant_id = azure_tenant_id or get_azure_tenant_id_from_host(
+            hostname
+        )
 
     def auth_type(self) -> str:
         return AuthType.AZURE_SP_M2M.value
 
     def get_token_source(self, resource: str) -> RefreshableTokenSource:
         return ClientCredentialsTokenSource(
             token_url=f"{self.AZURE_AAD_ENDPOINT}/{self.azure_tenant_id}/{self.AZURE_TOKEN_ENDPOINT}",
-            oauth_client_id=self.oauth_client_id,
-            oauth_client_secret=self.oauth_client_secret,
+            client_id=self.azure_client_id,
+            client_secret=self.azure_client_secret,
             extra_params={"resource": resource},
         )
 
     def __call__(self, *args, **kwargs) -> HeaderFactory:
-        # inner = self.get_token_source(
-        #     resource=get_effective_azure_login_app_id(self.hostname)
-        # )
-        # cloud = self.get_token_source(resource=self.AZURE_MANAGED_RESOURCE)
+        inner = self.get_token_source(
+            resource=get_effective_azure_login_app_id(self.hostname)
+        )
+        cloud = self.get_token_source(resource=self.AZURE_MANAGED_RESOURCE)
 
         def header_factory() -> Dict[str, str]:
-            # inner_token = inner.get_token()
-            # cloud_token = cloud.get_token()
+            inner_token = inner.get_token()
+            cloud_token = cloud.get_token()
 
-            # headers = {
-            #     HttpHeader.AUTHORIZATION.value: f"{inner_token.token_type} {inner_token.access_token}",
-            #     self.DATABRICKS_AZURE_SP_TOKEN_HEADER: cloud_token.access_token,
-            # }
+            headers = {
+                HttpHeader.AUTHORIZATION.value: f"{inner_token.token_type} {inner_token.access_token}",
+                self.DATABRICKS_AZURE_SP_TOKEN_HEADER: cloud_token.access_token,
+            }
 
-            # if self.azure_workspace_resource_id:
-            #     headers[
-            #         self.DATABRICKS_AZURE_WORKSPACE_RESOURCE_ID_HEADER
-            #     ] = self.azure_workspace_resource_id
+            if self.azure_workspace_resource_id:
+                headers[
+                    self.DATABRICKS_AZURE_WORKSPACE_RESOURCE_ID_HEADER
+                ] = self.azure_workspace_resource_id
 
-            # return headers
-            return self.workspace_api_client.config.authenticate()
+            return headers
 
         return header_factory

src/databricks/sql/auth/common.py

@@ -1,4 +1,10 @@
 from enum import Enum
+import logging
+from typing import Optional, List
+from urllib.parse import urlparse
+from databricks.sql.common.http import DatabricksHttpClient, HttpMethod
+
+logger = logging.getLogger(__name__)
 
 
 class AuthType(Enum):
@@ -13,6 +19,40 @@ class AzureAppId(Enum):
     PROD = (".azuredatabricks.net", "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d")
 
 
+class ClientContext:
+    def __init__(
+        self,
+        hostname: str,
+        access_token: Optional[str] = None,
+        auth_type: Optional[str] = None,
+        oauth_scopes: Optional[List[str]] = None,
+        oauth_client_id: Optional[str] = None,
+        azure_client_id: Optional[str] = None,
+        azure_client_secret: Optional[str] = None,
+        azure_tenant_id: Optional[str] = None,
+        azure_workspace_resource_id: Optional[str] = None,
+        oauth_redirect_port_range: Optional[List[int]] = None,
+        use_cert_as_auth: Optional[str] = None,
+        tls_client_cert_file: Optional[str] = None,
+        oauth_persistence=None,
+        credentials_provider=None,
+    ):
+        self.hostname = hostname
+        self.access_token = access_token
+        self.auth_type = auth_type
+        self.oauth_scopes = oauth_scopes
+        self.oauth_client_id = oauth_client_id
+        self.azure_client_id = azure_client_id
+        self.azure_client_secret = azure_client_secret
+        self.azure_tenant_id = azure_tenant_id
+        self.azure_workspace_resource_id = azure_workspace_resource_id
+        self.oauth_redirect_port_range = oauth_redirect_port_range
+        self.use_cert_as_auth = use_cert_as_auth
+        self.tls_client_cert_file = tls_client_cert_file
+        self.oauth_persistence = oauth_persistence
+        self.credentials_provider = credentials_provider
+
+
 def get_effective_azure_login_app_id(hostname) -> str:
     """
     Get the effective Azure login app ID for a given hostname.
@@ -27,3 +67,30 @@ def get_effective_azure_login_app_id(hostname) -> str:
 
     # default databricks resource id
     return AzureAppId.PROD.value
+
+
+def get_azure_tenant_id_from_host(host: str, http_client=None) -> str:
+    """
+    Load the Azure tenant ID from the Azure Databricks login page.
+    """
+
+    if http_client is None:
+        http_client = DatabricksHttpClient.get_instance()
+
+    login_url = f"{host}/aad/auth"
+    logger.debug("Loading tenant ID from %s", login_url)
+    with http_client.execute(HttpMethod.GET, login_url, allow_redirects=False) as resp:
+        if resp.status_code // 100 != 3:
+            raise ValueError(
+                f"Failed to get tenant ID from {login_url}: expected status code 3xx, got {resp.status_code}"
+            )
+        entra_id_endpoint = resp.headers.get("Location")
+        if entra_id_endpoint is None:
+            raise ValueError(f"No Location header in response from {login_url}")
+        # The Location header has the following form: https://login.microsoftonline.com/<tenant-id>/oauth2/authorize?...
+        # The domain may change depending on the Azure cloud (e.g. login.microsoftonline.us for US Government cloud).
+        url = urlparse(entra_id_endpoint)
+        path_segments = url.path.split("/")
+        if len(path_segments) < 2:
+            raise ValueError(f"Invalid path in Location header: {url.path}")
+        return path_segments[1]

src/databricks/sql/auth/oauth.py

@@ -311,19 +311,19 @@ class ClientCredentialsTokenSource(RefreshableTokenSource):
 
     Attributes:
         token_url (str): The URL of the token endpoint.
-        oauth_client_id (str): The client ID.
-        oauth_client_secret (str): The client secret.
+        client_id (str): The client ID.
+        client_secret (str): The client secret.
     """
 
     def __init__(
         self,
         token_url,
-        oauth_client_id,
-        oauth_client_secret,
+        client_id,
+        client_secret,
         extra_params: dict = {},
     ):
-        self.oauth_client_id = oauth_client_id
-        self.oauth_client_secret = oauth_client_secret
+        self.client_id = client_id
+        self.client_secret = client_secret
         self.token_url = token_url
         self.extra_params = extra_params
         self.token: Optional[Token] = None
@@ -341,8 +341,8 @@ def refresh(self) -> Token:
         data = urlencode(
             {
                 "grant_type": "client_credentials",
-                "client_id": self.oauth_client_id,
-                "client_secret": self.oauth_client_secret,
+                "client_id": self.client_id,
+                "client_secret": self.client_secret,
                 **self.extra_params,
             }
         )

src/databricks/sql/common/http.py

@@ -62,9 +62,11 @@ def get_instance(cls) -> "DatabricksHttpClient":
                 if cls._instance is None:
                     cls._instance = DatabricksHttpClient()
         return cls._instance
-    
+
     @contextmanager
-    def execute(self, method: HttpMethod, url: str, **kwargs) -> Generator[requests.Response, None, None]:
+    def execute(
+        self, method: HttpMethod, url: str, **kwargs
+    ) -> Generator[requests.Response, None, None]:
         response = None
         try:
             response = self.session.request(method.value, url, **kwargs)

tests/unit/test_auth.py

@@ -224,8 +224,8 @@ def status_response(response_status_code):
     def token_source(self):
         return ClientCredentialsTokenSource(
             token_url="https://token_url.com",
-            oauth_client_id="client_id",
-            oauth_client_secret="client_secret",
+            client_id="client_id",
+            client_secret="client_secret",
         )
 
     def test_no_token_refresh__when_token_is_not_expired(
@@ -271,8 +271,8 @@ class TestAzureServicePrincipalCredentialProvider:
     def credential_provider(self):
         return AzureServicePrincipalCredentialProvider(
             hostname="hostname",
-            oauth_client_id="client_id",
-            oauth_client_secret="client_secret",
+            azure_client_id="client_id",
+            azure_client_secret="client_secret",
             azure_tenant_id="tenant_id",
         )