Add automatic Azure DevOps CLI authentication via AZURE_DEVOPS_EXT_PAT (#1)

* Add devops login token for easier az cli devops use

* Address PR feedback: fix test isolation and documentation wording

- Add mkdir -p ${HOME}/bin in test cases that were missing it to ensure
  each test is independent and not order-dependent
- Change 'PAT' to 'access token' in NOTES.md to accurately reflect what
  ado-auth-helper returns

Author: scaryrawr

src/artifacts-helper/NOTES.md

@@ -6,6 +6,20 @@ The `az` shim specifically intercepts `az account get-access-token` requests and
 to acquire tokens via the ado-codespaces-auth VS Code extension. This enables `DefaultAzureCredential`'s
 `AzureCliCredential` to work in Codespaces without requiring `az login`.
 
+## Azure DevOps CLI Integration
+
+For `az devops` commands, the shim automatically sets the `AZURE_DEVOPS_EXT_PAT` environment variable
+using the `ado-auth-helper` when falling through to the real Azure CLI. This enables `az devops`
+commands to authenticate without requiring manual `az devops login` or setting the token manually.
+
+The shim will:
+1. Wait for `ado-auth-helper` to become available (up to 3 minutes, configurable via `MAX_WAIT`)
+2. Call `ado-auth-helper get-access-token` to retrieve an access token used by the Azure DevOps CLI extension
+3. Export `AZURE_DEVOPS_EXT_PAT` before executing the real `az` command
+
+If `AZURE_DEVOPS_EXT_PAT` is already set, the shim will not overwrite it. If `ado-auth-helper` is not
+available after the timeout, the command will still execute (but may fail to authenticate to Azure DevOps).
+
 For `npm`, `yarn`, `rush`, and `pnpm` this requires that your `~/.npmrc` file is configured to use the ${ARTIFACTS_ACCESSTOKEN}
 environment variable for the `authToken`. A helper script has been added that you can use to write your `~/.npmrc`
 file during your setup process, though there are many ways you could accomplish this. To use the script, run it like

src/artifacts-helper/scripts/az

@@ -100,6 +100,43 @@ EOF
 fi
 
 # Fall through to real az CLI for all other commands
+# Before fallthrough, set AZURE_DEVOPS_EXT_PAT if ado-auth-helper is available
+# This enables 'az devops' commands to authenticate automatically
+if [[ -z "${AZURE_DEVOPS_EXT_PAT}" ]]; then
+    MAX_WAIT=${MAX_WAIT:-180}
+    ELAPSED=0
+
+    if [[ "${ARTIFACTS_HELPER_VERBOSE}" == "true" ]]; then
+        echo "::step::Waiting for AzDO Authentication Helper for az devops..." >&2
+    fi
+
+    while [[ $ELAPSED -lt $MAX_WAIT ]]; do
+        if [[ -f "${HOME}/ado-auth-helper" ]]; then
+            AZURE_DEVOPS_EXT_PAT=$("${HOME}/ado-auth-helper" get-access-token 2>/dev/null)
+            if [[ $? -eq 0 && -n "$AZURE_DEVOPS_EXT_PAT" ]]; then
+                export AZURE_DEVOPS_EXT_PAT
+                if [[ "${ARTIFACTS_HELPER_VERBOSE}" == "true" ]]; then
+                    echo "::step::✓ AZURE_DEVOPS_EXT_PAT set successfully" >&2
+                fi
+                break
+            fi
+        fi
+        sleep 2
+        ELAPSED=$((ELAPSED + 2))
+
+        # Progress indicator every 20 seconds (verbose only)
+        if [[ "${ARTIFACTS_HELPER_VERBOSE}" == "true" && $((ELAPSED % 20)) -eq 0 ]]; then
+            echo "  Still waiting... (${ELAPSED}s elapsed)" >&2
+        fi
+    done
+
+    # Always show timeout warnings regardless of verbose setting, as this indicates a potential issue
+    if [[ $ELAPSED -ge $MAX_WAIT ]]; then
+        echo "::warning::AzDO Authentication Helper not found after ${MAX_WAIT} seconds" >&2
+        echo "Continuing without AZURE_DEVOPS_EXT_PAT..." >&2
+    fi
+fi
+
 AZ_EXE="$(resolve_shim)"
 if [[ -n "$AZ_EXE" ]]; then
     exec "${AZ_EXE}" "$@"

test/artifacts-helper/test_az_shim.sh

@@ -74,6 +74,76 @@ check "az shim bypasses interception in GitHub Actions" bash -c '
     echo "$output" | grep -qv "test-token-12345" && echo "SUCCESS" || echo "FAILED"
 ' | grep -q "SUCCESS"
 
+# Test AZURE_DEVOPS_EXT_PAT integration with ado-auth-helper
+check "az shim sets AZURE_DEVOPS_EXT_PAT when ado-auth-helper exists" bash -c '
+    export HOME='"$TEST_HOME"'
+    export MAX_WAIT=2  # Short timeout for testing
+    # Create a mock ado-auth-helper
+    cat > "${HOME}/ado-auth-helper" << '\''HELPER'\''
+#!/bin/bash
+echo "ado-test-pat-token"
+HELPER
+    chmod +x "${HOME}/ado-auth-helper"
+    
+    # Create a mock az that echoes the env var
+    mkdir -p "${HOME}/bin"
+    cat > "${HOME}/bin/az" << '\''MOCKAZ'\''
+#!/bin/bash
+echo "PAT=${AZURE_DEVOPS_EXT_PAT}"
+MOCKAZ
+    chmod +x "${HOME}/bin/az"
+    export PATH="${HOME}/bin:$PATH"
+    
+    # Call the shim with a non-token command
+    output=$(/usr/local/share/codespace-shims/az devops --help 2>&1)
+    echo "$output" | grep -q "PAT=ado-test-pat-token" && echo "SUCCESS" || echo "FAILED: $output"
+' | grep -q "SUCCESS"
+
+# Test that existing AZURE_DEVOPS_EXT_PAT is not overwritten
+check "az shim does not overwrite existing AZURE_DEVOPS_EXT_PAT" bash -c '
+    export HOME='"$TEST_HOME"'
+    export MAX_WAIT=2
+    export AZURE_DEVOPS_EXT_PAT="existing-pat-value"
+    # Create mock ado-auth-helper that would return different value
+    cat > "${HOME}/ado-auth-helper" << '\''HELPER'\''
+#!/bin/bash
+echo "new-pat-token"
+HELPER
+    chmod +x "${HOME}/ado-auth-helper"
+    
+    # Create mock az
+    mkdir -p "${HOME}/bin"
+    cat > "${HOME}/bin/az" << '\''MOCKAZ'\''
+#!/bin/bash
+echo "PAT=${AZURE_DEVOPS_EXT_PAT}"
+MOCKAZ
+    chmod +x "${HOME}/bin/az"
+    export PATH="${HOME}/bin:$PATH"
+    
+    output=$(/usr/local/share/codespace-shims/az devops --help 2>&1)
+    # Should still have original value
+    echo "$output" | grep -q "PAT=existing-pat-value" && echo "SUCCESS" || echo "FAILED: $output"
+' | grep -q "SUCCESS"
+
+# Test that missing ado-auth-helper still allows fallthrough
+check "az shim falls through without ado-auth-helper" bash -c '
+    export HOME='"$TEST_HOME"'
+    export MAX_WAIT=2  # Short timeout
+    rm -f "${HOME}/ado-auth-helper"
+    
+    # Create mock az
+    mkdir -p "${HOME}/bin"
+    cat > "${HOME}/bin/az" << '\''MOCKAZ'\''
+#!/bin/bash
+echo "FALLTHROUGH_OK"
+MOCKAZ
+    chmod +x "${HOME}/bin/az"
+    export PATH="${HOME}/bin:$PATH"
+    
+    output=$(/usr/local/share/codespace-shims/az version 2>&1)
+    echo "$output" | grep -q "FALLTHROUGH_OK" && echo "SUCCESS" || echo "FAILED: $output"
+' | grep -q "SUCCESS"
+
 # Cleanup
 rm -rf "$TEST_HOME"