feat: add az CLI shim for Azure token acquisition via ado-codespaces-auth

src/artifacts-helper/NOTES.md

@@ -1,6 +1,10 @@
 This installs [Azure Artifacts Credential Provider](https://github.com/microsoft/artifacts-credprovider)
-and optionally configures shims which shadow `dotnet`, `nuget`, `npm`, `yarn`, `rush`, and `pnpm`.
-These dynamically sets an authentication token for pulling artifacts from a feed before running the command.
+and optionally configures shims which shadow `dotnet`, `nuget`, `npm`, `yarn`, `rush`, `pnpm`, and `az`.
+These dynamically set an authentication token for pulling artifacts from a feed before running the command.
+
+The `az` shim specifically intercepts `az account get-access-token` requests and uses the `azure-auth-helper`
+to acquire tokens via the ado-codespaces-auth VS Code extension. This enables `DefaultAzureCredential`'s
+`AzureCliCredential` to work in Codespaces without requiring `az login`.
 
 For `npm`, `yarn`, `rush`, and `pnpm` this requires that your `~/.npmrc` file is configured to use the ${ARTIFACTS_ACCESSTOKEN}
 environment variable for the `authToken`. A helper script has been added that you can use to write your `~/.npmrc`

src/artifacts-helper/README.md

@@ -24,6 +24,7 @@ Configures Codespace to authenticate with Azure Artifact feeds
 | npxAlias | Create alias for npx | boolean | true |
 | rushAlias | Create alias for rush | boolean | true |
 | pnpmAlias | Create alias for pnpm | boolean | true |
+| azAlias | Create alias for az (Azure CLI) | boolean | true |
 | shimDirectory | Directory where the shims will be installed. This must be in $PATH, and needs to be as early as possible in priority for the scripts to override the base executables. | string | /usr/local/share/codespace-shims |
 | targetFiles | Comma separated list of files to write to. Default is '/etc/bash.bashrc,/etc/zsh/zshrc' for root and '~/.bashrc,~/.zshrc' for non-root | string | DEFAULT |
 | python | Install Python keyring helper for pip | boolean | false |
@@ -35,8 +36,12 @@ Configures Codespace to authenticate with Azure Artifact feeds
 - `ms-codespaces-tools.ado-codespaces-auth`
 
 This installs [Azure Artifacts Credential Provider](https://github.com/microsoft/artifacts-credprovider)
-and optionally configures shims which shadow `dotnet`, `nuget`, `npm`, `yarn`, `rush`, and `pnpm`.
-These dynamically sets an authentication token for pulling artifacts from a feed before running the command.
+and optionally configures shims which shadow `dotnet`, `nuget`, `npm`, `yarn`, `rush`, `pnpm`, and `az`.
+These dynamically set an authentication token for pulling artifacts from a feed before running the command.
+
+The `az` shim specifically intercepts `az account get-access-token` requests and uses the `azure-auth-helper`
+to acquire tokens via the ado-codespaces-auth VS Code extension. This enables `DefaultAzureCredential`'s
+`AzureCliCredential` to work in Codespaces without requiring `az login`.
 
 For `npm`, `yarn`, `rush`, and `pnpm` this requires that your `~/.npmrc` file is configured to use the ${ARTIFACTS_ACCESSTOKEN}
 environment variable for the `authToken`. A helper script has been added that you can use to write your `~/.npmrc`

src/artifacts-helper/devcontainer-feature.json

@@ -49,6 +49,11 @@
             "default": true,
             "description": "Create alias for pnpm"
         },
+        "azAlias": {
+            "type": "boolean",
+            "default": true,
+            "description": "Create alias for az (Azure CLI)"
+        },
         "shimDirectory": {
             "type": "string",
             "default": "/usr/local/share/codespace-shims",

src/artifacts-helper/install.sh

@@ -11,6 +11,7 @@ ALIAS_YARN="${YARNALIAS:-"true"}"
 ALIAS_NPX="${NPXALIAS:-"true"}"
 ALIAS_RUSH="${RUSHALIAS:-"true"}"
 ALIAS_PNPM="${PNPMALIAS:-"true"}"
+ALIAS_AZ="${AZALIAS:-"true"}"
 INSTALL_PIP_HELPER="${PYTHON:-"false"}"
 SHIM_DIRECTORY="${SHIMDIRECTORY:-"/usr/local/share/codespace-shims/"}"
 
@@ -39,6 +40,9 @@ if [ "${ALIAS_PNPM}" = "true" ]; then
     ALIASES_ARR+=('pnpm')
     ALIASES_ARR+=('pnpx')
 fi
+if [ "${ALIAS_AZ}" = "true" ]; then
+    ALIASES_ARR+=('az')
+fi
 
 # Source /etc/os-release to get OS info
 . /etc/os-release

src/artifacts-helper/scripts/az

@@ -0,0 +1,101 @@
+#!/bin/bash
+# Azure CLI shim for GitHub Codespaces
+# Intercepts 'az account get-access-token' requests and uses azure-auth-helper
+# to acquire tokens via the ado-codespaces-auth VS Code extension.
+#
+# This enables DefaultAzureCredential's AzureCliCredential to work in Codespaces
+# without requiring 'az login' (which times out waiting for browser auth).
+#
+# To install: Copy this to /usr/local/share/codespace-shims/az
+# The shims directory should already be in PATH for Codespaces.
+
+# If ACTIONS_ID_TOKEN_REQUEST_URL is set, we're in GitHub Actions - skip interception
+if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL}" ]; then
+    source "$(dirname $0)"/resolve-shim.sh
+    AZ_EXE="$(resolve_shim)"
+    exec "${AZ_EXE}" "$@"
+fi
+
+source "$(dirname $0)"/resolve-shim.sh
+
+# Well-known resource type mappings (az account get-access-token --resource-type)
+declare -A RESOURCE_TYPE_MAP=(
+    ["arm"]="https://management.azure.com"
+    ["aad-graph"]="https://graph.windows.net"
+    ["ms-graph"]="https://graph.microsoft.com"
+    ["batch"]="https://batch.core.windows.net"
+    ["data-lake"]="https://datalake.azure.net"
+    ["media"]="https://rest.media.azure.net"
+    ["oss-rdbms"]="https://ossrdbms-aad.database.windows.net"
+)
+
+# Check if this is a get-access-token request that we should intercept
+if [[ "$1" == "account" && "$2" == "get-access-token" ]]; then
+    # Parse arguments to extract --resource, --scope, or --resource-type
+    resource=""
+    scope=""
+    resource_type=""
+    prev=""
+
+    for arg in "${@:3}"; do
+        case "$prev" in
+            --resource)
+                resource="$arg"
+                ;;
+            --scope)
+                scope="$arg"
+                ;;
+            --resource-type)
+                resource_type="$arg"
+                ;;
+        esac
+        prev="$arg"
+    done
+
+    # Resolve resource-type to resource URL if specified
+    if [[ -n "$resource_type" && -z "$resource" ]]; then
+        resource="${RESOURCE_TYPE_MAP[$resource_type]}"
+    fi
+
+    # Determine the scope to request
+    # Priority: explicit --scope > --resource/.default > --resource-type/.default
+    request_scope=""
+    if [[ -n "$scope" ]]; then
+        request_scope="$scope"
+    elif [[ -n "$resource" ]]; then
+        # Append /.default if not already present
+        if [[ "$resource" == *"/.default" ]]; then
+            request_scope="$resource"
+        else
+            request_scope="${resource}/.default"
+        fi
+    fi
+
+    # If we have a scope and azure-auth-helper exists, use it
+    if [[ -n "$request_scope" && -f "${HOME}/azure-auth-helper" ]]; then
+        # Get token from azure-auth-helper
+        token=$("${HOME}/azure-auth-helper" get-access-token "$request_scope" 2>/dev/null)
+        exit_code=$?
+
+        if [[ $exit_code -eq 0 && -n "$token" ]]; then
+            # Return in az CLI JSON format
+            cat <<EOF
+{
+  "accessToken": "${token}",
+  "tokenType": "Bearer"
+}
+EOF
+            exit 0
+        fi
+        # Fall through to real az CLI if azure-auth-helper fails
+    fi
+fi
+
+# Fall through to real az CLI for all other commands
+AZ_EXE="$(resolve_shim)"
+if [[ -n "$AZ_EXE" ]]; then
+    exec "${AZ_EXE}" "$@"
+else
+    echo "Error: Azure CLI not found in PATH" >&2
+    exit 1
+fi