Prepare for the June Identity GA release. (#5695)

* Prepare for the June Identity GA release.

* Validate azure arc.

* Update changelog entry.

* Update cspell, fixup gtest skip, and remove unnecessary logging.

* Move gtest_skip call inside the gtest.

* Use system command due to permissions on creating a directory, on linux.

* Pass in a c_str() to system.

* Update permissions to create keys and address pr feedback (rename test
var and method to remove 'valid').

* Address PR feedback - nits.

* Fix remaining rename of local variable.

Author: ahsonkhan

.vscode/cspell.json

@@ -70,6 +70,7 @@
     "authcid",
     "avro",
     "antkmsft",
+    "azcmagent",
     "azcore",
     "azsdk",
     "azsdkengsys",

sdk/identity/azure-identity/CHANGELOG.md

@@ -1,14 +1,15 @@
 # Release History
 
-## 1.7.0-beta.3 (Unreleased)
+## 1.8.0 (2024-06-11)
 
 ### Features Added
 
-### Breaking Changes
+- [[#4474]](https://github.com/Azure/azure-sdk-for-cpp/issues/4474) Enable proactive renewal of Managed Identity tokens.
+- [[#5116]](https://github.com/Azure/azure-sdk-for-cpp/issues/5116) `AzureCliCredential`: Added support for the new response field which represents token expiration timestamp as time zone agnostic value.
 
 ### Bugs Fixed
 
-### Other Changes
+- Managed identity bug fixes.
 
 ## 1.7.0-beta.2 (2024-02-09)
 

sdk/identity/azure-identity/src/managed_identity_source.cpp

@@ -6,12 +6,15 @@
 #include "private/identity_log.hpp"
 
 #include <azure/core/internal/environment.hpp>
+#include <azure/core/platform.hpp>
 
 #include <fstream>
 #include <iterator>
 #include <stdexcept>
 #include <utility>
 
+#include <sys/stat.h> // for stat() used to check file size
+
 using namespace Azure::Identity::_detail;
 
 using Azure::Core::_internal::Environment;
@@ -30,6 +33,73 @@ void PrintEnvNotSetUpMessage(std::string const& credName, std::string const& cre
       credName + ": Environment is not set up for the credential to be created"
           + WithSourceMessage(credSource) + '.');
 }
+
+// ExpectedArcKeyDirectory returns the directory expected to contain Azure Arc keys.
+std::string ExpectedArcKeyDirectory()
+{
+  using Azure::Core::Credentials::AuthenticationException;
+
+#if defined(AZ_PLATFORM_LINUX)
+  return "/var/opt/azcmagent/tokens";
+#elif defined(AZ_PLATFORM_WINDOWS)
+  const std::string programDataPath{
+      Azure::Core::_internal::Environment::GetVariable("ProgramData")};
+  if (programDataPath.empty())
+  {
+    throw AuthenticationException("Unable to get ProgramData folder path.");
+  }
+  return programDataPath + "\\AzureConnectedMachineAgent\\Tokens";
+#else
+  throw AuthenticationException("Unsupported OS. Arc supports only Linux and Windows.");
+#endif
+}
+
+static constexpr off_t MaximumAzureArcKeySize = 4096;
+
+#if defined(AZ_PLATFORM_WINDOWS)
+static constexpr char DirectorySeparator = '\\';
+#else
+static constexpr char DirectorySeparator = '/';
+#endif
+
+// Validates that a given Azure Arc MSI file path is valid for use.
+// The specified file must:
+// - be in the expected directory for the OS
+// - have a .key extension
+// - contain at most 4096 bytes
+void ValidateArcKeyFile(std::string fileName)
+{
+  using Azure::Core::Credentials::AuthenticationException;
+
+  std::string directory;
+  const size_t lastSlashIndex = fileName.rfind(DirectorySeparator);
+  if (std::string::npos != lastSlashIndex)
+  {
+    directory = fileName.substr(0, lastSlashIndex);
+  }
+  if (directory != ExpectedArcKeyDirectory() || fileName.size() < 5
+      || fileName.substr(fileName.size() - 4) != ".key")
+  {
+    throw AuthenticationException(
+        "The file specified in the 'WWW-Authenticate' header in the response from Azure Arc "
+        "Managed Identity Endpoint has an unexpected file path.");
+  }
+
+  struct stat s;
+  if (!stat(fileName.c_str(), &s))
+  {
+    if (s.st_size > MaximumAzureArcKeySize)
+    {
+      throw AuthenticationException(
+          "The file specified in the 'WWW-Authenticate' header in the response from Azure Arc "
+          "Managed Identity Endpoint is larger than 4096 bytes.");
+    }
+  }
+  else
+  {
+    throw AuthenticationException("Failed to get file size for '" + fileName + "'.");
+  }
+}
 } // namespace
 
 Azure::Core::Url ManagedIdentitySource::ParseEndpointUrl(
@@ -352,7 +422,11 @@ Azure::Core::Credentials::AccessToken AzureArcManagedIdentitySource::GetToken(
           }
 
           auto request = createRequest();
-          std::ifstream secretFile(challenge.substr(eq + 1));
+
+          const std::string fileName = challenge.substr(eq + 1);
+          ValidateArcKeyFile(fileName);
+
+          std::ifstream secretFile(fileName);
           request->HttpRequest.SetHeader(
               "Authorization",
               "Basic "

sdk/identity/azure-identity/src/private/package_version.hpp

@@ -11,9 +11,9 @@
 #include <cstdint>
 
 #define AZURE_IDENTITY_VERSION_MAJOR 1
-#define AZURE_IDENTITY_VERSION_MINOR 7
+#define AZURE_IDENTITY_VERSION_MINOR 8
 #define AZURE_IDENTITY_VERSION_PATCH 0
-#define AZURE_IDENTITY_VERSION_PRERELEASE "beta.3"
+#define AZURE_IDENTITY_VERSION_PRERELEASE ""
 
 #define AZURE_IDENTITY_VERSION_ITOA_HELPER(i) #i
 #define AZURE_IDENTITY_VERSION_ITOA(i) AZURE_IDENTITY_VERSION_ITOA_HELPER(i)