Closed — no review needed #832
Closed
cheatsheet1999 wants to merge 1 commit into
Three bug-bash regressions discovered during the 0.31.0b1 preview cycle:

#7 az iot dps linked-hub create: reject re-linking the same hub under a different hostname type or authentication method. Previously silently created duplicate iotHubs entries. Adds a single _linked_hub_hostname helper shared with _warn_mixed_endpoint_types (refactor).

#8 az iot hub {device,module}-identity connection-string show: reject --hostname-type service up-front. Devices and modules cannot authenticate against the service endpoint.

#9 az iot hub generate-sas-token: add --hostname-type and produce audience-correct SAS tokens for TLS 1.3 hubs.
- Hub-level scope defaults to 'auto' = service endpoint on GWv2.
- Device/module scope defaults to 'auto' = device endpoint on GWv2.
- service hostname-type is rejected for device/module scopes.

Tests
-----
Unit: +23 SAS hostname-type permutation tests, +3 CS service-rejection tests, +9 dup-link guard tests, +7 _linked_hub_hostname helper tests. 332 unit tests pass on the touched files.
Int: +1 DPS dup-link test, +1 hub-level SAS hostname-type test, +1 device-scope CS/SAS permutation test, +1 module-scope test.

flake8 clean across the whole package.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR delivers three TLS 1.3 / GWv2 bug-bash follow-up fixes for the Azure IoT CLI extension, focused on preventing ambiguous DPS linked-hub states and ensuring generated connection strings / SAS tokens target the correct GWv2 endpoints.
Changes:
- Add a duplicate-link guard to `az iot dps linked-hub create` to prevent linking the same hub multiple times under different hostname types/auth methods.
- Reject `--hostname-type service` for device/module connection-string show commands and for device/module SAS token generation.
- Add `--hostname-type {auto,classic,device,service}` to `az iot hub generate-sas-token` and update SAS `sr=` audience construction to match the selected hostname type.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| HISTORY.rst | Documents bug-bash follow-up fixes and the generate-sas-token behavior change. |
| azext_iot/operations/hub.py | Implements hostname-type selection for SAS audience and rejects unsupported service endpoint usage for device/module scopes. |
| azext_iot/core/custom.py | Adds _linked_hub_hostname helper and enforces DPS linked-hub duplicate protection across hostname types/auth modes. |
| azext_iot/_params.py | Wires --hostname-type parameter into iot hub generate-sas-token. |
| azext_iot/_help.py | Adds generate-sas-token examples demonstrating the new flag. |
| azext_iot/tests/iothub/core/test_iothub_utilities_unit.py | Adds unit tests covering hostname-type permutations and service rejection for CS show. |
| azext_iot/tests/iothub/core/test_iothub_utilities_int.py | Adds integration coverage for hub-scope SAS hostname-type permutations. |
| azext_iot/tests/iothub/devices/test_iothub_devices_int.py | Adds integration coverage for device-scope CS-show + SAS hostname-type permutations. |
| azext_iot/tests/iothub/modules/test_iothub_modules_int.py | Adds integration coverage for module-scope CS-show + SAS hostname-type permutations. |
| azext_iot/tests/dps/core/test_dps_linked_hub_unit.py | Adds unit coverage for duplicate-link guard and _linked_hub_hostname. |
| azext_iot/tests/dps/core/test_dps_linked_hub_int.py | Adds integration test ensuring cross-hostname-type duplicate linking is rejected. |
Comments suppressed due to low confidence (1)

azext_iot/operations/hub.py:2273

`hostname_type` is currently ignored when `--connection-string` is used (the code always calls `_iot_build_sas_token_from_cs(...)` without applying any hostname-type transformation). This makes `az iot hub generate-sas-token --connection-string ... --hostname-type <...>` behave the same for all hostname types and can confuse users now that the flag is advertised for this command. Consider either applying `_transform_hostname(...)` to the parsed HostName (and choosing device/service when `hostname_type=auto` based on scope), or explicitly rejecting `--hostname-type` when `--connection-string` is provided with a clear error message.

```python
if connection_string:
    return {
        DeviceAuthApiType.sas.value: _iot_build_sas_token_from_cs(
            connection_string,
            duration,
        ).generate_sas_token()
    }
```
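The audience binding behind the `sr=` discussion above, as an added example that is not part of the PR or the extension's code: the HMAC covers the URL-encoded resource URI, so a token minted for one hostname cannot be reused or rewritten for another. The hostnames and key are constructed placeholders, and `check_token` is a simplified local model of a verifier (an assumption), not the service's validation logic.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote_plus


def _sign(key_b64, sr_encoded, expiry):
    # The signed string is "<url-encoded audience>\n<expiry>", keyed with the decoded key.
    mac = hmac.new(base64.b64decode(key_b64), f"{sr_encoded}\n{expiry}".encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_sas_token(resource_uri, key_b64, expiry):
    sr = quote_plus(resource_uri)
    sig = quote_plus(_sign(key_b64, sr, expiry))
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}"


def check_token(token, endpoint_host, key_b64, now):
    """Simplified local verifier (assumption): audience host, then signature, then expiry."""
    fields = {k: v[0] for k, v in parse_qs(token.split(" ", 1)[1]).items()}
    if fields["sr"].split("/", 1)[0].lower() != endpoint_host.lower():
        return "audience mismatch"
    expected = _sign(key_b64, quote_plus(fields["sr"]), fields["se"])
    if not hmac.compare_digest(expected, fields["sig"]):
        return "bad signature"
    return "ok" if int(fields["se"]) > now else "expired"


def demo():
    key = base64.b64encode(b"constructed-demo-key-not-a-secret").decode()
    classic = "contoso-hub.classic.example"   # constructed placeholder hostname
    device = "contoso-hub.device.example"     # constructed placeholder hostname
    token = build_sas_token(f"{classic}/devices/dev1", key, expiry=2000)
    return {
        "classic": check_token(token, classic, key, now=1000),
        "device": check_token(token, device, key, now=1000),
        # Editing sr= after signing fixes the audience but invalidates the HMAC.
        "rewritten": check_token(token.replace(classic, device), device, key, now=1000),
        "late": check_token(token, classic, key, now=3000),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} {verdict}")
```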
Comment on lines +2368 to +2374
| auto_tls_key = "deviceHostName" if device_id else "serviceHostName" | ||
| if login: | ||
| resolved_host = _transform_hostname(target["entity"], hostname_type) | ||
| else: | ||
| resolved_host = _resolve_hostname_by_type( | ||
| target, hostname_type, auto_tls_key=auto_tls_key | ||
| ) |
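Review bot: In the `if login:` branch, `auto_tls_key` is computed but never passed on: `_transform_hostname(target["entity"], hostname_type)` receives no scope information, so these lines do not show how `--hostname-type auto` resolves to the device endpoint for device/module scope and the service endpoint for hub scope when `login` is set. Either pass the scope-dependent choice into the login path as well, or add a comment stating where `auto` is resolved for that branch, and cover `login` plus `auto` for both scopes in the unit tests. `auto_tls_key` is also keyed on `device_id` alone; if module scope always carries a `device_id`, a short comment saying so would make that assumption explicit.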
Closed. No action required.