AzureAD · RyAuld · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026
@@ -0,0 +1,13 @@
+{
+  "tool": "Credential Scanner",
+  "suppressions": [
+    {
+      "file": "certificate-with-password.pfx",
+      "_justification": "Self-signed certificate used only in unit tests. Not a production credential."
+    },
+    {
+      "file": "test_mi.py",
-      "file": "certificate-with-password.pfx",
-      "_justification": "Self-signed certificate used only in unit tests. Not a production credential."
-    },
-    {
-      "file": "test_mi.py",
+      "file": "tests/certificate-with-password.pfx",
+      "_justification": "Self-signed certificate used only in unit tests. Not a production credential."
+    },
+    {
+      "file": "tests/test_mi.py",
-      "file": "certificate-with-password.pfx",
-      "_justification": "Self-signed certificate used only in unit tests. Not a production credential."
-    },
-    {
-      "file": "test_mi.py",
+      "file": "tests/certificate-with-password.pfx",
+      "_justification": "Self-signed certificate used only in unit tests. Not a production credential."
+    },
+    {
+      "file": "tests/test_mi.py",
+      "_justification": "WWW-Authenticate challenge header value used as a mock HTTP response fixture in unit tests. Not a real credential."
+    }
+  ]
+}
@@ -0,0 +1,179 @@
+# pipeline-publish.yml
+#
+# Release pipeline for the msal Python package — manually triggered only.
+# Source: https://github.com/AzureAD/microsoft-authentication-library-for-python
+#
+# Publish targets:
+#   test.pypi.org (Preview / RC) — preview releases via MSAL-Test-Python-Upload SC
+#                                   (SC creation pending test.pypi.org API token)
+#   pypi.org (ESRP Production)   — production releases via MSAL-Prod-Python-Upload SC
-#   pypi.org (ESRP Production)   — production releases via MSAL-Prod-Python-Upload SC
+#   pypi.org (ESRP Production)   — production releases via ESRP (EsrpRelease@9) using MSAL-ESRP-AME SC
-#   pypi.org (ESRP Production)   — production releases via MSAL-Prod-Python-Upload SC
+#   pypi.org (ESRP Production)   — production releases via ESRP (EsrpRelease@9) using MSAL-ESRP-AME SC
+#
+# For one-time ADO setup, see ADO-PUBLISH-SETUP.md.
+
+parameters:
+- name: packageVersion
+  displayName: 'Package version to publish (must match msal/sku.py, e.g. 1.36.0 or 1.36.0rc1)'
+  type: string
+
+- name: publishTarget
+  displayName: 'Publish target'
+  type: string
+  values:
+  - 'test.pypi.org (Preview / RC)'
+  - 'pypi.org (ESRP Production)'
+
+trigger: none    # manual runs only — no automatic branch or tag triggers
+pr: none
+
+# Stage flow:
+#
+#   PreBuildCheck ─► Validate ─► CI ─► Build ─► PublishMSALPython  (publishTarget == Preview)
+#                                             └─► PublishPyPI       (publishTarget == ESRP Production)
+
+stages:
+
+# PreBuildCheck, Validate, and CI stages are defined in the shared template.
+- template: template-pipeline-stages.yml
+  parameters:
+    packageVersion: ${{ parameters.packageVersion }}
+    runPublish: true
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 3 · Build — build sdist + wheel
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: Build
+  displayName: 'Build package'
+  dependsOn: CI
+  condition: eq(dependencies.CI.result, 'Succeeded')
+  jobs:
+  - job: BuildDist
+    displayName: 'Build sdist + wheel (Python 3.12)'
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+    - task: UsePythonVersion@0
+      inputs:
+        versionSpec: '3.12'
+      displayName: 'Use Python 3.12'
+
+    - script: |
+        python -m pip install --upgrade pip build twine
+      displayName: 'Install build toolchain'
+
+    - script: |
+        python -m build
+      displayName: 'Build sdist and wheel'
+
+    - script: |
+        python -m twine check dist/*
+      displayName: 'Verify distribution (twine check)'
+
+    - task: PublishPipelineArtifact@1
+      displayName: 'Publish dist/ as pipeline artifact'
+      inputs:
+        targetPath: dist/
+        artifact: python-dist
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 4a · Publish to test.pypi.org (Preview / RC)
+#   Note: requires MSAL-Test-Python-Upload SC in ADO (pending test.pypi.org API token)
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: PublishMSALPython
+  displayName: 'Publish to test.pypi.org (Preview)'
+  dependsOn: Build
+  condition: >
+    and(
+      eq(dependencies.Build.result, 'Succeeded'),
+      eq('${{ parameters.publishTarget }}', 'test.pypi.org (Preview / RC)')
+    )
+  jobs:
+  - deployment: DeployMSALPython
+    displayName: 'Upload to test.pypi.org'
+    pool:
+      vmImage: ubuntu-latest
+    environment: MSAL-Python
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - task: DownloadPipelineArtifact@2
+            displayName: 'Download python-dist artifact'
+            inputs:
+              artifactName: python-dist
+              targetPath: $(Pipeline.Workspace)/python-dist
+
+          - task: UsePythonVersion@0
+            inputs:
+              versionSpec: '3.12'
+            displayName: 'Use Python 3.12'
+
+          - script: |
+              python -m pip install --upgrade pip twine
+            displayName: 'Install twine'
+
+          # TODO: create MSAL-Test-Python-Upload SC with test.pypi.org API token, then uncomment:
+          # - task: TwineAuthenticate@1
+          #   displayName: 'Authenticate with MSAL-Test-Python-Upload'
+          #   inputs:
+          #     pythonUploadServiceConnection: MSAL-Test-Python-Upload
+
+          # - script: |
+          #     python -m twine upload \
+          #       -r "MSAL-Test-Python-Upload" \
+          #       --config-file $(PYPIRC_PATH) \
+          #       --skip-existing \
+          #       $(Pipeline.Workspace)/python-dist/*
+          #   displayName: 'Upload to test.pypi.org'
+
+          - script: echo "Publish to test.pypi.org skipped — MSAL-Test-Python-Upload SC not yet created."
+            displayName: 'Skip upload (SC pending)'
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 4b · Publish to PyPI (ESRP Production)
+#   Uses EsrpRelease@9 via the MSAL-ESRP-AME service connection.
+#   IMPORTANT: configure a required manual approval on this environment in
+#   ADO → Pipelines → Environments → MSAL-Python-Release → Approvals and checks.
+#   IMPORTANT: EsrpRelease@9 requires a Windows agent.
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: PublishPyPI
+  displayName: 'Publish to PyPI (ESRP Production)'
+  dependsOn: Build
+  condition: >
+    and(
+      eq(dependencies.Build.result, 'Succeeded'),
+      eq('${{ parameters.publishTarget }}', 'pypi.org (ESRP Production)')
+    )
+  jobs:
+  - deployment: DeployPyPI
+    displayName: 'Upload to PyPI via ESRP'
+    pool:
+      vmImage: windows-latest
+    environment: MSAL-Python-Release
+    strategy:
+      runOnce:
+        deploy:
+          steps:
+          - task: DownloadPipelineArtifact@2
+            displayName: 'Download python-dist artifact'
+            inputs:
+              artifactName: python-dist
+              targetPath: $(Pipeline.Workspace)/python-dist
+
+          - task: EsrpRelease@9
+            displayName: 'Publish to PyPI via ESRP'
+            inputs:
+              connectedservicename: 'MSAL-ESRP-AME'
+              usemanagedidentity: true
+              keyvaultname: 'MSALVault'
+              signcertname: 'MSAL-ESRP-Release-Signing'
+              clientid: '8650ce2b-38d4-466a-9144-bc5c19c88112'
+              intent: 'PackageDistribution'
+              contenttype: 'PyPi'
+              contentsource: 'Folder'
+              folderlocation: '$(Pipeline.Workspace)/python-dist'
+              waitforreleasecompletion: true
+              owners: 'ryauld@microsoft.com;avdunn@microsoft.com'
+              approvers: 'avdunn@microsoft.com;bogavril@microsoft.com'
+              serviceendpointurl: 'https://api.esrp.microsoft.com'
+              mainpublisher: 'ESRPRELPACMAN'
+              domaintenantid: '33e01921-4d64-4f8c-a055-5bdaffd5e33d'
@@ -0,0 +1,192 @@
+# template-pipeline-stages.yml
+#
+# Shared stages template for the msal Python package.
+#
+# Called from:
+#   pipeline-publish.yml — release build (runPublish: true)
+#   azure-pipelines.yml  — PR gate and post-merge CI (runPublish: false)
+#
+# Parameters:
+#   packageVersion  - Version to validate against msal/sku.py
+#                     Required when runPublish is true; unused otherwise.
+#   runPublish      - When true: also runs the Validate stage before CI.
+#                     When false (PR / merge builds): only PreBuildCheck + CI run.
+#
+# Stage flow:
+#
+#   runPublish: true  → PreBuildCheck ─► Validate ─► CI
+#   runPublish: false → PreBuildCheck ─► CI  (Validate is skipped)
+#
+# Build and Publish stages are defined in pipeline-publish.yml (not here),
+# so that the PR build never references PyPI service connections.
+
+parameters:
+- name: packageVersion
+  type: string
+  default: ''
+- name: runPublish
+  type: boolean
+  default: false
+
+stages:
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 0 · PreBuildCheck — SDL security scans (PoliCheck + CredScan)
+#           Always runs, mirrors MSAL.NET pre-build analysis.
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: PreBuildCheck
+  displayName: 'Pre-build security checks'
+  jobs:
+  - job: SecurityScan
+    displayName: 'PoliCheck + CredScan'
+    pool:
+      vmImage: windows-latest
+    variables:
+      Codeql.SkipTaskAutoInjection: true
+    steps:
+    - task: NodeTool@0
+      displayName: 'Install Node.js (includes npm)'
+      inputs:
+        versionSpec: '20.x'
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
+      displayName: 'Run PoliCheck'
+      inputs:
+        targetType: F
+      continueOnError: true
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+      displayName: 'Run CredScan'
+      inputs:
+        suppressionsFile: '$(Build.SourcesDirectory)/.Pipelines/credscan-exclusion.json'
+        toolMajorVersion: V2
+        debugMode: false
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+      displayName: 'Post Analysis'
+      inputs:
+        GdnBreakGdnToolCredScan: true
+        GdnBreakGdnToolPoliCheck: true
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 1 · Validate — verify packageVersion matches msal/sku.py __version__
+#           Skipped when runPublish is false (PR / merge builds).
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: Validate
+  displayName: 'Validate version'
+  dependsOn: PreBuildCheck
+  condition: and(${{ parameters.runPublish }}, eq(dependencies.PreBuildCheck.result, 'Succeeded'))
+  jobs:
+  - job: ValidateVersion
+    displayName: 'Check version matches source'
+    pool:
+      vmImage: ubuntu-latest
+    steps:
+    - task: UsePythonVersion@0
+      inputs:
+        versionSpec: '3.12'
+      displayName: 'Set up Python'
+
+    - bash: |
+        PARAM_VER="${{ parameters.packageVersion }}"
+        SKU_VER=$(grep '__version__' msal/sku.py | sed 's/.*"\(.*\)".*/\1/')
+
+        if [ -z "$PARAM_VER" ]; then
+          echo "##vso[task.logissue type=error]packageVersion is required. Enter the version to publish (must match msal/sku.py __version__)."
+          exit 1
+        elif [ "$PARAM_VER" != "$SKU_VER" ]; then
+          echo "##vso[task.logissue type=error]Version mismatch: parameter '$PARAM_VER' != msal/sku.py '$SKU_VER'"
+          echo "Update msal/sku.py __version__ to match the packageVersion parameter, or correct the parameter."
+          exit 1
+        else
+          echo "Version validated: $PARAM_VER"
+        fi
+      displayName: 'Verify version parameter matches msal/sku.py'
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Stage 2 · CI — run the full test matrix across all supported Python versions.
+#           Always runs. Waits for Validate when runPublish is true;
+#           runs immediately when Validate is skipped (PR / merge builds).
+# ══════════════════════════════════════════════════════════════════════════════
+- stage: CI
+  displayName: 'Run tests'
+  dependsOn:
+  - PreBuildCheck
+  - Validate
+  condition: |
+    and(
+      eq(dependencies.PreBuildCheck.result, 'Succeeded'),
+      in(dependencies.Validate.result, 'Succeeded', 'Skipped')
+    )
+  jobs:
+  - job: Test
+    displayName: 'Run unit tests'
+    pool:
+      vmImage: ubuntu-latest
+    strategy:
+      matrix:
+        Python39:
+          python.version: '3.9'
+        Python310:
+          python.version: '3.10'
+        Python311:
+          python.version: '3.11'
+        Python312:
+          python.version: '3.12'
+        Python313:
+          python.version: '3.13'
+        Python314:
+          python.version: '3.14'
+    steps:
+    # Retrieve the MSID Lab certificate from Key Vault (via AuthSdkResourceManager SC).
+    # Matches the pattern used by MSAL.js (install-keyvault-secrets.yml) and MSAL Java.
+    - task: AzureKeyVault@2
+      displayName: 'Retrieve lab certificate from Key Vault'
+      inputs:
+        azureSubscription: 'AuthSdkResourceManager'
+        KeyVaultName: 'msidlabs'
+        SecretsFilter: 'LabAuth'
+        RunAsPreJob: false
+
+    - bash: |
+        set -euo pipefail
+        CERT_PATH="$(Agent.TempDirectory)/lab-auth.pfx"
+        printf '%s' "$(LabAuth)" | base64 -d > "$CERT_PATH"
+        echo "##vso[task.setvariable variable=LAB_APP_CLIENT_CERT_PFX_PATH]$CERT_PATH"
+        echo "Lab cert written to: $CERT_PATH ($(wc -c < "$CERT_PATH") bytes)"
+      displayName: 'Write lab certificate to disk'
-        printf '%s' "$(LabAuth)" | base64 -d > "$CERT_PATH"
-        echo "##vso[task.setvariable variable=LAB_APP_CLIENT_CERT_PFX_PATH]$CERT_PATH"
-        echo "Lab cert written to: $CERT_PATH ($(wc -c < "$CERT_PATH") bytes)"
-      displayName: 'Write lab certificate to disk'
+        if [ -z "${LABAUTH:-}" ] || [ "$LABAUTH" = '$(LabAuth)' ]; then
+          echo "Error: LabAuth secret is not set or is invalid. Ensure the LabAuth secret is defined in Azure Pipelines/Key Vault."
+          exit 1
+        fi
+        printf '%s' "$LABAUTH" | base64 -d > "$CERT_PATH"
+        echo "##vso[task.setvariable variable=LAB_APP_CLIENT_CERT_PFX_PATH]$CERT_PATH"
+        echo "Lab cert written to: $CERT_PATH ($(wc -c < "$CERT_PATH") bytes)"
+      displayName: 'Write lab certificate to disk'
+      env:
+        LABAUTH: $(LabAuth)
-        printf '%s' "$(LabAuth)" | base64 -d > "$CERT_PATH"
-        echo "##vso[task.setvariable variable=LAB_APP_CLIENT_CERT_PFX_PATH]$CERT_PATH"
-        echo "Lab cert written to: $CERT_PATH ($(wc -c < "$CERT_PATH") bytes)"
-      displayName: 'Write lab certificate to disk'
+        if [ -z "${LABAUTH:-}" ] || [ "$LABAUTH" = '$(LabAuth)' ]; then
+          echo "Error: LabAuth secret is not set or is invalid. Ensure the LabAuth secret is defined in Azure Pipelines/Key Vault."
+          exit 1
+        fi
+        printf '%s' "$LABAUTH" | base64 -d > "$CERT_PATH"
+        echo "##vso[task.setvariable variable=LAB_APP_CLIENT_CERT_PFX_PATH]$CERT_PATH"
+        echo "Lab cert written to: $CERT_PATH ($(wc -c < "$CERT_PATH") bytes)"
+      displayName: 'Write lab certificate to disk'
+      env:
+        LABAUTH: $(LabAuth)
+
+    - task: UsePythonVersion@0
+      inputs:
+        versionSpec: '$(python.version)'
+      displayName: 'Set up Python'
+
+    - script: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+      displayName: 'Install dependencies'
+
+    # Use bash: explicitly; set -o pipefail so that pytest failures aren't hidden by the pipe to tee.
+    # Without pipefail, tee exits 0 and the step can succeed even when tests fail.
+    # (set -o pipefail also works in script: steps, but bash: makes the shell choice explicit.)
+    - bash: |
+        pip install pytest pytest-azurepipelines
+        mkdir -p test-results
+        set -o pipefail
+        pytest -vv --junitxml=test-results/junit.xml 2>&1 | tee test-results/pytest.log
+      displayName: 'Run tests'
+      env:
+        LAB_APP_CLIENT_CERT_PFX_PATH: $(LAB_APP_CLIENT_CERT_PFX_PATH)
+
+    - task: PublishTestResults@2
+      displayName: 'Publish test results'
+      condition: succeededOrFailed()
+      inputs:
+        testResultsFormat: 'JUnit'
+        testResultsFiles: 'test-results/junit.xml'
+        failTaskOnFailedTests: true
+        testRunTitle: 'Python $(python.version)'
+
+    - bash: rm -f "$(Agent.TempDirectory)/lab-auth.pfx"
+      displayName: 'Clean up lab certificate'
+      condition: always()