Skip to content

Refactor: extract shared PolicyTokenAcquirer + ChangeSafetyParameters (Change Safety – Stage 0)#454

Open
YangAn-microsoft wants to merge 4 commits into
Azure:mainfrom
YangAn-microsoft:feature/change-safety-shared-core
Open

Refactor: extract shared PolicyTokenAcquirer + ChangeSafetyParameters (Change Safety – Stage 0)#454
YangAn-microsoft wants to merge 4 commits into
Azure:mainfrom
YangAn-microsoft:feature/change-safety-shared-core

Conversation

@YangAn-microsoft

@YangAn-microsoft YangAn-microsoft commented Jul 13, 2026

Copy link
Copy Markdown

Summary

Behavior-preserving refactor that extracts the Change Safety policy-token logic (shipped for SDK cmdlets) into two reusable, pipeline-agnostic types so it can be shared by the upcoming AutoRest Change Safety work — without duplicating a compliance-sensitive wire contract.

  • New src/Common/PolicyTokenAcquirer.cs — the pipeline-agnostic wire core (write-verb gate, subscription-id extraction, acquirePolicyToken POST, and x-ms-policy-external-evaluations header stamping) exposed via StampPolicyTokenAsync(...). Sends via its own HttpClient, so it has no dependency on base.SendAsync or any pipeline. public because it will be consumed cross-assembly by ContextAdapter in Az.Accounts (see "Why").
  • New src/Common/ChangeSafetyParameters.cs — factory + name constants for the -AcquirePolicyToken / -ChangeReference dynamic parameters.
  • AcquirePolicyTokenHandler now delegates its SendAsync to PolicyTokenAcquirer then calls base.SendAsync (public ctor / fields / Clone() / ICloneable retained).
  • AzurePSCmdlet.GetDynamicParameters() keeps the read-verb gate and now uses ChangeSafetyParameters.

Why (this is Stage 0 of a multi-repo feature)

AutoRest-generated cmdlets don't inherit AzurePSCmdlet, so they can't reuse the SDK Change Safety handler by inheritance. The upcoming AutoRest work adds an AcquirePolicyToken step in ContextAdapter.OnNewRequest (Az.Accounts, in azure-powershell) that must run the identical wire logic. Extracting it here gives both cmdlet families a single source of truth for the acquirePolicyToken contract instead of a duplicated copy. This PR is the prerequisite for that Az.Accounts change and is intentionally a small, standalone, behavior-preserving refactor.

Behavior change

None. Parameter names, help text, gating, payload, headers, and error mapping are unchanged. Existing tests pass unmodified: AcquirePolicyTokenHandlerTests (Common.Test) and AzureRMCmdletUnitTests (ResourceManager.Test).

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
There may be pipelines that require an authorized user to comment /azp run to run.

@YangAn-microsoft

YangAn-microsoft commented Jul 14, 2026

Copy link
Copy Markdown
Author

/azp run

@azure-pipelines

Copy link
Copy Markdown
Supported commands
  • help:
    • Get descriptions, examples and documentation about supported commands
    • Example: help "command_name"
  • list:
    • List all pipelines for this repository using a comment.
    • Example: "list"
  • run:
    • Run all pipelines or specific pipelines for this repository using a comment. Use this command by itself to trigger all related pipelines, or specify specific pipelines to run.
    • Example: "run" or "run pipeline_name, pipeline_name, pipeline_name"
  • where:
    • Report back the Azure DevOps orgs that are related to this repository and org
    • Example: "where"

See additional documentation.

@azure-pipelines

Copy link
Copy Markdown
Commenter does not have sufficient privileges for PR 454 in repo Azure/azure-powershell-common

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
There may be pipelines that require an authorized user to comment /azp run to run.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request performs a behavior-preserving refactor of the Change Safety “AcquirePolicyToken” implementation by extracting the wire-contract/token-stamping logic and the dynamic parameter definitions into reusable, pipeline-agnostic types. This supports upcoming AutoRest-based cmdlets and cross-assembly reuse (e.g., in Az.Accounts) without duplicating the compliance-sensitive acquirePolicyToken contract.

Changes:

  • Introduces PolicyTokenAcquirer to centralize acquiring/stamping the x-ms-policy-external-evaluations header in a pipeline-agnostic way.
  • Introduces ChangeSafetyParameters to centralize dynamic parameter names and construction for -AcquirePolicyToken and -ChangeReference.
  • Refactors AcquirePolicyTokenHandler and AzurePSCmdlet.GetDynamicParameters() to delegate to the new shared types.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
src/Common/PolicyTokenAcquirer.cs New shared implementation for token acquisition + request header stamping.
src/Common/ChangeSafetyParameters.cs New shared helper for change safety dynamic parameters and name constants.
src/Common/AzurePSCmdlet.cs Switches cmdlet dynamic parameter plumbing to use ChangeSafetyParameters.
src/Common/AcquirePolicyTokenHandler.cs Delegates handler behavior to PolicyTokenAcquirer to preserve the same wire logic.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/Common/PolicyTokenAcquirer.cs
Comment thread src/Common/PolicyTokenAcquirer.cs Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Comment thread src/Common/PolicyTokenAcquirer.cs
Comment thread src/Common/PolicyTokenAcquirer.cs Outdated
Comment thread src/Common/ChangeSafetyParameters.cs

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Comment thread src/Common/PolicyTokenAcquirer.cs
@jsntcy

jsntcy commented Jul 16, 2026

Copy link
Copy Markdown
Member

/azp run

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
Successfully started running 1 pipeline(s).

The acquirer now disposes the token HttpRequestMessage (and its Content) after sending, so the E2E tests could no longer read capturedTokenRequest.Content afterward (ObjectDisposedException). Capture the request body string inside the mock server callback instead.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.

@YangAn-microsoft

Copy link
Copy Markdown
Author

/azp run

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
Successfully started running 1 pipeline(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants