[OBO] Add CLI support for user-delegated authentication configuration (#3128)

Copilot · anushakolan · Aniruddh25 · web-flow · commit 99e30baf3740 · 2026-02-27T10:21:17.000-08:00
## Why make this change? Implements CLI configuration for OBO (On-Behalf-Of) delegated identity as specified in #2898. The OBO core implementation was merged into main via PR #3151. This PR adds CLI commands to enable operators to configure per-user Entra ID authentication to Azure SQL and SQL Server via CLI instead of manual config file editing. ## What is this change? **CLI Commands Added** - `dab configure --data-source.user-delegated-auth.enabled true` - Enable/disable OBO authentication for Azure SQL and SQL Server - `dab configure --data-source.user-delegated-auth.database-audience "https://database.windows.net"` - Configure database resource identifier for token acquisition **Implementation Details** - Updated `ConfigureOptions.cs` with two new CLI option parameters (`dataSourceUserDelegatedAuthEnabled`, `dataSourceUserDelegatedAuthDatabaseAudience`) - Updated `ConfigGenerator.TryUpdateConfiguredDataSourceOptions()` to create/update `UserDelegatedAuthOptions` configuration - Added validation to ensure user-delegated-auth is only used with MSSQL database type - Provider field automatically defaults to "EntraId" when user-delegated-auth is configured - Preserves existing user-delegated-auth configuration when updating individual fields - Help text clarifies support for both Azure SQL and on-premises SQL Server **Configuration Output** The CLI generates configuration that integrates with the `UserDelegatedAuthOptions` from the merged OBO implementation: ```json { "data-source": { "database-type": "mssql", "connection-string": "...", "user-delegated-auth": { "enabled": true, "provider": "EntraId", "database-audience": "https://database.windows.net" } } } ``` **Files Changed (5 CLI-specific files)** - `src/Cli/Commands/ConfigureOptions.cs` - CLI option definitions with SQL Server on-premises support - `src/Cli/ConfigGenerator.cs` - Configuration update logic - `src/Cli.Tests/ConfigureOptionsTests.cs` - Consolidated CLI configuration tests - `src/Cli.Tests/UserDelegatedAuthRuntimeParsingTests.cs` - 2 runtime parsing tests - `src/Cli.Tests/TestHelper.cs` - Added CONFIG_WITH_USER_DELEGATED_AUTH test constant ## How was this tested? - [x] Unit Tests - 9 tests total: - 3 parameterized CLI configuration tests (enabled only, audience only, both together) - 1 update test with JSON structure validation (verifies proper nesting under data-source with correct property names) - 3 validation error tests (PostgreSQL, MySQL, CosmosDB rejection) - 2 runtime parsing tests (verify CLI-generated config loads correctly) - Tests verify default values for properties not explicitly set (Enabled defaults to false, DatabaseAudience defaults to null) - [x] Integration Tests - Verified MSSQL-only validation with PostgreSQL/MySQL/CosmosDB rejection scenarios ## Sample Request(s) **Initialize and configure OBO in one workflow:** ```bash # Initialize MSSQL config dab init --database-type mssql --connection-string "Server=myserver.database.windows.net;Database=mydb" # Enable user-delegated auth with both options dab configure --data-source.user-delegated-auth.enabled true \ --data-source.user-delegated-auth.database-audience "https://database.windows.net" ``` **Update audience for existing configuration:** ```bash dab configure --data-source.user-delegated-auth.database-audience "https://database.usgovcloudapi.net" ``` **Update only the enabled flag:** ```bash dab configure --data-source.user-delegated-auth.enabled false ``` **Validation - fails for non-MSSQL:** ```bash dab init --database-type postgresql --connection-string "..." dab configure --data-source.user-delegated-auth.enabled true # Error: user-delegated-auth is only supported for database-type 'mssql'. ```  <details> <summary>Original prompt</summary> > > ---- > > *This section details on the original issue you should resolve* > > <issue_title>[OBO] CLI Support for Enabling OBO Delegated Identity</issue_title> > <issue_description>Implement CLI support for enabling OBO exactly as defined in the design. > > - These CLI Commands should be supported > `dab configure --data-source.user-delegated-auth.enabled true` > `dab configure --data-source.user-delegated-auth.database-audience "<audience>"` > > - Ensure CLI writes correct config structure > - Ensure runtime consumes CLI‑produced config > > Testing: > 1. CLI sets user-delegated-auth.enabled = true > 2. CLI sets correct database-audience > 3. runtime reads CLI output correctly > 4. invalid CLI input fails deterministically</issue_description> > > <agent_instructions>https://microsoft-my.sharepoint.com/:w:/p/anushakolan/IQDsb4patJ52Q65Cp0QHQ-b_Aazplc1go_6k2HccCOYLQNU?e=Bpuv1Z&wdOrigin=TEAMS-MAGLEV.null_ns.rwc&wdExp=TEAMS-TREATMENT&wdhostclicktime=1770765689642&web=1 > > Follow this design document for more context and questions, understand the requirement of the task, this is the main task, #2898, create the PR accordingly.</agent_instructions> > > ## Comments on the Issue (you are @copilot in this section) > > <comments> > </comments> > </details>  - Fixes #3127  --- 💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com> Co-authored-by: Anusha Kolan <anushakolan10@gmail.com> Co-authored-by: Aniruddh Munde <anmunde@microsoft.com>
diff --git a/src/Cli.Tests/ConfigureOptionsTests.cs b/src/Cli.Tests/ConfigureOptionsTests.cs
@@ -1094,5 +1094,130 @@ private void SetupFileSystemWithInitialConfig(string jsonConfig)
             Assert.IsTrue(RuntimeConfigLoader.TryParseConfig(jsonConfig, out RuntimeConfig? config));
             Assert.IsNotNull(config.Runtime);
         }
+
+        /// <summary>
+        /// Tests adding user-delegated-auth configuration options individually or together.
+        /// Verifies that enabled and database-audience properties can be set independently or combined.
+        /// Also verifies default values for properties not explicitly set.
+        /// Commands:
+        /// - dab configure --data-source.user-delegated-auth.enabled true
+        /// - dab configure --data-source.user-delegated-auth.database-audience "https://database.windows.net"
+        /// - dab configure --data-source.user-delegated-auth.enabled true --data-source.user-delegated-auth.database-audience "https://database.windows.net"
+        /// </summary>
+        [DataTestMethod]
+        [DataRow(true, null, DisplayName = "Set enabled=true only")]
+        [DataRow(null, "https://database.windows.net", DisplayName = "Set database-audience only")]
+        [DataRow(true, "https://database.windows.net", DisplayName = "Set both enabled and database-audience")]
+        public void TestAddUserDelegatedAuthConfiguration(bool? enabledValue, string? audienceValue)
+        {
+            // Arrange
+            SetupFileSystemWithInitialConfig(INITIAL_CONFIG);
+
+            ConfigureOptions options = new(
+                dataSourceUserDelegatedAuthEnabled: enabledValue,
+                dataSourceUserDelegatedAuthDatabaseAudience: audienceValue,
+                config: TEST_RUNTIME_CONFIG_FILE
+            );
+
+            // Act
+            bool isSuccess = TryConfigureSettings(options, _runtimeConfigLoader!, _fileSystem!);
+
+            // Assert
+            Assert.IsTrue(isSuccess);
+            string updatedConfig = _fileSystem!.File.ReadAllText(TEST_RUNTIME_CONFIG_FILE);
+            Assert.IsTrue(RuntimeConfigLoader.TryParseConfig(updatedConfig, out RuntimeConfig? config));
+            Assert.IsNotNull(config.DataSource);
+            Assert.IsNotNull(config.DataSource.UserDelegatedAuth);
+
+            // Verify enabled value (if set, use provided value; otherwise defaults to false)
+            if (enabledValue.HasValue)
+            {
+                Assert.AreEqual(enabledValue.Value, config.DataSource.UserDelegatedAuth.Enabled);
+            }
+            else
+            {
+                Assert.IsFalse(config.DataSource.UserDelegatedAuth.Enabled);
+            }
+
+            // Verify database-audience value
+            if (audienceValue is not null)
+            {
+                Assert.AreEqual(audienceValue, config.DataSource.UserDelegatedAuth.DatabaseAudience);
+            }
+            else
+            {
+                Assert.IsNull(config.DataSource.UserDelegatedAuth.DatabaseAudience);
+            }
+
+            // Verify provider is set to default
+            Assert.AreEqual("EntraId", config.DataSource.UserDelegatedAuth.Provider);
+        }
+
+        /// <summary>
+        /// Tests that enabling user-delegated-auth on a non-MSSQL database fails.
+        /// This method verifies that user-delegated-auth is only allowed for MSSQL database type.
+        /// Command: dab configure --data-source.database-type postgresql --data-source.user-delegated-auth.enabled true
+        /// </summary>
+        [DataTestMethod]
+        [DataRow("postgresql", DisplayName = "Fail when enabling user-delegated-auth on PostgreSQL")]
+        [DataRow("mysql", DisplayName = "Fail when enabling user-delegated-auth on MySQL")]
+        [DataRow("cosmosdb_nosql", DisplayName = "Fail when enabling user-delegated-auth on CosmosDB")]
+        public void TestFailureWhenEnablingUserDelegatedAuthOnNonMSSQLDatabase(string dbType)
+        {
+            // Arrange
+            SetupFileSystemWithInitialConfig(INITIAL_CONFIG);
+
+            ConfigureOptions options = new(
+                dataSourceDatabaseType: dbType,
+                dataSourceUserDelegatedAuthEnabled: true,
+                config: TEST_RUNTIME_CONFIG_FILE
+            );
+
+            // Act
+            bool isSuccess = TryConfigureSettings(options, _runtimeConfigLoader!, _fileSystem!);
+
+            // Assert
+            Assert.IsFalse(isSuccess);
+        }
+
+        /// <summary>
+        /// Tests updating existing user-delegated-auth configuration by changing the database-audience.
+        /// Verifies that the database-audience can be updated while preserving the enabled setting.
+        /// Also validates JSON structure: verifies user-delegated-auth is correctly nested under data-source
+        /// with proper JSON property names (enabled, provider, database-audience).
+        /// </summary>
+        [TestMethod]
+        public void TestUpdateUserDelegatedAuthDatabaseAudience()
+        {
+            // Arrange - Config with existing user-delegated-auth section
+            SetupFileSystemWithInitialConfig(TestHelper.CONFIG_WITH_USER_DELEGATED_AUTH);
+
+            string newAudience = "https://database.usgovcloudapi.net";
+            ConfigureOptions options = new(
+                dataSourceUserDelegatedAuthDatabaseAudience: newAudience,
+                config: TEST_RUNTIME_CONFIG_FILE
+            );
+
+            // Act
+            bool isSuccess = TryConfigureSettings(options, _runtimeConfigLoader!, _fileSystem!);
+
+            // Assert
+            Assert.IsTrue(isSuccess);
+            string updatedConfig = _fileSystem!.File.ReadAllText(TEST_RUNTIME_CONFIG_FILE);
+            Assert.IsTrue(RuntimeConfigLoader.TryParseConfig(updatedConfig, out RuntimeConfig? config));
+            Assert.IsNotNull(config.DataSource);
+            Assert.IsNotNull(config.DataSource.UserDelegatedAuth);
+            Assert.IsTrue(config.DataSource.UserDelegatedAuth.Enabled);
+            Assert.AreEqual(newAudience, config.DataSource.UserDelegatedAuth.DatabaseAudience);
+            Assert.AreEqual("EntraId", config.DataSource.UserDelegatedAuth.Provider);
+
+            // Verify JSON structure using JObject to ensure correct nesting
+            JObject configJson = JObject.Parse(updatedConfig);
+            JToken? userDelegatedAuthSection = configJson["data-source"]?["user-delegated-auth"];
+            Assert.IsNotNull(userDelegatedAuthSection);
+            Assert.AreEqual(newAudience, (string?)userDelegatedAuthSection["database-audience"]);
+            Assert.AreEqual(true, (bool?)userDelegatedAuthSection["enabled"]);
+            Assert.AreEqual("EntraId", (string?)userDelegatedAuthSection["provider"]);
+        }
     }
 }
diff --git a/src/Cli.Tests/TestHelper.cs b/src/Cli.Tests/TestHelper.cs
@@ -279,6 +279,46 @@ public static Process ExecuteDabCommand(string command, string flags)
 
         public const string CONFIG_WITH_DISABLED_GLOBAL_REST_GRAPHQL = $"{{{SAMPLE_SCHEMA_DATA_SOURCE},{RUNTIME_SECTION_WITH_DISABLED_REST_GRAPHQL}}}";
 
+        /// <summary>
+        /// A config json with user-delegated-auth enabled. This is used in tests to verify updating existing
+        /// user-delegated-auth configuration.
+        /// </summary>
+        public const string CONFIG_WITH_USER_DELEGATED_AUTH = @"
+            {
+                ""$schema"": """ + DAB_DRAFT_SCHEMA_TEST_PATH + @""",
+                ""data-source"": {
+                    ""database-type"": ""mssql"",
+                    ""connection-string"": """ + SAMPLE_TEST_CONN_STRING + @""",
+                    ""user-delegated-auth"": {
+                        ""enabled"": true,
+                        ""provider"": ""EntraId"",
+                        ""database-audience"": ""https://database.windows.net""
+                    }
+                },
+                ""runtime"": {
+                    ""rest"": {
+                        ""enabled"": true,
+                        ""path"": ""/api""
+                    },
+                    ""graphql"": {
+                        ""enabled"": true,
+                        ""path"": ""/graphql"",
+                        ""allow-introspection"": true
+                    },
+                    ""host"": {
+                        ""mode"": ""development"",
+                        ""cors"": {
+                            ""origins"": [],
+                            ""allow-credentials"": false
+                        },
+                        ""authentication"": {
+                            ""provider"": ""StaticWebApps""
+                        }
+                    }
+                },
+                ""entities"": {}
+            }";
+
         public const string SINGLE_ENTITY = @"
           {
               ""entities"": {
diff --git a/src/Cli.Tests/UserDelegatedAuthRuntimeParsingTests.cs b/src/Cli.Tests/UserDelegatedAuthRuntimeParsingTests.cs
@@ -0,0 +1,101 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+namespace Cli.Tests
+{
+    [TestClass]
+    public class UserDelegatedAuthRuntimeParsingTests
+    {
+        [TestMethod]
+        public void TestRuntimeCanParseUserDelegatedAuthConfig()
+        {
+            // Arrange
+            string configJson = @"{
+                ""$schema"": ""test"",
+                ""data-source"": {
+                    ""database-type"": ""mssql"",
+                    ""connection-string"": ""testconnectionstring"",
+                    ""user-delegated-auth"": {
+                        ""enabled"": true,
+                        ""database-audience"": ""https://database.windows.net""
+                    }
+                },
+                ""runtime"": {
+                    ""rest"": {
+                        ""enabled"": true,
+                        ""path"": ""/api""
+                    },
+                    ""graphql"": {
+                        ""enabled"": true,
+                        ""path"": ""/graphql"",
+                        ""allow-introspection"": true
+                    },
+                    ""host"": {
+                        ""mode"": ""development"",
+                        ""cors"": {
+                            ""origins"": [],
+                            ""allow-credentials"": false
+                        },
+                        ""authentication"": {
+                            ""provider"": ""StaticWebApps""
+                        }
+                    }
+                },
+                ""entities"": {}
+            }";
+
+            // Act
+            bool success = RuntimeConfigLoader.TryParseConfig(configJson, out RuntimeConfig? config);
+
+            // Assert
+            Assert.IsTrue(success);
+            Assert.IsNotNull(config);
+            Assert.IsNotNull(config.DataSource.UserDelegatedAuth);
+            Assert.IsTrue(config.DataSource.UserDelegatedAuth.Enabled);
+            Assert.AreEqual("https://database.windows.net", config.DataSource.UserDelegatedAuth.DatabaseAudience);
+        }
+
+        [TestMethod]
+        public void TestRuntimeCanParseConfigWithoutUserDelegatedAuth()
+        {
+            // Arrange
+            string configJson = @"{
+                ""$schema"": ""test"",
+                ""data-source"": {
+                    ""database-type"": ""mssql"",
+                    ""connection-string"": ""testconnectionstring""
+                },
+                ""runtime"": {
+                    ""rest"": {
+                        ""enabled"": true,
+                        ""path"": ""/api""
+                    },
+                    ""graphql"": {
+                        ""enabled"": true,
+                        ""path"": ""/graphql"",
+                        ""allow-introspection"": true
+                    },
+                    ""host"": {
+                        ""mode"": ""development"",
+                        ""cors"": {
+                            ""origins"": [],
+                            ""allow-credentials"": false
+                        },
+                        ""authentication"": {
+                            ""provider"": ""StaticWebApps""
+                        }
+                    }
+                },
+                ""entities"": {}
+            }";
+
+            // Act
+            bool success = RuntimeConfigLoader.TryParseConfig(configJson, out RuntimeConfig? config);
+
+            // Assert
+            Assert.IsTrue(success);
+            Assert.IsNotNull(config);
+            Assert.IsNull(config.DataSource.UserDelegatedAuth);
+        }
+    }
+}
diff --git a/src/Cli/Commands/ConfigureOptions.cs b/src/Cli/Commands/ConfigureOptions.cs
@@ -29,6 +29,8 @@ public ConfigureOptions(
             string? dataSourceOptionsSchema = null,
             bool? dataSourceOptionsSetSessionContext = null,
             string? dataSourceHealthName = null,
+            bool? dataSourceUserDelegatedAuthEnabled = null,
+            string? dataSourceUserDelegatedAuthDatabaseAudience = null,
             int? depthLimit = null,
             bool? runtimeGraphQLEnabled = null,
             string? runtimeGraphQLPath = null,
@@ -84,6 +86,8 @@ public ConfigureOptions(
             DataSourceOptionsSchema = dataSourceOptionsSchema;
             DataSourceOptionsSetSessionContext = dataSourceOptionsSetSessionContext;
             DataSourceHealthName = dataSourceHealthName;
+            DataSourceUserDelegatedAuthEnabled = dataSourceUserDelegatedAuthEnabled;
+            DataSourceUserDelegatedAuthDatabaseAudience = dataSourceUserDelegatedAuthDatabaseAudience;
             // GraphQL
             DepthLimit = depthLimit;
             RuntimeGraphQLEnabled = runtimeGraphQLEnabled;
@@ -160,6 +164,12 @@ public ConfigureOptions(
         [Option("data-source.health.name", Required = false, HelpText = "Identifier for data source in health check report.")]
         public string? DataSourceHealthName { get; }
 
+        [Option("data-source.user-delegated-auth.enabled", Required = false, HelpText = "Enable user-delegated authentication (OBO) for Azure SQL and SQL Server. Default: false (boolean).")]
+        public bool? DataSourceUserDelegatedAuthEnabled { get; }
+
+        [Option("data-source.user-delegated-auth.database-audience", Required = false, HelpText = "Database resource identifier for token acquisition (e.g., https://database.windows.net for Azure SQL).")]
+        public string? DataSourceUserDelegatedAuthDatabaseAudience { get; }
+
         [Option("runtime.graphql.depth-limit", Required = false, HelpText = "Max allowed depth of the nested query. Allowed values: (0,2147483647] inclusive. Default is infinity. Use -1 to remove limit.")]
         public int? DepthLimit { get; }
 
diff --git a/src/Cli/ConfigGenerator.cs b/src/Cli/ConfigGenerator.cs
@@ -643,6 +643,7 @@ private static bool TryUpdateConfiguredDataSourceOptions(
             DatabaseType dbType = runtimeConfig.DataSource.DatabaseType;
             string dataSourceConnectionString = runtimeConfig.DataSource.ConnectionString;
             DatasourceHealthCheckConfig? datasourceHealthCheckConfig = runtimeConfig.DataSource.Health;
+            UserDelegatedAuthOptions? userDelegatedAuthConfig = runtimeConfig.DataSource.UserDelegatedAuth;
 
             if (options.DataSourceDatabaseType is not null)
             {
@@ -714,8 +715,41 @@ private static bool TryUpdateConfiguredDataSourceOptions(
                 }
             }
 
+            // Handle user-delegated-auth options
+            if (options.DataSourceUserDelegatedAuthEnabled is not null
+                || options.DataSourceUserDelegatedAuthDatabaseAudience is not null)
+            {
+                // Determine the enabled state: use new value if provided, otherwise preserve existing
+                bool enabled = options.DataSourceUserDelegatedAuthEnabled
+                    ?? userDelegatedAuthConfig?.Enabled
+                    ?? false;
+
+                // Validate that user-delegated-auth is only used with MSSQL when enabled=true
+                if (enabled && !DatabaseType.MSSQL.Equals(dbType))
+                {
+                    _logger.LogError("user-delegated-auth is only supported for database-type 'mssql'.");
+                    return false;
+                }
+
+                // Get database-audience: use new value if provided, otherwise preserve existing
+                string? databaseAudience = options.DataSourceUserDelegatedAuthDatabaseAudience
+                    ?? userDelegatedAuthConfig?.DatabaseAudience;
+
+                // Get provider: preserve existing or use default "EntraId"
+                string? provider = userDelegatedAuthConfig?.Provider ?? "EntraId";
+
+                // Create or update user-delegated-auth config
+                userDelegatedAuthConfig = new UserDelegatedAuthOptions(
+                    Enabled: enabled,
+                    Provider: provider,
+                    DatabaseAudience: databaseAudience);
+            }
+
             dbOptions = EnumerableUtilities.IsNullOrEmpty(dbOptions) ? null : dbOptions;
-            DataSource dataSource = new(dbType, dataSourceConnectionString, dbOptions, datasourceHealthCheckConfig);
+            DataSource dataSource = new(dbType, dataSourceConnectionString, dbOptions, datasourceHealthCheckConfig)
+            {
+                UserDelegatedAuth = userDelegatedAuthConfig
+            };
             runtimeConfig = runtimeConfig with { DataSource = dataSource };
 
             return runtimeConfig != null;
