From 4e5ce2db0ee6b50af150f005f562221af8803814 Mon Sep 17 00:00:00 2001
From: yugangw-msft
Date: Fri, 23 Nov 2018 23:11:26 -0800
Subject: [PATCH 1/4] auth: support multi tenant service principal
---
 src/azure-cli-core/azure/cli/core/_profile.py | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/azure-cli-core/azure/cli/core/_profile.py b/src/azure-cli-core/azure/cli/core/_profile.py
index 8f517992f24..ce639b59549 100644
--- a/src/azure-cli-core/azure/cli/core/_profile.py
+++ b/src/azure-cli-core/azure/cli/core/_profile.py
@@ -496,7 +496,8 @@ def get_login_credentials(self, resource=None, subscription_id=None, aux_subscri
 for ext_sub in ext_subs:
 sub = self.get_subscription(ext_sub)
 if sub[_TENANT_ID] != account[_TENANT_ID]:
- external_tenants_info.append((sub[_USER_ENTITY][_USER_NAME], sub[_TENANT_ID]))
+ # external_tenants_info.append((sub[_USER_ENTITY][_USER_NAME], sub[_TENANT_ID]))
+ external_tenants_info.append(sub)
 
 if identity_type is None:
 def _retrieve_token():
@@ -507,12 +508,18 @@ def _retrieve_token():
 account[_TENANT_ID], resource)
 use_cert_sn_issuer = account[_USER_ENTITY].get(_SERVICE_PRINCIPAL_CERT_SN_ISSUER_AUTH)
 return self._creds_cache.retrieve_token_for_service_principal(username_or_sp_id, resource,
+ account[_TENANT_ID],
 use_cert_sn_issuer)
 
 def _retrieve_tokens_from_external_tenants():
 external_tokens = []
- for u, t in external_tenants_info:
- external_tokens.append(self._creds_cache.retrieve_token_for_user(u, t, resource))
+ for s in external_tenants_info:
+ if user_type == _USER:
+ external_tokens.append(self._creds_cache.retrieve_token_for_user(
+ username_or_sp_id, s[_TENANT_ID], resource))
+ else:
+ external_tokens.append(self._creds_cache.retrieve_token_for_service_principal(
+ username_or_sp_id, resource, s[_TENANT_ID], resource))
 return external_tokens
 
 from azure.cli.core.adal_authentication import AdalAuthentication
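Review bot: The commented-out line `+ # external_tenants_info.append((sub[_USER_ENTITY][_USER_NAME], sub[_TENANT_ID]))` in the first hunk should be deleted rather than left in place; the old form is already in version control and a dead line next to the live one will mislead the next reader about which is current. The only consumer visible in the following hunk reads `s[_TENANT_ID]`, so appending just the tenant id, `external_tenants_info.append(sub[_TENANT_ID])`, would keep the list element as simple as before instead of holding whole subscription dicts. get_login_credentials begins before this hunk, so I cannot see whether external_tenants_info has other consumers.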
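Review bot: In `_retrieve_tokens_from_external_tenants` the service-principal branch passes `resource` twice, `username_or_sp_id, resource, s[_TENANT_ID], resource))`. Under the new signature `retrieve_token_for_service_principal(self, sp_id, resource, tenant, use_cert_sn_issuer=False)` the fourth positional argument is `use_cert_sn_issuer`, so a non-empty resource string is silently taken as a truthy flag for every cross-tenant service-principal token, which presumably selects the certificate SN/issuer path regardless of how the account was configured. The `use_cert_sn_issuer` computed inside `_retrieve_token` is local to that closure, so hoist `use_cert_sn_issuer = account[_USER_ENTITY].get(_SERVICE_PRINCIPAL_CERT_SN_ISSUER_AUTH)` into the enclosing scope and call `self._creds_cache.retrieve_token_for_service_principal(username_or_sp_id, resource, s[_TENANT_ID], use_cert_sn_issuer)`. `user_type` is not bound anywhere in the hunk; I assume get_login_credentials, which starts before the hunk, defines it.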
@@ -562,6 +569,7 @@ def get_raw_token(self, resource=None, subscription=None):
 account[_TENANT_ID], resource)
 else:
 creds = self._creds_cache.retrieve_token_for_service_principal(username_or_sp_id,
+ account[_TENANT_ID],
 resource)
 return (creds,
 str(account[_SUBSCRIPTION_ID]),
@@ -878,9 +886,10 @@ def retrieve_token_for_user(self, username, tenant, resource):
 self.persist_cached_creds()
 return (token_entry[_TOKEN_ENTRY_TOKEN_TYPE], token_entry[_ACCESS_TOKEN], token_entry)
 
- def retrieve_token_for_service_principal(self, sp_id, resource, use_cert_sn_issuer=False):
+ def retrieve_token_for_service_principal(self, sp_id, resource, tenant, use_cert_sn_issuer=False):
 self.load_adal_token_cache()
- matched = [x for x in self._service_principal_creds if sp_id == x[_SERVICE_PRINCIPAL_ID]]
+ matched = [x for x in self._service_principal_creds if sp_id == x[_SERVICE_PRINCIPAL_ID] and
+ tenant == tenant[_TENANT_ID]]
 if not matched:
 raise CLIError("Please run 'az account set' to select active account.")
 cred = matched[0]
From 9d2d683a7e26be401b8a89daf5eeed51c9fa3b1e Mon Sep 17 00:00:00 2001
From: yugangw-msft
Date: Fri, 23 Nov 2018 23:35:05 -0800
Subject: [PATCH 2/4] fix test
---
 src/azure-cli-core/azure/cli/core/tests/test_profile.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/azure-cli-core/azure/cli/core/tests/test_profile.py b/src/azure-cli-core/azure/cli/core/tests/test_profile.py
index f17d99c4212..61402e7fe53 100644
--- a/src/azure-cli-core/azure/cli/core/tests/test_profile.py
+++ b/src/azure-cli-core/azure/cli/core/tests/test_profile.py
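Review bot: The call in get_raw_token passes its arguments in the wrong order: `retrieve_token_for_service_principal(username_or_sp_id, account[_TENANT_ID], resource)` binds the tenant id to the `resource` parameter and the resource URI to `tenant`, so the credential lookup in the last hunk is keyed on the resource URI as the tenant and the token is requested with the tenant id as the resource. It should read `self._creds_cache.retrieve_token_for_service_principal(username_or_sp_id, resource, account[_TENANT_ID])`, matching the order used in get_login_credentials in PATCH 1/4. get_raw_token starts before this hunk, so the surrounding branch that reaches this call is not visible here.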
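Review bot: The added filter `tenant == tenant[_TENANT_ID]` subscripts the `tenant` parameter itself instead of the cached entry; the callers pass a tenant id, and if that is a str the expression raises TypeError on the first iteration, so no entry is ever matched. It should be `tenant == x[_TENANT_ID]`, which is the only comparison that actually scopes a cached secret to the tenant it was saved for. The filter also presumes every entry in `self._service_principal_creds` carries a `_TENANT_ID` key; if entries persisted by an older CLI lack it, the comprehension raises KeyError instead of reaching the CLIError below, so `x.get(_TENANT_ID)` may be the safer comparison — I cannot see the persistence format from this hunk. The method continues past the end of the hunk.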
@@ -1050,7 +1050,7 @@ def just_raise(ex):
 mock_arm_client.subscriptions.list.return_value = [self.subscription1]
 finder = SubscriptionFinder(cli, lambda _, _1, _2: mock_auth_context, None, lambda _: mock_arm_client)
 # action
- subs = finder.find_from_user_account(self.user1, 'bar', 'NiceTenant', 'http://someresource')
+ subs = finder.find_from_user_account(self.user1, 'bar', self.tenant_id, 'http://someresource')
 # assert
 self.assertEqual([self.subscription1], subs)
@@ -1122,7 +1122,7 @@ def just_raise(ex):
 mock_arm_client.subscriptions.list.return_value = [self.subscription1]
 finder = SubscriptionFinder(cli, lambda _, _1, _2: mock_auth_context, None, lambda _: mock_arm_client)
 # action
- subs = finder.find_through_interactive_flow('NiceTenant', 'http://someresource')
+ subs = finder.find_through_interactive_flow(self.tenant_id, 'http://someresource')
 # assert
 self.assertEqual([self.subscription1], subs)
From b492388985380ac336696106ac0f3c264535772b Mon Sep 17 00:00:00 2001
From: yugangw-msft
Date: Mon, 26 Nov 2018 09:42:27 -0800
Subject: [PATCH 3/4] update history
---
 src/azure-cli-core/HISTORY.rst | 4 ++++
 src/azure-cli-core/setup.py | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/azure-cli-core/HISTORY.rst b/src/azure-cli-core/HISTORY.rst
index 7f6bb43cb32..8306b96579e 100644
--- a/src/azure-cli-core/HISTORY.rst
+++ b/src/azure-cli-core/HISTORY.rst
@@ -2,6 +2,10 @@ Release History
 ===============
+2.0.53
+++++++
+* core: support cross tenant resource provisioning for multi-tenant service principal
+
 2.0.52
 ++++++
 * Fix bug where ids piped from a command with tsv output is improperly parsed.
diff --git a/src/azure-cli-core/setup.py b/src/azure-cli-core/setup.py
index 608d355bc38..550d9042e09 100644
--- a/src/azure-cli-core/setup.py
+++ b/src/azure-cli-core/setup.py
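Review bot: No test in this series exercises the new `tenant` parameter of retrieve_token_for_service_principal or the service-principal branch of `_retrieve_tokens_from_external_tenants` added in PATCH 1/4; the two hunks here only replace `'NiceTenant'` with `self.tenant_id` in existing user-account tests. A test that seeds `_service_principal_creds` with one entry and calls the method once with the matching tenant and once with a different one would pin the filtering the feature depends on, and would have surfaced the `tenant == tenant[_TENANT_ID]` comparison in that patch. The enclosing test methods start before each hunk, so I cannot tell whether the tenant-id substitution is required by the production change or is an unrelated cleanup.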
@@ -17,7 +17,7 @@ logger.warn("Wheel is not available, disabling bdist_wheel hook")
 cmdclass = {}
-VERSION = "2.0.52"
+VERSION = "2.0.53"
 # If we have source, validate that our version numbers match
 # This should prevent uploading releases with mismatched versions.
 try:
From 7d9fb7ae94776c38ff482359967079d4336e92ff Mon Sep 17 00:00:00 2001
From: yugangw-msft
Date: Mon, 26 Nov 2018 12:10:35 -0800
Subject: [PATCH 4/4] fix lint error
---
 src/azure-cli-core/HISTORY.rst | 5 +----
 src/azure-cli-core/setup.py | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/azure-cli-core/HISTORY.rst b/src/azure-cli-core/HISTORY.rst
index 8306b96579e..c54f52f23e7 100644
--- a/src/azure-cli-core/HISTORY.rst
+++ b/src/azure-cli-core/HISTORY.rst
@@ -2,12 +2,9 @@ Release History
 ===============
-2.0.53
-++++++
-* core: support cross tenant resource provisioning for multi-tenant service principal
-
 2.0.52
 ++++++
+* core: support cross tenant resource provisioning for multi-tenant service principal
 * Fix bug where ids piped from a command with tsv output is improperly parsed.
 2.0.51
diff --git a/src/azure-cli-core/setup.py b/src/azure-cli-core/setup.py
index 550d9042e09..608d355bc38 100644
--- a/src/azure-cli-core/setup.py
+++ b/src/azure-cli-core/setup.py
@@ -17,7 +17,7 @@ logger.warn("Wheel is not available, disabling bdist_wheel hook")
 cmdclass = {}
-VERSION = "2.0.53"
+VERSION = "2.0.52"
 # If we have source, validate that our version numbers match
 # This should prevent uploading releases with mismatched versions.
 try: