From 42a936dbf38e2871020ed4911dc1aaaa57f674d4 Mon Sep 17 00:00:00 2001
From: Yugang Wang <yugangw@microsoft.com>
Date: Wed, 23 Aug 2017 11:05:16 -0700
Subject: [PATCH] block login flows when inside the cloud console (#4268)

* block login flows when inside the cloud console

* address review feedback

* block logout as well
---
 .../cli/command_modules/profile/custom.py     | 23 +++++++++++++++----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/command_modules/azure-cli-profile/azure/cli/command_modules/profile/custom.py b/src/command_modules/azure-cli-profile/azure/cli/command_modules/profile/custom.py
index 177be9eaf..f49da5e9e 100644
--- a/src/command_modules/azure-cli-profile/azure/cli/command_modules/profile/custom.py
+++ b/src/command_modules/azure-cli-profile/azure/cli/command_modules/profile/custom.py
@@ -13,6 +13,9 @@ from azure.cli.core.cloud import get_active_cloud
 
 logger = get_az_logger(__name__)
 
+_CLOUD_CONSOLE_ERR_TEMPLATE = ("Azure Cloud Shell relies on the user account it was initially launched under, "
+                               "as a result 'az {}' is disabled.")
+
 
 def load_subscriptions(all_clouds=False, refresh=False):
     profile = Profile()
@@ -91,6 +94,13 @@ def login(username=None, password=None, service_principal=None, tenant=None,
 
     profile = Profile()
 
+    if _in_cloud_console():
+        console_tokens = os.environ.get('AZURE_CONSOLE_TOKENS', None)
+        if console_tokens:
+            return profile.find_subscriptions_in_cloud_console(re.split(';|,', console_tokens))
+        else:
+            raise CLIError(_CLOUD_CONSOLE_ERR_TEMPLATE.format('login'))
+
     if username:
         if not password:
             # in a VM with managed service identity?
@@ -102,11 +112,6 @@ def login(username=None, password=None, service_principal=None, tenant=None,
             except NoTTYException:
                 raise CLIError('Please specify both username and password in non-interactive mode.')
     else:
-        # in a cloud console?
-        console_tokens = os.environ.get('AZURE_CONSOLE_TOKENS', None)
-        if console_tokens:
-            return profile.find_subscriptions_in_cloud_console(re.split(';|,', console_tokens))
-
         interactive = True
 
     try:
@@ -137,6 +142,9 @@ def login(username=None, password=None, service_principal=None, tenant=None,
 
 def logout(username=None):
     """Log out to remove access to Azure subscriptions"""
+    if _in_cloud_console():
+        raise CLIError(_CLOUD_CONSOLE_ERR_TEMPLATE.format('logout'))
+
     profile = Profile()
     if not username:
         username = profile.get_current_account_user()
@@ -146,3 +154,8 @@ def logout(username=None):
 def list_locations():
     from azure.cli.core.commands.parameters import get_subscription_locations
     return get_subscription_locations()
+
+
+def _in_cloud_console():
+    import os
+    return os.environ.get('ACC_CLOUD', None)