Merged PR 7167: Merge from development to main

Related work items: #7086, #40377, #40829, #40924, #41302, #41412, #41497, #41728, #41762, #41830, #41851, #42218, #42220, #42221, #42278, #42830, #43124, #43143, #43144, #43259, #43282

Author: David-Engel

.gdn/.gdnsuppress

@@ -1,24 +1,29 @@
 {
-  "hydrated": false,
+  "hydrated": true,
   "properties": {
     "helpUri": "https://eng.ms/docs/microsoft-security/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/microsoft-guardian/general/suppressions"
   },
   "version": "1.0.0",
   "suppressionSets": {
     "default": {
       "name": "default",
-      "createdDate": "2026-02-19 21:04:38Z",
-      "lastUpdatedDate": "2026-02-19 21:04:38Z"
+      "createdDate": "2026-02-26 00:51:41Z",
+      "lastUpdatedDate": "2026-02-26 00:51:41Z"
     }
   },
   "results": {
     "bd1ce7227025d22a25d3d98df0aef3b236e0aa4987f80c43874a2afc3e3713a0": {
       "signature": "bd1ce7227025d22a25d3d98df0aef3b236e0aa4987f80c43874a2afc3e3713a0",
       "alternativeSignatures": [],
+      "target": "mssql-py-core/tests/mssql_python/test_bulkcopy_access_token.py",
+      "line": 443,
+      "uriBaseId": "file:///D:/a/_work/1/s/",
       "memberOf": [
         "default"
       ],
-      "createdDate": "2026-02-19 21:04:38Z"
+      "tool": "credscan",
+      "ruleId": "CSCAN-GENERAL0030",
+      "createdDate": "2026-02-26 00:51:41Z"
     }
   }
 }

.github/prompts/plan-documentMssqlTdsPublicApi.prompt.md

@@ -0,0 +1,151 @@
+# Performance benchmark pipeline
+#
+# Compares Criterion benchmark results between the PR branch and
+# the target branch to detect performance regressions.
+# Runs on Linux x64 only.
+
+trigger: none
+
+pr:
+  branches:
+    include:
+      - main
+      - development
+
+parameters:
+  - name: baselineBranch
+    displayName: 'Baseline branch (for manual runs; PR builds auto-detect target)'
+    type: string
+    default: main
+
+stages:
+  - stage: Benchmark
+    displayName: Performance Benchmark
+    jobs:
+      - job: Benchmark
+        displayName: 'Criterion Benchmark'
+        timeoutInMinutes: 30
+        pool:
+          name: RUST-1ES-POOL-WUS3
+          demands:
+            - imageOverride -equals RUST-1ES-UBUSLIM
+        variables:
+          ob_outputDirectory: '$(Build.ArtifactStagingDirectory)'
+
+        steps:
+          - checkout: self
+            fetchDepth: 0
+            persistCredentials: true
+
+          - template: templates/install-dependencies.yml
+            parameters:
+              osType: Linux
+              enableJsDeps: false
+
+          - template: templates/cargo-authenticate-template.yml
+            parameters:
+              osType: Linux
+
+          - template: templates/sql-setup-template.yml
+            parameters:
+              buildTarget: Linux
+
+          - script: |
+              set -euo pipefail
+              CONTAINER_ID=$(docker ps -q --filter ancestor=mcr.microsoft.com/mssql/server:2025-latest)
+              if [ -z "$CONTAINER_ID" ]; then
+                echo "##vso[task.logissue type=error]No SQL Server container found"
+                exit 1
+              fi
+              if [ "$(echo "$CONTAINER_ID" | wc -l)" -ne 1 ]; then
+                echo "##vso[task.logissue type=error]Multiple SQL Server containers found"
+                exit 1
+              fi
+              echo "SQL Server container: $CONTAINER_ID"
+              for i in $(seq 1 30); do
+                if docker exec "$CONTAINER_ID" /opt/mssql-tools18/bin/sqlcmd \
+                  -S localhost -U sa -P "$SQL_PASSWORD" -C -Q "SELECT 1" > /dev/null 2>&1; then
+                  echo "SQL Server ready after $((i * 2))s"
+                  exit 0
+                fi
+                echo "Waiting for SQL Server... ($i/30)"
+                sleep 2
+              done
+              echo "##vso[task.logissue type=error]SQL Server did not become ready in time"
+              exit 1
+            displayName: Wait for SQL Server
+            env:
+              SQL_PASSWORD: $(SQL_PASSWORD)
+
+          - script: cargo install critcmp --version 0.1.8 --locked
+            displayName: Install critcmp
+
+          - script: cargo fetch
+            displayName: Fetch crates
+
+          - script: |
+              set -euo pipefail
+              PR_SHA=$(git rev-parse HEAD)
+              echo "PR commit: $PR_SHA"
+              echo "##vso[task.setvariable variable=PR_SHA]$PR_SHA"
+
+              if [ "$(Build.Reason)" = "PullRequest" ]; then
+                RAW="$(System.PullRequest.TargetBranch)"
+                BASELINE="${RAW#refs/heads/}"
+              else
+                BASELINE="${{ parameters.baselineBranch }}"
+              fi
+              echo "Baseline branch: $BASELINE"
+              echo "##vso[task.setvariable variable=BASELINE_BRANCH]$BASELINE"
+            displayName: Resolve branches
+
+          - script: |
+              set -euo pipefail
+              echo "=== Checking out baseline: $(BASELINE_BRANCH) ==="
+              git fetch origin "$(BASELINE_BRANCH)"
+              git checkout FETCH_HEAD
+
+              echo "=== Running baseline benchmarks ==="
+              cargo bench --package mssql-tds --bench perf -- --save-baseline base
+            displayName: 'Baseline benchmarks ($(BASELINE_BRANCH))'
+            env:
+              SQL_PASSWORD: $(SQL_PASSWORD)
+              DB_HOST: localhost
+              DB_PORT: '1433'
+              DB_USERNAME: sa
+              TRUST_SERVER_CERTIFICATE: 'true'
+              CERT_HOST_NAME: sql1
+
+          - script: |
+              set -euo pipefail
+              echo "=== Checking out PR commit: $(PR_SHA) ==="
+              git checkout "$(PR_SHA)"
+
+              echo "=== Running PR benchmarks ==="
+              cargo bench --package mssql-tds --bench perf -- --save-baseline pr
+            displayName: 'PR benchmarks'
+            env:
+              SQL_PASSWORD: $(SQL_PASSWORD)
+              DB_HOST: localhost
+              DB_PORT: '1433'
+              DB_USERNAME: sa
+              TRUST_SERVER_CERTIFICATE: 'true'
+              CERT_HOST_NAME: sql1
+
+          - script: |
+              set -euo pipefail
+              echo ""
+              echo "============================================"
+              echo "  Benchmark Comparison: base → pr"
+              echo "============================================"
+              echo ""
+              mkdir -p "$(Build.ArtifactStagingDirectory)/benchmarks"
+              critcmp base pr | tee "$(Build.ArtifactStagingDirectory)/benchmarks/comparison.txt"
+            displayName: Compare results
+
+          - task: PublishPipelineArtifact@1
+            inputs:
+              targetPath: '$(Build.ArtifactStagingDirectory)/benchmarks'
+              artifactName: benchmark-results
+            displayName: Publish benchmark results
+            condition: always()

.pipeline/benchmark-pipeline.yml

@@ -428,6 +428,25 @@ impl PyCoreConnection {
         context.ipaddress_preference = ipaddress_preference;
         context.keep_alive_in_ms = keep_alive_in_ms;
         context.keep_alive_interval_in_ms = keep_alive_interval_in_ms;
+        // Block authentication methods not yet supported through py-core.
+        // ActiveDirectoryIntegrated requires Kerberos ticket forwarding via
+        // Entra ID which has no token-provider wired up yet.
+        // ActiveDirectoryPassword requires an Entra ID token provider callback
+        // that py-core does not register.
+        match &transformed.method {
+            mssql_tds::connection::client_context::TdsAuthenticationMethod::ActiveDirectoryIntegrated => {
+                return Err(PyRuntimeError::new_err(
+                    "Authentication method 'ActiveDirectoryIntegrated' is not currently supported by mssql-py-core."
+                ));
+            }
+            mssql_tds::connection::client_context::TdsAuthenticationMethod::ActiveDirectoryPassword => {
+                return Err(PyRuntimeError::new_err(
+                    "Authentication method 'ActiveDirectoryPassword' is not currently supported by mssql-py-core."
+                ));
+            }
+            _ => {}
+        }
+
         context.tds_authentication_method = transformed.method;
         context.access_token = transformed.access_token;
 

mssql-py-core/src/connection.rs

@@ -201,26 +201,17 @@ def test_07_sqlpassword_uid_pwd(self):
         ctx["authentication"] = "SqlPassword"
         _connect_ok(ctx)
 
-    # #8 — ADPassword + UID + PWD → AAD Password
-    #     (will fail against local SQL Server — that's fine, validates pipeline)
+    # #8 — ADPassword + UID + PWD → blocked (not supported by mssql-py-core)
     def test_08_ad_password_uid_pwd(self):
         ctx = _base_ctx()
         ctx["authentication"] = "ActiveDirectoryPassword"
-        try:
-            _connect_ok(ctx)
-        except RuntimeError as e:
-            assert "Unsupported Authentication" not in str(e)
-            assert "Both User and Password" not in str(e)
+        _expect_validation_error(ctx, "not currently supported by mssql-py-core")
 
-    # #9 — ADIntegrated, no creds
+    # #9 — ADIntegrated, no creds → blocked (not supported by mssql-py-core)
     def test_09_ad_integrated_alone(self):
         ctx = _bare_ctx()
         ctx["authentication"] = "ActiveDirectoryIntegrated"
-        try:
-            _connect_ok(ctx)
-        except RuntimeError as e:
-            assert "Unsupported Authentication" not in str(e)
-            assert "User or Password" not in str(e)
+        _expect_validation_error(ctx, "not currently supported by mssql-py-core")
 
     # #10 — ADInteractive + UID (as hint)
     def test_10_ad_interactive_with_hint(self):
@@ -354,39 +345,27 @@ def test_20_admsi_system_clears_pwd(self):
         except RuntimeError as e:
             assert "Both User and Password" not in str(e)
 
-    # #21 — ADIntegrated + UID → UID silently cleared (ODBC dialog behavior)
+    # #21 — ADIntegrated + UID → blocked (not supported by mssql-py-core)
     def test_21_ad_integrated_clears_uid(self):
         ctx = _bare_ctx()
         ctx["authentication"] = "ActiveDirectoryIntegrated"
         ctx["user_name"] = "user@domain.com"
-        try:
-            _connect_ok(ctx)
-        except RuntimeError as e:
-            assert "ActiveDirectoryIntegrated" not in str(e)
-            assert "User or Password" not in str(e)
+        _expect_validation_error(ctx, "not currently supported by mssql-py-core")
 
-    # #22 — ADIntegrated + PWD → PWD silently cleared
+    # #22 — ADIntegrated + PWD → blocked (not supported by mssql-py-core)
     def test_22_ad_integrated_clears_pwd(self):
         ctx = _bare_ctx()
         ctx["authentication"] = "ActiveDirectoryIntegrated"
         ctx["password"] = "secret"
-        try:
-            _connect_ok(ctx)
-        except RuntimeError as e:
-            assert "ActiveDirectoryIntegrated" not in str(e)
-            assert "User or Password" not in str(e)
+        _expect_validation_error(ctx, "not currently supported by mssql-py-core")
 
-    # #23 — ADIntegrated + UID + PWD → both silently cleared
+    # #23 — ADIntegrated + UID + PWD → blocked (not supported by mssql-py-core)
     def test_23_ad_integrated_clears_both(self):
         ctx = _bare_ctx()
         ctx["authentication"] = "ActiveDirectoryIntegrated"
         ctx["user_name"] = "user@domain.com"
         ctx["password"] = "secret"
-        try:
-            _connect_ok(ctx)
-        except RuntimeError as e:
-            assert "ActiveDirectoryIntegrated" not in str(e)
-            assert "User or Password" not in str(e)
+        _expect_validation_error(ctx, "not currently supported by mssql-py-core")
 
 
 # ═══════════════════════════════════════════════════════════════════════════
@@ -521,7 +500,13 @@ def test_38_adspa_pwd_only(self):
 # ═══════════════════════════════════════════════════════════════════════════
 
 class TestAccessTokenClashes:
-    """ODBC conflict matrix §3.5: rows #39–#43."""
+    """ODBC conflict matrix §3.5: rows #39–#43.
+
+    validate_auth enforces strict ODBC-parity: access_token must be
+    the sole credential — any auth keyword, UID, or PWD is a conflict.
+    The Python layer (cursor.py) is responsible for stripping the
+    authentication keyword after acquiring a token, before calling py-core.
+    """
 
     # #39 — Access Token + TC=Yes
     def test_39_token_tc(self):
@@ -671,10 +656,7 @@ def test_case_insensitive_sqlpassword(self):
     def test_case_insensitive_ad_password(self):
         ctx = _base_ctx()
         ctx["authentication"] = "activedirectorypassword"
-        try:
-            _connect_ok(ctx)
-        except RuntimeError as e:
-            assert "Unsupported Authentication" not in str(e)
+        _expect_validation_error(ctx, "not currently supported by mssql-py-core")
 
     # Bogus auth keyword
     def test_bogus_auth_keyword_rejected(self):
@@ -754,7 +736,11 @@ def test_ad_managed_identity_tc(self):
 # ═══════════════════════════════════════════════════════════════════════════
 
 class TestAccessTokenClashesExtended:
-    """Access Token conflicts with each AD auth keyword."""
+    """Access Token conflicts with each AD auth keyword.
+
+    validate_auth rejects access_token combined with any other credential.
+    Python's cursor.py must strip stale fields before calling py-core.
+    """
 
     def test_token_ad_password(self):
         ctx = _bare_ctx()
@@ -790,3 +776,49 @@ def test_token_uid_pwd_combined(self):
         ctx = _base_ctx()
         ctx["access_token"] = "fake-jwt"
         _expect_validation_error(ctx, "Access Token")
+
+
+# ═══════════════════════════════════════════════════════════════════════════
+# Bulkcopy Entra ID: validator enforces clean token-only input
+# ═══════════════════════════════════════════════════════════════════════════
+
+class TestBulkcopyTokenValidation:
+    """Documents the contract between cursor.py and py-core for bulkcopy auth.
+
+    When Python acquires a token via azure-identity, it MUST strip the
+    authentication keyword, user_name, and password before passing the dict
+    to PyCoreConnection. validate_auth enforces this — access_token must
+    arrive alone (except server/TLS params).
+
+    These tests verify the validator correctly rejects stale fields,
+    ensuring the Python layer cleans up properly.
+    """
+
+    def test_token_plus_ad_default_rejected(self):
+        """cursor.py must strip authentication before calling py-core."""
+        ctx = _bare_ctx()
+        ctx["authentication"] = "ActiveDirectoryDefault"
+        ctx["access_token"] = "fake-jwt-default"
+        _expect_validation_error(ctx, "Access Token")
+
+    def test_token_plus_login_hint_rejected(self):
+        """cursor.py must strip user_name (login hint) when token is set."""
+        ctx = _bare_ctx()
+        ctx["access_token"] = "fake-jwt-interactive"
+        ctx["user_name"] = "user@domain.com"
+        _expect_validation_error(ctx, "Access Token")
+
+    def test_token_plus_auth_plus_uid_pwd_rejected(self):
+        """All stale fields must be stripped — validator catches any leak."""
+        ctx = _bare_ctx()
+        ctx["authentication"] = "ActiveDirectoryPassword"
+        ctx["user_name"] = "user@domain.com"
+        ctx["password"] = "old-password"
+        ctx["access_token"] = "fake-jwt"
+        _expect_validation_error(ctx, "Access Token")
+
+    def test_token_alone_accepted(self):
+        """Clean input: only access_token — passes validation."""
+        ctx = _bare_ctx()
+        ctx["access_token"] = "fake-jwt"
+        _expect_no_validation_error(ctx)