Skip to content

symbols: add opt-in Managed Identity support for symbol server auth#58

Merged
devinro merged 10 commits into
mainfrom
agents/add-managed-identity-support
Jun 4, 2026
Merged

symbols: add opt-in Managed Identity support for symbol server auth#58
devinro merged 10 commits into
mainfrom
agents/add-managed-identity-support

Conversation

@devinro

@devinro devinro commented May 28, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds opt-in Azure Managed Identity support for symbol server authentication, enabling headless/Azure deployments (e.g. BigRedPerfAI) to download PDB symbols without interactive browser auth.

Changes

\SymbolFileSourceSettings.cs\

  • Added \ManagedIdentityEnabled\ ([ProtoMember(26)], default \ alse)

\PDBDebugInfoProvider.cs\

  • Refactored static constructor into \BuildAndSetCredentialChain(bool managedIdentityEnabled)\ helper
  • Added \public static ReinitializeCredentials(SymbolFileSourceSettings)\ — necessary because the static ctor runs at class-load time, before application settings are available
  • Credential chains are mutually exclusive: MI-only when enabled, full developer chain when disabled (default, unchanged)
  • Added \credentialLock_\ for thread-safe handler reinitialization

\Program.cs\ (MCP server)

  • Added \�ool useManagedIdentity = false\ parameter to the \OpenTrace\ tool
  • Calls \PDBDebugInfoProvider.ReinitializeCredentials\ before loading the trace

Notes

  • No UI toggle — intended for headless/cloud callers via MCP server parameter
  • Default behavior is unchanged

Add ManagedIdentityEnabled setting (ProtoMember 26, default false) to
SymbolFileSourceSettings. Refactor PDBDebugInfoProvider static credential
chain into BuildAndSetCredentialChain(bool) + public ReinitializeCredentials(settings)
to allow runtime reconfiguration after settings load (static ctor runs before
settings are available).

When ManagedIdentityEnabled=true, use ManagedIdentityCredential exclusively
(no developer/browser creds) for headless Azure deployments. When false
(default), use the existing full developer chain unchanged.

Expose useManagedIdentity parameter on MCP server OpenTrace tool for
headless/Azure callers like BigRedPerfAI.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 28, 2026 18:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds opt-in Azure Managed Identity support for symbol server authentication so headless/Azure callers (e.g. via the MCP server) can download PDBs without interactive browser auth. The credential chain in PDBDebugInfoProvider is refactored so it can be rebuilt at runtime once application settings are available, and a new MCP OpenTrace parameter selects the MI-only chain.

Changes:

  • New ManagedIdentityEnabled setting on SymbolFileSourceSettings (ProtoMember 26, default false).
  • PDBDebugInfoProvider static credential setup refactored into BuildAndSetCredentialChain + thread-safe ReinitializeCredentials; MI-only chain when enabled, full developer chain otherwise.
  • MCP OpenTrace gains a useManagedIdentity parameter that flows into SymbolFileSourceSettings and triggers ReinitializeCredentials.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
src/ProfileExplorerCore/Settings/SymbolFileSourceSettings.cs Adds ManagedIdentityEnabled proto-serialized option.
src/ProfileExplorerCore/Binary/PDBDebugInfoProvider.cs Refactors credential chain construction; adds runtime reinit and lock for thread-safety.
src/ProfileExplorer.McpServer/Program.cs Exposes useManagedIdentity parameter on OpenTrace, propagates to settings and reinitializes credentials.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

devinro and others added 9 commits June 1, 2026 09:26
- PDBDebugInfoProvider: read MANAGED_IDENTITY_CLIENT_ID env var to configure
  user-assigned managed identity when useManagedIdentity=true; previously used
  system-assigned MI which doesn't exist on Azure Batch nodes
- McpActionExecutor: accept useManagedIdentity param in OpenTraceAsync; call
  PDBDebugInfoProvider.ReinitializeCredentials before trace load; force-add
  symweb to symbol paths on Batch nodes (which are not domain-joined and would
  otherwise only have the public MSDL server)
- IMcpActionExecutor/ProfileExplorerMcpServer/Program: wire useManagedIdentity
  flag through MCP interface and JSON RPC handler
- DiagnosticLogger: minor diagnostic improvements
- ProfileExplorerUI.csproj: dependency updates for Azure.Identity

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add symbolPath parameter to IMcpActionExecutor.OpenTraceAsync and the
  open_trace MCP tool, allowing callers to explicitly supply symbol server
  paths rather than having PE infer them from environment heuristics.
- McpActionExecutor now clones App.Settings.SymbolSettings as the base
  (preserving user-configured paths, rejection caches, etc.) and overlays
  the caller-supplied symbolPath and useManagedIdentity flag. Replaces the
  previous approach of constructing fresh settings and force-adding symweb
  when useManagedIdentity was true.
- Remove Console.Error noise from PDBDebugInfoProvider credential init.
- Update MockMcpActionExecutor signature to match interface.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…FILE_EXPLORER_LOG_DIR

PE was hardcoded to check AZ_BATCH_TASK_WORKING_DIR for the log directory,
making it Batch-specific. Replace with a generic PROFILE_EXPLORER_LOG_DIR
env var. Callers (e.g. FUN AI on Batch) can set it to whatever path is
appropriate for their environment.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Allow callers to override the diagnostic log directory via --log-dir <path>
instead of relying on the PROFILE_EXPLORER_LOG_DIR environment variable being
set externally. The arg is parsed before the first DiagnosticLogger call so
Initialize() picks up the override naturally.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace custom CopyNativeDependencies MSBuild target (which only copied
to build output) with Content items using CopyToPublishDirectory so
capstone.dll, msdia140.dll, and tree-sitter DLLs are included when
running dotnet publish.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Path.GetDirectoryName strips '//server' from 'srv*https://server' as
a UNC-like path component, leaving just 'srv*https:'. Bypass
TryGetDirectoryName for symbol server paths (starting with 'srv*').

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
PE stores decorated MSVC names (e.g. ?ProcessComposition@CComposition@@UEAAXXZ)
in FunctionDebugInfo.Name, but callers pass human-readable demangled names
(e.g. CComposition::ProcessComposition) from Kusto telemetry.

FindFunction now builds a lazy per-trace dictionary mapping demangled names
back to IRTextFunction, using PDBDebugInfoProvider.DemangleFunctionName with
OnlyName|NoReturnType|NoSpecialKeywords options. The lookup order is:

1. Exact decorated name match
2. Exact demangled name match (via lazy dict)
3. Exact hex placeholder match
4. Contains on demangled name
5. Contains on decorated/hex name

DemangledFunctionLookup is cleared in ProfileSession.Reset() so it rebuilds
fresh on each new trace load.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Revert the McpServer.csproj native dependency change from Content items
back to the original NativeDependency/CopyNativeDependencies pattern.
Add a matching CopyNativeDependenciesOnPublish target that runs
AfterTargets='Publish' to copy native DLLs (capstone, msdia140,
tree-sitter) to \, ensuring they are included in
self-contained win-x64 publish outputs used for Azure Batch deployment.

Also revert unrelated ProfileExplorerUI.csproj changes (version bump
and publish\ exclusion).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add FunctionNameDemanglingTests covering:
- Non-decorated names pass through unchanged (plain C, hex placeholders, null/empty)
- Decorated MSVC names demangle correctly with default options
- OnlyName|NoReturnType|NoSpecialKeywords options (the exact flags used by
  FindFunction) produce a scoped name matching what Kusto callers supply

Wire managed identity into ProfileExplorer.exe startup path:
- App.OnStartup now calls PDBDebugInfoProvider.ReinitializeCredentials after
  LoadApplicationSettings so that ManagedIdentityEnabled from saved user
  settings is applied at launch, not just when OpenTrace is driven via MCP.
  Previously the static credential chain always started as the interactive
  chain regardless of saved settings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@devinro devinro merged commit de5bdc7 into main Jun 4, 2026
6 checks passed
@devinro devinro deleted the agents/add-managed-identity-support branch June 4, 2026 22:29
trgibeau added a commit that referenced this pull request Jun 24, 2026
Resolve FindFunction conflict in McpServer by adapting main's demangled-name lookup feature to the branch's ProfileFunctionId model. Auto-merge keeps main's Managed Identity symbol auth (#58) alongside the PdbSymbolProvider refactor.
trgibeau added a commit that referenced this pull request Jul 2, 2026
Resolve FindFunction conflict in McpServer by adapting main's demangled-name lookup feature to the branch's ProfileFunctionId model. Auto-merge keeps main's Managed Identity symbol auth (#58) alongside the PdbSymbolProvider refactor.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants