Add test hook to PopKeyAttestor for MSI v2 attestation tests

src/client/Microsoft.Identity.Client.KeyAttestation/PopKeyAttestor.cs

@@ -16,6 +16,15 @@ namespace Microsoft.Identity.Client.KeyAttestation
     /// </summary>
     internal static class PopKeyAttestor
     {
+        /// <summary>
+        /// Test hook to inject a mock attestation provider for unit testing.
+        /// When set, this delegate is called instead of loading the native DLL.
+        /// </summary>
+        /// <remarks>
+        /// This field is internal and accessible only via InternalsVisibleTo for test assemblies.
+        /// Tests should not run in parallel when using this hook to avoid race conditions.
+        /// </remarks>
+        internal static Func<string, SafeHandle, string, CancellationToken, Task<AttestationResult>> s_testAttestationProvider;
         /// <summary>
         /// Asynchronously attests a Credential Guard/CNG key with the remote attestation service and returns a JWT.
         /// Wraps the synchronous <see cref="AttestationClient.Attest"/> in a Task.Run so callers can
@@ -45,6 +54,12 @@ public static Task<AttestationResult> AttestCredentialGuardAsync(
 
             cancellationToken.ThrowIfCancellationRequested();
 
+            // Check for test provider to avoid loading native DLL in unit tests
+            if (s_testAttestationProvider != null)
+            {
+                return s_testAttestationProvider(endpoint, keyHandle, clientId, cancellationToken);
+            }
+
             return Task.Run(() =>
             {
                 try

tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ImdsV2Tests.cs

@@ -53,12 +53,18 @@ public void ImdsV2Tests_Init()
                 // A broad sweep is simplest and safe for our fake endpoints/certs
                 ImdsV2TestStoreCleaner.RemoveAllTestArtifacts();
             }
+
+            // Inject mock attestation provider to avoid loading native DLL in tests
+            PopKeyAttestor.s_testAttestationProvider = TestAttestationProviders.CreateFakeAttestationResultProvider();
         }
 
         [TestCleanup]
         public void ImdsV2Tests_Cleanup()
         {
             // Cleanup handled automatically with delegate-based approach
+
+            // Reset test provider to ensure clean state for other tests
+            PopKeyAttestor.s_testAttestationProvider = null;
         }
 
         private void AddMocksToGetEntraToken(

tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/TestAttestationProviders.cs

@@ -5,6 +5,7 @@
 using System.Runtime.InteropServices;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Identity.Client.KeyAttestation.Attestation;
 
 namespace Microsoft.Identity.Test.Unit.ManagedIdentityTests
 {
@@ -14,13 +15,15 @@ namespace Microsoft.Identity.Test.Unit.ManagedIdentityTests
     internal static class TestAttestationProviders
     {
         /// <summary>
-        /// Creates a fake attestation provider delegate that returns a mock JWT.
+        /// Creates a fake attestation provider delegate that returns a mock AttestationResult.
+        /// This is used with PopKeyAttestor.s_testAttestationProvider for unit testing.
         /// </summary>
-        public static Func<string, SafeHandle, string, CancellationToken, Task<string>> CreateFakeProvider()
+        public static Func<string, SafeHandle, string, CancellationToken, Task<AttestationResult>> CreateFakeAttestationResultProvider()
         {
             return (attestationEndpoint, keyHandle, clientId, cancellationToken) =>
             {
-                return Task.FromResult("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.fake.attestation.sig");
+                var fakeJwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.fake.attestation.sig";
+                return Task.FromResult(new AttestationResult(AttestationStatus.Success, fakeJwt, 0, string.Empty));
             };
         }