Example #1
    def test_initialize_session_token(self):
        """A session built from a raw access token hands that token back unchanged.

        Only the access-token and subscription variables are set; the wrapper
        returned by get_credentials() is expected to hold no inner credential.
        """
        # 'token' is a placeholder literal. clear=True empties os.environ for
        # the duration of the block, so no ambient credential from the host
        # running the test can influence which auth path Session selects.
        token_env = {
            constants.ENV_ACCESS_TOKEN: 'token',
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        }
        with patch.dict(os.environ, token_env, clear=True):
            s = Session()

            # NOTE(review): _credential is a private attribute; this check is
            # coupled to the wrapper's internal layout.
            inner = s.get_credentials()._credential
            self.assertIsNone(inner)
            self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)

            issued = s.get_credentials().get_token()
            self.assertEqual(issued, AccessToken('token', 0))
Example #2
    def test_initialize_session_msi_authentication_error(self, mock_log, mock_cred):
        """A failing managed-identity token request ends in SystemExit and one log call.

        mock_log and mock_cred are presumably supplied by patch decorators that
        sit outside this excerpt.
        """
        # Every call through the patched credential raises, standing in for an
        # identity endpoint that cannot be reached or refuses the request.
        mock_cred.side_effect = HTTPError()

        msi_env = {
            constants.ENV_USE_MSI: 'true',
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        }

        with self.assertRaises(SystemExit):
            # clear=True keeps host credentials out of the test process.
            with patch.dict(os.environ, msi_env, clear=True):
                s = Session()
                s.get_credentials().get_token()

        # The failure must be reported exactly once rather than swallowed.
        mock_log.assert_called_once()
Example #3
    def test_initialize_msi_auth_user(self):
        """MSI with a client id selects a ManagedIdentityCredential for that id."""
        # clear=True removes every other variable, so only the three below can
        # drive credential selection.
        msi_env = {
            constants.ENV_USE_MSI: 'true',
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
            constants.ENV_CLIENT_ID: 'client',
        }
        with patch.dict(os.environ, msi_env, clear=True):
            s = Session()

            wrapped = s.get_credentials()._credential
            self.assertIsInstance(wrapped, ManagedIdentityCredential)

            # NOTE(review): this walks two levels of private attributes to
            # reach the identity config, so it depends on the credential
            # library's internals as well as the session wrapper's.
            configured_id = (
                s.get_credentials()._credential._credential._identity_config["client_id"])
            self.assertEqual(configured_id, 'client')
            self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
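    def augment(self, resources):
        """Annotate resources with the directory principal each one refers to.

        Collects the distinct non-empty ``properties.principalId`` values,
        resolves them through the graph client, and writes ``principalName``,
        ``displayName`` and ``aadType`` onto every resource whose principal was
        returned.

        :param resources: list of resource dicts carrying
            ``['properties']['principalId']``.
        :return: the same list, annotated in place where a principal was found.
        """
        # NOTE(review): graph.windows.net is the Azure AD Graph endpoint, while
        # the warning below names Microsoft Graph - confirm which API is meant.
        s = Session(resource='https://graph.windows.net')
        graph_client = GraphRbacManagementClient(s.get_credentials(),
                                                 s.get_tenant_id())

        object_ids = list(
            set(resource['properties']['principalId'] for resource in resources
                if resource['properties']['principalId']))

        object_params = GetObjectsParameters(
            include_directory_object_references=True, object_ids=object_ids)

        aad_objects = graph_client.objects.get_objects_by_object_ids(
            object_params)

        try:
            principal_dics = {
                aad_object.object_id: aad_object
                for aad_object in aad_objects
            }

            for resource in resources:
                # Resources with an empty principalId were left out of the
                # query, and the directory may not return every id asked for.
                # Indexing the dict directly raised KeyError for those; skip
                # them so one unresolved principal does not abort the run.
                graph_resource = principal_dics.get(
                    resource['properties']['principalId'])
                if graph_resource is None:
                    continue
                resource['principalName'] = self.get_principal_name(
                    graph_resource)
                resource['displayName'] = graph_resource.display_name
                resource['aadType'] = graph_resource.object_type

        except CloudError:
            # The resources are still returned, only without the three
            # directory fields: a filter that matches on principalName,
            # displayName or aadType will then match nothing, and this
            # warning is the only signal that happened.
            log.warning(
                'Credentials not authorized for access to read from Microsoft Graph. \n '
                'Can not query on principalName, displayName, or aadType. \n')

        return resources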
Example #5
    def test_initialize_session_auth_file(self):
        """An authorization file produces a client-secret credential session."""
        s = Session(authorization_file=self.authorization_file)

        # Exact-type comparison (assertIs on type) rather than isinstance: a
        # subclass of ClientSecretCredential would fail this check.
        # NOTE(review): _credential is a private attribute of the wrapper.
        credential_type = type(s.get_credentials()._credential)
        self.assertIs(credential_type, ClientSecretCredential)

        self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
        self.assertEqual(s.get_tenant_id(), 'tenant')
Example #6
    def _enhance_policies(self, access_policies):
        """Add directory details to access policies whose principal resolves.

        :param access_policies: list of policy dicts keyed by ``objectId``;
            an empty or None value is returned untouched.
        :return: the same list; entries whose principal was found gain
            ``displayName``, ``aadType`` and ``principalName``.
        """
        if not access_policies:
            return access_policies

        # The graph client is created on first use and kept on the instance.
        if self.graph_client is None:
            graph_session = Session(resource='https://graph.windows.net')
            self.graph_client = GraphRbacManagementClient(
                graph_session.get_credentials(), graph_session.get_tenant_id())

        # One directory lookup for all principals named by the policies.
        object_ids = []
        for entry in access_policies:
            object_ids.append(entry['objectId'])

        # GraphHelper.get_principal_dictionary returns an empty AADObject for
        # ids that were not found, or when graph is not available.
        principal_dics = GraphHelper.get_principal_dictionary(
            self.graph_client, object_ids, True)

        for policy in access_policies:
            aad_object = principal_dics[policy['objectId']]
            # An empty placeholder has no object_id. Such policies are left
            # without the three directory fields, so a missing displayName
            # means "unresolved", not "principal has no name".
            if not aad_object.object_id:
                continue
            policy['displayName'] = aad_object.display_name
            policy['aadType'] = aad_object.object_type
            policy['principalName'] = GraphHelper.get_principal_name(
                aad_object)

        return access_policies
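    def augment(self, resources):
        """Annotate resources with the directory principal each one refers to.

        Collects the distinct non-empty ``properties.principalId`` values,
        resolves them through the graph client, and writes ``principalName``,
        ``displayName`` and ``aadType`` onto every resource whose principal was
        returned.

        :param resources: list of resource dicts carrying
            ``['properties']['principalId']``.
        :return: the same list, annotated in place where a principal was found.
        """
        # NOTE(review): graph.windows.net is the Azure AD Graph endpoint, while
        # the warning below names Microsoft Graph - confirm which API is meant.
        s = Session(resource='https://graph.windows.net')
        graph_client = GraphRbacManagementClient(s.get_credentials(), s.get_tenant_id())

        object_ids = list(set(
            resource['properties']['principalId'] for resource in resources
            if resource['properties']['principalId']))

        object_params = GetObjectsParameters(
            include_directory_object_references=True,
            object_ids=object_ids)

        aad_objects = graph_client.objects.get_objects_by_object_ids(object_params)

        try:
            principal_dics = {aad_object.object_id: aad_object for aad_object in aad_objects}

            for resource in resources:
                # Resources with an empty principalId were left out of the
                # query, and the directory may not return every id asked for.
                # Indexing the dict directly raised KeyError for those; skip
                # them so one unresolved principal does not abort the run.
                graph_resource = principal_dics.get(resource['properties']['principalId'])
                if graph_resource is None:
                    continue
                resource['principalName'] = self.get_principal_name(graph_resource)
                resource['displayName'] = graph_resource.display_name
                resource['aadType'] = graph_resource.object_type

        except CloudError:
            # The resources are still returned, only without the three
            # directory fields: a filter that matches on principalName,
            # displayName or aadType will then match nothing, and this
            # warning is the only signal that happened.
            log.warning('Credentials not authorized for access to read from Microsoft Graph. \n '
                        'Can not query on principalName, displayName, or aadType. \n'
                        )

        return resources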
    def test_initialize_session_auth_file(self):
        """An authorization file yields a ServicePrincipalCredentials session."""
        # The real constructor is replaced by a mock returning None, so
        # building the credential object runs none of its own logic.
        init_patch = patch(
            'azure.common.credentials.ServicePrincipalCredentials.__init__',
            autospec=True, return_value=None)
        with init_patch:
            s = Session(authorization_file=self.authorization_file)

            # Exact-type comparison: a subclass would not satisfy assertIs.
            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, ServicePrincipalCredentials)
            self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
            self.assertEqual(s.get_tenant_id(), 'tenant')
Example #9
    def test_initialize_session_auth_file(self):
        """An authorization file yields a ServicePrincipalCredentials session."""
        # The real constructor is replaced by a mock returning None, so
        # building the credential object runs none of its own logic.
        init_patch = patch(
            'azure.common.credentials.ServicePrincipalCredentials.__init__',
            autospec=True, return_value=None)
        with init_patch:
            s = Session(authorization_file=self.authorization_file)

            # Exact-type comparison: a subclass would not satisfy assertIs.
            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, ServicePrincipalCredentials)
            self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
            self.assertEqual(s.get_tenant_id(), 'tenant')
Example #10
    def test_initialize_msi_auth_system(self):
        """MSI without a client id still selects a ManagedIdentityCredential."""
        # No client id is supplied here, in contrast to the user-assigned
        # variant of this test; clear=True guarantees none leaks in from the
        # host environment either.
        msi_env = {
            constants.ENV_USE_MSI: 'true',
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        }
        with patch.dict(os.environ, msi_env, clear=True):
            s = Session()

            # NOTE(review): _credential is a private attribute of the wrapper.
            wrapped = s.get_credentials()._credential
            self.assertIsInstance(wrapped, ManagedIdentityCredential)
            self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
Example #11
    def test_initialize_session_auth_file_no_sub(self):
        """An explicit subscription id is used with the no-subscription auth file."""
        s = Session(authorization_file=self.authorization_file_no_sub,
                    subscription_id=CUSTOM_SUBSCRIPTION_ID)

        # NOTE(review): _credential is a private attribute of the wrapper.
        credential_type = type(s.get_credentials()._credential)
        self.assertIs(credential_type, ClientSecretCredential)
        self.assertEqual(s.get_subscription_id(), CUSTOM_SUBSCRIPTION_ID)

        # The tenant differs between recorded and live auth options, so the
        # check only confirms the value is one of the two accepted ones.
        tenant = s.get_tenant_id()
        self.assertTrue(tenant in [DEFAULT_TENANT_ID, 'tenant'])
Example #12
    def test_initialize_session_token(self, _1):
        """An access token in the environment selects BasicTokenAuthentication.

        _1 is unused here; presumably a mock injected by a patch decorator that
        is outside this excerpt.
        """
        # 'token' is a placeholder literal. clear=True empties os.environ so
        # nothing from the host can change which auth path is taken.
        token_env = {
            constants.ENV_ACCESS_TOKEN: 'token',
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        }
        with patch.dict(os.environ, token_env, clear=True):
            s = Session()

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, BasicTokenAuthentication)
            self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
Example #13
    def test_initialize_session_authentication_error(self, mock_log, mock_cred):
        """A rejected service-principal login ends in SystemExit and one log call.

        mock_log and mock_cred are presumably supplied by patch decorators that
        sit outside this excerpt.
        """
        # Build an AuthenticationError that carries an AdalError with an
        # error_response payload as its inner exception.
        inner = AdalError("test")
        inner.error_response = {'error': 'test'}
        failure = AuthenticationError('test')
        failure.inner_exception = inner
        mock_cred.side_effect = failure

        # Placeholder values only; clear=True keeps real host credentials out.
        principal_env = {
            constants.ENV_TENANT_ID: DEFAULT_TENANT_ID,
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
            constants.ENV_CLIENT_ID: 'client',
            constants.ENV_CLIENT_SECRET: 'secret',
        }

        with self.assertRaises(SystemExit):
            with patch.dict(os.environ, principal_env, clear=True):
                s = Session()
                s.get_credentials().get_token()

        # The failure must be reported exactly once rather than swallowed.
        mock_log.assert_called_once()
Example #14
    def test_initialize_session_token(self):
        """An access token in the environment selects BasicTokenAuthentication."""
        subscription = 'ea42f556-5106-4743-99b0-c129bfa71a47'
        # 'token' is a placeholder literal. clear=True empties os.environ so
        # nothing from the host can change which auth path is taken.
        token_env = {
            constants.ENV_ACCESS_TOKEN: 'token',
            constants.ENV_SUB_ID: subscription,
        }
        with patch.dict(os.environ, token_env, clear=True):
            s = Session()

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, BasicTokenAuthentication)
            self.assertEqual(s.get_subscription_id(), 'ea42f556-5106-4743-99b0-c129bfa71a47')
    def test_initialize_session_token(self):
        """An access token in the environment selects BasicTokenAuthentication."""
        # 'token' is a placeholder literal. clear=True empties os.environ so
        # nothing from the host can change which auth path is taken.
        token_env = {
            constants.ENV_ACCESS_TOKEN: 'token',
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        }
        with patch.dict(os.environ, token_env, clear=True):
            s = Session()

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, BasicTokenAuthentication)
            self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
Example #16
    def test_initialize_msi_auth_system(self):
        """MSI without a client id selects MSIAuthentication."""
        # The real constructor is replaced by a mock returning None, so
        # building the credential object runs none of its own logic.
        init_patch = patch('msrestazure.azure_active_directory.MSIAuthentication.__init__',
                           autospec=True, return_value=None)
        msi_env = {
            constants.ENV_USE_MSI: 'true',
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        }
        # clear=True keeps any host credential variables out of the test.
        with init_patch, patch.dict(os.environ, msi_env, clear=True):
            s = Session()

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, MSIAuthentication)
            self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
    def test_initialize_msi_auth_system(self):
        """MSI without a client id selects MSIAuthentication."""
        # The real constructor is replaced by a mock returning None, so
        # building the credential object runs none of its own logic.
        init_patch = patch('msrestazure.azure_active_directory.MSIAuthentication.__init__',
                           autospec=True, return_value=None)
        msi_env = {
            constants.ENV_USE_MSI: 'true',
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        }
        # clear=True keeps any host credential variables out of the test.
        with init_patch, patch.dict(os.environ, msi_env, clear=True):
            s = Session()

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, MSIAuthentication)
            self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
Example #18
    def test_initialize_msi_auth_system(self):
        """MSI without a client id selects MSIAuthentication."""
        # The real constructor is replaced by a mock returning None, so
        # building the credential object runs none of its own logic.
        init_patch = patch('msrestazure.azure_active_directory.MSIAuthentication.__init__',
                           autospec=True, return_value=None)
        msi_env = {
            constants.ENV_USE_MSI: 'true',
            constants.ENV_SUB_ID: 'ea42f556-5106-4743-99b0-c129bfa71a47',
        }
        # clear=True keeps any host credential variables out of the test.
        with init_patch, patch.dict(os.environ, msi_env, clear=True):
            s = Session()

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, MSIAuthentication)
            self.assertEqual(s.get_subscription_id(), 'ea42f556-5106-4743-99b0-c129bfa71a47')
Example #19
    def test_initialize_session_auth_file_no_sub(self):
        """An explicit subscription id is used with the no-subscription auth file."""
        # The real constructor is replaced by a mock returning None, so
        # building the credential object runs none of its own logic.
        init_patch = patch(
            'azure.common.credentials.ServicePrincipalCredentials.__init__',
            autospec=True, return_value=None)
        with init_patch:
            s = Session(authorization_file=self.authorization_file_no_sub,
                        subscription_id=CUSTOM_SUBSCRIPTION_ID)

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, ServicePrincipalCredentials)
            self.assertEqual(s.get_subscription_id(), CUSTOM_SUBSCRIPTION_ID)

            # The tenant differs between recorded and live auth options, so
            # the check only confirms it is one of the two accepted values.
            tenant = s.get_tenant_id()
            self.assertTrue(tenant in [DEFAULT_TENANT_ID, 'tenant'])
Example #20
    def test_initialize_session_principal(self):
        """Tenant, client id and secret in the environment select ClientSecretCredential."""
        # 'client' and 'secret' are placeholder literals. clear=True empties
        # os.environ so no real service-principal secret from the host can be
        # read by the session under test.
        principal_env = {
            constants.ENV_TENANT_ID: DEFAULT_TENANT_ID,
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
            constants.ENV_CLIENT_ID: 'client',
            constants.ENV_CLIENT_SECRET: 'secret',
        }
        with patch.dict(os.environ, principal_env, clear=True):
            s = Session()

            # NOTE(review): _credential is a private attribute of the wrapper.
            credential_type = type(s.get_credentials()._credential)
            self.assertIs(credential_type, ClientSecretCredential)
            self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
            self.assertEqual(s.get_tenant_id(), DEFAULT_TENANT_ID)
Example #21
    def test_initialize_session_token(self):
        """An access token in the environment selects BasicTokenAuthentication."""
        # 'token' is a placeholder literal. clear=True empties os.environ so
        # nothing from the host can change which auth path is taken.
        token_env = {
            constants.ENV_ACCESS_TOKEN: 'token',
            constants.ENV_SUB_ID: 'ea42f556-5106-4743-99b0-c129bfa71a47',
        }
        with patch.dict(os.environ, token_env, clear=True):
            s = Session()

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, BasicTokenAuthentication)

            subscription = s.get_subscription_id()
            self.assertEqual(subscription, 'ea42f556-5106-4743-99b0-c129bfa71a47')
Example #22
    def test_initialize_session_principal(self):
        """Tenant, client id and secret in the environment select ServicePrincipalCredentials."""
        # The real constructor is replaced by a mock returning None, so
        # building the credential object runs none of its own logic.
        init_patch = patch(
            'azure.common.credentials.ServicePrincipalCredentials.__init__',
            autospec=True, return_value=None)
        # Placeholder values only; clear=True keeps real host secrets out.
        principal_env = {
            constants.ENV_TENANT_ID: DEFAULT_TENANT_ID,
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
            constants.ENV_CLIENT_ID: 'client',
            constants.ENV_CLIENT_SECRET: 'secret',
        }
        with init_patch, patch.dict(os.environ, principal_env, clear=True):
            s = Session()

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, ServicePrincipalCredentials)
            self.assertEqual(s.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
            self.assertEqual(s.get_tenant_id(), DEFAULT_TENANT_ID)
Example #23
    def test_initialize_session_principal(self):
        """Tenant, client id and secret in the environment select ServicePrincipalCredentials."""
        # The real constructor is replaced by a mock returning None, so
        # building the credential object runs none of its own logic.
        init_patch = patch(
            'azure.common.credentials.ServicePrincipalCredentials.__init__',
            autospec=True, return_value=None)
        # Placeholder values only; clear=True keeps real host secrets out.
        principal_env = {
            constants.ENV_TENANT_ID: 'tenant',
            constants.ENV_SUB_ID: 'ea42f556-5106-4743-99b0-c129bfa71a47',
            constants.ENV_CLIENT_ID: 'client',
            constants.ENV_CLIENT_SECRET: 'secret',
        }
        with init_patch, patch.dict(os.environ, principal_env, clear=True):
            s = Session()

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, ServicePrincipalCredentials)
            self.assertEqual(s.get_subscription_id(), 'ea42f556-5106-4743-99b0-c129bfa71a47')
Example #24
    def test_initialize_msi_auth_user(self):
        """MSI with a client id selects MSIAuthentication."""
        # The real constructor is replaced by a mock returning None, so
        # building the credential object runs none of its own logic.
        init_patch = patch(
            'msrestazure.azure_active_directory.MSIAuthentication.__init__',
            autospec=True, return_value=None)
        msi_env = {
            constants.ENV_USE_MSI: 'true',
            constants.ENV_SUB_ID: 'ea42f556-5106-4743-99b0-c129bfa71a47',
            constants.ENV_CLIENT_ID: 'client',
        }
        # clear=True keeps any host credential variables out of the test.
        with init_patch, patch.dict(os.environ, msi_env, clear=True):
            s = Session()

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, MSIAuthentication)

            subscription = s.get_subscription_id()
            self.assertEqual(subscription, 'ea42f556-5106-4743-99b0-c129bfa71a47')
    def augment(self, resources):
        """Annotate resources with the directory principal each one refers to.

        :param resources: list of resource dicts carrying
            ``['properties']['principalId']``.
        :return: the same list; resources whose principal id is present in the
            lookup result gain ``principalName``, ``displayName`` and
            ``aadType``.
        """
        graph_session = Session(resource='https://graph.windows.net')
        graph_client = GraphRbacManagementClient(
            graph_session.get_credentials(), graph_session.get_tenant_id())

        # Distinct, non-empty principal ids across all resources.
        unique_ids = set()
        for resource in resources:
            if resource['properties']['principalId']:
                unique_ids.add(resource['properties']['principalId'])
        object_ids = list(unique_ids)

        principal_dics = GraphHelper.get_principal_dictionary(graph_client, object_ids)

        for resource in resources:
            principal_id = resource['properties']['principalId']
            # Ids absent from the lookup result are skipped. Those resources
            # carry none of the three directory fields, so filters on them
            # will not match.
            if principal_id not in principal_dics:
                continue
            graph_resource = principal_dics[principal_id]
            resource['principalName'] = GraphHelper.get_principal_name(graph_resource)
            resource['displayName'] = graph_resource.display_name
            resource['aadType'] = graph_resource.object_type

        return resources
Example #26
    def enhance_policies(self, access_policies):
        """Add directory details to every access policy.

        :param access_policies: list of policy dicts keyed by ``objectId``.
        :return: the same list, each entry given ``displayName``, ``aadType``
            and ``principalName``.
        """
        # The graph client is created on first use and kept on the instance.
        if self.graph_client is None:
            graph_session = Session(resource='https://graph.windows.net')
            self.graph_client = GraphRbacManagementClient(
                graph_session.get_credentials(), graph_session.get_tenant_id())

        # One directory lookup for all principals named by the policies.
        object_ids = []
        for entry in access_policies:
            object_ids.append(entry['objectId'])

        # GraphHelper.get_principal_dictionary returns an empty AADObject for
        # ids that were not found, or when graph is not available.
        principal_dics = GraphHelper.get_principal_dictionary(self.graph_client, object_ids)

        for policy in access_policies:
            aad_object = principal_dics[policy['objectId']]
            # NOTE(review): the fields are written even for an empty
            # placeholder object, so an unresolved principal and a resolved
            # one cannot be told apart by key presence alone.
            policy['displayName'] = aad_object.display_name
            policy['aadType'] = aad_object.object_type
            policy['principalName'] = GraphHelper.get_principal_name(aad_object)

        return access_policies
    def augment(self, resources):
        """Annotate resources with the directory principal each one refers to.

        :param resources: list of resource dicts carrying
            ``['properties']['principalId']``.
        :return: the same list; resources whose principal resolved to an object
            with an ``object_id`` gain ``principalName``, ``displayName`` and
            ``aadType``.
        """
        graph_session = Session(resource='https://graph.windows.net')
        graph_client = GraphRbacManagementClient(
            graph_session.get_credentials(), graph_session.get_tenant_id())

        # Distinct, non-empty principal ids across all resources.
        unique_ids = set()
        for resource in resources:
            if resource['properties']['principalId']:
                unique_ids.add(resource['properties']['principalId'])
        object_ids = list(unique_ids)

        principal_dics = GraphHelper.get_principal_dictionary(graph_client, object_ids)

        for resource in resources:
            principal_id = resource['properties']['principalId']
            if principal_id not in principal_dics:
                continue
            graph_resource = principal_dics[principal_id]
            # An entry without an object_id is treated as unresolved and the
            # resource is left without the three directory fields, so filters
            # on them will not match it.
            if not graph_resource.object_id:
                continue
            resource['principalName'] = GraphHelper.get_principal_name(graph_resource)
            resource['displayName'] = graph_resource.display_name
            resource['aadType'] = graph_resource.object_type

        return resources
Example #28
    def test_compare_auth_params(self, _1):
        """Environment and authorization-file sessions yield matching auth params.

        The two sources are expected to differ only in ``enable_cli_auth``:
        truthy for the environment session, absent or falsy for the file one.
        _1 is unused here; presumably a mock injected by a patch decorator that
        is outside this excerpt.
        """
        # Placeholder values for every supported variable. clear=True empties
        # os.environ first so no real secret from the host is compared or
        # printed in a failure diff.
        full_env = {
            constants.ENV_TENANT_ID: 'tenant',
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
            constants.ENV_CLIENT_ID: 'client',
            constants.ENV_CLIENT_SECRET: 'secret',
            constants.ENV_USE_MSI: 'true',
            constants.ENV_ACCESS_TOKEN: 'access_token',
            constants.ENV_KEYVAULT_CLIENT_ID: 'kv_client',
            constants.ENV_KEYVAULT_SECRET_ID: 'kv_secret',
        }
        with patch.dict(os.environ, full_env, clear=True):
            env_params = Session().get_credentials().auth_params

        # The file-based session is built after the environment is restored.
        file_session = Session(authorization_file=self.authorization_file_full)
        file_params = file_session.get_credentials().auth_params

        # pop() removes the one key allowed to differ before the comparison.
        env_cli_flag = env_params.pop('enable_cli_auth')
        self.assertTrue(env_cli_flag)
        file_cli_flag = file_params.pop('enable_cli_auth', None)
        self.assertFalse(file_cli_flag)
        self.assertEqual(env_params, file_params)
Example #29
    def test_initialize_session_principal(self):
        """Tenant, client id and secret in the environment select ServicePrincipalCredentials."""
        # The real constructor is replaced by a mock returning None, so
        # building the credential object runs none of its own logic.
        init_patch = patch(
            'azure.common.credentials.ServicePrincipalCredentials.__init__',
            autospec=True, return_value=None)
        # Placeholder values only; clear=True keeps real host secrets out.
        principal_env = {
            constants.ENV_TENANT_ID: 'tenant',
            constants.ENV_SUB_ID: 'ea42f556-5106-4743-99b0-c129bfa71a47',
            constants.ENV_CLIENT_ID: 'client',
            constants.ENV_CLIENT_SECRET: 'secret',
        }
        with init_patch, patch.dict(os.environ, principal_env, clear=True):
            s = Session()

            credential_type = type(s.get_credentials())
            self.assertIs(credential_type, ServicePrincipalCredentials)

            subscription = s.get_subscription_id()
            self.assertEqual(subscription, 'ea42f556-5106-4743-99b0-c129bfa71a47')