Example #1
0
def remove_signer(cmd,
                  client,
                  signer=None,
                  signer_file=None,
                  resource_group_name=None,
                  provider_name=None):
    if not signer and not signer_file:
        raise CLIError(
            'Please specify one of parameters: --signer or --signer-file/-f')

    if signer and signer_file:
        raise CLIError('--signer and --signer-file/-f are mutually exclusive.')

    if signer_file:
        signer_file = os.path.expanduser(signer_file)
        if not os.path.exists(signer_file):
            raise CLIError(
                'Signer file "{}" does not exist.'.format(signer_file))
        if not os.path.isfile(signer_file):
            raise CLIError('Signer file "{}" is not a valid file name.'.format(
                signer_file))
        with open(signer_file) as f:
            signer = f.read()

    provider_client = cf_attestation_provider(cmd.cli_ctx)
    provider = provider_client.get(resource_group_name=resource_group_name,
                                   provider_name=provider_name)
    client.remove(tenant_base_url=provider.attest_uri,
                  policy_certificate_to_remove=signer)
    return list_signers(cmd, client, resource_group_name, provider_name)
def repo_creds(username, encrypted_password, has_pass):
    """Get a representation of the container repository credentials"""
    from azure.servicefabric.models import RegistryCredential
    from getpass import getpass

    # Wonky since we allow empty string as an encrypted passphrase
    if not any([username, encrypted_password is not None, has_pass]):
        return None

    if (encrypted_password is not None) and (not username):
        raise CLIError('Missing container repository username')

    if has_pass and (not username):
        raise CLIError('Missing container repository username')

    if encrypted_password is not None:
        return RegistryCredential(registry_user_name=username,
                                  registry_password=encrypted_password,
                                  password_encrypted=True)
    if has_pass:
        passphrase = getpass(prompt='Container repository password: ')
        return RegistryCredential(registry_user_name=username,
                                  registry_password=passphrase,
                                  password_encrypted=False)

    return RegistryCredential(registry_user_name=username)
def validate_provider_resource_id(ns):
    resource_id = getattr(ns, 'identifier', None)
    if resource_id:
        if ns.resource_group_name or ns.provider_name:
            raise CLIError(
                'Please omit --resource-group/-g or --name/-n if you have already specified --id.'
            )

        ns.resource_group_name = resource_id.split('/')[4]
        ns.provider_name = resource_id.split('/')[8]

    if not all([ns.resource_group_name, ns.provider_name]):
        raise CLIError(
            'Please specify both --resource-group/-g and --name/-n.')

    del ns.identifier
def read_file(file_path):
    """Reads a file contents given a file path"""
    file_contents = None
    with open(file_path) as f_desc:
        file_contents = f_desc.read()
    if not file_contents:
        raise CLIError('Could not read {}'.format(file_path))
    return file_contents
Example #5
0
def add_signer(cmd,
               client,
               signer=None,
               signer_file=None,
               resource_group_name=None,
               provider_name=None):
    if not signer and not signer_file:
        raise CLIError(
            'Please specify one of parameters: --signer or --signer-file/-f')

    if signer and signer_file:
        raise CLIError('--signer and --signer-file/-f are mutually exclusive.')

    if signer_file:
        signer_file = os.path.expanduser(signer_file)
        if not os.path.exists(signer_file):
            raise CLIError(
                'Signer file "{}" does not exist.'.format(signer_file))
        if not os.path.isfile(signer_file):
            raise CLIError('Signer file "{}" is not a valid file name.'.format(
                signer_file))
        with open(signer_file) as f:
            signer = f.read()

    provider_client = cf_attestation_provider(cmd.cli_ctx)
    provider = provider_client.get(resource_group_name=resource_group_name,
                                   provider_name=provider_name)
    token = client.add(tenant_base_url=provider.attest_uri,
                       policy_certificate_to_add=signer)
    result = {'Jwt': token}

    if token:
        header = jwt.get_unverified_header(token)
        result.update({
            'Algorithm': header.get('alg', ''),
            'JKU': header.get('jku', '')
        })
        body = jwt.decode(token,
                          algorithms=['RS256'],
                          options={"verify_signature": False})
        result['Certificates'] = body.get('aas-policyCertificates',
                                          {}).get('keys', [])
        result['CertificateCount'] = len(result['Certificates'])

    return result
Example #6
0
def login(scopes: str, client_id=None, tenant_id=None):
    # Stripping whitespaces so that users don't have to worry about how
    # they enter scopes. ie "user.read, mail.read" or "user.read,mail.read"
    scopes = [scope.strip() for scope in scopes.split(',')]
    logged_in = authentication.login(scopes, client_id, tenant_id)

    if not logged_in:
        raise CLIError('Login failed')

    print('Logged in successfully')
Example #7
0
def attestation_attestation_provider_create(client,
                                            resource_group_name,
                                            provider_name,
                                            location,
                                            tags=None,
                                            certs_input_path=None):

    certs = []
    if not certs_input_path:
        certs_input_path = []

    for p in certs_input_path:
        expand_path = os.path.expanduser(p)
        if not os.path.exists(expand_path):
            raise CLIError('Path "{}" does not exist.'.format(expand_path))
        if not os.path.isfile(expand_path):
            raise CLIError(
                '"{}" is not a valid file path.'.format(expand_path))

        with open(expand_path, 'rb') as f:
            pem_data = f.read()

        cert = load_pem_x509_certificate(pem_data, backend=default_backend())
        key = cert.public_key()
        if isinstance(key, rsa.RSAPublicKey):
            kty = 'RSA'
            alg = 'RS256'
        else:
            raise CLIError('Unsupported key type: {}'.format(type(key)))

        jwk = JsonWebKey(kty=kty, alg=alg, use='sig')
        jwk.x5c = [
            base64.b64encode(cert.public_bytes(Encoding.DER)).decode('ascii')
        ]
        certs.append(jwk)

    return client.create(resource_group_name=resource_group_name,
                         provider_name=provider_name,
                         location=location,
                         tags=tags,
                         certs=certs)
Example #8
0
    def _get_endpoint(self):
        host_name = None
        https_prefix = "https://"
        http_prefix = "http://"

        if self.name.lower().startswith(https_prefix):
            self.name = self.name[len(https_prefix):]
        elif self.name.lower().startswith(http_prefix):
            self.name = self.name[len(http_prefix):]

        if not all([valid_hostname(self.name), "." in self.name]):
            instance = self.rp.find_instance(name=self.name, resource_group_name=self.rg)
            host_name = instance.host_name
            if not host_name:
                raise CLIError("Instance has invalid hostName. Aborting operation...")
        else:
            host_name = self.name

        return "https://{}".format(host_name)
Example #9
0
def set_policy(cmd,
               client,
               attestation_type,
               new_attestation_policy=None,
               new_attestation_policy_file=None,
               policy_format='Text',
               resource_group_name=None,
               provider_name=None):

    if new_attestation_policy_file and new_attestation_policy:
        raise CLIError(
            'Please specify just one of --new-attestation-policy and --new-attestation-policy-file/-f'
        )

    if not new_attestation_policy_file and not new_attestation_policy:
        raise CLIError(
            'Please specify --new-attestation-policy or --new-attestation-policy-file/-f'
        )

    if new_attestation_policy_file:
        file_path = os.path.expanduser(new_attestation_policy_file)
        if not os.path.exists(file_path):
            raise CLIError(
                'Policy file "{}" does not exist.'.format(file_path))

        if not os.path.isfile(file_path):
            raise CLIError('"{}" is not a valid file name.'.format(file_path))

        with open(file_path) as f:
            new_attestation_policy = f.read()

    provider_client = cf_attestation_provider(cmd.cli_ctx)
    provider = provider_client.get(resource_group_name=resource_group_name,
                                   provider_name=provider_name)

    if policy_format == 'Text':
        if provider.trust_model != 'AAD':
            raise CLIError(
                'Only supports Text policy under AAD model. Current model: {}. '
                'If you are using signed JWT policy, please specify --policy-format JWT'
                .format(provider.trust_model))

        import jwt
        try:
            new_attestation_policy = \
                base64.urlsafe_b64encode(new_attestation_policy.encode('ascii')).decode('ascii').strip('=')
            new_attestation_policy = {
                'AttestationPolicy': new_attestation_policy
            }
            new_attestation_policy = jwt.encode(new_attestation_policy,
                                                key='',
                                                algorithm='none')
        except TypeError as e:
            print(e)
            raise CLIError(
                'Failed to encode text content, are you using JWT? If yes, please use --policy-format JWT'
            )

    client.set(tenant_base_url=provider.attest_uri,
               tee=tee_mapping[attestation_type],
               new_attestation_policy=new_attestation_policy)
    return get_policy(cmd,
                      client,
                      attestation_type,
                      resource_group_name=resource_group_name,
                      provider_name=provider_name)
def profile_exception_handler(exception):
    raise CLIError(exception)
def auth_exception_handler(exception):
    raise CLIError(exception)
Example #12
0
    def attest_open_enclave(self,
                            tenant_base_url,
                            request,
                            custom_headers=None,
                            raw=False,
                            **operation_config):
        """Attest to an SGX-OpenEnclaveSDK enclave.
        """
        url = '/attest/OpenEnclave'
        path_format_arguments = {
            'tenantBaseUrl':
            self._serialize.url("tenant_base_url",
                                tenant_base_url,
                                'str',
                                skip_quote=True)
        }
        url = self._client.format_url(url, **path_format_arguments)

        # Construct parameters
        query_parameters = {}
        query_parameters['api-version'] = self._serialize.query(
            "self.api_version", self.api_version, 'str')

        # Construct headers
        header_parameters = {}
        header_parameters['Accept'] = 'application/json'
        header_parameters['Content-Type'] = 'text/plain'
        if self.config.generate_client_request_id:
            header_parameters['x-ms-client-request-id'] = str(uuid.uuid1())
        if custom_headers:
            header_parameters.update(custom_headers)
        if self.config.accept_language is not None:
            header_parameters['accept-language'] = self._serialize.header(
                "self.config.accept_language", self.config.accept_language,
                'str')

        # Construct body
        body_content = self._serialize.body(request,
                                            'AttestOpenEnclaveRequest')

        # Construct and send request
        request = self._client.post(url, query_parameters, header_parameters,
                                    body_content)
        response = self._client.send(request, stream=False, **operation_config)

        if response.status_code not in [200, 400, 401]:
            exp = CloudError(response)
            exp.request_id = response.headers.get('x-ms-request-id')
            raise exp

        deserialized = None
        if response.status_code == 400:
            raise CLIError(response.text)
        if response.status_code == 401:
            deserialized = self._deserialize('str', response)

        if raw:
            client_raw_response = ClientRawResponse(deserialized, response)
            return client_raw_response

        return deserialized
    def remove(
            self, tenant_base_url, policy_certificate_to_remove, custom_headers=None, raw=False, **operation_config):
        """Removes the specified policy management certificate. Note that the
        final policy management certificate cannot be removed.

        :param tenant_base_url: The tenant name, for example
         https://mytenant.attest.azure.net.
        :type tenant_base_url: str
        :param policy_certificate_to_remove: An RFC7519 JSON Web Token
         containing a claim named "maa-policyCertificate" whose value is an
         RFC7517 JSON Web Key which specifies a new key to update. The RFC7519
         JWT must be signed with one of the existing signing certificates
        :type policy_certificate_to_remove: str
        :param dict custom_headers: headers that will be added to the request
        :param bool raw: returns the direct response alongside the
         deserialized response
        :param operation_config: :ref:`Operation configuration
         overrides<msrest:optionsforoperations>`.
        :return: object or ClientRawResponse if raw=true
        :rtype: object or ~msrest.pipeline.ClientRawResponse
        :raises: :class:`CloudError<msrestazure.azure_exceptions.CloudError>`
        """
        # Construct URL
        url = self.remove.metadata['url']
        path_format_arguments = {
            'tenantBaseUrl': self._serialize.url("tenant_base_url", tenant_base_url, 'str', skip_quote=True)
        }
        url = self._client.format_url(url, **path_format_arguments)

        # Construct parameters
        query_parameters = {}
        query_parameters['api-version'] = self._serialize.query("self.api_version", self.api_version, 'str')
        # query_parameters['api-version'] = '2018-09-01-preview'

        # Construct headers
        header_parameters = {}
        header_parameters['Accept'] = 'application/json'
        header_parameters['Content-Type'] = 'application/json; charset=utf-8'
        if self.config.generate_client_request_id:
            header_parameters['x-ms-client-request-id'] = str(uuid.uuid1())
        if custom_headers:
            header_parameters.update(custom_headers)
        if self.config.accept_language is not None:
            header_parameters['accept-language'] = self._serialize.header("self.config.accept_language", self.config.accept_language, 'str')

        # Construct body
        body_content = self._serialize.body(policy_certificate_to_remove, 'str')

        # Construct and send request
        request = self._client.post(url, query_parameters, header_parameters, body_content)
        response = self._client.send(request, stream=False, **operation_config)

        if response.status_code not in [200, 400, 401]:
            exp = CloudError(response)
            exp.request_id = response.headers.get('x-ms-request-id')
            raise exp

        deserialized = None
        if response.status_code == 200:
            deserialized = self._deserialize('str', response)
        if response.status_code == 400:
            raise CLIError(response.text)
        if response.status_code == 401:
            deserialized = self._deserialize('str', response)

        if raw:
            client_raw_response = ClientRawResponse(deserialized, response)
            return client_raw_response

        return deserialized
Example #14
0
    def reset(
            self, tenant_base_url, tee, policy_jws, custom_headers=None, raw=False, **operation_config):
        """Resets the attestation policy for the specified tenant and reverts to
        the default policy.

        :param tenant_base_url: The tenant name, for example
         https://mytenant.attest.azure.net.
        :type tenant_base_url: str
        :param tee: Specifies the trusted execution environment to be used to
         validate the evidence. Possible values include: 'SgxEnclave',
         'OpenEnclave', 'CyResComponent', 'VSMEnclave'
        :type tee: str or ~azure.attestation.models.TeeKind
        :param policy_jws: JSON Web Signature with an empty policy document
        :type policy_jws: str
        :param dict custom_headers: headers that will be added to the request
        :param bool raw: returns the direct response alongside the
         deserialized response
        :param operation_config: :ref:`Operation configuration
         overrides<msrest:optionsforoperations>`.
        :return: object or ClientRawResponse if raw=true
        :rtype: object or ~msrest.pipeline.ClientRawResponse
        :raises: :class:`CloudError<msrestazure.azure_exceptions.CloudError>`
        """
        # Construct URL
        url = '/policies/{}%3areset'.format(tee)
        path_format_arguments = {
            'tenantBaseUrl': self._serialize.url("tenant_base_url", tenant_base_url, 'str', skip_quote=True)
        }
        url = self._client.format_url(url, **path_format_arguments)

        # Construct parameters
        query_parameters = {}
        query_parameters['api-version'] = self._serialize.query("self.api_version", self.api_version, 'str')
        query_parameters['tee'] = self._serialize.query("tee", tee, 'str')

        # Construct headers
        header_parameters = {}
        header_parameters['Accept'] = 'application/json'
        header_parameters['Content-Type'] = 'text/plain'
        if self.config.generate_client_request_id:
            header_parameters['x-ms-client-request-id'] = str(uuid.uuid1())
        if custom_headers:
            header_parameters.update(custom_headers)
        if self.config.accept_language is not None:
            header_parameters['accept-language'] = self._serialize.header("self.config.accept_language", self.config.accept_language, 'str')

        # Construct body
        body_content = self._serialize.body(policy_jws, 'str')

        # Construct and send request
        request = self._client.post(url, query_parameters, header_parameters, body_content)
        response = self._client.send(request, stream=False, **operation_config)

        if response.status_code not in [200, 400, 401]:
            exp = CloudError(response)
            exp.request_id = response.headers.get('x-ms-request-id')
            raise exp

        deserialized = None
        if response.status_code == 200:
            deserialized = self._deserialize('str', response)
        if response.status_code == 400:
            raise CLIError(response.text)
        if response.status_code == 401:
            deserialized = self._deserialize('str', response)

        if raw:
            client_raw_response = ClientRawResponse(deserialized, response)
            return client_raw_response

        return deserialized
Example #15
0
 def _get_endpoint(self):
     instance = self.rp.find_instance(name=self.name, resource_group_name=self.rg)
     host_name = instance.host_name
     if not host_name:
         raise CLIError("Retrieved hostName was null which is invalid.")
     return "https://{}".format(instance.host_name)