def test_refresh_aadtokencredentials_existing_session(user_password):
user, password = user_password
context = adal.AuthenticationContext(
'https://login.microsoftonline.com/common')
token = context.acquire_token_with_username_password(
'https://management.core.windows.net/', user, password,
'04b07795-8ddb-461a-bbee-02f9e1bf7b46')
creds = AADTokenCredentials(token)
root_session = Session()
creds.signed_session(root_session)
response = root_session.get(
"https://management.azure.com/subscriptions?api-version=2016-06-01")
response.raise_for_status() # Should never raise
# Hacking the token time
creds.token['expires_on'] = time.time() - 10
creds.token['expires_at'] = creds.token['expires_on']
try:
creds.signed_session(root_session)
response = root_session.get(
"https://management.azure.com/subscriptions?api-version=2016-06-01"
)
pytest.fail("Requests should have failed")
except oauthlib.oauth2.rfc6749.errors.TokenExpiredError:
creds.refresh_session(root_session)
response = root_session.get(
"https://management.azure.com/subscriptions?api-version=2016-06-01"
)
response.raise_for_status() # Should never raise
def authenticate(self, tenant_id, scope):
app = adal.AuthenticationContext(authority=self.url + tenant_id)
token = None
token = app.acquire_token_with_client_credentials(
scope, self.client_id, self.secret)
print(token)
return AADTokenCredentials(token, self.client_id)
def retrieveToken(self):
"""
Authenticate using service principal w/ key.
"""
if self.resource_uri != "":
client_id = ""
client_secret = ""
authority_host_uri = ""
tenant = ""
# TODO: get this from key vault
with open("metadata.json", "r") as f:
data = json.load(f)
client_id = data['CLIENT_ID']
client_secret = data['CLIENT_SECRET']
authority_host_uri = data["AUTHORITY_HOST_URI"]
tenant = data["TENANT"]
authority_uri = authority_host_uri + '/' + tenant
resource_uri = self.resource_uri
context = adal.AuthenticationContext(authority_uri,
api_version=None)
self.token = context.acquire_token_with_client_credentials(
resource_uri, client_id, client_secret)
credentials = AADTokenCredentials(self.token, client_id)
def create(self, secrets: Dict) -> AADTokenCredentials:
result = AADTokenCredentials(
token={"accessToken": secrets['access_token']},
client_id=secrets.get('client_id'),
cloud_environment=secrets.get('cloud'))
return result
def get_client_for_resource(self,
resource='https://management.core.windows.net/'
):
import adal
from msrestazure.azure_active_directory import AADTokenCredentials
# https://github.com/Azure-Samples/key-vault-python-authentication/blob/master/authentication_sample.py
# create an adal authentication context
auth_context = adal.AuthenticationContext(
'https://login.microsoftonline.com/%s' % self.get_tenantid())
# using the XPlat command line client id as it is available across all tenants and subscriptions
# this would be replaced by your app id
xplat_client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
user_code_info = auth_context.acquire_user_code(
resource, xplat_client_id)
print(user_code_info['message'])
#try:
# import webbrowser
# webbrowser.open_new('https://microsoft.com/devicelogin?input='+ user_code_info['user_code'])
# except:
# pass
token = auth_context.acquire_token_with_device_code(
resource=resource,
client_id=xplat_client_id,
user_code_info=user_code_info)
return AADTokenCredentials(token, xplat_client_id)
def update_batch_and_storage_client_creds(self, batch_auth_token,
mgmt_auth_token):
self.batchCredentials = AADTokenCredentials(
batch_auth_token,
cloud_environment=self.aad_environment_provider.
getEnvironmentForId(self.aad_environment_id),
tenant=self.aad_tenant_name)
self.mgmtCredentials = AADTokenCredentials(
mgmt_auth_token,
cloud_environment=self.aad_environment_provider.
getEnvironmentForId(self.aad_environment_id),
tenant=self.aad_tenant_name)
self._client._mgmt_credentials = self.mgmtCredentials
self._client._client.creds = self.batchCredentials
self.storage_mgmt_client._client.creds = self.mgmtCredentials
def fetch_aad_token_credentials(client_id, client_secret, authority_uri,
resource_uri):
mgmt_token = fetch_aad_token(client_id, client_secret, authority_uri,
resource_uri)
try:
return AADTokenCredentials(mgmt_token, client_id)
except Exception as e:
sys.exit("Error occured while fetching credentials: " + str(e))
def update_batch_and_storage_client_creds(batch_auth_token, mgmt_auth_token,
environment_provider,
aad_environment_id):
global batch_client
batchCredentials = AADTokenCredentials(
batch_auth_token,
cloud_environment=environment_provider.getEnvironmentForId(
aad_environment_id),
tenant=aadTenant)
mgmtCredentials = AADTokenCredentials(
mgmt_auth_token,
cloud_environment=environment_provider.getEnvironmentForId(
aad_environment_id),
tenant=aadTenant)
batch_client._client._mgmt_credentials = mgmtCredentials
batch_client._client.creds = batchCredentials
def create(self, secrets: Secrets) -> AADTokenCredentials:
_cloud = cloud.get_or_raise(secrets['azure_cloud'])
result = AADTokenCredentials(
{"accessToken": secrets['access_token']},
secrets['client_id'],
cloud_environment=_cloud)
return result
def acquire_token_with_username_password(self, authority, resource, username, password, client_id, tenant):
authority_uri = authority
if tenant is not None:
authority_uri = authority + '/' + tenant
context = AuthenticationContext(authority_uri)
token_response = context.acquire_token_with_username_password(resource, username, password, client_id)
return AADTokenCredentials(token_response)
def __do_refresh_token(self):
auth_context = AuthenticationContext(
AzureTokenService.authority_url_format.format(self.__tenant_id))
self.__token = auth_context.acquire_token_with_refresh_token(
self.__token["refreshToken"], AzureTokenService.client_id,
AzureTokenService.resource_url)
self.__credentials = AADTokenCredentials(self.__token,
AzureTokenService.client_id)
self.__update_refresh_token_timer()
def get_credentials(tenant_id, client_id, client_secret):
authority_uri = '{0}/{1}'.format('https://login.microsoftonline.com',
tenant_id)
api_uri = 'https://management.core.windows.net'
context = adal.AuthenticationContext(authority_uri, api_version=None)
token = context.acquire_token_with_client_credentials(
api_uri, client_id, client_secret)
creds = AADTokenCredentials(token, client_id)
if not creds:
raise RuntimeError("Could not obtain credentials")
return creds
def authenticate(self, tenant_id, scope):
app = msal.ConfidentialClientApplication(self.client_id,
authority=self.url +
tenant_id,
client_credential=self.secret)
token = None
token = app.acquire_token_silent(scope, account=None)
if not token:
logging.info(
"No suitable token exists in cache. Retriving new one")
token = app.acquire_token_for_client(scopes=scope)
print(token)
return AADTokenCredentials(token, self.client_id)
def _configure_post_auth(self):
self.mgmtCredentials = AADTokenCredentials(
self.mgmt_auth_token,
cloud_environment=self.aad_environment_provider.
getEnvironmentForId(self.aad_environment_id),
tenant=self.aad_tenant_name)
self.batchCredentials = AADTokenCredentials(
self.batch_auth_token,
cloud_environment=self.aad_environment_provider.
getEnvironmentForId(self.aad_environment_id),
tenant=self.aad_tenant_name)
if self.can_init_from_config:
self.init_from_config()
self.ui.init_from_config()
else:
self.subscription_client = SubscriptionClient(
self.mgmtCredentials,
base_url=self.aad_environment_provider.getResourceManager(
self.aad_environment_id))
self.ui.init_post_auth()
def authenticate_client_key(authenticationInfo):
"""
Authenticate using service principal w/ key.
"""
authority_uri = authority_host_uri + '/' + authenticationInfo.tenant
app_id = authenticationInfo.app_id
app_secret = authenticationInfo.app_secret
context = adal.AuthenticationContext(authority_uri, api_version=None)
mgmt_token = context.acquire_token_with_client_credentials(resource_uri, app_id, app_secret)
credentials = AADTokenCredentials(mgmt_token, app_id)
return credentials
def authenticate_client_cert(self) -> ServicePrincipalCredentials:
"""
Authenticate using service principal w/ cert.
"""
authority_uri = FarmbeatsAuthHelper.AUTHORITY_HOST_URL + self.tenant_id
context = adal.AuthenticationContext(authority_uri, api_version=None)
mgmt_token = context.acquire_token_with_client_credentials(
FarmbeatsAuthHelper.RESOURCE_HOST_URL, self.app_id,
self.app_client_secret)
credentials = AADTokenCredentials(mgmt_token, self.app_id)
return credentials
def authenticate_client_key(tenant_id, client_id, client_secret):
"""
Authenticate using service principal w/ key.
"""
authority_host_uri = 'https://login.microsoftonline.com'
authority_uri = authority_host_uri + '/' + tenant_id
resource_uri = 'https://management.core.windows.net/'
context = adal.AuthenticationContext(authority_uri, api_version=None)
mgmt_token = context.acquire_token_with_client_credentials(
resource_uri, client_id, client_secret)
credentials = AADTokenCredentials(mgmt_token, client_id)
return credentials
def __get_credentials(creds: dict) -> ServicePrincipalCredentials:
if creds['azure_client_secret'] is not None:
credentials = ServicePrincipalCredentials(
client_id=creds['azure_client_id'],
secret=creds['azure_client_secret'],
tenant=creds['azure_tenant_id'],
cloud_environment=__get_cloud_env_by_name(creds['azure_cloud']))
elif creds['access_token'] is not None:
token = dict(accessToken=creds['access_token'])
credentials = AADTokenCredentials(token, creds['azure_client_id'])
else:
raise InterruptExecution("Authentication to Azure requires a"
" client secret or an access token")
return credentials
def renew_credentials(settings):
context = adal.AuthenticationContext(settings['authority_uri'],
api_version=None)
code = context.acquire_user_code(settings['storage_account_uri'],
settings['client_id'])
print(code['message'])
mgmt_token = context.acquire_token_with_device_code(
settings['storage_account_uri'], code, settings['client_id'])
credentials = AADTokenCredentials(mgmt_token, settings['client_id'])
access_token = credentials.token['access_token']
with open('account.txt', 'w') as at_out:
at_out.write(access_token)
return credentials
def refresh_credential(self, credentials):
"""
Refresh credentials
"""
print_debug('Refreshing credentials')
authority_uri = AUTHORITY_HOST_URI + '/' + self.get_tenant_id()
existing_cache = self.context.cache
context = adal.AuthenticationContext(authority_uri, cache=existing_cache)
new_token = context.acquire_token(credentials.token['resource'],
credentials.token['user_id'],
credentials.token['_client_id'])
new_credentials = AADTokenCredentials(new_token, credentials.token.get('_client_id'))
return new_credentials
def adb_authorization_client_key(params):
"""
Authenticate using service principal w/ key.
"""
authority_host_uri = 'https://login.microsoftonline.com'
tenant = params['tenant_id']
authority_uri = authority_host_uri + '/' + tenant
resource_uri = 'https://management.core.windows.net/'
client_id = params['client_id']
client_secret = params['client_secret']
context = adal.AuthenticationContext(authority_uri, api_version=None)
mgmt_token = context.acquire_token_with_client_credentials(resource_uri, client_id, client_secret)
credentials = AADTokenCredentials(mgmt_token, client_id)
log.info("created management authorization token for databricks resource")
return credentials
def _create_client(credential, account_name) -> DataLakeStorageClient:
scopes = "https://storage.azure.com/.default"
token = credential.get_token(scopes)
token_dict = token._asdict()
token_dict['access_token'] = token_dict['token']
aad_token_credentials = AADTokenCredentials(token_dict)
dns_suffix = "dfs.core.windows.net"
client = DataLakeStorageClient(aad_token_credentials,
account_name,
dns_suffix,
x_ms_version=VERSION)
client.config.base_url = 'https://{accountName}.{dnsSuffix}'
return client
def get_adb_authorization_client_key(params):
"""
Authenticate using service principal w/ key.
"""
authority_host_uri = AUTHORITY_HOST_URL
tenant = params['tenant_id']
authority_uri = authority_host_uri + '/' + tenant
resource_uri = MANAGEMENT_HOST_URL
client_id = params['client_id']
client_secret = params['client_secret']
context = adal.AuthenticationContext(authority_uri, api_version=None)
mgmt_token = context.acquire_token_with_client_credentials(resource_uri, client_id, client_secret)
credentials = AADTokenCredentials(mgmt_token, client_id)
log.info("created management authorization token for databricks resource")
return credentials
def get_adb_authentication_client_key(params):
"""
Authenticate using service principal w/ key.
"""
authority_host_uri = AUTHORITY_HOST_URL
tenant = params['tenant_id']
authority_uri = authority_host_uri + '/' + tenant
resource_uri = DATABRICKS_RESOURCE_ID
client_id = params['client_id']
client_secret = params['client_secret']
context = adal.AuthenticationContext(authority_uri, api_version=None)
mgmt_token = context.acquire_token_with_client_credentials(resource_uri, client_id, client_secret)
credentials = AADTokenCredentials(mgmt_token, client_id)
log.info("created aad authentication token")
return credentials
def authenticate_device_code():
authority_host_uri = 'https://login.microsoftonline.com'
tenant = '45597f60-6e37-4be7-acfb-4c9e23b261ea' #SwissReTenantID
authority_uri = authority_host_uri + '/' + tenant
resource_uri = 'https://database.windows.net/'
client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46' # Global Client ID
context = adal.AuthenticationContext(authority_uri, api_version=None)
code = context.acquire_user_code(resource_uri, client_id)
print(code['message'])
mgmt_token = context.acquire_token_with_device_code(resource_uri, code, client_id)
credentials = AADTokenCredentials(mgmt_token, client_id)
return credentials
def authenticate_client_key():
"""
Authenticate using service principal w/ key.
"""
authority_host_uri = '#'
tenant = '#'
authority_uri = authority_host_uri + '/' + tenant
resource_uri = 'https://analysis.windows.net/powerbi/api'
client_id = '#'
client_secret = '#'
context = adal.AuthenticationContext(authority_uri, api_version=None)
mgmt_token = context.acquire_token_with_client_credentials(resource_uri, client_id, client_secret)
credentials = AADTokenCredentials(mgmt_token, client_id)
return credentials
def __get_new_token(self):
'''
Acquires a new token using the clientID and secret.
:return: newly generated token
'''
# generate token
context = adal.AuthenticationContext(AUTHORITY_URI, api_version=None)
mgmt_token = context.acquire_token_with_client_credentials(self.resource_uri, self.client_id, self.secret)
credentials = AADTokenCredentials(mgmt_token, self.client_id)
token = credentials.token["access_token"]
# store new token
self.token = token
return self.token
def authenticate_device_code(tenant_id):
"""
Authenticate the end-user using device auth.
"""
authority_host_uri = 'https://login.microsoftonline.com'
authority_uri = authority_host_uri + '/' + tenant_id
resource_uri = 'https://management.core.windows.net/'
client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
context = adal.AuthenticationContext(authority_uri, api_version=None)
code = context.acquire_user_code(resource_uri, client_id)
print(code['message'])
mgmt_token = context.acquire_token_with_device_code(resource_uri, code, client_id)
credentials = AADTokenCredentials(mgmt_token, client_id)
return credentials
async def authenticate_client_key(request):
authority_host_uri = 'https://login.microsoftonline.com'
authority_uri = authority_host_uri + '/' + TENANT
context = adal.AuthenticationContext(authority_uri, api_version=None)
mgmt_token = context.acquire_token_with_client_credentials(
RESOURCE, CLIENT_ID, CLIENT_SECRET)
credentials = AADTokenCredentials(mgmt_token, CLIENT_ID)
token = credentials.token['access_token']
uri = "https://graph.microsoft.com/beta/users?$filter=startsWith(userPrincipalName,'dron')&$select=UserPrincipalName"
headers = {'Authorization': 'Bearer {}'.format(token)}
r = requests.get(uri, headers=headers).json()
users = r['value']
return aiohttp_jinja2.render_template("azure-users.html",
request,
context={'users': users})
def authenticate_device_code(code):
"""
Authenticate the end-user using device auth.
"""
authority_host_uri = 'https://login.microsoftonline.com'
tenant = '----'
authority_uri = authority_host_uri + '/' + tenant
resource_uri = 'https://management.core.windows.net/'
client_id = '------'
context = adal.AuthenticationContext(authority_uri, api_version=None)
code = context.acquire_user_code(resource_uri, client_id)
mgmt_token = context.acquire_token_with_device_code(
resource_uri, code, client_id)
credentials = AADTokenCredentials(mgmt_token, client_id)
return credentials
