def _graph_client_factory(**_):
    """Build a Graph RBAC client authenticated as the logged-in account.

    The login credential is requested for the Active Directory Graph resource
    of the active environment (not the default management resource), so the
    token handed to ``GraphRbacManagementClient`` is the one issued for that
    resource. Any keyword arguments are accepted and ignored so the factory
    fits a generic client-factory signature.
    """
    from azure.cli.core._profile import Profile

    profile = Profile()
    graph_resource = get_env()[ENDPOINT_URLS.ACTIVE_DIRECTORY_GRAPH_RESOURCE_ID]
    credentials, _, tenant_id = profile.get_login_credentials(resource=graph_resource)
    graph_client = GraphRbacManagementClient(credentials, tenant_id)
    configure_common_settings(graph_client)
    return graph_client
def __init__(self, storage=None, auth_ctx_factory=None):
    """Set up the profile's account store, credential cache and subscription finder.

    Args:
        storage: backing store for account data; the module-level ``ACCOUNT``
            store is used when this is falsy.
        auth_ctx_factory: factory for ADAL authentication contexts; falls back
            to ``_AUTH_CTX_FACTORY`` when falsy. The same factory is handed to
            both the credential cache and the subscription finder, and the
            finder shares the cache's ADAL token cache.
    """
    self._storage = ACCOUNT if not storage else storage
    ctx_factory = _AUTH_CTX_FACTORY if not auth_ctx_factory else auth_ctx_factory
    creds_cache = CredsCache(ctx_factory)
    self._creds_cache = creds_cache
    self._subscription_finder = SubscriptionFinder(ctx_factory, creds_cache.adal_token_cache)
    # The active environment supplies the management resource URI used for tokens.
    self.env = get_env()
    self._management_resource_uri = self.env[ENDPOINT_URLS.MANAGEMENT]
def __init__(self, storage=None, auth_ctx_factory=None):
    """Set up the profile's account store, credential cache and subscription finder.

    Besides the management resource URI, this variant also records the Active
    Directory Graph resource URI of the active environment so Graph tokens can
    be requested for the right resource.

    Args:
        storage: backing store for account data; the module-level ``ACCOUNT``
            store is used when this is falsy.
        auth_ctx_factory: factory for ADAL authentication contexts; falls back
            to ``_AUTH_CTX_FACTORY`` when falsy. The credential cache and the
            subscription finder share it, and the finder reuses the cache's
            ADAL token cache.
    """
    self._storage = ACCOUNT if not storage else storage
    ctx_factory = _AUTH_CTX_FACTORY if not auth_ctx_factory else auth_ctx_factory
    creds_cache = CredsCache(ctx_factory)
    self._creds_cache = creds_cache
    self._subscription_finder = SubscriptionFinder(ctx_factory, creds_cache.adal_token_cache)
    # Resource URIs are resolved from whichever environment is active now.
    active_env = get_env()
    self._management_resource_uri = active_env[ENDPOINT_URLS.MANAGEMENT]
    self._graph_resource_uri = active_env[ENDPOINT_URLS.ACTIVE_DIRECTORY_GRAPH_RESOURCE_ID]
def create_keyvault(client, resource_group_name, vault_name, location,  # pylint:disable=too-many-arguments
                    sku=SkuName.standard.value,
                    enabled_for_deployment=None,
                    enabled_for_disk_encryption=None,
                    enabled_for_template_deployment=None,
                    no_self_perms=False,
                    tags=None):
    """Create (or update) a key vault, granting the caller an access policy by default.

    Unless ``no_self_perms`` is set, the vault gets exactly one access policy,
    for the logged-in principal, carrying the key permissions get, create,
    delete, list, update, import, backup and restore plus ``all`` on secrets
    and ``all`` on certificates. With ``no_self_perms`` the vault is created
    with an empty access-policy list, so no principal can use its contents
    until a policy is added.

    The caller's object id is taken from the Graph "current user" lookup
    first, then from ``_get_object_id`` scoped to the current subscription.

    Args:
        client: vault management client whose ``create_or_update`` is called.
        resource_group_name: resource group that will hold the vault.
        vault_name: name of the vault.
        location: Azure region for the vault.
        sku: vault SKU name; defaults to the standard SKU.
        enabled_for_deployment: passed through to the vault properties.
        enabled_for_disk_encryption: passed through to the vault properties.
        enabled_for_template_deployment: passed through to the vault properties.
        no_self_perms: skip the caller's access policy when true.
        tags: resource tags.

    Returns:
        The result of ``client.create_or_update``.

    Raises:
        CLIError: if the caller's object id cannot be resolved and
            ``no_self_perms`` is not set.
    """
    from azure.cli.core._profile import Profile

    profile = Profile()
    graph_resource = get_env()[ENDPOINT_URLS.ACTIVE_DIRECTORY_GRAPH_RESOURCE_ID]
    cred, _, tenant_id = profile.get_login_credentials(resource=graph_resource)
    graph_client = GraphRbacManagementClient(cred, tenant_id)
    subscription = profile.get_subscription()

    access_policies = []
    if not no_self_perms:
        # Prefer the directory's own notion of the current user; fall back to
        # resolving the principal through the subscription.
        object_id = (_get_current_user_object_id(graph_client)
                     or _get_object_id(graph_client, subscription=subscription))
        if not object_id:
            raise CLIError('Cannot create vault.\n'
                           'Unable to query active directory for information '
                           'about the current user.\n'
                           'You may try the --no-self-perms flag to create a vault'
                           ' without permissions.')
        self_permissions = Permissions(
            keys=[KeyPermissions.get,
                  KeyPermissions.create,
                  KeyPermissions.delete,
                  KeyPermissions.list,
                  KeyPermissions.update,
                  KeyPermissions.import_enum,
                  KeyPermissions.backup,
                  KeyPermissions.restore],
            secrets=[SecretPermissions.all],
            certificates=[CertificatePermissions.all])
        access_policies.append(AccessPolicyEntry(tenant_id=tenant_id,
                                                 object_id=object_id,
                                                 permissions=self_permissions))

    vault_properties = VaultProperties(
        tenant_id=tenant_id,
        sku=Sku(name=sku),
        access_policies=access_policies,
        vault_uri=None,
        enabled_for_deployment=enabled_for_deployment,
        enabled_for_disk_encryption=enabled_for_disk_encryption,
        enabled_for_template_deployment=enabled_for_template_deployment)
    request = VaultCreateOrUpdateParameters(location=location,
                                            tags=tags,
                                            properties=vault_properties)
    return client.create_or_update(resource_group_name=resource_group_name,
                                   vault_name=vault_name,
                                   parameters=request)
def _object_id_args_helper(object_id, spn, upn):
    """Return ``object_id`` as given, or resolve one from a principal name.

    When ``object_id`` is falsy, a Graph client is built for the logged-in
    account (with a credential requested for the Graph resource of the active
    environment) and ``_get_object_id`` looks up ``spn`` / ``upn``.

    Raises:
        CLIError: if no object id could be resolved from the principal name.
    """
    if object_id:
        return object_id

    from azure.cli.core._profile import Profile

    graph_resource = get_env()[ENDPOINT_URLS.ACTIVE_DIRECTORY_GRAPH_RESOURCE_ID]
    cred, _, tenant_id = Profile().get_login_credentials(resource=graph_resource)
    graph_client = GraphRbacManagementClient(cred, tenant_id)
    resolved_id = _get_object_id(graph_client, spn=spn, upn=upn)
    if not resolved_id:
        raise CLIError('Unable to get object id from principal name.')
    return resolved_id
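def get_login_credentials(self, resource=None, subscription_id=None):
    """Return ``(credential, subscription_id, tenant_id)`` for a subscription.

    The credential is an ``AdalAuthentication`` whose token retriever is only
    invoked when the credential is used, so no token is fetched here.

    Args:
        resource: resource the token is requested for. When omitted it is the
            management endpoint of the *currently* active environment. It is
            resolved at call time rather than baked into the default at import
            time, so a later change of the active environment is honoured.
        subscription_id: subscription to use; ``None`` selects the default
            subscription via ``self.get_subscription``.

    Returns:
        A tuple of the credential object, the subscription id as ``str`` and
        the tenant id as ``str``.
    """
    if resource is None:
        resource = get_env()[ENDPOINT_URLS.MANAGEMENT]

    account = self.get_subscription(subscription_id)
    user_entity = account[_USER_ENTITY]
    user_type = user_entity[_USER_TYPE]
    username_or_sp_id = user_entity[_USER_NAME]
    tenant_id = account[_TENANT_ID]

    if user_type == _USER:
        def token_retriever():
            return self._creds_cache.retrieve_token_for_user(
                username_or_sp_id, tenant_id, resource)
    else:
        # Every non-user account type is treated as a service principal.
        def token_retriever():
            return self._creds_cache.retrieve_token_for_service_principal(
                username_or_sp_id, resource)

    return (AdalAuthentication(token_retriever),
            str(account[_SUBSCRIPTION_ID]),
            str(tenant_id))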
def test_get_login_credentials_for_graph_client(self, mock_get_token, mock_read_cred_file):
    """A credential requested for the Graph resource fetches its token for the Graph URL."""
    token_type = 'Bearer'
    mock_read_cred_file.return_value = [Test_Profile.token_entry1]
    mock_get_token.return_value = (token_type, Test_Profile.raw_token1)

    # arrange: a profile holding one user subscription
    profile = Profile({'subscriptions': None})
    normalized = Profile._normalize_properties(self.user1, [self.subscription1], False, ENV_DEFAULT)
    profile._set_subscriptions(normalized)

    # act: ask for a Graph-scoped credential and trigger its token retriever
    graph_resource = get_env()[ENDPOINT_URLS.ACTIVE_DIRECTORY_GRAPH_RESOURCE_ID]
    cred, _, tenant_id = profile.get_login_credentials(resource=graph_resource)
    _, _ = cred._token_retriever()

    # assert: the token was requested for the Graph resource of this tenant
    mock_get_token.assert_called_once_with(mock.ANY, self.user1, self.tenant_id,
                                           'https://graph.windows.net/')
    self.assertEqual(tenant_id, self.tenant_id)
class CredentialType(Enum):  # pylint: disable=too-few-public-methods
    """Resources a login credential can be requested for.

    Both member values are read from ``get_env()`` while this class body
    executes, i.e. when the module is imported, so they reflect the
    environment that was active at that moment.
    """
    # Management endpoint resource id of the active environment.
    management = get_env()[ENDPOINT_URLS.MANAGEMENT]
    # Active Directory Graph resource id of the active environment.
    rbac = get_env()[ENDPOINT_URLS.ACTIVE_DIRECTORY_GRAPH_RESOURCE_ID]