def add_webapp_access_restriction(cmd,
resource_group_name,
name,
priority,
rule_name=None,
action='Allow',
ip_address=None,
subnet=None,
vnet_name=None,
description=None,
scm_site=False,
ignore_missing_vnet_service_endpoint=False,
slot=None,
vnet_resource_group=None):
configs = get_site_configs(cmd, resource_group_name, name, slot)
if (ip_address and subnet) or (not ip_address and not subnet):
raise CLIError('Usage error: --subnet | --ip-address')
# get rules list
access_rules = configs.scm_ip_security_restrictions if scm_site else configs.ip_security_restrictions
# check for null
access_rules = access_rules or []
rule_instance = None
if subnet:
vnet_rg = vnet_resource_group if vnet_resource_group else resource_group_name
subnet_id = _validate_subnet(cmd.cli_ctx, subnet, vnet_name, vnet_rg)
if not ignore_missing_vnet_service_endpoint:
_ensure_subnet_service_endpoint(cmd.cli_ctx, subnet_id)
rule_instance = IpSecurityRestriction(
name=rule_name,
vnet_subnet_resource_id=subnet_id,
priority=priority,
action=action,
tag='Default',
description=description)
access_rules.append(rule_instance)
elif ip_address:
rule_instance = IpSecurityRestriction(name=rule_name,
ip_address=ip_address,
priority=priority,
action=action,
tag='Default',
description=description)
access_rules.append(rule_instance)
result = _generic_site_operation(cmd.cli_ctx, resource_group_name, name,
'update_configuration', slot, configs)
return result.scm_ip_security_restrictions if scm_site else result.ip_security_restrictions
def remove_all_auth_settings_secrets(cmd,
resource_group_name,
name,
slot=None): # pylint: disable=unused-argument
auth_settings = get_auth_settings(cmd, resource_group_name, name, slot)
auth_settings.client_secret = ""
auth_settings.facebook_app_secret = ""
auth_settings.git_hub_client_secret = ""
auth_settings.google_client_secret = ""
auth_settings.microsoft_account_client_secret = ""
auth_settings.twitter_consumer_secret_setting_name = ""
return _generic_site_operation(cmd.cli_ctx, resource_group_name, name,
'update_auth_settings', slot, auth_settings)
def set_webapp_access_restriction(cmd,
resource_group_name,
name,
use_same_restrictions_for_scm_site,
slot=None):
configs = get_site_configs(cmd, resource_group_name, name, slot)
setattr(configs, 'scm_ip_security_restrictions_use_main',
bool(use_same_restrictions_for_scm_site))
use_main = _generic_site_operation(
cmd.cli_ctx, resource_group_name, name, 'update_configuration', slot,
configs).scm_ip_security_restrictions_use_main
use_main_json = {"scmIpSecurityRestrictionsUseMain": use_main}
return use_main_json
def remove_webapp_access_restriction(cmd,
resource_group_name,
name,
rule_name=None,
action='Allow',
ip_address=None,
subnet=None,
vnet_name=None,
scm_site=False,
slot=None):
configs = get_site_configs(cmd, resource_group_name, name, slot)
rule_instance = None
# get rules list
access_rules = configs.scm_ip_security_restrictions if scm_site else configs.ip_security_restrictions
for rule in list(access_rules):
if rule_name:
if rule.name and rule.name.lower() == rule_name.lower(
) and rule.action == action:
rule_instance = rule
break
elif ip_address:
if rule.ip_address == ip_address and rule.action == action:
if rule_name and rule.name and rule.name.lower(
) != rule_name.lower():
continue
rule_instance = rule
break
elif subnet:
subnet_id = _validate_subnet(cmd.cli_ctx, subnet, vnet_name,
resource_group_name)
if rule.vnet_subnet_resource_id == subnet_id and rule.action == action:
if rule_name and rule.name and rule.name.lower(
) != rule_name.lower():
continue
rule_instance = rule
break
if rule_instance is None:
raise CLIError(
'No rule found with the specified criteria. '
'If you are trying to remove a Deny rule, you must explicitly specify --action Deny'
)
access_rules.remove(rule_instance)
result = _generic_site_operation(cmd.cli_ctx, resource_group_name, name,
'update_configuration', slot, configs)
return result.scm_ip_security_restrictions if scm_site else result.ip_security_restrictions
def remove_webapp_access_restriction(cmd,
resource_group_name,
name,
rule_name,
scm_site=False,
slot=None):
configs = get_site_configs(cmd, resource_group_name, name, slot)
rule_instance = None
# get rules list
access_rules = configs.scm_ip_security_restrictions if scm_site else configs.ip_security_restrictions
for rule in list(access_rules):
if rule.name.lower() == rule_name.lower():
rule_instance = rule
break
if rule_instance is not None:
access_rules.remove(rule_instance)
result = _generic_site_operation(cmd.cli_ctx, resource_group_name, name,
'update_configuration', slot, configs)
return result.scm_ip_security_restrictions if scm_site else result.ip_security_restrictions
def _get_app_url(cmd, rg_name, app_name):
site = _generic_site_operation(cmd.cli_ctx, rg_name, app_name, 'get')
return "https://" + site.enabled_host_names[0]
def update_auth_classic_settings(
cmd,
resource_group_name,
name,
enabled=None,
action=None, # pylint: disable=unused-argument
client_id=None,
token_store_enabled=None,
runtime_version=None, # pylint: disable=unused-argument
token_refresh_extension_hours=None, # pylint: disable=unused-argument
allowed_external_redirect_urls=None,
client_secret=None, # pylint: disable=unused-argument
client_secret_certificate_thumbprint=None, # pylint: disable=unused-argument
allowed_audiences=None,
issuer=None,
facebook_app_id=None, # pylint: disable=unused-argument
facebook_app_secret=None,
facebook_oauth_scopes=None, # pylint: disable=unused-argument
twitter_consumer_key=None,
twitter_consumer_secret=None, # pylint: disable=unused-argument
google_client_id=None,
google_client_secret=None, # pylint: disable=unused-argument
google_oauth_scopes=None,
microsoft_account_client_id=None, # pylint: disable=unused-argument
microsoft_account_client_secret=None, # pylint: disable=unused-argument
microsoft_account_oauth_scopes=None,
slot=None, # pylint: disable=unused-argument
git_hub_client_id=None,
git_hub_client_secret=None, # pylint: disable=unused-argument
git_hub_o_auth_scopes=None, # pylint: disable=unused-argument
client_secret_setting_name=None,
facebook_app_secret_setting_name=None, # pylint: disable=unused-argument
google_client_secret_setting_name=None, # pylint: disable=unused-argument
microsoft_account_client_secret_setting_name=None, # pylint: disable=unused-argument
twitter_consumer_secret_setting_name=None,
git_hub_client_secret_setting_name=None): # pylint: disable=unused-argument
if is_auth_v2_app(cmd, resource_group_name, name, slot):
raise CLIError(
'Usage Error: Cannot use command az webapp auth-classic update when the app '
'is using auth v2. If you wish to revert the app to v1, run az webapp auth revert'
)
auth_settings = get_auth_settings(cmd, resource_group_name, name, slot)
if action == 'AllowAnonymous':
auth_settings.unauthenticated_client_action = 'AllowAnonymous'
elif action:
auth_settings.unauthenticated_client_action = 'RedirectToLoginPage'
auth_settings.default_provider = AUTH_TYPES[action]
# validate runtime version
if not is_auth_runtime_version_valid(runtime_version):
raise CLIError('Usage Error: --runtime-version set to invalid value')
import inspect
frame = inspect.currentframe()
bool_flags = ['enabled', 'token_store_enabled']
# note: getargvalues is used already in azure.cli.core.commands.
# and no simple functional replacement for this deprecating method for 3.5
args, _, _, values = inspect.getargvalues(frame) # pylint: disable=deprecated-method
for arg in args[2:]:
if values.get(arg, None):
setattr(
auth_settings, arg, values[arg]
if arg not in bool_flags else values[arg] == 'true')
return _generic_site_operation(cmd.cli_ctx, resource_group_name, name,
'update_auth_settings', slot, auth_settings)
def get_auth_settings(cmd, resource_group_name, name, slot=None):
return _generic_site_operation(cmd.cli_ctx, resource_group_name, name,
'get_auth_settings', slot)
def add_webapp_access_restriction(cmd,
resource_group_name,
name,
rule_name,
priority,
action='Allow',
ip_address=None,
subnet=None,
vnet_name=None,
description=None,
scm_site=False,
ignore_missing_vnet_service_endpoint=False,
slot=None):
configs = get_site_configs(cmd, resource_group_name, name, slot)
# get rules list
access_rules = configs.scm_ip_security_restrictions if scm_site else configs.ip_security_restrictions
# check for null
access_rules = access_rules or []
rule_instance = None
if subnet or vnet_name:
subnet_id = _validate_subnet(cmd.cli_ctx, subnet, vnet_name,
resource_group_name)
if not ignore_missing_vnet_service_endpoint:
_ensure_subnet_service_endpoint(cmd.cli_ctx, subnet_id)
for rule in list(access_rules):
if rule.vnet_subnet_resource_id:
if rule.action.lower() == action.lower(
) and rule.vnet_subnet_resource_id.lower() == subnet_id.lower(
):
rule_instance = rule
break
if rule_instance:
rule_instance.name = rule_name
rule_instance.priority = priority
rule_instance.description = description if description else rule_instance.description
else:
rule_instance = IpSecurityRestriction(
name=rule_name,
vnet_subnet_resource_id=subnet_id,
priority=priority,
action=action,
tag='Default',
description=description)
access_rules.append(rule_instance)
if ip_address:
for rule in list(access_rules):
if rule.ip_address:
if rule.action.lower() == action.lower(
) and rule.ip_address.lower() == ip_address.lower():
rule_instance = rule
break
if rule_instance:
rule_instance.name = rule_name
rule_instance.priority = priority
rule_instance.description = description or rule_instance.description
else:
rule_instance = IpSecurityRestriction(name=rule_name,
ip_address=ip_address,
priority=priority,
action=action,
tag='Default',
description=description)
access_rules.append(rule_instance)
result = _generic_site_operation(cmd.cli_ctx, resource_group_name, name,
'update_configuration', slot, configs)
return result.scm_ip_security_restrictions if scm_site else result.ip_security_restrictions
