def test_create_for_rbac_failed_with_regular_error(self, graph_client_mock, auth_client_mock): cmd = mock.MagicMock() cmd.cli_ctx = DummyCli() TestRoleMocked._common_rbac_err_polish_test_mock_setup(graph_client_mock, auth_client_mock, 'something bad for you', self.subscription_id) # action with self.assertRaises(GraphErrorException): create_service_principal_for_rbac(cmd, 'will-fail')
def test_create_for_rbac_failed_with_regular_error(self, graph_client_mock, auth_client_mock): cmd = mock.MagicMock() cmd.cli_ctx = TestCli() TestRoleMocked._common_rbac_err_polish_test_mock_setup(graph_client_mock, auth_client_mock, 'something bad for you', self.subscription_id) # action with self.assertRaises(GraphErrorException): create_service_principal_for_rbac(cmd, 'will-fail')
def test_create_for_rbac_failed_with_polished_error_if_due_to_permission(self, graph_client_mock, auth_client_mock): cmd = mock.MagicMock() cmd.cli_ctx = TestCli() TestRoleMocked._common_rbac_err_polish_test_mock_setup(graph_client_mock, auth_client_mock, 'Insufficient privileges to complete the operation', self.subscription_id) # action with self.assertRaises(CLIError) as context: create_service_principal_for_rbac(cmd, 'will-fail', skip_assignment=True) # assert we handled such error self.assertTrue('https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal' in str(context.exception))
def test_create_for_rbac_failed_with_polished_error_if_due_to_permission(self, graph_client_mock, auth_client_mock): cmd = mock.MagicMock() cmd.cli_ctx = DummyCli() TestRoleMocked._common_rbac_err_polish_test_mock_setup(graph_client_mock, auth_client_mock, 'Insufficient privileges to complete the operation', self.subscription_id) # action with self.assertRaises(CLIError) as context: create_service_principal_for_rbac(cmd, 'will-fail', skip_assignment=True) # assert we handled such error self.assertTrue('https://docs.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal' in str(context.exception))
def test_create_for_rbac_password_plumbed_through(self, graph_client_mock, auth_client_mock): faked_role_client = mock.MagicMock() auth_client_mock.return_value = faked_role_client faked_role_client.config.subscription_id = self.subscription_id faked_graph_client = mock.MagicMock() graph_client_mock.return_value = faked_graph_client test_pwd = 'verySecret' name = 'mysp' test_app_id = 'app_id_123' app = Application(app_id=test_app_id) faked_graph_client.applications.create.return_value = app sp = ServicePrincipal() faked_graph_client.service_principals.create.return_value = sp # action cmd = mock.MagicMock() cmd.cli_ctx = TestCli() result = create_service_principal_for_rbac(cmd, name, test_pwd, 12, skip_assignment=True) # assert self.assertEqual(result['password'], test_pwd) self.assertEqual(result['name'], 'http://' + name) self.assertEqual(result['appId'], test_app_id)
def register_credential_secrets(cmd, database_engine, server, repository): logger.warning('Adding secret "AZURE_CREDENTIALS" to github repository') resource_group = parse_resource_id(server.id)["resource_group"] provider = "DBforMySQL" if database_engine == "postgresql": provider = "DBforPostgreSQL" scope = "/subscriptions/{}/resourceGroups/{}/providers/Microsoft.{}/flexibleServers/{}".format(get_subscription_id(cmd.cli_ctx), resource_group, provider, server.name) app = create_service_principal_for_rbac(cmd, name=server.name, role='contributor', scopes=[scope]) app['clientId'], app['clientSecret'], app['tenantId'] = app.pop('appId'), app.pop('password'), app.pop('tenant') app['subscriptionId'] = get_subscription_id(cmd.cli_ctx) app.pop('displayName') app.pop('name') app_key_val = [] for key, val in app.items(): app_key_val.append('"{}": "{}"'.format(key, val)) app_json = ',\n '.join(app_key_val) app_json = '{\n ' + app_json + '\n}' credential_file = "./temp_app_credential.txt" with open(credential_file, "w") as f: f.write(app_json) run_subprocess('gh secret set {} --repo {} < {}'.format(AZURE_CREDENTIALS, repository, credential_file)) os.remove(credential_file)
def test_create_for_rbac_password_plumbed_through(self, graph_client_mock, auth_client_mock): faked_role_client = mock.MagicMock() auth_client_mock.return_value = faked_role_client faked_role_client.config.subscription_id = self.subscription_id faked_graph_client = mock.MagicMock() graph_client_mock.return_value = faked_graph_client test_pwd = 'verySecret' name = 'mysp' test_app_id = 'app_id_123' app = Application(app_id=test_app_id) faked_graph_client.applications.create.return_value = app sp = ServicePrincipal() faked_graph_client.service_principals.create.return_value = sp # action cmd = mock.MagicMock() cmd.cli_ctx = TestCli() result = create_service_principal_for_rbac(cmd, name, test_pwd, 12, skip_assignment=True) # assert self.assertEqual(result['password'], test_pwd) self.assertEqual(result['name'], 'http://' + name) self.assertEqual(result['appId'], test_app_id)
def create_resource_manager_sp(cmd): from azure.cli.command_modules.role.custom import create_service_principal_for_rbac, add_permission, admin_consent sp = create_service_principal_for_rbac( cmd, name='http://TeamCloud.ResourceManager', years=10, role='Owner') # Azure Active Directory Graph permissions add_permission( cmd, identifier=sp['appId'], api='00000002-0000-0000-c000-000000000000', api_permissions=[ '5778995a-e1bf-45b8-affa-663a9f3f4d04=Role', # Directory.Read.All '824c81eb-e3f8-4ee6-8f6d-de7f50d565b7=Role' ]) # Application.ReadWrite.OwnedBy # Microsoft Graph permissions add_permission( cmd, identifier=sp['appId'], api='00000003-0000-0000-c000-000000000000', api_permissions=[ '7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role', # Directory.Read.All '18a4783c-866b-4cc7-a460-3d5e5662c884=Role' ]) # Application.ReadWrite.OwnedBy # 'e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope', # User.Read # 'df021288-bdef-4463-88db-98f22de89214=Role', # User.Read admin_consent(cmd, identifier=sp['appId']) return sp
def test_create_for_rbac_use_cert_date(self, logger_mock, graph_client_mock, auth_client_mock): test_app_id = 'app_id_123' app = Application(app_id=test_app_id) def mock_app_create(parameters): end_date = parameters.key_credentials[0].end_date # sample check the cert's expiration time self.assertEqual(end_date.day, 21) self.assertEqual(end_date.month, 4) return app faked_role_client = mock.MagicMock() auth_client_mock.return_value = faked_role_client faked_role_client.config.subscription_id = self.subscription_id faked_graph_client = mock.MagicMock() graph_client_mock.return_value = faked_graph_client curr_dir = os.path.dirname(os.path.realpath(__file__)) cert_file = os.path.join(curr_dir, 'cert.pem').replace('\\', '\\\\') with open(cert_file) as f: cert = f.read() name = 'mysp' faked_graph_client.applications.create.side_effect = mock_app_create sp = ServicePrincipal(object_id='does not matter') faked_graph_client.service_principals.create.return_value = sp # action result = create_service_principal_for_rbac(name, cert=cert, years=2, skip_assignment=True) # assert self.assertEqual(result['name'], 'http://' + name) self.assertEqual(result['appId'], test_app_id) self.assertTrue(logger_mock.warning.called) # we should warn 'years' will be dropped self.assertTrue(faked_graph_client.applications.create.called)
def test_create_for_rbac_use_cert_date(self, logger_mock, graph_client_mock, auth_client_mock): import OpenSSL.crypto def mock_app_create(parameters): end_date = parameters['keyCredentials'][0]['endDateTime'] # Check the cert's expiration time self.assertEqual(end_date, '2018-04-21T18:27:50Z') return MOCKED_APP faked_role_client = mock.MagicMock() auth_client_mock.return_value = faked_role_client faked_role_client.config.subscription_id = self.subscription_id faked_graph_client = mock.MagicMock() graph_client_mock.return_value = faked_graph_client curr_dir = os.path.dirname(os.path.realpath(__file__)) cert_file = os.path.join(curr_dir, 'cert.pem').replace('\\', '\\\\') with open(cert_file) as f: cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, f.read()) faked_graph_client.application_create.side_effect = mock_app_create faked_graph_client.service_principal_create.return_value = MOCKED_SP # action cmd = mock.MagicMock() cmd.cli_ctx = DummyCli() result = create_service_principal_for_rbac(cmd, MOCKED_APP_DISPLAY_NAME, cert=cert, years=2) # assert self.assertEqual(result['appId'], MOCKED_APP_APP_ID) self.assertTrue(logger_mock.warning.called) # we should warn 'years' will be dropped self.assertTrue(faked_graph_client.application_create.called)
def test_create_for_rbac_retry(self, create_application_mock, create_service_principal_mock, graph_client_factory_mock, auth_client_factory_mock): graph_client_factory_mock.return_value.config.tenant_id = '00000001-0000-0000-0000-000000000000' create_application_mock.return_value.app_id = '00000000-0000-0000-0000-000000000000' create_service_principal_mock.side_effect = [ # Mock replication exceptions Exception("The appId '00000000-0000-0000-0000-000000000000' of the service principal " "does not reference a valid application object."), Exception("When using this permission, the backing application of the service principal being " "created must in the local tenant"), # Success mock.MagicMock() ] # action cmd = mock.MagicMock() cmd.cli_ctx = DummyCli() with mock.patch("time.sleep", lambda _: None): create_service_principal_for_rbac(cmd, skip_assignment=True)
def test_create_for_rbac_password_plumbed_through(self, graph_client_mock, auth_client_mock): faked_role_client = mock.MagicMock() auth_client_mock.return_value = faked_role_client faked_role_client.config.subscription_id = self.subscription_id faked_graph_client = mock.MagicMock() graph_client_mock.return_value = faked_graph_client faked_graph_client.application_create.return_value = MOCKED_APP faked_graph_client.application_add_password.return_value = {'secretText': MOCKED_PASSWORD} faked_graph_client.service_principal_create.return_value = MOCKED_SP # action cmd = mock.MagicMock() cmd.cli_ctx = DummyCli() result = create_service_principal_for_rbac(cmd, MOCKED_APP_DISPLAY_NAME, 12) # assert self.assertEqual(result['displayName'], MOCKED_APP_DISPLAY_NAME) self.assertEqual(result['appId'], MOCKED_APP_APP_ID) self.assertEqual(result['password'], MOCKED_PASSWORD)
def test_create_for_rbac_use_cert_date(self, logger_mock, graph_client_mock, auth_client_mock): import OpenSSL.crypto test_app_id = 'app_id_123' app = Application(app_id=test_app_id) def mock_app_create(parameters): end_date = parameters.key_credentials[0].end_date # sample check the cert's expiration time self.assertEqual(end_date.day, 21) self.assertEqual(end_date.month, 4) return app faked_role_client = mock.MagicMock() auth_client_mock.return_value = faked_role_client faked_role_client.config.subscription_id = self.subscription_id faked_graph_client = mock.MagicMock() graph_client_mock.return_value = faked_graph_client curr_dir = os.path.dirname(os.path.realpath(__file__)) cert_file = os.path.join(curr_dir, 'cert.pem').replace('\\', '\\\\') with open(cert_file) as f: cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, f.read()) name = 'mysp' faked_graph_client.applications.create.side_effect = mock_app_create sp = ServicePrincipal() faked_graph_client.service_principals.create.return_value = sp # action cmd = mock.MagicMock() cmd.cli_ctx = TestCli() result = create_service_principal_for_rbac(cmd, name, cert=cert, years=2, skip_assignment=True) # assert self.assertEqual(result['name'], 'http://' + name) self.assertEqual(result['appId'], test_app_id) self.assertTrue(logger_mock.warning.called) # we should warn 'years' will be dropped self.assertTrue(faked_graph_client.applications.create.called)