def test_service_principal(self):
creds = mock.create_autospec(ServicePrincipalCredentials)
session = mock.create_autospec(OAuth2Session)
creds._setup_session.return_value = session
session.fetch_token.return_value = {
'expires_at':'1',
'expires_in':'2'}
creds.token_uri = "token_uri"
creds.verify = True
creds.id = 123
creds.secret = 'secret'
creds.resource = 'resource'
ServicePrincipalCredentials.set_token(creds)
self.assertEqual(creds.token, session.fetch_token.return_value)
session.fetch_token.assert_called_with(
"token_uri", client_id=123, client_secret='secret',
resource='resource', response_type="client_credentials",
verify=True)
session.fetch_token.side_effect = oauthlib.oauth2.OAuth2Error
with self.assertRaises(AuthenticationError):
ServicePrincipalCredentials.set_token(creds)
session = mock.create_autospec(OAuth2Session)
with mock.patch.object(
ServicePrincipalCredentials, '_setup_session', return_value=session):
creds = ServicePrincipalCredentials("client_id", "secret",
verify=False, tenant="private")
session.fetch_token.assert_called_with(
"https://login.microsoftonline.com/private/oauth2/token",
client_id="client_id", client_secret='secret',
resource='https://management.core.windows.net/',
response_type="client_credentials", verify=False)
with mock.patch.object(
ServicePrincipalCredentials, '_setup_session', return_value=session):
creds = ServicePrincipalCredentials("client_id", "secret", china=True,
verify=False, tenant="private")
session.fetch_token.assert_called_with(
"https://login.chinacloudapi.cn/private/oauth2/token",
client_id="client_id", client_secret='secret',
resource='https://management.core.chinacloudapi.cn/',
response_type="client_credentials", verify=False)
def get_credential(self, client_class, **kwargs):
tenant_id = os.environ.get("AZURE_TENANT_ID", getattr(os.environ, "TENANT_ID", None))
client_id = os.environ.get("AZURE_CLIENT_ID", getattr(os.environ, "CLIENT_ID", None))
secret = os.environ.get("AZURE_CLIENT_SECRET", getattr(os.environ, "CLIENT_SECRET", None))
is_async = kwargs.pop("is_async", False)
if tenant_id and client_id and secret and self.is_live:
if _is_autorest_v3(client_class):
# Create azure-identity class
from azure.identity import ClientSecretCredential
if is_async:
from azure.identity.aio import ClientSecretCredential
return ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=secret)
else:
# Create msrestazure class
from msrestazure.azure_active_directory import (
ServicePrincipalCredentials,
)
return ServicePrincipalCredentials(tenant=tenant_id, client_id=client_id, secret=secret)
else:
if _is_autorest_v3(client_class):
if is_async:
if self.is_live:
raise ValueError(
"Async live doesn't support mgmt_setting_real, please set AZURE_TENANT_ID, "
"AZURE_CLIENT_ID, AZURE_CLIENT_SECRET"
)
return AsyncFakeCredential()
else:
return self.settings.get_azure_core_credentials()
else:
return self.settings.get_credentials()
def setup_sample(self):
"""
Provides common setup for Key Vault samples such as creating the authentication context, sample resource group
if needed, and ensuring proper access for the service principal.
:return: None
"""
if not KeyVaultSampleBase._setup_complete:
self.config.auth_context = adal.AuthenticationContext(
'https://login.microsoftonline.com/%s' % self.config.tenant_id)
creds = ServicePrincipalCredentials(
client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id)
resource_mgmt_client = ResourceManagementClient(
creds, self.config.subscription_id)
# ensure the service principle has key vault and storage as valid providers
resource_mgmt_client.providers.register('Microsoft.KeyVault')
resource_mgmt_client.providers.register('Microsoft.Storage')
# ensure the intended resource group exists
resource_mgmt_client.resource_groups.create_or_update(
resource_group_name=self.config.group_name,
parameters={'location': self.config.location})
KeyVaultSampleBase._setup_complete = True
def create_clients():
config = {
"tenant_id": os.environ.get("AZURE_TENANT"),
"client_id": os.environ.get("AZURE_CLIENT_ID"),
"client_secret": os.environ.get("AZURE_SECRET"),
"subscription_id": os.environ.get("AZURE_SUBSCRIPTION_ID"),
}
for k, v in config.items():
if not v:
raise ValueError("'{}' config value not set".format(k))
credentials = ServicePrincipalCredentials(
config["client_id"],
config["client_secret"],
tenant=config["tenant_id"],
verify=True,
resource="https://management.azure.com/")
alert_client = LogAnalyticsAlertClient(credentials,
config["subscription_id"])
mgmt_client = LogAnalyticsManagementClient(credentials,
config["subscription_id"])
return mgmt_client, alert_client
def create(self, secrets: Dict) -> ServicePrincipalCredentials:
result = ServicePrincipalCredentials(
client_id=secrets.get('client_id'),
secret=secrets.get('client_secret'),
tenant=secrets.get('tenant_id'),
cloud_environment=secrets.get('cloud'))
return result
def configure_advisor_threshold():
creds = ServicePrincipalCredentials(client_id=client_id,
secret=secret,
tenant=tenant)
creds.set_token()
client = AdvisorManagementClient(credentials=creds,
subscription_id=subscription_id)
# create a new configuration to update low CPU threshold to 20
cfg = ConfigData()
cfg.properties = ConfigDataProperties(low_cpu_threshold=20, exclude=False)
# update the configuration
client.configurations.create_in_subscription(cfg)
def __get_credentials(creds: dict) -> ServicePrincipalCredentials:
credentials = ServicePrincipalCredentials(
client_id=creds['azure_client_id'],
secret=creds['azure_client_secret'],
tenant=creds['azure_tenant_id'],
cloud_environment=__get_cloud_env_by_name(creds['azure_cloud'])
)
return credentials
def create_basic_client(self, client_class, **kwargs):
tenant_id = os.environ.get("AZURE_TENANT_ID", None)
client_id = os.environ.get("AZURE_CLIENT_ID", None)
secret = os.environ.get("AZURE_CLIENT_SECRET", None)
if tenant_id and client_id and secret and self.is_live:
if _is_autorest_v3(client_class):
# Create azure-identity class
from azure.identity import ClientSecretCredential
credentials = ClientSecretCredential(
tenant=tenant_id,
client_id=client_id,
client_secret=secret
)
else:
# Create msrestazure class
from msrestazure.azure_active_directory import ServicePrincipalCredentials
credentials = ServicePrincipalCredentials(
tenant=tenant_id,
client_id=client_id,
secret=secret
)
else:
if _is_autorest_v3(client_class):
credentials = self.settings.get_azure_core_credentials()
else:
credentials = self.settings.get_credentials()
# Real client creation
# FIXME decide what is the final argument for that
# if self.is_playback():
# kwargs.setdefault("polling_interval", 0)
if _is_autorest_v3(client_class):
kwargs.setdefault("logging_enable", True)
client = client_class(
credential=credentials,
**kwargs
)
else:
client = client_class(
credentials=credentials,
**kwargs
)
if self.is_playback():
try:
client._config.polling_interval = 0 # FIXME in azure-mgmt-core, make this a kwargs
except AttributeError:
pass
if hasattr(client, "config"): # Autorest v2
if self.is_playback():
client.config.long_running_operation_timeout = 0
client.config.enable_http_logger = True
return client
def __init__(self, config=None):
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, AccessToken
from msrestazure.azure_active_directory import ServicePrincipalCredentials
super(SasDefinitionSample, self).__init__(config=config)
self.keyvault_client = KeyVaultClient(
ServicePrincipalCredentials(client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id))
def __init__(self, config=None):
super(NetworkAclSample, self).__init__(config=config)
creds = ServicePrincipalCredentials(client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id)
self.mgmt_client = KeyVaultManagementClient(
credentials=creds, subscription_id=self.config.subscription_id)
self.vault = None
def __get_credentials(creds: dict) -> ServicePrincipalCredentials:
if creds['azure_client_secret'] is not None:
credentials = ServicePrincipalCredentials(
client_id=creds['azure_client_id'],
secret=creds['azure_client_secret'],
tenant=creds['azure_tenant_id'],
cloud_environment=__get_cloud_env_by_name(creds['azure_cloud']))
elif creds['access_token'] is not None:
token = dict(accessToken=creds['access_token'])
credentials = AADTokenCredentials(token, creds['azure_client_id'])
else:
raise InterruptExecution("Authentication to Azure requires a"
" client secret or an access token")
return credentials
def setUp(self):
tenant_id = os.environ.get("AZURE_TENANT")
client_id = os.environ.get("AZURE_CLIENT_ID")
client_secret = os.environ.get("AZURE_SECRET")
subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID")
if not tenant_id or not client_id or not client_secret or not subscription_id:
raise ValueError("one or more environment variables are missing")
credentials = ServicePrincipalCredentials(client_id, client_secret, tenant=tenant_id, verify=True, resource="https://management.azure.com/")
self.laa_client = LogAnalyticsAlertClient(credentials, subscription_id)
self.lam_client = LogAnalyticsManagementClient(credentials, subscription_id)
self.clean_up()
def __init__(
self,
azure_subscription_id,
azure_tenant_id,
azure_application_id,
azure_application_key,
logger,
):
"""Init command.
:param str azure_subscription_id:
:param str azure_tenant_id:
:param str azure_application_id:
:param str azure_application_key:
:param str azure_application_key:
:param logging.Logger logger:
"""
self._azure_subscription_id = azure_subscription_id
self._azure_tenant_id = azure_tenant_id
self._azure_application_id = azure_application_id
self._azure_application_key = azure_application_key
self._logger = logger
self._cached_storage_account_keys = {}
self._credentials = ServicePrincipalCredentials(
client_id=azure_application_id,
secret=azure_application_key,
tenant=azure_tenant_id,
)
self._subscription_client = SubscriptionClient(
credentials=self._credentials)
self._resource_client = ResourceManagementClient(
credentials=self._credentials,
subscription_id=self._azure_subscription_id)
self._compute_client = ComputeManagementClient(
credentials=self._credentials,
subscription_id=self._azure_subscription_id)
self._storage_client = StorageManagementClient(
credentials=self._credentials,
subscription_id=self._azure_subscription_id)
self._network_client = NetworkManagementClient(
credentials=self._credentials,
subscription_id=self._azure_subscription_id)