def show_subscription(subscription=None, show_auth_for_sdk=None): import json profile = Profile() if not show_auth_for_sdk: return profile.get_subscription(subscription) # sdk-auth file should be in json format all the time, hence the print print(json.dumps(profile.get_sp_auth_info(subscription), indent=2))
def show_subscription(cmd, subscription=None, show_auth_for_sdk=None): import json profile = Profile(cli_ctx=cmd.cli_ctx) if not show_auth_for_sdk: return profile.get_subscription(subscription) # sdk-auth file should be in json format all the time, hence the print print(json.dumps(profile.get_sp_auth_info(subscription), indent=2))
def show_subscription(cmd, subscription=None, show_auth_for_sdk=None): import json profile = Profile(cli_ctx=cmd.cli_ctx) if show_auth_for_sdk: from azure.cli.command_modules.role.custom import CREDENTIAL_WARNING logger.warning(CREDENTIAL_WARNING) # sdk-auth file should be in json format all the time, hence the print print(json.dumps(profile.get_sp_auth_info(subscription), indent=2)) return return profile.get_subscription(subscription)
def test_get_auth_info_for_logged_in_service_principal( self, mock_auth_context): mock_auth_context.acquire_token_with_client_credentials.return_value = self.token_entry1 mock_arm_client = mock.MagicMock() mock_arm_client.subscriptions.list.return_value = [self.subscription1] finder = SubscriptionFinder(lambda _, _2: mock_auth_context, None, lambda _: mock_arm_client) storage_mock = {'subscriptions': []} profile = Profile(storage_mock, use_global_creds_cache=False) profile._management_resource_uri = 'https://management.core.windows.net/' profile.find_subscriptions_on_login(False, '1234', 'my-secret', True, self.tenant_id, False, finder) # action extended_info = profile.get_sp_auth_info() # assert self.assertEqual( self.id1.split('/')[-1], extended_info['subscriptionId']) self.assertEqual('1234', extended_info['clientId']) self.assertEqual('my-secret', extended_info['clientSecret']) self.assertEqual('https://login.microsoftonline.com', extended_info['activeDirectoryEndpointUrl']) self.assertEqual('https://management.azure.com/', extended_info['resourceManagerEndpointUrl'])
def create_service_principal_for_rbac( # pylint:disable=too-many-statements,too-many-locals, too-many-branches cmd, name=None, password=None, years=None, create_cert=False, cert=None, scopes=None, role='Contributor', show_auth_for_sdk=None, skip_assignment=False, keyvault=None): import time import pytz graph_client = _graph_client_factory(cmd.cli_ctx) role_client = _auth_client_factory(cmd.cli_ctx).role_assignments scopes = scopes or ['/subscriptions/' + role_client.config.subscription_id] years = years or 1 sp_oid = None _RETRY_TIMES = 36 app_display_name = None if name and '://' not in name: app_display_name = name name = "http://" + name # normalize be a valid graph service principal name if name: query_exp = 'servicePrincipalNames/any(x:x eq \'{}\')'.format(name) aad_sps = list(graph_client.service_principals.list(filter=query_exp)) if aad_sps: raise CLIError("'{}' already exists.".format(name)) app_start_date = datetime.datetime.now(pytz.utc) app_end_date = app_start_date + relativedelta(years=years or 1) app_display_name = app_display_name or ( 'azure-cli-' + app_start_date.strftime('%Y-%m-%d-%H-%M-%S')) if name is None: name = 'http://' + app_display_name # just a valid uri, no need to exist password, public_cert_string, cert_file, cert_start_date, cert_end_date = \ _process_service_principal_creds(cmd.cli_ctx, years, app_start_date, app_end_date, cert, create_cert, password, keyvault) app_start_date, app_end_date, cert_start_date, cert_end_date = \ _validate_app_dates(app_start_date, app_end_date, cert_start_date, cert_end_date) aad_application = create_application(graph_client.applications, display_name=app_display_name, homepage='http://' + app_display_name, identifier_uris=[name], available_to_other_tenants=False, password=password, key_value=public_cert_string, start_date=app_start_date, end_date=app_end_date) # pylint: disable=no-member app_id = aad_application.app_id # retry till server replication is done for l in range(0, _RETRY_TIMES): try: aad_sp = _create_service_principal(cmd.cli_ctx, app_id, resolve_app=False) break except Exception as ex: # pylint: disable=broad-except if l < _RETRY_TIMES and (' does not reference ' in str(ex) or ' does not exist ' in str(ex)): time.sleep(5) logger.warning('Retrying service principal creation: %s/%s', l + 1, _RETRY_TIMES) else: logger.warning( "Creating service principal failed for appid '%s'. Trace followed:\n%s", name, ex.response.headers if hasattr(ex, 'response') else ex) # pylint: disable=no-member raise sp_oid = aad_sp.object_id # retry while server replication is done if not skip_assignment: for scope in scopes: for l in range(0, _RETRY_TIMES): try: _create_role_assignment(cmd.cli_ctx, role, sp_oid, None, scope, resolve_assignee=False) break except Exception as ex: if l < _RETRY_TIMES and ' does not exist in the directory ' in str( ex): time.sleep(5) logger.warning( 'Retrying role assignment creation: %s/%s', l + 1, _RETRY_TIMES) continue else: # dump out history for diagnoses logger.warning('Role assignment creation failed.\n') if getattr(ex, 'response', None) is not None: logger.warning( 'role assignment response headers: %s\n', ex.response.headers) # pylint: disable=no-member raise if show_auth_for_sdk: import json from azure.cli.core._profile import Profile profile = Profile(cli_ctx=cmd.cli_ctx) result = profile.get_sp_auth_info( scopes[0].split('/')[2] if scopes else None, app_id, password, cert_file) # sdk-auth file should be in json format all the time, hence the print print(json.dumps(result, indent=2)) return result = { 'appId': app_id, 'password': password, 'name': name, 'displayName': app_display_name, 'tenant': graph_client.config.tenant_id } if cert_file: logger.warning( "Please copy %s to a safe place. When run 'az login' provide the file path to the --password argument", cert_file) result['fileWithCertAndPrivateKey'] = cert_file return result
def create_service_principal_for_rbac( # pylint:disable=too-many-statements,too-many-locals, too-many-branches, unused-argument, inconsistent-return-statements cmd, name=None, years=None, create_cert=False, cert=None, scopes=None, role=None, show_auth_for_sdk=None, skip_assignment=False, keyvault=None): from azure.cli.command_modules.role.custom import (_graph_client_factory, TZ_UTC, _process_service_principal_creds, _validate_app_dates, create_application, _create_service_principal, _create_role_assignment, _error_caused_by_role_assignment_exists) if role and not scopes or not role and scopes: raise ArgumentUsageError("Usage error: To create role assignments, specify both --role and --scopes.") graph_client = _graph_client_factory(cmd.cli_ctx) years = years or 1 _RETRY_TIMES = 36 existing_sps = None if not name: # No name is provided, create a new one app_display_name = 'azure-cli-' + datetime.utcnow().strftime('%Y-%m-%d-%H-%M-%S') else: app_display_name = name # patch existing app with the same displayName to make the command idempotent query_exp = "displayName eq '{}'".format(name) existing_sps = list(graph_client.service_principals.list(filter=query_exp)) app_start_date = datetime.now(TZ_UTC) app_end_date = app_start_date + relativedelta(years=years or 1) password, public_cert_string, cert_file, cert_start_date, cert_end_date = \ _process_service_principal_creds(cmd.cli_ctx, years, app_start_date, app_end_date, cert, create_cert, None, keyvault) app_start_date, app_end_date, cert_start_date, cert_end_date = \ _validate_app_dates(app_start_date, app_end_date, cert_start_date, cert_end_date) aad_application = create_application(cmd, display_name=app_display_name, available_to_other_tenants=False, password=password, key_value=public_cert_string, start_date=app_start_date, end_date=app_end_date, credential_description='rbac') # pylint: disable=no-member app_id = aad_application.app_id # retry till server replication is done aad_sp = existing_sps[0] if existing_sps else None if not aad_sp: for retry_time in range(0, _RETRY_TIMES): try: aad_sp = _create_service_principal(cmd.cli_ctx, app_id, resolve_app=False) break except Exception as ex: # pylint: disable=broad-except err_msg = str(ex) if retry_time < _RETRY_TIMES and ( ' does not reference ' in err_msg or ' does not exist ' in err_msg or 'service principal being created must in the local tenant' in err_msg): logger.warning("Creating service principal failed with error '%s'. Retrying: %s/%s", err_msg, retry_time + 1, _RETRY_TIMES) time.sleep(5) else: logger.warning( "Creating service principal failed for '%s'. Trace followed:\n%s", app_id, ex.response.headers if hasattr(ex, 'response') else ex) # pylint: disable=no-member raise sp_oid = aad_sp.object_id if role: for scope in scopes: # logger.warning("Creating '%s' role assignment under scope '%s'", role, scope) # retry till server replication is done for retry_time in range(0, _RETRY_TIMES): try: _create_role_assignment(cmd.cli_ctx, role, sp_oid, None, scope, resolve_assignee=False, assignee_principal_type='ServicePrincipal') break except Exception as ex: if retry_time < _RETRY_TIMES and ' does not exist in the directory ' in str(ex): time.sleep(5) logger.warning(' Retrying role assignment creation: %s/%s', retry_time + 1, _RETRY_TIMES) continue if _error_caused_by_role_assignment_exists(ex): logger.warning(' Role assignment already exists.\n') break # dump out history for diagnoses logger.warning(' Role assignment creation failed.\n') if getattr(ex, 'response', None) is not None: logger.warning(' role assignment response headers: %s\n', ex.response.headers) # pylint: disable=no-member raise if show_auth_for_sdk: from azure.cli.core._profile import Profile profile = Profile(cli_ctx=cmd.cli_ctx) result = profile.get_sp_auth_info(scopes[0].split('/')[2] if scopes else None, app_id, password, cert_file) # sdk-auth file should be in json format all the time, hence the print print(json.dumps(result, indent=2)) return result = { 'appId': app_id, 'password': password, 'displayName': app_display_name, 'tenant': graph_client.config.tenant_id } if cert_file: logger.warning( "Please copy %s to a safe place. When you run 'az login', provide the file path in the --password argument", cert_file) result['fileWithCertAndPrivateKey'] = cert_file return result
def create_service_principal_for_rbac( # pylint:disable=too-many-statements,too-many-locals, too-many-branches name=None, password=None, years=None, create_cert=False, cert=None, scopes=None, role='Contributor', show_auth_for_sdk=None, skip_assignment=False, keyvault=None): import time import pytz graph_client = _graph_client_factory() role_client = _auth_client_factory().role_assignments scopes = scopes or ['/subscriptions/' + role_client.config.subscription_id] years = years or 1 sp_oid = None _RETRY_TIMES = 36 app_display_name = None if name and '://' not in name: app_display_name = name name = "http://" + name # normalize be a valid graph service principal name if name: query_exp = 'servicePrincipalNames/any(x:x eq \'{}\')'.format(name) aad_sps = list(graph_client.service_principals.list(filter=query_exp)) if aad_sps: raise CLIError("'{}' already exists.".format(name)) app_start_date = datetime.datetime.now(pytz.utc) app_end_date = app_start_date + relativedelta(years=years or 1) app_display_name = app_display_name or ('azure-cli-' + app_start_date.strftime('%Y-%m-%d-%H-%M-%S')) if name is None: name = 'http://' + app_display_name # just a valid uri, no need to exist password, public_cert_string, cert_file, cert_start_date, cert_end_date = \ _process_service_principal_creds(years, app_start_date, app_end_date, cert, create_cert, password, keyvault) app_start_date, app_end_date, cert_start_date, cert_end_date = \ _validate_app_dates(app_start_date, app_end_date, cert_start_date, cert_end_date) aad_application = create_application(graph_client.applications, display_name=app_display_name, homepage='http://' + app_display_name, identifier_uris=[name], available_to_other_tenants=False, password=password, key_value=public_cert_string, start_date=app_start_date, end_date=app_end_date) # pylint: disable=no-member app_id = aad_application.app_id # retry till server replication is done for l in range(0, _RETRY_TIMES): try: aad_sp = _create_service_principal(app_id, resolve_app=False) break except Exception as ex: # pylint: disable=broad-except if l < _RETRY_TIMES and ( ' does not reference ' in str(ex) or ' does not exist ' in str(ex)): time.sleep(5) logger.warning('Retrying service principal creation: %s/%s', l + 1, _RETRY_TIMES) else: logger.warning( "Creating service principal failed for appid '%s'. Trace followed:\n%s", name, ex.response.headers if hasattr(ex, 'response') else ex) # pylint: disable=no-member raise sp_oid = aad_sp.object_id # retry while server replication is done if not skip_assignment: for scope in scopes: for l in range(0, _RETRY_TIMES): try: _create_role_assignment(role, sp_oid, None, scope, resolve_assignee=False) break except Exception as ex: if l < _RETRY_TIMES and ' does not exist in the directory ' in str(ex): time.sleep(5) logger.warning('Retrying role assignment creation: %s/%s', l + 1, _RETRY_TIMES) continue else: # dump out history for diagnoses logger.warning('Role assignment creation failed.\n') if getattr(ex, 'response', None) is not None: logger.warning('role assignment response headers: %s\n', ex.response.headers) # pylint: disable=no-member raise if show_auth_for_sdk: import json from azure.cli.core._profile import Profile profile = Profile() result = profile.get_sp_auth_info(scopes[0].split('/')[2] if scopes else None, app_id, password, cert_file) # sdk-auth file should be in json format all the time, hence the print print(json.dumps(result, indent=2)) return result = { 'appId': app_id, 'password': password, 'name': name, 'displayName': app_display_name, 'tenant': graph_client.config.tenant_id } if cert_file: logger.warning( "Please copy %s to a safe place. When run 'az login' provide the file path to the --password argument", cert_file) result['fileWithCertAndPrivateKey'] = cert_file return result