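def get_user(auth_token, user_id):
    """Fetch a single user object from Microsoft Graph.

    Args:
        auth_token: bearer token placed in the Authorization header.
        user_id: identifier that selects the user (used as a URL path segment).

    Returns:
        The parsed JSON body of the Graph response (``response.json``).

    Raises:
        AzureError: when ``response.ok`` is false; the message carries the
            response code and body text.
    """
    from urllib.parse import quote

    # user_id becomes a path segment, so percent-encode it: otherwise a value
    # containing '/', '?' or '#' would change which resource is requested.
    # '@' is left as-is so a userPrincipalName stays readable in logs.
    url = "https://graph.microsoft.com/v1.0/users/" + quote(user_id, safe="@")
    headers = {
        "Authorization": "Bearer " + auth_token,
        "Content-Type": "application/json",
    }
    response = http.get(url, headers=headers)
    if response.ok:
        return response.json
    raise AzureError(f'get_user failed with {response.code} - {response.text}')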
def get_application(auth_token):
    """Return the Graph application object for the module-level ``APP_ID``.

    Args:
        auth_token: bearer token placed in the Authorization header.

    Returns:
        Parsed JSON body (``response.json``) of the successful response.

    Raises:
        AzureError: if ``response.ok`` is false; the message carries the
            response code and body text.
    """
    endpoint = f"https://graph.microsoft.com/v1.0/applications/{APP_ID}/"
    request_headers = {
        "Authorization": "Bearer " + auth_token,
        "Content-Type": "application/json",
    }
    response = http.get(endpoint, headers=request_headers)
    if not response.ok:
        raise AzureError(f'get_application failed with {response.code} - {response.text}')
    return response.json
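def get_app_roles_assigned_to(auth_token, url=None):
    """List appRoleAssignments on the module-level ``SERVICE_ID`` service principal.

    Only the requested page is returned; an ``@odata.nextLink`` in the body is
    not followed here (a caller may pass it back in as ``url``).

    Args:
        auth_token: bearer token placed in the Authorization header.
        url: optional absolute URL to request instead of the default
            endpoint; any falsy value selects the default.

    Returns:
        Parsed JSON body (``response.json``) of the successful response.

    Raises:
        AzureError: if ``url`` is not an https URL on graph.microsoft.com, or
            if ``response.ok`` is false.
    """
    from urllib.parse import urlsplit

    url = url or "https://graph.microsoft.com/v1.0/servicePrincipals/{0}/appRoleAssignments".format(SERVICE_ID)
    # The bearer token is attached to this request, so a caller-supplied url
    # must not be able to redirect it to another host or to plain http.
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "graph.microsoft.com":
        raise AzureError(f'get_app_roles_assigned_to refused non-Graph url {url!r}')
    headers = {
        "Authorization": "Bearer " + auth_token,
        "Content-Type": "application/json",
    }
    response = http.get(url, headers=headers)
    if response.ok:
        return response.json
    raise AzureError(f'get_app_roles_assigned_to failed with {response.code} - {response.text}')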
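def group_members_initial(auth_token, group_id):
    """Return the first page of members of a Graph group.

    Pagination is not handled here; the caller must follow any
    ``@odata.nextLink`` in the returned body.

    Args:
        auth_token: bearer token placed in the Authorization header.
        group_id: group identifier (used as a URL path segment).

    Returns:
        Parsed JSON body (``response.json``) of the successful response.

    Raises:
        AzureError: if ``response.ok`` is false; the message carries the
            response code and body text.
    """
    from urllib.parse import quote

    # Percent-encode the path segment so '/', '?' or '#' in group_id cannot
    # alter the requested resource.
    url = "https://graph.microsoft.com/v1.0/groups/{}/members".format(quote(group_id, safe=""))
    headers = {
        "Authorization": "Bearer " + auth_token,
        "Content-Type": "application/json",
    }
    response = http.get(url, headers=headers)
    if response.ok:
        return response.json
    raise AzureError(f'group_members_initial failed with {response.code} - {response.text}')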
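def find_group_starts_with_name_initial(auth_token, name):
    """Return the first page of groups whose displayName starts with ``name``.

    Args:
        auth_token: bearer token placed in the Authorization header.
        name: prefix to match; it is embedded in an OData ``$filter``.

    Returns:
        Parsed JSON body (``response.json``) of the successful response.

    Raises:
        AzureError: if ``response.ok`` is false; the message carries the
            response code and body text.
    """
    url = "https://graph.microsoft.com/v1.0/groups"
    headers = {
        "Authorization": "Bearer " + auth_token,
        "Content-Type": "application/json",
    }
    # OData string literals escape a single quote by doubling it (the same
    # rule find_user_by_email applies); without this a quote in name breaks
    # out of the literal and changes the filter expression.
    safe_name = name.replace("'", "''")
    params = {'$filter': f"startsWith(displayName,'{safe_name}')"}
    response = http.get(url, headers=headers, params=params)
    if response.ok:
        return response.json
    raise AzureError(f'find_group_starts_with_name_initial failed with {response.code} - {response.text}')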
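def find_group_by_name(auth_token, name):
    """Return the groups whose displayName equals ``name``.

    Args:
        auth_token: bearer token placed in the Authorization header.
        name: exact displayName to match; it is embedded in an OData ``$filter``.

    Returns:
        The ``value`` list of the Graph response body.

    Raises:
        AzureError: if ``response.ok`` is false; the message carries the
            response code and body text.
    """
    url = "https://graph.microsoft.com/v1.0/groups"
    headers = {
        "Authorization": "Bearer " + auth_token,
        "Content-Type": "application/json",
    }
    # Double any single quote so name cannot terminate the OData string literal
    # and alter the filter (same escaping as find_user_by_email).
    safe_name = name.replace("'", "''")
    params = {'$filter': f"displayName eq '{safe_name}'"}
    response = http.get(url, headers=headers, params=params)
    if response.ok:
        return response.json['value']
    raise AzureError(f'find_group_by_name failed with {response.code} - {response.text}')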
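def find_user_by_sso(auth_token, user_sso):
    """Return the users whose userPrincipalName equals ``user_sso``.

    Args:
        auth_token: bearer token placed in the Authorization header.
        user_sso: exact userPrincipalName to match; it is embedded in an
            OData ``$filter``.

    Returns:
        The ``value`` list of the Graph response body.

    Raises:
        AzureError: if ``response.ok`` is false; the message carries the
            response code and body text.
    """
    url = "https://graph.microsoft.com/v1.0/users"
    headers = {
        "Authorization": "Bearer " + auth_token,
        "Content-Type": "application/json",
    }
    # Double any single quote so user_sso cannot terminate the OData string
    # literal and alter the filter (same escaping as find_user_by_email).
    safe_sso = user_sso.replace("'", "''")
    params = {'$filter': f"userPrincipalName eq '{safe_sso}'"}
    response = http.get(url, headers=headers, params=params)
    if response.ok:
        return response.json['value']
    raise AzureError(f'find_user_by_sso failed with {response.code} - {response.text}')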
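def get_next_link(auth_token, next_url):
    """Fetch one continuation page given an ``@odata.nextLink`` URL.

    Args:
        auth_token: bearer token placed in the Authorization header.
        next_url: absolute URL taken from a previous Graph response body.

    Returns:
        Parsed JSON body (``response.json``) of the page.

    Raises:
        AzureError: if ``next_url`` is not an https URL on graph.microsoft.com,
            or if ``response.ok`` is false.
    """
    from urllib.parse import urlsplit

    # next_url comes from a response body rather than being built here. Since
    # the bearer token is attached to the request, only follow it to the Graph
    # host over TLS so the token cannot be sent to another destination.
    parts = urlsplit(next_url)
    if parts.scheme != "https" or parts.hostname != "graph.microsoft.com":
        raise AzureError(f'get_next_link refused non-Graph url {next_url!r}')
    headers = {
        "Authorization": "Bearer " + auth_token,
        "Content-Type": "application/json",
    }
    response = http.get(next_url, headers=headers)
    if response.ok:
        return response.json
    raise AzureError(f'get_next_link failed with {response.code} - {response.text}')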
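def find_user_by_email(auth_token, user_email):
    """Return the users whose ``mail`` attribute equals ``user_email``.

    Args:
        auth_token: bearer token placed in the Authorization header.
        user_email: exact mail value to match; it is embedded in an OData
            ``$filter``.

    Returns:
        The ``value`` list of the Graph response body.

    Raises:
        AzureError: if ``response.ok`` is false; the message carries the
            response code and body text.
    """
    url = "https://graph.microsoft.com/v1.0/users"
    headers = {
        "Authorization": "Bearer " + auth_token,
        "Content-Type": "application/json",
    }
    # OData escapes a single quote inside a string literal by doubling it.
    safe_email = user_email.replace("'", "''")
    params = {"$filter": f"mail eq '{safe_email}'"}
    # Note: this debug line writes the looked-up address into the log.
    log.debug(f'Looking up user by email with filter parameters: {params}')
    response = http.get(url, headers=headers, params=params)
    if response.ok:
        return response.json['value']
    raise AzureError(f'find_user_by_email failed with {response.code} - {response.text}')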
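def lookup_assignment_object_id(auth_token, user_id, role_id):
    """Return the ``objectId`` of the single assignment of ``role_id`` to a user.

    Only the first page of the user's appRoleAssignments is inspected; no
    ``@odata.nextLink`` is followed.

    Args:
        auth_token: bearer token placed in the Authorization header.
        user_id: user identifier (used as a URL path segment).
        role_id: value compared against each assignment's ``id`` field.

    Returns:
        The ``objectId`` of the one matching assignment.

    Raises:
        AzureError: if the request fails, or if the number of matching
            assignments is not exactly one.
    """
    from urllib.parse import quote

    # Percent-encode the path segment so '/', '?' or '#' in user_id cannot
    # alter the requested resource ('@' kept for userPrincipalName values).
    url = "https://graph.microsoft.com/v1.0/users/{0}/appRoleAssignments".format(quote(user_id, safe="@"))
    headers = {
        "Authorization": "Bearer " + auth_token,
        "Content-Type": "application/json",
    }
    response = http.get(url, headers=headers)
    if not response.ok:
        raise AzureError(f'lookup_assignment_object_id failed with {response.code} - {response.text}')
    # NOTE(review): this compares each assignment's 'id' with role_id and
    # returns its 'objectId'; confirm against the Graph appRoleAssignment
    # schema that these are the intended fields rather than e.g. 'appRoleId'.
    matched_assignments = [
        assignment['objectId']
        for assignment in response.json['value']
        if assignment['id'] == role_id
    ]
    if len(matched_assignments) != 1:
        raise AzureError('lookup_assignment_object_id - Invalid number of matched assignments found')
    return matched_assignments[0]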
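def get_user_app_roles(auth_token, user_id):
    """Return every appRoleAssignment of a user, following pagination.

    Args:
        auth_token: bearer token placed in the Authorization header.
        user_id: user identifier (used as a URL path segment).

    Returns:
        A list holding the ``value`` entries of every page.

    Raises:
        AzureError: if the first request fails (``response.ok`` false) or if
            ``get_next_link`` raises while fetching a continuation page.
    """
    from urllib.parse import quote

    # Percent-encode the path segment so '/', '?' or '#' in user_id cannot
    # alter the requested resource ('@' kept for userPrincipalName values).
    url = "https://graph.microsoft.com/v1.0/users/{0}/appRoleAssignments/?$top=999".format(quote(user_id, safe="@"))
    headers = {
        "Authorization": "Bearer " + auth_token,
        "Content-Type": "application/json",
    }
    response = http.get(url, headers=headers)
    if not response.ok:
        raise AzureError(f'get_user_app_roles failed with {response.code} - {response.text}')
    page = response.json
    value = list(page['value'])
    # Advance from the most recently fetched page. Testing the *first*
    # response's nextLink each time would request the same second page forever.
    while '@odata.nextLink' in page:
        page = get_next_link(auth_token, page['@odata.nextLink'])
        value.extend(page['value'])
    return value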
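def setup_saml_provider(resource, client, options, name='AAD'):
    '''Setup AzureAD SAML Provider with federation metadata.

    Looks for an existing SAML provider whose ARN contains ``name``. If one is
    found and ``options.recreate_saml_idp`` is false it is kept and ``None`` is
    returned; otherwise it is deleted and a new provider is created from the
    Azure AD federation metadata for ``constants.TENANT_ID`` /
    ``constants.CLIENT_ID``.

    Args:
        resource: object exposing ``saml_providers.all()`` (IAM resource).
        client: object exposing ``create_saml_provider`` (IAM client).
        options: object whose ``recreate_saml_idp`` flag controls replacement.
        name: provider name; also used as a substring match against ARNs.

    Returns:
        The ARN of the newly created provider, or ``None`` when an existing
        provider was kept.

    Raises:
        Exception: if the metadata request fails or returns an empty body.
    '''
    # NOTE(review): `name in arn` is a substring test, so a provider named
    # e.g. 'AAD2' also matches 'AAD' — confirm this is intended.
    for saml_provider in resource.saml_providers.all():
        if name in saml_provider.arn:
            if not options.recreate_saml_idp:
                log.info(
                    f'Found existing SAML IdP with ARN: {saml_provider.arn}')
                return
            # we found existing IdP and want to re-create it
            saml_provider.delete()
            break
    metadata_url = f'https://login.microsoftonline.com/{constants.TENANT_ID}/federationmetadata/2007-06/federationmetadata.xml?appid={constants.CLIENT_ID}'
    log.info(f'Reading SAML metadata from {metadata_url}')
    # The metadata carries the IdP signing certificate that AWS will trust, so
    # its integrity rests on this TLS fetch; do not treat a failed response as
    # a document.
    metadata_response = http.get(metadata_url)
    if not metadata_response.ok:
        raise Exception(
            f'Failed to get metadata from {metadata_url}: '
            f'{metadata_response.code} - {metadata_response.text}')
    metadata = metadata_response.text
    if not metadata:
        raise Exception(f'Failed to get metadata from {metadata_url}')
    created_arn = client.create_saml_provider(
        Name=name, SAMLMetadataDocument=metadata)['SAMLProviderArn']
    log.info(f'Created SAML IdP with ARN: {created_arn}')
    return created_arn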