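    def augment(self, resources):
        """Annotate role assignments with the AAD identity behind each principalId.

        Every distinct ``properties.principalId`` is resolved through the AAD
        Graph in one batched lookup and each resource gains ``principalName``,
        ``displayName`` and ``aadType``. A resource whose principal is empty or
        is not returned by Graph (a deleted service principal, for instance) is
        left without those keys rather than raising. Callers that filter on the
        added keys must treat their absence as "unknown", not as a match.

        NOTE(review): ``graph.windows.net`` is the legacy Azure AD Graph
        endpoint; confirm it is still the intended target for this tenant.

        :param resources: list of role-assignment dicts, each carrying a
            ``properties`` mapping with a ``principalId``.
        :return: the same list, mutated in place.
        """
        s = Session(resource='https://graph.windows.net')
        graph_client = GraphRbacManagementClient(s.get_credentials(), s.get_tenant_id())

        object_ids = list(set(
            resource['properties']['principalId'] for resource in resources
            if resource['properties']['principalId']))

        # Nothing to resolve: skip the Graph round trip entirely.
        if not object_ids:
            return resources

        object_params = GetObjectsParameters(
            include_directory_object_references=True,
            object_ids=object_ids)

        try:
            # The request may be issued on the call or deferred to iteration
            # (paged result), so both sit inside the try.
            aad_objects = graph_client.objects.get_objects_by_object_ids(object_params)
            principal_dics = {aad_object.object_id: aad_object for aad_object in aad_objects}
        except CloudError:
            # Best effort: the policy still runs, just without identity fields.
            log.warning('Credentials not authorized for access to read from Microsoft Graph. \n '
                        'Can not query on principalName, displayName, or aadType. \n'
                        )
            return resources

        for resource in resources:
            # .get() rather than []: resources with an empty principalId were
            # excluded from the query and deleted principals are not returned
            # by Graph; either case used to raise KeyError, which the
            # CloudError handler above does not catch.
            graph_resource = principal_dics.get(resource['properties']['principalId'])
            if graph_resource is None:
                continue
            resource['principalName'] = self.get_principal_name(graph_resource)
            resource['displayName'] = graph_resource.display_name
            resource['aadType'] = graph_resource.object_type

        return resources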
    def test_initialize_session_auth_file(self):
        """A Session built from an authorization file must expose
        ServicePrincipalCredentials and the subscription/tenant from the file."""
        init_target = 'azure.common.credentials.ServicePrincipalCredentials.__init__'

        # Stub the credential constructor so the test never requests a token
        # from AAD; everything below runs against the stubbed class.
        with patch(init_target, autospec=True, return_value=None):
            session = Session(authorization_file=self.authorization_file)
            credentials = session.get_credentials()

            self.assertIs(type(credentials), ServicePrincipalCredentials)
            self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
            self.assertEqual(session.get_tenant_id(), 'tenant')
    def test_initialize_session_principal(self):
        """Service-principal environment variables alone must yield
        ServicePrincipalCredentials with tenant and subscription read from them."""
        init_target = 'azure.common.credentials.ServicePrincipalCredentials.__init__'
        # Placeholder values only; nothing here is a real credential.
        principal_env = {
            constants.ENV_TENANT_ID: 'tenant',
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
            constants.ENV_CLIENT_ID: 'client',
            constants.ENV_CLIENT_SECRET: 'secret',
        }

        # Stub the credential constructor (no token request to AAD) and clear
        # the environment so only the placeholder variables are visible.
        with patch(init_target, autospec=True, return_value=None), \
                patch.dict(os.environ, principal_env, clear=True):
            session = Session()

            self.assertIs(type(session.get_credentials()), ServicePrincipalCredentials)
            self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
            self.assertEqual(session.get_tenant_id(), 'tenant')
    def enhance_policies(self, access_policies):
        """Attach AAD identity details to Key Vault access policies.

        Each policy's ``objectId`` is resolved through a Graph client that is
        created on first use and cached on ``self.graph_client``. Every policy
        gains ``displayName``, ``aadType`` and ``principalName``. The helper
        returns an empty AADObject for ids Graph does not know or when Graph is
        unavailable, so unresolved policies are annotated with empty values
        rather than raising.

        :param access_policies: list of access-policy dicts carrying ``objectId``.
        :return: the same list, mutated in place.
        """
        if self.graph_client is None:
            session = Session(resource='https://graph.windows.net')
            self.graph_client = GraphRbacManagementClient(
                session.get_credentials(), session.get_tenant_id())

        ids_to_resolve = [policy['objectId'] for policy in access_policies]
        resolved = GraphHelper.get_principal_dictionary(self.graph_client, ids_to_resolve)

        for policy in access_policies:
            identity = resolved[policy['objectId']]
            policy['displayName'] = identity.display_name
            policy['aadType'] = identity.object_type
            policy['principalName'] = GraphHelper.get_principal_name(identity)

        return access_policies
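    def augment(self, resources):
        """Annotate role assignments with the AAD identity behind each principalId.

        Distinct non-empty ``properties.principalId`` values are resolved in one
        batch via ``GraphHelper.get_principal_dictionary`` and each resolved
        resource gains ``principalName``, ``displayName`` and ``aadType``.
        Resources whose principal is empty or unknown to Graph are returned
        without those keys; callers filtering on them must treat absence as
        "unknown", not as a match.

        NOTE(review): ``graph.windows.net`` is the legacy Azure AD Graph
        endpoint; confirm it is still the intended target for this tenant.

        :param resources: list of role-assignment dicts, each carrying a
            ``properties`` mapping with a ``principalId``.
        :return: the same list, mutated in place.
        """
        s = Session(resource='https://graph.windows.net')
        graph_client = GraphRbacManagementClient(s.get_credentials(), s.get_tenant_id())

        object_ids = list(set(
            resource['properties']['principalId'] for resource in resources
            if resource['properties']['principalId']))

        # Nothing to resolve: skip the Graph round trip entirely.
        if not object_ids:
            return resources

        principal_dics = GraphHelper.get_principal_dictionary(graph_client, object_ids)

        for resource in resources:
            # Single lookup instead of `in d.keys()` followed by d[...].
            graph_resource = principal_dics.get(resource['properties']['principalId'])
            # The helper appears to hand back an empty AADObject (no object_id)
            # for ids Graph could not resolve; skip those as well as misses.
            if graph_resource is None or not graph_resource.object_id:
                continue
            resource['principalName'] = GraphHelper.get_principal_name(graph_resource)
            resource['displayName'] = graph_resource.display_name
            resource['aadType'] = graph_resource.object_type

        return resources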
    def test_initialize_session_principal(self):
        """Service-principal environment variables alone must yield
        ServicePrincipalCredentials with tenant and subscription read from them."""
        init_target = 'azure.common.credentials.ServicePrincipalCredentials.__init__'
        # Placeholder values only; nothing here is a real credential.
        principal_env = {
            constants.ENV_TENANT_ID: DEFAULT_TENANT_ID,
            constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
            constants.ENV_CLIENT_ID: 'client',
            constants.ENV_CLIENT_SECRET: 'secret',
        }

        # Stub the credential constructor (no token request to AAD) and clear
        # the environment so only the placeholder variables are visible.
        with patch(init_target, autospec=True, return_value=None), \
                patch.dict(os.environ, principal_env, clear=True):
            session = Session()

            self.assertIs(type(session.get_credentials()), ServicePrincipalCredentials)
            self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
            self.assertEqual(session.get_tenant_id(), DEFAULT_TENANT_ID)
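    def augment(self, resources):
        """Annotate role assignments with the AAD identity behind each principalId.

        Distinct non-empty ``properties.principalId`` values are resolved in one
        batch via ``GraphHelper.get_principal_dictionary`` and each resolved
        resource gains ``principalName``, ``displayName`` and ``aadType``.
        Resources whose principal is empty or unknown to Graph are returned
        without those keys; callers filtering on them must treat absence as
        "unknown", not as a match.

        NOTE(review): ``graph.windows.net`` is the legacy Azure AD Graph
        endpoint; confirm it is still the intended target for this tenant.

        :param resources: list of role-assignment dicts, each carrying a
            ``properties`` mapping with a ``principalId``.
        :return: the same list, mutated in place.
        """
        s = Session(resource='https://graph.windows.net')
        graph_client = GraphRbacManagementClient(s.get_credentials(), s.get_tenant_id())

        object_ids = list(set(
            resource['properties']['principalId'] for resource in resources
            if resource['properties']['principalId']))

        # Nothing to resolve: skip the Graph round trip entirely.
        if not object_ids:
            return resources

        principal_dics = GraphHelper.get_principal_dictionary(graph_client, object_ids)

        for resource in resources:
            # Single lookup instead of `in d.keys()` followed by d[...].
            graph_resource = principal_dics.get(resource['properties']['principalId'])
            # The helper appears to hand back an empty AADObject (no object_id)
            # for ids Graph could not resolve; skip those as well as misses.
            if graph_resource is None or not graph_resource.object_id:
                continue
            resource['principalName'] = GraphHelper.get_principal_name(graph_resource)
            resource['displayName'] = graph_resource.display_name
            resource['aadType'] = graph_resource.object_type

        return resources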
    def enhance_policies(self, access_policies):
        """Attach AAD identity details to Key Vault access policies.

        Each policy's ``objectId`` is resolved through a Graph client that is
        created on first use and cached on ``self.graph_client``. Every policy
        gains ``displayName``, ``aadType`` and ``principalName``. The helper
        returns an empty AADObject for ids Graph does not know or when Graph is
        unavailable, so unresolved policies are annotated with empty values
        rather than raising.

        :param access_policies: list of access-policy dicts carrying ``objectId``.
        :return: the same list, mutated in place.
        """
        if self.graph_client is None:
            session = Session(resource='https://graph.windows.net')
            self.graph_client = GraphRbacManagementClient(
                session.get_credentials(), session.get_tenant_id())

        ids_to_resolve = [policy['objectId'] for policy in access_policies]
        resolved = GraphHelper.get_principal_dictionary(self.graph_client, ids_to_resolve)

        for policy in access_policies:
            identity = resolved[policy['objectId']]
            policy['displayName'] = identity.display_name
            policy['aadType'] = identity.object_type
            policy['principalName'] = GraphHelper.get_principal_name(identity)

        return access_policies
    def test_initialize_session_auth_file(self):
        """A Session built from an authorization file must wrap a
        ClientSecretCredential and expose the file's subscription and tenant."""
        session = Session(authorization_file=self.authorization_file)
        wrapper = session.get_credentials()

        # NOTE(review): this reaches into the wrapper's private `_credential`;
        # a public accessor would make the test less brittle.
        self.assertIs(type(wrapper._credential), ClientSecretCredential)
        self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
        self.assertEqual(session.get_tenant_id(), 'tenant')