def _get_azure_ad_access_token(self) -> str:
""" https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication """
app = ConfidentialClientApplication(
client_id=self.oauth_client_id,
client_credential=self.oauth_client_secret,
authority=self.oauth_client_authority)
result = None
config = {
"scope": ["https://graph.microsoft.com/.default"],
}
if not result:
result = app.acquire_token_for_client(scopes=config["scope"])
if "access_token" not in result:
print(result.get("error"))
print(result.get("error_description"))
print(result.get(
"correlation_id")) # You might need this when reporting a bug.
raise dbt.exceptions.FailedToConnectException(
'failed to connect to Azure')
# print("ACCESS TOKEN:"+ result["access_token"])
# return result["access_token"]
return "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.eyJhdWQiOiIyZmY4MTRhNi0zMzA0LTRhYjgtODVjYi1jZDBlNmY4NzljMWQiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8yY2M0ZjZiZS1kMjMzLTQ5NjgtYTkyYy03NGNlMmQyNmFkYjEvIiwiaWF0IjoxNjEzOTEzNTk2LCJuYmYiOjE2MTM5MTM1OTYsImV4cCI6MTYxMzkxNzQ5NiwiYWNyIjoiMSIsImFpbyI6IkFVUUF1LzhUQUFBQWtlbWNtcGpGdEw2NzNEakJPOWtpdHg2eFZiTDVRalNqTExLaGtJa2hMUUE1Q3c0WVNIb0haWG5nc0FGbVdLeDJaV2JucTZkWFc1M2dhZnZRMnhxS2NnPT0iLCJhbHRzZWNpZCI6IjE6bGl2ZS5jb206MDAwM0JGRkQxM0FBQkU3RiIsImFtciI6WyJwd2QiXSwiYXBwaWQiOiI0NTRjZjY3OS1jOGMzLTQ0OTUtOTllMy1jZWMzMjAxNDU4MDkiLCJhcHBpZGFjciI6IjAiLCJlbWFpbCI6InZhbGRhc0BtYWtzaW1hdmljaXVzLmV1IiwiZmFtaWx5X25hbWUiOiIyZGRhMWYzYS0zMjExLTRjMjAtYTdjMC1jYzliMmY3ZmI4NzkiLCJnaXZlbl9uYW1lIjoiZjk1ZWQ5NzgtY2I0My00OThjLWIxNmUtMTU0MGQ5NWYzNDQxIiwiaWRwIjoibGl2ZS5jb20iLCJpcGFkZHIiOiI3OC41OC4yMzcuMTY2IiwibmFtZSI6ImY5NWVkOTc4LWNiNDMtNDk4Yy1iMTZlLTE1NDBkOTVmMzQ0MSAyZGRhMWYzYS0zMjExLTRjMjAtYTdjMC1jYzliMmY3ZmI4NzkiLCJvaWQiOiIwYjRmNWQ3OC03ZTBlLTQyMzItYmI2MS01NjNmZmVlNDlhNzQiLCJwdWlkIjoiMTAwMzAwMDBBQzAwN0U3NyIsInJoIjoiMC5BVEVBdnZiRUxEUFNhRW1wTEhUT0xTYXRzWG4yVEVYRHlKVkVtZVBPd3lBVVdBa3hBSm8uIiwic2NwIjoidXNlcl9pbXBlcnNvbmF0aW9uIiwic3ViIjoiVGNpaS16bXhDUTkxSjdCWVoxdGpKdkVSb0xLQ0FGQ2NPeGYtYmo3QzF3SSIsInRpZCI6IjJjYzRmNmJlLWQyMzMtNDk2OC1hOTJjLTc0Y2UyZDI2YWRiMSIsInVuaXF1ZV9uYW1lIjoibGl2ZS5jb20jdmFsZGFzQG1ha3NpbWF2aWNpdXMuZXUiLCJ1dGkiOiJNZ1JhczNXUVUwQ3R0d0I3cUVCQkFBIiwidmVyIjoiMS4wIn0.PGjS4bHZTMCFQnbBNUUg1w5G9YTem1dfjM3eiBf1-sVPRRyRyUlB28nB7PjYB_GnR235ZmaBkc3TF0mToGUqC43Zky2a0CWlAEmRyzUH85y8RIWzgnEx5cRi7SC46klzqHa78xnQWoihjPCG23VT8bo3nwKH0JziH6DFBmsrFc0wwqMBm4l_xjf_3MgPr5Fk-GzQ_LtryUvxdiATXAjqiK6Zcmm1fPKZZAdizP4EQImfGALbDwjoIdyggyInnZzOGWJjODXPaFMpbNnKM8LWGcpMgNfCeShfWchOSn5JqNvVBMIrsRkuVzo8eDOK_e63YTASncj4ncNRJ4EDtlBQGA"
class ApplicationCertificateTokenProvider(TokenProviderBase):
"""
Acquire a token from MSAL using application certificate
Passing the public certificate is optional and will result in Subject Name & Issuer Authentication
"""
def __init__(self, kusto_uri: str, client_id: str, authority_uri: str, private_cert: str, thumbprint: str, public_cert: str = None):
super().__init__(kusto_uri)
self._msal_client = None
self._auth = authority_uri
self._client_id = client_id
self._cert_credentials = {TokenConstants.MSAL_PRIVATE_CERT: private_cert, TokenConstants.MSAL_THUMBPRINT: thumbprint}
if public_cert is not None:
self._cert_credentials[TokenConstants.MSAL_PUBLIC_CERT] = public_cert
@staticmethod
def name() -> str:
return "ApplicationCertificateTokenProvider"
def context(self) -> dict:
return {"authority": self._auth, "client_id": self._app_client_id, "thumbprint": self._cert_credentials[TokenConstants.MSAL_THUMBPRINT]}
def _init_impl(self):
self._msal_client = ConfidentialClientApplication(client_id=self._client_id, client_credential=self._cert_credentials, authority=self._auth)
def _get_token_impl(self) -> dict:
token = self._msal_client.acquire_token_for_client(scopes=self._scopes)
return self._valid_token_or_throw(token)
def _get_token_from_cache_impl(self) -> dict:
token = self._msal_client.acquire_token_silent(scopes=self._scopes, account=None)
return self._valid_token_or_none(token)
class ApplicationKeyTokenProvider(TokenProviderBase):
""" Acquire a token from MSAL with application Id and Key """
def __init__(self, kusto_uri: str, authority_uri: str, app_client_id: str, app_key: str):
super().__init__(kusto_uri)
self._msal_client = None
self._app_client_id = app_client_id
self._app_key = app_key
self._auth = authority_uri
@staticmethod
def name() -> str:
return "ApplicationKeyTokenProvider"
def context(self) -> dict:
return {"authority": self._auth, "client_id": self._app_client_id}
def _init_impl(self):
self._msal_client = ConfidentialClientApplication(client_id=self._app_client_id, client_credential=self._app_key, authority=self._auth)
def _get_token_impl(self) -> dict:
token = self._msal_client.acquire_token_for_client(scopes=self._scopes)
return self._valid_token_or_throw(token)
def _get_token_from_cache_impl(self) -> dict:
token = self._msal_client.acquire_token_silent(scopes=self._scopes, account=None)
return self._valid_token_or_none(token)
def __init__(self, spn_tenant_id: str, spn_client_id: str, spn_client_secret: str):
app_client = ConfidentialClientApplication(
client_id=spn_client_id,
authority=f"https://login.microsoftonline.com/{spn_tenant_id}",
client_credential=spn_client_secret
)
token = app_client.acquire_token_for_client(scopes="https://cloudpartner.azure.com/.default")
if 'error' in token:
raise RuntimeError("Could not fetch token for Azure Marketplace client", token['error_description'])
self.token = token['access_token']
def fetch_from_sharepoint_list(table_name: str, sub_site_id: str, list_id: str,
**kwargs):
s3 = S3Data(table_name, kwargs["ts_nodash"])
app = ConfidentialClientApplication(
DIT_SHAREPOINT_CREDENTIALS['client_id'],
authority=
f'https://login.microsoftonline.com/{DIT_SHAREPOINT_CREDENTIALS["tenant_id"]}',
client_credential=DIT_SHAREPOINT_CREDENTIALS['client_secret'],
)
token_response = app.acquire_token_for_client(
scopes=['https://graph.microsoft.com/.default'])
if 'access_token' not in token_response:
raise InvalidAuthCredentialsError(
f'Failed to acquire token: {token_response.get("error_description")}'
)
access_token = token_response['access_token']
tenant = DIT_SHAREPOINT_CREDENTIALS["tenant_domain"]
sharepoint_site = (
f':/sites/{DIT_SHAREPOINT_CREDENTIALS["site_name"]}:/sites/{sub_site_id}'
)
list_url = f'https://graph.microsoft.com/v1.0/sites/{tenant}{sharepoint_site}/lists/{list_id}'
items_url = f'{list_url}/items'
# Fetch a copy of the column names, this needs to be done separately from
# fetching items as otherwise paging will not work.
logger.info('Fetching column names from %s', list_url)
graph_data = _make_request(list_url, access_token, {'expand': 'columns'})
column_map = {
col['name']: col['displayName']
for col in graph_data['columns']
}
# Fetch the list item data
page = 1
while items_url is not None:
logger.info('Fetching from %s', items_url)
graph_data = _make_request(items_url, access_token,
{'expand': 'fields'})
records = [{
**{
column_map[col_id]: row['fields'][col_id]
for col_id in row['fields'].keys() if col_id in column_map
},
'createdBy':
row['createdBy']['user'],
'lastModifiedBy':
row['lastModifiedBy']['user']
if row.get('lastModifiedBy') is not None else None,
} for row in graph_data['value']]
s3.write_key(f"{page:010}.json", records)
page += 1
items_url = graph_data.get('@odata.nextLink')
logger.info('Finished fetching from sharepoint')
def ms_graph_client_token():
azure_tenant_id = os.environ["AZURE_TENANT_ID"]
client_id = os.environ["MS_GRAPH_API_CLIENT_ID"]
client_secret = os.environ["MS_GRAPH_API_CLIENT_SECRET"]
context = ConfidentialClientApplication(
client_id=client_id,
client_credential=client_secret,
authority="https://login.microsoftonline.com/{}".format(
azure_tenant_id),
)
scope = "https://graph.microsoft.com/.default"
return context.acquire_token_for_client(scope)
def __init__(self, spn_tenant_id: str, spn_client_id: str,
spn_client_secret: str):
app_client = ConfidentialClientApplication(
spn_client_id,
authority=f"https://login.microsoftonline.com/{spn_tenant_id}",
client_credential=spn_client_secret)
token = app_client.acquire_token_for_client(
scopes="https://cloudpartner.azure.com/.default")
self.req_headers = {
"Authorization": f"Bearer {token['access_token']}",
"Content-Type": "application/json",
}
self.req_params = {"api-version": "2017-10-31"}
async def get_obo_token(
auth_settings: AuthSettings = Depends(get_auth_settings),
msal_app: msal.ConfidentialClientApplication = Depends(
get_private_app),
):
tenant = urlparse(auth_settings.b2c_endpoint).path.lstrip('/')
scopes = [
f'https://{tenant}/{auth_settings.elastic_client_id}/.default',
]
token_resp = msal_app.acquire_token_for_client(scopes)
try:
return token_resp['access_token']
except KeyError:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail='Unable to acquire elastic access token',
headers={'WWW-Authenticate': 'Bearer'},
)
def _get_msgraph_token() -> str:
scopes = ["https://graph.microsoft.com/.default"]
app = ConfidentialClientApplication(
client_id=config.API_CLIENT_ID,
client_credential=config.API_CLIENT_SECRET,
authority=f"{config.AAD_INSTANCE}/{config.AAD_TENANT_ID}")
result = app.acquire_token_silent(scopes=scopes, account=None)
if not result:
logging.info(
'No suitable token exists in cache, getting a new one from AAD'
)
result = app.acquire_token_for_client(scopes=scopes)
if "access_token" not in result:
logging.debug(result.get('error'))
logging.debug(result.get('error_description'))
logging.debug(result.get('correlation_id'))
raise Exception(result.get('error'))
return result["access_token"]
def generatetoken():
with open('app/json_files/credential.json') as f:
credentials = json.load(f)
appMS = ConfidentialClientApplication(
credentials.get('CLIENT_ID', {}),
authority=credentials.get('AUTHORITY', {}),
client_credential=credentials.get('CLIENT_SECRET', {}))
result = None
scope = credentials.get('SCOPE', {})
result = appMS.acquire_token_silent(scopes=list(scope), account=None)
if not result:
logging.info(
"No suitable token exists in cache. Let's get a new one from AAD.")
result = appMS.acquire_token_for_client(scopes=scope)
token = result.get('access_token', {})
return token
def patching_oms(plugin, date):
AZURE_TENANT = plugin.params.get(name="AZURE_TENANT").value
AZURE_APP_ID = plugin.params.get(name="AZURE_APP_ID").value
AZURE_APP_SECRET = plugin.params.get(name="AZURE_APP_SECRET").value
AZURE_LOG_WORKSPACE = plugin.params.get(name="AZURE_LOG_WORKSPACE").value
LOG_ANALYTICS_BASE = "https://api.loganalytics.io"
LOG_ANALYTICS_BASE_SCOPE = "{}/.default".format(LOG_ANALYTICS_BASE)
LOG_ANALYTICS_QUERY = "{}/v1/workspaces/{}/query".format(
LOG_ANALYTICS_BASE, AZURE_LOG_WORKSPACE)
ctx = ConfidentialClientApplication(
client_id=AZURE_APP_ID,
client_credential=AZURE_APP_SECRET,
authority=AZURE_TENANT,
)
token = ctx.acquire_token_for_client(LOG_ANALYTICS_BASE_SCOPE)
headers = {"Authorization": "Bearer {}".format(token["access_token"])}
patching = requests.get(
LOG_ANALYTICS_QUERY,
params={
"query":
"(ConfigurationData | project Computer, TimeGenerated, VMUUID | distinct Computer) | join kind=inner ( Heartbeat | project Computer, OSType, OSName, OSMajorVersion, OSMinorVersion, ComputerEnvironment, TimeGenerated, TenantId, ComputerIP | summarize arg_max (TimeGenerated, *) by Computer ) on Computer"
},
headers=headers,
)
results = patching.json()
for computer in results["tables"][0]["rows"]:
host_status = lookup(computer[0], date)
if host_status is None:
continue
host_status.patching_info = {
"id": computer[8],
"os_type": computer[3],
"os_name": computer[4],
"os_major_version": computer[5],
"os_minor_version": computer[6],
}
host_status.patching_plugin = plugin
host_status.patching_output = "Server has been enrolled in OMS."
host_status.patching_status = 3
host_status.save()
print("Updated patching status for {}".format(host_status))
def get_sp_access_token(client_id,client_credential,tenant_name,scopes):
logging.info('Attempting to obtain an access token...')
result = None
app = ConfidentialClientApplication(
client_id = client_id,
client_credential= client_credential,
authority = f"https://login.microsoftonline.com/{tenant_name}"
)
result = app.acquire_token_for_client(scopes=scopes)
if "access_token" in result:
logging.info('Access token successfully acquired')
return result['access_token']
else:
logging.error('Unable to obtain access token')
logging.error(f"Error was: {result['error']}")
logging.error(f"Error description was: {result['error_description']}")
logging.error(f"Error correlation_id was: {result['correlation_id']}")
raise Exception('Failed to obtain access token')
def teams_session():
client_id = ge('client_id')
authority_id = ge('authority_id')
client_credential = ge('client_credential')
BASE_URL = "https://graph.microsoft.com/beta/"
ms_s = sessions.BaseUrlSession(base_url=BASE_URL)
app = ConfidentialClientApplication(
client_id=client_id,
authority=f"https://login.microsoftonline.com/{authority_id}",
client_credential=client_credential)
result = app.acquire_token_for_client(
scopes=["https://graph.microsoft.com/.default"])
token = result['access_token']
sessions.BaseUrlSession(base_url='https://graph.microsoft.com/beta/')
ms_s.headers.update({"Authorization": f"Bearer {token}"})
return ms_s
class Authenticator:
app: ConfidentialClientApplication
def __init__(self, config: Dict):
client_id: str = config['GRAPH_API_AUTH_CLIENT_ID']
authority: str = config['GRAPH_API_AUTH_AUTHORITY']
thumprint: str = config['GRAPH_API_AUTH_PUBKEY_THUMBPRINT']
priv_key_path: str = config['GRAPH_API_AUTH_PRIVKEY_PATH']
client_credential: dict = {
"thumbprint": thumprint,
"private_key": open(priv_key_path).read()
}
self.app = ConfidentialClientApplication(
client_id=client_id,
authority=authority,
client_credential=client_credential)
def get_auth_token(self) -> str:
"""
Returns a valid auth_token or throws a value exception
"""
result = None
# Check in cache
result = self.app.acquire_token_silent(AUTHENTICATION_SCOPE,
account=None)
if not result:
print("Getting new token")
result = self.app.acquire_token_for_client(
scopes=AUTHENTICATION_SCOPE)
if "access_token" in result:
return result["access_token"]
print(result.get("error"))
print(result.get("error_description"))
# You may need this when reporting a bug
print(result.get("correlation_id"))
raise ValueError(result)
class ApplicationKeyTokenProvider(CloudInfoTokenProvider):
"""Acquire a token from MSAL with application Id and Key"""
def __init__(self,
kusto_uri: str,
authority_id: str,
app_client_id: str,
app_key: str,
is_async: bool = False):
super().__init__(kusto_uri, is_async)
self._msal_client = None
self._app_client_id = app_client_id
self._app_key = app_key
self._auth = authority_id
@staticmethod
def name() -> str:
return "ApplicationKeyTokenProvider"
def _context_impl(self) -> dict:
return {
"authority": self._cloud_info.authority_uri(self._auth),
"client_id": self._app_client_id
}
def _init_impl(self):
self._msal_client = ConfidentialClientApplication(
client_id=self._app_client_id,
client_credential=self._app_key,
authority=self._cloud_info.authority_uri(self._auth),
proxies=self._proxy_dict)
def _get_token_impl(self) -> Optional[dict]:
token = self._msal_client.acquire_token_for_client(scopes=self._scopes)
return self._valid_token_or_throw(token)
def _get_token_from_cache_impl(self) -> dict:
token = self._msal_client.acquire_token_silent(scopes=self._scopes,
account=None)
return self._valid_token_or_none(token)
def main(tenant_id, client_id, client_secret):
authority = "https://login.microsoftonline.com/{tenant_id}".format(
tenant_id=tenant_id)
app = ConfidentialClientApplication(client_id=client_id,
authority=authority,
client_credential=client_secret)
token_response = app.acquire_token_for_client(
["https://graph.microsoft.com/.default"])
print("Response: ", token_response)
print("Access token: ", token_response['access_token'])
api_endpoint = "https://management.azure.com/providers/Microsoft.Management/managementgroups/{managementGroupId}/providers/Microsoft.Authorization/policyDefinitions?api-version=2019-09-01"
# The tenant id is the root management group
api_endpoint = api_endpoint.format(managementGroupId=tenant_id)
session = request_authenticated_azure_session(
token_response['access_token'])
with session as req:
response = req.get(api_endpoint)
if response.status_code in range(200, 299):
print(response.json())
else:
print("Oops!")
def backup_storagesync(plugin, date):
AZURE_TENANT = plugin.params.get(name="AZURE_TENANT").value
AZURE_APP_ID = plugin.params.get(name="AZURE_APP_ID").value
AZURE_APP_SECRET = plugin.params.get(name="AZURE_APP_SECRET").value
AZURE_SUBSCRIPTION_ID = plugin.params.get(
name="AZURE_SUBSCRIPTION_ID").value
AZURE_RESOURCE_GROUP = plugin.params.get(name="AZURE_RESOURCE_GROUP").value
AZURE_STORAGE_SYNC_NAME = plugin.params.get(
name="AZURE_STORAGE_SYNC_NAME").value
AZURE_URL = "https://portal.azure.com/#resource/subscriptions/{}/resourceGroups/{}/providers/Microsoft.StorageSync/storageSyncServices/{}/syncGroups".format(
AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP, AZURE_STORAGE_SYNC_NAME)
MANAGEMENT_BASE = "https://management.azure.com"
MANAGEMENT_BASE_SCOPE = "{}/.default".format(MANAGEMENT_BASE)
backup_limit = (datetime.datetime.now(tz=datetime.timezone.utc) -
datetime.timedelta(days=1)).isoformat()
ctx = ConfidentialClientApplication(
client_id=AZURE_APP_ID,
client_credential=AZURE_APP_SECRET,
authority=AZURE_TENANT,
)
token = ctx.acquire_token_for_client(MANAGEMENT_BASE_SCOPE)
headers = {"Authorization": "Bearer {}".format(token["access_token"])}
# Get list of sync groups
MANAGEMENT_SYNC_BASE = "{}/subscriptions/{}/resourceGroups/{}/providers/Microsoft.StorageSync/storageSyncServices/{}".format(
MANAGEMENT_BASE,
AZURE_SUBSCRIPTION_ID,
AZURE_RESOURCE_GROUP,
AZURE_STORAGE_SYNC_NAME,
)
MANAGEMENT_SYNC_GROUPS = "{}/syncGroups?api-version=2019-03-01".format(
MANAGEMENT_SYNC_BASE)
sync_groups = {}
group_list = _ms_api("GET", MANAGEMENT_SYNC_GROUPS, headers=headers)
for group in group_list:
sync_groups[group["name"]] = _ms_api(
"GET",
"{}/syncGroups/{}/serverEndpoints?api-version=2019-03-01".format(
MANAGEMENT_SYNC_BASE, group["name"]),
headers=headers,
)
server_map = {}
for name, servers in sync_groups.items():
for server in servers:
key = server["properties"]["friendlyName"]
if key not in server_map:
server_map[key] = []
server_map[key].append({
"name":
name,
"path":
server["properties"]["serverLocalPath"],
"upload_health":
server["properties"]["syncStatus"]["uploadHealth"],
"download_health":
server["properties"]["syncStatus"]["downloadHealth"],
"files_not_syncing":
server["properties"]["syncStatus"]
["totalPersistentFilesNotSyncingCount"],
"last_upload":
server["properties"]["syncStatus"]["uploadStatus"]
["lastSyncTimestamp"],
"last_upload_success":
server["properties"]["syncStatus"]["uploadStatus"]
["lastSyncSuccessTimestamp"],
"last_download":
server["properties"]["syncStatus"]["downloadStatus"]
["lastSyncTimestamp"],
"last_download_success":
server["properties"]["syncStatus"]["downloadStatus"]
["lastSyncSuccessTimestamp"],
"id":
server["id"],
})
for name, servers in server_map.items():
host_status = lookup(name, date)
if not host_status or host_status.backup_plugin:
continue
host_status.backup_plugin = plugin
host_status.backup_url = AZURE_URL
host_status.backup_info = servers
for server in servers:
if server["last_upload_success"] < backup_limit:
host_status.backup_output = (
"File shares are being backed up, last backup older than 24 hours."
)
host_status.backup_status = 2
host_status.save()
return
if server["upload_health"] != "Healthy":
host_status.backup_output = (
"File shares are being backed up, uploads not marked as healthy."
)
host_status.backup_status = 2
host_status.save()
return
host_status.backup_output = (
"File shares are being backed up, last backup was successful.")
host_status.backup_status = 3
host_status.save()
def backup_azure(plugin, date):
AZURE_TENANT = plugin.params.get(name="AZURE_TENANT").value
AZURE_APP_ID = plugin.params.get(name="AZURE_APP_ID").value
AZURE_APP_SECRET = plugin.params.get(name="AZURE_APP_SECRET").value
AZURE_SUBSCRIPTION_ID = plugin.params.get(
name="AZURE_SUBSCRIPTION_ID").value
AZURE_VAULT_NAME = plugin.params.get(name="AZURE_VAULT_NAME").value
AZURE_URL = "https://portal.azure.com/#resource{}/backupSetting"
MANAGEMENT_BASE = "https://management.azure.com"
MANAGEMENT_BASE_SCOPE = "{}/.default".format(MANAGEMENT_BASE)
MANAGEMENT_SUB = "{}/subscriptions/{}".format(MANAGEMENT_BASE,
AZURE_SUBSCRIPTION_ID)
ctx = ConfidentialClientApplication(
client_id=AZURE_APP_ID,
client_credential=AZURE_APP_SECRET,
authority=AZURE_TENANT,
)
token = ctx.acquire_token_for_client(MANAGEMENT_BASE_SCOPE)
headers = {"Authorization": "Bearer {}".format(token["access_token"])}
# Get the ID of the specified vault.
MANAGEMENT_LIST_VAULTS = "{}/providers/Microsoft.RecoveryServices/vaults?api-version=2016-06-01".format(
MANAGEMENT_SUB)
vaults = _ms_api("GET", MANAGEMENT_LIST_VAULTS, headers=headers)
vault = None
for v in vaults:
if v["name"] == AZURE_VAULT_NAME:
vault = v["id"]
break
if vault is None:
return
# Get backup protection container list.
MANAGEMENT_LIST_CONTAINERS = "{}{}/backupProtectionContainers?api-version=2016-12-01&$filter=backupManagementType%20eq%20%27AzureIaasVM%27%20and%20status%20eq%20%27Registered%27".format(
MANAGEMENT_BASE, vault)
containers = _ms_api("GET", MANAGEMENT_LIST_CONTAINERS, headers=headers)
vm_mapping = {}
for container in containers:
vm_id = container["properties"]["virtualMachineId"]
if vm_id not in vm_mapping:
vm_mapping[vm_id] = {}
vm_mapping[vm_id]["id"] = vm_id
vm_mapping[vm_id]["container_name"] = container["name"]
vm_mapping[vm_id]["container_id"] = container["id"]
vm_mapping[vm_id]["container_health"] = container["properties"][
"healthStatus"]
vm_mapping[vm_id]["ips"] = []
# Get private IP addresses of each VM
MANAGEMENT_LIST_NICS = "{}/providers/Microsoft.Network/networkInterfaces?api-version=2018-10-01".format(
MANAGEMENT_SUB)
nics = _ms_api("GET", MANAGEMENT_LIST_NICS, headers=headers)
for nic in nics:
if "virtualMachine" not in nic["properties"]:
continue
vm_id = nic["properties"]["virtualMachine"]["id"]
if vm_id in vm_mapping:
vm_mapping[vm_id]["ips"] = [
x["properties"]["privateIPAddress"]
for x in nic["properties"]["ipConfigurations"]
]
for vm in vm_mapping.values():
host_status = None
for ip in vm["ips"]:
host_status = lookup(ip, date)
if host_status:
break
if not host_status:
continue
host_status.backup_plugin = plugin
host_status.backup_url = AZURE_URL.format(vm["id"])
host_status.backup_info = {
"id": vm["id"],
"container_name": vm["container_name"],
"container_id": vm["container_id"],
"container_health": vm["container_health"],
}
if vm["container_health"] == "Healthy":
host_status.backup_output = "VM is enrolled for backups and is healthy."
host_status.backup_status = 3
else:
host_status.backup_output = (
"VM is enrolled for backups, but is not healthy.")
host_status.backup_status = 2
host_status.save()
print("Updated Azure backup status for {}".format(host_status))
# Build authority from tanenat
authority = "https://login.microsoftonline.com/{0}".format(config["tenant"])
# Setup the application with client id, client secret and tenant name
app = ConfidentialClientApplication(config["client_id"],
authority=authority,
client_credential=config["client_secret"])
# Try to get token from memory cache, can be expanded to use a more
# permanent storage like redis
token_result = app.acquire_token_silent(config["scope"], account=None)
if not token_result:
# No token in cache, let's get a new one
token_result = app.acquire_token_for_client(scopes=config["scope"])
# Check for token
if "access_token" in token_result:
# Make a request to the api
print("Authed successfully")
# --------------- Example 1a- Get a list of assets from Asset API ---------------
print("Making call to Asset API to get list of assets")
api_response = requests.get(config["assetApiEndpoint"] + "me/Assets",
headers={
'Authorization':
'Bearer ' + token_result["access_token"],
'Ocp-Apim-Subscription-Key':
config["assetApiSubscriptionKey"]
clientSecret = ""
app = ConfidentialClientApplication(clientID, authority=authority, client_credential=clientSecret)
scope = ["https://graph.microsoft.com/.default"]
# The pattern to acquire a token looks like this.
result = None
# First, the code looks up a token from the cache.
# Because we're looking for a token for the current app, not for a user,
# use None for the account parameter.
result = app.acquire_token_silent(scope, account=None)
if not result:
print("No suitable token exists in cache. Let's get a new one from AAD.")
result = app.acquire_token_for_client(scopes=scope)
if "access_token" in result:
# Call a protected API with the access token.
curToken = result["access_token"]
print(curToken)
endpoint = graphURI + "beta/conditionalAccess/policies"
# endpoint = graphURI + "v1.0/users"
http_headers = {'Authorization': 'Bearer ' + curToken,
'Accept': 'application/json',
'Content-Type': 'application/json'}
data = requests.get(endpoint, headers=http_headers, stream=False).json()
print(data)
else:
print(result.get("error"))
doConditionalAccessPolicyTestWithAdminConsentedSP = True
if doConditionalAccessPolicyTestWithAdminConsentedSP:
curClientId = appId
#TODO - un-hardcode the sleep to a error backoff like above
print(
f"This will use clientID: {curClientId}. Sleeping for 60 seconds for propagation"
)
time.sleep(60)
app = ConfidentialClientApplication(curClientId,
appPwd,
authority=authority)
capScopes = ["https://graph.microsoft.com/.default"]
capToken = app.acquire_token_for_client(capScopes)["access_token"]
capHeader = {
"Authorization": "Bearer {}".format(capToken),
"Content-Type": "application/json"
}
print("Now trying same creds against the policy endpoint")
capURL = graphURI + "beta/conditionalAccess/policies"
capResponse = requests.get(capURL, headers=capHeader)
capJSON = json.loads(capResponse.content)
print(
f"Response of Graph 2.0 API query against {capURL} using ClientID {curClientId} : {capResponse.content}"
)
print("All Done!")