def get_aad_token(endpoint, no_verify):
#pylint: disable-msg=too-many-locals
"""Get AAD token"""
from azure.servicefabric.service_fabric_client_ap_is import (
ServiceFabricClientAPIs)
from sfctl.auth import ClientCertAuthentication
from sfctl.config import set_aad_metadata
auth = ClientCertAuthentication(None, None, no_verify)
client = ServiceFabricClientAPIs(auth, base_url=endpoint)
aad_metadata = client.get_aad_metadata()
if aad_metadata.type != "aad":
raise CLIError("Not AAD cluster")
aad_resource = aad_metadata.metadata
tenant_id = aad_resource.tenant
authority_uri = aad_resource.login + '/' + tenant_id
context = adal.AuthenticationContext(authority_uri, api_version=None)
cluster_id = aad_resource.cluster
client_id = aad_resource.client
set_aad_metadata(authority_uri, cluster_id, client_id)
code = context.acquire_user_code(cluster_id, client_id)
print(code['message'])
token = context.acquire_token_with_device_code(cluster_id, code, client_id)
print("Succeed!")
return token, context.cache
def select(endpoint,
cert=None,
key=None,
pem=None,
ca=None,
aad=False,
no_verify=False):
#pylint: disable-msg=too-many-locals
"""
Connects to a Service Fabric cluster endpoint.
If connecting to secure cluster specify an absolute path to a cert (.crt)
and key file (.key) or a single file with both (.pem). Do not specify both.
Optionally, if connecting to a secure cluster, specify also an absolute
path to a CA bundle file or directory of trusted CA certs.
:param str endpoint: Cluster endpoint URL, including port and HTTP or HTTPS
prefix
:param str cert: Absolute path to a client certificate file
:param str key: Absolute path to client certificate key file
:param str pem: Absolute path to client certificate, as a .pem file
:param str ca: Absolute path to CA certs directory to treat as valid
or CA bundle
file
:param bool aad: Use Azure Active Directory for authentication
:param bool no_verify: Disable verification for certificates when using
HTTPS, note: this is an insecure option and should not be used for
production environments
"""
from sfctl.config import (set_ca_cert, set_auth, set_aad_cache,
set_cluster_endpoint, set_no_verify)
from msrest import ServiceClient, Configuration
from sfctl.auth import ClientCertAuthentication, AdalAuthentication
select_arg_verify(endpoint, cert, key, pem, ca, aad, no_verify)
if aad:
new_token, new_cache = get_aad_token(endpoint, no_verify)
set_aad_cache(new_token, new_cache)
rest_client = ServiceClient(AdalAuthentication(no_verify),
Configuration(endpoint))
# Make sure basic GET request succeeds
rest_client.send(rest_client.get('/')).raise_for_status()
else:
client_cert = None
if pem:
client_cert = pem
elif cert:
client_cert = (cert, key)
rest_client = ServiceClient(
ClientCertAuthentication(client_cert, ca, no_verify),
Configuration(endpoint))
# Make sure basic GET request succeeds
rest_client.send(rest_client.get('/')).raise_for_status()
set_cluster_endpoint(endpoint)
set_no_verify(no_verify)
set_ca_cert(ca)
set_auth(pem, cert, key, aad)
def create(_):
"""Create a client for Service Fabric APIs."""
endpoint = client_endpoint()
if not endpoint:
raise CLIError(
'Connection endpoint not found. '
'Before running sfctl commands, connect to a cluster using '
'the "sfctl cluster select" command. '
'If you are seeing this message on Linux after already selecting a cluster, '
'you may need to run the command with sudo.')
no_verify = no_verify_setting()
if security_type() == 'aad':
auth = AdalAuthentication(no_verify)
else:
cert = cert_info()
ca_cert = ca_cert_info()
auth = ClientCertAuthentication(cert, ca_cert, no_verify)
client = ServiceFabricClientAPIs(auth, base_url=endpoint)
# client.config.retry_policy has type msrest.pipeline.ClientRetryPolicy
client.config.retry_policy.total = False
client.config.retry_policy.policy.total = False
# msrest defines ClientRetryPolicy in pipline.py.
# ClientRetryPolicy.__init__ defines values for status_forcelist
# which is passed to urllib3.util.retry.Retry
client.config.retry_policy.policy.status_forcelist = None
return client
def create(_):
"""Create a client for Service Fabric APIs."""
endpoint = client_endpoint()
if not endpoint:
raise CLIError("Connection endpoint not found")
no_verify = no_verify_setting()
if security_type() == 'aad':
auth = AdalAuthentication(no_verify)
else:
cert = cert_info()
ca_cert = ca_cert_info()
auth = ClientCertAuthentication(cert, ca_cert, no_verify)
return ServiceFabricClientAPIs(auth, base_url=endpoint)
def _get_client_cert_auth(pem, cert, key, ca, no_verify): # pylint: disable=invalid-name
"""
Return a ClientCertAuthentication based on given credentials
:param pem: See select command in this file
:param cert: See select command in this file
:param key: See select command in this file
:param ca: See select command in this file
:param no_verify: See select command in this file
:return: ClientCertAuthentication
"""
client_cert = None
if pem:
client_cert = pem
elif cert:
client_cert = (cert, key)
return ClientCertAuthentication(client_cert, ca, no_verify)
def create(_):
"""Create a client for Service Fabric APIs."""
endpoint = client_endpoint()
if not endpoint:
raise CLIError(
"Connection endpoint not found. "
"Before running sfctl commands, connect to a cluster using "
"the 'sfctl cluster select' command.")
no_verify = no_verify_setting()
if security_type() == 'aad':
auth = AdalAuthentication(no_verify)
else:
cert = cert_info()
ca_cert = ca_cert_info()
auth = ClientCertAuthentication(cert, ca_cert, no_verify)
return ServiceFabricClientAPIs(auth, base_url=endpoint)
def select(
endpoint,
cert=None,
key=None,
pem=None,
ca=None, #pylint: disable=invalid-name, too-many-arguments
aad=False,
no_verify=False):
#pylint: disable-msg=too-many-locals
"""
Connects to a Service Fabric cluster endpoint.
If connecting to secure cluster, specify an absolute path to a cert (.crt)
and key file (.key) or a single file with both (.pem). Do not specify both.
Optionally, if connecting to a secure cluster, also specify an absolute
path to a CA bundle file or directory of trusted CA certs. If using a
directory of CA certs, `c_rehash <directory>` provided by OpenSSL must be run first to compute
the certificate hashes and create the appropriate symbolics links.
:param str endpoint: Cluster endpoint URL, including port and HTTP or HTTPS
prefix
:param str cert: Absolute path to a client certificate file
:param str key: Absolute path to client certificate key file
:param str pem: Absolute path to client certificate, as a .pem file
:param str ca: Absolute path to CA certs directory to treat as valid
or CA bundle
file
:param bool aad: Use Azure Active Directory for authentication
:param bool no_verify: Disable verification for certificates when using
HTTPS, note: this is an insecure option and should not be used for
production environments
"""
# Regarding c_rehash:
# The c_rehash is needed when specifying a CA certs directory
# because requests.Sessions which is used underneath requires
# the c_rehash operation to be performed.
# See http://docs.python-requests.org/en/master/user/advanced/
from sfctl.config import (set_ca_cert, set_auth, set_aad_cache,
set_cluster_endpoint, set_no_verify)
from msrest import ServiceClient, Configuration
from sfctl.auth import ClientCertAuthentication, AdalAuthentication
select_arg_verify(endpoint, cert, key, pem, ca, aad, no_verify)
if aad:
new_token, new_cache = get_aad_token(endpoint, no_verify)
set_aad_cache(new_token, new_cache)
rest_client = ServiceClient(AdalAuthentication(no_verify),
Configuration(endpoint))
# Make sure basic GET request succeeds
rest_client.send(rest_client.get('/')).raise_for_status()
else:
client_cert = None
if pem:
client_cert = pem
elif cert:
client_cert = (cert, key)
rest_client = ServiceClient(
ClientCertAuthentication(client_cert, ca, no_verify),
Configuration(endpoint))
# Make sure basic GET request succeeds
rest_client.send(rest_client.get('/')).raise_for_status()
set_cluster_endpoint(endpoint)
set_no_verify(no_verify)
set_ca_cert(ca)
set_auth(pem, cert, key, aad)
