def test_initialize_session_token(self):
    """Session built from a raw bearer token supplied via the environment.

    The environment is cleared so that only ENV_ACCESS_TOKEN and ENV_SUB_ID
    are visible.  In that mode the credential wrapper has no underlying
    credential object and get_token() must hand back the literal token.
    """
    env = {
        constants.ENV_ACCESS_TOKEN: 'token',
        constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
    }
    with patch.dict(os.environ, env, clear=True):
        session = Session()
        # A static token is not backed by any credential chain.
        self.assertIsNone(session.get_credentials()._credential)
        self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
        # Second field of AccessToken is the expiry; a static token carries none (0).
        self.assertEqual(session.get_credentials().get_token(), AccessToken('token', 0))
def test_initialize_session_msi_authentication_error(self, mock_log, mock_cred):
    """A managed-identity credential failure must abort the process.

    ``mock_cred`` and ``mock_log`` are injected by decorators that are not
    visible here.  The credential mock is made to raise HTTPError; building
    the Session and requesting a token is then expected to end in SystemExit,
    and the logger mock must have been called exactly once on the way out.
    """
    mock_cred.side_effect = HTTPError()
    env = {
        constants.ENV_USE_MSI: 'true',
        constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
    }
    with self.assertRaises(SystemExit):
        with patch.dict(os.environ, env, clear=True):
            session = Session()
            session.get_credentials().get_token()
    # NOTE(review): placed after the assertRaises block so that it actually
    # executes; inside it, nothing after the SystemExit would run.
    mock_log.assert_called_once()
def test_initialize_msi_auth_user(self):
    """User-assigned managed identity: ENV_USE_MSI plus ENV_CLIENT_ID.

    The wrapped credential must be a ManagedIdentityCredential whose
    identity config carries the client id from the environment.
    """
    env = {
        constants.ENV_USE_MSI: 'true',
        constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        constants.ENV_CLIENT_ID: 'client',
    }
    with patch.dict(os.environ, env, clear=True):
        session = Session()
        self.assertIsInstance(session.get_credentials()._credential, ManagedIdentityCredential)
        # Reaches through two private layers; brittle against SDK changes.
        identity_config = session.get_credentials()._credential._credential._identity_config
        self.assertEqual(identity_config["client_id"], 'client')
        self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
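def augment(self, resources):
    """Annotate role assignments with the AAD principal they are bound to.

    A dedicated Session scoped to the Graph resource backs a
    GraphRbacManagementClient; the distinct ``properties.principalId`` values
    in ``resources`` are resolved in a single get_objects_by_object_ids call
    and principalName / displayName / aadType are copied onto each resource.

    Resources whose principal is not returned by Graph (e.g. an assignment
    whose user or service principal has since been deleted — an orphaned
    assignment that is worth surfacing, not crashing on) are left without the
    extra keys instead of raising KeyError.  If the credentials cannot read
    from Graph at all, a warning is logged and the resources are returned
    unannotated.  Returns the same list, mutated in place.

    NOTE(review): graph.windows.net is the legacy AAD Graph endpoint; callers
    should confirm it is still reachable for their tenant.
    """
    object_ids = list(
        set(resource['properties']['principalId']
            for resource in resources
            if resource['properties']['principalId']))
    if not object_ids:
        # Nothing to resolve; avoid an unnecessary Graph session/round-trip.
        return resources

    s = Session(resource='https://graph.windows.net')
    graph_client = GraphRbacManagementClient(s.get_credentials(), s.get_tenant_id())
    object_params = GetObjectsParameters(
        include_directory_object_references=True,
        object_ids=object_ids)

    try:
        # The request (and any authorization failure) is presumably raised
        # while the paged result is iterated, so both the call and the
        # dictionary build sit inside the try.
        aad_objects = graph_client.objects.get_objects_by_object_ids(object_params)
        principal_dics = {
            aad_object.object_id: aad_object for aad_object in aad_objects
        }
    except CloudError:
        log.warning(
            'Credentials not authorized for access to read from Microsoft Graph. \n '
            'Can not query on principalName, displayName, or aadType. \n')
        return resources

    for resource in resources:
        graph_resource = principal_dics.get(resource['properties']['principalId'])
        if graph_resource is None:
            # Orphaned assignment or principal not visible to this identity.
            continue
        resource['principalName'] = self.get_principal_name(graph_resource)
        resource['displayName'] = graph_resource.display_name
        resource['aadType'] = graph_resource.object_type
    return resources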
def test_initialize_session_auth_file(self):
    """Session driven by an authorization file (fixture on ``self``).

    The file path must yield a ClientSecretCredential (exact type, not a
    subclass) plus the subscription and tenant recorded in the file.
    """
    session = Session(authorization_file=self.authorization_file)
    credential = session.get_credentials()._credential
    self.assertIs(type(credential), ClientSecretCredential)
    self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
    self.assertEqual(session.get_tenant_id(), 'tenant')
def _enhance_policies(self, access_policies):
    """Attach AAD display data to Key Vault access policies.

    Each policy's ``objectId`` is looked up through a Graph client that is
    created lazily and cached on ``self.graph_client``.  When the lookup
    resolves the principal, ``displayName``, ``aadType`` and
    ``principalName`` are added to the policy dict; unresolved principals
    (placeholder AADObject with no object_id) are left untouched.  An empty
    or None input is returned as-is without touching Graph.  Returns the same
    list, mutated in place.
    """
    if not access_policies:
        return access_policies

    if self.graph_client is None:
        graph_session = Session(resource='https://graph.windows.net')
        self.graph_client = GraphRbacManagementClient(
            graph_session.get_credentials(), graph_session.get_tenant_id())

    # One Graph round-trip covering every policy's principal.  The helper
    # hands back an empty AADObject for ids it could not resolve, or when
    # Graph is unavailable.
    lookup = GraphHelper.get_principal_dictionary(
        self.graph_client,
        [policy['objectId'] for policy in access_policies],
        True)

    for policy in access_policies:
        principal = lookup[policy['objectId']]
        if not principal.object_id:
            continue
        policy['displayName'] = principal.display_name
        policy['aadType'] = principal.object_type
        policy['principalName'] = GraphHelper.get_principal_name(principal)
    return access_policies
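def augment(self, resources):
    """Annotate role assignments with the AAD principal they are bound to.

    A dedicated Session scoped to the Graph resource backs a
    GraphRbacManagementClient; the distinct ``properties.principalId`` values
    in ``resources`` are resolved in a single get_objects_by_object_ids call
    and principalName / displayName / aadType are copied onto each resource.

    Resources whose principal is not returned by Graph (e.g. an assignment
    whose user or service principal has since been deleted — an orphaned
    assignment that is worth surfacing, not crashing on) are left without the
    extra keys instead of raising KeyError.  If the credentials cannot read
    from Graph at all, a warning is logged and the resources are returned
    unannotated.  Returns the same list, mutated in place.

    NOTE(review): graph.windows.net is the legacy AAD Graph endpoint; callers
    should confirm it is still reachable for their tenant.
    """
    object_ids = list(set(
        resource['properties']['principalId']
        for resource in resources
        if resource['properties']['principalId']))
    if not object_ids:
        # Nothing to resolve; avoid an unnecessary Graph session/round-trip.
        return resources

    s = Session(resource='https://graph.windows.net')
    graph_client = GraphRbacManagementClient(s.get_credentials(), s.get_tenant_id())
    object_params = GetObjectsParameters(
        include_directory_object_references=True,
        object_ids=object_ids)

    try:
        # The request (and any authorization failure) is presumably raised
        # while the paged result is iterated, so both the call and the
        # dictionary build sit inside the try.
        aad_objects = graph_client.objects.get_objects_by_object_ids(object_params)
        principal_dics = {aad_object.object_id: aad_object for aad_object in aad_objects}
    except CloudError:
        log.warning('Credentials not authorized for access to read from Microsoft Graph. \n '
                    'Can not query on principalName, displayName, or aadType. \n')
        return resources

    for resource in resources:
        graph_resource = principal_dics.get(resource['properties']['principalId'])
        if graph_resource is None:
            # Orphaned assignment or principal not visible to this identity.
            continue
        resource['principalName'] = self.get_principal_name(graph_resource)
        resource['displayName'] = graph_resource.display_name
        resource['aadType'] = graph_resource.object_type
    return resources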
def test_initialize_session_auth_file(self):
    """Authorization-file session on the msrest credential stack.

    ServicePrincipalCredentials.__init__ is stubbed out so no token request
    is made; the credential type, subscription and tenant read from the
    file are asserted.
    """
    sp_init = 'azure.common.credentials.ServicePrincipalCredentials.__init__'
    with patch(sp_init, autospec=True, return_value=None):
        session = Session(authorization_file=self.authorization_file)
        self.assertIs(type(session.get_credentials()), ServicePrincipalCredentials)
        self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
        self.assertEqual(session.get_tenant_id(), 'tenant')
def test_initialize_msi_auth_system(self):
    """System-assigned managed identity: ENV_USE_MSI without a client id."""
    env = {
        constants.ENV_USE_MSI: 'true',
        constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
    }
    with patch.dict(os.environ, env, clear=True):
        session = Session()
        self.assertIsInstance(session.get_credentials()._credential, ManagedIdentityCredential)
        self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
def test_initialize_session_auth_file_no_sub(self):
    """Authorization file without a subscription: the explicit argument wins.

    The tenant may come from either the recorded fixture or a live login, so
    only membership in the two acceptable values is checked.
    """
    session = Session(subscription_id=CUSTOM_SUBSCRIPTION_ID,
                      authorization_file=self.authorization_file_no_sub)
    self.assertIs(type(session.get_credentials()._credential), ClientSecretCredential)
    self.assertEqual(session.get_subscription_id(), CUSTOM_SUBSCRIPTION_ID)
    accepted_tenants = (DEFAULT_TENANT_ID, 'tenant')
    self.assertTrue(session.get_tenant_id() in accepted_tenants)
def test_initialize_session_token(self, _1):
    """Static-token session on the msrest stack (``_1`` is an unused mock).

    With only ENV_ACCESS_TOKEN and ENV_SUB_ID set, the credential must be a
    BasicTokenAuthentication (exact type) and the subscription must come
    through from the environment.
    """
    env = {
        constants.ENV_ACCESS_TOKEN: 'token',
        constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
    }
    with patch.dict(os.environ, env, clear=True):
        session = Session()
        self.assertIs(type(session.get_credentials()), BasicTokenAuthentication)
        self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
def test_initialize_session_authentication_error(self, mock_log, mock_cred):
    """A service-principal AuthenticationError must abort the process.

    ``mock_cred`` and ``mock_log`` are injected by decorators not visible
    here.  An AuthenticationError wrapping an AdalError (with the
    error_response shape the session presumably inspects) is raised by the
    credential mock; Session construction plus get_token() must end in
    SystemExit and the logger mock must have fired exactly once.
    """
    inner = AdalError("test")
    inner.error_response = {'error': 'test'}
    auth_error = AuthenticationError('test')
    auth_error.inner_exception = inner
    mock_cred.side_effect = auth_error

    env = {
        constants.ENV_TENANT_ID: DEFAULT_TENANT_ID,
        constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        constants.ENV_CLIENT_ID: 'client',
        constants.ENV_CLIENT_SECRET: 'secret',
    }
    with self.assertRaises(SystemExit):
        with patch.dict(os.environ, env, clear=True):
            session = Session()
            session.get_credentials().get_token()
    # NOTE(review): placed after the assertRaises block so that it actually
    # executes; inside it, nothing after the SystemExit would run.
    mock_log.assert_called_once()
def test_initialize_session_token(self):
    """Static-token session: BasicTokenAuthentication plus the env subscription.

    The subscription id is an inline sample GUID (this test predates the
    shared DEFAULT_SUBSCRIPTION_ID constant).
    """
    subscription = 'ea42f556-5106-4743-99b0-c129bfa71a47'
    env = {
        constants.ENV_ACCESS_TOKEN: 'token',
        constants.ENV_SUB_ID: subscription,
    }
    with patch.dict(os.environ, env, clear=True):
        session = Session()
        self.assertIs(type(session.get_credentials()), BasicTokenAuthentication)
        self.assertEqual(session.get_subscription_id(), subscription)
def test_initialize_session_token(self):
    """Static-token session: BasicTokenAuthentication plus the env subscription."""
    env = {
        constants.ENV_ACCESS_TOKEN: 'token',
        constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
    }
    with patch.dict(os.environ, env, clear=True):
        session = Session()
        self.assertIs(type(session.get_credentials()), BasicTokenAuthentication)
        self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
def test_initialize_msi_auth_system(self):
    """System-assigned MSI on the msrest stack.

    MSIAuthentication.__init__ is stubbed so no IMDS call is attempted;
    only the credential type and subscription are checked.
    """
    msi_init = 'msrestazure.azure_active_directory.MSIAuthentication.__init__'
    env = {
        constants.ENV_USE_MSI: 'true',
        constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
    }
    with patch(msi_init, autospec=True, return_value=None):
        with patch.dict(os.environ, env, clear=True):
            session = Session()
            self.assertIs(type(session.get_credentials()), MSIAuthentication)
            self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
def test_initialize_msi_auth_system(self):
    """System-assigned MSI on the msrest stack (inline sample subscription GUID).

    MSIAuthentication.__init__ is stubbed so no IMDS call is attempted.
    """
    msi_init = 'msrestazure.azure_active_directory.MSIAuthentication.__init__'
    subscription = 'ea42f556-5106-4743-99b0-c129bfa71a47'
    env = {
        constants.ENV_USE_MSI: 'true',
        constants.ENV_SUB_ID: subscription,
    }
    with patch(msi_init, autospec=True, return_value=None):
        with patch.dict(os.environ, env, clear=True):
            session = Session()
            self.assertIs(type(session.get_credentials()), MSIAuthentication)
            self.assertEqual(session.get_subscription_id(), subscription)
def test_initialize_session_auth_file_no_sub(self):
    """Authorization file without a subscription on the msrest stack.

    ServicePrincipalCredentials.__init__ is stubbed out; the explicit
    subscription argument must win, and the tenant must be one of the two
    values seen across recorded/live runs.
    """
    sp_init = 'azure.common.credentials.ServicePrincipalCredentials.__init__'
    with patch(sp_init, autospec=True, return_value=None):
        session = Session(subscription_id=CUSTOM_SUBSCRIPTION_ID,
                          authorization_file=self.authorization_file_no_sub)
        self.assertIs(type(session.get_credentials()), ServicePrincipalCredentials)
        self.assertEqual(session.get_subscription_id(), CUSTOM_SUBSCRIPTION_ID)
        accepted_tenants = (DEFAULT_TENANT_ID, 'tenant')
        self.assertTrue(session.get_tenant_id() in accepted_tenants)
def test_initialize_session_principal(self):
    """Service-principal session from tenant / client id / client secret env vars.

    The wrapped credential must be exactly ClientSecretCredential and the
    subscription and tenant must be echoed from the environment.
    """
    env = {
        constants.ENV_TENANT_ID: DEFAULT_TENANT_ID,
        constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        constants.ENV_CLIENT_ID: 'client',
        constants.ENV_CLIENT_SECRET: 'secret',
    }
    with patch.dict(os.environ, env, clear=True):
        session = Session()
        self.assertIs(type(session.get_credentials()._credential), ClientSecretCredential)
        self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
        self.assertEqual(session.get_tenant_id(), DEFAULT_TENANT_ID)
def test_initialize_session_token(self):
    """Static-token session: BasicTokenAuthentication plus the env subscription.

    Uses an inline sample GUID for the subscription id.
    """
    subscription = 'ea42f556-5106-4743-99b0-c129bfa71a47'
    env = {
        constants.ENV_ACCESS_TOKEN: 'token',
        constants.ENV_SUB_ID: subscription,
    }
    with patch.dict(os.environ, env, clear=True):
        session = Session()
        self.assertIs(type(session.get_credentials()), BasicTokenAuthentication)
        self.assertEqual(session.get_subscription_id(), subscription)
def test_initialize_session_principal(self):
    """Service-principal session on the msrest stack.

    ServicePrincipalCredentials.__init__ is stubbed out so the fake client
    secret never reaches AAD; credential type, subscription and tenant are
    asserted.
    """
    sp_init = 'azure.common.credentials.ServicePrincipalCredentials.__init__'
    env = {
        constants.ENV_TENANT_ID: DEFAULT_TENANT_ID,
        constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        constants.ENV_CLIENT_ID: 'client',
        constants.ENV_CLIENT_SECRET: 'secret',
    }
    with patch(sp_init, autospec=True, return_value=None):
        with patch.dict(os.environ, env, clear=True):
            session = Session()
            self.assertIs(type(session.get_credentials()), ServicePrincipalCredentials)
            self.assertEqual(session.get_subscription_id(), DEFAULT_SUBSCRIPTION_ID)
            self.assertEqual(session.get_tenant_id(), DEFAULT_TENANT_ID)
def test_initialize_session_principal(self):
    """Service-principal session on the msrest stack (inline sample subscription).

    ServicePrincipalCredentials.__init__ is stubbed out so the fake client
    secret never reaches AAD.
    """
    sp_init = 'azure.common.credentials.ServicePrincipalCredentials.__init__'
    subscription = 'ea42f556-5106-4743-99b0-c129bfa71a47'
    env = {
        constants.ENV_TENANT_ID: 'tenant',
        constants.ENV_SUB_ID: subscription,
        constants.ENV_CLIENT_ID: 'client',
        constants.ENV_CLIENT_SECRET: 'secret',
    }
    with patch(sp_init, autospec=True, return_value=None):
        with patch.dict(os.environ, env, clear=True):
            session = Session()
            self.assertIs(type(session.get_credentials()), ServicePrincipalCredentials)
            self.assertEqual(session.get_subscription_id(), subscription)
def test_initialize_msi_auth_user(self):
    """User-assigned MSI on the msrest stack (ENV_USE_MSI plus ENV_CLIENT_ID).

    MSIAuthentication.__init__ is stubbed so no IMDS call is attempted; only
    the credential type and subscription are checked.
    """
    msi_init = 'msrestazure.azure_active_directory.MSIAuthentication.__init__'
    subscription = 'ea42f556-5106-4743-99b0-c129bfa71a47'
    env = {
        constants.ENV_USE_MSI: 'true',
        constants.ENV_SUB_ID: subscription,
        constants.ENV_CLIENT_ID: 'client',
    }
    with patch(msi_init, autospec=True, return_value=None):
        with patch.dict(os.environ, env, clear=True):
            session = Session()
            self.assertIs(type(session.get_credentials()), MSIAuthentication)
            self.assertEqual(session.get_subscription_id(), subscription)
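def augment(self, resources):
    """Annotate role assignments with the AAD principal they are bound to.

    The distinct ``properties.principalId`` values in ``resources`` are
    resolved through GraphHelper.get_principal_dictionary using a Session
    scoped to the Graph resource, and principalName / displayName / aadType
    are copied onto each resource.

    Principals the helper could not resolve are skipped: both ids missing
    from the returned dictionary and placeholder objects that carry no
    object_id (the helper is documented elsewhere in this file as returning
    an empty AADObject when a principal is not found or Graph is unavailable).
    Without the second check such placeholders would write None display
    fields onto the resource.  Orphaned assignments — a deleted user or
    service principal — therefore keep their original shape.  Returns the
    same list, mutated in place.

    NOTE(review): graph.windows.net is the legacy AAD Graph endpoint; confirm
    it is still reachable for the target tenant.
    """
    s = Session(resource='https://graph.windows.net')
    graph_client = GraphRbacManagementClient(s.get_credentials(), s.get_tenant_id())

    object_ids = list(set(
        resource['properties']['principalId']
        for resource in resources
        if resource['properties']['principalId']))
    principal_dics = GraphHelper.get_principal_dictionary(graph_client, object_ids)

    for resource in resources:
        graph_resource = principal_dics.get(resource['properties']['principalId'])
        if graph_resource is None or not graph_resource.object_id:
            # Unresolved principal (deleted identity, or not visible with our
            # Graph permissions): leave the resource unannotated.
            continue
        resource['principalName'] = GraphHelper.get_principal_name(graph_resource)
        resource['displayName'] = graph_resource.display_name
        resource['aadType'] = graph_resource.object_type
    return resources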
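def enhance_policies(self, access_policies):
    """Attach AAD display data to Key Vault access policies.

    Each policy's ``objectId`` is looked up through a Graph client that is
    created lazily and cached on ``self.graph_client``.  When the lookup
    resolves the principal, ``displayName``, ``aadType`` and
    ``principalName`` are added to the policy dict.

    GraphHelper.get_principal_dictionary returns an empty AADObject (no
    object_id) for principals it could not resolve or when Graph is
    unavailable; those policies are now left untouched rather than having
    None written into their display fields.  An empty or None input returns
    immediately without building a Session or Graph client.  Returns the
    same list, mutated in place.
    """
    if not access_policies:
        return access_policies

    if self.graph_client is None:
        s = Session(resource='https://graph.windows.net')
        self.graph_client = GraphRbacManagementClient(s.get_credentials(), s.get_tenant_id())

    # Retrieve graph objects for all object_id in one round-trip.
    object_ids = [p['objectId'] for p in access_policies]
    # GraphHelper.get_principal_dictionary returns empty AADObject if not found with graph
    # or if graph is not available.
    principal_dics = GraphHelper.get_principal_dictionary(self.graph_client, object_ids)

    for policy in access_policies:
        aad_object = principal_dics[policy['objectId']]
        if not aad_object.object_id:
            # Unresolved principal: keep the policy as returned by the API.
            continue
        policy['displayName'] = aad_object.display_name
        policy['aadType'] = aad_object.object_type
        policy['principalName'] = GraphHelper.get_principal_name(aad_object)
    return access_policies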
def augment(self, resources):
    """Annotate role assignments with the AAD principal they are bound to.

    Resolves the distinct, non-empty ``properties.principalId`` values via
    GraphHelper.get_principal_dictionary (Graph-scoped Session) and copies
    principalName / displayName / aadType onto each resource whose principal
    came back with an object_id.  Ids absent from the lookup, and placeholder
    objects with no object_id, leave the resource unannotated.  Returns the
    same list, mutated in place.
    """
    graph_session = Session(resource='https://graph.windows.net')
    graph_client = GraphRbacManagementClient(
        graph_session.get_credentials(), graph_session.get_tenant_id())

    wanted = {
        resource['properties']['principalId']
        for resource in resources
        if resource['properties']['principalId']
    }
    lookup = GraphHelper.get_principal_dictionary(graph_client, list(wanted))

    for resource in resources:
        principal_id = resource['properties']['principalId']
        if principal_id not in lookup:
            continue
        principal = lookup[principal_id]
        if not principal.object_id:
            # Placeholder for an unresolved principal; nothing to add.
            continue
        resource['principalName'] = GraphHelper.get_principal_name(principal)
        resource['displayName'] = principal.display_name
        resource['aadType'] = principal.object_type
    return resources
def test_compare_auth_params(self, _1):
    """Environment- and file-sourced auth params must agree.

    ``_1`` is an unused injected mock.  Every supported auth variable is set
    in the environment (cleared first) and compared against the params parsed
    from ``self.authorization_file_full``.  The only permitted difference is
    ``enable_cli_auth``: truthy when sourced from the environment, absent or
    falsy when sourced from the file, so it is popped from both before the
    dict comparison.
    """
    env = {
        constants.ENV_TENANT_ID: 'tenant',
        constants.ENV_SUB_ID: DEFAULT_SUBSCRIPTION_ID,
        constants.ENV_CLIENT_ID: 'client',
        constants.ENV_CLIENT_SECRET: 'secret',
        constants.ENV_USE_MSI: 'true',
        constants.ENV_ACCESS_TOKEN: 'access_token',
        constants.ENV_KEYVAULT_CLIENT_ID: 'kv_client',
        constants.ENV_KEYVAULT_SECRET_ID: 'kv_secret',
    }
    with patch.dict(os.environ, env, clear=True):
        env_params = Session().get_credentials().auth_params
        file_session = Session(authorization_file=self.authorization_file_full)
        file_params = file_session.get_credentials().auth_params

        self.assertTrue(env_params.pop('enable_cli_auth'))
        self.assertFalse(file_params.pop('enable_cli_auth', None))
        self.assertEqual(env_params, file_params)
def test_initialize_session_principal(self):
    """Service-principal session on the msrest stack (inline sample subscription).

    ServicePrincipalCredentials.__init__ is stubbed out so the fake client
    secret never reaches AAD; credential type and subscription are asserted.
    """
    sp_init = 'azure.common.credentials.ServicePrincipalCredentials.__init__'
    subscription = 'ea42f556-5106-4743-99b0-c129bfa71a47'
    env = {
        constants.ENV_TENANT_ID: 'tenant',
        constants.ENV_SUB_ID: subscription,
        constants.ENV_CLIENT_ID: 'client',
        constants.ENV_CLIENT_SECRET: 'secret',
    }
    with patch(sp_init, autospec=True, return_value=None):
        with patch.dict(os.environ, env, clear=True):
            session = Session()
            self.assertIs(type(session.get_credentials()), ServicePrincipalCredentials)
            self.assertEqual(session.get_subscription_id(), subscription)