def test_service_principal(self):
creds = mock.create_autospec(ServicePrincipalCredentials)
session = mock.create_autospec(OAuth2Session)
creds._setup_session.return_value = session
session.fetch_token.return_value = {
'expires_at':'1',
'expires_in':'2'}
creds.token_uri = "token_uri"
creds.verify = True
creds.id = 123
creds.secret = 'secret'
creds.resource = 'resource'
ServicePrincipalCredentials.set_token(creds)
self.assertEqual(creds.token, session.fetch_token.return_value)
session.fetch_token.assert_called_with(
"token_uri", client_id=123, client_secret='secret',
resource='resource', response_type="client_credentials",
verify=True)
session.fetch_token.side_effect = oauthlib.oauth2.OAuth2Error
with self.assertRaises(AuthenticationError):
ServicePrincipalCredentials.set_token(creds)
session = mock.create_autospec(OAuth2Session)
with mock.patch.object(
ServicePrincipalCredentials, '_setup_session', return_value=session):
creds = ServicePrincipalCredentials("client_id", "secret",
verify=False, tenant="private")
session.fetch_token.assert_called_with(
"https://login.microsoftonline.com/private/oauth2/token",
client_id="client_id", client_secret='secret',
resource='https://management.core.windows.net/',
response_type="client_credentials", verify=False)
with mock.patch.object(
ServicePrincipalCredentials, '_setup_session', return_value=session):
creds = ServicePrincipalCredentials("client_id", "secret", china=True,
verify=False, tenant="private")
session.fetch_token.assert_called_with(
"https://login.chinacloudapi.cn/private/oauth2/token",
client_id="client_id", client_secret='secret',
resource='https://management.core.chinacloudapi.cn/',
response_type="client_credentials", verify=False)
def __init__(self, config=None):
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, AccessToken
from msrestazure.azure_active_directory import ServicePrincipalCredentials
super(StorageAccountSample, self).__init__(config=config)
self.keyvault_sp_client = KeyVaultClient(
ServicePrincipalCredentials(client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id))
# the key vault storage methods, storage_account_set and regenerate_storage_account_key
# must be called by an authenticated user (not a service principal) so we create a secondary
# client which authenticates a user using device code authentication
# create a KeyVaultClient that authenticates as the user
def authenticate_user(server, resource, scope, scheme):
token = self.get_user_token(resource=resource)
return AccessToken(scheme=token['tokenType'],
token=token['accessToken'],
key=None)
self.keyvault_user_client = KeyVaultClient(
KeyVaultAuthentication(authorization_callback=authenticate_user))
self._user_id = None
self._user_oid = None
def create_clients():
config = {
"tenant_id": os.environ.get("AZURE_TENANT"),
"client_id": os.environ.get("AZURE_CLIENT_ID"),
"client_secret": os.environ.get("AZURE_SECRET"),
"subscription_id": os.environ.get("AZURE_SUBSCRIPTION_ID"),
}
for k, v in config.items():
if not v:
raise ValueError("'{}' config value not set".format(k))
credentials = ServicePrincipalCredentials(
config["client_id"],
config["client_secret"],
tenant=config["tenant_id"],
verify=True,
resource="https://management.azure.com/")
alert_client = LogAnalyticsAlertClient(credentials,
config["subscription_id"])
mgmt_client = LogAnalyticsManagementClient(credentials,
config["subscription_id"])
return mgmt_client, alert_client
def get_credential(self, client_class, **kwargs):
tenant_id = os.environ.get("AZURE_TENANT_ID", getattr(os.environ, "TENANT_ID", None))
client_id = os.environ.get("AZURE_CLIENT_ID", getattr(os.environ, "CLIENT_ID", None))
secret = os.environ.get("AZURE_CLIENT_SECRET", getattr(os.environ, "CLIENT_SECRET", None))
is_async = kwargs.pop("is_async", False)
if tenant_id and client_id and secret and self.is_live:
if _is_autorest_v3(client_class):
# Create azure-identity class
from azure.identity import ClientSecretCredential
if is_async:
from azure.identity.aio import ClientSecretCredential
return ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=secret)
else:
# Create msrestazure class
from msrestazure.azure_active_directory import (
ServicePrincipalCredentials,
)
return ServicePrincipalCredentials(tenant=tenant_id, client_id=client_id, secret=secret)
else:
if _is_autorest_v3(client_class):
if is_async:
if self.is_live:
raise ValueError(
"Async live doesn't support mgmt_setting_real, please set AZURE_TENANT_ID, "
"AZURE_CLIENT_ID, AZURE_CLIENT_SECRET"
)
return AsyncFakeCredential()
else:
return self.settings.get_azure_core_credentials()
else:
return self.settings.get_credentials()
def authenticate(self, secret_name):
"""
Get the azure service account key stored in AWS secrets manager.
"""
client = boto3.client('secretsmanager')
try:
get_secret_value_response = client.get_secret_value(
SecretId=secret_name)
except ClientError as e:
logger.error("Unable to get secret value for {}: {}".format(
secret_name, e))
raise ServicePrincipalError(e)
else:
if 'SecretString' in get_secret_value_response:
secret_value = get_secret_value_response['SecretString']
else:
secret_value = get_secret_value_response['SecretBinary']
try:
secret_dict = json.loads(secret_value)
if self.tenant_name in secret_dict:
creds = secret_dict[self.tenant_name]
except Exception as e:
logger.error(
"Error during Credential and Service extraction: {}".format(e))
raise ServicePrincipalError(e)
try:
self.credentials = ServicePrincipalCredentials(
client_id=creds['application_id'],
secret=creds['key'],
tenant=creds['tenant_id'])
except Exception as e:
raise ServicePrincipalError(e)
def setup_sample(self):
"""
Provides common setup for Key Vault samples such as creating the authentication context, sample resource group
if needed, and ensuring proper access for the service principal.
:return: None
"""
if not KeyVaultSampleBase._setup_complete:
self.config.auth_context = adal.AuthenticationContext(
'https://login.microsoftonline.com/%s' % self.config.tenant_id)
creds = ServicePrincipalCredentials(
client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id)
resource_mgmt_client = ResourceManagementClient(
creds, self.config.subscription_id)
# ensure the service principle has key vault and storage as valid providers
resource_mgmt_client.providers.register('Microsoft.KeyVault')
resource_mgmt_client.providers.register('Microsoft.Storage')
# ensure the intended resource group exists
resource_mgmt_client.resource_groups.create_or_update(
resource_group_name=self.config.group_name,
parameters={'location': self.config.location})
KeyVaultSampleBase._setup_complete = True
def create(self, secrets: Dict) -> ServicePrincipalCredentials:
result = ServicePrincipalCredentials(
client_id=secrets.get('client_id'),
secret=secrets.get('client_secret'),
tenant=secrets.get('tenant_id'),
cloud_environment=secrets.get('cloud'))
return result
def __get_credentials(creds: dict) -> ServicePrincipalCredentials:
credentials = ServicePrincipalCredentials(
client_id=creds['azure_client_id'],
secret=creds['azure_client_secret'],
tenant=creds['azure_tenant_id'],
cloud_environment=__get_cloud_env_by_name(creds['azure_cloud'])
)
return credentials
def _get_credentials(self):
if self.context.auth_type == MapRAzure.SERVICE_PRINCIPAL:
secret = urllib.quote(self.context.secret)
credentials = ServicePrincipalCredentials(self.context.client_id, secret, tenant=self.context.tenant)
else:
credentials = UserPassCredentials(self.context.username, self.context.password, client_id=self.context.client_id)
return credentials
def __init__(self, config):
super(AzureBaseResourceManagerAction, self).__init__(config=config)
resource_config = self.config['resource_manager']
self.credentials = ServicePrincipalCredentials(
client_id=resource_config['client_id'],
secret=resource_config['secret'],
tenant=resource_config['tenant'])
def get_key_vault_credentials():
if "APPSETTING_WEBSITE_SITE_NAME" in os.environ:
return MSIAuthentication(resource='https://vault.azure.net')
else:
return ServicePrincipalCredentials(
client_id=os.environ['AZURE_CLIENT_ID'],
secret=os.environ['AZURE_CLIENT_SECRET'],
tenant=os.environ['AZURE_TENANT_ID'],
resource='https://vault.azure.net')
def create(self, secrets: Secrets) -> ServicePrincipalCredentials:
_cloud = cloud.get_or_raise(secrets.get('azure_cloud'))
result = ServicePrincipalCredentials(
client_id=secrets.get('client_id'),
secret=secrets.get('client_secret'),
tenant=secrets.get('tenant_id'),
cloud_environment=_cloud
)
return result
def create_basic_client(self, client_class, **kwargs):
tenant_id = os.environ.get("AZURE_TENANT_ID", None)
client_id = os.environ.get("AZURE_CLIENT_ID", None)
secret = os.environ.get("AZURE_CLIENT_SECRET", None)
if tenant_id and client_id and secret and self.is_live:
if _is_autorest_v3(client_class):
# Create azure-identity class
from azure.identity import ClientSecretCredential
credentials = ClientSecretCredential(
tenant=tenant_id,
client_id=client_id,
client_secret=secret
)
else:
# Create msrestazure class
from msrestazure.azure_active_directory import ServicePrincipalCredentials
credentials = ServicePrincipalCredentials(
tenant=tenant_id,
client_id=client_id,
secret=secret
)
else:
if _is_autorest_v3(client_class):
credentials = self.settings.get_azure_core_credentials()
else:
credentials = self.settings.get_credentials()
# Real client creation
# FIXME decide what is the final argument for that
# if self.is_playback():
# kwargs.setdefault("polling_interval", 0)
if _is_autorest_v3(client_class):
kwargs.setdefault("logging_enable", True)
client = client_class(
credential=credentials,
**kwargs
)
else:
client = client_class(
credentials=credentials,
**kwargs
)
if self.is_playback():
try:
client._config.polling_interval = 0 # FIXME in azure-mgmt-core, make this a kwargs
except AttributeError:
pass
if hasattr(client, "config"): # Autorest v2
if self.is_playback():
client.config.long_running_operation_timeout = 0
client.config.enable_http_logger = True
return client
def __init__(self, config=None):
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, AccessToken
from msrestazure.azure_active_directory import ServicePrincipalCredentials
super(SasDefinitionSample, self).__init__(config=config)
self.keyvault_client = KeyVaultClient(
ServicePrincipalCredentials(client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id))
def _make_credentials(self):
"""
Creates and returns a Azure credential object.
Returns:
A Azure credential object.
"""
return ServicePrincipalCredentials(client_id=self._client_id,
secret=self._client_secret,
tenant=self._tenant_id)
def authenticate_device_code(self, CLIENT, KEY, TENANT_ID):
"""
Authenticate the end-user using device auth. This is one of the easiest authentication method, but the
requirement of a secret key only makes it unsuitable for sensitive information
"""
credentials = ServicePrincipalCredentials(client_id=CLIENT,
secret=KEY,
tenant=TENANT_ID)
return credentials
def get_key_vault_credentials():
"""This tries to get a token using MSI, or fallback to SP env variables.
"""
if "APPSETTING_WEBSITE_SITE_NAME" in os.environ:
return MSIAuthentication(resource='https://vault.azure.net')
else:
return ServicePrincipalCredentials(
client_id=os.environ['AZURE_CLIENT_ID'],
secret=os.environ['AZURE_CLIENT_SECRET'],
tenant=os.environ['AZURE_TENANT_ID'],
resource='https://vault.azure.net')
def __init__(self, config=None):
super(NetworkAclSample, self).__init__(config=config)
creds = ServicePrincipalCredentials(client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id)
self.mgmt_client = KeyVaultManagementClient(
credentials=creds, subscription_id=self.config.subscription_id)
self.vault = None
def login(self):
print('\nLogging in...')
self.credentials = ServicePrincipalCredentials(
client_id=self.config.client_id,
secret=self.config.secret,
tenant=self.config.tenant_id,
)
print('(got credentials)')
subscription_client = SubscriptionClient(self.credentials)
subscription = next(subscription_client.subscriptions.list())
print('(found subscription)')
self.resource_client = ResourceManagementClient(
self.credentials, subscription.subscription_id)
print("(logged in)")
def __init__(self, config):
super(AzureBaseADAction, self).__init__(config=config)
resource_config = self.config['resource_manager']
self.credentials = ServicePrincipalCredentials(
client_id=resource_config['client_id'],
secret=resource_config['secret'],
tenant=resource_config['tenant'],
resource='https://graph.windows.net'
)
self.graphrbac_client = GraphRbacManagementClient(
self.credentials,
resource_config['tenant']
)
def setUp(self):
tenant_id = os.environ.get("AZURE_TENANT")
client_id = os.environ.get("AZURE_CLIENT_ID")
client_secret = os.environ.get("AZURE_SECRET")
subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID")
if not tenant_id or not client_id or not client_secret or not subscription_id:
raise ValueError("one or more environment variables are missing")
credentials = ServicePrincipalCredentials(client_id, client_secret, tenant=tenant_id, verify=True, resource="https://management.azure.com/")
self.laa_client = LogAnalyticsAlertClient(credentials, subscription_id)
self.lam_client = LogAnalyticsManagementClient(credentials, subscription_id)
self.clean_up()
def __get_credentials(creds: dict) -> ServicePrincipalCredentials:
if creds['azure_client_secret'] is not None:
credentials = ServicePrincipalCredentials(
client_id=creds['azure_client_id'],
secret=creds['azure_client_secret'],
tenant=creds['azure_tenant_id'],
cloud_environment=__get_cloud_env_by_name(creds['azure_cloud']))
elif creds['access_token'] is not None:
token = dict(accessToken=creds['access_token'])
credentials = AADTokenCredentials(token, creds['azure_client_id'])
else:
raise InterruptExecution("Authentication to Azure requires a"
" client secret or an access token")
return credentials
def __init__(
self,
azure_subscription_id,
azure_tenant_id,
azure_application_id,
azure_application_key,
logger,
):
"""Init command.
:param str azure_subscription_id:
:param str azure_tenant_id:
:param str azure_application_id:
:param str azure_application_key:
:param str azure_application_key:
:param logging.Logger logger:
"""
self._azure_subscription_id = azure_subscription_id
self._azure_tenant_id = azure_tenant_id
self._azure_application_id = azure_application_id
self._azure_application_key = azure_application_key
self._logger = logger
self._cached_storage_account_keys = {}
self._credentials = ServicePrincipalCredentials(
client_id=azure_application_id,
secret=azure_application_key,
tenant=azure_tenant_id,
)
self._subscription_client = SubscriptionClient(
credentials=self._credentials)
self._resource_client = ResourceManagementClient(
credentials=self._credentials,
subscription_id=self._azure_subscription_id)
self._compute_client = ComputeManagementClient(
credentials=self._credentials,
subscription_id=self._azure_subscription_id)
self._storage_client = StorageManagementClient(
credentials=self._credentials,
subscription_id=self._azure_subscription_id)
self._network_client = NetworkManagementClient(
credentials=self._credentials,
subscription_id=self._azure_subscription_id)
def configure_advisor_threshold():
creds = ServicePrincipalCredentials(client_id=client_id,
secret=secret,
tenant=tenant)
creds.set_token()
client = AdvisorManagementClient(credentials=creds,
subscription_id=subscription_id)
# create a new configuration to update low CPU threshold to 20
cfg = ConfigData()
cfg.properties = ConfigDataProperties(low_cpu_threshold=20, exclude=False)
# update the configuration
client.configurations.create_in_subscription(cfg)
def __init__(self, sensor_service, config=None, poll_interval=None):
super(AzureSecurityAlerts,
self).__init__(sensor_service=sensor_service,
config=config,
poll_interval=poll_interval)
self.logger = sensor_service.get_logger(name=self.__class__.__name__)
self.trigger_ref = "azure.alert"
resource_config = self.config['resource_manager']
credentials = ServicePrincipalCredentials(
client_id=resource_config['client_id'],
secret=resource_config['secret'],
tenant=resource_config['tenant'])
subscription_id = self.config['subscription_id']
self.client = SecurityCenter(credentials,
subscription_id,
asc_location="centralus")
def create_keyvault(KV_NAME, GROUP_NAME, OBJECT_ID, location):
subscription_id = os.environ['SUB']
credentials = ServicePrincipalCredentials(client_id=os.environ['CLIENT'],
secret=os.environ['KEY'],
tenant=os.environ['TENANT'])
kv_client = KeyVaultManagementClient(credentials, subscription_id)
resource_client = ResourceManagementClient(credentials, subscription_id)
# You MIGHT need to add KeyVault as a valid provider for these credentials
# If so, this operation has to be done only once for each credentials
resource_client.providers.register('Microsoft.KeyVault')
# Create Resource group
resource_group_params = {'location': location}
resource_client.resource_groups.create_or_update(GROUP_NAME,
resource_group_params)
# Create a vault
vault = kv_client.vaults.create_or_update(
GROUP_NAME, KV_NAME, {
'location': location,
'properties': {
'sku': {
'name': 'standard'
},
'tenant_id':
os.environ['TENANT'],
'access_policies': [{
'tenant_id': os.environ['TENANT'],
'object_id': OBJECT_ID,
'permissions': {
'keys': ['all'],
'secrets': ['all']
}
}]
}
})