def test_service_principal(self): creds = mock.create_autospec(ServicePrincipalCredentials) session = mock.create_autospec(OAuth2Session) creds._setup_session.return_value = session session.fetch_token.return_value = { 'expires_at':'1', 'expires_in':'2'} creds.token_uri = "token_uri" creds.verify = True creds.id = 123 creds.secret = 'secret' creds.resource = 'resource' ServicePrincipalCredentials.set_token(creds) self.assertEqual(creds.token, session.fetch_token.return_value) session.fetch_token.assert_called_with( "token_uri", client_id=123, client_secret='secret', resource='resource', response_type="client_credentials", verify=True) session.fetch_token.side_effect = oauthlib.oauth2.OAuth2Error with self.assertRaises(AuthenticationError): ServicePrincipalCredentials.set_token(creds) session = mock.create_autospec(OAuth2Session) with mock.patch.object( ServicePrincipalCredentials, '_setup_session', return_value=session): creds = ServicePrincipalCredentials("client_id", "secret", verify=False, tenant="private") session.fetch_token.assert_called_with( "https://login.microsoftonline.com/private/oauth2/token", client_id="client_id", client_secret='secret', resource='https://management.core.windows.net/', response_type="client_credentials", verify=False) with mock.patch.object( ServicePrincipalCredentials, '_setup_session', return_value=session): creds = ServicePrincipalCredentials("client_id", "secret", china=True, verify=False, tenant="private") session.fetch_token.assert_called_with( "https://login.chinacloudapi.cn/private/oauth2/token", client_id="client_id", client_secret='secret', resource='https://management.core.chinacloudapi.cn/', response_type="client_credentials", verify=False)
def __init__(self, config=None): from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, AccessToken from msrestazure.azure_active_directory import ServicePrincipalCredentials super(StorageAccountSample, self).__init__(config=config) self.keyvault_sp_client = KeyVaultClient( ServicePrincipalCredentials(client_id=self.config.client_id, secret=self.config.client_secret, tenant=self.config.tenant_id)) # the key vault storage methods, storage_account_set and regenerate_storage_account_key # must be called by an authenticated user (not a service principal) so we create a secondary # client which authenticates a user using device code authentication # create a KeyVaultClient that authenticates as the user def authenticate_user(server, resource, scope, scheme): token = self.get_user_token(resource=resource) return AccessToken(scheme=token['tokenType'], token=token['accessToken'], key=None) self.keyvault_user_client = KeyVaultClient( KeyVaultAuthentication(authorization_callback=authenticate_user)) self._user_id = None self._user_oid = None
def create_clients(): config = { "tenant_id": os.environ.get("AZURE_TENANT"), "client_id": os.environ.get("AZURE_CLIENT_ID"), "client_secret": os.environ.get("AZURE_SECRET"), "subscription_id": os.environ.get("AZURE_SUBSCRIPTION_ID"), } for k, v in config.items(): if not v: raise ValueError("'{}' config value not set".format(k)) credentials = ServicePrincipalCredentials( config["client_id"], config["client_secret"], tenant=config["tenant_id"], verify=True, resource="https://management.azure.com/") alert_client = LogAnalyticsAlertClient(credentials, config["subscription_id"]) mgmt_client = LogAnalyticsManagementClient(credentials, config["subscription_id"]) return mgmt_client, alert_client
def get_credential(self, client_class, **kwargs): tenant_id = os.environ.get("AZURE_TENANT_ID", getattr(os.environ, "TENANT_ID", None)) client_id = os.environ.get("AZURE_CLIENT_ID", getattr(os.environ, "CLIENT_ID", None)) secret = os.environ.get("AZURE_CLIENT_SECRET", getattr(os.environ, "CLIENT_SECRET", None)) is_async = kwargs.pop("is_async", False) if tenant_id and client_id and secret and self.is_live: if _is_autorest_v3(client_class): # Create azure-identity class from azure.identity import ClientSecretCredential if is_async: from azure.identity.aio import ClientSecretCredential return ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=secret) else: # Create msrestazure class from msrestazure.azure_active_directory import ( ServicePrincipalCredentials, ) return ServicePrincipalCredentials(tenant=tenant_id, client_id=client_id, secret=secret) else: if _is_autorest_v3(client_class): if is_async: if self.is_live: raise ValueError( "Async live doesn't support mgmt_setting_real, please set AZURE_TENANT_ID, " "AZURE_CLIENT_ID, AZURE_CLIENT_SECRET" ) return AsyncFakeCredential() else: return self.settings.get_azure_core_credentials() else: return self.settings.get_credentials()
def authenticate(self, secret_name): """ Get the azure service account key stored in AWS secrets manager. """ client = boto3.client('secretsmanager') try: get_secret_value_response = client.get_secret_value( SecretId=secret_name) except ClientError as e: logger.error("Unable to get secret value for {}: {}".format( secret_name, e)) raise ServicePrincipalError(e) else: if 'SecretString' in get_secret_value_response: secret_value = get_secret_value_response['SecretString'] else: secret_value = get_secret_value_response['SecretBinary'] try: secret_dict = json.loads(secret_value) if self.tenant_name in secret_dict: creds = secret_dict[self.tenant_name] except Exception as e: logger.error( "Error during Credential and Service extraction: {}".format(e)) raise ServicePrincipalError(e) try: self.credentials = ServicePrincipalCredentials( client_id=creds['application_id'], secret=creds['key'], tenant=creds['tenant_id']) except Exception as e: raise ServicePrincipalError(e)
def setup_sample(self): """ Provides common setup for Key Vault samples such as creating the authentication context, sample resource group if needed, and ensuring proper access for the service principal. :return: None """ if not KeyVaultSampleBase._setup_complete: self.config.auth_context = adal.AuthenticationContext( 'https://login.microsoftonline.com/%s' % self.config.tenant_id) creds = ServicePrincipalCredentials( client_id=self.config.client_id, secret=self.config.client_secret, tenant=self.config.tenant_id) resource_mgmt_client = ResourceManagementClient( creds, self.config.subscription_id) # ensure the service principle has key vault and storage as valid providers resource_mgmt_client.providers.register('Microsoft.KeyVault') resource_mgmt_client.providers.register('Microsoft.Storage') # ensure the intended resource group exists resource_mgmt_client.resource_groups.create_or_update( resource_group_name=self.config.group_name, parameters={'location': self.config.location}) KeyVaultSampleBase._setup_complete = True
def create(self, secrets: Dict) -> ServicePrincipalCredentials: result = ServicePrincipalCredentials( client_id=secrets.get('client_id'), secret=secrets.get('client_secret'), tenant=secrets.get('tenant_id'), cloud_environment=secrets.get('cloud')) return result
def __get_credentials(creds: dict) -> ServicePrincipalCredentials: credentials = ServicePrincipalCredentials( client_id=creds['azure_client_id'], secret=creds['azure_client_secret'], tenant=creds['azure_tenant_id'], cloud_environment=__get_cloud_env_by_name(creds['azure_cloud']) ) return credentials
def _get_credentials(self): if self.context.auth_type == MapRAzure.SERVICE_PRINCIPAL: secret = urllib.quote(self.context.secret) credentials = ServicePrincipalCredentials(self.context.client_id, secret, tenant=self.context.tenant) else: credentials = UserPassCredentials(self.context.username, self.context.password, client_id=self.context.client_id) return credentials
def __init__(self, config): super(AzureBaseResourceManagerAction, self).__init__(config=config) resource_config = self.config['resource_manager'] self.credentials = ServicePrincipalCredentials( client_id=resource_config['client_id'], secret=resource_config['secret'], tenant=resource_config['tenant'])
def get_key_vault_credentials(): if "APPSETTING_WEBSITE_SITE_NAME" in os.environ: return MSIAuthentication(resource='https://vault.azure.net') else: return ServicePrincipalCredentials( client_id=os.environ['AZURE_CLIENT_ID'], secret=os.environ['AZURE_CLIENT_SECRET'], tenant=os.environ['AZURE_TENANT_ID'], resource='https://vault.azure.net')
def create(self, secrets: Secrets) -> ServicePrincipalCredentials: _cloud = cloud.get_or_raise(secrets.get('azure_cloud')) result = ServicePrincipalCredentials( client_id=secrets.get('client_id'), secret=secrets.get('client_secret'), tenant=secrets.get('tenant_id'), cloud_environment=_cloud ) return result
def create_basic_client(self, client_class, **kwargs): tenant_id = os.environ.get("AZURE_TENANT_ID", None) client_id = os.environ.get("AZURE_CLIENT_ID", None) secret = os.environ.get("AZURE_CLIENT_SECRET", None) if tenant_id and client_id and secret and self.is_live: if _is_autorest_v3(client_class): # Create azure-identity class from azure.identity import ClientSecretCredential credentials = ClientSecretCredential( tenant=tenant_id, client_id=client_id, client_secret=secret ) else: # Create msrestazure class from msrestazure.azure_active_directory import ServicePrincipalCredentials credentials = ServicePrincipalCredentials( tenant=tenant_id, client_id=client_id, secret=secret ) else: if _is_autorest_v3(client_class): credentials = self.settings.get_azure_core_credentials() else: credentials = self.settings.get_credentials() # Real client creation # FIXME decide what is the final argument for that # if self.is_playback(): # kwargs.setdefault("polling_interval", 0) if _is_autorest_v3(client_class): kwargs.setdefault("logging_enable", True) client = client_class( credential=credentials, **kwargs ) else: client = client_class( credentials=credentials, **kwargs ) if self.is_playback(): try: client._config.polling_interval = 0 # FIXME in azure-mgmt-core, make this a kwargs except AttributeError: pass if hasattr(client, "config"): # Autorest v2 if self.is_playback(): client.config.long_running_operation_timeout = 0 client.config.enable_http_logger = True return client
def __init__(self, config=None): from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, AccessToken from msrestazure.azure_active_directory import ServicePrincipalCredentials super(SasDefinitionSample, self).__init__(config=config) self.keyvault_client = KeyVaultClient( ServicePrincipalCredentials(client_id=self.config.client_id, secret=self.config.client_secret, tenant=self.config.tenant_id))
def _make_credentials(self): """ Creates and returns a Azure credential object. Returns: A Azure credential object. """ return ServicePrincipalCredentials(client_id=self._client_id, secret=self._client_secret, tenant=self._tenant_id)
def authenticate_device_code(self, CLIENT, KEY, TENANT_ID): """ Authenticate the end-user using device auth. This is one of the easiest authentication method, but the requirement of a secret key only makes it unsuitable for sensitive information """ credentials = ServicePrincipalCredentials(client_id=CLIENT, secret=KEY, tenant=TENANT_ID) return credentials
def get_key_vault_credentials(): """This tries to get a token using MSI, or fallback to SP env variables. """ if "APPSETTING_WEBSITE_SITE_NAME" in os.environ: return MSIAuthentication(resource='https://vault.azure.net') else: return ServicePrincipalCredentials( client_id=os.environ['AZURE_CLIENT_ID'], secret=os.environ['AZURE_CLIENT_SECRET'], tenant=os.environ['AZURE_TENANT_ID'], resource='https://vault.azure.net')
def __init__(self, config=None): super(NetworkAclSample, self).__init__(config=config) creds = ServicePrincipalCredentials(client_id=self.config.client_id, secret=self.config.client_secret, tenant=self.config.tenant_id) self.mgmt_client = KeyVaultManagementClient( credentials=creds, subscription_id=self.config.subscription_id) self.vault = None
def login(self): print('\nLogging in...') self.credentials = ServicePrincipalCredentials( client_id=self.config.client_id, secret=self.config.secret, tenant=self.config.tenant_id, ) print('(got credentials)') subscription_client = SubscriptionClient(self.credentials) subscription = next(subscription_client.subscriptions.list()) print('(found subscription)') self.resource_client = ResourceManagementClient( self.credentials, subscription.subscription_id) print("(logged in)")
def __init__(self, config): super(AzureBaseADAction, self).__init__(config=config) resource_config = self.config['resource_manager'] self.credentials = ServicePrincipalCredentials( client_id=resource_config['client_id'], secret=resource_config['secret'], tenant=resource_config['tenant'], resource='https://graph.windows.net' ) self.graphrbac_client = GraphRbacManagementClient( self.credentials, resource_config['tenant'] )
def setUp(self): tenant_id = os.environ.get("AZURE_TENANT") client_id = os.environ.get("AZURE_CLIENT_ID") client_secret = os.environ.get("AZURE_SECRET") subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID") if not tenant_id or not client_id or not client_secret or not subscription_id: raise ValueError("one or more environment variables are missing") credentials = ServicePrincipalCredentials(client_id, client_secret, tenant=tenant_id, verify=True, resource="https://management.azure.com/") self.laa_client = LogAnalyticsAlertClient(credentials, subscription_id) self.lam_client = LogAnalyticsManagementClient(credentials, subscription_id) self.clean_up()
def __get_credentials(creds: dict) -> ServicePrincipalCredentials: if creds['azure_client_secret'] is not None: credentials = ServicePrincipalCredentials( client_id=creds['azure_client_id'], secret=creds['azure_client_secret'], tenant=creds['azure_tenant_id'], cloud_environment=__get_cloud_env_by_name(creds['azure_cloud'])) elif creds['access_token'] is not None: token = dict(accessToken=creds['access_token']) credentials = AADTokenCredentials(token, creds['azure_client_id']) else: raise InterruptExecution("Authentication to Azure requires a" " client secret or an access token") return credentials
def __init__( self, azure_subscription_id, azure_tenant_id, azure_application_id, azure_application_key, logger, ): """Init command. :param str azure_subscription_id: :param str azure_tenant_id: :param str azure_application_id: :param str azure_application_key: :param str azure_application_key: :param logging.Logger logger: """ self._azure_subscription_id = azure_subscription_id self._azure_tenant_id = azure_tenant_id self._azure_application_id = azure_application_id self._azure_application_key = azure_application_key self._logger = logger self._cached_storage_account_keys = {} self._credentials = ServicePrincipalCredentials( client_id=azure_application_id, secret=azure_application_key, tenant=azure_tenant_id, ) self._subscription_client = SubscriptionClient( credentials=self._credentials) self._resource_client = ResourceManagementClient( credentials=self._credentials, subscription_id=self._azure_subscription_id) self._compute_client = ComputeManagementClient( credentials=self._credentials, subscription_id=self._azure_subscription_id) self._storage_client = StorageManagementClient( credentials=self._credentials, subscription_id=self._azure_subscription_id) self._network_client = NetworkManagementClient( credentials=self._credentials, subscription_id=self._azure_subscription_id)
def configure_advisor_threshold(): creds = ServicePrincipalCredentials(client_id=client_id, secret=secret, tenant=tenant) creds.set_token() client = AdvisorManagementClient(credentials=creds, subscription_id=subscription_id) # create a new configuration to update low CPU threshold to 20 cfg = ConfigData() cfg.properties = ConfigDataProperties(low_cpu_threshold=20, exclude=False) # update the configuration client.configurations.create_in_subscription(cfg)
def __init__(self, sensor_service, config=None, poll_interval=None): super(AzureSecurityAlerts, self).__init__(sensor_service=sensor_service, config=config, poll_interval=poll_interval) self.logger = sensor_service.get_logger(name=self.__class__.__name__) self.trigger_ref = "azure.alert" resource_config = self.config['resource_manager'] credentials = ServicePrincipalCredentials( client_id=resource_config['client_id'], secret=resource_config['secret'], tenant=resource_config['tenant']) subscription_id = self.config['subscription_id'] self.client = SecurityCenter(credentials, subscription_id, asc_location="centralus")
def create_keyvault(KV_NAME, GROUP_NAME, OBJECT_ID, location): subscription_id = os.environ['SUB'] credentials = ServicePrincipalCredentials(client_id=os.environ['CLIENT'], secret=os.environ['KEY'], tenant=os.environ['TENANT']) kv_client = KeyVaultManagementClient(credentials, subscription_id) resource_client = ResourceManagementClient(credentials, subscription_id) # You MIGHT need to add KeyVault as a valid provider for these credentials # If so, this operation has to be done only once for each credentials resource_client.providers.register('Microsoft.KeyVault') # Create Resource group resource_group_params = {'location': location} resource_client.resource_groups.create_or_update(GROUP_NAME, resource_group_params) # Create a vault vault = kv_client.vaults.create_or_update( GROUP_NAME, KV_NAME, { 'location': location, 'properties': { 'sku': { 'name': 'standard' }, 'tenant_id': os.environ['TENANT'], 'access_policies': [{ 'tenant_id': os.environ['TENANT'], 'object_id': OBJECT_ID, 'permissions': { 'keys': ['all'], 'secrets': ['all'] } }] } })