Merge pull request #1616 from bennerv/dbtoken-oidcv2-clientid

Add dbTokenClientID to RP Config
2021-08-03 09:10:05 +01:00 · 2021-08-03 09:10:05 +01:00 · 57688ed8ce
--- a/cmd/aro/dbtoken.go
+++ b/cmd/aro/dbtoken.go
@ -30,6 +30,7 @@ func dbtoken(ctx context.Context, log *logrus.Entry) error {
 		for _, key := range []string{
 			"MDM_ACCOUNT",
 			"MDM_NAMESPACE",
+			"AZURE_DBTOKEN_CLIENT_ID",
 		} {
 			if _, found := os.LookupEnv(key); !found {
 				return fmt.Errorf("environment variable %q unset", key)
@ -85,9 +86,7 @@ func dbtoken(ctx context.Context, log *logrus.Entry) error {

 	// example value: https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0
 	issuer := _env.Environment().ActiveDirectoryEndpoint + _env.TenantID() + "/v2.0"
-
-	// example value: https://dbtoken.aro.azure.com/
-	clientID := "https://dbtoken." + _env.Environment().AppSuffix + "/"
+	clientID := os.Getenv("AZURE_DBTOKEN_CLIENT_ID")

 	verifier, err := oidc.NewVerifier(ctx, issuer, clientID)
 	if err != nil {
--- a/deploy/rp-production-parameters.json
+++ b/deploy/rp-production-parameters.json
@ -50,6 +50,9 @@
        "databaseAccountName": {
            "value": ""
        },
+        "dbtokenClientId": {
+            "value": ""
+        },
        "disableCosmosDBFirewall": {
            "value": false
        },
--- a/deploy/rp-production.json
+++ b/deploy/rp-production.json
--- a/docs/prepare-a-shared-rp-development-environment.md
+++ b/docs/prepare-a-shared-rp-development-environment.md
@ -228,6 +228,22 @@ locations.

   TODO: more steps are needed to configure aro-v4-portal-shared.

+1. Create an AAD application which will fake up the dbtoken client.
+
+   1. Create the application and set `requestedAccessTokenVersion`
+
+   ```bash
+   AZURE_DBTOKEN_CLIENT_ID="$(az ad app create --display-name dbtoken \
+      --oauth2-allow-implicit-flow false \
+      --query appId \
+      -o tsv)"
+
+   OBJ_ID="$(az ad app show --id $AZURE_DBTOKEN_CLIENT_ID --query objectId)"
+
+   az rest --method PATCH \
+      --uri https://graph.microsoft.com/v1.0/applications/$OBJ_ID/ \
+      --body '{"api":{"requestedAccessTokenVersion": 2}}'
+   ```

 ## Certificates

@ -320,6 +336,7 @@ locations.
   export AZURE_ARM_CLIENT_ID='$AZURE_ARM_CLIENT_ID'
   export AZURE_FP_CLIENT_ID='$AZURE_FP_CLIENT_ID'
   export AZURE_FP_SERVICE_PRINCIPAL_ID='$(az ad sp list --filter "appId eq '$AZURE_FP_CLIENT_ID'" --query '[].objectId' -o tsv)'
+   export AZURE_DBTOKEN_CLIENT_ID='$AZURE_DBTOKEN_CLIENT_ID'
   export AZURE_PORTAL_CLIENT_ID='$AZURE_PORTAL_CLIENT_ID'
   export AZURE_PORTAL_ACCESS_GROUP_IDS='$ADMIN_OBJECT_ID'
   export AZURE_PORTAL_ELEVATED_GROUP_IDS='$ADMIN_OBJECT_ID'
--- a/pkg/deploy/bindata.go
+++ b/pkg/deploy/bindata.go
--- a/pkg/deploy/config.go
+++ b/pkg/deploy/config.go
@ -50,6 +50,7 @@ type Configuration struct {
 	ClusterMDSDNamespace               *string       `json:"clusterMdsdNamespace,omitempty" value:"required"`
 	ClusterParentDomainName            *string       `json:"clusterParentDomainName,omitempty" value:"required"`
 	DatabaseAccountName                *string       `json:"databaseAccountName,omitempty" value:"required"`
+	DBTokenClientID                    *string       `json:"dbtokenClientId,omitempty" value:"required"`
 	DisableCosmosDBFirewall            *bool         `json:"disableCosmosDBFirewall,omitempty"`
 	ExtraClusterKeyvaultAccessPolicies []interface{} `json:"extraClusterKeyvaultAccessPolicies,omitempty" value:"required"`
 	ExtraDBTokenKeyvaultAccessPolicies []interface{} `json:"extraDBTokenKeyvaultAccessPolicies,omitempty" value:"required"`
--- a/pkg/deploy/generator/resources_rp.go
+++ b/pkg/deploy/generator/resources_rp.go
@ -377,11 +377,11 @@ func (g *generator) rpVMSS() *arm.Resource {

 	for _, variable := range []string{
 		"acrResourceId",
+		"adminApiClientCertCommonName",
+		"armApiClientCertCommonName",
 		"armClientId",
 		"azureCloudName",
 		"azureSecPackVSATenantId",
-		"adminApiClientCertCommonName",
-		"armApiClientCertCommonName",
 		"billingE2EStorageAccountId",
 		"clusterMdmAccount",
 		"clusterMdsdAccount",
@ -389,10 +389,11 @@ func (g *generator) rpVMSS() *arm.Resource {
 		"clusterMdsdNamespace",
 		"clusterParentDomainName",
 		"databaseAccountName",
+		"dbtokenClientId",
 		"fpClientId",
 		"fpServicePrincipalId",
-		"keyvaultPrefix",
 		"keyvaultDNSSuffix",
+		"keyvaultPrefix",
 		"mdmFrontendUrl",
 		"mdsdEnvironment",
 		"portalAccessGroupIds",
@ -660,6 +661,7 @@ EOF

 cat >/etc/sysconfig/aro-dbtoken <<EOF
 DATABASE_ACCOUNT_NAME='$DATABASEACCOUNTNAME'
+AZURE_DBTOKEN_CLIENT_ID='$DBTOKENCLIENTID'
 KEYVAULT_PREFIX='$KEYVAULTPREFIX'
 MDM_ACCOUNT='$RPMDMACCOUNT'
 MDM_NAMESPACE=DBToken
@ -679,6 +681,7 @@ ExecStart=/usr/bin/docker run \
  --name %N \
  --rm \
  -e DATABASE_ACCOUNT_NAME \
+  -e AZURE_DBTOKEN_CLIENT_ID \
  -e KEYVAULT_PREFIX \
  -e MDM_ACCOUNT \
  -e MDM_NAMESPACE \
--- a/pkg/deploy/generator/templates_rp.go
+++ b/pkg/deploy/generator/templates_rp.go
@ -43,6 +43,7 @@ func (g *generator) rpTemplate() *arm.Template {
 			"clusterMdsdAccount",
 			"clusterMdsdConfigVersion",
 			"clusterMdsdNamespace",
+			"dbtokenClientId",
 			"disableCosmosDBFirewall",
 			"extraCosmosDBIPs",
 			"fpClientId",