From bd7a79a34d86fa6538eb5cc105107c4b478f5f92 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Mon, 15 Aug 2022 14:47:27 -0700
Subject: [PATCH] Added additional support for other Azure clouds

---
 engine/app/globals.py | 51 ++++++++++++++++++++++++-----
 engine/app/routers/common/helper.py | 17 ++++++++--
 2 files changed, 56 insertions(+), 12 deletions(-)

diff --git a/engine/app/globals.py b/engine/app/globals.py
index b49904c..8a1922e 100644
--- a/engine/app/globals.py
+++ b/engine/app/globals.py
@@ -9,29 +9,61 @@ from azure.identity import AzureAuthorityHosts
 AZURE_ENV_MAP = {
 'AZURE_PUBLIC': {
 'AZURE_ARM': 'management.azure.com',
+ 'AZURE_MGMT': 'management.core.windows.net',
 'AUTH_HOST': AzureAuthorityHosts.AZURE_PUBLIC_CLOUD
 },
 'AZURE_US_GOV': {
 'AZURE_ARM': 'management.usgovcloudapi.net',
+ 'AZURE_MGMT': 'management.core.usgovcloudapi.net',
 'AUTH_HOST': AzureAuthorityHosts.AZURE_GOVERNMENT
 },
 'AZURE_GERMANY': {
 'AZURE_ARM': 'management.microsoftazure.de',
+ 'AZURE_MGMT': 'management.core.cloudapi.de',
 'AUTH_HOST': AzureAuthorityHosts.AZURE_GERMANY
 },
 'AZURE_CHINA': {
 'AZURE_ARM': 'management.chinacloudapi.cn',
+ 'AZURE_MGMT': 'management.core.chinacloudapi.cn',
 'AUTH_HOST': AzureAuthorityHosts.AZURE_CHINA
 }
 }
 
 class Globals:
- def __init__(self):
- client_creds = ClientSecretCredential(self.TENANT_ID, self.CLIENT_ID, self.CLIENT_SECRET, authority=self.AUTHORITY_HOST)
- mgmt_group_api = ManagementGroupsAPI(client_creds)
- target_group = mgmt_group_api.management_groups.get(os.environ.get('TENANT_ID'))
+ # def __init__(self):
+ # azure_env = os.environ.get('AZURE_ENV')
+ # azure_arm_host = AZURE_ENV_MAP[azure_env]['AZURE_ARM'] if azure_env in AZURE_ENV_MAP else AZURE_ENV_MAP['AZURE_PUBLIC']['AZURE_ARM']
+ # azure_auth_host = AZURE_ENV_MAP[azure_env]['AUTH_HOST'] if azure_env in AZURE_ENV_MAP else AZURE_ENV_MAP['AZURE_PUBLIC']['AUTH_HOST']
+ # azure_arm_url = 'https://{}'.format(azure_arm_host)
+ # azure_arm_scope = '{}/.default'.format(azure_arm_url)
+ # mgmt_group_id = '/providers/Microsoft.Management/managementGroups/{}'.format(os.environ.get('TENANT_ID'))
 
- self.root_mgmt_group = target_group.name
+ # print("---------------------------")
+ # print("********GLOBAL INIT********")
+ # print("---------------------------")
+ # print("TENANT_ID: {}".format(os.environ.get('TENANT_ID')))
+ # print("CLIENT_ID: {}".format(os.environ.get('CLIENT_ID')))
+ # print("CLIENT_SECRET: {}".format(os.environ.get('CLIENT_SECRET')))
+ # print("AUTHORITY_HOST: {}".format(azure_auth_host))
+ # print("AZURE_MGMT_URL: {}".format(azure_arm_url))
+ # print("---------------------------")
+
+ # client_creds = ClientSecretCredential(
+ # tenant_id=os.environ.get('TENANT_ID'),
+ # client_id=os.environ.get('CLIENT_ID'),
+ # client_secret=os.environ.get('CLIENT_SECRET'),
+ # authority=azure_auth_host
+ # )
+
+ # mgmt_group_api = ManagementGroupsAPI(
+ # credential=client_creds,
+ # base_url=azure_arm_url,
+ # credential_scopes=[azure_arm_scope]
+ # )
+
+ # target_group = mgmt_group_api.management_groups.get(os.environ.get('TENANT_ID'))
+
+ # self.root_mgmt_group = target_group.name
 
 @property
 def CLIENT_ID(self):
@@ -57,9 +89,9 @@ class Globals:
 def KEYVAULT_URL(self):
 return os.environ.get('KEYVAULT_URL')
 
- @property
- def ROOT_MGMT_GROUP(self):
- return self.root_mgmt_group
+ # @property
+ # def ROOT_MGMT_GROUP(self):
+ # return self.root_mgmt_group
 
 @property
 def AZURE_ARM_URL(self):
@@ -67,7 +99,8 @@ class Globals:
 azure_arm_url = AZURE_ENV_MAP[azure_env]['AZURE_ARM'] if azure_env in AZURE_ENV_MAP else AZURE_ENV_MAP['AZURE_PUBLIC']['AZURE_ARM']
 
- return 'https://{}/user_impersonation'.format(azure_arm_url)
+ # return 'https://{}/user_impersonation'.format(azure_arm_url)
+ return azure_arm_url
 
 @property
 def AUTHORITY_HOST(self):
diff --git a/engine/app/routers/common/helper.py b/engine/app/routers/common/helper.py
index 3e2673a..b898bf6 100644
--- a/engine/app/routers/common/helper.py
+++ b/engine/app/routers/common/helper.py
@@ -45,8 +45,10 @@ def get_user_id_from_jwt(token):
 async def get_obo_token(assertion):
 """DOCSTRING"""
 
+ azure_arm_url = 'https://{}/user_impersonation'.format(globals.AZURE_ARM_URL)
+
 credential = OnBehalfOfCredential(globals.TENANT_ID, globals.CLIENT_ID, client_secret=globals.CLIENT_SECRET, user_assertion=assertion)
- obo_token = await credential.get_token(globals.AZURE_ARM_URL)
+ obo_token = await credential.get_token(azure_arm_url)
 await credential.close()
 return obo_token
 
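Review bot: The replacement `__init__` is parked in the class as roughly thirty-five commented-out lines, and one of them, `# print("CLIENT_SECRET: {}".format(os.environ.get('CLIENT_SECRET')))`, would write the application's client secret to stdout the moment someone uncomments the block to debug a cloud-endpoint problem; delete the block (and the commented `ROOT_MGMT_GROUP` property in the `@@ -57` hunk) rather than leaving it, since the history is in git. If the AZURE_ENV-driven endpoint construction is wanted later, keep only the non-printing part of it, ideally as properties next to `AZURE_ARM_URL`. The four new `AZURE_MGMT` entries are not read by anything in this patch; a one-line comment such as `# AZURE_MGMT: presumably the classic service-management endpoint, not yet consumed` would save the next reader from hunting for a consumer. With `__init__` removed, any remaining reference to `globals.ROOT_MGMT_GROUP` outside the hunks shown here will raise AttributeError at call time rather than at startup.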
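Review bot: `AZURE_ARM_URL` now returns a bare hostname such as `management.azure.com` while its name still promises a URL, and the old body survives as a comment on the line above the new return; both callers in this patch immediately re-wrap the value with `'https://{}'.format(...)`. Drop the commented line and state the contract, e.g. `"""ARM hostname (no scheme) for the configured AZURE_ENV; callers build the URL and scope."""`, or add an `AZURE_ARM_SCOPE` property so the `'{}/.default'` and `/user_impersonation` strings are built in one place. The unchanged line above the return also falls back silently to the public cloud when `AZURE_ENV` holds an unrecognised value, so a misspelt setting in a sovereign-cloud deployment would presumably direct token requests and queries at the public endpoints; logging a warning (or raising) on an unknown value is worth considering in the same change.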
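Review bot: `await credential.close()` still runs only when `get_token` succeeds; if it raises (expired assertion, unreachable authority for the selected cloud) the `OnBehalfOfCredential` and its HTTP session are never closed. Wrap the call the way `arg_query` in this file already does with `creds`: `try: obo_token = await credential.get_token(azure_arm_url)` / `finally: await credential.close()`. The new local `azure_arm_url` holds the token scope (`.../user_impersonation`), not a URL, so `arm_scope` would name it more honestly, and the `"""DOCSTRING"""` placeholder should become a real summary such as `"""Exchange the caller's assertion for an ARM access token via the on-behalf-of flow."""`.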
@@ -226,6 +228,8 @@ async def arg_query(auth, admin, query):
 except ClientAuthenticationError:
 raise HTTPException(status_code=401, detail="Token has expired.")
 except HttpResponseError as e:
+ print("IsAdmin: {}".format(admin))
+ print(e)
 raise HTTPException(status_code=403, detail="Access denied.")
 finally:
 await creds.close()
@@ -269,7 +273,14 @@ async def arg_query_helper(credentials, query):
 results = []
 
- resource_graph_client = ResourceGraphClient(credentials)
+ azure_arm_url = 'https://{}'.format(globals.AZURE_ARM_URL)
+ azure_arm_scope = '{}/.default'.format(azure_arm_url)
+
+ resource_graph_client = ResourceGraphClient(
+ credential=credentials,
+ base_url=azure_arm_url,
+ credential_scopes=[azure_arm_scope]
+ )
 
 try:
 skip_token = None
@@ -277,7 +288,7 @@ async def arg_query_helper(credentials, query):
 while True:
 query_request = QueryRequest(
 query=query,
- management_groups=[globals.ROOT_MGMT_GROUP],
+ # management_groups=[globals.TENANT_ID],
 options=QueryRequestOptions(
 result_format=ResultFormat.object_array,
 skip_token=skip_token
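Review bot: The two `print` calls added in the `HttpResponseError` handler dump the admin flag and the whole exception to stdout, where nothing can level or filter them; `str(e)` on an azure-core `HttpResponseError` can include the service's error text and details of the failed request, which is not something a production access-denied path should spray into container logs unconditionally. Use the module logger instead, `logger.warning("ARG query failed (admin=%s): %s", admin, e)` (or `logger.exception(...)` when the traceback is wanted), adding `logger = logging.getLogger(__name__)` at module level if helper.py has none. If these were debugging scaffolding for the new cloud support, they belong out of the merge entirely. `arg_query` begins before this hunk.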
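Review bot: `'https://{}'.format(globals.AZURE_ARM_URL)` and `'{}/.default'.format(...)` are now assembled here, the `/user_impersonation` variant is assembled in `get_obo_token`, and a third copy sits commented out in `Globals.__init__`; build the scheme and scope once in `Globals` (for example an `AZURE_ARM_SCOPE` property) so the copies cannot drift when another cloud is added. A short comment on the client construction would also help the next reader, e.g. `# base_url/credential_scopes point the SDK at the ARM endpoint of the configured cloud instead of the public default`, since the one-argument `ResourceGraphClient(credentials)` it replaces gave no hint that the endpoint was ever configurable. `arg_query_helper` starts before this hunk and continues after it.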
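Review bot: The `management_groups` scope is commented out with a different value (`globals.TENANT_ID`) than the one removed (`globals.ROOT_MGMT_GROUP`), so the dead line documents neither the old behaviour nor the new one, and the `QueryRequest` now carries no explicit scope at all. Presumably the intent is to let Resource Graph answer across everything the caller's token can read, but that is an inference; record it in place of the commented line, `# no management_groups scope: results are bounded by what the caller's token can read`, and delete the `TENANT_ID` remnant. `arg_query_helper` continues past the end of this hunk.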