fix multi-tenant deployment (#1270)
chkeita authored Sep 24, 2021
1 parent 10f6af4 commit d739811
Showing 1 changed file with 31 additions and 34 deletions.
65 changes: 31 additions & 34 deletions src/deployment/deploy.py
Expand Up @@ -251,6 +251,30 @@ def check_region(self) -> None:
def create_password(self, object_id: UUID) -> Tuple[str, str]:
return add_application_password(object_id, self.get_subscription_id())

def get_instance_url(self) -> str:
## The url to access the instance
## This also represents the legacy identifier_uris of the application registration
if self.multi_tenant_domain:
return "https://%s/%s" % (
self.multi_tenant_domain,
self.application_name,
)
else:
return "https://%s.azurewebsites.net" % self.application_name

def get_identifier_url(self) -> str:
## The used to identify the application registration via the identifier_uris field
## Depending on the environment this value needs to be from an approved domain
## The format of this value is derived from the default value proposed by azure when creating
## an application registration api://{guid}/...
if self.multi_tenant_domain:
return "api://%s/%s" % (
self.multi_tenant_domain,
self.application_name,
)
else:
return "api://%s.azurewebsites.net" % self.application_name

def setup_rbac(self) -> None:
"""
Setup the client application for the OneFuzz instance.
Expand Down Expand Up @@ -300,18 +324,10 @@ def setup_rbac(self) -> None:
if not existing:
logger.info("creating Application registration")

if self.multi_tenant_domain:
url = "https://%s/%s" % (
self.multi_tenant_domain,
self.application_name,
)
else:
url = "https://%s.azurewebsites.net" % self.application_name

params = ApplicationCreateParameters(
display_name=self.application_name,
identifier_uris=[f"api://{self.application_name}.azurewebsites.net"],
reply_urls=[url + "/.auth/login/aad/callback"],
identifier_uris=[self.get_identifier_url()],
reply_urls=[self.get_instance_url() + "/.auth/login/aad/callback"],
optional_claims=OptionalClaims(id_token=[], access_token=[]),
required_resource_access=[
RequiredResourceAccess(
Expand Down Expand Up @@ -362,14 +378,7 @@ def try_sp_create() -> None:

else:
app = existing[0]
if self.multi_tenant_domain:
api_id = "api://%s/%s" % (
self.multi_tenant_domain,
self.application_name,
)
else:
api_id = "api://%s.azurewebsites.net" % self.application_name

api_id = self.get_identifier_url()
if api_id not in app.identifier_uris:
identifier_uris = app.identifier_uris
identifier_uris.append(api_id)
Expand Down Expand Up @@ -473,28 +482,16 @@ def deploy_template(self) -> None:
"%Y-%m-%dT%H:%M:%SZ"
)

app_func_audiences = [
self.get_identifier_url(),
self.get_instance_url(),
]
if self.multi_tenant_domain:
# clear the value in the Issuer Url field:
# https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient-enterpriseapi-multitenant
app_func_audiences = [
"api://%s/%s"
% (
self.multi_tenant_domain,
self.application_name,
),
"https://%s/%s"
% (
self.multi_tenant_domain,
self.application_name,
),
]
app_func_issuer = ""
multi_tenant_domain = {"value": self.multi_tenant_domain}
else:
app_func_audiences = [
"api://%s.azurewebsites.net" % self.application_name,
"https://%s.azurewebsites.net" % self.application_name,
]
tenant_oid = str(self.cli_config["authority"]).split("/")[-1]
app_func_issuer = "https://sts.windows.net/%s/" % tenant_oid
multi_tenant_domain = {"value": ""}
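Review bot: `get_instance_url` and `get_identifier_url` in the first hunk document themselves with `##` line comments, and the second comment is garbled ("The used to identify the application registration …" has lost its subject); since three later hunks now route every identifier and reply URL through these two methods, the contract belongs in docstrings. Something like `"""Return the URI that identifies the app registration in identifier_uris; with multi_tenant_domain set this is api://<multi_tenant_domain>/<application_name>, which must be an approved domain."""` for the second, and for the first a docstring stating that the instance URL also serves as the legacy identifier URI. Both methods repeat the same if/else on `self.multi_tenant_domain` with `%`-formatting while the line this commit removes used an f-string; `host = f"{self.multi_tenant_domain}/{self.application_name}" if self.multi_tenant_domain else f"{self.application_name}.azurewebsites.net"` followed by `return f"api://{host}"` (or `return f"https://{host}"`) expresses each in two lines and keeps the single-tenant and multi-tenant forms visibly parallel. The class enclosing these methods starts outside the hunk.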
