diff --git a/src/deployment/deploy.py b/src/deployment/deploy.py
index 0f428ae451..c1d9dbf1e2 100644
--- a/src/deployment/deploy.py
+++ b/src/deployment/deploy.py
@@ -251,6 +251,30 @@ def check_region(self) -> None:
     def create_password(self, object_id: UUID) -> Tuple[str, str]:
         return add_application_password(object_id, self.get_subscription_id())
 
+    def get_instance_url(self) -> str:
+        ## The url to access the instance
+        ## This also represents the legacy identifier_uris of the application registration
+        if self.multi_tenant_domain:
+            return "https://%s/%s" % (
+                self.multi_tenant_domain,
+                self.application_name,
+            )
+        else:
+            return "https://%s.azurewebsites.net" % self.application_name
+
+    def get_identifier_url(self) -> str:
+        ## The used to identify the application registration via the identifier_uris field
+        ## Depending on the environment this value needs to be from an approved domain
+        ## The format of this value is derived from the default value proposed by azure when creating
+        ## an application registration api://{guid}/...
+        if self.multi_tenant_domain:
+            return "api://%s/%s" % (
+                self.multi_tenant_domain,
+                self.application_name,
+            )
+        else:
+            return "api://%s.azurewebsites.net" % self.application_name
+
     def setup_rbac(self) -> None:
         """
         Setup the client application for the OneFuzz instance.
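Review bot: The two new helpers document themselves with `##` line comments rather than docstrings, and the first comment in `get_identifier_url` is missing a word (`## The used to identify …`). Both helpers interpolate `self.multi_tenant_domain` and `self.application_name` straight into URLs that later become `identifier_uris` and `reply_urls` (a redirect allow-list), yet neither states what shape those attributes must have; a stray scheme, path separator or trailing slash in either value would silently produce a malformed URI. I would replace the comment block on `get_identifier_url` with a docstring such as `"""Return the api:// URI registered in identifier_uris. Assumes multi_tenant_domain is a bare host name and application_name a single path segment — confirm against the config validation."""` and mirror it on `get_instance_url`, noting there that the https:// form is also the legacy identifier URI.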
@@ -300,18 +324,10 @@ def setup_rbac(self) -> None:
         if not existing:
             logger.info("creating Application registration")
 
-            if self.multi_tenant_domain:
-                url = "https://%s/%s" % (
-                    self.multi_tenant_domain,
-                    self.application_name,
-                )
-            else:
-                url = "https://%s.azurewebsites.net" % self.application_name
-
             params = ApplicationCreateParameters(
                 display_name=self.application_name,
-                identifier_uris=[f"api://{self.application_name}.azurewebsites.net"],
-                reply_urls=[url + "/.auth/login/aad/callback"],
+                identifier_uris=[self.get_identifier_url()],
+                reply_urls=[self.get_instance_url() + "/.auth/login/aad/callback"],
                 optional_claims=OptionalClaims(id_token=[], access_token=[]),
                 required_resource_access=[
                     RequiredResourceAccess(
@@ -362,14 +378,7 @@ def try_sp_create() -> None:
         else:
             app = existing[0]
 
-            if self.multi_tenant_domain:
-                api_id = "api://%s/%s" % (
-                    self.multi_tenant_domain,
-                    self.application_name,
-                )
-            else:
-                api_id = "api://%s.azurewebsites.net" % self.application_name
-
+            api_id = self.get_identifier_url()
             if api_id not in app.identifier_uris:
                 identifier_uris = app.identifier_uris
                 identifier_uris.append(api_id)
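Review bot: On creation the registration's `identifier_uris` now depends on `multi_tenant_domain` (`api://<domain>/<app>` instead of the previous unconditional `api://<app>.azurewebsites.net`), which is a behaviour change for multi-tenant deployments that nothing in the hunk explains in place; the second hunk (`api_id = self.get_identifier_url()`) applies the same value to existing registrations, so the two paths at least agree. A short comment above `params = ApplicationCreateParameters(` would orient the next reader: `# identifier_uris must be on an approved domain in multi-tenant mode; get_identifier_url() selects the right form`. The reply URL is still built by string concatenation, so it inherits whatever `get_instance_url()` returns; if that helper ever gained a trailing slash the callback would become `//.auth/...`, which is worth a one-line comment or an assertion-free `rstrip("/")` at the call site. setup_rbac begins and ends outside both hunks.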
@@ -473,28 +482,16 @@ def deploy_template(self) -> None:
                 "%Y-%m-%dT%H:%M:%SZ"
             )
 
+            app_func_audiences = [
+                self.get_identifier_url(),
+                self.get_instance_url(),
+            ]
             if self.multi_tenant_domain:
                 # clear the value in the Issuer Url field:
                 # https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient-enterpriseapi-multitenant
-                app_func_audiences = [
-                    "api://%s/%s"
-                    % (
-                        self.multi_tenant_domain,
-                        self.application_name,
-                    ),
-                    "https://%s/%s"
-                    % (
-                        self.multi_tenant_domain,
-                        self.application_name,
-                    ),
-                ]
                 app_func_issuer = ""
                 multi_tenant_domain = {"value": self.multi_tenant_domain}
             else:
-                app_func_audiences = [
-                    "api://%s.azurewebsites.net" % self.application_name,
-                    "https://%s.azurewebsites.net" % self.application_name,
-                ]
                 tenant_oid = str(self.cli_config["authority"]).split("/")[-1]
                 app_func_issuer = "https://sts.windows.net/%s/" % tenant_oid
                 multi_tenant_domain = {"value": ""}
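Review bot: The hoisted `app_func_audiences` list accepts two audiences in every mode, and with the per-branch lists gone nothing near it says why the plain `https://` instance URL is still a valid token audience alongside the `api://` identifier. I would add above the list: `# accept both the api:// identifier URI and the legacy https:// form, since tokens may carry either audience`. In the multi-tenant branch `app_func_issuer = ""` leaves issuer validation empty, so as far as this hunk shows the audience list is the per-application check the function app relies on; a comment next to `app_func_issuer = ""` saying so would make the trade-off explicit for whoever edits the list next. deploy_template continues outside the hunk.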