Config Refactor Round 2. #2771

bf67175
Config Refactor Round 2.
nharper285 Jan 24, 2023
4b1a64e
Adding docs.
nharper285 Jan 24, 2023
fc1a86c
Fix file formatting.
nharper285 Jan 25, 2023
b8705fc
Removing.
nharper285 Jan 25, 2023
153f0b9
fixing imports.
nharper285 Jan 25, 2023
ec4a2fc
Removing.
nharper285 Jan 25, 2023
16b82e8
Fixing cli access token retrieval.
nharper285 Jan 25, 2023
ae9acaa
Fixing authority check.
nharper285 Jan 25, 2023
7d6c864
Merge branch 'main' into user/noharper/config-endpoint-update-2
nharper285 Jan 25, 2023
ae9b57f
Small edits.
nharper285 Jan 25, 2023
fb914dc
Merge branch 'user/noharper/config-endpoint-update-2' of https://gith…
nharper285 Jan 25, 2023
e7b9c5a
Removing duplicate.
nharper285 Jan 25, 2023
6073689
Adding uuid check.
nharper285 Jan 25, 2023
733840c
Possible to override with existing params.
nharper285 Jan 25, 2023
72669a6
Allowing flags to override storage.
nharper285 Jan 26, 2023
22f40fc
Trying to fix config params.?
nharper285 Jan 26, 2023
a83257e
Fixing.
nharper285 Jan 26, 2023
a4eb26d
Set endpoint params via app function.
nharper285 Jan 26, 2023
2e2ecc2
Checking changes to params.
nharper285 Jan 26, 2023
cd4f408
Make tenant_domain default.
nharper285 Jan 26, 2023
1e63be9
Merge branch 'main' into user/noharper/config-endpoint-update-2
nharper285 Jan 26, 2023
ffe8146
Remove endoint params from models.
nharper285 Jan 26, 2023
a5a6a54
UPdating docs.
nharper285 Jan 26, 2023
b5c3a74
Setting
nharper285 Jan 26, 2023
f184bc9
Removing hardcoded values.
nharper285 Jan 26, 2023
efe3a06
Typo.
nharper285 Jan 26, 2023
081b454
Removing endpoint upload.
nharper285 Jan 26, 2023
5fa1abc
Typo.
nharper285 Jan 26, 2023
dbe3f67
Fixing typos.
nharper285 Jan 26, 2023
794be7a
Fix error message about aad tenant.
nharper285 Jan 30, 2023
3b07e54
Merge branch 'main' into user/noharper/config-endpoint-update-2
nharper285 Jan 30, 2023
d78ac48
Responding to comments.
nharper285 Jan 30, 2023
7ac405c
Merge branch 'user/noharper/config-endpoint-update-2' of https://gith…
nharper285 Jan 30, 2023
c867a1c
Merge branch 'main' into user/noharper/config-endpoint-update-2
nharper285 Jan 31, 2023
ab844c8
Update src/ApiService/ApiService/UserCredentials.cs
nharper285 Jan 31, 2023
e5d1e2c
Merge branch 'main' into user/noharper/config-endpoint-update-2
nharper285 Jan 31, 2023
35 changes: 34 additions & 1 deletion docs/webhook_events.md
Expand Up @@ -696,6 +696,8 @@ If webhook is set to have Event Grid message format then the payload will look a
"allowed_aad_tenants": [
"00000000-0000-0000-0000-000000000000"
],
"authority": "",
"client_id": "",
"default_linux_vm_image": "Canonical:0001-com-ubuntu-server-focal:20_04-lts:latest",
"default_windows_vm_image": "MicrosoftWindowsDesktop:Windows-10:win10-21h2-pro:latest",
"network_config": {
Expand All @@ -707,7 +709,8 @@ If webhook is set to have Event Grid message format then the payload will look a
"allowed_service_tags": []
},
"proxy_vm_sku": "Standard_B2s",
"require_admin_privileges": false
"require_admin_privileges": false,
"tenant_domain": ""
}
}
```
Expand Down Expand Up @@ -838,6 +841,16 @@ If webhook is set to have Event Grid message format then the payload will look a
"title": "Api Access Rules",
"type": "object"
},
"authority": {
"default": "",
"title": "Authority",
"type": "string"
},
"client_id": {
"default": "",
"title": "Client Id",
"type": "string"
},
"default_linux_vm_image": {
"default": "Canonical:0001-com-ubuntu-server-focal:20_04-lts:latest",
"title": "Default Linux Vm Image",
Expand Down Expand Up @@ -878,6 +891,11 @@ If webhook is set to have Event Grid message format then the payload will look a
"title": "Require Admin Privileges",
"type": "boolean"
},
"tenant_domain": {
"default": "",
"title": "Tenant Domain",
"type": "string"
},
"vm_tags": {
"additionalProperties": {
"type": "string"
Expand Down Expand Up @@ -6158,6 +6176,16 @@ If webhook is set to have Event Grid message format then the payload will look a
"title": "Api Access Rules",
"type": "object"
},
"authority": {
"default": "",
"title": "Authority",
"type": "string"
},
"client_id": {
"default": "",
"title": "Client Id",
"type": "string"
},
"default_linux_vm_image": {
"default": "Canonical:0001-com-ubuntu-server-focal:20_04-lts:latest",
"title": "Default Linux Vm Image",
Expand Down Expand Up @@ -6198,6 +6226,11 @@ If webhook is set to have Event Grid message format then the payload will look a
"title": "Require Admin Privileges",
"type": "boolean"
},
"tenant_domain": {
"default": "",
"title": "Tenant Domain",
"type": "string"
},
"vm_tags": {
"additionalProperties": {
"type": "string"
35 changes: 35 additions & 0 deletions src/ApiService/ApiService/Functions/Config.cs
@@ -0,0 +1,35 @@
using System.Net;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;

namespace Microsoft.OneFuzz.Service.Functions;

public class Config {
private readonly ILogTracer _log;
private readonly IOnefuzzContext _context;

public Config(ILogTracer log, IOnefuzzContext context) {
_log = log;
_context = context;
}

[Function("Config")]
public Async.Task<HttpResponseData> Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "GET", Route = "config")] HttpRequestData req) {
return Get(req);
}
public async Async.Task<HttpResponseData> Get(HttpRequestData req) {
_log.Info($"getting endpoint config parameters");
var config = await _context.ConfigOperations.Fetch();

var endpointParams = new ConfigResponse(
Authority: config.Authority,
ClientId: config.ClientId,
TenantDomain: config.TenantDomain);

var response = req.CreateResponse(HttpStatusCode.OK);
await response.WriteAsJsonAsync(endpointParams);

return response;
}
}
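Review bot: The trigger is `AuthorizationLevel.Anonymous` and function.bicep in this same PR excludes `/api/config` from platform auth, so everything placed in `ConfigResponse` is readable without a token, yet nothing in the class says so. Add a doc comment above `Run`, e.g. `/// Unauthenticated by design: returns only the public OAuth client parameters (authority, client id, tenant domain) the CLI needs to bootstrap sign-in; never add secrets or instance-internal data to this response.` `Get` is `public` but only reached through the pass-through `Run`, so it can be `private` or inlined, and `_log.Info($"getting endpoint config parameters")` interpolates nothing, so the `$` should go. The response sets no cache headers, so every CLI call reaches `ConfigOperations.Fetch`, which this PR caches server-side for one minute.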
5 changes: 4 additions & 1 deletion src/ApiService/ApiService/OneFuzzTypes/Model.cs
Expand Up @@ -347,7 +347,10 @@ public record InstanceConfig
IDictionary<Endpoint, ApiAccessRule>? ApiAccessRules = null,
IDictionary<PrincipalId, GroupId[]>? GroupMembership = null,
IDictionary<string, string>? VmTags = null,
IDictionary<string, string>? VmssTags = null
IDictionary<string, string>? VmssTags = null,
string? Authority = "",
string? ClientId = "",
string? TenantDomain = ""
) : EntityBase() {
public InstanceConfig(string instanceName) : this(
instanceName,
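Review bot: `string? Authority = ""` (likewise `ClientId` and `TenantDomain`) declares the property nullable while defaulting it to the empty string, so readers cannot tell whether null is a real state; `ConfigResponse` copies the `string?` and the CLI then evaluates `"common" in self.config.authority`, which raises `TypeError` on `None`. If the `?` exists only so entities written before these columns existed still deserialize (unverified), record that, e.g. `// nullable only for rows stored before these columns existed; consumers treat null as ""`; otherwise drop the `?` and keep the `""` default. The `InstanceConfig` record begins before the hunk.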
6 changes: 6 additions & 0 deletions src/ApiService/ApiService/OneFuzzTypes/Responses.cs
Expand Up @@ -159,6 +159,12 @@ public static ScalesetResponse ForScaleset(Scaleset s, bool includeAuth)
Nodes: null);
}

public record ConfigResponse(
string? Authority,
string? ClientId,
string? TenantDomain
) : BaseResponse();

public class BaseResponseConverter : JsonConverter<BaseResponse> {
public override BaseResponse? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options) {
return null;
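Review bot: `ConfigResponse` is the body of the `AuthorizationLevel.Anonymous` `/api/config` function added in Config.cs, but the type itself does not record that, so a maintainer adding a field here would not see that it becomes world-readable. Add `/// <summary>Public sign-in bootstrap parameters served by the unauthenticated /api/config endpoint; must never carry secrets or instance-internal data.</summary>` above the record. As in Model.cs, the three members are `string?` while their source properties default to `""`, so decide whether null should ever reach the wire.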
2 changes: 1 addition & 1 deletion src/ApiService/ApiService/onefuzzlib/ConfigOperations.cs
Expand Up @@ -26,7 +26,7 @@ private sealed record InstanceConfigCacheKey();
private static readonly InstanceConfigCacheKey _key = new(); // singleton key
public Task<InstanceConfig> Fetch()
=> _cache.GetOrCreateAsync(_key, async entry => {
entry = entry.SetAbsoluteExpiration(TimeSpan.FromMinutes(10)); // cached for 10 minutes
entry = entry.SetAbsoluteExpiration(TimeSpan.FromMinutes(1)); // cached for 1 minute
var key = _context.ServiceConfiguration.OneFuzzInstanceName ?? throw new Exception("Environment variable ONEFUZZ_INSTANCE_NAME is not set");
return await GetEntityAsync(key, key);
});
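Review bot: The cache lifetime is a magic number whose value is duplicated in the trailing comment (`TimeSpan.FromMinutes(1)); // cached for 1 minute`), so both must be edited together on every change. Hoist it to a named field, `private static readonly TimeSpan InstanceConfigCacheDuration = TimeSpan.FromMinutes(1);`, pass that to `SetAbsoluteExpiration`, and put the reason on the field instead, presumably `// short so endpoint-parameter edits reach the CLI promptly` — confirm that is the motive. Since the anonymous `/api/config` function now reads through this cache, the window also bounds how often unauthenticated callers can trigger a table read.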
36 changes: 36 additions & 0 deletions src/cli/onefuzz/api.py
Expand Up @@ -122,6 +122,10 @@ def _req_model(
as_params: bool = False,
alternate_endpoint: Optional[str] = None,
) -> A:

# Retrieve Auth Parameters
self._req_config_params()
logging.debug("in req model")
response = self._req_base(
method,
data=data,
Expand Down Expand Up @@ -153,6 +157,38 @@ def _req_model_list(

return [model.parse_obj(x) for x in response]

def _req_config_params(
self,
) -> None:

endpoint_params = responses.Config(
authority="",
client_id="",
tenant_domain="",
)

if self.onefuzz._backend.config.endpoint is not None:

endpoint = self.onefuzz._backend.config.endpoint

response = self.onefuzz._backend.session.request(
"GET", endpoint + "/api/config"
)

endpoint_params = responses.Config.parse_obj(response.json())

# Will override client id in storage w/ provided client_id for SP use
if self.onefuzz._backend.config.client_id == "":
self.onefuzz._backend.config.client_id = endpoint_params.client_id

# Ignores provided auth and tenant_domain in favor of what's in storage
self.onefuzz._backend.config.authority = endpoint_params.authority
self.onefuzz._backend.config.tenant_domain = endpoint_params.tenant_domain

self.onefuzz._backend.save_config()
else:
raise Exception("Endpoint Not Configured")

def _disambiguate(
self,
name: str,
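Review bot: `response.json()` in `_req_config_params` is called without checking the status; assuming `session` is a `requests.Session`, a 4xx/5xx or a login-redirect HTML page comes back as a confusing JSON decode error rather than a clear failure, so add `response.raise_for_status()` before `responses.Config.parse_obj(response.json())`. `_req_config_params()` is also invoked at the top of every `_req_model` call, so each CLI request is preceded by an extra unauthenticated GET and a `save_config()` write; fetch once per process (for example a flag set after the first successful load) unless the per-call refresh is deliberate. `logging.debug("in req model")` reads as leftover debugging and should be removed. The `Exception("Endpoint Not Configured")` duplicates the check already made in `backend.py` (`"endpoint not configured"`), with different casing; one message and one check would be cleaner. `_req_model` starts before the hunk.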
2 changes: 1 addition & 1 deletion src/cli/onefuzz/backend.py
Expand Up @@ -181,7 +181,7 @@ def get_access_token(self) -> Any:
if not self.config.endpoint:
raise Exception("endpoint not configured")

if self.config.tenant_domain:
if "common" in self.config.authority:
endpoint = urlparse(self.config.endpoint).netloc.split(".")[0]
scopes = [
f"api://{self.config.tenant_domain}/{endpoint}/.default",
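Review bot: The new guard `if "common" in self.config.authority:` drops the `tenant_domain` check, yet the scope built two lines below still interpolates it (`api://{self.config.tenant_domain}/{endpoint}/.default`), so an authority containing `common` with an empty tenant domain now produces a malformed scope instead of falling through. `authority` can also be `None` (Model.cs declares `string? Authority`), which makes the `in` test raise `TypeError`. Keep both conditions: `if self.config.tenant_domain and "common" in (self.config.authority or ""):`. Matching the substring `common` anywhere in the URL is loose; comparing the authority's last path segment would be more precise. `get_access_token` continues past the hunk.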
14 changes: 7 additions & 7 deletions src/deployment/bicep-templates/function.bicep
Expand Up @@ -23,7 +23,6 @@ param diagnostics_log_level string
param log_retention int
param linux_fx_version string


var siteconfig = (use_windows) ? {
} : {
linuxFxVersion: linux_fx_version
Expand Down Expand Up @@ -57,24 +56,25 @@ resource function 'Microsoft.Web/sites@2021-03-01' = {
type: 'SystemAssigned'
}
properties: union({
siteConfig: union(siteconfig, commonSiteConfig)
httpsOnly: true
serverFarmId: server_farm_id
clientAffinityEnabled: true
}, extraProperties)
siteConfig: union(siteconfig, commonSiteConfig)
httpsOnly: true
serverFarmId: server_farm_id
clientAffinityEnabled: true
}, extraProperties)
}

resource funcAuthSettings 'Microsoft.Web/sites/config@2021-03-01' = {
name: 'authsettingsV2'
properties: {
login:{
login: {
tokenStore: {
enabled: true
}
}
globalValidation: {
unauthenticatedClientAction: 'RedirectToLoginPage'
requireAuthentication: true
excludedPaths: [ '/api/config' ]
}
httpSettings: {
requireHttps: true
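Review bot: `excludedPaths: [ '/api/config' ]` punches a hole in the `requireAuthentication: true` gate, and the matching function is `AuthorizationLevel.Anonymous` in Config.cs, so this route string is now a security-relevant value kept in sync across two files; add a comment beside it naming the pairing, e.g. `// unauthenticated by design: CLI bootstrap endpoint, see ApiService/Functions/Config.cs`. Confirm whether the platform matches excluded paths exactly or by prefix; if by prefix, any future route under `/api/config` would also bypass sign-in. The other lines in the hunk are re-indentation only.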
8 changes: 7 additions & 1 deletion src/deployment/config.json
@@ -1,6 +1,12 @@
{
"tenant_id": "72f988bf-86f1-41af-91ab-2d7cd011db47",
"tenant_domain": "azurewebsites.net",
"multi_tenant_domain": "",
"cli_client_id": "72f1562a-8c0c-41ea-beb9-fa2b71c80134",
"proxy_nsg_config": {
"allowed_ips": ["*"],
"allowed_ips": [
"*"
],
"allowed_service_tags": []
}
}
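Review bot: `"tenant_domain": "azurewebsites.net"` reads like the function-app host suffix rather than an AAD tenant domain, yet backend.py builds the token scope as `api://{tenant_domain}/{endpoint}/.default` from this key; if that value is deliberate under the app ID URI scheme, it needs to be stated somewhere, because JSON cannot carry the explanation. Document the accepted values of `tenant_domain` and `multi_tenant_domain` (and when the latter may stay `""`) in the deployment README next to the other `config.json` keys. The `allowed_ips` change is formatting only; the pre-existing `"*"` default leaves the proxy NSG open to any source and is worth a separate note.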