Added support for multi-tenant authentication #563

Closed
wants to merge 98 commits into from
2443280
changes for multi-tenant auth
andrew-slutsky Jan 28, 2021
93c3fcd
Adding changes for multi-tenant auth
andrew-slutsky Jan 28, 2021
669e728
changes for multi-tenant auth
andrew-slutsky Jan 28, 2021
3f53c1c
changes for multi-tenant auth
andrew-slutsky Jan 28, 2021
e2e8569
Merge remote-tracking branch 'origin/main' into main_multi_tenant
andrew-slutsky Jan 29, 2021
8356243
saving change
andrew-slutsky Feb 3, 2021
77ba272
adding changes to deploy.py
andrew-slutsky Feb 12, 2021
3e79876
changes to enable support for multi-tenant authentication
andrew-slutsky Feb 12, 2021
e7021a1
changes to app function to support multi-tenant auth
andrew-slutsky Feb 12, 2021
f8fda80
removing to compile
andrew-slutsky Feb 12, 2021
ac95cd3
Merge branch 'main' into main_multi_tenant
andrew-slutsky Feb 12, 2021
72f3d6e
temp removing agent changes
andrew-slutsky Feb 12, 2021
c2d1793
fixing python from lint
andrew-slutsky Feb 12, 2021
11ccd1d
removing pdb
andrew-slutsky Feb 12, 2021
2a14b57
typo
andrew-slutsky Feb 12, 2021
aadb0fe
typo
andrew-slutsky Feb 12, 2021
8233e66
typo
andrew-slutsky Feb 12, 2021
2d90809
typo
andrew-slutsky Feb 12, 2021
aa15f10
typo
andrew-slutsky Feb 12, 2021
fefc9d4
formatting
andrew-slutsky Feb 12, 2021
a1acf00
updating after feedback
andrew-slutsky Feb 14, 2021
987e876
updating app function resource for agent
andrew-slutsky Feb 14, 2021
69f98b2
rename var
andrew-slutsky Feb 14, 2021
ec9ede0
reformatting with tool: black
andrew-slutsky Feb 14, 2021
210f167
typos
andrew-slutsky Feb 14, 2021
ff74d1a
typoes
andrew-slutsky Feb 14, 2021
14f3108
typos
andrew-slutsky Feb 14, 2021
fdf1ed0
outputs
andrew-slutsky Feb 14, 2021
c45630e
fixing lint issue
andrew-slutsky Feb 14, 2021
7dfad83
lint changes
andrew-slutsky Feb 14, 2021
9595b6b
reverting
andrew-slutsky Feb 14, 2021
ffe118a
ran utility black
andrew-slutsky Feb 14, 2021
3553a08
making changes for lint
andrew-slutsky Feb 14, 2021
6874719
typo
andrew-slutsky Feb 14, 2021
d88fbdb
removing info self.tenant
andrew-slutsky Feb 14, 2021
a5aa3f4
revert
andrew-slutsky Feb 14, 2021
499f50d
agent
andrew-slutsky Feb 14, 2021
3a9067a
new build
andrew-slutsky Feb 14, 2021
7cbe7a4
build
andrew-slutsky Feb 14, 2021
a1dc8c9
build
andrew-slutsky Feb 14, 2021
0578941
build
andrew-slutsky Feb 14, 2021
0b329cb
build
andrew-slutsky Feb 14, 2021
bc15097
build
andrew-slutsky Feb 14, 2021
d3deb9a
build
andrew-slutsky Feb 14, 2021
93f16b9
build
andrew-slutsky Feb 14, 2021
cd19cdf
build
andrew-slutsky Feb 14, 2021
262cecf
build onefuzz
andrew-slutsky Feb 14, 2021
7f5eebe
build onefuzz
andrew-slutsky Feb 14, 2021
79c42c3
build onefuzz
andrew-slutsky Feb 14, 2021
a6b4625
build onefuzz
andrew-slutsky Feb 14, 2021
ab3b65b
build onefuzz
andrew-slutsky Feb 14, 2021
25d6827
commenting out cargo
andrew-slutsky Feb 14, 2021
4ae1ddc
build
andrew-slutsky Feb 15, 2021
5c9fcb0
format check
andrew-slutsky Feb 15, 2021
8944153
build
andrew-slutsky Feb 15, 2021
db98c73
build
andrew-slutsky Feb 15, 2021
3fd1b2b
build
andrew-slutsky Feb 15, 2021
7c9c0d1
build
andrew-slutsky Feb 15, 2021
3a6b0ed
build
andrew-slutsky Feb 15, 2021
14d5cd6
build
andrew-slutsky Feb 15, 2021
c408410
Update auth.rs
andrew-slutsky Feb 15, 2021
c21ec1d
build
andrew-slutsky Feb 15, 2021
7d48e77
build
andrew-slutsky Feb 15, 2021
194fbe0
build
andrew-slutsky Feb 15, 2021
c1f0b61
build
andrew-slutsky Feb 15, 2021
c612e20
build
andrew-slutsky Feb 15, 2021
7e740d6
build
andrew-slutsky Feb 16, 2021
f9d1eca
asdfasdfsadfasdffasdfasdasdffsda
andrew-slutsky Feb 17, 2021
387a9a3
build
andrew-slutsky Feb 17, 2021
45307b2
build
andrew-slutsky Feb 17, 2021
687ea3d
build
andrew-slutsky Feb 17, 2021
2e98181
build
andrew-slutsky Feb 18, 2021
b50ad94
build
andrew-slutsky Feb 18, 2021
6420970
build
andrew-slutsky Feb 18, 2021
13e515c
build
andrew-slutsky Feb 18, 2021
1a63ca0
build
andrew-slutsky Feb 18, 2021
9c6bc01
build
andrew-slutsky Feb 18, 2021
22497d2
build
andrew-slutsky Feb 18, 2021
9264f4e
build
andrew-slutsky Feb 18, 2021
fdb37a4
build
andrew-slutsky Feb 18, 2021
04e88db
build
andrew-slutsky Feb 18, 2021
552da77
build
andrew-slutsky Feb 18, 2021
1e1c525
build
andrew-slutsky Feb 18, 2021
9743c87
build
andrew-slutsky Feb 18, 2021
ec0085c
Update src/agent/onefuzz-supervisor/src/auth.rs
andrew-slutsky Feb 23, 2021
d0d8f68
build
andrew-slutsky Feb 23, 2021
59be78d
build
andrew-slutsky Feb 23, 2021
b823b74
build
andrew-slutsky Feb 24, 2021
5e0bd10
build
andrew-slutsky Feb 24, 2021
1075624
build
andrew-slutsky Feb 24, 2021
f6f13a0
build
andrew-slutsky Feb 24, 2021
4562ae8
build
andrew-slutsky Feb 24, 2021
5c1e7ae
build
andrew-slutsky Feb 24, 2021
e02c1f6
build
andrew-slutsky Feb 24, 2021
be548fc
build
andrew-slutsky Feb 24, 2021
365b35e
build
andrew-slutsky Feb 24, 2021
3c9dc6f
build
andrew-slutsky Feb 24, 2021
bffadd9
build
andrew-slutsky Feb 24, 2021
adding changes to deploy.py
andrew-slutsky committed Feb 12, 2021
commit 77ba2727424b95b5584f5be22202339a20b89b86
34 changes: 31 additions & 3 deletions src/deployment/deploy.py
@@ -69,6 +69,7 @@
authorize_application,
register_application,
update_pool_registration,
assign_multi_tenant_auth,
)

USER_IMPERSONATION = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
@@ -118,6 +119,7 @@ def __init__(
migrations: List[str],
export_appinsights: bool,
log_service_principal: bool,
multi_tenant_domain: str,
upgrade: bool,
):
self.resource_group = resource_group
@@ -142,6 +144,7 @@ def __init__(
self.migrations = migrations
self.export_appinsights = export_appinsights
self.log_service_principal = log_service_principal
self.multi_tenant_domain = multi_tenant_domain

machine = platform.machine()
system = platform.system()
@@ -274,7 +277,11 @@ def setup_rbac(self) -> None:

if not existing:
logger.info("creating Application registration")
url = "https://%s.azurewebsites.net" % self.application_name

if self.multi_tenant_domain is not None:
url = "https://%s/%s" % (self.multi_tenant_domain, self.application_name)
else:
url = "https://%s.azurewebsites.net" % self.application_name

params = ApplicationCreateParameters(
display_name=self.application_name,
@@ -291,8 +298,14 @@ def setup_rbac(self) -> None:
],
app_roles=app_roles,
)

app = client.applications.create(params)

if self.multi_tenant_domain is not None:
# signInAudience must be set using Microsoft Graph REST API and not Azure AD due to issue:
# https://github.com/Azure/azure-cli/issues/14086 requires Microsoft Graph REST API v1.0
assign_multi_tenant_auth(app.object_id)

logger.info("creating service principal")
service_principal_params = ServicePrincipalCreateParameters(
account_enabled=True,
@@ -315,12 +328,18 @@ def setup_rbac(self) -> None:
role.is_enabled = False

client.applications.patch(
app.object_id, ApplicationUpdateParameters(app_roles=app.app_roles)
app.object_id, ApplicationUpdateParameters(
app_roles=app.app_roles,
sign_in_audience=audience
)
)

# overriding the list of app roles
client.applications.patch(
app.object_id, ApplicationUpdateParameters(app_roles=app_roles)
app.object_id, ApplicationUpdateParameters(
app_roles=app_roles,
sign_in_audience=audience
)
)

creds = list(client.applications.list_password_credentials(app.object_id))
@@ -351,6 +370,8 @@ def setup_rbac(self) -> None:
self.results["client_id"] = app.app_id
self.results["client_secret"] = password

import pdb; pdb.set_trace()

# Log `client_secret` for consumption by CI.
if self.log_service_principal:
logger.info("client_id: %s client_secret: %s", app.app_id, password)
@@ -848,6 +869,12 @@ def main() -> None:
action="store_true",
help="display service prinipal with info log level",
)
parser.add_argument(
"--multi_tenant_domain",
type=str,
default=None,
help="enable multi-tenant authentication with this tenant domain",
)
args = parser.parse_args()

if shutil.which("func") is None:
@@ -871,6 +898,7 @@ def main() -> None:
migrations=args.apply_migrations,
export_appinsights=args.export_appinsights,
log_service_principal=args.log_service_principal,
multi_tenant_domain=args.multi_tenant_domain,
upgrade=args.upgrade,
)
if args.verbose:
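Review bot: `sign_in_audience=audience` on the two `client.applications.patch` calls (the lines following `app.object_id, ApplicationUpdateParameters(`) uses a name that is never assigned in this hunk, and it sets the audience through the Azure AD client even though the comment above `assign_multi_tenant_auth(app.object_id)` states signInAudience must be set via the Microsoft Graph REST API; setup_rbac starts outside the hunk, so `audience` may be bound earlier, but the existing-application path should probably reuse the create path's guard, `if self.multi_tenant_domain is not None: assign_multi_tenant_auth(app.object_id)`, instead of passing `sign_in_audience` to the client. The `import pdb; pdb.set_trace()` line after `self.results["client_secret"] = password` halts a deployment run at the point where the freshly generated client secret is in scope and must not ship. Switching the registration to AzureADMultipleOrgs means any Azure AD tenant can issue tokens for this application, and nothing in this file narrows which tenants are accepted, so the token-validation side (not part of this commit) should be confirmed to check the issuer/tenant claim against `multi_tenant_domain`.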
15 changes: 15 additions & 0 deletions src/deployment/registration.py
@@ -503,6 +503,21 @@ def assign_scaleset_role(onefuzz_instance_name: str, scaleset_name: str) -> None
except adal.AdalError:
assign_scaleset_role_manually(onefuzz_instance_name, scaleset_name)

def assign_multi_tenant_auth(
objectId: str
) -> None:

try:
query_microsoft_graph(
method="PATCH",
resource="applications/%s" % objectId,
body={ "signInAudience": "AzureADMultipleOrgs"},
)
except adal.AdalError:
raise Exception("error setting signInAudience in ad application %s: %s" %
onefuzz_instance_name,
adal.AdalError
)

def main() -> None:
formatter = argparse.ArgumentDefaultsHelpFormatter
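Review bot: The `except adal.AdalError:` branch of `assign_multi_tenant_auth` cannot produce the message it intends: `%` binds tighter than the comma, so the format string receives only `onefuzz_instance_name` for two `%s` placeholders, that name is not a parameter of this function (its only argument is `objectId`), and `adal.AdalError` is the exception class rather than the caught instance. Replace the branch with `except adal.AdalError as err:` / `raise Exception("error setting signInAudience in ad application %s: %s" % (objectId, err)) from err`. The function also needs a docstring stating that it switches the registration's signInAudience to AzureADMultipleOrgs with a Microsoft Graph PATCH on `applications/<object id>` and that it raises on a Graph/ADAL failure, and its parameter would read consistently with `assign_scaleset_role` as `object_id` (the caller in deploy.py passes it positionally, so the rename is safe). Two blank lines before the `def` would match the surrounding module.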