
migrate to msgraph #966

Merged
merged 93 commits into from
Oct 22, 2021
bd8d425
migrate to msgraph
chkeita Jun 7, 2021
1ad0f5a
add subscription id to query_microsoft_graph
chkeita Jun 7, 2021
ac0f400
migrating remaingin references
chkeita Jun 8, 2021
4902528
formatting
chkeita Jun 8, 2021
a4379c8
adding missing dependencies
chkeita Jun 8, 2021
098ac3c
Merge branch 'main' into msgraph
chkeita Jun 9, 2021
e1fa0ad
flake fix
chkeita Jun 9, 2021
c130d6d
fix get_tenant_id
chkeita Jun 9, 2021
b6bf69f
Merge branch 'main' into msgraph
chkeita Jun 9, 2021
681867e
cleanup
chkeita Jun 10, 2021
8230024
formatting
chkeita Jun 14, 2021
1a60c07
Merge remote-tracking branch 'upstream/main' into msgraph
chkeita Jun 14, 2021
dd989fb
Merge remote-tracking branch 'upstream/main' into msgraph
chkeita Jun 16, 2021
0403485
migrate application creation in deploy.py
chkeita Jun 16, 2021
6245563
foramt
chkeita Jun 16, 2021
431200d
mypy fix
chkeita Jun 16, 2021
71bceef
isort
chkeita Jun 16, 2021
7e1b93c
isort
chkeita Jun 16, 2021
7ba55de
format
chkeita Jun 16, 2021
09107ab
bug fixes
chkeita Jun 17, 2021
73a135f
specify the correct signInAudience
chkeita Jun 17, 2021
be18ab9
fix backing service principal creation
chkeita Jun 17, 2021
295c56e
remove remaining references to graphrbac
chkeita Jun 17, 2021
9c47159
fix ms graph authentication
chkeita Jun 18, 2021
99df719
Merge branch 'main' into msgraph
chkeita Jun 30, 2021
b9915c1
Merge branch 'main' into msgraph
chkeita Jul 9, 2021
128c7f8
formatting
chkeita Jul 9, 2021
d5ec3cc
Merge branch 'main' into msgraph
chkeita Jul 15, 2021
208b822
Merge remote-tracking branch 'upstream/main' into msgraph
chkeita Jul 16, 2021
d995aab
Merge remote-tracking branch 'upstream/main' into msgraph
chkeita Jul 20, 2021
c3e5b38
fix typo
chkeita Jul 20, 2021
174cd86
format
chkeita Jul 20, 2021
088dc4d
deployment fix
chkeita Jul 20, 2021
b402038
set implicitGrantSettings in the deployment
chkeita Jul 21, 2021
9996678
format
chkeita Jul 21, 2021
37f2cab
Merge branch 'main' into msgraph
chkeita Jul 21, 2021
998829d
fix deployment
chkeita Jul 27, 2021
63cde94
fix graph authentication on the server
chkeita Jul 27, 2021
93ee8c9
use the current cli logged in account to retrive the backend token cache
chkeita Jul 29, 2021
e937286
assign the the msgraph app role permissions to the web app during the…
chkeita Jul 29, 2021
642c37b
formatting
chkeita Jul 29, 2021
05ba100
Merge remote-tracking branch 'upstream/main' into msgraph
chkeita Jul 29, 2021
398af21
fix build
chkeita Jul 29, 2021
b58a04d
build fix
chkeita Jul 29, 2021
c490239
fix bandit issue
chkeita Jul 29, 2021
79b050d
mypy fix
chkeita Jul 29, 2021
92ad8e9
isort
chkeita Jul 29, 2021
4f9b98f
deploy fixes
chkeita Jul 30, 2021
66d3bed
formatting
chkeita Jul 30, 2021
4c805d7
Merge remote-tracking branch 'upstream/main' into msgraph
chkeita Aug 2, 2021
7ca5d9b
remove assign_app_permissions
chkeita Aug 6, 2021
eb7b574
Merge remote-tracking branch 'upstream/main' into msgraph
chkeita Aug 6, 2021
0b11e2e
Merge branch 'main' into msgraph
chkeita Aug 23, 2021
074c85a
Merge branch 'main' into msgraph
chkeita Aug 30, 2021
e4adb97
mypy fix
chkeita Aug 30, 2021
f3c75ef
Merge branch 'main' into msgraph
chkeita Aug 30, 2021
33145a4
Merge remote-tracking branch 'upstream/main' into msgraph
chkeita Sep 27, 2021
2c799f8
Merge branch 'main' into msgraph
chkeita Sep 27, 2021
9622d3a
build fix
chkeita Sep 27, 2021
3582046
mypy fix
chkeita Sep 27, 2021
9825cae
format
chkeita Sep 27, 2021
a4a5123
formatting
chkeita Sep 27, 2021
6e0f8ca
flake fix
chkeita Sep 28, 2021
1db5092
remove webapp identity permission assignment
chkeita Sep 28, 2021
3550bfc
remove unused reference to assign_app_role
chkeita Sep 28, 2021
9d80ecc
Merge branch 'main' into msgraph
chkeita Oct 1, 2021
4be7fb5
Merge branch 'main' into msgraph
mgreisen Oct 1, 2021
4b5d453
Merge branch 'main' into msgraph
chkeita Oct 5, 2021
7e4a104
remove manual registration message
chkeita Oct 5, 2021
7f0473f
Merge branch 'main' into msgraph
stishkin Oct 5, 2021
8a49442
fixing name and logging
chkeita Oct 5, 2021
ceee50e
address PR coments
chkeita Oct 11, 2021
07f6586
address PR comments
chkeita Oct 11, 2021
06ce521
Merge branch 'main' into msgraph
chkeita Oct 12, 2021
c6e3888
build fix
chkeita Oct 12, 2021
5bb126c
lint
chkeita Oct 12, 2021
5e4053e
lint
chkeita Oct 12, 2021
82e8e1a
mypy fix
chkeita Oct 12, 2021
f30f8db
mypy fix
chkeita Oct 12, 2021
550aa25
formatting
chkeita Oct 12, 2021
eaa5992
address PR comments
chkeita Oct 13, 2021
6570f49
Merge branch 'main' into msgraph
chkeita Oct 13, 2021
c75cd3a
linting
chkeita Oct 13, 2021
34149c5
Merge branch 'main' into msgraph
chkeita Oct 13, 2021
1f0408b
lint
chkeita Oct 13, 2021
9fcf65d
Merge branch 'main' into msgraph
chkeita Oct 14, 2021
28b4dcf
remove ONEFUZZ_AAD_GROUP_ID check
chkeita Oct 19, 2021
e58c69e
regenerate webhook_events.md
chkeita Oct 19, 2021
dacf485
Merge branch 'main' into msgraph
chkeita Oct 19, 2021
701fb69
change return type of query_microsoft_graph_list
chkeita Oct 19, 2021
7732edc
Merge branch 'main' into msgraph
chkeita Oct 20, 2021
74a6d70
fix tenant_id
chkeita Oct 20, 2021
66b681a
Merge branch 'main' into msgraph
chkeita Oct 22, 2021
15 changes: 10 additions & 5 deletions docs/webhook_events.md
Expand Up @@ -1004,7 +1004,8 @@ Each event will be submitted via HTTP POST to the user provided URL.
469,
470,
471,
472
472,
473
],
"title": "ErrorCode"
},
Expand Down Expand Up @@ -1615,7 +1616,8 @@ Each event will be submitted via HTTP POST to the user provided URL.
469,
470,
471,
472
472,
473
],
"title": "ErrorCode"
}
Expand Down Expand Up @@ -2501,7 +2503,8 @@ Each event will be submitted via HTTP POST to the user provided URL.
469,
470,
471,
472
472,
473
],
"title": "ErrorCode"
}
Expand Down Expand Up @@ -3190,7 +3193,8 @@ Each event will be submitted via HTTP POST to the user provided URL.
469,
470,
471,
472
472,
473
],
"title": "ErrorCode"
},
Expand Down Expand Up @@ -5123,7 +5127,8 @@ Each event will be submitted via HTTP POST to the user provided URL.
469,
470,
471,
472
472,
473
],
"title": "ErrorCode"
},
Expand Down
85 changes: 74 additions & 11 deletions src/api-service/__app__/onefuzzlib/azure/creds.py
Expand Up @@ -6,12 +6,12 @@
import functools
import logging
import os
from typing import Any, Callable, List, TypeVar, cast
import urllib.parse
from typing import Any, Callable, Dict, List, Optional, TypeVar, cast
from uuid import UUID

import requests
from azure.core.exceptions import ClientAuthenticationError
from azure.graphrbac import GraphRbacManagementClient
from azure.graphrbac.models import CheckGroupMembershipParameters
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
from azure.mgmt.resource import ResourceManagementClient
Expand All @@ -23,6 +23,10 @@

from .monkeypatch import allow_more_workers, reduce_logging

# https://docs.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0
GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_RESOURCE_ENDPOINT = "https://graph.microsoft.com/v1.0"


@cached
def get_msi() -> MSIAuthentication:
Expand Down Expand Up @@ -99,18 +103,77 @@ def get_regions() -> List[Region]:
return sorted([Region(x.name) for x in locations])


@cached
def get_graph_client() -> GraphRbacManagementClient:
return GraphRbacManagementClient(get_msi(), get_subscription())
class GraphQueryError(Exception):
def __init__(self, message: str, status_code: Optional[int]) -> None:
super(GraphQueryError, self).__init__(message)
self.message = message
self.status_code = status_code


def query_microsoft_graph(
method: str,
resource: str,
params: Optional[Dict] = None,
body: Optional[Dict] = None,
) -> Dict:
cred = get_identity()
access_token = cred.get_token(f"{GRAPH_RESOURCE}/.default")

url = urllib.parse.urljoin(f"{GRAPH_RESOURCE_ENDPOINT}/", resource)
headers = {
"Authorization": "Bearer %s" % access_token.token,
"Content-Type": "application/json",
}
response = requests.request(
method=method, url=url, headers=headers, params=params, json=body
)

if 200 <= response.status_code < 300:
if response.content and response.content.strip():
json = response.json()
if isinstance(json, Dict):
return json
else:
raise GraphQueryError(
"invalid data expected a json object: HTTP"
f" {response.status_code} - {json}",
response.status_code,
)
else:
return {}
else:
error_text = str(response.content, encoding="utf-8", errors="backslashreplace")
raise GraphQueryError(
f"request did not succeed: HTTP {response.status_code} - {error_text}",
response.status_code,
)


def query_microsoft_graph_list(
method: str,
resource: str,
params: Optional[Dict] = None,
body: Optional[Dict] = None,
) -> List[Any]:
result = query_microsoft_graph(
method,
resource,
params,
body,
)
value = result.get("value")
if isinstance(value, list):
return value
else:
raise GraphQueryError("Expected data containing a list of values", None)


def is_member_of(group_id: str, member_id: str) -> bool:
client = get_graph_client()
return bool(
client.groups.is_member_of(
CheckGroupMembershipParameters(group_id=group_id, member_id=member_id)
).value
body = {"groupIds": [group_id]}
response = query_microsoft_graph_list(
method="POST", resource=f"users/{member_id}/checkMemberGroups", body=body
)
return group_id in response


@cached
Expand Down
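Review bot: `requests.request(...)` in query_microsoft_graph is called without a `timeout`, so a stalled Graph endpoint blocks the function worker indefinitely; pass `timeout=GRAPH_REQUEST_TIMEOUT` with a module-level constant (value to be chosen by the team) and document it next to GRAPH_RESOURCE_ENDPOINT. The URL is built with `urllib.parse.urljoin` on the caller-supplied `resource`, and urljoin replaces the base path or host when the second argument starts with `/` or is absolute, so the bearer token is sent wherever that string resolves; is_member_of interpolates `member_id` into the path unescaped. Quote the segment, `resource=f"users/{urllib.parse.quote(member_id, safe='')}/checkMemberGroups"`, and have query_microsoft_graph reject a `resource` that is absolute or starts with `/` before calling urljoin. The `@cached` function at the end of the section continues outside the hunk.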
26 changes: 7 additions & 19 deletions src/api-service/__app__/onefuzzlib/request.py
Expand Up @@ -10,13 +10,11 @@
from uuid import UUID

from azure.functions import HttpRequest, HttpResponse
from azure.graphrbac.models import GraphErrorException
from onefuzztypes.enums import ErrorCode
from onefuzztypes.models import Error
from onefuzztypes.responses import BaseResponse
from pydantic import ValidationError

from .azure.creds import is_member_of
from .orm import ModelMixin

# We don't actually use these types at runtime at this time. Rather,
Expand All @@ -28,25 +26,15 @@


def check_access(req: HttpRequest) -> Optional[Error]:
if "ONEFUZZ_AAD_GROUP_ID" not in os.environ:
return None

group_id = os.environ["ONEFUZZ_AAD_GROUP_ID"]
member_id = req.headers["x-ms-client-principal-id"]
try:
result = is_member_of(group_id, member_id)
except GraphErrorException:
return Error(
code=ErrorCode.UNAUTHORIZED, errors=["unable to interact with graph"]
)
if not result:
logging.error("unauthorized access: %s is not in %s", member_id, group_id)
if "ONEFUZZ_AAD_GROUP_ID" in os.environ:
message = "ONEFUZZ_AAD_GROUP_ID configuration not supported"
logging.error(message)
return Error(
code=ErrorCode.UNAUTHORIZED,
errors=["not approved to use this instance of onefuzz"],
code=ErrorCode.INVALID_CONFIGURATION,
errors=[message],
)

return None
else:
return None


def ok(
Expand Down
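Review bot: check_access no longer reads `req` and no longer performs any group-membership check, yet its name and signature still read as a per-request authorization decision; the hunk gives no indication of where, if anywhere, that check now lives. Add a docstring such as `"""Reject the legacy ONEFUZZ_AAD_GROUP_ID setting as INVALID_CONFIGURATION; no per-request group check is made here."""` so the next reader does not assume the function still gates access. The `else: return None` after an unconditional return inside the `if` is redundant and can be flattened to a bare `return None`. The `ok(` function that starts at the end of the section continues outside the hunk.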
1 change: 0 additions & 1 deletion src/api-service/__app__/requirements.txt
Expand Up @@ -4,7 +4,6 @@ azure-cosmosdb-nspkg==2.0.2
azure-cosmosdb-table==1.0.6
azure-devops==6.0.0b4
azure-functions==1.7.2
azure-graphrbac~=0.61.1
azure-identity==1.6.1
azure-keyvault-secrets~=4.3.0
azure-mgmt-compute==22.0
Expand Down
2 changes: 1 addition & 1 deletion src/cli/requirements.txt
Expand Up @@ -23,4 +23,4 @@ cryptography<3.4,>=3.2
# PyJWT needs to be pinned to the version used by azure-cli-core
PyJWT>=2.1.0
# onefuzztypes version is set during build
onefuzztypes==0.0.0
onefuzztypes==0.0.0
2 changes: 1 addition & 1 deletion src/deployment/azuredeploy.json
Expand Up @@ -899,6 +899,6 @@
"tenant_id": {
"type": "string",
"value": "[subscription().tenantId]"
}
}
}
}