ExternalVendorCode/onefuzz
1
0
Fork 0
mirror of https://github.com/microsoft/onefuzz.git synced 2025-06-15 11:28:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Deployment fix for --auto_create_cli_app flag bug (#2921)

Browse Source 
* Update .gitignore

* re-add sync-fork.yml

deleted after merge from origin/main

* Update README.md

TEST

* Update README.md

* Update sync-fork.yml

bump ver to 1.8

* updated deploy.py and configuration.py

* cleanup

* formatting

* linter cleanup

* linter cleanup 2

* better logging

* last linter issue

* remove extra app

* Updating getting started docs for config refactor

* Update docs/getting-started.md

Co-authored-by: Noah McGregor Harper <74685766+nharper285@users.noreply.github.com>

* update getting-started.md doc for config refactor

* update getting-started.md doc for config refactor

---------

Co-authored-by: Noah McGregor Harper <74685766+nharper285@users.noreply.github.com>
This commit is contained in:
Adam
2023-03-10 15:26:40 -08:00
committed by GitHub
parent 49543cfa14
commit 1f67494334
3 changed files with 110 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
docs/getting-started.md
View File

@ -30,7 +30,7 @@ On a host with the [Azure CLI logged
in](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest), in](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest),
do the following: do the following:
``` ```console
unzip onefuzz-deployment-$VERSION.zip unzip onefuzz-deployment-$VERSION.zip
pip install -r requirements.txt pip install -r requirements.txt
chmod +x deploy.py chmod +x deploy.py
@ -40,7 +40,7 @@ chmod +x deploy.py
When running `deploy.py` the first time for an instance, you will be prompted When running `deploy.py` the first time for an instance, you will be prompted
to follow a manual step to initialize your CLI config. to follow a manual step to initialize your CLI config.
The `$NSG_CONFIG_FILE` is a required parameter that specifies the 'allow rules' for the OneFuzz Network Security Group. A default `config.json` is provided in the deployment zip. The `$NSG_CONFIG_FILE` is a required parameter that specifies the 'allow rules' for the OneFuzz Network Security Group as well as other basic OneFuzz settings. A `config.json` file is provided with default NSG values.
This 'allow' config resembles the following: This 'allow' config resembles the following:
```json ```json
@ -52,6 +52,44 @@ This 'allow' config resembles the following:
} }
``` ```
>#### Note:
> - Line #5 in the example `config.json` inside of the deployment.zip has the parameter for `"cli_client_id": "",`
> - You'll need to add your CLI app registration ID to this parameter's value for deployments and upgrade deployments
> **unless** you're deploying and passing the `--auto_create_cli_app` flag to create a new App ID during the deployment.
> - If you wanted to create a new App ID at deployment and use this flag, you need to delete this line to remove the `cli_client_id` key from your config file.
**Example deployment config.json:**
```json
{
"tenant_id": "05c88c2c-55f6-4a51-81db-cdbbf759fa75",
"tenant_domain": "azurewebsites.net",
"multi_tenant_domain": "",
"cli_client_id": "6e5d9a35-39ca-4978-8fe3-5b84b0b8806a",
"proxy_nsg_config": {
"allowed_ips": [
"*"
],
"allowed_service_tags": []
}
}
```
**Example config.json for a deployment where `--auto_create_cli_app` is being used:**
```json
{
"tenant_id": "e6424a5f-2625-42a4-8d94-c9677a4d96fc",
"tenant_domain": "azurewebsites.net",
"multi_tenant_domain": "",
"proxy_nsg_config": {
"allowed_ips": [
"*"
],
"allowed_service_tags": []
}
}
```
Future updates can be made to this configuration via the OneFuzz CLI. Future updates can be made to this configuration via the OneFuzz CLI.
## Install the CLI ## Install the CLI
@ -61,7 +99,7 @@ from the [Latest Release of OneFuzz](https://github.com/microsoft/onefuzz/releas
If you're using the SDK, install via: If you're using the SDK, install via:
``` ```console
pip install ./onefuzz*.whl pip install ./onefuzz*.whl
``` ```

76
src/deployment/deploy.py
View File

@ -398,36 +398,41 @@ class Client:
(password_id, password) = self.create_password(app["id"]) (password_id, password) = self.create_password(app["id"])
cli_app = get_application( try:
app_id=uuid.UUID(self.cli_app_id), cli_app = get_application(
subscription_id=self.get_subscription_id(), app_id=uuid.UUID(self.cli_app_id),
) subscription_id=self.get_subscription_id(),
)
except Exception as err:
cli_app = None
logger.info(
"Could not find the default CLI application under the current "
"subscription."
)
logger.debug(f"Error finding CLI application due to: {err}")
if self.auto_create_cli_app:
logger.info("auto_create_cli_app specified, creating a new CLI application")
app_info = register_application(
"onefuzz-cli",
self.application_name,
OnefuzzAppRole.CliClient,
self.get_subscription_id(),
)
if not cli_app: try:
if self.auto_create_cli_app: cli_app = get_application(
logger.info( app_id=app_info.client_id,
"Could not find the default CLI application under the current " subscription_id=self.get_subscription_id(),
"subscription and auto_create specified, creating a new one"
) )
app_info = register_application( self.cli_app_id = str(app_info.client_id)
"onefuzz-cli", logger.info(f"New CLI app created - cli_app_id : {self.cli_app_id}")
self.application_name, except Exception as err:
OnefuzzAppRole.CliClient,
self.get_subscription_id(),
)
self.cli_config = {
"client_id": app_info.client_id,
"authority": self.authority,
}
else:
logger.error( logger.error(
"error deploying. could not find specified CLI app registrion." f"Unable to determine new 'cli_app_id' for new app registration: {err} "
"use flag --auto_create_cli_app to automatically create CLI registration"
"or specify a correct app id with --cli_app_id."
) )
sys.exit(1) sys.exit(1)
else:
if cli_app:
onefuzz_cli_app = cli_app onefuzz_cli_app = cli_app
authorize_application(uuid.UUID(onefuzz_cli_app["appId"]), app["appId"]) authorize_application(uuid.UUID(onefuzz_cli_app["appId"]), app["appId"])
@ -467,8 +472,15 @@ class Client:
OnefuzzAppRole.ManagedNode, OnefuzzAppRole.ManagedNode,
) )
self.results["client_id"] = app["appId"] self.results["client_id"] = app["appId"]
self.results["client_secret"] = password self.results["client_secret"] = password
else:
logger.error(
"error deploying. could not find specified CLI app registrion."
"use flag --auto_create_cli_app to automatically create CLI registration"
"or specify a correct app id with --cli_app_id."
)
sys.exit(1)
def update_existing_app_registration( def update_existing_app_registration(
self, app: Dict[str, Any], app_roles: List[Dict[str, Any]] self, app: Dict[str, Any], app_roles: List[Dict[str, Any]]
@ -777,7 +789,10 @@ class Client:
config_template = json.load(template_handle) config_template = json.load(template_handle)
try: try:
config = Config(config_template) if self.auto_create_cli_app:
config = Config(config_template, True)
else:
config = Config(config_template)
self.rules = parse_rules(config) self.rules = parse_rules(config)
## Values provided via the CLI will override what's in the config.json ## Values provided via the CLI will override what's in the config.json
@ -789,8 +804,9 @@ class Client:
self.tenant_domain = config.tenant_domain self.tenant_domain = config.tenant_domain
if self.multi_tenant_domain == "": if self.multi_tenant_domain == "":
self.multi_tenant_domain = config.multi_tenant_domain self.multi_tenant_domain = config.multi_tenant_domain
if self.cli_app_id == "": if not self.cli_app_id:
self.cli_app_id = config.cli_client_id if not self.auto_create_cli_app:
self.cli_app_id = config.cli_client_id
except Exception as ex: except Exception as ex:
logging.info( logging.info(

41
src/deployment/deploylib/configuration.py
View File

@ -56,7 +56,8 @@ class Config:
allowed_ips: List[str] allowed_ips: List[str]
allowed_service_tags: List[str] allowed_service_tags: List[str]
def __init__(self, config: Any): def __init__(self, config: Any, new_app: bool = False):
self.new_app_id = new_app
self.parse_nsg_json(config) self.parse_nsg_json(config)
self.parse_endpoint_json(config) self.parse_endpoint_json(config)
@ -113,25 +114,28 @@ class Config:
self.allowed_service_tags = proxy_config["allowed_service_tags"] self.allowed_service_tags = proxy_config["allowed_service_tags"]
def parse_endpoint_json(self, config: Any) -> None: def parse_endpoint_json(self, config: Any) -> None:
if "cli_client_id" not in config: if not self.new_app_id:
raise Exception( if "cli_client_id" not in config:
"CLI client_id not provided as valid key. Please Provide Valid Config." raise Exception(
) "CLI client_id not provided as valid key. Please Provide Valid Config."
)
if ( if (
not isinstance(config["cli_client_id"], str) not isinstance(config["cli_client_id"], str)
or config["cli_client_id"] == "" or config["cli_client_id"] == ""
): ):
raise Exception( raise Exception(
"client_id is not a string. Please provide valid client_id." "client_id is not a string. Please provide valid client_id."
) )
try: try:
UUID(config["cli_client_id"]) UUID(config["cli_client_id"])
except ValueError: except ValueError:
raise Exception( raise Exception(
"client_id is not a valid UUID. Please provide valid client_id." "client_id is not a valid UUID. Please provide valid client_id."
) )
self.cli_client_id = config["cli_client_id"]
if "tenant_id" not in config: if "tenant_id" not in config:
raise Exception( raise Exception(
@ -166,7 +170,6 @@ class Config:
"multi_tenant_domain is not a string. Please provide valid multi_tenant_domain. If the instance is not multi-tenant, please provide an empty string." "multi_tenant_domain is not a string. Please provide valid multi_tenant_domain. If the instance is not multi-tenant, please provide an empty string."
) )
self.cli_client_id = config["cli_client_id"]
self.tenant_id = config["tenant_id"] self.tenant_id = config["tenant_id"]
self.tenant_domain = config["tenant_domain"] self.tenant_domain = config["tenant_domain"]
self.multi_tenant_domain = config["multi_tenant_domain"] self.multi_tenant_domain = config["multi_tenant_domain"]