Re-enable the retry logic for App Password creation (#338)

2025-06-15 19:38:11 +00:00 · 2020-11-24 08:00:31 -05:00
parent d47124fe8c
commit 905dc7c0d6
3 changed files with 39 additions and 28 deletions
--- a/src/deployment/data_migration.py
+++ b/src/deployment/data_migration.py
@ -47,7 +47,6 @@ def migrate_notification_keys(table_service: TableService) -> None:
    notifications = table_service.query_entities(
        table_name, select="PartitionKey,RowKey,config"
    )
-    partitionKey = None

    count = 0
    for entry in notifications:
--- a/src/deployment/deploy.py
+++ b/src/deployment/deploy.py
@ -226,19 +226,7 @@ class Client:
            sys.exit(1)

    def create_password(self, object_id: UUID) -> Tuple[str, str]:
-        # Work-around the race condition where the app is created but passwords cannot
-        # be created yet.
-        count = 0
-        wait = 5
-        timeout_seconds = 60
-        while True:
-            time.sleep(wait)
-            count += 1
-            password = add_application_password(object_id)
-            if password:
-                return password
-            if count > timeout_seconds / wait:
-                raise Exception("creating password failed, trying again")
+        return add_application_password(object_id)

    def setup_rbac(self) -> None:
        """
@ -689,7 +677,8 @@ class Client:
                        if i + 1 < max_tries:
                            logger.debug("func failure error: %s", err)
                            logger.warning(
-                                "function failed to deploy, waiting 60 seconds and trying again"
+                                "function failed to deploy, waiting 60 "
+                                "seconds and trying again"
                            )
                            time.sleep(60)
                if error is not None:
--- a/src/deployment/registration.py
+++ b/src/deployment/registration.py
@ -19,7 +19,6 @@ from azure.graphrbac import GraphRbacManagementClient
 from azure.graphrbac.models import (
    Application,
    ApplicationCreateParameters,
-    AppRole,
    RequiredResourceAccess,
    ResourceAccess,
 )
@ -32,6 +31,7 @@ logger = logging.getLogger("deploy")
 class GraphQueryError(Exception):
    def __init__(self, message: str, status_code: int) -> None:
        super(GraphQueryError, self).__init__(message)
+        self.message = message
        self.status_code = status_code


@ -211,6 +211,28 @@ def create_application_registration(


 def add_application_password(app_object_id: UUID) -> Tuple[str, str]:
+    # Work-around the race condition where the app is created but passwords cannot
+    # be created yet.
+
+    error: Optional[GraphQueryError] = None
+    count = 0
+    tries = 10
+    wait_duration = 10
+    while count < tries:
+        count += 1
+        try:
+            return add_application_password_impl(app_object_id)
+        except GraphQueryError as err:
+            error = err
+            logging.warning("unable to create app password: %s", err.message)
+        time.sleep(wait_duration)
+    if error:
+        raise error
+    else:
+        raise Exception("unable to create password")
+
+
+def add_application_password_impl(app_object_id: UUID) -> Tuple[str, str]:
    key = uuid4()
    password_request = {
        "passwordCredential": {
@ -222,7 +244,7 @@ def add_application_password(app_object_id: UUID) -> Tuple[str, str]:
            ),
        }
    }
-    try:
+
    password: Dict = query_microsoft_graph(
        method="POST",
        resource="applications/%s/addPassword" % app_object_id,
@ -230,9 +252,6 @@ def add_application_password(app_object_id: UUID) -> Tuple[str, str]:
    )

    return (str(key), password["secretText"])
-    except GraphQueryError as err:
-        logger.warning("creating password failed : %s" % err)
-        raise err


 def get_application(app_id: UUID) -> Optional[Any]:
@ -312,7 +331,10 @@ def update_pool_registration(onefuzz_instance_name: str) -> None:


 def assign_scaleset_role(onefuzz_instance_name: str, scaleset_name: str) -> None:
-    """ Allows the nodes in the scaleset to access the service by assigning their managed identity to the ManagedNode Role """
+    """
+    Allows the nodes in the scaleset to access the service by assigning
+    their managed identity to the ManagedNode Role
+    """

    onefuzz_service_appId = query_microsoft_graph(
        method="GET",
@ -354,7 +376,8 @@ def assign_scaleset_role(onefuzz_instance_name: str, scaleset_name: str) -> None

    if not managed_node_role:
        raise Exception(
-            "ManagedNode role not found int the onefuzz application registration. Please redeploy the instance"
+            "ManagedNode role not found in the OneFuzz application "
+            "registration. Please redeploy the instance"
        )

    assignments = query_microsoft_graph(