fix multi-tenant deployment (#1270)
@ -251,6 +251,30 @@ class Client:
|
|||||||
def create_password(self, object_id: UUID) -> Tuple[str, str]:
|
def create_password(self, object_id: UUID) -> Tuple[str, str]:
|
||||||
return add_application_password(object_id, self.get_subscription_id())
|
return add_application_password(object_id, self.get_subscription_id())
|
||||||
|
|
||||||
|
def get_instance_url(self) -> str:
|
||||||
|
## The url to access the instance
|
||||||
|
## This also represents the legacy identifier_uris of the application registration
|
||||||
|
if self.multi_tenant_domain:
|
||||||
|
return "https://%s/%s" % (
|
||||||
|
self.multi_tenant_domain,
|
||||||
|
self.application_name,
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
return "https://%s.azurewebsites.net" % self.application_name
|
||||||
|
|
||||||
|
def get_identifier_url(self) -> str:
|
||||||
|
## The used to identify the application registration via the identifier_uris field
|
||||||
|
## Depending on the environment this value needs to be from an approved domain
|
||||||
|
## The format of this value is derived from the default value proposed by azure when creating
|
||||||
|
## an application registration api://{guid}/...
|
||||||
|
if self.multi_tenant_domain:
|
||||||
|
return "api://%s/%s" % (
|
||||||
|
self.multi_tenant_domain,
|
||||||
|
self.application_name,
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
return "api://%s.azurewebsites.net" % self.application_name
|
||||||
|
|
||||||
def setup_rbac(self) -> None:
|
def setup_rbac(self) -> None:
|
||||||
"""
|
"""
|
||||||
Setup the client application for the OneFuzz instance.
|
Setup the client application for the OneFuzz instance.
|
||||||
@ -300,18 +324,10 @@ class Client:
|
|||||||
if not existing:
|
if not existing:
|
||||||
logger.info("creating Application registration")
|
logger.info("creating Application registration")
|
||||||
|
|
||||||
if self.multi_tenant_domain:
|
|
||||||
url = "https://%s/%s" % (
|
|
||||||
self.multi_tenant_domain,
|
|
||||||
self.application_name,
|
|
||||||
)
|
|
||||||
else:
|
|
||||||
url = "https://%s.azurewebsites.net" % self.application_name
|
|
||||||
|
|
||||||
params = ApplicationCreateParameters(
|
params = ApplicationCreateParameters(
|
||||||
display_name=self.application_name,
|
display_name=self.application_name,
|
||||||
identifier_uris=[f"api://{self.application_name}.azurewebsites.net"],
|
identifier_uris=[self.get_identifier_url()],
|
||||||
reply_urls=[url + "/.auth/login/aad/callback"],
|
reply_urls=[self.get_instance_url() + "/.auth/login/aad/callback"],
|
||||||
optional_claims=OptionalClaims(id_token=[], access_token=[]),
|
optional_claims=OptionalClaims(id_token=[], access_token=[]),
|
||||||
required_resource_access=[
|
required_resource_access=[
|
||||||
RequiredResourceAccess(
|
RequiredResourceAccess(
|
||||||
@ -362,14 +378,7 @@ class Client:
|
|||||||
|
|
||||||
else:
|
else:
|
||||||
app = existing[0]
|
app = existing[0]
|
||||||
if self.multi_tenant_domain:
|
api_id = self.get_identifier_url()
|
||||||
api_id = "api://%s/%s" % (
|
|
||||||
self.multi_tenant_domain,
|
|
||||||
self.application_name,
|
|
||||||
)
|
|
||||||
else:
|
|
||||||
api_id = "api://%s.azurewebsites.net" % self.application_name
|
|
||||||
|
|
||||||
if api_id not in app.identifier_uris:
|
if api_id not in app.identifier_uris:
|
||||||
identifier_uris = app.identifier_uris
|
identifier_uris = app.identifier_uris
|
||||||
identifier_uris.append(api_id)
|
identifier_uris.append(api_id)
|
||||||
@ -473,28 +482,16 @@ class Client:
|
|||||||
"%Y-%m-%dT%H:%M:%SZ"
|
"%Y-%m-%dT%H:%M:%SZ"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
app_func_audiences = [
|
||||||
|
self.get_identifier_url(),
|
||||||
|
self.get_instance_url(),
|
||||||
|
]
|
||||||
if self.multi_tenant_domain:
|
if self.multi_tenant_domain:
|
||||||
# clear the value in the Issuer Url field:
|
# clear the value in the Issuer Url field:
|
||||||
# https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient-enterpriseapi-multitenant
|
# https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient-enterpriseapi-multitenant
|
||||||
app_func_audiences = [
|
|
||||||
"api://%s/%s"
|
|
||||||
% (
|
|
||||||
self.multi_tenant_domain,
|
|
||||||
self.application_name,
|
|
||||||
),
|
|
||||||
"https://%s/%s"
|
|
||||||
% (
|
|
||||||
self.multi_tenant_domain,
|
|
||||||
self.application_name,
|
|
||||||
),
|
|
||||||
]
|
|
||||||
app_func_issuer = ""
|
app_func_issuer = ""
|
||||||
multi_tenant_domain = {"value": self.multi_tenant_domain}
|
multi_tenant_domain = {"value": self.multi_tenant_domain}
|
||||||
else:
|
else:
|
||||||
app_func_audiences = [
|
|
||||||
"api://%s.azurewebsites.net" % self.application_name,
|
|
||||||
"https://%s.azurewebsites.net" % self.application_name,
|
|
||||||
]
|
|
||||||
tenant_oid = str(self.cli_config["authority"]).split("/")[-1]
|
tenant_oid = str(self.cli_config["authority"]).split("/")[-1]
|
||||||
app_func_issuer = "https://sts.windows.net/%s/" % tenant_oid
|
app_func_issuer = "https://sts.windows.net/%s/" % tenant_oid
|
||||||
multi_tenant_domain = {"value": ""}
|
multi_tenant_domain = {"value": ""}
|
||||||
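Review bot: In the first hunk the new helpers get_instance_url and get_identifier_url document themselves with `##` comment lines, while setup_rbac at the end of the same hunk uses a `"""` docstring; the helper headers should be docstrings too, and the first line of get_identifier_url's comment is missing a word, e.g. `"""The URL used to identify the application registration via the identifier_uris field."""`. Both helpers interpolate self.multi_tenant_domain directly into `https://%s/%s` and `api://%s/%s`, and the second hunk feeds get_instance_url() into reply_urls and get_identifier_url() into identifier_uris, so a value carrying a scheme, a path or a trailing slash would register a malformed redirect URI and identifier URI on the app registration instead of failing early. A guard at the top of both helpers such as `if self.multi_tenant_domain and any(c in self.multi_tenant_domain for c in "/:?#"): raise ValueError("multi_tenant_domain must be a bare host name")` would make that explicit; whether the value is already validated where it is parsed is not visible in these hunks. The bodies of setup_rbac and of the method holding the fourth hunk start and end outside the hunks shown.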
|