SP Guest Account Access locked down by default and deploying user added as admin. (#1425)

* Service Principal locked down by default and deploying user added. * Fixing call to client. * Adding multiple users. * Retrieving SP id. * Refactorin gcall. * Getting closer. * Can retrieve object_id from create * New retrieve sp functionality. * mypy fixes. * Separating functionality into new function. * mypy errors. * Logic for updating appRoleAssignemntRequired param. * Changing to patch. * Updating to Patch. * Fixing bug. * Fixing bad assignment. * Responding to comments. * Removing functionality for updating setting. * Update src/deployment/deploy.py Co-authored-by: Cheick Keita <kcheick@gmail.com> * UPdating error message. * Retriggering? * Trying to emulate new file structure. * Fixing lint issues. * Fixing create sp. Co-authored-by: nharper285 <nharper285@gmail.com> Co-authored-by: Cheick Keita <kcheick@gmail.com>
2025-06-14 11:08:06 +00:00 · 2021-11-05 16:29:08 -07:00
parent 6b64b60da7
commit de2b7cabd0
3 changed files with 125 additions and 5 deletions
--- a/src/deployment/deploy.py
+++ b/src/deployment/deploy.py
@ -60,9 +60,12 @@ from deploylib.registration import (
    GraphQueryError,
    OnefuzzAppRole,
    add_application_password,
+    add_user,
    assign_instance_app_role,
    authorize_application,
    get_application,
+    get_service_principal,
+    get_signed_in_user,
    get_tenant_id,
    query_microsoft_graph,
    register_application,
@ -300,7 +303,6 @@ class Client:
            display_name=self.application_name,
            subscription_id=self.get_subscription_id(),
        )
-
        app_roles = [
            {
                "allowedMemberTypes": ["Application"],
@ -318,6 +320,14 @@ class Client:
                "isEnabled": True,
                "value": OnefuzzAppRole.ManagedNode.value,
            },
+            {
+                "allowedMemberTypes": ["User"],
+                "description": "Allows user access from the CLI.",
+                "displayName": OnefuzzAppRole.UserAssignment.value,
+                "id": str(uuid.uuid4()),
+                "isEnabled": True,
+                "value": OnefuzzAppRole.UserAssignment.value,
+            },
        ]

        if not app:
@ -372,7 +382,7 @@ class Client:

            service_principal_params = {
                "accountEnabled": True,
-                "appRoleAssignmentRequired": False,
+                "appRoleAssignmentRequired": True,
                "servicePrincipalType": "Application",
                "appId": app["appId"],
            }
@ -431,11 +441,10 @@ class Client:
                # this is a requirement to update the application roles
                for role in app["appRoles"]:
                    role["isEnabled"] = False
-
                query_microsoft_graph(
                    method="PATCH",
                    resource=f"applications/{app['id']}",
-                    body={"appRoles": app["AppRoles"]},
+                    body={"appRoles": app["appRoles"]},
                    subscription=self.get_subscription_id(),
                )

@ -603,6 +612,37 @@ class Client:
            OnefuzzAppRole.ManagedNode,
        )

+    def assign_user_access(self) -> None:
+        logger.info("assinging user access to service principal")
+        app = get_application(
+            display_name=self.application_name,
+            subscription_id=self.get_subscription_id(),
+        )
+        user = get_signed_in_user(self.subscription_id)
+
+        if app:
+            sp = get_service_principal(app["appId"], self.subscription_id)
+            # Update appRoleAssignmentRequired if necessary
+            if not sp["appRoleAssignmentRequired"]:
+                logger.warning(
+                    "The service is not currently configured to require a role assignment to access it."
+                    + " This means that any authenticated user can access the service. "
+                    + " To change this behavior enable 'Assignment Required?' on the service principal in the AAD Portal."
+                )
+
+            # Assign Roles and Add Users
+            roles = [
+                x["id"]
+                for x in app["appRoles"]
+                if x["displayName"] == OnefuzzAppRole.UserAssignment.value
+            ]
+            users = [user["id"]]
+            if self.admins:
+                admins_str = [str(x) for x in self.admins]
+                users += admins_str
+            for user_id in users:
+                add_user(sp["id"], user_id, roles[0])
+
    def apply_migrations(self) -> None:
        logger.info("applying database migrations")
        name = self.results["deploy"]["func-name"]["value"]
@ -983,6 +1023,7 @@ def main() -> None:
        ("rbac", Client.setup_rbac),
        ("arm", Client.deploy_template),
        ("assign_scaleset_identity_role", Client.assign_scaleset_identity_role),
+        ("assign_user_access", Client.assign_user_access),
    ]

    full_deployment_states = rbac_only_states + [