ExternalVendorCode/onefuzz
1
0
Fork 0
mirror of https://github.com/microsoft/onefuzz.git synced 2025-06-17 20:38:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

SP Guest Account Access locked down by default and deploying user added as admin. (#1425)

Browse Source 
* Service Principal locked down by default and deploying user added.

* Fixing call to client.

* Adding multiple users.

* Retrieving SP id.

* Refactorin gcall.

* Getting closer.

* Can retrieve object_id from create

* New retrieve sp functionality.

* mypy fixes.

* Separating functionality into new function.

* mypy errors.

* Logic for updating appRoleAssignemntRequired param.

* Changing to patch.

* Updating to Patch.

* Fixing bug.

* Fixing bad assignment.

* Responding to comments.

* Removing functionality for updating setting.

* Update src/deployment/deploy.py

Co-authored-by: Cheick Keita <kcheick@gmail.com>

* UPdating error message.

* Retriggering?

* Trying to emulate new file structure.

* Fixing lint issues.

* Fixing create sp.

Co-authored-by: nharper285 <nharper285@gmail.com>
Co-authored-by: Cheick Keita <kcheick@gmail.com>
This commit is contained in:
Noah McGregor Harper
2021-11-05 16:29:08 -07:00
committed by GitHub
parent 6b64b60da7
commit de2b7cabd0
3 changed files with 125 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
src/deployment/deploylib/registration.py
View File

@ -154,6 +154,7 @@ class ApplicationInfo(NamedTuple):
class OnefuzzAppRole(Enum):
ManagedNode = "ManagedNode"
CliClient = "CliClient"
UserAssignment = "UserAssignment"
def register_application(
@ -646,6 +647,84 @@ def set_app_audience(
raise Exception(err_str)
def get_signed_in_user(subscription_id: Optional[str]) -> Any:
# Get principalId by retrieving owner for SP
try:
app = query_microsoft_graph(
method="GET",
resource="me/",
subscription=subscription_id,
)
return app
except GraphQueryError:
query = (
"az rest --method post --url "
"https://graph.microsoft.com/v1.0/me "
'--headers "Content-Type"=application/json'
)
logger.warning(
"execute the following query in the azure portal bash shell and "
"run deploy.py again : \n%s",
query,
)
err_str = "Unable to retrieve signed-in user via Microsoft Graph Query API. \n"
raise Exception(err_str)
def get_service_principal(app_id: str, subscription_id: Optional[str]) -> Any:
try:
service_principals = query_microsoft_graph_list(
method="GET",
resource="servicePrincipals",
params={"$filter": f"appId eq '{app_id}'"},
subscription=subscription_id,
)
if len(service_principals) != 0:
return service_principals[0]
else:
raise GraphQueryError(
f"Could not retrieve any service principals for App Id: {app_id}", 400
)
except GraphQueryError:
err_str = "Unable to add retrieve SP using Microsoft Graph Query API. \n"
raise Exception(err_str)
def add_user(object_id: str, principal_id: str, role_id: str) -> None:
# Get principalId by retrieving owner for SP
# need to add users with proper role assignment
http_body = {
"principalId": principal_id,
"resourceId": object_id,
"appRoleId": role_id,
}
try:
query_microsoft_graph(
method="POST",
resource="users/%s/appRoleAssignments" % principal_id,
body=http_body,
)
except GraphQueryError as ex:
if "Permission being assigned already exists" not in ex.message:
query = (
"az rest --method post --url "
"https://graph.microsoft.com/v1.0/users/%s/appRoleAssignments "
"--body '%s' --headers \"Content-Type\"=application/json"
% (principal_id, http_body)
)
logger.warning(
"execute the following query in the azure portal bash shell and "
"run deploy.py again : \n%s",
query,
)
err_str = "Unable to add user to SP using Microsoft Graph Query API. \n"
raise Exception(err_str)
else:
logger.info("User already assigned to application.")
def main() -> None:
formatter = argparse.ArgumentDefaultsHelpFormatter