mirror of
https://github.com/microsoft/onefuzz.git
synced 2025-06-15 03:18:07 +00:00
assign scaleset to a role (#185)
This commit is contained in:
Cheick Keita
GitHub
@ -12,18 +12,20 @@ import shutil
|
||||
import subprocess
|
||||
import sys
|
||||
import tempfile
|
||||
import time
|
||||
import uuid
|
||||
import zipfile
|
||||
from datetime import datetime, timedelta
|
||||
|
||||
from azure.cli.core import CLIError
|
||||
from azure.common.client_factory import get_client_from_cli_profile
|
||||
from azure.common.credentials import get_cli_profile
|
||||
from azure.core.exceptions import ResourceExistsError
|
||||
from azure.cosmosdb.table.tableservice import TableService
|
||||
from azure.graphrbac import GraphRbacManagementClient
|
||||
from azure.graphrbac.models import (
|
||||
Application,
|
||||
ApplicationCreateParameters,
|
||||
ApplicationUpdateParameters,
|
||||
AppRole,
|
||||
GraphErrorException,
|
||||
OptionalClaims,
|
||||
@ -48,7 +50,6 @@ from azure.mgmt.resource.resources.models import (
|
||||
DeploymentMode,
|
||||
DeploymentProperties,
|
||||
)
|
||||
import time
|
||||
from azure.mgmt.storage import StorageManagementClient
|
||||
from azure.storage.blob import (
|
||||
BlobServiceClient,
|
||||
@ -59,12 +60,12 @@ from azure.storage.queue import QueueServiceClient
|
||||
from msrest.serialization import TZ_UTC
|
||||
|
||||
from data_migration import migrate
|
||||
from register_pool_application import (
|
||||
from registration import (
|
||||
add_application_password,
|
||||
authorize_application,
|
||||
get_application,
|
||||
register_application,
|
||||
update_registration,
|
||||
update_pool_registration,
|
||||
)
|
||||
|
||||
USER_IMPERSONATION = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
|
||||
@ -225,12 +226,11 @@ class Client:
|
||||
while True:
|
||||
time.sleep(wait)
|
||||
count += 1
|
||||
try:
|
||||
return add_application_password(object_id)
|
||||
except CLIError as err:
|
||||
if count > timeout_seconds/wait:
|
||||
raise err
|
||||
logger.info("creating password failed, trying again")
|
||||
password = add_application_password(object_id)
|
||||
if password:
|
||||
return password
|
||||
if count > timeout_seconds/wait:
|
||||
raise Exception("creating password failed, trying again")
|
||||
|
||||
def setup_rbac(self):
|
||||
"""
|
||||
@ -256,6 +256,25 @@ class Client:
|
||||
logger.error("unable to query RBAC. Provide client_id and client_secret")
|
||||
sys.exit(1)
|
||||
|
||||
app_roles = [
|
||||
AppRole(
|
||||
allowed_member_types=["Application"],
|
||||
display_name="CliClient",
|
||||
id=str(uuid.uuid4()),
|
||||
is_enabled=True,
|
||||
description="Allows access from the CLI.",
|
||||
value="CliClient",
|
||||
),
|
||||
AppRole(
|
||||
allowed_member_types=["Application"],
|
||||
display_name="ManagedNode",
|
||||
id=str(uuid.uuid4()),
|
||||
is_enabled=True,
|
||||
description="Allow access from a lab machine.",
|
||||
value="ManagedNode",
|
||||
),
|
||||
]
|
||||
|
||||
if not existing:
|
||||
logger.info("creating Application registration")
|
||||
url = "https://%s.azurewebsites.net" % self.application_name
|
||||
@ -273,24 +292,7 @@ class Client:
|
||||
resource_app_id="00000002-0000-0000-c000-000000000000",
|
||||
)
|
||||
],
|
||||
app_roles=[
|
||||
AppRole(
|
||||
allowed_member_types=["Application"],
|
||||
display_name="CliClient",
|
||||
id=str(uuid.uuid4()),
|
||||
is_enabled=True,
|
||||
description="Allows access from the CLI.",
|
||||
value="CliClient",
|
||||
),
|
||||
AppRole(
|
||||
allowed_member_types=["Application"],
|
||||
display_name="LabMachine",
|
||||
id=str(uuid.uuid4()),
|
||||
is_enabled=True,
|
||||
description="Allow access from a lab machine.",
|
||||
value="LabMachine",
|
||||
),
|
||||
],
|
||||
app_roles=app_roles,
|
||||
)
|
||||
app = client.applications.create(params)
|
||||
|
||||
@ -303,7 +305,27 @@ class Client:
|
||||
)
|
||||
client.service_principals.create(service_principal_params)
|
||||
else:
|
||||
app = existing[0]
|
||||
app: Application = existing[0]
|
||||
existing_role_values = [app_role.value for app_role in app.app_roles]
|
||||
has_missing_roles = any(
|
||||
[role.value not in existing_role_values for role in app_roles]
|
||||
)
|
||||
|
||||
if has_missing_roles:
|
||||
# disabling the existing app role first to allow the update
|
||||
# this is a requirement to update the application roles
|
||||
for role in app.app_roles:
|
||||
role.is_enabled = False
|
||||
|
||||
client.applications.patch(
|
||||
app.object_id, ApplicationUpdateParameters(app_roles=app.app_roles)
|
||||
)
|
||||
|
||||
# overriding the list of app roles
|
||||
client.applications.patch(
|
||||
app.object_id, ApplicationUpdateParameters(app_roles=app_roles)
|
||||
)
|
||||
|
||||
creds = list(client.applications.list_password_credentials(app.object_id))
|
||||
client.applications.update_password_credentials(app.object_id, creds)
|
||||
|
||||
@ -612,7 +634,7 @@ class Client:
|
||||
def update_registration(self):
|
||||
if not self.create_registration:
|
||||
return
|
||||
update_registration(self.application_name)
|
||||
update_pool_registration(self.application_name)
|
||||
|
||||
def done(self):
|
||||
logger.info(TELEMETRY_NOTICE)
|
||||
@ -766,19 +788,6 @@ def main():
|
||||
|
||||
logging.getLogger("deploy").setLevel(logging.INFO)
|
||||
|
||||
# TODO: using az_cli resets logging defaults. For now, force these
|
||||
# to be WARN level
|
||||
if not args.verbose:
|
||||
for entry in [
|
||||
"adal-python",
|
||||
"msrest.universal_http",
|
||||
"urllib3.connectionpool",
|
||||
"az_command_data_logger",
|
||||
"msrest.service_client",
|
||||
"azure.core.pipeline.policies.http_logging_policy",
|
||||
]:
|
||||
logging.getLogger(entry).setLevel(logging.WARN)
|
||||
|
||||
if args.start_at != states[0][0]:
|
||||
logger.warning(
|
||||
"*** Starting at a non-standard deployment state. "
|
||||
|
||||
Reference in New Issue
Block a user