/pkg/armhelpers/graph.go

https://github.com/Azure/acs-engine · Go · 154 lines · 114 code · 24 blank · 16 comment · 11 complexity · 1e5b7da1cfb3144b8d8514411a8306f4 MD5 · raw file 

    

  1. // Copyright (c) Microsoft Corporation. All rights reserved.
    2. 

  2. // Licensed under the MIT license.
    3. 

  3. 

  4. package armhelpers
    5. 

  5. 

  6. import (
    7. 

  7. 	"context"
    8. 

  8. 	"fmt"
    9. 

  9. 	"regexp"
    10. 

  10. 	"time"
    11. 

  11. 

  12. 	"github.com/Azure/azure-sdk-for-go/services/authorization/mgmt/2015-07-01/authorization"
    13. 

  13. 	"github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
    14. 

  14. 	"github.com/Azure/go-autorest/autorest"
    15. 

  15. 	"github.com/Azure/go-autorest/autorest/date"
    16. 

  16. 	"github.com/Azure/go-autorest/autorest/to"
    17. 

  17. 	"github.com/satori/go.uuid"
    18. 

  18. 	log "github.com/sirupsen/logrus"
    19. 

  19. )
    20. 

  20. 

  21. const (
    22. 

  22. 	// AADContributorRoleID is the role id that exists in every subscription for 'Contributor'
    23. 

  23. 	AADContributorRoleID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
    24. 

  24. 	// AADRoleReferenceTemplate is a template for a roleDefinitionId
    25. 

  25. 	AADRoleReferenceTemplate = "/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/%s"
    26. 

  26. 	// AADRoleResourceGroupScopeTemplate is a template for a roleDefinition scope
    27. 

  27. 	AADRoleResourceGroupScopeTemplate = "/subscriptions/%s/resourceGroups/%s"
    28. 

  28. )
    29. 

  29. 

  30. // CreateGraphApplication creates an application via the graphrbac client
    31. 

  31. func (az *AzureClient) CreateGraphApplication(ctx context.Context, applicationCreateParameters graphrbac.ApplicationCreateParameters) (graphrbac.Application, error) {
    32. 

  32. 	return az.applicationsClient.Create(ctx, applicationCreateParameters)
    33. 

  33. }
    34. 

  34. 

  35. // DeleteGraphApplication deletes an application via the graphrbac client
    36. 

  36. func (az *AzureClient) DeleteGraphApplication(ctx context.Context, applicationObjectID string) (result autorest.Response, err error) {
    37. 

  37. 	return az.applicationsClient.Delete(ctx, applicationObjectID)
    38. 

  38. }
    39. 

  39. 

  40. // CreateGraphPrincipal creates a service principal via the graphrbac client
    41. 

  41. func (az *AzureClient) CreateGraphPrincipal(ctx context.Context, servicePrincipalCreateParameters graphrbac.ServicePrincipalCreateParameters) (graphrbac.ServicePrincipal, error) {
    42. 

  42. 	return az.servicePrincipalsClient.Create(ctx, servicePrincipalCreateParameters)
    43. 

  43. }
    44. 

  44. 

  45. // CreateRoleAssignment creates a role assignment via the authorization client
    46. 

  46. func (az *AzureClient) CreateRoleAssignment(ctx context.Context, scope string, roleAssignmentName string, parameters authorization.RoleAssignmentCreateParameters) (authorization.RoleAssignment, error) {
    47. 

  47. 	return az.authorizationClient.Create(ctx, scope, roleAssignmentName, parameters)
    48. 

  48. }
    49. 

  49. 

  50. // DeleteRoleAssignmentByID deletes a roleAssignment via its unique identifier
    51. 

  51. func (az *AzureClient) DeleteRoleAssignmentByID(ctx context.Context, roleAssignmentID string) (authorization.RoleAssignment, error) {
    52. 

  52. 	return az.authorizationClient.DeleteByID(ctx, roleAssignmentID)
    53. 

  53. }
    54. 

  54. 

  55. // ListRoleAssignmentsForPrincipal (e.g. a VM) via the scope and the unique identifier of the principal
    56. 

  56. func (az *AzureClient) ListRoleAssignmentsForPrincipal(ctx context.Context, scope string, principalID string) (RoleAssignmentListResultPage, error) {
    57. 

  57. 	page, err := az.authorizationClient.ListForScope(ctx, scope, fmt.Sprintf("principalId eq '%s'", principalID))
    58. 

  58. 	return &page, err
    59. 

  59. }
    60. 

  60. 

  61. // CreateApp is a simpler method for creating an application
    62. 

  62. func (az *AzureClient) CreateApp(ctx context.Context, appName, appURL string, replyURLs *[]string, requiredResourceAccess *[]graphrbac.RequiredResourceAccess) (applicationResp graphrbac.Application, servicePrincipalObjectID, servicePrincipalClientSecret string, err error) {
    63. 

  63. 	notBefore := time.Now()
    64. 

  64. 	notAfter := time.Now().Add(10000 * 24 * time.Hour)
    65. 

  65. 

  66. 	startDate := date.Time{Time: notBefore}
    67. 

  67. 	endDate := date.Time{Time: notAfter}
    68. 

  68. 

  69. 	servicePrincipalClientSecret = uuid.NewV4().String()
    70. 

  70. 

  71. 	log.Debugf("ad: creating application with name=%q identifierURL=%q", appName, appURL)
    72. 

  72. 	applicationReq := graphrbac.ApplicationCreateParameters{
    73. 

  73. 		AvailableToOtherTenants: to.BoolPtr(false),
    74. 

  74. 		DisplayName:             to.StringPtr(appName),
    75. 

  75. 		Homepage:                to.StringPtr(appURL),
    76. 

  76. 		IdentifierUris:          to.StringSlicePtr([]string{appURL}),
    77. 

  77. 		ReplyUrls:               replyURLs,
    78. 

  78. 		PasswordCredentials: &[]graphrbac.PasswordCredential{
    79. 

  79. 			{
    80. 

  80. 				KeyID:     to.StringPtr(uuid.NewV4().String()),
    81. 

  81. 				StartDate: &startDate,
    82. 

  82. 				EndDate:   &endDate,
    83. 

  83. 				Value:     to.StringPtr(servicePrincipalClientSecret),
    84. 

  84. 			},
    85. 

  85. 		},
    86. 

  86. 		RequiredResourceAccess: requiredResourceAccess,
    87. 

  87. 	}
    88. 

  88. 	applicationResp, err = az.CreateGraphApplication(ctx, applicationReq)
    89. 

  89. 	if err != nil {
    90. 

  90. 		return applicationResp, "", "", err
    91. 

  91. 	}
    92. 

  92. 	applicationID := to.String(applicationResp.AppID)
    93. 

  93. 

  94. 	log.Debugf("ad: creating servicePrincipal for applicationID: %q", applicationID)
    95. 

  95. 

  96. 	servicePrincipalReq := graphrbac.ServicePrincipalCreateParameters{
    97. 

  97. 		AppID:          applicationResp.AppID,
    98. 

  98. 		AccountEnabled: to.BoolPtr(true),
    99. 

  99. 	}
    100. 

  100. 	servicePrincipalResp, err := az.servicePrincipalsClient.Create(ctx, servicePrincipalReq)
    101. 

  101. 	if err != nil {
    102. 

  102. 		return applicationResp, "", "", err
    103. 

  103. 	}
    104. 

  104. 

  105. 	servicePrincipalObjectID = to.String(servicePrincipalResp.ObjectID)
    106. 

  106. 

  107. 	return applicationResp, servicePrincipalObjectID, servicePrincipalClientSecret, nil
    108. 

  108. }
    109. 

  109. 

  110. // DeleteApp is a simpler method for deleting an application and the associated spn
    111. 

  111. func (az *AzureClient) DeleteApp(ctx context.Context, applicationName, applicationObjectID string) (autorest.Response, error) {
    112. 

  112. 	log.Debugf("ad: deleting application with name=%q", applicationName)
    113. 

  113. 	return az.DeleteGraphApplication(ctx, applicationObjectID)
    114. 

  114. }
    115. 

  115. 

  116. // CreateRoleAssignmentSimple is a wrapper around RoleAssignmentsClient.Create
    117. 

  117. func (az *AzureClient) CreateRoleAssignmentSimple(ctx context.Context, resourceGroup, servicePrincipalObjectID string) error {
    118. 

  118. 	roleAssignmentName := uuid.NewV4().String()
    119. 

  119. 

  120. 	roleDefinitionID := fmt.Sprintf(AADRoleReferenceTemplate, az.subscriptionID, AADContributorRoleID)
    121. 

  121. 	scope := fmt.Sprintf(AADRoleResourceGroupScopeTemplate, az.subscriptionID, resourceGroup)
    122. 

  122. 

  123. 	roleAssignmentParameters := authorization.RoleAssignmentCreateParameters{
    124. 

  124. 		Properties: &authorization.RoleAssignmentProperties{
    125. 

  125. 			RoleDefinitionID: to.StringPtr(roleDefinitionID),
    126. 

  126. 			PrincipalID:      to.StringPtr(servicePrincipalObjectID),
    127. 

  127. 		},
    128. 

  128. 	}
    129. 

  129. 

  130. 	re := regexp.MustCompile(`(?i)status=(\d+)`)
    131. 

  131. 	for {
    132. 

  132. 		_, err := az.CreateRoleAssignment(
    133. 

  133. 			ctx,
    134. 

  134. 			scope,
    135. 

  135. 			roleAssignmentName,
    136. 

  136. 			roleAssignmentParameters,
    137. 

  137. 		)
    138. 

  138. 		if err != nil {
    139. 

  139. 			match := re.FindStringSubmatch(err.Error())
    140. 

  140. 			if match != nil && (match[1] == "403") {
    141. 

  141. 				//insufficient permissions. stop now
    142. 

  142. 				log.Debugf("Failed to create role assignment (will abort now): %q", err)
    143. 

  143. 				return err
    144. 

  144. 			}
    145. 

  145. 			// TODO: Should we handle 409 errors as well here ?
    146. 

  146. 			log.Debugf("Failed to create role assignment (will retry): %q", err)
    147. 

  147. 			time.Sleep(3 * time.Second)
    148. 

  148. 			continue
    149. 

  149. 		}
    150. 

  150. 		break
    151. 

  151. 	}
    152. 

  152. 

  153. 	return nil
    154. 

  154. }
    155.