Merge pull request #108 from haroonf/authconfig
Add auth subgroups
StrawnSC authored May 19, 2022
2 parents 5c87013 + e7137ff commit 8d31890
Showing 8 changed files with 1,148 additions and 11 deletions.
1 change: 1 addition & 0 deletions src/containerapp/HISTORY.rst
Expand Up @@ -9,6 +9,7 @@ Release History
* Added 'az containerapp env certificate' to manage certificates in a container app environment
* Added 'az containerapp hostname' to manage hostnames in a container app
* Added 'az containerapp ssl upload' to upload a certificate, add a hostname and the binding to a container app
* Added 'az containerapp auth' to manage AuthConfigs for a containerapp

0.3.4
++++++
9 changes: 9 additions & 0 deletions src/containerapp/azext_containerapp/_constants.py
Expand Up @@ -14,4 +14,13 @@

MAX_ENV_PER_LOCATION = 2

MICROSOFT_SECRET_SETTING_NAME = "microsoft-provider-authentication-secret"
FACEBOOK_SECRET_SETTING_NAME = "facebook-provider-authentication-secret"
GITHUB_SECRET_SETTING_NAME = "github-provider-authentication-secret"
GOOGLE_SECRET_SETTING_NAME = "google-provider-authentication-secret"
MSA_SECRET_SETTING_NAME = "msa-provider-authentication-secret"
TWITTER_SECRET_SETTING_NAME = "twitter-provider-authentication-secret"
APPLE_SECRET_SETTING_NAME = "apple-provider-authentication-secret"
UNAUTHENTICATED_CLIENT_ACTION = ['RedirectToLoginPage', 'AllowAnonymous', 'RejectWith401', 'RejectWith404']
FORWARD_PROXY_CONVENTION = ['NoProxy', 'Standard', 'Custom']
CHECK_CERTIFICATE_NAME_AVAILABILITY_TYPE = "Microsoft.App/managedEnvironments/certificates"
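Review bot: `UNAUTHENTICATED_CLIENT_ACTION` and `FORWARD_PROXY_CONVENTION` are module-level lists that serve as fixed choice sets (this commit passes both to `get_enum_type` in _params.py), so a tuple states that intent and prevents accidental mutation by an importer: `UNAUTHENTICATED_CLIENT_ACTION = ('RedirectToLoginPage', 'AllowAnonymous', 'RejectWith401', 'RejectWith404')` and likewise for the proxy convention. The seven new `*_SECRET_SETTING_NAME` constants carry no comment; they look like the fixed names under which each identity provider's secret is stored on the container app, and if so a one-line comment such as `# Fixed containerapp secret names that hold each identity provider's client secret` would tell a maintainer why renaming one is a breaking change (confirm against the command implementation, which is not in this view).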
221 changes: 221 additions & 0 deletions src/containerapp/azext_containerapp/_help.py
Expand Up @@ -807,3 +807,224 @@
text: |
az containerapp hostname list -n MyContainerapp -g MyResourceGroup
"""

# Auth commands
helps['containerapp auth'] = """
type: group
short-summary: Manage containerapp authentication and authorization.
"""

helps['containerapp auth show'] = """
type: command
short-summary: Show the authentication settings for the containerapp.
examples:
- name: Show the authentication settings for the containerapp.
text: az containerapp auth show --name MyContainerapp --resource-group MyResourceGroup
"""

helps['containerapp auth update'] = """
type: command
short-summary: Update the authentication settings for the containerapp.
examples:
- name: Update the client ID of the AAD provider already configured.
text: |
az containerapp auth update -g myResourceGroup --name MyContainerapp --set identityProviders.azureActiveDirectory.registration.clientId=my-client-id
- name: Configure the app with file based authentication by setting the config file path.
text: |
az containerapp auth update -g myResourceGroup --name MyContainerapp --config-file-path D:\\home\\site\\wwwroot\\auth.json
- name: Configure the app to allow unauthenticated requests to hit the app.
text: |
az containerapp auth update -g myResourceGroup --name MyContainerapp --unauthenticated-client-action AllowAnonymous
- name: Configure the app to redirect unauthenticated requests to the Facebook provider.
text: |
az containerapp auth update -g myResourceGroup --name MyContainerapp --redirect-provider Facebook
- name: Configure the app to listen to the forward headers X-FORWARDED-HOST and X-FORWARDED-PROTO.
text: |
az containerapp auth update -g myResourceGroup --name MyContainerapp --proxy-convention Standard
"""

helps['containerapp auth apple'] = """
type: group
short-summary: Manage containerapp authentication and authorization of the Apple identity provider.
"""

helps['containerapp auth apple show'] = """
type: command
short-summary: Show the authentication settings for the Apple identity provider.
examples:
- name: Show the authentication settings for the Apple identity provider.
text: az containerapp auth apple show --name MyContainerapp --resource-group MyResourceGroup
"""

helps['containerapp auth apple update'] = """
type: command
short-summary: Update the client id and client secret for the Apple identity provider.
examples:
- name: Update the client id and client secret for the Apple identity provider.
text: |
az containerapp auth apple update -g myResourceGroup --name MyContainerapp \\
--client-id my-client-id --client-secret very_secret_password
"""

helps['containerapp auth facebook'] = """
type: group
short-summary: Manage containerapp authentication and authorization of the Facebook identity provider.
"""

helps['containerapp auth facebook show'] = """
type: command
short-summary: Show the authentication settings for the Facebook identity provider.
examples:
- name: Show the authentication settings for the Facebook identity provider.
text: az containerapp auth facebook show --name MyContainerapp --resource-group MyResourceGroup
"""

helps['containerapp auth facebook update'] = """
type: command
short-summary: Update the app id and app secret for the Facebook identity provider.
examples:
- name: Update the app id and app secret for the Facebook identity provider.
text: |
az containerapp auth facebook update -g myResourceGroup --name MyContainerapp \\
--app-id my-client-id --app-secret very_secret_password
"""

helps['containerapp auth github'] = """
type: group
short-summary: Manage containerapp authentication and authorization of the GitHub identity provider.
"""

helps['containerapp auth github show'] = """
type: command
short-summary: Show the authentication settings for the GitHub identity provider.
examples:
- name: Show the authentication settings for the GitHub identity provider.
text: az containerapp auth github show --name MyContainerapp --resource-group MyResourceGroup
"""

helps['containerapp auth github update'] = """
type: command
short-summary: Update the client id and client secret for the GitHub identity provider.
examples:
- name: Update the client id and client secret for the GitHub identity provider.
text: |
az containerapp auth github update -g myResourceGroup --name MyContainerapp \\
--client-id my-client-id --client-secret very_secret_password
"""

helps['containerapp auth google'] = """
type: group
short-summary: Manage containerapp authentication and authorization of the Google identity provider.
"""

helps['containerapp auth google show'] = """
type: command
short-summary: Show the authentication settings for the Google identity provider.
examples:
- name: Show the authentication settings for the Google identity provider.
text: az containerapp auth google show --name MyContainerapp --resource-group MyResourceGroup
"""

helps['containerapp auth google update'] = """
type: command
short-summary: Update the client id and client secret for the Google identity provider.
examples:
- name: Update the client id and client secret for the Google identity provider.
text: |
az containerapp auth google update -g myResourceGroup --name MyContainerapp \\
--client-id my-client-id --client-secret very_secret_password
"""

helps['containerapp auth microsoft'] = """
type: group
short-summary: Manage containerapp authentication and authorization of the Microsoft identity provider.
"""

helps['containerapp auth microsoft show'] = """
type: command
short-summary: Show the authentication settings for the Azure Active Directory identity provider.
examples:
- name: Show the authentication settings for the Azure Active Directory identity provider.
text: az containerapp auth microsoft show --name MyContainerapp --resource-group MyResourceGroup
"""

helps['containerapp auth microsoft update'] = """
type: command
short-summary: Update the client id and client secret for the Azure Active Directory identity provider.
examples:
- name: Update the open id issuer, client id and client secret for the Azure Active Directory identity provider.
text: |
az containerapp auth microsoft update -g myResourceGroup --name MyContainerapp \\
--client-id my-client-id --client-secret very_secret_password \\
--issuer https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7983a3e9c5a/
"""

helps['containerapp auth openid-connect'] = """
type: group
short-summary: Manage containerapp authentication and authorization of the custom OpenID Connect identity providers.
"""

helps['containerapp auth openid-connect show'] = """
type: command
short-summary: Show the authentication settings for the custom OpenID Connect identity provider.
examples:
- name: Show the authentication settings for the custom OpenID Connect identity provider.
text: az containerapp auth openid-connect show --name MyContainerapp --resource-group MyResourceGroup \\
--provider-name myOpenIdConnectProvider
"""

helps['containerapp auth openid-connect add'] = """
type: command
short-summary: Configure a new custom OpenID Connect identity provider.
examples:
- name: Configure a new custom OpenID Connect identity provider.
text: |
az containerapp auth openid-connect add -g myResourceGroup --name MyContainerapp \\
--provider-name myOpenIdConnectProvider --client-id my-client-id \\
--client-secret-name MY_SECRET_APP_SETTING \\
--openid-configuration https://myopenidprovider.net/.well-known/openid-configuration
"""

helps['containerapp auth openid-connect update'] = """
type: command
short-summary: Update the client id and client secret setting name for an existing custom OpenID Connect identity provider.
examples:
- name: Update the client id and client secret setting name for an existing custom OpenID Connect identity provider.
text: |
az containerapp auth openid-connect update -g myResourceGroup --name MyContainerapp \\
--provider-name myOpenIdConnectProvider --client-id my-client-id \\
--client-secret-name MY_SECRET_APP_SETTING
"""

helps['containerapp auth openid-connect remove'] = """
type: command
short-summary: Removes an existing custom OpenID Connect identity provider.
examples:
- name: Removes an existing custom OpenID Connect identity provider.
text: |
az containerapp auth openid-connect remove --name MyContainerapp --resource-group MyResourceGroup \\
--provider-name myOpenIdConnectProvider
"""

helps['containerapp auth twitter'] = """
type: group
short-summary: Manage containerapp authentication and authorization of the Twitter identity provider.
"""

helps['containerapp auth twitter show'] = """
type: command
short-summary: Show the authentication settings for the Twitter identity provider.
examples:
- name: Show the authentication settings for the Twitter identity provider.
text: az containerapp auth twitter show --name MyContainerapp --resource-group MyResourceGroup
"""

helps['containerapp auth twitter update'] = """
type: command
short-summary: Update the consumer key and consumer secret for the Twitter identity provider.
examples:
- name: Update the consumer key and consumer secret for the Twitter identity provider.
text: |
az containerapp auth twitter update -g myResourceGroup --name MyContainerapp \\
--consumer-key my-client-id --consumer-secret very_secret_password
"""
38 changes: 38 additions & 0 deletions src/containerapp/azext_containerapp/_params.py
Expand Up @@ -13,6 +13,7 @@

from ._validators import (validate_memory, validate_cpu, validate_managed_env_name_or_id, validate_registry_server,
validate_registry_user, validate_registry_pass, validate_target_port, validate_ingress)
from ._constants import UNAUTHENTICATED_CLIENT_ACTION, FORWARD_PROXY_CONVENTION


def load_arguments(self, _):
Expand Down Expand Up @@ -223,6 +224,7 @@ def load_arguments(self, _):
c.argument('secret_name', help="The name of the secret to show.")
c.argument('secret_names', nargs='+', help="A list of secret(s) for the container app. Space-separated secret values names.")
c.argument('show_values', help='Show the secret values.')
c.ignore('disable_max_length')

with self.argument_context('containerapp env dapr-component') as c:
c.argument('dapr_app_id', help="The Dapr app ID.")
Expand Down Expand Up @@ -272,6 +274,42 @@ def load_arguments(self, _):
c.argument('service_principal_client_secret', help='The service principal client secret. Used by Github Actions to authenticate with Azure.', options_list=["--service-principal-client-secret", "--sp-sec"])
c.argument('service_principal_tenant_id', help='The service principal tenant ID. Used by Github Actions to authenticate with Azure.', options_list=["--service-principal-tenant-id", "--sp-tid"])

with self.argument_context('containerapp auth') as c:
# subgroup update
c.argument('client_id', options_list=['--client-id'], help='The Client ID of the app used for login.')
c.argument('client_secret', options_list=['--client-secret'], help='The client secret.')
c.argument('client_secret_setting_name', options_list=['--client-secret-name'], help='The app secret name that contains the client secret of the relying party application.')
c.argument('issuer', options_list=['--issuer'], help='The OpenID Connect Issuer URI that represents the entity which issues access tokens for this application.')
c.argument('allowed_token_audiences', options_list=['--allowed-token-audiences', '--allowed-audiences'], help='The configuration settings of the allowed list of audiences from which to validate the JWT token.')
c.argument('client_secret_certificate_thumbprint', options_list=['--thumbprint', '--client-secret-certificate-thumbprint'], help='Alternative to AAD Client Secret, thumbprint of a certificate used for signing purposes')
c.argument('client_secret_certificate_san', options_list=['--san', '--client-secret-certificate-san'], help='Alternative to AAD Client Secret and thumbprint, subject alternative name of a certificate used for signing purposes')
c.argument('client_secret_certificate_issuer', options_list=['--certificate-issuer', '--client-secret-certificate-issuer'], help='Alternative to AAD Client Secret and thumbprint, issuer of a certificate used for signing purposes')
c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
c.argument('tenant_id', options_list=['--tenant-id'], help='The tenant id of the application.')
c.argument('app_id', options_list=['--app-id'], help='The App ID of the app used for login.')
c.argument('app_secret', options_list=['--app-secret'], help='The app secret.')
c.argument('app_secret_setting_name', options_list=['--app-secret-name', '--secret-name'], help='The app secret name that contains the app secret.')
c.argument('graph_api_version', options_list=['--graph-api-version'], help='The version of the Facebook api to be used while logging in.')
c.argument('scopes', options_list=['--scopes'], help='A list of the scopes that should be requested while authenticating.')
c.argument('consumer_key', options_list=['--consumer-key'], help='The OAuth 1.0a consumer key of the Twitter application used for sign-in.')
c.argument('consumer_secret', options_list=['--consumer-secret'], help='The consumer secret.')
c.argument('consumer_secret_setting_name', options_list=['--consumer-secret-name', '--secret-name'], help='The consumer secret name that contains the app secret.')
c.argument('provider_name', options_list=['--provider-name'], required=True, help='The name of the custom OpenID Connect provider.')
c.argument('openid_configuration', options_list=['--openid-configuration'], help='The endpoint that contains all the configuration endpoints for the provider.')
# auth update
c.argument('set_string', options_list=['--set'], help='Value of a specific field within the configuration settings for the Azure App Service Authentication / Authorization feature.')
c.argument('config_file_path', options_list=['--config-file-path'], help='The path of the config file containing auth settings if they come from a file.')
c.argument('unauthenticated_client_action', options_list=['--unauthenticated-client-action', '--action'], arg_type=get_enum_type(UNAUTHENTICATED_CLIENT_ACTION), help='The action to take when an unauthenticated client attempts to access the app.')
c.argument('redirect_provider', options_list=['--redirect-provider'], help='The default authentication provider to use when multiple providers are configured.')
c.argument('enable_token_store', options_list=['--enable-token-store'], arg_type=get_three_state_flag(return_label=True), help='true to durably store platform-specific security tokens that are obtained during login flows; otherwise, false.')
c.argument('require_https', options_list=['--require-https'], arg_type=get_three_state_flag(return_label=True), help='false if the authentication/authorization responses not having the HTTPS scheme are permissible; otherwise, true.')
c.argument('proxy_convention', options_list=['--proxy-convention'], arg_type=get_enum_type(FORWARD_PROXY_CONVENTION), help='The convention used to determine the url of the request made.')
c.argument('proxy_custom_host_header', options_list=['--proxy-custom-host-header', '--custom-host-header'], help='The name of the header containing the host of the request.')
c.argument('proxy_custom_proto_header', options_list=['--proxy-custom-proto-header', '--custom-proto-header'], help='The name of the header containing the scheme of the request.')
c.argument('excluded_paths', options_list=['--excluded-paths'], help='The list of paths that should be excluded from authentication rules.')
c.argument('enabled', options_list=['--enabled'], arg_type=get_three_state_flag(return_label=True), help='true if the Authentication / Authorization feature is enabled for the current app; otherwise, false.')
c.argument('runtime_version', options_list=['--runtime-version'], help='The RuntimeVersion of the Authentication / Authorization feature in use for the current app.')

with self.argument_context('containerapp ssl upload') as c:
c.argument('hostname', help='The custom domain name.')
c.argument('environment', options_list=['--environment', '-e'], help='Name or resource id of the Container App environment.')
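Review bot: `--secret-name` is registered as an alias for two different parameters inside the same `containerapp auth` argument context: `app_secret_setting_name` (`['--app-secret-name', '--secret-name']`) and `consumer_secret_setting_name` (`['--consumer-secret-name', '--secret-name']`). That only works as long as no single command under the group accepts both parameters; if one ever does, argparse will fail at load time with a conflicting-option error, so either drop the shared alias, `c.argument('app_secret_setting_name', options_list=['--app-secret-name'], help='The app secret name that contains the app secret.')` and likewise for the consumer secret, or record the assumption in a comment next to the two lines. Similarly, `provider_name` is declared `required=True` at group scope, which makes it mandatory on every `containerapp auth` command that has a `provider_name` parameter; presumably only the openid-connect commands do, but confirm. The `--require-https` help text `false if the authentication/authorization responses not having the HTTPS scheme are permissible; otherwise, true.` is hard to read and could be `Set to false to permit authentication/authorization responses that do not use the HTTPS scheme; true to require HTTPS.`; the `--enable-token-store` text has the same shape.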