calvinsID · StrawnSC · May 19, 2022 · May 18, 2022 · May 18, 2022 · May 18, 2022
@@ -9,6 +9,7 @@ Release History
 * Added 'az containerapp env certificate' to manage certificates in a container app environment
 * Added 'az containerapp hostname' to manage hostnames in a container app
 * Added 'az containerapp ssl upload' to upload a certificate, add a hostname and the binding to a container app
+* Added 'az containerapp auth' to manage AuthConfigs for a containerapp
 
 0.3.4
 ++++++

@@ -14,4 +14,13 @@
 
 MAX_ENV_PER_LOCATION = 2
 
+MICROSOFT_SECRET_SETTING_NAME = "microsoft-provider-authentication-secret"
+FACEBOOK_SECRET_SETTING_NAME = "facebook-provider-authentication-secret"
+GITHUB_SECRET_SETTING_NAME = "github-provider-authentication-secret"
+GOOGLE_SECRET_SETTING_NAME = "google-provider-authentication-secret"
+MSA_SECRET_SETTING_NAME = "msa-provider-authentication-secret"
+TWITTER_SECRET_SETTING_NAME = "twitter-provider-authentication-secret"
+APPLE_SECRET_SETTING_NAME = "apple-provider-authentication-secret"
+UNAUTHENTICATED_CLIENT_ACTION = ['RedirectToLoginPage', 'AllowAnonymous', 'RejectWith401', 'RejectWith404']
+FORWARD_PROXY_CONVENTION = ['NoProxy', 'Standard', 'Custom']
 CHECK_CERTIFICATE_NAME_AVAILABILITY_TYPE = "Microsoft.App/managedEnvironments/certificates"
@@ -807,3 +807,224 @@
       text: |
           az containerapp hostname list -n MyContainerapp -g MyResourceGroup
 """
+
+# Auth commands
+helps['containerapp auth'] = """
+type: group
+short-summary: Manage containerapp authentication and authorization.
+"""
+
+helps['containerapp auth show'] = """
+type: command
+short-summary: Show the authentication settings for the containerapp.
+examples:
+  - name: Show the authentication settings for the containerapp.
+    text: az containerapp auth show --name MyContainerapp --resource-group MyResourceGroup
+"""
+
+helps['containerapp auth update'] = """
+type: command
+short-summary: Update the authentication settings for the containerapp.
+examples:
+  - name: Update the client ID of the AAD provider already configured.
+    text: |
+        az containerapp auth update -g myResourceGroup --name MyContainerapp --set identityProviders.azureActiveDirectory.registration.clientId=my-client-id
+  - name: Configure the app with file based authentication by setting the config file path.
+    text: |
+        az containerapp auth update -g myResourceGroup --name MyContainerapp --config-file-path D:\\home\\site\\wwwroot\\auth.json
+  - name: Configure the app to allow unauthenticated requests to hit the app.
+    text: |
+        az containerapp auth update -g myResourceGroup --name MyContainerapp --unauthenticated-client-action AllowAnonymous
+  - name: Configure the app to redirect unauthenticated requests to the Facebook provider.
+    text: |
+        az containerapp auth update -g myResourceGroup --name MyContainerapp --redirect-provider Facebook
+  - name: Configure the app to listen to the forward headers X-FORWARDED-HOST and X-FORWARDED-PROTO.
+    text: |
+        az containerapp auth update -g myResourceGroup --name MyContainerapp --proxy-convention Standard
+"""
+
+helps['containerapp auth apple'] = """
+type: group
+short-summary: Manage containerapp authentication and authorization of the Apple identity provider.
+"""
+
+helps['containerapp auth apple show'] = """
+type: command
+short-summary: Show the authentication settings for the Apple identity provider.
+examples:
+  - name: Show the authentication settings for the Apple identity provider.
+    text: az containerapp auth apple show --name MyContainerapp --resource-group MyResourceGroup
+"""
+
+helps['containerapp auth apple update'] = """
+type: command
+short-summary: Update the client id and client secret for the Apple identity provider.
+examples:
+  - name: Update the client id and client secret for the Apple identity provider.
+    text: |
+        az containerapp auth apple update  -g myResourceGroup --name MyContainerapp \\
+          --client-id my-client-id --client-secret very_secret_password
+"""
+
+helps['containerapp auth facebook'] = """
+type: group
+short-summary: Manage containerapp authentication and authorization of the Facebook identity provider.
+"""
+
+helps['containerapp auth facebook show'] = """
+type: command
+short-summary: Show the authentication settings for the Facebook identity provider.
+examples:
+  - name: Show the authentication settings for the Facebook identity provider.
+    text: az containerapp auth facebook show --name MyContainerapp --resource-group MyResourceGroup
+"""
+
+helps['containerapp auth facebook update'] = """
+type: command
+short-summary: Update the app id and app secret for the Facebook identity provider.
+examples:
+  - name: Update the app id and app secret for the Facebook identity provider.
+    text: |
+        az containerapp auth facebook update  -g myResourceGroup --name MyContainerapp \\
+          --app-id my-client-id --app-secret very_secret_password
+"""
+
+helps['containerapp auth github'] = """
+type: group
+short-summary: Manage containerapp authentication and authorization of the GitHub identity provider.
+"""
+
+helps['containerapp auth github show'] = """
+type: command
+short-summary: Show the authentication settings for the GitHub identity provider.
+examples:
+  - name: Show the authentication settings for the GitHub identity provider.
+    text: az containerapp auth github show --name MyContainerapp --resource-group MyResourceGroup
+"""
+
+helps['containerapp auth github update'] = """
+type: command
+short-summary: Update the client id and client secret for the GitHub identity provider.
+examples:
+  - name: Update the client id and client secret for the GitHub identity provider.
+    text: |
+        az containerapp auth github update  -g myResourceGroup --name MyContainerapp \\
+          --client-id my-client-id --client-secret very_secret_password
+"""
+
+helps['containerapp auth google'] = """
+type: group
+short-summary: Manage containerapp authentication and authorization of the Google identity provider.
+"""
+
+helps['containerapp auth google show'] = """
+type: command
+short-summary: Show the authentication settings for the Google identity provider.
+examples:
+  - name: Show the authentication settings for the Google identity provider.
+    text: az containerapp auth google show --name MyContainerapp --resource-group MyResourceGroup
+"""
+
+helps['containerapp auth google update'] = """
+type: command
+short-summary: Update the client id and client secret for the Google identity provider.
+examples:
+  - name: Update the client id and client secret for the Google identity provider.
+    text: |
+        az containerapp auth google update  -g myResourceGroup --name MyContainerapp \\
+          --client-id my-client-id --client-secret very_secret_password
+"""
+
+helps['containerapp auth microsoft'] = """
+type: group
+short-summary: Manage containerapp authentication and authorization of the Microsoft identity provider.
+"""
+
+helps['containerapp auth microsoft show'] = """
+type: command
+short-summary: Show the authentication settings for the Azure Active Directory identity provider.
+examples:
+  - name: Show the authentication settings for the Azure Active Directory identity provider.
+    text: az containerapp auth microsoft show --name MyContainerapp --resource-group MyResourceGroup
+"""
+
+helps['containerapp auth microsoft update'] = """
+type: command
+short-summary: Update the client id and client secret for the Azure Active Directory identity provider.
+examples:
+  - name: Update the open id issuer, client id and client secret for the Azure Active Directory identity provider.
+    text: |
+        az containerapp auth microsoft update  -g myResourceGroup --name MyContainerapp \\
+          --client-id my-client-id --client-secret very_secret_password \\
+          --issuer https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7983a3e9c5a/
+"""
+
+helps['containerapp auth openid-connect'] = """
+type: group
+short-summary: Manage containerapp authentication and authorization of the custom OpenID Connect identity providers.
+"""
+
+helps['containerapp auth openid-connect show'] = """
+type: command
+short-summary: Show the authentication settings for the custom OpenID Connect identity provider.
+examples:
+  - name: Show the authentication settings for the custom OpenID Connect identity provider.
+    text: az containerapp auth openid-connect show --name MyContainerapp --resource-group MyResourceGroup \\
+            --provider-name myOpenIdConnectProvider
+"""
+
+helps['containerapp auth openid-connect add'] = """
+type: command
+short-summary: Configure a new custom OpenID Connect identity provider.
+examples:
+  - name: Configure a new custom OpenID Connect identity provider.
+    text: |
+        az containerapp auth openid-connect add -g myResourceGroup --name MyContainerapp \\
+          --provider-name myOpenIdConnectProvider --client-id my-client-id \\
+          --client-secret-setting-name MY_SECRET_APP_SETTING \\
+          --openid-configuration https://myopenidprovider.net/.well-known/openid-configuration
+"""
+
+helps['containerapp auth openid-connect update'] = """
+type: command
+short-summary: Update the client id and client secret setting name for an existing custom OpenID Connect identity provider.
+examples:
+  - name: Update the client id and client secret setting name for an existing custom OpenID Connect identity provider.
+    text: |
+        az containerapp auth openid-connect update -g myResourceGroup --name MyContainerapp \\
+          --provider-name myOpenIdConnectProvider --client-id my-client-id \\
+          --client-secret-setting-name MY_SECRET_APP_SETTING
+"""
+
+helps['containerapp auth openid-connect remove'] = """
+type: command
+short-summary: Removes an existing custom OpenID Connect identity provider.
+examples:
+  - name: Removes an existing custom OpenID Connect identity provider.
+    text: |
+        az containerapp auth openid-connect remove --name MyContainerapp --resource-group MyResourceGroup \\
+          --provider-name myOpenIdConnectProvider
+"""
+
+helps['containerapp auth twitter'] = """
+type: group
+short-summary: Manage containerapp authentication and authorization of the Twitter identity provider.
+"""
+
+helps['containerapp auth twitter show'] = """
+type: command
+short-summary: Show the authentication settings for the Twitter identity provider.
+examples:
+  - name: Show the authentication settings for the Twitter identity provider.
+    text: az containerapp auth twitter show --name MyContainerapp --resource-group MyResourceGroup
+"""
+
+helps['containerapp auth twitter update'] = """
+type: command
+short-summary: Update the consumer key and consumer secret for the Twitter identity provider.
+examples:
+  - name: Update the consumer key and consumer secret for the Twitter identity provider.
+    text: |
+        az containerapp auth twitter update  -g myResourceGroup --name MyContainerapp \\
+          --consumer-key my-client-id --consumer-secret very_secret_password
+"""
@@ -13,6 +13,7 @@
 
 from ._validators import (validate_memory, validate_cpu, validate_managed_env_name_or_id, validate_registry_server,
                           validate_registry_user, validate_registry_pass, validate_target_port, validate_ingress)
+from ._constants import UNAUTHENTICATED_CLIENT_ACTION, FORWARD_PROXY_CONVENTION
 
 
 def load_arguments(self, _):
@@ -223,6 +224,7 @@ def load_arguments(self, _):
         c.argument('secret_name', help="The name of the secret to show.")
         c.argument('secret_names', nargs='+', help="A list of secret(s) for the container app. Space-separated secret values names.")
         c.argument('show_values', help='Show the secret values.')
+        c.ignore('disable_max_length')
 
     with self.argument_context('containerapp env dapr-component') as c:
         c.argument('dapr_app_id', help="The Dapr app ID.")
@@ -272,6 +274,40 @@ def load_arguments(self, _):
         c.argument('service_principal_client_secret', help='The service principal client secret. Used by Github Actions to authenticate with Azure.', options_list=["--service-principal-client-secret", "--sp-sec"])
         c.argument('service_principal_tenant_id', help='The service principal tenant ID. Used by Github Actions to authenticate with Azure.', options_list=["--service-principal-tenant-id", "--sp-tid"])
 
+    with self.argument_context('containerapp auth') as c:
+        # subgroup update
+        c.argument('client_id', options_list=['--client-id'], help='The Client ID of the app used for login.')
+        c.argument('client_secret', options_list=['--client-secret'], help='The client secret.')
+        c.argument('client_secret_setting_name', options_list=['--client-secret-name'], help='The app setting name that contains the client secret of the relying party application.')
+        c.argument('issuer', options_list=['--issuer'], help='The OpenID Connect Issuer URI that represents the entity which issues access tokens for this application.')
+        c.argument('allowed_token_audiences', options_list=['--allowed-token-audiences', '--allowed-audiences'], help='The configuration settings of the allowed list of audiences from which to validate the JWT token.')
+        c.argument('client_secret_certificate_thumbprint', options_list=['--thumbprint', '--client-secret-certificate-thumbprint'], help='Alternative to AAD Client Secret, thumbprint of a certificate used for signing purposes')
+        c.argument('client_secret_certificate_san', options_list=['--san', '--client-secret-certificate-san'], help='Alternative to AAD Client Secret and thumbprint, subject alternative name of a certificate used for signing purposes')
+        c.argument('client_secret_certificate_issuer', options_list=['--certificate-issuer', '--client-secret-certificate-issuer'], help='Alternative to AAD Client Secret and thumbprint, issuer of a certificate used for signing purposes')
+        c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
+        c.argument('tenant_id', options_list=['--tenant-id'], help='The tenant id of the application.')
+        c.argument('app_id', options_list=['--app-id'], help='The App ID of the app used for login.')
+        c.argument('app_secret', options_list=['--app-secret'], help='The app secret.')
+        c.argument('app_secret_setting_name', options_list=['--app-secret-setting-name', '--secret-setting'], help='The app setting name that contains the app secret.')
+        c.argument('graph_api_version', options_list=['--graph-api-version'], help='The version of the Facebook api to be used while logging in.')
+        c.argument('scopes', options_list=['--scopes'], help='A list of the scopes that should be requested while authenticating.')
+        c.argument('consumer_key', options_list=['--consumer-key'], help='The OAuth 1.0a consumer key of the Twitter application used for sign-in.')
+        c.argument('consumer_secret', options_list=['--consumer-secret'], help='The consumer secret.')
+        c.argument('provider_name', options_list=['--provider-name'], required=True, help='The name of the custom OpenID Connect provider.')
+        c.argument('openid_configuration', options_list=['--openid-configuration'], help='The endpoint that contains all the configuration endpoints for the provider.')
+        # auth update
+        c.argument('set_string', options_list=['--set'], help='Value of a specific field within the configuration settings for the Azure App Service Authentication / Authorization V2 feature.')
+        c.argument('config_file_path', options_list=['--config-file-path'], help='The path of the config file containing auth settings if they come from a file.')
+        c.argument('unauthenticated_client_action', options_list=['--unauthenticated-client-action', '--action'], arg_type=get_enum_type(UNAUTHENTICATED_CLIENT_ACTION), help='The action to take when an unauthenticated client attempts to access the app.')
+        c.argument('redirect_provider', options_list=['--redirect-provider'], help='The default authentication provider to use when multiple providers are configured.')
+        c.argument('enable_token_store', options_list=['--enable-token-store'], arg_type=get_three_state_flag(return_label=True), help='true to durably store platform-specific security tokens that are obtained during login flows; otherwise, false.')
+        c.argument('require_https', options_list=['--require-https'], arg_type=get_three_state_flag(return_label=True), help='false if the authentication/authorization responses not having the HTTPS scheme are permissible; otherwise, true.')
+        c.argument('proxy_convention', options_list=['--proxy-convention'], arg_type=get_enum_type(FORWARD_PROXY_CONVENTION), help='The convention used to determine the url of the request made.')
+        c.argument('proxy_custom_host_header', options_list=['--proxy-custom-host-header', '--custom-host-header'], help='The name of the header containing the host of the request.')
+        c.argument('proxy_custom_proto_header', options_list=['--proxy-custom-proto-header', '--custom-proto-header'], help='The name of the header containing the scheme of the request.')
+        c.argument('excluded_paths', options_list=['--excluded-paths'], help='The list of paths that should be excluded from authentication rules.')
+        c.argument('enabled', options_list=['--enabled'], arg_type=get_three_state_flag(return_label=True), help='true if the Authentication / Authorization feature is enabled for the current app; otherwise, false.')
+
     with self.argument_context('containerapp ssl upload') as c:
         c.argument('hostname', help='The custom domain name.')
         c.argument('environment', options_list=['--environment', '-e'], help='Name or resource id of the Container App environment.')