Class: Azure::Utility::Credentials

Inherits:

Object

• Object
• Azure::Utility::Credentials

Defined in:

lib/azure/utility/credentials.rb

Overview

Credentials

Constant Summary

AZURE_SERVICE_PRINCIPAL =

'1950a258-227b-4e31-a9cf-717495945fc2'.freeze

CONFIG_PATH =

"#{ENV['HOME']}/.azure/credentials".freeze

Instance Method Summary

• #assign_service_principal_to_role_id(subscription_id, token, service_principal_object_id, role_definition_id) ⇒ Object
• #azure_authenticate(username, password) ⇒ Object
• #azure_call(method, url, data, token) ⇒ Object
• #create_all_objects(token, config) ⇒ Object
• #create_application(tenant_id, token, new_application_name, new_client_secret) ⇒ Object
• #create_file(created_credentials, config) ⇒ Object
• #create_service_principal(tenant_id, token, application_id) ⇒ Object
• #get_role_definition(tenant_id, token, role_name) ⇒ Object
• #get_subscriptions(token) ⇒ Object
• #get_tenant_id(token) ⇒ Object
• #http_post(url, data) ⇒ Object
• #initialize ⇒ Credentials constructor

  A new instance of Credentials.

• #password_stdin ⇒ Object
• #username_stdin ⇒ Object

Constructor Details

#initialize ⇒ Credentials

Returns a new instance of Credentials.

# File 'lib/azure/utility/credentials.rb', line 125

def initialize
  cli = Options.new
  cli.parse_options
  CustomLogger.log.debug "Command line options: #{cli.config.inspect}"

  username = cli.config[:username] || username_stdin
  password = cli.config[:password] || password_stdin

  # Get Bearer token for user and pass through to main method

  token = azure_authenticate(username, password)
  if token.nil?
    error_message = 'Unable to acquire token from Azure AD provider.'
    CustomLogger.log.error error_message
    raise error_message
  end
  created_credentials = create_all_objects(token, cli.config)
  CustomLogger.log.debug "Credential details: #{created_credentials.inspect}"
  create_file(created_credentials, cli.config)
  CustomLogger.log.info 'Done!'
end

Instance Method Details

#assign_service_principal_to_role_id(subscription_id, token, service_principal_object_id, role_definition_id) ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 306

def assign_service_principal_to_role_id(subscription_id, token, service_principal_object_id, role_definition_id)
  CustomLogger.log.info 'Attempting to assign service principal to role'
  url = "https://management.azure.com/subscriptions/#{subscription_id}/providers/Microsoft.Authorization/roleAssignments/#{service_principal_object_id}?api-version=2015-07-01"
  payload_json = "  {\n      \"properties\": {\n          \"roleDefinitionId\": \"\#{role_definition_id}\",\n          \"principalId\": \"\#{service_principal_object_id}\"\n      }\n  }\n  EOH\n  azure_call(:put, url, payload_json, token)\nend\n"

#azure_authenticate(username, password) ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 325

def azure_authenticate(username, password)
  CustomLogger.log.info 'Authenticating to Azure Active Directory'
  url = 'https://login.windows.net/Common/oauth2/token'
  data = "resource=https%3A%2F%2Fmanagement.core.windows.net%2F&client_id=#{AZURE_SERVICE_PRINCIPAL}" \
    "&grant_type=password&username=#{username}&scope=openid&password=#{password}"
  response = http_post(url, data)
  JSON.parse(response.body)['access_token']
end

#azure_call(method, url, data, token) ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 347

def azure_call(method, url, data, token)
  uri = URI(url)
  response = nil
  Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
    case method
    when :put
      request = Net::HTTP::Put.new uri
    when :delete
      request = Net::HTTP::Delete.new uri
    when :get
      request = Net::HTTP::Get.new uri
    when :post
      request = Net::HTTP::Post.new uri
    when :patch
      request = Net::HTTP::Patch.new uri
    end
    request.body = data
    request['Authorization'] = "Bearer #{token}"
    request['Content-Type'] = 'application/json'
    CustomLogger.log.debug "Request: #{request.uri} (#{method}) #{data}"
    response = http.request request
    CustomLogger.log.debug "Response: #{response.body}"
  end
  JSON.parse(response.body) unless response.nil?
end

#create_all_objects(token, config) ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 219

def create_all_objects(token, config)
  tenant_id = get_tenant_id(token).first['tenantId']
  subscriptions = Array(config[:subscription_id])
  subscriptions = get_subscriptions(token) if subscriptions.empty?
  identifier = SecureRandom.hex(2)
  credentials = []
  subscriptions.each do |subscription|
    new_application_name = "azure_#{identifier}_#{subscription}"
    new_client_secret = SecureRandom.urlsafe_base64(16, true)
    application_id = create_application(tenant_id, token, new_application_name, new_client_secret)['appId']
    service_principal_object_id = create_service_principal(tenant_id, token, application_id)['objectId']
    role_name = config[:role] || 'Contributor'
    role_definition_id = get_role_definition(subscription, token, role_name).first['id']
    success = false
    counter = 0
    until success || counter > 5
      counter += 1
      CustomLogger.log.info "Waiting for service principal to be available in directory (retry #{counter})"
      sleep 2
      assigned_role = assign_service_principal_to_role_id(subscription, token, service_principal_object_id, role_definition_id)
      success = true unless assigned_role['error']
    end
    raise 'Failed to assign Service Principal to Role' unless success
    CustomLogger.log.info "Assigned service principal to role #{role_name} in subscription #{subscription}"
    new_credentials = {}
    new_credentials[:subscription_id] = subscription
    new_credentials[:client_id] = application_id
    new_credentials[:client_secret] = new_client_secret
    new_credentials[:tenant_id] = tenant_id
    credentials.push(new_credentials)
  end
  credentials
end

#create_application(tenant_id, token, new_application_name, new_client_secret) ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 270

def create_application(tenant_id, token, new_application_name, new_client_secret)
  CustomLogger.log.info "Creating application #{new_application_name} in tenant #{tenant_id}"
  url = "https://graph.windows.net/#{tenant_id}/applications?api-version=1.42-previewInternal"
  payload_json = "  {\n      \"availableToOtherTenants\": false,\n      \"displayName\": \"\#{new_application_name}\",\n      \"homepage\": \"https://management.core.windows.net\",\n      \"identifierUris\": [\n          \"https://\#{tenant_id}/\#{new_application_name}\"\n      ],\n      \"passwordCredentials\": [\n          {\n          \"startDate\": \"\#{Time.now.utc.iso8601}\",\n          \"endDate\": \"\#{(Time.now + (24 * 60 * 60 * 365 * 10)).utc.iso8601}\",\n          \"keyId\": \"\#{SecureRandom.uuid}\",\n          \"value\": \"\#{new_client_secret}\"\n          }\n      ]\n  }\n  EOH\n  azure_call(:post, url, payload_json, token)\nend\n"

#create_file(created_credentials, config) ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 156

def create_file(created_credentials, config)
  file_name = config[:output_file] || './credentials'
  file_name_expanded = File.expand_path(file_name)
  CustomLogger.log.info "Creating credentials file at #{file_name_expanded}"
  output = ''

  style = config[:type] || 'chef'
  case style
  when 'chef' # ref: https://github.com/pendrica/chef-provisioning-azurerm#configuration

    created_credentials.each do |s|
      subscription_template = "[\#{s[:subscription_id]}]\nclient_id = \"\#{s[:client_id]}\"\nclient_secret = \"\#{s[:client_secret]}\"\ntenant_id = \"\#{s[:tenant_id]}\"\n\n      EOH\n      output += subscription_template\n    end\n  when 'terraform' # ref: https://www.terraform.io/docs/providers/azurerm/index.html\n    created_credentials.each do |s|\n      subscription_template = <<-EOH\nprovider \"azurerm\" {\n  subscription_id = \"\#{s[:subscription_id]}\"\n  client_id       = \"\#{s[:client_id]}\"\n  client_secret   = \"\#{s[:client_secret]}\"\n  tenant_id       = \"\#{s[:tenant_id]}\"\n}\n\n        EOH\n      output += subscription_template\n    end\n  when 'puppet' # ref: https://github.com/puppetlabs/puppetlabs-azure#installing-the-azure-module\n    created_credentials.each do |s|\n      subscription_template = <<-EOH\nazure: {\n subscription_id: \"\#{s[:subscription_id]}\"\n tenant_id: \"\#{s[:tenant_id]}\"\n client_id: \"\#{s[:client_id]}\"\n client_secret: \"\#{s[:client_secret]}\"\n}\n\n        EOH\n      output += subscription_template\n    end\n  else # generic credentials output\n    created_credentials.each do |s|\n      subscription_template = <<-EOH\nazure_subscription_id = \"\#{s[:subscription_id]}\"\nazure_tenant_id = \"\#{s[:tenant_id]}\"\nazure_client_id = \"\#{s[:client_id]}\"\nazure_client_secret = \"\#{s[:client_secret]}\"\n\n        EOH\n      output += subscription_template\n    end\n  end\n  File.open(file_name_expanded, 'w') do |file|\n    file.write(output)\n  end\n  puts output if config[:out_to_screen]\nend\n"

#create_service_principal(tenant_id, token, application_id) ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 294

def create_service_principal(tenant_id, token, application_id)
  CustomLogger.log.info 'Creating service principal for application'
  url = "https://graph.windows.net/#{tenant_id}/servicePrincipals?api-version=1.42-previewInternal"
  payload_json = "  {\n      \"appId\": \"\#{application_id}\",\n      \"accountEnabled\": true\n  }\n  EOH\n  azure_call(:post, url, payload_json, token)\nend\n"

#get_role_definition(tenant_id, token, role_name) ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 320

def get_role_definition(tenant_id, token, role_name)
  role_definitions = azure_call(:get, "https://management.azure.com/subscriptions/#{tenant_id}/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20\'#{role_name}\'&api-version=2015-07-01", nil, token)
  role_definitions['value']
end

#get_subscriptions(token) ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 253

def get_subscriptions(token)
  CustomLogger.log.info 'Retrieving subscriptions info'
  subscriptions = []
  subscriptions_call = azure_call(:get, 'https://management.azure.com/subscriptions?api-version=2015-01-01', nil, token)
  subscriptions_call['value'].each do |subscription|
    subscriptions.push subscription['subscriptionId']
  end
  CustomLogger.log.debug "SubscriptionIDs returned: #{subscriptions.inspect}"
  subscriptions
end

#get_tenant_id(token) ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 264

def get_tenant_id(token)
  CustomLogger.log.info 'Retrieving tenant info'
  tenants = azure_call(:get, 'https://management.azure.com/tenants?api-version=2015-01-01', nil, token)
  tenants['value']
end

#http_post(url, data) ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 334

def http_post(url, data)
  uri = URI(url)
  response = nil
  Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
    request = Net::HTTP::Post.new uri
    CustomLogger.log.debug "Request: #{request.uri} (#{request.method}) #{data}"
    request.body = data
    response = http.request request
    CustomLogger.log.debug "Response: #{response.body}"
  end
  response
end

#password_stdin ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 151

def password_stdin
  print 'Enter your password: '
  STDIN.noecho(&:gets).chomp
end

#username_stdin ⇒ Object

# File 'lib/azure/utility/credentials.rb', line 146

def username_stdin
  print 'Enter your Azure AD username (user@domain.com): '
  STDIN.gets.chomp
end