in src/authV2/azext_authV2/custom.py [0:0]
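def update_aad_settings(cmd, resource_group_name, name, slot=None,  # pylint: disable=unused-argument
                        client_id=None, client_secret_setting_name=None,  # pylint: disable=unused-argument
                        issuer=None, allowed_token_audiences=None, client_secret=None,  # pylint: disable=unused-argument
                        client_secret_certificate_thumbprint=None,  # pylint: disable=unused-argument
                        client_secret_certificate_san=None,  # pylint: disable=unused-argument
                        client_secret_certificate_issuer=None,  # pylint: disable=unused-argument
                        yes=False, tenant_id=None):  # pylint: disable=unused-argument
    """Update the Azure Active Directory provider in a web app's authsettingsV2.

    Only one credential form may be supplied per call: a raw ``client_secret``
    (persisted as the app setting named by MICROSOFT_SECRET_SETTING_NAME; the
    registration only references it by name), the name of an existing app
    setting (``client_secret_setting_name``), a certificate thumbprint, or a
    certificate SAN paired with its issuer. Choosing one form resets the stored
    fields of the competing forms so the registration never carries two
    credentials at once.

    Args:
        cmd: CLI command context; ``cmd.cli_ctx.cloud`` supplies the AAD
            authority when ``tenant_id`` is used instead of ``issuer``.
        resource_group_name: Resource group of the web app.
        name: Web app name.
        slot: Deployment slot, or None for the production slot.
        client_id: AAD application (client) id.
        client_secret_setting_name: Existing app setting holding the secret.
        issuer: Full OpenID issuer URL; mutually exclusive with ``tenant_id``.
        allowed_token_audiences: Comma-separated audiences written to
            ``validation.allowedAudiences``.
        client_secret: Raw secret; requires confirmation unless ``yes`` is set.
        client_secret_certificate_thumbprint: Certificate thumbprint credential.
        client_secret_certificate_san: Certificate subject alternative name;
            must be paired with ``client_secret_certificate_issuer``.
        client_secret_certificate_issuer: Certificate issuer for the SAN form.
        yes: Skip the interactive confirmation for ``client_secret``.
        tenant_id: Tenant used to build ``<authority>/<tenant_id>/v2.0`` as the
            issuer; mutually exclusive with ``issuer``.

    Returns:
        The ``azureActiveDirectory`` provider block from the update response.

    Raises:
        ArgumentUsageError: On conflicting or incomplete credential arguments.
        CLIError: When a brand-new registration has neither ``issuer`` nor
            ``tenant_id``, or the user declines to store ``client_secret``.
    """
    _validate_aad_args(client_secret, client_secret_setting_name,
                       client_secret_certificate_thumbprint, client_secret_certificate_san,
                       client_secret_certificate_issuer, issuer, tenant_id)

    # A single GET is sufficient: the provider, registration and validation
    # dicts below are mutated in place inside existing_auth and the whole
    # document is PUT back at the end.
    existing_auth = get_auth_settings_v2(cmd, resource_group_name, name, slot)["properties"]
    providers = existing_auth.setdefault("identityProviders", {})
    is_new_aad_app = "azureActiveDirectory" not in providers
    aad = providers.setdefault("azureActiveDirectory", {})

    if is_new_aad_app and issuer is None and tenant_id is None:
        raise CLIError('Usage Error: Either --issuer or --tenant-id must be specified when configuring the '
                       'Microsoft auth registration.')
    if client_secret is not None and not yes:
        msg = 'Configuring --client-secret will add app settings to the web app. Are you sure you want to continue?'
        if not prompt_y_n(msg, default="n"):
            raise CLIError('Usage Error: --client-secret cannot be used without agreeing to add app settings '
                           'to the web app.')

    openid_issuer = _resolve_aad_openid_issuer(cmd, issuer, tenant_id)

    # The resolved issuer (not the raw --issuer flag) decides whether the
    # registration block is touched, so --tenant-id alone also counts.
    registration_args = (client_id, client_secret, client_secret_setting_name, openid_issuer,
                         client_secret_certificate_thumbprint, client_secret_certificate_san,
                         client_secret_certificate_issuer)
    if any(arg is not None for arg in registration_args):
        registration = aad.setdefault("registration", {})
        _apply_aad_registration(cmd, resource_group_name, name, slot, registration,
                                client_id, client_secret, client_secret_setting_name, openid_issuer,
                                client_secret_certificate_thumbprint, client_secret_certificate_san,
                                client_secret_certificate_issuer)
    if allowed_token_audiences is not None:
        aad.setdefault("validation", {})["allowedAudiences"] = allowed_token_audiences.split(",")

    updated_auth_settings = update_auth_settings_v2_rest_call(cmd, resource_group_name, name, existing_auth, slot)
    return updated_auth_settings["identityProviders"]["azureActiveDirectory"]


def _validate_aad_args(client_secret, client_secret_setting_name, client_secret_certificate_thumbprint,
                       client_secret_certificate_san, client_secret_certificate_issuer, issuer, tenant_id):
    """Reject argument combinations that would configure more than one credential.

    Raises ArgumentUsageError naming the conflicting flags; the order of
    ``exclusive_pairs`` determines which conflict is reported when several apply.
    """
    exclusive_pairs = (
        (client_secret, '--client-secret', client_secret_setting_name, '--client-secret-setting-name'),
        (client_secret_setting_name, '--client-secret-setting-name',
         client_secret_certificate_thumbprint, '--thumbprint'),
        (client_secret, '--client-secret', client_secret_certificate_thumbprint, '--thumbprint'),
        (client_secret, '--client-secret', client_secret_certificate_san, '--san'),
        (client_secret_setting_name, '--client-secret-setting-name', client_secret_certificate_san, '--san'),
        (client_secret_certificate_thumbprint, '--thumbprint', client_secret_certificate_san, '--san'),
    )
    for first, first_flag, second, second_flag in exclusive_pairs:
        if first is not None and second is not None:
            raise ArgumentUsageError('Usage Error: {} and {} cannot both be configured to non empty strings'
                                     .format(first_flag, second_flag))
    # The SAN credential form is only meaningful with its issuer, and vice versa.
    if (client_secret_certificate_san is None) != (client_secret_certificate_issuer is None):
        raise ArgumentUsageError('Usage Error: --san and --certificate-issuer must both be '
                                 'configured to non empty strings')
    if issuer is not None and tenant_id is not None:
        raise ArgumentUsageError('Usage Error: --issuer and --tenant-id cannot be configured '
                                 'to non empty strings at the same time.')


def _resolve_aad_openid_issuer(cmd, issuer, tenant_id):
    """Return the OpenID issuer: ``issuer`` as given, else built from ``tenant_id``.

    Returns None when neither is supplied, in which case any issuer already
    stored in the registration is left untouched.
    """
    if issuer is not None:
        return issuer
    if tenant_id is None:
        return None
    # cmd.cli_ctx.cloud resolves to whichever cloud the customer is currently logged into
    authority = cmd.cli_ctx.cloud.endpoints.active_directory
    return authority + "/" + tenant_id + "/v2.0"


def _clear_registration_fields(registration, keys):
    """Reset each of ``keys`` to None when it is present with a non-None value."""
    for key in keys:
        if registration.get(key) is not None:
            registration[key] = None


def _apply_aad_registration(cmd, resource_group_name, name, slot, registration, client_id,
                            client_secret, client_secret_setting_name, openid_issuer,
                            client_secret_certificate_thumbprint, client_secret_certificate_san,
                            client_secret_certificate_issuer):
    """Write the requested credential fields into ``registration`` in place.

    Whichever credential form is being set, the fields belonging to the other
    forms are reset so only one credential remains in the stored registration.
    """
    if client_id is not None:
        registration["clientId"] = client_id
    if client_secret_setting_name is not None:
        registration["clientSecretSettingName"] = client_secret_setting_name
    if client_secret is not None:
        registration["clientSecretSettingName"] = MICROSOFT_SECRET_SETTING_NAME
        # The secret value lives in app settings; authsettingsV2 only stores
        # its name. This write lands before the auth-settings PUT, so if that
        # PUT fails the app setting has already been created.
        update_app_settings(cmd, resource_group_name, name, slot=slot,
                            slot_settings=[MICROSOFT_SECRET_SETTING_NAME + '=' + client_secret])
    if client_secret_setting_name is not None or client_secret is not None:
        _clear_registration_fields(registration, ("clientSecretCertificateThumbprint",
                                                  "clientSecretCertificateSubjectAlternativeName",
                                                  "clientSecretCertificateIssuer"))
    if client_secret_certificate_thumbprint is not None:
        registration["clientSecretCertificateThumbprint"] = client_secret_certificate_thumbprint
        _clear_registration_fields(registration, ("clientSecretSettingName",
                                                  "clientSecretCertificateSubjectAlternativeName",
                                                  "clientSecretCertificateIssuer"))
    if client_secret_certificate_san is not None:
        registration["clientSecretCertificateSubjectAlternativeName"] = client_secret_certificate_san
    if client_secret_certificate_issuer is not None:
        registration["clientSecretCertificateIssuer"] = client_secret_certificate_issuer
    if client_secret_certificate_san is not None and client_secret_certificate_issuer is not None:
        _clear_registration_fields(registration, ("clientSecretSettingName",
                                                  "clientSecretCertificateThumbprint"))
    if openid_issuer is not None:
        registration["openIdIssuer"] = openid_issuer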