in src/azure-cli/azure/cli/command_modules/containerapp/custom.py [0:0]
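def update_aad_settings(cmd, resource_group_name, name,
                        client_id=None, client_secret_setting_name=None,
                        issuer=None, allowed_token_audiences=None, client_secret=None,
                        client_secret_certificate_thumbprint=None,
                        client_secret_certificate_san=None,
                        client_secret_certificate_issuer=None,
                        yes=False, tenant_id=None):
    """Create or update the Azure Active Directory (Microsoft) identity provider in a containerapp's auth config.

    Exactly one client credential may be supplied: a literal ``client_secret`` (stored as a
    containerapp secret named ``MICROSOFT_SECRET_SETTING_NAME``), the name of an existing
    secret (``client_secret_setting_name``), a certificate thumbprint, or a certificate
    SAN + issuer pair. Choosing one credential kind nulls the registration fields that
    belong to the other kinds.

    Args:
        cmd: CLI command context; ``cmd.cli_ctx.cloud`` is used to derive the issuer from ``tenant_id``.
        resource_group_name: Resource group of the containerapp.
        name: Name of the containerapp.
        client_id: AAD application (client) id.
        client_secret_setting_name: Name of an existing containerapp secret holding the client secret.
        issuer: Explicit OpenID issuer URL; mutually exclusive with ``tenant_id``.
        allowed_token_audiences: Comma-separated list of accepted token audiences.
        client_secret: Literal client secret; requires interactive confirmation unless ``yes`` is set.
        client_secret_certificate_thumbprint: Thumbprint of the client certificate.
        client_secret_certificate_san: Subject alternative name of the client certificate
            (must be given together with ``client_secret_certificate_issuer``).
        client_secret_certificate_issuer: Issuer of the client certificate
            (must be given together with ``client_secret_certificate_san``).
        yes: Skip the confirmation prompt when ``client_secret`` is given.
        tenant_id: Tenant used to build ``<active_directory endpoint>/<tenant_id>/v2.0`` as the issuer.

    Returns:
        The ``azureActiveDirectory`` section of the updated auth config's identity providers.
        If the update call fails, the exception is delegated to ``handle_raw_exception``.

    Raises:
        ValidationError: if ingress is not enabled on the containerapp.
        ArgumentUsageError: on conflicting or missing arguments, or when the user declines
            to store the literal secret.
    """
    # Auth requires ingress: any failure of show_ingress is reported as a validation error.
    try:
        show_ingress(cmd, name, resource_group_name)
    except Exception as e:
        raise ValidationError("Authentication requires ingress to be enabled for your containerapp.") from e

    _validate_aad_credential_args(client_secret, client_secret_setting_name,
                                  client_secret_certificate_thumbprint,
                                  client_secret_certificate_san,
                                  client_secret_certificate_issuer,
                                  issuer, tenant_id)

    existing_auth = _load_auth_config(cmd, resource_group_name, name)
    providers = existing_auth.setdefault("identityProviders", {})
    is_new_aad_app = "azureActiveDirectory" not in providers
    aad = providers.setdefault("azureActiveDirectory", {})

    # A brand-new registration has no issuer yet, so one must be derivable from the arguments.
    if is_new_aad_app and issuer is None and tenant_id is None:
        raise ArgumentUsageError('Usage Error: Either --issuer or --tenant-id must be specified when configuring the '
                                 'Microsoft auth registration.')

    if client_secret is not None and not yes:
        msg = 'Configuring --client-secret will add a secret to the containerapp. Are you sure you want to continue?'
        if not prompt_y_n(msg, default="n"):
            raise ArgumentUsageError('Usage Error: --client-secret cannot be used without agreeing to add secret '
                                     'to the containerapp.')

    openid_issuer = issuer
    if openid_issuer is None and tenant_id is not None:
        # cmd.cli_ctx.cloud resolves to whichever cloud the customer is currently logged into
        authority = cmd.cli_ctx.cloud.endpoints.active_directory
        openid_issuer = authority + "/" + tenant_id + "/v2.0"

    registration_args_given = any(arg is not None for arg in (
        client_id, client_secret, client_secret_setting_name, openid_issuer,
        client_secret_certificate_thumbprint, client_secret_certificate_san,
        client_secret_certificate_issuer))
    if registration_args_given:
        # setdefault aliases the nested dict, so edits land directly in existing_auth.
        registration = aad.setdefault("registration", {})
        _apply_aad_registration(cmd, name, resource_group_name, registration,
                                client_id, client_secret, client_secret_setting_name,
                                client_secret_certificate_thumbprint,
                                client_secret_certificate_san,
                                client_secret_certificate_issuer, openid_issuer)

    if allowed_token_audiences is not None:
        validation = aad.setdefault("validation", {})
        # Split on ',' only; surrounding whitespace in each entry is kept as given.
        validation["allowedAudiences"] = allowed_token_audiences.split(",")

    try:
        updated_auth_settings = AuthClient.create_or_update(cmd=cmd, resource_group_name=resource_group_name,
                                                            container_app_name=name, auth_config_name="current",
                                                            auth_config_envelope=existing_auth)["properties"]
        return updated_auth_settings["identityProviders"]["azureActiveDirectory"]
    except Exception as e:
        handle_raw_exception(e)


def _validate_aad_credential_args(client_secret, client_secret_setting_name,
                                  client_secret_certificate_thumbprint,
                                  client_secret_certificate_san,
                                  client_secret_certificate_issuer,
                                  issuer, tenant_id):
    """Reject mutually exclusive or incomplete credential/issuer argument combinations.

    Pairs are checked in a fixed order so the first conflicting pair is the one reported.

    Raises:
        ArgumentUsageError: describing the offending flags.
    """
    exclusive_pairs = [
        ("--client-secret", client_secret, "--client-secret-setting-name", client_secret_setting_name),
        ("--client-secret-setting-name", client_secret_setting_name, "--thumbprint", client_secret_certificate_thumbprint),
        ("--client-secret", client_secret, "--thumbprint", client_secret_certificate_thumbprint),
        ("--client-secret", client_secret, "--san", client_secret_certificate_san),
        ("--client-secret-setting-name", client_secret_setting_name, "--san", client_secret_certificate_san),
        ("--thumbprint", client_secret_certificate_thumbprint, "--san", client_secret_certificate_san),
    ]
    for first_flag, first_value, second_flag, second_value in exclusive_pairs:
        if first_value is not None and second_value is not None:
            raise ArgumentUsageError(f'Usage Error: {first_flag} and {second_flag} cannot both be '
                                     'configured to non empty strings')
    # SAN-based certificate auth needs both halves of the (san, issuer) pair.
    if (client_secret_certificate_san is None) != (client_secret_certificate_issuer is None):
        raise ArgumentUsageError('Usage Error: --san and --certificate-issuer must both be '
                                 'configured to non empty strings')
    if issuer is not None and tenant_id is not None:
        raise ArgumentUsageError('Usage Error: --issuer and --tenant-id cannot be configured '
                                 'to non empty strings at the same time.')


def _load_auth_config(cmd, resource_group_name, name):
    """Return the containerapp's current auth config properties, or a fresh enabled skeleton.

    The skeleton is used when the "current" auth config cannot be read.
    """
    try:
        return AuthClient.get(cmd=cmd, resource_group_name=resource_group_name,
                              container_app_name=name, auth_config_name="current")["properties"]
    except Exception:  # narrowed from a bare except; the fallback is intentionally best-effort
        # NOTE(review): every read failure (not only "not found") lands here, and the
        # skeleton is later written over "current" by create_or_update, which would drop
        # globalValidation, login and any other identity providers already configured.
        # Confirm AuthClient.get raises a distinguishable not-found error and consider
        # re-raising anything else instead of overwriting.
        return {
            "platform": {"enabled": True},
            "globalValidation": {},
            "login": {},
        }


def _null_truthy_fields(registration, fields):
    """Set each listed registration field to None when it currently holds a truthy value."""
    for field in [f for f in fields if registration.get(f)]:
        registration[field] = None


def _apply_aad_registration(cmd, name, resource_group_name, registration,
                            client_id, client_secret, client_secret_setting_name,
                            client_secret_certificate_thumbprint,
                            client_secret_certificate_san,
                            client_secret_certificate_issuer, openid_issuer):
    """Write the supplied registration values into ``registration`` (mutated in place).

    Selecting one credential kind nulls the fields of the competing kinds. A literal
    ``client_secret`` is stored on the containerapp via ``set_secrets`` here, i.e. before
    the auth config itself is written; switching to a certificate later does not remove
    that stored secret value.
    """
    if client_id is not None:
        registration["clientId"] = client_id
    if client_secret_setting_name is not None:
        registration["clientSecretSettingName"] = client_secret_setting_name
    if client_secret is not None:
        registration["clientSecretSettingName"] = MICROSOFT_SECRET_SETTING_NAME
        set_secrets(cmd, name, resource_group_name,
                    secrets=[f"{MICROSOFT_SECRET_SETTING_NAME}={client_secret}"],
                    no_wait=False, disable_max_length=True)
    if client_secret_setting_name is not None or client_secret is not None:
        # Secret-based auth: drop any certificate-based credential fields.
        _null_truthy_fields(registration, ("clientSecretCertificateThumbprint",
                                           "clientSecretCertificateSubjectAlternativeName",
                                           "clientSecretCertificateIssuer"))
    if client_secret_certificate_thumbprint is not None:
        registration["clientSecretCertificateThumbprint"] = client_secret_certificate_thumbprint
        # Thumbprint-based auth: drop the secret reference and SAN/issuer fields.
        _null_truthy_fields(registration, ("clientSecretSettingName",
                                           "clientSecretCertificateSubjectAlternativeName",
                                           "clientSecretCertificateIssuer"))
    if client_secret_certificate_san is not None:
        registration["clientSecretCertificateSubjectAlternativeName"] = client_secret_certificate_san
    if client_secret_certificate_issuer is not None:
        registration["clientSecretCertificateIssuer"] = client_secret_certificate_issuer
    if client_secret_certificate_san is not None and client_secret_certificate_issuer is not None:
        # SAN-based auth: drop the secret reference and thumbprint (keys nulled if present).
        if "clientSecretSettingName" in registration:
            registration["clientSecretSettingName"] = None
        if "clientSecretCertificateThumbprint" in registration:
            registration["clientSecretCertificateThumbprint"] = None
    if openid_issuer is not None:
        registration["openIdIssuer"] = openid_issuer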