func (s *InteractiveSuite) TestInteractiveRoleAssignmentAlreadyExists(c *gc.C) {
var requests []*http.Request
senders := azuretesting.Senders{
oauthConfigSender(),
deviceCodeSender(),
tokenSender(),
tokenSender(),
tokenSender(),
currentUserSender(),
createServicePrincipalSender(),
roleDefinitionListSender(),
roleAssignmentAlreadyExistsSender(),
}
_, _, err := azureauth.InteractiveCreateServicePrincipal(
ioutil.Discard,
&senders,
azuretesting.RequestRecorder(&requests),
"https://arm.invalid",
"https://graph.invalid",
"22222222-2222-2222-2222-222222222222",
s.clock,
s.newUUID,
)
c.Assert(err, jc.ErrorIsNil)
}
func (s *InteractiveSuite) TestInteractiveServicePrincipalAlreadyExists(c *gc.C) {
var requests []*http.Request
senders := azuretesting.Senders{
oauthConfigSender(),
deviceCodeSender(),
tokenSender(),
tokenSender(),
tokenSender(),
currentUserSender(),
createServicePrincipalAlreadyExistsSender(),
servicePrincipalListSender(),
passwordCredentialsListSender(),
updatePasswordCredentialsSender(),
roleDefinitionListSender(),
roleAssignmentAlreadyExistsSender(),
}
_, password, err := azureauth.InteractiveCreateServicePrincipal(
ioutil.Discard,
&senders,
azuretesting.RequestRecorder(&requests),
"https://arm.invalid",
"https://graph.invalid",
"22222222-2222-2222-2222-222222222222",
s.clock,
s.newUUID,
)
c.Assert(err, jc.ErrorIsNil)
c.Assert(password, gc.Equals, "33333333-3333-3333-3333-333333333333")
c.Assert(requests, gc.HasLen, 10)
c.Check(requests[0].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222")
c.Check(requests[1].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/oauth2/devicecode")
c.Check(requests[2].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/oauth2/token")
c.Check(requests[3].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/me")
c.Check(requests[4].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/servicePrincipals") // create
c.Check(requests[5].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/servicePrincipals") // list
c.Check(requests[6].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/servicePrincipals/sp-object-id/passwordCredentials") // list
c.Check(requests[7].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/servicePrincipals/sp-object-id/passwordCredentials") // update
c.Check(requests[8].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Authorization/roleDefinitions")
c.Check(requests[9].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555")
// Make sure that we don't wipe existing password credentials, and that
// the new password credential matches the one returned from the
// function.
var params ad.PasswordCredentialsUpdateParameters
err = json.NewDecoder(requests[7].Body).Decode(¶ms)
c.Assert(err, jc.ErrorIsNil)
c.Assert(params.Value, gc.HasLen, 2)
c.Assert(params.Value[0], jc.DeepEquals, ad.PasswordCredential{
KeyId: "password-credential-key-id",
StartDate: time.Time{}.UTC(),
EndDate: time.Time{}.UTC(),
})
assertPasswordCredential(c, params.Value[1])
}
func (s *storageSuite) SetUpTest(c *gc.C) {
s.BaseSuite.SetUpTest(c)
s.storageClient = azuretesting.MockStorageClient{}
s.requests = nil
envProvider := newProvider(c, azure.ProviderConfig{
Sender: &s.sender,
NewStorageClient: s.storageClient.NewClient,
RequestInspector: azuretesting.RequestRecorder(&s.requests),
RandomWindowsAdminPassword: func() string { return "sorandom" },
InteractiveCreateServicePrincipal: azureauth.InteractiveCreateServicePrincipal,
})
s.sender = nil
var err error
env := openEnviron(c, envProvider, &s.sender)
s.provider, err = env.StorageProvider("azure")
c.Assert(err, jc.ErrorIsNil)
}
func (s *environProviderSuite) SetUpTest(c *gc.C) {
s.BaseSuite.SetUpTest(c)
s.provider = newProvider(c, azure.ProviderConfig{
Sender: &s.sender,
RequestInspector: azuretesting.RequestRecorder(&s.requests),
RandomWindowsAdminPassword: func() string { return "sorandom" },
InteractiveCreateServicePrincipal: azureauth.InteractiveCreateServicePrincipal,
})
s.spec = environs.CloudSpec{
Type: "azure",
Name: "azure",
Region: "westus",
Endpoint: "https://api.azurestack.local",
IdentityEndpoint: "https://login.azurestack.local",
StorageEndpoint: "https://storage.azurestack.local",
Credential: fakeServicePrincipalCredential(),
}
s.sender = nil
}
func (s *instanceSuite) SetUpTest(c *gc.C) {
s.BaseSuite.SetUpTest(c)
s.provider = newProvider(c, azure.ProviderConfig{
Sender: &s.sender,
RequestInspector: azuretesting.RequestRecorder(&s.requests),
RandomWindowsAdminPassword: func() string { return "sorandom" },
InteractiveCreateServicePrincipal: azureauth.InteractiveCreateServicePrincipal,
})
s.env = openEnviron(c, s.provider, &s.sender)
s.sender = nil
s.requests = nil
s.networkInterfaces = []network.Interface{
makeNetworkInterface("nic-0", "machine-0"),
}
s.publicIPAddresses = nil
s.deployments = []resources.DeploymentExtended{
makeDeployment("machine-0"),
makeDeployment("machine-1"),
}
}
func (s *environSuite) SetUpTest(c *gc.C) {
s.BaseSuite.SetUpTest(c)
s.storageClient = azuretesting.MockStorageClient{}
s.sender = nil
s.requests = nil
s.retryClock = mockClock{Clock: gitjujutesting.NewClock(time.Time{})}
s.provider = newProvider(c, azure.ProviderConfig{
Sender: azuretesting.NewSerialSender(&s.sender),
RequestInspector: azuretesting.RequestRecorder(&s.requests),
NewStorageClient: s.storageClient.NewClient,
RetryClock: &gitjujutesting.AutoAdvancingClock{
&s.retryClock, s.retryClock.Advance,
},
RandomWindowsAdminPassword: func() string { return "sorandom" },
InteractiveCreateServicePrincipal: azureauth.InteractiveCreateServicePrincipal,
})
s.controllerUUID = testing.ControllerTag.Id()
s.envTags = map[string]*string{
"juju-model-uuid": to.StringPtr(testing.ModelTag.Id()),
"juju-controller-uuid": to.StringPtr(s.controllerUUID),
}
s.vmTags = map[string]*string{
"juju-model-uuid": to.StringPtr(testing.ModelTag.Id()),
"juju-controller-uuid": to.StringPtr(s.controllerUUID),
"juju-machine-name": to.StringPtr("machine-0"),
}
s.group = &resources.ResourceGroup{
Location: to.StringPtr("westus"),
Tags: &s.envTags,
Properties: &resources.ResourceGroupProperties{
ProvisioningState: to.StringPtr("Succeeded"),
},
}
vmSizes := []compute.VirtualMachineSize{{
Name: to.StringPtr("Standard_D1"),
NumberOfCores: to.Int32Ptr(1),
OsDiskSizeInMB: to.Int32Ptr(1047552),
ResourceDiskSizeInMB: to.Int32Ptr(51200),
MemoryInMB: to.Int32Ptr(3584),
MaxDataDiskCount: to.Int32Ptr(2),
}}
s.vmSizes = &compute.VirtualMachineSizeListResult{Value: &vmSizes}
s.storageAccount = &storage.Account{
Name: to.StringPtr("my-storage-account"),
Type: to.StringPtr("Standard_LRS"),
Tags: &s.envTags,
Properties: &storage.AccountProperties{
PrimaryEndpoints: &storage.Endpoints{
Blob: to.StringPtr(fmt.Sprintf("https://%s.blob.storage.azurestack.local/", storageAccountName)),
},
ProvisioningState: "Succeeded",
},
}
keys := []storage.AccountKey{{
KeyName: to.StringPtr("key-1-name"),
Value: to.StringPtr("key-1"),
Permissions: storage.FULL,
}}
s.storageAccountKeys = &storage.AccountListKeysResult{
Keys: &keys,
}
s.ubuntuServerSKUs = []compute.VirtualMachineImageResource{
{Name: to.StringPtr("12.04-LTS")},
{Name: to.StringPtr("12.10")},
{Name: to.StringPtr("14.04-LTS")},
{Name: to.StringPtr("15.04")},
{Name: to.StringPtr("15.10")},
{Name: to.StringPtr("16.04-LTS")},
}
s.deployment = nil
}
func (s *InteractiveSuite) TestInteractive(c *gc.C) {
var requests []*http.Request
senders := azuretesting.Senders{
oauthConfigSender(),
deviceCodeSender(),
tokenSender(), // CheckForUserCompletion returns a token.
// Token.Refresh returns a token. We do this
// twice: once for ARM, and once for AAD.
tokenSender(),
tokenSender(),
currentUserSender(),
createServicePrincipalSender(),
roleDefinitionListSender(),
roleAssignmentSender(),
}
var stderr bytes.Buffer
subscriptionId := "22222222-2222-2222-2222-222222222222"
appId, password, err := azureauth.InteractiveCreateServicePrincipal(
&stderr,
&senders,
azuretesting.RequestRecorder(&requests),
"https://arm.invalid",
"https://graph.invalid",
subscriptionId,
s.clock,
s.newUUID,
)
c.Assert(err, jc.ErrorIsNil)
c.Assert(appId, gc.Equals, "cbb548f1-5039-4836-af0b-727e8571f6a9")
c.Assert(password, gc.Equals, "33333333-3333-3333-3333-333333333333")
c.Assert(stderr.String(), gc.Equals, `
Initiating interactive authentication.
open your browser, etc.
Authenticated as "Foo Bar".
Creating/updating service principal.
Assigning Owner role to service principal.
`[1:])
// Token refreshes don't go through the inspectors.
c.Assert(requests, gc.HasLen, 7)
c.Check(requests[0].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222")
c.Check(requests[1].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/oauth2/devicecode")
c.Check(requests[2].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/oauth2/token")
c.Check(requests[3].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/me")
c.Check(requests[4].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/servicePrincipals")
c.Check(requests[5].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Authorization/roleDefinitions")
c.Check(requests[6].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555")
// The service principal creation includes the password. Check that the
// password returned from the function is the same as the one set in the
// request.
var params ad.ServicePrincipalCreateParameters
err = json.NewDecoder(requests[4].Body).Decode(¶ms)
c.Assert(err, jc.ErrorIsNil)
c.Assert(params.PasswordCredentials, gc.HasLen, 1)
assertPasswordCredential(c, params.PasswordCredentials[0])
}