Пример #1
0
func (s *InteractiveSuite) TestInteractiveRoleAssignmentAlreadyExists(c *gc.C) {
	var requests []*http.Request
	senders := azuretesting.Senders{
		oauthConfigSender(),
		deviceCodeSender(),
		tokenSender(),
		tokenSender(),
		tokenSender(),
		currentUserSender(),
		createServicePrincipalSender(),
		roleDefinitionListSender(),
		roleAssignmentAlreadyExistsSender(),
	}
	_, _, err := azureauth.InteractiveCreateServicePrincipal(
		ioutil.Discard,
		&senders,
		azuretesting.RequestRecorder(&requests),
		"https://arm.invalid",
		"https://graph.invalid",
		"22222222-2222-2222-2222-222222222222",
		s.clock,
		s.newUUID,
	)
	c.Assert(err, jc.ErrorIsNil)
}
Пример #2
0
func (s *InteractiveSuite) TestInteractiveServicePrincipalAlreadyExists(c *gc.C) {
	var requests []*http.Request
	senders := azuretesting.Senders{
		oauthConfigSender(),
		deviceCodeSender(),
		tokenSender(),
		tokenSender(),
		tokenSender(),
		currentUserSender(),
		createServicePrincipalAlreadyExistsSender(),
		servicePrincipalListSender(),
		passwordCredentialsListSender(),
		updatePasswordCredentialsSender(),
		roleDefinitionListSender(),
		roleAssignmentAlreadyExistsSender(),
	}
	_, password, err := azureauth.InteractiveCreateServicePrincipal(
		ioutil.Discard,
		&senders,
		azuretesting.RequestRecorder(&requests),
		"https://arm.invalid",
		"https://graph.invalid",
		"22222222-2222-2222-2222-222222222222",
		s.clock,
		s.newUUID,
	)
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(password, gc.Equals, "33333333-3333-3333-3333-333333333333")

	c.Assert(requests, gc.HasLen, 10)
	c.Check(requests[0].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222")
	c.Check(requests[1].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/oauth2/devicecode")
	c.Check(requests[2].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/oauth2/token")
	c.Check(requests[3].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/me")
	c.Check(requests[4].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/servicePrincipals")                                  // create
	c.Check(requests[5].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/servicePrincipals")                                  // list
	c.Check(requests[6].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/servicePrincipals/sp-object-id/passwordCredentials") // list
	c.Check(requests[7].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/servicePrincipals/sp-object-id/passwordCredentials") // update
	c.Check(requests[8].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Authorization/roleDefinitions")
	c.Check(requests[9].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555")

	// Make sure that we don't wipe existing password credentials, and that
	// the new password credential matches the one returned from the
	// function.
	var params ad.PasswordCredentialsUpdateParameters
	err = json.NewDecoder(requests[7].Body).Decode(&params)
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(params.Value, gc.HasLen, 2)
	c.Assert(params.Value[0], jc.DeepEquals, ad.PasswordCredential{
		KeyId:     "password-credential-key-id",
		StartDate: time.Time{}.UTC(),
		EndDate:   time.Time{}.UTC(),
	})
	assertPasswordCredential(c, params.Value[1])
}
Пример #3
0
func (s *storageSuite) SetUpTest(c *gc.C) {
	s.BaseSuite.SetUpTest(c)
	s.storageClient = azuretesting.MockStorageClient{}
	s.requests = nil
	envProvider := newProvider(c, azure.ProviderConfig{
		Sender:                            &s.sender,
		NewStorageClient:                  s.storageClient.NewClient,
		RequestInspector:                  azuretesting.RequestRecorder(&s.requests),
		RandomWindowsAdminPassword:        func() string { return "sorandom" },
		InteractiveCreateServicePrincipal: azureauth.InteractiveCreateServicePrincipal,
	})
	s.sender = nil

	var err error
	env := openEnviron(c, envProvider, &s.sender)
	s.provider, err = env.StorageProvider("azure")
	c.Assert(err, jc.ErrorIsNil)
}
Пример #4
0
func (s *environProviderSuite) SetUpTest(c *gc.C) {
	s.BaseSuite.SetUpTest(c)
	s.provider = newProvider(c, azure.ProviderConfig{
		Sender:                            &s.sender,
		RequestInspector:                  azuretesting.RequestRecorder(&s.requests),
		RandomWindowsAdminPassword:        func() string { return "sorandom" },
		InteractiveCreateServicePrincipal: azureauth.InteractiveCreateServicePrincipal,
	})
	s.spec = environs.CloudSpec{
		Type:             "azure",
		Name:             "azure",
		Region:           "westus",
		Endpoint:         "https://api.azurestack.local",
		IdentityEndpoint: "https://login.azurestack.local",
		StorageEndpoint:  "https://storage.azurestack.local",
		Credential:       fakeServicePrincipalCredential(),
	}
	s.sender = nil
}
Пример #5
0
func (s *instanceSuite) SetUpTest(c *gc.C) {
	s.BaseSuite.SetUpTest(c)
	s.provider = newProvider(c, azure.ProviderConfig{
		Sender:                            &s.sender,
		RequestInspector:                  azuretesting.RequestRecorder(&s.requests),
		RandomWindowsAdminPassword:        func() string { return "sorandom" },
		InteractiveCreateServicePrincipal: azureauth.InteractiveCreateServicePrincipal,
	})
	s.env = openEnviron(c, s.provider, &s.sender)
	s.sender = nil
	s.requests = nil
	s.networkInterfaces = []network.Interface{
		makeNetworkInterface("nic-0", "machine-0"),
	}
	s.publicIPAddresses = nil
	s.deployments = []resources.DeploymentExtended{
		makeDeployment("machine-0"),
		makeDeployment("machine-1"),
	}
}
Пример #6
0
func (s *environSuite) SetUpTest(c *gc.C) {
	s.BaseSuite.SetUpTest(c)
	s.storageClient = azuretesting.MockStorageClient{}
	s.sender = nil
	s.requests = nil
	s.retryClock = mockClock{Clock: gitjujutesting.NewClock(time.Time{})}

	s.provider = newProvider(c, azure.ProviderConfig{
		Sender:           azuretesting.NewSerialSender(&s.sender),
		RequestInspector: azuretesting.RequestRecorder(&s.requests),
		NewStorageClient: s.storageClient.NewClient,
		RetryClock: &gitjujutesting.AutoAdvancingClock{
			&s.retryClock, s.retryClock.Advance,
		},
		RandomWindowsAdminPassword:        func() string { return "sorandom" },
		InteractiveCreateServicePrincipal: azureauth.InteractiveCreateServicePrincipal,
	})

	s.controllerUUID = testing.ControllerTag.Id()
	s.envTags = map[string]*string{
		"juju-model-uuid":      to.StringPtr(testing.ModelTag.Id()),
		"juju-controller-uuid": to.StringPtr(s.controllerUUID),
	}
	s.vmTags = map[string]*string{
		"juju-model-uuid":      to.StringPtr(testing.ModelTag.Id()),
		"juju-controller-uuid": to.StringPtr(s.controllerUUID),
		"juju-machine-name":    to.StringPtr("machine-0"),
	}

	s.group = &resources.ResourceGroup{
		Location: to.StringPtr("westus"),
		Tags:     &s.envTags,
		Properties: &resources.ResourceGroupProperties{
			ProvisioningState: to.StringPtr("Succeeded"),
		},
	}

	vmSizes := []compute.VirtualMachineSize{{
		Name:                 to.StringPtr("Standard_D1"),
		NumberOfCores:        to.Int32Ptr(1),
		OsDiskSizeInMB:       to.Int32Ptr(1047552),
		ResourceDiskSizeInMB: to.Int32Ptr(51200),
		MemoryInMB:           to.Int32Ptr(3584),
		MaxDataDiskCount:     to.Int32Ptr(2),
	}}
	s.vmSizes = &compute.VirtualMachineSizeListResult{Value: &vmSizes}

	s.storageAccount = &storage.Account{
		Name: to.StringPtr("my-storage-account"),
		Type: to.StringPtr("Standard_LRS"),
		Tags: &s.envTags,
		Properties: &storage.AccountProperties{
			PrimaryEndpoints: &storage.Endpoints{
				Blob: to.StringPtr(fmt.Sprintf("https://%s.blob.storage.azurestack.local/", storageAccountName)),
			},
			ProvisioningState: "Succeeded",
		},
	}

	keys := []storage.AccountKey{{
		KeyName:     to.StringPtr("key-1-name"),
		Value:       to.StringPtr("key-1"),
		Permissions: storage.FULL,
	}}
	s.storageAccountKeys = &storage.AccountListKeysResult{
		Keys: &keys,
	}

	s.ubuntuServerSKUs = []compute.VirtualMachineImageResource{
		{Name: to.StringPtr("12.04-LTS")},
		{Name: to.StringPtr("12.10")},
		{Name: to.StringPtr("14.04-LTS")},
		{Name: to.StringPtr("15.04")},
		{Name: to.StringPtr("15.10")},
		{Name: to.StringPtr("16.04-LTS")},
	}

	s.deployment = nil
}
Пример #7
0
func (s *InteractiveSuite) TestInteractive(c *gc.C) {

	var requests []*http.Request
	senders := azuretesting.Senders{
		oauthConfigSender(),
		deviceCodeSender(),
		tokenSender(), // CheckForUserCompletion returns a token.

		// Token.Refresh returns a token. We do this
		// twice: once for ARM, and once for AAD.
		tokenSender(),
		tokenSender(),

		currentUserSender(),
		createServicePrincipalSender(),
		roleDefinitionListSender(),
		roleAssignmentSender(),
	}

	var stderr bytes.Buffer
	subscriptionId := "22222222-2222-2222-2222-222222222222"
	appId, password, err := azureauth.InteractiveCreateServicePrincipal(
		&stderr,
		&senders,
		azuretesting.RequestRecorder(&requests),
		"https://arm.invalid",
		"https://graph.invalid",
		subscriptionId,
		s.clock,
		s.newUUID,
	)
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(appId, gc.Equals, "cbb548f1-5039-4836-af0b-727e8571f6a9")
	c.Assert(password, gc.Equals, "33333333-3333-3333-3333-333333333333")
	c.Assert(stderr.String(), gc.Equals, `
Initiating interactive authentication.

open your browser, etc.

Authenticated as "Foo Bar".
Creating/updating service principal.
Assigning Owner role to service principal.
`[1:])

	// Token refreshes don't go through the inspectors.
	c.Assert(requests, gc.HasLen, 7)
	c.Check(requests[0].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222")
	c.Check(requests[1].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/oauth2/devicecode")
	c.Check(requests[2].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/oauth2/token")
	c.Check(requests[3].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/me")
	c.Check(requests[4].URL.Path, gc.Equals, "/11111111-1111-1111-1111-111111111111/servicePrincipals")
	c.Check(requests[5].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Authorization/roleDefinitions")
	c.Check(requests[6].URL.Path, gc.Equals, "/subscriptions/22222222-2222-2222-2222-222222222222/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555")

	// The service principal creation includes the password. Check that the
	// password returned from the function is the same as the one set in the
	// request.
	var params ad.ServicePrincipalCreateParameters
	err = json.NewDecoder(requests[4].Body).Decode(&params)
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(params.PasswordCredentials, gc.HasLen, 1)
	assertPasswordCredential(c, params.PasswordCredentials[0])
}