From b754f1384fe7f272997e882702c64619b0ee60fb Mon Sep 17 00:00:00 2001
From: dandds
Date: Tue, 4 Feb 2020 16:12:45 -0500
Subject: [PATCH] Include all Azure config in the INI file.

Adds all the new config items to the INI file and adjusts some naming conventions so that these values sort together. Also adds defaults for some values where they're known.
---
 .secrets.baseline | 4 ++--
 atst/domain/csp/cloud/azure_cloud_provider.py | 12 ++++++++----
 config/base.ini | 18 ++++++++++++++----
 tests/mock_azure.py | 6 ++++--
 4 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index a233e4cf..657683b7 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
 "lines": null
 },
- "generated_at": "2020-01-27T19:24:43Z",
+ "generated_at": "2020-02-04T21:00:49Z",
 "plugins_used": [
 {
 "base64_limit": 4.5,
@@ -82,7 +82,7 @@
 "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
 "is_secret": false,
 "is_verified": false,
- "line_number": 32,
+ "line_number": 43,
 "type": "Secret Keyword"
 }
 ],
diff --git a/atst/domain/csp/cloud/azure_cloud_provider.py b/atst/domain/csp/cloud/azure_cloud_provider.py
index d5ef5204..60b6d9a0 100644
--- a/atst/domain/csp/cloud/azure_cloud_provider.py
+++ b/atst/domain/csp/cloud/azure_cloud_provider.py
@@ -97,10 +97,14 @@ class AzureCloudProvider(CloudProviderInterface):
 self.secret_key = config["AZURE_SECRET_KEY"]
 self.tenant_id = config["AZURE_TENANT_ID"]
 self.vault_url = config["AZURE_VAULT_URL"]
- self.ps_client_id = config["POWERSHELL_CLIENT_ID"]
- self.owner_role_def_id = config["AZURE_OWNER_ROLE_DEF_ID"]
+ self.ps_client_id = config["AZURE_POWERSHELL_CLIENT_ID"]
 self.graph_resource = config["AZURE_GRAPH_RESOURCE"]
 self.default_aadp_qty = config["AZURE_AADP_QTY"]
+ self.roles = {
+ "owner": config["AZURE_ROLE_DEF_ID_OWNER"],
+ "contributor": config["AZURE_ROLE_DEF_ID_CONTRIBUTOR"],
+ "billing": config["AZURE_ROLE_DEF_ID_BILLING_READER"],
+ }
 if azure_sdk_provider is None:
 self.sdk = AzureSDKProvider()
@@ -602,7 +606,7 @@ class AzureCloudProvider(CloudProviderInterface):
 def create_tenant_admin_ownership(self, payload: TenantAdminOwnershipCSPPayload):
 mgmt_token = self._get_elevated_management_token(payload.tenant_id)
- role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.owner_role_def_id}"
+ role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.roles['owner']}"
 request_body = {
 "properties": {
@@ -630,7 +634,7 @@ class AzureCloudProvider(CloudProviderInterface):
 mgmt_token = self._get_elevated_management_token(payload.tenant_id)
 # NOTE: the tenant_id is also the id of the root management group, once it is created
- role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.owner_role_def_id}"
+ role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.roles['owner']}"
 request_body = {
 "properties": {
diff --git a/config/base.ini b/config/base.ini
index 1f4c732a..0105eea5 100644
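Review bot: The role definition ids collected into the new `self.roles` dict in the first hunk are spliced unvalidated into the roleDefinitions path in the two later hunks (create_tenant_admin_ownership and the root-management-group variant), so a mis-set `AZURE_ROLE_DEF_ID_OWNER` — for example a value that kept surrounding quote characters from an INI file — is only discovered when the Owner assignment request fails, after an elevated management token has already been obtained. Since these values are now operator-supplied config rather than code, I'd validate them once in `__init__` so a bad deployment fails at startup; the standard library's `uuid.UUID` is sufficient, though tests/mock_azure.py sets them to "MOCK" and would need GUID-shaped placeholders. The key `"billing"` also drifts from the config name `AZURE_ROLE_DEF_ID_BILLING_READER`; `"billing_reader"` would keep the two in step. The enclosing `__init__` starts and ends outside the hunk.
```python
self.roles = {
    "owner": config["AZURE_ROLE_DEF_ID_OWNER"],
    "contributor": config["AZURE_ROLE_DEF_ID_CONTRIBUTOR"],
    "billing": config["AZURE_ROLE_DEF_ID_BILLING_READER"],
}
# Fail fast on a malformed role id: each one is interpolated verbatim into
# an Azure roleDefinitions path, so a bad value would otherwise surface only
# as a failed role assignment partway through tenant provisioning.
for role_name, role_id in self.roles.items():
    try:
        uuid.UUID(role_id)  # requires `import uuid` at module top
    except (TypeError, ValueError) as err:
        raise ValueError(
            f"role definition id for {role_name!r} is not a GUID: {role_id!r}"
        ) from err
# … unchanged: sdk provider selection …
```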
--- a/config/base.ini
+++ b/config/base.ini
@@ -1,9 +1,19 @@
 [default]
 ASSETS_URL
+AZURE_AADP_QTY=5
 AZURE_ACCOUNT_NAME
-AZURE_STORAGE_KEY
-AZURE_TO_BUCKET_NAME
+AZURE_CLIENT_ID
+AZURE_GRAPH_RESOURCE="https://graph.microsoft.com/"
 AZURE_POLICY_LOCATION=policies
+AZURE_POWERSHELL_CLIENT_ID
+AZURE_ROLE_DEF_ID_BILLING_READER="fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64"
+AZURE_ROLE_DEF_ID_CONTRIBUTOR="b24988ac-6180-42a0-ab88-20f7382dd24c"
+AZURE_ROLE_DEF_ID_OWNER="8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+AZURE_SECRET_KEY
+AZURE_STORAGE_KEY
+AZURE_TENANT_ID
+AZURE_TO_BUCKET_NAME
+AZURE_VAULT_URL
 BLOB_STORAGE_URL=http://localhost:8000/
 CAC_URL = http://localhost:8000/login-redirect
 CA_CHAIN = ssl/server-certs/ca-chain.pem
@@ -42,10 +52,10 @@ REDIS_TLS=False
 REDIS_USER
 SECRET_KEY = change_me_into_something_secret
 SERVER_NAME
-SESSION_COOKIE_NAME=atat
 SESSION_COOKIE_DOMAIN
-SESSION_KEY_PREFIX=session:
+SESSION_COOKIE_NAME=atat
 SESSION_COOKIE_SECURE=false
+SESSION_KEY_PREFIX=session:
 SESSION_TYPE = redis
 SESSION_USE_SIGNER = True
 SQLALCHEMY_ECHO = False
diff --git a/tests/mock_azure.py b/tests/mock_azure.py
index ce85a396..0062e386 100644
--- a/tests/mock_azure.py
+++ b/tests/mock_azure.py
@@ -9,8 +9,10 @@ AZURE_CONFIG = {
 "AZURE_TENANT_ID": "MOCK",
 "AZURE_POLICY_LOCATION": "policies",
 "AZURE_VAULT_URL": "http://vault",
- "POWERSHELL_CLIENT_ID": "MOCK",
- "AZURE_OWNER_ROLE_DEF_ID": "MOCK",
+ "AZURE_POWERSHELL_CLIENT_ID": "MOCK",
+ "AZURE_ROLE_DEF_ID_OWNER": "MOCK",
+ "AZURE_ROLE_DEF_ID_CONTRIBUTOR": "MOCK",
+ "AZURE_ROLE_DEF_ID_BILLING_READER": "MOCK",
 "AZURE_GRAPH_RESOURCE": "MOCK",
 "AZURE_AADP_QTY": 5,
 }
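Review bot: The new defaults on the `AZURE_ROLE_DEF_ID_*` and `AZURE_GRAPH_RESOURCE` lines in the first base.ini hunk are wrapped in double quotes, while every other value in this file is bare (`AZURE_POLICY_LOCATION=policies`, `BLOB_STORAGE_URL=http://localhost:8000/`, `SECRET_KEY = change_me_into_something_secret`). If the loader is Python's configparser the quotes remain part of the value, so the id that azure_cloud_provider.py interpolates into the roleDefinitions path would carry literal quote characters and the Owner assignment would fail at provisioning time rather than at startup; worth confirming how this file is read. Unless the loader strips quotes, I'd write `AZURE_ROLE_DEF_ID_OWNER=8e3af657-a8ff-443c-a75c-2fe8c4bcb635` and the same for the other two roles and the graph URL. A short comment above the block, such as `; Azure built-in role definition ids; override only if custom role definitions are used`, would tell an operator these are public identifiers, not secrets, and rarely need changing.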