diff --git a/.secrets.baseline b/.secrets.baseline index ccfc932e..258ea89e 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$|^.*pgsslrootcert.yml$", "lines": null }, - "generated_at": "2020-01-16T16:10:27Z", + "generated_at": "2020-01-19T20:21:20Z", "plugins_used": [ { "base64_limit": 4.5, @@ -32,13 +32,6 @@ "is_verified": false, "line_number": 156, "type": "Secret Keyword" - }, - { - "hashed_secret": "81b127e2222d9bfc4609053faec85300f7525463", - "is_secret": false, - "is_verified": false, - "line_number": 290, - "type": "Secret Keyword" } ], "alembic.ini": [ @@ -89,7 +82,7 @@ "hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3", "is_secret": false, "is_verified": false, - "line_number": 30, + "line_number": 31, "type": "Secret Keyword" } ], diff --git a/Pipfile b/Pipfile index 0de14fa2..5d3a7920 100644 --- a/Pipfile +++ b/Pipfile @@ -33,6 +33,10 @@ azure-mgmt-authorization = "*" azure-mgmt-managementgroups = "*" azure-mgmt-resource = "*" transitions = "*" +azure-mgmt-consumption = "*" +adal = "*" +azure-identity = "*" +azure-keyvault = "*" [dev-packages] bandit = "*" diff --git a/Pipfile.lock b/Pipfile.lock index ef6d0203..53a28b17 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "63b8f9d203f306a6f0ff20514b024909aa7e64917e1befcc9ea79931b5b4bd34" + "sha256": "4dbb023bcb860eb6dc56e1c201c91f272e1e67ad03e5e5eeb3a7a7fdff350eed" }, "pipfile-spec": 6, "requires": { @@ -21,14 +21,15 @@ "sha256:5a7f1e037c6290c6d7609cab33a9e5e988c2fbec5c51d1c4c649ee3faff37eaf", "sha256:fd17e5661f60634ddf96a569b95d34ccb8a98de60593d729c28bdcfe360eaad1" ], + "index": "pypi", "version": "==1.2.2" }, "alembic": { "hashes": [ - "sha256:3b0cb1948833e062f4048992fbc97ecfaaaac24aaa0d83a1202a99fb58af8c6d" + "sha256:d412982920653db6e5a44bfd13b1d0db5685cbaaccaf226195749c706e1e862a" ], "index": "pypi", - "version": "==1.3.2" + "version": "==1.3.3" }, "amqp": { "hashes": [ @@ -44,6 +45,13 @@ ], "version": "==1.1.24" }, + "azure-core": { + "hashes": [ + "sha256:b8ccbd901d085048e4e3e72627b066923c5bd3780e4c43cf9cf9948aee9bdf9e", + "sha256:e2cd99f0c0aef12c168d498cb5bc47a3a45c8ab08112183e3ec97e4dcb33ceb9" + ], + "version": "==1.2.1" + }, "azure-graphrbac": { "hashes": [ "sha256:53e98ae2ca7c19b349e9e9bb1b6a824aeae8dcfcbe17190d20fe69c0f185b2e2", @@ -52,6 +60,36 @@ "index": "pypi", "version": "==0.61.1" }, + "azure-identity": { + "hashes": [ + "sha256:4ce65058461c277991763ed3f121efc6b9eb9c2edefb62c414dfa85c814690d3", + "sha256:b32acd1cdb6202bfe10d9a0858dc463d8960295da70ae18097eb3b85ab12cb91" + ], + "index": "pypi", + "version": "==1.2.0" + }, + "azure-keyvault": { + "hashes": [ + "sha256:76f75cb83929f312a08616d426ad6f597f1beae180131cf445876fb88f2c8ef1", + "sha256:e85f5bd6cb4f10b3248b99bbf02e3acc6371d366846897027d4153f18025a2d7" + ], + "index": "pypi", + "version": "==4.0.0" + }, + "azure-keyvault-keys": { + "hashes": [ + "sha256:2983fa42e20a0e6bf6b87976716129c108e613e0292d34c5b0f0c8dc1d488e89", + "sha256:38c27322637a2c52620a8b96da1942ad6a8d22d09b5a01f6fa257f7a51e52ed0" + ], + "version": "==4.0.0" + }, + "azure-keyvault-secrets": { + "hashes": [ + "sha256:2eae9264a8f6f59277e1a9bfdbc8b0a15969ee5a80d8efe403d7744805b4a481", + "sha256:97a602406a833e8f117c540c66059c818f4321a35168dd17365fab1e4527d718" + ], + "version": "==4.0.0" + }, "azure-mgmt-authorization": { "hashes": [ "sha256:31e875a34ac2c5d6fefe77b4a8079a8b2bdbe9edb957e47e8b44222fb212d6a7", @@ -60,6 +98,14 @@ "index": "pypi", "version": "==0.60.0" }, + "azure-mgmt-consumption": { + "hashes": [ + "sha256:035d4b74ca7c47e2683bea17105fd9014c27060336fb6255324ac86b27f70f5b", + "sha256:af319ad6e3ec162a7578563f149e3cdd7d833a62ec80761cfd93caf79467610b" + ], + "index": "pypi", + "version": "==3.0.0" + }, "azure-mgmt-managementgroups": { "hashes": [ "sha256:3d5237947458dc94b4a392141174b1c1258d26611241ee104e9006d1d798f682", @@ -208,6 +254,14 @@ ], "version": "==2.8" }, + "dataclasses": { + "hashes": [ + "sha256:3459118f7ede7c8bea0fe795bff7c6c2ce287d01dd226202f7c9ebc0610a7836", + "sha256:494a6dcae3b8bcf80848eea2ef64c0cc5cd307ffc263e17cdf42f3e5420808e6" + ], + "markers": "python_version < '3.7'", + "version": "==0.7" + }, "flask": { "hashes": [ "sha256:13f9f196f330c7c2c5d7a5cf91af894110ca0215ac051b5844701f2bfd934d52", @@ -301,9 +355,9 @@ }, "mako": { "hashes": [ - "sha256:a36919599a9b7dc5d86a7a8988f23a9a3a3d083070023bab23d64f7f1d1e0a4b" + "sha256:2984a6733e1d472796ceef37ad48c26f4a984bb18119bb2dbc37a44d8f6e75a4" ], - "version": "==1.1.0" + "version": "==1.1.1" }, "markupsafe": { "hashes": [ @@ -345,6 +399,20 @@ ], "version": "==8.1.0" }, + "msal": { + "hashes": [ + "sha256:c944b833bf686dfbc973e9affdef94b77e616cb52ab397e76cde82e26b8a3373", + "sha256:ecbe3f5ac77facad16abf08eb9d8562af3bc7184be5d4d90c9ef4db5bde26340" + ], + "version": "==1.0.0" + }, + "msal-extensions": { + "hashes": [ + "sha256:59e171a9a4baacdbf001c66915efeaef372fb424421f1a4397115a3ddd6205dc", + "sha256:c5a32b8e1dce1c67733dcdf8aa8bebcff5ab123e779ef7bc14e416bd0da90037" + ], + "version": "==0.1.3" + }, "msrest": { "hashes": [ "sha256:56b8b5b4556fb2a92cac640df267d560889bdc9e2921187772d4691d97bc4e8d", @@ -379,6 +447,13 @@ "index": "pypi", "version": "==2.0.5" }, + "portalocker": { + "hashes": [ + "sha256:6f57aabb25ba176462dc7c63b86c42ad6a9b5bd3d679a9d776d0536bfb803d54", + "sha256:dac62e53e5670cb40d2ee4cdc785e6b829665932c3ee75307ad677cf5f7d2e9f" + ], + "version": "==1.5.2" + }, "psycopg2-binary": { "hashes": [ "sha256:040234f8a4a8dfd692662a8308d78f63f31a97e1c42d2480e5e6810c48966a29", @@ -444,6 +519,9 @@ "version": "==1.3" }, "pyjwt": { + "extras": [ + "crypto" + ], "hashes": [ "sha256:5c6eca3c2940464d106b99ba83b00c6add741c9becaec087fb7ccdefea71350e", "sha256:8d59a976fb773f3e6a39c85636357c4f0e242707394cadadd9814f5cbaa20e96" @@ -529,17 +607,17 @@ }, "six": { "hashes": [ - "sha256:1f1b7d42e254082a9db6279deae68afb421ceba6158efa6131de7b3003ee93fd", - "sha256:30f610279e8b2578cab6db20741130331735c781b56053c59c4076da27f06b66" + "sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a", + "sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c" ], - "version": "==1.13.0" + "version": "==1.14.0" }, "sqlalchemy": { "hashes": [ - "sha256:bfb8f464a5000b567ac1d350b9090cf081180ec1ab4aa87e7bca12dab25320ec" + "sha256:64a7b71846db6423807e96820993fa12a03b89127d278290ca25c0b11ed7b4fb" ], "index": "pypi", - "version": "==1.3.12" + "version": "==1.3.13" }, "sqlalchemy-json": { "hashes": [ @@ -572,10 +650,10 @@ }, "urllib3": { "hashes": [ - "sha256:a8a318824cc77d1fd4b2bec2ded92646630d7fe8619497b142c84a9e6f5a7293", - "sha256:f3c5fd51747d450d4dcf6f923c81f78f811aab8205fda64b0aba34a4e48b0745" + "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc", + "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc" ], - "version": "==1.25.7" + "version": "==1.25.8" }, "vine": { "hashes": [ @@ -609,10 +687,10 @@ }, "zipp": { "hashes": [ - "sha256:8dda78f06bd1674bd8720df8a50bb47b6e1233c503a4eed8e7810686bde37656", - "sha256:d38fbe01bbf7a3593a32bc35a9c4453c32bc42b98c377f9bff7e9f8da157786c" + "sha256:b338014b9bc7102ca69e0fb96ed07215a8954d2989bc5d83658494ab2ba634af", + "sha256:e013e7800f60ec4dde789ebf4e9f7a54236e4bbf5df2a1a4e20ce9e1d9609d67" ], - "version": "==1.0.0" + "version": "==2.0.1" } }, "develop": { @@ -1022,11 +1100,11 @@ }, "pexpect": { "hashes": [ - "sha256:2094eefdfcf37a1fdbfb9aa090862c1a4878e5c7e0e7e7088bdb511c558e5cd1", - "sha256:9e2c1fd0e6ee3a49b28f95d4b33bc389c89b20af6a1255906e90ff1262ce62eb" + "sha256:0b48a55dcb3c05f3329815901ea4fc1537514d6ba867a152b581d69ae3710937", + "sha256:fc65a43959d153d0114afe13997d439c22823a27cefceb5ff35c2178c6784c0c" ], "markers": "sys_platform != 'win32'", - "version": "==4.7.0" + "version": "==4.8.0" }, "pickleshare": { "hashes": [ @@ -1201,10 +1279,10 @@ }, "six": { "hashes": [ - "sha256:1f1b7d42e254082a9db6279deae68afb421ceba6158efa6131de7b3003ee93fd", - "sha256:30f610279e8b2578cab6db20741130331735c781b56053c59c4076da27f06b66" + "sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a", + "sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c" ], - "version": "==1.13.0" + "version": "==1.14.0" }, "smmap2": { "hashes": [ @@ -1285,10 +1363,10 @@ }, "urllib3": { "hashes": [ - "sha256:a8a318824cc77d1fd4b2bec2ded92646630d7fe8619497b142c84a9e6f5a7293", - "sha256:f3c5fd51747d450d4dcf6f923c81f78f811aab8205fda64b0aba34a4e48b0745" + "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc", + "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc" ], - "version": "==1.25.7" + "version": "==1.25.8" }, "watchdog": { "hashes": [ @@ -1319,10 +1397,10 @@ }, "zipp": { "hashes": [ - "sha256:8dda78f06bd1674bd8720df8a50bb47b6e1233c503a4eed8e7810686bde37656", - "sha256:d38fbe01bbf7a3593a32bc35a9c4453c32bc42b98c377f9bff7e9f8da157786c" + "sha256:b338014b9bc7102ca69e0fb96ed07215a8954d2989bc5d83658494ab2ba634af", + "sha256:e013e7800f60ec4dde789ebf4e9f7a54236e4bbf5df2a1a4e20ce9e1d9609d67" ], - "version": "==1.0.0" + "version": "==2.0.1" } } } diff --git a/README.md b/README.md index 1dfc1ad1..2681346e 100644 --- a/README.md +++ b/README.md @@ -255,6 +255,7 @@ To generate coverage reports for the Javascript tests: - `SERVER_NAME`: Hostname for ATAT. Only needs to be specified in contexts where the hostname cannot be inferred from the request, such as Celery workers. https://flask.palletsprojects.com/en/1.1.x/config/#SERVER_NAME - `SESSION_COOKIE_NAME`: String value specifying the name to use for the session cookie. https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_NAME - `SESSION_COOKIE_DOMAIN`: String value specifying the name to use for the session cookie. This should be set to the root domain so that it is valid for both the main site and the authentication subdomain. https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_DOMAIN +- `SESSION_KEY_PREFIX`: A prefix that is added before all session keys: https://pythonhosted.org/Flask-Session/#configuration - `SESSION_TYPE`: String value specifying the cookie storage backend. https://pythonhosted.org/Flask-Session/ - `SESSION_USE_SIGNER`: Boolean value specifying if the cookie sid should be signed. - `SQLALCHEMY_ECHO`: Boolean value specifying if SQLAlchemy should log queries to stdout. diff --git a/alembic/env.py b/alembic/env.py index 91b96364..5ea815e3 100644 --- a/alembic/env.py +++ b/alembic/env.py @@ -29,11 +29,13 @@ parent_dir = Path(__file__).parent.parent sys.path.append(parent_dir) from atst.app import make_config + app_config = make_config() -config.set_main_option('sqlalchemy.url', app_config['DATABASE_URI']) +config.set_main_option("sqlalchemy.url", app_config["DATABASE_URI"]) from atst.database import db from atst.models import * + target_metadata = Base.metadata @@ -51,7 +53,8 @@ def run_migrations_offline(): """ url = config.get_main_option("sqlalchemy.url") context.configure( - url=url, target_metadata=target_metadata, literal_binds=True) + url=url, target_metadata=target_metadata, literal_binds=True, compare_type=True + ) with context.begin_transaction(): context.run_migrations() @@ -66,18 +69,19 @@ def run_migrations_online(): """ connectable = engine_from_config( config.get_section(config.config_ini_section), - prefix='sqlalchemy.', - poolclass=pool.NullPool) + prefix="sqlalchemy.", + poolclass=pool.NullPool, + ) with connectable.connect() as connection: context.configure( - connection=connection, - target_metadata=target_metadata + connection=connection, target_metadata=target_metadata, compare_type=True ) with context.begin_transaction(): context.run_migrations() + if context.is_offline_mode(): run_migrations_offline() else: diff --git a/alembic/versions/26319c44a8d5_state_machine_states_extended.py b/alembic/versions/26319c44a8d5_state_machine_states_extended.py new file mode 100644 index 00000000..720e50ee --- /dev/null +++ b/alembic/versions/26319c44a8d5_state_machine_states_extended.py @@ -0,0 +1,132 @@ +"""state machine states extended + +Revision ID: 26319c44a8d5 +Revises: 59973fa17ded +Create Date: 2020-01-22 15:54:03.186751 + +""" +from alembic import op +import sqlalchemy as sa + +# revision identifiers, used by Alembic. +revision = "26319c44a8d5" # pragma: allowlist secret +down_revision = "59973fa17ded" # pragma: allowlist secret +branch_labels = None +depends_on = None + + +def upgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.alter_column( + "portfolio_state_machines", + "state", + existing_type=sa.Enum( + "UNSTARTED", + "STARTING", + "STARTED", + "COMPLETED", + "FAILED", + "TENANT_CREATED", + "TENANT_IN_PROGRESS", + "TENANT_FAILED", + "BILLING_PROFILE_CREATED", + "BILLING_PROFILE_IN_PROGRESS", + "BILLING_PROFILE_FAILED", + "ADMIN_SUBSCRIPTION_CREATED", + "ADMIN_SUBSCRIPTION_IN_PROGRESS", + "ADMIN_SUBSCRIPTION_FAILED", + name="fsmstates", + native_enum=False, + ), + type_=sa.Enum( + "UNSTARTED", + "STARTING", + "STARTED", + "COMPLETED", + "FAILED", + "TENANT_CREATED", + "TENANT_IN_PROGRESS", + "TENANT_FAILED", + "BILLING_PROFILE_CREATION_CREATED", + "BILLING_PROFILE_CREATION_IN_PROGRESS", + "BILLING_PROFILE_CREATION_FAILED", + "BILLING_PROFILE_VERIFICATION_CREATED", + "BILLING_PROFILE_VERIFICATION_IN_PROGRESS", + "BILLING_PROFILE_VERIFICATION_FAILED", + "BILLING_PROFILE_TENANT_ACCESS_CREATED", + "BILLING_PROFILE_TENANT_ACCESS_IN_PROGRESS", + "BILLING_PROFILE_TENANT_ACCESS_FAILED", + "TASK_ORDER_BILLING_CREATION_CREATED", + "TASK_ORDER_BILLING_CREATION_IN_PROGRESS", + "TASK_ORDER_BILLING_CREATION_FAILED", + "TASK_ORDER_BILLING_VERIFICATION_CREATED", + "TASK_ORDER_BILLING_VERIFICATION_IN_PROGRESS", + "TASK_ORDER_BILLING_VERIFICATION_FAILED", + "BILLING_INSTRUCTION_CREATED", + "BILLING_INSTRUCTION_IN_PROGRESS", + "BILLING_INSTRUCTION_FAILED", + name="fsmstates", + native_enum=False, + create_constraint=False, + ), + existing_nullable=False, + ) + # ### end Alembic commands ### + + +def downgrade(): + # ### commands auto generated by Alembic - please adjust! ### + op.alter_column( + "portfolio_state_machines", + "state", + existing_type=sa.Enum( + "UNSTARTED", + "STARTING", + "STARTED", + "COMPLETED", + "FAILED", + "TENANT_CREATED", + "TENANT_IN_PROGRESS", + "TENANT_FAILED", + "BILLING_PROFILE_CREATION_CREATED", + "BILLING_PROFILE_CREATION_IN_PROGRESS", + "BILLING_PROFILE_CREATION_FAILED", + "BILLING_PROFILE_VERIFICATION_CREATED", + "BILLING_PROFILE_VERIFICATION_IN_PROGRESS", + "BILLING_PROFILE_VERIFICATION_FAILED", + "BILLING_PROFILE_TENANT_ACCESS_CREATED", + "BILLING_PROFILE_TENANT_ACCESS_IN_PROGRESS", + "BILLING_PROFILE_TENANT_ACCESS_FAILED", + "TASK_ORDER_BILLING_CREATION_CREATED", + "TASK_ORDER_BILLING_CREATION_IN_PROGRESS", + "TASK_ORDER_BILLING_CREATION_FAILED", + "TASK_ORDER_BILLING_VERIFICATION_CREATED", + "TASK_ORDER_BILLING_VERIFICATION_IN_PROGRESS", + "TASK_ORDER_BILLING_VERIFICATION_FAILED", + "BILLING_INSTRUCTION_CREATED", + "BILLING_INSTRUCTION_IN_PROGRESS", + "BILLING_INSTRUCTION_FAILED", + name="fsmstates", + native_enum=False, + ), + type_=sa.Enum( + "UNSTARTED", + "STARTING", + "STARTED", + "COMPLETED", + "FAILED", + "TENANT_CREATED", + "TENANT_IN_PROGRESS", + "TENANT_FAILED", + "BILLING_PROFILE_CREATED", + "BILLING_PROFILE_IN_PROGRESS", + "BILLING_PROFILE_FAILED", + "ADMIN_SUBSCRIPTION_CREATED", + "ADMIN_SUBSCRIPTION_IN_PROGRESS", + "ADMIN_SUBSCRIPTION_FAILED", + name="fsmstates", + native_enum=False, + ), + existing_nullable=False, + ) + # ### end Alembic commands ### diff --git a/atst/domain/auth.py b/atst/domain/auth.py index 73bb1db1..77c22438 100644 --- a/atst/domain/auth.py +++ b/atst/domain/auth.py @@ -1,4 +1,13 @@ -from flask import g, redirect, url_for, session, request, current_app as app +from flask import ( + g, + redirect, + url_for, + session, + request, + current_app as app, + _request_ctx_stack as request_ctx_stack, +) +from werkzeug.datastructures import ImmutableTypeConversionDict from atst.domain.users import Users @@ -10,7 +19,6 @@ UNPROTECTED_ROUTES = [ "atst.login_redirect", "atst.logout", "atst.unauthorized", - "atst.helpdocs", "static", "atst.about", ] @@ -57,12 +65,26 @@ def get_last_login(): return session.get("user_id") and session.get("last_login") +def _nullify_session(session): + session_key = f"{app.config.get('SESSION_KEY_PREFIX')}{session.sid}" + app.redis.delete(session_key) + request.cookies = ImmutableTypeConversionDict() + request_ctx_stack.top.session = app.session_interface.open_session(app, request) + + +def _current_dod_id(): + return g.current_user.dod_id if session.get("user_id") else None + + def logout(): - if session.get("user_id"): # pragma: no branch - dod_id = g.current_user.dod_id - del session["user_id"] - del session["last_login"] + dod_id = _current_dod_id() + + _nullify_session(session) + + if dod_id: app.logger.info(f"user with EDIPI {dod_id} has logged out") + else: + app.logger.info("unauthenticated user has logged out") def _unprotected_route(request): diff --git a/atst/domain/csp/__init__.py b/atst/domain/csp/__init__.py index fc452935..d886f8a2 100644 --- a/atst/domain/csp/__init__.py +++ b/atst/domain/csp/__init__.py @@ -1,5 +1,3 @@ -import importlib - from .cloud import MockCloudProvider from .file_uploads import AzureUploader, MockUploader from .reports import MockReportingProvider @@ -31,22 +29,3 @@ def make_csp_provider(app, csp=None): app.csp = MockCSP(app, test_mode=True) else: app.csp = MockCSP(app) - - -def _stage_to_classname(stage): - return "".join( - map(lambda word: word.capitalize(), stage.replace("_", " ").split(" ")) - ) - - -def get_stage_csp_class(stage, class_type): - """ - given a stage name and class_type return the class - class_type is either 'payload' or 'result' - - """ - cls_name = "".join([_stage_to_classname(stage), "CSP", class_type.capitalize()]) - try: - return getattr(importlib.import_module("atst.domain.csp.cloud"), cls_name) - except AttributeError: - print("could not import CSP Result class <%s>" % cls_name) diff --git a/atst/domain/csp/cloud.py b/atst/domain/csp/cloud.py deleted file mode 100644 index 9f764da0..00000000 --- a/atst/domain/csp/cloud.py +++ /dev/null @@ -1,878 +0,0 @@ -import re -from typing import Dict -from uuid import uuid4 - -from pydantic import BaseModel - -from atst.models.user import User -from atst.models.environment import Environment -from atst.models.environment_role import EnvironmentRole - - -class GeneralCSPException(Exception): - pass - - -class OperationInProgressException(GeneralCSPException): - """Throw this for instances when the CSP reports that the current entity is already - being operated on/created/deleted/etc - """ - - def __init__(self, operation_desc): - self.operation_desc = operation_desc - - @property - def message(self): - return "An operation for this entity is already in progress: {}".format( - self.operation_desc - ) - - -class AuthenticationException(GeneralCSPException): - """Throw this for instances when there is a problem with the auth credentials: - * Missing credentials - * Incorrect credentials - * Other credential problems - """ - - def __init__(self, auth_error): - self.auth_error = auth_error - - @property - def message(self): - return "An error occurred with authentication: {}".format(self.auth_error) - - -class AuthorizationException(GeneralCSPException): - """Throw this for instances when the current credentials are not authorized - for the current action. - """ - - def __init__(self, auth_error): - self.auth_error = auth_error - - @property - def message(self): - return "An error occurred with authorization: {}".format(self.auth_error) - - -class ConnectionException(GeneralCSPException): - """A general problem with the connection, timeouts or unresolved endpoints - """ - - def __init__(self, connection_error): - self.connection_error = connection_error - - @property - def message(self): - return "Could not connect to cloud provider: {}".format(self.connection_error) - - -class UnknownServerException(GeneralCSPException): - """An error occured on the CSP side (5xx) and we don't know why - """ - - def __init__(self, server_error): - self.server_error = server_error - - @property - def message(self): - return "A server error occured: {}".format(self.server_error) - - -class EnvironmentCreationException(GeneralCSPException): - """If there was an error in creating the environment - """ - - def __init__(self, env_identifier, reason): - self.env_identifier = env_identifier - self.reason = reason - - @property - def message(self): - return "The envionment {} couldn't be created: {}".format( - self.env_identifier, self.reason - ) - - -class UserProvisioningException(GeneralCSPException): - """Failed to provision a user - """ - - def __init__(self, env_identifier, user_identifier, reason): - self.env_identifier = env_identifier - self.user_identifier = user_identifier - self.reason = reason - - @property - def message(self): - return "Failed to create user {} for environment {}: {}".format( - self.user_identifier, self.env_identifier, self.reason - ) - - -class UserRemovalException(GeneralCSPException): - """Failed to remove a user - """ - - def __init__(self, user_csp_id, reason): - self.user_csp_id = user_csp_id - self.reason = reason - - @property - def message(self): - return "Failed to suspend or delete user {}: {}".format( - self.user_csp_id, self.reason - ) - - -class BaselineProvisionException(GeneralCSPException): - """If there's any issues standing up whatever is required - for an environment baseline - """ - - def __init__(self, env_identifier, reason): - self.env_identifier = env_identifier - self.reason = reason - - @property - def message(self): - return "Could not complete baseline provisioning for environment ({}): {}".format( - self.env_identifier, self.reason - ) - - -class BaseCSPPayload(BaseModel): - # {"username": "mock-cloud", "pass": "shh"} - creds: Dict - - -class TenantCSPPayload(BaseCSPPayload): - user_id: str - password: str - domain_name: str - first_name: str - last_name: str - country_code: str - password_recovery_email_address: str - - -class TenantCSPResult(BaseModel): - user_id: str - tenant_id: str - user_object_id: str - - -class BillingProfileAddress(BaseModel): - address: Dict - """ - "address": { - "firstName": "string", - "lastName": "string", - "companyName": "string", - "addressLine1": "string", - "addressLine2": "string", - "addressLine3": "string", - "city": "string", - "region": "string", - "country": "string", - "postalCode": "string" - }, - """ - - -class BillingProfileCLINBudget(BaseModel): - clinBudget: Dict - """ - "clinBudget": { - "amount": 0, - "startDate": "2019-12-18T16:47:40.909Z", - "endDate": "2019-12-18T16:47:40.909Z", - "externalReferenceId": "string" - } - """ - - -class BillingProfileCSPPayload( - BaseCSPPayload, BillingProfileAddress, BillingProfileCLINBudget -): - displayName: str - poNumber: str - invoiceEmailOptIn: str - - """ - { - "displayName": "string", - "poNumber": "string", - "address": { - "firstName": "string", - "lastName": "string", - "companyName": "string", - "addressLine1": "string", - "addressLine2": "string", - "addressLine3": "string", - "city": "string", - "region": "string", - "country": "string", - "postalCode": "string" - }, - "invoiceEmailOptIn": true, - Note: These last 2 are also the body for adding/updating new TOs/clins - "enabledAzurePlans": [ - { - "skuId": "string" - } - ], - "clinBudget": { - "amount": 0, - "startDate": "2019-12-18T16:47:40.909Z", - "endDate": "2019-12-18T16:47:40.909Z", - "externalReferenceId": "string" - } - } - """ - - -class CloudProviderInterface: - def root_creds(self) -> Dict: - raise NotImplementedError() - - def create_environment( - self, auth_credentials: Dict, user: User, environment: Environment - ) -> str: - """Create a new environment in the CSP. - - Arguments: - auth_credentials -- Object containing CSP account credentials - user -- ATAT user authorizing the environment creation - environment -- ATAT Environment model - - Returns: - string: ID of created environment - - Raises: - AuthenticationException: Problem with the credentials - AuthorizationException: Credentials not authorized for current action(s) - ConnectionException: Issue with the CSP API connection - UnknownServerException: Unknown issue on the CSP side - EnvironmentExistsException: Environment already exists and has been created - """ - raise NotImplementedError() - - def create_atat_admin_user( - self, auth_credentials: Dict, csp_environment_id: str - ) -> Dict: - """Creates a new, programmatic user in the CSP. Grants this user full permissions to administer - the CSP. - - Arguments: - auth_credentials -- Object containing CSP account credentials - csp_environment_id -- ID of the CSP Environment the admin user should be created in - - Returns: - object: Object representing new remote admin user, including credentials - Something like: - { - "user_id": string, - "credentials": dict, # structure TBD based on csp - } - - Raises: - AuthenticationException: Problem with the credentials - AuthorizationException: Credentials not authorized for current action(s) - ConnectionException: Issue with the CSP API connection - UnknownServerException: Unknown issue on the CSP side - UserProvisioningException: Problem creating the root user - """ - raise NotImplementedError() - - def create_or_update_user( - self, auth_credentials: Dict, user_info: EnvironmentRole, csp_role_id: str - ) -> str: - """Creates a user or updates an existing user's role. - - Arguments: - auth_credentials -- Object containing CSP account credentials - user_info -- instance of EnvironmentRole containing user data - if it has a csp_user_id it will try to update that user - csp_role_id -- The id of the role the user should be given in the CSP - - Returns: - string: Returns the interal csp_user_id of the created/updated user account - - Raises: - AuthenticationException: Problem with the credentials - AuthorizationException: Credentials not authorized for current action(s) - ConnectionException: Issue with the CSP API connection - UnknownServerException: Unknown issue on the CSP side - UserProvisioningException: User couldn't be created or modified - """ - raise NotImplementedError() - - def disable_user(self, auth_credentials: Dict, csp_user_id: str) -> bool: - """Revoke all privileges for a user. Used to prevent user access while a full - delete is being processed. - - Arguments: - auth_credentials -- Object containing CSP account credentials - csp_user_id -- CSP internal user identifier - - Returns: - bool -- True on success - - Raises: - AuthenticationException: Problem with the credentials - AuthorizationException: Credentials not authorized for current action(s) - ConnectionException: Issue with the CSP API connection - UnknownServerException: Unknown issue on the CSP side - UserRemovalException: User couldn't be suspended - """ - raise NotImplementedError() - - def get_calculator_url(self) -> str: - """Returns the calculator url for the CSP. - This will likely be a static property elsewhere once a CSP is chosen. - """ - raise NotImplementedError() - - def get_environment_login_url(self, environment) -> str: - """Returns the login url for a given environment - This may move to be a computed property on the Environment domain object - """ - raise NotImplementedError() - - -class MockCloudProvider(CloudProviderInterface): - - # TODO: All of these constants - AUTHENTICATION_EXCEPTION = AuthenticationException("Authentication failure.") - AUTHORIZATION_EXCEPTION = AuthorizationException("Not authorized.") - NETWORK_EXCEPTION = ConnectionException("Network failure.") - SERVER_EXCEPTION = UnknownServerException("Not our fault.") - - SERVER_FAILURE_PCT = 1 - NETWORK_FAILURE_PCT = 7 - ENV_CREATE_FAILURE_PCT = 12 - ATAT_ADMIN_CREATE_FAILURE_PCT = 12 - UNAUTHORIZED_RATE = 2 - - def __init__( - self, config, with_delay=True, with_failure=True, with_authorization=True - ): - from time import sleep - import random - - self._with_delay = with_delay - self._with_failure = with_failure - self._with_authorization = with_authorization - self._sleep = sleep - self._random = random - - def root_creds(self): - return self._auth_credentials - - def create_environment(self, auth_credentials, user, environment): - self._authorize(auth_credentials) - - self._delay(1, 5) - self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) - self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) - self._maybe_raise( - self.ENV_CREATE_FAILURE_PCT, - EnvironmentCreationException( - environment.id, "Could not create environment." - ), - ) - - csp_environment_id = self._id() - - self._delay(1, 5) - self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) - self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) - self._maybe_raise( - self.ATAT_ADMIN_CREATE_FAILURE_PCT, - BaselineProvisionException( - csp_environment_id, "Could not create environment baseline." - ), - ) - self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) - - return csp_environment_id - - def create_atat_admin_user(self, auth_credentials, csp_environment_id): - self._authorize(auth_credentials) - - self._delay(1, 5) - self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) - self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) - self._maybe_raise( - self.ATAT_ADMIN_CREATE_FAILURE_PCT, - UserProvisioningException( - csp_environment_id, "atat_admin", "Could not create admin user." - ), - ) - - self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) - - return {"id": self._id(), "credentials": self._auth_credentials} - - def create_tenant(self, payload): - """ - payload is an instance of TenantCSPPayload data class - """ - - self._authorize(payload.creds) - - self._delay(1, 5) - - self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) - self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) - self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) - # return tenant id, tenant owner id and tenant owner object id from: - response = {"tenantId": "string", "userId": "string", "objectId": "string"} - return { - "tenant_id": response["tenantId"], - "user_id": response["userId"], - "user_object_id": response["objectId"], - } - - def create_billing_profile(self, creds, tenant_admin_details, billing_owner_id): - # call billing profile creation endpoint, specifying owner - # Payload: - """ - { - "displayName": "string", - "poNumber": "string", - "address": { - "firstName": "string", - "lastName": "string", - "companyName": "string", - "addressLine1": "string", - "addressLine2": "string", - "addressLine3": "string", - "city": "string", - "region": "string", - "country": "string", - "postalCode": "string" - }, - "invoiceEmailOptIn": true, - Note: These last 2 are also the body for adding/updating new TOs/clins - "enabledAzurePlans": [ - { - "skuId": "string" - } - ], - "clinBudget": { - "amount": 0, - "startDate": "2019-12-18T16:47:40.909Z", - "endDate": "2019-12-18T16:47:40.909Z", - "externalReferenceId": "string" - } - } - """ - # response will be mostly the same as the body, but we only really care about the id - self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) - self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) - self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) - - response = {"id": "string"} - return {"billing_profile_id": response["id"]} - - def create_or_update_user(self, auth_credentials, user_info, csp_role_id): - self._authorize(auth_credentials) - - self._delay(1, 5) - self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) - self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) - self._maybe_raise( - self.ATAT_ADMIN_CREATE_FAILURE_PCT, - UserProvisioningException( - user_info.environment.id, - user_info.application_role.user_id, - "Could not create user.", - ), - ) - - self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) - return self._id() - - def disable_user(self, auth_credentials, csp_user_id): - self._authorize(auth_credentials) - self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) - self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) - - self._maybe_raise( - self.ATAT_ADMIN_CREATE_FAILURE_PCT, - UserRemovalException(csp_user_id, "Could not disable user."), - ) - - return self._maybe(12) - - def get_calculator_url(self): - return "https://www.rackspace.com/en-us/calculator" - - def get_environment_login_url(self, environment): - """Returns the login url for a given environment - """ - return "https://www.mycloud.com/my-env-login" - - def _id(self): - return uuid4().hex - - def _delay(self, min_secs, max_secs): - if self._with_delay: - duration = self._random.randrange(min_secs, max_secs) - self._sleep(duration) - - def _maybe(self, pct): - return not self._with_failure or self._random.randrange(0, 100) < pct - - def _maybe_raise(self, pct, exc): - if self._with_failure and self._maybe(pct): - raise exc - - @property - def _auth_credentials(self): - return {"username": "mock-cloud", "pass": "shh"} - - def _authorize(self, credentials): - self._delay(1, 5) - if self._with_authorization and credentials != self._auth_credentials: - raise self.AUTHENTICATION_EXCEPTION - - -AZURE_ENVIRONMENT = "AZURE_PUBLIC_CLOUD" # TBD -AZURE_SKU_ID = "?" # probably a static sku specific to ATAT/JEDI -SUBSCRIPTION_ID_REGEX = re.compile( - "subscriptions\/([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})", - re.I, -) - -# This needs to be a fully pathed role definition identifier, not just a UUID -REMOTE_ROOT_ROLE_DEF_ID = "/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-4000-8000-000000000000" - - -class AzureSDKProvider(object): - def __init__(self): - from azure.mgmt import subscription, authorization - import azure.graphrbac as graphrbac - import azure.common.credentials as credentials - from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD - - self.subscription = subscription - self.authorization = authorization - self.graphrbac = graphrbac - self.credentials = credentials - # may change to a JEDI cloud - self.cloud = AZURE_PUBLIC_CLOUD - - -class AzureCloudProvider(CloudProviderInterface): - def __init__(self, config, azure_sdk_provider=None): - self.config = config - - self.client_id = config["AZURE_CLIENT_ID"] - self.secret_key = config["AZURE_SECRET_KEY"] - self.tenant_id = config["AZURE_TENANT_ID"] - - if azure_sdk_provider is None: - self.sdk = AzureSDKProvider() - else: - self.sdk = azure_sdk_provider - - def create_environment( - self, auth_credentials: Dict, user: User, environment: Environment - ): - credentials = self._get_credential_obj(self._root_creds) - sub_client = self.sdk.subscription.SubscriptionClient(credentials) - - display_name = f"{environment.application.name}_{environment.name}_{environment.id}" # proposed format - - billing_profile_id = "?" # something chained from environment? - sku_id = AZURE_SKU_ID - # we want to set AT-AT as an owner here - # we could potentially associate subscriptions with "management groups" per DOD component - body = self.sdk.subscription.models.ModernSubscriptionCreationParameters( - display_name, - billing_profile_id, - sku_id, - # owner= - ) - - # These 2 seem like something that might be worthwhile to allow tiebacks to - # TOs filed for the environment - billing_account_name = "?" - invoice_section_name = "?" - # We may also want to create billing sections in the enrollment account - sub_creation_operation = sub_client.subscription_factory.create_subscription( - billing_account_name, invoice_section_name, body - ) - - # the resulting object from this process is a link to the new subscription - # not a subscription model, so we'll have to unpack the ID - new_sub = sub_creation_operation.result() - - subscription_id = self._extract_subscription_id(new_sub.subscription_link) - if subscription_id: - return subscription_id - else: - # troublesome error, subscription should exist at this point - # but we just don't have a valid ID - pass - - def create_atat_admin_user( - self, auth_credentials: Dict, csp_environment_id: str - ) -> Dict: - root_creds = self._root_creds - credentials = self._get_credential_obj(root_creds) - - sub_client = self.sdk.subscription.SubscriptionClient(credentials) - subscription = sub_client.subscriptions.get(csp_environment_id) - - managment_principal = self._get_management_service_principal() - - auth_client = self.sdk.authorization.AuthorizationManagementClient( - credentials, - # TODO: Determine which subscription this needs to point at - # Once we're in a multi-sub environment - subscription.id, - ) - - # Create role assignment for - role_assignment_id = str(uuid4()) - role_assignment_create_params = auth_client.role_assignments.models.RoleAssignmentCreateParameters( - role_definition_id=REMOTE_ROOT_ROLE_DEF_ID, - principal_id=managment_principal.id, - ) - - auth_client.role_assignments.create( - scope=f"/subscriptions/{subscription.id}/", - role_assignment_name=role_assignment_id, - parameters=role_assignment_create_params, - ) - - return { - "csp_user_id": managment_principal.object_id, - "credentials": managment_principal.password_credentials, - "role_name": role_assignment_id, - } - - def create_tenant(self, payload): - # auth as SP that is allowed to create tenant? (tenant creation sp creds) - # create tenant with owner details (populated from portfolio point of contact, pw is generated) - - # return tenant id, tenant owner id and tenant owner object id from: - response = {"tenantId": "string", "userId": "string", "objectId": "string"} - return self._ok( - { - "tenant_id": response["tenantId"], - "user_id": response["userId"], - "user_object_id": response["objectId"], - } - ) - - def create_billing_owner(self, creds, tenant_admin_details): - # authenticate as tenant_admin - # create billing owner identity - - # TODO: Lookup response format - # Managed service identity? - response = {"id": "string"} - return self._ok({"billing_owner_id": response["id"]}) - - def assign_billing_owner(self, creds, billing_owner_id, tenant_id): - # TODO: Do we source role definition ID from config, api or self-defined? - # TODO: If from api, - """ - { - "principalId": "string", - "principalTenantId": "string", - "billingRoleDefinitionId": "string" - } - """ - - return self.ok() - - def create_billing_profile(self, creds, tenant_admin_details, billing_owner_id): - # call billing profile creation endpoint, specifying owner - # Payload: - """ - { - "displayName": "string", - "poNumber": "string", - "address": { - "firstName": "string", - "lastName": "string", - "companyName": "string", - "addressLine1": "string", - "addressLine2": "string", - "addressLine3": "string", - "city": "string", - "region": "string", - "country": "string", - "postalCode": "string" - }, - "invoiceEmailOptIn": true, - Note: These last 2 are also the body for adding/updating new TOs/clins - "enabledAzurePlans": [ - { - "skuId": "string" - } - ], - "clinBudget": { - "amount": 0, - "startDate": "2019-12-18T16:47:40.909Z", - "endDate": "2019-12-18T16:47:40.909Z", - "externalReferenceId": "string" - } - } - """ - - # response will be mostly the same as the body, but we only really care about the id - response = {"id": "string"} - return self._ok({"billing_profile_id": response["id"]}) - - def report_clin(self, creds, clin_id, clin_amount, clin_start, clin_end, clin_to): - # should consumer be responsible for reporting each clin or - # should this take a list and manage the sequential reporting? - """ Payload - { - "enabledAzurePlans": [ - { - "skuId": "string" - } - ], - "clinBudget": { - "amount": 0, - "startDate": "2019-12-18T16:47:40.909Z", - "endDate": "2019-12-18T16:47:40.909Z", - "externalReferenceId": "string" - } - } - """ - - # we don't need any of the returned info for this - return self._ok() - - def create_remote_admin(self, creds, tenant_details): - # create app/service principal within tenant, with name constructed from tenant details - # assign principal global admin - - # needs to call out to CLI with tenant owner username/password, prototyping for that underway - - # return identifier and creds to consumer for storage - response = {"clientId": "string", "secretKey": "string", "tenantId": "string"} - return self._ok( - { - "client_id": response["clientId"], - "secret_key": response["secret_key"], - "tenant_id": response["tenantId"], - } - ) - - def force_tenant_admin_pw_update(self, creds, tenant_owner_id): - # use creds to update to force password recovery? - # not sure what the endpoint/method for this is, yet - - return self._ok() - - def create_billing_alerts(self, TBD): - # TODO: Add azure-mgmt-consumption for Budget and Notification entities/operations - # TODO: Determine how to auth against that API using the SDK, doesn't seeem possible at the moment - # TODO: billing alerts are registered as Notifications on Budget objects, which have start/end dates - # TODO: determine what the keys in the Notifications dict are supposed to be - # we may need to rotate budget objects when new TOs/CLINs are reported? - - # we likely only want the budget ID, can be updated or replaced? - response = {"id": "id"} - return self._ok({"budget_id": response["id"]}) - - def _get_management_service_principal(self): - # we really should be using graph.microsoft.com, but i'm getting - # "expired token" errors for that - # graph_resource = "https://graph.microsoft.com" - graph_resource = "https://graph.windows.net" - graph_creds = self._get_credential_obj( - self._root_creds, resource=graph_resource - ) - # I needed to set permissions for the graph.windows.net API before I - # could get this to work. - - # how do we scope the graph client to the new subscription rather than - # the cloud0 subscription? tenant id seems to be separate from subscription id - graph_client = self.sdk.graphrbac.GraphRbacManagementClient( - graph_creds, self._root_creds.get("tenant_id") - ) - - # do we need to create a new application to manage each subscripition - # or should we manage access to each subscription from a single service - # principal with multiple role assignments? - app_display_name = "?" # name should reflect the subscription it exists - app_create_param = self.sdk.graphrbac.models.ApplicationCreateParameters( - display_name=app_display_name - ) - - # we need the appropriate perms here: - # https://docs.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-beta&tabs=http - # https://docs.microsoft.com/en-us/graph/permissions-reference#microsoft-graph-permission-names - # set app perms in app registration portal - # https://docs.microsoft.com/en-us/graph/auth-v2-service#2-configure-permissions-for-microsoft-graph - app: self.sdk.graphrbac.models.Application = graph_client.applications.create( - app_create_param - ) - - # create a new service principle for the new application, which should be scoped - # to the new subscription - app_id = app.app_id - sp_create_params = self.sdk.graphrbac.models.ServicePrincipalCreateParameters( - app_id=app_id, account_enabled=True - ) - - service_principal = graph_client.service_principals.create(sp_create_params) - - return service_principal - - def _extract_subscription_id(self, subscription_url): - sub_id_match = SUBSCRIPTION_ID_REGEX.match(subscription_url) - - if sub_id_match: - return sub_id_match.group(1) - - def _get_credential_obj(self, creds, resource=None): - - return self.sdk.credentials.ServicePrincipalCredentials( - client_id=creds.get("client_id"), - secret=creds.get("secret_key"), - tenant=creds.get("tenant_id"), - resource=resource, - cloud_environment=self.sdk.cloud, - ) - - def _make_tenant_admin_cred_obj(self, username, password): - return self.sdk.credentials.UserPassCredentials(username, password) - - def _ok(self, body=None): - return self._make_response("ok", body) - - def _error(self, body=None): - return self._make_response("error", body) - - def _make_response(self, status, body=dict()): - """Create body for responses from API - - Arguments: - status {string} -- "ok" or "error" - body {dict} -- dict containing details of response or error, if applicable - - Returns: - dict -- status of call with body containing details - """ - return {"status": status, "body": body} - - @property - def _root_creds(self): - return { - "client_id": self.client_id, - "secret_key": self.secret_key, - "tenant_id": self.tenant_id, - } diff --git a/atst/domain/csp/cloud/__init__.py b/atst/domain/csp/cloud/__init__.py new file mode 100644 index 00000000..99128d9c --- /dev/null +++ b/atst/domain/csp/cloud/__init__.py @@ -0,0 +1,3 @@ +from .azure_cloud_provider import AzureCloudProvider +from .cloud_provider_interface import CloudProviderInterface +from .mock_cloud_provider import MockCloudProvider diff --git a/atst/domain/csp/cloud/azure_cloud_provider.py b/atst/domain/csp/cloud/azure_cloud_provider.py new file mode 100644 index 00000000..5a6a9253 --- /dev/null +++ b/atst/domain/csp/cloud/azure_cloud_provider.py @@ -0,0 +1,628 @@ +import re +from secrets import token_urlsafe +from typing import Dict +from uuid import uuid4 + +from atst.models.application import Application +from atst.models.environment import Environment +from atst.models.user import User + +from .cloud_provider_interface import CloudProviderInterface +from .exceptions import AuthenticationException +from .models import ( + BillingInstructionCSPPayload, + BillingInstructionCSPResult, + BillingProfileCreationCSPPayload, + BillingProfileCreationCSPResult, + BillingProfileTenantAccessCSPPayload, + BillingProfileTenantAccessCSPResult, + BillingProfileVerificationCSPPayload, + BillingProfileVerificationCSPResult, + TaskOrderBillingCreationCSPPayload, + TaskOrderBillingCreationCSPResult, + TaskOrderBillingVerificationCSPPayload, + TaskOrderBillingVerificationCSPResult, + TenantCSPPayload, + TenantCSPResult, +) +from .policy import AzurePolicyManager + +AZURE_ENVIRONMENT = "AZURE_PUBLIC_CLOUD" # TBD +AZURE_SKU_ID = "?" # probably a static sku specific to ATAT/JEDI +SUBSCRIPTION_ID_REGEX = re.compile( + "subscriptions\/([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})", + re.I, +) + +# This needs to be a fully pathed role definition identifier, not just a UUID +REMOTE_ROOT_ROLE_DEF_ID = "/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-4000-8000-000000000000" +AZURE_MANAGEMENT_API = "https://management.azure.com" + + +class AzureSDKProvider(object): + def __init__(self): + from azure.mgmt import subscription, authorization, managementgroups + from azure.mgmt.resource import policy + import azure.graphrbac as graphrbac + import azure.common.credentials as credentials + import azure.identity as identity + from azure.keyvault import secrets + + from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD + import adal + import requests + + self.subscription = subscription + self.policy = policy + self.managementgroups = managementgroups + self.authorization = authorization + self.adal = adal + self.graphrbac = graphrbac + self.credentials = credentials + self.identity = identity + self.exceptions = exceptions + self.secrets = secrets + self.requests = requests + # may change to a JEDI cloud + self.cloud = AZURE_PUBLIC_CLOUD + + +class AzureCloudProvider(CloudProviderInterface): + def __init__(self, config, azure_sdk_provider=None): + self.config = config + + self.client_id = config["AZURE_CLIENT_ID"] + self.secret_key = config["AZURE_SECRET_KEY"] + self.tenant_id = config["AZURE_TENANT_ID"] + self.vault_url = config["AZURE_VAULT_URL"] + + if azure_sdk_provider is None: + self.sdk = AzureSDKProvider() + else: + self.sdk = azure_sdk_provider + + self.policy_manager = AzurePolicyManager(config["AZURE_POLICY_LOCATION"]) + + def set_secret(self, secret_key, secret_value): + credential = self._get_client_secret_credential_obj({}) + secret_client = self.secrets.SecretClient( + vault_url=self.vault_url, credential=credential, + ) + try: + return secret_client.set_secret(secret_key, secret_value) + except self.exceptions.HttpResponseError: + app.logger.error( + f"Could not SET secret in Azure keyvault for key {secret_key}.", + exc_info=1, + ) + + def get_secret(self, secret_key): + credential = self._get_client_secret_credential_obj({}) + secret_client = self.secrets.SecretClient( + vault_url=self.vault_url, credential=credential, + ) + try: + return secret_client.get_secret(secret_key).value + except self.exceptions.HttpResponseError: + app.logger.error( + f"Could not GET secret in Azure keyvault for key {secret_key}.", + exc_info=1, + ) + + def create_environment( + self, auth_credentials: Dict, user: User, environment: Environment + ): + # since this operation would only occur within a tenant, should we source the tenant + # via lookup from environment once we've created the portfolio csp data schema + # something like this: + # environment_tenant = environment.application.portfolio.csp_data.get('tenant_id', None) + # though we'd probably source the whole credentials for these calls from the portfolio csp + # data, as it would have to be where we store the creds for the at-at user within the portfolio tenant + # credentials = self._get_credential_obj(environment.application.portfolio.csp_data.get_creds()) + credentials = self._get_credential_obj(self._root_creds) + display_name = f"{environment.application.name}_{environment.name}_{environment.id}" # proposed format + management_group_id = "?" # management group id chained from environment + parent_id = "?" # from environment.application + + management_group = self._create_management_group( + credentials, management_group_id, display_name, parent_id, + ) + + return management_group + + def create_atat_admin_user( + self, auth_credentials: Dict, csp_environment_id: str + ) -> Dict: + root_creds = self._root_creds + credentials = self._get_credential_obj(root_creds) + + sub_client = self.sdk.subscription.SubscriptionClient(credentials) + subscription = sub_client.subscriptions.get(csp_environment_id) + + managment_principal = self._get_management_service_principal() + + auth_client = self.sdk.authorization.AuthorizationManagementClient( + credentials, + # TODO: Determine which subscription this needs to point at + # Once we're in a multi-sub environment + subscription.id, + ) + + # Create role assignment for + role_assignment_id = str(uuid4()) + role_assignment_create_params = auth_client.role_assignments.models.RoleAssignmentCreateParameters( + role_definition_id=REMOTE_ROOT_ROLE_DEF_ID, + principal_id=managment_principal.id, + ) + + auth_client.role_assignments.create( + scope=f"/subscriptions/{subscription.id}/", + role_assignment_name=role_assignment_id, + parameters=role_assignment_create_params, + ) + + return { + "csp_user_id": managment_principal.object_id, + "credentials": managment_principal.password_credentials, + "role_name": role_assignment_id, + } + + def _create_application(self, auth_credentials: Dict, application: Application): + management_group_name = str(uuid4()) # can be anything, not just uuid + display_name = application.name # Does this need to be unique? + credentials = self._get_credential_obj(auth_credentials) + parent_id = "?" # application.portfolio.csp_details.management_group_id + + return self._create_management_group( + credentials, management_group_name, display_name, parent_id, + ) + + def _create_management_group( + self, credentials, management_group_id, display_name, parent_id=None, + ): + mgmgt_group_client = self.sdk.managementgroups.ManagementGroupsAPI(credentials) + create_parent_grp_info = self.sdk.managementgroups.models.CreateParentGroupInfo( + id=parent_id + ) + create_mgmt_grp_details = self.sdk.managementgroups.models.CreateManagementGroupDetails( + parent=create_parent_grp_info + ) + mgmt_grp_create = self.sdk.managementgroups.models.CreateManagementGroupRequest( + name=management_group_id, + display_name=display_name, + details=create_mgmt_grp_details, + ) + create_request = mgmgt_group_client.management_groups.create_or_update( + management_group_id, mgmt_grp_create + ) + + # result is a synchronous wait, might need to do a poll instead to handle first mgmt group create + # since we were told it could take 10+ minutes to complete, unless this handles that polling internally + return create_request.result() + + def _create_subscription( + self, + credentials, + display_name, + billing_profile_id, + sku_id, + management_group_id, + billing_account_name, + invoice_section_name, + ): + sub_client = self.sdk.subscription.SubscriptionClient(credentials) + + billing_profile_id = "?" # where do we source this? + sku_id = AZURE_SKU_ID + # These 2 seem like something that might be worthwhile to allow tiebacks to + # TOs filed for the environment + billing_account_name = "?" # from TO? + invoice_section_name = "?" # from TO? + + body = self.sdk.subscription.models.ModernSubscriptionCreationParameters( + display_name=display_name, + billing_profile_id=billing_profile_id, + sku_id=sku_id, + management_group_id=management_group_id, + ) + + # We may also want to create billing sections in the enrollment account + sub_creation_operation = sub_client.subscription_factory.create_subscription( + billing_account_name, invoice_section_name, body + ) + + # the resulting object from this process is a link to the new subscription + # not a subscription model, so we'll have to unpack the ID + new_sub = sub_creation_operation.result() + + subscription_id = self._extract_subscription_id(new_sub.subscription_link) + if subscription_id: + return subscription_id + else: + # troublesome error, subscription should exist at this point + # but we just don't have a valid ID + pass + + def _create_policy_definition( + self, credentials, subscription_id, management_group_id, properties, + ): + """ + Requires credentials that have AZURE_MANAGEMENT_API + specified as the resource. The Service Principal + specified in the credentials must have the "Resource + Policy Contributor" role assigned with a scope at least + as high as the management group specified by + management_group_id. + + Arguments: + credentials -- ServicePrincipalCredentials + subscription_id -- str, ID of the subscription (just the UUID, not the path) + management_group_id -- str, ID of the management group (just the UUID, not the path) + properties -- dictionary, the "properties" section of a valid Azure policy definition document + + Returns: + azure.mgmt.resource.policy.[api version].models.PolicyDefinition: the PolicyDefinition object provided to Azure + + Raises: + TBD + """ + # TODO: which subscription would this be? + client = self.sdk.policy.PolicyClient(credentials, subscription_id) + + definition = client.policy_definitions.models.PolicyDefinition( + policy_type=properties.get("policyType"), + mode=properties.get("mode"), + display_name=properties.get("displayName"), + description=properties.get("description"), + policy_rule=properties.get("policyRule"), + parameters=properties.get("parameters"), + ) + + name = properties.get("displayName") + + return client.policy_definitions.create_or_update_at_management_group( + policy_definition_name=name, + parameters=definition, + management_group_id=management_group_id, + ) + + def create_tenant(self, payload: TenantCSPPayload): + sp_token = self._get_sp_token(payload.creds) + if sp_token is None: + raise AuthenticationException("Could not resolve token for tenant creation") + payload.password = token_urlsafe(16) + create_tenant_body = payload.dict(by_alias=True) + + create_tenant_headers = { + "Authorization": f"Bearer {sp_token}", + } + + result = self.sdk.requests.post( + "https://management.azure.com/providers/Microsoft.SignUp/createTenant?api-version=2020-01-01-preview", + json=create_tenant_body, + headers=create_tenant_headers, + ) + + if result.status_code == 200: + return self._ok( + TenantCSPResult( + **result.json(), + tenant_admin_password=payload.password, + tenant_admin_username=payload.user_id, + ) + ) + else: + return self._error(result.json()) + + def create_billing_profile_creation( + self, payload: BillingProfileCreationCSPPayload + ): + sp_token = self._get_sp_token(payload.creds) + if sp_token is None: + raise AuthenticationException( + "Could not resolve token for billing profile creation" + ) + + create_billing_account_body = payload.dict(by_alias=True) + + create_billing_account_headers = { + "Authorization": f"Bearer {sp_token}", + } + + billing_account_create_url = f"https://management.azure.com/providers/Microsoft.Billing/billingAccounts/{payload.billing_account_name}/billingProfiles?api-version=2019-10-01-preview" + + result = self.sdk.requests.post( + billing_account_create_url, + json=create_billing_account_body, + headers=create_billing_account_headers, + ) + + if result.status_code == 202: + # 202 has location/retry after headers + return self._ok(BillingProfileCreationCSPResult(**result.headers)) + elif result.status_code == 200: + # NB: Swagger docs imply call can sometimes resolve immediately + return self._ok(BillingProfileVerificationCSPResult(**result.json())) + else: + return self._error(result.json()) + + def create_billing_profile_verification( + self, payload: BillingProfileVerificationCSPPayload + ): + sp_token = self._get_sp_token(payload.creds) + if sp_token is None: + raise AuthenticationException( + "Could not resolve token for billing profile validation" + ) + + auth_header = { + "Authorization": f"Bearer {sp_token}", + } + + result = self.sdk.requests.get( + payload.billing_profile_verify_url, headers=auth_header + ) + + if result.status_code == 202: + # 202 has location/retry after headers + return self._ok(BillingProfileCreationCSPResult(**result.headers)) + elif result.status_code == 200: + return self._ok(BillingProfileVerificationCSPResult(**result.json())) + else: + return self._error(result.json()) + + def create_billing_profile_tenant_access( + self, payload: BillingProfileTenantAccessCSPPayload + ): + sp_token = self._get_sp_token(payload.creds) + request_body = { + "properties": { + "principalTenantId": payload.tenant_id, # from tenant creation + "principalId": payload.user_object_id, # from tenant creationn + "roleDefinitionId": f"/providers/Microsoft.Billing/billingAccounts/{payload.billing_account_name}/billingProfiles/{payload.billing_profile_name}/billingRoleDefinitions/40000000-aaaa-bbbb-cccc-100000000000", + } + } + + headers = { + "Authorization": f"Bearer {sp_token}", + } + + url = f"https://management.azure.com/providers/Microsoft.Billing/billingAccounts/{payload.billing_account_name}/billingProfiles/{payload.billing_profile_name}/createBillingRoleAssignment?api-version=2019-10-01-preview" + + result = self.sdk.requests.post(url, headers=headers, json=request_body) + if result.status_code == 201: + return self._ok(BillingProfileTenantAccessCSPResult(**result.json())) + else: + return self._error(result.json()) + + def create_task_order_billing_creation( + self, payload: TaskOrderBillingCreationCSPPayload + ): + sp_token = self._get_sp_token(payload.creds) + request_body = [ + { + "op": "replace", + "path": "/enabledAzurePlans", + "value": [{"skuId": "0001"}], + } + ] + + request_headers = { + "Authorization": f"Bearer {sp_token}", + } + + url = f"https://management.azure.com/providers/Microsoft.Billing/billingAccounts/{payload.billing_account_name}/billingProfiles/{payload.billing_profile_name}?api-version=2019-10-01-preview" + + result = self.sdk.requests.patch( + url, headers=request_headers, json=request_body + ) + + if result.status_code == 202: + # 202 has location/retry after headers + return self._ok(TaskOrderBillingCreationCSPResult(**result.headers)) + elif result.status_code == 200: + return self._ok(TaskOrderBillingVerificationCSPResult(**result.json())) + else: + return self._error(result.json()) + + def create_task_order_billing_verification( + self, payload: TaskOrderBillingVerificationCSPPayload + ): + sp_token = self._get_sp_token(payload.creds) + if sp_token is None: + raise AuthenticationException( + "Could not resolve token for task order billing validation" + ) + + auth_header = { + "Authorization": f"Bearer {sp_token}", + } + + result = self.sdk.requests.get( + payload.task_order_billing_verify_url, headers=auth_header + ) + + if result.status_code == 202: + # 202 has location/retry after headers + return self._ok(TaskOrderBillingCreationCSPResult(**result.headers)) + elif result.status_code == 200: + return self._ok(TaskOrderBillingVerificationCSPResult(**result.json())) + else: + return self._error(result.json()) + + def create_billing_instruction(self, payload: BillingInstructionCSPPayload): + sp_token = self._get_sp_token(payload.creds) + if sp_token is None: + raise AuthenticationException( + "Could not resolve token for task order billing validation" + ) + + request_body = { + "properties": { + "amount": payload.initial_clin_amount, + "startDate": payload.initial_clin_start_date, + "endDate": payload.initial_clin_end_date, + } + } + + url = f"https://management.azure.com/providers/Microsoft.Billing/billingAccounts/{payload.billing_account_name}/billingProfiles/{payload.billing_profile_name}/instructions/{payload.initial_task_order_id}:CLIN00{payload.initial_clin_type}?api-version=2019-10-01-preview" + + auth_header = { + "Authorization": f"Bearer {sp_token}", + } + + result = self.sdk.requests.put(url, headers=auth_header, json=request_body) + + if result.status_code == 200: + return self._ok(BillingInstructionCSPResult(**result.json())) + else: + return self._error(result.json()) + + def create_remote_admin(self, creds, tenant_details): + # create app/service principal within tenant, with name constructed from tenant details + # assign principal global admin + + # needs to call out to CLI with tenant owner username/password, prototyping for that underway + + # return identifier and creds to consumer for storage + response = {"clientId": "string", "secretKey": "string", "tenantId": "string"} + return self._ok( + { + "client_id": response["clientId"], + "secret_key": response["secret_key"], + "tenant_id": response["tenantId"], + } + ) + + def force_tenant_admin_pw_update(self, creds, tenant_owner_id): + # use creds to update to force password recovery? + # not sure what the endpoint/method for this is, yet + + return self._ok() + + def create_billing_alerts(self, TBD): + # TODO: Add azure-mgmt-consumption for Budget and Notification entities/operations + # TODO: Determine how to auth against that API using the SDK, doesn't seeem possible at the moment + # TODO: billing alerts are registered as Notifications on Budget objects, which have start/end dates + # TODO: determine what the keys in the Notifications dict are supposed to be + # we may need to rotate budget objects when new TOs/CLINs are reported? + + # we likely only want the budget ID, can be updated or replaced? + response = {"id": "id"} + return self._ok({"budget_id": response["id"]}) + + def _get_management_service_principal(self): + # we really should be using graph.microsoft.com, but i'm getting + # "expired token" errors for that + # graph_resource = "https://graph.microsoft.com" + graph_resource = "https://graph.windows.net" + graph_creds = self._get_credential_obj( + self._root_creds, resource=graph_resource + ) + # I needed to set permissions for the graph.windows.net API before I + # could get this to work. + + # how do we scope the graph client to the new subscription rather than + # the cloud0 subscription? tenant id seems to be separate from subscription id + graph_client = self.sdk.graphrbac.GraphRbacManagementClient( + graph_creds, self._root_creds.get("tenant_id") + ) + + # do we need to create a new application to manage each subscripition + # or should we manage access to each subscription from a single service + # principal with multiple role assignments? + app_display_name = "?" # name should reflect the subscription it exists + app_create_param = self.sdk.graphrbac.models.ApplicationCreateParameters( + display_name=app_display_name + ) + + # we need the appropriate perms here: + # https://docs.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-beta&tabs=http + # https://docs.microsoft.com/en-us/graph/permissions-reference#microsoft-graph-permission-names + # set app perms in app registration portal + # https://docs.microsoft.com/en-us/graph/auth-v2-service#2-configure-permissions-for-microsoft-graph + app: self.sdk.graphrbac.models.Application = graph_client.applications.create( + app_create_param + ) + + # create a new service principle for the new application, which should be scoped + # to the new subscription + app_id = app.app_id + sp_create_params = self.sdk.graphrbac.models.ServicePrincipalCreateParameters( + app_id=app_id, account_enabled=True + ) + + service_principal = graph_client.service_principals.create(sp_create_params) + + return service_principal + + def _extract_subscription_id(self, subscription_url): + sub_id_match = SUBSCRIPTION_ID_REGEX.match(subscription_url) + + if sub_id_match: + return sub_id_match.group(1) + + def _get_sp_token(self, creds): + home_tenant_id = creds.get("home_tenant_id") + client_id = creds.get("client_id") + secret_key = creds.get("secret_key") + + # TODO: Make endpoints consts or configs + authentication_endpoint = "https://login.microsoftonline.com/" + resource = "https://management.azure.com/" + + context = self.sdk.adal.AuthenticationContext( + authentication_endpoint + home_tenant_id + ) + + # TODO: handle failure states here + token_response = context.acquire_token_with_client_credentials( + resource, client_id, secret_key + ) + + return token_response.get("accessToken", None) + + def _get_credential_obj(self, creds, resource=None): + return self.sdk.credentials.ServicePrincipalCredentials( + client_id=creds.get("client_id"), + secret=creds.get("secret_key"), + tenant=creds.get("tenant_id"), + resource=resource, + cloud_environment=self.sdk.cloud, + ) + + def _get_client_secret_credential_obj(self, creds): + return self.sdk.identity.ClientSecretCredential( + tenant_id=creds.get("tenant_id"), + client_id=creds.get("client_id"), + client_secret=creds.get("secret_key"), + ) + + def _make_tenant_admin_cred_obj(self, username, password): + return self.sdk.credentials.UserPassCredentials(username, password) + + def _ok(self, body=None): + return self._make_response("ok", body) + + def _error(self, body=None): + return self._make_response("error", body) + + def _make_response(self, status, body=dict()): + """Create body for responses from API + + Arguments: + status {string} -- "ok" or "error" + body {dict} -- dict containing details of response or error, if applicable + + Returns: + dict -- status of call with body containing details + """ + return {"status": status, "body": body} + + @property + def _root_creds(self): + return { + "client_id": self.client_id, + "secret_key": self.secret_key, + "tenant_id": self.tenant_id, + } diff --git a/atst/domain/csp/cloud/cloud_provider_interface.py b/atst/domain/csp/cloud/cloud_provider_interface.py new file mode 100644 index 00000000..7f975c07 --- /dev/null +++ b/atst/domain/csp/cloud/cloud_provider_interface.py @@ -0,0 +1,126 @@ +from typing import Dict + +from atst.models.user import User +from atst.models.environment import Environment +from atst.models.environment_role import EnvironmentRole + + +class CloudProviderInterface: + def set_secret(self, secret_key: str, secret_value: str): + raise NotImplementedError() + + def get_secret(self, secret_key: str): + raise NotImplementedError() + + def root_creds(self) -> Dict: + raise NotImplementedError() + + def create_environment( + self, auth_credentials: Dict, user: User, environment: Environment + ) -> str: + """Create a new environment in the CSP. + + Arguments: + auth_credentials -- Object containing CSP account credentials + user -- ATAT user authorizing the environment creation + environment -- ATAT Environment model + + Returns: + string: ID of created environment + + Raises: + AuthenticationException: Problem with the credentials + AuthorizationException: Credentials not authorized for current action(s) + ConnectionException: Issue with the CSP API connection + UnknownServerException: Unknown issue on the CSP side + EnvironmentExistsException: Environment already exists and has been created + """ + raise NotImplementedError() + + def create_atat_admin_user( + self, auth_credentials: Dict, csp_environment_id: str + ) -> Dict: + """Creates a new, programmatic user in the CSP. Grants this user full permissions to administer + the CSP. + + Arguments: + auth_credentials -- Object containing CSP account credentials + csp_environment_id -- ID of the CSP Environment the admin user should be created in + + Returns: + object: Object representing new remote admin user, including credentials + Something like: + { + "user_id": string, + "credentials": dict, # structure TBD based on csp + } + + Raises: + AuthenticationException: Problem with the credentials + AuthorizationException: Credentials not authorized for current action(s) + ConnectionException: Issue with the CSP API connection + UnknownServerException: Unknown issue on the CSP side + UserProvisioningException: Problem creating the root user + """ + raise NotImplementedError() + + def create_or_update_user( + self, auth_credentials: Dict, user_info: EnvironmentRole, csp_role_id: str + ) -> str: + """Creates a user or updates an existing user's role. + + Arguments: + auth_credentials -- Object containing CSP account credentials + user_info -- instance of EnvironmentRole containing user data + if it has a csp_user_id it will try to update that user + csp_role_id -- The id of the role the user should be given in the CSP + + Returns: + string: Returns the interal csp_user_id of the created/updated user account + + Raises: + AuthenticationException: Problem with the credentials + AuthorizationException: Credentials not authorized for current action(s) + ConnectionException: Issue with the CSP API connection + UnknownServerException: Unknown issue on the CSP side + UserProvisioningException: User couldn't be created or modified + """ + raise NotImplementedError() + + def disable_user(self, auth_credentials: Dict, csp_user_id: str) -> bool: + """Revoke all privileges for a user. Used to prevent user access while a full + delete is being processed. + + Arguments: + auth_credentials -- Object containing CSP account credentials + csp_user_id -- CSP internal user identifier + + Returns: + bool -- True on success + + Raises: + AuthenticationException: Problem with the credentials + AuthorizationException: Credentials not authorized for current action(s) + ConnectionException: Issue with the CSP API connection + UnknownServerException: Unknown issue on the CSP side + UserRemovalException: User couldn't be suspended + """ + raise NotImplementedError() + + def get_calculator_url(self) -> str: + """Returns the calculator url for the CSP. + This will likely be a static property elsewhere once a CSP is chosen. + """ + raise NotImplementedError() + + def get_environment_login_url(self, environment) -> str: + """Returns the login url for a given environment + This may move to be a computed property on the Environment domain object + """ + raise NotImplementedError() + + def create_subscription(self, environment): + """Returns True if a new subscription has been created or raises an + exception if an error occurs while creating a subscription. + """ + raise NotImplementedError() diff --git a/atst/domain/csp/cloud/exceptions.py b/atst/domain/csp/cloud/exceptions.py new file mode 100644 index 00000000..6ed47dff --- /dev/null +++ b/atst/domain/csp/cloud/exceptions.py @@ -0,0 +1,131 @@ +class GeneralCSPException(Exception): + pass + + +class OperationInProgressException(GeneralCSPException): + """Throw this for instances when the CSP reports that the current entity is already + being operated on/created/deleted/etc + """ + + def __init__(self, operation_desc): + self.operation_desc = operation_desc + + @property + def message(self): + return "An operation for this entity is already in progress: {}".format( + self.operation_desc + ) + + +class AuthenticationException(GeneralCSPException): + """Throw this for instances when there is a problem with the auth credentials: + * Missing credentials + * Incorrect credentials + * Other credential problems + """ + + def __init__(self, auth_error): + self.auth_error = auth_error + + @property + def message(self): + return "An error occurred with authentication: {}".format(self.auth_error) + + +class AuthorizationException(GeneralCSPException): + """Throw this for instances when the current credentials are not authorized + for the current action. + """ + + def __init__(self, auth_error): + self.auth_error = auth_error + + @property + def message(self): + return "An error occurred with authorization: {}".format(self.auth_error) + + +class ConnectionException(GeneralCSPException): + """A general problem with the connection, timeouts or unresolved endpoints + """ + + def __init__(self, connection_error): + self.connection_error = connection_error + + @property + def message(self): + return "Could not connect to cloud provider: {}".format(self.connection_error) + + +class UnknownServerException(GeneralCSPException): + """An error occured on the CSP side (5xx) and we don't know why + """ + + def __init__(self, server_error): + self.server_error = server_error + + @property + def message(self): + return "A server error occured: {}".format(self.server_error) + + +class EnvironmentCreationException(GeneralCSPException): + """If there was an error in creating the environment + """ + + def __init__(self, env_identifier, reason): + self.env_identifier = env_identifier + self.reason = reason + + @property + def message(self): + return "The envionment {} couldn't be created: {}".format( + self.env_identifier, self.reason + ) + + +class UserProvisioningException(GeneralCSPException): + """Failed to provision a user + """ + + def __init__(self, env_identifier, user_identifier, reason): + self.env_identifier = env_identifier + self.user_identifier = user_identifier + self.reason = reason + + @property + def message(self): + return "Failed to create user {} for environment {}: {}".format( + self.user_identifier, self.env_identifier, self.reason + ) + + +class UserRemovalException(GeneralCSPException): + """Failed to remove a user + """ + + def __init__(self, user_csp_id, reason): + self.user_csp_id = user_csp_id + self.reason = reason + + @property + def message(self): + return "Failed to suspend or delete user {}: {}".format( + self.user_csp_id, self.reason + ) + + +class BaselineProvisionException(GeneralCSPException): + """If there's any issues standing up whatever is required + for an environment baseline + """ + + def __init__(self, env_identifier, reason): + self.env_identifier = env_identifier + self.reason = reason + + @property + def message(self): + return "Could not complete baseline provisioning for environment ({}): {}".format( + self.env_identifier, self.reason + ) diff --git a/atst/domain/csp/cloud/mock_cloud_provider.py b/atst/domain/csp/cloud/mock_cloud_provider.py new file mode 100644 index 00000000..a6c338b5 --- /dev/null +++ b/atst/domain/csp/cloud/mock_cloud_provider.py @@ -0,0 +1,342 @@ +from uuid import uuid4 + +from atst.domain.csp.cloud.exceptions import ( + BaselineProvisionException, + EnvironmentCreationException, + GeneralCSPException, + UserProvisioningException, + UserRemovalException, +) +from atst.domain.csp.cloud.models import BillingProfileTenantAccessCSPResult + +from .cloud_provider_interface import CloudProviderInterface +from .exceptions import ( + AuthenticationException, + AuthorizationException, + ConnectionException, + UnknownServerException, +) +from .models import ( + BillingInstructionCSPPayload, + BillingInstructionCSPResult, + BillingProfileCreationCSPPayload, + BillingProfileCreationCSPResult, + BillingProfileVerificationCSPPayload, + BillingProfileVerificationCSPResult, + TaskOrderBillingCreationCSPPayload, + TaskOrderBillingCreationCSPResult, + TaskOrderBillingVerificationCSPPayload, + TaskOrderBillingVerificationCSPResult, + TenantCSPPayload, + TenantCSPResult, +) + + +class MockCloudProvider(CloudProviderInterface): + + # TODO: All of these constants + AUTHENTICATION_EXCEPTION = AuthenticationException("Authentication failure.") + AUTHORIZATION_EXCEPTION = AuthorizationException("Not authorized.") + NETWORK_EXCEPTION = ConnectionException("Network failure.") + SERVER_EXCEPTION = UnknownServerException("Not our fault.") + + SERVER_FAILURE_PCT = 1 + NETWORK_FAILURE_PCT = 7 + ENV_CREATE_FAILURE_PCT = 12 + ATAT_ADMIN_CREATE_FAILURE_PCT = 12 + UNAUTHORIZED_RATE = 2 + + def __init__( + self, config, with_delay=True, with_failure=True, with_authorization=True + ): + from time import sleep + import random + + self._with_delay = with_delay + self._with_failure = with_failure + self._with_authorization = with_authorization + self._sleep = sleep + self._random = random + + def root_creds(self): + return self._auth_credentials + + def set_secret(self, secret_key: str, secret_value: str): + pass + + def get_secret(self, secret_key: str, default=dict()): + return default + + def create_environment(self, auth_credentials, user, environment): + self._authorize(auth_credentials) + + self._delay(1, 5) + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + self._maybe_raise( + self.ENV_CREATE_FAILURE_PCT, + EnvironmentCreationException( + environment.id, "Could not create environment." + ), + ) + + csp_environment_id = self._id() + + self._delay(1, 5) + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + self._maybe_raise( + self.ATAT_ADMIN_CREATE_FAILURE_PCT, + BaselineProvisionException( + csp_environment_id, "Could not create environment baseline." + ), + ) + self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) + + return csp_environment_id + + def create_atat_admin_user(self, auth_credentials, csp_environment_id): + self._authorize(auth_credentials) + + self._delay(1, 5) + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + self._maybe_raise( + self.ATAT_ADMIN_CREATE_FAILURE_PCT, + UserProvisioningException( + csp_environment_id, "atat_admin", "Could not create admin user." + ), + ) + + self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) + + return {"id": self._id(), "credentials": self._auth_credentials} + + def create_tenant(self, payload: TenantCSPPayload): + """ + payload is an instance of TenantCSPPayload data class + """ + + self._authorize(payload.creds) + + self._delay(1, 5) + + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) + + return TenantCSPResult( + **{ + "tenant_id": "", + "user_id": "", + "user_object_id": "", + "tenant_admin_username": "test", + "tenant_admin_password": "test", + } + ) + + def create_billing_profile_creation( + self, payload: BillingProfileCreationCSPPayload + ): + # response will be mostly the same as the body, but we only really care about the id + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) + + return BillingProfileCreationCSPResult( + **dict( + billing_profile_verify_url="https://zombo.com", + billing_profile_retry_after=10, + ) + ) + + def create_billing_profile_verification( + self, payload: BillingProfileVerificationCSPPayload + ): + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) + return BillingProfileVerificationCSPResult( + **{ + "id": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB", + "name": "KQWI-W2SU-BG7-TGB", + "properties": { + "address": { + "addressLine1": "123 S Broad Street, Suite 2400", + "city": "Philadelphia", + "companyName": "Promptworks", + "country": "US", + "postalCode": "19109", + "region": "PA", + }, + "currency": "USD", + "displayName": "Test Billing Profile", + "enabledAzurePlans": [], + "hasReadAccess": True, + "invoiceDay": 5, + "invoiceEmailOptIn": False, + "invoiceSections": [ + { + "id": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB/invoiceSections/CHCO-BAAR-PJA-TGB", + "name": "CHCO-BAAR-PJA-TGB", + "properties": {"displayName": "Test Billing Profile"}, + "type": "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections", + } + ], + }, + "type": "Microsoft.Billing/billingAccounts/billingProfiles", + } + ) + + def create_billing_profile_tenant_access(self, payload): + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) + + return BillingProfileTenantAccessCSPResult( + **{ + "id": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB/billingRoleAssignments/40000000-aaaa-bbbb-cccc-100000000000_0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d", + "name": "40000000-aaaa-bbbb-cccc-100000000000_0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d", + "properties": { + "createdOn": "2020-01-14T14:39:26.3342192+00:00", + "createdByPrincipalId": "82e2b376-3297-4096-8743-ed65b3be0b03", + "principalId": "0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d", + "principalTenantId": "60ff9d34-82bf-4f21-b565-308ef0533435", + "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB/billingRoleDefinitions/40000000-aaaa-bbbb-cccc-100000000000", + "scope": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB", + }, + "type": "Microsoft.Billing/billingRoleAssignments", + } + ) + + def create_task_order_billing_creation( + self, payload: TaskOrderBillingCreationCSPPayload + ): + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) + + return TaskOrderBillingCreationCSPResult( + **{"Location": "https://somelocation", "Retry-After": "10"} + ) + + def create_task_order_billing_verification( + self, payload: TaskOrderBillingVerificationCSPPayload + ): + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) + + return TaskOrderBillingVerificationCSPResult( + **{ + "id": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/XC36-GRNZ-BG7-TGB", + "name": "XC36-GRNZ-BG7-TGB", + "properties": { + "address": { + "addressLine1": "123 S Broad Street, Suite 2400", + "city": "Philadelphia", + "companyName": "Promptworks", + "country": "US", + "postalCode": "19109", + "region": "PA", + }, + "currency": "USD", + "displayName": "First Portfolio Billing Profile", + "enabledAzurePlans": [ + { + "productId": "DZH318Z0BPS6", + "skuId": "0001", + "skuDescription": "Microsoft Azure Plan", + } + ], + "hasReadAccess": True, + "invoiceDay": 5, + "invoiceEmailOptIn": False, + }, + "type": "Microsoft.Billing/billingAccounts/billingProfiles", + } + ) + + def create_billing_instruction(self, payload: BillingInstructionCSPPayload): + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) + + return BillingInstructionCSPResult( + **{ + "name": "TO1:CLIN001", + "properties": { + "amount": 1000.0, + "endDate": "2020-03-01T00:00:00+00:00", + "startDate": "2020-01-01T00:00:00+00:00", + }, + "type": "Microsoft.Billing/billingAccounts/billingProfiles/billingInstructions", + } + ) + + def create_or_update_user(self, auth_credentials, user_info, csp_role_id): + self._authorize(auth_credentials) + + self._delay(1, 5) + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + self._maybe_raise( + self.ATAT_ADMIN_CREATE_FAILURE_PCT, + UserProvisioningException( + user_info.environment.id, + user_info.application_role.user_id, + "Could not create user.", + ), + ) + + self._maybe_raise(self.UNAUTHORIZED_RATE, self.AUTHORIZATION_EXCEPTION) + return self._id() + + def disable_user(self, auth_credentials, csp_user_id): + self._authorize(auth_credentials) + self._maybe_raise(self.NETWORK_FAILURE_PCT, self.NETWORK_EXCEPTION) + self._maybe_raise(self.SERVER_FAILURE_PCT, self.SERVER_EXCEPTION) + + self._maybe_raise( + self.ATAT_ADMIN_CREATE_FAILURE_PCT, + UserRemovalException(csp_user_id, "Could not disable user."), + ) + + return self._maybe(12) + + def create_subscription(self, environment): + self._maybe_raise(self.UNAUTHORIZED_RATE, GeneralCSPException) + + return True + + def get_calculator_url(self): + return "https://www.rackspace.com/en-us/calculator" + + def get_environment_login_url(self, environment): + """Returns the login url for a given environment + """ + return "https://www.mycloud.com/my-env-login" + + def _id(self): + return uuid4().hex + + def _delay(self, min_secs, max_secs): + if self._with_delay: + duration = self._random.randrange(min_secs, max_secs) + self._sleep(duration) + + def _maybe(self, pct): + return not self._with_failure or self._random.randrange(0, 100) < pct + + def _maybe_raise(self, pct, exc): + if self._with_failure and self._maybe(pct): + raise exc + + @property + def _auth_credentials(self): + return {"username": "mock-cloud", "password": "shh"} # pragma: allowlist secret + + def _authorize(self, credentials): + self._delay(1, 5) + if self._with_authorization and credentials != self._auth_credentials: + raise self.AUTHENTICATION_EXCEPTION diff --git a/atst/domain/csp/cloud/models.py b/atst/domain/csp/cloud/models.py new file mode 100644 index 00000000..c6bf0ede --- /dev/null +++ b/atst/domain/csp/cloud/models.py @@ -0,0 +1,234 @@ +from typing import Dict, List, Optional + +from pydantic import BaseModel, validator + +from atst.utils import snake_to_camel + + +class AliasModel(BaseModel): + """ + This provides automatic camel <-> snake conversion for serializing to/from json + You can override the alias generation in subclasses by providing a Config that defines + a fields property with a dict mapping variables to their cast names, for cases like: + * some_url:someURL + * user_object_id:objectId + """ + + class Config: + alias_generator = snake_to_camel + allow_population_by_field_name = True + + +class BaseCSPPayload(AliasModel): + # {"username": "mock-cloud", "pass": "shh"} + creds: Dict + + def dict(self, *args, **kwargs): + exclude = {"creds"} + if "exclude" not in kwargs: + kwargs["exclude"] = exclude + else: + kwargs["exclude"].update(exclude) + + return super().dict(*args, **kwargs) + + +class TenantCSPPayload(BaseCSPPayload): + user_id: str + password: Optional[str] + domain_name: str + first_name: str + last_name: str + country_code: str + password_recovery_email_address: str + + +class TenantCSPResult(AliasModel): + user_id: str + tenant_id: str + user_object_id: str + + tenant_admin_username: Optional[str] + tenant_admin_password: Optional[str] + + class Config: + fields = { + "user_object_id": "objectId", + } + + def dict(self, *args, **kwargs): + exclude = {"tenant_admin_username", "tenant_admin_password"} + if "exclude" not in kwargs: + kwargs["exclude"] = exclude + else: + kwargs["exclude"].update(exclude) + + return super().dict(*args, **kwargs) + + def get_creds(self): + return { + "tenant_admin_username": self.tenant_admin_username, + "tenant_admin_password": self.tenant_admin_password, + "tenant_id": self.tenant_id, + } + + +class BillingProfileAddress(AliasModel): + company_name: str + address_line_1: str + city: str + region: str + country: str + postal_code: str + + +class BillingProfileCLINBudget(AliasModel): + clin_budget: Dict + """ + "clinBudget": { + "amount": 0, + "startDate": "2019-12-18T16:47:40.909Z", + "endDate": "2019-12-18T16:47:40.909Z", + "externalReferenceId": "string" + } + """ + + +class BillingProfileCreationCSPPayload(BaseCSPPayload): + tenant_id: str + billing_profile_display_name: str + billing_account_name: str + enabled_azure_plans: Optional[List[str]] + address: BillingProfileAddress + + @validator("enabled_azure_plans", pre=True, always=True) + def default_enabled_azure_plans(cls, v): + """ + Normally you'd implement this by setting the field with a value of: + dataclasses.field(default_factory=list) + but that prevents the object from being correctly pickled, so instead we need + to rely on a validator to ensure this has an empty value when not specified + """ + return v or [] + + class Config: + fields = {"billing_profile_display_name": "displayName"} + + +class BillingProfileCreationCSPResult(AliasModel): + billing_profile_verify_url: str + billing_profile_retry_after: int + + class Config: + fields = { + "billing_profile_verify_url": "Location", + "billing_profile_retry_after": "Retry-After", + } + + +class BillingProfileVerificationCSPPayload(BaseCSPPayload): + billing_profile_verify_url: str + + +class BillingInvoiceSection(AliasModel): + invoice_section_id: str + invoice_section_name: str + + class Config: + fields = {"invoice_section_id": "id", "invoice_section_name": "name"} + + +class BillingProfileProperties(AliasModel): + address: BillingProfileAddress + billing_profile_display_name: str + invoice_sections: List[BillingInvoiceSection] + + class Config: + fields = {"billing_profile_display_name": "displayName"} + + +class BillingProfileVerificationCSPResult(AliasModel): + billing_profile_id: str + billing_profile_name: str + billing_profile_properties: BillingProfileProperties + + class Config: + fields = { + "billing_profile_id": "id", + "billing_profile_name": "name", + "billing_profile_properties": "properties", + } + + +class BillingProfileTenantAccessCSPPayload(BaseCSPPayload): + tenant_id: str + user_object_id: str + billing_account_name: str + billing_profile_name: str + + +class BillingProfileTenantAccessCSPResult(AliasModel): + billing_role_assignment_id: str + billing_role_assignment_name: str + + class Config: + fields = { + "billing_role_assignment_id": "id", + "billing_role_assignment_name": "name", + } + + +class TaskOrderBillingCreationCSPPayload(BaseCSPPayload): + billing_account_name: str + billing_profile_name: str + + +class TaskOrderBillingCreationCSPResult(AliasModel): + task_order_billing_verify_url: str + task_order_retry_after: int + + class Config: + fields = { + "task_order_billing_verify_url": "Location", + "task_order_retry_after": "Retry-After", + } + + +class TaskOrderBillingVerificationCSPPayload(BaseCSPPayload): + task_order_billing_verify_url: str + + +class BillingProfileEnabledPlanDetails(AliasModel): + enabled_azure_plans: List[Dict] + + +class TaskOrderBillingVerificationCSPResult(AliasModel): + billing_profile_id: str + billing_profile_name: str + billing_profile_enabled_plan_details: BillingProfileEnabledPlanDetails + + class Config: + fields = { + "billing_profile_id": "id", + "billing_profile_name": "name", + "billing_profile_enabled_plan_details": "properties", + } + + +class BillingInstructionCSPPayload(BaseCSPPayload): + initial_clin_amount: float + initial_clin_start_date: str + initial_clin_end_date: str + initial_clin_type: str + initial_task_order_id: str + billing_account_name: str + billing_profile_name: str + + +class BillingInstructionCSPResult(AliasModel): + reported_clin_name: str + + class Config: + fields = { + "reported_clin_name": "name", + } diff --git a/atst/domain/csp/policy.py b/atst/domain/csp/cloud/policy.py similarity index 100% rename from atst/domain/csp/policy.py rename to atst/domain/csp/cloud/policy.py diff --git a/atst/forms/application_member.py b/atst/forms/application_member.py index 62c5ddfe..a1a4f704 100644 --- a/atst/forms/application_member.py +++ b/atst/forms/application_member.py @@ -46,13 +46,6 @@ class PermissionsForm(FlaskForm): "portfolios.applications.members.form.team_mgmt.description" ), ) - perms_del_env = BooleanField( - translate("portfolios.applications.members.form.del_env.label"), - default=False, - description=translate( - "portfolios.applications.members.form.del_env.description" - ), - ) @property def data(self): @@ -66,9 +59,6 @@ class PermissionsForm(FlaskForm): if _data["perms_team_mgmt"]: perm_sets.append(PermissionSets.EDIT_APPLICATION_TEAM) - if _data["perms_del_env"]: - perm_sets.append(PermissionSets.DELETE_APPLICATION_ENVIRONMENTS) - _data["permission_sets"] = perm_sets return _data diff --git a/atst/jobs.py b/atst/jobs.py index f4611a9a..7172343b 100644 --- a/atst/jobs.py +++ b/atst/jobs.py @@ -9,10 +9,10 @@ from atst.models import ( EnvironmentRole, PortfolioJobFailure, ) -from atst.domain.csp.cloud import CloudProviderInterface, GeneralCSPException +from atst.domain.csp.cloud.exceptions import GeneralCSPException +from atst.domain.csp.cloud import CloudProviderInterface from atst.domain.environments import Environments from atst.domain.portfolios import Portfolios - from atst.domain.environment_roles import EnvironmentRoles from atst.models.utils import claim_for_update from atst.utils.localization import translate diff --git a/atst/models/mixins/state_machines.py b/atst/models/mixins/state_machines.py index bc35209d..37682e5b 100644 --- a/atst/models/mixins/state_machines.py +++ b/atst/models/mixins/state_machines.py @@ -1,5 +1,7 @@ from enum import Enum +from flask import current_app as app + class StageStates(Enum): CREATED = "created" @@ -9,8 +11,12 @@ class StageStates(Enum): class AzureStages(Enum): TENANT = "tenant" - BILLING_PROFILE = "billing profile" - ADMIN_SUBSCRIPTION = "admin subscription" + BILLING_PROFILE_CREATION = "billing profile creation" + BILLING_PROFILE_VERIFICATION = "billing profile verification" + BILLING_PROFILE_TENANT_ACCESS = "billing profile tenant access" + TASK_ORDER_BILLING_CREATION = "task order billing creation" + TASK_ORDER_BILLING_VERIFICATION = "task order billing verification" + BILLING_INSTRUCTION = "billing instruction" def _build_csp_states(csp_stages): @@ -31,14 +37,14 @@ def _build_csp_states(csp_stages): FSMStates = Enum("FSMStates", _build_csp_states(AzureStages)) +compose_state = lambda csp_stage, state: getattr( + FSMStates, "_".join([csp_stage.name, state.name]) +) + def _build_transitions(csp_stages): transitions = [] states = [] - compose_state = lambda csp_stage, state: getattr( - FSMStates, "_".join([csp_stage.name, state.name]) - ) - for stage_i, csp_stage in enumerate(csp_stages): for state in StageStates: states.append( @@ -99,6 +105,22 @@ class FSMMixin: {"trigger": "fail", "source": "*", "dest": FSMStates.FAILED,}, ] + def fail_stage(self, stage): + fail_trigger = "fail" + stage + if fail_trigger in self.machine.get_triggers(self.current_state.name): + self.trigger(fail_trigger) + app.logger.info( + f"calling fail trigger '{fail_trigger}' for '{self.__repr__()}'" + ) + + def finish_stage(self, stage): + finish_trigger = "finish_" + stage + if finish_trigger in self.machine.get_triggers(self.current_state.name): + app.logger.info( + f"calling finish trigger '{finish_trigger}' for '{self.__repr__()}'" + ) + self.trigger(finish_trigger) + def prepare_init(self, event): pass @@ -125,13 +147,3 @@ class FSMMixin: def after_reset(self, event): pass - - def fail_stage(self, stage): - fail_trigger = "fail" + stage - if fail_trigger in self.machine.get_triggers(self.current_state.name): - self.trigger(fail_trigger) - - def finish_stage(self, stage): - finish_trigger = "finish_" + stage - if finish_trigger in self.machine.get_triggers(self.current_state.name): - self.trigger(finish_trigger) diff --git a/atst/models/portfolio_state_machine.py b/atst/models/portfolio_state_machine.py index 3c934197..cf42710b 100644 --- a/atst/models/portfolio_state_machine.py +++ b/atst/models/portfolio_state_machine.py @@ -1,3 +1,5 @@ +import importlib + from sqlalchemy import Column, ForeignKey, Enum as SQLAEnum from sqlalchemy.orm import relationship, reconstructor from sqlalchemy.dialects.postgresql import UUID @@ -8,8 +10,7 @@ from transitions.extensions.states import add_state_features, Tags from flask import current_app as app -from atst.domain.csp.cloud import ConnectionException, UnknownServerException -from atst.domain.csp import MockCSP, AzureCSP, get_stage_csp_class +from atst.domain.csp.cloud.exceptions import ConnectionException, UnknownServerException from atst.database import db from atst.models.types import Id from atst.models.base import Base @@ -17,6 +18,25 @@ import atst.models.mixins as mixins from atst.models.mixins.state_machines import FSMStates, AzureStages, _build_transitions +def _stage_to_classname(stage): + return "".join(map(lambda word: word.capitalize(), stage.split("_"))) + + +def get_stage_csp_class(stage, class_type): + """ + given a stage name and class_type return the class + class_type is either 'payload' or 'result' + + """ + cls_name = f"{_stage_to_classname(stage)}CSP{class_type.capitalize()}" + try: + return getattr( + importlib.import_module("atst.domain.csp.cloud.models"), cls_name + ) + except AttributeError: + print("could not import CSP Result class <%s>" % cls_name) + + @add_state_features(Tags) class StateMachineWithTags(Machine): pass @@ -50,6 +70,9 @@ class PortfolioStateMachine( db.session.add(self) db.session.commit() + def __repr__(self): + return f"") -def helpdocs(doc=None): - docs = [os.path.splitext(file)[0] for file in os.listdir("templates/help/docs")] - if doc: - return render_template("help/docs/{}.html".format(doc), docs=docs, doc=doc) - else: - return render_template("help/index.html", docs=docs, doc=doc) - - @bp.route("/home") def home(): return render_template("home.html") -@bp.route("/") -def catch_all(path): - try: - return render_template("{}.html".format(path)) - except TemplateNotFound: - raise NotFound() - - def _client_s_dn(): return request.environ.get("HTTP_X_SSL_CLIENT_S_DN") diff --git a/atst/routes/applications/index.py b/atst/routes/applications/index.py index 92b65398..8b249faa 100644 --- a/atst/routes/applications/index.py +++ b/atst/routes/applications/index.py @@ -26,7 +26,7 @@ def has_portfolio_applications(_user, portfolio=None, **_kwargs): def portfolio_applications(portfolio_id): user_env_roles = EnvironmentRoles.for_user(g.current_user.id, portfolio_id) environment_access = { - env_role.environment_id: env_role.role for env_role in user_env_roles + env_role.environment_id: env_role.role.value for env_role in user_env_roles } return render_template( diff --git a/atst/routes/applications/settings.py b/atst/routes/applications/settings.py index ed45fe2e..443989db 100644 --- a/atst/routes/applications/settings.py +++ b/atst/routes/applications/settings.py @@ -1,9 +1,10 @@ from flask import ( + current_app as app, + g, redirect, render_template, request as http_request, url_for, - g, ) from .blueprint import applications_bp @@ -12,7 +13,7 @@ from atst.domain.environments import Environments from atst.domain.applications import Applications from atst.domain.application_roles import ApplicationRoles from atst.domain.audit_log import AuditLog -from atst.domain.csp.cloud import GeneralCSPException +from atst.domain.csp.cloud.exceptions import GeneralCSPException from atst.domain.common import Paginator from atst.domain.environment_roles import EnvironmentRoles from atst.domain.invitations import ApplicationInvitations @@ -64,9 +65,6 @@ def filter_perm_sets_data(member): "perms_env_mgmt": bool( member.has_permission_set(PermissionSets.EDIT_APPLICATION_ENVIRONMENTS) ), - "perms_del_env": bool( - member.has_permission_set(PermissionSets.DELETE_APPLICATION_ENVIRONMENTS) - ), } return perm_sets_data @@ -525,3 +523,31 @@ def resend_invite(application_id, application_role_id): _anchor="application-members", ) ) + + +@applications_bp.route( + "/environments//add_subscription", methods=["POST"] +) +@user_can(Permissions.EDIT_ENVIRONMENT, message="create new environment subscription") +def create_subscription(environment_id): + environment = Environments.get(environment_id) + + try: + app.csp.cloud.create_subscription(environment) + flash("environment_subscription_success", name=environment.displayname) + + except GeneralCSPException: + flash("environment_subscription_failure") + return ( + render_settings_page(application=environment.application, show_flash=True), + 400, + ) + + return redirect( + url_for( + "applications.settings", + application_id=environment.application.id, + fragment="application-environments", + _anchor="application-environments", + ) + ) diff --git a/atst/utils/__init__.py b/atst/utils/__init__.py index d3f284cc..09c63dea 100644 --- a/atst/utils/__init__.py +++ b/atst/utils/__init__.py @@ -25,6 +25,11 @@ def camel_to_snake(camel_cased): return re.sub("([a-z0-9])([A-Z])", r"\1_\2", s1).lower() +def snake_to_camel(snake_cased): + parts = snake_cased.split("_") + return f"{parts[0]}{''.join([w.capitalize() for w in parts[1:]])}" + + def pick(keys, dct): _keys = set(keys) return {k: v for (k, v) in dct.items() if k in _keys} diff --git a/atst/utils/flash.py b/atst/utils/flash.py index 02a74cb2..ea85f1ef 100644 --- a/atst/utils/flash.py +++ b/atst/utils/flash.py @@ -83,6 +83,16 @@ MESSAGES = { "message": "flash.environment.deleted.message", "category": "success", }, + "environment_subscription_failure": { + "title": "flash.environment.subscription_failure.title", + "message": "flash.environment.subscription_failure.message", + "category": "error", + }, + "environment_subscription_success": { + "title": "flash.environment.subscription_success.title", + "message": "flash.environment.subscription_success.message", + "category": "success", + }, "form_errors": { "title": "flash.form.errors.title", "message": "flash.form.errors.message", diff --git a/atst/utils/session_limiter.py b/atst/utils/session_limiter.py index cae43c5d..e0c02e0d 100644 --- a/atst/utils/session_limiter.py +++ b/atst/utils/session_limiter.py @@ -4,6 +4,7 @@ from atst.domain.users import Users class SessionLimiter(object): def __init__(self, config, session, redis): self.limit_logins = config["LIMIT_CONCURRENT_SESSIONS"] + self.session_prefix = config.get("SESSION_KEY_PREFIX", "session:") self.session = session self.redis = redis @@ -16,4 +17,4 @@ class SessionLimiter(object): Users.update_last_session_id(user, session_id) def _delete_session(self, session_id): - self.redis.delete("session:{}".format(session_id)) + self.redis.delete(f"{self.session_prefix}{session_id}") diff --git a/config/base.ini b/config/base.ini index 1df7f47a..6fbcce73 100644 --- a/config/base.ini +++ b/config/base.ini @@ -42,6 +42,7 @@ SECRET_KEY = change_me_into_something_secret SERVER_NAME SESSION_COOKIE_NAME=atat SESSION_COOKIE_DOMAIN +SESSION_KEY_PREFIX=session: SESSION_TYPE = redis SESSION_USE_SIGNER = True SQLALCHEMY_ECHO = False diff --git a/deploy/azure/atst-envvars-configmap.yml b/deploy/azure/atst-envvars-configmap.yml index 6f412a3d..edd049a7 100644 --- a/deploy/azure/atst-envvars-configmap.yml +++ b/deploy/azure/atst-envvars-configmap.yml @@ -15,6 +15,7 @@ data: CSP: azure DEBUG: "0" FLASK_ENV: master + LIMIT_CONCURRENT_SESSIONS: "true" LOG_JSON: "true" MAIL_PORT: "587" MAIL_SENDER: postmaster@atat.code.mil diff --git a/script/include/test_functions.inc.sh b/script/include/test_functions.inc.sh index d6bf0b4d..bfd4d343 100644 --- a/script/include/test_functions.inc.sh +++ b/script/include/test_functions.inc.sh @@ -8,7 +8,7 @@ run_python_lint() { } run_python_typecheck() { - run_command "mypy --ignore-missing-imports --follow-imports=skip atst/domain/csp/cloud.py" + run_command "mypy --ignore-missing-imports --follow-imports=skip atst/domain/csp/cloud/__init__.py" return $? } diff --git a/styles/components/_accordion_table.scss b/styles/components/_accordion_table.scss index 9a32c009..67e6fb0a 100644 --- a/styles/components/_accordion_table.scss +++ b/styles/components/_accordion_table.scss @@ -106,7 +106,7 @@ &__expanded { font-size: $small-font-size; font-weight: $font-normal; - background-color: $color-gray-lightest; + background-color: $color-offwhite; padding: $gap; &:last-child { diff --git a/styles/components/_portfolio_layout.scss b/styles/components/_portfolio_layout.scss index af083468..b5be6090 100644 --- a/styles/components/_portfolio_layout.scss +++ b/styles/components/_portfolio_layout.scss @@ -242,14 +242,21 @@ span.accordion-table__item__toggler { font-weight: $font-normal; + text-decoration: underline; + font-size: $small-font-size; &.environment-list__item__members { float: unset; - font-size: $small-font-size; + margin-left: -$gap; } } } + li.environment-list__edit { + border: 1px solid $color-gray-lighter; + padding: 0 $gap * 3 $gap * 2; + } + .activity-log { border-top: 3px solid $color-blue; diff --git a/templates/applications/fragments/environments.html b/templates/applications/fragments/environments.html index 8676bc6d..fa4e5959 100644 --- a/templates/applications/fragments/environments.html +++ b/templates/applications/fragments/environments.html @@ -17,7 +17,7 @@ {% if 0 == environments_obj | length -%}

- This Application has no environments + {{ 'portfolios.applications.environments.blank_slate' | translate }}

{% else %} @@ -31,8 +31,23 @@
- {{ env['name'] }} + + {{ env['name'] }} {{ Icon('link', classes='icon--medium icon--primary') }} + + {% if user_can(permissions.EDIT_ENVIRONMENT) -%} + {{ + ToggleButton( + open_html="common.edit"|translate, + close_html="common.close"|translate, + section_name="edit" + ) + }} + {%- endif %} +
{% set members_button = "portfolios.applications.member_count" | translate({'count': env['member_count']}) %} {{ ToggleButton( @@ -42,23 +57,9 @@ classes="environment-list__item__members" ) }} - {% if user_can(permissions.EDIT_ENVIRONMENT) -%} - {% set edit_environment_button = "Edit" %} - {{ - ToggleButton( - open_html=edit_environment_button, - close_html=edit_environment_button, - section_name="edit" - ) - }} - {%- endif %}
{% if env['pending'] -%} {{ Label(type="changes_pending", classes='label--below')}} - {% else %} - - {{ "portfolios.applications.csp_link" | translate }} {{ Icon('link', classes="icon--tiny") }} - {%- endif %}
@@ -66,7 +67,7 @@ {% call ToggleSection(section_name="members") %}
    {% for member in env['members'] %} - {% set status = ": Access Suspended" if member['status'] == 'disabled' %} + {% set status = "portfolios.applications.environments.disabled"|translate if member['status'] == 'disabled' %}
  • {{ member['user_name'] }}{{ status }}
    • @@ -77,16 +78,28 @@ {% if user_can(permissions.EDIT_ENVIRONMENT) -%} {% call ToggleSection(section_name="edit") %}
      -
    • +
    • -
      + {{ edit_form.csrf_token }} {{ TextInput(edit_form.name, validation='defaultStringField', optional=False) }} - {{ - SaveButton( - text=("common.save_changes" | translate) - ) - }} +
      + {{ + SaveButton( + text=("common.save_changes" | translate) + ) + }} +
      +
      • diff --git a/templates/applications/fragments/member_form_fields.html b/templates/applications/fragments/member_form_fields.html index 7b04f8cc..dd91dd5d 100644 --- a/templates/applications/fragments/member_form_fields.html +++ b/templates/applications/fragments/member_form_fields.html @@ -89,16 +89,13 @@ {% if new %} {% set team_mgmt = form.perms_team_mgmt.name %} {% set env_mgmt = form.perms_env_mgmt.name %} - {% set del_env = form.perms_del_env.name %} {% else %} {% set team_mgmt = "perms_team_mgmt-{}".format(member_role_id) %} {% set env_mgmt = "perms_env_mgmt-{}".format(member_role_id) %} - {% set del_env = "perms_del_env-{}".format(member_role_id) %} {% endif %} {{ CheckboxInput(form.perms_team_mgmt, classes="input__inline-fields", key=team_mgmt, id=team_mgmt, optional=True) }} {{ CheckboxInput(form.perms_env_mgmt, classes="input__inline-fields", key=env_mgmt, id=env_mgmt, optional=True) }} - {{ CheckboxInput(form.perms_del_env, classes="input__inline-fields", key=del_env, id=del_env, optional=True) }}
      diff --git a/templates/components/save_button.html b/templates/components/save_button.html index 5426219f..ebf96e5a 100644 --- a/templates/components/save_button.html +++ b/templates/components/save_button.html @@ -2,7 +2,7 @@ {% set class = "usa-button usa-button-primary " + additional_classes %} {% if element == "button" %} - {% elif element == 'input' %} diff --git a/templates/help/docs/getting-started.html b/templates/help/docs/getting-started.html deleted file mode 100644 index bf32e037..00000000 --- a/templates/help/docs/getting-started.html +++ /dev/null @@ -1,137 +0,0 @@ -{% extends "help/index.html" %} - -{% set subnav = [ - {"label":"Financial Verification", "href":"#financial-verification"}, - {"label":"ID/IQ CLINs", "href":"#idiq-clins"}, - {"label":"JEDI Cloud Applications", "href":"#jedi-cloud-applications"}, -] %} - -{% block doc_content %} - -

      Financial Verification

      - -

      How to prepare for Financial Verification step?

      -

      Once your request is approved, the next step is to create a Task Order (T.O.) associated with the JEDI Cloud ID/IQ. Please contact a Contracting Officer (KO) or Contracting Officer Representative (COR) to help with this step.

      -

      This may also involve talking to your Financial Manager (FM) to secure funding.

      -

      Once the Task Order (T.O.) has been created, you will need to provide information related to the task order and funding in AT-AT. This step is referred to as “Financial Verification.”

      -

      We also recommend getting familiar with the JEDI Cloud CLIN structures so that you know which specific services are available under JEDI and categorized for contracting purposes. This will help you and the Contracting Officer create a Task Order.

      - -

      Why is this important?

      -

      This step allows AT-AT and the CCPO to track and report on cloud infrastructure spending across the Department., It also enables you and your team to see your cloud usage and verify your invoices with your budget.

      - -

      What to prepare for Financial Verification?

      -

      You will need to have these details on hand before filling out the next step.

      - -
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Item you’ll need to provideFormat / ExampleExplanation
      Task Order Number associated with this request*Example:
      1234567899C0001      		 -

      Please include the original Task Order number (including the 000X at the end); this field is not requesting any modification numbers.

      -

      Please note that there may be a lag between the time you have created and approved the task order to the time it is searchable within the electronic.

      -

      A Contracting Officer will likely be the best source for this number.

      -
      Unique Item Identifiers (UII) related to your system(s) if you already have themExample:
      DI 0CVA5786950 OR UN1945326361234786950      		 -

      A Unique Investment Identifier is a unique code that helps the Department of Defense track and report on where and how digital assets are stored and where the budget comes from.

      -

      Not all applications have an existing UII number assigned.

      -

      This identifier can be found in SNaP-IT.

      -
      Program Element (PE) Number related to your requestExample:
      0203752A      		Program Element numbers helps the Department of Defense identify which offices' budgets are contributing towards this resource use.
      Program Treasury CodeExample:
      1200      		The Treasury Code (or Appropriations Code) is a four digit number that identifies resource types.
      Program BA CodeExample:
      02      		The Budget Activity Code (or BA Code) is a two digit number that is the category within each appropriation and fund account used to identify the purposes, applications, or types of activities financed by the appropriation fund.
      -
      -

      *AT-AT will search your Task Order number in available APIs and find other relevant details about your task order automatically. If we are unable to locate your Task Order, you will be asked to manually enter information such as total contract amount, CLIN amounts, and contracting officer information.

      - -
      - -

      ID/IQ CLINs

      - -

      How are the JEDI ID/IQ CLINs structured?

      - -

      We recommend sharing the following details with your contracting personnel to help accelerate the task order creation process.

      -

      The JEDI contract vehicle supports the following types of cloud infrastructure services.

      -

      Your contracting personnel will want to know which services above and contract line item numbers (CLINs) you are interested in procuring and what estimated dollar amounts to use associate. Use the JEDI Cloud Calculator to arrive at a price estimate for each of those.

      - -
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      JEDI Contract Line Item Numbers (CLINs)Services supported
      CLIN 0001 - Unclassified IaaS and PaaS Amount -

      This CLIN covers infrastructure as a service (IaaS) features including the basic building blocks of networking features, computers (virtual or on dedicated hardware), and data storage space.

      -

      It also provides platform as a service (PaaS) features including resource procurement, capacity planning, software maintenance, patching, or any of the other undifferentiated heavy lifting involved in running your application.

      -
      CLIN 0003 - Unclassified Cloud Support PackageThis CLIN covers the basic customer service support package offered including _______
      CLIN 1001 - Unclassified IaaS and PaaS Amount OPTION PERIOD 1 
      CLIN 1003 - Unclassified Cloud Support Package OPTION PERIOD 1 
      CLIN 2001 - Unclassified IaaS and PaaS Amount OPTION PERIOD 2 
      CLIN 2003 - Unclassified Cloud Support Package OPTION PERIOD 2 
      -
      - -
      - -

      JEDI Cloud Applications

      - -

      How are applications organized in the JEDI Cloud?

      - -

      Application Structure for JEDI Cloud

      - -

      Separate your portfolio into applications and environments; this allows your team to manage user access to systems more securely and track expenditures for each application.

      -

      Here’s an example:
      -Application A has a development environment, production environment, and sandbox environment. The cloud resources in the development environment are grouped and accessed separately from the production environment and sandbox environment.

      - -AT-AT FAQs Content - -{% endblock %} diff --git a/templates/help/index.html b/templates/help/index.html deleted file mode 100644 index f34bf4f9..00000000 --- a/templates/help/index.html +++ /dev/null @@ -1,48 +0,0 @@ -{% extends "base_public.html" %} -{% from "components/sidenav_item.html" import SidenavItem %} - -{% block title %}Help | JEDI Cloud{% endblock %} - - -{% block content %} -
      -
      -
      -
      -
        - {{ SidenavItem("JEDI Cloud Help", - href = url_for("atst.helpdocs"), - active = not doc, - )}} - {% for doc_item in docs %} - {% set active = doc and doc == doc_item %} - {{ SidenavItem(doc_item | title, - href = url_for("atst.helpdocs", doc=doc_item), - active = active, - )}} - {% endfor %} -
      -
      -
      -
      -
      -
      -
      -

      - {% if doc %} -
      JEDI Cloud Help Documentation
      -
      {{ doc | title }}
      - {% else %} -
      JEDI Cloud Help Documentation - {% endif %} -

      -
      -
      - {% block doc_content %} -

      Welcome to the JEDI Cloud help documentation.

      - {% endblock %} -
      -
      -
      -
      -{% endblock %} diff --git a/templates/navigation/topbar.html b/templates/navigation/topbar.html index f48f04ea..005ef6d6 100644 --- a/templates/navigation/topbar.html +++ b/templates/navigation/topbar.html @@ -14,7 +14,7 @@ {{ Icon('user', classes='topbar__link-icon') }} {{ g.current_user.first_name + " " + g.current_user.last_name }} - + {{ Icon('question', classes='topbar__link-icon') }} Support diff --git a/terraform/README.md b/terraform/README.md index 40460cb9..ec0fbdeb 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -281,3 +281,4 @@ secrets-tool secrets --keyvault https://ops-jedidev-keyvault.vault.azure.net/ cr `terraform apply` +*[Configure AD for MFA](https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-mfa)* \ No newline at end of file diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf index 13231685..e2f91f58 100644 --- a/terraform/modules/bucket/main.tf +++ b/terraform/modules/bucket/main.tf @@ -11,6 +11,20 @@ resource "azurerm_storage_account" "bucket" { account_replication_type = "LRS" } +resource "azurerm_storage_account_network_rules" "acls" { + resource_group_name = azurerm_resource_group.bucket.name + storage_account_name = azurerm_storage_account.bucket.name + + default_action = var.policy + + # Azure Storage CIDR ACLs do not accept /32 CIDR ranges. + ip_rules = [ + for cidr in values(var.whitelist) : cidr + ] + virtual_network_subnet_ids = var.subnet_ids + bypass = ["AzureServices"] +} + resource "azurerm_storage_container" "bucket" { name = "content" storage_account_name = azurerm_storage_account.bucket.name diff --git a/terraform/modules/bucket/variables.tf b/terraform/modules/bucket/variables.tf index 6278355e..82367ed7 100644 --- a/terraform/modules/bucket/variables.tf +++ b/terraform/modules/bucket/variables.tf @@ -29,3 +29,20 @@ variable "service_name" { description = "Name of the service using this bucket" type = string } + +variable "subnet_ids" { + description = "List of subnet_ids that will have access to this service" + type = list +} + +variable "policy" { + description = "The default policy for the network access rules (Allow/Deny)" + default = "Deny" + type = string +} + +variable "whitelist" { + type = map + description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32." + default = {} +} diff --git a/terraform/modules/container_registry/main.tf b/terraform/modules/container_registry/main.tf index a22bacf0..30b2b1cc 100644 --- a/terraform/modules/container_registry/main.tf +++ b/terraform/modules/container_registry/main.tf @@ -1,3 +1,7 @@ +locals { + whitelist = values(var.whitelist) +} + resource "azurerm_resource_group" "acr" { name = "${var.name}-${var.environment}-acr" location = var.region @@ -10,4 +14,30 @@ resource "azurerm_container_registry" "acr" { sku = var.sku admin_enabled = var.admin_enabled #georeplication_locations = [azurerm_resource_group.acr.location, var.backup_region] + + network_rule_set { + default_action = var.policy + + ip_rule = [ + for cidr in values(var.whitelist) : { + action = "Allow" + ip_range = cidr + } + ] + # Dynamic rule should work, but doesn't - See https://github.com/hashicorp/terraform/issues/22340#issuecomment-518779733 + #dynamic "ip_rule" { + # for_each = values(var.whitelist) + # content { + # action = "Allow" + # ip_range = ip_rule.value + # } + #} + + virtual_network = [ + for subnet in var.subnet_ids : { + action = "Allow" + subnet_id = subnet.value + } + ] + } } \ No newline at end of file diff --git a/terraform/modules/container_registry/variables.tf b/terraform/modules/container_registry/variables.tf index 6fe16ad5..48fbb64a 100644 --- a/terraform/modules/container_registry/variables.tf +++ b/terraform/modules/container_registry/variables.tf @@ -35,3 +35,20 @@ variable "admin_enabled" { default = false } + +variable "subnet_ids" { + description = "List of subnet_ids that will have access to this service" + type = list +} + +variable "policy" { + description = "The default policy for the network access rules (Allow/Deny)" + default = "Deny" + type = string +} + +variable "whitelist" { + type = map + description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32." + default = {} +} diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf index ddfb8465..1df84367 100644 --- a/terraform/modules/keyvault/main.tf +++ b/terraform/modules/keyvault/main.tf @@ -13,6 +13,13 @@ resource "azurerm_key_vault" "keyvault" { sku_name = "premium" + network_acls { + default_action = var.policy + bypass = "AzureServices" + virtual_network_subnet_ids = var.subnet_ids + ip_rules = values(var.whitelist) + } + tags = { environment = var.environment owner = var.owner diff --git a/terraform/modules/keyvault/variables.tf b/terraform/modules/keyvault/variables.tf index d2484793..56e7cc13 100644 --- a/terraform/modules/keyvault/variables.tf +++ b/terraform/modules/keyvault/variables.tf @@ -32,3 +32,20 @@ variable "admin_principals" { type = map description = "A list of user principals who need access to manage the keyvault" } + +variable "subnet_ids" { + description = "List of subnet_ids that will have access to this service" + type = list +} + +variable "policy" { + description = "The default policy for the network access rules (Allow/Deny)" + default = "Deny" + type = string +} + +variable "whitelist" { + type = map + description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32." + default = {} +} \ No newline at end of file diff --git a/terraform/modules/postgres/main.tf b/terraform/modules/postgres/main.tf index 641c4102..c3252264 100644 --- a/terraform/modules/postgres/main.tf +++ b/terraform/modules/postgres/main.tf @@ -37,9 +37,9 @@ resource "azurerm_postgresql_virtual_network_rule" "sql" { } resource "azurerm_postgresql_database" "db" { - name = "${var.environment}-atat" + name = "${var.name}-${var.environment}-atat" resource_group_name = azurerm_resource_group.sql.name server_name = azurerm_postgresql_server.sql.name charset = "UTF8" - collation = "en_US.utf8" + collation = "en-US" } diff --git a/terraform/modules/postgres/variables.tf b/terraform/modules/postgres/variables.tf index 2ee62685..f3366cdb 100644 --- a/terraform/modules/postgres/variables.tf +++ b/terraform/modules/postgres/variables.tf @@ -93,4 +93,3 @@ variable "ssl_enforcement" { description = "Enforce SSL (Enabled/Disable)" default = "Enabled" } - diff --git a/terraform/modules/redis/main.tf b/terraform/modules/redis/main.tf index 90a88a2b..b12bf92d 100644 --- a/terraform/modules/redis/main.tf +++ b/terraform/modules/redis/main.tf @@ -13,6 +13,7 @@ resource "azurerm_redis_cache" "redis" { sku_name = var.sku_name enable_non_ssl_port = var.enable_non_ssl_port minimum_tls_version = var.minimum_tls_version + subnet_id = var.subnet_id redis_configuration { enable_authentication = var.enable_authentication diff --git a/terraform/modules/redis/variables.tf b/terraform/modules/redis/variables.tf index dac8819b..06ddd36d 100644 --- a/terraform/modules/redis/variables.tf +++ b/terraform/modules/redis/variables.tf @@ -22,35 +22,30 @@ variable "capacity" { type = string default = 2 description = "The capacity of the redis cache" - } variable "family" { type = string default = "C" description = "The subscription family for redis" - } variable "sku_name" { type = string default = "Standard" description = "The sku to use" - } variable "enable_non_ssl_port" { type = bool default = false description = "Enable non TLS port (default: false)" - } variable "minimum_tls_version" { type = string default = "1.2" description = "Minimum TLS version to use" - } variable "enable_authentication" { @@ -58,3 +53,8 @@ variable "enable_authentication" { default = true description = "Enable or disable authentication (default: true)" } + +variable "subnet_id" { + type = string + description = "Subnet ID that the service_endpoint should reside" +} diff --git a/terraform/modules/vpc/main.tf b/terraform/modules/vpc/main.tf index dbbe4bfa..d0ea9a2a 100644 --- a/terraform/modules/vpc/main.tf +++ b/terraform/modules/vpc/main.tf @@ -39,6 +39,8 @@ resource "azurerm_subnet" "subnet" { lifecycle { ignore_changes = [route_table_id] } + + service_endpoints = split(",", var.service_endpoints[each.key]) #delegation { # name = "acctestdelegation" # @@ -108,7 +110,7 @@ resource "azurerm_virtual_network_gateway" "vnet_gateway" { } vpn_client_configuration { - address_space = ["172.16.1.0/24"] + address_space = var.vpn_client_cidr vpn_client_protocols = ["OpenVPN"] } } \ No newline at end of file diff --git a/terraform/modules/vpc/outputs.tf b/terraform/modules/vpc/outputs.tf index eedaab6c..baa32935 100644 --- a/terraform/modules/vpc/outputs.tf +++ b/terraform/modules/vpc/outputs.tf @@ -1,3 +1,9 @@ output "subnets" { - value = azurerm_subnet.subnet["private"].id #FIXME - output should be a map + value = azurerm_subnet.subnet["private"].id #FIXED: this is now legacy, use subnet_list } + +output "subnet_list" { + value = { + for k, id in azurerm_subnet.subnet : k => id + } +} \ No newline at end of file diff --git a/terraform/modules/vpc/variables.tf b/terraform/modules/vpc/variables.tf index 9f331534..aae7ef45 100644 --- a/terraform/modules/vpc/variables.tf +++ b/terraform/modules/vpc/variables.tf @@ -46,3 +46,15 @@ variable "gateway_subnet" { type = string description = "The Subnet CIDR that we'll use for the virtual_network_gateway 'GatewaySubnet'" } + +variable "service_endpoints" { + type = map + description = "A map of the service endpoints and its mapping to subnets" + +} + +variable "vpn_client_cidr" { + type = list + description = "The CIDR range used for clients on the VPN" + default = ["172.16.0.0/16"] +} diff --git a/terraform/providers/dev/buckets.tf b/terraform/providers/dev/buckets.tf index d58987fc..36510f3e 100644 --- a/terraform/providers/dev/buckets.tf +++ b/terraform/providers/dev/buckets.tf @@ -1,3 +1,5 @@ +# Task order bucket is required to be accessible publicly by the users. +# which is why the policy here is "Allow" module "task_order_bucket" { source = "../../modules/bucket" service_name = "jeditasksatat" @@ -5,8 +7,15 @@ module "task_order_bucket" { name = var.name environment = var.environment region = var.region + policy = "Allow" + subnet_ids = [module.vpc.subnets] + whitelist = var.storage_admin_whitelist } +# TF State should be restricted to admins only, but IP protected +# This has to be public due to a chicken/egg issue of VPN not +# existing until TF is run. If this bucket is private, you would +# not be able to access it when running TF without being on a VPN. module "tf_state" { source = "../../modules/bucket" service_name = "jedidevtfstate" @@ -14,4 +23,7 @@ module "tf_state" { name = var.name environment = var.environment region = var.region + policy = "Deny" + subnet_ids = [] + whitelist = var.storage_admin_whitelist } diff --git a/terraform/providers/dev/container_registry.tf b/terraform/providers/dev/container_registry.tf index 0bbf0901..805ef3e8 100644 --- a/terraform/providers/dev/container_registry.tf +++ b/terraform/providers/dev/container_registry.tf @@ -5,4 +5,7 @@ module "container_registry" { environment = var.environment owner = var.owner backup_region = var.backup_region + policy = "Deny" + subnet_ids = [] + whitelist = var.admin_user_whitelist } diff --git a/terraform/providers/dev/keyvault.tf b/terraform/providers/dev/keyvault.tf index 75f7b13d..4d35fa0f 100644 --- a/terraform/providers/dev/keyvault.tf +++ b/terraform/providers/dev/keyvault.tf @@ -7,5 +7,8 @@ module "keyvault" { tenant_id = var.tenant_id principal_id = "f9bcbe58-8b73-4957-aee2-133dc3e58063" admin_principals = var.admin_users + policy = "Deny" + subnet_ids = [module.vpc.subnets] + whitelist = var.admin_user_whitelist } diff --git a/terraform/providers/dev/redis.tf b/terraform/providers/dev/redis.tf index bfe47a84..8c89dc92 100644 --- a/terraform/providers/dev/redis.tf +++ b/terraform/providers/dev/redis.tf @@ -4,4 +4,7 @@ module "redis" { environment = var.environment region = var.region name = var.name + subnet_id = module.vpc.subnet_list["redis"].id + sku_name = "Premium" + family = "P" } diff --git a/terraform/providers/dev/secrets.tf b/terraform/providers/dev/secrets.tf index bccdcf50..7a67205e 100644 --- a/terraform/providers/dev/secrets.tf +++ b/terraform/providers/dev/secrets.tf @@ -7,4 +7,7 @@ module "operator_keyvault" { tenant_id = var.tenant_id principal_id = "" admin_principals = var.admin_users + policy = "Deny" + subnet_ids = [module.vpc.subnets] + whitelist = var.admin_user_whitelist } diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf index 32ba5688..b13c0d57 100644 --- a/terraform/providers/dev/variables.tf +++ b/terraform/providers/dev/variables.tf @@ -32,7 +32,17 @@ variable "networks" { #format #name = "CIDR, route table, Security Group Name" public = "10.1.1.0/24,public" # LBs - private = "10.1.2.0/24,private" # k8s, postgres, redis, dns, ad + private = "10.1.2.0/24,private" # k8s, postgres, keyvault + redis = "10.1.3.0/24,private" # Redis + } +} + +variable "service_endpoints" { + type = map + default = { + public = "Microsoft.ContainerRegistry" # Not necessary but added to avoid infinite state loop + private = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql" + redis = "Microsoft.Storage,Microsoft.Sql" # FIXME: There is no Microsoft.Redis } } @@ -48,6 +58,7 @@ variable "route_tables" { default = { public = "Internet" private = "Internet" + redis = "VnetLocal" #private = "VnetLocal" } } @@ -79,3 +90,26 @@ variable "admin_users" { "Dan Corrigan" = "7e852ceb-eb0d-49b1-b71e-e9dcd1082ffc" } } + +variable "admin_user_whitelist" { + type = map + default = { + "Rob Gil" = "66.220.238.246/32" + "Dan Corrigan Work" = "108.16.207.173/32" + "Dan Corrigan Home" = "71.162.221.27/32" + } +} + +variable "storage_admin_whitelist" { + type = map + default = { + "Rob Gil" = "66.220.238.246" + "Dan Corrigan Work" = "108.16.207.173" + "Dan Corrigan Home" = "71.162.221.27" + } +} + +variable "vpn_client_cidr" { + type = list + default = ["172.16.255.0/24"] +} diff --git a/terraform/providers/dev/vpc.tf b/terraform/providers/dev/vpc.tf index b7fac8ae..8d43a82f 100644 --- a/terraform/providers/dev/vpc.tf +++ b/terraform/providers/dev/vpc.tf @@ -1,13 +1,15 @@ module "vpc" { - source = "../../modules/vpc/" - environment = var.environment - region = var.region - virtual_network = var.virtual_network - networks = var.networks - gateway_subnet = var.gateway_subnet - route_tables = var.route_tables - owner = var.owner - name = var.name - dns_servers = var.dns_servers + source = "../../modules/vpc/" + environment = var.environment + region = var.region + virtual_network = var.virtual_network + networks = var.networks + gateway_subnet = var.gateway_subnet + route_tables = var.route_tables + owner = var.owner + name = var.name + dns_servers = var.dns_servers + service_endpoints = var.service_endpoints + vpn_client_cidr = var.vpn_client_cidr } diff --git a/tests/domain/cloud/test_azure_csp.py b/tests/domain/cloud/test_azure_csp.py index cc6beb5b..0648ec1e 100644 --- a/tests/domain/cloud/test_azure_csp.py +++ b/tests/domain/cloud/test_azure_csp.py @@ -1,22 +1,35 @@ -import pytest from unittest.mock import Mock - from uuid import uuid4 +from tests.factories import ApplicationFactory, EnvironmentFactory +from tests.mock_azure import AUTH_CREDENTIALS, mock_azure + from atst.domain.csp.cloud import AzureCloudProvider +from atst.domain.csp.cloud.models import ( + BillingInstructionCSPPayload, + BillingInstructionCSPResult, + BillingProfileCreationCSPPayload, + BillingProfileCreationCSPResult, + BillingProfileTenantAccessCSPPayload, + BillingProfileTenantAccessCSPResult, + BillingProfileVerificationCSPPayload, + BillingProfileVerificationCSPResult, + TaskOrderBillingCreationCSPPayload, + TaskOrderBillingCreationCSPResult, + TaskOrderBillingVerificationCSPPayload, + TaskOrderBillingVerificationCSPResult, + TenantCSPPayload, + TenantCSPResult, +) -from tests.mock_azure import mock_azure, AUTH_CREDENTIALS -from tests.factories import EnvironmentFactory, ApplicationFactory +creds = { + "home_tenant_id": "tenant_id", + "client_id": "client_id", + "secret_key": "secret_key", +} +BILLING_ACCOUNT_NAME = "52865e4c-52e8-5a6c-da6b-c58f0814f06f:7ea5de9d-b8ce-4901-b1c5-d864320c7b03_2019-05-31" -# TODO: Directly test create subscription, provide all args √ -# TODO: Test create environment (create management group with parent) -# TODO: Test create application (create manageemnt group with parent) -# Create reusable mock for mocking the management group calls for multiple services -# - - -@pytest.mark.skip() def test_create_subscription_succeeds(mock_azure: AzureCloudProvider): environment = EnvironmentFactory.create() @@ -51,14 +64,12 @@ def test_create_subscription_succeeds(mock_azure: AzureCloudProvider): assert result == subscription_id -@pytest.mark.skip() def mock_management_group_create(mock_azure, spec_dict): mock_azure.sdk.managementgroups.ManagementGroupsAPI.return_value.management_groups.create_or_update.return_value.result.return_value = Mock( **spec_dict ) -@pytest.mark.skip() def test_create_environment_succeeds(mock_azure: AzureCloudProvider): environment = EnvironmentFactory.create() @@ -71,7 +82,6 @@ def test_create_environment_succeeds(mock_azure: AzureCloudProvider): assert result.id == "Test Id" -@pytest.mark.skip() def test_create_application_succeeds(mock_azure: AzureCloudProvider): application = ApplicationFactory.create() @@ -82,7 +92,6 @@ def test_create_application_succeeds(mock_azure: AzureCloudProvider): assert result.id == "Test Id" -@pytest.mark.skip() def test_create_atat_admin_user_succeeds(mock_azure: AzureCloudProvider): environment_id = str(uuid4()) @@ -97,7 +106,6 @@ def test_create_atat_admin_user_succeeds(mock_azure: AzureCloudProvider): assert result.get("csp_user_id") == csp_user_id -@pytest.mark.skip() def test_create_policy_definition_succeeds(mock_azure: AzureCloudProvider): subscription_id = str(uuid4()) management_group_id = str(uuid4()) @@ -121,3 +129,287 @@ def test_create_policy_definition_succeeds(mock_azure: AzureCloudProvider): policy_definition_name=properties.get("displayName"), parameters=mock_policy_definition, ) + + +def test_create_tenant(mock_azure: AzureCloudProvider): + mock_azure.sdk.adal.AuthenticationContext.return_value.context.acquire_token_with_client_credentials.return_value = { + "accessToken": "TOKEN" + } + + mock_result = Mock() + mock_result.json.return_value = { + "objectId": "0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d", + "tenantId": "60ff9d34-82bf-4f21-b565-308ef0533435", + "userId": "1153801116406515559", + } + mock_result.status_code = 200 + mock_azure.sdk.requests.post.return_value = mock_result + payload = TenantCSPPayload( + **dict( + creds=creds, + user_id="admin", + password="JediJan13$coot", # pragma: allowlist secret + domain_name="jediccpospawnedtenant2", + first_name="Tedry", + last_name="Tenet", + country_code="US", + password_recovery_email_address="thomas@promptworks.com", + ) + ) + result = mock_azure.create_tenant(payload) + body: TenantCSPResult = result.get("body") + assert body.tenant_id == "60ff9d34-82bf-4f21-b565-308ef0533435" + + +def test_create_billing_profile_creation(mock_azure: AzureCloudProvider): + mock_azure.sdk.adal.AuthenticationContext.return_value.context.acquire_token_with_client_credentials.return_value = { + "accessToken": "TOKEN" + } + + mock_result = Mock() + mock_result.headers = { + "Location": "http://retry-url", + "Retry-After": "10", + } + mock_result.status_code = 202 + mock_azure.sdk.requests.post.return_value = mock_result + payload = BillingProfileCreationCSPPayload( + **dict( + address=dict( + address_line_1="123 S Broad Street, Suite 2400", + company_name="Promptworks", + city="Philadelphia", + region="PA", + country="US", + postal_code="19109", + ), + creds=creds, + tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435", + billing_profile_display_name="Test Billing Profile", + billing_account_name=BILLING_ACCOUNT_NAME, + ) + ) + result = mock_azure.create_billing_profile_creation(payload) + body: BillingProfileCreationCSPResult = result.get("body") + assert body.billing_profile_retry_after == 10 + + +def test_validate_billing_profile_creation(mock_azure: AzureCloudProvider): + mock_azure.sdk.adal.AuthenticationContext.return_value.context.acquire_token_with_client_credentials.return_value = { + "accessToken": "TOKEN" + } + + mock_result = Mock() + mock_result.status_code = 200 + mock_result.json.return_value = { + "id": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB", + "name": "KQWI-W2SU-BG7-TGB", + "properties": { + "address": { + "addressLine1": "123 S Broad Street, Suite 2400", + "city": "Philadelphia", + "companyName": "Promptworks", + "country": "US", + "postalCode": "19109", + "region": "PA", + }, + "currency": "USD", + "displayName": "First Portfolio Billing Profile", + "enabledAzurePlans": [], + "hasReadAccess": True, + "invoiceDay": 5, + "invoiceEmailOptIn": False, + "invoiceSections": [ + { + "id": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB/invoiceSections/6HMZ-2HLO-PJA-TGB", + "name": "6HMZ-2HLO-PJA-TGB", + "properties": {"displayName": "First Portfolio Billing Profile"}, + "type": "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections", + } + ], + }, + "type": "Microsoft.Billing/billingAccounts/billingProfiles", + } + mock_azure.sdk.requests.get.return_value = mock_result + + payload = BillingProfileVerificationCSPPayload( + **dict( + creds=creds, + billing_profile_verify_url="https://management.azure.com/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/operationResults/createBillingProfile_478d5706-71f9-4a8b-8d4e-2cbaca27a668?api-version=2019-10-01-preview", + ) + ) + + result = mock_azure.create_billing_profile_verification(payload) + body: BillingProfileVerificationCSPResult = result.get("body") + assert body.billing_profile_name == "KQWI-W2SU-BG7-TGB" + assert ( + body.billing_profile_properties.billing_profile_display_name + == "First Portfolio Billing Profile" + ) + + +def test_create_billing_profile_tenant_access(mock_azure: AzureCloudProvider): + mock_azure.sdk.adal.AuthenticationContext.return_value.context.acquire_token_with_client_credentials.return_value = { + "accessToken": "TOKEN" + } + + mock_result = Mock() + mock_result.status_code = 201 + mock_result.json.return_value = { + "id": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB/billingRoleAssignments/40000000-aaaa-bbbb-cccc-100000000000_0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d", + "name": "40000000-aaaa-bbbb-cccc-100000000000_0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d", + "properties": { + "createdOn": "2020-01-14T14:39:26.3342192+00:00", + "createdByPrincipalId": "82e2b376-3297-4096-8743-ed65b3be0b03", + "principalId": "0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d", + "principalTenantId": "60ff9d34-82bf-4f21-b565-308ef0533435", + "roleDefinitionId": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB/billingRoleDefinitions/40000000-aaaa-bbbb-cccc-100000000000", + "scope": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB", + }, + "type": "Microsoft.Billing/billingRoleAssignments", + } + + mock_azure.sdk.requests.post.return_value = mock_result + + payload = BillingProfileTenantAccessCSPPayload( + **dict( + creds=creds, + tenant_id="60ff9d34-82bf-4f21-b565-308ef0533435", + user_object_id="0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d", + billing_account_name="7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31", + billing_profile_name="KQWI-W2SU-BG7-TGB", + ) + ) + + result = mock_azure.create_billing_profile_tenant_access(payload) + body: BillingProfileTenantAccessCSPResult = result.get("body") + assert ( + body.billing_role_assignment_name + == "40000000-aaaa-bbbb-cccc-100000000000_0a5f4926-e3ee-4f47-a6e3-8b0a30a40e3d" + ) + + +def test_create_task_order_billing_creation(mock_azure: AzureCloudProvider): + mock_azure.sdk.adal.AuthenticationContext.return_value.context.acquire_token_with_client_credentials.return_value = { + "accessToken": "TOKEN" + } + + mock_result = Mock() + mock_result.status_code = 202 + mock_result.headers = { + "Location": "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/operationResults/patchBillingProfile_KQWI-W2SU-BG7-TGB:02715576-4118-466c-bca7-b1cd3169ff46?api-version=2019-10-01-preview", + "Retry-After": "10", + } + + mock_azure.sdk.requests.patch.return_value = mock_result + + payload = TaskOrderBillingCreationCSPPayload( + **dict( + creds=creds, + billing_account_name="7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31", + billing_profile_name="KQWI-W2SU-BG7-TGB", + ) + ) + + result = mock_azure.create_task_order_billing_creation(payload) + body: TaskOrderBillingCreationCSPResult = result.get("body") + assert ( + body.task_order_billing_verify_url + == "https://management.azure.com/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/operationResults/patchBillingProfile_KQWI-W2SU-BG7-TGB:02715576-4118-466c-bca7-b1cd3169ff46?api-version=2019-10-01-preview" + ) + + +def test_create_task_order_billing_verification(mock_azure): + mock_azure.sdk.adal.AuthenticationContext.return_value.context.acquire_token_with_client_credentials.return_value = { + "accessToken": "TOKEN" + } + + mock_result = Mock() + mock_result.status_code = 200 + mock_result.json.return_value = { + "id": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB", + "name": "KQWI-W2SU-BG7-TGB", + "properties": { + "address": { + "addressLine1": "123 S Broad Street, Suite 2400", + "city": "Philadelphia", + "companyName": "Promptworks", + "country": "US", + "postalCode": "19109", + "region": "PA", + }, + "currency": "USD", + "displayName": "Test Billing Profile", + "enabledAzurePlans": [ + { + "productId": "DZH318Z0BPS6", + "skuId": "0001", + "skuDescription": "Microsoft Azure Plan", + } + ], + "hasReadAccess": True, + "invoiceDay": 5, + "invoiceEmailOptIn": False, + "invoiceSections": [ + { + "id": "/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/billingProfiles/KQWI-W2SU-BG7-TGB/invoiceSections/CHCO-BAAR-PJA-TGB", + "name": "CHCO-BAAR-PJA-TGB", + "properties": {"displayName": "Test Billing Profile"}, + "type": "Microsoft.Billing/billingAccounts/billingProfiles/invoiceSections", + } + ], + }, + "type": "Microsoft.Billing/billingAccounts/billingProfiles", + } + mock_azure.sdk.requests.get.return_value = mock_result + + payload = TaskOrderBillingVerificationCSPPayload( + **dict( + creds=creds, + task_order_billing_verify_url="https://management.azure.com/providers/Microsoft.Billing/billingAccounts/7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31/operationResults/createBillingProfile_478d5706-71f9-4a8b-8d4e-2cbaca27a668?api-version=2019-10-01-preview", + ) + ) + + result = mock_azure.create_task_order_billing_verification(payload) + body: TaskOrderBillingVerificationCSPResult = result.get("body") + assert body.billing_profile_name == "KQWI-W2SU-BG7-TGB" + assert ( + body.billing_profile_enabled_plan_details.enabled_azure_plans[0].get("skuId") + == "0001" + ) + + +def test_create_billing_instruction(mock_azure: AzureCloudProvider): + mock_azure.sdk.adal.AuthenticationContext.return_value.context.acquire_token_with_client_credentials.return_value = { + "accessToken": "TOKEN" + } + + mock_result = Mock() + mock_result.status_code = 200 + mock_result.json.return_value = { + "name": "TO1:CLIN001", + "properties": { + "amount": 1000.0, + "endDate": "2020-03-01T00:00:00+00:00", + "startDate": "2020-01-01T00:00:00+00:00", + }, + "type": "Microsoft.Billing/billingAccounts/billingProfiles/billingInstructions", + } + + mock_azure.sdk.requests.put.return_value = mock_result + + payload = BillingInstructionCSPPayload( + **dict( + creds=creds, + initial_clin_amount=1000.00, + initial_clin_start_date="2020/1/1", + initial_clin_end_date="2020/3/1", + initial_clin_type="1", + initial_task_order_id="TO1", + billing_account_name="7c89b735-b22b-55c0-ab5a-c624843e8bf6:de4416ce-acc6-44b1-8122-c87c4e903c91_2019-05-31", + billing_profile_name="KQWI-W2SU-BG7-TGB", + ) + ) + result = mock_azure.create_billing_instruction(payload) + body: BillingInstructionCSPResult = result.get("body") + assert body.reported_clin_name == "TO1:CLIN001" diff --git a/tests/domain/cloud/test_policy.py b/tests/domain/cloud/test_policy.py index c0189262..18f0a7ab 100644 --- a/tests/domain/cloud/test_policy.py +++ b/tests/domain/cloud/test_policy.py @@ -1,4 +1,4 @@ -from atst.domain.csp.policy import AzurePolicyManager, AzurePolicy +from atst.domain.csp.cloud.policy import AzurePolicyManager, AzurePolicy def test_portfolio_definitions(): diff --git a/tests/domain/test_auth.py b/tests/domain/test_auth.py new file mode 100644 index 00000000..a4002d5c --- /dev/null +++ b/tests/domain/test_auth.py @@ -0,0 +1,29 @@ +from flask import make_response, session + +from atst.domain.auth import logout + + +def _write_session(app): + response = make_response("") + app.session_interface.save_session(app, session, response) + return session + + +def test_logout_destroys_session(app): + session = _write_session(app) + key = app.config.get("SESSION_KEY_PREFIX") + session.sid + assert app.redis.get(key) + logout() + assert app.redis.get(key) is None + + +def test_logout_logs_dod_id_for_current_user(monkeypatch, mock_logger): + dod_id = "3434343434" + monkeypatch.setattr("atst.domain.auth._current_dod_id", lambda: dod_id) + logout() + assert dod_id in mock_logger.messages[-1] + + +def test_logout_logs_message_for_unathenticated_user(mock_logger): + logout() + assert "unauthenticated" in mock_logger.messages[-1] diff --git a/tests/domain/test_portfolio_state_machine.py b/tests/domain/test_portfolio_state_machine.py index 0aa90867..2e412653 100644 --- a/tests/domain/test_portfolio_state_machine.py +++ b/tests/domain/test_portfolio_state_machine.py @@ -1,16 +1,24 @@ import pytest +import re +from unittest import mock from tests.factories import ( - PortfolioFactory, PortfolioStateMachineFactory, + CLINFactory, ) -from atst.models import FSMStates +from atst.models import FSMStates, PortfolioStateMachine, TaskOrder +from atst.models.mixins.state_machines import AzureStages, StageStates, compose_state +from atst.models.portfolio import Portfolio +from atst.models.portfolio_state_machine import get_stage_csp_class + +# TODO: Write failure case tests @pytest.fixture(scope="function") def portfolio(): - portfolio = PortfolioFactory.create() + # TODO: setup clin/to as active/funded/ready + portfolio = CLINFactory.create().task_order.portfolio return portfolio @@ -19,18 +27,132 @@ def test_fsm_creation(portfolio): assert sm.portfolio -def test_fsm_transition_start(portfolio): +def test_state_machine_trigger_next_transition(portfolio): sm = PortfolioStateMachineFactory.create(portfolio=portfolio) + + sm.trigger_next_transition() + assert sm.current_state == FSMStates.STARTING + + sm.trigger_next_transition() + assert sm.current_state == FSMStates.STARTED + + +def test_state_machine_compose_state(portfolio): + PortfolioStateMachineFactory.create(portfolio=portfolio) + assert ( + compose_state(AzureStages.TENANT, StageStates.CREATED) + == FSMStates.TENANT_CREATED + ) + + +def test_state_machine_valid_data_classes_for_stages(portfolio): + PortfolioStateMachineFactory.create(portfolio=portfolio) + for stage in AzureStages: + assert get_stage_csp_class(stage.name.lower(), "payload") is not None + assert get_stage_csp_class(stage.name.lower(), "result") is not None + + +def test_state_machine_initialization(portfolio): + + sm = PortfolioStateMachineFactory.create(portfolio=portfolio) + for stage in AzureStages: + + # check that all stages have a 'create' and 'fail' triggers + stage_name = stage.name.lower() + for trigger_prefix in ["create", "fail"]: + assert hasattr(sm, trigger_prefix + "_" + stage_name) + + # check that machine + in_progress_triggers = sm.machine.get_triggers(stage.name + "_IN_PROGRESS") + assert [ + "reset", + "fail", + "finish_" + stage_name, + "fail_" + stage_name, + ] == in_progress_triggers + + started_triggers = sm.machine.get_triggers("STARTED") + create_trigger = next( + filter( + lambda trigger: trigger.startswith("create_"), + sm.machine.get_triggers(FSMStates.STARTED.name), + ), + None, + ) + assert ["reset", "fail", create_trigger] == started_triggers + + +@mock.patch("atst.domain.csp.cloud.MockCloudProvider") +def test_fsm_transition_start(mock_cloud_provider, portfolio: Portfolio): + mock_cloud_provider._authorize.return_value = None + mock_cloud_provider._maybe_raise.return_value = None + sm: PortfolioStateMachine = PortfolioStateMachineFactory.create(portfolio=portfolio) assert sm.portfolio assert sm.state == FSMStates.UNSTARTED - # next_state does not create the trigger callbacks !!! - # sm.next_state() - sm.init() assert sm.state == FSMStates.STARTING sm.start() assert sm.state == FSMStates.STARTED - sm.create_tenant(a=1, b=2) - assert sm.state == FSMStates.TENANT_CREATED + + expected_states = [ + FSMStates.TENANT_CREATED, + FSMStates.BILLING_PROFILE_CREATION_CREATED, + FSMStates.BILLING_PROFILE_VERIFICATION_CREATED, + FSMStates.BILLING_PROFILE_TENANT_ACCESS_CREATED, + FSMStates.TASK_ORDER_BILLING_CREATION_CREATED, + FSMStates.TASK_ORDER_BILLING_VERIFICATION_CREATED, + FSMStates.BILLING_INSTRUCTION_CREATED, + ] + + # Should source all creds for portfolio? might be easier to manage than per-step specific ones + creds = {"username": "mock-cloud", "password": "shh"} # pragma: allowlist secret + if portfolio.csp_data is not None: + csp_data = portfolio.csp_data + else: + csp_data = {} + + ppoc = portfolio.owner + user_id = f"{ppoc.first_name[0]}{ppoc.last_name}".lower() + domain_name = re.sub("[^0-9a-zA-Z]+", "", portfolio.name).lower() + + initial_task_order: TaskOrder = portfolio.task_orders[0] + initial_clin = initial_task_order.sorted_clins[0] + + portfolio_data = { + "user_id": user_id, + "password": "jklfsdNCVD83nklds2#202", # pragma: allowlist secret + "domain_name": domain_name, + "first_name": ppoc.first_name, + "last_name": ppoc.last_name, + "country_code": "US", + "password_recovery_email_address": ppoc.email, + "address": { # TODO: TBD if we're sourcing this from data or config + "company_name": "", + "address_line_1": "", + "city": "", + "region": "", + "country": "", + "postal_code": "", + }, + "billing_profile_display_name": "My Billing Profile", + "initial_clin_amount": initial_clin.obligated_amount, + "initial_clin_start_date": initial_clin.start_date.strftime("%Y/%m/%d"), + "initial_clin_end_date": initial_clin.end_date.strftime("%Y/%m/%d"), + "initial_clin_type": initial_clin.number, + "initial_task_order_id": initial_task_order.number, + } + + config = {"billing_account_name": "billing_account_name"} + + for expected_state in expected_states: + collected_data = dict( + list(csp_data.items()) + list(portfolio_data.items()) + list(config.items()) + ) + sm.trigger_next_transition(creds=creds, csp_data=collected_data) + assert sm.state == expected_state + if portfolio.csp_data is not None: + csp_data = portfolio.csp_data + else: + csp_data = {} diff --git a/tests/forms/test_application_member.py b/tests/forms/test_application_member.py index 180c6949..b84bf800 100644 --- a/tests/forms/test_application_member.py +++ b/tests/forms/test_application_member.py @@ -43,10 +43,8 @@ def test_update_member_form(): form_data = { "perms_team_mgmt": True, "perms_env_mgmt": False, - "perms_del_env": False, } form = UpdateMemberForm(data=form_data) assert form.validate() assert form.perms_team_mgmt.data assert not form.perms_env_mgmt.data - assert not form.perms_del_env.data diff --git a/tests/mock_azure.py b/tests/mock_azure.py index 417e69fb..7fa67667 100644 --- a/tests/mock_azure.py +++ b/tests/mock_azure.py @@ -8,6 +8,7 @@ AZURE_CONFIG = { "AZURE_SECRET_KEY": "MOCK", "AZURE_TENANT_ID": "MOCK", "AZURE_POLICY_LOCATION": "policies", + "AZURE_VAULT_URL": "http://vault", } AUTH_CREDENTIALS = { @@ -53,16 +54,38 @@ def mock_policy(): return Mock(spec=policy) +def mock_adal(): + import adal + + return Mock(spec=adal) + + +def mock_requests(): + import requests + + return Mock(spec=requests) + + +def mock_secrets(): + from azure.keyvault import secrets + + return Mock(spec=secrets) + + class MockAzureSDK(object): def __init__(self): from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD self.subscription = mock_subscription() self.authorization = mock_authorization() + self.policy = mock_policy() + self.adal = mock_adal() self.managementgroups = mock_managementgroups() self.graphrbac = mock_graphrbac() self.credentials = mock_credentials() self.policy = mock_policy() + self.secrets = mock_secrets() + self.requests = mock_requests() # may change to a JEDI cloud self.cloud = AZURE_PUBLIC_CLOUD diff --git a/tests/routes/applications/test_new.py b/tests/routes/applications/test_new.py index f3f54c44..75f62f74 100644 --- a/tests/routes/applications/test_new.py +++ b/tests/routes/applications/test_new.py @@ -160,7 +160,6 @@ def test_post_new_member(monkeypatch, client, user_session, session): "environment_roles-1-environment_name": env_1.name, "perms_env_mgmt": True, "perms_team_mgmt": True, - "perms_del_env": True, }, ) @@ -208,7 +207,6 @@ def test_post_update_member(client, user_session): "environment_roles-1-environment_name": env_1.name, "perms_env_mgmt": True, "perms_team_mgmt": True, - "perms_del_env": True, }, ) diff --git a/tests/routes/applications/test_settings.py b/tests/routes/applications/test_settings.py index d990f6ad..8f2595f2 100644 --- a/tests/routes/applications/test_settings.py +++ b/tests/routes/applications/test_settings.py @@ -12,7 +12,7 @@ from atst.domain.application_roles import ApplicationRoles from atst.domain.environment_roles import EnvironmentRoles from atst.domain.invitations import ApplicationInvitations from atst.domain.common import Paginator -from atst.domain.csp.cloud import GeneralCSPException +from atst.domain.csp.cloud.exceptions import GeneralCSPException from atst.domain.permission_sets import PermissionSets from atst.models.application_role import Status as ApplicationRoleStatus from atst.models.environment_role import CSPRole, EnvironmentRole @@ -206,7 +206,6 @@ def test_get_members_data(app, client, user_session): assert member["permission_sets"] == { "perms_team_mgmt": False, "perms_env_mgmt": False, - "perms_del_env": False, } assert member["environment_roles"] == [ { @@ -409,7 +408,6 @@ def test_create_member(monkeypatch, client, user_session, session): "environment_roles-1-environment_name": env_1.name, "perms_env_mgmt": True, "perms_team_mgmt": True, - "perms_del_env": True, }, ) @@ -538,7 +536,6 @@ def test_update_member(client, user_session, session): "environment_roles-2-environment_name": env_2.name, "perms_env_mgmt": True, "perms_team_mgmt": True, - "perms_del_env": True, }, ) @@ -558,9 +555,6 @@ def test_update_member(client, user_session, session): assert bool( app_role.has_permission_set(PermissionSets.EDIT_APPLICATION_ENVIRONMENTS) ) - assert bool( - app_role.has_permission_set(PermissionSets.DELETE_APPLICATION_ENVIRONMENTS) - ) environment_roles = application.roles[0].environment_roles # check that the user has roles in the correct envs @@ -702,7 +696,6 @@ def test_handle_create_member(monkeypatch, set_g, session): "environment_roles-1-environment_name": env_1.name, "perms_env_mgmt": True, "perms_team_mgmt": True, - "perms_del_env": True, } ) handle_create_member(application.id, form_data) @@ -739,7 +732,6 @@ def test_handle_update_member_success(set_g): "environment_roles-1-environment_name": env_1.name, "perms_env_mgmt": True, "perms_team_mgmt": True, - "perms_del_env": True, } ) @@ -780,9 +772,45 @@ def test_handle_update_member_with_error(set_g, monkeypatch, mock_logger): "environment_roles-1-environment_name": env_1.name, "perms_env_mgmt": True, "perms_team_mgmt": True, - "perms_del_env": True, } ) handle_update_member(application.id, app_role.id, form_data) assert mock_logger.messages[-1] == exception + + +def test_create_subscription_success(client, user_session): + environment = EnvironmentFactory.create() + + user_session(environment.portfolio.owner) + response = client.post( + url_for("applications.create_subscription", environment_id=environment.id), + ) + + assert response.status_code == 302 + assert response.location == url_for( + "applications.settings", + application_id=environment.application.id, + _external=True, + fragment="application-environments", + _anchor="application-environments", + ) + + +def test_create_subscription_failure(client, user_session, monkeypatch): + environment = EnvironmentFactory.create() + + def _raise_csp_exception(*args, **kwargs): + raise GeneralCSPException("An error occurred.") + + monkeypatch.setattr( + "atst.domain.csp.cloud.MockCloudProvider.create_subscription", + _raise_csp_exception, + ) + + user_session(environment.portfolio.owner) + response = client.post( + url_for("applications.create_subscription", environment_id=environment.id), + ) + + assert response.status_code == 400 diff --git a/tests/test_auth.py b/tests/test_auth.py index f47c8750..8444c14f 100644 --- a/tests/test_auth.py +++ b/tests/test_auth.py @@ -97,25 +97,12 @@ def test_protected_routes_redirect_to_login(client, app): def test_unprotected_routes_set_user_if_logged_in(client, app, user_session): user = UserFactory.create() - resp = client.get(url_for("atst.helpdocs")) + resp = client.get(url_for("atst.about")) assert resp.status_code == 200 assert user.full_name not in resp.data.decode() user_session(user) - resp = client.get(url_for("atst.helpdocs")) - assert resp.status_code == 200 - assert user.full_name in resp.data.decode() - - -def test_unprotected_routes_set_user_if_logged_in(client, app, user_session): - user = UserFactory.create() - - resp = client.get(url_for("atst.helpdocs")) - assert resp.status_code == 200 - assert user.full_name not in resp.data.decode() - - user_session(user) - resp = client.get(url_for("atst.helpdocs")) + resp = client.get(url_for("atst.about")) assert resp.status_code == 200 assert user.full_name in resp.data.decode() diff --git a/translations.yaml b/translations.yaml index f587d8a1..d9615c4d 100644 --- a/translations.yaml +++ b/translations.yaml @@ -46,6 +46,7 @@ common: delete_confirm: "Please type the word {word} to confirm:" dod_id: DoD ID disable: Disable + edit: Edit email: Email lorem: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. name: Name @@ -127,6 +128,12 @@ flash: deleted: title: "{environment_name} deleted" message: The environment "{environment_name}" has been deleted + subscription_failure: + title: Environment subscription error + message: An unexpected problem occurred with your request, please try again. If the problem persists, contact an administrator. + subscription_success: + title: Success! + message: "A subscription has been added to {name} environment" form: errors: title: There were some errors @@ -406,9 +413,13 @@ portfolios: create_new_env_info: Creating an environment gives you access to the Cloud Service Provider. This environment will function within the constraints of the task order, and any costs will be billed against the portfolio. csp_link: Cloud Service Provider Link enter_env_name: "Enter environment name:" + environments: + add_subscription: Add new subscription + blank_slate: This Application has no environments + disabled: ": Access Suspended" environments_heading: Application Environments existing_application_title: "{application_name} Application Settings" - member_count: "{count} members" + member_count: "{count} Members" new_application_title: New Application settings: name_description: Application name and description @@ -448,11 +459,9 @@ portfolios: "False": View Team "True": Edit Team perms_env_mgmt: + "False": View Environments "True": Edit Environments - perms_del_env: - "False": "" - "True": Delete Application roles: ADMIN: Admin BILLING_READ: Billing Read-only