The tenant ID should be hashed and used as the key for the JSON blob of
relevant creds for any given tenant. Azure CSP interface methods that
need to source creds should call the internal `_source_creds` method,
either with a `tenant_id` or no parameters. That method will source the
creds. If a tenant ID is provided, it will source them from the Key
Vault. If not provided, it will return the default creds for the app
registration in the home tenant.
- Fixes LGTM warnings for an unused import and equality comparisons to
None in SQLAlchemy filters.
- Removes part of a unit test asserting that the claimed_until locking
mechanism works correctly. If I recall correctly, this does not work
in unit tests because the test takes place inside a transaction, and
the database provider does evaluate the current time until the
transaction is written.
Having `get_stage_csp_class` in the csp module meant that any file that interacted with that import path would throw an error in a REPL. This will allow importing of the Azure and Mock providers for interactive dev.
Move cloud.py to a module init. Move policy with it. Update related unit tests. Also adds a patch to state machine test to prevent randomness in mock from failing test.
This adds:
- A Celery beat task for enqueuing application creation tasks
- A Celery task for creating the application
- Payload and Response dataclasses for creating management groups
It also does some incidental cleanup.
Adds a method to the Applications domain class that can return a list of
UUIDs for applications that are ready to be provisioned. It requires
that:
- the associated portfolio and state machine have a state of COMPLETED
- the application not have been marked deleted
- the application not have an existing cloud_id
- the application does not have an existing claim on it
To comply with security guidelines, we need to destroy the session when
a user logs out. This means that the session's key in the Redis cache
needs to be deleted. Flask expects to _always_ have a session object. If
the current session object does not exist in the Redis cache, Flask will
reserialize and store it at the end of the request. In order for
session deletion to work, we need to delete the key for the existing
session and then replace the session object with a new, empty one.
This also updates the SessionLimiter class so that the session prefix is
configurable.
- Update the form to use BooleanFields for the permissions and make the
form more similar to the Application Members form
- Use MemberFormTemplate macro in the portfolio settings template
- fix tests affected by the form changes
Before this commit, if a portfolio wasn't present in the spending fixture
data, the reporting screen would be empty -- even if the portfolio had
applications and environments associated with it on the database. Now,
0s appear if an application and / or environment isn't present in the
fixture data.
The implementation here is meant to wrap a library of JSON policy
documents. Policies should be added to directories corresponding to
where they will be defined (portfolio, application, environment).
Functionality for parsing portfolio policy definitions is included. When
the policies need to be defined on a management group, the
AzureCloudProvider can iterate the appropriate tier of the policy
manager and add those definitions.
This adds some initial example policies:
- One for region restrictions
- One for service restrictions
Note that the MS ARM team has said that region restrictions may be
controlled by ARM, so that policy might prove unnecessary. The
parameters list for the service restrictions is stubbed for now, pending
the full list.
I also added an internal method for adding policy definitions to a
management group. This method is agnostic about what tier of management
group the policy is being defined at. It requires that a dictionary
representing the properties section of a valid Azure JSON policy
definition be passed as an argument.
