This method is added to the Azure cloud interface. We need to set the
AAD user's alternate email, which is a subsequent PATCH call to the API.
These two calls are handled with a single interface method and payload
because ATAT would never create a user without an associated email.
This commit also:
- Expands internal method for getting principal tokens so that it can be
scoped to different resources.
- Retains the tenant domain name in the portfolios.csp_data column
because ATAT needs that information for provisioning users via API.
Like claim_for_update, the claim_many_for_update claims resources with
an expiring lock. This was written to allow the updating of multiple
application roles with a single cloud_id, since multiple application
roles will map to a single Azure Active Directory user.
This adds a query method to return the IDs of the application roles that
should be provisioned as users in Azure. We will provision one Azure
Active Directory user per ATAT user in a portfolio, meaning that one AAD
user might correspond to multiple application roles under a single
portfolio. The query method returns IDs in a nested list grouped by
portfolio and user because of this.
add method for getting app roles that are pending creation
update application_roles query to group by portfolio
check for user existing and role status correct when filtering ApplicationRole for creation
Adds cloud_id and claimed_until columns to the application_roles table
so that rows can be locked when they're being processed and updated with
relevant Azure information when processing is finished. Since the
claimed_until column is now common to a few different models, I've also
moved it to a mixin.
Renames Python classes that refer to Upload to something to FileService.
We added this change because these classes now handle downloading as
well as uploading.
This is a temporary fix to avoid spending too much time trying to use app.config variables in a Form class field descriptions and labels. This is tech debt and should be fixed in the future.
This fixes a bug I introduced with commit
6edc7b138b0745d0b3f9d99da76c445fe954c5a7
The value for SESSION_COOKIE_SECURE was being read in as a truthy string
every time. In order for it to be interpreted correctly, we need to map
it to a boolean.
In order for the cluster app registration to create new load balancers,
it needs to have the Network Contributor role for the virtual network.
In the future, we should create a custom policy scoped to exactly the
permissions the cluster needs, per:
https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#prerequisites
Currently the create call will be consumed by on-demand requests from the frontend, and the 2 stage create will be used by the enviroment management group provisioning to verify an initial subscription was created.
