From 79db0db3f6dfd01357419752b41207790ac0ab59 Mon Sep 17 00:00:00 2001 From: Josiah Vinson <88204686+jovinson-ms@users.noreply.github.com> Date: Tue, 19 Oct 2021 16:50:49 -0700 Subject: [PATCH] Using verified tenantId to fix AAD breaking change (#1125) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Using verified tenantId to fix AAD breaking change (#1125) Co-authored-by: Josiah Vinson Co-authored-by: Karthik Balasubramanian 👍 --- build/add-aad-test-environment.yml | 2 +- build/ci-variables.yml | 2 ++ build/cleanup.yml | 2 +- build/deploy.yml | 2 +- build/pr-variables.yml | 2 ++ build/run-e2e-tests.yml | 4 ++-- .../Private/SharedModuleFunctions.ps1 | 10 ++++++---- .../Public/Add-AadTestAuthEnvironment.ps1 | 9 ++++++--- .../Public/Remove-AadTestAuthEnvironment.ps1 | 11 +++++++---- .../New-DicomServerApiApplicationRegistration.ps1 | 14 +++++++------- 10 files changed, 35 insertions(+), 23 deletions(-) diff --git a/build/add-aad-test-environment.yml b/build/add-aad-test-environment.yml index e31cae5131..e22140a5d6 100644 --- a/build/add-aad-test-environment.yml +++ b/build/add-aad-test-environment.yml @@ -50,4 +50,4 @@ steps: Import-Module $(System.DefaultWorkingDirectory)/samples/scripts/PowerShell/DicomServer.psd1 Import-Module $(System.DefaultWorkingDirectory)/release/scripts/PowerShell/DicomServerRelease/DicomServerRelease.psd1 - $output = Add-AadTestAuthEnvironment -TestAuthEnvironmentPath $(System.DefaultWorkingDirectory)/testauthenvironment.json -EnvironmentName $(deploymentName) -TenantAdminCredential $adminCredential -EnvironmentLocation $(resourceGroupRegion) + $output = Add-AadTestAuthEnvironment -TestAuthEnvironmentPath $(System.DefaultWorkingDirectory)/testauthenvironment.json -EnvironmentName $(deploymentName) -TenantAdminCredential $adminCredential -EnvironmentLocation $(resourceGroupRegion) -TenantIdDomain $tenantId 
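Review bot: `$tenantId` on the added line is not assigned anywhere in this hunk, and its name suggests a tenant GUID, whereas the new `-TenantIdDomain` parameter expects a verified domain such as `*.onmicrosoft.com` that Get-ServiceAudience splices directly into the application identifier URI. If the variable does carry the GUID, the resulting audience would be `https://<deploymentName>.<guid>`, which does not meet the verified-domain requirement this change is meant to satisfy and would only surface as a failed registration lookup. The earlier lines of this script step sit outside the hunk, so please confirm where `$tenantId` is populated, and consider naming it `$tenantDomain` so the value and the parameter agree; the same variable is passed in the cleanup.yml hunk.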
diff --git a/build/ci-variables.yml b/build/ci-variables.yml index a08f2a2214..af95199b70 100644 --- a/build/ci-variables.yml +++ b/build/ci-variables.yml @@ -1,6 +1,8 @@ variables: deploymentName: 'dcm-ci-permanent' testEnvironmentUrl: 'https://$(deploymentName).azurewebsites.net/' + testApplicationScope: 'https://$(deploymentName).resoluteopensource.onmicrosoft.com/.default' + testApplicationResource: 'https://$(deploymentName).resoluteopensource.onmicrosoft.com' resourceGroupName: $(deploymentName) resourceGroupRegion: 'southcentralus' appServicePlanResourceGroup: 'msh-dicom-pr' diff --git a/build/cleanup.yml b/build/cleanup.yml index a2dcb9d047..f4c909e777 100644 --- a/build/cleanup.yml +++ b/build/cleanup.yml @@ -65,4 +65,4 @@ jobs: Import-Module $(System.DefaultWorkingDirectory)/samples/scripts/PowerShell/DicomServer.psd1 Import-Module $(System.DefaultWorkingDirectory)/release/scripts/PowerShell/DicomServerRelease/DicomServerRelease.psd1 - Remove-AadTestAuthEnvironment -TestAuthEnvironmentPath $(System.DefaultWorkingDirectory)/testauthenvironment.json -EnvironmentName $(deploymentName) + Remove-AadTestAuthEnvironment -TestAuthEnvironmentPath $(System.DefaultWorkingDirectory)/testauthenvironment.json -EnvironmentName $(deploymentName) -TenantIdDomain $tenantId diff --git a/build/deploy.yml b/build/deploy.yml index ceb8ec64d5..3452172d42 100644 --- a/build/deploy.yml +++ b/build/deploy.yml 
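Review bot: The tenant domain `resoluteopensource.onmicrosoft.com` is hard-coded twice in the ci-variables.yml hunk and twice more in the pr-variables.yml hunk, while the PowerShell side receives the same value separately through `$tenantId` (cleanup.yml hunk here, add-aad-test-environment.yml) and deploy.yml consumes it again as `securityAuthenticationAudience`. Token audience validation needs all of these to agree byte-for-byte, and drift between them would show up only as 401s in the e2e run rather than at deployment time. Consider a single source of truth in each variables file, e.g. `tenantDomain: 'resoluteopensource.onmicrosoft.com'`, `testApplicationResource: 'https://$(deploymentName).$(tenantDomain)'`, `testApplicationScope: '$(testApplicationResource)/.default'`, and feed the scripts from `$(tenantDomain)` as well.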
@@ -38,7 +38,7 @@ jobs: additionalDicomServerConfigProperties = $additionalProperties sqlAdminPassword = "$(-join((((33,35,37,38,42,43,45,46,95) + (48..57) + (65..90) + (97..122) | Get-Random -Count 20) + ((33,35,37,38,42,43,45,46,95) | Get-Random -Count 1) + ((48..57) | Get-Random -Count 1) + ((65..90) | Get-Random -Count 1) + ((97..122) | Get-Random -Count 1) | Get-Random -Count 24) | % {[char]$_}))" securityAuthenticationAuthority = "https://login.microsoftonline.com/$(tenant-id)" - securityAuthenticationAudience = "$(testEnvironmentUrl)" + securityAuthenticationAudience = "$(testApplicationResource)" deployPackage = $false } diff --git a/build/pr-variables.yml b/build/pr-variables.yml index fca72059b2..91a925108a 100644 --- a/build/pr-variables.yml +++ b/build/pr-variables.yml @@ -2,6 +2,8 @@ variables: prNumber: $(system.pullRequest.pullRequestNumber) deploymentName: 'msh-dicom-pr-$(prNumber)' testEnvironmentUrl: 'https://$(deploymentName).azurewebsites.net/' + testApplicationScope: 'https://$(deploymentName).resoluteopensource.onmicrosoft.com/.default' + testApplicationResource: 'https://$(deploymentName).resoluteopensource.onmicrosoft.com' resourceGroupName: $(deploymentName) resourceGroupRegion: 'southcentralus' appServicePlanResourceGroup: 'msh-dicom-pr' diff --git a/build/run-e2e-tests.yml b/build/run-e2e-tests.yml index b805003908..01c32b89b8 100644 --- a/build/run-e2e-tests.yml +++ b/build/run-e2e-tests.yml @@ -26,8 +26,8 @@ jobs: } Write-Host "##vso[task.setvariable variable=Resource]$(testEnvironmentUrl)" - Write-Host "##vso[task.setvariable variable=security_scope]$(testEnvironmentUrl)" - Write-Host "##vso[task.setvariable variable=security_resource]$(testEnvironmentUrl)" + Write-Host "##vso[task.setvariable variable=security_scope]$(testApplicationScope)" + Write-Host "##vso[task.setvariable variable=security_resource]$(testApplicationResource)" Write-Host "##vso[task.setvariable variable=security_enabled]$true" dotnet dev-certs https 
diff --git a/release/scripts/PowerShell/DicomServerRelease/Private/SharedModuleFunctions.ps1 b/release/scripts/PowerShell/DicomServerRelease/Private/SharedModuleFunctions.ps1 index 9b0dfb0ddd..43d402a7bd 100644 --- a/release/scripts/PowerShell/DicomServerRelease/Private/SharedModuleFunctions.ps1 +++ b/release/scripts/PowerShell/DicomServerRelease/Private/SharedModuleFunctions.ps1 @@ -50,14 +50,16 @@ function Get-ServiceAudience { param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] - [string]$EnvironmentName, + [string]$ServiceName, [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] - [string]$WebAppSuffix + [string]$TenantIdDomain ) - - return "https://$EnvironmentName.$WebAppSuffix/" + # AppId Uri in single tenant applications will require use of default scheme or verified domains + # It needs to be in one of the many formats mentioned in https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes + # We use the format https://. + return "https://$ServiceName.$TenantIdDomain" } function Get-UserId { diff --git a/release/scripts/PowerShell/DicomServerRelease/Public/Add-AadTestAuthEnvironment.ps1 b/release/scripts/PowerShell/DicomServerRelease/Public/Add-AadTestAuthEnvironment.ps1 index 26dfaa0e53..fa51f76f7c 100644 --- a/release/scripts/PowerShell/DicomServerRelease/Public/Add-AadTestAuthEnvironment.ps1 +++ b/release/scripts/PowerShell/DicomServerRelease/Public/Add-AadTestAuthEnvironment.ps1 @@ -9,6 +9,8 @@ function Add-AadTestAuthEnvironment { Environment name used for the test environment. This is used throughout for making names unique. .PARAMETER TenantAdminCredential Credentials for a tenant admin user. Needed to grant admin consent to client apps. + .PARAMETER TenantIdDomain + TenantId domain ("*.onmicrosoft.com") used for creating service audience while creating AAD application. #> param ( 
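Review bot: The third comment line added to Get-ServiceAudience reads `# We use the format https://.` — the placeholders appear to have been lost (most likely angle brackets stripped during rendering), so the comment no longer states the format it is meant to document; suggest `# We use the format https://<ServiceName>.<TenantIdDomain> (no trailing slash).` The rewrite also silently drops the trailing slash the old return value carried; since this string is presumably compared byte-for-byte during JWT audience validation and the pipeline's testApplicationResource has no slash, the new form is consistent, but that should be said in the comment because every registration created under the old `https://<name>.azurewebsites.net/` form is now invisible to Get-AzureAdApplicationByIdentifierUri. The new comment-based help for `-TenantIdDomain` in the Add-AadTestAuthEnvironment hunk on this line could likewise say that the domain must be one verified in the tenant, which is the actual constraint behind the linked breaking-change document.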
@@ -27,8 +29,9 @@ function Add-AadTestAuthEnvironment { [ValidateNotNull()] [pscredential]$TenantAdminCredential, - [Parameter(Mandatory = $false )] - [String]$WebAppSuffix = "azurewebsites.net", + [Parameter(Mandatory = $true )] + [ValidateNotNullOrEmpty()] + [String]$TenantIdDomain, [Parameter(Mandatory = $false)] [string]$ResourceGroupName = $EnvironmentName, @@ -98,7 +101,7 @@ function Add-AadTestAuthEnvironment { Write-Host "Ensuring API application exists" - $dicomServiceAudience = Get-ServiceAudience -EnvironmentName $EnvironmentName -WebAppSuffix $WebAppSuffix + $dicomServiceAudience = Get-ServiceAudience -ServiceName $EnvironmentName -TenantIdDomain $TenantIdDomain $application = Get-AzureAdApplicationByIdentifierUri $dicomServiceAudience diff --git a/release/scripts/PowerShell/DicomServerRelease/Public/Remove-AadTestAuthEnvironment.ps1 b/release/scripts/PowerShell/DicomServerRelease/Public/Remove-AadTestAuthEnvironment.ps1 index 35ab3005fb..8a7f36259d 100644 --- a/release/scripts/PowerShell/DicomServerRelease/Public/Remove-AadTestAuthEnvironment.ps1 +++ b/release/scripts/PowerShell/DicomServerRelease/Public/Remove-AadTestAuthEnvironment.ps1 @@ -7,6 +7,8 @@ function Remove-AadTestAuthEnvironment { Path for the testauthenvironment.json file .PARAMETER EnvironmentName Environment name used for the test environment. This is used throughout for making names unique. + .PARAMETER TenantIdDomain + TenantId domain ("*.onmicrosoft.com") used for creating service audience while creating AAD application. #> param ( @@ -18,8 +20,9 @@ function Remove-AadTestAuthEnvironment { [ValidateNotNullOrEmpty()] [string]$EnvironmentName, - [Parameter(Mandatory = $false )] - [String]$WebAppSuffix = "azurewebsites.net" + [Parameter(Mandatory = $true )] + [ValidateNotNullOrEmpty()] + [String]$TenantIdDomain ) Set-StrictMode -Version Latest 
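Review bot: `[ValidateNotNullOrEmpty()]` on the new `$TenantIdDomain` parameter does not reject values that carry a scheme, path or trailing slash, yet Get-ServiceAudience splices the value verbatim into the identifier URI as `https://$ServiceName.$TenantIdDomain`, so an input like `https://resoluteopensource.onmicrosoft.com/` would produce a malformed audience that the registration lookup then never matches. A pattern constraint alongside the existing attribute catches this at parameter binding: `[ValidatePattern('^[A-Za-z0-9.-]+$')]`. The same applies to the `$TenantIdDomain` parameter in the Remove-AadTestAuthEnvironment hunk on this line and in New-DicomServerApiApplicationRegistration. Both param blocks continue outside their hunks.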
@@ -36,7 +39,7 @@ function Remove-AadTestAuthEnvironment { $testAuthEnvironment = Get-Content -Raw -Path $TestAuthEnvironmentPath | ConvertFrom-Json - $dicomServiceAudience = Get-ServiceAudience -EnvironmentName $EnvironmentName -WebAppSuffix $WebAppSuffix + $dicomServiceAudience = Get-ServiceAudience -ServiceName $EnvironmentName -TenantIdDomain $TenantIdDomain $application = Get-AzureAdApplicationByIdentifierUri $dicomServiceAudience @@ -64,4 +67,4 @@ function Remove-AadTestAuthEnvironment { Remove-AzureAdApplication -ObjectId $aadClientApplication.ObjectId | Out-Null } } -} \ No newline at end of file +} diff --git a/samples/scripts/PowerShell/Identity/New-DicomServerApiApplicationRegistration.ps1 b/samples/scripts/PowerShell/Identity/New-DicomServerApiApplicationRegistration.ps1 index 9bbca95d0b..fe4c849b3a 100644 --- a/samples/scripts/PowerShell/Identity/New-DicomServerApiApplicationRegistration.ps1 +++ b/samples/scripts/PowerShell/Identity/New-DicomServerApiApplicationRegistration.ps1 
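Review bot: Remove-AadTestAuthEnvironment now looks up the API application only under the new `https://<EnvironmentName>.<TenantIdDomain>` identifier, so any test environment registered before this change (under `https://<name>.azurewebsites.net/`) will not be found by the cleanup job, and its application registration, along with any client secrets it may carry, stays behind in the tenant. What happens when `$application` is null is decided by lines outside this hunk; if it is not already handled, consider emitting a warning that no application matched rather than proceeding silently, and running a one-off cleanup of the legacy registrations before the `WebAppSuffix` form is retired.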
@@ -8,14 +8,13 @@ function New-DicomServerApiApplicationRegistration { .EXAMPLE New-DicomServerApiApplicationRegistration -DicomServiceName "mydicomservice" -AppRoles admin,nurse .EXAMPLE - New-DicomServerApiApplicationRegistration -DicomServiceAudience "https://mydicomservice.azurewebsites.net" -AppRoles admin,nurse + New-DicomServerApiApplicationRegistration -DicomServiceAudience "https://mydicomservice.resoluteopensource.onmicrosoft.com" -AppRoles admin,nurse .PARAMETER DicomServiceName Name of the Dicom service instance. .PARAMETER DicomServiceAudience Full URL of the Dicom service. - .PARAMETER WebAppSuffix - Will be appended to Dicom service name to form the DicomServiceAudience if one is not supplied, - e.g., azurewebsites.net or azurewebsites.us (for US Government cloud) + .PARAMETER TenantIdDomain + TenantId domain ("*.onmicrosoft.com") used for creating service audience while creating AAD application. .PARAMETER AppRoles Names of AppRoles to be defined in the AAD Application registration #> @@ -29,8 +28,9 @@ function New-DicomServerApiApplicationRegistration { [ValidateNotNullOrEmpty()] [string]$DicomServiceAudience, - [Parameter(Mandatory = $false, ParameterSetName = 'ByDicomServiceName' )] - [String]$WebAppSuffix = "azurewebsites.net", + [Parameter(Mandatory = $true, ParameterSetName = 'ByDicomServiceName' )] + [ValidateNotNullOrEmpty()] + [String]$TenantIdDomain, [Parameter(Mandatory = $false)] [String[]]$AppRoles = "admin" @@ -47,7 +47,7 @@ function New-DicomServerApiApplicationRegistration { } if ([string]::IsNullOrEmpty($DicomServiceAudience)) { - $DicomServiceAudience = "https://$DicomServiceName.$WebAppSuffix" + $DicomServiceAudience = Get-ServiceAudience -ServiceName $DicomServiceName -TenantIdDomain $TenantIdDomain } $desiredAppRoles = @()
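Review bot: The first `.EXAMPLE` kept as context in this hunk, `New-DicomServerApiApplicationRegistration -DicomServiceName "mydicomservice" -AppRoles admin,nurse`, no longer runs as written because `-TenantIdDomain` is now mandatory in the `ByDicomServiceName` parameter set; update it to `New-DicomServerApiApplicationRegistration -DicomServiceName "mydicomservice" -TenantIdDomain "resoluteopensource.onmicrosoft.com" -AppRoles admin,nurse`. Separately, the last hunk makes this sample script call `Get-ServiceAudience`, which this patch defines under `release/scripts/PowerShell/DicomServerRelease/Private/`; unless the DicomServer module under `samples/` ships its own copy, private functions of another module are not visible and the `ByDicomServiceName` path will fail at runtime with an unrecognized-command error, so please confirm how the sample module resolves it. The function body continues outside the hunk.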