From 481142a71d63ab15a2263c5d704006027370877b Mon Sep 17 00:00:00 2001 From: Ganeshrockz Date: Tue, 3 Nov 2020 13:49:13 +0530 Subject: [PATCH 1/2] Added no subscription support (#73) * Added no subscription support * Added L0s * added no subcriptions login support * test changes Co-authored-by: Ganesh S Co-authored-by: aksm-ms <58936966+aksm-ms@users.noreply.github.com> --- .../PowerShell/ServicePrinicipalLogin.test.ts | 2 +- .../Utilities/ScriptBuilder.test.ts | 25 +++++++++++++++++++ action.yml | 4 +++ src/PowerShell/ServicePrincipalLogin.ts | 11 ++++++-- src/PowerShell/Utilities/ScriptBuilder.ts | 2 +- src/main.ts | 21 ++++++++++++---- 6 files changed, 56 insertions(+), 9 deletions(-) create mode 100644 __tests__/PowerShell/Utilities/ScriptBuilder.test.ts diff --git a/__tests__/PowerShell/ServicePrinicipalLogin.test.ts b/__tests__/PowerShell/ServicePrinicipalLogin.test.ts index f8fdbb24..ffd59881 100644 --- a/__tests__/PowerShell/ServicePrinicipalLogin.test.ts +++ b/__tests__/PowerShell/ServicePrinicipalLogin.test.ts @@ -5,7 +5,7 @@ jest.mock('../../src/PowerShell/Utilities/PowerShellToolRunner'); let spnlogin: ServicePrincipalLogin; beforeAll(() => { - spnlogin = new ServicePrincipalLogin("servicePrincipalID", "servicePrinicipalkey", "tenantId", "subscriptionId"); + spnlogin = new ServicePrincipalLogin("servicePrincipalID", "servicePrinicipalkey", "tenantId", "subscriptionId", false); }); afterEach(() => { diff --git a/__tests__/PowerShell/Utilities/ScriptBuilder.test.ts b/__tests__/PowerShell/Utilities/ScriptBuilder.test.ts new file mode 100644 index 00000000..291cbd04 --- /dev/null +++ b/__tests__/PowerShell/Utilities/ScriptBuilder.test.ts @@ -0,0 +1,25 @@ +import ScriptBuilder from "../../../src/PowerShell/Utilities/ScriptBuilder"; +import Constants from "../../../src/PowerShell/Constants"; + +describe("Getting AzLogin PS script" , () => { + const scheme = Constants.ServicePrincipal; + let args: any = { + servicePrincipalId: "service-principal-id", + servicePrincipalKey: "service-principal-key", + environment: "environment", + scopeLevel: Constants.Subscription, + subscriptionId: "subId", + allowNoSubscriptionsLogin: true + } + + test("PS script should not set context while passing allowNoSubscriptionsLogin as true", () => { + const loginScript = new ScriptBuilder().getAzPSLoginScript(scheme, "tenant-id", args); + expect(loginScript.includes("Set-AzContext -SubscriptionId")).toBeFalsy(); + }); + + test("PS script should set context while passing allowNoSubscriptionsLogin as false", () => { + args["allowNoSubscriptionsLogin"] = false; + const loginScript = new ScriptBuilder().getAzPSLoginScript(scheme, "tenant-id", args); + expect(loginScript.includes("Set-AzContext -SubscriptionId")).toBeTruthy(); + }); +}); \ No newline at end of file diff --git a/action.yml b/action.yml index c166d10e..e7bd4f63 100644 --- a/action.yml +++ b/action.yml @@ -9,6 +9,10 @@ inputs: description: 'Set this value to true to enable Azure PowerShell Login in addition to Az CLI login' required: false default: false + allow-no-subscriptions: + description: 'Set this value to true to enable support for accessing tenants without subscriptions' + required: false + default: false branding: icon: 'login.svg' color: 'blue' diff --git a/src/PowerShell/ServicePrincipalLogin.ts b/src/PowerShell/ServicePrincipalLogin.ts index 8aa293a4..580bff56 100644 --- a/src/PowerShell/ServicePrincipalLogin.ts +++ b/src/PowerShell/ServicePrincipalLogin.ts @@ -13,12 +13,18 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession { servicePrincipalKey: string; tenantId: string; subscriptionId: string; + allowNoSubscriptionsLogin: boolean; - constructor(servicePrincipalId: string, servicePrincipalKey: string, tenantId: string, subscriptionId: string) { + constructor(servicePrincipalId: string, + servicePrincipalKey: string, + tenantId: string, + subscriptionId: string, + allowNoSubscriptionsLogin: boolean) { this.servicePrincipalId = servicePrincipalId; this.servicePrincipalKey = servicePrincipalKey; this.tenantId = tenantId; this.subscriptionId = subscriptionId; + this.allowNoSubscriptionsLogin = allowNoSubscriptionsLogin; } async initialize() { @@ -42,7 +48,8 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession { servicePrincipalKey: this.servicePrincipalKey, subscriptionId: this.subscriptionId, environment: ServicePrincipalLogin.environment, - scopeLevel: ServicePrincipalLogin.scopeLevel + scopeLevel: ServicePrincipalLogin.scopeLevel, + allowNoSubscriptionsLogin: this.allowNoSubscriptionsLogin } const script: string = new ScriptBuilder().getAzPSLoginScript(ServicePrincipalLogin.scheme, this.tenantId, args); await PowerShellToolRunner.init(); diff --git a/src/PowerShell/Utilities/ScriptBuilder.ts b/src/PowerShell/Utilities/ScriptBuilder.ts index d43060e8..9f383891 100644 --- a/src/PowerShell/Utilities/ScriptBuilder.ts +++ b/src/PowerShell/Utilities/ScriptBuilder.ts @@ -12,7 +12,7 @@ export default class ScriptBuilder { command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \ (New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey.replace("'", "''")}' -AsPlainText -Force))) \ -Environment '${args.environment}' | out-null;`; - if (args.scopeLevel === Constants.Subscription) { + if (args.scopeLevel === Constants.Subscription && !args.allowNoSubscriptionsLogin) { command += `Set-AzContext -SubscriptionId '${args.subscriptionId}' -TenantId '${tenantId}' | out-null;`; } } diff --git a/src/main.ts b/src/main.ts index cd355f0e..572c352c 100644 --- a/src/main.ts +++ b/src/main.ts @@ -30,17 +30,28 @@ async function main() { let tenantId = secrets.getSecret("$.tenantId", false); let subscriptionId = secrets.getSecret("$.subscriptionId", false); const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true"; - if (!servicePrincipalId || !servicePrincipalKey || !tenantId || !subscriptionId) { - throw new Error("Not all values are present in the creds object. Ensure clientId, clientSecret, tenantId and subscriptionId are supplied."); + const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true"; + if (!servicePrincipalId || !servicePrincipalKey || !tenantId) { + throw new Error("Not all values are present in the creds object. Ensure clientId, clientSecret and tenantId are supplied."); } + + if (!subscriptionId && !allowNoSubscriptionsLogin) { + throw new Error("Not all values are present in the creds object. Ensure subscriptionId is supplied."); + } + // Attempting Az cli login - await executeAzCliCommand(`login --service-principal -u "${servicePrincipalId}" -p "${servicePrincipalKey}" --tenant "${tenantId}"`, true); - await executeAzCliCommand(`account set --subscription "${subscriptionId}"`, true); + if (allowNoSubscriptionsLogin) { + await executeAzCliCommand(`login --allow-no-subscriptions --service-principal -u "${servicePrincipalId}" -p "${servicePrincipalKey}" --tenant "${tenantId}"`, true); + } + else { + await executeAzCliCommand(`login --service-principal -u "${servicePrincipalId}" -p "${servicePrincipalKey}" --tenant "${tenantId}"`, true); + await executeAzCliCommand(`account set --subscription "${subscriptionId}"`, true); + } isAzCLISuccess = true; if (enableAzPSSession) { // Attempting Az PS login console.log(`Running Azure PS Login`); - const spnlogin: ServicePrincipalLogin = new ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId); + const spnlogin: ServicePrincipalLogin = new ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId, allowNoSubscriptionsLogin); await spnlogin.initialize(); await spnlogin.login(); } From 3ca410cd24bd40dd27043e27ec31577a85a3c9c2 Mon Sep 17 00:00:00 2001 From: aksm-ms Date: Tue, 3 Nov 2020 14:14:40 +0530 Subject: [PATCH 2/2] adding lib --- lib/PowerShell/ServicePrincipalLogin.js | 6 +- lib/PowerShell/Utilities/ScriptBuilder.js | 2 +- lib/main.js | 187 ++++++++++++---------- 3 files changed, 103 insertions(+), 92 deletions(-) diff --git a/lib/PowerShell/ServicePrincipalLogin.js b/lib/PowerShell/ServicePrincipalLogin.js index 7a4be40b..519b0d2c 100644 --- a/lib/PowerShell/ServicePrincipalLogin.js +++ b/lib/PowerShell/ServicePrincipalLogin.js @@ -25,11 +25,12 @@ const PowerShellToolRunner_1 = __importDefault(require("./Utilities/PowerShellTo const ScriptBuilder_1 = __importDefault(require("./Utilities/ScriptBuilder")); const Constants_1 = __importDefault(require("./Constants")); class ServicePrincipalLogin { - constructor(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId) { + constructor(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId, allowNoSubscriptionsLogin) { this.servicePrincipalId = servicePrincipalId; this.servicePrincipalKey = servicePrincipalKey; this.tenantId = tenantId; this.subscriptionId = subscriptionId; + this.allowNoSubscriptionsLogin = allowNoSubscriptionsLogin; } initialize() { return __awaiter(this, void 0, void 0, function* () { @@ -54,7 +55,8 @@ class ServicePrincipalLogin { servicePrincipalKey: this.servicePrincipalKey, subscriptionId: this.subscriptionId, environment: ServicePrincipalLogin.environment, - scopeLevel: ServicePrincipalLogin.scopeLevel + scopeLevel: ServicePrincipalLogin.scopeLevel, + allowNoSubscriptionsLogin: this.allowNoSubscriptionsLogin }; const script = new ScriptBuilder_1.default().getAzPSLoginScript(ServicePrincipalLogin.scheme, this.tenantId, args); yield PowerShellToolRunner_1.default.init(); diff --git a/lib/PowerShell/Utilities/ScriptBuilder.js b/lib/PowerShell/Utilities/ScriptBuilder.js index 113f8f35..30cb4421 100644 --- a/lib/PowerShell/Utilities/ScriptBuilder.js +++ b/lib/PowerShell/Utilities/ScriptBuilder.js @@ -23,7 +23,7 @@ class ScriptBuilder { command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \ (New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey.replace("'", "''")}' -AsPlainText -Force))) \ -Environment '${args.environment}' | out-null;`; - if (args.scopeLevel === Constants_1.default.Subscription) { + if (args.scopeLevel === Constants_1.default.Subscription && !args.allowNoSubscriptionsLogin) { command += `Set-AzContext -SubscriptionId '${args.subscriptionId}' -TenantId '${tenantId}' | out-null;`; } } diff --git a/lib/main.js b/lib/main.js index 194af6a2..eb708357 100644 --- a/lib/main.js +++ b/lib/main.js @@ -1,89 +1,98 @@ -"use strict"; -var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { - function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } - return new (P || (P = Promise))(function (resolve, reject) { - function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } - function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } - function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } - step((generator = generator.apply(thisArg, _arguments || [])).next()); - }); -}; -var __importStar = (this && this.__importStar) || function (mod) { - if (mod && mod.__esModule) return mod; - var result = {}; - if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; - result["default"] = mod; - return result; -}; -Object.defineProperty(exports, "__esModule", { value: true }); -const core = __importStar(require("@actions/core")); -const exec = __importStar(require("@actions/exec")); -const io = __importStar(require("@actions/io")); -const actions_secret_parser_1 = require("actions-secret-parser"); -const ServicePrincipalLogin_1 = require("./PowerShell/ServicePrincipalLogin"); -var azPath; -var prefix = !!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT}` : ""; -var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT}` : ""; -function main() { - return __awaiter(this, void 0, void 0, function* () { - try { - // Set user agent variable - var isAzCLISuccess = false; - let usrAgentRepo = `${process.env.GITHUB_REPOSITORY}`; - let actionName = 'AzureLogin'; - let userAgentString = (!!prefix ? `${prefix}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`; - let azurePSHostEnv = (!!azPSHostEnv ? `${azPSHostEnv}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`; - core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString); - core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv); - azPath = yield io.which("az", true); - yield executeAzCliCommand("--version"); - let creds = core.getInput('creds', { required: true }); - let secrets = new actions_secret_parser_1.SecretParser(creds, actions_secret_parser_1.FormatType.JSON); - let servicePrincipalId = secrets.getSecret("$.clientId", false); - let servicePrincipalKey = secrets.getSecret("$.clientSecret", true); - let tenantId = secrets.getSecret("$.tenantId", false); - let subscriptionId = secrets.getSecret("$.subscriptionId", false); - const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true"; - if (!servicePrincipalId || !servicePrincipalKey || !tenantId || !subscriptionId) { - throw new Error("Not all values are present in the creds object. Ensure clientId, clientSecret, tenantId and subscriptionId are supplied."); - } - // Attempting Az cli login - yield executeAzCliCommand(`login --service-principal -u "${servicePrincipalId}" -p "${servicePrincipalKey}" --tenant "${tenantId}"`, true); - yield executeAzCliCommand(`account set --subscription "${subscriptionId}"`, true); - isAzCLISuccess = true; - if (enableAzPSSession) { - // Attempting Az PS login - console.log(`Running Azure PS Login`); - const spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId); - yield spnlogin.initialize(); - yield spnlogin.login(); - } - console.log("Login successful."); - } - catch (error) { - if (!isAzCLISuccess) { - core.error("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"); - } - else { - core.error(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`); - } - core.setFailed(error); - } - finally { - // Reset AZURE_HTTP_USER_AGENT - core.exportVariable('AZURE_HTTP_USER_AGENT', prefix); - core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azPSHostEnv); - } - }); -} -function executeAzCliCommand(command, silent) { - return __awaiter(this, void 0, void 0, function* () { - try { - yield exec.exec(`"${azPath}" ${command}`, [], { silent: !!silent }); - } - catch (error) { - throw new Error(error); - } - }); -} -main(); +"use strict"; +var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { + function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } + return new (P || (P = Promise))(function (resolve, reject) { + function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } + function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } + function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } + step((generator = generator.apply(thisArg, _arguments || [])).next()); + }); +}; +var __importStar = (this && this.__importStar) || function (mod) { + if (mod && mod.__esModule) return mod; + var result = {}; + if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k]; + result["default"] = mod; + return result; +}; +Object.defineProperty(exports, "__esModule", { value: true }); +const core = __importStar(require("@actions/core")); +const exec = __importStar(require("@actions/exec")); +const io = __importStar(require("@actions/io")); +const actions_secret_parser_1 = require("actions-secret-parser"); +const ServicePrincipalLogin_1 = require("./PowerShell/ServicePrincipalLogin"); +var azPath; +var prefix = !!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT}` : ""; +var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT}` : ""; +function main() { + return __awaiter(this, void 0, void 0, function* () { + try { + // Set user agent variable + var isAzCLISuccess = false; + let usrAgentRepo = `${process.env.GITHUB_REPOSITORY}`; + let actionName = 'AzureLogin'; + let userAgentString = (!!prefix ? `${prefix}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`; + let azurePSHostEnv = (!!azPSHostEnv ? `${azPSHostEnv}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`; + core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString); + core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv); + azPath = yield io.which("az", true); + yield executeAzCliCommand("--version"); + let creds = core.getInput('creds', { required: true }); + let secrets = new actions_secret_parser_1.SecretParser(creds, actions_secret_parser_1.FormatType.JSON); + let servicePrincipalId = secrets.getSecret("$.clientId", false); + let servicePrincipalKey = secrets.getSecret("$.clientSecret", true); + let tenantId = secrets.getSecret("$.tenantId", false); + let subscriptionId = secrets.getSecret("$.subscriptionId", false); + const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true"; + const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true"; + if (!servicePrincipalId || !servicePrincipalKey || !tenantId) { + throw new Error("Not all values are present in the creds object. Ensure clientId, clientSecret and tenantId are supplied."); + } + if (!subscriptionId && !allowNoSubscriptionsLogin) { + throw new Error("Not all values are present in the creds object. Ensure subscriptionId is supplied."); + } + // Attempting Az cli login + if (allowNoSubscriptionsLogin) { + yield executeAzCliCommand(`login --allow-no-subscriptions --service-principal -u "${servicePrincipalId}" -p "${servicePrincipalKey}" --tenant "${tenantId}"`, true); + } + else { + yield executeAzCliCommand(`login --service-principal -u "${servicePrincipalId}" -p "${servicePrincipalKey}" --tenant "${tenantId}"`, true); + yield executeAzCliCommand(`account set --subscription "${subscriptionId}"`, true); + } + isAzCLISuccess = true; + if (enableAzPSSession) { + // Attempting Az PS login + console.log(`Running Azure PS Login`); + const spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId, allowNoSubscriptionsLogin); + yield spnlogin.initialize(); + yield spnlogin.login(); + } + console.log("Login successful."); + } + catch (error) { + if (!isAzCLISuccess) { + core.error("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"); + } + else { + core.error(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`); + } + core.setFailed(error); + } + finally { + // Reset AZURE_HTTP_USER_AGENT + core.exportVariable('AZURE_HTTP_USER_AGENT', prefix); + core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azPSHostEnv); + } + }); +} +function executeAzCliCommand(command, silent) { + return __awaiter(this, void 0, void 0, function* () { + try { + yield exec.exec(`"${azPath}" ${command}`, [], { silent: !!silent }); + } + catch (error) { + throw new Error(error); + } + }); +} +main();