From dda1c7e0bce656f4acfa652e54ea17f8b47f98f8 Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Thu, 15 Feb 2024 15:16:47 -0500 Subject: [PATCH 01/29] Fix: parse paginated replies for users and groups --- plugins/modules/azure_rm_adgroup_info.py | 18 ++++++++++++------ plugins/modules/azure_rm_aduser_info.py | 16 +++++++++++++--- 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/plugins/modules/azure_rm_adgroup_info.py b/plugins/modules/azure_rm_adgroup_info.py index 0bf9c92f0..8c6996f9c 100644 --- a/plugins/modules/azure_rm_adgroup_info.py +++ b/plugins/modules/azure_rm_adgroup_info.py @@ -311,6 +311,7 @@ async def get_group(self, group_id): return await self._client.groups.by_group_id(group_id).get() async def get_group_list(self, filter=None): + kwargs = {} if filter: request_configuration = GroupsRequestBuilder.GroupsRequestBuilderGetRequestConfiguration( query_parameters=GroupsRequestBuilder.GroupsRequestBuilderGetQueryParameters( @@ -318,12 +319,17 @@ async def get_group_list(self, filter=None): filter=filter, ), ) - groups = await self._client.groups.get(request_configuration=request_configuration) - else: - groups = await self._client.groups.get() - - if groups and groups.value: - return groups.value + kwargs["request_configuration"] = request_configuration + + groups = [] + # paginated response can be quite large + response = await self._client.groups.get(**kwargs) + if response: + groups += response.value + while response is not None and response.odata_next_link is not None: + response = self._client.groups.with_url(response.odata_next_link).get(**kwargs) + if response: + groups += response.value return [] diff --git a/plugins/modules/azure_rm_aduser_info.py b/plugins/modules/azure_rm_aduser_info.py index 5942c241b..27097590a 100644 --- a/plugins/modules/azure_rm_aduser_info.py +++ b/plugins/modules/azure_rm_aduser_info.py @@ -216,8 +216,8 @@ def exec_module(self, **kwargs): users = asyncio.get_event_loop().run_until_complete(self.get_users_by_filter(self.odata_filter)) ad_users = list(users.value) elif self.all: - users = asyncio.get_event_loop().run_until_complete(self.get_users()) - ad_users = list(users.value) + # this returns as a list, since we parse multiple pages + ad_users = asyncio.get_event_loop().run_until_complete(self.get_users()) self.results['ad_users'] = [self.to_dict(user) for user in ad_users] @@ -251,7 +251,17 @@ async def get_users(self): select=["accountEnabled", "displayName", "mail", "mailNickname", "id", "userPrincipalName", "userType"] ), ) - return await self._client.users.get(request_configuration=request_configuration) + users = [] + # paginated response can be quite large + response = await self._client.users.get(request_configuration=request_configuration) + if response: + users += response.value + while response is not None and response.odata_next_link is not None: + response = self._client.users.with_url(response.odata_next_link).get(request_configuration=request_configuration) + if response: + users += response.value + + return users async def get_users_by_filter(self, filter): return await self._client.users.get( From 0725704d06b90f6ca492849832665ecd4530eca8 Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Thu, 15 Feb 2024 15:26:45 -0500 Subject: [PATCH 02/29] Fix: await --- plugins/modules/azure_rm_adgroup_info.py | 2 +- plugins/modules/azure_rm_aduser_info.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/modules/azure_rm_adgroup_info.py b/plugins/modules/azure_rm_adgroup_info.py index 8c6996f9c..8f9571712 100644 --- a/plugins/modules/azure_rm_adgroup_info.py +++ b/plugins/modules/azure_rm_adgroup_info.py @@ -327,7 +327,7 @@ async def get_group_list(self, filter=None): if response: groups += response.value while response is not None and response.odata_next_link is not None: - response = self._client.groups.with_url(response.odata_next_link).get(**kwargs) + response = await self._client.groups.with_url(response.odata_next_link).get(**kwargs) if response: groups += response.value diff --git a/plugins/modules/azure_rm_aduser_info.py b/plugins/modules/azure_rm_aduser_info.py index 27097590a..297653e0e 100644 --- a/plugins/modules/azure_rm_aduser_info.py +++ b/plugins/modules/azure_rm_aduser_info.py @@ -257,7 +257,7 @@ async def get_users(self): if response: users += response.value while response is not None and response.odata_next_link is not None: - response = self._client.users.with_url(response.odata_next_link).get(request_configuration=request_configuration) + response = await self._client.users.with_url(response.odata_next_link).get(request_configuration=request_configuration) if response: users += response.value From d4289c051739b443b2d446776ee7ce45f94bd62f Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Thu, 15 Feb 2024 15:36:49 -0500 Subject: [PATCH 03/29] wrong var return --- plugins/modules/azure_rm_adgroup_info.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/azure_rm_adgroup_info.py b/plugins/modules/azure_rm_adgroup_info.py index 8f9571712..05ff8c1ca 100644 --- a/plugins/modules/azure_rm_adgroup_info.py +++ b/plugins/modules/azure_rm_adgroup_info.py @@ -331,7 +331,7 @@ async def get_group_list(self, filter=None): if response: groups += response.value - return [] + return groups async def get_group_owners(self, group_id): request_configuration = GroupsRequestBuilder.GroupsRequestBuilderGetRequestConfiguration( From e394873dd8a468524735690599bdaea6b0329143 Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Mon, 4 Mar 2024 16:25:54 -0500 Subject: [PATCH 04/29] Fix: optional claims for applications --- plugins/modules/azure_rm_adapplication.py | 178 +++++++++++++++--- .../azure_rm_adapplication/tasks/main.yml | 12 +- 2 files changed, 160 insertions(+), 30 deletions(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index c61b35b59..17ea47e5f 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -146,33 +146,104 @@ optional_claims: description: - Declare the optional claims for the application. - type: list - elements: dict + type: complex suboptions: - name: + access_token: description: - - The name of the optional claim. - type: str - required: True - source: - description: - - The source (directory object) of the claim. - - There are predefined claims and user-defined claims from extension properties. - - If the source value is null, the claim is a predefined optional claim. - - If the source value is user, the value in the name property is the extension property from the user object. - type: str - essential: + - The optional claims returned in the JWT access token + type: list + elements: dict + suboptions: + name: + description: + - The name of the optional claim. + type: str + required: True + source: + description: + - The source (directory object) of the claim. + - There are predefined claims and user-defined claims from extension properties. + - If the source value is null, the claim is a predefined optional claim. + - If the source value is user, the value in the name property is the extension property + from the user object. + type: str + essential: + description: + - If the value is true, the claim specified by the client is necessary to ensure a + smooth authorization experience for the specific task requested by the end user. + - The default value is false. + default: false + type: bool + additional_properties: + description: + - Additional properties of the claim. + - If a property exists in this collection, it modifies the behavior of the optional claim + specified in the name property. + type: str + id_token: description: - - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience - for the specific task requested by the end user. - - The default value is false. - default: false - type: bool - additional_properties: + - The optional claims returned in the JWT ID token + type: list + elements: dict + suboptions: + name: + description: + - The name of the optional claim. + type: str + required: True + source: + description: + - The source (directory object) of the claim. + - There are predefined claims and user-defined claims from extension properties. + - If the source value is null, the claim is a predefined optional claim. + - If the source value is user, the value in the name property is the extension property + from the user object. + type: str + essential: + description: + - If the value is true, the claim specified by the client is necessary to ensure a + smooth authorization experience for the specific task requested by the end user. + - The default value is false. + default: false + type: bool + additional_properties: + description: + - Additional properties of the claim. + - If a property exists in this collection, it modifies the behavior of the optional + claim specified in the name property. + type: str + saml2_token: description: - - Additional properties of the claim. - - If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. - type: str + - The optional claims returned in the SAML token + type: list + elements: dict + suboptions: + name: + description: + - The name of the optional claim. + type: str + required: True + source: + description: + - The source (directory object) of the claim. + - There are predefined claims and user-defined claims from extension properties. + - If the source value is null, the claim is a predefined optional claim. + - If the source value is user, the value in the name property is the extension property + from the user object. + type: str + essential: + description: + - If the value is true, the claim specified by the client is necessary to ensure a smooth + authorization experience for the specific task requested by the end user. + - The default value is false. + default: false + type: bool + additional_properties: + description: + - Additional properties of the claim. + - If a property exists in this collection, it modifies the behavior of the optional + claim specified in the name property. + type: str password: description: - App password, aka 'client secret'. @@ -266,7 +337,7 @@ description: - Current state of the adapplication. type: complex - returned: awalys + returned: always contains: display_name: description: @@ -347,6 +418,8 @@ from msgraph.generated.models.app_role import AppRole from msgraph.generated.models.web_application import WebApplication from msgraph.generated.models.implicit_grant_settings import ImplicitGrantSettings + from msgraph.generated.models.optional_claim import OptionalClaim + from msgraph.generated.models.optional_claims import OptionalClaims except ImportError: # This is handled in azure_rm_common pass @@ -371,7 +444,7 @@ ) ) -optional_claims_spec = dict( +claims_spec = dict( name=dict( type='str', required=True @@ -387,6 +460,14 @@ type='str' ) ) + +optional_claims_spec = dict( + access_token=dict(type='list', elements='dict', options=claims_spec), + id_token=dict(type='list', elements='dict', options=claims_spec), + saml2_token=dict(type='list', elements='dict', options=claims_spec), + type=dict +) + required_resource_accesses_spec = dict( resource_app_id=dict( type='str' @@ -433,7 +514,7 @@ def __init__(self): key_value=dict(type='str', no_log=True), native_app=dict(type='bool'), oauth2_allow_implicit_flow=dict(type='bool'), - optional_claims=dict(type='list', elements='dict', options=optional_claims_spec), + optional_claims=optional_claims_spec, password=dict(type='str', no_log=True), reply_urls=dict(type='list', elements='str'), start_date=dict(type='str'), @@ -507,6 +588,9 @@ def create_resource(self): if self.app_roles: app_roles = self.build_app_roles(self.app_roles) + if self.optional_claims: + optional_claims = self.build_optional_claims(self.optional_claims) + create_app = Application( sign_in_audience=self.sign_in_audience, web=WebApplication( @@ -522,7 +606,7 @@ def create_resource(self): password_credentials=password_creds, required_resource_access=required_accesses, app_roles=app_roles, - optional_claims=self.optional_claims + optional_claims=optional_claims # allow_guests_sign_in=self.allow_guests_sign_in, ) response = asyncio.get_event_loop().run_until_complete(self.create_application(create_app)) @@ -549,6 +633,9 @@ def update_resource(self, old_response): if self.app_roles: app_roles = self.build_app_roles(self.app_roles) + if self.optional_claims: + optional_claims = self.build_optional_claims(self.optional_claims) + app_update_param = Application( sign_in_audience=self.sign_in_audience, web=WebApplication( @@ -565,7 +652,7 @@ def update_resource(self, old_response): required_resource_access=required_accesses, # allow_guests_sign_in=self.allow_guests_sign_in, app_roles=app_roles, - optional_claims=self.optional_claims) + optional_claims=optional_claims) asyncio.get_event_loop().run_until_complete(self.update_application( obj_id=old_response['object_id'], update_app=app_update_param)) @@ -609,6 +696,15 @@ def check_update(self, response): return True return False + def serialize_claims(self, claims): + if claims is None: + return None + return [{ + "additional_properties": claim.additional_properties, + "essential": claim.essential, + "name": claim.name, + "source": claim.source} for claim in claims] + def to_dict(self, object): app_roles = [{ 'id': app_role.id, @@ -617,6 +713,11 @@ def to_dict(self, object): 'value': app_role.value, "description": app_role.description } for app_role in object.app_roles] + optional_claims = { + "access_token": self.serialize_claims(object.optional_claims.access_token), + "id_token": self.serialize_claims(object.optional_claims.id_token), + "saml2_token": self.serialize_claims(object.optional_claims.saml2_token) + } return dict( app_id=object.app_id, object_id=object.id, @@ -627,7 +728,7 @@ def to_dict(self, object): homepage=object.web.home_page_url, identifier_uris=object.identifier_uris, oauth2_allow_implicit_flow=object.web.implicit_grant_settings.enable_access_token_issuance, - optional_claims=object.optional_claims, + optional_claims=optional_claims, # allow_guests_sign_in=object.allow_guests_sign_in, reply_urls=object.web.redirect_uris ) @@ -704,6 +805,25 @@ def build_app_roles(self, app_roles): result.append(role) return result + def build_optional_claims(self, optional_claims): + + def build_claims(claims_dict): + if claims_dict is None: + return None + return [OptionalClaim( + essential=claim.get("essential"), + name=claim.get("name"), + source=claim.get("source"), + additional_properties=claim.get("additional_properties") + ) for claim in claims_dict] + + claims = OptionalClaims( + access_token=build_claims(optional_claims.get("access_token")), + id_token=build_claims(optional_claims.get("id_token")), + saml2_token=build_claims(optional_claims.get("saml2_token")) + ) + return claims + async def create_application(self, creat_app): return await self._client.applications.post(body=creat_app) diff --git a/tests/integration/targets/azure_rm_adapplication/tasks/main.yml b/tests/integration/targets/azure_rm_adapplication/tasks/main.yml index d19e0b8cd..a5f62936c 100644 --- a/tests/integration/targets/azure_rm_adapplication/tasks/main.yml +++ b/tests/integration/targets/azure_rm_adapplication/tasks/main.yml @@ -21,7 +21,7 @@ ansible.builtin.assert: that: not output.changed -- name: Create application with more parameter +- name: Create application with more parameters azure_rm_adapplication: display_name: "{{ display_name }}-01" sign_in_audience: AzureADandPersonalMicrosoftAccount @@ -37,6 +37,16 @@ display_name: "{{ display_name }}_approle" is_enabled: true value: Password@0329 + optional_claims: + access_token: + - name: aud + essential: true + id_token: + - name: aud + essential: true + saml2_token: + - name: aud + essential: true register: second_output - name: Assert secondary resource create success From e0c36129e1d69501a9a7f2521c4b2e7c6dee0b4a Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Tue, 5 Mar 2024 16:43:50 -0500 Subject: [PATCH 05/29] Chore: correct documentation --- plugins/modules/azure_rm_adapplication.py | 122 ++++++++++------------ 1 file changed, 58 insertions(+), 64 deletions(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 17ea47e5f..13873549b 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -333,72 +333,66 @@ ''' RETURN = ''' -output: +display_name: description: - - Current state of the adapplication. - type: complex + - Object's display name or its prefix. + type: str returned: always - contains: - display_name: - description: - - Object's display name or its prefix. - type: str - returned: always - sample: fredAKSCluster - app_id: - description: - - The application ID. - returned: always - type: str - sample: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - object_id: - description: - - Object ID of the application - returned: always - type: str - sample: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - sign_in_audience: - description: - - The application can be used from any Azure AD tenants. - returned: always - type: str - sample: AzureADandPersonalMicrosoftAccount - available_to_other_tenants: - description: - - The application can be used from any Azure AD tenants. - returned: always - type: str - sample: AzureADandPersonalMicrosoftAccount - homepage: - description: - - The url where users can sign in and use your app. - returned: always - type: str - sample: null - identifier_uris: - description: - - Space-separated unique URIs that Azure AD can use for this app. - returned: always - type: list - sample: [] - oauth2_allow_implicit_flow: - description: - - Whether to allow implicit grant flow for OAuth2. - returned: always - type: bool - sample: false - optional_claims: - description: - - The optional claims for the application. - returned: always - type: list - sample: [] - reply_urls: - description: - - Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0 request. - returned: always - type: list - sample: [] + sample: fredAKSCluster +app_id: + description: + - The application ID. + returned: always + type: str + sample: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +object_id: + description: + - Object ID of the application + returned: always + type: str + sample: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +sign_in_audience: + description: + - The application can be used from any Azure AD tenants. + returned: always + type: str + sample: AzureADandPersonalMicrosoftAccount +available_to_other_tenants: + description: + - The application can be used from any Azure AD tenants. + returned: always + type: str + sample: AzureADandPersonalMicrosoftAccount +homepage: + description: + - The url where users can sign in and use your app. + returned: always + type: str + sample: null +identifier_uris: + description: + - Space-separated unique URIs that Azure AD can use for this app. + returned: always + type: list + sample: [] +oauth2_allow_implicit_flow: + description: + - Whether to allow implicit grant flow for OAuth2. + returned: always + type: bool + sample: false +optional_claims: + description: + - The optional claims for the application. + returned: always + type: list + sample: [] +reply_urls: + description: + - Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0 request. + returned: always + type: list + sample: [] ''' from ansible_collections.azure.azcollection.plugins.module_utils.azure_rm_common_ext import AzureRMModuleBaseExt From 85096af9940d7987038095dcb015cb01417578bc Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Wed, 6 Mar 2024 16:46:49 -0500 Subject: [PATCH 06/29] Fix: check for optional_claims being None --- plugins/modules/azure_rm_adapplication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 13873549b..9ba198720 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -711,7 +711,7 @@ def to_dict(self, object): "access_token": self.serialize_claims(object.optional_claims.access_token), "id_token": self.serialize_claims(object.optional_claims.id_token), "saml2_token": self.serialize_claims(object.optional_claims.saml2_token) - } + } if object.optional_claims is not None else object.optional_claims return dict( app_id=object.app_id, object_id=object.id, From a1ec38a3fe6156dfc30bef5d05a037e2023f162b Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Fri, 15 Mar 2024 10:16:34 -0400 Subject: [PATCH 07/29] Address PR feedback --- plugins/module_utils/azure_rm_common.py | 54 ++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 2 deletions(-) diff --git a/plugins/module_utils/azure_rm_common.py b/plugins/module_utils/azure_rm_common.py index 526056108..d91e4e8f4 100644 --- a/plugins/module_utils/azure_rm_common.py +++ b/plugins/module_utils/azure_rm_common.py @@ -6,7 +6,7 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type - +import logging import os import re import types @@ -889,7 +889,57 @@ def get_api_profile(self, client_type_name, api_profile_name): # return client def get_msgraph_client(self): - return GraphServiceClient(self.azure_auth.azure_credential_track2) + + from kiota_http.middleware import BaseMiddleware + import httpx + logger = logging.getLogger(__name__) + logger.addHandler(logging.FileHandler("msgraph.log")) + logger.setLevel(logging.DEBUG) + class DebugHandler(BaseMiddleware): + + async def send( + self, request: httpx.Request, transport: httpx.AsyncBaseTransport + ) -> httpx.Response: + logger.debug("") + logger.debug(f"{request.method} {request.url}") + for key, value in request.headers.items(): + logger.debug(f"{key}: {value}") + if request.content: + logger.debug("") + logger.debug("Request body:") + logger.debug(request.content.decode()) + + response: httpx.Response = await super().send(request, transport) + + logger.debug("") + logger.debug(f"Response: {response.status_code} {response.reason_phrase}") + logger.debug("Response headers:") + for key, value in response.headers.items(): + logger.debug(f"{key}: {value}") + + logger.debug("") + logger.debug("Response body:") + response_content = await response.aread() + logger.debug(f"Response content: {response_content.decode()}") + + return response + + from kiota_authentication_azure.azure_identity_authentication_provider import ( + AzureIdentityAuthenticationProvider + ) + from msgraph import GraphServiceClient, GraphRequestAdapter + from msgraph_core import GraphClientFactory + + _auth_provider = AzureIdentityAuthenticationProvider(self.azure_auth.azure_credential_track2) + + _middleware = GraphClientFactory.get_default_middleware(None) + _middleware.append(DebugHandler()) + _http_client = GraphClientFactory.create_with_custom_middleware( + _middleware + ) + _adapter = GraphRequestAdapter(_auth_provider, _http_client) + + return GraphServiceClient(self.azure_auth.azure_credential_track2, request_adapter=_adapter) def get_mgmt_svc_client(self, client_type, base_url=None, api_version=None, suppress_subscription_id=False): self.log('Getting management service client {0}'.format(client_type.__name__)) From bbe53f62756f863090dd4012d6dadc43677cad3a Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Fri, 15 Mar 2024 10:18:14 -0400 Subject: [PATCH 08/29] Revert "Address PR feedback" This reverts commit a1ec38a3fe6156dfc30bef5d05a037e2023f162b. --- plugins/module_utils/azure_rm_common.py | 54 +------------------------ 1 file changed, 2 insertions(+), 52 deletions(-) diff --git a/plugins/module_utils/azure_rm_common.py b/plugins/module_utils/azure_rm_common.py index d91e4e8f4..526056108 100644 --- a/plugins/module_utils/azure_rm_common.py +++ b/plugins/module_utils/azure_rm_common.py @@ -6,7 +6,7 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type -import logging + import os import re import types @@ -889,57 +889,7 @@ def get_api_profile(self, client_type_name, api_profile_name): # return client def get_msgraph_client(self): - - from kiota_http.middleware import BaseMiddleware - import httpx - logger = logging.getLogger(__name__) - logger.addHandler(logging.FileHandler("msgraph.log")) - logger.setLevel(logging.DEBUG) - class DebugHandler(BaseMiddleware): - - async def send( - self, request: httpx.Request, transport: httpx.AsyncBaseTransport - ) -> httpx.Response: - logger.debug("") - logger.debug(f"{request.method} {request.url}") - for key, value in request.headers.items(): - logger.debug(f"{key}: {value}") - if request.content: - logger.debug("") - logger.debug("Request body:") - logger.debug(request.content.decode()) - - response: httpx.Response = await super().send(request, transport) - - logger.debug("") - logger.debug(f"Response: {response.status_code} {response.reason_phrase}") - logger.debug("Response headers:") - for key, value in response.headers.items(): - logger.debug(f"{key}: {value}") - - logger.debug("") - logger.debug("Response body:") - response_content = await response.aread() - logger.debug(f"Response content: {response_content.decode()}") - - return response - - from kiota_authentication_azure.azure_identity_authentication_provider import ( - AzureIdentityAuthenticationProvider - ) - from msgraph import GraphServiceClient, GraphRequestAdapter - from msgraph_core import GraphClientFactory - - _auth_provider = AzureIdentityAuthenticationProvider(self.azure_auth.azure_credential_track2) - - _middleware = GraphClientFactory.get_default_middleware(None) - _middleware.append(DebugHandler()) - _http_client = GraphClientFactory.create_with_custom_middleware( - _middleware - ) - _adapter = GraphRequestAdapter(_auth_provider, _http_client) - - return GraphServiceClient(self.azure_auth.azure_credential_track2, request_adapter=_adapter) + return GraphServiceClient(self.azure_auth.azure_credential_track2) def get_mgmt_svc_client(self, client_type, base_url=None, api_version=None, suppress_subscription_id=False): self.log('Getting management service client {0}'.format(client_type.__name__)) From 7092c15970b0050c890a6c64fc31e601e089f63e Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Fri, 15 Mar 2024 10:18:29 -0400 Subject: [PATCH 09/29] Address PR feedback --- plugins/modules/azure_rm_adapplication.py | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 9ba198720..7b75b6406 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -146,7 +146,7 @@ optional_claims: description: - Declare the optional claims for the application. - type: complex + type: dict suboptions: access_token: description: @@ -164,8 +164,7 @@ - The source (directory object) of the claim. - There are predefined claims and user-defined claims from extension properties. - If the source value is null, the claim is a predefined optional claim. - - If the source value is user, the value in the name property is the extension property - from the user object. + - If the source value is user, the value in the name property is the extension property from the user object. type: str essential: description: @@ -455,13 +454,6 @@ ) ) -optional_claims_spec = dict( - access_token=dict(type='list', elements='dict', options=claims_spec), - id_token=dict(type='list', elements='dict', options=claims_spec), - saml2_token=dict(type='list', elements='dict', options=claims_spec), - type=dict -) - required_resource_accesses_spec = dict( resource_app_id=dict( type='str' @@ -508,7 +500,11 @@ def __init__(self): key_value=dict(type='str', no_log=True), native_app=dict(type='bool'), oauth2_allow_implicit_flow=dict(type='bool'), - optional_claims=optional_claims_spec, + optional_claims=dict( + access_token=dict(type='list', elements='dict', options=claims_spec), + id_token=dict(type='list', elements='dict', options=claims_spec), + saml2_token=dict(type='list', elements='dict', options=claims_spec), + type=dict), password=dict(type='str', no_log=True), reply_urls=dict(type='list', elements='str'), start_date=dict(type='str'), From bd84d9f63dc4154acb431ab7318543cc7af2abd2 Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Mon, 18 Mar 2024 17:10:16 -0400 Subject: [PATCH 10/29] Fix: line endings --- plugins/modules/azure_rm_adapplication.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 7b75b6406..30710e785 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -169,7 +169,7 @@ essential: description: - If the value is true, the claim specified by the client is necessary to ensure a - smooth authorization experience for the specific task requested by the end user. + - smooth authorization experience for the specific task requested by the end user. - The default value is false. default: false type: bool @@ -177,7 +177,7 @@ description: - Additional properties of the claim. - If a property exists in this collection, it modifies the behavior of the optional claim - specified in the name property. + - specified in the name property. type: str id_token: description: @@ -196,12 +196,12 @@ - There are predefined claims and user-defined claims from extension properties. - If the source value is null, the claim is a predefined optional claim. - If the source value is user, the value in the name property is the extension property - from the user object. + - from the user object. type: str essential: description: - If the value is true, the claim specified by the client is necessary to ensure a - smooth authorization experience for the specific task requested by the end user. + - smooth authorization experience for the specific task requested by the end user. - The default value is false. default: false type: bool @@ -209,7 +209,7 @@ description: - Additional properties of the claim. - If a property exists in this collection, it modifies the behavior of the optional - claim specified in the name property. + - claim specified in the name property. type: str saml2_token: description: @@ -228,12 +228,12 @@ - There are predefined claims and user-defined claims from extension properties. - If the source value is null, the claim is a predefined optional claim. - If the source value is user, the value in the name property is the extension property - from the user object. + - from the user object. type: str essential: description: - If the value is true, the claim specified by the client is necessary to ensure a smooth - authorization experience for the specific task requested by the end user. + - authorization experience for the specific task requested by the end user. - The default value is false. default: false type: bool @@ -241,7 +241,7 @@ description: - Additional properties of the claim. - If a property exists in this collection, it modifies the behavior of the optional - claim specified in the name property. + - claim specified in the name property. type: str password: description: @@ -501,7 +501,7 @@ def __init__(self): native_app=dict(type='bool'), oauth2_allow_implicit_flow=dict(type='bool'), optional_claims=dict( - access_token=dict(type='list', elements='dict', options=claims_spec), + access_token_claims=dict(type='list', elements='dict', options=claims_spec), id_token=dict(type='list', elements='dict', options=claims_spec), saml2_token=dict(type='list', elements='dict', options=claims_spec), type=dict), From 9a89bb0c4a8d2e14a861a1782ad6ee294bc00f26 Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Tue, 19 Mar 2024 09:18:38 -0400 Subject: [PATCH 11/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 30710e785..e3fc72e42 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -504,7 +504,14 @@ def __init__(self): access_token_claims=dict(type='list', elements='dict', options=claims_spec), id_token=dict(type='list', elements='dict', options=claims_spec), saml2_token=dict(type='list', elements='dict', options=claims_spec), - type=dict), + optional_claims=dict( + type=dict, + options=dict( + access_token_claims=dict(type='list', elements='dict', options=claims_spec), + id_token=dict(type='list', elements='dict', options=claims_spec), + saml2_token=dict(type='list', elements='dict', options=claims_spec), + ) + ), password=dict(type='str', no_log=True), reply_urls=dict(type='list', elements='str'), start_date=dict(type='str'), From 766f3b2a3ae2a3e5ea448fa7f3cfc8c4b332e32f Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Tue, 19 Mar 2024 09:23:10 -0400 Subject: [PATCH 12/29] Fix: more doc formatting --- plugins/modules/azure_rm_adapplication.py | 26 ++++++++++------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index e3fc72e42..1cc2a4f9c 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -168,7 +168,7 @@ type: str essential: description: - - If the value is true, the claim specified by the client is necessary to ensure a + - If the value is true, the claim specified by the client is necessary to ensure a - smooth authorization experience for the specific task requested by the end user. - The default value is false. default: false @@ -176,7 +176,7 @@ additional_properties: description: - Additional properties of the claim. - - If a property exists in this collection, it modifies the behavior of the optional claim + - If a property exists in this collection, it modifies the behavior of the optional claim - specified in the name property. type: str id_token: @@ -195,12 +195,12 @@ - The source (directory object) of the claim. - There are predefined claims and user-defined claims from extension properties. - If the source value is null, the claim is a predefined optional claim. - - If the source value is user, the value in the name property is the extension property + - If the source value is user, the value in the name property is the extension property - from the user object. type: str essential: description: - - If the value is true, the claim specified by the client is necessary to ensure a + - If the value is true, the claim specified by the client is necessary to ensure a - smooth authorization experience for the specific task requested by the end user. - The default value is false. default: false @@ -208,7 +208,7 @@ additional_properties: description: - Additional properties of the claim. - - If a property exists in this collection, it modifies the behavior of the optional + - If a property exists in this collection, it modifies the behavior of the optional - claim specified in the name property. type: str saml2_token: @@ -227,12 +227,12 @@ - The source (directory object) of the claim. - There are predefined claims and user-defined claims from extension properties. - If the source value is null, the claim is a predefined optional claim. - - If the source value is user, the value in the name property is the extension property + - If the source value is user, the value in the name property is the extension property - from the user object. type: str essential: description: - - If the value is true, the claim specified by the client is necessary to ensure a smooth + - If the value is true, the claim specified by the client is necessary to ensure a smooth - authorization experience for the specific task requested by the end user. - The default value is false. default: false @@ -240,7 +240,7 @@ additional_properties: description: - Additional properties of the claim. - - If a property exists in this collection, it modifies the behavior of the optional + - If a property exists in this collection, it modifies the behavior of the optional - claim specified in the name property. type: str password: @@ -500,16 +500,12 @@ def __init__(self): key_value=dict(type='str', no_log=True), native_app=dict(type='bool'), oauth2_allow_implicit_flow=dict(type='bool'), - optional_claims=dict( - access_token_claims=dict(type='list', elements='dict', options=claims_spec), - id_token=dict(type='list', elements='dict', options=claims_spec), - saml2_token=dict(type='list', elements='dict', options=claims_spec), optional_claims=dict( type=dict, options=dict( - access_token_claims=dict(type='list', elements='dict', options=claims_spec), - id_token=dict(type='list', elements='dict', options=claims_spec), - saml2_token=dict(type='list', elements='dict', options=claims_spec), + access_token_claims=dict(type='list', elements='dict', options=claims_spec), + id_token=dict(type='list', elements='dict', options=claims_spec), + saml2_token=dict(type='list', elements='dict', options=claims_spec), ) ), password=dict(type='str', no_log=True), From 2ce4fcbb04e3ab9b5468865f53ba013d4192362e Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:09:35 -0400 Subject: [PATCH 13/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 1cc2a4f9c..8bf543097 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -501,7 +501,7 @@ def __init__(self): native_app=dict(type='bool'), oauth2_allow_implicit_flow=dict(type='bool'), optional_claims=dict( - type=dict, + type='dict', options=dict( access_token_claims=dict(type='list', elements='dict', options=claims_spec), id_token=dict(type='list', elements='dict', options=claims_spec), From 040b3b67fe91f66ac783c0f997b98137b7fc8992 Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:10:00 -0400 Subject: [PATCH 14/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 8bf543097..eccd6ba05 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -148,7 +148,7 @@ - Declare the optional claims for the application. type: dict suboptions: - access_token: + access_token_claims : description: - The optional claims returned in the JWT access token type: list From c00bc83f25c110878bf8a12a59a8ad957058b4fa Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:10:11 -0400 Subject: [PATCH 15/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index eccd6ba05..922cb9ebb 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -503,7 +503,7 @@ def __init__(self): optional_claims=dict( type='dict', options=dict( - access_token_claims=dict(type='list', elements='dict', options=claims_spec), + access_token_claims=dict(type='list', elements='dict', no_log=True, options=claims_spec), id_token=dict(type='list', elements='dict', options=claims_spec), saml2_token=dict(type='list', elements='dict', options=claims_spec), ) From 2f99856a86025d265ef371097559efea00379ee7 Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:10:20 -0400 Subject: [PATCH 16/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 922cb9ebb..35bf4a47f 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -504,7 +504,7 @@ def __init__(self): type='dict', options=dict( access_token_claims=dict(type='list', elements='dict', no_log=True, options=claims_spec), - id_token=dict(type='list', elements='dict', options=claims_spec), + id_token=dict(type='list', elements='dict', no_log=True, options=claims_spec), saml2_token=dict(type='list', elements='dict', options=claims_spec), ) ), From 6d60d2584248fe86a5d9a62f0f864ee4a38c7ea2 Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:10:25 -0400 Subject: [PATCH 17/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 35bf4a47f..d0a4c3826 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -505,7 +505,7 @@ def __init__(self): options=dict( access_token_claims=dict(type='list', elements='dict', no_log=True, options=claims_spec), id_token=dict(type='list', elements='dict', no_log=True, options=claims_spec), - saml2_token=dict(type='list', elements='dict', options=claims_spec), + saml2_token=dict(type='list', elements='dict', no_log=True, options=claims_spec), ) ), password=dict(type='str', no_log=True), From 95a3caf55ff855693249b8ba704561ee1fe9b2d5 Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:10:36 -0400 Subject: [PATCH 18/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index d0a4c3826..0780922cd 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -168,7 +168,7 @@ type: str essential: description: - - If the value is true, the claim specified by the client is necessary to ensure a + - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. - smooth authorization experience for the specific task requested by the end user. - The default value is false. default: false From 31ce327bac1ad9702bd96d94f6adaf95cb70952a Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:10:48 -0400 Subject: [PATCH 19/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 0780922cd..c864172c6 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -228,7 +228,6 @@ - There are predefined claims and user-defined claims from extension properties. - If the source value is null, the claim is a predefined optional claim. - If the source value is user, the value in the name property is the extension property - - from the user object. type: str essential: description: From b878315f324a65a9a4782b3468826e0b866cfb18 Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:10:53 -0400 Subject: [PATCH 20/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index c864172c6..c6cac0d34 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -231,7 +231,7 @@ type: str essential: description: - - If the value is true, the claim specified by the client is necessary to ensure a smooth + - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. - authorization experience for the specific task requested by the end user. - The default value is false. default: false From 9a167bdaf2df3d30843ef0a6e3c1aecae6cfb10e Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:10:58 -0400 Subject: [PATCH 21/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index c6cac0d34..88db353b1 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -232,7 +232,6 @@ essential: description: - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. - - authorization experience for the specific task requested by the end user. - The default value is false. default: false type: bool From 30e7d5a53ac4f79ff227bed24c25fd57877a8671 Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:11:02 -0400 Subject: [PATCH 22/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 88db353b1..1778d4e1d 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -238,7 +238,7 @@ additional_properties: description: - Additional properties of the claim. - - If a property exists in this collection, it modifies the behavior of the optional + - If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. - claim specified in the name property. type: str password: From e49c608abbf7ed3dc3672470a4d7a742e4af0ac9 Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:11:06 -0400 Subject: [PATCH 23/29] Update plugins/modules/azure_rm_adapplication.py Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 1778d4e1d..4a4080325 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -239,7 +239,6 @@ description: - Additional properties of the claim. - If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. - - claim specified in the name property. type: str password: description: From f9f3bc394dbb6976acb231363356c1dfe08c76c9 Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Wed, 20 Mar 2024 09:11:41 -0400 Subject: [PATCH 24/29] Apply suggestions from code review Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 4a4080325..aa4d3fbb5 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -169,15 +169,13 @@ essential: description: - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. - - smooth authorization experience for the specific task requested by the end user. - The default value is false. default: false type: bool additional_properties: description: - Additional properties of the claim. - - If a property exists in this collection, it modifies the behavior of the optional claim - - specified in the name property. + - If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. type: str id_token: description: @@ -195,21 +193,18 @@ - The source (directory object) of the claim. - There are predefined claims and user-defined claims from extension properties. - If the source value is null, the claim is a predefined optional claim. - - If the source value is user, the value in the name property is the extension property - - from the user object. + - If the source value is user, the value in the name property is the extension property from the user object. type: str essential: description: - - If the value is true, the claim specified by the client is necessary to ensure a - - smooth authorization experience for the specific task requested by the end user. + - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. - The default value is false. default: false type: bool additional_properties: description: - Additional properties of the claim. - - If a property exists in this collection, it modifies the behavior of the optional - - claim specified in the name property. + - If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. type: str saml2_token: description: @@ -227,7 +222,7 @@ - The source (directory object) of the claim. - There are predefined claims and user-defined claims from extension properties. - If the source value is null, the claim is a predefined optional claim. - - If the source value is user, the value in the name property is the extension property + - If the source value is user, the value in the name property is the extension property rom the user object. type: str essential: description: From c11322f892eb1674e12301829ef060d28a1fdd79 Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Wed, 20 Mar 2024 09:17:01 -0400 Subject: [PATCH 25/29] add `_claims` suffix to all three new parameters --- plugins/modules/azure_rm_adapplication.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index aa4d3fbb5..46c1cb584 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -177,7 +177,7 @@ - Additional properties of the claim. - If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. type: str - id_token: + id_token_claims: description: - The optional claims returned in the JWT ID token type: list @@ -206,7 +206,7 @@ - Additional properties of the claim. - If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. type: str - saml2_token: + saml2_token_claims: description: - The optional claims returned in the SAML token type: list @@ -496,8 +496,8 @@ def __init__(self): type='dict', options=dict( access_token_claims=dict(type='list', elements='dict', no_log=True, options=claims_spec), - id_token=dict(type='list', elements='dict', no_log=True, options=claims_spec), - saml2_token=dict(type='list', elements='dict', no_log=True, options=claims_spec), + id_token_claims=dict(type='list', elements='dict', no_log=True, options=claims_spec), + saml2_token_claims=dict(type='list', elements='dict', no_log=True, options=claims_spec), ) ), password=dict(type='str', no_log=True), From 7669ca06845579cbff60de4a9be99f913549c790 Mon Sep 17 00:00:00 2001 From: Kent McDonough Date: Thu, 21 Mar 2024 09:56:43 -0400 Subject: [PATCH 26/29] Apply suggestions from code review Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/modules/azure_rm_adapplication.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 12ac21715..d761c8ac4 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -168,7 +168,8 @@ type: str essential: description: - - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. + - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience\ + for the specific task requested by the end user. - The default value is false. default: false type: bool @@ -197,7 +198,8 @@ type: str essential: description: - - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. + - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience\ + for the specific task requested by the end user. - The default value is false. default: false type: bool @@ -226,7 +228,8 @@ type: str essential: description: - - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. + - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience\ + for the specific task requested by the end user. - The default value is false. default: false type: bool From 8ff40b3619dc078dafc82da485c933d80bdf41a5 Mon Sep 17 00:00:00 2001 From: Fred-sun Date: Fri, 22 Mar 2024 15:28:38 +0800 Subject: [PATCH 27/29] Add 'optional_claims' to the return value of azure_rm_adapplication --- plugins/modules/azure_rm_adapplication.py | 30 +++++++++++-- .../modules/azure_rm_adapplication_info.py | 44 ++++++++++++++++++- .../azure_rm_adapplication/tasks/main.yml | 10 ++--- 3 files changed, 74 insertions(+), 10 deletions(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 12ac21715..7e7ce98fe 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -430,6 +430,30 @@ returned: always type: list sample: [] +optional_claims: + description: + - Declare the optional claims for the application. + type: complex + returned: always + contains: + access_token_claims : + description: + - The optional claims returned in the JWT access token + type: list + returned: always + sample: ['name': 'aud', 'source': null, 'essential': false, 'additional_properties': []] + id_token_claims: + description: + - The optional claims returned in the JWT ID token + type: list + returned: always + sample: ['name': 'acct', 'source': null, 'essential': false, 'additional_properties': []] + saml2_token_claims: + description: + - The optional claims returned in the SAML token + type: list + returned: always + sample: ['name': 'acct', 'source': null, 'essential': false, 'additional_properties': []] ''' from ansible_collections.azure.azcollection.plugins.module_utils.azure_rm_common_ext import AzureRMModuleBaseExt @@ -861,9 +885,9 @@ def build_claims(claims_dict): ) for claim in claims_dict] claims = OptionalClaims( - access_token=build_claims(optional_claims.get("access_token")), - id_token=build_claims(optional_claims.get("id_token")), - saml2_token=build_claims(optional_claims.get("saml2_token")) + access_token=build_claims(optional_claims.get("access_token_claims")), + id_token=build_claims(optional_claims.get("id_token_claims")), + saml2_token=build_claims(optional_claims.get("saml2_token_claims")) ) return claims diff --git a/plugins/modules/azure_rm_adapplication_info.py b/plugins/modules/azure_rm_adapplication_info.py index 167b82552..e3eb53aac 100644 --- a/plugins/modules/azure_rm_adapplication_info.py +++ b/plugins/modules/azure_rm_adapplication_info.py @@ -129,6 +129,30 @@ returned: always type: list sample: [] + optional_claims: + description: + - Declare the optional claims for the application. + type: complex + returned: always + contains: + access_token_claims : + description: + - The optional claims returned in the JWT access token + type: list + returned: always + sample: ['name': 'aud', 'source': null, 'essential': false, 'additional_properties': []] + id_token_claims: + description: + - The optional claims returned in the JWT ID token + type: list + returned: always + sample: ['name': 'acct', 'source': null, 'essential': false, 'additional_properties': []] + saml2_token_claims: + description: + - The optional claims returned in the SAML token + type: list + returned: always + sample: ['name': 'acct', 'source': null, 'essential': false, 'additional_properties': []] ''' from ansible_collections.azure.azcollection.plugins.module_utils.azure_rm_common_ext import AzureRMModuleBase @@ -191,8 +215,17 @@ def exec_module(self, **kwargs): return self.results + def serialize_claims(self, claims): + if claims is None: + return None + return [{ + "additional_properties": claim.additional_properties, + "essential": claim.essential, + "name": claim.name, + "source": claim.source} for claim in claims] + def to_dict(self, object): - return dict( + response = dict( app_id=object.app_id, object_id=object.id, app_display_name=object.display_name, @@ -201,9 +234,16 @@ def to_dict(self, object): sign_in_audience=object.sign_in_audience, web_reply_urls=object.web.redirect_uris, spa_reply_urls=object.spa.redirect_uris, - public_client_reply_urls=object.public_client.redirect_uris + public_client_reply_urls=object.public_client.redirect_uris, + optional_claims=dict(access_token=[], id_token=[], saml2_token=[]) ) + if object.optional_claims is not None: + response['optional_claims']['id_token'] = self.serialize_claims(object.optional_claims.id_token) + response['optional_claims']['saml2_token'] = self.serialize_claims(object.optional_claims.saml2_token) + response['optional_claims']['access_token'] = self.serialize_claims(object.optional_claims.access_token) + return response + async def get_application(self, obj_id): return await self._client.applications.by_application_id(obj_id).get() diff --git a/tests/integration/targets/azure_rm_adapplication/tasks/main.yml b/tests/integration/targets/azure_rm_adapplication/tasks/main.yml index a5f62936c..86a06c675 100644 --- a/tests/integration/targets/azure_rm_adapplication/tasks/main.yml +++ b/tests/integration/targets/azure_rm_adapplication/tasks/main.yml @@ -38,14 +38,14 @@ is_enabled: true value: Password@0329 optional_claims: - access_token: + access_token_claims: - name: aud essential: true - id_token: - - name: aud + id_token_claims: + - name: acct essential: true - saml2_token: - - name: aud + saml2_token_claims: + - name: acct essential: true register: second_output From a5001c455e8fe7325b32517eefe214ef7e15e43f Mon Sep 17 00:00:00 2001 From: Fred-sun Date: Fri, 22 Mar 2024 15:45:19 +0800 Subject: [PATCH 28/29] Modify 'additional_properties' type to 'list' --- plugins/modules/azure_rm_adapplication.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index 7e7ce98fe..4e7fd58ad 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -176,7 +176,8 @@ description: - Additional properties of the claim. - If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. - type: str + type: list + elements: str id_token_claims: description: - The optional claims returned in the JWT ID token @@ -205,7 +206,8 @@ description: - Additional properties of the claim. - If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. - type: str + type: list + elements: str saml2_token_claims: description: - The optional claims returned in the SAML token @@ -234,7 +236,8 @@ description: - Additional properties of the claim. - If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. - type: str + type: list + elements: str password: description: - App password, aka 'client secret'. @@ -514,7 +517,8 @@ default=False ), additional_properties=dict( - type='str' + type='list', + elements='str' ) ) From ad898495da308f7d729d83bb75d4d29c3a570a8f Mon Sep 17 00:00:00 2001 From: kmcdonough Date: Mon, 25 Mar 2024 11:35:59 -0400 Subject: [PATCH 29/29] remove duplicate keys --- plugins/modules/azure_rm_adapplication.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/plugins/modules/azure_rm_adapplication.py b/plugins/modules/azure_rm_adapplication.py index c6c2d1d0b..33270da27 100644 --- a/plugins/modules/azure_rm_adapplication.py +++ b/plugins/modules/azure_rm_adapplication.py @@ -409,12 +409,6 @@ returned: always type: bool sample: false -optional_claims: - description: - - The optional claims for the application. - returned: always - type: list - sample: [] public_client_reply_urls: description: - The public client redirect urls.