Enable Easy Auth Local Dev

[glennamanns]

Main goal: Enable local development with Easy Auth / Middleware (rebranding in process).

This is based on Easy Auth Linux, and cannot be incorporated into this repo until the EA Linux + Windows merge is complete. However, I'd like to get feedback on it now.

One new command, used two different ways:

1. func auth create-aad --aad-name {AADAppName}
   This one is exclusively for local testing. It creates a new AAD application with localhost:7071 in the reply URLs, a homepage of localhost:7071, and a URI with localhost in the name. The client ID, client secret, and other settings that Easy Auth needs to run locally are saved to a new file local.middleware.json. This file can later be consumed by the Easy Auth webhost.

2. func auth create-aad --aad-name {AADAppName} --app-name {ExistingAzureAppName}
   This is designed to link an existing Function/Site with a new AAD application. It creates a new AAD application, but there is nothing related to localhost in its settings. The settings are the same as if you were to create a new app from the Portal's Easy Auth flow. This command also does not create a new .json file (to avoid writing secrets to disk). The existing Function/Site's authsettings (WEBSITE_AUTH_ENABLED, etc) are updated via an ARM call.

Still to do:

• Easy Auth Linux + Windows merge. Need to inject dependency upon EasyAuth/Middleware Nuget.

[ahmelsayed]

I haven't looked at the full PR yet, but this will be a problem. We only have one code path that depends on dotnet right now (other than .NET development scenarios of course) and we are tracking removing that dependency here #367. Ideally we wouldn't add more dependencies on dotnet for other non-.NET specific scenarios. Any plans to have self-contained builds of that console app?

[glennamanns]

We can certainly make it a priority to have a self-contained build if removing the dotnet dependency is important. I'll look into it.

[fabiocav]

Indeed. The dotnet dependency is something we're actively working on moving away from, so we definitely don't want to deepen that dependency if possible. Worse case, we'd need to position Easy Auth as an optional feature that depends on it, but we'd need to make the message here clearer, perhaps also pointing to a fwlink with details.

Looked over the PR and it does seem like a lot of things are still pending/in flux, would you mind adding a comment when you feel this is ready for review?

[ahmelsayed]

I see you have a couple of TODOs in the code, I also added few more comments. Let me know if you have any questions and ping us again once you're done with your TODOs and ready for a final review. Over all looks like a great addition to the core-tools that people have been asking for for a while now!

[ahmelsayed]

You don't really need this class since it's empty, right? you can just drive from BaseAzureAction if you need the access token, or were you planning on adding some common code here?

[ahmelsayed]

I'm a bit unsure about the use of the cancellationToken here. It doesn't look like you really need it. You can also use the Executable class I have defined to help with this. The usage is fairly straight forward. Check here or here for samples

[ahmelsayed]

maybe call it hostPort for clarity.

[ahmelsayed]

same thing here, I think it'll be clearer if you called them hostListenUri and authListenUri

[ahmelsayed]

You could use the dictionary initialization syntax, it makes it a bit more readable, i.e:

var authSettingsToPublish = new Dictionary<string, string>
{
    { "allowedAudiences", serializedArray },
    { "isAadAutoProvisioned", "True" },
    ...
}

[ahmelsayed]

same thing here regarding the error. If this is an error that you would like to communicate as a cli error, then consider either throwing here, or where you call this like I mentioned in the other comment above

[glennamanns]

I based this on PublishAppSettings / UpdateFunctionAppAppSettings, which modifies /config/AppSettings (mine modifies /config/authsettings). Is there a reason those do not throw?

[ahmelsayed]

You can add this method to StringExtensions.cs

[ahmelsayed]

can you explain a bit what this password is for and what its format is like?

[glennamanns]

This generates an AAD application client secret. An example of what it generates is: "77S2ca0Gwf8mTr7s85ZEqe7dcxKnF4DdyMAF5gNFaTBY6gBEDtcPwQWlTP3KWNElvld9eFyXZdvFfmEnqmrHQA7ki0$LRQ8TL3uLrj6S$F0PRtRYnZ8Dp9xReKNQK9z"

[ahmelsayed]

move this class to the Constants.cs class as a nested class there.

[fabiocav]

@glennamanns just saw the last commit land. Would you remove the WIP/let us know when this is ready for review? Just want to make sure we don't ignore your changes once this is ready to go :)

[cgillum]

Some initial feedback. I'm not yet done reviewing, so I'll add more later.

[cgillum]

Naming nit: "AAD" is not really a thing, so AADName sounds unnatural. I'm also not sure what the difference is between an "AADName" and an "AppName". Should they be the same? Or should "AADName" be renamed to "AppRegistrationName"? #Closed

[cgillum]

Same comment for the parameter syntax below.

[glennamanns]

What are your thoughts on AADRegistrationName for both the variable and what goes on the command line? And for Azure App Service apps/functions, appName?

[cgillum]

Maybe AADAppRegistrationName instead of AADRegistrationName? appName is fine for the function app name. #Closed

[cgillum]

Product naming nit: "Name of the Azure Active Directory app registration to create." #Closed

[cgillum]

Grammar and product naming nits: "Name of the Azure App Service or Azure Functions app which corresponds to the Azure AD app registration." #Closed

[cgillum]

I get nit-picky about this since these strings are public-facing and therefore need to be considered somewhat official. #Closed

[cgillum]

Make this a case-insensitive dictionary: new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase). That way you don't have to remember to use case-sensitive lookups every time you reference this. #Closed

[cgillum]

This would be a bit cleaner:

bool authenticationEnabled = 
    middlewareAuthSettings.TryGetValue(Constants.MiddlewareAuthEnabledSetting, out string enabledValue) &&
    bool.TryParse(enabledValue, out bool isEnabled) &&
    isEnabled;
``` #Closed

[cgillum]

It feels unnatural to fetch the certificate and both its path and password. Is this because the Easy Auth code you're calling expects these? Could the Easy Auth code be refactored to take an X509Certificate2 for embedded scenarios like this? #Closed

[glennamanns]

Removing all of this altogether. Easy Auth, when truly middleware (which it is now), doesn't need its own reference to the certificate.

[cgillum]

Is it necessary to cast v.Value to string explicitly? Isn't it already a string? #Closed

[cgillum]

Suggested change

	var rootPath = ScriptHostHelpers.GetFunctionAppRootDirectory(Environment.CurrentDirectory, new List<string>
	var rootPath = ScriptHostHelpers.GetFunctionAppRootDirectory(Environment.CurrentDirectory, new []
	``` #Closed

[cgillum]

Yes, and they are more immutable (you cannot add or remove elements, making them easier to reason about). Generally speaking you should try to use the most restrictive data types. #Closed

[cgillum]

Is _storageApiVersion correct? This is an ARM call, not a storage call, so this seems not quite right.

[glennamanns]

GetStorageAccount, an existing method+ARM call, uses it. Authsettings requires a later API version than appsettings, because I got the following error with the older version: "The current api-version doesn't support RBAC users. Please use a newer version instead"

I think I'll add a second string called _authSettingsApiVersion and hardcode it to 2018-02-01, which is what the storage api version is. That way, it's clear the two are used for separate endpoints and can be changed independently of one another.

[cgillum]

Who is using this new API?

[glennamanns]

The create-aad command. In order to know which permissions to add, I need to know the bindings and their direction

[cgillum]

Who uses this new API?

[glennamanns]

create-aad to generate an encryption and signing key

[cgillum]

Do you need this to be a List<string> or can you instead use string[]. string[] array is preferred since it is less overhead and it is a fixed size, making it easier to reason about how it is used throughout the code (i.e. nobody is going to add to it or remove from it).

[glennamanns]

It's a List in order to get the serialized array (string serializedArray = JsonConvert.SerializeObject(replyUrls, Formatting.Indented)) that we use to update /authsettings in the proper format. The other parts of the code could use string[], but not this one. I can either change all of them to string[] and then convert to List in the publish to /authsettings scenario, or eat the overhead elsewhere.

[cgillum]

From a serialization perspective, List<string> and string[] create exactly the same JSON and can be used interchangeably.

[cgillum]

Should this be named GetCommandLineArguments? #Closed

[cgillum]

It's important that variable names give us an idea of what the data actually is and/or what it will be used for. In this case, replyUrlArray or something similar seems more appropriate.

[cgillum]

allowedAudiences should not be the same as the reply URLs. It should just be the base URL - e.g. "https://myapp.azurewebsites.net" or "http://myapp.localhost".

[glennamanns]

I could be misunderstanding, but I'm not sure that's true. I looked at the allowed_audiences of several function apps set up with Easy Auth (via the portal, not this new command) and they have the /.auth/login/aad/callback in their allowed audiences.

Examples: glennahttps, graphbinding-experiment, graphextension-beta1, FunctionsEasyAuth

[cgillum]

A few more feedback items.

[cgillum]

nit: I don't think you need the .ToArray<string>() here.

[cgillum]

From a serialization perspective, List<string> and string[] create exactly the same JSON and can be used interchangeably.

[cgillum]

I suggest "create-aad-app" as the action name since "aad" is not really a thing you can create.

[cgillum]

Use Environment.NewLine instead of \n.

[cgillum]

If we rename create-aad, don't forget to update it here as well.

[cgillum]

C# scripts (.csx) are .NET, but they don't have a .csproj file. Will this exception exclude those users? I wonder if it's safer to just skip that step and write an informational trace if we can't find the .csproj file.

[cgillum]

What about .fsproj for F# developers?

[cgillum]

GitHub isn't letting me reply to our existing comment thread on this, but the portal behavior you observed is wrong, and a bug which can cause CRIs. The allowed_audiences should NOT contain /.auth/login/aad/callback.

[cgillum]

(Duplicating my comment from elsewhere)

GitHub isn't letting me reply to our existing comment thread on this, but the portal behavior you observed is wrong, and a bug which can cause CRIs. The allowed_audiences should NOT contain /.auth/login/aad/callback.

[cgillum]

nit: Since this is a class intended to create extension methods, it's better to be consistent and make this method also an extension method:

Suggested change

	public static string ComputeSha256Hash(string rawData)
	public static string ComputeSha256Hash(this string rawData)

[glennamanns]

todo: revert this to the original logic

[jabbera]

Any chance of this making it any time soon? This breaks so many things. (Such as not being able to debug authenticated serverless Azure Functions locally at all)

[ahmelsayed]

Closing old PR. Please reopen if this still needs to be looked at

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.