Merge pull request #3 from almenscorner/msal
v1.1.0
Showing
10 changed files
with
215 additions
and
55 deletions.
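--- a/munki_manifest_generator/graph/get_authentication_token.py
+++ b/munki_manifest_generator/graph/get_authentication_token.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+
+"""
+This module is used to get the access token for the tenant.
+"""
+
+import os
+import json
+
+from munki_manifest_generator.graph.obtain_access_token import obtain_accesstoken_app, obtain_accesstoken_cert, obtain_accesstoken_interactive
+
+def getAuth(app, certauth, interactiveauth):
+    """
+    This function authenticates to MS Graph and returns the access token.
+    :param mode: The mode used when using this tool
+    :param localauth: Path to dict with keys to authenticate
+    :param tenant: Which tenant to authenticate to, PROD or DEV
+    :return: The access token
+    """
+
+    if certauth:
+        KEY_FILE = os.environ.get("KEY_FILE")
+        THUMBPRINT = os.environ.get("THUMBPRINT")
+        TENANT_NAME = os.environ.get("TENANT_NAME")
+        CLIENT_ID = os.environ.get("CLIENT_ID")
+
+        if not all([KEY_FILE, THUMBPRINT, TENANT_NAME, CLIENT_ID]):
+            raise Exception("One or more os.environ variables not set")
+        return obtain_accesstoken_cert(TENANT_NAME, CLIENT_ID, THUMBPRINT, KEY_FILE)
+
+    if interactiveauth:
+        TENANT_NAME = os.environ.get("TENANT_NAME")
+        CLIENT_ID = os.environ.get("CLIENT_ID")
+
+        if not all([TENANT_NAME, CLIENT_ID]):
+            raise Exception("One or more os.environ variables not set")
+
+        return obtain_accesstoken_interactive(TENANT_NAME, CLIENT_ID)
+
+    if app:
+        TENANT_NAME = os.environ.get("TENANT_NAME")
+        CLIENT_ID = os.environ.get("CLIENT_ID")
+        CLIENT_SECRET = os.environ.get("CLIENT_SECRET")
+        if not all([TENANT_NAME, CLIENT_ID, CLIENT_SECRET]):
+            raise Exception("One or more os.environ variables not set")
+
+        return obtain_accesstoken_app(TENANT_NAME, CLIENT_ID, CLIENT_SECRET)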
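Review bot: getAuth silently returns None when none of `app`, `certauth` or `interactiveauth` is truthy, since the three `if` branches have no fall-through, so a caller that forgot to pick a mode gets None where it expects a token dict; end the function with `raise ValueError("No authentication method selected (app, certauth or interactiveauth)")`. The docstring also documents parameters `mode`, `localauth` and `tenant` that the function does not take; it should describe `app`, `certauth` and `interactiveauth` as the mode flags and note that the credentials come from the `KEY_FILE`, `THUMBPRINT`, `TENANT_NAME`, `CLIENT_ID` and `CLIENT_SECRET` environment variables. The "One or more os.environ variables not set" message would be more useful if it named the missing variable(s), e.g. by listing the names whose value is falsy. `import json` is unused in this file.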
@@ -1,23 +1,126 @@ | ||
#!/usr/bin/env python3 | ||
|
||
""" | ||
This module is used to obtain an access token for use with Graph API. | ||
This module contains the functions used to get the access token for MS Graph. | ||
""" | ||
|
||
from adal import AuthenticationContext | ||
|
||
from msal import ConfidentialClientApplication, PublicClientApplication | ||
|
||
def obtain_access_token(client_id, client_secret, tenant_name): | ||
"""Return an access token for use with Graph API.""" | ||
AUTHORITY = "https://login.microsoftonline.com/" | ||
SCOPE = ["https://graph.microsoft.com/.default"] | ||
|
||
auth_context = AuthenticationContext( | ||
"https://login.microsoftonline.com/" + tenant_name | ||
|
||
def obtain_accesstoken_app(TENANT_NAME, CLIENT_ID, CLIENT_SECRET): | ||
""" | ||
This function is used to get an access token to MS Graph using client credentials. | ||
:param TENANT_NAME: The name of the Azure tenant | ||
:param CLIENT_ID: The ID of the registered Azure AD application | ||
:param CLIENT_SECRET: Secret of the registered Azure AD application | ||
:return: The access token | ||
""" | ||
|
||
# Create app instance | ||
app = ConfidentialClientApplication( | ||
client_id=CLIENT_ID, | ||
client_credential=CLIENT_SECRET, | ||
authority=AUTHORITY + TENANT_NAME, | ||
) | ||
|
||
token = None | ||
|
||
try: | ||
# Check if token is already cached | ||
token = app.acquire_token_silent(SCOPE, account=None) | ||
|
||
# If not, get a new token | ||
if not token: | ||
token = app.acquire_token_for_client(scopes=SCOPE) | ||
if not token: | ||
raise Exception("No token returned") | ||
|
||
except Exception as e: | ||
raise Exception("Error obtaining access token: " + str(e)) | ||
|
||
return token | ||
|
||
|
||
def obtain_accesstoken_cert(TENANT_NAME, CLIENT_ID, THUMBPRINT, KEY_FILE): | ||
""" | ||
This function is used to get an access token to MS Graph using a certificate. | ||
:param TENANT_NAME: The name of the Azure tenant | ||
:param CLIENT_ID: The ID of the registered Azure AD application | ||
:param THUMBPRINT Thumbprint of the certificate uploaded to Azure AD | ||
:param KEY_FILE: Path to the private key of the certificate | ||
:return: The access token | ||
""" | ||
|
||
# Create app instance | ||
app = ConfidentialClientApplication( | ||
client_id=CLIENT_ID, | ||
client_credential={ | ||
"thumbprint": THUMBPRINT, | ||
"private_key": open(KEY_FILE).read(), | ||
}, | ||
authority=AUTHORITY + TENANT_NAME, | ||
) | ||
|
||
token = auth_context.acquire_token_with_client_credentials( | ||
resource="https://graph.microsoft.com", | ||
client_id=client_id, | ||
client_secret=client_secret, | ||
token = None | ||
|
||
try: | ||
# Check if token is already cached | ||
token = app.acquire_token_silent(SCOPE, account=None) | ||
|
||
# If not, get a new token | ||
if not token: | ||
token = app.acquire_token_for_client(scopes=SCOPE) | ||
if not token: | ||
raise Exception("No token returned") | ||
|
||
except Exception as e: | ||
raise Exception("Error obtaining access token: " + str(e)) | ||
|
||
return token | ||
|
||
|
||
def obtain_accesstoken_interactive(TENANT_NAME, CLIENT_ID): | ||
""" | ||
This function is used to get an access token to MS Graph interactivly. | ||
:param TENANT_NAME: The name of the Azure tenant | ||
:param CLIENT_ID: The ID of the registered Azure AD application | ||
:return: The access token | ||
""" | ||
|
||
# Create app instance | ||
app = PublicClientApplication( | ||
client_id=CLIENT_ID, | ||
client_credential=None, | ||
authority=AUTHORITY + TENANT_NAME, | ||
) | ||
|
||
token = None | ||
|
||
# Set the required scopes | ||
scopes = [ | ||
"DeviceManagementManagedDevices.Read.All", | ||
"Directory.Read.All", | ||
"GroupMember.Read.All", | ||
"Group.Read.All" | ||
] | ||
|
||
try: | ||
# Get the token interactively | ||
token = app.acquire_token_interactive( | ||
scopes=scopes, max_age=1200, prompt="select_account" | ||
) | ||
|
||
if not token: | ||
raise Exception("No token returned") | ||
|
||
except Exception as e: | ||
raise Exception("Error obtaining access token: " + str(e)) | ||
|
||
return token |
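Review bot: The `if not token: raise Exception("No token returned")` checks in obtain_accesstoken_app, obtain_accesstoken_cert and obtain_accesstoken_interactive do not detect an authentication failure, because MSAL's acquire_token_* methods return a non-empty dict with `error` and `error_description` keys on failure rather than None, so a failed request is handed back to the caller as if it were a token. Test for the credential itself, `if not token or "access_token" not in token:`, and include `token.get("error_description")` in the raised message so the cause is visible. In obtain_accesstoken_cert, `"private_key": open(KEY_FILE).read()` never closes the key file; read it in a `with open(KEY_FILE) as key_file:` block before building the `client_credential` dict. The `except Exception as e: raise Exception("Error obtaining access token: " + str(e))` wrappers should use `raise ... from e` so the original traceback is kept, and the two duplicated try-blocks could share a small helper.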