[DC][OIDC] Check for both managed identity and role assignment write …

…permissions on resource group (#7499) (#7501) * [DC] Check for both managed identity and role assignment write permissions on resource group * Update error message
Azure · Dec 1, 2023 · 8a9945d · 8a9945d
1 parent 9335a5a
commit 8a9945d
Show file tree

Hide file tree

Showing 7 changed files with 78 additions and 36 deletions.
diff --git a/client-react/src/pages/app/deployment-center/DeploymentCenter.types.ts b/client-react/src/pages/app/deployment-center/DeploymentCenter.types.ts
@@ -321,7 +321,7 @@ export interface DeploymentCenterCommonFormData {
   authType?: AuthType;
   authIdentityClientId?: string;
   authIdentity?: UserAssignedIdentity;
-  hasPermissionToAssignRBAC?: boolean;
+  hasPermissionToUseOIDC?: boolean;
   hasOidcFlightEnabled?: boolean;
 }
 

diff --git a/client-react/src/pages/app/deployment-center/DeploymentCenterFormBuilder.ts b/client-react/src/pages/app/deployment-center/DeploymentCenterFormBuilder.ts
@@ -143,17 +143,17 @@ export abstract class DeploymentCenterFormBuilder {
         }),
       externalRepoType: Yup.mixed().notRequired(),
       devOpsProjectName: Yup.mixed().notRequired(),
-      authType: Yup.mixed().when('hasPermissionToAssignRBAC', {
+      authType: Yup.mixed().when('hasPermissionToUseOIDC', {
         is: true,
         then: Yup.mixed().test('authTypeRequired', this._t('deploymentCenterFieldRequiredMessage'), function(value) {
           return this.parent.hasOidcFlightEnabled ? !!value : true;
         }),
-        otherwise: Yup.mixed().test('authTypeIsNotOidc', '', function(value) {
+        otherwise: Yup.mixed().test('authTypeIsNotOidc', this._t('authenticationSettingsOidcPermissionsValidationError'), function(value) {
           return value !== AuthType.Oidc;
         }),
       }),
       authIdentity: Yup.mixed().notRequired(),
-      hasPermissionToAssignRBAC: Yup.boolean().notRequired(),
+      hasPermissionToUseOIDC: Yup.boolean().notRequired(),
       hasOidcFlightEnabled: Yup.boolean().notRequired(),
     };
   }

diff --git a/...src/pages/app/deployment-center/authentication/DeploymentCenterAuthenticationSettings.tsx b/...src/pages/app/deployment-center/authentication/DeploymentCenterAuthenticationSettings.tsx
@@ -10,14 +10,15 @@ import {
   DeploymentCenterCodeFormData,
   DeploymentCenterContainerFormData,
   DeploymentCenterFieldProps,
-  UserAssignedIdentity,
 } from '../DeploymentCenter.types';
 import CustomBanner from '../../../../components/CustomBanner/CustomBanner';
 import { DeploymentCenterLinks } from '../../../../utils/FwLinks';
 import RadioButton from '../../../../components/form-controls/RadioButton';
 import { Link } from '@fluentui/react/lib/Link';
 import { learnMoreLinkStyle } from '../../../../components/form-controls/formControl.override.styles';
 import RbacConstants from '../../../../utils/rbac-constants';
+import { ArmResourceDescriptor } from '../../../../utils/resourceDescriptors';
+import { getTelemetryInfo } from '../utility/DeploymentCenterUtility';
 
 export const DeploymentCenterAuthenticationSettings = React.memo<
   DeploymentCenterFieldProps<DeploymentCenterContainerFormData | DeploymentCenterCodeFormData>
@@ -26,7 +27,8 @@ export const DeploymentCenterAuthenticationSettings = React.memo<
   const { formProps } = props;
   const portalContext = React.useContext(PortalContext);
   const deploymentCenterContext = React.useContext(DeploymentCenterContext);
-  const managedIdentityInfo = React.useRef<{ [key: string]: UserAssignedIdentity }>({});
+  const [hasRoleAssignmentWritePermission, setHasRoleAssignmentWritePermission] = React.useState<boolean>(false);
+  const [hasManagedIdentityWritePermission, setHasManagedIdentityWritePermission] = React.useState<boolean>(false);
 
   const authTypeOptions = React.useMemo(() => {
     return [
@@ -35,27 +37,62 @@ export const DeploymentCenterAuthenticationSettings = React.memo<
     ];
   }, []);
 
-  const hasPermissionOverResource = React.useCallback(async () => {
+  const hasPermissionOverResourceGroup = React.useCallback(async () => {
     if (deploymentCenterContext.resourceId) {
-      const hasRoleAssignmentWritePermission = await portalContext.hasPermission(deploymentCenterContext.resourceId, [
-        RbacConstants.roleAssignmentWriteScope,
-      ]);
-      return formProps.setFieldValue('hasPermissionToAssignRBAC', hasRoleAssignmentWritePermission);
+      const armId = new ArmResourceDescriptor(deploymentCenterContext.resourceId);
+      const resourceGroup = `/subscriptions/${armId.subscription}/resourceGroups/${armId.resourceGroup}`;
+      const hasRoleAssignmentPermission = await portalContext.hasPermission(resourceGroup, [RbacConstants.roleAssignmentWriteScope]);
+      const hasManagedIdentityPermission = await portalContext.hasPermission(resourceGroup, [RbacConstants.identityWriteScope]);
+      portalContext.log(
+        getTelemetryInfo('info', 'hasPermissionToUseOIDC', 'check', {
+          hasRoleAssignmentWritePermission: hasRoleAssignmentPermission.toString(),
+          hasManagedIdentityWritePermission: hasManagedIdentityPermission.toString(),
+        })
+      );
+      formProps.setFieldValue('hasPermissionToUseOIDC', hasRoleAssignmentPermission && hasManagedIdentityPermission);
+      setHasRoleAssignmentWritePermission(hasRoleAssignmentPermission);
+      setHasManagedIdentityWritePermission(hasManagedIdentityPermission);
+    } else {
+      formProps.setFieldValue('hasPermissionToUseOIDC', false);
+      setHasRoleAssignmentWritePermission(false);
+      setHasManagedIdentityWritePermission(false);
     }
-
-    return formProps.setFieldValue('hasPermissionToAssignRBAC', false);
-  }, [deploymentCenterContext.resourceId, formProps.values.hasPermissionToAssignRBAC]);
+  }, [deploymentCenterContext.resourceId]);
 
   React.useEffect(() => {
-    const authIdentityClientId = formProps.values.authIdentityClientId;
-    if (authIdentityClientId && managedIdentityInfo.current[authIdentityClientId]) {
-      formProps.values.authIdentity = managedIdentityInfo.current[authIdentityClientId];
-    }
-  }, [formProps.values.authIdentityClientId]);
+    hasPermissionOverResourceGroup();
+  }, [hasPermissionOverResourceGroup]);
 
-  React.useEffect(() => {
-    hasPermissionOverResource();
-  }, [hasPermissionOverResource]);
+  const errorBanner = React.useMemo(() => {
+    if (formProps.values.authType === AuthType.Oidc && formProps.values.hasPermissionToUseOIDC === false) {
+      return (
+        <div className={deploymentCenterInfoBannerDiv}>
+          {!hasManagedIdentityWritePermission ? (
+            <CustomBanner
+              id="deployment-center-msi-permissions-error"
+              message={t('authenticationSettingsIdentityCreationPermissionsError')}
+              type={MessageBarType.blocked}
+              learnMoreLink={DeploymentCenterLinks.managedIdentityCreationPrereqs}
+              learnMoreLinkAriaLabel={t('authenticationSettingsIdentityCreationPrerequisitesLinkAriaLabel')}
+            />
+          ) : (
+            <CustomBanner
+              id="deployment-center-msi-permissions-error"
+              message={t('authenticationSettingsIdentityAssignmentPermissionsError')}
+              type={MessageBarType.blocked}
+              learnMoreLink={DeploymentCenterLinks.roleAssignmentPrereqs}
+              learnMoreLinkAriaLabel={t('authenticationSettingsRoleAssignmentPrerequisitesLinkAriaLabel')}
+            />
+          )}
+        </div>
+      );
+    }
+  }, [
+    hasManagedIdentityWritePermission,
+    hasRoleAssignmentWritePermission,
+    formProps.values.authType,
+    formProps.values.hasPermissionToUseOIDC,
+  ]);
 
   return (
     <div className={deploymentCenterContent}>
@@ -74,17 +111,7 @@ export const DeploymentCenterAuthenticationSettings = React.memo<
         </p>
       </>
 
-      {formProps.values.authType === AuthType.Oidc && formProps.values.hasPermissionToAssignRBAC === false && (
-        <div className={deploymentCenterInfoBannerDiv}>
-          <CustomBanner
-            id="deployment-center-msi-permissions-error"
-            message={t('authenticationSettingsIdentityPermissionsError')}
-            type={MessageBarType.blocked}
-            learnMoreLink={DeploymentCenterLinks.roleAssignmentPrereqs}
-            learnMoreLinkAriaLabel={t('authenticationSettingsRoleAssignmentPrerequisitesLinkAriaLabel')}
-          />
-        </div>
-      )}
+      {errorBanner}
 
       <Field
         id="deployment-center-auth-type-option"

diff --git a/client-react/src/utils/FwLinks.ts b/client-react/src/utils/FwLinks.ts
@@ -79,4 +79,5 @@ export const DeploymentCenterLinks = {
   azureDevOpsPortal: 'https://go.microsoft.com/fwlink/?linkid=2245703',
   managedIdentityOidc: 'https://go.microsoft.com/fwlink/?linkid=2247951',
   roleAssignmentPrereqs: 'https://go.microsoft.com/fwlink/?linkid=2249489',
+  managedIdentityCreationPrereqs: 'https://go.microsoft.com/fwlink/?linkid=2253463',
 };
diff --git a/client-react/src/utils/rbac-constants.ts b/client-react/src/utils/rbac-constants.ts
@@ -8,4 +8,5 @@ export default class RbacConstants {
   public static configListActionScope = 'Microsoft.Web/sites/config/list/action';
   public static configReadScope = 'Microsoft.Web/sites/config/read';
   public static configWriteScope = 'Microsoft.Web/sites/config/write';
+  public static identityWriteScope = 'Microsoft.ManagedIdentity/userAssignedIdentities/write';
 }
diff --git a/client/src/app/shared/models/portal-resources.ts b/client/src/app/shared/models/portal-resources.ts
@@ -2580,7 +2580,11 @@ export class PortalResources {
   public static authenticationSettingsAuthenticationType = 'authenticationSettingsAuthenticationType';
   public static authenticationSettingsAuthenticationPlaceholder = 'authenticationSettingsAuthenticationPlaceholder';
   public static authenticationSettingsIdentity = 'authenticationSettingsIdentity';
-  public static authenticationSettingsIdentityPermissionsError = 'authenticationSettingsIdentityPermissionsError';
+  public static authenticationSettingsOidcPermissionsValidationError = 'authenticationSettingsOidcPermissionsValidationError';
+  public static authenticationSettingsIdentityCreationPermissionsError = 'authenticationSettingsIdentityCreationPermissionsError';
+  public static authenticationSettingsIdentityAssignmentPermissionsError = 'authenticationSettingsIdentityAssignmentPermissionsError';
+  public static authenticationSettingsIdentityCreationPrerequisitesLinkAriaLabel =
+    'authenticationSettingsIdentityCreationPrerequisitesLinkAriaLabel';
   public static authenticationSettingsRoleAssignmentPrerequisitesLinkAriaLabel =
     'authenticationSettingsRoleAssignmentPrerequisitesLinkAriaLabel';
   public static authenticationSettingsFederatedCredentialsLinkAriaLabel = 'authenticationSettingsFederatedCredentialsLinkAriaLabel';

diff --git a/server/Resources/Resources.resx b/server/Resources/Resources.resx
@@ -7882,8 +7882,17 @@ Set to "External URL" to use an API definition that is hosted elsewhere.</value>
     <data name="authenticationSettingsIdentity" xml:space="preserve">
         <value>Identity</value>
     </data>
-    <data name="authenticationSettingsIdentityPermissionsError" xml:space="preserve">
-        <value>You do not have sufficient permissions on this app to assign role-based access to a managed identity and configure federated credentials.</value>
+    <data name="authenticationSettingsOidcPermissionsValidationError" xml:space="preserve">
+        <value>You do not have sufficient permissions to authenticate with user-assigned identity.</value>
+    </data>    
+    <data name="authenticationSettingsIdentityCreationPermissionsError" xml:space="preserve">
+        <value>You do not have sufficient permissions to create a managed identity within this resource group.</value>
+    </data>    
+    <data name="authenticationSettingsIdentityAssignmentPermissionsError" xml:space="preserve">
+        <value>You do not have sufficient permissions to assign role-based access to a managed identity within this resource group and configure federated credentials.</value>
+    </data>
+    <data name="authenticationSettingsIdentityCreationPrerequisitesLinkAriaLabel" xml:space="preserve">
+        <value>Click here to learn more about how to create a managed identity.</value>
     </data>    
     <data name="authenticationSettingsRoleAssignmentPrerequisitesLinkAriaLabel" xml:space="preserve">
         <value>Click here to learn more about how to assign role-based access to a managed identity.</value>