From 502afa30876585e7a70fa1bd2a0ac2f09b1051be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maximilian=20Pa=C3=9F?=
Date: Mon, 16 May 2022 14:13:24 +0200
Subject: [PATCH 1/3] Fix missing permissions for keyvault .. as we create the keyvaults without providing the current user the permissions to write content into it. Also remove deprecated "Force" flag.
---
 ModuleOne/create.ps1 | 6 +++++-
 ModuleThree/create.ps1 | 3 +++
 ModuleThree/teardown.ps1 | 2 +-
 ModuleTwo/create.ps1 | 3 +++
 Utils/create_users.ps1 | 5 ++++-
 Utils/delete_users.ps1 | 4 ++--
 convex.ps1 | 2 +-
 7 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/ModuleOne/create.ps1 b/ModuleOne/create.ps1
index 5f32391..5e0f537 100644
--- a/ModuleOne/create.ps1
+++ b/ModuleOne/create.ps1
@@ -1,4 +1,4 @@
-# This PowerShell Script will create Module 1
+# This PowerShell Script will create Module 1
 param($SubTwo, $SubOne, $userNum, $domainname)
 
 
@@ -66,12 +66,16 @@ Write-Host "Starting Key Vault created"
 Write-Host "Creating User Key Vault"
 New-AzKeyVault -Name $UserVaultName -ResourceGroupName $RG1Name -Location $Location
 Write-Host "User Key Vault created"
+
+$currentUser = az ad signed-in-user show --query objectId -o tsv
+Set-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $currentUser -PermissionsToKeys all -PermissionsToSecrets all
 Set-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $group.Id -PermissionsToKeys get,list -PermissionsToSecrets get,list
 New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName Reader -ResourceName $theVault.VaultName -ResourceType Microsoft.KeyVault/vaults -ResourceGroupName $RG1Name
 
 # Fill the Vaults with secrets
 Write-Host "Adding secrets to starting Key Vault"
 Set-AzKeyVaultSecret -VaultName $VaultName -Name $KeyName -SecretValue $SecretKey1
+Remove-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $currentUser
 
 # Create the Users
 ..\Utils\create_users.ps1 $guid1 $domainname "m1" $userNum
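Review bot: The access policy granted to `$currentUser` is only taken away if `Set-AzKeyVaultSecret` returns normally; any failure between the grant and the `Remove-AzKeyVaultAccessPolicy` line leaves the deploying identity with `all` on keys and secrets of the vault, and `all` is far more than the single `set` on secrets that this write needs. The same grant/remove pair is added in ModuleThree/create.ps1, ModuleTwo/create.ps1 and Utils/create_users.ps1 and should get the same `try`/`finally` and narrowed permission. Resolving the object id through the Azure CLI while the rest of the script uses Az PowerShell also means a missing or differently signed-in `az` session yields an empty `$currentUser` with no error at this line, and newer CLI releases report the Graph property name `id` instead of `objectId`, so the query can come back empty there too; `Get-AzADUser -SignedIn` keeps the lookup inside Az if the installed Az.Resources provides it. `$theVault` and `$VaultName` are both set outside the hunk; if they do not name the same vault, the grant lands on a different vault than the one written to.
```powershell
$currentUser = (Get-AzADUser -SignedIn).Id
Set-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $currentUser -PermissionsToSecrets set
# … unchanged: group access policy, Reader role assignment, Write-Host …
try {
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $KeyName -SecretValue $SecretKey1
} finally {
    Remove-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $currentUser
}
```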
diff --git a/ModuleThree/create.ps1 b/ModuleThree/create.ps1
index 3f4c3bc..cdeac64 100644
--- a/ModuleThree/create.ps1
+++ b/ModuleThree/create.ps1
@@ -111,7 +111,10 @@ New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName Reader -Scope $dsco
 Write-Host "John Doe created"
 
 # Add user info to KV
+$currentUser = az ad signed-in-user show --query objectId -o tsv
+Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $currentUser -PermissionsToKeys all -PermissionsToSecrets all
 Set-AzKeyVaultSecret -VaultName $VaultName -Name $displayname -SecretValue $sspw
+Remove-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $currentUser
 
 # Switch Subscription
 Get-AzSubscription -SubscriptionId $SubOne.Id -TenantId $SubOne.TenantId | Set-AzContext
diff --git a/ModuleThree/teardown.ps1 b/ModuleThree/teardown.ps1
index d3e8801..4feb872 100644
--- a/ModuleThree/teardown.ps1
+++ b/ModuleThree/teardown.ps1
@@ -19,7 +19,7 @@ Get-AzSubscription -SubscriptionId $SubOne.Id -TenantId $SubOne.TenantId | Set-A
 ..\Utils\delete_users.ps1 "m3"
 
 # Delete dummy value
-Remove-AzADUser -DisplayName "JohnDoe" -Force
+Remove-AzADUser -DisplayName "JohnDoe"
 
 # ------Sub One------ #
 
diff --git a/ModuleTwo/create.ps1 b/ModuleTwo/create.ps1
index 2974e61..4943e2d 100644
--- a/ModuleTwo/create.ps1
+++ b/ModuleTwo/create.ps1
@@ -78,10 +78,13 @@ New-AzStorageContainer -Name $BlobName -Context $ctx -Permission Blob
 Set-AzStorageBlobContent -File "..\Utils\flag.txt" -Container $BlobName -Blob flag.txt -Context $ctx
 
 # Add in the appKey to the prived app
+$currentUser = az ad signed-in-user show --query objectId -o tsv
+Set-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $currentUser -PermissionsToKeys all -PermissionsToSecrets all
 Set-AzKeyVaultSecret -VaultName $theVault.VaultName -Name "appKey" -SecretValue $sp2.Secret
 
 # Set Key Vault permissions
 Set-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $sp1.Id -PermissionsToKeys get,list -PermissionsToSecrets get,list
+Remove-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $currentUser
 
 # ------In Sub One------ #
 Get-AzSubscription -SubscriptionId $SubOne.Id -TenantId $SubOne.TenantId | Set-AzContext
diff --git a/Utils/create_users.ps1 b/Utils/create_users.ps1
index 2bd1eb2..2ce7b42 100644
--- a/Utils/create_users.ps1
+++ b/Utils/create_users.ps1
@@ -26,8 +26,11 @@ for ($cur = 1; $cur -le $n; $cur++) {
     $thisuser = New-AzADUser -DisplayName $displayname -UserPrincipalName $upn -Password $sspw -MailNickname $displayname
     Add-AzADGroupMember -MemberObjectId $thisuser.Id -TargetGroupObjectId $toAdd.Id
 
-    # Store username and password in keyvault
+    # Store username and password in keyvault
+    $currentUser = az ad signed-in-user show --query objectId -o tsv
+    Set-AzKeyVaultAccessPolicy -VaultName $UserKV.Name -ObjectId $currentUser -PermissionsToKeys all -PermissionsToSecrets all
     Set-AzKeyVaultSecret -VaultName $UserKV.Name -Name $displayname -SecretValue $sspw
+    Remove-AzKeyVaultAccessPolicy -VaultName $UserKV.Name -ObjectId $currentUser
 }
 
 Write-Host "Finished creating $module users"
diff --git a/Utils/delete_users.ps1 b/Utils/delete_users.ps1
index 88d6732..d30aca4 100644
--- a/Utils/delete_users.ps1
+++ b/Utils/delete_users.ps1
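Review bot: In Utils/create_users.ps1 the `az ad signed-in-user show` lookup and the access-policy grant/remove pair run once per iteration of the enclosing `for` loop (its header is the hunk's context line, its closing `}` is inside the hunk), so each user costs a CLI call plus two rewrites of the vault's access-policy list, and an error from `New-AzADUser` or `Set-AzKeyVaultSecret` inside the loop leaves the policy in place. Resolve `$currentUser` and grant only `set` on secrets once before the loop, and remove the policy in a `finally` after it. `$UserKV` and `$n` are set outside the hunk.
```powershell
$currentUser = az ad signed-in-user show --query objectId -o tsv
Set-AzKeyVaultAccessPolicy -VaultName $UserKV.Name -ObjectId $currentUser -PermissionsToSecrets set
try {
    for ($cur = 1; $cur -le $n; $cur++) {
        # … unchanged: user creation and group membership …
        # Store username and password in keyvault
        Set-AzKeyVaultSecret -VaultName $UserKV.Name -Name $displayname -SecretValue $sspw
    }
} finally {
    Remove-AzKeyVaultAccessPolicy -VaultName $UserKV.Name -ObjectId $currentUser
}
```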
@@ -10,7 +10,7 @@ $toDel = $groups | Where-Object DisplayName -Clike $groupname
 
 # Remove all the users
 $usrList = Get-AzADGroupMember -GroupObjectId $toDel.Id
-foreach ($usr in $usrList) {Remove-AzADUser -DisplayName $usr.DisplayName -Force}
+foreach ($usr in $usrList) {Remove-AzADUser -DisplayName $usr.DisplayName}
 
 # Remove the group from AAD
-Remove-AzADGroup -ObjectId $toDel.id -Force
+Remove-AzADGroup -ObjectId $toDel.id
diff --git a/convex.ps1 b/convex.ps1
index 598e436..c6194f2 100644
--- a/convex.ps1
+++ b/convex.ps1
@@ -107,7 +107,7 @@ foreach ($mod in $dirs.Name) {
     if ($decision -eq "create") {
         .\create.ps1 $SubOne $SubTwo $users $domainname
     } else {
-        .\teardown $SubOne $SubTwo
+        .\teardown.ps1 $SubOne $SubTwo
     }
     Set-Location ..
 }
From 088f56a806639fd3e6094e33dcbc9dba560ee31f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maximilian=20Pa=C3=9F?=
Date: Mon, 16 May 2022 14:54:00 +0200
Subject: [PATCH 2/3] Update PowerShell usage. - The field "Secret" of a service principal is deprecated. - The app id of the other service principal is not visible via Stormspotter. - The service principal has no access to the storage account just by having the scope. We need to create role assignments.
---
 ModuleTwo/create.ps1 | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/ModuleTwo/create.ps1 b/ModuleTwo/create.ps1
index 4943e2d..d64eb61 100644
--- a/ModuleTwo/create.ps1
+++ b/ModuleTwo/create.ps1
@@ -70,6 +70,9 @@ $sp1 = New-AzADServicePrincipal -DisplayName $sp1Name -Role Reader -Scope $sp1Sc
 $sp2Name = "m2webapp-admin"
 $sp2Scope = '/subscriptions/' + $SubTwo.Id + '/resourceGroups/' + $RG2Name
 $sp2 = New-AzADServicePrincipal -DisplayName $sp2Name -Scope $sp2Scope
+New-AzRoleAssignment -ObjectId $sp2.Id -RoleDefinitionName "Reader" -Scope $sp2Scope
+$sa2Scope = $sp2Scope + '/providers/Microsoft.Storage/storageAccounts/' + $SA2Name
+New-AzRoleAssignment -ObjectId $sp2.Id -RoleDefinitionName "Classic Storage Account Key Operator Service Role" -Scope $sa2Scope
 Write-Host "Service Principals created"
 
 # Add the flag to the SA
@@ -80,7 +83,11 @@ Set-AzStorageBlobContent -File "..\Utils\flag.txt" -Container $BlobName -Blob fl
 # Add in the appKey to the prived app
 $currentUser = az ad signed-in-user show --query objectId -o tsv
 Set-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $currentUser -PermissionsToKeys all -PermissionsToSecrets all
-Set-AzKeyVaultSecret -VaultName $theVault.VaultName -Name "appKey" -SecretValue $sp2.Secret
+$sp2AppId = $sp2.AppId.ToString()
+$ssid = ConvertTo-SecureString -String $sp2AppId -AsPlainText -Force
+Set-AzKeyVaultSecret -VaultName $theVault.VaultName -Name "appId" -SecretValue $ssid
+$sspw = ConvertTo-SecureString -String $sp2.PasswordCredentials.SecretText -AsPlainText -Force
+Set-AzKeyVaultSecret -VaultName $theVault.VaultName -Name "appKey" -SecretValue $sspw
 
 # Set Key Vault permissions
 Set-AzKeyVaultAccessPolicy -VaultName $theVault.VaultName -ObjectId $sp1.Id -PermissionsToKeys get,list -PermissionsToSecrets get,list
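Review bot: The second `New-AzRoleAssignment` uses `Classic Storage Account Key Operator Service Role`, whose actions are defined on `Microsoft.ClassicStorage` accounts, while `$sa2Scope` is built under `providers/Microsoft.Storage/storageAccounts/`; on an ARM storage account that assignment grants no applicable action, so the access the commit message says it adds for `$sp2` is not actually granted and the ARM counterpart `Storage Account Key Operator Service Role` is the one that matches this scope. Both assignments are issued immediately after `New-AzADServicePrincipal`; directory replication frequently makes the first `New-AzRoleAssignment` fail with a principal-not-found error, so retry on that error or wait until `Get-AzADServicePrincipal -ObjectId $sp2.Id` returns the principal before assigning. The `New-AzRoleAssignment -ObjectId $app.Id` line added to ModuleThree/create.ps1 in patch 3/3 has the same ordering.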
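Review bot: `$sp2.PasswordCredentials.SecretText` reads the secret through member enumeration over the credential collection; on a freshly created principal that collection has one entry, but should it ever hold more, the expression becomes an array and `ConvertTo-SecureString -String` rejects it, so index explicitly: `$sspw = ConvertTo-SecureString -String $sp2.PasswordCredentials[0].SecretText -AsPlainText -Force`. The same expression is used for `$sp1` in the `$settings['application_key']` hunk of this patch and for `$app` in ModuleThree/create.ps1 in patch 3/3. `SecretText` is only populated on the object returned by the creating call, so `$sp2` must stay the result of `New-AzADServicePrincipal` rather than a later lookup; a one-line comment stating that above the `$sspw` line would save the next maintainer a surprise.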
@@ -97,11 +104,9 @@ $settings = @{}
 foreach ($kvp in $appSettings) {
     $settings[$kvp.Name] = $kvp.Value
 }
-$spAppId = $sp1.ApplicationId.ToString()
+$spAppId = $sp1.AppId.ToString()
 $settings['application_id'] = $spAppId
-$secret = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sp1.Secret)
-$secret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($secret)
-$settings['application_key'] = $secret.ToString()
+$settings['application_key'] = $sp1.PasswordCredentials.SecretText
 Set-AzWebApp -ResourceGroupName $RG1Name -Name $webServiceName -AppSettings $settings
 Write-Host "Web App Application settings updated"
 
From 589270f693d24cd0c404cd26085a7cb5b7908b64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maximilian=20Pa=C3=9F?=
Date: Mon, 16 May 2022 15:03:18 +0200
Subject: [PATCH 3/3] Update PowerShell and func usage for module three. - The field "Secret" of a service principal is deprecated. - Update the usage of the Azure Functions Core Tools to version 4. - The service principal has no access to the storage account just by having the scope. We need to create role assignments. - "$dir" is the absolute path.
---
 ModuleThree/create.ps1 | 13 +++++++------
 ModuleThree/run.ps1 | 8 ++++----
 ModuleThree/teardown.ps1 | 2 +-
 3 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/ModuleThree/create.ps1 b/ModuleThree/create.ps1
index cdeac64..719d030 100644
--- a/ModuleThree/create.ps1
+++ b/ModuleThree/create.ps1
@@ -60,7 +60,8 @@ Update-AzFunctionApp -Name $functionApp -ResourceGroupName $RG1Name -Application
 New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName Reader -ResourceName $appInsightsName -ResourceType Microsoft.Insights/components -ResourceGroupName $RG1Name
 
 # Create function
-func new -n $function -t "Timer trigger" -l PowerShell
+func init --worker-runtime powershell
+func new -n $function -t "Timer trigger"
 
 # Switch Subscriptions
 Get-AzSubscription -SubscriptionId $SubTwo.Id -TenantId $SubTwo.TenantId | Set-AzContext
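Review bot: `func init --worker-runtime powershell` and `func new` are external commands, so a non-zero exit (Core Tools not on PATH, or `func init` declining to run in this directory) does not stop the script, and the later `Copy-Item .\run.ps1 .\$function\` step then runs against a function folder that was never created. Check `$LASTEXITCODE` after each call, e.g. `if ($LASTEXITCODE -ne 0) { throw "func init failed" }` and the same after `func new`. The `az ad signed-in-user show` calls added in patch 1/3 have the same gap.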
@@ -91,6 +92,7 @@ Write-Host "Key Vault created"
 Write-Host "Creating Service Principal"
 $appScope = '/subscriptions/' + $SubTwo.Id + '/resourceGroups/' + $RG2Name + '/providers/Microsoft.KeyVault/vaults/' + $VaultName
 $app = New-AzADServicePrincipal -DisplayName $appName -Scope $appScope
+New-AzRoleAssignment -ObjectId $app.Id -RoleDefinitionName Reader -Scope $appScope
 Write-Host "Service Principal created"
 
 # Set KV policy
@@ -125,11 +127,10 @@ Copy-Item .\run.ps1 .\$function\
 Set-Location .\$function\
 $str = '$TenantId = "' + $SubTwo.TenantId + '"'
 (Get-Content .\run.ps1).replace('$TenantId = ', $str) | Set-Content .\run.ps1
-$str = '$AppObjectId = "' + $app.ApplicationId + '"'
-(Get-Content .\run.ps1).replace('$AppObjectId = ', $str) | Set-Content .\run.ps1
-$secret = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($app.Secret)
-$secret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($secret)
-$str = '$Password = "' + $secret.ToString() + '"'
+$spAppId = $app.AppId.ToString()
+$str = '$AppId = "' + $spAppId + '"'
+(Get-Content .\run.ps1).replace('$AppId = ', $str) | Set-Content .\run.ps1
+$str = '$Password = "' + $app.PasswordCredentials.SecretText + '"'
 (Get-Content .\run.ps1).replace('$Password = ', $str) | Set-Content .\run.ps1
 Set-Location ..
 Write-Host "Function code modified"
diff --git a/ModuleThree/run.ps1 b/ModuleThree/run.ps1
index c4b8144..514f470 100644
--- a/ModuleThree/run.ps1
+++ b/ModuleThree/run.ps1
@@ -1,11 +1,11 @@
 # Input bindings are passed in via param block.
 param($Timer)
 
-Write-Host "Entering function ProcessData. TIME: $currentUTCtime"
-
 # Get the current universal time in the default string format
 $currentUTCtime = (Get-Date).ToUniversalTime()
 
+Write-Host "Entering function ProcessData. TIME: $currentUTCtime"
+
 # The 'IsPastDue' porperty is 'true' when the current function invocation is later than scheduled.
 if ($Timer.IsPastDue) {
     Write-Host "Timer is running late!"
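Review bot: In the second hunk the secret is written into run.ps1 as a double-quoted PowerShell literal (`'$Password = "' + $app.PasswordCredentials.SecretText + '"'`), so a `"`, `$` or backtick in the generated secret is interpreted when the function runs and the value the function sends silently differs from the one registered on the principal. Unless the secret's character set is guaranteed to exclude those, emit a single-quoted literal with embedded quotes doubled: `$str = '$Password = ''' + $app.PasswordCredentials.SecretText.Replace("'", "''") + ''''`. The `$AppId` line is built the same way, though a GUID cannot contain those characters.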
@@ -15,10 +15,10 @@ Write-Host "Processing request..."
 
 $Resource = "https://vault.azure.net"
 $TenantId = 
-$AppObjectId = 
+$AppId = 
 $Password = 
 
-$body = @{Resource = $Resource; client_id = $AppObjectId; grant_type = "client_credentials"; client_secret = $Password}
+$body = @{Resource = $Resource; client_id = $AppId; grant_type = "client_credentials"; client_secret = $Password}
 
 $url = "https://login.microsoftonline.com/$TenantId/oauth2/token"
 
diff --git a/ModuleThree/teardown.ps1 b/ModuleThree/teardown.ps1
index 4feb872..7165f22 100644
--- a/ModuleThree/teardown.ps1
+++ b/ModuleThree/teardown.ps1
@@ -38,7 +38,7 @@ Remove-AzResourceGroup -Name $RG2.ResourceGroupName -Force
 
 # Remove created directory and files
 $dir = Get-ChildItem . -Directory
-if ($dir) {Remove-Item .\$dir -Recurse}
+if ($dir) {Remove-Item $dir -Recurse}
 Remove-Item "host.json"
 Remove-Item "local.settings.json"
 
\ No newline at end of file
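Review bot: In the teardown hunk `Remove-Item $dir -Recurse` passes the `DirectoryInfo` objects from `Get-ChildItem . -Directory` positionally, so the path bound to `-Path` is whatever their `ToString()` yields, which is the bare name on some PowerShell hosts and the full path on others; `Remove-Item $dir.FullName -Recurse` states the absolute-path intent from the commit message explicitly and behaves the same everywhere. `$dir` can also hold several entries, in which case `-Recurse` deletes every subdirectory of the current location rather than only the function folder that create.ps1 made; if that name is known at teardown time, restricting the deletion to it would be safer.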