Merge pull request #340 from microsoft/dev

support for github environments

Author: markusheiliger

src/TeamCloud.Adapters.AzureDevOps/AzureDevOpsAdapter.cs

@@ -79,6 +79,7 @@ public sealed class AzureDevOpsAdapter : AdapterWithIdentity, IAdapterAuthorize
     // however; it is used to managed singleton function execution within the functions fx !!!
 
     public AzureDevOpsAdapter(
+        IAdapterProvider adapterProvider,
         IAuthorizationSessionClient sessionClient,
         IAuthorizationTokenClient tokenClient,
         IDistributedLockManager distributedLockManager,
@@ -94,7 +95,7 @@ public AzureDevOpsAdapter(
         IGraphService graphService,
         IFunctionsHost functionsHost = null,
         ILoggerFactory loggerFactory = null)
-        : base(sessionClient, tokenClient, distributedLockManager, azure, graphService, organizationRepository, deploymentScopeRepository, projectRepository, userRepository)
+        : base(adapterProvider, sessionClient, tokenClient, distributedLockManager, azure, graphService, organizationRepository, deploymentScopeRepository, projectRepository, userRepository)
     {
         this.httpClientFactory = httpClientFactory ?? new DefaultHttpClientFactory();
         this.userRepository = userRepository ?? throw new ArgumentNullException(nameof(userRepository));

src/TeamCloud.Adapters.AzureResourceManager/AzureResourceManagerAdapter.cs

@@ -24,7 +24,7 @@
 
 namespace TeamCloud.Adapters.AzureResourceManager;
 
-public sealed class AzureResourceManagerAdapter : Adapter
+public sealed class AzureResourceManagerAdapter : AdapterWithIdentity
 {
     private readonly IAzureService azure;
     private readonly IAzureResourceService azureResourceService;
@@ -40,7 +40,9 @@ public sealed class AzureResourceManagerAdapter : Adapter
     // IDistributedLockManager is marked as obsolete, because it's not ready for "prime time"
     // however; it is used to managed singleton function execution within the functions fx !!!
 
-    public AzureResourceManagerAdapter(IAuthorizationSessionClient sessionClient,
+    public AzureResourceManagerAdapter(
+        IAdapterProvider adapterProvider, 
+        IAuthorizationSessionClient sessionClient,
         IAuthorizationTokenClient tokenClient,
         IDistributedLockManager distributedLockManager,
         IAzureService azure,
@@ -52,7 +54,7 @@ public AzureResourceManagerAdapter(IAuthorizationSessionClient sessionClient,
         IProjectRepository projectRepository,
         IComponentRepository componentRepository,
         IComponentTemplateRepository componentTemplateRepository)
-        : base(sessionClient, tokenClient, distributedLockManager, azure, graphService, organizationRepository, deploymentScopeRepository, projectRepository, userRepository)
+        : base(adapterProvider, sessionClient, tokenClient, distributedLockManager, azure, graphService, organizationRepository, deploymentScopeRepository, projectRepository, userRepository)
     {
         this.azure = azure ?? throw new ArgumentNullException(nameof(azure));
         this.azureResourceService = azureResourceService ?? throw new ArgumentNullException(nameof(azureResourceService));
@@ -197,6 +199,16 @@ async Task UpdateComponentRoleAssignmentsAsync()
                     .Add(identity.PrincipalId, Enumerable.Repeat(AzureRoleDefinition.Contributor, 1));
             }
 
+            if (this is IAdapterIdentity adapterIdentity)
+            {
+                var componentDeploymentScopeServiceIdentity = await adapterIdentity
+                    .GetServiceIdentityAsync(componentDeploymentScope)
+                    .ConfigureAwait(false);
+
+                roleAssignmentMap
+                    .Add(componentDeploymentScopeServiceIdentity.Id.ToString(), Enumerable.Repeat(AzureRoleDefinition.Contributor, 1));
+            }
+
             if (string.IsNullOrEmpty(componentResourceId.ResourceGroup))
             {
                 var subscription = await azureResourceService

src/TeamCloud.Adapters.GitHub/GitHubAdapter.cs

@@ -153,6 +153,7 @@ <h1>GitHub Provider Setup</h1>
                 "default_permissions": {
                     "actions": "write",
                     "administration": "write",
+                    "environments": "write",
                     "checks": "write",
                     "contents": "write",
                     "issues": "write",

src/TeamCloud.Adapters.GitHub/GitHubAdapter_Register.html

@@ -15,7 +15,7 @@ public sealed class GitHubData
     [TeamCloudFormDescription("GitHub organization's name or base URL.")]
     public string Organization
     {
-        get => string.IsNullOrWhiteSpace(organization) ? null : GitHubToken.FormatOrganizationUrl(organization);
+        get => string.IsNullOrWhiteSpace(organization) ? null : GitHubToken.SanitizeOrganizationUrl(organization);
         set => organization = value;
     }
 

src/TeamCloud.Adapters.GitHub/GitHubData.cs

@@ -5,6 +5,7 @@
 
 using System;
 using System.Runtime.Serialization;
+using Newtonsoft.Json;
 using TeamCloud.Adapters.Authorization;
 using TeamCloud.Model.Data;
 using User = Octokit.User;
@@ -13,7 +14,7 @@ namespace TeamCloud.Adapters.GitHub;
 
 public sealed class GitHubToken : AuthorizationToken
 {
-    internal static string FormatOrganizationUrl(string organization)
+    internal static string SanitizeOrganizationUrl(string organization)
     {
         if (string.IsNullOrWhiteSpace(organization))
             return null;
@@ -39,27 +40,23 @@ public GitHubToken(DeploymentScope deployementScope) : base(GetEntityId(deployem
     public bool Enabled
         => !Suspended && long.TryParse(ApplicationId, out _) && long.TryParse(InstallationId, out _);
 
-    [DataMember(Name = "id")]
     public string ApplicationId { get; set; }
 
     public string InstallationId { get; set; }
 
-    [DataMember(Name = "client_id")]
     public string ClientId { get; set; }
 
-    [DataMember(Name = "client_secret")]
     public string ClientSecret { get; set; }
 
     public string AccessToken { get; set; }
 
     // [IgnoreDataMember]
     public DateTime? AccessTokenExpires { get; set; }
 
-    [IgnoreDataMember]
+    [JsonIgnore]
     public bool AccessTokenExpired
         => !AccessTokenExpires.HasValue || AccessTokenExpires < DateTime.UtcNow;
 
-    [DataMember(Name = "webhook_secret")]
     public string WebhookSecret { get; set; }
 
     public string Pem { get; set; }

src/TeamCloud.Adapters.GitHub/GitHubToken.cs

@@ -25,7 +25,7 @@
     <PackageReference Include="FluentValidation" Version="9.2.2" />
     <PackageReference Include="Flurl.Http" Version="3.2.2" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Core" Version="2.2.5" />
-    <PackageReference Include="Octokit" Version="0.50.0" />
+    <PackageReference Include="Octokit" Version="0.51.0" />
     <PackageReference Include="Sodium.Core" Version="1.2.3" />
   </ItemGroup>
 

src/TeamCloud.Adapters.GitHub/TeamCloud.Adapters.GitHub.csproj

@@ -38,7 +38,8 @@ public sealed class KubernetesAdapter : Adapter
     // IDistributedLockManager is marked as obsolete, because it's not ready for "prime time"
     // however; it is used to managed singleton function execution within the functions fx !!!
 
-    public KubernetesAdapter(IAuthorizationSessionClient sessionClient,
+    public KubernetesAdapter(IAdapterProvider adapterProvider,
+                             IAuthorizationSessionClient sessionClient,
                              IAuthorizationTokenClient tokenClient,
                              IDistributedLockManager distributedLockManager,
                              IAzureService azure,
@@ -48,7 +49,7 @@ public KubernetesAdapter(IAuthorizationSessionClient sessionClient,
                              IDeploymentScopeRepository deploymentScopeRepository,
                              IProjectRepository projectRepository,
                              IUserRepository userRepository)
-        : base(sessionClient, tokenClient, distributedLockManager, azure, graphService, organizationRepository, deploymentScopeRepository, projectRepository, userRepository)
+        : base(adapterProvider, sessionClient, tokenClient, distributedLockManager, azure, graphService, organizationRepository, deploymentScopeRepository, projectRepository, userRepository)
     {
         this.azureResourceService = azureResourceService ?? throw new ArgumentNullException(nameof(azureResourceService));
     }

src/TeamCloud.Adapters.Kubernetes/KubernetesAdapter.cs

@@ -27,6 +27,7 @@ public abstract class Adapter : IAdapter
 {
     private static readonly JSchema dataSchemaEmpty = new() { Type = JSchemaType.Object };
     private static readonly JObject formSchemaEmpty = new();
+    private readonly IAdapterProvider adapterProvider;
 
 #pragma warning disable CS0618 // Type or member is obsolete
 
@@ -43,7 +44,8 @@ public abstract class Adapter : IAdapter
     private readonly IProjectRepository projectRepository;
     private readonly IUserRepository userRepository;
 
-    protected Adapter(IAuthorizationSessionClient sessionClient,
+    protected Adapter(IAdapterProvider adapterProvider,
+                      IAuthorizationSessionClient sessionClient,
                       IAuthorizationTokenClient tokenClient,
                       IDistributedLockManager distributedLockManager,
                       IAzureService azure,
@@ -53,6 +55,7 @@ protected Adapter(IAuthorizationSessionClient sessionClient,
                       IProjectRepository projectRepository,
                       IUserRepository userRepository)
     {
+        this.adapterProvider = adapterProvider ?? throw new ArgumentNullException(nameof(adapterProvider));
         this.sessionClient = sessionClient ?? throw new ArgumentNullException(nameof(sessionClient));
         this.tokenClient = tokenClient ?? throw new ArgumentNullException(nameof(tokenClient));
         this.distributedLockManager = distributedLockManager ?? throw new ArgumentNullException(nameof(distributedLockManager));

src/TeamCloud.Adapters/Adapter.cs

@@ -17,24 +17,37 @@ namespace TeamCloud.Adapters;
 
 public abstract class AdapterWithIdentity : Adapter, IAdapterIdentity
 {
-    private readonly IAzureService azure;
+    private readonly IAzureService azureService;
     private readonly IGraphService graphService;
     private readonly IOrganizationRepository organizationRepository;
     private readonly IProjectRepository projectRepository;
 
 #pragma warning disable CS0618 // Type or member is obsolete
 
-    protected AdapterWithIdentity(IAuthorizationSessionClient sessionClient,
-                                  IAuthorizationTokenClient tokenClient,
-                                  IDistributedLockManager distributedLockManager,
-                                  IAzureService azure,
-                                  IGraphService graphService,
-                                  IOrganizationRepository organizationRepository,
-                                  IDeploymentScopeRepository deploymentScopeRepository,
-                                  IProjectRepository projectRepository,
-                                  IUserRepository userRepository) : base(sessionClient, tokenClient, distributedLockManager, azure, graphService, organizationRepository, deploymentScopeRepository, projectRepository, userRepository)
+    protected AdapterWithIdentity(
+        IAdapterProvider adapterProvider,
+        IAuthorizationSessionClient sessionClient,
+        IAuthorizationTokenClient tokenClient,
+        IDistributedLockManager distributedLockManager,
+        IAzureService azureService,
+        IGraphService graphService,
+        IOrganizationRepository organizationRepository,
+        IDeploymentScopeRepository deploymentScopeRepository,
+        IProjectRepository projectRepository,
+        IUserRepository userRepository) 
+        : base(
+            adapterProvider,
+            sessionClient, 
+            tokenClient, 
+            distributedLockManager, 
+            azureService, 
+            graphService, 
+            organizationRepository, 
+            deploymentScopeRepository, 
+            projectRepository, 
+            userRepository)
     {
-        this.azure = azure ?? throw new ArgumentNullException(nameof(azure));
+        this.azureService = azureService ?? throw new ArgumentNullException(nameof(azureService));
         this.graphService = graphService ?? throw new ArgumentNullException(nameof(graphService));
         this.organizationRepository = organizationRepository ?? throw new ArgumentNullException(nameof(organizationRepository));
         this.projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
@@ -65,7 +78,7 @@ public virtual async Task<AzureServicePrincipal> GetServiceIdentityAsync(Compone
                     .CreateServicePrincipalAsync(servicePrincipalName)
                     .ConfigureAwait(false);
             }
-            else if (servicePrincipal.ExpiresOn.GetValueOrDefault(DateTime.MinValue) < DateTime.UtcNow)
+            else if (servicePrincipal.ExpiresOn.GetValueOrDefault(DateTime.MinValue.ToUniversalTime()) < DateTime.UtcNow)
             {
                 // a service principal exists, but its secret is expired. lets refresh
                 // the service principal (create a new secret) so we can move on
@@ -82,7 +95,7 @@ public virtual async Task<AzureServicePrincipal> GetServiceIdentityAsync(Compone
                     .GetAsync(component.Organization, component.ProjectId)
                     .ConfigureAwait(false);
 
-                var secretClient = await azure.KeyVaults
+                var secretClient = await azureService.KeyVaults
                     .GetSecretClientAsync(project.SecretsVaultId, ensureIdentityAccess: true)
                     .ConfigureAwait(false);
 
@@ -96,7 +109,7 @@ public virtual async Task<AzureServicePrincipal> GetServiceIdentityAsync(Compone
                     .GetAsync(component.Organization, component.ProjectId)
                     .ConfigureAwait(false);
 
-                var secretClient = await azure.KeyVaults
+                var secretClient = await azureService.KeyVaults
                     .GetSecretClientAsync(project.SecretsVaultId, ensureIdentityAccess: true)
                     .ConfigureAwait(false);
 
@@ -134,7 +147,7 @@ public virtual async Task<AzureServicePrincipal> GetServiceIdentityAsync(Deploym
                     .CreateServicePrincipalAsync(servicePrincipalName)
                     .ConfigureAwait(false);
             }
-            else if (servicePrincipal.ExpiresOn.GetValueOrDefault(DateTime.MinValue) < DateTime.UtcNow)
+            else if (servicePrincipal.ExpiresOn.GetValueOrDefault(DateTime.MinValue.ToUniversalTime()) < DateTime.UtcNow)
             {
                 // a service principal exists, but its secret is expired. lets refresh
                 // the service principal (create a new secret) so we can move on
@@ -147,15 +160,15 @@ public virtual async Task<AzureServicePrincipal> GetServiceIdentityAsync(Deploym
 
             if (!string.IsNullOrEmpty(servicePrincipal.Password))
             {
-                var tenantId = await azure
+                var tenantId = await azureService
                     .GetTenantIdAsync()
                     .ConfigureAwait(false);
 
                 var organization = await organizationRepository
                     .GetAsync(tenantId, deploymentScope.Organization)
                     .ConfigureAwait(false);
 
-                var secretClient = await azure.KeyVaults
+                var secretClient = await azureService.KeyVaults
                     .GetSecretClientAsync(organization.SecretsVaultId, ensureIdentityAccess: true)
                     .ConfigureAwait(false);
 
@@ -165,15 +178,15 @@ public virtual async Task<AzureServicePrincipal> GetServiceIdentityAsync(Deploym
             }
             else if (withPassword)
             {
-                var tenantId = await azure
+                var tenantId = await azureService
                     .GetTenantIdAsync()
                     .ConfigureAwait(false);
 
                 var organization = await organizationRepository
                     .GetAsync(tenantId, deploymentScope.Organization)
                     .ConfigureAwait(false);
 
-                var secretClient = await azure.KeyVaults
+                var secretClient = await azureService.KeyVaults
                     .GetSecretClientAsync(organization.SecretsVaultId, ensureIdentityAccess: true)
                     .ConfigureAwait(false);