Updated resource provisioning script with creation and assignment of Oauth roles associated with app registrations governing our function app and static website

Author: hvalfangst

README.md

@@ -6,6 +6,9 @@ Once the CSV has been uploaded to the storage blob, another, blob-triggered Azur
 The computed statistics are then stored in a new blob container, which is used to serve the results to the user.
 These two functions are defined in the python script [function_app.py](hvalfangst_function/function_app.py) - which is the main entrypoint of our Azure Function App instance.
 
+The SPA is protected with Oauth2.0 authorization code flow with PKCE and OIDC. The user is redirected to the Azure AD login page, where they must authenticate before being redirected back to the SPA.
+
+
 The associated Azure infrastructure is deployed with a script (more on that below).
 
 A branch-triggered pipeline has been set up to deploy our code to the respective Azure resources using a GitHub Actions Workflows [script](.github/workflows/deploy_to_azure.yml). 
@@ -24,7 +27,7 @@ Thus, deploying the website is simply a matter of uploading the static files to
 
 ## Allocate resources
 
-The shell script [allocate_resources](infra/allocate_resources.sh) creates Azure resources using the Azure CLI and a
+The shell script [allocate_resources](infra/allocate_resources.sh) creates Azure resources using the Azure CLI in conjunction with a
 [Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview?tabs=bicep) template [file](infra/main.bicep). 
 
 It will create the following hierarchy of resources:
@@ -56,4 +59,13 @@ As may be observed in the [script](.github/workflows/deploy_to_azure.yml), these
 - **AZURE_TENANT_ID**: Used to authenticate the service principal in order to deploy the static web app
 - **PUBLISH_PROFILE**: Used to deploy our two functions to the Azure Function App
 
-![img_1.png](images/img_1.png)
+![secrets.png](images/secrets.png)
+
+## Usage
+After provisioning resources, setting up secrets, and pushing the code to the repository, one
+may access the static web app by navigating to the following URL:
+
+```plaintext
+https://<storage_account_name>.z6.web.core.windows.net
+```
+

images/img_1.png renamed to images/secrets.png

@@ -108,37 +108,105 @@ if [ $? -ne 0 ]; then
     exit 1
 fi
 
-# Set up app registration for function app
+
+# Set up app registration for the function app
 echo -e "${YELLOW}Setting up app registration for function app...${RESET}"
 FUNCTION_APP_CLIENT_ID=$(az ad app create \
   --display-name "hvalfangst-function-app" \
+  --identifier-uris "api://hvalfangst-function-app" \
   --query appId -o tsv)
-
 if [ $? -ne 0 ] || [ -z "$FUNCTION_APP_CLIENT_ID" ]; then
     echo -e "${RED}Failed to set up app registration or retrieve the app ID.${RESET}"
     exit 1
 fi
 
-# Set up app settings for the function app
-echo -e "${YELLOW}Setting up app settings for function app...${RESET}"
-az functionapp config appsettings set \
-    --name ${FUNCTION_APP_NAME} \
-    --resource-group ${RESOURCE_GROUP} \
-    --settings TENANT_ID=${TENANT_ID} FUNCTION_APP_CLIENT_ID=${FUNCTION_APP_CLIENT_ID}
-if [ $? -ne 0 ]; then
-    echo -e "${RED}Failed to set up app settings for function app.${RESET}"
+# Get the object ID of the app registration
+FUNCTION_APP_OBJECT_ID=$(az ad app show --id $FUNCTION_APP_CLIENT_ID --query id -o tsv)
+
+# Get an access token for the Microsoft Graph API
+TOKEN=$(az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv)
+if [ $? -ne 0 ] || [ -z "$TOKEN" ]; then
+    echo -e "${RED}Failed to get access token for Microsoft Graph API.${RESET}"
     exit 1
 fi
 
+# Generate UUIDs for the permissions
+CSV_READER_UUID=$(python -c 'import uuid; print(str(uuid.uuid4()))')
+CSV_WRITER_UUID=$(python -c 'import uuid; print(str(uuid.uuid4()))')
+
+# Add permissions to the app registration by calling the Microsoft Graph API with a PATCH request
+echo -e "${YELLOW}Creating scopes for the Function App...${RESET}"
+curl -X PATCH -H "Authorization: Bearer $TOKEN" \
+     -H "Content-Type: application/json" \
+     -d "{
+           \"api\": {
+               \"oauth2PermissionScopes\": [
+                   {
+                       \"id\": \"$CSV_READER_UUID\",
+                       \"adminConsentDescription\": \"Allows downloading of CSV files\",
+                       \"adminConsentDisplayName\": \"Allows downloading of CSV files\",
+                       \"isEnabled\": true,
+                       \"type\": \"Admin\",
+                       \"value\": \"Csv.Reader\"
+                   },
+                   {
+                       \"id\": \"$CSV_WRITER_UUID\",
+                       \"adminConsentDescription\": \"Allows uploading of CSV files\",
+                       \"adminConsentDisplayName\": \"Allows uploading of CSV files\",
+                       \"isEnabled\": true,
+                       \"type\": \"Admin\",
+                       \"value\": \"Csv.Writer\"
+                   }
+               ]
+           }
+       }" \
+     "https://graph.microsoft.com/v1.0/applications/$FUNCTION_APP_OBJECT_ID"
+
 # Set up app registration for the static web app
 echo -e "${YELLOW}Setting up app registration for static web app...${RESET}"
 STATIC_WEB_APP_CLIENT_ID=$(az ad app create \
   --display-name "hvalfangst-static-web-app" \
+  --web-redirect-uris "http://localhost:3000" \
   --query appId -o tsv)
-
 if [ $? -ne 0 ] || [ -z "STATIC_WEB_APP_CLIENT_ID" ]; then
     echo -e "${RED}Failed to set up app registration or retrieve the app ID.${RESET}"
     exit 1
 fi
 
+STATIC_WEB_APP_OBJECT_ID=$(az ad app show --id $STATIC_WEB_APP_CLIENT_ID --query id -o tsv)
+if [ $? -ne 0 ] || [ -z "$STATIC_WEB_APP_OBJECT_ID" ]; then
+    echo -e "${RED}Failed to retrieve the object ID of the static web app registration.${RESET}"
+    exit 1
+fi
+
+# Add permissions to the app registration by calling the Microsoft Graph API with a PATCH request
+echo -e "${YELLOW}Assigning permissions from Function App to Static Website${RESET}"
+curl -X PATCH -H "Authorization: Bearer $TOKEN" \
+     -H "Content-Type: application/json" \
+     -d "{
+           \"requiredResourceAccess\": [
+               {
+                   \"resourceAppId\": \"$FUNCTION_APP_CLIENT_ID\",
+                   \"resourceAccess\": [
+                       {
+                           \"id\": \"$CSV_WRITER_UUID\",
+                           \"type\": \"Scope\"
+                       }
+                   ]
+               }
+           ]
+       }" \
+     "https://graph.microsoft.com/v1.0/applications/$STATIC_WEB_APP_OBJECT_ID"
+
+# Set up app settings for the function app
+echo -e "${YELLOW}Setting up app settings for function app...${RESET}"
+az functionapp config appsettings set \
+    --name ${FUNCTION_APP_NAME} \
+    --resource-group ${RESOURCE_GROUP} \
+    --settings TENANT_ID=${TENANT_ID} FUNCTION_APP_CLIENT_ID=${FUNCTION_APP_CLIENT_ID}
+if [ $? -ne 0 ]; then
+    echo -e "${RED}Failed to set up app settings for function app.${RESET}"
+    exit 1
+fi
+
 echo -e "${GREEN}All resources have been provisioned.${RESET}"