Merge pull request #2002 from jemrobinson/1980-stalling-bug

Refactor Azure authentication classes

data_safe_haven/administration/users/guacamole_users.py

@@ -2,7 +2,7 @@
 from collections.abc import Sequence
 
 from data_safe_haven.config import Context, DSHPulumiConfig, SREConfig
-from data_safe_haven.external import AzureApi, AzurePostgreSQLDatabase
+from data_safe_haven.external import AzurePostgreSQLDatabase, AzureSdk
 from data_safe_haven.infrastructure import SREProjectManager
 
 from .research_user import ResearchUser
@@ -23,8 +23,8 @@ def __init__(
             pulumi_config=pulumi_config,
         )
         # Read the SRE database secret from key vault
-        azure_api = AzureApi(context.subscription_name)
-        connection_db_server_password = azure_api.get_keyvault_secret(
+        azure_sdk = AzureSdk(context.subscription_name)
+        connection_db_server_password = azure_sdk.get_keyvault_secret(
             sre_stack.output("data")["key_vault_name"],
             sre_stack.output("data")["password_user_database_admin_secret"],
         )

data_safe_haven/commands/pulumi.py

@@ -41,14 +41,14 @@ def run(
     shm_config = SHMConfig.from_remote(context)
     sre_config = SREConfig.from_remote_by_name(context, sre_name)
 
-    graph_api = GraphApi(
-        tenant_id=shm_config.shm.entra_tenant_id,
-        default_scopes=[
+    graph_api = GraphApi.from_scopes(
+        scopes=[
             "Application.ReadWrite.All",
             "AppRoleAssignment.ReadWrite.All",
             "Directory.ReadWrite.All",
             "Group.ReadWrite.All",
         ],
+        tenant_id=shm_config.shm.entra_tenant_id,
     )
 
     project = SREProjectManager(

data_safe_haven/commands/sre.py

@@ -39,15 +39,15 @@ def deploy(
         context = ContextManager.from_file().assert_context()
         shm_config = SHMConfig.from_remote(context)
 
-        # Load GraphAPI as this may require user-interaction
-        graph_api = GraphApi(
-            tenant_id=shm_config.shm.entra_tenant_id,
-            default_scopes=[
+        # Load GraphAPI
+        graph_api = GraphApi.from_scopes(
+            scopes=[
                 "Application.ReadWrite.All",
                 "AppRoleAssignment.ReadWrite.All",
                 "Directory.ReadWrite.All",
                 "Group.ReadWrite.All",
             ],
+            tenant_id=shm_config.shm.entra_tenant_id,
         )
 
         # Load Pulumi and SRE configs
@@ -65,6 +65,7 @@ def deploy(
             raise DataSafeHavenConfigError(msg)
 
         # Initialise Pulumi stack
+        # Note that requesting a GraphApi token will trigger possible user-interaction
         stack = SREProjectManager(
             context=context,
             config=sre_config,
@@ -145,9 +146,9 @@ def teardown(
         shm_config = SHMConfig.from_remote(context)
 
         # Load GraphAPI as this may require user-interaction
-        graph_api = GraphApi(
+        graph_api = GraphApi.from_scopes(
+            scopes=["Application.ReadWrite.All", "Group.ReadWrite.All"],
             tenant_id=shm_config.shm.entra_tenant_id,
-            default_scopes=["Application.ReadWrite.All", "Group.ReadWrite.All"],
         )
 
         # Load Pulumi and SRE configs

data_safe_haven/commands/users.py

@@ -41,13 +41,13 @@ def add(
             raise
 
         # Load GraphAPI
-        graph_api = GraphApi(
-            tenant_id=shm_config.shm.entra_tenant_id,
-            default_scopes=[
+        graph_api = GraphApi.from_scopes(
+            scopes=[
                 "Group.Read.All",
                 "User.ReadWrite.All",
                 "UserAuthenticationMethod.ReadWrite.All",
             ],
+            tenant_id=shm_config.shm.entra_tenant_id,
         )
 
         # Add users to SHM
@@ -80,9 +80,9 @@ def list_users(
             raise
 
         # Load GraphAPI
-        graph_api = GraphApi(
+        graph_api = GraphApi.from_scopes(
+            scopes=["Directory.Read.All", "Group.Read.All"],
             tenant_id=shm_config.shm.entra_tenant_id,
-            default_scopes=["Directory.Read.All", "Group.Read.All"],
         )
 
         # Load Pulumi config
@@ -136,9 +136,9 @@ def register(
             raise DataSafeHavenError(msg)
 
         # Load GraphAPI
-        graph_api = GraphApi(
+        graph_api = GraphApi.from_scopes(
+            scopes=["Group.ReadWrite.All", "GroupMember.ReadWrite.All"],
             tenant_id=shm_config.shm.entra_tenant_id,
-            default_scopes=["Group.ReadWrite.All", "GroupMember.ReadWrite.All"],
         )
 
         logger.debug(
@@ -187,9 +187,9 @@ def remove(
             raise
 
         # Load GraphAPI
-        graph_api = GraphApi(
+        graph_api = GraphApi.from_scopes(
+            scopes=["User.ReadWrite.All"],
             tenant_id=shm_config.shm.entra_tenant_id,
-            default_scopes=["User.ReadWrite.All"],
         )
 
         # Remove users from SHM
@@ -241,9 +241,9 @@ def unregister(
             raise DataSafeHavenError(msg)
 
         # Load GraphAPI
-        graph_api = GraphApi(
+        graph_api = GraphApi.from_scopes(
+            scopes=["Group.ReadWrite.All", "GroupMember.ReadWrite.All"],
             tenant_id=shm_config.shm.entra_tenant_id,
-            default_scopes=["Group.ReadWrite.All", "GroupMember.ReadWrite.All"],
         )
 
         logger.debug(

data_safe_haven/config/context.py

@@ -9,7 +9,7 @@
 
 from data_safe_haven import __version__
 from data_safe_haven.directories import config_dir
-from data_safe_haven.external import AzureApi
+from data_safe_haven.external import AzureSdk
 from data_safe_haven.serialisers import ContextBase
 from data_safe_haven.types import (
     AzureSubscriptionName,
@@ -67,8 +67,8 @@ def pulumi_backend_url(self) -> str:
     @property
     def pulumi_encryption_key(self) -> KeyVaultKey:
         if not self._pulumi_encryption_key:
-            azure_api = AzureApi(subscription_name=self.subscription_name)
-            self._pulumi_encryption_key = azure_api.get_keyvault_key(
+            azure_sdk = AzureSdk(subscription_name=self.subscription_name)
+            self._pulumi_encryption_key = azure_sdk.get_keyvault_key(
                 key_name=self.pulumi_encryption_key_name,
                 key_vault_name=self.key_vault_name,
             )

data_safe_haven/config/shm_config.py

@@ -4,7 +4,7 @@
 
 from typing import ClassVar, Self
 
-from data_safe_haven.external import AzureApi, AzureCliSingleton
+from data_safe_haven.external import AzureSdk
 from data_safe_haven.serialisers import AzureSerialisableModel, ContextBase
 
 from .config_sections import ConfigSectionAzure, ConfigSectionSHM
@@ -26,15 +26,15 @@ def from_args(
         location: str,
     ) -> SHMConfig:
         """Construct an SHMConfig from arguments."""
-        azure_api = AzureApi(subscription_name=context.subscription_name)
-        admin_group_id = AzureCliSingleton().group_id_from_name(
+        azure_sdk = AzureSdk(subscription_name=context.subscription_name)
+        admin_group_id = azure_sdk.entra_directory.get_id_from_groupname(
             context.admin_group_name
         )
         return SHMConfig.model_construct(
             azure=ConfigSectionAzure.model_construct(
                 location=location,
-                subscription_id=azure_api.subscription_id,
-                tenant_id=azure_api.tenant_id,
+                subscription_id=azure_sdk.subscription_id,
+                tenant_id=azure_sdk.tenant_id,
             ),
             shm=ConfigSectionSHM.model_construct(
                 admin_group_id=admin_group_id,

data_safe_haven/external/__init__.py

@@ -1,14 +1,12 @@
-from .api.azure_api import AzureApi
-from .api.azure_cli import AzureCliSingleton
+from .api.azure_sdk import AzureSdk
 from .api.graph_api import GraphApi
 from .interface.azure_container_instance import AzureContainerInstance
 from .interface.azure_ipv4_range import AzureIPv4Range
 from .interface.azure_postgresql_database import AzurePostgreSQLDatabase
 from .interface.pulumi_account import PulumiAccount
 
 __all__ = [
-    "AzureApi",
-    "AzureCliSingleton",
+    "AzureSdk",
     "AzureContainerInstance",
     "AzureIPv4Range",
     "AzurePostgreSQLDatabase",