Fix product check

Author: simonkurtz-MSFT

samples/authX-pro/create.ipynb

@@ -62,7 +62,7 @@
     "products: List[Product] = [\n",
     "    Product(hr_product_name, 'Human Resources', \n",
     "            'Product for Human Resources APIs providing access to employee data, organizational structure, benefits information, and HR management services. Includes JWT-based authentication for HR members.', \n",
-    "            'published', False, False, pol_hr_product)\n",
+    "            'published', True, False, pol_hr_product)\n",
     "]\n",
     "\n",
     "# 6) Define the APIs and their operations and policies\n",
@@ -76,7 +76,7 @@
     "hr_employees_api_path = f'/{api_prefix}employees'\n",
     "hr_employees_get      = GET_APIOperation('Gets the employees', pol_hr_get,)\n",
     "hr_employees_post     = POST_APIOperation('Creates a new employee', pol_hr_post)\n",
-    "hr_employees          = API(f'{api_prefix}Employees', 'Employees Pro', hr_employees_api_path, 'This is a Human Resources API for employee information', \n",
+    "hr_employees          = API(f'{api_prefix}Employees', 'Employees Pro', hr_employees_api_path, 'This is a Human Resources API for employee information', pol_hr_all_operations_pro,\n",
     "                            operations = [hr_employees_get, hr_employees_post], tags = tags, productNames = [hr_product_name], subscriptionRequired = False)\n",
     "\n",
     "# Benefits (HR)\n",
@@ -123,6 +123,7 @@
     "if output.json_data:\n",
     "    apim_name = output.get('apimServiceName', 'APIM Service Name')\n",
     "    apim_gateway_url = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
+    "    apim_products = output.getJson('productOutputs', 'Products')\n",
     "\n",
     "utils.print_ok('Deployment completed')"
    ]
@@ -151,6 +152,9 @@
     "from users import UserHelper\n",
     "from authfactory import AuthFactory\n",
     "\n",
+    "# Test the function\n",
+    "hr_product_apim_subscription_key = apim_products[0]['subscriptionPrimaryKey']\n",
+    "\n",
     "tests = ApimTesting(\"AuthX-Pro Sample Tests\", sample_folder, deployment)\n",
     "\n",
     "# Preflight: Check if the infrastructure architecture deployment uses Azure Front Door. If so, assume that APIM is not directly accessible and use the Front Door URL instead.\n",
@@ -162,7 +166,7 @@
     "print(f'\\nJWT token for HR Admin:\\n{encoded_jwt_token_hr_admin}')  # this value is used to call the APIs via APIM\n",
     "\n",
     "# Set up an APIM requests object with the JWT token\n",
-    "reqsApimAdmin = ApimRequests(endpoint_url)\n",
+    "reqsApimAdmin = ApimRequests(endpoint_url, hr_product_apim_subscription_key)\n",
     "reqsApimAdmin.headers['Authorization'] = f'Bearer {encoded_jwt_token_hr_admin}'\n",
     "\n",
     "# Call APIM\n",
@@ -184,7 +188,7 @@
     "print(f'\\nJWT token for HR Associate:\\n{encoded_jwt_token_hr_associate}')  # this value is used to call the APIs via APIM\n",
     "\n",
     "# Set up an APIM requests object with the JWT token\n",
-    "reqsApimAssociate = ApimRequests(endpoint_url)\n",
+    "reqsApimAssociate = ApimRequests(endpoint_url, hr_product_apim_subscription_key)\n",
     "reqsApimAssociate.headers['Authorization'] = f'Bearer {encoded_jwt_token_hr_associate}'\n",
     "\n",
     "# Call APIM\n",
@@ -200,6 +204,24 @@
     "output = reqsApimAssociate.singlePost(hr_benefits_api_path, msg = 'Calling POST Benefits API via API Management Gateway URL. Expect 403.')\n",
     "tests.verify(output, 'Access denied - no matching roles found')\n",
     "\n",
+    "# 3) HR Administrator but no HR product subscription key (api-key)\n",
+    "# Set up an APIM requests object with the JWT token\n",
+    "reqsApimAdminNoHrProduct = ApimRequests(endpoint_url)\n",
+    "reqsApimAdminNoHrProduct.headers['Authorization'] = f'Bearer {encoded_jwt_token_hr_admin}'\n",
+    "\n",
+    "# Call APIM\n",
+    "output = reqsApimAdminNoHrProduct.singleGet(hr_employees_api_path, msg = 'Calling GET Employees API via API Management Gateway URL but with no HR product subscription key. Expect 403.')\n",
+    "tests.verify(output, 'Access denied - no matching product found')\n",
+    "\n",
+    "# 4) HR Associate but no HR product subscription key (api-key)\n",
+    "# Set up an APIM requests object with the JWT token\n",
+    "reqsApimAssociateNoHrProduct = ApimRequests(endpoint_url)\n",
+    "reqsApimAssociateNoHrProduct.headers['Authorization'] = f'Bearer {encoded_jwt_token_hr_associate}'\n",
+    "\n",
+    "# Call APIM\n",
+    "output = reqsApimAssociateNoHrProduct.singleGet(hr_employees_api_path, msg = 'Calling GET Employees API via API Management Gateway URL but with no HR product subscription key. Expect 403.')\n",
+    "tests.verify(output, 'Access denied - no matching product found')\n",
+    "\n",
     "tests.print_summary()\n",
     "\n",
     "utils.print_ok('All done!')"

samples/authX-pro/hr_all_operations_pro.xml

@@ -4,10 +4,9 @@
 <policies>
     <inbound>
         <base />
-        <!-- TODO: Enable this with a proper subscription key tied to the product, then add tests. -->
         <!-- The caller must be using an HR product to call this API.-->
-        <!-- <set-variable name="products" value="hr" />
-        <include-fragment fragment-id="Product-Match-Any" /> -->
+        <set-variable name="products" value="hr" />
+        <include-fragment fragment-id="Product-Match-Any" />
     </inbound>
     <backend>
         <base />

samples/authX-pro/main.bicep

@@ -105,4 +105,18 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in a
 output apimServiceId string = apimService.id
 output apimServiceName string = apimService.name
 output apimResourceGatewayURL string = apimService.properties.gatewayUrl
-// [ADD RELEVANT OUTPUTS HERE]
+
+// Product outputs
+output productOutputs array = [for i in range(0, length(products)): {
+  productResourceId: productModule[i].outputs.productResourceId
+  productName: productModule[i].outputs.productName
+  productDisplayName: productModule[i].outputs.productDisplayName
+  productState: productModule[i].outputs.productState
+  subscriptionRequired: productModule[i].outputs.subscriptionRequired
+  approvalRequired: productModule[i].outputs.approvalRequired
+  policyResourceId: productModule[i].outputs.policyResourceId
+  hasPolicyAttached: productModule[i].outputs.hasPolicyAttached
+  subscriptionResourceId: productModule[i].outputs.subscriptionResourceId
+  subscriptionPrimaryKey: productModule[i].outputs.subscriptionPrimaryKey
+  subscriptionSecondaryKey: productModule[i].outputs.subscriptionSecondaryKey
+}]

shared/apim-policies/fragments/pf-product-match-any.xml

@@ -9,10 +9,10 @@
         <!-- Check if NONE of the allowed products match the context product name -->
         <when condition="@{
             var allowedProducts = context.Variables.GetValueOrDefault<string>("products", "").ToString().Split(',');
-            var contextProduct = context.Product != null ? context.Product.Name.ToLower().Trim() : string.Empty;
+            var contextProduct = context.Product?.Id ?? string.Empty;
         
             // Check if NO allowed product matches the product names in the context
-            return !allowedProducts.Any(product => contextProduct.Contains(product.Trim().ToLower()));
+            return !allowedProducts.Any(product => contextProduct.Contains(product));
         }">
             <return-response>
                 <set-status code="403" reason="Forbidden" />

shared/bicep/modules/apim/v1/product.bicep

@@ -79,6 +79,21 @@ resource productPolicy 'Microsoft.ApiManagement/service/products/policies@2024-0
   }
 }
 
+// https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service/subscriptions
+resource productSubscription 'Microsoft.ApiManagement/service/subscriptions@2024-05-01' = if (subscriptionRequired) {
+  name: 'subscription-${productName}'
+  parent: apimService
+  properties: {
+    allowTracing: true
+    displayName: 'Subscription for ${productDisplayName}'
+    scope: '/products/${productName}'
+    state: 'active'
+  }
+  dependsOn: [
+    product
+  ]
+}
+
 
 // ------------------------------
 //    OUTPUTS
@@ -107,3 +122,12 @@ output policyResourceId string = !empty(policyXml) ? productPolicy.id : ''
 
 @description('Whether a policy is attached to this product.')
 output hasPolicyAttached bool = !empty(policyXml)
+
+@description('The resource ID of the product subscription, if created.')
+output subscriptionResourceId string = subscriptionRequired ? productSubscription.id : ''
+
+@description('The primary key of the product subscription, if created.')
+output subscriptionPrimaryKey string = subscriptionRequired ? listSecrets('${apimService.id}/subscriptions/subscription-${productName}', '2024-05-01').primaryKey : ''
+
+@description('The secondary key of the product subscription, if created.')
+output subscriptionSecondaryKey string = subscriptionRequired ? listSecrets('${apimService.id}/subscriptions/subscription-${productName}', '2024-05-01').secondaryKey : ''

shared/python/apimtypes.py

@@ -41,7 +41,7 @@ def _get_project_root() -> Path:
 REQUEST_HEADERS_XML_POLICY_PATH     = str(_SHARED_XML_POLICY_BASE_PATH / 'request-headers.xml')
 BACKEND_XML_POLICY_PATH             = str(_SHARED_XML_POLICY_BASE_PATH / 'backend.xml')
 
-SUBSCRIPTION_KEY_PARAMETER_NAME = 'api_key'
+SUBSCRIPTION_KEY_PARAMETER_NAME = 'api-key'
 SLEEP_TIME_BETWEEN_REQUESTS_MS  = 50
 
 

shared/python/utils.py

@@ -2,6 +2,7 @@
 Module providing utility functions.
 """
 
+import ast
 import datetime
 import json
 import os
@@ -152,6 +153,74 @@ def get(self, key: str, label: str = '', secure: bool = False) -> str | None:
 
             return None
 
+    def getJson(self, key: str, label: str = '', secure: bool = False) -> any:
+        """
+        Retrieve a deployment output property by key and return it as a JSON object.
+        This method is independent from get() and retrieves the raw deployment output value.
+
+        Args:
+            key (str): The output key to retrieve.
+            label (str, optional): Optional label for logging.
+            secure (bool, optional): If True, masks the value in logs.
+
+        Returns:
+            any: The value as a JSON object (dict, list, etc.), or the original value if not JSON, or None if not found.
+        """
+
+        try:
+            if not isinstance(self.json_data, dict):
+                raise KeyError("json_data is not a dict")
+
+            if 'properties' in self.json_data:
+                properties = self.json_data.get('properties')
+                if not isinstance(properties, dict):
+                    raise KeyError("'properties' is not a dict in deployment result")
+
+                outputs = properties.get('outputs')
+                if not isinstance(outputs, dict):
+                    raise KeyError("'outputs' is missing or not a dict in deployment result")
+
+                output_entry = outputs.get(key)
+                if not isinstance(output_entry, dict) or 'value' not in output_entry:
+                    raise KeyError(f"Output key '{key}' not found in deployment outputs")
+
+                deployment_output = output_entry['value']
+            elif key in self.json_data:
+                deployment_output = self.json_data[key]['value']
+
+            if label:
+                if secure and isinstance(deployment_output, str) and len(deployment_output) >= 4:
+                    print_val(label, f"****{deployment_output[-4:]}")
+                else:
+                    print_val(label, deployment_output)
+
+            # If the result is a string, try to parse it as JSON
+            if isinstance(deployment_output, str):
+                # First try JSON parsing (handles double quotes)
+                try:
+                    return json.loads(deployment_output)
+                except json.JSONDecodeError:
+                    pass
+
+                # If JSON fails, try Python literal evaluation (handles single quotes)
+                try:
+                    return ast.literal_eval(deployment_output)
+                except (ValueError, SyntaxError) as e:
+                    print_error(e)
+                    pass
+
+            # Return the original result if it's not a string or can't be parsed
+            return deployment_output
+
+        except Exception as e:
+            error = f"Failed to retrieve output property: '{key}'\nError: {e}"
+            print_error(error)
+
+            if label:
+                raise Exception(error)
+
+            return None
+
 
 class NotebookHelper:
     def __init__(self, sample_folder: str, rg_name: str, rg_location: str, deployment: INFRASTRUCTURE, supported_infrastructures = list[INFRASTRUCTURE], use_jwt: bool = False):
@@ -221,7 +290,6 @@ def deploy_bicep(self, bicep_parameters: dict) -> Output:
 
 
 
-
 # ------------------------------
 #    PRIVATE METHODS
 # ------------------------------
@@ -836,11 +904,21 @@ def is_string_json(text: str) -> bool:
     if not isinstance(text, (str, bytes, bytearray)):
         return False
 
+    # First try JSON parsing (handles double quotes)
     try:
         json.loads(text)
         return True
-    except (ValueError, TypeError):
-        return False
+    except:
+        pass
+
+    # If JSON fails, try Python literal evaluation (handles single quotes)
+    try:
+        ast.literal_eval(text)
+        return True
+    except (ValueError, SyntaxError):
+        pass
+
+    return False
 
 def get_account_info() -> Tuple[str, str, str]:
     """