Feature/valet key with blob storage (#36)

Author: simonkurtz-MSFT

TEMPLATE_PARAMETERS_USAGE.md

@@ -0,0 +1,69 @@
+# Azure APIM templateParameters Support
+
+The Python APIMTypes now support optional `templateParameters` for API operations. This resolves the issue where APIM operations with template parameters in their URL templates (like `/{blob-name}`) would fail with the error:
+
+> "All template parameters used in the UriTemplate must be defined in the Operation"
+
+## What was changed
+
+1. **Bicep module** (`shared/bicep/modules/apim/v1/api.bicep`): Added support for optional `templateParameters` using the safe access operator:
+   ```bicep
+   templateParameters: op.?templateParameters ?? []
+   ```
+
+2. **Python APIMTypes** (`shared/python/apimtypes.py`): Added optional `templateParameters` field to:
+   - `APIOperation` base class
+   - `GET_APIOperation2` class (most commonly used for operations with parameters)
+
+## Usage Example
+
+### Before (would cause deployment error):
+```python
+blob_get = GET_APIOperation2('GET', 'GET', '/{blob-name}', 'Gets the blob access valet key', blob_get_policy_xml)
+```
+
+### After (with templateParameters):
+```python
+# Define template parameters for the {blob-name} parameter
+blob_name_template_params = [
+    {
+        "name": "blob-name",
+        "description": "The name of the blob to access",
+        "type": "string",
+        "required": True
+    }
+]
+
+# Create operation with template parameters
+blob_get = GET_APIOperation2(
+    name='GET',
+    displayName='GET', 
+    urlTemplate='/{blob-name}', 
+    description='Gets the blob access valet key',
+    policyXml=blob_get_policy_xml,
+    templateParameters=blob_name_template_params
+)
+```
+
+## Template Parameter Format
+
+Template parameters should be a list of dictionaries with the following properties:
+
+```python
+{
+    "name": "parameter-name",           # Required: matches the parameter in URL template
+    "description": "Parameter description",  # Optional: human-readable description  
+    "type": "string",                   # Optional: parameter type (string, int, etc.)
+    "required": True                    # Optional: whether parameter is required
+}
+```
+
+## Common Use Cases
+
+1. **Blob/File Access**: `/{file-name}`, `/{blob-name}`
+2. **Resource IDs**: `/{user-id}`, `/{product-id}`
+3. **Nested Resources**: `/{category}/{item-id}`
+
+## Backward Compatibility
+
+The `templateParameters` field is optional, so existing code will continue to work without changes. However, operations with template parameters in their URL templates should add the `templateParameters` field to avoid deployment errors.

diagrams/src/secure-blob-access-architecture.puml

@@ -0,0 +1,49 @@
+@startuml "Secure Blob Access Architecture"
+
+!include ./base.puml
+!includeurl AzurePuml/Storage/AzureBlobStorage.puml
+!includeurl AzurePuml/Identity/AzureManagedIdentity.puml
+
+title Secure Blob Access with JWT Authentication & Valet Key Pattern
+
+' Main components
+actor "Client\n(HR Member)" as client #LightBlue
+AzureAPIManagement(apim, "API Management", "JWT Auth + Valet Key")
+AzureManagedIdentity(mi, "Managed Identity", "APIM Identity")
+AzureBlobStorage(storage, "Blob Storage", "Private Container")
+AzureApplicationInsights(insights, "Application Insights", "Monitoring")
+
+' Authentication flow
+note over client, apim
+  **Authentication Flow**
+  1. Client sends JWT with HR Member role
+  2. APIM validates JWT signature & role claims
+  3. APIM authorizes based on role ID
+end note
+
+' Valet key flow
+note over apim, storage
+  **Valet Key Generation**
+  4. APIM uses managed identity
+  5. Generates time-limited SAS token (5 min)
+  6. Returns secure URL to client
+end note
+
+' Direct access
+note over client, storage
+  **Direct Access**
+  7. Client accesses blob directly
+  8. No bandwidth through APIM
+end note
+
+' Define the relationships
+client --> apim : "1. Request blob access\n(JWT with HR Member role)"
+apim --> apim : "2. Validate JWT &\nauthorize role"
+apim --> mi : "3. Use managed identity"
+mi --> storage : "4. Generate SAS token\n(Storage Blob Data Reader)"
+storage --> apim : "5. Return SAS URL"
+apim --> client : "6. Return secure URL\n(time-limited)"
+client --> storage : "7. Direct blob access\n(using SAS URL)"
+apim --> insights : "Log requests\n& telemetry"
+
+@enduml

examples/template_parameters_usage.py

@@ -0,0 +1,197 @@
+#!/usr/bin/env python3
+"""
+Example usage of templateParameters support in APIMTypes.
+
+This example demonstrates how to create API operations with template parameters
+that match URL template variables used in APIM operations.
+"""
+
+import sys
+import os
+
+# Add the shared python module to the path
+sys.path.append(os.path.join(os.path.dirname(__file__), '..', '..', 'shared', 'python'))
+
+from apimtypes import API, APIOperation, GET_APIOperation2, HTTP_VERB
+
+def create_blob_access_api_example():
+    """
+    Example: Create an API with a blob access operation that uses template parameters.
+    
+    This matches the secure-blob-access sample where we need:
+    - URL Template: /blobs/{blob-name}
+    - Template Parameter: blob-name (required, string)
+    """
+    
+    # Define template parameters for the blob name
+    blob_template_parameters = [
+        {
+            "name": "blob-name",
+            "description": "The name of the blob to access",
+            "type": "string",
+            "required": True
+        }
+    ]
+    
+    # Read the policy XML (in a real scenario, you'd read from the actual file)
+    # For this example, we'll use a simple mock policy
+    blob_policy_xml = """<policies>
+    <inbound>
+        <base />
+        <set-backend-service base-url="https://yourstorageaccount.blob.core.windows.net/container" />
+        <rewrite-uri template="/{{blob-name}}" />
+    </inbound>
+    <backend>
+        <base />
+    </backend>
+    <outbound>
+        <base />
+    </outbound>
+    <on-error>
+        <base />
+    </on-error>
+</policies>"""
+    
+    # Create the GET operation with template parameters
+    blob_get_operation = GET_APIOperation2(
+        name="get-blob",
+        displayName="Get Blob",
+        urlTemplate="/blobs/{blob-name}",
+        description="Retrieve a blob by name",
+        policyXml=blob_policy_xml,
+        templateParameters=blob_template_parameters
+    )
+      # Create the API with the operation (use explicit policy to avoid file path issues)
+    simple_policy = """<policies>
+    <inbound>
+        <base />
+    </inbound>
+    <backend>
+        <base />
+    </backend>
+    <outbound>
+        <base />
+    </outbound>
+    <on-error>
+        <base />
+    </on-error>
+</policies>"""
+    
+    blob_api = API(
+        name="blob-access-api",
+        displayName="Blob Access API", 
+        path="/blob",
+        description="API for secure blob access",
+        policyXml=simple_policy,
+        operations=[blob_get_operation]
+    )
+    
+    return blob_api
+
+def create_user_management_api_example():
+    """
+    Example: Create a user management API with multiple template parameters.
+    """
+    
+    # Template parameters for user operations
+    user_template_parameters = [
+        {
+            "name": "user-id",
+            "description": "The unique identifier of the user",
+            "type": "string", 
+            "required": True
+        },
+        {
+            "name": "department",
+            "description": "The department code",
+            "type": "string",
+            "required": False
+        }
+    ]
+      # Create a user operation using the base APIOperation class (with explicit policy)
+    user_policy = """<policies>
+    <inbound>
+        <base />
+    </inbound>
+    <backend>
+        <base />
+    </backend>
+    <outbound>
+        <base />
+    </outbound>
+    <on-error>
+        <base />
+    </on-error>
+</policies>"""
+    
+    get_user_operation = APIOperation(
+        name="get-user-by-dept",
+        displayName="Get User by Department",
+        urlTemplate="/users/{user-id}/department/{department}",
+        method=HTTP_VERB.GET,
+        description="Get user information filtered by department",
+        policyXml=user_policy,
+        templateParameters=user_template_parameters
+    )
+    
+    # Create the API (with explicit policy)
+    user_api = API(
+        name="user-management-api",
+        displayName="User Management API",
+        path="/users",
+        description="API for user management operations",
+        policyXml=user_policy,
+        operations=[get_user_operation]
+    )
+    
+    return user_api
+
+def main():
+    """
+    Demonstrate the usage of templateParameters in API operations.
+    """
+    
+    print("=== APIMTypes templateParameters Usage Examples ===\n")
+    
+    # Example 1: Blob access API
+    print("1. Blob Access API Example:")
+    blob_api = create_blob_access_api_example()
+    blob_dict = blob_api.to_dict()
+    
+    print(f"   API Name: {blob_dict['name']}")
+    print(f"   API Path: {blob_dict['path']}")
+    
+    if blob_dict['operations']:
+        operation = blob_dict['operations'][0]
+        print(f"   Operation: {operation['name']}")
+        print(f"   URL Template: {operation['urlTemplate']}")
+        print(f"   Template Parameters: {len(operation.get('templateParameters', []))}")
+        
+        for param in operation.get('templateParameters', []):
+            print(f"     - {param['name']}: {param['description']} (required: {param.get('required', False)})")
+    
+    print()
+    
+    # Example 2: User management API  
+    print("2. User Management API Example:")
+    user_api = create_user_management_api_example()
+    user_dict = user_api.to_dict()
+    
+    print(f"   API Name: {user_dict['name']}")
+    print(f"   API Path: {user_dict['path']}")
+    
+    if user_dict['operations']:
+        operation = user_dict['operations'][0]
+        print(f"   Operation: {operation['name']}")
+        print(f"   URL Template: {operation['urlTemplate']}")
+        print(f"   Template Parameters: {len(operation.get('templateParameters', []))}")
+        
+        for param in operation.get('templateParameters', []):
+            print(f"     - {param['name']}: {param['description']} (required: {param.get('required', False)})")
+    
+    print("\n=== Conversion to Bicep-compatible format ===")
+    print("These API objects can now be serialized and passed to Bicep templates")
+    print("that support the templateParameters property for APIM operations.")
+
+if __name__ == "__main__":
+    main()

requirements.txt

@@ -6,4 +6,6 @@ pandas
 matplotlib
 pyjwt
 pytest
-pytest-cov
+pytest-cov
+azure.storage.blob
+azure.identity

samples/authX-pro/create.ipynb

@@ -127,7 +127,7 @@
     "    PolicyFragment('Http-Response-200', pf_http_response_200_xml, 'Returns a 200 OK response for the current HTTP method.')\n",
     "]\n",
     "\n",
-    "# 5) Define the Products (NEW: moved authentication to product level)\n",
+    "# 5) Define the Products\n",
     "\n",
     "# HR Product with authentication policy, including authorization via a required claim check for HR member role\n",
     "hr_product_xml = utils.read_policy_xml('./hr_product.xml').format(\n",

samples/authX-pro/main.bicep

@@ -35,7 +35,7 @@ resource apimService 'Microsoft.ApiManagement/service@2024-06-01-preview' existi
 }
 
 // APIM Named Values
-module namedValue '../../shared/bicep/modules/apim/v1/named-value.bicep' = [for nv in namedValues: {
+module namedValueModule '../../shared/bicep/modules/apim/v1/named-value.bicep' = [for nv in namedValues: {
   name: 'nv-${nv.name}'
   params:{
     apimName: apimName
@@ -46,7 +46,7 @@ module namedValue '../../shared/bicep/modules/apim/v1/named-value.bicep' = [for
 }]
 
 // APIM Policy Fragments
-module policyFragment '../../shared/bicep/modules/apim/v1/policy-fragment.bicep' = [for pf in policyFragments: {
+module policyFragmentModule '../../shared/bicep/modules/apim/v1/policy-fragment.bicep' = [for pf in policyFragments: {
   name: 'pf-${pf.name}'
   params:{
     apimName: apimName
@@ -55,12 +55,12 @@ module policyFragment '../../shared/bicep/modules/apim/v1/policy-fragment.bicep'
     policyFragmentValue: pf.policyXml
   }
   dependsOn: [
-    namedValue
+    namedValueModule
   ]
 }]
 
 // APIM Products
-module productHr '../../shared/bicep/modules/apim/v1/product.bicep' = [for product in products: {
+module productModule '../../shared/bicep/modules/apim/v1/product.bicep' = [for product in products: {
   name: 'product-${product.name}'
   params: {
     apimName: apimName
@@ -73,8 +73,8 @@ module productHr '../../shared/bicep/modules/apim/v1/product.bicep' = [for produ
     policyXml: product.policyXml
   }
   dependsOn: [
-    namedValue
-    policyFragment
+    namedValueModule
+    policyFragmentModule
   ]
 }]
 
@@ -90,9 +90,9 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in a
     productNames: api.productNames ?? []
   }
   dependsOn: [
-    namedValue              // ensure all named values are created before APIs
-    policyFragment          // ensure all policy fragments are created before APIs
-    productHr               // ensure all products are fully created before APIs
+    namedValueModule              // ensure all named values are created before APIs
+    policyFragmentModule          // ensure all policy fragments are created before APIs
+    productModule              // ensure all products are fully created before APIs
   ]
 }]