Feature/move shared policy fragments (#59)

Author: simonkurtz-MSFT

infrastructure/afd-apim-pe/create.ipynb

@@ -32,7 +32,15 @@
     "rg_tags             = utils.build_infrastructure_tags(deployment)\n",
     "apim_network_mode   = APIMNetworkMode.EXTERNAL_VNET\n",
     "\n",
-    "# 3) Define the APIs and their operations and policies\n",
+    "# 3) Set up the policy fragments\n",
+    "pfs: List[PolicyFragment] = [\n",
+    "    PolicyFragment('AuthZ-Match-All', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-all.xml')), 'Authorizes if all of the specified roles match the JWT role claims.'),\n",
+    "    PolicyFragment('AuthZ-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-any.xml')), 'Authorizes if any of the specified roles match the JWT role claims.'),\n",
+    "    PolicyFragment('Http-Response-200', utils.read_policy_xml(utils.determine_shared_policy_path('pf-http-response-200.xml')), 'Returns a 200 OK response for the current HTTP method.'),\n",
+    "    PolicyFragment('Remove-Request-Headers', utils.read_policy_xml(utils.determine_shared_policy_path('pf-remove-request-headers.xml')), 'Removes request headers from the incoming request.')\n",
+    "]\n",
+    "\n",
+    "# 4) Define the APIs and their operations and policies\n",
     "\n",
     "# Policies\n",
     "hello_world_policy_xml  = utils.read_policy_xml(HELLO_WORLD_XML_POLICY_PATH)\n",
@@ -92,6 +100,7 @@
     "bicep_parameters = {\n",
     "    'apimSku'           : {'value': apim_sku.value},\n",
     "    'apis'              : {'value': [api.to_dict() for api in apis]},\n",
+    "    'policyFragments'   : {'value': [pf.to_dict() for pf in pfs]},\n",
     "    'apimPublicAccess'  : {'value': apim_network_mode in [APIMNetworkMode.PUBLIC, APIMNetworkMode.EXTERNAL_VNET]},\n",
     "    'useACA'            : {'value': use_ACA}\n",
     "}\n",

infrastructure/afd-apim-pe/main.bicep

@@ -27,6 +27,7 @@ param acaSubnetPrefix string = '10.0.2.0/23'
 param apimName string = 'apim-${resourceSuffix}'
 param apimSku string
 param apis array = []
+param policyFragments array = []
 
 @description('Set to true to make APIM publicly accessible. If false, APIM will be deployed into a VNet subnet for egress only.')
 param apimPublicAccess bool = true
@@ -175,7 +176,21 @@ module apimModule '../../shared/bicep/modules/apim/v1/apim.bicep' = {
   ]
 }
 
-// 7. APIM Backends for ACA
+// 7. APIM Policy Fragments
+module policyFragmentModule '../../shared/bicep/modules/apim/v1/policy-fragment.bicep' = [for pf in policyFragments: {
+  name: 'pf-${pf.name}'
+  params:{
+    apimName: apimName
+    policyFragmentName: pf.name
+    policyFragmentDescription: pf.description
+    policyFragmentValue: pf.policyXml
+  }
+  dependsOn: [
+    apimModule
+  ]
+}]
+
+// 8. APIM Backends for ACA
 module backendModule1 '../../shared/bicep/modules/apim/v1/backend.bicep' = if (useACA) {
   name: 'aca-backend-1'
   params: {
@@ -224,7 +239,7 @@ module backendPoolModule '../../shared/bicep/modules/apim/v1/backend-pool.bicep'
   ]
 }
 
-// 8. APIM APIs
+// 9. APIM APIs
 module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in apis: if(length(apis) > 0) {
   name: 'api-${api.name}'
   params: {
@@ -241,7 +256,7 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in a
   ]
 }]
 
-// 9. APIM Private DNS Zone, VNet Link, and (optional) DNS Zone Group
+// 10. APIM Private DNS Zone, VNet Link, and (optional) DNS Zone Group
 module apimDnsPrivateLinkModule '../../shared/bicep/modules/dns/v1/dns-private-link.bicep' = {
   name: 'apimDnsPrivateLinkModule'
   params: {
@@ -254,7 +269,7 @@ module apimDnsPrivateLinkModule '../../shared/bicep/modules/dns/v1/dns-private-l
   }
 }
 
-// 10. ACA Private DNS Zone (regional, e.g., eastus2.azurecontainerapps.io), VNet Link, and wildcard A record via shared module
+// 11. ACA Private DNS Zone (regional, e.g., eastus2.azurecontainerapps.io), VNet Link, and wildcard A record via shared module
 module acaDnsPrivateZoneModule '../../shared/bicep/modules/dns/v1/aca-dns-private-zone.bicep' = if (useACA && !empty(acaSubnetResourceId)) {
   name: 'acaDnsPrivateZoneModule'
   params: {
@@ -264,7 +279,7 @@ module acaDnsPrivateZoneModule '../../shared/bicep/modules/dns/v1/aca-dns-privat
   }
 }
 
-// 11. Front Door
+// 12. Front Door
 module afdModule '../../shared/bicep/modules/afd/v1/afd.bicep' = {
   name: 'afdModule'
   params: {

infrastructure/apim-aca/create.ipynb

@@ -30,7 +30,15 @@
     "rg_name = utils.get_infra_rg_name(deployment, index)\n",
     "rg_tags = utils.build_infrastructure_tags(deployment)\n",
     "\n",
-    "# 3) Define the APIs and their operations and policies\n",
+    "# 3) Set up the policy fragments\n",
+    "pfs: List[PolicyFragment] = [\n",
+    "    PolicyFragment('AuthZ-Match-All', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-all.xml')), 'Authorizes if all of the specified roles match the JWT role claims.'),\n",
+    "    PolicyFragment('AuthZ-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-any.xml')), 'Authorizes if any of the specified roles match the JWT role claims.'),\n",
+    "    PolicyFragment('Http-Response-200', utils.read_policy_xml(utils.determine_shared_policy_path('pf-http-response-200.xml')), 'Returns a 200 OK response for the current HTTP method.'),\n",
+    "    PolicyFragment('Remove-Request-Headers', utils.read_policy_xml(utils.determine_shared_policy_path('pf-remove-request-headers.xml')), 'Removes request headers from the incoming request.')\n",
+    "]\n",
+    "\n",
+    "# 4) Define the APIs and their operations and policies\n",
     "\n",
     "# Policies\n",
     "hello_world_policy_xml      = utils.read_policy_xml(HELLO_WORLD_XML_POLICY_PATH)\n",
@@ -81,7 +89,8 @@
     "# 1) Define the Bicep parameters with serialized APIs\n",
     "bicep_parameters = {\n",
     "    'apimSku'   : {'value': apim_sku.value},\n",
-    "    'apis'      : {'value': [api.to_dict() for api in apis]}\n",
+    "    'apis'      : {'value': [api.to_dict() for api in apis]},\n",
+    "    'policyFragments': {'value': [pf.to_dict() for pf in pfs]}\n",
     "}\n",
     "\n",
     "# 2) Run the deployment\n",

infrastructure/apim-aca/main.bicep

@@ -11,6 +11,7 @@ param resourceSuffix string = uniqueString(subscription().id, resourceGroup().id
 param apimName string = 'apim-${resourceSuffix}'
 param apimSku string
 param apis array = []
+param policyFragments array = []
 
 
 // ------------------
@@ -82,7 +83,21 @@ module apimModule '../../shared/bicep/modules/apim/v1/apim.bicep' = {
   }
 }
 
-// 6. APIM Backends for ACA
+// 6. APIM Policy Fragments
+module policyFragmentModule '../../shared/bicep/modules/apim/v1/policy-fragment.bicep' = [for pf in policyFragments: {
+  name: 'pf-${pf.name}'
+  params:{
+    apimName: apimName
+    policyFragmentName: pf.name
+    policyFragmentDescription: pf.description
+    policyFragmentValue: pf.policyXml
+  }
+  dependsOn: [
+    apimModule
+  ]
+}]
+
+// 7. APIM Backends for ACA
 module backendModule1 '../../shared/bicep/modules/apim/v1/backend.bicep' = {
   name: 'aca-backend-1'
   params: {

infrastructure/simple-apim/create.ipynb

@@ -30,7 +30,15 @@
     "rg_name = utils.get_infra_rg_name(deployment, index)\n",
     "rg_tags = utils.build_infrastructure_tags(deployment)\n",
     "\n",
-    "# 3) Define the APIs and their operations and policies\n",
+    "# 3) Set up the policy fragments\n",
+    "pfs: List[PolicyFragment] = [\n",
+    "    PolicyFragment('AuthZ-Match-All', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-all.xml')), 'Authorizes if all of the specified roles match the JWT role claims.'),\n",
+    "    PolicyFragment('AuthZ-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-any.xml')), 'Authorizes if any of the specified roles match the JWT role claims.'),\n",
+    "    PolicyFragment('Http-Response-200', utils.read_policy_xml(utils.determine_shared_policy_path('pf-http-response-200.xml')), 'Returns a 200 OK response for the current HTTP method.'),\n",
+    "    PolicyFragment('Remove-Request-Headers', utils.read_policy_xml(utils.determine_shared_policy_path('pf-remove-request-headers.xml')), 'Removes request headers from the incoming request.')\n",
+    "]\n",
+    "\n",
+    "# 4) Define the APIs and their operations and policies\n",
     "\n",
     "# Policies\n",
     "hello_world_policy_xml = utils.read_policy_xml(HELLO_WORLD_XML_POLICY_PATH)\n",
@@ -65,7 +73,8 @@
     "# 1) Define the Bicep parameters with serialized APIs\n",
     "bicep_parameters = {\n",
     "    'apimSku'   : {'value': apim_sku.value},\n",
-    "    'apis'      : {'value': [api.to_dict() for api in apis]}\n",
+    "    'apis'      : {'value': [api.to_dict() for api in apis]},\n",
+    "    'policyFragments': {'value': [pf.to_dict() for pf in pfs]}\n",
     "}\n",
     "\n",
     "# 2) Run the deployment\n",

infrastructure/simple-apim/main.bicep

@@ -12,7 +12,7 @@ param apimName string = 'apim-${resourceSuffix}'
 
 param apimSku string
 param apis array = []
-
+param policyFragments array = []
 
 // ------------------
 //    RESOURCES
@@ -47,7 +47,21 @@ module apimModule '../../shared/bicep/modules/apim/v1/apim.bicep' = {
   }
 }
 
-// 4. APIM APIs
+// 4. APIM Policy Fragments
+module policyFragmentModule '../../shared/bicep/modules/apim/v1/policy-fragment.bicep' = [for pf in policyFragments: {
+  name: 'pf-${pf.name}'
+  params:{
+    apimName: apimName
+    policyFragmentName: pf.name
+    policyFragmentDescription: pf.description
+    policyFragmentValue: pf.policyXml
+  }
+  dependsOn: [
+    apimModule
+  ]
+}]
+
+// 5. APIM APIs
 module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in apis: if(length(apis) > 0) {
   name: 'api-${api.name}'
   params: {

samples/authX-pro/create.ipynb

@@ -54,16 +54,8 @@
     "    'hr_member_role_id': 'HRMemberRoleId'\n",
     "}, sample_folder)\n",
     "\n",
-    "# TODO: These shared policies may be better applied as part of each infrastructure deployments. \n",
-    "from apimtypes import _get_project_root\n",
-    "project_root = _get_project_root()\n",
-    "pf_authz_match_any_xml = utils.read_policy_xml(str(project_root / 'shared' / 'apim-policies' / 'fragments' / 'pf-authz-match-any.xml'))\n",
-    "pf_http_response_200_xml = utils.read_policy_xml(str(project_root / 'shared' / 'apim-policies' / 'fragments' / 'pf-http-response-200.xml'))\n",
-    "\n",
     "pfs: List[PolicyFragment] = [\n",
-    "    PolicyFragment('AuthX-HR-Member', pf_authx_hr_member_xml, 'Authenticates and authorizes HR members.'),\n",
-    "    PolicyFragment('AuthZ-Match-Any', pf_authz_match_any_xml, 'Authorizes if any of the specified roles match the JWT role claims.'),\n",
-    "    PolicyFragment('Http-Response-200', pf_http_response_200_xml, 'Returns a 200 OK response for the current HTTP method.')\n",
+    "    PolicyFragment('AuthX-HR-Member', pf_authx_hr_member_xml, 'Authenticates and authorizes HR members.')\n",
     "]\n",
     "\n",
     "# 5) Define the Products\n",

samples/secure-blob-access/create.ipynb

@@ -56,14 +56,9 @@
     "\n",
     "pf_create_sas_token_xml = utils.read_policy_xml('pf-create-sas-token.xml', sample_name = sample_folder)\n",
     "pf_check_blob_existence_via_mi = utils.read_policy_xml('pf-check-blob-existence-via-managed-identity.xml', sample_name = sample_folder)\n",
-    "# TODO: These shared policies may be better applied as part of each infrastructure deployments. \n",
-    "from apimtypes import _get_project_root\n",
-    "project_root = _get_project_root()\n",
-    "pf_authz_match_any_xml = utils.read_policy_xml(str(project_root / 'shared' / 'apim-policies' / 'fragments' / 'pf-authz-match-any.xml'))\n",
     "\n",
     "pfs: List[PolicyFragment] = [\n",
     "    PolicyFragment('AuthX-HR-Member', pf_authx_hr_member_xml, 'Authenticates and authorizes users with HR Member role.'),\n",
-    "    PolicyFragment('AuthZ-Match-Any', pf_authz_match_any_xml, 'Authorizes if any of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('Create-Sas-Token', pf_create_sas_token_xml, 'Creates a SAS token to use with access to a blob.'),\n",
     "    PolicyFragment('Check-Blob-Existence-via-Managed-Identity', pf_check_blob_existence_via_mi, 'Checks whether the specified blob exists at the blobUrl. A boolean value for blobExists will be available afterwards.')\n",
     "]\n",

shared/apim-policies/fragments/pf-remove-request-headers.xml

@@ -0,0 +1,11 @@
+<!--
+    - This fragment removes incoming request headers prior to calling a backend or external service.
+-->
+<fragment>
+    <!-- Remove APIM API keys to not inadvertently leak them. -->
+    <set-header name="api-key" exists-action="delete" />
+    <set-header name="ocp-apim-subscription-key" exists-action="delete" />
+
+    <!-- The Do Not Track (DNT) header is deprecated: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/DNT -->
+    <set-header name="DNT" exists-action="delete" />
+</fragment>

shared/python/utils.py

@@ -13,6 +13,8 @@
 import string
 import secrets
 import base64
+import inspect
+from pathlib import Path
 
 from typing import Optional, Tuple
 from apimtypes import APIM_SKU, HTTP_VERB, INFRASTRUCTURE
@@ -418,6 +420,7 @@ def create_bicep_deployment_group(rg_name: str, rg_location: str, deployment: st
         f"Deployment '{deployment_name}' succeeded", f"Deployment '{deployment_name}' failed.")
 
 
+# TODO: Reconcile this with apimtypes.py _get_project_root
 def find_project_root() -> str:
     """
     Find the project root directory by looking for specific marker files.
@@ -573,11 +576,10 @@ def read_and_modify_policy_xml(policy_xml_filepath: str, replacements: dict[str,
 
     return policy_template_xml
 
+def determine_shared_policy_path(policy_xml_filename: str) -> str:
+    return str(Path(find_project_root()) / 'shared' / 'apim-policies' / 'fragments' / policy_xml_filename)
+
 def determine_policy_path(policy_xml_filepath_or_filename: str, sample_name: str = None) -> str:
-    import inspect
-    import os
-    from pathlib import Path
-    
     # Determine if this is a full path or just a filename
     path_obj = Path(policy_xml_filepath_or_filename)