Feature/add authx sample (#15)

Author: simonkurtz-MSFT

README.md

@@ -49,6 +49,7 @@ The first time you run a Jupyter notebook, you'll be asked to install the Jupyte
 |:-----------------|:----------------------------------------------------------------------------|:-------------------------------------------|
 | [General](./samples/general/create.ipynb) | Basic demo of APIM sample setup and policy usage. | All infrastructures |
 | [Load Balancing](./samples/load-balancing/create.ipynb) | Priority and weighted load balancing across backends. | apim-aca, afd-apim (with ACA) |
+| [AuthX](./samples/authx/create.ipynb) | Authentication and role-based authorization in a mock HR API. | All infrastructures |
 
 ### Running a Sample
 

requirements.txt

@@ -4,5 +4,6 @@ requests
 setuptools
 pandas
 matplotlib
+pyjwt
 pytest
 pytest-cov

samples/_TEMPLATE/create.ipynb

@@ -18,6 +18,10 @@
     "1. [LEARNING / EXPERIMENTATION OBJECTIVE 2]\n",
     "1. ...\n",
     "\n",
+    "## Scenario\n",
+    "\n",
+    "[IF THE SAMPLE IS DEMONSTRATED THROUGH A USE CASE OR SCENARIO, PLEASE DETAIL IT HERE. OTHERWISE, DELETE THIS SECTION]\n",
+    "\n",
     "## Lab Components\n",
     "\n",
     "[DESCRIBE IN MORE DETAIL WHAT THIS LAB SETS UP AND HOW THIS BENEFITS THE LEARNER/USER.]\n",

samples/authX/create.ipynb

@@ -0,0 +1,246 @@
+{
+ "cells": [
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "# Samples: AuthX - Authentication & Authorization\n",
+    "\n",
+    "[BRIEF SAMPLE DESCRIPTION]\n",
+    "\n",
+    "⚙️ **Supported infrastructures**: All infrastructures\n",
+    "\n",
+    "⌚ **Expected *Run All* runtime (excl. infrastructure prerequisite): ~[NOTEBOOK RUNTIME] minute**\n",
+    "\n",
+    "## Objectives\n",
+    "\n",
+    "1. Understand how API Management supports OAuth 2.0 authentication (authN) with JSON Web Tokens (JWT).\n",
+    "1. Learn how authorization (authZ) can be accomplished based on JWT claims.\n",
+    "1. Configure authN and authZ at various levels in the API Management hierarchy.\n",
+    "1. Use external secrets in policies.\n",
+    "\n",
+    "## Scenario\n",
+    "\n",
+    "This sample combines _authentication (authN)_ and _authorization (authZ)_ into _authX_. This scenario focuses on a Human Resources API that requires privileged role-based access to GET and to POST data. This is simplistic but shows the combination of authN and authZ.\n",
+    "\n",
+    "There are two personas at play:\n",
+    "\n",
+    "- `HR Administrator` - holds broad rights to the API\n",
+    "- `HR Associate` - has read-only permissions\n",
+    "\n",
+    "Both personas are part of an HR_Members group and may access the HR API Management Product. Subsequent access to the APIs and their operations must be granular.\n",
+    "\n",
+    "### Notes\n",
+    "\n",
+    "Many organizations require 100% authentication for their APIs. While that is prudent and typically done at the global _All APIs_ level, we refrain from doing so here as to not impact other samples. Instead, we focus on authentication at the API Management API and API operation levels.\n",
+    "\n",
+    "## Lab Components\n",
+    "\n",
+    "While OAuth 2.0 includes an identity provider (IDP), for sake of the sample, we can remove the complexity of including real identities. It is sufficient to use mock JWTs that we can \"authenticate\" by way of a signing key. This is a valid, albeit not the default method for authentication. \n",
+    "\n",
+    "We do not need real APIs and can rely on mock returns.\n",
+    "\n",
+    "Furthermore, secrets would ideally be kept in a secret store such as Azure Key Vault and be accessed via API Management's managed identity. Adding a Key Vault to our architecture is a stretch goal that provides value but is not immediately necessary to showcase the authX sample.\n",
+    "\n",
+    "JSON Web Tokens are defined in [RFC 7519](https://www.rfc-editor.org/rfc/rfc7519). Two websites to use with JWTs are [Okta's](https://jwt.io/) and [Microsoft's](https://jwt.ms/). Okta's may be preferential due to its features.\n",
+    "\n",
+    "## Configuration\n",
+    "\n",
+    "1. Decide which of the [Infrastructure Architectures](../../README.md#infrastructure-architectures) you wish to use.\n",
+    "    1. If the infrastructure _does not_ yet exist, navigate to the desired [infrastructure](../../infrastructure/) folder and follow its README.md.\n",
+    "    1. If the infrastructure _does_ exist, adjust the `user-defined parameters` in the _Initialize notebook variables_ below. Please ensure that all parameters match your infrastructure."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### Initialize notebook variables\n",
+    "\n",
+    "Configures everything that's needed for deployment. \n",
+    "\n",
+    "[ADD ANY SPECIAL INSTRUCTIONS]\n",
+    "\n",
+    "**Modify entries under _1) User-defined parameters_ and _3) Define the APIs and their operations and policies_**."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "import utils\n",
+    "import time\n",
+    "from apimtypes import *\n",
+    "\n",
+    "# 1) User-defined parameters (change these as needed)\n",
+    "rg_location = 'eastus2'\n",
+    "index       = 1\n",
+    "deployment  = INFRASTRUCTURE.SIMPLE_APIM\n",
+    "tags        = ['authX', 'jwt', 'hr']       # ENTER DESCRIPTIVE TAG(S)\n",
+    "api_prefix  = 'authX-'               # OPTIONAL: ENTER A PREFIX FOR THE APIS TO REDUCE COLLISION POTENTIAL WITH OTHER SAMPLES\n",
+    "\n",
+    "# 2) Service-defined parameters (please do not change these)\n",
+    "rg_name = utils.get_infra_rg_name(deployment, index)\n",
+    "supported_infrastructures = [INFRASTRUCTURE.SIMPLE_APIM, INFRASTRUCTURE.AFD_APIM_PE, INFRASTRUCTURE.APIM_ACA]        # ENTER SUPPORTED INFRASTRUCTURES HERE, e.g., [INFRASTRUCTURE.AFD_APIM_PE, INFRASTRUCTURE.AFD_APIM_FE]\n",
+    "utils.validate_infrastructure(deployment, supported_infrastructures)\n",
+    "\n",
+    "# Set up the signing key for the JWT policy\n",
+    "jwt_key_name = f'JwtSigningKey{int(time.time())}'\n",
+    "jwt_key_value, jwt_key_value_bytes_b64 = utils.generate_signing_key()\n",
+    "utils.print_val('JWT key value', jwt_key_value)                         # this value is used to create the signed JWT token for requests to APIM\n",
+    "utils.print_val('JWT key value (base64)', jwt_key_value_bytes_b64)      # this value is used in the APIM validate-jwt policy's issuer-signing-key attribute  \n",
+    "\n",
+    "# 3) Define the APIs and their operations and policies\n",
+    "\n",
+    "# Policies\n",
+    "# Named values must be set up a bit differently as they need to have two surrounding curly braces\n",
+    "hr_all_operations_xml = utils.read_policy_xml('./hr_all_operations.xml').format(\n",
+    "    jwt_signing_key = '{{' + jwt_key_name + '}}', \n",
+    "    hr_member_role_id = '{{HRMemberRoleId}}'\n",
+    ")\n",
+    "hr_get_xml = utils.read_policy_xml('./hr_get.xml').format(\n",
+    "    hr_administrator_role_id = '{{HRAdministratorRoleId}}',\n",
+    "    hr_associate_role_id = '{{HRAssociateRoleId}}'\n",
+    ")\n",
+    "hr_post_xml = utils.read_policy_xml('./hr_post.xml').format(\n",
+    "    hr_administrator_role_id = '{{HRAdministratorRoleId}}'\n",
+    ")\n",
+    "\n",
+    "# Employees (HR)\n",
+    "hremployees_get = GET_APIOperation('Gets the employees', hr_get_xml)\n",
+    "hremployees_post = POST_APIOperation('Creates a new employee', hr_post_xml)\n",
+    "hremployees = API('Employees', 'Employees', '/employees', 'This is a Human Resources API to obtain employee information', hr_all_operations_xml, operations = [hremployees_get, hremployees_post], tags = tags)\n",
+    "\n",
+    "# APIs Array\n",
+    "apis: List[API] = [hremployees]\n",
+    "\n",
+    "# 4) Set up the named values\n",
+    "nvs: List[NamedValue] = [\n",
+    "    NamedValue(jwt_key_name, jwt_key_value_bytes_b64, True),\n",
+    "    NamedValue('HRMemberRoleId', HR_MEMBER_ROLE_ID),\n",
+    "    NamedValue('HRAssociateRoleId', HR_ASSOCIATE_ROLE_ID),\n",
+    "    NamedValue('HRAdministratorRoleId', HR_ADMINISTRATOR_ROLE_ID)\n",
+    "]\n",
+    "\n",
+    "utils.print_ok('Notebook initialized')"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### Create deployment using Bicep\n",
+    "\n",
+    "Creates the bicep deployment into the previously-specified resource group. A bicep parameters file will be created prior to execution."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "import utils\n",
+    "\n",
+    "# 1) Define the Bicep parameters with serialized APIs\n",
+    "bicep_parameters = {\n",
+    "    'apis': {'value': [api.to_dict() for api in apis]},\n",
+    "    'namedValues': {'value': [nv.to_dict() for nv in nvs]}\n",
+    "}\n",
+    "\n",
+    "# 2) Infrastructure must be in place before samples can be layered on top\n",
+    "if not utils.does_resource_group_exist(rg_name):\n",
+    "    utils.print_error(f'The specified infrastructure resource group and its resources must exist first. Please check that the user-defined parameters above are correctly referencing an existing infrastructure. If it does not yet exist, run the desired infrastructure in the /infra/ folder first.')\n",
+    "    raise SystemExit(1)\n",
+    "\n",
+    "# 3) Run the deployment\n",
+    "output = utils.create_bicep_deployment_group(rg_name, rg_location, deployment, bicep_parameters)\n",
+    "\n",
+    "# 4) Print a deployment summary, if successful; otherwise, exit with an error\n",
+    "if not output.success:\n",
+    "    raise SystemExit('Deployment failed')\n",
+    "\n",
+    "if output.success and output.json_data:\n",
+    "    apim_gateway_url = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
+    "\n",
+    "utils.print_ok('Deployment completed')"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### Verify API Request Success\n",
+    "\n",
+    "Assert that the deployment was successful by making simple calls to APIM. \n",
+    "\n",
+    "❗️ If the infrastructure shields APIM and requires a different ingress (e.g. Azure Front Door), the request to the APIM gateway URl will fail by design. Obtain the Front Door endpoint hostname and try that instead."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "import utils\n",
+    "from apimrequests import ApimRequests\n",
+    "from apimjwt import JwtPayload, SymmetricJwtToken\n",
+    "from apimtypes import HR_MEMBER_ROLE_ID, HR_ADMINISTRATOR_ROLE_ID, HR_ASSOCIATE_ROLE_ID\n",
+    "\n",
+    "# 1) HR Administrator\n",
+    "# Create a JSON Web Token with a payload and sign it with the symmetric key from above.\n",
+    "jwt_payload_hr_admin = JwtPayload(subject = 'user123', name = 'Angie Administrator', roles = [HR_MEMBER_ROLE_ID, HR_ADMINISTRATOR_ROLE_ID])\n",
+    "encoded_jwt_token_hr_admin = SymmetricJwtToken(jwt_key_value, jwt_payload_hr_admin).encode()\n",
+    "print(f'JWT token HR Admin: {encoded_jwt_token_hr_admin}')  # this value is used to call the APIs via APIM\n",
+    "\n",
+    "# Set up an APIM requests object with the JWT token\n",
+    "reqsApimAdmin = ApimRequests(apim_gateway_url)\n",
+    "reqsApimAdmin.headers['Authorization'] = f'Bearer {encoded_jwt_token_hr_admin}'\n",
+    "\n",
+    "# Call APIM\n",
+    "reqsApimAdmin.singleGet('/employees', msg = 'Calling GET Employees API via API Management Gateway URL. Expect 200.')\n",
+    "reqsApimAdmin.singlePost('/employees', msg = 'Calling POST Employees API via API Management Gateway URL. Expect 200.')\n",
+    "\n",
+    "# 2) HR Associate\n",
+    "# Create a JSON Web Token with a payload and sign it with the symmetric key from above.\n",
+    "jwt_payload_hr_associate = JwtPayload(subject = 'user789', name = 'Aaron Associate', roles = [HR_MEMBER_ROLE_ID, HR_ASSOCIATE_ROLE_ID])\n",
+    "encoded_jwt_token_hr_associate = SymmetricJwtToken(jwt_key_value, jwt_payload_hr_associate).encode()\n",
+    "print(f'\\n\\nJWT token HR Associate: {encoded_jwt_token_hr_associate}')  # this value is used to call the APIs via APIM\n",
+    "\n",
+    "# Set up an APIM requests object with the JWT token\n",
+    "reqsApimAssociate = ApimRequests(apim_gateway_url)\n",
+    "reqsApimAssociate.headers['Authorization'] = f'Bearer {encoded_jwt_token_hr_associate}'\n",
+    "\n",
+    "# Call APIM\n",
+    "reqsApimAssociate.singleGet('/employees', msg = 'Calling GET Employees API via API Management Gateway URL. Expect 200.')\n",
+    "reqsApimAssociate.singlePost('/employees', msg = 'Calling POST Employees API via API Management Gateway URL. Expect 403.')\n",
+    "\n",
+    "utils.print_ok('All done!')"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": ".venv",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.12.10"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 2
+}

samples/authX/hr_all_operations.xml

@@ -0,0 +1,27 @@
+<!--
+    This policy authenticates the caller based on their JSON Web Token. It is not calling an Identity Provider as this is a mock policy.
+-->
+<policies>
+    <inbound>
+        <base />
+        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" output-token-variable-name="jwt">
+            <issuer-signing-keys>
+                <key>{jwt_signing_key}</key>
+            </issuer-signing-keys>
+            <required-claims>
+                <claim name="roles" match="all">
+                    <value>{hr_member_role_id}</value>
+                </claim>
+            </required-claims>
+        </validate-jwt>
+    </inbound>
+    <backend>
+        <base />
+    </backend>
+    <outbound>
+        <base />
+    </outbound>
+    <on-error>
+        <base />
+    </on-error>
+</policies>

samples/authX/hr_get.xml

@@ -0,0 +1,31 @@
+<!--
+    This policy authenticates gets mock information about employees. The payload is not relevant for this sample. We are only interested in the authX aspects.
+-->
+<policies>
+    <inbound>
+        <base />
+        <choose>
+            <!-- HR Administrators and HR Associates can both obtain employee information -->
+            <when condition="@(((Jwt)context.Variables[&quot;jwt&quot;]).Claims[&quot;roles&quot;].Contains(&quot;{hr_administrator_role_id}&quot;) || ((Jwt)context.Variables[&quot;jwt&quot;]).Claims[&quot;roles&quot;].Contains(&quot;{hr_associate_role_id}&quot;))">
+                <return-response>
+                    <set-status code="200" reason="OK" />
+                    <set-body>Returning a mock employee</set-body>
+                </return-response>
+            </when>
+            <otherwise>
+                <return-response>
+                    <set-status code="403" reason="Forbidden" />
+                </return-response>
+            </otherwise>
+        </choose>
+    </inbound>
+    <backend>
+        <base />
+    </backend>
+    <outbound>
+        <base />
+    </outbound>
+    <on-error>
+        <base />
+    </on-error>
+</policies>

samples/authX/hr_post.xml

@@ -0,0 +1,31 @@
+<!--
+    This policy mocks the creation of a new employee. The payload is not relevant for this sample. We are only interested in the authX aspects.
+-->
+<policies>
+    <inbound>
+        <base />
+        <choose>
+            <!-- Only HR Administrators can create employees -->
+            <when condition="@(((Jwt)context.Variables[&quot;jwt&quot;]).Claims[&quot;roles&quot;].Contains(&quot;{hr_administrator_role_id}&quot;))">
+                <return-response>
+                    <set-status code="200" reason="OK" />
+                    <set-body>A mock employee has been created.</set-body>
+                </return-response>
+            </when>
+            <otherwise>
+                <return-response>
+                    <set-status code="403" reason="Forbidden" />
+                </return-response>
+            </otherwise>
+        </choose>
+    </inbound>
+    <backend>
+        <base />
+    </backend>
+    <outbound>
+        <base />
+    </outbound>
+    <on-error>
+        <base />
+    </on-error>
+</policies>