Fixing a vulnerability and template validations (#132)

howieleung · web-flow · commit bf8cabf24fd3 · 2025-06-09T14:45:00.000-07:00
diff --git a/.github/workflows/template-validation.yml b/.github/workflows/template-validation.yml
@@ -17,6 +17,7 @@ jobs:
       - uses: microsoft/template-validation-action@v0.3.2
         id: validation
         env:
+          TEMPLATE_VALIDATION_MODE: true
           AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
           AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
           AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
@@ -25,16 +26,12 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # Project-specific variables (matches azure-dev.yaml/azure.yaml/main.parameters.json)
           AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
-          AZURE_AIHUB_NAME: ${{ vars.AZURE_AIHUB_NAME }}
-          AZURE_AIPROJECT_NAME: ${{ vars.AZURE_AIPROJECT_NAME }}
           AZURE_AISERVICES_NAME: ${{ vars.AZURE_AISERVICES_NAME }}
           AZURE_SEARCH_SERVICE_NAME: ${{ vars.AZURE_SEARCH_SERVICE_NAME }}
           AZURE_APPLICATION_INSIGHTS_NAME: ${{ vars.AZURE_APPLICATION_INSIGHTS_NAME }}
           AZURE_CONTAINER_REGISTRY_NAME: ${{ vars.AZURE_CONTAINER_REGISTRY_NAME }}
-          AZURE_KEYVAULT_NAME: ${{ vars.AZURE_KEYVAULT_NAME }}
           AZURE_STORAGE_ACCOUNT_NAME: ${{ vars.AZURE_STORAGE_ACCOUNT_NAME }}
           AZURE_LOG_ANALYTICS_WORKSPACE_NAME: ${{ vars.AZURE_LOG_ANALYTICS_WORKSPACE_NAME }}
-          USE_CONTAINER_REGISTRY: ${{ vars.USE_CONTAINER_REGISTRY }}
           USE_APPLICATION_INSIGHTS: ${{ vars.USE_APPLICATION_INSIGHTS }}
           USE_SEARCH_SERVICE: ${{ vars.USE_SEARCH_SERVICE }}
           AZURE_AI_AGENT_NAME: ${{ vars.AZURE_AI_AGENT_NAME }}
diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep
@@ -5,7 +5,7 @@ param location string = resourceGroup().location
 param tags object = {}
 @description('The custom subdomain name used to access the API. Defaults to the value of the name parameter.')
 param customSubDomainName string = aiServiceName
-param disableLocalAuth bool = false
+param disableLocalAuth bool = true
 param deployments array = []
 param appInsightsId string
 param appInsightConnectionString string
@@ -51,16 +51,13 @@ resource aiServiceConnection 'Microsoft.CognitiveServices/accounts/connections@2
   parent: account
   properties: {
     category: 'AzureOpenAI'
-    authType: 'ApiKey'
+    authType: 'AAD'
     isSharedToAll: true
     target: account.properties.endpoints['OpenAI Language Model Instance API']
     metadata: {
       ApiType: 'azure'
       ResourceId: account.id
     }
-    credentials: {
-      key: account.listKeys().key1
-    }
   }
 }
 
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -116,8 +116,16 @@ param enableAzureMonitorTracing bool = false
 @description('Do we want to use the Azure Monitor tracing for GenAI content recording')
 param azureTracingGenAIContentRecordingEnabled bool = false
 
+param templateValidationMode bool = false
+
+@description('Random seed to be used during generation of new resources suffixes.')
+param seed string = newGuid()
+
+var runnerPrincipalType = templateValidationMode? 'ServicePrincipal' : 'User'
+
 var abbrs = loadJsonContent('./abbreviations.json')
-var resourceToken = toLower(uniqueString(subscription().id, environmentName, location))
+
+var resourceToken = templateValidationMode? toLower(uniqueString(subscription().id, environmentName, location, seed)) :  toLower(uniqueString(subscription().id, environmentName, location))
 
 var tags = { 'azd-env-name': environmentName }
 
@@ -299,7 +307,7 @@ module userRoleAzureAIDeveloper 'core/security/role.bicep' = {
   name: 'user-role-azureai-developer'
   scope: rg
   params: {
-    principalType: 'User'
+    principalType: runnerPrincipalType
     principalId: principalId
     roleDefinitionId: '64702f94-c441-49e6-a78b-ef80e0188fee'
   }
@@ -309,7 +317,7 @@ module userCognitiveServicesUser  'core/security/role.bicep' = if (empty(azureEx
   name: 'user-role-cognitive-services-user'
   scope: rg
   params: {
-    principalType: 'User'
+    principalType: runnerPrincipalType
     principalId: principalId
     roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
   }
@@ -319,7 +327,7 @@ module userAzureAIUser  'core/security/role.bicep' = if (empty(azureExistingAIPr
   name: 'user-role-azure-ai-user'
   scope: rg
   params: {
-    principalType: 'User'
+    principalType: runnerPrincipalType
     principalId: principalId
     roleDefinitionId: '53ca6127-db72-4b80-b1b0-d745d6d5456d'
   }
@@ -330,7 +338,7 @@ module userCognitiveServicesUser2  'core/security/role.bicep' = if (!empty(azure
   name: 'user-role-cognitive-services-user2'
   scope: existingProjectRG
   params: {
-    principalType: 'User'
+    principalType: runnerPrincipalType
     principalId: principalId
     roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
   }
@@ -391,7 +399,7 @@ module userRoleSearchIndexDataContributorRG 'core/security/role.bicep' = if (use
   name: 'user-role-azure-index-data-contributor-rg'
   scope: rg
   params: {
-    principalType: 'User'
+    principalType: runnerPrincipalType
     principalId: principalId
     roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7'
   }
@@ -401,7 +409,7 @@ module userRoleSearchIndexDataReaderRG 'core/security/role.bicep' = if (useSearc
   name: 'user-role-azure-index-data-reader-rg'
   scope: rg
   params: {
-    principalType: 'User'
+    principalType: runnerPrincipalType
     principalId: principalId
     roleDefinitionId: '1407120a-92aa-4202-b7e9-c0e197c71c8f'
   }
@@ -411,7 +419,7 @@ module userRoleSearchServiceContributorRG 'core/security/role.bicep' = if (useSe
   name: 'user-role-azure-search-service-contributor-rg'
   scope: rg
   params: {
-    principalType: 'User'
+    principalType: runnerPrincipalType
     principalId: principalId
     roleDefinitionId: '7ca78c08-252a-4471-8644-bb5ff32d4ba0'
   }
diff --git a/infra/main.parameters.json b/infra/main.parameters.json
@@ -112,6 +112,9 @@
     },
     "azureTracingGenAIContentRecordingEnabled": {
       "value": "${AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED=false}"
+    },
+    "templateValidationMode": {
+      "value": "${TEMPLATE_VALIDATION_MODE=false}"
     }
   }
 }
diff --git a/scripts/resolve_model_quota.sh b/scripts/resolve_model_quota.sh
@@ -47,6 +47,7 @@ MissingParams=()
 [[ -z "$Location" ]] && MissingParams+=("location")
 [[ -z "$Model" ]] && MissingParams+=("model")
 [[ -z "$Capacity" ]] && MissingParams+=("capacity")
+[[ -z "$Format" ]] && MissingParams+=("format")
 [[ -z "$DeploymentType" ]] && MissingParams+=("deployment-type")
 
 if [[ ${#MissingParams[@]} -gt 0 ]]; then
diff --git a/scripts/set_default_models.sh b/scripts/set_default_models.sh
@@ -57,12 +57,12 @@ if [ -n "$resourceId" ]; then
 fi
 
 # --- Build Chat Deployment ---
-chatDeployment_name="${AZURE_AI_AGENT_DEPLOYMENT_NAME}"
-chatDeployment_model_name="${AZURE_AI_AGENT_MODEL_NAME}"
-chatDeployment_model_version="${AZURE_AI_AGENT_MODEL_VERSION}"
-chatDeployment_model_format="${AZURE_AI_AGENT_MODEL_FORMAT}"
-chatDeployment_sku_name="${AZURE_AI_AGENT_DEPLOYMENT_SKU}"
-chatDeployment_capacity="${AZURE_AI_AGENT_DEPLOYMENT_CAPACITY}"
+chatDeployment_name="${envVars[AZURE_AI_AGENT_DEPLOYMENT_NAME]}"
+chatDeployment_model_name="${envVars[AZURE_AI_AGENT_MODEL_NAME]}"
+chatDeployment_model_version="${envVars[AZURE_AI_AGENT_MODEL_VERSION]}"
+chatDeployment_model_format="${envVars[AZURE_AI_AGENT_MODEL_FORMAT]}"
+chatDeployment_sku_name="${envVars[AZURE_AI_AGENT_DEPLOYMENT_SKU]}"
+chatDeployment_capacity="${envVars[AZURE_AI_AGENT_DEPLOYMENT_CAPACITY]}"
 chatDeployment_capacity_env="AZURE_AI_AGENT_DEPLOYMENT_CAPACITY"
 
 aiModelDeployments=(
@@ -71,12 +71,12 @@ aiModelDeployments=(
 
 # --- Optional Embed Deployment ---
 if [ "$USE_AZURE_AI_SEARCH_SERVICE" == "true" ]; then
-    embedDeployment_name="${AZURE_AI_EMBED_DEPLOYMENT_NAME}"
-    embedDeployment_model_name="${AZURE_AI_EMBED_MODEL_NAME}"
-    embedDeployment_model_version="${AZURE_AI_EMBED_MODEL_VERSION}"
-    embedDeployment_model_format="${AZURE_AI_EMBED_MODEL_FORMAT}"
-    embedDeployment_sku_name="${AZURE_AI_EMBED_DEPLOYMENT_SKU}"
-    embedDeployment_capacity="${AZURE_AI_EMBED_DEPLOYMENT_CAPACITY}"
+    embedDeployment_name="${envVars[AZURE_AI_EMBED_DEPLOYMENT_NAME]}"
+    embedDeployment_model_name="${envVars[AZURE_AI_EMBED_MODEL_NAME]}"
+    embedDeployment_model_version="${envVars[AZURE_AI_EMBED_MODEL_VERSION]}"
+    embedDeployment_model_format="${envVars[AZURE_AI_EMBED_MODEL_FORMAT]}"
+    embedDeployment_sku_name="${envVars[AZURE_AI_EMBED_DEPLOYMENT_SKU]}"
+    embedDeployment_capacity="${envVars[AZURE_AI_EMBED_DEPLOYMENT_CAPACITY]}"
     embedDeployment_capacity_env="AZURE_AI_EMBED_DEPLOYMENT_CAPACITY"
 
     aiModelDeployments+=(
diff --git a/scripts/setup_credential.sh b/scripts/setup_credential.sh
@@ -1,33 +1,40 @@
 #!/bin/bash
 
-# Prompt for username with validation
-while true; do
-  read -rp "👤 Create a new username for the web app (no spaces, at least 1 character): " username
-
-  if [[ -z "$username" || "$username" =~ [[:space:]] ]]; then
-    echo "❌ Username cannot be empty or contain spaces." >&2
-  else
-    break
-  fi
-done
-
-# Prompt for password with validation
-while true; do
-  read -rsp "🔑 Create a new password for the web app (no spaces, at least 1 character): " password
-  echo
-  read -rsp "🔑 Confirm the new password: " confirmPassword
-  echo
-
-  if [[ -z "$password" ]]; then
-    echo "❌ Password cannot be empty." >&2
-  elif [[ "$password" != "$confirmPassword" ]]; then
-    echo "❌ Passwords do not match." >&2
-  elif [[ "$password" =~ [[:space:]] ]]; then
-    echo "❌ Password cannot contain spaces." >&2
-  else
-    break
-  fi
-done
+templateValidationMode="${TEMPLATE_VALIDATION_MODE}"
+
+if [[ "$templateValidationMode" == true ]]; then
+  username="user"
+  password="pwd"
+else
+  # Prompt for username with validation
+  while true; do
+    read -rp "👤 Create a new username for the web app (no spaces, at least 1 character): " username
+
+    if [[ -z "$username" || "$username" =~ [[:space:]] ]]; then
+      echo "❌ Username cannot be empty or contain spaces." >&2
+    else
+      break
+    fi
+  done
+
+  # Prompt for password with validation
+  while true; do
+    read -rsp "🔑 Create a new password for the web app (no spaces, at least 1 character): " password
+    echo
+    read -rsp "🔑 Confirm the new password: " confirmPassword
+    echo
+
+    if [[ -z "$password" ]]; then
+      echo "❌ Password cannot be empty." >&2
+    elif [[ "$password" != "$confirmPassword" ]]; then
+      echo "❌ Passwords do not match." >&2
+    elif [[ "$password" =~ [[:space:]] ]]; then
+      echo "❌ Password cannot contain spaces." >&2
+    else
+      break
+    fi
+  done
+fi
 
 # Get resource group and container app name from azd
 resourceGroupName=$(azd env get-value AZURE_RESOURCE_GROUP)
diff --git a/src/Dockerfile b/src/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM python:3.11
+FROM python:3.11.11-slim-bookworm
 
 WORKDIR /code
 
diff --git a/src/frontend/package.json b/src/frontend/package.json
@@ -40,7 +40,7 @@
     "remark-math": "^6.0.0",
     "remark-parse": "^11.0.0",
     "remark-supersub": "^1.0.0",
-    "vite": "6.3.3",
+    "vite": "6.3.4",
     "prismjs": "1.30.0"
   },
   "devDependencies": {

Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,9 @@`
`112`	`112`	`},`
`113`	`113`	`"azureTracingGenAIContentRecordingEnabled": {`
`114`	`114`	`"value": "${AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED=false}"`
	`115`	`+ },`
	`116`	`+ "templateValidationMode": {`
	`117`	`+ "value": "${TEMPLATE_VALIDATION_MODE=false}"`
`115`	`118`	`}`
`116`	`119`	`}`
`117`	`120`	`}`