e2e: app registration cleanup of orphaned app registrations that are expired

Author: bennerv

internal/graph/graphsdk/graph_base_service_client.go

@@ -1,5 +1,5 @@
 {
-  "descriptionHash": "DAC2FA87E0BD82AA2F0BDC3D7EACC6E2A50E16C33B5C67050C1CB898DBB7A8806C7221FF815AF7042586D869CB8C14A6ED3E07FB6F1D13FE2CEB1C70ADFD3B93",
+  "descriptionHash": "81C12085B29621FDC2F8185AE6C59D08B34A9F9C612EBAF4E291DAE77C74D279E4544A848482CFF058AC2CF6B75E6457AD6120BD6DBB73CF9F4E1BDB4ED9A526",
   "descriptionLocation": "../../../tooling/kiota/openapi.yaml",
   "lockFileVersion": "1.0.0",
   "kiotaVersion": "1.28.0",

internal/graph/graphsdk/kiota-lock.json

@@ -20,15 +20,19 @@ import (
 	"fmt"
 	"time"
 
+	abstractions "github.com/microsoft/kiota-abstractions-go"
 	"k8s.io/apimachinery/pkg/util/wait"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 
 	"github.com/Azure/ARO-HCP/internal/graph/graphsdk/applications"
+	"github.com/Azure/ARO-HCP/internal/graph/graphsdk/me"
 	"github.com/Azure/ARO-HCP/internal/graph/graphsdk/models"
 	"github.com/Azure/ARO-HCP/internal/graph/graphsdk/models/odataerrors"
 )
 
+const AppRegistrationPrefix = "aro-hcp-e2e-"
+
 // Application represents a Microsoft Entra application
 type Application struct {
 	ID          string `json:"id"`
@@ -171,3 +175,46 @@ func (c *Client) GetApplication(ctx context.Context, appID string) (*Application
 		DisplayName: *app.GetDisplayName(),
 	}, nil
 }
+
+// ListOwnedExpiredApplications retrieves applications owned by the current service principal
+// where all their credentials have expired and a display name starting with the e2e prefix.
+// This uses the /me/ownedObjects endpoint to ensure we only return applications we have
+// permission to delete.
+func (c *Client) ListOwnedExpiredApplications(ctx context.Context) ([]Application, error) {
+	var apps []Application
+
+	headers := abstractions.NewRequestHeaders()
+	headers.Add("ConsistencyLevel", "eventual")
+
+	resp, err := c.graphClient.Me().OwnedObjects().GraphApplication().Get(ctx,
+		&me.OwnedObjectsGraphApplicationRequestBuilderGetRequestConfiguration{
+			Headers: headers,
+			QueryParameters: &me.OwnedObjectsGraphApplicationRequestBuilderGetQueryParameters{
+				Filter: to.Ptr(fmt.Sprintf("startsWith(displayName,'%s')", AppRegistrationPrefix)),
+				Count:  to.Ptr(true),
+			},
+		})
+	if err != nil {
+		return nil, fmt.Errorf("list owned applications: %w", err)
+	}
+
+	for _, app := range resp.GetValue() {
+		// Skip app registrations that have credentials not yet expired
+		skipApp := false
+		for _, cred := range app.GetPasswordCredentials() {
+			if cred.GetEndDateTime() != nil && cred.GetEndDateTime().After(time.Now()) {
+				skipApp = true
+				break
+			}
+		}
+		if !skipApp {
+			apps = append(apps, Application{
+				ID:          *app.GetId(),
+				AppID:       *app.GetAppId(),
+				DisplayName: *app.GetDisplayName(),
+			})
+		}
+	}
+
+	return apps, nil
+}

internal/graph/graphsdk/me/me_request_builder.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/Azure/ARO-HCP/test/pkg/logger"
 	"github.com/Azure/ARO-HCP/test/util/cleanup"
+	"github.com/Azure/ARO-HCP/test/util/cleanup/appregistrations"
 	kustoroleassignments "github.com/Azure/ARO-HCP/test/util/cleanup/kusto-role-assignments"
 	"github.com/Azure/ARO-HCP/test/util/cleanup/resourcegroups"
 )
@@ -40,6 +41,7 @@ func NewCommand() *cobra.Command {
 	cmd.PersistentFlags().IntVarP(&opt.Verbosity, "verbosity", "v", opt.Verbosity, "Log verbosity level")
 
 	cmd.AddCommand(newCleanupResourceGroupsCommand())
+	cmd.AddCommand(newCleanupAppRegistrationsCommand())
 	cmd.AddCommand(newDeleteKustoRoleAssignmentsCommand())
 
 	cmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
@@ -49,6 +51,35 @@ func NewCommand() *cobra.Command {
 	return cmd
 }
 
+func newCleanupAppRegistrationsCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:          "app-registrations",
+		Short:        "Delete expired e2e app registrations",
+		SilenceUsage: true,
+	}
+	rawOpt := appregistrations.DefaultOptions()
+	cmd.Flags().BoolVar(&rawOpt.DryRun, "dry-run", rawOpt.DryRun, "Print which app registrations would be deleted without deleting")
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx, cancel := signal.NotifyContext(cmd.Context(), os.Interrupt)
+		defer cancel()
+
+		validatedOpt, err := rawOpt.Validate()
+		if err != nil {
+			return err
+		}
+
+		completedOpt, err := validatedOpt.Complete(ctx)
+		if err != nil {
+			return err
+		}
+
+		return completedOpt.Run(ctx)
+	}
+
+	return cmd
+}
+
 func newDeleteKustoRoleAssignmentsCommand() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:          "kusto-role-assignments",

internal/graph/graphsdk/me/owned_objects_graph_application_request_builder.go

@@ -0,0 +1,58 @@
+// Copyright 2026 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package appregistrations
+
+import (
+	"context"
+	"fmt"
+
+	graphutil "github.com/Azure/ARO-HCP/internal/graph/util"
+	"github.com/Azure/ARO-HCP/test/util/framework"
+)
+
+type RawOptions struct {
+	DryRun bool
+}
+
+type ValidatedOptions struct {
+	*RawOptions
+}
+
+type Options struct {
+	DryRun      bool
+	GraphClient *graphutil.Client
+}
+
+func DefaultOptions() *RawOptions {
+	return &RawOptions{}
+}
+
+func (o *RawOptions) Validate() (*ValidatedOptions, error) {
+	return &ValidatedOptions{RawOptions: o}, nil
+}
+
+func (o *ValidatedOptions) Complete(ctx context.Context) (*Options, error) {
+	tc := framework.NewTestContext()
+
+	graphClient, err := tc.GetGraphClient(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get graph client: %w", err)
+	}
+
+	return &Options{
+		DryRun:      o.DryRun,
+		GraphClient: graphClient,
+	}, nil
+}