e2e: app registration cleanup of orphaned app registrations that are expired

Author: bennerv

internal/graph/graphsdk/graph_base_service_client.go

@@ -1,5 +1,5 @@
 {
-  "descriptionHash": "DAC2FA87E0BD82AA2F0BDC3D7EACC6E2A50E16C33B5C67050C1CB898DBB7A8806C7221FF815AF7042586D869CB8C14A6ED3E07FB6F1D13FE2CEB1C70ADFD3B93",
+  "descriptionHash": "81C12085B29621FDC2F8185AE6C59D08B34A9F9C612EBAF4E291DAE77C74D279E4544A848482CFF058AC2CF6B75E6457AD6120BD6DBB73CF9F4E1BDB4ED9A526",
   "descriptionLocation": "../../../tooling/kiota/openapi.yaml",
   "lockFileVersion": "1.0.0",
   "kiotaVersion": "1.28.0",

internal/graph/graphsdk/kiota-lock.json

@@ -20,15 +20,20 @@ import (
 	"fmt"
 	"time"
 
+	abstractions "github.com/microsoft/kiota-abstractions-go"
+
 	"k8s.io/apimachinery/pkg/util/wait"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 
 	"github.com/Azure/ARO-HCP/internal/graph/graphsdk/applications"
+	"github.com/Azure/ARO-HCP/internal/graph/graphsdk/me"
 	"github.com/Azure/ARO-HCP/internal/graph/graphsdk/models"
 	"github.com/Azure/ARO-HCP/internal/graph/graphsdk/models/odataerrors"
 )
 
+const AppRegistrationPrefix = "aro-hcp-e2e-"
+
 // Application represents a Microsoft Entra application
 type Application struct {
 	ID          string `json:"id"`
@@ -171,3 +176,59 @@ func (c *Client) GetApplication(ctx context.Context, appID string) (*Application
 		DisplayName: *app.GetDisplayName(),
 	}, nil
 }
+
+// ListOwnedExpiredApplications retrieves applications owned by the current service principal
+// where all their credentials have expired and a display name starting with the e2e prefix.
+// This uses the /me/ownedObjects endpoint to ensure we only return applications we have
+// permission to delete.
+func (c *Client) ListOwnedExpiredApplications(ctx context.Context) ([]Application, error) {
+	var apps []Application
+
+	headers := abstractions.NewRequestHeaders()
+	headers.Add("ConsistencyLevel", "eventual")
+
+	reqConfig := &me.OwnedObjectsGraphApplicationRequestBuilderGetRequestConfiguration{
+		Headers: headers,
+		QueryParameters: &me.OwnedObjectsGraphApplicationRequestBuilderGetQueryParameters{
+			Filter: to.Ptr(fmt.Sprintf("startsWith(displayName,'%s')", AppRegistrationPrefix)),
+			Count:  to.Ptr(true),
+		},
+	}
+
+	resp, err := c.graphClient.Me().OwnedObjects().GraphApplication().Get(ctx, reqConfig)
+	if err != nil {
+		return nil, fmt.Errorf("list owned applications: %w", err)
+	}
+
+	for resp != nil {
+		for _, app := range resp.GetValue() {
+			// Skip app registrations that have credentials not yet expired
+			skipApp := false
+			for _, cred := range app.GetPasswordCredentials() {
+				if cred.GetEndDateTime() != nil && cred.GetEndDateTime().After(time.Now()) {
+					skipApp = true
+					break
+				}
+			}
+			if !skipApp {
+				apps = append(apps, Application{
+					ID:          *app.GetId(),
+					AppID:       *app.GetAppId(),
+					DisplayName: *app.GetDisplayName(),
+				})
+			}
+		}
+
+		nextLink := resp.GetOdataNextLink()
+		if nextLink == nil || *nextLink == "" {
+			break
+		}
+
+		resp, err = c.graphClient.Me().OwnedObjects().GraphApplication().WithUrl(*nextLink).Get(ctx, reqConfig)
+		if err != nil {
+			return nil, fmt.Errorf("list owned applications (next page): %w", err)
+		}
+	}
+
+	return apps, nil
+}

internal/graph/graphsdk/me/me_request_builder.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/Azure/ARO-HCP/test/pkg/logger"
 	"github.com/Azure/ARO-HCP/test/util/cleanup"
+	"github.com/Azure/ARO-HCP/test/util/cleanup/appregistrations"
 	kustoroleassignments "github.com/Azure/ARO-HCP/test/util/cleanup/kusto-role-assignments"
 	"github.com/Azure/ARO-HCP/test/util/cleanup/resourcegroups"
 )
@@ -40,6 +41,7 @@ func NewCommand() *cobra.Command {
 	cmd.PersistentFlags().IntVarP(&opt.Verbosity, "verbosity", "v", opt.Verbosity, "Log verbosity level")
 
 	cmd.AddCommand(newCleanupResourceGroupsCommand())
+	cmd.AddCommand(newCleanupAppRegistrationsCommand())
 	cmd.AddCommand(newDeleteKustoRoleAssignmentsCommand())
 
 	cmd.PersistentPreRun = func(cmd *cobra.Command, args []string) {
@@ -49,6 +51,35 @@ func NewCommand() *cobra.Command {
 	return cmd
 }
 
+func newCleanupAppRegistrationsCommand() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:          "app-registrations",
+		Short:        "Delete expired e2e app registrations",
+		SilenceUsage: true,
+	}
+	rawOpt := appregistrations.DefaultOptions()
+	cmd.Flags().BoolVar(&rawOpt.DryRun, "dry-run", rawOpt.DryRun, "Print which app registrations would be deleted without deleting")
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx, cancel := signal.NotifyContext(cmd.Context(), os.Interrupt)
+		defer cancel()
+
+		validatedOpt, err := rawOpt.Validate()
+		if err != nil {
+			return err
+		}
+
+		completedOpt, err := validatedOpt.Complete(ctx)
+		if err != nil {
+			return err
+		}
+
+		return completedOpt.Run(ctx)
+	}
+
+	return cmd
+}
+
 func newDeleteKustoRoleAssignmentsCommand() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:          "kusto-role-assignments",