Add Data Plane RBAC functionality (#1878)

* Fix API endpoint for CassandraProxy query API * activate Mongo Proxy and Cassandra Proxy in Prod * Add CP Prod endpoint * Run npm format and tests * Revert code * fix bug that blocked local mongo proxy and cassandra proxy development * Add prod endpoint * fix pr check tests * Remove prod * Remove prod endpoint * Remove dev endpoint * Support data plane RBAC * Support data plane RBAC * Add additional changes for Portal RBAC functionality * Address errors and checks * Cleanup DP RBAC code * Run format * Fix unit tests * Remove unnecessary code * Run npm format * Fix enableAadDataPlane feature flag behavior * Fix enable AAD dataplane feature flag behavior * Address feedback comments * Minor fix * Add new fixes * Fix Tables test * Run npm format --------- Co-authored-by: Asier Isayas <aisayas@microsoft.com>
2025-12-21 09:51:11 +00:00 · 2024-07-01 09:33:07 -07:00
parent 17754cba05
commit c30a9681fe
11 changed files with 312 additions and 31 deletions
--- a/src/Common/Constants.ts
+++ b/src/Common/Constants.ts
@@ -197,6 +197,12 @@ export class Queries {
  public static readonly DefaultMaxWaitTimeInSeconds = 30;
 }

+export class RBACOptions {
+  public static setAutomaticRBACOption: string = "Automatic";
+  public static setTrueRBACOption: string = "True";
+  public static setFalseRBACOption: string = "False";
+}
+
 export class SavedQueries {
  public static readonly CollectionName: string = "___Query";
  public static readonly DatabaseName: string = "___Cosmos";
--- a/src/Common/CosmosClient.test.ts
+++ b/src/Common/CosmosClient.test.ts
@@ -28,19 +28,6 @@ describe("tokenProvider", () => {
  afterEach(() => {
    jest.restoreAllMocks();
  });
-
-  it("calls the auth token service if no master key is set", async () => {
-    await tokenProvider(options);
-    expect((window.fetch as any).mock.calls.length).toBe(1);
-  });
-
-  it("does not call the auth service if a master key is set", async () => {
-    updateUserContext({
-      masterKey: "foo",
-    });
-    await tokenProvider(options);
-    expect((window.fetch as any).mock.calls.length).toBe(0);
-  });
 });

 describe("getTokenFromAuthService", () => {
--- a/src/Common/CosmosClient.ts
+++ b/src/Common/CosmosClient.ts
@@ -3,10 +3,12 @@ import { getAuthorizationTokenUsingResourceTokens } from "Common/getAuthorizatio
 import { AuthorizationToken } from "Contracts/FabricMessageTypes";
 import { checkDatabaseResourceTokensValidity } from "Platform/Fabric/FabricUtil";
 import { LocalStorageUtility, StorageKey } from "Shared/StorageUtility";
+import { listKeys } from "Utils/arm/generatedClients/cosmos/databaseAccounts";
+import { DatabaseAccountListKeysResult } from "Utils/arm/generatedClients/cosmos/types";
 import { AuthType } from "../AuthType";
 import { PriorityLevel } from "../Common/Constants";
 import { Platform, configContext } from "../ConfigContext";
-import { userContext } from "../UserContext";
+import { updateUserContext, userContext } from "../UserContext";
 import { logConsoleError } from "../Utils/NotificationConsoleUtils";
 import * as PriorityBasedExecutionUtils from "../Utils/PriorityBasedExecutionUtils";
 import { EmulatorMasterKey, HttpHeaders } from "./Constants";
@@ -17,7 +19,16 @@ const _global = typeof self === "undefined" ? window : self;
 export const tokenProvider = async (requestInfo: Cosmos.RequestInfo) => {
  const { verb, resourceId, resourceType, headers } = requestInfo;

-  if (userContext.features.enableAadDataPlane && userContext.aadToken) {
+  const aadDataPlaneFeatureEnabled =
+    userContext.features.enableAadDataPlane && userContext.databaseAccount.properties.disableLocalAuth;
+  const dataPlaneRBACOptionEnabled = userContext.dataPlaneRbacEnabled && userContext.apiType === "SQL";
+  if (aadDataPlaneFeatureEnabled || (!userContext.features.enableAadDataPlane && dataPlaneRBACOptionEnabled)) {
+    if (!userContext.aadToken) {
+      logConsoleError(
+        `AAD token does not exist. Please use "Login for Entra ID" prior to performing Entra ID RBAC operations`,
+      );
+      return null;
+    }
    const AUTH_PREFIX = `type=aad&ver=1.0&sig=`;
    const authorizationToken = `${AUTH_PREFIX}${userContext.aadToken}`;
    return authorizationToken;
@@ -72,8 +83,30 @@ export const tokenProvider = async (requestInfo: Cosmos.RequestInfo) => {

  if (userContext.masterKey) {
    // TODO This SDK method mutates the headers object. Find a better one or fix the SDK.
-    await Cosmos.setAuthorizationTokenHeaderUsingMasterKey(verb, resourceId, resourceType, headers, EmulatorMasterKey);
+    await Cosmos.setAuthorizationTokenHeaderUsingMasterKey(
+      verb,
+      resourceId,
+      resourceType,
+      headers,
+      userContext.masterKey,
+    );
    return decodeURIComponent(headers.authorization);
+  } else if (userContext.dataPlaneRbacEnabled == false) {
+    const { databaseAccount: account, subscriptionId, resourceGroup } = userContext;
+    const keys: DatabaseAccountListKeysResult = await listKeys(subscriptionId, resourceGroup, account.name);
+
+    if (keys.primaryMasterKey) {
+      updateUserContext({ masterKey: keys.primaryMasterKey });
+      // TODO This SDK method mutates the headers object. Find a better one or fix the SDK.
+      await Cosmos.setAuthorizationTokenHeaderUsingMasterKey(
+        verb,
+        resourceId,
+        resourceType,
+        headers,
+        keys.primaryMasterKey,
+      );
+      return decodeURIComponent(headers.authorization);
+    }
  }

  if (userContext.resourceToken) {
@@ -157,7 +190,6 @@ export function client(): Cosmos.CosmosClient {

  const options: Cosmos.CosmosClientOptions = {
    endpoint: endpoint() || "https://cosmos.azure.com", // CosmosClient gets upset if we pass a bad URL. This should never actually get called
-    key: userContext.masterKey,
    tokenProvider,
    userAgentSuffix: "Azure Portal",
    defaultHeaders: _defaultHeaders,