|
| 1 | +from office365.directory.certificates.self_signed import SelfSignedCertificate |
| 2 | +from office365.directory.key_credential import KeyCredential |
1 | 3 | from office365.directory.object_collection import DirectoryObjectCollection
|
2 | 4 | from office365.directory.object import DirectoryObject
|
| 5 | +from office365.directory.permissions.scope import PermissionScope |
| 6 | +from office365.runtime.client_result import ClientResult |
| 7 | +from office365.runtime.client_value_collection import ClientValueCollection |
3 | 8 | from office365.runtime.paths.resource_path import ResourcePath
|
| 9 | +from office365.runtime.queries.service_operation import ServiceOperationQuery |
4 | 10 |
|
5 | 11 |
|
6 | 12 | class ServicePrincipal(DirectoryObject):
|
7 | 13 | """Represents an instance of an application in a directory."""
|
8 | 14 |
|
9 | 15 | def add_key(self, key_credential, password_credential, proof):
|
10 |
| - pass |
| 16 | + """ |
| 17 | + Adds a key credential to a servicePrincipal. This method along with removeKey can be used by a servicePrincipal |
| 18 | + to automate rolling its expiring keys. |
| 19 | +
|
| 20 | + :param KeyCredential key_credential: The new application key credential to add. |
| 21 | + The type, usage and key are required properties for this usage. Supported key types are: |
| 22 | + AsymmetricX509Cert: The usage must be Verify. |
| 23 | + X509CertAndPassword: The usage must be Sign |
| 24 | + :param PasswordCredential password_credential: Only secretText is required to be set which should contain the password |
| 25 | + for the key. This property is required only for keys of type X509CertAndPassword. Set it to null otherwise. |
| 26 | + :param str proof: A self-signed JWT token used as a proof of possession of the existing keys |
| 27 | + """ |
| 28 | + payload = { |
| 29 | + "keyCredential": key_credential, |
| 30 | + "passwordCredential": password_credential, |
| 31 | + "proof": proof, |
| 32 | + } |
| 33 | + return_type = ClientResult(self.context, KeyCredential()) |
| 34 | + qry = ServiceOperationQuery(self, "addKey", None, payload, None, return_type) |
| 35 | + self.context.add_query(qry) |
| 36 | + return return_type |
11 | 37 |
|
12 | 38 | def add_password(self):
|
| 39 | + """""" |
13 | 40 | pass
|
14 | 41 |
|
| 42 | + def add_token_signing_certificate(self, display_name, end_datetime=None): |
| 43 | + """ |
| 44 | + Create a self-signed signing certificate and return a selfSignedCertificate object, which is the public part |
| 45 | + of the generated certificate. |
| 46 | +
|
| 47 | + The self-signed signing certificate is composed of the following objects, |
| 48 | + which are added to the servicePrincipal: |
| 49 | +
|
| 50 | + The keyCredentials object with the following objects: |
| 51 | + A private key object with usage set to Sign. |
| 52 | + A public key object with usage set to Verify. |
| 53 | + The passwordCredentials object. |
| 54 | + All the objects have the same value of customKeyIdentifier. |
| 55 | +
|
| 56 | + The passwordCredential is used to open the PFX file (private key). It and the associated private key object |
| 57 | + have the same value of keyId. When set during creation through the displayName property, the subject of the |
| 58 | + certificate cannot be updated. The startDateTime is set to the same time the certificate is created using |
| 59 | + the action. The endDateTime can be up to three years after the certificate is created. |
| 60 | +
|
| 61 | + :param str display_name: Friendly name for the key. It must start with CN=. |
| 62 | + :param str end_datetime: The date and time when the credential expires. It can be up to 3 years from the date |
| 63 | + the certificate is created. If not supplied, the default is three years from the time of creation. |
| 64 | + The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. |
| 65 | + For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| 66 | + """ |
| 67 | + payload = { |
| 68 | + "displayName": display_name, |
| 69 | + "endDateTime": end_datetime |
| 70 | + } |
| 71 | + return_type = ClientResult(self.context, SelfSignedCertificate()) |
| 72 | + qry = ServiceOperationQuery(self, "addTokenSigningCertificate", None, payload, None, return_type) |
| 73 | + self.context.add_query(qry) |
| 74 | + return return_type |
| 75 | + |
15 | 76 | @property
|
16 | 77 | def app_display_name(self):
|
17 | 78 | """The collection of key credentials associated with the application. Not nullable.
|
@@ -47,8 +108,22 @@ def service_principal_type(self):
|
47 | 108 | def owners(self):
|
48 | 109 | """Directory objects that are owners of this servicePrincipal.
|
49 | 110 | The owners are a set of non-admin users or servicePrincipals who are allowed to modify this object.
|
| 111 | + """ |
| 112 | + return self.properties.get('owners', |
| 113 | + DirectoryObjectCollection(self.context, ResourcePath("owners", self.resource_path))) |
50 | 114 |
|
51 |
| - :rtype: DirectoryObjectCollection |
| 115 | + @property |
| 116 | + def oauth2_permission_scopes(self): |
| 117 | + """ |
| 118 | + The delegated permissions exposed by the application. For more information see the oauth2PermissionScopes |
| 119 | + property on the application entity's api property. |
52 | 120 | """
|
53 |
| - return self.get_property('owners', |
54 |
| - DirectoryObjectCollection(self.context, ResourcePath("owners", self.resource_path))) |
| 121 | + return self.properties.get("oauth2PermissionScopes", ClientValueCollection(PermissionScope)) |
| 122 | + |
| 123 | + def get_property(self, name, default_value=None): |
| 124 | + if default_value is None: |
| 125 | + property_mapping = { |
| 126 | + "oauth2PermissionScopes": self.oauth2_permission_scopes |
| 127 | + } |
| 128 | + default_value = property_mapping.get(name, None) |
| 129 | + return super(ServicePrincipal, self).get_property(name, default_value) |
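Review bot: The `get_property` override at the end of the hunk has no docstring, while the two properties above it are documented; a one-liner such as `"""Resolve a property by its Graph name, supplying the typed default for oauth2PermissionScopes when the caller passes none."""` would make the purpose of the mapping clear. `property_mapping.get(name, None)` also spells out the default that `dict.get` already returns, so `default_value = property_mapping.get(name)` reads cleaner. The mapping is rebuilt on every call, and since its value is `self.oauth2_permission_scopes` it cannot simply be hoisted to a class attribute; a short comment like `# built per call: the default depends on self` would explain why it stays inline. The enclosing `ServicePrincipal` class starts outside this hunk.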