Add minimal authentication package for Azure using client credentials

Add function to create self-signed certificates with PEM format
Update .gitignore to include additional shell secrets and certificate files
2025-11-03 13:41:21 +01:00 · 2025-11-03 13:37:34 +01:00 · 2025-11-03 13:37:25 +01:00
3 changed files with 122 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,11 @@ __pycache__/

 # Ignore prototype scripts
 prototype_*.py
+
+# Shell secrets
+*.secret
+
+# Certificate files
+*.pem
+*.key
+*.crt
--- a/sk/azure.py
+++ b/sk/azure.py
@@ -0,0 +1,28 @@
+"""
+Minimal Authentication package for Azure.
+
+Uses client credentials - a secret or a certificate.
+"""
+
+import os
+import requests
+
+def secret_credentials_auth(
+        scope: str = "https://app.vssps.visualstudio.com/.default",
+        tenant_id: str = os.environ.get("AZURE_TENANT_ID", ""),
+        client_id: str = os.environ.get("AZURE_CLIENT_ID", ""),
+        client_secret: str = os.environ.get("AZURE_CLIENT_SECRET")
+        ) -> str:
+    """
+    Authenticate using client credentials. Pass credentials via environment variables,
+    or directly as function parameters.
+    """
+    token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
+    r = requests.get(token_url, data={
+        "grant_type": "client_credentials",
+        "client_id": client_id,
+        "client_secret": client_secret,
+        "scope": scope
+    })
+    r.raise_for_status()
+    return r.json().get("access_token", "")
--- a/sk/certificates.py
+++ b/sk/certificates.py
@@ -0,0 +1,86 @@
+import datetime
+from cryptography.x509 import Name, NameAttribute, CertificateBuilder, BasicConstraints, random_serial_number
+from cryptography.x509.oid import NameOID
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+import pathlib
+
+def create_self_signed_certificate(
+        file_path: str,
+        subject_name: str,
+        organization_name: str,
+        country_name: str,
+        valid_days: int = 365,
+        key_size: int = 2048
+):
+    """
+    Create a self-signed certificate. It saves the certificate and private key
+    in PEM format to the specified file path. Three files are created:
+
+    - <file_path>.crt : The public certificate
+    - <file_path>.key : The private key
+    - <file_path>.pem : The certificate and private key combined in one file
+
+    :param file_path: Base file path to save the certificate and key.
+    :param subject_name: Common Name (CN) for the certificate.
+    :param organization_name: Organization Name (O) for the certificate.
+    :param country_name: Country Name (C) for the certificate.
+    :param valid_days: Number of days the certificate is valid for.
+    :param key_size: Size of the RSA key.
+
+    Use the following command to replace any credentials already defined for the 
+    App Registration with that certificate:
+    
+    az ad app credential reset --id <CLIENT_ID> --cert @<file_path>.crt
+
+    Use --append to add the certificate without removing existing credentials.
+
+    > Note: Do not upload the private key file (.key) nor the combined PEM file (.pem).
+    """
+    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
+
+    subject = issuer = Name([
+        NameAttribute(NameOID.COUNTRY_NAME, country_name),
+        NameAttribute(NameOID.ORGANIZATION_NAME, organization_name),
+        NameAttribute(NameOID.COMMON_NAME, subject_name),
+    ])
+
+    cert = (
+        CertificateBuilder()
+        .subject_name(subject)
+        .issuer_name(issuer)
+        .public_key(key.public_key())
+        .serial_number(random_serial_number())
+        .not_valid_before(datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(days=1))
+        .not_valid_after(datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=valid_days))
+        .add_extension(BasicConstraints(ca=True, path_length=None), critical=True)
+        .sign(key, hashes.SHA256())
+    )
+
+    crt_path = pathlib.Path(file_path).with_suffix('.crt')
+    key_path = pathlib.Path(file_path).with_suffix('.key')
+    pem_path = pathlib.Path(file_path).with_suffix('.pem')
+    
+    public_key = cert.public_bytes(serialization.Encoding.PEM)
+    private_key = key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.TraditionalOpenSSL,
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+    
+    # Write the certificate
+    with open(crt_path, "wb") as f:
+        f.write(public_key)
+
+    # Write the private key
+    with open(key_path, "wb") as f:
+        f.write(private_key)
+    
+    with open(pem_path, "wb") as f:
+        f.write(public_key)
+        f.write(private_key)
+
+    print(f"Certificate created and saved.")
+    print(f" - Certificate: {crt_path}")
+    print(f" - Private Key: {key_path}")
+    print(f" - PEM File: {pem_path}")
Author	SHA1	Message	Date
Slawek Koszewski	2f2cb1c337	Add minimal authentication package for Azure using client credentials All checks were successful / unit-tests (push) Successful in 11s Details	2025-11-03 13:41:21 +01:00
Slawek Koszewski	ddab4df55f	Add function to create self-signed certificates with PEM format	2025-11-03 13:37:34 +01:00
Slawek Koszewski	6e757dd0b8	Update .gitignore to include additional shell secrets and certificate files	2025-11-03 13:37:25 +01:00