hvalfangst
diff --git a/‎README.md
+34-2 b/‎README.md
+34-2
diff --git a/‎images/img_1.png renamed to ‎images/secrets.png b/‎images/img_1.png renamed to ‎images/secrets.png
diff --git a/‎img.png
93.6 KB b/‎img.png
93.6 KB
diff --git a/‎img_1.png
85.5 KB b/‎img_1.png
85.5 KB
diff --git a/‎infra/allocate_resources.sh
+92-11 b/‎infra/allocate_resources.sh
+92-11
@@ -6,6 +6,9 @@ Once the CSV has been uploaded to the storage blob, another, blob-triggered Azur
 The computed statistics are then stored in a new blob container, which is used to serve the results to the user.
 These two functions are defined in the python script [function_app.py](hvalfangst_function/function_app.py) - which is the main entrypoint of our Azure Function App instance.
 
+The SPA is protected with Oauth2.0 authorization code flow with PKCE and OIDC. The user is redirected to the Azure AD login page, where they must authenticate before being redirected back to the SPA.
+
+
 The associated Azure infrastructure is deployed with a script (more on that below).
 
 A branch-triggered pipeline has been set up to deploy our code to the respective Azure resources using a GitHub Actions Workflows [script](.github/workflows/deploy_to_azure.yml). 
@@ -24,7 +27,7 @@ Thus, deploying the website is simply a matter of uploading the static files to
 
 ## Allocate resources
 
-The shell script [allocate_resources](infra/allocate_resources.sh) creates Azure resources using the Azure CLI and a
+The shell script [allocate_resources](infra/allocate_resources.sh) creates Azure resources using the Azure CLI in conjunction with a
 [Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview?tabs=bicep) template [file](infra/main.bicep). 
 
 It will create the following hierarchy of resources:
@@ -47,6 +50,26 @@ graph TD
     B -->|Contains| F
 ```
 
+## Registrations
+In addition to the resources listed above, the script will also create a **service principal** and two Microsoft Entra ID **app registrations.** 
+
+### Service Principal for GitHub Actions
+The service principal has been assigned contributor role to our resource group, which is sufficient in order to deploy the static web app to the storage blob.
+It has been assigned a federated credential configured to work with this repository as it is utilized in our CI/CD [GitHub Actions Workflow script](.github/workflows/deploy_to_azure.yml).
+
+### App Registration for Azure Function App
+
+Exposes two scopes; **Csv.Writer** and **Csv.Reader**.
+
+![img.png](img.png)
+
+### App Registration for SPA
+
+Has a redirect URI configured to the static web app's URL and the permissions **Csv.Writer** and the OIDC ones.
+
+![img_1.png](img_1.png)
+
+
 ## GitHub secrets
 Four secrets are required in order for the GitHub Actions Workflow script to deploy the code to the Azure resources. 
 As may be observed in the [script](.github/workflows/deploy_to_azure.yml), these are:
@@ -56,4 +79,13 @@ As may be observed in the [script](.github/workflows/deploy_to_azure.yml), these
 - **AZURE_TENANT_ID**: Used to authenticate the service principal in order to deploy the static web app
 - **PUBLISH_PROFILE**: Used to deploy our two functions to the Azure Function App
 
-![img_1.png](images/img_1.png)
+![secrets.png](images/secrets.png)
+
+## Usage
+After provisioning resources, setting up secrets, and pushing the code to the repository, one
+may access the static web app by navigating to the following URL:
+
+```plaintext
+https://<storage_account_name>.z6.web.core.windows.net
+```
+
@@ -108,37 +108,118 @@ if [ $? -ne 0 ]; then
     exit 1
 fi
 
-# Set up app registration for function app
+
+# Set up app registration for the function app
 echo -e "${YELLOW}Setting up app registration for function app...${RESET}"
 FUNCTION_APP_CLIENT_ID=$(az ad app create \
   --display-name "hvalfangst-function-app" \
+  --identifier-uris "api://hvalfangst-function-app" \
   --query appId -o tsv)
-
 if [ $? -ne 0 ] || [ -z "$FUNCTION_APP_CLIENT_ID" ]; then
     echo -e "${RED}Failed to set up app registration or retrieve the app ID.${RESET}"
     exit 1
 fi
 
-# Set up app settings for the function app
-echo -e "${YELLOW}Setting up app settings for function app...${RESET}"
-az functionapp config appsettings set \
-    --name ${FUNCTION_APP_NAME} \
-    --resource-group ${RESOURCE_GROUP} \
-    --settings TENANT_ID=${TENANT_ID} FUNCTION_APP_CLIENT_ID=${FUNCTION_APP_CLIENT_ID}
-if [ $? -ne 0 ]; then
-    echo -e "${RED}Failed to set up app settings for function app.${RESET}"
+# Get the object ID of the app registration
+FUNCTION_APP_OBJECT_ID=$(az ad app show --id $FUNCTION_APP_CLIENT_ID --query id -o tsv)
+
+# Get an access token for the Microsoft Graph API to be used for patching app regs associated with function app and static website
+TOKEN=$(az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv)
+if [ $? -ne 0 ] || [ -z "$TOKEN" ]; then
+    echo -e "${RED}Failed to get access token for Microsoft Graph API.${RESET}"
     exit 1
 fi
 
+# Generate UUIDs for the permissions
+CSV_READER_UUID=$(python -c 'import uuid; print(str(uuid.uuid4()))')
+CSV_WRITER_UUID=$(python -c 'import uuid; print(str(uuid.uuid4()))')
+
+# Add permissions to the app registration by calling the Microsoft Graph API with a PATCH request
+echo -e "${YELLOW}Creating scopes for the Function App...${RESET}"
+curl -X PATCH -H "Authorization: Bearer $TOKEN" \
+     -H "Content-Type: application/json" \
+     -d "{
+           \"api\": {
+               \"oauth2PermissionScopes\": [
+                   {
+                       \"id\": \"$CSV_READER_UUID\",
+                       \"adminConsentDescription\": \"Allows downloading of CSV files\",
+                       \"adminConsentDisplayName\": \"Allows downloading of CSV files\",
+                       \"isEnabled\": true,
+                       \"type\": \"Admin\",
+                       \"value\": \"Csv.Reader\"
+                   },
+                   {
+                       \"id\": \"$CSV_WRITER_UUID\",
+                       \"adminConsentDescription\": \"Allows uploading of CSV files\",
+                       \"adminConsentDisplayName\": \"Allows uploading of CSV files\",
+                       \"isEnabled\": true,
+                       \"type\": \"Admin\",
+                       \"value\": \"Csv.Writer\"
+                   }
+               ]
+           }
+       }" \
+     "https://graph.microsoft.com/v1.0/applications/$FUNCTION_APP_OBJECT_ID"
+
 # Set up app registration for the static web app
 echo -e "${YELLOW}Setting up app registration for static web app...${RESET}"
 STATIC_WEB_APP_CLIENT_ID=$(az ad app create \
   --display-name "hvalfangst-static-web-app" \
+  --web-redirect-uris "http://localhost:3000" \
   --query appId -o tsv)
-
 if [ $? -ne 0 ] || [ -z "STATIC_WEB_APP_CLIENT_ID" ]; then
     echo -e "${RED}Failed to set up app registration or retrieve the app ID.${RESET}"
     exit 1
 fi
 
+STATIC_WEB_APP_OBJECT_ID=$(az ad app show --id $STATIC_WEB_APP_CLIENT_ID --query id -o tsv)
+if [ $? -ne 0 ] || [ -z "$STATIC_WEB_APP_OBJECT_ID" ]; then
+    echo -e "${RED}Failed to retrieve the object ID of the static web app registration.${RESET}"
+    exit 1
+fi
+
+# Add permissions to the app registration associated with website by calling the Microsoft Graph API with a PATCH request
+echo -e "${YELLOW}Adding OpenID permissions for Microsoft Graph API to Static Website${RESET}"
+curl -X PATCH -H "Authorization: Bearer $TOKEN" \
+     -H "Content-Type: application/json" \
+     -d "{
+           \"requiredResourceAccess\": [
+               {
+                   \"resourceAppId\": \"00000003-0000-0000-c000-000000000000\",
+                   \"resourceAccess\": [
+                       {
+                           \"id\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",
+                           \"type\": \"Scope\"
+                       },
+                       {
+                           \"id\": \"14dad69e-099b-42c9-810b-d002981feec1\",
+                           \"type\": \"Scope\"
+                       }
+                   ]
+               },
+               {
+                   \"resourceAppId\": \"$FUNCTION_APP_CLIENT_ID\",
+                   \"resourceAccess\": [
+                       {
+                           \"id\": \"$CSV_WRITER_UUID\",
+                           \"type\": \"Scope\"
+                       }
+                   ]
+               }
+           ]
+       }" \
+     "https://graph.microsoft.com/v1.0/applications/$STATIC_WEB_APP_OBJECT_ID"
+
+# Set up app settings for the function app
+echo -e "${YELLOW}Setting up app settings for function app...${RESET}"
+az functionapp config appsettings set \
+    --name ${FUNCTION_APP_NAME} \
+    --resource-group ${RESOURCE_GROUP} \
+    --settings TENANT_ID=${TENANT_ID} FUNCTION_APP_CLIENT_ID=${FUNCTION_APP_CLIENT_ID}
+if [ $? -ne 0 ]; then
+    echo -e "${RED}Failed to set up app settings for function app.${RESET}"
+    exit 1
+fi
+
 echo -e "${GREEN}All resources have been provisioned.${RESET}"