add validate cert

Author: bryansan-local

samples/web-app-sql-database/python/scripts/deploy.sh

@@ -392,10 +392,15 @@ fi
 # Create certificate in Key Vault
 echo "Creating certificate [$CERT_NAME] in Key Vault [$KEY_VAULT_NAME]..."
 $AZ keyvault certificate create \
-	--vault-name "$KEY_VAULT_NAME" \
-	--name "$CERT_NAME" \
-	--policy "$(az keyvault certificate get-default-policy)" \
-	--only-show-errors 1>/dev/null
+    --vault-name "$KEY_VAULT_NAME" \
+    --name "$CERT_NAME" \
+    --policy '{
+        "issuerParameters": {"name": "Self"},
+        "keyProperties": {"exportable": true, "keySize": 2048, "keyType": "RSA", "reuseKey": false},
+        "secretProperties": {"contentType": "application/x-pkcs12"},
+        "x509CertificateProperties": {"subject": "CN=sample-web-app-sql", "validityInMonths": 12}
+    }' \
+    --only-show-errors
 
 if [ $? -eq 0 ]; then
 	echo "Certificate [$CERT_NAME] created successfully in Key Vault [$KEY_VAULT_NAME]."
@@ -482,34 +487,6 @@ WEB_APP_URL=$($AZ webapp show \
     --query "defaultHostName" \
     --output tsv)
 
-# Wait for web app to be ready
-echo "Waiting for web app to be ready..."
-MAX_RETRIES=10
-for i in $(seq 1 $MAX_RETRIES); do
-    HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" "https://$WEB_APP_URL" --insecure)
-    if [ "$HTTP_STATUS" -eq 200 ]; then
-        echo "Web app is responding with HTTP 200"
-        break
-    fi
-    echo "Attempt $i/$MAX_RETRIES - HTTP $HTTP_STATUS. Retrying in 5 seconds..."
-    sleep 5
-done
-
-if [ "$HTTP_STATUS" -ne 200 ]; then
-    echo "Web app failed to respond with HTTP 200 after $MAX_RETRIES attempts"
-    exit 1
-fi
-
-echo "Validating certificate from Key Vault..."
-CERT_NAME_RESPONSE=$(curl -s "https://$WEB_APP_URL/api/certificate/validate" --insecure | jq -r '.name')
-
-if [ "$CERT_NAME_RESPONSE" == "$CERT_NAME" ]; then
-    echo "Certificate [$CERT_NAME] validated successfully from web app."
-else
-    echo "Certificate validation failed. Expected [$CERT_NAME], got [$CERT_NAME_RESPONSE]."
-    exit 1
-fi
-
 # Remove the zip package of the web app
 if [ -f "$ZIPFILE" ]; then
 	rm "$ZIPFILE"

samples/web-app-sql-database/python/scripts/get-web-app-url.sh

@@ -65,6 +65,28 @@ get_docker_container_port_mapping() {
 	echo "$host_port"
 }
 
+wait_for_http_response() {
+	local url="$1"
+	local description="$2"
+	local max_retries="${3:-5}"
+	local retry_interval="${4:-5}"
+
+	echo "Waiting for [$description] to respond at [$url]..."
+
+	for i in $(seq 1 $max_retries); do
+		http_status=$(curl -s -o /dev/null -w "%{http_code}" "$url" --max-time 5)
+		if [ "$http_status" -eq 200 ]; then
+			echo "[$description] is responding with HTTP 200"
+			return 0
+		fi
+		echo "Attempt $i/$max_retries - HTTP $http_status. Retrying in ${retry_interval}s..."
+		sleep $retry_interval
+	done
+
+	echo "Error: [$description] failed to respond with HTTP 200 after $max_retries attempts" >&2
+	return 1
+}
+
 call_web_app() {
 	# Get the web app name
 	echo "Getting web app name..."
@@ -180,6 +202,35 @@ call_web_app() {
 	else
 		echo "Failed to retrieve host port"
 	fi
+
+	echo "Validating certificate from Key Vault..."
+	KV_RESPONSE=$(curl -sk "https://$container_ip:8443/api/certificate/validate")
+	KV_THUMBPRINT=$(echo "$KV_RESPONSE" | jq -r '.thumbprint')
+	KV_NAME=$(echo "$KV_RESPONSE" | jq -r '.name')
+	KV_SUBJECT=$(echo "$KV_RESPONSE" | jq -r '.subject')
+
+	SSL_THUMBPRINT=$(echo | openssl s_client -connect "$container_ip:8443" 2>/dev/null \
+		| openssl x509 -fingerprint -noout -sha1 \
+		| sed 's/.*=//;s/://g' \
+		| tr '[:upper:]' '[:lower:]')
+
+	if [ "$KV_THUMBPRINT" == "$SSL_THUMBPRINT" ]; then
+		echo "Certificate [$KV_NAME] validated: SSL cert matches Key Vault cert."
+	else
+		echo "Certificate mismatch! KV: $KV_THUMBPRINT, SSL: $SSL_THUMBPRINT"
+		exit 1
+	fi
+	
+	SSL_SUBJECT=$(echo "$SSL_CERT" \
+		| openssl x509 -noout -subject \
+		| sed 's/subject=//')
+
+	if echo "$SSL_SUBJECT" | grep -q "$KV_SUBJECT"; then
+		echo "Certificate subject [$KV_SUBJECT] matches SSL certificate."
+	else
+		echo "Certificate subject mismatch! KV: $KV_SUBJECT, SSL: $SSL_SUBJECT"
+		exit 1
+	fi
 }
 
 call_web_app

samples/web-app-sql-database/python/src/app.py

@@ -183,6 +183,6 @@ def validate_certificate():
 
     if vault_uri and cert_name:
         ssl_ctx = get_ssl_context_from_keyvault(vault_uri, cert_name)
-        app.run(host='0.0.0.0', port=443, ssl_context=ssl_ctx)
+        app.run(host='0.0.0.0', port=8443, ssl_context=ssl_ctx)
     else:
         app.run(debug=debug)

samples/web-app-sql-database/python/src/certificates.py

@@ -1,5 +1,6 @@
 """Certificate helper module for Azure Key Vault integration."""
 import base64
+import hashlib
 import logging
 import os
 import ssl
@@ -81,6 +82,17 @@ def get_certificate_info(vault_url: str, cert_name: str) -> dict:
     cert_client = CertificateClient(vault_url=vault_url, credential=credential)
     cert = cert_client.get_certificate(cert_name)
 
+    x509_cert_bytes = cert.cer
+    if x509_cert_bytes is None:
+        raise ValueError(f"Certificate '{cert_name}' has no public bytes (cer is None)")
+
+    if cert.policy is None:
+        raise ValueError(f"Certificate '{cert_name}' has no policy")
+
+    thumbprint = hashlib.sha1(x509_cert_bytes).hexdigest()
+
     return {
-        "name": cert.name
+        "name": cert.name,
+        "subject": cert.policy.subject,
+        "thumbprint": thumbprint,
     }