
Commit a87032d

commit
1 parent 1b75747 commit a87032d

2 files changed

Lines changed: 37 additions & 14 deletions


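--- a/infra/scripts/configure_auth.sh
+++ b/infra/scripts/configure_auth.sh
@@ -9,6 +9,29 @@
 
 set -euo pipefail
 
+TEMP_FILES=()
+
+cleanup_temp_files() {
+local f
+for f in "${TEMP_FILES[@]:-}"; do
+[[ -n "$f" ]] && rm -f "$f"
+done
+}
+
+make_temp_file() {
+local prefix="$1"
+local tmp_file
+if ! tmp_file="$(mktemp "${TMPDIR:-/tmp}/${prefix}.XXXXXX" 2>/dev/null)"; then
+tmp_file="$(mktemp -t "${prefix}.XXXXXX" 2>/dev/null)" || {
+echo "❌ Failed to create temp file for ${prefix}" >&2
+exit 1
+}
+fi
+TEMP_FILES+=("$tmp_file")
+printf '%s\n' "$tmp_file"
+}
+
+trap cleanup_temp_files EXIT
 if [[ "${AZURE_SKIP_AUTH_SETUP:-false}" == "true" ]]; then
 echo "⏭️ AZURE_SKIP_AUTH_SETUP=true — skipping auth configuration."
 exit 0
@@ -343,7 +366,8 @@ API_SCOPE_ID="$(az ad app show --id "$API_CLIENT_ID" \
 --query "api.oauth2PermissionScopes[?value=='user_impersonation'].id | [0]" -o tsv)"
 if [[ -z "$API_SCOPE_ID" || "$API_SCOPE_ID" == "null" ]]; then
 API_SCOPE_ID="$(generate_uuid)"
-cat > /tmp/api_scope_patch.json <<EOF
+api_scope_patch_file="$(make_temp_file api_scope_patch)"
+cat > "$api_scope_patch_file" <<EOF
 {
 "identifierUris": ["$API_IDENTIFIER_URI"],
 "api": {
@@ -363,8 +387,7 @@ EOF
 retry az rest --method PATCH \
 --url "https://graph.microsoft.com/v1.0/applications/${API_APP_OBJECT_ID}" \
 --headers "Content-Type=application/json" \
---body @/tmp/api_scope_patch.json >/dev/null
-rm -f /tmp/api_scope_patch.json
+--body @"$api_scope_patch_file" >/dev/null
 echo " ✓ Exposed scope api://${API_CLIENT_ID}/user_impersonation"
 else
 echo " ↺ API scope already exposed"
@@ -408,7 +431,8 @@ WEB_SCOPE_ID="$(az ad app show --id "$WEB_CLIENT_ID" \
 --query "api.oauth2PermissionScopes[?value=='user_impersonation'].id | [0]" -o tsv)"
 [[ -z "$WEB_SCOPE_ID" || "$WEB_SCOPE_ID" == "null" ]] && WEB_SCOPE_ID="$(generate_uuid)"
 
-cat > /tmp/web_patch.json <<EOF
+web_patch_file="$(make_temp_file web_patch)"
+cat > "$web_patch_file" <<EOF
 {
 "identifierUris": ["$WEB_IDENTIFIER_URI"],
 "spa": { "redirectUris": ["$WEB_URL", "$WEB_URL/"] },
@@ -440,8 +464,7 @@ EOF
 retry az rest --method PATCH \
 --url "https://graph.microsoft.com/v1.0/applications/${WEB_APP_OBJECT_ID}" \
 --headers "Content-Type=application/json" \
---body @/tmp/web_patch.json >/dev/null
-rm -f /tmp/web_patch.json
+--body @"$web_patch_file" >/dev/null
 echo " ✓ Web SPA redirect, scope, and required permissions configured"
 
 WEB_SCOPE_VALUE="api://${WEB_CLIENT_ID}/user_impersonation"
@@ -452,13 +475,13 @@ WEB_SCOPE_VALUE="api://${WEB_CLIENT_ID}/user_impersonation"
 echo ""
 echo "➡️ Step 3/6: Granting admin consent"
 CONSENT_OK=true
-if ! retry az ad app permission admin-consent --id "$WEB_CLIENT_ID" 2>/tmp/consent_err; then
+consent_err_file="$(make_temp_file consent_err)"
+if ! retry az ad app permission admin-consent --id "$WEB_CLIENT_ID" 2>"$consent_err_file"; then
 CONSENT_OK=false
 echo " ⚠️ Admin consent failed. Sign-in may fail until a tenant admin runs:"
 echo " az ad app permission admin-consent --id $WEB_CLIENT_ID"
 echo " Or visit: https://login.microsoftonline.com/${TENANT_ID}/adminconsent?client_id=${WEB_CLIENT_ID}"
-cat /tmp/consent_err | sed 's/^/ /'
-rm -f /tmp/consent_err
+sed 's/^/ /' "$consent_err_file"
 else
 echo " ✓ Admin consent granted"
 fi
@@ -608,11 +631,11 @@ else:
 gv['redirectToProvider'] = 'azureactivedirectory'
 print(json.dumps(d))
 ")"
-echo "$patched" > /tmp/authconfig_patch.json
+authconfig_patch_file="$(make_temp_file authconfig_patch)"
+echo "$patched" > "$authconfig_patch_file"
 retry az rest --method put --url "$url" \
 --headers "Content-Type=application/json" \
---body @/tmp/authconfig_patch.json >/dev/null
-rm -f /tmp/authconfig_patch.json
+--body @"$authconfig_patch_file" >/dev/null
 }
 
 patch_authconfig "$API_NAME" "$API_CLIENT_ID" "true"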
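Review bot: `TEMP_FILES+=("$tmp_file")` in make_temp_file never reaches the main shell, because every caller in the later hunks invokes it inside a command substitution (`api_scope_patch_file="$(make_temp_file api_scope_patch)"`, and the same shape for web_patch, consent_err and authconfig_patch), so the append happens in a subshell and is discarded. cleanup_temp_files therefore iterates an empty array on EXIT, and since the same hunks also drop the old `rm -f /tmp/...` lines, each patch JSON and the captured consent error output now remain on disk after the script finishes — a regression from the previous cleanup even though the predictable /tmp names are gone. Returning the path through a named variable instead of stdout keeps the registration in the calling shell; the function becomes the following and is called as `make_temp_file api_scope_patch_file api_scope_patch` (likewise at the other four sites). `printf -v` is used rather than a nameref so the script still runs on bash releases older than 4.3.
```shell
# make_temp_file VARNAME PREFIX: create a private temp file, register it for
# removal by the EXIT trap, and store its path in the variable named VARNAME.
make_temp_file() {
  local out_var="$1"
  local prefix="$2"
  local tmp_file
  # … unchanged: mktemp with TMPDIR fallback and error exit …
  TEMP_FILES+=("$tmp_file")
  printf -v "$out_var" '%s' "$tmp_file"
}
```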

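--- a/infra/scripts/post_deployment.sh
+++ b/infra/scripts/post_deployment.sh
@@ -37,8 +37,8 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # Go from infra/scripts → root → src
 DATA_SCRIPT_PATH="$SCRIPT_DIR/../../src/ContentProcessorAPI/samples/schemas"
 
-# Normalize the path (optional, in case of ../..)
-DATA_SCRIPT_PATH="$(realpath "$DATA_SCRIPT_PATH")"
+# Normalize the directory path portably (resolves ../.. without requiring realpath)
+DATA_SCRIPT_PATH="$(cd "$DATA_SCRIPT_PATH" && pwd -P)"
 
 POST_DEPLOYMENT_MODE="${POST_DEPLOYMENT_MODE:-all}"
 case "$POST_DEPLOYMENT_MODE" in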
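Review bot: The new `cd … && pwd -P` form assigns an empty DATA_SCRIPT_PATH when the schemas directory is missing, and unless this script runs under `set -e` (not visible in this hunk) execution continues with that empty path. Guarding the assignment makes the failure explicit and names the directory that was expected: `DATA_SCRIPT_PATH="$(cd "$DATA_SCRIPT_PATH" && pwd -P)" || { echo "cannot resolve schemas directory under $SCRIPT_DIR" >&2; exit 1; }`.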
