OctopusDeploy · tothegills · Oct 8, 2021 · Oct 8, 2021 · Oct 8, 2021 · Oct 9, 2021
@@ -0,0 +1,8 @@
+# Run this script after installing a new version of Octopus Server, but before starting it (due to file lock and dependency load issues).
+
+$OctopusServerBinaryLocation = "E:\Program Files\Octopus Deploy\Octopus" # Make sure this points to where you install the Octopus Server binaries
+$OctopusServerCustomExtensionsLocation = "C:\ProgramData\Octopus\CustomExtensions\" # This should always point to where the Octopus Server CustomExtenions folder lives
+
+Copy-Item "$OctopusServerBinaryLocation\Octopus.Data.dll" -Destination "$OctopusServerCustomExtensionsLocation" -Force
+Copy-Item "$OctopusServerBinaryLocation\Octopus.Server.Extensibility.Authentication.dll" -Destination "$OctopusServerCustomExtensionsLocation" -Force
+Copy-Item "$OctopusServerBinaryLocation\BuiltInExtensions\Octopus.Server.Extensibility.Authentication.OpenIDConnect.Common.dll" -Destination "$OctopusServerCustomExtensionsLocation" -Force
@@ -24,5 +24,9 @@
     <None Include="..\..\LICENSE.txt" Pack="true" PackagePath=""/>
     <None Include="..\..\build\icon.png" Pack="true" PackagePath=""/>
   </ItemGroup>
-
+    <ItemGroup>
+        <Reference Include="Octopus.Server.Client">
+            <HintPath>C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.Client.dll</HintPath>
+        </Reference>
+    </ItemGroup>
 </Project>
@@ -1,6 +1,7 @@
 using System.ComponentModel;
 using Octopus.Client.Extensibility.Attributes;
 using Octopus.Client.Extensibility.Authentication.OpenIDConnect.Configuration;
+using Octopus.Client.Model;
 
 namespace Octopus.Client.Extensibility.Authentication.AzureAD.Configuration
 {
@@ -16,5 +17,10 @@ public AzureADConfigurationResource()
         [Description("Tell Octopus how to find the roles/groups in the security token from Azure Active Directory (usually \"roles\" or \"groups\")")]
         [Writeable]
         public string RoleClaimType { get; set; }
+
+        [DisplayName("Client Access Key")]
+        [Description("The Azure app registration secret access key. This is used for authenticating against the Azure GraphAPI for group overage lookups. If left blank it will disable Azure GraphAPI lookups. [Learn more](https://github.com/StephenShamakian/OpenIDConnectAuthenticationProviders#readme)")]
+        [Writeable]
+        public SensitiveValue ClientKey { get; set; }
     }
 }
@@ -23,5 +23,9 @@
     <None Include="..\..\LICENSE.txt" Pack="true" PackagePath=""/>
     <None Include="..\..\build\icon.png" Pack="true" PackagePath=""/>
   </ItemGroup>
-
+    <ItemGroup>
+        <Reference Include="Octopus.Server.Client">
+            <HintPath>C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.Client.dll</HintPath>
+        </Reference>
+    </ItemGroup>
 </Project>
@@ -23,5 +23,9 @@
     <None Include="..\..\LICENSE.txt" Pack="true" PackagePath=""/>
     <None Include="..\..\build\icon.png" Pack="true" PackagePath=""/>
   </ItemGroup>
-
+    <ItemGroup>
+        <Reference Include="Octopus.Server.Client">
+            <HintPath>C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.Client.dll</HintPath>
+        </Reference>
+    </ItemGroup>
 </Project>
@@ -23,5 +23,9 @@
     <None Include="..\..\LICENSE.txt" Pack="true" PackagePath=""/>
     <None Include="..\..\build\icon.png" Pack="true" PackagePath=""/>
   </ItemGroup>
-
+    <ItemGroup>
+        <Reference Include="Octopus.Server.Client">
+            <HintPath>C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.Client.dll</HintPath>
+        </Reference>
+    </ItemGroup>
 </Project>
@@ -15,13 +15,13 @@
     <PackageProjectUrl>https://github.com/OctopusDeploy/OpenIDConnectAuthenticationProviders</PackageProjectUrl>
   </PropertyGroup>
 
-  <ItemGroup>
-    <PackageReference Include="Octopus.Server.Client" Version="11.2.3319" />
-  </ItemGroup>
-
   <ItemGroup>
     <None Include="..\..\LICENSE.txt" Pack="true" PackagePath="" />
     <None Include="..\..\build\icon.png" Pack="true" PackagePath="" />
   </ItemGroup>
-
+<ItemGroup>
+    <Reference Include="Octopus.Server.Client">
+        <HintPath>C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.Client.dll</HintPath>
+    </Reference>
+</ItemGroup>
 </Project>
@@ -20,7 +20,7 @@
 
 namespace Octopus.Server.Extensibility.Authentication.AzureAD
 {
-    [OctopusPlugin("AzureAD", "Octopus Deploy")]
+    [OctopusPlugin("AzureAD - GraphAPI Support", "Octopus Deploy (Modified by: Stephen Shamakian)")]
     public class AzureADExtension : OpenIDConnectExtension, IOctopusExtension
     {
         public override void Load(ContainerBuilder builder)

@@ -1,4 +1,5 @@
-using Octopus.Server.Extensibility.Authentication.OpenIDConnect.Common.Configuration;
+using Octopus.Data.Model;
+using Octopus.Server.Extensibility.Authentication.OpenIDConnect.Common.Configuration;
 
 namespace Octopus.Server.Extensibility.Authentication.AzureAD.Configuration
 {
@@ -10,5 +11,7 @@ public AzureADConfiguration() : base(AzureADConfigurationStore.SingletonId, "Azu
         {
             RoleClaimType = DefaultRoleClaimType;
         }
+
+        public SensitiveString? ClientKey { get; set; }
     }
 }
@@ -1,5 +1,6 @@
 using System.ComponentModel;
 using Octopus.Server.Extensibility.Authentication.OpenIDConnect.Common.Configuration;
+using Octopus.Server.MessageContracts;
 using Octopus.Server.MessageContracts.Attributes;
 
 namespace Octopus.Server.Extensibility.Authentication.AzureAD.Configuration
@@ -11,5 +12,10 @@ class AzureADConfigurationResource : OpenIDConnectConfigurationResource
         [Description("Tell Octopus how to find the roles/groups in the security token from Azure Active Directory (usually \"roles\" or \"groups\")")]
         [Writeable]
         public string? RoleClaimType { get; set; }
+
+        [DisplayName("Client Access Key")]
+        [Description("The Azure app registration secret access key. This is used for authenticating against the Azure GraphAPI for group overage lookups. If left blank it will disable Azure GraphAPI lookups. [Learn more](https://github.com/StephenShamakian/OpenIDConnectAuthenticationProviders#readme)")]
+        [Writeable]
+        public SensitiveValue? ClientKey { get; set; }
     }
 }
@@ -1,4 +1,5 @@
 using System.Collections.Generic;
+using Octopus.Data.Model;
 using Octopus.Server.Extensibility.Authentication.OpenIDConnect.Common.Configuration;
 using Octopus.Server.Extensibility.Extensions.Infrastructure.Configuration;
 
@@ -21,6 +22,7 @@ public override IEnumerable<IConfigurationValue> GetConfigurationValues()
                 yield return configurationValue;
             }
             yield return new ConfigurationValue<string?>($"Octopus.{ConfigurationDocumentStore.ConfigurationSettingsName}.RoleClaimType", ConfigurationDocumentStore.GetRoleClaimType(), ConfigurationDocumentStore.GetIsEnabled() && ConfigurationDocumentStore.GetRoleClaimType() != AzureADConfiguration.DefaultRoleClaimType, "Role Claim Type");
+            yield return new ConfigurationValue<SensitiveString?>($"Octopus.{ConfigurationDocumentStore.ConfigurationSettingsName}.ClientKey", ConfigurationDocumentStore.GetClientKey(), ConfigurationDocumentStore.GetIsEnabled(), "Client Access Key");
         }
 
     }

@@ -1,19 +1,33 @@
-using Octopus.Data.Storage.Configuration;
+using Octopus.Data.Model;
+using Octopus.Data.Storage.Configuration;
+using Octopus.Diagnostics;
 using Octopus.Server.Extensibility.Authentication.OpenIDConnect.Common.Configuration;
 
 namespace Octopus.Server.Extensibility.Authentication.AzureAD.Configuration
 {
     class AzureADConfigurationStore : OpenIDConnectConfigurationWithRoleStore<AzureADConfiguration>, IAzureADConfigurationStore
     {
         public const string SingletonId = "authentication-aad";
+        ISystemLog log;
 
         public override string Id => SingletonId;
 
         public override string ConfigurationSettingsName => "AzureAD";
 
         public AzureADConfigurationStore(
-            IConfigurationStore configurationStore) : base(configurationStore)
+            IConfigurationStore configurationStore, ISystemLog log) : base(configurationStore)
         {
+            this.log = log;
         }
+
+        public SensitiveString? GetClientKey() => GetProperty(doc => doc.ClientKey);
+
+        public void SetClientKey(SensitiveString? key) => SetProperty(doc =>
+        {
+            if (!string.IsNullOrEmpty(key?.Value))
+                log.WithSensitiveValue(key.Value);
+
+            doc.ClientKey = key;
+        });
     }
 }
@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using Octopus.Data.Model;
 using Octopus.Diagnostics;
 using Octopus.Server.Extensibility.Authentication.OpenIDConnect.Common.Configuration;
 using Octopus.Server.Extensibility.Extensions.Infrastructure.Configuration;
@@ -9,12 +10,15 @@ namespace Octopus.Server.Extensibility.Authentication.AzureAD.Configuration
 {
     class AzureADConfigureCommands : OpenIDConnectConfigureCommands<IAzureADConfigurationStore>
     {
+        readonly ISystemLog log;
+
         public AzureADConfigureCommands(
             ISystemLog log,
             Lazy<IAzureADConfigurationStore> configurationStore,
             Lazy<IWebPortalConfigurationStore> webPortalConfigurationStore)
             : base(log, configurationStore, webPortalConfigurationStore)
         {
+            this.log = log;
         }
 
         protected override string ConfigurationSettingsName => "azureAD";
@@ -30,6 +34,19 @@ public override IEnumerable<ConfigureCommandOption> GetOptions()
                 ConfigurationStore.Value.SetRoleClaimType(v);
                 Log.Info($"{ConfigurationSettingsName} RoleClaimType set to: {v}");
             });
+            yield return new ConfigureCommandOption($"{ConfigurationSettingsName}ClientKey=", "The App Registration secret access key. Used for authenticating against the GraphAPI for group overage lookups.", v =>
+            {
+                if (!string.IsNullOrEmpty(v))
+                {
+                    ConfigurationStore.Value.SetClientKey(v.ToSensitiveString());
+                    log.Info("Azure AD Graph API Client Key set to provided value");
+                }
+                else
+                {
+                    ConfigurationStore.Value.SetClientKey(null);
+                    log.Info("Azure AD Graph API Client Key set to null (anonymous bind)");
+                }
+            });
         }
     }
 }
@@ -1,8 +1,13 @@
-using Octopus.Server.Extensibility.Authentication.OpenIDConnect.Common.Configuration;
+using Octopus.Data.Model;
+using Octopus.Server.Extensibility.Authentication.OpenIDConnect.Common.Configuration;
 
 namespace Octopus.Server.Extensibility.Authentication.AzureAD.Configuration
 {
     interface IAzureADConfigurationStore : IOpenIDConnectConfigurationWithRoleStore<AzureADConfiguration>
     {
+
+        SensitiveString? GetClientKey();
+        void SetClientKey(SensitiveString? key);
+
     }
 }
@@ -0,0 +1,76 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Octopus.Core.Infrastructure.Mapping;
+using Octopus.Data.Model;
+
+namespace Octopus.Server.Extensibility.Authentication.AzureAD.Configuration
+{
+    class MapFromAzureADConfigurationResourceToAzureADConfiguration : IMapToNew<AzureADConfigurationResource, AzureADConfiguration>, IMapToExisting<AzureADConfigurationResource, AzureADConfiguration>
+    {
+        public async Task<AzureADConfiguration> Map(AzureADConfigurationResource source, CancellationToken cancellationToken)
+        {
+            await Task.CompletedTask;
+            var target = new AzureADConfiguration();
+
+            target.IsEnabled = source.IsEnabled;
+            target.Issuer = source.Issuer;
+            target.RoleClaimType = source.RoleClaimType;
+            target.AllowAutoUserCreation = source.AllowAutoUserCreation ?? false;
+            target.ClientId = source.ClientId;
+
+            if (source.ClientSecret is { HasValue: true, NewValue: { } })
+            {
+                target.ClientSecret = source.ClientSecret.NewValue.ToSensitiveString();
+            }
+
+            if (source.ClientSecret is not { HasValue: true })
+            {
+                target.ClientSecret = null;
+            }
+
+            if (source.ClientKey is { HasValue: true, NewValue: { } })
+            {
+                target.ClientKey = source.ClientKey.NewValue.ToSensitiveString();
+            }
+
+            if (source.ClientKey is not { HasValue: true })
+            {
+                target.ClientKey = null;
+            }
+
+            return target;
+        }
+
+        public async Task Map(AzureADConfigurationResource source, AzureADConfiguration target, CancellationToken cancellationToken)
+        {
+            await Task.CompletedTask;
+
+            target.IsEnabled = source.IsEnabled;
+            target.Issuer = source.Issuer;
+            target.RoleClaimType = source.RoleClaimType;
+            target.AllowAutoUserCreation = source.AllowAutoUserCreation ?? false;
+            target.ClientId = source.ClientId;
+
+            if (source.ClientSecret is { HasValue: true, NewValue: { } })
+            {
+                target.ClientSecret = source.ClientSecret.NewValue.ToSensitiveString();
+            }
+
+            if (source.ClientSecret is not { HasValue: true })
+            {
+                target.ClientSecret = null;
+            }
+
+            if (source.ClientKey is { HasValue: true, NewValue: { } })
+            {
+                target.ClientKey = source.ClientKey.NewValue.ToSensitiveString();
+            }
+
+            if (source.ClientKey is not { HasValue: true })
+            {
+                target.ClientKey = null;
+            }
+        }
+    }
+}
@@ -0,0 +1,45 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Octopus.Core.Infrastructure.Mapping;
+using Octopus.Server.MessageContracts;
+
+namespace Octopus.Server.Extensibility.Authentication.AzureAD.Configuration
+{
+    class MapFromAzureADConfigurationToAzureADConfigurationResource : IMapToNew<AzureADConfiguration, AzureADConfigurationResource>
+    {
+        public async Task<AzureADConfigurationResource> Map(AzureADConfiguration source, CancellationToken cancellationToken)
+        {
+            await Task.CompletedTask;
+
+            var target = new AzureADConfigurationResource();
+
+            target.Id = source.Id;
+            target.IsEnabled = source.IsEnabled;
+            target.AllowAutoUserCreation = source.AllowAutoUserCreation;
+            target.RoleClaimType = source.RoleClaimType;
+            target.Issuer = source.Issuer;
+            target.ClientId = source.ClientId;
+
+            if (source.ClientSecret == null)
+            {
+                target.ClientSecret = null;
+            }
+            else
+            {
+                target.ClientSecret = !string.IsNullOrWhiteSpace(source.ClientSecret?.Value) ? new SensitiveValue { HasValue = true } : new SensitiveValue { HasValue = false };
+            }
+
+            if (source.ClientKey == null)
+            {
+                target.ClientKey = null;
+            }
+            else
+            {
+                target.ClientKey = !string.IsNullOrWhiteSpace(source.ClientKey?.Value) ? new SensitiveValue { HasValue = true } : new SensitiveValue { HasValue = false };
+            }
+
+            return target;
+        }
+    }
+}