### 🛠️ 1. Initialize notebook variables

Configures everything that's needed for deployment. 

👉 **Modify entries under _1) User-defined parameters_ and _3) Define the APIs and their operations and policies_**.

In [None]:
import utils
import time
from apimtypes import *

# 1) User-defined parameters (change these as needed)
rg_location = 'eastus2'
index       = 1
deployment  = INFRASTRUCTURE.SIMPLE_APIM
tags        = ['authX-pro', 'jwt', 'policy-fragment']       # ENTER DESCRIPTIVE TAG(S)
api_prefix  = 'authX-pro-'               # OPTIONAL: ENTER A PREFIX FOR THE APIS TO REDUCE COLLISION POTENTIAL WITH OTHER SAMPLES

# 2) Service-defined parameters (please do not change these)
rg_name = utils.get_infra_rg_name(deployment, index)
supported_infrastructures = [INFRASTRUCTURE.SIMPLE_APIM, INFRASTRUCTURE.AFD_APIM_PE, INFRASTRUCTURE.APIM_ACA]        # ENTER SUPPORTED INFRASTRUCTURES HERE, e.g., [INFRASTRUCTURE.AFD_APIM_PE, INFRASTRUCTURE.AFD_APIM_FE]
utils.validate_infrastructure(deployment, supported_infrastructures)

# Set up the signing key for the JWT policy
jwt_key_name = f'JwtSigningKey{int(time.time())}'
jwt_key_value, jwt_key_value_bytes_b64 = utils.generate_signing_key()
utils.print_val('JWT key value', jwt_key_value)                         # this value is used to create the signed JWT token for requests to APIM
utils.print_val('JWT key value (base64)', jwt_key_value_bytes_b64)      # this value is used in the APIM validate-jwt policy's issuer-signing-key attribute  

# 3) Set up the named values
nvs: List[NamedValue] = [
    NamedValue(jwt_key_name, jwt_key_value_bytes_b64, True),
    NamedValue('HRMemberRoleId', Role.HR_MEMBER),
    NamedValue('HRAssociateRoleId', Role.HR_ASSOCIATE),
    NamedValue('HRAdministratorRoleId', Role.HR_ADMINISTRATOR)
]

# 4) Set up the policy fragments
pf_authx_hr_member_xml = utils.read_policy_xml('./pf-authx-hr-member.xml').format(
    jwt_signing_key = '{{' + jwt_key_name + '}}',
    hr_member_role_id = '{{HRMemberRoleId}}'
)
# TODO: These shared policies may be better applied as part of each infrastructure deployments. 
pf_authz_match_any_xml = utils.read_policy_xml('../../shared/apim-policies/fragments/pf-authz-match-any.xml')
pf_http_response_200_xml = utils.read_policy_xml('../../shared/apim-policies/fragments/pf-http-response-200.xml')

pfs: List[PolicyFragment] = [
    PolicyFragment('AuthX-HR-Member', pf_authx_hr_member_xml, 'Authenticates and authorizes HR members.'),
    PolicyFragment('AuthZ-Match-Any', pf_authz_match_any_xml, 'Authorizes if any of the specified roles match the JWT role claims.'),
    PolicyFragment('Http-Response-200', pf_http_response_200_xml, 'Returns a 200 OK response for the current HTTP method.')
]

# 5) Define the Products

# HR Product with authentication policy, including authorization via a required claim check for HR member role
hr_product_xml = utils.read_policy_xml('./hr_product.xml').format(
    jwt_signing_key = '{{' + jwt_key_name + '}}', 
    hr_member_role_id = '{{HRMemberRoleId}}'
)

hr_product_name = 'hr'
products: List[Product] = [
    Product(hr_product_name, 'Human Resources', 
            'Product for Human Resources APIs providing access to employee data, organizational structure, benefits information, and HR management services. Includes JWT-based authentication for HR members.', 
            'published', False, False, hr_product_xml)
]

# 6) Define the APIs and their operations and policies

# Employees (HR)
hremployees_api_path = f'/{api_prefix}employees'
hremployees_get = GET_APIOperation('Gets the employees', utils.read_policy_xml('./hr_get.xml'))
hremployees_post = POST_APIOperation('Creates a new employee', utils.read_policy_xml('./hr_post.xml'))
hremployees = API(f'{api_prefix}Employees', 'Employees Pro', hremployees_api_path, 'This is a Human Resources API for employee information', utils.read_policy_xml(REQUIRE_PRODUCT_XML_POLICY_PATH), 
                  operations = [hremployees_get, hremployees_post], tags = tags, productNames = [hr_product_name], subscriptionRequired = False)

# Benefits (HR)
hrbenefits_api_path = f'/{api_prefix}benefits'
hrbenefits_get = GET_APIOperation('Gets employee benefits', utils.read_policy_xml('./hr_get.xml'))
hrbenefits_post = POST_APIOperation('Creates employee benefits', utils.read_policy_xml('./hr_post.xml'))
hrbenefits = API(f'{api_prefix}Benefits', 'Benefits Pro', hrbenefits_api_path, 'This is a Human Resources API for employee benefits', utils.read_policy_xml(REQUIRE_PRODUCT_XML_POLICY_PATH), 
                 operations = [hrbenefits_get, hrbenefits_post], tags = tags, productNames = [hr_product_name], subscriptionRequired = False)

# APIs Array
apis: List[API] = [hremployees, hrbenefits]

utils.print_ok('Notebook initialized')

### 🚀 2. Create deployment using Bicep

Creates the bicep deployment into the previously-specified resource group. A bicep parameters file will be created prior to execution.

In [None]:
import utils

# 1) Define the Bicep parameters with serialized APIs
bicep_parameters = {
    'apis': {'value': [api.to_dict() for api in apis]},
    'namedValues': {'value': [nv.to_dict() for nv in nvs]},
    'policyFragments': {'value': [pf.to_dict() for pf in pfs]},
    'products': {'value': [product.to_dict() for product in products]}
}

# 2) Infrastructure must be in place before samples can be layered on top
if not utils.does_resource_group_exist(rg_name):
    utils.print_error(f'The specified infrastructure resource group and its resources must exist first. Please check that the user-defined parameters above are correctly referencing an existing infrastructure. If it does not yet exist, run the desired infrastructure in the /infra/ folder first.')
    raise SystemExit(1)

# 3) Run the deployment
output = utils.create_bicep_deployment_group(rg_name, rg_location, deployment, bicep_parameters)

# 4) Print a deployment summary, if successful; otherwise, exit with an error
if not output.success:
    raise SystemExit('Deployment failed')

if output.success and output.json_data:
    apim_gateway_url = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')

utils.print_ok('Deployment completed')

### ✅ 3. Verify API Request Success

Assert that the deployment was successful by making simple calls to APIM. 

❗️ If the infrastructure shields APIM and requires a different ingress (e.g. Azure Front Door), the request to the APIM gateway URl will fail by design. Obtain the Front Door endpoint hostname and try that instead.

In [None]:
import utils
from apimrequests import ApimRequests
from apimtypes import Role
from users import UserHelper
from authfactory import AuthFactory

# Preflight: Check if the infrastructure architecture deployment uses Azure Front Door. If so, assume that APIM is not directly accessible and use the Front Door URL instead.
endpoint_url = utils.test_url_preflight_check(deployment, rg_name, apim_gateway_url)

# 1) HR Administrator
# Create a JSON Web Token with a payload and sign it with the symmetric key from above.
encoded_jwt_token_hr_admin = AuthFactory.create_symmetric_jwt_token_for_user(UserHelper.get_user_by_role(Role.HR_ADMINISTRATOR), jwt_key_value)
print(f'\nJWT token for HR Admin:\n{encoded_jwt_token_hr_admin}')  # this value is used to call the APIs via APIM

# Set up an APIM requests object with the JWT token
reqsApimAdmin = ApimRequests(endpoint_url)
reqsApimAdmin.headers['Authorization'] = f'Bearer {encoded_jwt_token_hr_admin}'

# Call APIM
reqsApimAdmin.singleGet(hremployees_api_path, msg = 'Calling GET Employees API via API Management Gateway URL. Expect 200.')
reqsApimAdmin.singlePost(hremployees_api_path, msg = 'Calling POST Employees API via API Management Gateway URL. Expect 200.')
reqsApimAdmin.singleGet(hrbenefits_api_path, msg = 'Calling GET Benefits API via API Management Gateway URL. Expect 200.')
reqsApimAdmin.singlePost(hrbenefits_api_path, msg = 'Calling POST Benefits API via API Management Gateway URL. Expect 200.')

# 2) HR Associate
# Create a JSON Web Token with a payload and sign it with the symmetric key from above.
encoded_jwt_token_hr_associate = AuthFactory.create_symmetric_jwt_token_for_user(UserHelper.get_user_by_role(Role.HR_ASSOCIATE), jwt_key_value)
print(f'\nJWT token for HR Associate:\n{encoded_jwt_token_hr_associate}')  # this value is used to call the APIs via APIM

# Set up an APIM requests object with the JWT token
reqsApimAssociate = ApimRequests(endpoint_url)
reqsApimAssociate.headers['Authorization'] = f'Bearer {encoded_jwt_token_hr_associate}'

# Call APIM
reqsApimAssociate.singleGet(hremployees_api_path, msg = 'Calling GET Employees API via API Management Gateway URL. Expect 200.')
reqsApimAssociate.singlePost(hremployees_api_path, msg = 'Calling POST Employees API via API Management Gateway URL. Expect 403.')
reqsApimAssociate.singleGet(hrbenefits_api_path, msg = 'Calling GET Benefits API via API Management Gateway URL. Expect 200.')
reqsApimAssociate.singlePost(hrbenefits_api_path, msg = 'Calling POST Benefits API via API Management Gateway URL. Expect 403.')

utils.print_ok('All done!')