In [1]:
#!import "../1-models/AzurePortalIntegration.ipynb"
#!import "../3-operations/Connection.ipynb"

# Azure Subscription

This model is based on the subscription webhooks received from the Azure Marketplace.
The landing page creates these facts.
The portal subscribes to them to determine how many replicators can be configured.

## Enterprise Application Pattern

The Azure landing page app is an enterprise application.
The top-level user is a temporary principal.
It is created to initialize the environment and the first administrator.
And then the private key is discarded.

Administrators represent people.
Administrators are granted permission to add service principals and other administrators to an environment.
That permission can be revoked.

The creator of the environment grants permission to the initial administrator.
Thereafter, an administrator can add new administrators and revoke permissions.

## Azure Marketplace Service Principals

Service principals represents machines.
Different machines play different roles within the process.
The model represents each role as a different type, so that authorization and distribution rules can be granular.

Azure Marketplace service principals run the marketplace admin site and landing page.
They respond to user input, administrator input, and webhooks.
They can record facts about user identities and subscriptions.

Portal service principals run the Replicator portal.
They connect the user and their replicators to Azure user identities and subscriptions.
They use that information to enable and disable endpoints in the multitenant replicator and API gateway.

An administrator creates service principals.
Service principals cannot grant privileges to others.

## Subscriptions

Azure informs the landing page app of subscription activities by and related to a user.
It does so through webhook calls.
The landing page app also permits that user to take actions on the subscription through its own user interface.

This model also represents the user by their identifier.
The model does not treat Azure users as Jinaga users.
It records information _about_ the user, not _by_ the user.

A user can transfer a subscription to another user.
This is modeled using the Entity Reference pattern, a kind of mutable property.

## Subscription Activities

A user can adjust the plan to which a subscription applies.
This is captured as a mutable property.

The user can activate and deactivate their subscription.
Azure can also choose to suspend and reinstate the subscription.
Finally, the user periodically renews their subscription.
Renewal occurs within a monthly period.

## Replicator

A developer can create any number of replicators.
They give them a name and an environment (typically "dev", "test", or "prod").
Both name and environment are mutable properties.

## Authentication

A developer can configure authentication mechanisms for replicators.
Supported authentication mechanisms include Apple and Google.
Given the requirements of each of those providers, these authentication mechanisms take different parameters.

While the end user authenticates with Apple or Google, they use that identity to further authenticate with the replicator.
This phase is a standard OAuth2 authorization code flow.
The developer supplies callback URLs for this flow.

All of this configuration information is shared with an environment.
This environment is well known to the developer.

## RaaS Portal Administrators

Administrators represent people who can configure an environment.
They grant privileges to other administrators and to service principals.
That permission can be revoked.

The creator of the environment grants permission to the first administrator.
Thereafter, an administrator can add new administrators and revoke privileges.

## RaaS Portal Service Principals

Service principals represent machines that perform functions within a RaaS portal environment.
Those functions include configuring authentication providers and generating secrets.

A portal administrator creates a service principal.
Service principals cannot grant permissions to others.

## Request Completions

A portal service principal processes the authentication and endpoint requests.
It responds with a completion fact that sometimes carries generated information.

For example, upon completing a request for an endpoint, the host provides a URL.
And when completing a request for an OAuth2 authentication service, the host responds with the public key that will be used to validate JWT tokens.

## Secrets

When setting up authorization and distribution rules, the developer must provide a shared secret.
They request a secret from the environment.
A service principal responds with a randomly generated secret that can be used to authenticate a CI/CD server.

## Subscription Allocation

The RaaS service principal controls the connection between the Azure Marketplace and the replicator-as-a-service portal.
The connection starts with the user identity.
The service principal associate a Jinaga user to an Azure user identity.
This happens on login.

Then, the user requests an allocation between a replicator and a subscription.
The service principal completes that allocation if the subscription is available.
A replicator will only be activated if a subscription is allocated.
If the subscription is cancelled, then the replicator is deactivated.

In [2]:
var azureCreator = configuration.ContainsKey("azureCreator") ?
    configuration["azureCreator"] :
    null;

var environmentIdentifier = configuration.ContainsKey("environmentIdentifier") ?
    configuration["environmentIdentifier"] :
    "test";

AzureEnvironment azureEnvironment;

if (azureCreator != null)
{
    // Use the existing environment.
    azureEnvironment = new AzureEnvironment(
        new User(azureCreator),
        environmentIdentifier
    );
}

jinagaClient.Hash(azureEnvironment)

Lgb9GmG3CR1AcMhvkolV3Vt+rA+rdia6A5wAxeHwa+GsJZ/RskdEIXmYBdkz/68a9sYKI9r0UJBX4mFoRZ1stg==

In [3]:
if (false)
{
    // Make the Microsoft login an Azure administrator.

    var microsoftUser = new User("-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu5WfisRF9xNpi6P7CoWH\r\n57EeQrcDLlm2N69L\u002BXBGZh/UG6k4tzHyQKUZsJxXQk4J5MsXNPN2REK0EV1MIQjO\r\ngEGsYVDJiiATSnEbf3x3rX/WoLc1beByoU1yr3/kTT62jokShAPhnB3EjjGQaPtU\r\ntAh4TZrF0xOOgRqe7C1UOBVJVezUGjrKxoG7atkcvPCBazZpai0VcshqBQnESre3\r\ngpp2fNLzyeivrv/DrxLj8GqGoV35BqANgu1LAh\u002B1KknJPCPdbAZvIriklAxU6R20\r\nsBeuat1p8zfBk6L\u002BL1b/SMbfXKp0RKMPTPO8I6RATudn6KNjzqXW3gEiwG4VKD3S\r\n5wIDAQAB\r\n-----END PUBLIC KEY-----\r\n");

    var admin = await jinagaClient.Fact(new AzureAdministrator(microsoftUser, azureEnvironment, DateTime.UtcNow));

    display(jinagaClient.RenderFacts(admin));
}

## User Identity

Who am I?

In [4]:
var userIdentityForUser = Given<User>.Match((user, facts) =>
    facts.OfType<RaasUserIdentity>(rui => rui.user == user)
);

var userIdentities = await jinagaClient.Query(userIdentityForUser, user);

jinagaClient.RenderFacts(user, userIdentities)

What identities are available?

In [5]:
var userIdentitiesInEnvironment = Given<AzureEnvironment>.Match((environment, facts) =>
    facts.OfType<UserIdentity>(ui => ui.environment == environment)
    .Select(ui => ui.userId)
);

var userIdentities = await jinagaClient.Query(userIdentitiesInEnvironment, azureEnvironment);

userIdentities

Create a new user identity.

In [6]:
if (false)
{
    var userIdentity = await jinagaClient.Fact(new UserIdentity(azureEnvironment, "me@michaelperry.net"));

    display(jinagaClient.RenderFacts(userIdentity));
}

## Subscriptions Available

List the subscriptions available to the user.

In [15]:
var subscriptionsForUser = Given<User>.Match((user, facts) =>
    from raasUserIdentity in facts.OfType<RaasUserIdentity>()
    where raasUserIdentity.user == user
    from subscriptionUserIdentity in facts.OfType<SubscriptionUserIdentity>()
    where subscriptionUserIdentity.userIdentity == raasUserIdentity.userIdentity &&
        !facts.Any<SubscriptionUserIdentity>(next => next.prior.Contains(subscriptionUserIdentity))
    from subscription in facts.OfType<Subscription>()
    where subscription == subscriptionUserIdentity.subscription &&
        !facts.Any<ReplicatorSubscriptionRequest>(req => req.subscription == subscription &&
            !facts.Any<ReplicatorSubscriptionReject>(rej => rej.request == req)
        ) &&
        !facts.Any<Unsubscribe>(unsub => unsub.subscription == subscription)
    select new
    {
        Subscription = subscription,
        Names = facts.OfType<SubscriptionName>(sn => sn.subscription == subscription &&
            !facts.Any<SubscriptionName>(next => next.prior.Contains(sn)))
            .Select(sn => sn.value)
    }
);

var subscriptions = await jinagaClient.Query(subscriptionsForUser, user);

subscriptions

## Test Subscription

Set up a subscription for the Microsoft user so that it can appear in the list.

In [8]:
if (false)
{
    var userIdentity = new UserIdentity(azureEnvironment, "me@michaelperry.net");

    var subscription = await jinagaClient.Fact(new Subscription(azureEnvironment, Guid.NewGuid()));
    await jinagaClient.Fact(new SubscriptionUserIdentity(subscription, userIdentity, []));
    await jinagaClient.Fact(new SubscriptionName(subscription, "Blog", []));
}