File Upload using Flask, Azure Storage, and MSAL. Demo/work-in-progress.

wmelvin/flask-fileup-az

File Upload App using Flask and Azure

This is a work-in-progress demo. If it works out, a LICENSE will be added when it is done. Otherwise this repository will probably go away.

Created: 2023-01-19

Started with a copy of the files in the flask-file-up project as of commit 4f4ee83.

Rather than clone that project, and bring along all of its history, a ZIP download was used to get the files. Code related to the database model (SQLAlchemy-derived classes), and for managing user identities within the app, was removed. This project will use only Azure Active Directory (via MSAL) for user identity management and Azure Storage for receiving uploaded files.

A new Git repository was created after pruning the code and successfully running the main functions of the app locally (the Flask app ran in the local development server, but was connected to live Azure resources).

Configuration

Environment Variables

The following environment variables configure the application:

FILEUP_SECRET_KEY=""
FILEUP_ENABLE_FEATURES=""
FILEUP_UPLOAD_ACCEPT=""
FILEUP_MAX_UPLOAD_MB=""
FILEUP_MSAL_REDIRECT_PATH=""
FILEUP_MSAL_AUTHORITY=""
FILEUP_MSAL_CLIENT_ID=""
FILEUP_MSAL_CLIENT_SECRET=""
FILEUP_MSAL_SCOPE=""
FILEUP_STORAGE_ACCOUNT_NAME=""
FILEUP_STORAGE_CONTAINER=""
FILEUP_STORAGE_TABLE=""
FILEUP_STORAGE_ACCOUNT_KEY=""
FILEUP_STORAGE_ENDPOINT_SUFFIX=""

The purpose of each environment variable is described below.

Web Application Settings

FILEUP_SECRET_KEY - Sets the Flask SECRET_KEY.

FILEUP_PROXY_LEVEL - Set this to the number of proxies the app is running behind to Tell Flask it is Behind a Proxy. That enables the X-Forwarded-For Proxy Fix. If not running behind a proxy, set the level to '0' (zero) to disable the ProxyFix middleware.

FILEUP_ENABLE_FEATURES - Enable optional features in the application. Options are enabled using option names. Enable multiple options by separating the names with a space.

  • CheckStorage enables a /checkstorage route that calls a function to check access to Azure Blob and Table storage.
  • LogDebug sets the Flask logging level to DEBUG (most verbose).
  • LogInfo sets the Flask logging level to INFO (default logging level is WARNING).
  • NoPrefix disables adding a "upload-date_time-" prefix to the name of uploaded files.
  • NoRole allows any authenticated user to upload files without an App Role assignment.

FILEUP_UPLOAD_ACCEPT - Comma-separated list of file types (extensions) to accept in uploaded file names. The default setting is ".csv,.xls,.xlsx". This is used to limit the upload file selection on the client side (form input field) and for server-side file name validation.

FILEUP_MAX_UPLOAD_MB - Maximum allowed file size, in megabytes, for uploaded files. If not set, the default maximum size is 2 MB.
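A sketch of the server-side half of these two settings, added here as an example and not taken from this project's code. The function names are hypothetical, the defaults are the ones stated above, and only the standard library is used.

```python
import os

DEFAULT_ACCEPT = ".csv,.xls,.xlsx"   # default stated in this README
DEFAULT_MAX_MB = 2                   # default stated in this README


def load_upload_settings(env=os.environ):
    """Return (accepted_extensions, max_bytes) from the FILEUP_* variables."""
    raw = env.get("FILEUP_UPLOAD_ACCEPT") or DEFAULT_ACCEPT
    accepted = set()
    for item in raw.split(","):
        ext = item.strip().lower()
        if ext:
            accepted.add(ext if ext.startswith(".") else "." + ext)
    raw_mb = (env.get("FILEUP_MAX_UPLOAD_MB") or "").strip()
    # Fall back to the default on blank, zero or non-numeric values.
    max_mb = int(raw_mb) if raw_mb.isdigit() and int(raw_mb) > 0 else DEFAULT_MAX_MB
    return accepted, max_mb * 1024 * 1024


def is_accepted_name(filename, accepted):
    """Only the final extension counts, compared case-insensitively."""
    if not filename or "\x00" in filename:
        return False
    # Drop any client-supplied directory part (both separator styles).
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    stem, ext = os.path.splitext(base)
    if not stem or stem.startswith("."):
        return False          # rejects names such as ".csv" with no real stem
    return ext.lower() in accepted


def check_upload(filename, size_bytes, env=os.environ):
    """Return (ok, reason) for one upload; the form's accept list is not trusted."""
    accepted, max_bytes = load_upload_settings(env)
    if not is_accepted_name(filename, accepted):
        return False, "file type not accepted"
    if size_bytes > max_bytes:
        return False, "file too large"
    return True, "ok"
```

In a Flask app the byte limit returned by `load_upload_settings` would normally also be assigned to the `MAX_CONTENT_LENGTH` config value, so oversized requests are refused before the view runs.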

User Identity (Authentication/Authorization) Settings

FILEUP_APP_ROLE - App Role that must be assigned to authorize a user to upload files (unless NoRole feature is enabled). Default value is File.Upload.
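How FILEUP_APP_ROLE and the NoRole option of FILEUP_ENABLE_FEATURES combine into one authorization decision, as an added example that is not this project's code. It assumes the app keeps the validated ID-token claims as a dict after MSAL sign-in, that assigned App Roles arrive in the token's `roles` claim, and that feature names are matched case-sensitively; all function names are hypothetical.

```python
import os

DEFAULT_APP_ROLE = "File.Upload"   # default stated in this README


def enabled_features(env=os.environ):
    """Parse FILEUP_ENABLE_FEATURES: option names separated by spaces."""
    return set((env.get("FILEUP_ENABLE_FEATURES") or "").split())


def may_upload(claims, env=os.environ):
    """Decide whether the signed-in user behind `claims` may upload.

    `claims` is the dict of validated ID-token claims (assumption, see the
    lead-in). None or an empty dict means nobody is signed in.
    """
    if not claims:
        return False                      # NoRole never admits anonymous users
    if "NoRole" in enabled_features(env):
        return True                       # any authenticated user may upload
    required = (env.get("FILEUP_APP_ROLE") or DEFAULT_APP_ROLE).strip()
    roles = claims.get("roles") or []     # absent when no App Role is assigned
    if isinstance(roles, str):            # tolerate a single role given as a string
        roles = [roles]
    return required in roles              # exact, case-sensitive match


def exposure_features(env=os.environ):
    """Enabled options that widen what a deployment exposes: an extra route
    (CheckStorage), uploads open to any signed-in user (NoRole), or the most
    verbose logging (LogDebug). Useful to log once at start-up."""
    return sorted(enabled_features(env) & {"CheckStorage", "NoRole", "LogDebug"})
```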

FILEUP_MSAL_REDIRECT_PATH - Not yet implemented - currently hard-coded as "/signin-oidc"

FILEUP_MSAL_AUTHORITY - Authority to which the web app delegates sign-in. In this case, the Azure Active Directory providing user identity. (TODO: More detail; links to docs)

FILEUP_MSAL_CLIENT_ID - Client ID assigned to the App Registration in Azure Active Directory. (TODO: More detail; links to docs)

FILEUP_MSAL_CLIENT_SECRET - Client Secret assigned to the App Registration (Azure Active Directory). (TODO: More detail; links to docs)

FILEUP_MSAL_SCOPE - Currently left blank - not used

Azure Storage Settings

FILEUP_STORAGE_ACCOUNT_NAME - Name of the Azure Storage Account. (TODO: More detail; links to docs)

FILEUP_STORAGE_CONTAINER - Name of the Blob container, in the Azure Storage Account, that receives uploaded files. Container name must be all lower case. If not set, the default is fileup. (TODO: More detail; links to docs)

FILEUP_STORAGE_TABLE - Name of the table, in the Azure Storage Account, that receives data about uploaded files. This is optional. If not set, files can still be uploaded to blob storage, but no data about the uploads is recorded.

FILEUP_STORAGE_ACCOUNT_KEY - Azure Storage Account Key to use in connection strings. Leave blank when using IAM roles, instead of connection strings, to access storage. (TODO: More detail; links to docs)

FILEUP_STORAGE_ENDPOINT_SUFFIX - Suffix used to construct URLs for storage targets. Used to build connection strings. (TODO: More detail; links to docs)


Reference Links

Flask

Flask Documentation

Modular Applications with Blueprints

Use flask.current_app to access app.config values in view modules using blueprints. Only available in the Request Context.

Flask WTForms

Flask-WTF - PyPI

Flask-WTF - Documentation

WTForms - Documentation

Fields / Convenience Fields

Validators

MSAL

AzureAD/microsoft-authentication-library-for-python - GitHub

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Azure Active Directory. These documented APIs are stable https://msal-python.readthedocs.io. If you have questions but do not have a github account, ask your questions on Stackoverflow with tag "msal" + "python".

Wiki: AzureAD/microsoft-authentication-library-for-python - GitHub

Microsoft identity platform overview - Microsoft Entra - Microsoft Learn

Azure Storage

Understanding the Table service data model (REST API)

Deploy to Azure

Quickstart: Deploy a Python (Django or Flask) web app to Azure - Microsoft Learn

az webapp deploy - Microsoft Learn

Azure AD

Add app roles and get them from a token - Microsoft Entra
