Bugfix/govcloud document intelligence, ai search, content safety managed identity authentication (#388)

* Add support for govt and custom search resource manager, update document intelligence, ai search, and content safety client initialization for govt and custom environments

* Fix Azure Document Intelligence operation via managed identity authentication for government and custom environments by adding base64 encoding support for document uploads, which is required by  current GA document intelligence API version (2024-11-30)

* Fix Azure AI services (content safety, document intelligence, search) managed identity integration for government and custom environments. Consolidated Document Intelligence calls to use same module and API and added base64 document uploads in Document Intelligence API, required by most current API GA version (2024-11-30).

* Update README.md to correct Managed Identity role requirements for Azure services

* Add support for govt and custom search resource manager, update document intelligence, ai search, and content safety client initialization for govt and custom environments

* Fix Azure Document Intelligence operation via managed identity authentication for government and custom environments by adding base64 encoding support for document uploads, which is required by  current GA document intelligence API version (2024-11-30)

* Fix Azure AI services (content safety, document intelligence, search) managed identity integration for government and custom environments. Consolidated Document Intelligence calls to use same module and API and added base64 document uploads in Document Intelligence API, required by most current API GA version (2024-11-30).

* Update README.md to correct Managed Identity role requirements for Azure services

* added search_client_public to managed identity auth flow

---------

Co-authored-by: Joshua Wilshere <joshua.wilshere@oig.dhs.gov>
Co-authored-by: Paul Lizer <paullizer@microsoft.com>

Author: 3 people

application/single_app/config.py

@@ -112,6 +112,8 @@
 CUSTOM_RESOURCE_MANAGER_URL_VALUE = os.getenv("CUSTOM_RESOURCE_MANAGER_URL_VALUE", "")
 CUSTOM_BLOB_STORAGE_URL_VALUE = os.getenv("CUSTOM_BLOB_STORAGE_URL_VALUE", "")
 CUSTOM_COGNITIVE_SERVICES_URL_VALUE = os.getenv("CUSTOM_COGNITIVE_SERVICES_URL_VALUE", "")
+CUSTOM_SEARCH_RESOURCE_MANAGER_URL_VALUE = os.getenv("CUSTOM_SEARCH_RESOURCE_MANAGER_URL_VALUE", "")
+
 
 # Azure AD Configuration
 CLIENT_ID = os.getenv("CLIENT_ID")
@@ -139,11 +141,13 @@
     authority = AzureAuthorityHosts.AZURE_GOVERNMENT
     credential_scopes=[resource_manager + "/.default"]
     cognitive_services_scope = "https://cognitiveservices.azure.us/.default"
+    search_resource_manager = "https://search.azure.us"
 elif AZURE_ENVIRONMENT == "custom":
     resource_manager = CUSTOM_RESOURCE_MANAGER_URL_VALUE
     authority = CUSTOM_IDENTITY_URL_VALUE
     credential_scopes=[resource_manager + "/.default"]
     cognitive_services_scope = CUSTOM_COGNITIVE_SERVICES_URL_VALUE  
+    search_resource_manager = CUSTOM_SEARCH_RESOURCE_MANAGER_URL_VALUE
 else:
     OIDC_METADATA_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration"
     resource_manager = "https://management.azure.com"
@@ -447,12 +451,20 @@ def initialize_clients(settings):
                 )
             else:
                 if settings.get("azure_document_intelligence_authentication_type") == "managed_identity":
-                    document_intelligence_client = DocumentIntelligenceClient(
-                        endpoint=form_recognizer_endpoint,
-                        credential=DefaultAzureCredential()
-                    )
+                    if AZURE_ENVIRONMENT in ("usgovernment", "custom"):
+                        document_intelligence_client = DocumentIntelligenceClient(
+                            endpoint=form_recognizer_endpoint,
+                            credential=DefaultAzureCredential(),
+                            credential_scopes=[cognitive_services_scope],
+                            api_version="2024-11-30"
+                        )
+                    else:
+                        document_intelligence_client = DocumentIntelligenceClient(
+                            endpoint=form_recognizer_endpoint,
+                            credential=DefaultAzureCredential()
+                        )
                 else:
-                    document_intelligence_client = DocumentAnalysisClient(
+                    document_intelligence_client = DocumentIntelligenceClient(
                         endpoint=form_recognizer_endpoint,
                         credential=AzureKeyCredential(form_recognizer_key)
                     )
@@ -479,21 +491,41 @@ def initialize_clients(settings):
                 )
             else:
                 if settings.get("azure_ai_search_authentication_type") == "managed_identity":
-                    search_client_user = SearchClient(
-                        endpoint=azure_ai_search_endpoint,
-                        index_name="simplechat-user-index",
-                        credential=DefaultAzureCredential()
-                    )
-                    search_client_group = SearchClient(
-                        endpoint=azure_ai_search_endpoint,
-                        index_name="simplechat-group-index",
-                        credential=DefaultAzureCredential()
-                    )
-                    search_client_public = SearchClient(
-                        endpoint=azure_ai_search_endpoint,
-                        index_name="simplechat-public-index",
-                        credential=DefaultAzureCredential()
-                    )
+                    if AZURE_ENVIRONMENT in ("usgovernment", "custom"):
+                        search_client_user = SearchClient(
+                            endpoint=azure_ai_search_endpoint,
+                            index_name="simplechat-user-index",
+                            credential=DefaultAzureCredential(),
+                            audience=search_resource_manager
+                        )
+                        search_client_group = SearchClient(
+                            endpoint=azure_ai_search_endpoint,
+                            index_name="simplechat-group-index",
+                            credential=DefaultAzureCredential(),
+                            audience=search_resource_manager
+                        )
+                        search_client_public = SearchClient(
+                            endpoint=azure_ai_search_endpoint,
+                            index_name="simplechat-public-index",
+                            credential=DefaultAzureCredential(),
+                            audience=search_resource_manager
+                        )
+                    else:
+                        search_client_user = SearchClient(
+                            endpoint=azure_ai_search_endpoint,
+                            index_name="simplechat-user-index",
+                            credential=DefaultAzureCredential()
+                        )
+                        search_client_group = SearchClient(
+                            endpoint=azure_ai_search_endpoint,
+                            index_name="simplechat-group-index",
+                            credential=DefaultAzureCredential()
+                        )
+                        search_client_public = SearchClient(
+                            endpoint=azure_ai_search_endpoint,
+                            index_name="simplechat-public-index",
+                            credential=DefaultAzureCredential()
+                        )
                 else:
                     search_client_user = SearchClient(
                         endpoint=azure_ai_search_endpoint,
@@ -532,10 +564,17 @@ def initialize_clients(settings):
                         )
                     else:
                         if settings.get("content_safety_authentication_type") == "managed_identity":
-                            content_safety_client = ContentSafetyClient(
-                                endpoint=safety_endpoint,
-                                credential=DefaultAzureCredential()
-                            )
+                            if AZURE_ENVIRONMENT in ("usgovernment", "custom"):
+                                content_safety_client = ContentSafetyClient(
+                                    endpoint=safety_endpoint,
+                                    credential=DefaultAzureCredential(),
+                                    credential_scopes=[cognitive_services_scope]
+                                )
+                            else:
+                                content_safety_client = ContentSafetyClient(
+                                    endpoint=safety_endpoint,
+                                    credential=DefaultAzureCredential()
+                                )
                         else:
                             content_safety_client = ContentSafetyClient(
                                 endpoint=safety_endpoint,

application/single_app/functions_content.py

@@ -19,11 +19,22 @@ def extract_content_with_azure_di(file_path):
     """
     try:
         document_intelligence_client = CLIENTS['document_intelligence_client'] # Ensure CLIENTS is populated
-        with open(file_path, "rb") as f:
+        if AZURE_ENVIRONMENT in ("usgovernment", "custom"):
+            # Required format for Document Intelligence API version 2024-11-30
+            with open(file_path, 'rb') as f:
+                file_bytes = f.read()
+                base64_source = base64.b64encode(file_bytes).decode('utf-8')
+
             poller = document_intelligence_client.begin_analyze_document(
-                model_id="prebuilt-read",
-                document=f
+                "prebuilt-read",
+                {"base64Source": base64_source}
             )
+        else:
+            with open(file_path, 'rb') as f:
+                poller = document_intelligence_client.begin_analyze_document(
+                    model_id="prebuilt-read",
+                    document=f
+                )
 
         max_wait_time = 600
         start_time = time.time()

application/single_app/route_backend_settings.py

@@ -176,6 +176,10 @@ def get_index_client() -> SearchIndexClient:
         endpoint = settings["azure_ai_search_endpoint"].rstrip("/")
         if settings.get("azure_ai_search_authentication_type", "key") == "managed_identity":
             credential = DefaultAzureCredential()
+            if AZURE_ENVIRONMENT in ("usgovernment", "custom"):
+                return SearchIndexClient(endpoint=endpoint,
+                                          credential=credential,
+                                          audience=search_resource_manager)
         else:
             credential = AzureKeyCredential(settings["azure_ai_search_key"])
 
@@ -415,11 +419,17 @@ def _test_safety_connection(payload):
         key = direct_data.get('key')
 
         if direct_data.get('auth_type') == 'managed_identity':
-            
-            content_safety_client = ContentSafetyClient(
-                endpoint=endpoint,
-                credential=DefaultAzureCredential()
-            )
+            if AZURE_ENVIRONMENT in ("usgovernment", "custom"):
+                content_safety_client = ContentSafetyClient(
+                    endpoint=endpoint,
+                    credential=DefaultAzureCredential(),
+                    credential_scopes=[cognitive_services_scope]
+                )
+            else:
+                content_safety_client = ContentSafetyClient(
+                    endpoint=endpoint,
+                    credential=DefaultAzureCredential()
+                )
         else:
             content_safety_client = ContentSafetyClient(
                 endpoint=endpoint,
@@ -476,32 +486,6 @@ def _test_azure_ai_search_connection(payload):
     """Attempt to connect to Azure Cognitive Search (or APIM-wrapped)."""
     enable_apim = payload.get('enable_apim', False)
 
-    if enable_apim:
-        apim_data = payload.get('apim', {})
-        endpoint = apim_data.get('endpoint')
-        subscription_key = apim_data.get('subscription_key')
-
-        content_safety_client = ContentSafetyClient(
-            endpoint=endpoint,
-            credential=AzureKeyCredential(subscription_key)
-        )
-    else:
-        direct_data = payload.get('direct', {})
-        endpoint = direct_data.get('endpoint')
-        key = direct_data.get('key')
-
-        if direct_data.get('auth_type') == 'managed_identity':
-            
-            content_safety_client = ContentSafetyClient(
-                endpoint=endpoint,
-                credential=DefaultAzureCredential()
-            )
-        else:
-            content_safety_client = ContentSafetyClient(
-                endpoint=endpoint,
-                credential=AzureKeyCredential(key)
-            )
-
     if enable_apim:
         apim_data = payload.get('apim', {})
         endpoint = apim_data.get('endpoint')  # e.g. https://my-apim.azure-api.net/search
@@ -516,10 +500,22 @@ def _test_azure_ai_search_connection(payload):
         endpoint = direct_data.get('endpoint')  # e.g. https://<searchservice>.search.windows.net
         key = direct_data.get('key')
         url = f"{endpoint.rstrip('/')}/indexes?api-version=2023-11-01"
-        headers = {
-            'api-key': key,
-            'Content-Type': 'application/json'
-        }
+
+        if direct_data.get('auth_type') == 'managed_identity':
+            if AZURE_ENVIRONMENT in ("usgovernment", "custom"): # change credential scopes for US Gov or custom environments
+                credential_scopes=search_resource_manager + "/.default"
+            arm_scope = credential_scopes
+            credential = DefaultAzureCredential()
+            arm_token = credential.get_token(arm_scope).token
+            headers = {
+                'Authorization': f'Bearer {arm_token}',
+                'Content-Type': 'application/json'
+            }
+        else:
+            headers = {
+                'api-key': key,
+                'Content-Type': 'application/json'
+            }
 
     # A small GET to /indexes to verify we have connectivity
     resp = requests.get(url, headers=headers, timeout=10)
@@ -540,7 +536,7 @@ def _test_azure_doc_intelligence_connection(payload):
         endpoint = apim_data.get('endpoint')
         subscription_key = apim_data.get('subscription_key')
 
-        document_intelligence_client = DocumentAnalysisClient(
+        document_intelligence_client = DocumentIntelligenceClient(
             endpoint=endpoint,
             credential=AzureKeyCredential(subscription_key)
         )
@@ -550,24 +546,42 @@ def _test_azure_doc_intelligence_connection(payload):
         key = direct_data.get('key')
 
         if direct_data.get('auth_type') == 'managed_identity':
-            
-            document_intelligence_client = DocumentAnalysisClient(
-                endpoint=endpoint,
-                credential=DefaultAzureCredential()
-            )
+            if AZURE_ENVIRONMENT in ("usgovernment", "custom"):
+                document_intelligence_client = DocumentIntelligenceClient(
+                    endpoint=endpoint,
+                    credential=DefaultAzureCredential(),
+                    credential_scopes=[cognitive_services_scope],
+                    api_version="2024-11-30"    # Must be specified otherwise looks for 2023-07-31-preview by default which is not a valid version in Azure Government
+                )
+            else:
+                document_intelligence_client = DocumentIntelligenceClient(
+                    endpoint=endpoint,
+                    credential=DefaultAzureCredential()
+                )
         else:
-            document_intelligence_client = DocumentAnalysisClient(
+            document_intelligence_client = DocumentIntelligenceClient(
                 endpoint=endpoint,
                 credential=AzureKeyCredential(key)
             )
 
     # Use local test file instead of URL for better offline testing
     test_file_path = os.path.join(current_app.root_path, 'static', 'test_files', 'test_document.pdf')
-    with open(test_file_path, 'rb') as f:
+    if AZURE_ENVIRONMENT in ("usgovernment", "custom"):
+        # Required format for Document Intelligence API version 2024-11-30 and later
+        with open(test_file_path, 'rb') as f:
+            file_bytes = f.read()
+            base64_source = base64.b64encode(file_bytes).decode('utf-8')
+
         poller = document_intelligence_client.begin_analyze_document(
-            model_id="prebuilt-read",
-            document=f
+            "prebuilt-read",
+            {"base64Source": base64_source}
         )
+    else:
+        with open(test_file_path, 'rb') as f:
+            poller = document_intelligence_client.begin_analyze_document(
+                model_id="prebuilt-read",
+                document=f
+            )
 
     max_wait_time = 600
     start_time = time.time()
@@ -578,7 +592,7 @@ def _test_azure_doc_intelligence_connection(payload):
             break
         if time.time() - start_time > max_wait_time:
             raise TimeoutError("Document analysis took too long.")
-        time.sleep(30)
+        time.sleep(10)
 
     if status == "succeeded":
         return jsonify({'message': 'Azure document intelligence connection successful'}), 200