Fix authentication and other azure deployment issues

Author: akshata29

README.md

@@ -363,8 +363,8 @@ Example role assignment commands (PowerShell friendly). Replace placeholders wit
 #$searchId  = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Search/searchServices/<search-name>"
 #$openaiId  = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<openai-name>"
 
-az role assignment create --assignee-object-id $objectId --role "Storage Blob Data Reader" --scope $storageId
-az role assignment create --assignee-object-id $objectId --role "Search Index Data Reader" --scope $searchId
+az role assignment create --assignee-object-id $objectId --role "Storage Blob Data Contributor" --scope $storageId
+az role assignment create --assignee-object-id $objectId --role "Search Index Data Contributor" --scope $searchId
 az role assignment create --assignee-object-id $objectId --role "Cognitive Services OpenAI Contributor" --scope $openaiId
 ```
 

src/backend/core/azure_client_factory.py

@@ -66,6 +66,18 @@ async def close(self) -> None:
                 await self.document_intelligence_client.close()
             except Exception:
                 logger.debug("Error closing document_intelligence_client", exc_info=True)
+        # Try to close openai client if it exposes an async close or close method
+        try:
+            if hasattr(self.openai_client, 'aclose'):
+                await getattr(self.openai_client, 'aclose')()
+            elif hasattr(self.openai_client, 'close'):
+                # some clients may expose sync close
+                try:
+                    getattr(self.openai_client, 'close')()
+                except Exception:
+                    logger.debug("Error calling openai_client.close()", exc_info=True)
+        except Exception:
+            logger.debug("Error closing openai client", exc_info=True)
 
 
 class ClientFactory:
@@ -143,6 +155,13 @@ async def get_session_clients(cls, session_id: str, auth_mode: AuthMode) -> Sess
             except Exception as e:
                 logger.error("DefaultAzureCredential failed to acquire storage token", extra={"session_id": session_id, "error": str(e)} , exc_info=True)
 
+            # Diagnostic: attempt to acquire a token for Azure Cognitive Search to detect missing data-plane permissions
+            try:
+                search_token = await credential.get_token("https://search.azure.com/.default")
+                logger.info("Acquired token for Azure Cognitive Search", extra={"session_id": session_id, "search_token_exp": getattr(search_token, 'expires_on', None)})
+            except Exception as e:
+                logger.warning("Could not acquire token for Azure Cognitive Search. This may indicate missing AAD scopes or permissions.", extra={"session_id": session_id, "error": str(e)})
+
             # OpenAI bearer token provider
             token_provider = get_bearer_token_provider(
                 credential,
@@ -241,6 +260,11 @@ async def get_session_clients(cls, session_id: str, auth_mode: AuthMode) -> Sess
             **client_kwargs,
         )
 
+        try:
+            logger.debug("SearchIndexClient created", extra={"endpoint": config.search_service.endpoint, "credential_type": type(search_cred).__name__})
+        except Exception:
+            logger.debug("Could not log search index client creation", exc_info=True)
+
         def get_search_client(index_name: str) -> SearchClient:
             return SearchClient(
                 endpoint=config.search_service.endpoint,

src/backend/data_ingestion/process_file.py

@@ -1393,8 +1393,36 @@ async def _index_documents(self, index_name, documents):
                 return
 
             try:
+                # Log diagnostic info about the search client and credential
+                try:
+                    cred = getattr(self.search_client, '_credential', None)
+                    cred_type = type(cred).__name__ if cred is not None else 'None'
+                except Exception:
+                    cred_type = 'unknown'
+                try:
+                    endpoint = getattr(self.search_client, 'endpoint', None) or getattr(self.search_client, '_endpoint', None)
+                except Exception:
+                    endpoint = None
+                logger.info("Uploading documents to search index", extra={"index": index_name, "document_count": len(documents), "search_credential_type": cred_type, "endpoint": endpoint})
+
                 await self.search_client.upload_documents(documents=documents)
                 print(f"Indexed {len(documents)} documents.")
+            except HttpResponseError as e:
+                # Detailed logging for HTTP errors from the search service
+                status = getattr(e, 'status_code', None) or getattr(e, 'status', None)
+                message = str(e)
+                logger.error("Search service returned HTTP error during upload", extra={"index": index_name, "status": status, "error": message})
+                # If index missing, attempt recreate and retry
+                missing = isinstance(e, ResourceNotFoundError) or (hasattr(e, 'message') and 'not found' in str(e).lower())
+                if missing:
+                    desired = await self._build_index_schema(index_name)
+                    await self._ensure_index_exists(index_name, desired)
+                    await self.search_client.upload_documents(documents=documents)
+                    print(f"Indexed {len(documents)} documents after recreating index.")
+                else:
+                    # Surface forbidden and other errors with more detail
+                    print(f"Error indexing documents (http): status={status} message={message}")
+                    raise
             except Exception as e:
                 # Retry once if index missing
                 missing = isinstance(e, ResourceNotFoundError) or (hasattr(e, 'message') and 'not found' in str(e).lower())

src/backend/handlers/citation_file_handler.py

@@ -4,6 +4,7 @@
 from typing import Dict, Any
 from aiohttp import web
 from azure.storage.blob.aio import ContainerClient, BlobServiceClient
+from azure.identity.aio import DefaultAzureCredential
 from azure.storage.blob import generate_blob_sas, BlobSasPermissions
 from azure.core.exceptions import AzureError, ResourceNotFoundError
 
@@ -333,17 +334,61 @@ async def _get_file_url(
                     except Exception:
                         logger.debug("Credential diagnostic check failed", extra={"request_id": request_id}, exc_info=True)
 
-                    user_delegation_key = await blob_service_client.get_user_delegation_key(
-                        key_start_time=start_time, key_expiry_time=expiry_time
-                    )
-                    sas_token = generate_blob_sas(
-                        account_name=blob_client.account_name or "",
-                        container_name=container_client.container_name,
-                        blob_name=normalized_blob_name,
-                        user_delegation_key=user_delegation_key,
-                        permission=BlobSasPermissions(read=True),
-                        expiry=datetime.utcnow() + timedelta(minutes=self.sas_duration_minutes),
-                    )
+                    # If the existing blob_service_client is not AAD/Bearer-capable (for example,
+                    # constructed with an account key), the Storage service will reject a
+                    # get_user_delegation_key call. In that case, create a temporary
+                    # AAD-backed BlobServiceClient using DefaultAzureCredential to request
+                    # the user delegation key. This is deliberate and only used when
+                    # auth_mode == MANAGED_IDENTITY and the provided client cannot issue
+                    # a Bearer token. We log the behavior so it is visible in production.
+                    temp_cred = None
+                    temp_blob_service_client = None
+                    try:
+                        cred = getattr(blob_service_client, 'credential', None)
+                        needs_temp_aad = not (cred is not None and hasattr(cred, 'get_token'))
+
+                        if needs_temp_aad:
+                            logger.info(
+                                "BlobServiceClient not AAD-capable; creating temporary AAD-backed client for user-delegation key",
+                                extra={"request_id": request_id, "blob_account": blob_client.account_name}
+                            )
+                            temp_cred = DefaultAzureCredential()
+                            # Use the same account URL as the provided service client
+                            account_url = getattr(blob_service_client, 'url', None)
+                            if not account_url:
+                                # Fallback to constructing from account name
+                                account_name = getattr(blob_client, 'account_name', None) or getattr(blob_service_client, 'account_name', None)
+                                account_url = f"https://{account_name}.blob.core.windows.net"
+
+                            temp_blob_service_client = BlobServiceClient(account_url=account_url, credential=temp_cred)
+                            user_delegation_key = await temp_blob_service_client.get_user_delegation_key(
+                                key_start_time=start_time, key_expiry_time=expiry_time
+                            )
+                        else:
+                            user_delegation_key = await blob_service_client.get_user_delegation_key(
+                                key_start_time=start_time, key_expiry_time=expiry_time
+                            )
+
+                        sas_token = generate_blob_sas(
+                            account_name=blob_client.account_name or "",
+                            container_name=container_client.container_name,
+                            blob_name=normalized_blob_name,
+                            user_delegation_key=user_delegation_key,
+                            permission=BlobSasPermissions(read=True),
+                            expiry=datetime.utcnow() + timedelta(minutes=self.sas_duration_minutes),
+                        )
+                    finally:
+                        # Close temporary clients/credentials if created to avoid leaks
+                        if temp_blob_service_client is not None:
+                            try:
+                                await temp_blob_service_client.close()
+                            except Exception:
+                                logger.debug("Failed closing temporary BlobServiceClient", extra={"request_id": request_id}, exc_info=True)
+                        if temp_cred is not None:
+                            try:
+                                await temp_cred.close()
+                            except Exception:
+                                logger.debug("Failed closing temporary DefaultAzureCredential", extra={"request_id": request_id}, exc_info=True)
                 except Exception as ade:
                     logger.error("Managed Identity auth selected but user-delegation key request failed", extra={"request_id": request_id, "error": str(ade)})
                     # Surface error to caller (no silent fallback allowed)

src/backend/handlers/upload_handler.py

@@ -277,6 +277,8 @@ async def handle_process_document(self, request):
         """Handle document processing with enhanced logging and monitoring"""
         process_start = time.time()
         upload_id = None
+        # Track clients that are created for this request and must be closed explicitly
+        transient_clients = []
 
         try:
             data = await request.json()
@@ -317,16 +319,21 @@ async def handle_process_document(self, request):
                 if not self.clients:
                     await self.initialize_clients()
                 bundle_clients = self.clients
+                transient_clients = []
             else:
                 config = get_config()
                 # map bundle to same keys used in self.clients
+                # The SearchClient returned by bundle.get_search_client is request-scoped and should be closed
+                search_client = bundle.get_search_client(config.search_service.index_name)
+                transient_clients = [search_client]
+
                 bundle_clients = {
                     'document': bundle.document_intelligence_client,
                     'text_embedding': type('AOAIWrapper', (), {'embed': lambda self, input: bundle.openai_client.embeddings.create(input=input, model=config.azure_openai.embedding_deployment)})(),
                     'image_embedding': type('AOAIWrapper', (), {'embed': lambda self, input: bundle.openai_client.embeddings.create(input=input, model=config.azure_openai.embedding_deployment)})(),
                     'openai': bundle.openai_client,
                     'instructor_openai': instructor.from_openai(bundle.openai_client),
-                    'search': bundle.get_search_client(config.search_service.index_name),
+                    'search': search_client,
                     'search_index': bundle.search_index_client,
                     'blob_service': bundle.blob_service_client,
                     'blob_container': bundle.blob_service_client.get_container_client(config.storage.artifacts_container)
@@ -521,6 +528,41 @@ async def process_file(self, *args, **kwargs):
                 "timestamp": datetime.datetime.now().isoformat()
             })
             print(f"Document processing error for {upload_id}: {e}")
+        finally:
+            # Close any clients in bundle_clients that are not the handler-level cached clients
+            try:
+                if bundle_clients:
+                    for key, client_obj in list(bundle_clients.items()):
+                        try:
+                            # Skip if this client is the same object as the handler-level cached client
+                            if getattr(self, 'clients', None) and self.clients.get(key) is client_obj:
+                                continue
+
+                            if client_obj is None:
+                                continue
+
+                            # Prefer async close
+                            if hasattr(client_obj, 'aclose') and callable(getattr(client_obj, 'aclose')):
+                                try:
+                                    await client_obj.aclose()
+                                    logger.debug("Closed transient async client", extra={"client_key": key})
+                                except Exception:
+                                    logger.debug("Error closing client aclose()", extra={"client_key": key}, exc_info=True)
+                            elif hasattr(client_obj, 'close') and callable(getattr(client_obj, 'close')):
+                                try:
+                                    result = client_obj.close()
+                                    import asyncio as _asyncio
+                                    if _asyncio.iscoroutine(result):
+                                        await result
+                                        logger.debug("Awaited async close() on client", extra={"client_key": key})
+                                    else:
+                                        logger.debug("Called sync close() on client", extra={"client_key": key})
+                                except Exception:
+                                    logger.debug("Error calling client's close()", extra={"client_key": key}, exc_info=True)
+                        except Exception:
+                            logger.debug("Error while attempting to close a client", exc_info=True)
+            except Exception:
+                logger.debug("Error in final cleanup of clients", exc_info=True)
 
     def update_processing_progress(self, upload_id, step, message, progress=None, details=None, increments=None):
         """Update processing progress with detailed information"""

src/backend/middleware/__init__.py

@@ -223,17 +223,18 @@ async def __call__(self, request: web.Request, handler: Callable) -> web.Respons
     def _add_security_headers(self, response: web.Response) -> None:
         """Add comprehensive security headers to response."""
         # Comprehensive CSP policy that allows necessary resources while maintaining security
+        # Updated CSP: allow trusted CDNs (e.g. Monaco loader on cdn.jsdelivr.net) while keeping strict defaults.
         csp_policy = (
             "default-src 'self'; "
-            "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "  # Allow inline scripts and eval for React/Vite
+            "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://unpkg.com; "  # Allow Monaco loader from CDNs
             "style-src 'self' 'unsafe-inline' data:; "  # Allow inline styles and data URLs for fonts
             "img-src 'self' *.blob.core.windows.net *.azureedge.net data: blob: https:; "  # Allow Azure storage and common image sources
             "font-src 'self' data: https: *.gstatic.com *.googleapis.com; "  # Allow web fonts
-            "connect-src 'self' *.blob.core.windows.net *.azure.com *.azureedge.net *.openai.azure.com wss: ws:; "  # Allow API connections
+            "connect-src 'self' https://cdn.jsdelivr.net *.blob.core.windows.net *.azure.com *.azureedge.net *.openai.azure.com wss: ws: https:; "  # Allow API connections and CDN module loads
             "media-src 'self' *.blob.core.windows.net data: blob:; "  # Allow media files from storage
             "object-src 'none'; "  # Block plugins for security
             "frame-src 'self'; "  # Allow same-origin frames
-            "worker-src 'self' blob:; "  # Allow web workers
+            "worker-src 'self' blob: https://cdn.jsdelivr.net; "  # Allow web workers and worker scripts from CDN
             "child-src 'self' blob:; "  # Allow child contexts
             "manifest-src 'self'; "  # Allow web app manifest
             "form-action 'self'; "  # Restrict form submissions