private async Task ReplaceSchedulingGroupAsync(IMicrosoftGraphClient client, string teamId, string teamsSchedulingGroupId, IList <string> userIds)
{
// to ensure that we minimise concurrency issues, we should ensure we have populated
// the members cache first
var teamMembers = await GetMemberIdsAsync(client, teamId);
var group = await client.GetSchedulingGroupAsync(teamId, teamsSchedulingGroupId);
var usersToAdd = userIds.Except(group.UserIds).ToList();
if (usersToAdd.Count > 0)
{
// ensure that all users are actually in the Team and remove any that aren't
RemoveInvalidUsers(usersToAdd, teamMembers);
if (usersToAdd.Count == 0)
{
return;
}
if (group.UserIds == null)
{
group.UserIds = userIds;
}
else
{
((List <string>)group.UserIds).AddRange(usersToAdd);
}
await client.ReplaceSchedulingGroupAsync(group, group.Etag, teamId, teamsSchedulingGroupId);
}
}
public PSKeyVault(Vault vault, IMicrosoftGraphClient graphClient)
{
var vaultTenantDisplayName = ModelExtensions.GetDisplayNameForTenant(vault.Properties.TenantId, graphClient);
VaultName = vault.Name;
Location = vault.Location;
ResourceId = vault.Id;
ResourceGroupName = (new ResourceIdentifier(vault.Id)).ResourceGroupName;
Tags = TagsConversionHelper.CreateTagHashtable(vault.Tags);
Sku = vault.Properties.Sku.Name.ToString();
TenantId = vault.Properties.TenantId;
TenantName = vaultTenantDisplayName;
VaultUri = vault.Properties.VaultUri;
EnabledForDeployment = vault.Properties.EnabledForDeployment ?? false;
EnabledForTemplateDeployment = vault.Properties.EnabledForTemplateDeployment;
EnabledForDiskEncryption = vault.Properties.EnabledForDiskEncryption;
EnableSoftDelete = vault.Properties.EnableSoftDelete;
EnablePurgeProtection = vault.Properties.EnablePurgeProtection;
EnableRbacAuthorization = vault.Properties.EnableRbacAuthorization;
PublicNetworkAccess = vault.Properties.PublicNetworkAccess;
SoftDeleteRetentionInDays = vault.Properties.SoftDeleteRetentionInDays;
AccessPolicies = vault.Properties.AccessPolicies.Select(s => new PSKeyVaultAccessPolicy(s, graphClient)).ToArray();
NetworkAcls = InitNetworkRuleSet(vault.Properties);
OriginalVault = vault;
}
/// <summary>
/// Get an existing vault. Returns null if vault is not found.
/// </summary>
/// <param name="vaultName">vault name</param>
/// <param name="resourceGroupName">resource group name</param>
/// <param name="graphClient">the active directory client</param>
/// <returns>the retrieved vault</returns>
public PSKeyVault GetVault(string vaultName, string resourceGroupName, IMicrosoftGraphClient graphClient = null)
{
if (string.IsNullOrWhiteSpace(vaultName))
{
throw new ArgumentNullException("vaultName");
}
if (string.IsNullOrWhiteSpace(resourceGroupName))
{
throw new ArgumentNullException("resourceGroupName");
}
try
{
var response = KeyVaultManagementClient.Vaults.Get(resourceGroupName, vaultName);
return(new PSKeyVault(response, graphClient));
}
catch (CloudException ce)
{
if (ce.Response.StatusCode == HttpStatusCode.NotFound)
{
return(null);
}
throw;
}
}
public static async Task <ShiftCollectionResponse> ListShiftsNextPageAsync(this IMicrosoftGraphClient operations, string url, CancellationToken cancellationToken = default(CancellationToken))
{
using (var _result = await operations.ListNextPageWithHttpMessagesAsync <ShiftCollectionResponse>(url, cancellationToken).ConfigureAwait(false))
{
return(_result.Body);
}
}
private async Task ReplaceSchedulingGroupAsync(IMicrosoftGraphClient client, string teamId, string teamsSchedulingGroupId, IList <string> userIds)
{
var teamMembers = await _cacheService.GetKeyAsync <List <string> >(ApplicationConstants.TableNameEmployeeLists, teamId).ConfigureAwait(false);
var group = await client.GetSchedulingGroupAsync(teamId, teamsSchedulingGroupId).ConfigureAwait(false);
var usersToAdd = userIds.Except(group.UserIds).ToList();
if (usersToAdd.Count > 0)
{
// ensure that all users are actually in the Team and remove any that aren't
RemoveInvalidUsers(usersToAdd, teamMembers);
if (usersToAdd.Count == 0)
{
return;
}
if (group.UserIds == null)
{
group.UserIds = userIds;
}
else
{
((List <string>)group.UserIds).AddRange(usersToAdd);
}
await client.ReplaceSchedulingGroupAsync(group, group.Etag, teamId, teamsSchedulingGroupId).ConfigureAwait(false);
}
}
private async Task <List <string> > GetMemberIdsAsync(IMicrosoftGraphClient client, string teamId)
{
await LoadMembersAsync(client, teamId);
return(_teamMembers[teamId]
.Select(m => m.Value.DestinationId)
.ToList());
}
public static string GetDisplayNameForTenant(Guid id, IMicrosoftGraphClient graphClient)
{
if (id == null)
{
return(string.Empty);
}
return(id.ToString());
}
public static IEnumerable <MicrosoftGraphUser> FilterUsers(this IMicrosoftGraphClient client, MicrosoftObjectFilterOptions options)
{
if (!string.IsNullOrEmpty(options.Id))
{
try
{
MicrosoftGraphUser user = client.Users.GetUser(options.Id);
if (user != null)
{
return(new List <MicrosoftGraphUser> {
user
});
}
}
catch { /* The group does not exist, ignore the exception */ }
}
else if (!string.IsNullOrEmpty(options.UPN) || !string.IsNullOrEmpty(options.Mail))
{
IList <MicrosoftGraphUser> result = null;
try
{
string upnOrMail = options.UPN ?? options.Mail;
var odataQuery = new ODataQuery <MicrosoftGraphUser>();
if (!string.IsNullOrEmpty(options.UPN))
{
odataQuery.SetFilter(u => u.UserPrincipalName == upnOrMail);
}
else
{
odataQuery.SetFilter(u => u.Mail == upnOrMail);
}
result = client.Users.ListUser(filter: FormatFilterString(odataQuery)).Value;
}
catch { /* The user does not exist, ignore the exception. */ }
if (result != null)
{
return(result.Select(u => u));
}
}
else
{
ODataQuery <MicrosoftGraphUser> odataQuery = null;
if (!string.IsNullOrEmpty(options.SearchString) && options.SearchString.EndsWith("*"))
{
options.SearchString = options.SearchString.TrimEnd('*');
odataQuery = new ODataQuery <MicrosoftGraphUser>(u => u.DisplayName.StartsWith(options.SearchString));
}
else
{
odataQuery = new ODataQuery <MicrosoftGraphUser>(u => u.DisplayName == options.SearchString);
}
return(client.Users.ListUser(filter: FormatFilterString(odataQuery)).Value);
}
return(new List <MicrosoftGraphUser>());
}
private async Task RemoveUsersFromSchedulingGroupAsync(IMicrosoftGraphClient client, string teamId, string schedulingGroupId)
{
var group = await client.GetSchedulingGroupAsync(teamId, schedulingGroupId);
group.UserIds?.Clear();
var response = await client.ReplaceSchedulingGroupAsync(group, group.Etag, teamId, group.Id);
response.ThrowIfError();
}
public TimeTriggerFunctions(IHttpClientFactory httpClientFactory, IMicrosoftGraphClient microsoftGraphClient,
IInvestecOpenBankingClient
investecOpenBankingClient)
{
_httpClient = httpClientFactory.CreateClient();
_microsoftGraphClient = microsoftGraphClient;
_investecOpenBankingClient = investecOpenBankingClient;
_sharePointGroupId = Environment.GetEnvironmentVariable("SharePointGroupId");
}
private async Task <string> GetSchedulingGroupIdByNameAsync(IMicrosoftGraphClient client, string teamId, string groupName)
{
// update the cache with the most current set of groups from teams
var schedulingGroups = await RefreshCachedSchedulingGroupsAsync(client, teamId).ConfigureAwait(false);
var group = schedulingGroups.Find(g => g.Name.Equals(groupName, StringComparison.OrdinalIgnoreCase));
return(group?.Id);
}
/// <summary>
/// Gets the scheduling groups dictionary from cache if it is present there, otherwise gets
/// the list from Teams
/// </summary>
/// <param name="client">The client used to communicate with Teams</param>
/// <param name="teamId">The id of the team to get the scheduling groups for.</param>
/// <returns></returns>
private async Task <List <SchedulingGroupModel> > GetSchedulingGroupsAsync(IMicrosoftGraphClient client, string teamId)
{
// firstly get the scheduling groups from cache
var schedulingGroups = await _cacheService.GetKeyAsync <List <SchedulingGroupModel> >(ApplicationConstants.TableNameGroupLists, teamId).ConfigureAwait(false);
if (schedulingGroups == null || schedulingGroups.Count == 0)
{
schedulingGroups = await RefreshCachedSchedulingGroupsAsync(client, teamId).ConfigureAwait(false);
}
return(schedulingGroups);
}
public PSKeyVaultAccessPolicy(KeyVaultManagement.Models.AccessPolicyEntry s, IMicrosoftGraphClient graphClient)
{
ObjectId = s.ObjectId;
DisplayName = ModelExtensions.GetDisplayNameForADObject(s.ObjectId, graphClient);
ApplicationId = s.ApplicationId;
TenantId = s.TenantId;
TenantName = s.TenantId.ToString();
PermissionsToSecrets = s.Permissions.Secrets == null ? new List <string>() : new List <string>(s.Permissions.Secrets);
PermissionsToKeys = s.Permissions.Keys == null ? new List <string>() : new List <string>(s.Permissions.Keys);
PermissionsToCertificates = s.Permissions.Certificates == null ? new List <string>() : new List <string>(s.Permissions.Certificates);
PermissionsToStorage = s.Permissions.Storage == null ? new List <string>() : new List <string>(s.Permissions.Storage);
}
public static (string, string) GetDetailsFromADObjectId(string objectId, IMicrosoftGraphClient graphClient)
{
var displayName = "";
var upnOrSpn = "";
var objectType = "Unknown";
if (graphClient == null || string.IsNullOrWhiteSpace(objectId))
{
return(displayName, objectType);
}
try
{
var obj = graphClient.DirectoryObjects.GetDirectoryObject(objectId);
if (obj != null)
{
if (obj.Odatatype.Equals("#microsoft.graph.user", StringComparison.InvariantCultureIgnoreCase))
{
var user = graphClient.Users.GetUser(objectId);
displayName = user.DisplayName;
upnOrSpn = user.UserPrincipalName;
objectType = "User";
}
else if (obj.Odatatype.Equals("#microsoft.graph.serviceprincipal", StringComparison.InvariantCultureIgnoreCase))
{
var servicePrincipal = graphClient.ServicePrincipals.GetServicePrincipal(objectId);
displayName = servicePrincipal.DisplayName;
upnOrSpn = servicePrincipal.ServicePrincipalNames.FirstOrDefault();
objectType = "Service Principal";
}
else if (obj.Odatatype.Equals("#microsoft.graph.group", StringComparison.InvariantCultureIgnoreCase))
{
var group = graphClient.Groups.GetGroup(objectId);
displayName = group.DisplayName;
objectType = "Group";
}
}
}
catch
{
// Error occurred. Don't get the friendly name
}
return(
displayName + (!string.IsNullOrWhiteSpace(upnOrSpn) ? (" (" + upnOrSpn + ")") : ""),
objectType
);
}
public MicrosoftAuthenticationController(
MicrosoftGraphConfiguration configuration,
IMicrosoftGraphClient microsoftGraphClient,
IJwtService jwtService,
IMapper mapper,
IRngUtil rngUtil,
ISocialMediaUserLinkService socialMediaUserLinkService
)
{
_configuration = configuration;
_microsoftGraphClient = microsoftGraphClient;
_jwtService = jwtService;
_mapper = mapper;
_rngUtil = rngUtil;
_socialMediaUserLinkService = socialMediaUserLinkService;
}
private async Task LoadMembersAsync(IMicrosoftGraphClient client, string teamId)
{
if (!_teamMembers.ContainsKey(teamId))
{
// get the list of members of the team from teams - 999 is the maximum that can be returned in a single call
var response = await client.GetMembersAsync(teamId, "id,displayName,userPrincipalName", 999);
var employees = response.Value
.Select(m => new EmployeeModel
{
DestinationId = m.Id,
DisplayName = m.DisplayName,
LoginName = m.UserPrincipalName
});
_teamMembers.GetValueOrCreate(teamId)
.AddRange(employees, e => e.LoginName);
}
}
public static IEnumerable <MicrosoftGraphGroup> FilterGroups(this IMicrosoftGraphClient client, MicrosoftObjectFilterOptions options)
{
if (!string.IsNullOrEmpty(options.Id))
{
try
{
// use GetObjectsByObjectId to handle Redirects in the CSP scenario
MicrosoftGraphGroup group = client.Groups.GetGroup(options.Id);
if (group != null)
{
return(new List <MicrosoftGraphGroup> {
group
});
}
}
catch { /* The group does not exist, ignore the exception */ }
}
else
{
ODataQuery <MicrosoftGraphGroup> odataQuery = null;
if (options.Mail != null)
{
odataQuery = new ODataQuery <MicrosoftGraphGroup>(g => g.Mail == options.Mail);
}
else
{
if (!string.IsNullOrEmpty(options.SearchString) && options.SearchString.EndsWith("*"))
{
options.SearchString = options.SearchString.TrimEnd('*');
odataQuery = new ODataQuery <MicrosoftGraphGroup>(g => g.DisplayName.StartsWith(options.SearchString));
}
else
{
odataQuery = new ODataQuery <MicrosoftGraphGroup>(g => g.DisplayName == options.SearchString);
}
}
return(client.Groups.ListGroup(filter: FormatFilterString(odataQuery)).Value);
}
return(new List <MicrosoftGraphGroup>());
}
/// <summary>
/// Update an existing vault. Only EnablePurgeProtection, EnableRbacAuthorization and Tags can be updated currently.
/// </summary>
/// <param name="existingVault">the existing vault</param>
/// <param name="updatedParamater">updated paramater</param>
/// <param name="graphClient">the active directory client</param>
/// <returns>the updated vault</returns>
public PSKeyVault UpdateVault(
PSKeyVault existingVault,
VaultCreationOrUpdateParameters updatedParamater,
IMicrosoftGraphClient graphClient = null)
{
if (existingVault == null)
{
throw new ArgumentNullException("existingVault");
}
if (existingVault.OriginalVault == null)
{
throw new ArgumentNullException("existingVault.OriginalVault");
}
//Update the vault properties in the object received from server
var properties = existingVault.OriginalVault.Properties;
if (!(properties.EnablePurgeProtection.HasValue && properties.EnablePurgeProtection.Value) &&
updatedParamater.EnablePurgeProtection.HasValue &&
updatedParamater.EnablePurgeProtection.Value)
{
properties.EnablePurgeProtection = updatedParamater.EnablePurgeProtection;
}
properties.EnableRbacAuthorization = updatedParamater.EnableRbacAuthorization;
properties.PublicNetworkAccess = string.IsNullOrEmpty(updatedParamater.PublicNetworkAccess)?
existingVault.PublicNetworkAccess : updatedParamater.PublicNetworkAccess;
var response = KeyVaultManagementClient.Vaults.CreateOrUpdate(
resourceGroupName: existingVault.ResourceGroupName,
vaultName: existingVault.VaultName,
parameters: new VaultCreateOrUpdateParameters
{
Location = existingVault.Location,
Properties = properties,
Tags = TagsConversionHelper.CreateTagDictionary(updatedParamater.Tags, validate: true)
}
);
return(new PSKeyVault(response, graphClient));
}
private List <PSManagedHsm> ListManagedHsmsBySubscription(IMicrosoftGraphClient graphClient = null)
{
List <PSManagedHsm> managedHsms = new List <PSManagedHsm>();
IPage <ManagedHsm> response = KeyVaultManagementClient.ManagedHsms.ListBySubscriptionAsync().GetAwaiter().GetResult();
foreach (var managedHsm in response)
{
managedHsms.Add(new PSManagedHsm(managedHsm, graphClient));
}
while (response?.NextPageLink != null)
{
response = KeyVaultManagementClient.ManagedHsms.ListBySubscriptionNextAsync(response.NextPageLink).GetAwaiter().GetResult();
foreach (var managedHsm in response)
{
managedHsms.Add(new PSManagedHsm(managedHsm, graphClient));
}
}
return(managedHsms);
}
private async Task <string> GetSchedulingGroupIdByNameAsync(IMicrosoftGraphClient client, string teamId, string groupName)
{
// check the cached active groups first
var groups = await GetSchedulingGroupsAsync(client, teamId);
if (groups.ContainsKey(groupName))
{
return(groups[groupName]);
}
var response = await client.ListSchedulingGroupsAsync(teamId);
var group = response.Value.Where(g => g.IsActive && g.DisplayName.Equals(groupName, StringComparison.OrdinalIgnoreCase)).OrderByDescending(g => g.CreatedDateTime).FirstOrDefault();
if (group != null)
{
// we have found the group in teams, so update the cache while we are here
groups[groupName] = group.Id;
return(group.Id);
}
return(null);
}
public PSManagedHsm(ManagedHsm managedHsm, IMicrosoftGraphClient graphClient)
{
// PSKeyVaultIdentityItem's properties
ResourceId = managedHsm.Id;
VaultName = managedHsm.Name;
ResourceGroupName = (new ResourceIdentifier(managedHsm.Id)).ResourceGroupName;
Location = managedHsm.Location;
Tags = TagsConversionHelper.CreateTagHashtable(managedHsm.Tags);
// PSManagedHsm's properties, hides type
Name = managedHsm.Name;
Sku = managedHsm.Sku.Name.ToString();
TenantId = managedHsm.Properties.TenantId.Value;
TenantName = ModelExtensions.GetDisplayNameForTenant(TenantId, graphClient);
InitialAdminObjectIds = managedHsm.Properties.InitialAdminObjectIds.ToArray <string>();
HsmUri = managedHsm.Properties.HsmUri;
EnablePurgeProtection = managedHsm.Properties.EnablePurgeProtection;
EnableSoftDelete = managedHsm.Properties.EnableSoftDelete;
SoftDeleteRetentionInDays = managedHsm.Properties.SoftDeleteRetentionInDays;
StatusMessage = managedHsm.Properties.StatusMessage;
ProvisioningState = managedHsm.Properties.ProvisioningState;
OriginalManagedHsm = managedHsm;
}
/// <summary>
/// Update an existing Managed HSM.
/// </summary>
/// <param name="existingManagedHsm">existing Managed HSM</param>
/// <param name="parameters">HSM update parameters</param>
/// <param name="graphClient">the active directory client</param>
/// <returns>the updated Managed HSM</returns>
public PSManagedHsm UpdateManagedHsm(PSManagedHsm existingManagedHsm, VaultCreationOrUpdateParameters parameters, IMicrosoftGraphClient graphClient = null)
{
if (existingManagedHsm == null)
{
throw new ArgumentNullException("existingManagedHsm");
}
if (existingManagedHsm.OriginalManagedHsm == null)
{
throw new ArgumentNullException("existingManagedHsm.OriginalManagedHsm");
}
//Update the vault properties in the object received from server
var properties = existingManagedHsm.OriginalManagedHsm.Properties;
properties.EnablePurgeProtection = parameters.EnablePurgeProtection;
var response = KeyVaultManagementClient.ManagedHsms.Update(
resourceGroupName: existingManagedHsm.ResourceGroupName,
name: existingManagedHsm.Name,
parameters: new ManagedHsm
{
Location = existingManagedHsm.Location,
Sku = new ManagedHsmSku
{
Name = (ManagedHsmSkuName)Enum.Parse(typeof(ManagedHsmSkuName), existingManagedHsm.Sku)
},
Tags = TagsConversionHelper.CreateTagDictionary(parameters.Tags, validate: true),
Properties = properties
});
return(new PSManagedHsm(response, graphClient));
}
/// <summary>
/// Create a new vault
/// </summary>
/// <param name="parameters">vault creation parameters</param>
/// <param name="graphClient">the active directory client</param>
/// <returns></returns>
public PSKeyVault CreateNewVault(VaultCreationOrUpdateParameters parameters, IMicrosoftGraphClient graphClient = null, PSKeyVaultNetworkRuleSet networkRuleSet = null)
{
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
if (string.IsNullOrWhiteSpace(parameters.Name))
{
throw new ArgumentNullException("parameters.Name");
}
if (string.IsNullOrWhiteSpace(parameters.ResourceGroupName))
{
throw new ArgumentNullException("parameters.ResourceGroupName");
}
if (string.IsNullOrWhiteSpace(parameters.Location))
{
throw new ArgumentNullException("parameters.Location");
}
var properties = new VaultProperties();
if (parameters.CreateMode != CreateMode.Recover)
{
if (string.IsNullOrWhiteSpace(parameters.SkuFamilyName))
{
throw new ArgumentNullException("parameters.SkuFamilyName");
}
if (parameters.TenantId == Guid.Empty)
{
throw new ArgumentException("parameters.TenantId");
}
if (!string.IsNullOrWhiteSpace(parameters.SkuName))
{
if (Enum.TryParse(parameters.SkuName, true, out SkuName skuName))
{
properties.Sku = new Sku(skuName);
}
else
{
throw new InvalidEnumArgumentException("parameters.SkuName");
}
}
properties.EnabledForDeployment = parameters.EnabledForDeployment;
properties.EnabledForTemplateDeployment = parameters.EnabledForTemplateDeployment;
properties.EnabledForDiskEncryption = parameters.EnabledForDiskEncryption;
properties.EnableSoftDelete = parameters.EnableSoftDelete;
properties.EnablePurgeProtection = parameters.EnablePurgeProtection;
properties.EnableRbacAuthorization = parameters.EnableRbacAuthorization;
properties.SoftDeleteRetentionInDays = parameters.SoftDeleteRetentionInDays;
properties.TenantId = parameters.TenantId;
properties.VaultUri = "";
properties.AccessPolicies = (parameters.AccessPolicy != null) ? new[] { parameters.AccessPolicy } : new AccessPolicyEntry[] { };
properties.NetworkAcls = parameters.NetworkAcls;
if (networkRuleSet != null)
{
UpdateVaultNetworkRuleSetProperties(properties, networkRuleSet);
}
}
else
{
properties.CreateMode = CreateMode.Recover;
}
var response = KeyVaultManagementClient.Vaults.CreateOrUpdate(
resourceGroupName: parameters.ResourceGroupName,
vaultName: parameters.Name,
parameters: new VaultCreateOrUpdateParameters
{
Location = parameters.Location,
Tags = TagsConversionHelper.CreateTagDictionary(parameters.Tags, validate: true),
Properties = properties
});
return(new PSKeyVault(response, graphClient));
}
/// <summary>
/// List all existing Managed HSMs.
/// </summary>
/// <param name="resourceGroupName">resource group name</param>
/// <param name="graphClient">the active directory client</param>
/// <returns>the retrieved Managed HSM</returns>
public List <PSManagedHsm> ListManagedHsms(string resourceGroupName, IMicrosoftGraphClient graphClient = null)
{
return(resourceGroupName == null?ListManagedHsmsBySubscription(graphClient) :
ListManagedHsmsByResourceGroup(resourceGroupName, graphClient));
}
/// <summary>
/// Get an existing managed HSM. Returns null if managed HSM is not found.
/// </summary>
/// <param name="managedHsmName">managed HSM name</param>
/// <param name="resourceGroupName">resource group name</param>
/// <param name="graphClient">the active directory client</param>
/// <returns>the retrieved Managed HSM</returns>
public PSManagedHsm GetManagedHsm(string managedHsmName, string resourceGroupName, IMicrosoftGraphClient graphClient = null)
{
if (string.IsNullOrWhiteSpace(managedHsmName))
{
throw new ArgumentNullException("vaultName");
}
if (string.IsNullOrWhiteSpace(resourceGroupName))
{
throw new ArgumentNullException("resourceGroupName");
}
try
{
var response = KeyVaultManagementClient.ManagedHsms.Get(resourceGroupName, managedHsmName);
return(new PSManagedHsm(response, graphClient));
}
catch (ManagedHsmErrorException ce) when(ce.IsNotFoundException())
{
return(null);
}
}
/// <summary>
/// Create a Managed HSM pool
/// </summary>
/// <param name="parameters">vault creation parameters</param>
/// <param name="graphClient">the active directory client</param>
/// <returns></returns>
public PSManagedHsm CreateNewManagedHsm(VaultCreationOrUpdateParameters parameters, IMicrosoftGraphClient graphClient = null)
{
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
if (string.IsNullOrWhiteSpace(parameters.Name))
{
throw new ArgumentNullException("parameters.Name");
}
if (string.IsNullOrWhiteSpace(parameters.ResourceGroupName))
{
throw new ArgumentNullException("parameters.ResourceGroupName");
}
if (string.IsNullOrWhiteSpace(parameters.Location))
{
throw new ArgumentNullException("parameters.Location");
}
if (parameters.Administrator.Length == 0)
{
throw new ArgumentNullException("parameters.Administrator");
}
var properties = new ManagedHsmProperties();
var managedHsmSku = new ManagedHsmSku();
if (parameters.CreateMode != CreateMode.Recover)
{
if (string.IsNullOrWhiteSpace(parameters.SkuFamilyName))
{
throw new ArgumentNullException("parameters.SkuFamilyName");
}
if (parameters.TenantId == Guid.Empty)
{
throw new ArgumentException("parameters.TenantId");
}
if (!string.IsNullOrWhiteSpace(parameters.SkuName))
{
if (Enum.TryParse(parameters.SkuName, true, out ManagedHsmSkuName skuName))
{
managedHsmSku.Name = skuName;
}
else
{
throw new InvalidEnumArgumentException("parameters.SkuName");
}
}
properties.TenantId = parameters.TenantId;
properties.InitialAdminObjectIds = parameters.Administrator;
properties.EnableSoftDelete = parameters.EnableSoftDelete;
properties.SoftDeleteRetentionInDays = parameters.SoftDeleteRetentionInDays;
properties.EnablePurgeProtection = parameters.EnablePurgeProtection;
}
else
{
properties.CreateMode = CreateMode.Recover;
}
var response = KeyVaultManagementClient.ManagedHsms.CreateOrUpdate(
resourceGroupName: parameters.ResourceGroupName,
name: parameters.Name,
parameters: new ManagedHsm
{
Location = parameters.Location,
Sku = managedHsmSku,
Tags = TagsConversionHelper.CreateTagDictionary(parameters.Tags, validate: true),
Properties = properties
});
return(new PSManagedHsm(response, graphClient));
}
/// <summary>
/// Update an existing Managed HSM.
/// </summary>
/// <param name="existingManagedHsm">existing Managed HSM</param>
/// <param name="parameters">HSM update parameters</param>
/// <param name="graphClient">the active directory client</param>
/// <returns>the updated Managed HSM</returns>
public PSManagedHsm UpdateManagedHsm(PSManagedHsm existingManagedHsm, VaultCreationOrUpdateParameters parameters, IMicrosoftGraphClient graphClient = null)
{
if (existingManagedHsm == null)
{
throw new ArgumentNullException("existingManagedHsm");
}
if (existingManagedHsm.OriginalManagedHsm == null)
{
throw new ArgumentNullException("existingManagedHsm.OriginalManagedHsm");
}
//Update the vault properties in the object received from server
var properties = existingManagedHsm.OriginalManagedHsm.Properties;
properties.EnablePurgeProtection = parameters.EnablePurgeProtection;
if (!string.IsNullOrEmpty(parameters.PublicNetworkAccess))
{
properties.PublicNetworkAccess = parameters.PublicNetworkAccess;
properties.NetworkAcls.DefaultAction = PublicNetworkAccess.Enabled.ToString().Equals(parameters.PublicNetworkAccess) ?
NetworkRuleAction.Allow.ToString() : NetworkRuleAction.Deny.ToString();
}
var response = KeyVaultManagementClient.ManagedHsms.Update(
resourceGroupName: existingManagedHsm.ResourceGroupName,
name: existingManagedHsm.Name,
parameters: new ManagedHsm
{
Location = existingManagedHsm.Location,
Sku = new ManagedHsmSku
{
Name = (ManagedHsmSkuName)Enum.Parse(typeof(ManagedHsmSkuName), existingManagedHsm.Sku)
},
Tags = TagsConversionHelper.CreateTagDictionary(parameters.Tags, validate: true),
Properties = properties
});
return(new PSManagedHsm(response, graphClient));
}
public static string GetDisplayNameForADObject(string objectId, IMicrosoftGraphClient graphClient) => GetDetailsFromADObjectId(objectId, graphClient).Item1;
public static TimeOffCollectionResponse ListTimeOffNextPage(this IMicrosoftGraphClient operations, string url)
{
return(operations.ListTimeOffNextPageAsync(url).GetAwaiter().GetResult());
}
/// <summary>
/// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently.
/// </summary>
/// <param name="existingVault">the existing vault</param>
/// <param name="updatedPolicies">the update access policies</param>
/// <param name="updatedEnabledForDeployment">enabled for deployment</param>
/// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param>
/// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param>
/// <param name="updatedNetworkAcls">updated network rule set</param>
/// <param name="graphClient">the active directory client</param>
/// <returns>the updated vault</returns>
public PSKeyVault UpdateVault(
PSKeyVault existingVault,
PSKeyVaultAccessPolicy[] updatedPolicies,
bool?updatedEnabledForDeployment,
bool?updatedEnabledForTemplateDeployment,
bool?updatedEnabledForDiskEncryption,
bool?updatedSoftDeleteSwitch,
bool?updatedPurgeProtectionSwitch,
bool?updatedRbacAuthorization,
int?softDeleteRetentionInDays,
PSKeyVaultNetworkRuleSet updatedNetworkAcls,
IMicrosoftGraphClient graphClient = null)
{
if (existingVault == null)
{
throw new ArgumentNullException("existingVault");
}
if (existingVault.OriginalVault == null)
{
throw new ArgumentNullException("existingVault.OriginalVault");
}
//Update the vault properties in the object received from server
//Only access policies and EnabledForDeployment can be changed
var properties = existingVault.OriginalVault.Properties;
properties.EnabledForDeployment = updatedEnabledForDeployment;
properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment;
properties.EnabledForDiskEncryption = updatedEnabledForDiskEncryption;
properties.SoftDeleteRetentionInDays = softDeleteRetentionInDays;
// soft delete flags can only be applied if they enable their respective behaviors
// and if different from the current corresponding properties on the vault.
if (!(properties.EnableSoftDelete.HasValue && properties.EnableSoftDelete.Value) &&
updatedSoftDeleteSwitch.HasValue &&
updatedSoftDeleteSwitch.Value)
{
properties.EnableSoftDelete = updatedSoftDeleteSwitch;
}
if (!(properties.EnablePurgeProtection.HasValue && properties.EnablePurgeProtection.Value) &&
updatedPurgeProtectionSwitch.HasValue &&
updatedPurgeProtectionSwitch.Value)
{
properties.EnablePurgeProtection = updatedPurgeProtectionSwitch;
}
// Update EnableRbacAuthorization when specified, otherwise stay current value
properties.EnableRbacAuthorization = updatedRbacAuthorization;
properties.AccessPolicies = (updatedPolicies == null) ?
new List <AccessPolicyEntry>() :
updatedPolicies.Select(a => new AccessPolicyEntry
{
TenantId = a.TenantId,
ObjectId = a.ObjectId,
ApplicationId = a.ApplicationId,
Permissions = new Permissions
{
Keys = a.PermissionsToKeys.ToArray(),
Secrets = a.PermissionsToSecrets.ToArray(),
Certificates = a.PermissionsToCertificates.ToArray(),
Storage = a.PermissionsToStorage.ToArray(),
}
}).ToList();
UpdateVaultNetworkRuleSetProperties(properties, updatedNetworkAcls);
var response = KeyVaultManagementClient.Vaults.CreateOrUpdate(
resourceGroupName: existingVault.ResourceGroupName,
vaultName: existingVault.VaultName,
parameters: new VaultCreateOrUpdateParameters
{
Location = existingVault.Location,
Properties = properties,
Tags = TagsConversionHelper.CreateTagDictionary(existingVault.Tags, validate: true)
}
);
return(new PSKeyVault(response, graphClient));
}
