/// <summary>
/// Filters role assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <returns>The filtered role assignments</returns>
public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options)
{
List <PSRoleAssignment> result = new List <PSRoleAssignment>();
ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();
if (options.ADObjectFilter.HasFilter)
{
// Filter first by principal
parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? ActiveDirectoryClient.GetObjectId(options.ADObjectFilter) : Guid.Parse(options.ADObjectFilter.Id);
result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
.RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
// Filter out by scope
if (!string.IsNullOrEmpty(options.Scope))
{
result.RemoveAll(r => !options.Scope.StartsWith(r.Scope));
}
}
else if (!string.IsNullOrEmpty(options.Scope))
{
// Filter by scope and above directly
parameters.AtScope = true;
result.AddRange(AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters)
.RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
}
else
{
result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
.RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
}
if (!string.IsNullOrEmpty(options.RoleDefinition))
{
result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinition, StringComparison.OrdinalIgnoreCase)).ToList();
}
return(result);
}
/// <summary>
/// Filters role assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <param name="currentSubscription">The current subscription</param>
/// <returns>The filtered role assignments</returns>
#if !NETSTANDARD
public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
{
List <PSRoleAssignment> result = new List <PSRoleAssignment>();
List <RoleAssignment> roleAssignments = new List <RoleAssignment>();
ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();
PSADObject adObject = null;
if (options.ADObjectFilter.HasFilter)
{
if (string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups || options.IncludeClassicAdministrators)
{
adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
if (adObject == null)
{
throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
}
}
// Filter first by principal
if (options.ExpandPrincipalGroups)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
}
parameters.AssignedToPrincipalId = adObject.Id;
}
else
{
parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id : Guid.Parse(options.ADObjectFilter.Id);
}
var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
}
// Filter out by scope
if (!string.IsNullOrWhiteSpace(options.Scope))
{
roleAssignments.RemoveAll(r => !options.Scope.StartsWith(r.Properties.Scope, StringComparison.InvariantCultureIgnoreCase));
}
}
else if (!string.IsNullOrEmpty(options.Scope))
{
// Filter by scope and above directly
parameters.AtScope = true;
var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextLink);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
}
}
else
{
var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
}
}
// To look for RoleDefinitions at the stated scope - if scope is Null then default to subscription scope
string scopeForRoleDefinitions = string.IsNullOrEmpty(options.Scope) ? AuthorizationHelper.GetSubscriptionScope(currentSubscription) : options.Scope;
result.AddRange(roleAssignments.FilterRoleAssignmentsOnRoleId(options.RoleDefinitionId)
.ToPSRoleAssignments(this, ActiveDirectoryClient, scopeForRoleDefinitions, options.ExcludeAssignmentsForDeletedPrincipals));
if (!string.IsNullOrEmpty(options.RoleDefinitionName))
{
result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
}
if (options.IncludeClassicAdministrators)
{
// Get classic administrator access assignments
List <ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ClassicAdministrators.ToList();
List <PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList();
// Filter by principal if provided
if (options.ADObjectFilter.HasFilter)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
}
var userObject = adObject as PSADUser;
classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase)).ToList();
}
result.AddRange(classicAdministratorsAssignments);
}
return(result);
}
