public override void ExecuteCmdlet()
{
MSGraphMessageHelper.WriteMessageForCmdletsSwallowException(this);
switch (ParameterSetName)
{
case ParameterSet.InputObject:
RoleAssignmentName = InputObject.Name;
HsmName = InputObject.HsmName;
break;
case RemoveByNameParameterSet:
break;
default:
RoleAssignmentName = GetRoleAssignmentNameFromFilterParameters();
break;
}
if (string.IsNullOrEmpty(RoleAssignmentName))
{
throw new ArgumentException(Resources.RoleAssignmentNotFound);
}
ConfirmAction(
string.Format(Resources.RemoveRole, RoleDefinitionName ?? RoleDefinitionId, SignInName ?? ApplicationId ?? ObjectId, Scope),
HsmName, () =>
{
Track2DataClient.RemoveHsmRoleAssignment(HsmName, Scope, RoleAssignmentName);
if (PassThru)
{
WriteObject(true);
}
});
}
public override void ExecuteCmdlet()
{
MSGraphMessageHelper.WriteMessageForCmdletsSwallowException(this);
// convert definition name to id
if (ParameterSetName == ParameterSet.DefinitionNameApplicationId ||
ParameterSetName == ParameterSet.DefinitionNameObjectId ||
ParameterSetName == ParameterSet.DefinitionNameSignInName)
{
var definition = Track2DataClient.GetHsmRoleDefinitions(HsmName, Scope)
.FirstOrDefault(x => string.Equals(x.RoleName, RoleDefinitionName, StringComparison.OrdinalIgnoreCase));
if (definition == null)
{
throw new ArgumentException(string.Format(Resources.RoleDefinitionNotFound, RoleDefinitionName));
}
RoleDefinitionId = definition.Id;
}
// convert user sign in name to object id
if (ParameterSetName == ParameterSet.DefinitionIdSignInName ||
ParameterSetName == ParameterSet.DefinitionNameSignInName)
{
var user = GraphClient.Users.GetUser(SignInName);
if (user == null)
{
throw new ArgumentException(string.Format(Resources.UserNotFoundBy, SignInName));
}
ObjectId = user.Id;
}
// convert service principal app id to object id
if (ParameterSetName == ParameterSet.DefinitionIdApplicationId ||
ParameterSetName == ParameterSet.DefinitionNameApplicationId)
{
// can't use string.Equals() here as it will result in incorrect filter string
string filter = ODataHelper.FormatFilterString <MicrosoftGraphServicePrincipal>(s => s.AppId == ApplicationId);
var servicePrincipal = GraphClient.ServicePrincipals.ListServicePrincipal(filter: filter).Value.SingleOrDefault();
if (servicePrincipal == null)
{
throw new ArgumentException(string.Format(Resources.ApplicationNotFoundBy, ApplicationId));
}
ObjectId = servicePrincipal.Id;
}
base.ConfirmAction(
string.Format(Resources.AssignRole, RoleDefinitionName ?? RoleDefinitionId, SignInName ?? ApplicationId ?? ObjectId, Scope),
HsmName, () =>
{
PSKeyVaultRoleAssignment roleAssignment = Track2DataClient.CreateHsmRoleAssignment(HsmName, Scope, RoleDefinitionId, ObjectId);
GetAssignmentDetails(roleAssignment, HsmName, Scope);
WriteObject(roleAssignment);
});
}
public override void ExecuteCmdlet()
{
MSGraphMessageHelper.WriteMessageForCmdletsSwallowException(this);
switch (ParameterSetName)
{
case ListParameterSet:
DoList();
break;
case GetByNameParameterSet:
DoGetByName();
break;
}
}
public override void ExecuteCmdlet()
{
MSGraphMessageHelper.WriteMessageForCmdletsSwallowException(this);
switch (ParameterSetName)
{
case GetVaultParameterSet:
List <PSKeyVaultIdentityItem> vaults = null;
if (string.IsNullOrWhiteSpace(ResourceGroupName))
{
vaults = ListVaults(ResourceGroupName, Tag);
ResourceGroupName = vaults?.FirstOrDefault(r => r.VaultName.Equals(VaultName, StringComparison.OrdinalIgnoreCase))?.ResourceGroupName;
}
if (ShouldGetByName(ResourceGroupName, VaultName))
{
PSKeyVault vault = KeyVaultManagementClient.GetVault(
VaultName,
ResourceGroupName,
GraphClient);
WriteObject(FilterByTag(vault, Tag));
}
else
{
WriteObject(TopLevelWildcardFilter(ResourceGroupName, VaultName, vaults ?? ListVaults(ResourceGroupName, Tag)), true);
}
break;
case GetDeletedVaultParameterSet:
WriteObject(KeyVaultManagementClient.GetDeletedVault(VaultName, Location));
break;
case ListDeletedVaultsParameterSet:
WriteObject(KeyVaultManagementClient.ListDeletedVaults(), true);
break;
default:
throw new ArgumentException(Resources.BadParameterSetName);
}
}
public override void ExecuteCmdlet()
{
MSGraphMessageHelper.WriteMessageForCmdletsSwallowException(this);
switch (ParameterSetName)
{
case GetVaultParameterSet:
ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
if (ShouldGetByName(ResourceGroupName, VaultName))
{
PSKeyVault vault = KeyVaultManagementClient.GetVault(
VaultName,
ResourceGroupName,
GraphClient);
WriteObject(FilterByTag(vault, Tag));
}
else
{
WriteObject(TopLevelWildcardFilter(ResourceGroupName, VaultName, ListVaults(ResourceGroupName, Tag)), true);
}
break;
case GetDeletedVaultParameterSet:
WriteObject(KeyVaultManagementClient.GetDeletedVault(VaultName, Location));
break;
case ListDeletedVaultsParameterSet:
WriteObject(KeyVaultManagementClient.ListDeletedVaults(), true);
break;
default:
throw new ArgumentException(Resources.BadParameterSetName);
}
}
public override void ExecuteCmdlet()
{
MSGraphMessageHelper.WriteMessageForCmdletsSwallowException(this);
if (ShouldProcess(Name, Properties.Resources.CreateKeyVault))
{
if (VaultExistsInCurrentSubscription(Name))
{
throw new ArgumentException(Resources.VaultAlreadyExists);
}
var userObjectId = string.Empty;
AccessPolicyEntry accessPolicy = null;
try
{
userObjectId = GetCurrentUsersObjectId();
}
catch (Exception ex)
{
// Show the graph exceptions as a warning, but still proceed to create a vault with no access policy
// This is to unblock Key Vault in Fairfax as Graph has issues in this environment.
WriteWarning(ex.Message);
}
if (!string.IsNullOrWhiteSpace(userObjectId))
{
accessPolicy = new AccessPolicyEntry()
{
TenantId = GetTenantId(),
ObjectId = userObjectId,
Permissions = new Permissions
{
Keys = DefaultPermissionsToKeys,
Secrets = DefaultPermissionsToSecrets,
Certificates = DefaultPermissionsToCertificates,
Storage = DefaultPermissionsToStorage
}
};
}
var newVault = KeyVaultManagementClient.CreateNewVault(new VaultCreationOrUpdateParameters()
{
Name = this.Name,
ResourceGroupName = this.ResourceGroupName,
Location = this.Location,
EnabledForDeployment = this.EnabledForDeployment.IsPresent,
EnabledForTemplateDeployment = EnabledForTemplateDeployment.IsPresent,
EnabledForDiskEncryption = EnabledForDiskEncryption.IsPresent,
EnableSoftDelete = null,
EnablePurgeProtection = EnablePurgeProtection.IsPresent ? true : (bool?)null, // false is not accepted
EnableRbacAuthorization = EnableRbacAuthorization.IsPresent,
/*
* If retention days is not specified, use the default value,
* else use the vault user provides
*/
SoftDeleteRetentionInDays = this.IsParameterBound(c => c.SoftDeleteRetentionInDays)
? SoftDeleteRetentionInDays
: Constants.DefaultSoftDeleteRetentionDays,
SkuFamilyName = DefaultSkuFamily,
SkuName = this.Sku,
TenantId = GetTenantId(),
AccessPolicy = accessPolicy,
NetworkAcls = new NetworkRuleSet(), // New key-vault takes in default network rule set
Tags = this.Tag
},
GraphClient,
NetworkRuleSet);
this.WriteObject(newVault);
if (accessPolicy == null)
{
WriteWarning(Resources.VaultNoAccessPolicyWarning);
}
}
}
public override void ExecuteCmdlet()
{
MSGraphMessageHelper.WriteMessageForCmdletsSwallowException(this);
if (ShouldProcess(VaultName, Properties.Resources.RemoveVaultAccessPolicy))
{
if (InputObject != null)
{
VaultName = InputObject.VaultName;
ResourceGroupName = InputObject.ResourceGroupName;
}
else if (!string.IsNullOrEmpty(ResourceId))
{
var parsedResourceId = new ResourceIdentifier(ResourceId);
VaultName = parsedResourceId.ResourceName;
ResourceGroupName = parsedResourceId.ResourceGroupName;
}
ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
// Get the vault to be updated
PSKeyVault existingVault = null;
if (!string.IsNullOrWhiteSpace(ResourceGroupName))
{
existingVault = KeyVaultManagementClient.GetVault(
VaultName,
ResourceGroupName);
}
if (existingVault == null)
{
throw new ArgumentException(string.Format(Resources.VaultNotFound, VaultName, ResourceGroupName));
}
if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
{
throw new ArgumentException(Resources.InvalidApplicationId);
}
if (!string.IsNullOrWhiteSpace(this.ObjectId) && !this.IsValidObjectIdSyntax(this.ObjectId))
{
throw new ArgumentException(Resources.InvalidObjectIdSyntax);
}
// Update vault policies
var updatedPolicies = existingVault.AccessPolicies;
if (!string.IsNullOrEmpty(UserPrincipalName) ||
!string.IsNullOrEmpty(ServicePrincipalName) ||
!string.IsNullOrWhiteSpace(this.ObjectId) ||
!string.IsNullOrWhiteSpace(this.EmailAddress))
{
if (string.IsNullOrWhiteSpace(this.ObjectId))
{
if (GraphClient == null)
{
throw new Exception(Resources.ActiveDirectoryClientNull);
}
ObjectId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.EmailAddress, this.ServicePrincipalName);
}
updatedPolicies = existingVault.AccessPolicies.Where(ap => !ShallBeRemoved(ap, ObjectId, this.ApplicationId)).ToArray();
}
// Update the vault
var updatedVault = KeyVaultManagementClient.UpdateVault(
existingVault,
updatedPolicies,
EnabledForDeployment.IsPresent ? false : existingVault.EnabledForDeployment,
EnabledForTemplateDeployment.IsPresent ? false : existingVault.EnabledForTemplateDeployment,
EnabledForDiskEncryption.IsPresent ? false : existingVault.EnabledForDiskEncryption,
existingVault.EnableSoftDelete,
existingVault.EnablePurgeProtection,
existingVault.EnableRbacAuthorization,
existingVault.SoftDeleteRetentionInDays,
existingVault.NetworkAcls,
GraphClient);
if (PassThru.IsPresent)
{
WriteObject(updatedVault);
}
}
}
/// <summary>
/// Entry point for the cmdlet
/// </summary>
public override void ExecuteCmdlet()
{
MSGraphMessageHelper.WriteMessageForCmdletsSwallowException(this);
base.ExecuteCmdlet();
}
public override void ExecuteCmdlet()
{
MSGraphMessageHelper.WriteMessageForCmdletsSwallowException(this);
if (InputObject != null)
{
VaultName = InputObject.VaultName;
ResourceGroupName = InputObject.ResourceGroupName;
}
else if (ResourceId != null)
{
var resourceIdentifier = new ResourceIdentifier(ResourceId);
VaultName = resourceIdentifier.ResourceName;
ResourceGroupName = resourceIdentifier.ResourceGroupName;
}
if (ShouldProcess(VaultName, Properties.Resources.SetVaultAccessPolicy))
{
if (ParameterSetName == ForVault && !EnabledForDeployment.IsPresent &&
!EnabledForTemplateDeployment.IsPresent && !EnabledForDiskEncryption.IsPresent)
{
throw new ArgumentException(Resources.VaultPermissionFlagMissing);
}
ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
if (ResourceGroupName == null)
{
throw new ArgumentException(string.Format(Resources.VaultDoesNotExist, VaultName));
}
PSKeyVault vault = null;
// Get the vault to be updated
if (!string.IsNullOrWhiteSpace(ResourceGroupName))
{
vault = KeyVaultManagementClient.GetVault(
VaultName,
ResourceGroupName);
}
if (vault == null)
{
throw new ArgumentException(string.Format(Resources.VaultNotFound, VaultName, ResourceGroupName));
}
if (!string.IsNullOrWhiteSpace(this.ObjectId) && !this.IsValidObjectIdSyntax(this.ObjectId))
{
throw new ArgumentException(Resources.InvalidObjectIdSyntax);
}
// Update vault policies
PSKeyVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
if (!string.IsNullOrEmpty(UserPrincipalName) ||
!string.IsNullOrEmpty(ServicePrincipalName) ||
!string.IsNullOrWhiteSpace(this.ObjectId) ||
!string.IsNullOrWhiteSpace(this.EmailAddress))
{
var objId = this.ObjectId;
if (!this.BypassObjectIdValidation.IsPresent && GraphClient != null)
{
objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.EmailAddress, this.ServicePrincipalName);
}
else if (GraphClient == null && objId == null)
{
throw new Exception(Resources.ActiveDirectoryClientNull);
}
if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
{
throw new ArgumentException(Resources.InvalidApplicationId);
}
//All permission arrays cannot be null
if (PermissionsToKeys == null && PermissionsToSecrets == null && PermissionsToCertificates == null && PermissionsToStorage == null)
{
throw new ArgumentException(Resources.PermissionsNotSpecified);
}
else
{
//Is there an existing policy for this policy identity?
var existingPolicy = vault.AccessPolicies.FirstOrDefault(ap => MatchVaultAccessPolicyIdentity(ap, objId, ApplicationId));
//New policy will have permission arrays that are either from cmdlet input
//or if that's null, then from the old policy for this object ID if one existed
var keys = PermissionsToKeys ?? (existingPolicy != null && existingPolicy.PermissionsToKeys != null ?
existingPolicy.PermissionsToKeys.ToArray() : null);
var secrets = PermissionsToSecrets ?? (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ?
existingPolicy.PermissionsToSecrets.ToArray() : null);
var certificates = PermissionsToCertificates ?? (existingPolicy != null && existingPolicy.PermissionsToCertificates != null ?
existingPolicy.PermissionsToCertificates.ToArray() : null);
var managedStorage = PermissionsToStorage ?? (existingPolicy != null && existingPolicy.PermissionsToStorage != null ?
existingPolicy.PermissionsToStorage.ToArray() : null);
//Remove old policies for this policy identity and add a new one with the right permissions, iff there were some non-empty permissions
updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => !MatchVaultAccessPolicyIdentity(ap, objId, this.ApplicationId)).ToArray();
if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0) || (certificates != null && certificates.Length > 0) || (managedStorage != null && managedStorage.Length > 0))
{
var policy = new PSKeyVaultAccessPolicy(vault.TenantId, objId, this.ApplicationId, keys, secrets, certificates, managedStorage);
updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray();
}
}
}
// Update the vault
var updatedVault = KeyVaultManagementClient.UpdateVault(
vault,
updatedListOfAccessPolicies,
EnabledForDeployment.IsPresent ? true : vault.EnabledForDeployment,
EnabledForTemplateDeployment.IsPresent ? true : vault.EnabledForTemplateDeployment,
EnabledForDiskEncryption.IsPresent ? true : vault.EnabledForDiskEncryption,
vault.EnableSoftDelete,
vault.EnablePurgeProtection,
vault.EnableRbacAuthorization,
vault.SoftDeleteRetentionInDays,
vault.NetworkAcls,
GraphClient);
if (PassThru.IsPresent)
{
WriteObject(updatedVault);
}
}
}