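/// <summary>
/// Converts a service-side <see cref="RoleAssignment"/> into its PowerShell projection, enriching it with the
/// role definition name and the assignee's directory information where those can be read.
/// </summary>
/// <param name="assignment">The role assignment returned by the Authorization API.</param>
/// <param name="policyClient">Client used to resolve the role definition.</param>
/// <param name="activeDirectoryClient">Client used to resolve the assigned principal.</param>
/// <param name="scopeForRoleDefinition">
/// Optional scope at which the role definition is looked up; when empty the role definition id carried by
/// <paramref name="assignment"/> is used directly.
/// </param>
/// <returns>The populated <see cref="PSRoleAssignment"/>.</returns>
/// <remarks>
/// Lookup failures are deliberately tolerated so that a listing still shows the assignment itself: an
/// Unauthorized response from the role definition lookup leaves <c>RoleDefinitionName</c> null, and a directory
/// lookup that is denied or finds nothing yields an assignee of type <c>UnknownType</c>; any other OData error
/// leaves the directory fields null and falls back to the PrincipalType cached on the assignment. Readers doing
/// access reviews should treat a null role name / unknown principal as "could not be resolved", never as
/// "not granted".
/// </remarks>
public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, string scopeForRoleDefinition = null)
{
    PSRoleDefinition roleDefinition = null;
    PSADObject adObject = null;

    // Resolve the role definition name from its id (scoped lookup when a scope was supplied).
    try
    {
        roleDefinition = string.IsNullOrEmpty(scopeForRoleDefinition)
            ? policyClient.GetRoleDefinition(assignment.RoleDefinitionId)
            : policyClient.GetRoleDefinition(assignment.RoleDefinitionId.GetGuidFromId(), scopeForRoleDefinition);
    }
    // Response is dereferenced null-safely so the filter does not depend on the runtime swallowing an NRE thrown
    // inside the exception filter; a CloudException without a response still propagates.
    catch (CloudException ce) when (ce.Response?.StatusCode == HttpStatusCode.Unauthorized)
    {
        // Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments.
    }

    // Resolve the assigned principal in the directory.
    try
    {
        adObject = activeDirectoryClient.GetObjectByObjectId(assignment.PrincipalId);
    }
    catch (Common.MSGraph.Version1_0.DirectoryObjects.Models.OdataErrorException oe)
    {
        if (oe.IsAuthorizationDeniedException() || oe.IsNotFoundException())
        {
            // Keep the object id so the assignment stays attributable; the type is unknown to us.
            adObject = new PSADObject() { Id = assignment.PrincipalId, Type = UnknownType };
        }
        // Any other OData error is swallowed too; adObject stays null and the cached PrincipalType is used below.
    }

    return new PSRoleAssignment()
    {
        RoleAssignmentName = assignment.Name,
        RoleAssignmentId = assignment.Id,
        Scope = assignment.Scope,
        DisplayName = adObject?.DisplayName,
        SignInName = adObject is PSADUser user ? user.UserPrincipalName : null,
        RoleDefinitionName = roleDefinition?.Name,
        RoleDefinitionId = assignment.RoleDefinitionId.GuidFromFullyQualifiedId(),
        ObjectId = assignment.PrincipalId,
        // Prefer the live directory lookup; assignment.PrincipalType is a cached value.
        ObjectType = adObject?.Type ?? assignment.PrincipalType,
        // CanDelegate's value is absent from RoleAssignment
        // CanDelegate = null,
        Description = assignment.Description,
        ConditionVersion = assignment.ConditionVersion,
        Condition = assignment.Condition
    };
}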
/// <summary>
/// Filters deny assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <param name="currentSubscription">The current subscription</param>
/// <returns>The filtered deny assignments</returns>
/// <exception cref="KeyNotFoundException">The principal described by <c>options.ADObjectFilter</c> does not exist.</exception>
/// <exception cref="InvalidOperationException">Group expansion was requested for a principal that is not a user.</exception>
public List<PSDenyAssignment> FilterDenyAssignments(FilterDenyAssignmentsOptions options, string currentSubscription)
{
    // A concrete deny assignment id short-circuits every other filter: fetch it at the requested scope,
    // or at the subscription scope when none was supplied.
    if (options.DenyAssignmentId != Guid.Empty)
    {
        var lookupScope = string.IsNullOrEmpty(options.Scope)
            ? AuthorizationHelper.GetSubscriptionScope(currentSubscription)
            : options.Scope;
        var single = AuthorizationManagementClient.DenyAssignments
            .Get(lookupScope, options.DenyAssignmentId.ToString())
            .ToPSDenyAssignment(ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals);
        return new List<PSDenyAssignment> { single };
    }

    Rest.Azure.OData.ODataQuery<DenyAssignmentFilter> query = null;

    if (!string.IsNullOrEmpty(options.DenyAssignmentName))
    {
        query = new Rest.Azure.OData.ODataQuery<DenyAssignmentFilter>(item => item.DenyAssignmentName == options.DenyAssignmentName);
    }
    else if (options.ADObjectFilter.HasFilter)
    {
        PSADObject principal = null;

        // The directory is only consulted when no object id was handed in, or when group expansion needs
        // the object's type.
        bool needsLookup = string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups;
        if (needsLookup)
        {
            principal = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
            if (principal == null)
            {
                throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
            }
        }

        string principalId;
        if (options.ExpandPrincipalGroups)
        {
            // Transitive group membership can only be expanded for a user.
            if (!(principal is PSADUser))
            {
                throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
            }
            principalId = principal.Id.ToString();
            query = new Rest.Azure.OData.ODataQuery<DenyAssignmentFilter>(f => f.AssignedTo(principalId));
        }
        else
        {
            principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id)
                ? principal.Id.ToString()
                : options.ADObjectFilter.Id;
            query = new Rest.Azure.OData.ODataQuery<DenyAssignmentFilter>(f => f.PrincipalId == principalId);
        }
    }

    var result = new List<PSDenyAssignment>();
    result.AddRange(this.FilterDenyAssignmentsByScope(options, query, currentSubscription));
    return result;
}
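/// <summary>
/// Updates a role assignment.
/// </summary>
/// <param name="roleAssignment">The role assignment to update.</param>
/// <returns>The updated role assignment.</returns>
/// <remarks>
/// The update is issued as a create (PUT) of the same role assignment name, so it also succeeds when the
/// assignment does not exist yet. The target scope is <c>roleAssignment.Scope</c>, not any scope embedded in
/// <c>roleAssignment.RoleAssignmentId</c> (only its last path segment is used as the name); if the two disagree
/// the PUT lands at <c>roleAssignment.Scope</c>.
/// </remarks>
/// <exception cref="ArgumentNullException"><paramref name="roleAssignment"/> is null.</exception>
/// <exception cref="ArgumentException">
/// <c>RoleAssignmentId</c> is null, or no directory object matches <c>ObjectId</c> when <c>ObjectType</c> was not supplied.
/// </exception>
public PSRoleAssignment UpdateRoleAssignment(PSRoleAssignment roleAssignment)
{
    if (roleAssignment == null)
    {
        throw new ArgumentNullException(nameof(roleAssignment));
    }
    if (roleAssignment.RoleAssignmentId == null)
    {
        throw new ArgumentException("RoleAssignmentId must be set.", nameof(roleAssignment));
    }

    string principalType;
    if (roleAssignment.ObjectType == null)
    {
        // Set-AzRoleAssignment may be used as a create operation without an object type; derive it from the
        // directory object instead.
        PSADObject assignee = ActiveDirectoryClient.GetADObject(new ADObjectFilterOptions() { Id = roleAssignment.ObjectId });
        if (assignee == null)
        {
            throw new ArgumentException("No AD object could be found with current parameters, please confirm the information provided is correct and try again");
        }
        // Any other directory object kind is sent with a null PrincipalType; the service decides how to treat that.
        principalType = assignee is PSADUser ? "User"
            : assignee is PSADServicePrincipal ? "ServicePrincipal"
            : assignee is PSADGroup ? "Group"
            : null;
    }
    else
    {
        principalType = roleAssignment.ObjectType;
    }

    string principalId = roleAssignment.ObjectId;

    // The assignment name is the last segment of a fully qualified id; a bare name is used as-is.
    int lastSlash = roleAssignment.RoleAssignmentId.LastIndexOf('/');
    string roleAssignmentId = lastSlash != -1
        ? roleAssignment.RoleAssignmentId.Substring(lastSlash + 1)
        : roleAssignment.RoleAssignmentId;

    string scope = roleAssignment.Scope;
    string roleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, roleAssignment.RoleDefinitionId);

    // Blank optional fields are normalised to null rather than sent as whitespace strings.
    string description = string.IsNullOrWhiteSpace(roleAssignment.Description) ? null : roleAssignment.Description;
    string condition = string.IsNullOrWhiteSpace(roleAssignment.Condition) ? null : roleAssignment.Condition;
    string conditionVersion = string.IsNullOrWhiteSpace(roleAssignment.ConditionVersion) ? null : roleAssignment.ConditionVersion;

    var createParameters = new RoleAssignmentCreateParameters
    {
        PrincipalId = principalId,
        RoleDefinitionId = roleDefinitionId,
        PrincipalType = principalType,
        CanDelegate = roleAssignment.CanDelegate,
        Description = description,
        Condition = condition,
        ConditionVersion = conditionVersion
    };

    RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(scope, roleAssignmentId, createParameters);
    return assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
}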
/// <summary>
/// Projects a service-side <see cref="RoleAssignment"/> onto <see cref="PSRoleAssignment"/>, adding the role
/// definition name and the assignee's directory details when they can be looked up.
/// </summary>
/// <param name="assignment">The role assignment returned by the Authorization API.</param>
/// <param name="policyClient">Client used to resolve the role definition.</param>
/// <param name="activeDirectoryClient">Client used to resolve the assigned principal.</param>
/// <param name="scopeForRoleDefinition">
/// Optional scope at which the role definition is looked up; when empty the role definition id carried by
/// <paramref name="assignment"/> is used directly.
/// </param>
/// <returns>The populated <see cref="PSRoleAssignment"/>.</returns>
/// <remarks>
/// Both lookups are best-effort. The role definition lookup tolerates an Unauthorized response; the directory
/// lookup swallows every exception, so an assignment whose principal could not be read (denied, deleted,
/// transient failure) comes back with a null DisplayName and, unless the service supplied a PrincipalType,
/// an ObjectType of <c>UnknownType</c>. The output therefore cannot distinguish "deleted principal" from
/// "could not query the directory" — confirm directory permissions before concluding a principal is gone.
/// </remarks>
public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, string scopeForRoleDefinition = null)
{
    PSRoleDefinition definition = null;
    PSADObject principal = null;

    try
    {
        if (string.IsNullOrEmpty(scopeForRoleDefinition))
        {
            definition = policyClient.GetRoleDefinition(assignment.RoleDefinitionId);
        }
        else
        {
            definition = policyClient.GetRoleDefinition(assignment.RoleDefinitionId.GetGuidFromId(), scopeForRoleDefinition);
        }
    }
    catch (CloudException ce) when (ce.Response.StatusCode == HttpStatusCode.Unauthorized)
    {
        // Unauthorized on the role definition is tolerated when displaying role assignments.
    }

    try
    {
        principal = activeDirectoryClient.GetObjectByObjectId(assignment.PrincipalId);
    }
    catch
    {
        // Best-effort: a directory lookup failure of any kind leaves principal null (see remarks).
    }

    // The service-supplied PrincipalType wins; otherwise the directory type, otherwise "unknown".
    string objectType = string.IsNullOrEmpty(assignment.PrincipalType)
        ? (principal?.Type ?? UnknownType)
        : assignment.PrincipalType;

    var user = principal as PSADUser;

    return new PSRoleAssignment()
    {
        RoleAssignmentName = assignment.Name,
        RoleAssignmentId = assignment.Id,
        Scope = assignment.Scope,
        DisplayName = principal?.DisplayName,
        SignInName = user?.UserPrincipalName,
        RoleDefinitionName = definition?.Name,
        RoleDefinitionId = assignment.RoleDefinitionId,
        ObjectId = assignment.PrincipalId,
        ObjectType = objectType,
        // CanDelegate's value is absent from RoleAssignment
        // CanDelegate = null,
        Description = assignment.Description,
        ConditionVersion = assignment.ConditionVersion,
        Condition = assignment.Condition
    };
}
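/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">
/// The create parameters. The assignee is resolved from <c>ADObjectFilter</c>; the role comes from
/// <c>RoleDefinitionName</c> when set, otherwise from <c>RoleDefinitionId</c>.
/// </param>
/// <param name="roleAssignmentId">Optional name (GUID) for the new assignment; a fresh GUID is generated when omitted.</param>
/// <returns>The created role assignment object</returns>
/// <exception cref="ArgumentException">No directory object matches <c>parameters.ADObjectFilter</c>.</exception>
/// <remarks>
/// Unlike earlier revisions this does not write normalised Description/Condition/ConditionVersion values back
/// onto <paramref name="parameters"/>; the caller's options object is left untouched.
/// </remarks>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
{
    PSADObject assignee = ActiveDirectoryClient.GetADObject(parameters.ADObjectFilter);
    if (assignee == null)
    {
        throw new ArgumentException(ProjectResources.NoADObjectFound);
    }

    string principalId = assignee.Id;
    // Any other directory object kind is sent with a null PrincipalType; the service decides how to treat that.
    string principalType = assignee is PSADUser ? "User"
        : assignee is PSADServicePrincipal ? "ServicePrincipal"
        : assignee is PSADGroup ? "Group"
        : null;

    roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;

    string scope = parameters.Scope;
    string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
        ? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
        : AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);

    // Blank optional fields are normalised to null in locals instead of mutating the caller's object.
    string description = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
    string condition = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
    string conditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;

    var createParameters = new RoleAssignmentCreateParameters
    {
        PrincipalId = principalId,
        PrincipalType = principalType,
        RoleDefinitionId = roleDefinitionId,
        CanDelegate = parameters.CanDelegate,
        Description = description,
        Condition = condition,
        ConditionVersion = conditionVersion
    };

    RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId.ToString(), createParameters);
    return assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
}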
/// <summary>
/// Projects a set of service-side role assignments onto <see cref="PSRoleAssignment"/> objects, resolving every
/// principal with one batched directory lookup and matching role definitions from <paramref name="roleDefinitions"/>.
/// </summary>
/// <param name="assignments">Role assignments to convert; null or empty yields an empty list. Each element's
/// <c>RoleDefinitionId</c> is rewritten in place to its bare GUID form.</param>
/// <param name="roleDefinitions">Role definitions used to resolve names; an unmatched id yields a definition carrying only its Id.</param>
/// <param name="policyClient">Authorization client (unused by this overload).</param>
/// <param name="activeDirectoryClient">Client used for the batched principal lookup.</param>
/// <param name="excludeAssignmentsForDeletedPrincipals">
/// When true, assignments whose principal did not resolve to a user, group or service principal are omitted from
/// the output entirely.
/// </param>
/// <returns>The converted assignments.</returns>
/// <exception cref="InvalidOperationException">The directory lookup was denied (insufficient Graph permission).</exception>
/// <remarks>
/// Security note: an unresolved principal is labelled <c>DeletedObject</c>, but all this method sees is the
/// lookup result — a principal the caller simply cannot read would be labelled (or, with
/// <paramref name="excludeAssignmentsForDeletedPrincipals"/> set, silently dropped) the same way. An access review
/// that must see every live assignment should run with the flag off.
/// </remarks>
private static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, IEnumerable<PSRoleDefinition> roleDefinitions, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals)
{
    var converted = new List<PSRoleAssignment>();
    if (assignments == null || !assignments.Any())
    {
        return converted;
    }

    // One batched lookup for all distinct principals.
    List<string> principalIds = assignments.Select(r => r.PrincipalId.ToString()).Distinct().ToList();

    List<PSADObject> directoryObjects;
    try
    {
        directoryObjects = activeDirectoryClient.GetObjectsByObjectId(principalIds);
    }
    catch (CloudException ce) when (IsAuthorizationDeniedException(ce))
    {
        throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission);
    }

    foreach (RoleAssignment assignment in assignments)
    {
        // Normalise to the bare role definition GUID before matching against the definitions list.
        assignment.RoleDefinitionId = assignment.RoleDefinitionId.GuidFromFullyQualifiedId();

        PSADObject principal = directoryObjects.SingleOrDefault(o => o.Id == assignment.PrincipalId)
            ?? new PSADObject() { Id = assignment.PrincipalId };
        PSRoleDefinition definition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.RoleDefinitionId)
            ?? new PSRoleDefinition() { Id = assignment.RoleDefinitionId };
        bool canDelegate = assignment.CanDelegate ?? false;

        bool resolved = principal is PSADUser || principal is PSADGroup || principal is PSADServicePrincipal;
        if (!resolved && excludeAssignmentsForDeletedPrincipals)
        {
            // Principal absent from the lookup result: drop the assignment when asked to (see remarks).
            continue;
        }

        var psAssignment = new PSRoleAssignment()
        {
            RoleAssignmentId = assignment.Id,
            DisplayName = principal.DisplayName,
            RoleDefinitionId = definition.Id,
            RoleDefinitionName = definition.Name,
            Scope = assignment.Scope,
            ObjectId = principal.Id,
            ObjectType = resolved ? principal.Type : DeletedObject,
            CanDelegate = canDelegate
        };

        // Only users carry a sign-in name.
        if (principal is PSADUser user)
        {
            psAssignment.SignInName = user.UserPrincipalName;
        }

        converted.Add(psAssignment);
    }

    return converted;
}
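/// <summary>
/// Projects a set of service-side role assignments onto <see cref="PSRoleAssignment"/> objects, resolving every
/// principal with one batched directory lookup and every role definition name from the full definition list.
/// </summary>
/// <param name="assignments">Role assignments to convert; null or empty yields an empty list.</param>
/// <param name="policyClient">Client used to list all role definitions for name resolution.</param>
/// <param name="activeDirectoryClient">Client used for the batched principal lookup.</param>
/// <param name="excludeAssignmentsForDeletedPrincipals">
/// When true (the default), assignments whose principal did not resolve to a user, group or service principal are
/// omitted from the output entirely.
/// </param>
/// <returns>The converted assignments.</returns>
/// <remarks>
/// Principal ids are de-duplicated before the lookup: a principal that holds several assignments would otherwise
/// be requested more than once, and a duplicated lookup result makes the <c>SingleOrDefault</c> match throw.
/// Security note: an unresolved principal is indistinguishable here from one the caller merely cannot read; with
/// the default flag value such assignments disappear from the listing, so an access review that must see every
/// live assignment should pass <c>false</c>.
/// </remarks>
public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
{
    var converted = new List<PSRoleAssignment>();
    if (assignments == null || !assignments.Any())
    {
        return converted;
    }

    List<string> principalIds = assignments.Select(r => r.Properties.PrincipalId.ToString()).Distinct().ToList();
    List<PSADObject> directoryObjects = activeDirectoryClient.GetObjectsByObjectId(principalIds);
    List<PSRoleDefinition> roleDefinitions = policyClient.FilterRoleDefinitions(name: null);

    foreach (RoleAssignment assignment in assignments)
    {
        PSADObject principal = directoryObjects.SingleOrDefault(o => o.Id == assignment.Properties.PrincipalId)
            ?? new PSADObject() { Id = assignment.Properties.PrincipalId };
        PSRoleDefinition definition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.Properties.RoleDefinitionId)
            ?? new PSRoleDefinition() { Id = assignment.Properties.RoleDefinitionId };

        bool resolved = principal is PSADUser || principal is PSADGroup || principal is PSADServicePrincipal;
        if (!resolved && excludeAssignmentsForDeletedPrincipals)
        {
            // Principal absent from the lookup result: drop the assignment when asked to (see remarks).
            continue;
        }

        var psAssignment = new PSRoleAssignment()
        {
            RoleAssignmentId = assignment.Id,
            DisplayName = principal.DisplayName,
            RoleDefinitionId = definition.Id.GuidFromFullyQualifiedId(),
            RoleDefinitionName = definition.Name,
            Scope = assignment.Properties.Scope,
            ObjectId = principal.Id
        };

        // Unresolved principals are emitted without an ObjectType; only users carry a sign-in name.
        if (resolved)
        {
            psAssignment.ObjectType = principal.Type;
        }
        if (principal is PSADUser user)
        {
            psAssignment.SignInName = user.SignInName;
        }

        converted.Add(psAssignment);
    }

    return converted;
}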
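/// <summary>
/// Filters role assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <param name="currentSubscription">The current subscription</param>
/// <param name="first">Accepted for interface compatibility; not applied inside this method.</param>
/// <param name="skip">Accepted for interface compatibility; not applied inside this method.</param>
/// <returns>The filtered role assignments</returns>
/// <exception cref="KeyNotFoundException">The principal described by <c>options.ADObjectFilter</c> does not exist.</exception>
/// <exception cref="InvalidOperationException">
/// Group expansion or classic-administrator inclusion was requested for a principal that is not a user.
/// </exception>
/// <remarks>
/// With both a principal filter and a scope, the listing for that scope is reduced to assignments at the scope or
/// at one of its ancestors. That reduction is path-segment aware, so a sibling scope whose name is merely a string
/// prefix of the requested one (<c>.../resourceGroups/rg</c> versus <c>.../resourceGroups/rg1</c>) is not reported
/// as applying to it. Assignments whose role definition could not be resolved have a null name and therefore never
/// match a <c>RoleDefinitionName</c> filter (previously they caused a NullReferenceException).
/// </remarks>
public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription, ulong first = ulong.MaxValue, ulong skip = 0)
{
    List<PSRoleAssignment> result = new List<PSRoleAssignment>();
    string principalId = null;
    PSADObject adObject = null;
    Rest.Azure.OData.ODataQuery<RoleAssignmentFilter> odataQuery = null;

    // Role definition filter, fully qualified against the current subscription; identical for every branch below.
    string roleDefinitionIdFilter = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId);

    if (options.ADObjectFilter.HasFilter)
    {
        // The directory object is needed when no object id was supplied, or when its type matters
        // (group expansion, classic administrators).
        if (string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups || options.IncludeClassicAdministrators)
        {
            adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
            if (adObject == null)
            {
                throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
            }
        }

        // Filter first by principal
        if (options.ExpandPrincipalGroups)
        {
            if (!(adObject is PSADUser))
            {
                throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
            }
            principalId = adObject.Id.ToString();
            odataQuery = new Rest.Azure.OData.ODataQuery<RoleAssignmentFilter>(f => f.AssignedTo(principalId));
        }
        else
        {
            principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id.ToString() : options.ADObjectFilter.Id;
            odataQuery = new Rest.Azure.OData.ODataQuery<RoleAssignmentFilter>(f => f.PrincipalId == principalId);
        }

        if (!string.IsNullOrEmpty(options.Scope))
        {
            var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, odataQuery);
            result.AddRange(tempResult
                .FilterRoleAssignmentsOnRoleId(roleDefinitionIdFilter)
                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));

            // Filter out by scope: keep the requested scope and its ancestors only. The match is segment-aware
            // (the ancestor must be followed by '/') so "rg" is not mistaken for an ancestor of "rg1".
            result.RemoveAll(r =>
                r.Scope == null
                || !(options.Scope.Equals(r.Scope, StringComparison.OrdinalIgnoreCase)
                     || options.Scope.StartsWith(r.Scope.TrimEnd('/') + "/", StringComparison.OrdinalIgnoreCase)));
        }
        else
        {
            var tempResult = AuthorizationManagementClient.RoleAssignments.List(odataQuery);
            result.AddRange(tempResult
                .FilterRoleAssignmentsOnRoleId(roleDefinitionIdFilter)
                .ToPSRoleAssignments(this, ActiveDirectoryClient, AuthorizationHelper.GetSubscriptionScope(currentSubscription), options.ExcludeAssignmentsForDeletedPrincipals));
        }
    }
    else if (!string.IsNullOrEmpty(options.Scope))
    {
        // Filter by scope and above directly
        var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, odataQuery);
        result.AddRange(tempResult
            .FilterRoleAssignmentsOnRoleId(roleDefinitionIdFilter)
            .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
    }
    else
    {
        var tempResult = AuthorizationManagementClient.RoleAssignments.List(odataQuery);
        result.AddRange(tempResult
            .FilterRoleAssignmentsOnRoleId(roleDefinitionIdFilter)
            .ToPSRoleAssignments(this, ActiveDirectoryClient, AuthorizationHelper.GetSubscriptionScope(currentSubscription), options.ExcludeAssignmentsForDeletedPrincipals));
    }

    if (!string.IsNullOrEmpty(options.RoleDefinitionName))
    {
        // Null-safe: a role definition the caller could not read has no name and is simply not matched.
        result = result
            .Where(r => r.RoleDefinitionName != null && r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase))
            .ToList();
    }

    if (options.IncludeClassicAdministrators)
    {
        // Classic administrators belong to the subscription that owns the scope, which may differ from the current one.
        var classicAdministratorsSubscription = currentSubscription;
        if (options.Scope != null)
        {
            classicAdministratorsSubscription = AuthorizationHelper.GetResourceSubscription(options.Scope) ?? currentSubscription;
        }

        List<ClassicAdministrator> classicAdministrators;
        if (currentSubscription != classicAdministratorsSubscription)
        {
            var client = AzureSession.Instance.ClientFactory.CreateArmClient<AuthorizationManagementClient>(AzureRmProfileProvider.Instance.Profile.DefaultContext, AzureEnvironment.Endpoint.ResourceManager);
            client.SubscriptionId = classicAdministratorsSubscription;
            classicAdministrators = client.ClassicAdministrators.List().ToList();
        }
        else
        {
            classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ToList();
        }

        List<PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators
            .Select(a => a.ToPSRoleAssignment(classicAdministratorsSubscription))
            .ToList();

        // Filter by principal if provided
        if (options.ADObjectFilter.HasFilter)
        {
            if (!(adObject is PSADUser))
            {
                throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
            }
            var userObject = (PSADUser)adObject;
            // Classic administrators are matched purely by comparing their DisplayName with the user's UPN; a user
            // whose UPN differs from the address stored on the classic entry would not be matched — TODO confirm.
            classicAdministratorsAssignments = classicAdministratorsAssignments
                .Where(c => c.DisplayName != null && c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase))
                .ToList();
        }

        result.AddRange(classicAdministratorsAssignments);
    }

    return result;
}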
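/// <summary>
/// Filters role assignments based on the passed options, following the service's page links so the whole
/// listing is returned.
/// </summary>
/// <param name="options">The filtering options</param>
/// <param name="currentSubscription">The current subscription</param>
/// <returns>The filtered role assignments</returns>
/// <exception cref="KeyNotFoundException">The principal described by <c>options.ADObjectFilter</c> does not exist.</exception>
/// <exception cref="InvalidOperationException">
/// Group expansion or classic-administrator inclusion was requested for a principal that is not a user.
/// </exception>
/// <remarks>
/// With a principal filter the listing is subscription-wide and then reduced to the requested scope and its
/// ancestors. That reduction is path-segment aware, so a sibling scope whose name is merely a string prefix of the
/// requested one (<c>.../resourceGroups/rg</c> versus <c>.../resourceGroups/rg1</c>) is no longer reported as
/// applying to it. Assignments whose role definition could not be resolved have a null name and never match a
/// <c>RoleDefinitionName</c> filter. A null <c>ADObjectFilter.Id</c> is handled (it used to throw).
/// </remarks>
public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
{
    List<PSRoleAssignment> result = new List<PSRoleAssignment>();
    string assignedToPrincipalId = null;
    string principalId = null;
    PSADObject adObject = null;

    // Identical for every page of every listing below.
    string roleDefinitionIdFilter = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId);

    if (options.ADObjectFilter.HasFilter)
    {
        adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
        if (adObject == null)
        {
            throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
        }

        // Filter first by principal
        if (options.ExpandPrincipalGroups)
        {
            if (!(adObject is PSADUser))
            {
                throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
            }
            assignedToPrincipalId = adObject.Id.ToString();
        }
        else
        {
            // ADObjectFilter.Id is already a string; calling ToString() on it threw when it was null.
            principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id.ToString() : options.ADObjectFilter.Id;
        }

        var tempResult = AuthorizationManagementClient.RoleAssignments.List(
            new Rest.Azure.OData.ODataQuery<RoleAssignmentFilter>(f => f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));
        result.AddRange(tempResult
            .FilterRoleAssignmentsOnRoleId(roleDefinitionIdFilter)
            .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
        while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
        {
            tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextPageLink);
            result.AddRange(tempResult
                .FilterRoleAssignmentsOnRoleId(roleDefinitionIdFilter)
                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
        }

        // Filter out by scope: keep the requested scope and its ancestors only. The match is segment-aware
        // (the ancestor must be followed by '/') so "rg" is not mistaken for an ancestor of "rg1".
        if (!string.IsNullOrEmpty(options.Scope))
        {
            result.RemoveAll(r =>
                r.Scope == null
                || !(options.Scope.Equals(r.Scope, StringComparison.OrdinalIgnoreCase)
                     || options.Scope.StartsWith(r.Scope.TrimEnd('/') + "/", StringComparison.OrdinalIgnoreCase)));
        }
    }
    else if (!string.IsNullOrEmpty(options.Scope))
    {
        // Filter by scope and above directly
        var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(
            options.Scope,
            new Rest.Azure.OData.ODataQuery<RoleAssignmentFilter>(f => f.AtScope() && f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));
        result.AddRange(tempResult
            .FilterRoleAssignmentsOnRoleId(roleDefinitionIdFilter)
            .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
        while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
        {
            tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextPageLink);
            result.AddRange(tempResult
                .FilterRoleAssignmentsOnRoleId(roleDefinitionIdFilter)
                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
        }
    }
    else
    {
        var tempResult = AuthorizationManagementClient.RoleAssignments.List(
            new Rest.Azure.OData.ODataQuery<RoleAssignmentFilter>(f => f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));
        result.AddRange(tempResult
            .FilterRoleAssignmentsOnRoleId(roleDefinitionIdFilter)
            .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
        while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
        {
            tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextPageLink);
            result.AddRange(tempResult
                .FilterRoleAssignmentsOnRoleId(roleDefinitionIdFilter)
                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
        }
    }

    if (!string.IsNullOrEmpty(options.RoleDefinitionName))
    {
        // Null-safe: a role definition the caller could not read has no name and is simply not matched.
        result = result
            .Where(r => r.RoleDefinitionName != null && r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase))
            .ToList();
    }

    if (options.IncludeClassicAdministrators)
    {
        // Get classic administrator access assignments
        List<ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators
            .List(AuthorizationManagementClient.ApiVersion)
            .ToList();
        List<PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators
            .Select(a => a.ToPSRoleAssignment(currentSubscription))
            .ToList();

        // Filter by principal if provided
        if (options.ADObjectFilter.HasFilter)
        {
            if (!(adObject is PSADUser))
            {
                throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
            }
            var userObject = (PSADUser)adObject;
            // Classic administrators are matched purely by comparing their DisplayName with the user's UPN; a user
            // whose UPN differs from the address stored on the classic entry would not be matched — TODO confirm.
            classicAdministratorsAssignments = classicAdministratorsAssignments
                .Where(c => c.DisplayName != null && c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase))
                .ToList();
        }

        result.AddRange(classicAdministratorsAssignments);
    }

    return result;
}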
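/// <summary>
/// Filters role assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <param name="currentSubscription">The current subscription</param>
/// <returns>The filtered role assignments</returns>
/// <exception cref="KeyNotFoundException">The principal described by <c>options.ADObjectFilter</c> does not exist.</exception>
/// <exception cref="InvalidOperationException">
/// Group expansion or classic-administrator inclusion was requested for a principal that is not a user.
/// </exception>
/// <exception cref="FormatException"><c>options.ADObjectFilter.Id</c> was supplied but is not a GUID.</exception>
/// <remarks>
/// Scope strings are resource ids, so they are compared ordinally rather than with culture-sensitive rules. With a
/// principal filter the subscription-wide listing is reduced to the requested scope and its ancestors using a
/// path-segment-aware match, so a sibling scope whose name is merely a string prefix of the requested one
/// (<c>.../resourceGroups/rg</c> versus <c>.../resourceGroups/rg1</c>) is no longer reported as applying to it.
/// Assignments whose role definition could not be resolved have a null name and never match a
/// <c>RoleDefinitionName</c> filter.
/// </remarks>
#if !NETSTANDARD
public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
{
    List<PSRoleAssignment> result = new List<PSRoleAssignment>();
    List<RoleAssignment> roleAssignments = new List<RoleAssignment>();
    ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();
    PSADObject adObject = null;

    if (options.ADObjectFilter.HasFilter)
    {
        // The directory object is needed when no object id was supplied, or when its type matters
        // (group expansion, classic administrators).
        if (string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups || options.IncludeClassicAdministrators)
        {
            adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
            if (adObject == null)
            {
                throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
            }
        }

        // Filter first by principal
        if (options.ExpandPrincipalGroups)
        {
            if (!(adObject is PSADUser))
            {
                throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
            }
            parameters.AssignedToPrincipalId = adObject.Id;
        }
        else
        {
            parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id : Guid.Parse(options.ADObjectFilter.Id);
        }

        var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
        roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
        while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
        {
            tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
            roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
        }

        // Filter out by scope: keep the requested scope and its ancestors only. The match is segment-aware
        // (the ancestor must be followed by '/') so "rg" is not mistaken for an ancestor of "rg1".
        if (!string.IsNullOrWhiteSpace(options.Scope))
        {
            roleAssignments.RemoveAll(r =>
                r.Properties.Scope == null
                || !(options.Scope.Equals(r.Properties.Scope, StringComparison.OrdinalIgnoreCase)
                     || options.Scope.StartsWith(r.Properties.Scope.TrimEnd('/') + "/", StringComparison.OrdinalIgnoreCase)));
        }
    }
    else if (!string.IsNullOrEmpty(options.Scope))
    {
        // Filter by scope and above directly
        parameters.AtScope = true;
        var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters);
        roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
        while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
        {
            tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextLink);
            roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
        }
    }
    else
    {
        var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
        roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
        while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
        {
            tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
            roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
        }
    }

    // Role definitions are resolved at the stated scope; with no scope, at the subscription scope.
    string scopeForRoleDefinitions = string.IsNullOrEmpty(options.Scope)
        ? AuthorizationHelper.GetSubscriptionScope(currentSubscription)
        : options.Scope;
    result.AddRange(roleAssignments
        .FilterRoleAssignmentsOnRoleId(options.RoleDefinitionId)
        .ToPSRoleAssignments(this, ActiveDirectoryClient, scopeForRoleDefinitions, options.ExcludeAssignmentsForDeletedPrincipals));

    if (!string.IsNullOrEmpty(options.RoleDefinitionName))
    {
        // Null-safe: a role definition the caller could not read has no name and is simply not matched.
        result = result
            .Where(r => r.RoleDefinitionName != null && r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase))
            .ToList();
    }

    if (options.IncludeClassicAdministrators)
    {
        // Get classic administrator access assignments
        List<ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ClassicAdministrators.ToList();
        List<PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators
            .Select(a => a.ToPSRoleAssignment(currentSubscription))
            .ToList();

        // Filter by principal if provided
        if (options.ADObjectFilter.HasFilter)
        {
            if (!(adObject is PSADUser))
            {
                throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
            }
            var userObject = (PSADUser)adObject;
            // Classic administrators are matched purely by comparing their DisplayName with the user's UPN; a user
            // whose UPN differs from the address stored on the classic entry would not be matched — TODO confirm.
            classicAdministratorsAssignments = classicAdministratorsAssignments
                .Where(c => c.DisplayName != null && c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase))
                .ToList();
        }

        result.AddRange(classicAdministratorsAssignments);
    }

    return result;
}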
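/// <summary>
/// Projects a service-side <see cref="RoleAssignment"/> onto the PowerShell model matching its principal kind:
/// user, group, service principal, or the plain base model when the principal is none of those.
/// </summary>
/// <param name="role">The role assignment returned by the Authorization API.</param>
/// <param name="policyClient">Resolves the role definition (name, Actions, NotActions).</param>
/// <param name="activeDirectoryClient">Resolves the assigned principal.</param>
/// <returns>A <see cref="PSRoleAssignment"/> (or one of its user/group/service-principal subclasses).</returns>
/// <remarks>
/// A role definition that cannot be resolved is replaced by a placeholder carrying only its Id, so Name, Actions
/// and NotActions come back null instead of a NullReferenceException. An unresolved principal becomes a bare
/// <see cref="PSADObject"/> with only the id set and is returned as the base model with a null DisplayName; a
/// deleted principal and one the caller merely cannot read look identical here.
/// </remarks>
public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment role, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient)
{
    PSRoleDefinition roleDefinition = policyClient.GetRoleDefinition(role.Properties.RoleDefinitionId)
        ?? new PSRoleDefinition() { Id = role.Properties.RoleDefinitionId };
    PSADObject adObject = activeDirectoryClient.GetADObject(new ADObjectFilterOptions { Id = role.Properties.PrincipalId.ToString() })
        ?? new PSADObject() { Id = role.Properties.PrincipalId };

    switch (adObject)
    {
        case PSADUser user:
            return new PSUserRoleAssignment()
            {
                RoleAssignmentId = role.Id,
                DisplayName = user.DisplayName,
                Actions = roleDefinition.Actions,
                NotActions = roleDefinition.NotActions,
                RoleDefinitionName = roleDefinition.Name,
                Scope = role.Properties.Scope,
                UserPrincipalName = user.UserPrincipalName,
                Mail = user.Mail,
                ObjectId = user.Id
            };

        case PSADGroup group:
            return new PSGroupRoleAssignment()
            {
                RoleAssignmentId = role.Id,
                DisplayName = group.DisplayName,
                Actions = roleDefinition.Actions,
                NotActions = roleDefinition.NotActions,
                RoleDefinitionName = roleDefinition.Name,
                Scope = role.Properties.Scope,
                Mail = group.Mail,
                ObjectId = group.Id
            };

        case PSADServicePrincipal servicePrincipal:
            return new PSServiceRoleAssignment()
            {
                RoleAssignmentId = role.Id,
                DisplayName = servicePrincipal.DisplayName,
                Actions = roleDefinition.Actions,
                NotActions = roleDefinition.NotActions,
                RoleDefinitionName = roleDefinition.Name,
                Scope = role.Properties.Scope,
                ServicePrincipalName = servicePrincipal.ServicePrincipalName,
                ObjectId = servicePrincipal.Id
            };

        default:
            // Unknown or unresolved principal kind: base model only.
            return new PSRoleAssignment()
            {
                RoleAssignmentId = role.Id,
                DisplayName = adObject.DisplayName,
                Actions = roleDefinition.Actions,
                NotActions = roleDefinition.NotActions,
                RoleDefinitionName = roleDefinition.Name,
                Scope = role.Properties.Scope,
                ObjectId = adObject.Id
            };
    }
}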
/// <summary>
/// Filters deny assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <param name="currentSubscription">The current subscription</param>
/// <returns>The filtered deny assignments</returns>
/// <exception cref="KeyNotFoundException">The principal described by <c>options.ADObjectFilter</c> does not exist.</exception>
/// <exception cref="InvalidOperationException">
/// Group expansion was requested for a principal that is not a user, or the directory lookup needed for expansion
/// was denied (insufficient Graph permission).
/// </exception>
public List<PSDenyAssignment> FilterDenyAssignments(FilterDenyAssignmentsOptions options, string currentSubscription)
{
    // Get a specified deny assignment by DenyAssignmentId
    bool hasDenyAssignmentId = !string.IsNullOrEmpty(options.DenyAssignmentId)
        && options.DenyAssignmentId.GetGuidFromId() != Guid.Empty;
    if (hasDenyAssignmentId)
    {
        string scope;
        if (!string.IsNullOrEmpty(options.Scope))
        {
            scope = options.Scope;
        }
        else
        {
            // Fall back to the scope embedded in a fully qualified id, then to the subscription scope.
            scope = AuthorizationHelper.GetScopeFromFullyQualifiedId(options.DenyAssignmentId)
                ?? AuthorizationHelper.GetSubscriptionScope(currentSubscription);
        }

        var denyAssignment = AuthorizationManagementClient.DenyAssignments
            .Get(scope, options.DenyAssignmentId.GuidFromFullyQualifiedId())
            .ToPSDenyAssignment(ActiveDirectoryClient);
        return new List<PSDenyAssignment> { denyAssignment };
    }

    // Filter deny assignments by the remaining criteria
    ODataQuery<DenyAssignmentFilter> odataQuery = null;

    if (!string.IsNullOrEmpty(options.DenyAssignmentName))
    {
        odataQuery = new ODataQuery<DenyAssignmentFilter>(item => item.DenyAssignmentName == options.DenyAssignmentName);
    }
    else if (options.ADObjectFilter.HasFilter)
    {
        PSADObject adObject = null;
        bool idSupplied = !string.IsNullOrEmpty(options.ADObjectFilter.Id);

        if (!idSupplied)
        {
            adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
            if (adObject == null)
            {
                throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
            }
        }

        string principalId;
        if (options.ExpandPrincipalGroups)
        {
            // Expansion needs the object's type, so an id-only filter is resolved now; a denied directory lookup
            // is surfaced as a permission problem rather than swallowed.
            if (adObject == null)
            {
                try
                {
                    adObject = ActiveDirectoryClient.GetObjectByObjectId(options.ADObjectFilter.Id);
                }
                catch (Common.MSGraph.Version1_0.DirectoryObjects.Models.OdataErrorException oe) when (OdataHelper.IsAuthorizationDeniedException(oe))
                {
                    throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission);
                }
            }

            if (!(adObject is PSADUser))
            {
                throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
            }
            principalId = adObject.Id.ToString();
            odataQuery = new ODataQuery<DenyAssignmentFilter>(f => f.AssignedTo(principalId));
        }
        else
        {
            principalId = idSupplied ? options.ADObjectFilter.Id : adObject.Id.ToString();
            odataQuery = new ODataQuery<DenyAssignmentFilter>(f => f.PrincipalId == principalId);
        }
    }

    return this.FilterDenyAssignmentsByScope(options, odataQuery, currentSubscription);
}