/// <summary>
/// Updates a role assignment.
/// </summary>
/// <param name="roleAssignment">The role assignment to update.</param>
/// <returns>The updated role assignment.</returns>
public PSRoleAssignment UpdateRoleAssignment(PSRoleAssignment roleAssignment)
{
string principalId = roleAssignment.ObjectId;
var roleAssignmentGuidIndex = roleAssignment.RoleAssignmentId.LastIndexOf("/");
var roleAssignmentId = roleAssignmentGuidIndex != -1 ? roleAssignment.RoleAssignmentId.Substring(roleAssignmentGuidIndex + 1) : roleAssignment.RoleAssignmentId;
string scope = roleAssignment.Scope;
string roleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, roleAssignment.RoleDefinitionId);
var Description = string.IsNullOrWhiteSpace(roleAssignment.Description) ? null : roleAssignment.Description;
var Condition = string.IsNullOrWhiteSpace(roleAssignment.Condition) ? null : roleAssignment.Condition;
var ConditionVersion = string.IsNullOrWhiteSpace(roleAssignment.ConditionVersion) ? null : roleAssignment.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId,
PrincipalType = roleAssignment.ObjectType,
CanDelegate = roleAssignment.CanDelegate,
Description = Description,
Condition = Condition,
ConditionVersion = ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
scope, roleAssignmentId, createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
/// <summary>
/// Assign built-in "Storage Blob Data Contributor" role for the whole subscription.
/// </summary>
/// <param name="servicePrincipal"></param>
/// <param name="cancellationToken"></param>
/// <returns></returns>
public async Task <RoleAssignmentInner> AssignStorageBlobDataContributorRoleForSubscriptionAsync(
ServicePrincipal servicePrincipal,
CancellationToken cancellationToken = default
)
{
if (servicePrincipal is null)
{
throw new ArgumentNullException(nameof(servicePrincipal));
}
var storageBlobDataContributorRoleDefinitionId = GetRoleDefinitionId(
STORAGE_BLOB_DATA_CONTRIBUTOR_ROLE_ID
);
var roleAssignmentDefinition = new RoleAssignmentCreateParameters {
PrincipalId = servicePrincipal.Id,
RoleDefinitionId = storageBlobDataContributorRoleDefinitionId
};
var scope = $"/subscriptions/{_subscriptionId}/";
return(await CreateRoleAssignmentWithRetryAsync(
servicePrincipal,
scope,
roleAssignmentDefinition,
"StorageBlobDataContributor",
cancellationToken
));
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string scope = parameters.Scope;
ValidateScope(scope);
string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId);
#if !NETSTANDARD
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
Properties = new RoleAssignmentProperties
{
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
}
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters).RoleAssignment;
#else
var createParameters = new RoleAssignmentProperties
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
parameters.Scope,
roleAssignmentId.ToString(), createParameters);
#endif
return(assignment.ToPSRoleAssignment(this, ActiveDirectoryClient));
}
/// <summary>
/// Create role assignment, retry for 240 seconds if Service Principal does not exist yet.
/// </summary>
/// <param name="servicePrincipal"></param>
/// <param name="scope"></param>
/// <param name="roleAssignmentDefinition"></param>
/// <param name="roleDescription"></param>
/// <param name="cancellationToken"></param>
/// <returns></returns>
protected async Task <RoleAssignmentInner> CreateRoleAssignmentWithRetryAsync(
ServicePrincipal servicePrincipal,
string scope,
RoleAssignmentCreateParameters roleAssignmentDefinition,
string roleDescription,
CancellationToken cancellationToken = default
)
{
const int retrySeconds = 240;
const int waitSeconds = 5;
Log.Debug($"Assigning {roleDescription} role to Service Principal: {servicePrincipal.DisplayName} ...");
var spIdFormatted = new Guid(servicePrincipal.Id).ToString("N");
var spDoesNotExistMessage = $"principal {spIdFormatted} does not exist";
var stopwatch = new Stopwatch();
stopwatch.Start();
// It can take some time for new service principal to
// propagate throughout Azure AD. So we will retry in
// a loop for retrySeconds.
do
{
try {
var roleAssignmentResult = await _authorizationManagementClient
.RoleAssignments
.CreateAsync(
scope,
Guid.NewGuid().ToString(),
roleAssignmentDefinition,
cancellationToken
);
Log.Debug($"Assigned {roleDescription} role to Service Principal: {servicePrincipal.DisplayName}");
return(roleAssignmentResult);
}
catch (Rest.Azure.CloudException ex) {
if (ex.Message.ToLower().Contains(spDoesNotExistMessage))
{
Log.Debug($"ServicePrincipal creation has not propagated correctly. " +
$"Waiting for {waitSeconds} seconds before retry.");
await Task.Delay(waitSeconds * 1000, cancellationToken);
}
else
{
throw;
}
}
} while (stopwatch.Elapsed < TimeSpan.FromSeconds(retrySeconds));
// We exited do/while loop without successfully creating role assignment.
var errorMessage = $"Failed to assign {roleDescription} role within {retrySeconds} " +
$"seconds to Service Principal: {servicePrincipal.DisplayName}";
throw new Exception(errorMessage);
}
public async void RoleAssignmentTest()
{
Env.Load("../../../../../.env");
var azurePrincipalId = Environment.GetEnvironmentVariable("AZURE_PRINCIPAL_ID");
// Needs to be in Owner role in Azure Subscription, az role assignment create --assignee AZURE_CLIENT_ID --role 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
// You can get the principalId from the AZURE_CLIENT_ID with this command, az ad sp show --id AZURE_CLIENT_ID --query objectId
var azureSubId = Environment.GetEnvironmentVariable("AZURE_SUBSCRIPTION_ID");
var azureRoleDefinitionId = "673868aa-7521-48a0-acc6-0f60742d39f5"; // Data Factory Contributor
var roleAssignmentName = Guid.NewGuid().ToString();
var roleAssignmentScope = $"/subscriptions/{azureSubId}/";
var client = new AuthorizationManagementClient(new DefaultAzureMgmtCredential());
client.SubscriptionId = azureSubId;
var roleDefinitionId = $"/subscriptions/{client.SubscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{azureRoleDefinitionId}";
var roleAssignmentParameters = new RoleAssignmentCreateParameters(roleDefinitionId, azurePrincipalId);
var roleAssignment = await client.RoleAssignments.CreateAsync(roleAssignmentScope, roleAssignmentName, roleAssignmentParameters);
Assert.Equal(roleAssignment.RoleDefinitionId, roleDefinitionId);
var roleAssignmentDelete = await client.RoleAssignments.DeleteAsync(roleAssignmentScope, roleAssignmentName);
Exception ex = await Assert.ThrowsAsync <Microsoft.Rest.Azure.CloudException>(async() => await client.RoleAssignments.GetAsync(roleAssignmentScope, roleAssignmentName));
Assert.EndsWith("is not found.", ex.Message);
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, string subscriptionId)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, GetRoleRoleDefinition(parameters.RoleDefinitionName).Id)
: AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, parameters.RoleDefinitionId);
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
Properties = new RoleAssignmentProperties
{
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
}
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters).RoleAssignment;
IEnumerable <RoleAssignment> assignments = new List <RoleAssignment>()
{
assignment
};
return(assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault());
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
{
string principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
string scope = parameters.Scope;
string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);
parameters.Description = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
parameters.Condition = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId,
CanDelegate = parameters.CanDelegate,
Description = parameters.Description,
Condition = parameters.Condition,
ConditionVersion = parameters.ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
parameters.Scope, roleAssignmentId.ToString(), createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
public void RoleAssignmentByIdTests()
{
using (UndoContext context = UndoContext.Current)
{
context.Start();
var client = testContext.GetAuthorizationManagementClient();
Assert.NotNull(client);
Assert.NotNull(client.HttpClient);
var principalId = testContext.Users.ElementAt(4);
var roleDefinition = client.RoleDefinitions.List().RoleDefinitions.ElementAt(1);
var newRoleAssignment = new RoleAssignmentCreateParameters()
{
Properties = new RoleAssignmentProperties()
{
RoleDefinitionId = roleDefinition.Id,
PrincipalId = principalId
}
};
var scope = "subscriptions/" + client.Credentials.SubscriptionId;
var assignmentName = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "AssignmentName");
var assignmentId = string.Format(
"{0}/providers/Microsoft.Authorization/roleAssignments/{1}",
scope,
assignmentName);
// Create
var createResult = client.RoleAssignments.CreateById(assignmentId, newRoleAssignment);
Assert.NotNull(createResult);
Assert.Equal(HttpStatusCode.Created, createResult.StatusCode);
Assert.NotNull(createResult.RoleAssignment);
Assert.NotNull(createResult.RoleAssignment.Id);
Assert.NotNull(createResult.RoleAssignment.Name);
Assert.Equal(createResult.RoleAssignment.Name, assignmentName);
// Get
var getResult = client.RoleAssignments.GetById(assignmentId);
Assert.NotNull(getResult);
Assert.Equal(HttpStatusCode.OK, getResult.StatusCode);
Assert.NotNull(getResult.RoleAssignment);
Assert.Equal(createResult.RoleAssignment.Id, getResult.RoleAssignment.Id);
Assert.Equal(createResult.RoleAssignment.Name, getResult.RoleAssignment.Name);
//Delete
var deleteResult = client.RoleAssignments.DeleteById(assignmentId);
Assert.NotNull(deleteResult);
Assert.Equal(HttpStatusCode.OK, deleteResult.StatusCode);
var allRoleAssignments = client.RoleAssignments.List(null);
var createdAssignment = allRoleAssignments.RoleAssignments.FirstOrDefault(
a => a.Name == assignmentName);
Assert.Null(createdAssignment);
}
}
public async Task <RoleAssignmentInner> AssignNetworkContributorRoleForResourceAsync(
ServicePrincipal servicePrincipal,
string resourceId,
CancellationToken cancellationToken = default
)
{
var networkContributorRoleDefinitionId = GetRoleDefinitionId(
NETWORK_CONTRIBUTOR_ROLE_ID
);
var roleAssignmentDefinition = new RoleAssignmentCreateParameters {
PrincipalId = servicePrincipal.Id,
RoleDefinitionId = networkContributorRoleDefinitionId
};
var scope = resourceId;
return(await CreateRoleAssignmentWithRetryAsync(
servicePrincipal,
scope,
roleAssignmentDefinition,
"NetworkContributor",
cancellationToken
));
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
string principalIdStr = null;
if (principalId == Guid.Empty)
{
principalIdStr = ActiveDirectoryClient.GetAdfsObjectId(parameters.ADObjectFilter);
}
else
{
principalIdStr = principalId.ToString();
}
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string scope = parameters.Scope;
string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId);
var createProperties = new RoleAssignmentProperties
{
PrincipalId = principalIdStr,
RoleDefinitionId = roleDefinitionId
};
var createParameters = new RoleAssignmentCreateParameters(createProperties);
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
parameters.Scope, roleAssignmentId.ToString(), createParameters);
return(assignment.ToPSRoleAssignment(this, ActiveDirectoryClient));
}
/// <summary>
/// Assign built-in "Network Contributor" role for specified resource.
/// </summary>
/// <param name="servicePrincipal"></param>
/// <param name="resourceId"></param>
/// <param name="cancellationToken"></param>
/// <returns></returns>
public async Task <RoleAssignmentInner> AssignNetworkContributorRoleForResourceAsync(
ServicePrincipal servicePrincipal,
string resourceId,
CancellationToken cancellationToken = default
)
{
if (servicePrincipal is null)
{
throw new ArgumentNullException(nameof(servicePrincipal));
}
if (string.IsNullOrEmpty(resourceId))
{
throw new ArgumentNullException(nameof(resourceId));
}
var networkContributorRoleDefinitionId = GetRoleDefinitionId(
NETWORK_CONTRIBUTOR_ROLE_ID
);
var roleAssignmentDefinition = new RoleAssignmentCreateParameters {
PrincipalId = servicePrincipal.Id,
RoleDefinitionId = networkContributorRoleDefinitionId
};
var scope = resourceId;
return(await CreateRoleAssignmentWithRetryAsync(
servicePrincipal,
scope,
roleAssignmentDefinition,
"NetworkContributor",
cancellationToken
));
}
public override void Execute()
{
var client = new AzureResourceManagerClient();
var subscription = client.GetSubscriptionOperations(Context.SubscriptionId);
// Create Resource Group
Console.WriteLine($"--------Start create group {Context.RgName}--------");
var resourceGroup = subscription.GetResourceGroupContainer().Construct(Context.Loc).CreateOrUpdate(Context.RgName).Value;
CleanUp.Add(resourceGroup.Id);
Console.WriteLine("--------Start create Assignment--------");
var input = new RoleAssignmentCreateParameters($"/subscriptions/{Context.SubscriptionId}/resourceGroups/{Context.RgName}/providers/Microsoft.Authorization/roleDefinitions/{Context.RoleId}", Context.PrincipalId);
var assign = resourceGroup.GetRoleAssignmentContainer().Create(Guid.NewGuid().ToString(), input).Value;
Console.WriteLine("--------Done create Assignment--------");
assign = assign.Get().Value;
// Create AvailabilitySet
Console.WriteLine("--------Start create AvailabilitySet--------");
var aset = resourceGroup.GetAvailabilitySetContainer().Construct("Aligned").CreateOrUpdate(Context.VmName + "_aSet").Value;
// Create VNet
Console.WriteLine("--------Start create VNet--------");
string vnetName = Context.VmName + "_vnet";
var vnet = resourceGroup.GetVirtualNetworkContainer().Construct("10.0.0.0/16").CreateOrUpdate(vnetName).Value;
//create subnet
Console.WriteLine("--------Start create Subnet--------");
var subnet = vnet.GetSubnetContainer().Construct("10.0.0.0/24").CreateOrUpdate(Context.SubnetName).Value;
//create network security group
Console.WriteLine("--------Start create NetworkSecurityGroup--------");
_ = resourceGroup.GetNetworkSecurityGroupContainer().Construct(80).CreateOrUpdate(Context.NsgName).Value;
// Create Network Interface
Console.WriteLine("--------Start create Network Interface--------");
var nic = resourceGroup.GetNetworkInterfaceContainer().Construct(subnet.Id).CreateOrUpdate($"{Context.VmName}_nic").Value;
// Create VM
Console.WriteLine("--------Start create VM--------");
var vm = resourceGroup.GetVirtualMachineContainer().Construct(Context.Hostname, "admin-user", "!@#$%asdfA", nic.Id, aset.Id).CreateOrUpdate(Context.VmName).Value;
Console.WriteLine("VM ID: " + vm.Id);
Console.WriteLine("--------Done create VM--------");
Console.WriteLine("--------Start create Assignment--------");
var input2 = new RoleAssignmentCreateParameters($"{vm.Id}/providers/Microsoft.Authorization/roleDefinitions/{Context.RoleId}", Context.PrincipalId);
var assign2 = vm.GetRoleAssignmentContainer().Create(Guid.NewGuid().ToString(), input2).Value;
Console.WriteLine("--------Done create Assignment--------");
assign2 = assign2.Get().Value;
Console.WriteLine($"Created assignment: '{assign.Data.Id}'");
}
public void RoleAssignmentsListGetTests()
{
using (UndoContext context = UndoContext.Current)
{
context.Start();
var client = testContext.GetAuthorizationManagementClient();
Assert.NotNull(client);
Assert.NotNull(client.HttpClient);
var assignmentName = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "AssignmentName");
var scope = "subscriptions/" + client.Credentials.SubscriptionId;
var principalId = testContext.Users.ElementAt(5);
Assert.NotNull(client);
Assert.NotNull(client.HttpClient);
var roleDefinition = client.RoleDefinitions.List().RoleDefinitions.Where(r => r.Properties.Type == "BuiltInRole").Last();
var newRoleAssignment = new RoleAssignmentCreateParameters()
{
Properties = new RoleAssignmentProperties()
{
RoleDefinitionId = roleDefinition.Id,
PrincipalId = principalId
}
};
var createResult = client.RoleAssignments.Create(scope, assignmentName, newRoleAssignment);
Assert.NotNull(createResult);
var allRoleAssignments = client.RoleAssignments.List(null);
Assert.NotNull(allRoleAssignments);
Assert.NotNull(allRoleAssignments.RoleAssignments);
foreach (var assignment in allRoleAssignments.RoleAssignments)
{
var singleAssignment = client.RoleAssignments.Get(assignment.Properties.Scope, assignment.Name);
Assert.NotNull(singleAssignment);
Assert.NotNull(singleAssignment.StatusCode);
Assert.NotNull(singleAssignment.RoleAssignment);
Assert.NotNull(singleAssignment.RoleAssignment.Id);
Assert.NotNull(singleAssignment.RoleAssignment.Name);
Assert.NotNull(singleAssignment.RoleAssignment.Type);
Assert.NotNull(singleAssignment.RoleAssignment.Properties);
Assert.NotNull(singleAssignment.RoleAssignment.Properties.PrincipalId);
Assert.NotNull(singleAssignment.RoleAssignment.Properties.RoleDefinitionId);
Assert.NotNull(singleAssignment.RoleAssignment.Properties.Scope);
}
var deleteResult = client.RoleAssignments.Delete(scope, assignmentName);
Assert.NotNull(deleteResult);
}
}
/// <summary>
/// Ensures the role assignment.
/// </summary>
/// <param name="serverPrincipal">The server principal.</param>
/// <param name="storageAccountSubscriptionId">The storage account subscription identifier.</param>
/// <param name="storageAccountResourceId">The storage account resource identifier.</param>
/// <returns>RoleAssignment.</returns>
public RoleAssignment EnsureRoleAssignment(MicrosoftGraphServicePrincipal serverPrincipal, string storageAccountSubscriptionId, string storageAccountResourceId)
{
string currentSubscriptionId = AuthorizationManagementClient.SubscriptionId;
bool hasMismatchSubscription = currentSubscriptionId != storageAccountSubscriptionId;
try
{
if (hasMismatchSubscription)
{
AuthorizationManagementClient.SubscriptionId = storageAccountSubscriptionId;
}
var resourceIdentifier = new ResourceIdentifier(storageAccountResourceId);
string roleDefinitionScope = "/";
RoleDefinition roleDefinition = AuthorizationManagementClient.RoleDefinitions.Get(roleDefinitionScope, BuiltInRoleDefinitionId);
var serverPrincipalId = serverPrincipal.Id.ToString();
var roleAssignments = AuthorizationManagementClient.RoleAssignments
.ListForResource(
resourceIdentifier.ResourceGroupName,
ResourceIdentifier.GetProviderFromResourceType(resourceIdentifier.ResourceType),
resourceIdentifier.ParentResource ?? "/",
ResourceIdentifier.GetTypeFromResourceType(resourceIdentifier.ResourceType),
resourceIdentifier.ResourceName,
odataQuery: new ODataQuery <RoleAssignmentFilter>(f => f.AssignedTo(serverPrincipalId)));
var roleAssignmentScope = storageAccountResourceId;
Guid roleAssignmentId = StorageSyncResourceManager.GetGuid();
RoleAssignment roleAssignment = roleAssignments.FirstOrDefault();
if (roleAssignment == null)
{
VerboseLogger.Invoke(StorageSyncResources.CreateRoleAssignmentMessage);
var createParameters = new RoleAssignmentCreateParameters
{
Properties = new RoleAssignmentProperties
{
PrincipalId = serverPrincipalId,
RoleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(resourceIdentifier.Subscription, BuiltInRoleDefinitionId)
}
};
roleAssignment = AuthorizationManagementClient.RoleAssignments.Create(roleAssignmentScope, roleAssignmentId.ToString(), createParameters);
StorageSyncResourceManager.Wait();
}
return(roleAssignment);
}
finally
{
if (hasMismatchSubscription)
{
AuthorizationManagementClient.SubscriptionId = currentSubscriptionId;
}
}
}
public void RoleAssignmentListByFilterTest()
{
using (UndoContext context = UndoContext.Current)
{
context.Start();
var client = testContext.GetAuthorizationManagementClient();
Assert.NotNull(client);
Assert.NotNull(client.HttpClient);
var principalId = testContext.Users.ElementAt(1);
// Read/write the PrincipalId from Testcontext to enable Playback mode test execution
principalId = GetValueFromTestContext(() => principalId, Guid.Parse, "PrincipalId");
var scope = "subscriptions/" + client.Credentials.SubscriptionId;
var roleDefinition = client.RoleDefinitions.List().RoleDefinitions.First();
for (int i = 0; i < testContext.Users.Count; i++)
{
var pId = testContext.Users.ElementAt(i);
var newRoleAssignment = new RoleAssignmentCreateParameters()
{
Properties = new RoleAssignmentProperties()
{
RoleDefinitionId = roleDefinition.Id,
PrincipalId = pId
}
};
var assignmentName = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "AssignmentName_" + i);
var createResult = client.RoleAssignments.Create(scope, assignmentName, newRoleAssignment);
}
var allRoleAssignments = client.RoleAssignments.List(new ListAssignmentsFilterParameters
{
PrincipalId = principalId
});
Assert.NotNull(allRoleAssignments);
Assert.NotNull(allRoleAssignments.RoleAssignments);
foreach (var assignment in allRoleAssignments.RoleAssignments)
{
Assert.NotNull(assignment);
Assert.NotNull(assignment.Id);
Assert.NotNull(assignment.Name);
Assert.NotNull(assignment.Type);
Assert.NotNull(assignment.Properties);
Assert.NotNull(assignment.Properties.PrincipalId);
Assert.NotNull(assignment.Properties.RoleDefinitionId);
Assert.NotNull(assignment.Properties.Scope);
Assert.Equal(principalId, assignment.Properties.PrincipalId);
}
}
}
/// <summary>
/// Updates a role assignment.
/// </summary>
/// <param name="roleAssignment">The role assignment to update.</param>
/// <returns>The updated role assignment.</returns>
public PSRoleAssignment UpdateRoleAssignment(PSRoleAssignment roleAssignment)
{
string principalType;
// check added in case Set-AzRoleAssignment is called as a create operation but the user didn't add the object type
if (roleAssignment.ObjectType == null)
{
PSADObject asignee = ActiveDirectoryClient.GetADObject(new ADObjectFilterOptions()
{
Id = roleAssignment.ObjectId
});
if (asignee == null)
{
throw new ArgumentException("No AD object could be found with current parameters, please confirm the information provided is correct and try again");
}
principalType = asignee is PSADUser ? "User" : asignee is PSADServicePrincipal ? "ServicePrincipal" : asignee is PSADGroup ? "Group" : null;
}
else
{
principalType = roleAssignment.ObjectType;
}
string principalId = roleAssignment.ObjectId;
var roleAssignmentGuidIndex = roleAssignment.RoleAssignmentId.LastIndexOf("/");
var roleAssignmentId = roleAssignmentGuidIndex != -1 ? roleAssignment.RoleAssignmentId.Substring(roleAssignmentGuidIndex + 1) : roleAssignment.RoleAssignmentId;
string scope = roleAssignment.Scope;
string roleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, roleAssignment.RoleDefinitionId);
var Description = string.IsNullOrWhiteSpace(roleAssignment.Description) ? null : roleAssignment.Description;
var Condition = string.IsNullOrWhiteSpace(roleAssignment.Condition) ? null : roleAssignment.Condition;
var ConditionVersion = string.IsNullOrWhiteSpace(roleAssignment.ConditionVersion) ? null : roleAssignment.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId,
PrincipalType = principalType,
CanDelegate = roleAssignment.CanDelegate,
Description = Description,
Condition = Condition,
ConditionVersion = ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
scope, roleAssignmentId, createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
/// <summary>
/// Add role assignment by role name
/// </summary>
/// <param name="scope"></param>
/// <param name="roleName"></param>
/// <param name="assignmentName"></param>
/// <param name="assigneePrincipalId"></param>
public void AddRoleAssignment(string scope, string roleName, string assignmentName, string assigneePrincipalId)
{
var roleDefinition = authorizationManagementClient.RoleDefinitions
.List(scope)
.First(role => role.RoleName.StartsWith(roleName));
var newRoleAssignment = new RoleAssignmentCreateParameters()
{
RoleDefinitionId = roleDefinition.Id,
PrincipalId = assigneePrincipalId,
CanDelegate = false
};
authorizationManagementClient.RoleAssignments.Create(scope, assignmentName, newRoleAssignment);
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string roleDefinitionId = GetRoleRoleDefinition(parameters.RoleDefinition).Id;
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
};
AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters);
return(AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment.ToPSRoleAssignment(this, ActiveDirectoryClient));
}
/// <summary>
/// Add role assignment by role name.
/// </summary>
/// <param name="context">Object representing a HpcCacheTestContext.</param>
/// <param name="scope">The scope of the role assignment to create.</param>
/// <param name="roleName">The role name.</param>
/// <param name="assignmentName">The name of the role assignment to create.</param>
public void AddRoleAssignment(HpcCacheTestContext context, string scope, string roleName, string assignmentName)
{
AuthorizationManagementClient authorizationManagementClient = context.GetClient <AuthorizationManagementClient>();
var roleDefinition = authorizationManagementClient.RoleDefinitions
.List(scope)
.First(role => role.RoleName.StartsWith(roleName));
var newRoleAssignment = new RoleAssignmentCreateParameters()
{
RoleDefinitionId = roleDefinition.Id,
PrincipalId = Constants.StorageCacheResourceProviderPrincipalId,
};
authorizationManagementClient.RoleAssignments.Create(scope, assignmentName, newRoleAssignment);
}
/// <summary>
/// Updates a role assignment.
/// </summary>
/// <param name="roleAssignment">The role assignment to update.</param>
/// <returns>The updated role assignment.</returns>
public PSRoleAssignment UpdateRoleAssignment(PSRoleAssignment roleAssignment)
{
string principalType = null;
// check added in case Set-AzRoleAssignment is called as a create operation but the user didn't add the object type
if (roleAssignment.ObjectType == null)
{
var asignee = ActiveDirectoryClient.GetObjectsByObjectId(new List <string> {
roleAssignment.ObjectId
}).SingleOrDefault();
if (!(asignee is PSErrorHelperObject) && asignee.Type != null)
{
principalType = asignee.Type;
}
}
else
{
principalType = roleAssignment.ObjectType;
}
string principalId = roleAssignment.ObjectId;
var roleAssignmentGuidIndex = roleAssignment.RoleAssignmentId.LastIndexOf("/");
var roleAssignmentId = roleAssignmentGuidIndex != -1 ? roleAssignment.RoleAssignmentId.Substring(roleAssignmentGuidIndex + 1) : roleAssignment.RoleAssignmentId;
string scope = roleAssignment.Scope;
string roleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, roleAssignment.RoleDefinitionId);
var Description = string.IsNullOrWhiteSpace(roleAssignment.Description) ? null : roleAssignment.Description;
var Condition = string.IsNullOrWhiteSpace(roleAssignment.Condition) ? null : roleAssignment.Condition;
var ConditionVersion = string.IsNullOrWhiteSpace(roleAssignment.ConditionVersion) ? null : roleAssignment.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId,
PrincipalType = principalType,
CanDelegate = roleAssignment.CanDelegate,
Description = Description,
Condition = Condition,
ConditionVersion = ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
scope, roleAssignmentId, createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
public void RoleAssignmentsCreateDeleteTests()
{
using (UndoContext context = UndoContext.Current)
{
context.Start();
var client = testContext.GetAuthorizationManagementClient();
var assignmentName = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "AssignmentName");
var scope = "subscriptions/" + client.Credentials.SubscriptionId;
var principalId = testContext.Users.ElementAt(3);
Assert.NotNull(client);
Assert.NotNull(client.HttpClient);
var roleDefinition = client.RoleDefinitions.List().RoleDefinitions.Last();
var newRoleAssignment = new RoleAssignmentCreateParameters()
{
Properties = new RoleAssignmentProperties()
{
RoleDefinitionId = roleDefinition.Id,
PrincipalId = principalId
}
};
var createResult = client.RoleAssignments.Create(scope, assignmentName, newRoleAssignment);
Assert.NotNull(createResult);
Assert.Equal(HttpStatusCode.Created, createResult.StatusCode);
Assert.NotNull(createResult.RoleAssignment);
var deleteResult = client.RoleAssignments.Delete(scope, assignmentName);
Assert.NotNull(deleteResult);
Assert.Equal(HttpStatusCode.OK, deleteResult.StatusCode);
var deletedRoleAssignment = deleteResult.RoleAssignment;
Assert.NotNull(deletedRoleAssignment);
Assert.Equal(deletedRoleAssignment.Id, createResult.RoleAssignment.Id);
var allRoleAssignments = client.RoleAssignments.List(null);
var createdAssignment = allRoleAssignments.RoleAssignments.FirstOrDefault(
a => a.Name == assignmentName);
Assert.Null(createdAssignment);
}
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
{
var assigneeID = parameters.ADObjectFilter?.Id;
var assigneeObjectType = parameters.ADObjectFilter?.ObjectType;
if (string.IsNullOrWhiteSpace(assigneeObjectType) || string.IsNullOrWhiteSpace(assigneeID))
{
try
{
var assigneeObject = ActiveDirectoryClient.GetADObject(parameters.ADObjectFilter);
assigneeID = assigneeID ?? assigneeObject?.Type;
assigneeObjectType = assigneeObjectType ?? assigneeObject?.Type;
}
catch (Common.MSGraph.Version1_0.DirectoryObjects.Models.OdataErrorException) when(!string.IsNullOrEmpty(assigneeID))
{
// If assigneeID is not null, swallow OdataErrorException
}
}
string principalId = assigneeID;
roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
string scope = parameters.Scope;
string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);
parameters.Description = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
parameters.Condition = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId,
PrincipalType = assigneeObjectType,
RoleDefinitionId = roleDefinitionId,
Description = parameters.Description,
Condition = parameters.Condition,
ConditionVersion = parameters.ConditionVersion
};
return(AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId.ToString(), createParameters).ToPSRoleAssignment(this, ActiveDirectoryClient));
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
{
var asigneeID = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
string asigneeObjectType = parameters.ADObjectFilter?.ObjectType;
if (string.IsNullOrWhiteSpace(asigneeObjectType))
{
var asigneeObject = ActiveDirectoryClient.GetObjectsByObjectId(new List <string>()
{
asigneeID
}).SingleOrDefault();
asigneeObjectType = (!(asigneeObject is PSErrorHelperObject) && asigneeObject != null) ? asigneeObject.Type : null;
}
string principalId = asigneeID;
roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
string scope = parameters.Scope;
string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);
parameters.Description = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
parameters.Condition = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
PrincipalType = asigneeObjectType,
RoleDefinitionId = roleDefinitionId,
CanDelegate = parameters.CanDelegate,
Description = parameters.Description,
Condition = parameters.Condition,
ConditionVersion = parameters.ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
parameters.Scope, roleAssignmentId.ToString(), createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
public IEnumerable <RoleAssignment> CreateAndAssignRoleForGroup(ResourceGroupExtended group, Guid principal, IEnumerable <String> roles)
{
var assignments = new List <RoleAssignment>();
foreach (var roleName in roles)
{
var role = ServerRoles.Where(x => String.Equals(x.Properties.RoleName, roleName, StringComparison.OrdinalIgnoreCase)).First();
var roleCreate = new RoleAssignmentCreateParameters()
{
Properties = new RoleAssignmentProperties()
{
PrincipalId = principal,
RoleDefinitionId = role.Id
}
};
try
{
var t = this.Client.RoleAssignments.CreateAsync(group.Id, Guid.NewGuid(), roleCreate);
t.Wait();
assignments.Add(t.Result.RoleAssignment);
}
catch (Exception)
{
IEnumerable <RoleAssignment> userAssignments = this.Client.RoleAssignments.ListForResourceGroup(group.Name, new ListAssignmentsFilterParameters()
{
PrincipalId = principal
}).RoleAssignments;
userAssignments = userAssignments.Where(x => x.Properties.RoleDefinitionId == role.Id);
if (userAssignments == null || !userAssignments.Any())
{
throw;
}
assignments.AddRange(userAssignments);
}
}
return(assignments);
}
/// <summary>
/// Add role assignment by role name.
/// </summary>
/// <param name="context">Object representing a StorageCacheTestContext.</param>
/// <param name="scope">The scope of the role assignment to create.</param>
/// <param name="roleName">The role name.</param>
/// <param name="assignmentName">The name of the role assignment to create.</param>
public void AddRoleAssignment(StorageCacheTestContext context, string scope, string roleName, string assignmentName)
{
AuthorizationManagementClient authorizationManagementClient = context.GetClient <AuthorizationManagementClient>();
var roleDefinition = authorizationManagementClient.RoleDefinitions
.List(scope)
.First(role => role.RoleName.StartsWith(roleName));
var newRoleAssignment = new RoleAssignmentCreateParameters()
{
RoleDefinitionId = roleDefinition.Id,
PrincipalId = Constants.StorageCacheResourceProviderPrincipalId,
// The principal ID assigned to the role.
// This maps to the ID inside the Active Directory.
// It can point to a user, service principal, or security group.
CanDelegate = false,
};
authorizationManagementClient.RoleAssignments.Create(scope, assignmentName, newRoleAssignment);
}
/// <summary>
/// Updates a role assignment.
/// </summary>
/// <param name="roleAssignment">The role assignment to update.</param>
/// <returns>The updated role assignment.</returns>
public PSRoleAssignment UpdateRoleAssignment(PSRoleAssignment roleAssignment)
{
string principalType = null;
// check added in case Set-AzRoleAssignment is called as a create operation but the user didn't add the object type
if (string.IsNullOrEmpty(roleAssignment.ObjectType))
{
try
{
var assignee = ActiveDirectoryClient.GetObjectByObjectId(roleAssignment.ObjectId);
principalType = assignee?.Type;
}
catch
{
// Ignore
}
}
else
{
principalType = roleAssignment.ObjectType;
}
string principalId = roleAssignment.ObjectId;
var roleAssignmentId = roleAssignment.RoleAssignmentId.GuidFromFullyQualifiedId();
string scope = roleAssignment.Scope;
string roleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, roleAssignment.RoleDefinitionId);
var Description = string.IsNullOrWhiteSpace(roleAssignment.Description) ? null : roleAssignment.Description;
var Condition = string.IsNullOrWhiteSpace(roleAssignment.Condition) ? null : roleAssignment.Condition;
var ConditionVersion = string.IsNullOrWhiteSpace(roleAssignment.ConditionVersion) ? null : roleAssignment.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
RoleDefinitionId = roleDefinitionId,
PrincipalType = principalType,
Description = Description,
Condition = Condition,
ConditionVersion = ConditionVersion
};
return(AuthorizationManagementClient.RoleAssignments.Create(scope, roleAssignmentId, createParameters).ToPSRoleAssignment(this, ActiveDirectoryClient));
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
{
PSADObject asignee = ActiveDirectoryClient.GetADObject(parameters.ADObjectFilter);
if (asignee == null)
{
throw new ArgumentException(ProjectResources.NoADObjectFound);
}
string principalId = asignee.Id;
string principalType = asignee is PSADUser ? "User" : asignee is PSADServicePrincipal ? "ServicePrincipal" : asignee is PSADGroup ? "Group" : null;
roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
string scope = parameters.Scope;
string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
: AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);
parameters.Description = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
parameters.Condition = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;
var createParameters = new RoleAssignmentCreateParameters
{
PrincipalId = principalId.ToString(),
PrincipalType = principalType,
RoleDefinitionId = roleDefinitionId,
CanDelegate = parameters.CanDelegate,
Description = parameters.Description,
Condition = parameters.Condition,
ConditionVersion = parameters.ConditionVersion
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
parameters.Scope, roleAssignmentId.ToString(), createParameters);
var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
return(PSRoleAssignment);
}
/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string roleDefinitionId = GetRoleRoleDefinition(parameters.RoleDefinition).Id;
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
Properties = new RoleAssignmentProperties {
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
}
};
AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters);
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment;
IEnumerable <RoleAssignment> assignments = new List <RoleAssignment>()
{
assignment
};
return(assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault());
}
public async Task <Response <KeyVaultRoleAssignment> > CreateAsync(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentCreateParameters parameters, CancellationToken cancellationToken = default)
{
if (vaultBaseUrl == null)
{
throw new ArgumentNullException(nameof(vaultBaseUrl));
}
if (scope == null)
{
throw new ArgumentNullException(nameof(scope));
}
if (roleAssignmentName == null)
{
throw new ArgumentNullException(nameof(roleAssignmentName));
}
if (parameters == null)
{
throw new ArgumentNullException(nameof(parameters));
}
using var message = CreateCreateRequest(vaultBaseUrl, scope, roleAssignmentName, parameters);
await _pipeline.SendAsync(message, cancellationToken).ConfigureAwait(false);
switch (message.Response.Status)
{
case 201:
{
KeyVaultRoleAssignment value = default;
using var document = await JsonDocument.ParseAsync(message.Response.ContentStream, default, cancellationToken).ConfigureAwait(false);
value = KeyVaultRoleAssignment.DeserializeKeyVaultRoleAssignment(document.RootElement);
return(Response.FromValue(value, message.Response));
}
internal HttpMessage CreateCreateRequest(string vaultBaseUrl, string scope, string roleAssignmentName, RoleAssignmentCreateParameters parameters)
{
var message = _pipeline.CreateMessage();
var request = message.Request;
request.Method = RequestMethod.Put;
var uri = new RawRequestUriBuilder();
uri.AppendRaw(vaultBaseUrl, false);
uri.AppendPath("/", false);
uri.AppendPath(scope, false);
uri.AppendPath("/providers/Microsoft.Authorization/roleAssignments/", false);
uri.AppendPath(roleAssignmentName, true);
uri.AppendQuery("api-version", apiVersion, true);
request.Uri = uri;
request.Headers.Add("Accept", "application/json");
request.Headers.Add("Content-Type", "application/json");
var content = new Utf8JsonRequestContent();
content.JsonWriter.WriteObjectValue(parameters);
request.Content = content;
return(message);
}
