Inheritance: PSVaultIdentityItem
        public override void ExecuteCmdlet()
        {
            if (ShouldProcess(VaultName, Properties.Resources.RemoveVaultAccessPolicy))
            {
                if (ParameterSetName == ForVault && !EnabledForDeployment.IsPresent &&
                    !EnabledForTemplateDeployment.IsPresent && !EnabledForDiskEncryption.IsPresent)
                {
                    throw new ArgumentException(PSKeyVaultProperties.Resources.VaultPermissionFlagMissing);
                }

                ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;

                // Get the vault to be updated
                PSKeyVaultModels.PSVault existingVault = null;

                if (!string.IsNullOrWhiteSpace(ResourceGroupName))
                {
                    existingVault = KeyVaultManagementClient.GetVault(
                        VaultName,
                        ResourceGroupName);
                }
                if (existingVault == null)
                {
                    throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
                }

                if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
                {
                    throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);
                }

                if (!string.IsNullOrWhiteSpace(this.ObjectId) && !this.IsValidObjectIdSyntax(this.ObjectId))
                {
                    throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidObjectIdSyntax);
                }

                // Update vault policies
                var updatedPolicies = existingVault.AccessPolicies;
                if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || !string.IsNullOrWhiteSpace(this.ObjectId))
                {
                    if (string.IsNullOrWhiteSpace(this.ObjectId))
                    {
                        ObjectId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
                    }
                    updatedPolicies = existingVault.AccessPolicies.Where(ap => !ShallBeRemoved(ap, ObjectId, this.ApplicationId)).ToArray();
                }

                // Update the vault
                var updatedVault = KeyVaultManagementClient.UpdateVault(existingVault, updatedPolicies,
                                                                        EnabledForDeployment.IsPresent ? false : existingVault.EnabledForDeployment,
                                                                        EnabledForTemplateDeployment.IsPresent ? false : existingVault.EnabledForTemplateDeployment,
                                                                        EnabledForDiskEncryption.IsPresent ? false : existingVault.EnabledForDiskEncryption,
                                                                        ActiveDirectoryClient);

                if (PassThru.IsPresent)
                {
                    WriteObject(updatedVault);
                }
            }
        }
        public override void ExecuteCmdlet()
        {
            switch (ParameterSetName)
            {
            case GetVaultParameterSet:
                ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
                PSKeyVaultModels.PSVault vault = null;

                if (!string.IsNullOrWhiteSpace(ResourceGroupName))
                {
                    vault = KeyVaultManagementClient.GetVault(
                        VaultName,
                        ResourceGroupName,
                        ActiveDirectoryClient);
                }
                if (vault == null)
                {
                    throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
                }
                else
                {
                    WriteObject(vault);
                }
                break;

            case ListVaultsByRGParameterSet:
            case ListVaultsBySubParameterSet:
                WriteObject(ListVaults(ResourceGroupName, Tag), true);
                break;

            default:
                throw new ArgumentException(PSKeyVaultProperties.Resources.BadParameterSetName);
            }
        }
        public override void ExecuteCmdlet()
        {
            WriteWarning("The usage of Tag parameter in this cmdlet will be modified in a future release. This will impact creating, updating and appending tags for Azure resources. For more details about the change, please visit https://github.com/Azure/azure-powershell/issues/726#issuecomment-213545494");

            switch (ParameterSetName)
            {
            case GetVaultParameterSet:
                ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
                PSKeyVaultModels.PSVault vault = null;

                if (!string.IsNullOrWhiteSpace(ResourceGroupName))
                {
                    vault = KeyVaultManagementClient.GetVault(
                        VaultName,
                        ResourceGroupName,
                        ActiveDirectoryClient);
                }
                if (vault == null)
                {
                    throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
                }
                WriteObject(vault);
                break;

            case ListVaultsByRGParameterSet:
            case ListVaultsBySubParameterSet:
                WriteObject(ListVaults(ResourceGroupName, Tag), true);
                break;

            default:
                throw new ArgumentException(PSKeyVaultProperties.Resources.BadParameterSetName);
            }
        }
        /// <summary>
        /// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently.
        /// </summary>
        /// <param name="existingVault">the existing vault</param>
        /// <param name="updatedPolicies">the update access policies</param>
        /// <param name="updatedEnabledForDeployment">enabled for deployment</param>
        /// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param>
        /// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param>
        /// <param name="adClient">the active directory client</param>
        /// <returns>the updated vault</returns>
        public PSVault UpdateVault(PSVault existingVault, PSVaultAccessPolicy[] updatedPolicies, bool?updatedEnabledForDeployment,
                                   bool?updatedEnabledForTemplateDeployment, bool?updatedEnabledForDiskEncryption, ActiveDirectoryClient adClient = null)
        {
            if (existingVault == null)
            {
                throw new ArgumentNullException("existingVault");
            }
            if (existingVault.OriginalVault == null)
            {
                throw new ArgumentNullException("existingVault.OriginalVault");
            }

            //Update the vault properties in the object received from server
            //Only access policies and EnabledForDeployment can be changed
            VaultProperties properties = existingVault.OriginalVault.Properties;

            properties.EnabledForDeployment         = updatedEnabledForDeployment;
            properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment;
            properties.EnabledForDiskEncryption     = updatedEnabledForDiskEncryption;
            properties.AccessPolicies = (updatedPolicies == null) ?
                                        new List <AccessPolicyEntry>() :
                                        updatedPolicies.Select(a => new AccessPolicyEntry()
            {
                TenantId      = a.TenantId,
                ObjectId      = a.ObjectId,
                ApplicationId = a.ApplicationId,
                Permissions   = new Permissions
                {
                    Keys         = a.PermissionsToKeys.ToArray(),
                    Secrets      = a.PermissionsToSecrets.ToArray(),
                    Certificates = a.PermissionsToCertificates.ToArray(),
                    Storage      = a.PermissionsToStorage.ToArray(),
                }
            }).ToList();

            var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate(
                resourceGroupName: existingVault.ResourceGroupName,
                vaultName: existingVault.VaultName,
                parameters: new VaultCreateOrUpdateParameters()
            {
                Location   = existingVault.Location,
                Properties = properties,
                Tags       = TagsConversionHelper.CreateTagDictionary(existingVault.Tags, validate: true)
            }
                );

            return(new PSVault(response, adClient));
        }
Beispiel #5
0
        public override void ExecuteCmdlet()
        {
            ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;

            // Get the vault to be updated
            PSKeyVaultModels.PSVault existingVault = null;

            if (!string.IsNullOrWhiteSpace(ResourceGroupName))
            {
                existingVault = KeyVaultManagementClient.GetVault(
                    VaultName,
                    ResourceGroupName);
            }
            if (existingVault == null)
            {
                throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
            }

            if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
            {
                throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);
            }

            // Update vault policies
            var updatedPolicies = existingVault.AccessPolicies;

            if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != null && ObjectId != Guid.Empty))
            {
                Guid objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);

                updatedPolicies = existingVault.AccessPolicies.Where(ap => !ShallBeRemoved(ap, objId, this.ApplicationId)).ToArray();
            }

            // Update the vault
            var updatedVault = KeyVaultManagementClient.UpdateVault(existingVault, updatedPolicies, !this.EnabledForDeployment.IsPresent, ActiveDirectoryClient);

            if (PassThru.IsPresent)
            {
                WriteObject(updatedVault);
            }
        }
        /// <summary>
        /// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently.
        /// </summary>
        /// <param name="existingVault"></param>
        /// <returns></returns>
        public PSVault UpdateVault(PSVault existingVault, PSVaultAccessPolicy[] updatedPolicies, bool updatedEnabledForDeployment, ActiveDirectoryClient adClient = null)
        {
            if (existingVault == null)
            {
                throw new ArgumentNullException("existingVault");
            }
            if (existingVault.OriginalVault == null)
            {
                throw new ArgumentNullException("existingVault.OriginalVault");
            }

            //Update the vault properties in the object received from server
            //Only access policies and EnabledForDeployment can be changed
            VaultProperties properties = existingVault.OriginalVault.Properties;

            properties.EnabledForDeployment = updatedEnabledForDeployment;
            properties.AccessPolicies       = (updatedPolicies == null) ?
                                              new List <AccessPolicyEntry>() :
                                              updatedPolicies.Select(a => new AccessPolicyEntry()
            {
                TenantId             = a.TenantId,
                ObjectId             = a.ObjectId,
                PermissionsToKeys    = a.PermissionsToKeys.ToArray(),
                PermissionsToSecrets = a.PermissionsToSecrets.ToArray()
            }).ToList();

            var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate(
                resourceGroupName: existingVault.ResourceGroupName,
                vaultName: existingVault.VaultName,
                parameters: new VaultCreateOrUpdateParameters()
            {
                Location   = existingVault.Location,
                Properties = properties
            }
                );

            return(new PSVault(response.Vault, adClient));
        }
        public override void ExecuteCmdlet()
        {
            if (ShouldProcess(VaultName, Properties.Resources.SetVaultAccessPolicy))
            {
                if (ParameterSetName == ForVault && !EnabledForDeployment.IsPresent &&
                    !EnabledForTemplateDeployment.IsPresent && !EnabledForDiskEncryption.IsPresent)
                {
                    throw new ArgumentException(PSKeyVaultProperties.Resources.VaultPermissionFlagMissing);
                }

                ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
                PSKeyVaultModels.PSVault vault = null;

                // Get the vault to be updated
                if (!string.IsNullOrWhiteSpace(ResourceGroupName))
                {
                    vault = KeyVaultManagementClient.GetVault(
                        VaultName,
                        ResourceGroupName);
                }
                if (vault == null)
                {
                    throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
                }

                // Update vault policies
                PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
                if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != Guid.Empty))
                {
                    Guid objId = this.ObjectId;
                    if (!this.BypassObjectIdValidation.IsPresent)
                    {
                        objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
                    }

                    if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
                    {
                        throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);
                    }

                    //All permission arrays cannot be null
                    if (PermissionsToKeys == null && PermissionsToSecrets == null && PermissionsToCertificates == null)
                    {
                        throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified);
                    }
                    else
                    {
                        //Validate
                        if (!IsMeaningfulPermissionSet(PermissionsToKeys))
                        {
                            throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys"));
                        }
                        if (!IsMeaningfulPermissionSet(PermissionsToSecrets))
                        {
                            throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "secrets"));
                        }
                        if (!IsMeaningfulPermissionSet(PermissionsToCertificates))
                        {
                            throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "certificates"));
                        }

                        //Is there an existing policy for this policy identity?
                        var existingPolicy = vault.AccessPolicies.FirstOrDefault(ap => MatchVaultAccessPolicyIdentity(ap, objId, ApplicationId));

                        //New policy will have permission arrays that are either from cmdlet input
                        //or if that's null, then from the old policy for this object ID if one existed
                        var keys = PermissionsToKeys ?? (existingPolicy != null && existingPolicy.PermissionsToKeys != null ?
                                                         existingPolicy.PermissionsToKeys.ToArray() : null);

                        var secrets = PermissionsToSecrets ?? (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ?
                                                               existingPolicy.PermissionsToSecrets.ToArray() : null);

                        var certificates = PermissionsToCertificates ?? (existingPolicy != null && existingPolicy.PermissionsToCertificates != null ?
                                                                         existingPolicy.PermissionsToCertificates.ToArray() : null);

                        //Remove old policies for this policy identity and add a new one with the right permissions, iff there were some non-empty permissions
                        updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => !MatchVaultAccessPolicyIdentity(ap, objId, this.ApplicationId)).ToArray();
                        if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0) || (certificates != null && certificates.Length > 0))
                        {
                            var policy = new PSKeyVaultModels.PSVaultAccessPolicy(vault.TenantId, objId, this.ApplicationId, keys, secrets, certificates);
                            updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray();
                        }
                    }
                }

                // Update the vault
                var updatedVault = KeyVaultManagementClient.UpdateVault(vault, updatedListOfAccessPolicies,
                                                                        EnabledForDeployment.IsPresent ? true : vault.EnabledForDeployment,
                                                                        EnabledForTemplateDeployment.IsPresent ? true : vault.EnabledForTemplateDeployment,
                                                                        EnabledForDiskEncryption.IsPresent ? true : vault.EnabledForDiskEncryption,
                                                                        ActiveDirectoryClient);

                if (PassThru.IsPresent)
                {
                    WriteObject(updatedVault);
                }
            }
        }
        /// <summary>
        /// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently.
        /// </summary>
        /// <param name="existingVault">the existing vault</param>
        /// <param name="updatedPolicies">the update access policies</param>
        /// <param name="updatedEnabledForDeployment">enabled for deployment</param>
        /// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param>
        /// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param>
        /// <param name="adClient">the active directory client</param>
        /// <returns>the updated vault</returns>
        public PSVault UpdateVault(PSVault existingVault, PSVaultAccessPolicy[] updatedPolicies, bool updatedEnabledForDeployment,
            bool? updatedEnabledForTemplateDeployment, bool? updatedEnabledForDiskEncryption, ActiveDirectoryClient adClient = null)
        {
            if (existingVault == null)
                throw new ArgumentNullException("existingVault");
            if (existingVault.OriginalVault == null)
                throw new ArgumentNullException("existingVault.OriginalVault");

            //Update the vault properties in the object received from server
            //Only access policies and EnabledForDeployment can be changed
            VaultProperties properties = existingVault.OriginalVault.Properties;
            properties.EnabledForDeployment = updatedEnabledForDeployment;
            properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment;
            properties.EnabledForDiskEncryption = updatedEnabledForDiskEncryption;
            properties.AccessPolicies = (updatedPolicies == null) ? 
                new List<AccessPolicyEntry>() :
                updatedPolicies.Select(a => new AccessPolicyEntry()
                        {
                            TenantId = a.TenantId,
                            ObjectId = a.ObjectId,
                            ApplicationId = a.ApplicationId,
                            PermissionsToKeys = a.PermissionsToKeys.ToArray(),
                            PermissionsToSecrets = a.PermissionsToSecrets.ToArray()
                        }).ToList();

            var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate(
                resourceGroupName: existingVault.ResourceGroupName,
                vaultName: existingVault.VaultName,                
                parameters: new VaultCreateOrUpdateParameters()
                {                                       
                    Location = existingVault.Location,
                    Properties = properties
                }
                );
            return new PSVault(response.Vault, adClient);
        }
Beispiel #9
0
        public override void ExecuteCmdlet()
        {
            ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
            PSKeyVaultModels.PSVault vault = null;

            // Get the vault to be updated
            if (!string.IsNullOrWhiteSpace(ResourceGroupName))
            {
                vault = KeyVaultManagementClient.GetVault(
                    VaultName,
                    ResourceGroupName);
            }
            if (vault == null)
            {
                throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
            }

            // Update vault policies
            PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
            if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != null && ObjectId != Guid.Empty))
            {
                Guid objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);

                //Both arrays cannot be null
                if (PermissionsToKeys == null && PermissionsToSecrets == null)
                {
                    throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified);
                }
                else
                {
                    //Validate
                    if (!IsMeaningfulPermissionSet(PermissionsToKeys))
                    {
                        throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys"));
                    }
                    if (!IsMeaningfulPermissionSet(PermissionsToSecrets))
                    {
                        throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "secrets"));
                    }

                    //Is there an existing policy for this object ID?
                    var existingPolicy = vault.AccessPolicies.Where(ap => ap.ObjectId == objId).FirstOrDefault();

                    //New policy will have permission arrays that are either from cmdlet input
                    //or if that's null, then from the old policy for this object ID if one existed
                    var keys = PermissionsToKeys != null ? PermissionsToKeys :
                               (existingPolicy != null && existingPolicy.PermissionsToKeys != null ?
                                existingPolicy.PermissionsToKeys.ToArray() : null);

                    var secrets = PermissionsToSecrets != null ? PermissionsToSecrets :
                                  (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ?
                                   existingPolicy.PermissionsToSecrets.ToArray() : null);

                    //Remove old policies for this object ID and add a new one with the right permissions, iff there were some non-empty permissions
                    updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => ap.ObjectId != objId).ToArray();
                    if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0))
                    {
                        var policy = new PSKeyVaultModels.PSVaultAccessPolicy(vault.TenantId, objId, keys, secrets);
                        updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray();
                    }
                }
            }

            // Update the vault
            var updatedVault = KeyVaultManagementClient.UpdateVault(vault, updatedListOfAccessPolicies, this.EnabledForDeployment.IsPresent ? true : vault.EnabledForDeployment, ActiveDirectoryClient);

            if (PassThru.IsPresent)
            {
                WriteObject(updatedVault);
            }
        }