Beispiel #1
0
 private bool ShallBeRemoved(PSKeyVaultModels.PSVaultAccessPolicy ap, Guid objectId, Guid?applicationId)
 {
     // If both object id and application id are specified, remove the compound identity policy only.
     // If only object id is specified, remove all policies refer to the object id including the compound identity policies.
     return(applicationId.HasValue ? (ap.ApplicationId == applicationId && ap.ObjectId == objectId) :
            (ap.ObjectId == objectId));
 }
Beispiel #2
0
        private bool ShallBeRemoved(PSKeyVaultModels.PSVaultAccessPolicy ap, string objectId, Guid?applicationId)
        {
            // If both object id and application id are specified, remove the compound identity policy only.
            // If only object id is specified, remove all policies refer to the object id including the compound identity policies.
            var sameObjectId = string.Equals(ap.ObjectId, objectId, StringComparison.OrdinalIgnoreCase);

            return(applicationId.HasValue ? (ap.ApplicationId == applicationId && sameObjectId) : sameObjectId);
        }
 private bool MatchVaultAccessPolicyIdentity(PSKeyVaultModels.PSVaultAccessPolicy ap, Guid objectId, Guid?applicationId)
 {
     return(ap.ApplicationId == applicationId && ap.ObjectId == objectId);
 }
        public override void ExecuteCmdlet()
        {
            if (ShouldProcess(VaultName, Properties.Resources.SetVaultAccessPolicy))
            {
                if (ParameterSetName == ForVault && !EnabledForDeployment.IsPresent &&
                    !EnabledForTemplateDeployment.IsPresent && !EnabledForDiskEncryption.IsPresent)
                {
                    throw new ArgumentException(PSKeyVaultProperties.Resources.VaultPermissionFlagMissing);
                }

                ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
                PSKeyVaultModels.PSVault vault = null;

                // Get the vault to be updated
                if (!string.IsNullOrWhiteSpace(ResourceGroupName))
                {
                    vault = KeyVaultManagementClient.GetVault(
                        VaultName,
                        ResourceGroupName);
                }
                if (vault == null)
                {
                    throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
                }

                // Update vault policies
                PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
                if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != Guid.Empty))
                {
                    Guid objId = this.ObjectId;
                    if (!this.BypassObjectIdValidation.IsPresent)
                    {
                        objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
                    }

                    if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
                    {
                        throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);
                    }

                    //All permission arrays cannot be null
                    if (PermissionsToKeys == null && PermissionsToSecrets == null && PermissionsToCertificates == null)
                    {
                        throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified);
                    }
                    else
                    {
                        //Validate
                        if (!IsMeaningfulPermissionSet(PermissionsToKeys))
                        {
                            throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys"));
                        }
                        if (!IsMeaningfulPermissionSet(PermissionsToSecrets))
                        {
                            throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "secrets"));
                        }
                        if (!IsMeaningfulPermissionSet(PermissionsToCertificates))
                        {
                            throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "certificates"));
                        }

                        //Is there an existing policy for this policy identity?
                        var existingPolicy = vault.AccessPolicies.FirstOrDefault(ap => MatchVaultAccessPolicyIdentity(ap, objId, ApplicationId));

                        //New policy will have permission arrays that are either from cmdlet input
                        //or if that's null, then from the old policy for this object ID if one existed
                        var keys = PermissionsToKeys ?? (existingPolicy != null && existingPolicy.PermissionsToKeys != null ?
                                                         existingPolicy.PermissionsToKeys.ToArray() : null);

                        var secrets = PermissionsToSecrets ?? (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ?
                                                               existingPolicy.PermissionsToSecrets.ToArray() : null);

                        var certificates = PermissionsToCertificates ?? (existingPolicy != null && existingPolicy.PermissionsToCertificates != null ?
                                                                         existingPolicy.PermissionsToCertificates.ToArray() : null);

                        //Remove old policies for this policy identity and add a new one with the right permissions, iff there were some non-empty permissions
                        updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => !MatchVaultAccessPolicyIdentity(ap, objId, this.ApplicationId)).ToArray();
                        if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0) || (certificates != null && certificates.Length > 0))
                        {
                            var policy = new PSKeyVaultModels.PSVaultAccessPolicy(vault.TenantId, objId, this.ApplicationId, keys, secrets, certificates);
                            updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray();
                        }
                    }
                }

                // Update the vault
                var updatedVault = KeyVaultManagementClient.UpdateVault(vault, updatedListOfAccessPolicies,
                                                                        EnabledForDeployment.IsPresent ? true : vault.EnabledForDeployment,
                                                                        EnabledForTemplateDeployment.IsPresent ? true : vault.EnabledForTemplateDeployment,
                                                                        EnabledForDiskEncryption.IsPresent ? true : vault.EnabledForDiskEncryption,
                                                                        ActiveDirectoryClient);

                if (PassThru.IsPresent)
                {
                    WriteObject(updatedVault);
                }
            }
        }
        public override void ExecuteCmdlet()
        {
            if (ParameterSetName == ForVault && !EnabledForDeployment.IsPresent &&
                !EnabledForTemplateDeployment.IsPresent && !EnabledForDiskEncryption.IsPresent)
            {
                throw new ArgumentException(PSKeyVaultProperties.Resources.VaultPermissionFlagMissing);
            }

            ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;           
            PSKeyVaultModels.PSVault vault = null;

            // Get the vault to be updated
            if (!string.IsNullOrWhiteSpace(ResourceGroupName))                
                vault = KeyVaultManagementClient.GetVault(
                                                   VaultName,
                                                   ResourceGroupName);
            if (vault == null)
            {
                throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
            }

            // Update vault policies
            PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
            if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != null && ObjectId != Guid.Empty))
            {
                Guid objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);

                if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
                    throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);

                //Both arrays cannot be null
                if (PermissionsToKeys == null && PermissionsToSecrets == null)
                    throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified);                
                else
                {
                    //Validate 
                    if (!IsMeaningfulPermissionSet(PermissionsToKeys))
                        throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys"));
                    if (!IsMeaningfulPermissionSet(PermissionsToSecrets))
                        throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "secrets"));

                    //Is there an existing policy for this policy identity?
                    var existingPolicy = vault.AccessPolicies.FirstOrDefault(ap => MatchVaultAccessPolicyIdentity(ap, objId, ApplicationId));

                    //New policy will have permission arrays that are either from cmdlet input 
                    //or if that's null, then from the old policy for this object ID if one existed
                    var keys = PermissionsToKeys ?? (existingPolicy != null && existingPolicy.PermissionsToKeys != null ?
                        existingPolicy.PermissionsToKeys.ToArray() : null);

                    var secrets = PermissionsToSecrets ?? (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ?
                        existingPolicy.PermissionsToSecrets.ToArray() : null);                    

                    //Remove old policies for this policy identity and add a new one with the right permissions, iff there were some non-empty permissions
                    updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => !MatchVaultAccessPolicyIdentity(ap, objId, this.ApplicationId)).ToArray();
                    if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0))
                    {
                        var policy = new PSKeyVaultModels.PSVaultAccessPolicy(vault.TenantId, objId, this.ApplicationId, keys, secrets);
                        updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray();
                    }

                }
            }

            // Update the vault
            var updatedVault = KeyVaultManagementClient.UpdateVault(vault, updatedListOfAccessPolicies,
                EnabledForDeployment.IsPresent || vault.EnabledForDeployment,
                EnabledForTemplateDeployment.IsPresent ? true : vault.EnabledForTemplateDeployment,
                EnabledForDiskEncryption.IsPresent ? true : vault.EnabledForDiskEncryption,
                ActiveDirectoryClient);

            if (PassThru.IsPresent)
                WriteObject(updatedVault);
        }
Beispiel #6
0
 private bool MatchVaultAccessPolicyIdentity(PSKeyVaultModels.PSVaultAccessPolicy ap, string objectId, Guid?applicationId)
 {
     return(ap.ApplicationId == applicationId && string.Equals(ap.ObjectId, objectId, StringComparison.OrdinalIgnoreCase));
 }
        /// <summary>
        /// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently.
        /// </summary>
        /// <param name="existingVault">the existing vault</param>
        /// <param name="updatedPolicies">the update access policies</param>
        /// <param name="updatedEnabledForDeployment">enabled for deployment</param>
        /// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param>
        /// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param>
        /// <param name="adClient">the active directory client</param>
        /// <returns>the updated vault</returns>
        public PSVault UpdateVault(PSVault existingVault, PSVaultAccessPolicy[] updatedPolicies, bool updatedEnabledForDeployment,
            bool? updatedEnabledForTemplateDeployment, bool? updatedEnabledForDiskEncryption, ActiveDirectoryClient adClient = null)
        {
            if (existingVault == null)
                throw new ArgumentNullException("existingVault");
            if (existingVault.OriginalVault == null)
                throw new ArgumentNullException("existingVault.OriginalVault");

            //Update the vault properties in the object received from server
            //Only access policies and EnabledForDeployment can be changed
            VaultProperties properties = existingVault.OriginalVault.Properties;
            properties.EnabledForDeployment = updatedEnabledForDeployment;
            properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment;
            properties.EnabledForDiskEncryption = updatedEnabledForDiskEncryption;
            properties.AccessPolicies = (updatedPolicies == null) ? 
                new List<AccessPolicyEntry>() :
                updatedPolicies.Select(a => new AccessPolicyEntry()
                        {
                            TenantId = a.TenantId,
                            ObjectId = a.ObjectId,
                            ApplicationId = a.ApplicationId,
                            PermissionsToKeys = a.PermissionsToKeys.ToArray(),
                            PermissionsToSecrets = a.PermissionsToSecrets.ToArray()
                        }).ToList();

            var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate(
                resourceGroupName: existingVault.ResourceGroupName,
                vaultName: existingVault.VaultName,                
                parameters: new VaultCreateOrUpdateParameters()
                {                                       
                    Location = existingVault.Location,
                    Properties = properties
                }
                );
            return new PSVault(response.Vault, adClient);
        }
Beispiel #8
0
        public override void ExecuteCmdlet()
        {
            ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
            PSKeyVaultModels.PSVault vault = null;

            // Get the vault to be updated
            if (!string.IsNullOrWhiteSpace(ResourceGroupName))
            {
                vault = KeyVaultManagementClient.GetVault(
                    VaultName,
                    ResourceGroupName);
            }
            if (vault == null)
            {
                throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
            }

            // Update vault policies
            PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
            if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != null && ObjectId != Guid.Empty))
            {
                Guid objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);

                //Both arrays cannot be null
                if (PermissionsToKeys == null && PermissionsToSecrets == null)
                {
                    throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified);
                }
                else
                {
                    //Validate
                    if (!IsMeaningfulPermissionSet(PermissionsToKeys))
                    {
                        throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys"));
                    }
                    if (!IsMeaningfulPermissionSet(PermissionsToSecrets))
                    {
                        throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "secrets"));
                    }

                    //Is there an existing policy for this object ID?
                    var existingPolicy = vault.AccessPolicies.Where(ap => ap.ObjectId == objId).FirstOrDefault();

                    //New policy will have permission arrays that are either from cmdlet input
                    //or if that's null, then from the old policy for this object ID if one existed
                    var keys = PermissionsToKeys != null ? PermissionsToKeys :
                               (existingPolicy != null && existingPolicy.PermissionsToKeys != null ?
                                existingPolicy.PermissionsToKeys.ToArray() : null);

                    var secrets = PermissionsToSecrets != null ? PermissionsToSecrets :
                                  (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ?
                                   existingPolicy.PermissionsToSecrets.ToArray() : null);

                    //Remove old policies for this object ID and add a new one with the right permissions, iff there were some non-empty permissions
                    updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => ap.ObjectId != objId).ToArray();
                    if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0))
                    {
                        var policy = new PSKeyVaultModels.PSVaultAccessPolicy(vault.TenantId, objId, keys, secrets);
                        updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray();
                    }
                }
            }

            // Update the vault
            var updatedVault = KeyVaultManagementClient.UpdateVault(vault, updatedListOfAccessPolicies, this.EnabledForDeployment.IsPresent ? true : vault.EnabledForDeployment, ActiveDirectoryClient);

            if (PassThru.IsPresent)
            {
                WriteObject(updatedVault);
            }
        }