public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true) { List<PSRoleDefinition> roleDefinitions = null; try { roleDefinitions = new List<PSRoleDefinition> { policyClient.GetRoleDefinition(assignment.Properties.RoleDefinitionId) }; } catch (CloudException ce) { if (ce.Response.StatusCode == HttpStatusCode.Unauthorized) { //Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments roleDefinitions = new List<PSRoleDefinition>(); } else { throw; } } IEnumerable<RoleAssignment> assignments = new List<RoleAssignment> { assignment }; return assignments.ToPSRoleAssignments(roleDefinitions, policyClient, activeDirectoryClient, excludeAssignmentsForDeletedPrincipals).SingleOrDefault(); }
/// <summary> /// Create a new vault /// </summary> /// <param name="parameters">vault creation parameters</param> /// <param name="adClient">the active directory client</param> /// <returns></returns> public PSVault CreateNewVault(VaultCreationParameters parameters, ActiveDirectoryClient adClient = null) { if (parameters == null) throw new ArgumentNullException("parameters"); if (string.IsNullOrWhiteSpace(parameters.VaultName)) throw new ArgumentNullException("parameters.VaultName"); if (string.IsNullOrWhiteSpace(parameters.ResourceGroupName)) throw new ArgumentNullException("parameters.ResourceGroupName"); if (string.IsNullOrWhiteSpace(parameters.Location)) throw new ArgumentNullException("parameters.Location"); if (string.IsNullOrWhiteSpace(parameters.SkuName)) throw new ArgumentNullException("parameters.SkuName"); if (string.IsNullOrWhiteSpace(parameters.SkuFamilyName)) throw new ArgumentNullException("parameters.SkuFamilyName"); if (parameters.TenantId == null || parameters.TenantId == Guid.Empty) throw new ArgumentException("parameters.TenantId"); if (parameters.ObjectId == null || parameters.ObjectId == Guid.Empty) throw new ArgumentException("parameters.ObjectId"); var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate( resourceGroupName: parameters.ResourceGroupName, vaultName: parameters.VaultName, parameters: new VaultCreateOrUpdateParameters() { Location = parameters.Location, Tags = TagsConversionHelper.CreateTagDictionary(parameters.Tags, validate: true), Properties = new VaultProperties { Sku = new Sku { Family = parameters.SkuFamilyName, Name = parameters.SkuName }, EnabledForDeployment = parameters.EnabledForDeployment, EnabledForTemplateDeployment = parameters.EnabledForTemplateDeployment, EnabledForDiskEncryption = parameters.EnabledForDiskEncryption, TenantId = parameters.TenantId, VaultUri = "", AccessPolicies = new [] { new AccessPolicyEntry { TenantId = parameters.TenantId, ObjectId = parameters.ObjectId, PermissionsToKeys = parameters.PermissionsToKeys, PermissionsToSecrets = parameters.PermissionsToSecrets } } } } ); return new PSVault(response.Vault, adClient); }
public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, string scopeForRoleDefinitions, bool excludeAssignmentsForDeletedPrincipals = true) { List<PSRoleDefinition> roleDefinitions = null; try { roleDefinitions = policyClient.GetAllRoleDefinitionsAtScopeAndBelow(scopeForRoleDefinitions); } catch (CloudException ce) { if (ce.Response.StatusCode == HttpStatusCode.Unauthorized) { //Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments roleDefinitions = new List<PSRoleDefinition>(); } else { throw; } } return assignments.ToPSRoleAssignments(roleDefinitions, policyClient, activeDirectoryClient, excludeAssignmentsForDeletedPrincipals); }
/// <summary> /// Creates PoliciesClient using WindowsAzureSubscription instance. /// </summary> /// <param name="subscription">The WindowsAzureSubscription instance</param> public AuthorizationClient(AzureContext context) { ActiveDirectoryClient = new ActiveDirectoryClient(context); AuthorizationManagementClient = AzureSession.ClientFactory.CreateClient<AuthorizationManagementClient>(context, AzureEnvironment.Endpoint.ResourceManager); }
public static string GetDisplayNameForTenant(Guid id, ActiveDirectoryClient adClient) { return id.ToString(); }
public static string GetDisplayNameForADObject(Guid id, ActiveDirectoryClient adClient) { string displayName = ""; if (id == null || adClient == null || id == Guid.Empty) return displayName; else { string upnOrSpn = ""; var obj = adClient.GetADObject(new ADObjectFilterOptions() { Id = id.ToString(), Paging = true, }); if (obj != null) { displayName = obj.DisplayName; if (obj is PSADUser) upnOrSpn = ((PSADUser)obj).UserPrincipalName; else if (obj is PSADServicePrincipal) upnOrSpn = ((PSADServicePrincipal)obj).ServicePrincipalName; } return displayName + (!string.IsNullOrWhiteSpace(upnOrSpn) ? (" (" + upnOrSpn + ")") : ""); } }
/// <summary> /// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently. /// </summary> /// <param name="existingVault">the existing vault</param> /// <param name="updatedPolicies">the update access policies</param> /// <param name="updatedEnabledForDeployment">enabled for deployment</param> /// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param> /// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param> /// <param name="adClient">the active directory client</param> /// <returns>the updated vault</returns> public PSVault UpdateVault(PSVault existingVault, PSVaultAccessPolicy[] updatedPolicies, bool updatedEnabledForDeployment, bool? updatedEnabledForTemplateDeployment, bool? updatedEnabledForDiskEncryption, ActiveDirectoryClient adClient = null) { if (existingVault == null) throw new ArgumentNullException("existingVault"); if (existingVault.OriginalVault == null) throw new ArgumentNullException("existingVault.OriginalVault"); //Update the vault properties in the object received from server //Only access policies and EnabledForDeployment can be changed VaultProperties properties = existingVault.OriginalVault.Properties; properties.EnabledForDeployment = updatedEnabledForDeployment; properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment; properties.EnabledForDiskEncryption = updatedEnabledForDiskEncryption; properties.AccessPolicies = (updatedPolicies == null) ? new List<AccessPolicyEntry>() : updatedPolicies.Select(a => new AccessPolicyEntry() { TenantId = a.TenantId, ObjectId = a.ObjectId, ApplicationId = a.ApplicationId, PermissionsToKeys = a.PermissionsToKeys.ToArray(), PermissionsToSecrets = a.PermissionsToSecrets.ToArray() }).ToList(); var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate( resourceGroupName: existingVault.ResourceGroupName, vaultName: existingVault.VaultName, parameters: new VaultCreateOrUpdateParameters() { Location = existingVault.Location, Properties = properties } ); return new PSVault(response.Vault, adClient); }
/// <summary> /// Get an existing vault. Returns null if vault is not found. /// </summary> /// <param name="vaultName">vault name</param> /// <param name="resourceGroupName">resource group name</param> /// <param name="adClient">the active directory client</param> /// <returns>the retrieved vault</returns> public PSVault GetVault(string vaultName, string resourceGroupName, ActiveDirectoryClient adClient = null) { if (string.IsNullOrWhiteSpace(vaultName)) throw new ArgumentNullException("vaultName"); if (string.IsNullOrWhiteSpace(resourceGroupName)) throw new ArgumentNullException("resourceGroupName"); try { var response = this.KeyVaultManagementClient.Vaults.Get(resourceGroupName, vaultName); return new PSVault(response.Vault, adClient); } catch(CloudException ce) { if (ce.Response.StatusCode == HttpStatusCode.NotFound) return null; else throw; } }
public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true) { List<PSRoleAssignment> psAssignments = new List<PSRoleAssignment>(); if(assignments ==null || !assignments.Any()) { return psAssignments; } List<string> objectIds = new List<string>(); objectIds.AddRange(assignments.Select(r => r.Properties.PrincipalId.ToString())); List<PSADObject> adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds); List<PSRoleDefinition> roleDefinitions; if (assignments.Count() == 1) { roleDefinitions = new List<PSRoleDefinition> { policyClient.GetRoleDefinition(assignments.Single().Properties.RoleDefinitionId) }; } else { roleDefinitions = policyClient.GetRoleDefinitions(); } foreach (RoleAssignment assignment in assignments) { assignment.Properties.RoleDefinitionId = assignment.Properties.RoleDefinitionId.GuidFromFullyQualifiedId(); PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.Properties.PrincipalId) ?? new PSADObject() { Id = assignment.Properties.PrincipalId }; PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.Properties.RoleDefinitionId) ?? new PSRoleDefinition() { Id = assignment.Properties.RoleDefinitionId }; if (adObject is PSADUser) { psAssignments.Add(new PSRoleAssignment() { RoleAssignmentId = assignment.Id, DisplayName = adObject.DisplayName, RoleDefinitionId = roleDefinition.Id, RoleDefinitionName = roleDefinition.Name, Scope = assignment.Properties.Scope, SignInName = ((PSADUser)adObject).SignInName, ObjectId = adObject.Id, ObjectType = adObject.Type }); } else if (adObject is PSADGroup) { psAssignments.Add(new PSRoleAssignment() { RoleAssignmentId = assignment.Id, DisplayName = adObject.DisplayName, RoleDefinitionId = roleDefinition.Id, RoleDefinitionName = roleDefinition.Name, Scope = assignment.Properties.Scope, ObjectId = adObject.Id, ObjectType = adObject.Type }); } else if (adObject is PSADServicePrincipal) { psAssignments.Add(new PSRoleAssignment() { RoleAssignmentId = assignment.Id, DisplayName = adObject.DisplayName, RoleDefinitionId = roleDefinition.Id, RoleDefinitionName = roleDefinition.Name, Scope = assignment.Properties.Scope, ObjectId = adObject.Id, ObjectType = adObject.Type }); } else if (!excludeAssignmentsForDeletedPrincipals) { psAssignments.Add(new PSRoleAssignment() { RoleAssignmentId = assignment.Id, DisplayName = adObject.DisplayName, RoleDefinitionId = roleDefinition.Id, RoleDefinitionName = roleDefinition.Name, Scope = assignment.Properties.Scope, ObjectId = adObject.Id, }); } // Ignore the assignment if principal does not exists and excludeAssignmentsForDeletedPrincipals is set to true } return psAssignments; }
public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment role, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient) { PSRoleDefinition roleDefinition = policyClient.GetRoleDefinition(role.Properties.RoleDefinitionId); PSADObject adObject = activeDirectoryClient.GetADObject(new ADObjectFilterOptions { Id = role.Properties.PrincipalId.ToString() }) ?? new PSADObject() { Id = role.Properties.PrincipalId }; if (adObject is PSADUser) { return new PSUserRoleAssignment() { RoleAssignmentId = role.Id, DisplayName = adObject.DisplayName, Actions = roleDefinition.Actions, NotActions = roleDefinition.NotActions, RoleDefinitionName = roleDefinition.Name, Scope = role.Properties.Scope, UserPrincipalName = ((PSADUser)adObject).UserPrincipalName, Mail = ((PSADUser)adObject).Mail, ObjectId = adObject.Id }; } else if (adObject is PSADGroup) { return new PSGroupRoleAssignment() { RoleAssignmentId = role.Id, DisplayName = adObject.DisplayName, Actions = roleDefinition.Actions, NotActions = roleDefinition.NotActions, RoleDefinitionName = roleDefinition.Name, Scope = role.Properties.Scope, Mail = ((PSADGroup)adObject).Mail, ObjectId = adObject.Id }; } else if (adObject is PSADServicePrincipal) { return new PSServiceRoleAssignment() { RoleAssignmentId = role.Id, DisplayName = adObject.DisplayName, Actions = roleDefinition.Actions, NotActions = roleDefinition.NotActions, RoleDefinitionName = roleDefinition.Name, Scope = role.Properties.Scope, ServicePrincipalName = ((PSADServicePrincipal)adObject).ServicePrincipalName, ObjectId = adObject.Id }; } else { return new PSRoleAssignment() { RoleAssignmentId = role.Id, DisplayName = adObject.DisplayName, Actions = roleDefinition.Actions, NotActions = roleDefinition.NotActions, RoleDefinitionName = roleDefinition.Name, Scope = role.Properties.Scope, ObjectId = adObject.Id }; } }