private void CleanupTestData() { foreach (var user in this.createdUsers) { this.GraphClient.DeleteUser(user); } createdUsers.Clear(); foreach (var group in this.createdGroups) { this.GraphClient.DeleteGroup(group); } createdGroups.Clear(); foreach (var user in this.GraphClient.ListUsers("testUser")) { this.GraphClient.DeleteUser(user); } foreach (var group in this.GraphClient.ListGroups("testGroup")) { this.GraphClient.DeleteGroup(group); } var authorizationClient = new AuthorizationManagementClient( (SubscriptionCloudCredentials)this.TestEnvironment.Credentials, this.TestEnvironment.BaseUri); foreach (var assignment in authorizationClient.RoleAssignments.List(null).RoleAssignments) { authorizationClient.RoleAssignments.DeleteById(assignment.Id); } }
private async Task <bool> IsCurrentUserClassicAdministrator(AuthorizationManagementClient authClient) { var result = await authClient.ClassicAdministrators.ListAsync(); var classicAdmins = result.ToList(); var user = GetUser(); _logger.LogDebug($"[UserClaimsAndRoles] User {user.Identity.Name}"); foreach (var claim in user.Claims) { _logger.LogDebug($"[UserClaimsAndRoles] Claim type {claim.Type}={claim.Value}"); } var names = user.Identities.Select(i => i.Claims.GetName()).Where(c => c != null).ToList(); var emails = user.Identities.Select(i => i.Claims.GetEmailAddress()).Where(c => c != null).ToList(); var upns = user.Identities.Select(i => i.Claims.GetUpn()).Where(c => c != null).ToList(); foreach (var adminEmail in GetClassicAdministratorEmails(classicAdmins)) { if (names.Any(e => e.Equals(adminEmail, StringComparison.InvariantCultureIgnoreCase)) || upns.Any(e => e.Equals(adminEmail, StringComparison.InvariantCultureIgnoreCase)) || emails.Any(e => e.Equals(adminEmail, StringComparison.InvariantCultureIgnoreCase))) { return(true); } } return(false); }
private static async Task <string> AddRoleAssignmentAsync(AuthenticationResult token, string subscriptionId) { var authorizationClient = new AuthorizationManagementClient(new TokenCredentials(token.AccessToken)) { SubscriptionId = subscriptionId }; var principalId = await GetPrincipalId(subscriptionId); var existingAssignments = await authorizationClient.RoleAssignments.ListAsync(new ODataQuery <RoleAssignmentFilter>(filter => filter.PrincipalId == principalId)); if (existingAssignments.Any()) { return("Already existed: " + existingAssignments.First().Name); } var roleAssignmentId = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"; // Owner role. Todo, create a new role with precisely the permissions we require var roleAssignment = await authorizationClient.RoleDefinitions.GetAsync($"/subscriptions/{subscriptionId}", roleAssignmentId); var newAssignment = await authorizationClient.RoleAssignments.CreateAsync($"/subscriptions/{subscriptionId}", Guid.NewGuid().ToString(), new RoleAssignmentProperties { PrincipalId = principalId, RoleDefinitionId = roleAssignment.Id }); return(newAssignment.Name); }
public async void RoleAssignmentTest() { Env.Load("../../../../../.env"); var azurePrincipalId = Environment.GetEnvironmentVariable("AZURE_PRINCIPAL_ID"); // Needs to be in Owner role in Azure Subscription, az role assignment create --assignee AZURE_CLIENT_ID --role 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 // You can get the principalId from the AZURE_CLIENT_ID with this command, az ad sp show --id AZURE_CLIENT_ID --query objectId var azureSubId = Environment.GetEnvironmentVariable("AZURE_SUBSCRIPTION_ID"); var azureRoleDefinitionId = "673868aa-7521-48a0-acc6-0f60742d39f5"; // Data Factory Contributor var roleAssignmentName = Guid.NewGuid().ToString(); var roleAssignmentScope = $"/subscriptions/{azureSubId}/"; var client = new AuthorizationManagementClient(new DefaultAzureMgmtCredential()); client.SubscriptionId = azureSubId; var roleDefinitionId = $"/subscriptions/{client.SubscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{azureRoleDefinitionId}"; var roleAssignmentParameters = new RoleAssignmentCreateParameters(roleDefinitionId, azurePrincipalId); var roleAssignment = await client.RoleAssignments.CreateAsync(roleAssignmentScope, roleAssignmentName, roleAssignmentParameters); Assert.Equal(roleAssignment.RoleDefinitionId, roleDefinitionId); var roleAssignmentDelete = await client.RoleAssignments.DeleteAsync(roleAssignmentScope, roleAssignmentName); Exception ex = await Assert.ThrowsAsync <Microsoft.Rest.Azure.CloudException>(async() => await client.RoleAssignments.GetAsync(roleAssignmentScope, roleAssignmentName)); Assert.EndsWith("is not found.", ex.Message); }
/// <summary> /// Creates new ResourcesClient instance /// </summary> /// <param name="resourceManagementClient">The IResourceManagementClient instance</param> /// <param name="galleryTemplatesClient">The IGalleryClient instance</param> /// <param name="authorizationManagementClient">The management client instance</param> public ResourceClient( ResourceManagementClient resourceManagementClient, AuthorizationManagementClient authorizationManagementClient) { AuthorizationManagementClient = authorizationManagementClient; this.ResourceManagementClient = resourceManagementClient; }
public async Task <bool> CanCreateResources( Guid subscriptionId) { var subscriptionScope = $"/subscriptions/{subscriptionId}"; var accessToken = await GetAccessToken(); var token = new TokenCredentials(accessToken); var authClient = new AuthorizationManagementClient(token, _httpClientFactory.CreateClient(), false) { SubscriptionId = subscriptionId.ToString() }; var isClassicAdminTask = IsCurrentUserClassicAdministrator(authClient); var result = await GetRoleDefinitions(authClient, $"/subscriptions/{subscriptionId}"); var roleDefs = result.Where(rd => rd.Permissions.Any(p => p.Actions.Any(a => ActionsThatCanCreate.Contains(a.ToLower(CultureInfo.InvariantCulture))))).ToList(); var subscriptionRoles = await GetRoleAssignmentsForCurrentUser(authClient, subscriptionScope, roleDefs); var isClassicAdmin = await isClassicAdminTask; return(isClassicAdmin || subscriptionRoles.Any(ra => roleDefs.Any(rd => rd.Id == ra.RoleDefinitionId))); }
public async Task <bool> CanCreateRoleAssignments( Guid subscriptionId, string resourceGroupName) { var subscriptionScope = $"/subscriptions/{subscriptionId}"; var resourceGroupScope = $"{subscriptionScope}/resourceGroups/{resourceGroupName}"; var accessToken = await GetAccessToken(); var token = new TokenCredentials(accessToken); var authClient = new AuthorizationManagementClient(token) { SubscriptionId = subscriptionId.ToString() }; var result = await GetRoleDefinitions(authClient, $"/subscriptions/{subscriptionId}"); var roleDefs = result.Where(rd => rd.Permissions.Any(p => p.Actions.Any(a => ActionsThatCanAssign.Contains(a.ToLower(CultureInfo.InvariantCulture))) && p.NotActions.All(na => !ActionsThatCanAssign.Contains(na.ToLower(CultureInfo.InvariantCulture))))).ToList(); var subscriptionRolesTask = GetRoleAssignmentsForCurrentUser(authClient, subscriptionScope, roleDefs); var resourceGroupRoles = await GetRoleAssignmentsForCurrentUser(authClient, resourceGroupScope, roleDefs); var subscriptionRoles = await subscriptionRolesTask; return(subscriptionRoles.Any(ra => roleDefs.Any(rd => rd.Id == ra.RoleDefinitionId)) || resourceGroupRoles.Any(ra => roleDefs.Any(rd => rd.Id == ra.RoleDefinitionId))); }
private async Task <IPage <Microsoft.Azure.Management.Authorization.Models.RoleDefinition> > GetRoleDefinitions( AuthorizationManagementClient authClient, string scope) { var roleFilter = new ODataQuery <RoleDefinitionFilter>(f => f.Type == "BuiltInRole"); return(await authClient.RoleDefinitions.ListAsync(scope, roleFilter)); }
public static void Run([TimerTrigger("0 0 0 1 1 *", RunOnStartup = true)] TimerInfo myTimer, TraceWriter log) { log.Info($"C# Timer trigger function executed at: {DateTime.Now}"); var tenantId = GetEnvironmentVariable("tenantId"); var subscriptionId = GetEnvironmentVariable("subscriptionId"); var resourceGroup = GetEnvironmentVariable("resourceGroupName"); var storageAccountName = GetEnvironmentVariable("storageAccountName"); var resourceGroupScope = $"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}"; var resourceScope = $"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"; var ownerRole = $"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"; var contributorRole = $"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"; //var token = GetEnvironmentVariable("token"); var token = GetAzureAccessTokenFromKeyVault(); var client = new AuthorizationManagementClient(new CustomLoginCredentials(token)); client.SubscriptionId = subscriptionId; var roleAssignments = client.RoleAssignments.ListForResourceGroup(resourceGroup); //foreach (var ra in roleAssignments) foreach (var ra in roleAssignments.Where(ra => ra.Properties.Scope == resourceGroupScope)) { log.Info("Found matching role assignment at resource group scope"); log.Info(JsonConvert.SerializeObject(ra)); var roleDefinition = client.RoleDefinitions.GetById(ra.Properties.RoleDefinitionId); log.Info(JsonConvert.SerializeObject(roleDefinition)); if (roleDefinition.Properties.Type != "BuiltInRole" && roleDefinition.Properties.RoleName.StartsWith("cal-role")) { log.Info("Found cal-role assignment at resource group scope"); var principalId = ra.Properties.PrincipalId; var assignment = client.RoleAssignments.Create(resourceScope, Guid.NewGuid().ToString(), new Microsoft.Azure.Management.Authorization.Models.RoleAssignmentProperties { PrincipalId = principalId, RoleDefinitionId = ownerRole }); log.Info("Assigned principal to role"); //client.RoleAssignments.DeleteById(assignment.Id); /* * var httpClient = new HttpClient(); * httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token); * var user = httpClient.GetAsync($"https://graph.windows.net/me?api-version=1.6").GetAwaiter().GetResult(); * log.Info(user.Content.AsString()); */ return; } } log.Info("Did not find matching role assignment"); }
private void SetupManagementClients() { IStorageAdminManagementClient storageAdminClient = GetStorageManagementClient(); ResourceManagementClient resourceManagementClient = GetResourceManagementClient(); GalleryClient galleryClient = GetGalleryClient(); AuthorizationManagementClient authorizationManagementClient = this.GetAuthorizationManagementClient(); helper.SetupManagementClients(storageAdminClient, resourceManagementClient, galleryClient, authorizationManagementClient); }
/// <summary> /// Initializes a new instance of the <see cref="StorageSyncClientWrapper" /> class. /// </summary> /// <param name="storageSyncManagementClient">The storage sync management client.</param> /// <param name="authorizationManagementClient">The authorization management client.</param> /// <param name="resourceManagementClient">The resource management client.</param> public StorageSyncClientWrapper( IStorageSyncManagementClient storageSyncManagementClient, AuthorizationManagementClient authorizationManagementClient, ResourceManagementClient resourceManagementClient) { StorageSyncManagementClient = storageSyncManagementClient; AuthorizationManagementClient = authorizationManagementClient; ResourceManagementClient = resourceManagementClient; }
public KeyVault(string accessToken, string subscriptionId, string rgName, string keyVaultName) { _accessToken = accessToken; _subscriptionId = subscriptionId; _rgName = rgName; _keyVaultName = keyVaultName; _tokenCredentials = new TokenCredentials(accessToken); _client = new AuthorizationManagementClient(_tokenCredentials); _client.SubscriptionId = _subscriptionId; }
public DeploymentManagerClientHelper(TestBase testBase, MockContext context, RecordedDelegatingHandler handler) { _testBase = testBase; _context = context; resourceManagementClient = DeploymentManagerTestUtilities.GetResourceManagementClient(context, handler); storageManagementClient = DeploymentManagerTestUtilities.GetStorageManagementClient(context, handler); managedServiceIdentityClient = DeploymentManagerTestUtilities.GetManagedServiceIdentityClient(context, handler); authorizationClient = DeploymentManagerTestUtilities.GetAuthorizationManagementClient(context, handler); }
private async Task <List <Microsoft.Azure.Management.Authorization.Models.RoleAssignment> > GetRoleAssignmentsForCurrentUser( AuthorizationManagementClient authClient, string scope, List <Microsoft.Azure.Management.Authorization.Models.RoleDefinition> roleDefinitions) { var user = GetUser(); var ownerObjectId = user.Claims.GetObjectId(); return(await GetRoleAssignmentsForUser(authClient, scope, ownerObjectId, roleDefinitions)); }
private async Task <List <Microsoft.Azure.Management.Authorization.Models.RoleAssignment> > GetRoleAssignmentsForUser( AuthorizationManagementClient authClient, string scope, string objectId, List <Microsoft.Azure.Management.Authorization.Models.RoleDefinition> roleDefinitions) { var filter = new ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == objectId); return(await GetRoleAssignments(authClient, scope, roleDefinitions, filter)); }
/// <summary> /// Ctor /// </summary> /// <param name="commonData"></param> /// <param name="context"></param> public HDInsightManagementHelper(CommonTestFixture commonData, HDInsightMockContext context) { resourceManagementClient = context.GetServiceClient <ResourceManagementClient>(); storageManagementClient = context.GetServiceClient <StorageManagementClient>(); identityManagementClient = context.GetServiceClient <ManagedServiceIdentityClient>(); authorizationManagementClient = context.GetServiceClient <AuthorizationManagementClient>(); keyVaultManagementClient = context.GetServiceClient <KeyVaultManagementClient>(); keyVaultClient = GetKeyVaultClient(); this.commonData = commonData; }
protected AuthorizationManagementClient GetAuthorizationManagementClient() { AuthorizationManagementClient client = TestBase.GetServiceClient <AuthorizationManagementClient>(new CSMTestEnvironmentFactory()); if (HttpMockServer.Mode == HttpRecorderMode.Playback) { client.LongRunningOperationInitialTimeout = 0; client.LongRunningOperationRetryTimeout = 0; } return(client); }
private void SetupManagementClients(MockContext context) { ContainerServiceClient = GetContainerServiceClient(context); InternalResourceManagementClient = GetInternalResourceManagementClient(context); InternalAuthorizationManagementClient = GetAuthorizationManagementClient(context); InternalGraphManagementClient = GetGraphManagementClient(context); _helper.SetupManagementClients(ContainerServiceClient, InternalResourceManagementClient, InternalAuthorizationManagementClient, InternalGraphManagementClient); }
private void SetupManagementClients(MockContext context) { IStorageAdminManagementClient storageAdminClient = GetStorageManagementClient(); Microsoft.Azure.Management.Internal.Resources.ResourceManagementClient internalResourceManagementClient = GetInternalResourceManagementClient(context); Microsoft.Azure.Management.ResourceManager.ResourceManagementClient legacyResourceManagementClient = GetLegacyResourceManagementClient(context); GalleryClient galleryClient = GetGalleryClient(); AuthorizationManagementClient authorizationManagementClient = this.GetAuthorizationManagementClient(); helper.SetupManagementClients(storageAdminClient, internalResourceManagementClient, legacyResourceManagementClient, galleryClient, authorizationManagementClient); }
public async Task <bool> IsCurrentUserClassicAdministrator(Guid subscriptionId) { var accessToken = await GetAccessToken(); var token = new TokenCredentials(accessToken); var authClient = new AuthorizationManagementClient(token) { SubscriptionId = subscriptionId.ToString() }; return(await IsCurrentUserClassicAdministrator(authClient)); }
public AuthorizationMgmtClient( string subscriptionId, RestClient restClient ) { _authorizationManagementClient = new AuthorizationManagementClient(restClient) { SubscriptionId = subscriptionId }; _networkContributorRoleDefinitionId = $"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{NETWORK_CONTRIBUTOR_ROLE_ID}"; }
public AuthorizationMgmtClient( string subscriptionId, RestClient restClient ) { _authorizationManagementClient = new AuthorizationManagementClient(restClient) { SubscriptionId = subscriptionId }; _subscriptionId = subscriptionId; }
public static AuthorizationManagementClient GetAuthorizationManagementClient(MockContext context, RecordedDelegatingHandler handler) { if (IsTestTenant) { return(null); } else { handler.IsPassThrough = true; AuthorizationManagementClient authorizationManagementClient = context.GetServiceClient <AuthorizationManagementClient>(handlers: handler); return(authorizationManagementClient); } }
public Storage(string accessToken, string subscriptionId, string rgName, string storageAccount, string containerName, int storageType) { _accessToken = accessToken; _subscriptionId = subscriptionId; _rgName = rgName; _storageAccount = storageAccount; _storageType = (storageTypes)storageType; _containerName = containerName; _type = "MSI"; _tokenCredentials = new TokenCredentials(accessToken); _client = new AuthorizationManagementClient(_tokenCredentials); _client.SubscriptionId = _subscriptionId; }
public async Task <List <ClassicAdministrator> > ListClassicAdministrators(Guid subscriptionId) { var accessToken = await GetAccessToken(); var token = new TokenCredentials(accessToken); var authClient = new AuthorizationManagementClient(token) { SubscriptionId = subscriptionId.ToString() }; var result = await authClient.ClassicAdministrators.ListAsync(); return(result.ToList()); }
/// <summary> /// Add role assignment by role name. /// </summary> /// <param name="context">Object representing a HpcCacheTestContext.</param> /// <param name="scope">The scope of the role assignment to create.</param> /// <param name="roleName">The role name.</param> /// <param name="assignmentName">The name of the role assignment to create.</param> public void AddRoleAssignment(HpcCacheTestContext context, string scope, string roleName, string assignmentName) { AuthorizationManagementClient authorizationManagementClient = context.GetClient <AuthorizationManagementClient>(); var roleDefinition = authorizationManagementClient.RoleDefinitions .List(scope) .First(role => role.RoleName.StartsWith(roleName)); var newRoleAssignment = new RoleAssignmentCreateParameters() { RoleDefinitionId = roleDefinition.Id, PrincipalId = Constants.StorageCacheResourceProviderPrincipalId, }; authorizationManagementClient.RoleAssignments.Create(scope, assignmentName, newRoleAssignment); }
public static void AddRoleAssignment(AuthorizationManagementClient authorizationManagementClient, string scope, string roleName, string assignmentName, string assigneePrincipalId) { var roleDefinition = authorizationManagementClient.RoleDefinitions .List(scope) .First(role => role.RoleName.StartsWith(roleName)); var newRoleAssignment = new RoleAssignmentCreateParameters() { RoleDefinitionId = roleDefinition.Id, PrincipalId = assigneePrincipalId, PrincipalType = PrincipalType.ServicePrincipal, CanDelegate = false }; authorizationManagementClient.RoleAssignments.Create(scope, assignmentName, newRoleAssignment); }
private async Task <List <Microsoft.Azure.Management.Authorization.Models.RoleAssignment> > GetRoleAssignments( AuthorizationManagementClient authClient, string scope, List <Microsoft.Azure.Management.Authorization.Models.RoleDefinition> roleDefinitions, ODataQuery <RoleAssignmentFilter> filter = null) { var result = await authClient.RoleAssignments.ListForScopeAsync(scope, filter); var roleAssignments = result.ToList(); foreach (var ra in roleAssignments) { Console.WriteLine($"Current Role Assignment: RoleName: {roleDefinitions.FirstOrDefault(rd => rd.Id == ra.RoleDefinitionId)?.RoleName}, Scope: {ra.Scope}"); } return(roleAssignments); }
private void SetupManagementClients(MockContext context) { DeploymentManagerClient = GetDeploymentManagementClient(context); ResourceManagementClient = GetResourceManagementClient(context); StorageClient = GetStorageManagementClient(context); ManagedServiceIdentityClient = GetManagedServiceIdentityClient(context); GraphManagementClient = GetGraphManagementClient(context); AuthorizationManagementClient = GetAuthorizationManagementClient(context); _helper.SetupManagementClients( DeploymentManagerClient, StorageClient, ResourceManagementClient, ManagedServiceIdentityClient, GraphManagementClient, AuthorizationManagementClient); }
public async Task AssignRoleToIdentityAsync( Guid subscriptionId, string scope, string role, Identity.Identity identity) { var accessToken = await GetAccessToken(); var token = new TokenCredentials(accessToken); var authClient = new AuthorizationManagementClient(token, _httpClientFactory.CreateClient(), false) { SubscriptionId = subscriptionId.ToString() }; var result = await GetRoleDefinitions(authClient, scope); var roleDefs = result.Where(rd => rd.RoleName == role).ToList(); var roleDef = roleDefs.FirstOrDefault(); if (roleDef == null) { throw new Exception($"No {role} role definition found for resource group"); } var roleAssignments = await GetRoleAssignmentsForUser( authClient, scope, identity.ObjectId.ToString(), roleDefs); if (roleAssignments.All(ra => ra.RoleDefinitionId != roleDef.Id)) { try { await authClient.RoleAssignments.CreateAsync( scope, Guid.NewGuid().ToString(), new RoleAssignmentCreateParameters(roleDef.Id, identity.ObjectId.ToString())); } catch (CloudException ce) when(ce.Body?.Code == "RoleAssignmentExists") { // Ignore } } }