private void CleanupTestData()
{
foreach (var user in this.createdUsers)
{
this.GraphClient.DeleteUser(user);
}
createdUsers.Clear();
foreach (var group in this.createdGroups)
{
this.GraphClient.DeleteGroup(group);
}
createdGroups.Clear();
foreach (var user in this.GraphClient.ListUsers("testUser"))
{
this.GraphClient.DeleteUser(user);
}
foreach (var group in this.GraphClient.ListGroups("testGroup"))
{
this.GraphClient.DeleteGroup(group);
}
var authorizationClient = new AuthorizationManagementClient(
(SubscriptionCloudCredentials)this.TestEnvironment.Credentials,
this.TestEnvironment.BaseUri);
foreach (var assignment in authorizationClient.RoleAssignments.List(null).RoleAssignments)
{
authorizationClient.RoleAssignments.DeleteById(assignment.Id);
}
}
private async Task <bool> IsCurrentUserClassicAdministrator(AuthorizationManagementClient authClient)
{
var result = await authClient.ClassicAdministrators.ListAsync();
var classicAdmins = result.ToList();
var user = GetUser();
_logger.LogDebug($"[UserClaimsAndRoles] User {user.Identity.Name}");
foreach (var claim in user.Claims)
{
_logger.LogDebug($"[UserClaimsAndRoles] Claim type {claim.Type}={claim.Value}");
}
var names = user.Identities.Select(i => i.Claims.GetName()).Where(c => c != null).ToList();
var emails = user.Identities.Select(i => i.Claims.GetEmailAddress()).Where(c => c != null).ToList();
var upns = user.Identities.Select(i => i.Claims.GetUpn()).Where(c => c != null).ToList();
foreach (var adminEmail in GetClassicAdministratorEmails(classicAdmins))
{
if (names.Any(e => e.Equals(adminEmail, StringComparison.InvariantCultureIgnoreCase)) ||
upns.Any(e => e.Equals(adminEmail, StringComparison.InvariantCultureIgnoreCase)) ||
emails.Any(e => e.Equals(adminEmail, StringComparison.InvariantCultureIgnoreCase)))
{
return(true);
}
}
return(false);
}
private static async Task <string> AddRoleAssignmentAsync(AuthenticationResult token, string subscriptionId)
{
var authorizationClient = new AuthorizationManagementClient(new TokenCredentials(token.AccessToken))
{
SubscriptionId = subscriptionId
};
var principalId = await GetPrincipalId(subscriptionId);
var existingAssignments = await authorizationClient.RoleAssignments.ListAsync(new ODataQuery <RoleAssignmentFilter>(filter => filter.PrincipalId == principalId));
if (existingAssignments.Any())
{
return("Already existed: " + existingAssignments.First().Name);
}
var roleAssignmentId = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"; // Owner role. Todo, create a new role with precisely the permissions we require
var roleAssignment = await authorizationClient.RoleDefinitions.GetAsync($"/subscriptions/{subscriptionId}", roleAssignmentId);
var newAssignment = await authorizationClient.RoleAssignments.CreateAsync($"/subscriptions/{subscriptionId}", Guid.NewGuid().ToString(), new RoleAssignmentProperties
{
PrincipalId = principalId,
RoleDefinitionId = roleAssignment.Id
});
return(newAssignment.Name);
}
public async void RoleAssignmentTest()
{
Env.Load("../../../../../.env");
var azurePrincipalId = Environment.GetEnvironmentVariable("AZURE_PRINCIPAL_ID");
// Needs to be in Owner role in Azure Subscription, az role assignment create --assignee AZURE_CLIENT_ID --role 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
// You can get the principalId from the AZURE_CLIENT_ID with this command, az ad sp show --id AZURE_CLIENT_ID --query objectId
var azureSubId = Environment.GetEnvironmentVariable("AZURE_SUBSCRIPTION_ID");
var azureRoleDefinitionId = "673868aa-7521-48a0-acc6-0f60742d39f5"; // Data Factory Contributor
var roleAssignmentName = Guid.NewGuid().ToString();
var roleAssignmentScope = $"/subscriptions/{azureSubId}/";
var client = new AuthorizationManagementClient(new DefaultAzureMgmtCredential());
client.SubscriptionId = azureSubId;
var roleDefinitionId = $"/subscriptions/{client.SubscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{azureRoleDefinitionId}";
var roleAssignmentParameters = new RoleAssignmentCreateParameters(roleDefinitionId, azurePrincipalId);
var roleAssignment = await client.RoleAssignments.CreateAsync(roleAssignmentScope, roleAssignmentName, roleAssignmentParameters);
Assert.Equal(roleAssignment.RoleDefinitionId, roleDefinitionId);
var roleAssignmentDelete = await client.RoleAssignments.DeleteAsync(roleAssignmentScope, roleAssignmentName);
Exception ex = await Assert.ThrowsAsync <Microsoft.Rest.Azure.CloudException>(async() => await client.RoleAssignments.GetAsync(roleAssignmentScope, roleAssignmentName));
Assert.EndsWith("is not found.", ex.Message);
}
/// <summary>
/// Creates new ResourcesClient instance
/// </summary>
/// <param name="resourceManagementClient">The IResourceManagementClient instance</param>
/// <param name="galleryTemplatesClient">The IGalleryClient instance</param>
/// <param name="authorizationManagementClient">The management client instance</param>
public ResourceClient(
ResourceManagementClient resourceManagementClient,
AuthorizationManagementClient authorizationManagementClient)
{
AuthorizationManagementClient = authorizationManagementClient;
this.ResourceManagementClient = resourceManagementClient;
}
public async Task <bool> CanCreateResources(
Guid subscriptionId)
{
var subscriptionScope = $"/subscriptions/{subscriptionId}";
var accessToken = await GetAccessToken();
var token = new TokenCredentials(accessToken);
var authClient = new AuthorizationManagementClient(token, _httpClientFactory.CreateClient(), false)
{
SubscriptionId = subscriptionId.ToString()
};
var isClassicAdminTask = IsCurrentUserClassicAdministrator(authClient);
var result = await GetRoleDefinitions(authClient, $"/subscriptions/{subscriptionId}");
var roleDefs = result.Where(rd =>
rd.Permissions.Any(p =>
p.Actions.Any(a => ActionsThatCanCreate.Contains(a.ToLower(CultureInfo.InvariantCulture))))).ToList();
var subscriptionRoles = await GetRoleAssignmentsForCurrentUser(authClient, subscriptionScope, roleDefs);
var isClassicAdmin = await isClassicAdminTask;
return(isClassicAdmin || subscriptionRoles.Any(ra => roleDefs.Any(rd => rd.Id == ra.RoleDefinitionId)));
}
public async Task <bool> CanCreateRoleAssignments(
Guid subscriptionId,
string resourceGroupName)
{
var subscriptionScope = $"/subscriptions/{subscriptionId}";
var resourceGroupScope = $"{subscriptionScope}/resourceGroups/{resourceGroupName}";
var accessToken = await GetAccessToken();
var token = new TokenCredentials(accessToken);
var authClient = new AuthorizationManagementClient(token)
{
SubscriptionId = subscriptionId.ToString()
};
var result = await GetRoleDefinitions(authClient, $"/subscriptions/{subscriptionId}");
var roleDefs = result.Where(rd =>
rd.Permissions.Any(p =>
p.Actions.Any(a => ActionsThatCanAssign.Contains(a.ToLower(CultureInfo.InvariantCulture))) &&
p.NotActions.All(na => !ActionsThatCanAssign.Contains(na.ToLower(CultureInfo.InvariantCulture))))).ToList();
var subscriptionRolesTask = GetRoleAssignmentsForCurrentUser(authClient, subscriptionScope, roleDefs);
var resourceGroupRoles = await GetRoleAssignmentsForCurrentUser(authClient, resourceGroupScope, roleDefs);
var subscriptionRoles = await subscriptionRolesTask;
return(subscriptionRoles.Any(ra => roleDefs.Any(rd => rd.Id == ra.RoleDefinitionId)) ||
resourceGroupRoles.Any(ra => roleDefs.Any(rd => rd.Id == ra.RoleDefinitionId)));
}
private async Task <IPage <Microsoft.Azure.Management.Authorization.Models.RoleDefinition> > GetRoleDefinitions(
AuthorizationManagementClient authClient,
string scope)
{
var roleFilter = new ODataQuery <RoleDefinitionFilter>(f => f.Type == "BuiltInRole");
return(await authClient.RoleDefinitions.ListAsync(scope, roleFilter));
}
public static void Run([TimerTrigger("0 0 0 1 1 *", RunOnStartup = true)] TimerInfo myTimer, TraceWriter log)
{
log.Info($"C# Timer trigger function executed at: {DateTime.Now}");
var tenantId = GetEnvironmentVariable("tenantId");
var subscriptionId = GetEnvironmentVariable("subscriptionId");
var resourceGroup = GetEnvironmentVariable("resourceGroupName");
var storageAccountName = GetEnvironmentVariable("storageAccountName");
var resourceGroupScope = $"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}";
var resourceScope = $"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}";
var ownerRole = $"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635";
var contributorRole = $"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c";
//var token = GetEnvironmentVariable("token");
var token = GetAzureAccessTokenFromKeyVault();
var client = new AuthorizationManagementClient(new CustomLoginCredentials(token));
client.SubscriptionId = subscriptionId;
var roleAssignments = client.RoleAssignments.ListForResourceGroup(resourceGroup);
//foreach (var ra in roleAssignments)
foreach (var ra in roleAssignments.Where(ra => ra.Properties.Scope == resourceGroupScope))
{
log.Info("Found matching role assignment at resource group scope");
log.Info(JsonConvert.SerializeObject(ra));
var roleDefinition = client.RoleDefinitions.GetById(ra.Properties.RoleDefinitionId);
log.Info(JsonConvert.SerializeObject(roleDefinition));
if (roleDefinition.Properties.Type != "BuiltInRole" && roleDefinition.Properties.RoleName.StartsWith("cal-role"))
{
log.Info("Found cal-role assignment at resource group scope");
var principalId = ra.Properties.PrincipalId;
var assignment = client.RoleAssignments.Create(resourceScope, Guid.NewGuid().ToString(), new Microsoft.Azure.Management.Authorization.Models.RoleAssignmentProperties
{
PrincipalId = principalId,
RoleDefinitionId = ownerRole
});
log.Info("Assigned principal to role");
//client.RoleAssignments.DeleteById(assignment.Id);
/*
* var httpClient = new HttpClient();
* httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
* var user = httpClient.GetAsync($"https://graph.windows.net/me?api-version=1.6").GetAwaiter().GetResult();
* log.Info(user.Content.AsString());
*/
return;
}
}
log.Info("Did not find matching role assignment");
}
private void SetupManagementClients()
{
IStorageAdminManagementClient storageAdminClient = GetStorageManagementClient();
ResourceManagementClient resourceManagementClient = GetResourceManagementClient();
GalleryClient galleryClient = GetGalleryClient();
AuthorizationManagementClient authorizationManagementClient = this.GetAuthorizationManagementClient();
helper.SetupManagementClients(storageAdminClient, resourceManagementClient, galleryClient, authorizationManagementClient);
}
/// <summary>
/// Initializes a new instance of the <see cref="StorageSyncClientWrapper" /> class.
/// </summary>
/// <param name="storageSyncManagementClient">The storage sync management client.</param>
/// <param name="authorizationManagementClient">The authorization management client.</param>
/// <param name="resourceManagementClient">The resource management client.</param>
public StorageSyncClientWrapper(
IStorageSyncManagementClient storageSyncManagementClient,
AuthorizationManagementClient authorizationManagementClient,
ResourceManagementClient resourceManagementClient)
{
StorageSyncManagementClient = storageSyncManagementClient;
AuthorizationManagementClient = authorizationManagementClient;
ResourceManagementClient = resourceManagementClient;
}
public KeyVault(string accessToken, string subscriptionId, string rgName, string keyVaultName)
{
_accessToken = accessToken;
_subscriptionId = subscriptionId;
_rgName = rgName;
_keyVaultName = keyVaultName;
_tokenCredentials = new TokenCredentials(accessToken);
_client = new AuthorizationManagementClient(_tokenCredentials);
_client.SubscriptionId = _subscriptionId;
}
public DeploymentManagerClientHelper(TestBase testBase, MockContext context, RecordedDelegatingHandler handler)
{
_testBase = testBase;
_context = context;
resourceManagementClient = DeploymentManagerTestUtilities.GetResourceManagementClient(context, handler);
storageManagementClient = DeploymentManagerTestUtilities.GetStorageManagementClient(context, handler);
managedServiceIdentityClient = DeploymentManagerTestUtilities.GetManagedServiceIdentityClient(context, handler);
authorizationClient = DeploymentManagerTestUtilities.GetAuthorizationManagementClient(context, handler);
}
private async Task <List <Microsoft.Azure.Management.Authorization.Models.RoleAssignment> > GetRoleAssignmentsForCurrentUser(
AuthorizationManagementClient authClient,
string scope,
List <Microsoft.Azure.Management.Authorization.Models.RoleDefinition> roleDefinitions)
{
var user = GetUser();
var ownerObjectId = user.Claims.GetObjectId();
return(await GetRoleAssignmentsForUser(authClient, scope, ownerObjectId, roleDefinitions));
}
private async Task <List <Microsoft.Azure.Management.Authorization.Models.RoleAssignment> > GetRoleAssignmentsForUser(
AuthorizationManagementClient authClient,
string scope,
string objectId,
List <Microsoft.Azure.Management.Authorization.Models.RoleDefinition> roleDefinitions)
{
var filter = new ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == objectId);
return(await GetRoleAssignments(authClient, scope, roleDefinitions, filter));
}
/// <summary>
/// Ctor
/// </summary>
/// <param name="commonData"></param>
/// <param name="context"></param>
public HDInsightManagementHelper(CommonTestFixture commonData, HDInsightMockContext context)
{
resourceManagementClient = context.GetServiceClient <ResourceManagementClient>();
storageManagementClient = context.GetServiceClient <StorageManagementClient>();
identityManagementClient = context.GetServiceClient <ManagedServiceIdentityClient>();
authorizationManagementClient = context.GetServiceClient <AuthorizationManagementClient>();
keyVaultManagementClient = context.GetServiceClient <KeyVaultManagementClient>();
keyVaultClient = GetKeyVaultClient();
this.commonData = commonData;
}
protected AuthorizationManagementClient GetAuthorizationManagementClient()
{
AuthorizationManagementClient client = TestBase.GetServiceClient <AuthorizationManagementClient>(new CSMTestEnvironmentFactory());
if (HttpMockServer.Mode == HttpRecorderMode.Playback)
{
client.LongRunningOperationInitialTimeout = 0;
client.LongRunningOperationRetryTimeout = 0;
}
return(client);
}
private void SetupManagementClients(MockContext context)
{
ContainerServiceClient = GetContainerServiceClient(context);
InternalResourceManagementClient = GetInternalResourceManagementClient(context);
InternalAuthorizationManagementClient = GetAuthorizationManagementClient(context);
InternalGraphManagementClient = GetGraphManagementClient(context);
_helper.SetupManagementClients(ContainerServiceClient,
InternalResourceManagementClient,
InternalAuthorizationManagementClient,
InternalGraphManagementClient);
}
private void SetupManagementClients(MockContext context)
{
IStorageAdminManagementClient storageAdminClient = GetStorageManagementClient();
Microsoft.Azure.Management.Internal.Resources.ResourceManagementClient internalResourceManagementClient = GetInternalResourceManagementClient(context);
Microsoft.Azure.Management.ResourceManager.ResourceManagementClient legacyResourceManagementClient = GetLegacyResourceManagementClient(context);
GalleryClient galleryClient = GetGalleryClient();
AuthorizationManagementClient authorizationManagementClient = this.GetAuthorizationManagementClient();
helper.SetupManagementClients(storageAdminClient, internalResourceManagementClient, legacyResourceManagementClient, galleryClient, authorizationManagementClient);
}
public async Task <bool> IsCurrentUserClassicAdministrator(Guid subscriptionId)
{
var accessToken = await GetAccessToken();
var token = new TokenCredentials(accessToken);
var authClient = new AuthorizationManagementClient(token)
{
SubscriptionId = subscriptionId.ToString()
};
return(await IsCurrentUserClassicAdministrator(authClient));
}
public AuthorizationMgmtClient(
string subscriptionId,
RestClient restClient
)
{
_authorizationManagementClient = new AuthorizationManagementClient(restClient)
{
SubscriptionId = subscriptionId
};
_networkContributorRoleDefinitionId = $"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{NETWORK_CONTRIBUTOR_ROLE_ID}";
}
public AuthorizationMgmtClient(
string subscriptionId,
RestClient restClient
)
{
_authorizationManagementClient = new AuthorizationManagementClient(restClient)
{
SubscriptionId = subscriptionId
};
_subscriptionId = subscriptionId;
}
public static AuthorizationManagementClient GetAuthorizationManagementClient(MockContext context, RecordedDelegatingHandler handler)
{
if (IsTestTenant)
{
return(null);
}
else
{
handler.IsPassThrough = true;
AuthorizationManagementClient authorizationManagementClient = context.GetServiceClient <AuthorizationManagementClient>(handlers: handler);
return(authorizationManagementClient);
}
}
public Storage(string accessToken, string subscriptionId, string rgName, string storageAccount, string containerName, int storageType)
{
_accessToken = accessToken;
_subscriptionId = subscriptionId;
_rgName = rgName;
_storageAccount = storageAccount;
_storageType = (storageTypes)storageType;
_containerName = containerName;
_type = "MSI";
_tokenCredentials = new TokenCredentials(accessToken);
_client = new AuthorizationManagementClient(_tokenCredentials);
_client.SubscriptionId = _subscriptionId;
}
public async Task <List <ClassicAdministrator> > ListClassicAdministrators(Guid subscriptionId)
{
var accessToken = await GetAccessToken();
var token = new TokenCredentials(accessToken);
var authClient = new AuthorizationManagementClient(token)
{
SubscriptionId = subscriptionId.ToString()
};
var result = await authClient.ClassicAdministrators.ListAsync();
return(result.ToList());
}
/// <summary>
/// Add role assignment by role name.
/// </summary>
/// <param name="context">Object representing a HpcCacheTestContext.</param>
/// <param name="scope">The scope of the role assignment to create.</param>
/// <param name="roleName">The role name.</param>
/// <param name="assignmentName">The name of the role assignment to create.</param>
public void AddRoleAssignment(HpcCacheTestContext context, string scope, string roleName, string assignmentName)
{
AuthorizationManagementClient authorizationManagementClient = context.GetClient <AuthorizationManagementClient>();
var roleDefinition = authorizationManagementClient.RoleDefinitions
.List(scope)
.First(role => role.RoleName.StartsWith(roleName));
var newRoleAssignment = new RoleAssignmentCreateParameters()
{
RoleDefinitionId = roleDefinition.Id,
PrincipalId = Constants.StorageCacheResourceProviderPrincipalId,
};
authorizationManagementClient.RoleAssignments.Create(scope, assignmentName, newRoleAssignment);
}
public static void AddRoleAssignment(AuthorizationManagementClient authorizationManagementClient, string scope, string roleName, string assignmentName, string assigneePrincipalId)
{
var roleDefinition = authorizationManagementClient.RoleDefinitions
.List(scope)
.First(role => role.RoleName.StartsWith(roleName));
var newRoleAssignment = new RoleAssignmentCreateParameters()
{
RoleDefinitionId = roleDefinition.Id,
PrincipalId = assigneePrincipalId,
PrincipalType = PrincipalType.ServicePrincipal,
CanDelegate = false
};
authorizationManagementClient.RoleAssignments.Create(scope, assignmentName, newRoleAssignment);
}
private async Task <List <Microsoft.Azure.Management.Authorization.Models.RoleAssignment> > GetRoleAssignments(
AuthorizationManagementClient authClient,
string scope,
List <Microsoft.Azure.Management.Authorization.Models.RoleDefinition> roleDefinitions,
ODataQuery <RoleAssignmentFilter> filter = null)
{
var result = await authClient.RoleAssignments.ListForScopeAsync(scope, filter);
var roleAssignments = result.ToList();
foreach (var ra in roleAssignments)
{
Console.WriteLine($"Current Role Assignment: RoleName: {roleDefinitions.FirstOrDefault(rd => rd.Id == ra.RoleDefinitionId)?.RoleName}, Scope: {ra.Scope}");
}
return(roleAssignments);
}
private void SetupManagementClients(MockContext context)
{
DeploymentManagerClient = GetDeploymentManagementClient(context);
ResourceManagementClient = GetResourceManagementClient(context);
StorageClient = GetStorageManagementClient(context);
ManagedServiceIdentityClient = GetManagedServiceIdentityClient(context);
GraphManagementClient = GetGraphManagementClient(context);
AuthorizationManagementClient = GetAuthorizationManagementClient(context);
_helper.SetupManagementClients(
DeploymentManagerClient,
StorageClient,
ResourceManagementClient,
ManagedServiceIdentityClient,
GraphManagementClient,
AuthorizationManagementClient);
}
public async Task AssignRoleToIdentityAsync(
Guid subscriptionId,
string scope,
string role,
Identity.Identity identity)
{
var accessToken = await GetAccessToken();
var token = new TokenCredentials(accessToken);
var authClient = new AuthorizationManagementClient(token, _httpClientFactory.CreateClient(), false)
{
SubscriptionId = subscriptionId.ToString()
};
var result = await GetRoleDefinitions(authClient, scope);
var roleDefs = result.Where(rd => rd.RoleName == role).ToList();
var roleDef = roleDefs.FirstOrDefault();
if (roleDef == null)
{
throw new Exception($"No {role} role definition found for resource group");
}
var roleAssignments = await GetRoleAssignmentsForUser(
authClient,
scope,
identity.ObjectId.ToString(),
roleDefs);
if (roleAssignments.All(ra => ra.RoleDefinitionId != roleDef.Id))
{
try
{
await authClient.RoleAssignments.CreateAsync(
scope,
Guid.NewGuid().ToString(),
new RoleAssignmentCreateParameters(roleDef.Id, identity.ObjectId.ToString()));
}
catch (CloudException ce) when(ce.Body?.Code == "RoleAssignmentExists")
{
// Ignore
}
}
}
