/// <summary>
        /// Creates RBAC role assignments for the virtual machine service principal.
        /// </summary>
        /// <param name="virtualMachine">The virtual machine.</param>
        /// <return>An observable that emits the created role assignments.</return>
        ///GENMHASH:ACFB6162939077C3462B391EB2DD5A18:01A98853651D800A25EE02E4E8B4FAB6
        private async Task <List <Microsoft.Azure.Management.Graph.RBAC.Fluent.IRoleAssignment> > CreateRbacRoleAssignmentsAsync(IVirtualMachine virtualMachine, CancellationToken cancellationToken = default(CancellationToken))
        {
            List <IRoleAssignment> roleAssignments = new List <IRoleAssignment>();

            if (!this.rolesToAssign.Any() &&
                !this.roleDefinitionsToAssign.Any())
            {
                return(roleAssignments);
            }
            var servicePrincipal = await rbacManager.ServicePrincipals.GetByIdAsync(virtualMachine.Inner.Identity.PrincipalId, cancellationToken);

            await ResolveCurrentResourceGroupScopeAsync(virtualMachine);

            var roleAssignments1 = await Task.WhenAll(rolesToAssign.Values.Select(async(scopeAndRole) =>
            {
                BuiltInRole role = scopeAndRole.Item2;
                string scope     = scopeAndRole.Item1;
                return(await CreateRbacRoleAssignmentIfNotExistsAsync(servicePrincipal, role.ToString(), scope, true, cancellationToken));
            }));

            roleAssignments.AddRange(roleAssignments1);

            var roleAssignments2 = await Task.WhenAll(roleDefinitionsToAssign.Values.Select(async(scopeAndRole) =>
            {
                string roleDefinition = scopeAndRole.Item2;
                string scope          = scopeAndRole.Item1;
                return(await CreateRbacRoleAssignmentIfNotExistsAsync(servicePrincipal, roleDefinition, scope, false, cancellationToken));
            }));

            roleAssignments.AddRange(roleAssignments2);

            return(roleAssignments.FindAll(roleAssignment => roleAssignment != null));
        }
 internal static void ValidateBuiltInRoleEnumValue(BuiltInRole testMe, string parameterName)
 {
     if (((((((((testMe != BuiltInRole.AccountOperator) && (testMe != BuiltInRole.Administrator)) && (testMe != BuiltInRole.BackupOperator)) && (testMe != BuiltInRole.Guest)) && (testMe != BuiltInRole.PowerUser)) && (testMe != BuiltInRole.PrintOperator)) && (testMe != BuiltInRole.Replicator)) && (testMe != BuiltInRole.SystemOperator)) && (testMe != BuiltInRole.User))
     {
         throw new InvalidEnumArgumentException(parameterName, (int) testMe, typeof(BuiltInRole));
     }
 }
        private static IServicePrincipal CreateServicePrincipalWithRoleForApplicationAndExportToFile(
            Azure.IAuthenticated authenticated,
            IActiveDirectoryApplication activeDirectoryApplication,
            BuiltInRole role,
            string subscriptionId,
            string authFilePath)
        {
            Utilities.Log("Creating Service Principal...");
            string name = SdkContext.RandomResourceName("sp-sample", 20);
            //create a self-sighed certificate
            string      domainName   = name + ".com";
            string      certPassword = Utilities.CreatePassword();
            Certificate certificate  = Certificate.CreateSelfSigned(domainName, certPassword);

            // create  a Service Principal and assign it to a subscription with the role Contributor
            return(authenticated.ServicePrincipals
                   .Define("name")
                   .WithExistingApplication(activeDirectoryApplication)
                   // password credentials definition
                   .DefinePasswordCredential("ServicePrincipalAzureSample")
                   .WithPasswordValue(Utilities.CreatePassword())
                   .Attach()
                   // certificate credentials definition
                   .DefineCertificateCredential("spcert")
                   .WithAsymmetricX509Certificate()
                   .WithPublicKey(File.ReadAllBytes(certificate.CerPath))
                   .WithDuration(TimeSpan.FromDays(7))
                   // export the credentials to the file
                   .WithAuthFileToExport(new StreamWriter(new FileStream(authFilePath, FileMode.OpenOrCreate)))
                   .WithPrivateKeyFile(certificate.PfxPath)
                   .WithPrivateKeyPassword(certPassword)
                   .Attach()
                   .WithNewRoleInSubscription(role, subscriptionId)
                   .Create());
        }
 internal static void ValidateBuiltInRoleEnumValue(BuiltInRole testMe, string parameterName)
 {
     if (((((((((testMe != BuiltInRole.AccountOperator) && (testMe != BuiltInRole.Administrator)) && (testMe != BuiltInRole.BackupOperator)) && (testMe != BuiltInRole.Guest)) && (testMe != BuiltInRole.PowerUser)) && (testMe != BuiltInRole.PrintOperator)) && (testMe != BuiltInRole.Replicator)) && (testMe != BuiltInRole.SystemOperator)) && (testMe != BuiltInRole.User))
     {
         throw new InvalidEnumArgumentException(parameterName, (int)testMe, typeof(BuiltInRole));
     }
 }
        /// <summary>
        /// Specifies that applications running on the virtual machine requires the given access role
        /// with scope of access limited to the arm resource identified by the resource id specified
        /// in the scope parameter.
        /// </summary>
        /// <param name="scope">Scope of the access represented in arm resource id format.</param>
        /// <param name="asRole">Access role to assigned to the virtual machine.</param>
        /// <return>VirtualMachineMsiHelper.</return>
        ///GENMHASH:EFFF7ECD982913DB369E1EF1644031CB:9F5B63517E99FAB38D9622B261E856C1
        internal VirtualMachineMsiHelper WithRoleBasedAccessTo(string scope, BuiltInRole asRole)
        {
            this.requireSetup = true;
            string key = scope.ToLower() + "_" + asRole.ToString().ToLower();

            if (!this.rolesToAssign.ContainsKey(key))
            {
                this.rolesToAssign.Add(key, new System.Tuple <string, BuiltInRole>(scope, asRole));
            }
            return(this);
        }
 public bool IsInRole(BuiltInRole role)
 {
     ValidateBuiltInRoleEnumValue(role, "role");
     TypeConverter converter = TypeDescriptor.GetConverter(typeof(BuiltInRole));
     if (this.IsWindowsPrincipal())
     {
         WindowsBuiltInRole role2 = (WindowsBuiltInRole) converter.ConvertTo(role, typeof(WindowsBuiltInRole));
         return ((WindowsPrincipal) this.InternalPrincipal).IsInRole(role2);
     }
     return this.InternalPrincipal.IsInRole(converter.ConvertToString(role));
 }
        public bool IsInRole(BuiltInRole role)
        {
            ValidateBuiltInRoleEnumValue(role, "role");
            TypeConverter converter = TypeDescriptor.GetConverter(typeof(BuiltInRole));

            if (this.IsWindowsPrincipal())
            {
                WindowsBuiltInRole role2 = (WindowsBuiltInRole)converter.ConvertTo(role, typeof(WindowsBuiltInRole));
                return(((WindowsPrincipal)this.InternalPrincipal).IsInRole(role2));
            }
            return(this.InternalPrincipal.IsInRole(converter.ConvertToString(role)));
        }
        /// <summary>
        /// Creates RBAC role assignments for the virtual machine scale set MSI service principal.
        /// </summary>
        /// <param name="scaleSet">The virtual machine scale set.</param>
        /// <return>An observable that emits the created role assignments.</return>
        ///GENMHASH:2E7E577AEA0C43B5B8D7B57BEFEF1E29:DDAE54B3372466B701A29E3B6A6362B2
        internal async Task <List <Microsoft.Azure.Management.Graph.RBAC.Fluent.IRoleAssignment> > CreateMSIRbacRoleAssignmentsAsync(IVirtualMachineScaleSet scaleSet, CancellationToken cancellationToken = default(CancellationToken))
        {
            if (!requireSetup)
            {
                return(new List <IRoleAssignment>());
            }
            else if (!scaleSet.IsManagedServiceIdentityEnabled)
            {
                return(new List <IRoleAssignment>());
            }
            else if (!this.rolesToAssign.Any() && !this.roleDefinitionsToAssign.Any())
            {
                return(new List <IRoleAssignment>());
            }

            try
            {
                var servicePrincipal = await rbacManager
                                       .ServicePrincipals
                                       .GetByIdAsync(scaleSet.Inner.Identity.PrincipalId, cancellationToken);

                await ResolveCurrentResourceGroupScopeAsync(scaleSet);

                List <IRoleAssignment> roleAssignments = new List <IRoleAssignment>();
                var roleAssignments1 = await Task.WhenAll(rolesToAssign.Values.Select(async(scopeAndRole) =>
                {
                    BuiltInRole role = scopeAndRole.Item2;
                    string scope     = scopeAndRole.Item1;
                    return(await CreateRbacRoleAssignmentIfNotExistsAsync(servicePrincipal, role.ToString(), scope, true, cancellationToken));
                }));

                roleAssignments.AddRange(roleAssignments1);

                var roleAssignments2 = await Task.WhenAll(roleDefinitionsToAssign.Values.Select(async(scopeAndRole) =>
                {
                    string roleDefinition = scopeAndRole.Item2;
                    string scope          = scopeAndRole.Item1;
                    return(await CreateRbacRoleAssignmentIfNotExistsAsync(servicePrincipal, roleDefinition, scope, false, cancellationToken));
                }));

                roleAssignments.AddRange(roleAssignments2);

                return(roleAssignments.FindAll(roleAssignment => roleAssignment != null));
            }
            finally
            {
                Clear();
            }
        }
Example #9
0
    // Methods

    /// <summary>
    /// Initializes the class by authenticating the user and then setting the
    /// user name and role, based on a name and a password
    /// </summary>
    /// <param name="name"></param>
    /// <param name="password"></param>
    public SampleIIdentity(string name, string password)
    {
        if (this.IsValidNameAndPassword(name, password))
        {
            this.nameValue          = name;
            this.authenticatedValue = true;
            this.roleValue          = BuiltInRole.Administrator;
        }
        else
        {
            this.nameValue          = "anonymouse";
            this.authenticatedValue = false;
            this.roleValue          = BuiltInRole.Guest;
        }
    }
        private IRoleAssignment LookupRoleAssignmentUsingScopeAndRole(string scope, BuiltInRole role, string principalId, IAzure azure)
        {
            var roleDefinition = azure.AccessManagement.RoleDefinitions
                                 .GetByScopeAndRoleName(scope, role.Value);

            var roleAssignments = azure.AccessManagement.RoleAssignments
                                  .ListByScope(scope);

            if (roleDefinition != null)
            {
                return(roleAssignments.FirstOrDefault(a =>
                                                      a.RoleDefinitionId.Equals(roleDefinition.Id, StringComparison.OrdinalIgnoreCase) &&
                                                      a.PrincipalId.Equals(principalId, StringComparison.OrdinalIgnoreCase)));
            }
            return(null);
        }
        /// <summary>
        /// Creates a RBAC role assignment (using role or role definition) for the given service principal.
        /// </summary>
        /// <param name="servicePrincipal">The service principal.</param>
        /// <param name="roleOrRoleDefinition">The role or role definition.</param>
        /// <param name="scope">The scope for the role assignment.</param>
        /// <return>An observable that emits the role assignment if it is created, null if assignment already exists.</return>
        ///GENMHASH:85AA7846D5642A1F7125332B46A901BE:A2437532CFAD0C7032A34C1FD573957E
        private async Task <Microsoft.Azure.Management.Graph.RBAC.Fluent.IRoleAssignment> CreateRbacRoleAssignmentIfNotExistsAsync(IServicePrincipal servicePrincipal, string roleOrRoleDefinition, string scope, bool isRole, CancellationToken cancellationToken = default(CancellationToken))
        {
            string roleAssignmentName = SdkContext.RandomGuid();

            try
            {
                if (isRole)
                {
                    return(await rbacManager
                           .RoleAssignments
                           .Define(roleAssignmentName)
                           .ForServicePrincipal(servicePrincipal)
                           .WithBuiltInRole(BuiltInRole.Parse(roleOrRoleDefinition))
                           .WithScope(scope)
                           .CreateAsync(cancellationToken));
                }
                else
                {
                    return(await rbacManager
                           .RoleAssignments
                           .Define(roleAssignmentName)
                           .ForServicePrincipal(servicePrincipal)
                           .WithRoleDefinition(roleOrRoleDefinition)
                           .WithScope(scope)
                           .CreateAsync(cancellationToken));
                }
            }
            catch (CloudException cloudException)
            {
                if (cloudException.Body != null && cloudException.Body.Code != null && cloudException.Body.Code.Equals("RoleAssignmentExists", StringComparison.OrdinalIgnoreCase))
                {
                    // NOTE: We are unable to lookup the role assignment from principal.RoleAssignments() list
                    // because role assignment object does not contain 'role' name (the roleDefinitionId refer
                    // 'role' using id with GUID).
                    return(null);
                }
                throw cloudException;
            }
        }
 ///GENMHASH:E52BA5580C6DD688687D5F7962138CA3:C76E712B3F0BFB0C78333420FF42894C
 public IdentityImpl WithAccessToCurrentResourceGroup(BuiltInRole role)
 {
     this.roleAssignmentHelper.WithAccessToCurrentResourceGroup(role);
     return(this);
 }
Example #13
0
 public IWithSystemAssignedIdentityBasedAccessOrCreate WithSystemAssignedIdentityBasedAccessToCurrentResourceGroup(BuiltInRole role)
 {
     this.containerGroupMsiHandler.WithAccessToCurrentResourceGroup(role);
     return(this);
 }
Example #14
0
 public IWithSystemAssignedIdentityBasedAccessOrCreate WithSystemAssignedIdentityBasedAccessTo(string resourceId, BuiltInRole role)
 {
     this.containerGroupMsiHandler.WithAccessTo(resourceId, role);
     return(this);
 }
Example #15
0
 /// <summary>
 /// Specifies a system assigned managed service identity with access to the current resource group and with the specified role.
 /// </summary>
 /// <param name="role">Access role to be assigned to the identity.</param>
 /// <return>The next stage of the definition.</return>
 ContainerGroup.Definition.IWithSystemAssignedIdentityBasedAccessOrCreate ContainerGroup.Definition.IWithSystemAssignedIdentityBasedAccessOrCreateBeta.WithSystemAssignedIdentityBasedAccessToCurrentResourceGroup(BuiltInRole role)
 {
     return(this.WithSystemAssignedIdentityBasedAccessToCurrentResourceGroup(role));
 }
Example #16
0
 /// <summary>
 /// Specifies a system assigned managed service identity with access to a specific resource with a specified role.
 /// </summary>
 /// <param name="resourceId">The id of the resource you are setting up access to.</param>
 /// <param name="role">Access role to be assigned to the identity.</param>
 /// <return>The next stage of the definition.</return>
 ContainerGroup.Definition.IWithSystemAssignedIdentityBasedAccessOrCreate ContainerGroup.Definition.IWithSystemAssignedIdentityBasedAccessOrCreateBeta.WithSystemAssignedIdentityBasedAccessTo(string resourceId, BuiltInRole role)
 {
     return(this.WithSystemAssignedIdentityBasedAccessTo(resourceId, role));
 }
 public bool IsInRole(BuiltInRole role)
 {
 }
 public bool IsInRole(BuiltInRole role)
 {
 }
 /// <summary>
 /// Specifies that applications running on the virtual machine requires the given access role
 /// with scope of access limited to the current resource group that the virtual machine
 /// resides.
 /// </summary>
 /// <param name="asRole">Access role to assigned to the virtual machine.</param>
 /// <return>VirtualMachineMsiHelper.</return>
 ///GENMHASH:F6C5721A84FA825F62951BE51537DD36:3B28EC7DC783C825B70ABCF4EB8FC542
 internal VirtualMachineMsiHelper WithRoleBasedAccessToCurrentResourceGroup(BuiltInRole asRole)
 {
     return(this.WithRoleBasedAccessTo(CURRENT_RESOURCE_GROUP_SCOPE, asRole));
 }
Example #20
0
 /// <summary>
 /// Specifies that the identity should have the given access (described by the role)
 /// on an ARM resource identified by the given resource id. An applications running
 /// on an Azure service with this identity can use this permission to access the resource.
 /// </summary>
 /// <param name="resourceId">Id of the resource to access.</param>
 /// <param name="role">Access role to assigned to the identity.</param>
 /// <return>The next stage of the definition.</return>
 Identity.Definition.IWithCreate Identity.Definition.IWithAccess.WithAccessTo(string resourceId, BuiltInRole role)
 {
     return(this.WithAccessTo(resourceId, role));
 }
Example #21
0
 /// <summary>
 /// Specifies that the identity should have the given access (described by the role)
 /// on an ARM resource. An applications running on an Azure service with this identity
 /// can use this permission to access the resource.
 /// </summary>
 /// <param name="resource">The resource to access.</param>
 /// <param name="role">Access role to assigned to the identity.</param>
 /// <return>The next stage of the definition.</return>
 Identity.Definition.IWithCreate Identity.Definition.IWithAccess.WithAccessTo(IResource resource, BuiltInRole role)
 {
     return(this.WithAccessTo(resource, role));
 }
 ///GENMHASH:0CEE95C0D1098AAAC5BF7C869DE68D7D:E5512083F6DA7EA2BA516BF9E845E0A9
 public IdentityImpl WithAccessTo(string resourceId, BuiltInRole role)
 {
     this.roleAssignmentHelper.WithAccessTo(resourceId, role);
     return(this);
 }
Example #23
0
 /// <summary>
 /// Specifies that the identity should have the given access (described by the role)
 /// on the resource group that identity resides. An applications running on an Azure
 /// service with this identity can use this permission to access the resource group.
 /// </summary>
 /// <param name="role">Access role to assigned to the identity.</param>
 /// <return>The next stage of the definition.</return>
 Identity.Definition.IWithCreate Identity.Definition.IWithAccess.WithAccessToCurrentResourceGroup(BuiltInRole role)
 {
     return(this.WithAccessToCurrentResourceGroup(role));
 }
Example #24
0
 /// <summary>
 /// Specifies that the identity should have the given access (described by the role)
 /// on an ARM resource. An applications running on an Azure service with this identity
 /// can use this permission to access the resource.
 /// </summary>
 /// <param name="resource">The resource to access.</param>
 /// <param name="role">Access role to assigned to the identity.</param>
 /// <return>The next stage of the update.</return>
 Identity.Update.IUpdate Identity.Update.IWithAccess.WithAccessTo(IResource resource, BuiltInRole role)
 {
     return(this.WithAccessTo(resource, role));
 }
Example #25
0
 /// <summary>
 /// Specifies that the identity should have the given access (described by the role)
 /// on the resource group that identity resides. An applications running on an Azure
 /// service with this identity can use this permission to access the resource group.
 /// </summary>
 /// <param name="role">Access role to assigned to the identity.</param>
 /// <return>The next stage of the update.</return>
 Identity.Update.IUpdate Identity.Update.IWithAccess.WithAccessToCurrentResourceGroup(BuiltInRole role)
 {
     return(this.WithAccessToCurrentResourceGroup(role));
 }
Example #26
0
 /// <summary>
 /// Specifies that the identity should have the given access (described by the role)
 /// on an ARM resource identified by the given resource id. An applications running
 /// on an Azure service with this identity can use this permission to access the resource.
 /// </summary>
 /// <param name="resourceId">Id of the resource to access.</param>
 /// <param name="role">Access role to assigned to the identity.</param>
 /// <return>The next stage of the update.</return>
 Identity.Update.IUpdate Identity.Update.IWithAccess.WithAccessTo(string resourceId, BuiltInRole role)
 {
     return(this.WithAccessTo(resourceId, role));
 }