private bool ShallBeRemoved(PSKeyVaultModels.PSVaultAccessPolicy ap, Guid objectId, Guid?applicationId)
{
// If both object id and application id are specified, remove the compound identity policy only.
// If only object id is specified, remove all policies refer to the object id including the compound identity policies.
return(applicationId.HasValue ? (ap.ApplicationId == applicationId && ap.ObjectId == objectId) :
(ap.ObjectId == objectId));
}
private bool ShallBeRemoved(PSKeyVaultModels.PSVaultAccessPolicy ap, string objectId, Guid?applicationId)
{
// If both object id and application id are specified, remove the compound identity policy only.
// If only object id is specified, remove all policies refer to the object id including the compound identity policies.
var sameObjectId = string.Equals(ap.ObjectId, objectId, StringComparison.OrdinalIgnoreCase);
return(applicationId.HasValue ? (ap.ApplicationId == applicationId && sameObjectId) : sameObjectId);
}
private bool MatchVaultAccessPolicyIdentity(PSKeyVaultModels.PSVaultAccessPolicy ap, Guid objectId, Guid?applicationId)
{
return(ap.ApplicationId == applicationId && ap.ObjectId == objectId);
}
public override void ExecuteCmdlet()
{
if (ShouldProcess(VaultName, Properties.Resources.SetVaultAccessPolicy))
{
if (ParameterSetName == ForVault && !EnabledForDeployment.IsPresent &&
!EnabledForTemplateDeployment.IsPresent && !EnabledForDiskEncryption.IsPresent)
{
throw new ArgumentException(PSKeyVaultProperties.Resources.VaultPermissionFlagMissing);
}
ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
PSKeyVaultModels.PSVault vault = null;
// Get the vault to be updated
if (!string.IsNullOrWhiteSpace(ResourceGroupName))
{
vault = KeyVaultManagementClient.GetVault(
VaultName,
ResourceGroupName);
}
if (vault == null)
{
throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
}
// Update vault policies
PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != Guid.Empty))
{
Guid objId = this.ObjectId;
if (!this.BypassObjectIdValidation.IsPresent)
{
objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
}
if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
{
throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);
}
//All permission arrays cannot be null
if (PermissionsToKeys == null && PermissionsToSecrets == null && PermissionsToCertificates == null)
{
throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified);
}
else
{
//Validate
if (!IsMeaningfulPermissionSet(PermissionsToKeys))
{
throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys"));
}
if (!IsMeaningfulPermissionSet(PermissionsToSecrets))
{
throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "secrets"));
}
if (!IsMeaningfulPermissionSet(PermissionsToCertificates))
{
throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "certificates"));
}
//Is there an existing policy for this policy identity?
var existingPolicy = vault.AccessPolicies.FirstOrDefault(ap => MatchVaultAccessPolicyIdentity(ap, objId, ApplicationId));
//New policy will have permission arrays that are either from cmdlet input
//or if that's null, then from the old policy for this object ID if one existed
var keys = PermissionsToKeys ?? (existingPolicy != null && existingPolicy.PermissionsToKeys != null ?
existingPolicy.PermissionsToKeys.ToArray() : null);
var secrets = PermissionsToSecrets ?? (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ?
existingPolicy.PermissionsToSecrets.ToArray() : null);
var certificates = PermissionsToCertificates ?? (existingPolicy != null && existingPolicy.PermissionsToCertificates != null ?
existingPolicy.PermissionsToCertificates.ToArray() : null);
//Remove old policies for this policy identity and add a new one with the right permissions, iff there were some non-empty permissions
updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => !MatchVaultAccessPolicyIdentity(ap, objId, this.ApplicationId)).ToArray();
if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0) || (certificates != null && certificates.Length > 0))
{
var policy = new PSKeyVaultModels.PSVaultAccessPolicy(vault.TenantId, objId, this.ApplicationId, keys, secrets, certificates);
updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray();
}
}
}
// Update the vault
var updatedVault = KeyVaultManagementClient.UpdateVault(vault, updatedListOfAccessPolicies,
EnabledForDeployment.IsPresent ? true : vault.EnabledForDeployment,
EnabledForTemplateDeployment.IsPresent ? true : vault.EnabledForTemplateDeployment,
EnabledForDiskEncryption.IsPresent ? true : vault.EnabledForDiskEncryption,
ActiveDirectoryClient);
if (PassThru.IsPresent)
{
WriteObject(updatedVault);
}
}
}
public override void ExecuteCmdlet()
{
if (ParameterSetName == ForVault && !EnabledForDeployment.IsPresent &&
!EnabledForTemplateDeployment.IsPresent && !EnabledForDiskEncryption.IsPresent)
{
throw new ArgumentException(PSKeyVaultProperties.Resources.VaultPermissionFlagMissing);
}
ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
PSKeyVaultModels.PSVault vault = null;
// Get the vault to be updated
if (!string.IsNullOrWhiteSpace(ResourceGroupName))
vault = KeyVaultManagementClient.GetVault(
VaultName,
ResourceGroupName);
if (vault == null)
{
throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
}
// Update vault policies
PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != null && ObjectId != Guid.Empty))
{
Guid objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);
//Both arrays cannot be null
if (PermissionsToKeys == null && PermissionsToSecrets == null)
throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified);
else
{
//Validate
if (!IsMeaningfulPermissionSet(PermissionsToKeys))
throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys"));
if (!IsMeaningfulPermissionSet(PermissionsToSecrets))
throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "secrets"));
//Is there an existing policy for this policy identity?
var existingPolicy = vault.AccessPolicies.FirstOrDefault(ap => MatchVaultAccessPolicyIdentity(ap, objId, ApplicationId));
//New policy will have permission arrays that are either from cmdlet input
//or if that's null, then from the old policy for this object ID if one existed
var keys = PermissionsToKeys ?? (existingPolicy != null && existingPolicy.PermissionsToKeys != null ?
existingPolicy.PermissionsToKeys.ToArray() : null);
var secrets = PermissionsToSecrets ?? (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ?
existingPolicy.PermissionsToSecrets.ToArray() : null);
//Remove old policies for this policy identity and add a new one with the right permissions, iff there were some non-empty permissions
updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => !MatchVaultAccessPolicyIdentity(ap, objId, this.ApplicationId)).ToArray();
if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0))
{
var policy = new PSKeyVaultModels.PSVaultAccessPolicy(vault.TenantId, objId, this.ApplicationId, keys, secrets);
updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray();
}
}
}
// Update the vault
var updatedVault = KeyVaultManagementClient.UpdateVault(vault, updatedListOfAccessPolicies,
EnabledForDeployment.IsPresent || vault.EnabledForDeployment,
EnabledForTemplateDeployment.IsPresent ? true : vault.EnabledForTemplateDeployment,
EnabledForDiskEncryption.IsPresent ? true : vault.EnabledForDiskEncryption,
ActiveDirectoryClient);
if (PassThru.IsPresent)
WriteObject(updatedVault);
}
private bool MatchVaultAccessPolicyIdentity(PSKeyVaultModels.PSVaultAccessPolicy ap, string objectId, Guid?applicationId)
{
return(ap.ApplicationId == applicationId && string.Equals(ap.ObjectId, objectId, StringComparison.OrdinalIgnoreCase));
}
/// <summary>
/// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently.
/// </summary>
/// <param name="existingVault">the existing vault</param>
/// <param name="updatedPolicies">the update access policies</param>
/// <param name="updatedEnabledForDeployment">enabled for deployment</param>
/// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param>
/// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param>
/// <param name="adClient">the active directory client</param>
/// <returns>the updated vault</returns>
public PSVault UpdateVault(PSVault existingVault, PSVaultAccessPolicy[] updatedPolicies, bool updatedEnabledForDeployment,
bool? updatedEnabledForTemplateDeployment, bool? updatedEnabledForDiskEncryption, ActiveDirectoryClient adClient = null)
{
if (existingVault == null)
throw new ArgumentNullException("existingVault");
if (existingVault.OriginalVault == null)
throw new ArgumentNullException("existingVault.OriginalVault");
//Update the vault properties in the object received from server
//Only access policies and EnabledForDeployment can be changed
VaultProperties properties = existingVault.OriginalVault.Properties;
properties.EnabledForDeployment = updatedEnabledForDeployment;
properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment;
properties.EnabledForDiskEncryption = updatedEnabledForDiskEncryption;
properties.AccessPolicies = (updatedPolicies == null) ?
new List<AccessPolicyEntry>() :
updatedPolicies.Select(a => new AccessPolicyEntry()
{
TenantId = a.TenantId,
ObjectId = a.ObjectId,
ApplicationId = a.ApplicationId,
PermissionsToKeys = a.PermissionsToKeys.ToArray(),
PermissionsToSecrets = a.PermissionsToSecrets.ToArray()
}).ToList();
var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate(
resourceGroupName: existingVault.ResourceGroupName,
vaultName: existingVault.VaultName,
parameters: new VaultCreateOrUpdateParameters()
{
Location = existingVault.Location,
Properties = properties
}
);
return new PSVault(response.Vault, adClient);
}
public override void ExecuteCmdlet()
{
ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
PSKeyVaultModels.PSVault vault = null;
// Get the vault to be updated
if (!string.IsNullOrWhiteSpace(ResourceGroupName))
{
vault = KeyVaultManagementClient.GetVault(
VaultName,
ResourceGroupName);
}
if (vault == null)
{
throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
}
// Update vault policies
PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != null && ObjectId != Guid.Empty))
{
Guid objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
//Both arrays cannot be null
if (PermissionsToKeys == null && PermissionsToSecrets == null)
{
throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified);
}
else
{
//Validate
if (!IsMeaningfulPermissionSet(PermissionsToKeys))
{
throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys"));
}
if (!IsMeaningfulPermissionSet(PermissionsToSecrets))
{
throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "secrets"));
}
//Is there an existing policy for this object ID?
var existingPolicy = vault.AccessPolicies.Where(ap => ap.ObjectId == objId).FirstOrDefault();
//New policy will have permission arrays that are either from cmdlet input
//or if that's null, then from the old policy for this object ID if one existed
var keys = PermissionsToKeys != null ? PermissionsToKeys :
(existingPolicy != null && existingPolicy.PermissionsToKeys != null ?
existingPolicy.PermissionsToKeys.ToArray() : null);
var secrets = PermissionsToSecrets != null ? PermissionsToSecrets :
(existingPolicy != null && existingPolicy.PermissionsToSecrets != null ?
existingPolicy.PermissionsToSecrets.ToArray() : null);
//Remove old policies for this object ID and add a new one with the right permissions, iff there were some non-empty permissions
updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => ap.ObjectId != objId).ToArray();
if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0))
{
var policy = new PSKeyVaultModels.PSVaultAccessPolicy(vault.TenantId, objId, keys, secrets);
updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray();
}
}
}
// Update the vault
var updatedVault = KeyVaultManagementClient.UpdateVault(vault, updatedListOfAccessPolicies, this.EnabledForDeployment.IsPresent ? true : vault.EnabledForDeployment, ActiveDirectoryClient);
if (PassThru.IsPresent)
{
WriteObject(updatedVault);
}
}
