/// <summary>
/// Creates or updates a role definition.
/// </summary>
/// <param name='operations'>
/// Reference to the
/// Microsoft.Azure.Management.Authorization.IRoleDefinitionOperations.
/// </param>
/// <param name='roleDefinitionId'>
/// Required. Role definition id.
/// </param>
/// <param name='parameters'>
/// Required. Role definition.
/// </param>
/// <returns>
/// Role definition create or update operation result.
/// </returns>
public static Task <RoleDefinitionCreateOrUpdateResult> CreateOrUpdateAsync(this IRoleDefinitionOperations operations, Guid roleDefinitionId, RoleDefinitionCreateOrUpdateParameters parameters)
{
return(operations.CreateOrUpdateAsync(roleDefinitionId, parameters, CancellationToken.None));
}
public void RoleDefinitionCreateTests()
{
const string RoleDefIdPrefix = "/providers/Microsoft.Authorization/roleDefinitions/";
using (UndoContext context = UndoContext.Current)
{
context.Start();
var client = testContext.GetAuthorizationManagementClient();
RoleDefinitionCreateOrUpdateParameters createOrUpdateParams;
var roleDefinitionId = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition1");
string currentSubscriptionId = "/subscriptions/" + client.Credentials.SubscriptionId;
string fullRoleId = currentSubscriptionId + RoleDefIdPrefix + roleDefinitionId;
Guid newRoleId = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition2");
var resourceGroup = "newtestrg";
string resourceGroupScope = currentSubscriptionId + "/resourceGroups/" + resourceGroup;
// Create a custom role definition
try
{
createOrUpdateParams = new RoleDefinitionCreateOrUpdateParameters()
{
RoleDefinition = new RoleDefinition()
{
Properties = new RoleDefinitionProperties()
{
RoleName = "NewRoleName_" + roleDefinitionId.ToString(),
Description = "New Test Custom Role",
Permissions = new List <Permission>()
{
new Permission()
{
Actions = new List <string> {
"Microsoft.Authorization/*/Read"
}
}
},
AssignableScopes = new List <string>()
{
currentSubscriptionId
},
},
}
};
var roleDefinition = client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
// Validate the roleDefinition properties.
Assert.NotNull(roleDefinition);
Assert.NotNull(roleDefinition.RoleDefinition);
Assert.Equal(fullRoleId, roleDefinition.RoleDefinition.Id);
Assert.Equal(roleDefinitionId, roleDefinition.RoleDefinition.Name);
Assert.NotNull(roleDefinition.RoleDefinition.Properties);
Assert.Equal("CustomRole", roleDefinition.RoleDefinition.Properties.Type);
Assert.Equal("New Test Custom Role", roleDefinition.RoleDefinition.Properties.Description);
Assert.NotEmpty(roleDefinition.RoleDefinition.Properties.AssignableScopes);
Assert.Equal(currentSubscriptionId.ToLower(), roleDefinition.RoleDefinition.Properties.AssignableScopes.Single().ToLower());
Assert.NotEmpty(roleDefinition.RoleDefinition.Properties.Permissions);
Assert.Equal("Microsoft.Authorization/*/Read", roleDefinition.RoleDefinition.Properties.Permissions.Single().Actions.Single());
// create resource group
var resourceClient = PermissionsTests.GetResourceManagementClient();
resourceClient.ResourceGroups.CreateOrUpdate(resourceGroup, new Microsoft.Azure.Management.Resources.Models.ResourceGroup {
Location = "westus"
});
createOrUpdateParams.RoleDefinition.Properties.AssignableScopes = new List <string> {
resourceGroupScope
};
createOrUpdateParams.RoleDefinition.Properties.RoleName = "NewRoleName_" + newRoleId.ToString();
roleDefinition = client.RoleDefinitions.CreateOrUpdate(newRoleId, resourceGroupScope, createOrUpdateParams);
Assert.NotNull(roleDefinition);
}
finally
{
var deleteResult = client.RoleDefinitions.Delete(roleDefinitionId, currentSubscriptionId);
Assert.NotNull(deleteResult);
deleteResult = client.RoleDefinitions.Delete(newRoleId, resourceGroupScope);
Assert.NotNull(deleteResult);
}
TestUtilities.Wait(1000 * 15);
// Negative test - create a roledefinition with same name (but different id) as an already existing custom role
try
{
client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
var roleDefinition2Id = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition3");
client.RoleDefinitions.CreateOrUpdate(roleDefinition2Id, currentSubscriptionId, createOrUpdateParams);
}
catch (CloudException ce)
{
Assert.Equal("RoleDefinitionWithSameNameExists", ce.Error.Code);
Assert.Equal(HttpStatusCode.Conflict, ce.Response.StatusCode);
}
finally
{
var deleteResult = client.RoleDefinitions.Delete(roleDefinitionId, currentSubscriptionId);
Assert.NotNull(deleteResult);
}
// Negative test - create a roledefinition with same id as a built-in role
try
{
var allRoleDefinitions = client.RoleDefinitions.List();
Assert.NotNull(allRoleDefinitions);
Assert.NotNull(allRoleDefinitions.RoleDefinitions);
RoleDefinition builtInRole = allRoleDefinitions.RoleDefinitions.First(x => x.Properties.Type == "BuiltInRole");
createOrUpdateParams.RoleDefinition.Properties.RoleName = "NewRoleName_" + builtInRole.Name.ToString();
client.RoleDefinitions.CreateOrUpdate(builtInRole.Name, currentSubscriptionId, createOrUpdateParams);
}
catch (CloudException ce)
{
Assert.Equal("RoleDefinitionExists", ce.Error.Code);
Assert.Equal(HttpStatusCode.Conflict, ce.Response.StatusCode);
}
// Negative test - create a roledefinition with type=BuiltInRole
createOrUpdateParams.RoleDefinition.Properties.Type = "BuiltInRole";
try
{
client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
}
catch (CloudException ce)
{
Assert.Equal("InvalidRoleDefinitionType", ce.Error.Code);
Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
}
// Negative Test - create a custom role with empty role name
// reset the role type
createOrUpdateParams.RoleDefinition.Properties.Type = null;
createOrUpdateParams.RoleDefinition.Properties.RoleName = string.Empty;
try
{
client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
}
catch (CloudException ce)
{
Assert.Equal("RoleDefinitionNameNullOrEmpty", ce.Error.Code);
Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
}
// Negative Test - create a custom role with empty assignable scopes
// reset the role name
createOrUpdateParams.RoleDefinition.Properties.RoleName = "NewRoleName_" + roleDefinitionId.ToString();
createOrUpdateParams.RoleDefinition.Properties.AssignableScopes = new List <string>();
try
{
client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
}
catch (CloudException ce)
{
Assert.Equal("MissingAssignableScopes", ce.Error.Code);
Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
}
// Negative Test - create a custom role with invalid value for assignable scopes
createOrUpdateParams.RoleDefinition.Properties.AssignableScopes.Add("Invalid_Scope");
try
{
client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
}
catch (CloudException ce)
{
Assert.Equal("LinkedInvalidPropertyId", ce.Error.Code);
Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
}
// Negative Test - create a custom role with empty permissions
// reset assignable scopes
/* TODO: Uncomment the below test case when PAS/PAS-RP determine whether to implement blocking of
* create with empty Permission list
*/
////createOrUpdateParams.RoleDefinition.Properties.AssignableScopes.Remove("Invalid_Scope");
////createOrUpdateParams.RoleDefinition.Properties.AssignableScopes.Add(currentSubscriptionId);
////createOrUpdateParams.RoleDefinition.Properties.Permissions = new List<Permission>();
////try
////{
//// client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, createOrUpdateParams);
////}
////catch (CloudException ce)
////{
//// Assert.Equal("AssignableScopeNotUnderSubscriptionScope", ce.Error.Code);
//// Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
////}
TestUtilities.EndTest();
}
}
/// <summary>
/// Creates or updates a role definition.
/// </summary>
/// <param name='operations'>
/// Reference to the
/// Microsoft.Azure.Management.Authorization.IRoleDefinitionOperations.
/// </param>
/// <param name='roleDefinitionId'>
/// Required. Role definition id.
/// </param>
/// <param name='parameters'>
/// Required. Role definition.
/// </param>
/// <returns>
/// Role definition create or update operation result.
/// </returns>
public static RoleDefinitionCreateOrUpdateResult CreateOrUpdate(this IRoleDefinitionOperations operations, Guid roleDefinitionId, RoleDefinitionCreateOrUpdateParameters parameters)
{
return(Task.Factory.StartNew((object s) =>
{
return ((IRoleDefinitionOperations)s).CreateOrUpdateAsync(roleDefinitionId, parameters);
}
, operations, CancellationToken.None, TaskCreationOptions.None, TaskScheduler.Default).Unwrap().GetAwaiter().GetResult());
}
public void RoleDefinitionUpdateTests()
{
using (UndoContext context = UndoContext.Current)
{
context.Start();
var client = testContext.GetAuthorizationManagementClient();
RoleDefinitionCreateOrUpdateParameters createOrUpdateParams;
var roleDefinitionId = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition");
string currentSubscriptionId = "/subscriptions/" + client.Credentials.SubscriptionId;
// Create a custom role definition
try
{
createOrUpdateParams = new RoleDefinitionCreateOrUpdateParameters()
{
RoleDefinition = new RoleDefinition()
{
// Name = roleDefinitionId,
Properties = new RoleDefinitionProperties()
{
RoleName = "NewRoleName_" + roleDefinitionId.ToString(),
Description = "New Test Custom Role",
Permissions = new List <Permission>()
{
new Permission()
{
Actions = new List <string> {
"Microsoft.Authorization/*/Read"
}
}
},
AssignableScopes = new List <string>()
{
currentSubscriptionId
},
},
}
};
var roleDefinition = client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
// Update role name, permissions for the custom role
createOrUpdateParams.RoleDefinition.Properties.RoleName = "UpdatedRoleName_" + roleDefinitionId.ToString();
createOrUpdateParams.RoleDefinition.Properties.Permissions.Single().Actions.Add("Microsoft.Support/*/read");
var updatedRoleDefinition = client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
// Validate the updated roleDefinition properties.
Assert.NotNull(updatedRoleDefinition);
Assert.NotNull(updatedRoleDefinition.RoleDefinition);
Assert.Equal(updatedRoleDefinition.RoleDefinition.Id, roleDefinition.RoleDefinition.Id);
Assert.Equal(updatedRoleDefinition.RoleDefinition.Name, roleDefinition.RoleDefinition.Name);
// Role name and permissions should be updated
Assert.Equal("UpdatedRoleName_" + roleDefinitionId.ToString(), updatedRoleDefinition.RoleDefinition.Properties.RoleName);
Assert.NotEmpty(updatedRoleDefinition.RoleDefinition.Properties.Permissions);
Assert.Equal("Microsoft.Authorization/*/Read", updatedRoleDefinition.RoleDefinition.Properties.Permissions.Single().Actions.First());
Assert.Equal("Microsoft.Support/*/read", updatedRoleDefinition.RoleDefinition.Properties.Permissions.Single().Actions.Last());
// Same assignable scopes
Assert.NotEmpty(updatedRoleDefinition.RoleDefinition.Properties.AssignableScopes);
Assert.Equal(currentSubscriptionId.ToLower(), updatedRoleDefinition.RoleDefinition.Properties.AssignableScopes.Single().ToLower());
// Negative test: Update the role with an empty RoleName
createOrUpdateParams.RoleDefinition.Properties.RoleName = null;
try
{
client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
}
catch (CloudException ce)
{
Assert.Equal("RoleDefinitionNameNullOrEmpty", ce.Error.Code);
Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
}
}
finally
{
var deleteResult = client.RoleDefinitions.Delete(roleDefinitionId, currentSubscriptionId);
Assert.NotNull(deleteResult);
}
TestUtilities.EndTest();
}
}
