/// <summary>
/// Creates new role assignment.
/// </summary>
/// <param name="parameters">The create parameters</param>
/// <returns>The created role assignment object</returns>
public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, string subscriptionId)
{
Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
? AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, GetRoleRoleDefinition(parameters.RoleDefinitionName).Id)
: AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, parameters.RoleDefinitionId);
RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
{
Properties = new RoleAssignmentProperties
{
PrincipalId = principalId,
RoleDefinitionId = roleDefinitionId
}
};
RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters).RoleAssignment;
IEnumerable <RoleAssignment> assignments = new List <RoleAssignment>()
{
assignment
};
return(assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault());
}
/// <summary>
/// Updates a role definiton.
/// </summary>
/// <param name="role">The role definition to update.</param>
/// <returns>The updated role definition.</returns>
public PSRoleDefinition UpdateRoleDefinition(PSRoleDefinition role, string subscriptionId)
{
Guid roleDefinitionId;
if (!Guid.TryParse(role.Id, out roleDefinitionId))
{
throw new InvalidOperationException(ProjectResources.RoleDefinitionIdShouldBeAGuid);
}
PSRoleDefinition roleDefinition = this.GetRoleDefinition(roleDefinitionId);
if (roleDefinition == null)
{
throw new KeyNotFoundException(string.Format(ProjectResources.RoleDefinitionWithIdNotFound, role.Id));
}
string roleDefinitionFullyQualifiedId = AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, role.Id);
roleDefinition.Name = role.Name ?? roleDefinition.Name;
roleDefinition.Actions = role.Actions ?? roleDefinition.Actions;
roleDefinition.NotActions = role.NotActions ?? roleDefinition.NotActions;
roleDefinition.AssignableScopes = role.AssignableScopes ?? roleDefinition.AssignableScopes;
roleDefinition.Description = role.Description ?? roleDefinition.Description;
ValidateRoleDefinition(roleDefinition);
return
(AuthorizationManagementClient.RoleDefinitions.CreateOrUpdate(
roleDefinitionId,
roleDefinition.AssignableScopes.First(),
new RoleDefinitionCreateOrUpdateParameters()
{
RoleDefinition = new RoleDefinition()
{
Id = roleDefinitionFullyQualifiedId,
Name = roleDefinitionId,
Properties =
new RoleDefinitionProperties()
{
RoleName = roleDefinition.Name,
Permissions =
new List <Permission>()
{
new Permission()
{
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions
}
},
AssignableScopes = roleDefinition.AssignableScopes,
Description = roleDefinition.Description
}
}
}).RoleDefinition.ToPSRoleDefinition());
}
/// <summary>
/// Filters role assignments based on the passed options.
/// </summary>
/// <param name="options">The filtering options</param>
/// <param name="currentSubscription">The current subscription</param>
/// <returns>The filtered role assignments</returns>
public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
{
List <PSRoleAssignment> result = new List <PSRoleAssignment>();
ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();
PSADObject adObject = null;
if (options.ADObjectFilter.HasFilter)
{
adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
if (adObject == null)
{
throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
}
// Filter first by principal
if (options.ExpandPrincipalGroups)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
}
parameters.AssignedToPrincipalId = adObject.Id;
}
else
{
parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id : Guid.Parse(options.ADObjectFilter.Id);
}
var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
result.AddRange(tempResult.RoleAssignments.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals));
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
result.AddRange(tempResult.RoleAssignments.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals));
}
// Filter out by scope
if (!string.IsNullOrEmpty(options.Scope))
{
result.RemoveAll(r => !options.Scope.StartsWith(r.Scope, StringComparison.InvariantCultureIgnoreCase));
}
}
else if (!string.IsNullOrEmpty(options.Scope))
{
// Filter by scope and above directly
parameters.AtScope = true;
var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters);
result.AddRange(tempResult.RoleAssignments.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals));
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextLink);
result.AddRange(tempResult.RoleAssignments.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals));
}
}
else
{
var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
result.AddRange(tempResult.RoleAssignments
.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals));
while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
{
tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
result.AddRange(tempResult.RoleAssignments
.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(currentSubscription, options.RoleDefinitionId))
.ToPSRoleAssignments(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals));
}
}
if (!string.IsNullOrEmpty(options.RoleDefinitionName))
{
result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
}
if (options.IncludeClassicAdministrators)
{
// Get classic administrator access assignments
List <ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ClassicAdministrators.ToList();
List <PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList();
// Filter by principal if provided
if (options.ADObjectFilter.HasFilter)
{
if (!(adObject is PSADUser))
{
throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
}
var userObject = adObject as PSADUser;
classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase) ||
c.DisplayName.Equals(userObject.Mail, StringComparison.OrdinalIgnoreCase) ||
c.DisplayName.Equals(userObject.SignInName, StringComparison.OrdinalIgnoreCase)).ToList();
}
result.AddRange(classicAdministratorsAssignments);
}
return(result);
}