/// <summary> /// Filters role assignments based on the passed options. /// </summary> /// <param name="options">The filtering options</param> /// <param name="currentSubscription">The current subscription</param> /// <returns>The filtered role assignments</returns> public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription, ulong first = ulong.MaxValue, ulong skip = 0) { List <PSRoleAssignment> result = new List <PSRoleAssignment>(); string principalId = null; PSADObject adObject = null; Rest.Azure.OData.ODataQuery <RoleAssignmentFilter> odataQuery = null; if (options.ADObjectFilter.HasFilter) { if (string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups || options.IncludeClassicAdministrators) { adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter); if (adObject == null) { throw new KeyNotFoundException(ProjectResources.PrincipalNotFound); } } // Filter first by principal if (options.ExpandPrincipalGroups) { if (!(adObject is PSADUser)) { throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported); } principalId = adObject.Id.ToString(); odataQuery = new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.AssignedTo(principalId)); } else { principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id.ToString() : options.ADObjectFilter.Id; odataQuery = new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId); } if (!string.IsNullOrEmpty(options.Scope)) { var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, odataQuery); result.AddRange(tempResult .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId)) .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals)); } else { var tempResult = AuthorizationManagementClient.RoleAssignments.List(odataQuery); result.AddRange(tempResult .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId)) .ToPSRoleAssignments(this, ActiveDirectoryClient, AuthorizationHelper.GetSubscriptionScope(currentSubscription), options.ExcludeAssignmentsForDeletedPrincipals)); } // Filter out by scope if (!string.IsNullOrEmpty(options.Scope)) { result.RemoveAll(r => !options.Scope.StartsWith(r.Scope, StringComparison.OrdinalIgnoreCase)); } } else if (!string.IsNullOrEmpty(options.Scope)) { // Filter by scope and above directly var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, odataQuery); result.AddRange(tempResult .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId)) .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals)); } else { var tempResult = AuthorizationManagementClient.RoleAssignments.List(odataQuery); result.AddRange(tempResult .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId)) .ToPSRoleAssignments(this, ActiveDirectoryClient, AuthorizationHelper.GetSubscriptionScope(currentSubscription), options.ExcludeAssignmentsForDeletedPrincipals)); } if (!string.IsNullOrEmpty(options.RoleDefinitionName)) { result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList(); } if (options.IncludeClassicAdministrators) { // Get classic administrator access assignments var classicAdministratorsSubscription = currentSubscription; if (options.Scope != null) { classicAdministratorsSubscription = AuthorizationHelper.GetResourceSubscription(options.Scope) ?? currentSubscription; } List <ClassicAdministrator> classicAdministrators = new List <ClassicAdministrator>(); if (currentSubscription != classicAdministratorsSubscription) { var client = AzureSession.Instance.ClientFactory.CreateArmClient <AuthorizationManagementClient>(AzureRmProfileProvider.Instance.Profile.DefaultContext, AzureEnvironment.Endpoint.ResourceManager); client.SubscriptionId = classicAdministratorsSubscription; classicAdministrators = client.ClassicAdministrators.List().ToList(); } else { classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ToList(); } List <PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(classicAdministratorsSubscription)).ToList(); // Filter by principal if provided if (options.ADObjectFilter.HasFilter) { if (!(adObject is PSADUser)) { throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported); } var userObject = adObject as PSADUser; classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c => c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase)).ToList(); } result.AddRange(classicAdministratorsAssignments); } return(result); }
/// <summary> /// Filters role assignments based on the passed options. /// </summary> /// <param name="options">The filtering options</param> /// <param name="currentSubscription">The current subscription</param> /// <returns>The filtered role assignments</returns> #if !NETSTANDARD public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription) { List <PSRoleAssignment> result = new List <PSRoleAssignment>(); List <RoleAssignment> roleAssignments = new List <RoleAssignment>(); ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters(); PSADObject adObject = null; if (options.ADObjectFilter.HasFilter) { if (string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups || options.IncludeClassicAdministrators) { adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter); if (adObject == null) { throw new KeyNotFoundException(ProjectResources.PrincipalNotFound); } } // Filter first by principal if (options.ExpandPrincipalGroups) { if (!(adObject is PSADUser)) { throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported); } parameters.AssignedToPrincipalId = adObject.Id; } else { parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id : Guid.Parse(options.ADObjectFilter.Id); } var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters); roleAssignments.AddRange(tempResult.RoleAssignments.ToList()); while (!string.IsNullOrWhiteSpace(tempResult.NextLink)) { tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink); roleAssignments.AddRange(tempResult.RoleAssignments.ToList()); } // Filter out by scope if (!string.IsNullOrWhiteSpace(options.Scope)) { roleAssignments.RemoveAll(r => !options.Scope.StartsWith(r.Properties.Scope, StringComparison.InvariantCultureIgnoreCase)); } } else if (!string.IsNullOrEmpty(options.Scope)) { // Filter by scope and above directly parameters.AtScope = true; var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters); roleAssignments.AddRange(tempResult.RoleAssignments.ToList()); while (!string.IsNullOrWhiteSpace(tempResult.NextLink)) { tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextLink); roleAssignments.AddRange(tempResult.RoleAssignments.ToList()); } } else { var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters); roleAssignments.AddRange(tempResult.RoleAssignments.ToList()); while (!string.IsNullOrWhiteSpace(tempResult.NextLink)) { tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink); roleAssignments.AddRange(tempResult.RoleAssignments.ToList()); } } // To look for RoleDefinitions at the stated scope - if scope is Null then default to subscription scope string scopeForRoleDefinitions = string.IsNullOrEmpty(options.Scope) ? AuthorizationHelper.GetSubscriptionScope(currentSubscription) : options.Scope; result.AddRange(roleAssignments.FilterRoleAssignmentsOnRoleId(options.RoleDefinitionId) .ToPSRoleAssignments(this, ActiveDirectoryClient, scopeForRoleDefinitions, options.ExcludeAssignmentsForDeletedPrincipals)); if (!string.IsNullOrEmpty(options.RoleDefinitionName)) { result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList(); } if (options.IncludeClassicAdministrators) { // Get classic administrator access assignments List <ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ClassicAdministrators.ToList(); List <PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList(); // Filter by principal if provided if (options.ADObjectFilter.HasFilter) { if (!(adObject is PSADUser)) { throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported); } var userObject = adObject as PSADUser; classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c => c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase)).ToList(); } result.AddRange(classicAdministratorsAssignments); } return(result); }
public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription) { List <PSRoleAssignment> result = new List <PSRoleAssignment>(); string assignedToPrincipalId = null; string principalId = null; PSADObject adObject = null; if (options.ADObjectFilter.HasFilter) { adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter); if (adObject == null) { throw new KeyNotFoundException(ProjectResources.PrincipalNotFound); } // Filter first by principal if (options.ExpandPrincipalGroups) { if (!(adObject is PSADUser)) { throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported); } assignedToPrincipalId = adObject.Id.ToString(); } else { principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id.ToString()) ? adObject.Id.ToString() : options.ADObjectFilter.Id; } var tempResult = AuthorizationManagementClient.RoleAssignments.List( new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId))); result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId)) .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals)); while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink)) { tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextPageLink); result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId)) .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals)); } // Filter out by scope if (!string.IsNullOrEmpty(options.Scope)) { result.RemoveAll(r => !options.Scope.StartsWith(r.Scope, StringComparison.OrdinalIgnoreCase)); } } else if (!string.IsNullOrEmpty(options.Scope)) { // Filter by scope and above directly var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope( options.Scope, new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>( f => f.AtScope() && f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId))); result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId)) .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals)); while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink)) { tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextPageLink); result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId)) .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals)); } } else { var tempResult = AuthorizationManagementClient.RoleAssignments.List( new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId))); result.AddRange(tempResult .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId)) .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals)); while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink)) { tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextPageLink); result.AddRange(tempResult .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId)) .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals)); } } if (!string.IsNullOrEmpty(options.RoleDefinitionName)) { result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList(); } if (options.IncludeClassicAdministrators) { // Get classic administrator access assignments List <ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators .List(AuthorizationManagementClient.ApiVersion).ToList(); List <PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList(); // Filter by principal if provided if (options.ADObjectFilter.HasFilter) { if (!(adObject is PSADUser)) { throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported); } var userObject = adObject as PSADUser; classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c => c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase)).ToList(); } result.AddRange(classicAdministratorsAssignments); } return(result); }
/// <summary> /// Filters deny assignments based on the passed options. /// </summary> /// <param name="options">The filtering options</param> /// <param name="currentSubscription">The current subscription</param> /// <returns>The filtered deny assignments</returns> public List <PSDenyAssignment> FilterDenyAssignments(FilterDenyAssignmentsOptions options, string currentSubscription) { // Get a specified deny assignment by DenyAssignmentId if (!string.IsNullOrEmpty(options.DenyAssignmentId) && (Guid.Empty != options.DenyAssignmentId.GetGuidFromId())) { var scope = !string.IsNullOrEmpty(options.Scope) ? options.Scope : AuthorizationHelper.GetScopeFromFullyQualifiedId(options.DenyAssignmentId) ?? AuthorizationHelper.GetSubscriptionScope(currentSubscription); return(new List <PSDenyAssignment> { AuthorizationManagementClient.DenyAssignments.Get(scope, options.DenyAssignmentId.GuidFromFullyQualifiedId()).ToPSDenyAssignment(ActiveDirectoryClient) }); } // Filter deny assignments by given assumptions string principalId = null; PSADObject adObject = null; ODataQuery <DenyAssignmentFilter> odataQuery = null; if (!string.IsNullOrEmpty(options.DenyAssignmentName)) { odataQuery = new ODataQuery <DenyAssignmentFilter>(item => item.DenyAssignmentName == options.DenyAssignmentName); } else if (options.ADObjectFilter.HasFilter) { if (string.IsNullOrEmpty(options.ADObjectFilter.Id)) { adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter); if (adObject == null) { throw new KeyNotFoundException(ProjectResources.PrincipalNotFound); } } // Filter first by principal if (options.ExpandPrincipalGroups) { try { adObject = adObject ?? ActiveDirectoryClient.GetObjectByObjectId(options.ADObjectFilter.Id); } catch (Common.MSGraph.Version1_0.DirectoryObjects.Models.OdataErrorException oe) when(OdataHelper.IsAuthorizationDeniedException(oe)) { throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission); } if (!(adObject is PSADUser)) { throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported); } principalId = adObject.Id.ToString(); odataQuery = new ODataQuery <DenyAssignmentFilter>(f => f.AssignedTo(principalId)); } else { principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id.ToString() : options.ADObjectFilter.Id; odataQuery = new ODataQuery <DenyAssignmentFilter>(f => f.PrincipalId == principalId); } } return(this.FilterDenyAssignmentsByScope(options, odataQuery, currentSubscription)); }