public static MyUser Create(IActiveDirectoryUser aad)
{
return(new MyUser
{
Displayname = aad.Name,
Givenname = aad.Inner.GivenName,
Surname = aad.Inner.Surname,
Upn = aad.UserPrincipalName
});
}
/// <summary>
/// https://blogs.msdn.microsoft.com/premier_developer/2017/09/29/getting-started-with-the-azure-ad-b2b-invite-api/
/// </summary>
/// <param name="userPrincipalName"></param>
/// <returns></returns>
private async Task <string> EnsureAzureADGuestUserExists(string userDisplayName, string userEmailAddress, string redirectUri)
{
var client = RestClient
.Configure()
.WithEnvironment(AzureEnvironment.AzureGlobalCloud)
.WithLogLevel(HttpLoggingDelegatingHandler.Level.None)
.WithCredentials(_authenticationHelper.GetAzureCrendentials())
.Build();
GraphRbacManager graphRbacManager = new GraphRbacManager(client, _appSettings.TenantId);
IActiveDirectoryUser user = await graphRbacManager.Users.GetByNameAsync(userDisplayName);
if (user == null)
{
return(await InviteUser(userDisplayName, userEmailAddress, redirectUri));
}
else
{
return(user.Id);
}
}
public void CanCRUDGroup()
{
using (var context = FluentMockContext.Start(GetType().FullName))
{
IGraphRbacManager manager = TestHelper.CreateGraphRbacManager();
var userName = SdkContext.RandomResourceName("user", 16);
var spName = SdkContext.RandomResourceName("sp", 16);
var group1Name = SdkContext.RandomResourceName("group", 16);
var group2Name = SdkContext.RandomResourceName("group", 16);
IActiveDirectoryUser user = null;
IServicePrincipal servicePrincipal = null;
IActiveDirectoryGroup group1 = null;
IActiveDirectoryGroup group2 = null;
try
{
user = manager.Users.Define(userName)
.WithEmailAlias(userName)
.WithPassword("StrongPass!123")
.Create();
servicePrincipal = manager.ServicePrincipals.Define(spName)
.WithNewApplication("https://" + spName)
.Create();
group1 = manager.Groups.Define(group1Name)
.WithEmailAlias(group1Name)
.Create();
SdkContext.DelayProvider.Delay(15000);
group2 = manager.Groups.Define(group2Name)
.WithEmailAlias(group2Name)
.WithMember(user.Id)
.WithMember(servicePrincipal.Id)
.WithMember(group1.Id)
.Create();
Assert.NotNull(group2);
Assert.NotNull(group2.Id);
var members = group2.ListMembers();
Assert.Equal(3, members.Count());
var enumerator = members.GetEnumerator();
Assert.True(enumerator.MoveNext());
Assert.NotNull(enumerator.Current.Id);
Assert.True(enumerator.MoveNext());
Assert.NotNull(enumerator.Current.Id);
Assert.True(enumerator.MoveNext());
Assert.NotNull(enumerator.Current.Id);
Assert.False(enumerator.MoveNext());
}
finally
{
if (servicePrincipal != null)
{
manager.ServicePrincipals.DeleteById(servicePrincipal.Id);
}
// cannot delete users or groups from service principal
// if (user != null) {
// manager.Users.DeleteById(user.Id);
// }
// if (group != null) {
// manager.Groups.DeleteById(group.Id);
// }
}
}
}
public void CanCRUDKeyVault()
{
using (var context = FluentMockContext.Start(GetType().FullName))
{
// Create user service principal
String sp = SdkContext.RandomResourceName("sp", 20);
String us = SdkContext.RandomResourceName("us", 20);
IGraphRbacManager graphManager = TestHelper.CreateGraphRbacManager();
string vaultName1 = TestUtilities.GenerateName("vault1");
string rgName = TestUtilities.GenerateName("rgNEMV");
IKeyVaultManager manager = TestHelper.CreateKeyVaultManager();
IServicePrincipal servicePrincipal = graphManager.ServicePrincipals
.Define(sp)
.WithNewApplication("http://" + sp)
.Create();
IActiveDirectoryUser user = graphManager.Users
.Define(us)
.WithEmailAlias(us)
.WithPassword("P@$$w0rd")
.Create();
//var spnCredentialsClientId = HttpMockServer.Variables[ConnectionStringKeys.ServicePrincipalKey];
try
{
IVault vault = manager.Vaults
.Define(vaultName1)
.WithRegion(Region.USWest)
.WithNewResourceGroup(rgName)
.DefineAccessPolicy()
.ForServicePrincipal("http://" + sp)
.AllowKeyPermissions(KeyPermissions.List)
.AllowSecretAllPermissions()
.AllowCertificatePermissions(CertificatePermissions.Get)
.Attach()
.DefineAccessPolicy()
.ForUser(us)
.AllowKeyAllPermissions()
.AllowSecretAllPermissions()
.AllowCertificatePermissions(CertificatePermissions.Get, CertificatePermissions.List, CertificatePermissions.Create)
.Attach()
.Create();
Assert.NotNull(vault);
Assert.Equal(vaultName1, vault.Name);
foreach (IAccessPolicy policy in vault.AccessPolicies)
{
if (policy.ObjectId.Equals(servicePrincipal.Id))
{
Assert.Equal(1, policy.Permissions.Keys.Count);
Assert.Equal(KeyPermissions.List.Value, policy.Permissions.Keys[0]);
Assert.Equal(8, policy.Permissions.Secrets.Count);
Assert.Equal(1, policy.Permissions.Certificates.Count);
Assert.Equal(CertificatePermissions.Get.Value, policy.Permissions.Certificates[0]);
}
if (policy.ObjectId.Equals(user.Id))
{
Assert.Equal(16, policy.Permissions.Keys.Count);
Assert.Equal(8, policy.Permissions.Secrets.Count);
Assert.Equal(3, policy.Permissions.Certificates.Count);
}
}
vault = vault.Update()
.UpdateAccessPolicy(servicePrincipal.Id)
.AllowKeyAllPermissions()
.DisallowSecretAllPermissions()
.AllowCertificateAllPermissions()
.Parent()
.Apply();
foreach (IAccessPolicy policy in vault.AccessPolicies)
{
if (policy.ObjectId.Equals(servicePrincipal.Id))
{
Assert.Equal(16, policy.Permissions.Keys.Count);
Assert.Equal(0, policy.Permissions.Secrets.Count);
Assert.Equal(14, policy.Permissions.Certificates.Count);
}
}
}
finally
{
try
{
TestHelper.CreateResourceManager().ResourceGroups.DeleteByName(rgName);
}
catch { }
}
}
}
/// <summary>
/// Specifies the Active Directory user this access policy is for.
/// </summary>
/// <param name="user">The AD user object.</param>
/// <return>The next stage of access policy definition.</return>
Microsoft.Azure.Management.KeyVault.Fluent.AccessPolicy.Definition.IWithAttach <Microsoft.Azure.Management.KeyVault.Fluent.Vault.Definition.IWithCreate> Microsoft.Azure.Management.KeyVault.Fluent.AccessPolicy.Definition.IWithIdentity <Microsoft.Azure.Management.KeyVault.Fluent.Vault.Definition.IWithCreate> .ForUser(IActiveDirectoryUser user)
{
return(this.ForUser(user));
}
public ActiveDirectoryGroupImpl WithMember(IActiveDirectoryUser user)
{
return(WithMember(user.Id));
}
public RoleAssignmentImpl ForUser(IActiveDirectoryUser user)
{
this.objectId = user.Id;
return(this);
}
/// <summary>
/// Specifies the assignee of the role assignment to be a user.
/// </summary>
/// <param name="user">The user object.</param>
/// <return>The next stage in role assignment definition.</return>
RoleAssignment.Definition.IWithRole RoleAssignment.Definition.IWithAssignee.ForUser(IActiveDirectoryUser user)
{
return(this.ForUser(user) as RoleAssignment.Definition.IWithRole);
}
/// <summary>
/// Adds a user as a member in the group.
/// </summary>
/// <param name="user">The Active Directory user to add.</param>
/// <return>The next AD group definition stage.</return>
ActiveDirectoryGroup.Definition.IWithCreate ActiveDirectoryGroup.Definition.IWithMemberBeta.WithMember(IActiveDirectoryUser user)
{
return(this.WithMember(user));
}
/// <summary>
/// Removes a user as a member in the group.
/// </summary>
/// <param name="user">The Active Directory user to remove.</param>
/// <return>The next AD group update stage.</return>
ActiveDirectoryGroup.Update.IUpdate ActiveDirectoryGroup.Update.IWithMemberBeta.WithoutMember(IActiveDirectoryUser user)
{
return(this.WithoutMember(user));
}
///GENMHASH:9E92F3BA1758AAE198E09D586436080A:0A1851786DBC209232600425DAE0D55D
public AccessPolicyImpl ForUser(IActiveDirectoryUser user)
{
Inner.ObjectId = user.Id;
return(this);
}
/**
* Azure Users, Groups and Roles sample.
* - List users
* - Get user by email
* - Assign role to AD user
* - Revoke role from AD user
* - Get role by scope and role name
* - List roles
* - List Active Directory groups.
*/
public static void RunSample(Azure.IAuthenticated authenticated)
{
string subscriptionId = authenticated.Subscriptions.List().First().SubscriptionId;
Utilities.Log("Selected subscription: " + subscriptionId);
string raName1 = SdkContext.RandomGuid();
// ============================================================
// List users
var users = authenticated.ActiveDirectoryUsers.List();
Utilities.Log("Active Directory Users:");
foreach (var user in users)
{
Utilities.Print(user);
}
// ============================================================
// Get user by email
IActiveDirectoryUser adUser = authenticated.ActiveDirectoryUsers.GetByName("*****@*****.**");
Utilities.Log("Found User with email \"[email protected]\": ");
Utilities.Print(adUser);
// ============================================================
// Assign role to AD user
IRoleAssignment roleAssignment1 = authenticated.RoleAssignments
.Define(raName1)
.ForUser(adUser)
.WithBuiltInRole(BuiltInRole.DnsZoneContributor)
.WithSubscriptionScope(subscriptionId)
.Create();
Utilities.Log("Created Role Assignment:");
Utilities.Print(roleAssignment1);
// ============================================================
// Revoke role from AD user
authenticated.RoleAssignments.DeleteById(roleAssignment1.Id);
Utilities.Log("Revoked Role Assignment: " + roleAssignment1.Id);
// ============================================================
// Get role by scope and role name
IRoleDefinition roleDefinition = authenticated.RoleDefinitions
.GetByScopeAndRoleName("subscriptions/" + subscriptionId, "Contributor");
Utilities.Print(roleDefinition);
// ============================================================
// List roles
var roles = authenticated.RoleDefinitions
.ListByScope("subscriptions/" + subscriptionId);
Utilities.Log("Roles: ");
foreach (var role in roles)
{
Utilities.Print(role);
}
// ============================================================
// List Active Directory groups
var groups = authenticated.ActiveDirectoryGroups.List();
Utilities.Log("Active Directory Groups:");
foreach (var group in groups)
{
Utilities.Print(group);
}
}
public UserController(ILogger <UserController> logger, IUser user, IActiveDirectoryUser adUser)
{
_logger = logger;
_user = user;
_adUser = adUser;
}
private static void Log(int level, IActiveDirectoryUser cur)
{
Log(level, $"{cur.Name}");
Log(level + 1, $"{cur.Inner.GivenName}");
Log(level + 1, $"{cur.Inner.Surname}");
}
