public override void ExecuteCmdlet()
{
    // Honour -WhatIf / -Confirm before anything is read or written.
    if (!ShouldProcess(VaultName, Properties.Resources.RemoveVaultAccessPolicy))
    {
        return;
    }

    // In the vault-level parameter set at least one service-access switch must be
    // given, otherwise there is nothing for this cmdlet to clear.
    bool noVaultSwitchGiven = !EnabledForDeployment.IsPresent
        && !EnabledForTemplateDeployment.IsPresent
        && !EnabledForDiskEncryption.IsPresent;
    if (ParameterSetName == ForVault && noVaultSwitchGiven)
    {
        throw new ArgumentException(PSKeyVaultProperties.Resources.VaultPermissionFlagMissing);
    }

    // Resolve the resource group from the vault name when the caller left it out.
    if (string.IsNullOrWhiteSpace(ResourceGroupName))
    {
        ResourceGroupName = GetResourceGroupName(VaultName);
    }

    // Look the vault up; an unresolved resource group means the vault cannot be found.
    PSKeyVaultModels.PSVault vault = string.IsNullOrWhiteSpace(ResourceGroupName)
        ? null
        : KeyVaultManagementClient.GetVault(VaultName, ResourceGroupName);
    if (vault == null)
    {
        throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
    }

    // An explicit all-zero application id is never a valid compound identity.
    if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
    {
        throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);
    }

    // -ObjectId is only syntax-checked here; it is not verified against the directory.
    if (!string.IsNullOrWhiteSpace(this.ObjectId) && !this.IsValidObjectIdSyntax(this.ObjectId))
    {
        throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidObjectIdSyntax);
    }

    // Drop every policy that matches the requested principal (+ optional application id).
    var remainingPolicies = vault.AccessPolicies;
    bool principalGiven = !string.IsNullOrEmpty(UserPrincipalName)
        || !string.IsNullOrEmpty(ServicePrincipalName)
        || !string.IsNullOrWhiteSpace(this.ObjectId);
    if (principalGiven)
    {
        if (string.IsNullOrWhiteSpace(this.ObjectId))
        {
            ObjectId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
        }
        remainingPolicies = vault.AccessPolicies
            .Where(policy => !ShallBeRemoved(policy, ObjectId, this.ApplicationId))
            .ToArray();
    }

    // A present switch clears that vault flag; an absent one keeps the current value.
    var deploymentFlag = EnabledForDeployment.IsPresent ? false : vault.EnabledForDeployment;
    var templateDeploymentFlag = EnabledForTemplateDeployment.IsPresent ? false : vault.EnabledForTemplateDeployment;
    var diskEncryptionFlag = EnabledForDiskEncryption.IsPresent ? false : vault.EnabledForDiskEncryption;

    var updatedVault = KeyVaultManagementClient.UpdateVault(
        vault,
        remainingPolicies,
        deploymentFlag,
        templateDeploymentFlag,
        diskEncryptionFlag,
        ActiveDirectoryClient);

    if (PassThru.IsPresent)
    {
        WriteObject(updatedVault);
    }
}
/// <summary>
/// Re-submits <paramref name="existingVault"/> with every setting copied from the
/// vault as-is except the network rule set, which is replaced by
/// <paramref name="updatedNetworkAcls"/>.
/// </summary>
/// <param name="existingVault">The vault as currently read from the service.</param>
/// <param name="updatedNetworkAcls">The network ACLs to write back.</param>
/// <returns>The vault returned by the management client after the update.</returns>
protected PSKeyVault UpdateCurrentVault(PSKeyVault existingVault, PSKeyVaultNetworkRuleSet updatedNetworkAcls)
{
    // Everything but the network rules is carried over unchanged.
    var unchangedPolicies = existingVault.AccessPolicies;
    var updatedVault = KeyVaultManagementClient.UpdateVault(
        existingVault,
        unchangedPolicies,
        existingVault.EnabledForDeployment,
        existingVault.EnabledForTemplateDeployment,
        existingVault.EnabledForDiskEncryption,
        existingVault.EnableSoftDelete,
        existingVault.EnablePurgeProtection,
        updatedNetworkAcls,
        ActiveDirectoryClient);
    return updatedVault;
}
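public override void ExecuteCmdlet()
{
    // -InputObject and -ResourceId both resolve to a (resource group, vault name) pair;
    // -ResourceId wins when both are bound because it is applied last.
    if (this.IsParameterBound(c => c.InputObject))
    {
        this.ResourceGroupName = this.InputObject.ResourceGroupName;
        this.VaultName = this.InputObject.VaultName;
    }
    if (this.IsParameterBound(c => c.ResourceId))
    {
        var resourceIdentifier = new ResourceIdentifier(this.ResourceId);
        this.ResourceGroupName = resourceIdentifier.ResourceGroupName;
        this.VaultName = resourceIdentifier.ResourceName;
    }

    // Any lookup failure is reported as "vault does not exist", but the underlying
    // exception (authorization, throttling, network) is kept as InnerException so
    // the real cause is not silently discarded.
    PSKeyVault existingResource = null;
    Exception lookupFailure = null;
    try
    {
        existingResource = KeyVaultManagementClient.GetVault(this.VaultName, this.ResourceGroupName);
    }
    catch (Exception ex)
    {
        lookupFailure = ex;
        existingResource = null;
    }
    if (existingResource == null)
    {
        throw new Exception(string.Format("A key vault with name '{0}' in resource group '{1}' does not exist. Please use New-AzKeyVault to create a key vault with these properties.", this.VaultName, this.ResourceGroupName), lookupFailure);
    }

    if (this.ShouldProcess(this.VaultName, string.Format("Updating key vault '{0}' in resource group '{1}'.", this.VaultName, this.ResourceGroupName)))
    {
        // Access policies, service-access flags and network ACLs are carried over
        // unchanged. Soft delete and purge protection can only be switched on here
        // (a null leaves the current value alone); the retention period defaults to
        // the existing value, or the module default when the vault has none.
        var result = KeyVaultManagementClient.UpdateVault(
            existingResource,
            existingResource.AccessPolicies,
            existingResource.EnabledForDeployment,
            existingResource.EnabledForTemplateDeployment,
            existingResource.EnabledForDiskEncryption,
            EnableSoftDelete.IsPresent ? (true as bool?) : null,
            EnablePurgeProtection.IsPresent ? (true as bool?) : null,
            EnableRbacAuthorization,
            this.IsParameterBound(c => c.SoftDeleteRetentionInDays)
                ? (SoftDeleteRetentionInDays as int?)
                : (existingResource.SoftDeleteRetentionInDays ?? Constants.DefaultSoftDeleteRetentionDays),
            existingResource.NetworkAcls);
        WriteObject(result);
    }
}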
/// <summary>
/// Writes <paramref name="existingVault"/> back with only its network rule set
/// replaced by <paramref name="updatedNetworkAcls"/>; every other property is
/// copied from the vault unchanged.
/// </summary>
/// <param name="existingVault">The vault as currently read from the service.</param>
/// <param name="updatedNetworkAcls">The network ACLs to write back.</param>
/// <returns>The vault returned by the management client after the update.</returns>
protected PSKeyVault UpdateCurrentVault(PSKeyVault existingVault, PSKeyVaultNetworkRuleSet updatedNetworkAcls)
{
    var source = existingVault;
    var updatedVault = KeyVaultManagementClient.UpdateVault(
        source,
        source.AccessPolicies,
        source.EnabledForDeployment,
        source.EnabledForTemplateDeployment,
        source.EnabledForDiskEncryption,
        source.EnableSoftDelete,
        source.EnablePurgeProtection,
        source.EnableRbacAuthorization,
        source.SoftDeleteRetentionInDays,
        updatedNetworkAcls,
        GraphClient);
    return updatedVault;
}
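public override void ExecuteCmdlet()
{
    // -InputObject and -ResourceId both resolve to a (resource group, vault name) pair;
    // -ResourceId wins when both are bound because it is applied last.
    if (this.IsParameterBound(c => c.InputObject))
    {
        this.ResourceGroupName = this.InputObject.ResourceGroupName;
        this.VaultName = this.InputObject.VaultName;
    }
    if (this.IsParameterBound(c => c.ResourceId))
    {
        var resourceIdentifier = new ResourceIdentifier(this.ResourceId);
        this.ResourceGroupName = resourceIdentifier.ResourceGroupName;
        this.VaultName = resourceIdentifier.ResourceName;
    }

    // Any lookup failure is reported as "vault does not exist", but the underlying
    // exception (authorization, throttling, network) is kept as InnerException so
    // the real cause is not silently discarded.
    PSKeyVault existingResource = null;
    Exception lookupFailure = null;
    try
    {
        existingResource = KeyVaultManagementClient.GetVault(this.VaultName, this.ResourceGroupName);
    }
    catch (Exception ex)
    {
        lookupFailure = ex;
        existingResource = null;
    }
    if (existingResource == null)
    {
        throw new Exception(string.Format("A key vault with name '{0}' in resource group '{1}' does not exist. Please use New-AzKeyVault to create a key vault with these properties.", this.VaultName, this.ResourceGroupName), lookupFailure);
    }

    if (this.ShouldProcess(this.VaultName, string.Format("Updating key vault '{0}' in resource group '{1}'.", this.VaultName, this.ResourceGroupName)))
    {
        // Only the properties named here are sent; purge protection can only be
        // switched on (null leaves it untouched). Other settings are presumably
        // carried over by the client from existingResource — confirm in UpdateVault.
        var result = KeyVaultManagementClient.UpdateVault(
            existingResource,
            updatedParamater: new VaultCreationOrUpdateParameters
            {
                EnablePurgeProtection = this.EnablePurgeProtection.IsPresent ? (true as bool?) : null,
                EnableRbacAuthorization = this.EnableRbacAuthorization,
                PublicNetworkAccess = this.PublicNetworkAccess,
                Tags = this.Tag
            });
        WriteObject(result);
    }
}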
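public override void ExecuteCmdlet()
{
    // Resolve the resource group from the vault name when the caller left it out.
    ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;

    // Get the vault to be updated; an unresolved resource group means "not found".
    PSKeyVaultModels.PSVault existingVault = null;
    if (!string.IsNullOrWhiteSpace(ResourceGroupName))
    {
        existingVault = KeyVaultManagementClient.GetVault(VaultName, ResourceGroupName);
    }
    if (existingVault == null)
    {
        throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
    }

    // An explicit all-zero application id is never a valid compound identity.
    if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
    {
        throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);
    }

    // Update vault policies: drop every policy matching the requested principal.
    var updatedPolicies = existingVault.AccessPolicies;
    if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != null && ObjectId != Guid.Empty))
    {
        Guid objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
        updatedPolicies = existingVault.AccessPolicies.Where(ap => !ShallBeRemoved(ap, objId, this.ApplicationId)).ToArray();
    }

    // Update the vault. -EnabledForDeployment clears the flag; when the switch is
    // absent the vault's current value is preserved. The previous expression
    // (!EnabledForDeployment.IsPresent) passed true whenever the switch was absent,
    // i.e. every plain policy removal silently turned deployment access ON.
    var updatedVault = KeyVaultManagementClient.UpdateVault(
        existingVault,
        updatedPolicies,
        EnabledForDeployment.IsPresent ? false : existingVault.EnabledForDeployment,
        ActiveDirectoryClient);

    if (PassThru.IsPresent)
    {
        WriteObject(updatedVault);
    }
}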
// Grants (or replaces) the access policy of a single principal on a vault, and/or
// turns on the vault-level service-access switches. Throws ArgumentException for
// missing or invalid input, and Exception when a principal must be looked up but
// no directory client is available.
public override void ExecuteCmdlet()
{
    // -InputObject / -ResourceId are resolved first so the ShouldProcess prompt
    // below names the real target vault.
    if (InputObject != null)
    {
        VaultName = InputObject.VaultName;
        ResourceGroupName = InputObject.ResourceGroupName;
    }
    else if (ResourceId != null)
    {
        var resourceIdentifier = new ResourceIdentifier(ResourceId);
        VaultName = resourceIdentifier.ResourceName;
        ResourceGroupName = resourceIdentifier.ResourceGroupName;
    }

    if (ShouldProcess(VaultName, Properties.Resources.SetVaultAccessPolicy))
    {
        // In the vault-level parameter set at least one service-access switch is required.
        if (ParameterSetName == ForVault && !EnabledForDeployment.IsPresent && !EnabledForTemplateDeployment.IsPresent && !EnabledForDiskEncryption.IsPresent)
        {
            throw new ArgumentException(Resources.VaultPermissionFlagMissing);
        }

        ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;
        if (ResourceGroupName == null)
        {
            throw new ArgumentException(string.Format(Resources.VaultDoesNotExist, VaultName));
        }

        PSKeyVault vault = null;
        // Get the vault to be updated
        if (!string.IsNullOrWhiteSpace(ResourceGroupName))
        {
            vault = KeyVaultManagementClient.GetVault( VaultName, ResourceGroupName);
        }
        if (vault == null)
        {
            throw new ArgumentException(string.Format(Resources.VaultNotFound, VaultName, ResourceGroupName));
        }

        // -ObjectId is syntax-checked only; nothing here confirms it exists in the tenant.
        if (!string.IsNullOrWhiteSpace(this.ObjectId) && !this.IsValidObjectIdSyntax(this.ObjectId))
        {
            throw new ArgumentException(Resources.InvalidObjectIdSyntax);
        }

        // Update vault policies
        PSKeyVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
        if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || !string.IsNullOrWhiteSpace(this.ObjectId) || !string.IsNullOrWhiteSpace(this.EmailAddress))
        {
            // Resolve the principal to a directory object id. With
            // -BypassObjectIdValidation (or no directory client) the raw -ObjectId
            // string is used exactly as given.
            // NOTE(review): when the bypass switch is set, the directory client is
            // non-null and the caller gave only a UPN/SPN/e-mail, objId stays null
            // and is written into the new policy below — confirm whether that
            // combination should be rejected here instead.
            var objId = this.ObjectId;
            if (!this.BypassObjectIdValidation.IsPresent && ActiveDirectoryClient != null)
            {
                objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.EmailAddress, this.ServicePrincipalName);
            }
            else if (ActiveDirectoryClient == null && objId == null)
            {
                throw new Exception(Resources.ActiveDirectoryClientNull);
            }

            // An explicit all-zero application id is never a valid compound identity.
            // (This check only runs when a principal was given.)
            if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
            {
                throw new ArgumentException(Resources.InvalidApplicationId);
            }

            //All permission arrays cannot be null
            if (PermissionsToKeys == null && PermissionsToSecrets == null && PermissionsToCertificates == null && PermissionsToStorage == null)
            {
                throw new ArgumentException(Resources.PermissionsNotSpecified);
            }
            else
            {
                //Is there an existing policy for this policy identity?
                var existingPolicy = vault.AccessPolicies.FirstOrDefault(ap => MatchVaultAccessPolicyIdentity(ap, objId, ApplicationId));

                //New policy will have permission arrays that are either from cmdlet input
                //or if that's null, then from the old policy for this object ID if one existed.
                //A category the caller leaves unspecified therefore keeps its existing
                //permissions; passing an empty array is the way to clear a category.
                var keys = PermissionsToKeys ?? (existingPolicy != null && existingPolicy.PermissionsToKeys != null ? existingPolicy.PermissionsToKeys.ToArray() : null);
                var secrets = PermissionsToSecrets ?? (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ? existingPolicy.PermissionsToSecrets.ToArray() : null);
                var certificates = PermissionsToCertificates ?? (existingPolicy != null && existingPolicy.PermissionsToCertificates != null ? existingPolicy.PermissionsToCertificates.ToArray() : null);
                var managedStorage = PermissionsToStorage ?? (existingPolicy != null && existingPolicy.PermissionsToStorage != null ? existingPolicy.PermissionsToStorage.ToArray() : null);

                //Remove old policies for this policy identity and add a new one with the right permissions,
                //iff there were some non-empty permissions. If every category is empty the
                //principal's policy is removed and nothing replaces it.
                updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => !MatchVaultAccessPolicyIdentity(ap, objId, this.ApplicationId)).ToArray();
                if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0) || (certificates != null && certificates.Length > 0) || (managedStorage != null && managedStorage.Length > 0))
                {
                    var policy = new PSKeyVaultAccessPolicy(vault.TenantId, objId, this.ApplicationId, keys, secrets, certificates, managedStorage);
                    updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray();
                }
            }
        }

        // Update the vault. The service-access switches can only turn a flag ON here;
        // an absent switch keeps the vault's current value. Soft delete, purge
        // protection and network ACLs are carried over unchanged.
        var updatedVault = KeyVaultManagementClient.UpdateVault(
            vault,
            updatedListOfAccessPolicies,
            EnabledForDeployment.IsPresent ? true : vault.EnabledForDeployment,
            EnabledForTemplateDeployment.IsPresent ? true : vault.EnabledForTemplateDeployment,
            EnabledForDiskEncryption.IsPresent ? true : vault.EnabledForDiskEncryption,
            vault.EnableSoftDelete,
            vault.EnablePurgeProtection,
            vault.NetworkAcls,
            ActiveDirectoryClient);

        if (PassThru.IsPresent)
        {
            WriteObject(updatedVault);
        }
    }
}
// Earlier variant of the access-policy "Set" cmdlet: grants (or replaces) one
// principal's key/secret permissions on a vault and/or turns on the vault-level
// service-access switches. Throws ArgumentException for missing or invalid input.
public override void ExecuteCmdlet()
{
    // In the vault-level parameter set at least one service-access switch is required.
    if (ParameterSetName == ForVault && !EnabledForDeployment.IsPresent && !EnabledForTemplateDeployment.IsPresent && !EnabledForDiskEncryption.IsPresent)
    {
        throw new ArgumentException(PSKeyVaultProperties.Resources.VaultPermissionFlagMissing);
    }

    ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;

    PSKeyVaultModels.PSVault vault = null;
    // Get the vault to be updated
    if (!string.IsNullOrWhiteSpace(ResourceGroupName))
    {
        vault = KeyVaultManagementClient.GetVault( VaultName, ResourceGroupName);
    }
    if (vault == null)
    {
        throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName));
    }

    // Update vault policies
    PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
    // ObjectId is a non-nullable Guid here, so "not given" is Guid.Empty.
    if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != Guid.Empty))
    {
        // The principal is always resolved through the directory in this variant;
        // there is no bypass switch.
        Guid objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);

        // An explicit all-zero application id is never a valid compound identity.
        // (This check only runs when a principal was given.)
        if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
        {
            throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId);
        }

        //Both arrays cannot be null
        if (PermissionsToKeys == null && PermissionsToSecrets == null)
        {
            throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified);
        }
        else
        {
            //Validate: a set that combines "all" with individual permissions is rejected.
            if (!IsMeaningfulPermissionSet(PermissionsToKeys))
            {
                throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys"));
            }
            if (!IsMeaningfulPermissionSet(PermissionsToSecrets))
            {
                throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "secrets"));
            }

            //Is there an existing policy for this policy identity?
            var existingPolicy = vault.AccessPolicies.FirstOrDefault(ap => MatchVaultAccessPolicyIdentity(ap, objId, ApplicationId));

            //New policy will have permission arrays that are either from cmdlet input
            //or if that's null, then from the old policy for this object ID if one existed.
            //A category the caller leaves unspecified therefore keeps its existing
            //permissions; passing an empty array is the way to clear a category.
            var keys = PermissionsToKeys ?? (existingPolicy != null && existingPolicy.PermissionsToKeys != null ? existingPolicy.PermissionsToKeys.ToArray() : null);
            var secrets = PermissionsToSecrets ?? (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ? existingPolicy.PermissionsToSecrets.ToArray() : null);

            //Remove old policies for this policy identity and add a new one with the right permissions,
            //iff there were some non-empty permissions. If both categories are empty the
            //principal's policy is removed and nothing replaces it.
            updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => !MatchVaultAccessPolicyIdentity(ap, objId, this.ApplicationId)).ToArray();
            if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0))
            {
                var policy = new PSKeyVaultModels.PSVaultAccessPolicy(vault.TenantId, objId, this.ApplicationId, keys, secrets);
                updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray();
            }
        }
    }

    // Update the vault. Each service-access switch can only turn its flag ON here;
    // an absent switch keeps the vault's current value (the "||" form for
    // EnabledForDeployment is equivalent to the ternaries used for the other two).
    var updatedVault = KeyVaultManagementClient.UpdateVault(
        vault,
        updatedListOfAccessPolicies,
        EnabledForDeployment.IsPresent || vault.EnabledForDeployment,
        EnabledForTemplateDeployment.IsPresent ? true : vault.EnabledForTemplateDeployment,
        EnabledForDiskEncryption.IsPresent ? true : vault.EnabledForDiskEncryption,
        ActiveDirectoryClient);

    if (PassThru.IsPresent)
    {
        WriteObject(updatedVault);
    }
}
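public override void ExecuteCmdlet()
{
    // Resolve -InputObject / -ResourceId BEFORE asking ShouldProcess, so that the
    // -Confirm / -WhatIf prompt for this destructive operation names the actual
    // vault. Previously the prompt was raised first, with VaultName still unset
    // when the vault came from a pipeline object or a resource id.
    if (InputObject != null)
    {
        VaultName = InputObject.VaultName;
        ResourceGroupName = InputObject.ResourceGroupName;
    }
    else if (!string.IsNullOrEmpty(ResourceId))
    {
        var parsedResourceId = new ResourceIdentifier(ResourceId);
        VaultName = parsedResourceId.ResourceName;
        ResourceGroupName = parsedResourceId.ResourceGroupName;
    }

    if (ShouldProcess(VaultName, Properties.Resources.RemoveVaultAccessPolicy))
    {
        // Resolve the resource group from the vault name when the caller left it out.
        ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName;

        // Get the vault to be updated; an unresolved resource group means "not found".
        PSKeyVault existingVault = null;
        if (!string.IsNullOrWhiteSpace(ResourceGroupName))
        {
            existingVault = KeyVaultManagementClient.GetVault(VaultName, ResourceGroupName);
        }
        if (existingVault == null)
        {
            throw new ArgumentException(string.Format(Resources.VaultNotFound, VaultName, ResourceGroupName));
        }

        // An explicit all-zero application id is never a valid compound identity.
        if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)
        {
            throw new ArgumentException(Resources.InvalidApplicationId);
        }

        // -ObjectId is syntax-checked only; it is not verified against the directory.
        if (!string.IsNullOrWhiteSpace(this.ObjectId) && !this.IsValidObjectIdSyntax(this.ObjectId))
        {
            throw new ArgumentException(Resources.InvalidObjectIdSyntax);
        }

        // Update vault policies: drop every policy matching the requested principal.
        // When only a UPN / SPN / e-mail is given, the object id is looked up in the
        // directory, which requires a directory client.
        var updatedPolicies = existingVault.AccessPolicies;
        if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || !string.IsNullOrWhiteSpace(this.ObjectId) || !string.IsNullOrWhiteSpace(this.EmailAddress))
        {
            if (string.IsNullOrWhiteSpace(this.ObjectId))
            {
                if (ActiveDirectoryClient == null)
                {
                    throw new Exception(Resources.ActiveDirectoryClientNull);
                }
                ObjectId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.EmailAddress, this.ServicePrincipalName);
            }
            updatedPolicies = existingVault.AccessPolicies.Where(ap => !ShallBeRemoved(ap, ObjectId, this.ApplicationId)).ToArray();
        }

        // Update the vault. A present switch clears that service-access flag; an
        // absent one keeps the current value. Soft delete, purge protection,
        // retention and network ACLs are carried over unchanged.
        var updatedVault = KeyVaultManagementClient.UpdateVault(
            existingVault,
            updatedPolicies,
            EnabledForDeployment.IsPresent ? false : existingVault.EnabledForDeployment,
            EnabledForTemplateDeployment.IsPresent ? false : existingVault.EnabledForTemplateDeployment,
            EnabledForDiskEncryption.IsPresent ? false : existingVault.EnabledForDiskEncryption,
            existingVault.EnableSoftDelete,
            existingVault.EnablePurgeProtection,
            existingVault.SoftDeleteRetentionInDays,
            existingVault.NetworkAcls,
            ActiveDirectoryClient);

        if (PassThru.IsPresent)
        {
            WriteObject(updatedVault);
        }
    }
}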