C# (CSharp) Microsoft.Azure.Commands.Resources.Models.Authorization FilterRoleAssignmentsOptionsの例

コード例 #1

ファイル: AuthorizationClient.cs プロジェクト: virakkong/azure-powershell

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
        {
            Guid   principalId    = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
            string principalIdStr = null;

            if (principalId == Guid.Empty)
            {
                principalIdStr = ActiveDirectoryClient.GetAdfsObjectId(parameters.ADObjectFilter);
            }
            else
            {
                principalIdStr = principalId.ToString();
            }

            Guid   roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
            string scope            = parameters.Scope;
            string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
                ? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id)
                : AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId);
            var createProperties = new RoleAssignmentProperties
            {
                PrincipalId      = principalIdStr,
                RoleDefinitionId = roleDefinitionId
            };
            var createParameters = new RoleAssignmentCreateParameters(createProperties);

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
                parameters.Scope, roleAssignmentId.ToString(), createParameters);

            return(assignment.ToPSRoleAssignment(this, ActiveDirectoryClient));
        }

コード例 #2

ファイル: AuthorizationClient.cs プロジェクト: yodarx/azure-powershell

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
        {
            string principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);

            roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
            string scope            = parameters.Scope;
            string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
                ? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
                : AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);

            parameters.Description      = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
            parameters.Condition        = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
            parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;
            var createParameters = new RoleAssignmentCreateParameters
            {
                PrincipalId      = principalId.ToString(),
                RoleDefinitionId = roleDefinitionId,
                CanDelegate      = parameters.CanDelegate,
                Description      = parameters.Description,
                Condition        = parameters.Condition,
                ConditionVersion = parameters.ConditionVersion
            };

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
                parameters.Scope, roleAssignmentId.ToString(), createParameters);
            var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);

            return(PSRoleAssignment);
        }

コード例 #3

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, string subscriptionId)
        {
            Guid   principalId      = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
            Guid   roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
            string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
                ? AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, GetRoleRoleDefinition(parameters.RoleDefinitionName).Id)
                : AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, parameters.RoleDefinitionId);

            RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
            {
                Properties = new RoleAssignmentProperties
                {
                    PrincipalId      = principalId,
                    RoleDefinitionId = roleDefinitionId
                }
            };

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters).RoleAssignment;

            IEnumerable <RoleAssignment> assignments = new List <RoleAssignment>()
            {
                assignment
            };

            return(assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault());
        }

コード例 #4

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
        {
            Guid   principalId      = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
            Guid   roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
            string scope            = parameters.Scope;

            ValidateScope(scope);
            string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
                ? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id)
                : AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId);

#if !NETSTANDARD
            RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
            {
                Properties = new RoleAssignmentProperties
                {
                    PrincipalId      = principalId,
                    RoleDefinitionId = roleDefinitionId
                }
            };

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters).RoleAssignment;
#else
            var createParameters = new RoleAssignmentProperties
            {
                PrincipalId      = principalId.ToString(),
                RoleDefinitionId = roleDefinitionId
            };

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
                parameters.Scope,
                roleAssignmentId.ToString(), createParameters);
#endif
            return(assignment.ToPSRoleAssignment(this, ActiveDirectoryClient));
        }

コード例 #5

        /// <summary>
        /// Deletes a role assignments based on the used options.
        /// </summary>
        /// <param name="options">The role assignment filtering options</param>
        /// <param name="subscriptionId">Current subscription id</param>
        /// <returns>The deleted role assignments</returns>
        public IEnumerable <PSRoleAssignment> RemoveRoleAssignment(FilterRoleAssignmentsOptions options, string subscriptionId)
        {
            // Match role assignments at exact scope. Ideally, atmost 1 roleAssignment should match the criteria
            // but an edge case can have multiple role assignments to the same role or multiple role assignments to different roles, with same name.
            // The FilterRoleAssignments takes care of paging internally
            IEnumerable <PSRoleAssignment> roleAssignments = FilterRoleAssignments(options, currentSubscription: subscriptionId)
                                                             .Where(ra => ra.Scope.TrimEnd('/').Equals(options.Scope.TrimEnd('/'), StringComparison.OrdinalIgnoreCase));

            if (roleAssignments == null || !roleAssignments.Any())
            {
                throw new KeyNotFoundException("The provided information does not map to a role assignment.");
            }
            else if (roleAssignments.Count() == 1)
            {
                AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignments.Single().RoleAssignmentId);
            }
            else
            {
                // All assignments are to the same roleDefinition Id.
                if (roleAssignments.All(a => a.RoleDefinitionId == roleAssignments.First().RoleDefinitionId))
                {
                    foreach (var assignment in roleAssignments)
                    {
                        AuthorizationManagementClient.RoleAssignments.DeleteById(assignment.RoleAssignmentId);
                    }
                }
                else
                {
                    // Assignments to different roleDefintion Ids. This can happen only if roleDefinition name was provided and multiple roles exists with same name.
                    throw new InvalidOperationException(string.Format(ProjectResources.MultipleRoleDefinitionsFoundWithSameName, options.RoleDefinitionName));
                }
            }

            return(roleAssignments);
        }

コード例 #6

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
        {
            Guid   principalId      = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
            Guid   roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
            string roleDefinitionId = GetRoleRoleDefinition(parameters.RoleDefinition).Id;

            RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
            {
                PrincipalId      = principalId,
                RoleDefinitionId = roleDefinitionId
            };

            AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters);
            return(AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment.ToPSRoleAssignment(this, ActiveDirectoryClient));
        }

コード例 #7

        /// <summary>
        /// Deletes a role assignments based on the used options.
        /// </summary>
        /// <param name="options">The role assignment filtering options</param>
        /// <returns>The deleted role assignments</returns>
        public PSRoleAssignment RemoveRoleAssignment(FilterRoleAssignmentsOptions options)
        {
            PSRoleAssignment roleAssignment = FilterRoleAssignments(options).FirstOrDefault();

            if (roleAssignment != null)
            {
                AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignment.RoleAssignmentId);
            }
            else
            {
                throw new KeyNotFoundException("The provided information does not map to a role assignment.");
            }

            return(roleAssignment);
        }

コード例 #8

ファイル: AuthorizationClient.cs プロジェクト: vadimp-msft/azure-powershell

        /// <summary>
        /// Deletes a role assignments based on the used options.
        /// </summary>
        /// <param name="options">The role assignment filtering options</param>
        /// <returns>The deleted role assignments</returns>
        public PSRoleAssignment RemoveRoleAssignment(FilterRoleAssignmentsOptions options)
        {
            // Match role assignments at exact scope. At most 1 roleAssignment should match the criteria
            PSRoleAssignment roleAssignment = FilterRoleAssignments(options, currentSubscription: string.Empty)
                                              .Where(ra => ra.Scope == options.Scope.TrimEnd('/'))
                                              .FirstOrDefault();

            if (roleAssignment != null)
            {
                AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignment.RoleAssignmentId);
            }
            else
            {
                throw new KeyNotFoundException("The provided information does not map to a role assignment.");
            }

            return(roleAssignment);
        }

コード例 #9

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
        {
            var assigneeID         = parameters.ADObjectFilter?.Id;
            var assigneeObjectType = parameters.ADObjectFilter?.ObjectType;

            if (string.IsNullOrWhiteSpace(assigneeObjectType) || string.IsNullOrWhiteSpace(assigneeID))
            {
                try
                {
                    var assigneeObject = ActiveDirectoryClient.GetADObject(parameters.ADObjectFilter);
                    assigneeID         = assigneeID ?? assigneeObject?.Type;
                    assigneeObjectType = assigneeObjectType ?? assigneeObject?.Type;
                }
                catch (Common.MSGraph.Version1_0.DirectoryObjects.Models.OdataErrorException) when(!string.IsNullOrEmpty(assigneeID))
                {
                    // If assigneeID is not null, swallow OdataErrorException
                }
            }

            string principalId = assigneeID;

            roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
            string scope            = parameters.Scope;
            string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
                ? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
                : AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);

            parameters.Description      = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
            parameters.Condition        = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
            parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;

            var createParameters = new RoleAssignmentCreateParameters
            {
                PrincipalId      = principalId,
                PrincipalType    = assigneeObjectType,
                RoleDefinitionId = roleDefinitionId,
                Description      = parameters.Description,
                Condition        = parameters.Condition,
                ConditionVersion = parameters.ConditionVersion
            };

            return(AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId.ToString(), createParameters).ToPSRoleAssignment(this, ActiveDirectoryClient));
        }

コード例 #10

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
        {
            var asigneeID = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);

            string asigneeObjectType = parameters.ADObjectFilter?.ObjectType;

            if (string.IsNullOrWhiteSpace(asigneeObjectType))
            {
                var asigneeObject = ActiveDirectoryClient.GetObjectsByObjectId(new List <string>()
                {
                    asigneeID
                }).SingleOrDefault();
                asigneeObjectType = (!(asigneeObject is PSErrorHelperObject) && asigneeObject != null) ? asigneeObject.Type : null;
            }

            string principalId = asigneeID;

            roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
            string scope            = parameters.Scope;
            string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
                ? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
                : AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);

            parameters.Description      = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
            parameters.Condition        = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
            parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;
            var createParameters = new RoleAssignmentCreateParameters
            {
                PrincipalId      = principalId.ToString(),
                PrincipalType    = asigneeObjectType,
                RoleDefinitionId = roleDefinitionId,
                CanDelegate      = parameters.CanDelegate,
                Description      = parameters.Description,
                Condition        = parameters.Condition,
                ConditionVersion = parameters.ConditionVersion
            };

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
                parameters.Scope, roleAssignmentId.ToString(), createParameters);
            var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);

            return(PSRoleAssignment);
        }

コード例 #11

ファイル: AuthorizationClient.cs プロジェクト: sharmasecureservicesusa/azure-powershell

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
        {
            PSADObject asignee = ActiveDirectoryClient.GetADObject(parameters.ADObjectFilter);

            if (asignee == null)
            {
                throw new ArgumentException(ProjectResources.NoADObjectFound);
            }

            string principalId   = asignee.Id;
            string principalType = asignee is PSADUser ? "User" : asignee is PSADServicePrincipal ? "ServicePrincipal" : asignee is PSADGroup ? "Group" : null;

            roleAssignmentId = roleAssignmentId == default(Guid) ? Guid.NewGuid() : roleAssignmentId;
            string scope            = parameters.Scope;
            string roleDefinitionId = string.IsNullOrEmpty(parameters.RoleDefinitionName)
                ? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId)
                : AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope).Id);

            parameters.Description      = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
            parameters.Condition        = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
            parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;
            var createParameters = new RoleAssignmentCreateParameters
            {
                PrincipalId      = principalId.ToString(),
                PrincipalType    = principalType,
                RoleDefinitionId = roleDefinitionId,
                CanDelegate      = parameters.CanDelegate,
                Description      = parameters.Description,
                Condition        = parameters.Condition,
                ConditionVersion = parameters.ConditionVersion
            };

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(
                parameters.Scope, roleAssignmentId.ToString(), createParameters);
            var PSRoleAssignment = assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);

            return(PSRoleAssignment);
        }

コード例 #12

        /// <summary>
        /// Filters role assignments based on the passed options.
        /// </summary>
        /// <param name="options">The filtering options</param>
        /// <returns>The filtered role assignments</returns>
        public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options)
        {
            List <PSRoleAssignment>         result     = new List <PSRoleAssignment>();
            ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();

            if (options.ADObjectFilter.HasFilter)
            {
                // Filter first by principal
                parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? ActiveDirectoryClient.GetObjectId(options.ADObjectFilter) : Guid.Parse(options.ADObjectFilter.Id);
                result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
                                .RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));

                // Filter out by scope
                if (!string.IsNullOrEmpty(options.Scope))
                {
                    result.RemoveAll(r => !options.Scope.StartsWith(r.Scope));
                }
            }
            else if (!string.IsNullOrEmpty(options.Scope))
            {
                // Filter by scope and above directly
                parameters.AtScope = true;
                result.AddRange(AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters)
                                .RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
            }
            else
            {
                result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
                                .RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
            }

            if (!string.IsNullOrEmpty(options.RoleDefinition))
            {
                result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinition, StringComparison.OrdinalIgnoreCase)).ToList();
            }

            return(result);
        }

コード例 #13

ファイル: AuthorizationClient.cs プロジェクト: vadimp-msft/azure-powershell

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
        {
            Guid   principalId      = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
            Guid   roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
            string roleDefinitionId = GetRoleRoleDefinition(parameters.RoleDefinition).Id;

            RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
            {
                Properties = new RoleAssignmentProperties {
                    PrincipalId      = principalId,
                    RoleDefinitionId = roleDefinitionId
                }
            };

            AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters);

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment;
            IEnumerable <RoleAssignment> assignments = new List <RoleAssignment>()
            {
                assignment
            };

            return(assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault());
        }

コード例 #14

ファイル: AuthorizationClient.cs プロジェクト: rbramwell/azure-powershell

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
        {
            Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
            Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
            string roleDefinitionId = GetRoleRoleDefinition(parameters.RoleDefinition).Id;

            RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
            {
                Properties = new RoleAssignmentProperties {
                    PrincipalId = principalId,
                    RoleDefinitionId = roleDefinitionId
                }
            };

            AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters);

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment;
            IEnumerable<RoleAssignment> assignments = new List<RoleAssignment>() { assignment };

            return assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault();
        }

コード例 #15

        public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
        {
            List <PSRoleAssignment> result = new List <PSRoleAssignment>();
            string assignedToPrincipalId   = null;
            string principalId             = null;

            PSADObject adObject = null;

            if (options.ADObjectFilter.HasFilter)
            {
                adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
                if (adObject == null)
                {
                    throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                }

                // Filter first by principal
                if (options.ExpandPrincipalGroups)
                {
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
                    }

                    assignedToPrincipalId = adObject.Id.ToString();
                }
                else
                {
                    principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id.ToString()) ? adObject.Id.ToString() : options.ADObjectFilter.Id;
                }

                var tempResult = AuthorizationManagementClient.RoleAssignments.List(
                    new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));
                result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));

                while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextPageLink);
                    result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                    .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
                }

                // Filter out by scope
                if (!string.IsNullOrEmpty(options.Scope))
                {
                    result.RemoveAll(r => !options.Scope.StartsWith(r.Scope, StringComparison.OrdinalIgnoreCase));
                }
            }
            else if (!string.IsNullOrEmpty(options.Scope))
            {
                // Filter by scope and above directly
                var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(
                    options.Scope,
                    new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(
                        f => f.AtScope() && f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));

                result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));

                while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextPageLink);
                    result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                    .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
                }
            }
            else
            {
                var tempResult = AuthorizationManagementClient.RoleAssignments.List(
                    new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));
                result.AddRange(tempResult
                                .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));

                while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextPageLink);
                    result.AddRange(tempResult
                                    .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                    .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
                }
            }

            if (!string.IsNullOrEmpty(options.RoleDefinitionName))
            {
                result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
            }

            if (options.IncludeClassicAdministrators)
            {
                // Get classic administrator access assignments
                List <ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators
                                                                    .List(AuthorizationManagementClient.ApiVersion).ToList();
                List <PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList();

                // Filter by principal if provided
                if (options.ADObjectFilter.HasFilter)
                {
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
                    }

                    var userObject = adObject as PSADUser;
                    classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
                                                                                              c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase)).ToList();
                }

                result.AddRange(classicAdministratorsAssignments);
            }

            return(result);
        }

コード例 #16

ファイル: AuthorizationClient.cs プロジェクト: rbramwell/azure-powershell

        /// <summary>
        /// Deletes a role assignments based on the used options.
        /// </summary>
        /// <param name="options">The role assignment filtering options</param>
        /// <returns>The deleted role assignments</returns>
        public PSRoleAssignment RemoveRoleAssignment(FilterRoleAssignmentsOptions options)
        {
            // Match role assignments at exact scope. At most 1 roleAssignment should match the criteria
            PSRoleAssignment roleAssignment = FilterRoleAssignments(options, currentSubscription: string.Empty)
                                                .Where(ra => ra.Scope == options.Scope.TrimEnd('/'))
                                                .FirstOrDefault();

            if (roleAssignment != null)
            {
                AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignment.RoleAssignmentId);
            }
            else
            {
                throw new KeyNotFoundException("The provided information does not map to a role assignment.");
            }

            return roleAssignment;
        }

コード例 #17

ファイル: AuthorizationClient.cs プロジェクト: kjohn-msft/azure-powershell

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, string subscriptionId)
        {
            Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
            Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
            string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
                ? AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, GetRoleRoleDefinition(parameters.RoleDefinitionName).Id)
                : AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, parameters.RoleDefinitionId);

            RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
            {
                Properties = new RoleAssignmentProperties
                {
                    PrincipalId = principalId,
                    RoleDefinitionId = roleDefinitionId
                }
            };

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters).RoleAssignment;

            IEnumerable<RoleAssignment> assignments = new List<RoleAssignment>() { assignment };

            return assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault();
        }

コード例 #18

        /// <summary>
        /// Filters role assignments based on the passed options.
        /// </summary>
        /// <param name="options">The filtering options</param>
        /// <param name="currentSubscription">The current subscription</param>
        /// <returns>The filtered role assignments</returns>
#if !NETSTANDARD
        public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
        {
            List <PSRoleAssignment>         result          = new List <PSRoleAssignment>();
            List <RoleAssignment>           roleAssignments = new List <RoleAssignment>();
            ListAssignmentsFilterParameters parameters      = new ListAssignmentsFilterParameters();

            PSADObject adObject = null;

            if (options.ADObjectFilter.HasFilter)
            {
                if (string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups || options.IncludeClassicAdministrators)
                {
                    adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);

                    if (adObject == null)
                    {
                        throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                    }
                }

                // Filter first by principal
                if (options.ExpandPrincipalGroups)
                {
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
                    }

                    parameters.AssignedToPrincipalId = adObject.Id;
                }
                else
                {
                    parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id : Guid.Parse(options.ADObjectFilter.Id);
                }

                var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
                roleAssignments.AddRange(tempResult.RoleAssignments.ToList());

                while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
                    roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
                }

                // Filter out by scope
                if (!string.IsNullOrWhiteSpace(options.Scope))
                {
                    roleAssignments.RemoveAll(r => !options.Scope.StartsWith(r.Properties.Scope, StringComparison.InvariantCultureIgnoreCase));
                }
            }
            else if (!string.IsNullOrEmpty(options.Scope))
            {
                // Filter by scope and above directly
                parameters.AtScope = true;

                var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters);
                roleAssignments.AddRange(tempResult.RoleAssignments.ToList());

                while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextLink);
                    roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
                }
            }
            else
            {
                var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
                roleAssignments.AddRange(tempResult.RoleAssignments.ToList());

                while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
                    roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
                }
            }

            // To look for RoleDefinitions at the stated scope - if scope is Null then default to subscription scope
            string scopeForRoleDefinitions = string.IsNullOrEmpty(options.Scope) ? AuthorizationHelper.GetSubscriptionScope(currentSubscription) : options.Scope;

            result.AddRange(roleAssignments.FilterRoleAssignmentsOnRoleId(options.RoleDefinitionId)
                            .ToPSRoleAssignments(this, ActiveDirectoryClient, scopeForRoleDefinitions, options.ExcludeAssignmentsForDeletedPrincipals));

            if (!string.IsNullOrEmpty(options.RoleDefinitionName))
            {
                result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
            }

            if (options.IncludeClassicAdministrators)
            {
                // Get classic administrator access assignments
                List <ClassicAdministrator> classicAdministrators            = AuthorizationManagementClient.ClassicAdministrators.List().ClassicAdministrators.ToList();
                List <PSRoleAssignment>     classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList();

                // Filter by principal if provided
                if (options.ADObjectFilter.HasFilter)
                {
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
                    }

                    var userObject = adObject as PSADUser;
                    classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
                                                                                              c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase)).ToList();
                }

                result.AddRange(classicAdministratorsAssignments);
            }

            return(result);
        }

コード例 #19

ファイル: AuthorizationClient.cs プロジェクト: dulems/azure-powershell

        /// <summary>
        /// Deletes a role assignments based on the used options.
        /// </summary>
        /// <param name="options">The role assignment filtering options</param>
        /// <param name="subscriptionId">Current subscription id</param>
        /// <returns>The deleted role assignments</returns>
        public IEnumerable<PSRoleAssignment> RemoveRoleAssignment(FilterRoleAssignmentsOptions options, string subscriptionId)
        {
            // Match role assignments at exact scope. Ideally, atmost 1 roleAssignment should match the criteria 
            // but an edge case can have multiple role assignments to the same role or multiple role assignments to different roles, with same name.
            // The FilterRoleAssignments takes care of paging internally
            IEnumerable<PSRoleAssignment> roleAssignments = FilterRoleAssignments(options, currentSubscription: subscriptionId)
                                                .Where(ra => ra.Scope == options.Scope.TrimEnd('/'));

            if (roleAssignments == null || !roleAssignments.Any())
            {
                throw new KeyNotFoundException("The provided information does not map to a role assignment.");
            }
            else if (roleAssignments.Count() == 1)
            {
                AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignments.Single().RoleAssignmentId);
            }
            else
            {
                // All assignments are to the same roleDefinition Id.
                if (roleAssignments.All(a => a.RoleDefinitionId == roleAssignments.First().RoleDefinitionId))
                {
                    foreach (var assignment in roleAssignments)
                    {
                        AuthorizationManagementClient.RoleAssignments.DeleteById(assignment.RoleAssignmentId);
                    }
                }
                else
                {
                    // Assignments to different roleDefintion Ids. This can happen only if roleDefinition name was provided and multiple roles exists with same name.
                    throw new InvalidOperationException(string.Format(ProjectResources.MultipleRoleDefinitionsFoundWithSameName, options.RoleDefinitionName));
                }
            }

            return roleAssignments;
        }

コード例 #20

ファイル: AuthorizationClient.cs プロジェクト: randorfer/azure-powershell

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
        {
            Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
            Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
            string roleDefinitionId = GetRoleRoleDefinition(parameters.RoleDefinition).Id;

            RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
            {
                PrincipalId = principalId,
                RoleDefinitionId = roleDefinitionId
            };

            AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters);
            return AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
        }

コード例 #21

ファイル: NewAzureRoleAssignmentCommand.cs プロジェクト: hovsepm/azure-sdk-tools

        public override void ExecuteCmdlet()
        {
            FilterRoleAssignmentsOptions parameters = new FilterRoleAssignmentsOptions()
            {
                Scope = Scope,
                RoleDefinition = RoleDefinitionName,
                ADObjectFilter = new ADObjectFilterOptions
                {
                    Mail = Mail,
                    UPN = UserPrincipalName,
                    SPN = ServicePrincipalName,
                    Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
                },
                ResourceIdentifier = new ResourceIdentifier()
                {
                    ParentResource = ParentResource,
                    ResourceGroupName = ResourceGroupName,
                    ResourceName = ResourceName,
                    ResourceType = ResourceType,
                    Subscription = CurrentContext.Subscription.Id.ToString(),
                }
            };

            WriteObject(PoliciesClient.CreateRoleAssignment(parameters));
        }

コード例 #22

ファイル: AuthorizationClient.cs プロジェクト: randorfer/azure-powershell

        /// <summary>
        /// Filters role assignments based on the passed options.
        /// </summary>
        /// <param name="options">The filtering options</param>
        /// <returns>The filtered role assignments</returns>
        public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options)
        {
            List<PSRoleAssignment> result = new List<PSRoleAssignment>();
            ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();

            if (options.ADObjectFilter.HasFilter)
            {
                // Filter first by principal
                parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? ActiveDirectoryClient.GetObjectId(options.ADObjectFilter) : Guid.Parse(options.ADObjectFilter.Id);
                result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
                    .RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));

                // Filter out by scope
                if (!string.IsNullOrEmpty(options.Scope))
                {
                    result.RemoveAll(r => !options.Scope.StartsWith(r.Scope));                    
                }
            }
            else if (!string.IsNullOrEmpty(options.Scope))
            {
                // Filter by scope and above directly
                parameters.AtScope = true;
                result.AddRange(AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters)
                    .RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
            }
            else
            {
                result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
                    .RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient)));
            }

            if (!string.IsNullOrEmpty(options.RoleDefinition))
            {
                result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinition, StringComparison.OrdinalIgnoreCase)).ToList();
            }

            return result;
        }

コード例 #23

ファイル: RemoveAzureRoleAssignmentCommand.cs プロジェクト: shuainie/azure-powershell

        public override void ExecuteCmdlet()
        {
            PSRoleAssignment roleAssignment = null;
            FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
            {
                Scope = Scope,
                RoleDefinition = RoleDefinitionName,
                ADObjectFilter = new ADObjectFilterOptions
                {
                    Mail = Mail,
                    Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
                    UPN = UserPrincipalName,
                    SPN = ServicePrincipalName
                },
                ResourceIdentifier = new ResourceIdentifier()
                {
                    ParentResource = ParentResource,
                    ResourceGroupName = ResourceGroupName,
                    ResourceName = ResourceName,
                    ResourceType = ResourceType,
                    Subscription = Profile.Context.Subscription.Id.ToString()
                }
            };

            ConfirmAction(
                Force.IsPresent,
                string.Format(ProjectResources.RemovingRoleAssignment,
                options.ADObjectFilter.ActiveFilter,
                options.Scope,
                options.RoleDefinition),
                ProjectResources.RemovingRoleAssignment,
                null,
                () => roleAssignment = PoliciesClient.RemoveRoleAssignment(options));

            if (PassThru)
            {
                WriteObject(roleAssignment);
            }
        }

コード例 #24

ファイル: RemoveAzureRoleAssignmentCommand.cs プロジェクト: rbramwell/azure-powershell

        protected override void ProcessRecord()
        {
            PSRoleAssignment roleAssignment = null;
            FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
            {
                Scope = Scope,
                RoleDefinition = RoleDefinitionName,
                ADObjectFilter = new ADObjectFilterOptions
                {
                    SignInName = SignInName,
                    Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
                    SPN = ServicePrincipalName
                },
                ResourceIdentifier = new ResourceIdentifier()
                {
                    ParentResource = ParentResource,
                    ResourceGroupName = ResourceGroupName,
                    ResourceName = ResourceName,
                    ResourceType = ResourceType,
                    Subscription = DefaultProfile.Context.Subscription.Id.ToString()
                },
                ExcludeAssignmentsForDeletedPrincipals = false
            };

            ConfirmAction(
                Force.IsPresent,
                string.Format(ProjectResources.RemovingRoleAssignment,
                options.ADObjectFilter.ActiveFilter,
                options.Scope,
                options.RoleDefinition),
                ProjectResources.RemovingRoleAssignment,
                null,
                () => roleAssignment = PoliciesClient.RemoveRoleAssignment(options));

            if (PassThru)
            {
                WriteObject(roleAssignment);
            }
        }

コード例 #25

ファイル: GetAzureRoleAssignmentCommand.cs プロジェクト: shuainie/azure-powershell

        public override void ExecuteCmdlet()
        {
            FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
            {
                Scope = Scope,
                RoleDefinition = RoleDefinitionName,
                ADObjectFilter = new ADObjectFilterOptions
                {
                    Mail = Mail,
                    UPN = UserPrincipalName,
                    SPN = ServicePrincipalName,
                    Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
                },
                ResourceIdentifier = new ResourceIdentifier()
                {
                    ParentResource = ParentResource,
                    ResourceGroupName = ResourceGroupName,
                    ResourceName = ResourceName,
                    ResourceType = ResourceType,
                    Subscription = string.IsNullOrEmpty(ResourceGroupName) ? null : Profile.Context.Subscription.Id.ToString()
                }
            };

            WriteObject(PoliciesClient.FilterRoleAssignments(options), true);
        }

コード例 #26

ファイル: NewAzureRoleAssignmentCommand.cs プロジェクト: rbramwell/azure-powershell

        protected override void ProcessRecord()
        {
            FilterRoleAssignmentsOptions parameters = new FilterRoleAssignmentsOptions()
            {
                Scope = Scope,
                RoleDefinition = RoleDefinitionName,
                ADObjectFilter = new ADObjectFilterOptions
                {
                    SignInName = SignInName,
                    SPN = ServicePrincipalName,
                    Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
                },
                ResourceIdentifier = new ResourceIdentifier()
                {
                    ParentResource = ParentResource,
                    ResourceGroupName = ResourceGroupName,
                    ResourceName = ResourceName,
                    ResourceType = ResourceType,
                    Subscription = DefaultProfile.Context.Subscription.Id.ToString(),
                }
            };

            WriteObject(PoliciesClient.CreateRoleAssignment(parameters));
        }

コード例 #27

ファイル: AuthorizationClient.cs プロジェクト: dulems/azure-powershell

        /// <summary>
        /// Creates new role assignment.
        /// </summary>
        /// <param name="parameters">The create parameters</param>
        /// <returns>The created role assignment object</returns>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters)
        {
            Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
            Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
            string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
                ? AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(parameters.Scope, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, parameters.Scope).Id)
                : AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(parameters.Scope, parameters.RoleDefinitionId);

            RoleAssignmentCreateParameters createParameters = new RoleAssignmentCreateParameters
            {
                Properties = new RoleAssignmentProperties
                {
                    PrincipalId = principalId,
                    RoleDefinitionId = roleDefinitionId
                }
            };

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters).RoleAssignment;

            return assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
        }

コード例 #28

ファイル: RemoveAzureRoleAssignmentCommand.cs プロジェクト: dulems/azure-powershell

        public override void ExecuteCmdlet()
        {
            IEnumerable<PSRoleAssignment> roleAssignments = null;
            FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
            {
                Scope = Scope,
                RoleDefinitionName = RoleDefinitionName,
                RoleDefinitionId = RoleDefinitionId == Guid.Empty ? null : RoleDefinitionId.ToString(),
                ADObjectFilter = new ADObjectFilterOptions
                {
                    UPN = SignInName,
                    Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
                    SPN = ServicePrincipalName
                },
                ResourceIdentifier = new ResourceIdentifier()
                {
                    ParentResource = ParentResource,
                    ResourceGroupName = ResourceGroupName,
                    ResourceName = ResourceName,
                    ResourceType = ResourceType,
                    Subscription = DefaultProfile.Context.Subscription.Id.ToString()
                },
                ExcludeAssignmentsForDeletedPrincipals = false
            };

            ConfirmAction(
                Force.IsPresent,
                string.Format(ProjectResources.RemovingRoleAssignment,
                options.ADObjectFilter.ActiveFilter,
                options.Scope,
                options.RoleDefinitionName ?? RoleDefinitionId.ToString()),
                ProjectResources.RemovingRoleAssignment,
                null,
                () => roleAssignments = PoliciesClient.RemoveRoleAssignment(options, DefaultProfile.Context.Subscription.Id.ToString()));

            if (PassThru)
            {
                WriteObject(roleAssignments, enumerateCollection: true);
            }
        }

コード例 #29

ファイル: AuthorizationClient.cs プロジェクト: randorfer/azure-powershell

        /// <summary>
        /// Deletes a role assignments based on the used options.
        /// </summary>
        /// <param name="options">The role assignment filtering options</param>
        /// <returns>The deleted role assignments</returns>
        public PSRoleAssignment RemoveRoleAssignment(FilterRoleAssignmentsOptions options)
        {
            PSRoleAssignment roleAssignment = FilterRoleAssignments(options).FirstOrDefault();

            if (roleAssignment != null)
            {
                AuthorizationManagementClient.RoleAssignments.DeleteById(roleAssignment.RoleAssignmentId);
            }
            else
            {
                throw new KeyNotFoundException("The provided information does not map to a role assignment.");
            }

            return roleAssignment;
        }

コード例 #30

        /// <summary>
        /// Filters role assignments based on the passed options.
        /// </summary>
        /// <param name="options">The filtering options</param>
        /// <param name="currentSubscription">The current subscription</param>
        /// <returns>The filtered role assignments</returns>
        public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription, ulong first = ulong.MaxValue, ulong skip = 0)
        {
            List <PSRoleAssignment> result = new List <PSRoleAssignment>();
            string principalId             = null;

            PSADObject adObject = null;

            Rest.Azure.OData.ODataQuery <RoleAssignmentFilter> odataQuery = null;
            if (options.ADObjectFilter.HasFilter)
            {
                if (string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups || options.IncludeClassicAdministrators)
                {
                    adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);

                    if (adObject == null)
                    {
                        throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                    }
                }

                // Filter first by principal
                if (options.ExpandPrincipalGroups)
                {
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
                    }

                    principalId = adObject.Id.ToString();
                    odataQuery  = new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.AssignedTo(principalId));
                }
                else
                {
                    principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id.ToString() : options.ADObjectFilter.Id;
                    odataQuery  = new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId);
                }

                if (!string.IsNullOrEmpty(options.Scope))
                {
                    var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, odataQuery);
                    result.AddRange(tempResult
                                    .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                    .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
                }
                else
                {
                    var tempResult = AuthorizationManagementClient.RoleAssignments.List(odataQuery);
                    result.AddRange(tempResult
                                    .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                    .ToPSRoleAssignments(this, ActiveDirectoryClient, AuthorizationHelper.GetSubscriptionScope(currentSubscription), options.ExcludeAssignmentsForDeletedPrincipals));
                }

                // Filter out by scope
                if (!string.IsNullOrEmpty(options.Scope))
                {
                    result.RemoveAll(r => !options.Scope.StartsWith(r.Scope, StringComparison.OrdinalIgnoreCase));
                }
            }
            else if (!string.IsNullOrEmpty(options.Scope))
            {
                // Filter by scope and above directly
                var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, odataQuery);
                result.AddRange(tempResult
                                .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
            }
            else
            {
                var tempResult = AuthorizationManagementClient.RoleAssignments.List(odataQuery);
                result.AddRange(tempResult
                                .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                .ToPSRoleAssignments(this, ActiveDirectoryClient, AuthorizationHelper.GetSubscriptionScope(currentSubscription), options.ExcludeAssignmentsForDeletedPrincipals));
            }

            if (!string.IsNullOrEmpty(options.RoleDefinitionName))
            {
                result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
            }

            if (options.IncludeClassicAdministrators)
            {
                // Get classic administrator access assignments
                var classicAdministratorsSubscription = currentSubscription;
                if (options.Scope != null)
                {
                    classicAdministratorsSubscription = AuthorizationHelper.GetResourceSubscription(options.Scope) ?? currentSubscription;
                }

                List <ClassicAdministrator> classicAdministrators = new List <ClassicAdministrator>();
                if (currentSubscription != classicAdministratorsSubscription)
                {
                    var client = AzureSession.Instance.ClientFactory.CreateArmClient <AuthorizationManagementClient>(AzureRmProfileProvider.Instance.Profile.DefaultContext, AzureEnvironment.Endpoint.ResourceManager);
                    client.SubscriptionId = classicAdministratorsSubscription;
                    classicAdministrators = client.ClassicAdministrators.List().ToList();
                }
                else
                {
                    classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ToList();
                }

                List <PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(classicAdministratorsSubscription)).ToList();

                // Filter by principal if provided
                if (options.ADObjectFilter.HasFilter)
                {
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
                    }

                    var userObject = adObject as PSADUser;
                    classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
                                                                                              c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase)).ToList();
                }

                result.AddRange(classicAdministratorsAssignments);
            }

            return(result);
        }

コード例 #31

ファイル: AuthorizationClient.cs プロジェクト: dulems/azure-powershell

        /// <summary>
        /// Filters role assignments based on the passed options.
        /// </summary>
        /// <param name="options">The filtering options</param>
        /// <param name="currentSubscription">The current subscription</param>
        /// <returns>The filtered role assignments</returns>
        public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
        {
            List<PSRoleAssignment> result = new List<PSRoleAssignment>();
            List<RoleAssignment> roleAssignments = new List<RoleAssignment>();
            ListAssignmentsFilterParameters parameters = new ListAssignmentsFilterParameters();

            PSADObject adObject = null;
            if (options.ADObjectFilter.HasFilter)
            {
                adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
                if (adObject == null)
                {
                    throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                }

                // Filter first by principal
                if (options.ExpandPrincipalGroups)
                {
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
                    }

                    parameters.AssignedToPrincipalId = adObject.Id;
                }
                else
                {
                    parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id : Guid.Parse(options.ADObjectFilter.Id);
                }

                var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
                roleAssignments.AddRange(tempResult.RoleAssignments.ToList());

                while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
                    roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
                }

                // Filter out by scope
                if (!string.IsNullOrEmpty(options.Scope))
                {
                    result.RemoveAll(r => !options.Scope.StartsWith(r.Scope, StringComparison.InvariantCultureIgnoreCase));
                }
            }
            else if (!string.IsNullOrEmpty(options.Scope))
            {
                // Filter by scope and above directly
                parameters.AtScope = true;

                var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters);
                roleAssignments.AddRange(tempResult.RoleAssignments.ToList());

                while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextLink);
                    roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
                }
            }
            else
            {
                var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
                roleAssignments.AddRange(tempResult.RoleAssignments.ToList());

                while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
                    roleAssignments.AddRange(tempResult.RoleAssignments.ToList());
                }
            }

            // To look for RoleDefinitions at the stated scope - if scope is Null then default to subscription scope
            string scopeForRoleDefinitions = string.IsNullOrEmpty(options.Scope) ? AuthorizationHelper.GetSubscriptionScope(currentSubscription) : options.Scope;

            result.AddRange(roleAssignments.FilterRoleAssignmentsOnRoleId(options.RoleDefinitionId)
                .ToPSRoleAssignments(this, ActiveDirectoryClient, scopeForRoleDefinitions, options.ExcludeAssignmentsForDeletedPrincipals));

            if (!string.IsNullOrEmpty(options.RoleDefinitionName))
            {
                result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
            }

            if (options.IncludeClassicAdministrators)
            {
                // Get classic administrator access assignments 
                List<ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ClassicAdministrators.ToList();
                List<PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList();

                // Filter by principal if provided
                if (options.ADObjectFilter.HasFilter)
                {
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
                    }

                    var userObject = adObject as PSADUser;
                    classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
                           c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase) ||
                           c.DisplayName.Equals(userObject.Mail, StringComparison.OrdinalIgnoreCase)).ToList();
                }

                result.AddRange(classicAdministratorsAssignments);
            }

            return result;
        }

コード例 #32

ファイル: GetAzureRoleAssignmentCommand.cs プロジェクト: kjohn-msft/azure-powershell

        protected override void ProcessRecord()
        {
            FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
            {
                Scope = Scope,
                RoleDefinitionName = RoleDefinitionName,
                RoleDefinitionId = RoleDefinitionId == Guid.Empty ? null : RoleDefinitionId.ToString(),
                ADObjectFilter = new ADObjectFilterOptions
                {
                    SignInName = SignInName,
                    SPN = ServicePrincipalName,
                    Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
                },
                ResourceIdentifier = new ResourceIdentifier()
                {
                    ParentResource = ParentResource,
                    ResourceGroupName = ResourceGroupName,
                    ResourceName = ResourceName,
                    ResourceType = ResourceType,
                    Subscription = string.IsNullOrEmpty(ResourceGroupName) ? null : DefaultProfile.Context.Subscription.Id.ToString()
                },
                ExpandPrincipalGroups = ExpandPrincipalGroups.IsPresent,
                IncludeClassicAdministrators = IncludeClassicAdministrators.IsPresent,
                ExcludeAssignmentsForDeletedPrincipals = true
            };

            WriteObject(PoliciesClient.FilterRoleAssignments(options, DefaultProfile.Context.Subscription.Id.ToString()), enumerateCollection: true);
        }

コード例 #33

ファイル: RemoveAzureRoleAssignmentCommand.cs プロジェクト: Azure/azure-powershell

        public override void ExecuteCmdlet()
        {
            IEnumerable<PSRoleAssignment> roleAssignments = null;
            FilterRoleAssignmentsOptions options = new FilterRoleAssignmentsOptions()
            {
                Scope = Scope,
                RoleDefinitionName = RoleDefinitionName,
                RoleDefinitionId = RoleDefinitionId == Guid.Empty ? null : RoleDefinitionId.ToString(),
                ADObjectFilter = new ADObjectFilterOptions
                {
                    UPN = SignInName,
                    Id = ObjectId == Guid.Empty ? null : ObjectId.ToString(),
                    SPN = ServicePrincipalName
                },
                ResourceIdentifier = new ResourceIdentifier()
                {
                    ParentResource = ParentResource,
                    ResourceGroupName = ResourceGroupName,
                    ResourceName = ResourceName,
                    ResourceType = ResourceType,
                    Subscription = DefaultProfile.Context.Subscription.Id.ToString()
                },
                ExcludeAssignmentsForDeletedPrincipals = false,
                // we should never expand principal groups in the Delete scenario
                ExpandPrincipalGroups = false,
                // never include classic administrators in the Delete scenario
                IncludeClassicAdministrators = false
            };

            ConfirmAction(
                ProjectResources.RemovingRoleAssignment,
                string.Empty,
                () =>
                {
                    roleAssignments = PoliciesClient.RemoveRoleAssignment(options,
                        DefaultProfile.Context.Subscription.Id.ToString());
                    if (PassThru)
                    {
                        WriteObject(roleAssignments, enumerateCollection: true);
                    }
                });

        }