        /// <summary>
        /// Converts a service-side <see cref="RoleAssignment"/> into a <see cref="PSRoleAssignment"/>, enriching it
        /// with the role-definition name and the principal's directory (AD) details.
        /// </summary>
        /// <param name="assignment">The assignment returned by the authorization service.</param>
        /// <param name="policyClient">Used to resolve <c>RoleDefinitionId</c> to a role definition (for its name).</param>
        /// <param name="activeDirectoryClient">Used to resolve <c>PrincipalId</c> to a directory object.</param>
        /// <param name="scopeForRoleDefinition">Optional scope for the role-definition lookup; when empty the lookup uses the full id alone.</param>
        /// <returns>
        /// A populated <see cref="PSRoleAssignment"/>. <c>RoleDefinitionName</c> is null when the definition lookup
        /// was unauthorized; <c>DisplayName</c>/<c>SignInName</c> are null when the principal could not be resolved.
        /// </returns>
        public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, string scopeForRoleDefinition = null)
        {
            PSRoleDefinition roleDefinition = null;
            PSADObject       adObject       = null;

            // Get role definition name information by role definition ID
            try
            {
                if (string.IsNullOrEmpty(scopeForRoleDefinition))
                {
                    roleDefinition = policyClient.GetRoleDefinition(assignment.RoleDefinitionId);
                }
                else
                {
                    roleDefinition = policyClient.GetRoleDefinition(assignment.RoleDefinitionId.GetGuidFromId(), scopeForRoleDefinition);
                }
            }
            catch (CloudException ce) when(ce.Response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments;
                // RoleDefinitionName is simply left null below. Other status codes still propagate.
            }

            // Resolve the principal (directory object) behind the assignment
            try
            {
                adObject = activeDirectoryClient.GetObjectByObjectId(assignment.PrincipalId);
            }
            catch (Common.MSGraph.Version1_0.DirectoryObjects.Models.OdataErrorException oe)
            {
                // A denied or missing principal still yields a stub carrying the id and an explicit
                // UnknownType; any other Graph error leaves adObject null.
                if (oe.IsAuthorizationDeniedException() || oe.IsNotFoundException())
                {
                    adObject = new PSADObject()
                    {
                        Id = assignment.PrincipalId, Type = UnknownType
                    };
                }
                // Swallow exceptions when displaying the active directory object
            }

            return(new PSRoleAssignment()
            {
                RoleAssignmentName = assignment.Name,
                RoleAssignmentId = assignment.Id,
                Scope = assignment.Scope,
                DisplayName = adObject?.DisplayName,
                // Only user principals carry a UPN; groups/service principals get null here.
                SignInName = adObject is PSADUser user ? user.UserPrincipalName : null,
                RoleDefinitionName = roleDefinition?.Name,
                // Strip the fully-qualified form down to the bare definition guid.
                RoleDefinitionId = assignment.RoleDefinitionId.GuidFromFullyQualifiedId(),
                ObjectId = assignment.PrincipalId,
                // Use information from adObject first, assignment.PrincipalType is a cached information
                ObjectType = adObject?.Type ?? assignment.PrincipalType,
                // CanDelegate's value is absent from RoleAssignment
                // CanDelegate = null,
                Description = assignment.Description,
                ConditionVersion = assignment.ConditionVersion,
                Condition = assignment.Condition
            });
            // NOTE(review): the method's closing brace is missing from this listing.
        /// <summary>
        /// Returns the deny assignments that match <paramref name="options"/>.
        /// </summary>
        /// <remarks>
        /// Precedence: a concrete <c>DenyAssignmentId</c> is fetched directly; otherwise a
        /// <c>DenyAssignmentName</c> filter wins over a principal (<c>ADObjectFilter</c>) filter, and the
        /// resulting OData query is handed to <c>FilterDenyAssignmentsByScope</c>.
        /// </remarks>
        /// <param name="options">The filtering options</param>
        /// <param name="currentSubscription">Subscription used to build the default scope when <c>options.Scope</c> is empty</param>
        /// <returns>The filtered deny assignments</returns>
        /// <exception cref="KeyNotFoundException">The principal in <c>options.ADObjectFilter</c> could not be resolved.</exception>
        /// <exception cref="InvalidOperationException">Group expansion was requested for a principal that is not a user.</exception>
        public List <PSDenyAssignment> FilterDenyAssignments(FilterDenyAssignmentsOptions options, string currentSubscription)
        {
            // A concrete id short-circuits everything else: fetch that single deny assignment.
            if (options.DenyAssignmentId != Guid.Empty)
            {
                var lookupScope = string.IsNullOrEmpty(options.Scope)
                    ? AuthorizationHelper.GetSubscriptionScope(currentSubscription)
                    : options.Scope;
                var single = AuthorizationManagementClient.DenyAssignments
                             .Get(lookupScope, options.DenyAssignmentId.ToString())
                             .ToPSDenyAssignment(ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals);
                return new List <PSDenyAssignment> { single };
            }

            Rest.Azure.OData.ODataQuery <DenyAssignmentFilter> filter = null;

            if (!string.IsNullOrEmpty(options.DenyAssignmentName))
            {
                filter = new Rest.Azure.OData.ODataQuery <DenyAssignmentFilter>(item => item.DenyAssignmentName == options.DenyAssignmentName);
            }
            else if (options.ADObjectFilter.HasFilter)
            {
                // The directory object is needed when the id is unknown, or when group expansion
                // must verify that the principal is a user.
                PSADObject principal = null;
                bool needsLookup = string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups;
                if (needsLookup)
                {
                    principal = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
                    if (principal == null)
                    {
                        throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                    }
                }

                // Filter first by principal
                if (options.ExpandPrincipalGroups)
                {
                    if (!(principal is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
                    }

                    var expandedPrincipalId = principal.Id.ToString();
                    filter = new Rest.Azure.OData.ODataQuery <DenyAssignmentFilter>(f => f.AssignedTo(expandedPrincipalId));
                }
                else
                {
                    var directPrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id)
                        ? principal.Id.ToString()
                        : options.ADObjectFilter.Id;
                    filter = new Rest.Azure.OData.ODataQuery <DenyAssignmentFilter>(f => f.PrincipalId == directPrincipalId);
                }
            }

            var matches = new List <PSDenyAssignment>();
            matches.AddRange(this.FilterDenyAssignmentsByScope(options, filter, currentSubscription));
            return matches;
        }
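        /// <summary>
        /// Updates a role assignment by re-issuing it through <c>RoleAssignments.Create</c> on the
        /// assignment's own scope and id.
        /// </summary>
        /// <remarks>
        /// When <c>ObjectType</c> is not supplied it is inferred from the directory object behind
        /// <c>ObjectId</c> (the original comment notes Set-AzRoleAssignment can be invoked as a create
        /// operation). NOTE(review): because the call goes through Create, an id that does not exist yet
        /// will presumably result in a new assignment — confirm that is the intended semantics.
        /// </remarks>
        /// <param name="roleAssignment">The role assignment to update; <c>Scope</c>, <c>RoleAssignmentId</c>, <c>ObjectId</c> and <c>RoleDefinitionId</c> are read.</param>
        /// <returns>The updated role assignment as returned by the service.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="roleAssignment"/> is null.</exception>
        /// <exception cref="ArgumentException"><c>ObjectType</c> was not supplied and no directory object matches <c>ObjectId</c>.</exception>
        public PSRoleAssignment UpdateRoleAssignment(PSRoleAssignment roleAssignment)
        {
            if (roleAssignment == null)
            {
                throw new ArgumentNullException(nameof(roleAssignment));
            }

            string principalType = roleAssignment.ObjectType;

            // check added in case Set-AzRoleAssignment is called as a create operation but the user didn't add the object type
            if (principalType == null)
            {
                PSADObject assignee = ActiveDirectoryClient.GetADObject(new ADObjectFilterOptions()
                {
                    Id = roleAssignment.ObjectId
                });

                if (assignee == null)
                {
                    throw new ArgumentException("No AD object could be found with current parameters, please confirm the information provided is correct and try again");
                }

                // Any other directory object kind maps to null and is left for the service to interpret.
                principalType = assignee is PSADUser ? "User"
                    : assignee is PSADServicePrincipal ? "ServicePrincipal"
                    : assignee is PSADGroup ? "Group"
                    : null;
            }

            // RoleAssignmentId may be fully qualified (".../roleAssignments/{guid}") or already a bare guid;
            // keep only the last path segment. The char overload searches ordinally, independent of culture.
            string rawAssignmentId  = roleAssignment.RoleAssignmentId;
            int    lastSlash        = rawAssignmentId.LastIndexOf('/');
            string roleAssignmentId = lastSlash != -1 ? rawAssignmentId.Substring(lastSlash + 1) : rawAssignmentId;
            string scope            = roleAssignment.Scope;
            string roleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, roleAssignment.RoleDefinitionId);

            var createParameters = new RoleAssignmentCreateParameters
            {
                PrincipalId      = roleAssignment.ObjectId,
                RoleDefinitionId = roleDefinitionId,
                PrincipalType    = principalType,
                CanDelegate      = roleAssignment.CanDelegate,
                // Blank optional fields are sent as null rather than empty strings.
                Description      = NullIfBlank(roleAssignment.Description),
                Condition        = NullIfBlank(roleAssignment.Condition),
                ConditionVersion = NullIfBlank(roleAssignment.ConditionVersion)
            };

            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Create(scope, roleAssignmentId, createParameters);
            return assignment.ToPSRoleAssignment(this, ActiveDirectoryClient);

            // Whitespace-only values are treated as "not provided".
            string NullIfBlank(string value) => string.IsNullOrWhiteSpace(value) ? null : value;
        }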
        /// <summary>
        /// Converts a service-side <see cref="RoleAssignment"/> into a <see cref="PSRoleAssignment"/>, adding the
        /// role-definition name and the principal's directory details where they can be resolved.
        /// </summary>
        /// <param name="assignment">The assignment returned by the authorization service.</param>
        /// <param name="policyClient">Used to resolve <c>RoleDefinitionId</c> to a role definition (for its name).</param>
        /// <param name="activeDirectoryClient">Used to resolve <c>PrincipalId</c> to a directory object.</param>
        /// <param name="scopeForRoleDefinition">Optional scope for the role-definition lookup; when empty the lookup uses the full id alone.</param>
        /// <returns>
        /// A populated <see cref="PSRoleAssignment"/>. <c>RoleDefinitionName</c> is null when the definition lookup
        /// was unauthorized; <c>DisplayName</c>/<c>SignInName</c> are null when the principal lookup failed.
        /// <c>RoleDefinitionId</c> is passed through unchanged.
        /// </returns>
        public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, string scopeForRoleDefinition = null)
        {
            PSRoleDefinition roleDefinition = null;
            PSADObject       adObject       = null;

            // Get role definition name information by role definition ID
            try
            {
                if (string.IsNullOrEmpty(scopeForRoleDefinition))
                {
                    roleDefinition = policyClient.GetRoleDefinition(assignment.RoleDefinitionId);
                }
                else
                {
                    roleDefinition = policyClient.GetRoleDefinition(assignment.RoleDefinitionId.GetGuidFromId(), scopeForRoleDefinition);
                }
            }
            catch (CloudException ce) when(ce.Response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments;
                // RoleDefinitionName is left null below. Other status codes still propagate.
            }

            // Resolve the principal (directory object) behind the assignment
            try
            {
                adObject = activeDirectoryClient.GetObjectByObjectId(assignment.PrincipalId);
            }
            catch
            {
                // Swallow exceptions when displaying the active directory object.
                // NOTE(review): this is a catch-all, so transport/auth failures unrelated to the
                // principal are also hidden; the principal then shows up as UnknownType below.
            }

            return(new PSRoleAssignment()
            {
                RoleAssignmentName = assignment.Name,
                RoleAssignmentId = assignment.Id,
                Scope = assignment.Scope,
                DisplayName = adObject?.DisplayName,
                // Only user principals carry a UPN; groups/service principals get null here.
                SignInName = adObject is PSADUser user ? user.UserPrincipalName : null,
                RoleDefinitionName = roleDefinition?.Name,
                RoleDefinitionId = assignment.RoleDefinitionId,
                ObjectId = assignment.PrincipalId,
                // Service-reported PrincipalType wins; fall back to the directory object's type, then UnknownType.
                ObjectType = string.IsNullOrEmpty(assignment.PrincipalType) ? adObject?.Type ?? UnknownType : assignment.PrincipalType,
                // CanDelegate's value is absent from RoleAssignment
                // CanDelegate = null,
                Description = assignment.Description,
                ConditionVersion = assignment.ConditionVersion,
                Condition = assignment.Condition
            });
            // NOTE(review): the method's closing brace is missing from this listing.
        /// <summary>
        /// Creates a new role assignment for the principal selected by <c>parameters.ADObjectFilter</c>.
        /// </summary>
        /// <remarks>
        /// The role definition is taken from <c>RoleDefinitionId</c>, or looked up by
        /// <c>RoleDefinitionName</c> at <c>parameters.Scope</c> when a name is given. The optional
        /// <c>Description</c>, <c>Condition</c> and <c>ConditionVersion</c> fields of <paramref name="parameters"/>
        /// are normalised in place (blank becomes null) before the request is built.
        /// </remarks>
        /// <param name="parameters">The create parameters</param>
        /// <param name="roleAssignmentId">Optional assignment id; a fresh guid is generated when left at <c>default(Guid)</c>.</param>
        /// <returns>The created role assignment object</returns>
        /// <exception cref="ArgumentException">No directory object matched <c>parameters.ADObjectFilter</c>.</exception>
        public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parameters, Guid roleAssignmentId = default(Guid))
        {
            PSADObject principal = ActiveDirectoryClient.GetADObject(parameters.ADObjectFilter);
            if (principal == null)
            {
                throw new ArgumentException(ProjectResources.NoADObjectFound);
            }

            string principalId = principal.Id;

            // Any other directory object kind maps to null and is left for the service to interpret.
            string principalType;
            if (principal is PSADUser)
            {
                principalType = "User";
            }
            else if (principal is PSADServicePrincipal)
            {
                principalType = "ServicePrincipal";
            }
            else if (principal is PSADGroup)
            {
                principalType = "Group";
            }
            else
            {
                principalType = null;
            }

            if (roleAssignmentId == default(Guid))
            {
                roleAssignmentId = Guid.NewGuid();
            }

            string scope = parameters.Scope;
            string fullyQualifiedDefinitionId;
            if (string.IsNullOrEmpty(parameters.RoleDefinitionName))
            {
                fullyQualifiedDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, parameters.RoleDefinitionId);
            }
            else
            {
                var definition = GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, scope);
                fullyQualifiedDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(scope, definition.Id);
            }

            // Blank optional fields are written back to the options object as null before being sent.
            parameters.Description      = string.IsNullOrWhiteSpace(parameters.Description) ? null : parameters.Description;
            parameters.Condition        = string.IsNullOrWhiteSpace(parameters.Condition) ? null : parameters.Condition;
            parameters.ConditionVersion = string.IsNullOrWhiteSpace(parameters.ConditionVersion) ? null : parameters.ConditionVersion;

            var request = new RoleAssignmentCreateParameters
            {
                PrincipalId      = principalId.ToString(),
                PrincipalType    = principalType,
                RoleDefinitionId = fullyQualifiedDefinitionId,
                CanDelegate      = parameters.CanDelegate,
                Description      = parameters.Description,
                Condition        = parameters.Condition,
                ConditionVersion = parameters.ConditionVersion
            };

            RoleAssignment created = AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId.ToString(), request);
            return created.ToPSRoleAssignment(this, ActiveDirectoryClient);
        }
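        /// <summary>
        /// Converts service-side role assignments into <see cref="PSRoleAssignment"/> objects, resolving every
        /// principal with one batched directory call and every role definition against <paramref name="roleDefinitions"/>.
        /// </summary>
        /// <param name="assignments">Assignments to convert; enumerated exactly once. Each item's <c>RoleDefinitionId</c> is rewritten to its bare guid form as a side effect.</param>
        /// <param name="roleDefinitions">Role definitions (ids in bare guid form) used to fill in <c>RoleDefinitionName</c>.</param>
        /// <param name="policyClient">Not used by this overload; kept for signature parity with the public entry points.</param>
        /// <param name="activeDirectoryClient">Client used for the batched principal lookup.</param>
        /// <param name="excludeAssignmentsForDeletedPrincipals">When true, assignments whose principal is not a user, group or service principal are dropped; otherwise they are emitted with <c>ObjectType = DeletedObject</c>.</param>
        /// <returns>The converted assignments; empty when <paramref name="assignments"/> is null or empty.</returns>
        /// <exception cref="InvalidOperationException">The directory lookup was denied (insufficient Graph permission).</exception>
        private static IEnumerable <PSRoleAssignment> ToPSRoleAssignments(this IEnumerable <RoleAssignment> assignments, IEnumerable <PSRoleDefinition> roleDefinitions, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals)
        {
            var psAssignments = new List <PSRoleAssignment>();

            // Materialise once: the parameter may be a deferred query and the loop below mutates its items,
            // so enumerating it three times (Any/Select/foreach) could touch different instances.
            var assignmentList = assignments as IList <RoleAssignment> ?? assignments?.ToList();
            if (assignmentList == null || assignmentList.Count == 0)
            {
                return psAssignments;
            }

            var definitionList = roleDefinitions as IList <PSRoleDefinition> ?? roleDefinitions?.ToList() ?? new List <PSRoleDefinition>();

            // One batched directory call for all distinct principals instead of one per assignment.
            List <string> objectIds = assignmentList.Select(r => r.PrincipalId.ToString()).Distinct().ToList();
            List <PSADObject> adObjects;
            try
            {
                adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds) ?? new List <PSADObject>();
            }
            catch (CloudException ce) when(IsAuthorizationDeniedException(ce))
            {
                throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission);
            }

            foreach (RoleAssignment assignment in assignmentList)
            {
                assignment.RoleDefinitionId = assignment.RoleDefinitionId.GuidFromFullyQualifiedId();

                // Unresolved principals / definitions get an id-only stub so the output never carries a null.
                PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.PrincipalId)
                                      ?? new PSADObject() { Id = assignment.PrincipalId };
                PSRoleDefinition roleDefinition = definitionList.SingleOrDefault(r => r.Id == assignment.RoleDefinitionId)
                                                  ?? new PSRoleDefinition() { Id = assignment.RoleDefinitionId };

                if (adObject is PSADUser user)
                {
                    var converted = Build(assignment, adObject, roleDefinition);
                    converted.SignInName = user.UserPrincipalName;
                    converted.ObjectType = adObject.Type;
                    psAssignments.Add(converted);
                }
                else if (adObject is PSADGroup || adObject is PSADServicePrincipal)
                {
                    var converted = Build(assignment, adObject, roleDefinition);
                    converted.ObjectType = adObject.Type;
                    psAssignments.Add(converted);
                }
                else if (!excludeAssignmentsForDeletedPrincipals)
                {
                    // Principal no longer resolvable in the directory: report it explicitly as deleted.
                    var converted = Build(assignment, adObject, roleDefinition);
                    converted.ObjectType = DeletedObject;
                    psAssignments.Add(converted);
                }
                // Otherwise the principal does not exist and excludeAssignmentsForDeletedPrincipals asked to skip it.
            }

            return psAssignments;

            // Fields shared by every branch; SignInName/ObjectType are set by the caller.
            PSRoleAssignment Build(RoleAssignment source, PSADObject principal, PSRoleDefinition definition) => new PSRoleAssignment()
            {
                RoleAssignmentId   = source.Id,
                DisplayName        = principal.DisplayName,
                RoleDefinitionId   = definition.Id,
                RoleDefinitionName = definition.Name,
                Scope              = source.Scope,
                ObjectId           = principal.Id,
                CanDelegate        = source.CanDelegate ?? false
            };
        }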
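        /// <summary>
        /// Converts role assignments whose fields live under <c>assignment.Properties</c> into
        /// <see cref="PSRoleAssignment"/> objects. Principals are resolved with one batched directory call and
        /// role definitions with one <c>FilterRoleDefinitions</c> call.
        /// </summary>
        /// <param name="assignments">Assignments to convert; enumerated exactly once.</param>
        /// <param name="policyClient">Used to fetch the role-definition list for name resolution.</param>
        /// <param name="activeDirectoryClient">Used for the batched principal lookup.</param>
        /// <param name="excludeAssignmentsForDeletedPrincipals">When true (default), assignments whose principal is not a user, group or service principal are dropped; otherwise they are emitted without <c>ObjectType</c>/<c>SignInName</c>.</param>
        /// <returns>The converted assignments; empty when <paramref name="assignments"/> is null or empty.</returns>
        public static IEnumerable <PSRoleAssignment> ToPSRoleAssignments(this IEnumerable <RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
        {
            var psAssignments = new List <PSRoleAssignment>();

            // Materialise once so a deferred source is not re-queried by Any/Select/foreach.
            var assignmentList = assignments as IList <RoleAssignment> ?? assignments?.ToList();
            if (assignmentList == null || assignmentList.Count == 0)
            {
                return psAssignments;
            }

            List <string> objectIds = assignmentList.Select(r => r.Properties.PrincipalId.ToString()).ToList();
            List <PSADObject> adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds) ?? new List <PSADObject>();

            List <PSRoleDefinition> roleDefinitions = policyClient.FilterRoleDefinitions(name: null) ?? new List <PSRoleDefinition>();

            foreach (RoleAssignment assignment in assignmentList)
            {
                var props = assignment.Properties;

                // Unresolved principals / definitions get an id-only stub so the output never carries a null.
                PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == props.PrincipalId)
                                      ?? new PSADObject() { Id = props.PrincipalId };
                PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == props.RoleDefinitionId)
                                                  ?? new PSRoleDefinition() { Id = props.RoleDefinitionId };

                if (adObject is PSADUser user)
                {
                    var converted = Build(assignment, adObject, roleDefinition);
                    converted.SignInName = user.SignInName;
                    converted.ObjectType = adObject.Type;
                    psAssignments.Add(converted);
                }
                else if (adObject is PSADGroup || adObject is PSADServicePrincipal)
                {
                    var converted = Build(assignment, adObject, roleDefinition);
                    converted.ObjectType = adObject.Type;
                    psAssignments.Add(converted);
                }
                else if (!excludeAssignmentsForDeletedPrincipals)
                {
                    // Principal no longer exists in the directory; emitted without a type so the caller can tell.
                    psAssignments.Add(Build(assignment, adObject, roleDefinition));
                }
                // Otherwise the principal does not exist and excludeAssignmentsForDeletedPrincipals asked to skip it.
            }

            return psAssignments;

            // Fields common to every branch; SignInName/ObjectType are filled in by the caller where applicable.
            PSRoleAssignment Build(RoleAssignment source, PSADObject principal, PSRoleDefinition definition) => new PSRoleAssignment()
            {
                RoleAssignmentId   = source.Id,
                DisplayName        = principal.DisplayName,
                RoleDefinitionId   = definition.Id.GuidFromFullyQualifiedId(),
                RoleDefinitionName = definition.Name,
                Scope              = source.Properties.Scope,
                ObjectId           = principal.Id
            };
        }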
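        /// <summary>
        /// Filters role assignments based on the passed options.
        /// </summary>
        /// <remarks>
        /// Order of operations: an optional principal filter (with optional group expansion) builds the OData
        /// query; the listing is done at <c>options.Scope</c> when given, otherwise subscription-wide; the
        /// role-definition id and name filters are applied client-side; classic administrators are appended
        /// on request. <paramref name="first"/> and <paramref name="skip"/> are accepted but not applied in
        /// this body — NOTE(review): confirm whether paging is meant to happen here or in the caller.
        /// </remarks>
        /// <param name="options">The filtering options</param>
        /// <param name="currentSubscription">The current subscription</param>
        /// <param name="first">Maximum number of results requested (not applied in this body).</param>
        /// <param name="skip">Number of results to skip (not applied in this body).</param>
        /// <returns>The filtered role assignments</returns>
        /// <exception cref="KeyNotFoundException">The principal filter did not resolve to a directory object.</exception>
        /// <exception cref="InvalidOperationException">Group expansion or classic-administrator inclusion was requested for a principal that is not a user.</exception>
        public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription, ulong first = ulong.MaxValue, ulong skip = 0)
        {
            var result = new List <PSRoleAssignment>();
            PSADObject adObject = null;
            Rest.Azure.OData.ODataQuery <RoleAssignmentFilter> odataQuery = null;

            bool hasPrincipalFilter = options.ADObjectFilter.HasFilter;
            if (hasPrincipalFilter)
            {
                // The directory object is only fetched when the id is not already known, or when a later step
                // (group expansion, classic administrators) has to inspect the principal's type.
                if (string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups || options.IncludeClassicAdministrators)
                {
                    adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
                    if (adObject == null)
                    {
                        throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                    }
                }

                // Filter first by principal
                if (options.ExpandPrincipalGroups)
                {
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
                    }

                    string principalId = adObject.Id.ToString();
                    odataQuery = new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.AssignedTo(principalId));
                }
                else
                {
                    string principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id.ToString() : options.ADObjectFilter.Id;
                    odataQuery = new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId);
                }
            }

            // The role-definition id filter is identical on every listing path; build it once.
            string fullyQualifiedRoleDefinitionId = AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromSubscriptionAndIdAsGuid(currentSubscription, options.RoleDefinitionId);

            bool scopeGiven = !string.IsNullOrEmpty(options.Scope);
            if (scopeGiven)
            {
                // Filter by scope and above directly
                var page = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, odataQuery);
                result.AddRange(page
                                .FilterRoleAssignmentsOnRoleId(fullyQualifiedRoleDefinitionId)
                                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
            }
            else
            {
                var page = AuthorizationManagementClient.RoleAssignments.List(odataQuery);
                result.AddRange(page
                                .FilterRoleAssignmentsOnRoleId(fullyQualifiedRoleDefinitionId)
                                .ToPSRoleAssignments(this, ActiveDirectoryClient, AuthorizationHelper.GetSubscriptionScope(currentSubscription), options.ExcludeAssignmentsForDeletedPrincipals));
            }

            // With a principal filter, keep only assignments whose scope is the requested scope or an ancestor of it.
            // NOTE(review): this is a plain string-prefix test, so an assignment at ".../resourceGroups/rg" also passes
            // when options.Scope is ".../resourceGroups/rg2" (constructed example); a segment-boundary check would be stricter.
            if (hasPrincipalFilter && scopeGiven)
            {
                result.RemoveAll(r => !options.Scope.StartsWith(r.Scope, StringComparison.OrdinalIgnoreCase));
            }

            if (!string.IsNullOrEmpty(options.RoleDefinitionName))
            {
                // string.Equals tolerates a null RoleDefinitionName, which the conversion produces when the
                // role-definition lookup was not authorized; the instance Equals call would throw there.
                result = result.Where(r => string.Equals(r.RoleDefinitionName, options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
            }

            if (options.IncludeClassicAdministrators)
            {
                result.AddRange(GetClassicAdministratorAssignments(options, currentSubscription, adObject));
            }

            return result;

            // Lists classic administrators for the subscription that owns opts.Scope (falling back to the current
            // subscription) and, when a principal filter is present, keeps only the entries for that user.
            List <PSRoleAssignment> GetClassicAdministratorAssignments(FilterRoleAssignmentsOptions opts, string subscription, PSADObject principal)
            {
                var classicSubscription = subscription;
                if (opts.Scope != null)
                {
                    classicSubscription = AuthorizationHelper.GetResourceSubscription(opts.Scope) ?? subscription;
                }

                List <ClassicAdministrator> classicAdministrators;
                if (subscription != classicSubscription)
                {
                    // A separate client is needed because AuthorizationManagementClient is bound to the current subscription.
                    var client = AzureSession.Instance.ClientFactory.CreateArmClient <AuthorizationManagementClient>(AzureRmProfileProvider.Instance.Profile.DefaultContext, AzureEnvironment.Endpoint.ResourceManager);
                    client.SubscriptionId = classicSubscription;
                    classicAdministrators = client.ClassicAdministrators.List().ToList();
                }
                else
                {
                    classicAdministrators = AuthorizationManagementClient.ClassicAdministrators.List().ToList();
                }

                var classicAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(classicSubscription)).ToList();

                // Filter by principal if provided: classic admins are matched by comparing their DisplayName with
                // the user's UPN, so only user principals are supported here.
                if (opts.ADObjectFilter.HasFilter)
                {
                    if (!(principal is PSADUser user))
                    {
                        throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
                    }

                    classicAssignments = classicAssignments
                                         .Where(c => string.Equals(c.DisplayName, user.UserPrincipalName, StringComparison.OrdinalIgnoreCase))
                                         .ToList();
                }

                return classicAssignments;
            }
        }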
        public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
        {
            List <PSRoleAssignment> result = new List <PSRoleAssignment>();
            string assignedToPrincipalId   = null;
            string principalId             = null;

            PSADObject adObject = null;

            if (options.ADObjectFilter.HasFilter)
            {
                adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);
                if (adObject == null)
                {
                    throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                }

                // Filter first by principal
                if (options.ExpandPrincipalGroups)
                {
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
                    }

                    assignedToPrincipalId = adObject.Id.ToString();
                }
                else
                {
                    principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id.ToString()) ? adObject.Id.ToString() : options.ADObjectFilter.Id;
                }

                var tempResult = AuthorizationManagementClient.RoleAssignments.List(
                    new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));
                result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));

                while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextPageLink);
                    result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                    .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
                }

                // Filter out by scope
                if (!string.IsNullOrEmpty(options.Scope))
                {
                    result.RemoveAll(r => !options.Scope.StartsWith(r.Scope, StringComparison.OrdinalIgnoreCase));
                }
            }
            else if (!string.IsNullOrEmpty(options.Scope))
            {
                // Filter by scope and above directly
                var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(
                    options.Scope,
                    new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(
                        f => f.AtScope() && f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));

                result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));

                while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextPageLink);
                    result.AddRange(tempResult.FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                    .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
                }
            }
            else
            {
                var tempResult = AuthorizationManagementClient.RoleAssignments.List(
                    new Rest.Azure.OData.ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == principalId && f.AssignedTo(assignedToPrincipalId)));
                result.AddRange(tempResult
                                .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));

                while (!string.IsNullOrWhiteSpace(tempResult.NextPageLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextPageLink);
                    result.AddRange(tempResult
                                    .FilterRoleAssignmentsOnRoleId(AuthorizationHelper.ConstructFullyQualifiedRoleDefinitionIdFromScopeAndIdAsGuid(currentSubscription, options.RoleDefinitionId))
                                    .ToPSRoleAssignments(this, ActiveDirectoryClient, options.Scope, options.ExcludeAssignmentsForDeletedPrincipals));
                }
            }

            if (!string.IsNullOrEmpty(options.RoleDefinitionName))
            {
                result = result.Where(r => r.RoleDefinitionName.Equals(options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
            }

            if (options.IncludeClassicAdministrators)
            {
                // Get classic administrator access assignments
                List <ClassicAdministrator> classicAdministrators = AuthorizationManagementClient.ClassicAdministrators
                                                                    .List(AuthorizationManagementClient.ApiVersion).ToList();
                List <PSRoleAssignment> classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList();

                // Filter by principal if provided
                if (options.ADObjectFilter.HasFilter)
                {
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
                    }

                    var userObject = adObject as PSADUser;
                    classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
                                                                                              c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase)).ToList();
                }

                result.AddRange(classicAdministratorsAssignments);
            }

            return(result);
        }
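        /// <summary>
        /// Filters role assignments based on the passed options.
        /// </summary>
        /// <remarks>
        /// The listing strategy is chosen in this order: by principal (optionally expanded to the groups the
        /// user belongs to), by scope (the given scope and its ancestors), or the whole subscription. Paging is
        /// followed to the end in every branch. The role-definition, role-name and classic-administrator
        /// filters are applied afterwards to the collected list.
        /// </remarks>
        /// <param name="options">The filtering options</param>
        /// <param name="currentSubscription">The current subscription</param>
        /// <returns>The filtered role assignments</returns>
        /// <exception cref="KeyNotFoundException">The principal given in <paramref name="options"/> could not be resolved in the directory.</exception>
        /// <exception cref="InvalidOperationException">Group expansion or classic-administrator inclusion was requested for a principal that is not a user.</exception>
#if !NETSTANDARD
        public List <PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions options, string currentSubscription)
        {
            List <PSRoleAssignment>         result          = new List <PSRoleAssignment>();
            List <RoleAssignment>           roleAssignments = new List <RoleAssignment>();
            ListAssignmentsFilterParameters parameters      = new ListAssignmentsFilterParameters();

            PSADObject adObject = null;

            if (options.ADObjectFilter.HasFilter)
            {
                // The directory lookup is only needed when the caller gave no object id, or when a later
                // step needs the resolved object (group expansion, classic administrator matching).
                if (string.IsNullOrEmpty(options.ADObjectFilter.Id) || options.ExpandPrincipalGroups || options.IncludeClassicAdministrators)
                {
                    adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);

                    if (adObject == null)
                    {
                        throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                    }
                }

                // Filter first by principal
                if (options.ExpandPrincipalGroups)
                {
                    // "Assigned to" (principal plus its groups) is only defined for user principals.
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
                    }

                    parameters.AssignedToPrincipalId = adObject.Id;
                }
                else
                {
                    parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id : Guid.Parse(options.ADObjectFilter.Id);
                }

                var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
                roleAssignments.AddRange(tempResult.RoleAssignments);

                while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
                    roleAssignments.AddRange(tempResult.RoleAssignments);
                }

                // The principal listing is not scoped; keep only assignments that apply at the requested
                // scope, i.e. those made at that scope or at one of its ancestors.
                if (!string.IsNullOrWhiteSpace(options.Scope))
                {
                    roleAssignments.RemoveAll(r => !IsScopeAtOrAbove(r.Properties.Scope, options.Scope));
                }
            }
            else if (!string.IsNullOrEmpty(options.Scope))
            {
                // Filter by scope and above directly
                parameters.AtScope = true;

                var tempResult = AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters);
                roleAssignments.AddRange(tempResult.RoleAssignments);

                while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListForScopeNext(tempResult.NextLink);
                    roleAssignments.AddRange(tempResult.RoleAssignments);
                }
            }
            else
            {
                var tempResult = AuthorizationManagementClient.RoleAssignments.List(parameters);
                roleAssignments.AddRange(tempResult.RoleAssignments);

                while (!string.IsNullOrWhiteSpace(tempResult.NextLink))
                {
                    tempResult = AuthorizationManagementClient.RoleAssignments.ListNext(tempResult.NextLink);
                    roleAssignments.AddRange(tempResult.RoleAssignments);
                }
            }

            // To look for RoleDefinitions at the stated scope - if scope is Null then default to subscription scope
            string scopeForRoleDefinitions = string.IsNullOrEmpty(options.Scope) ? AuthorizationHelper.GetSubscriptionScope(currentSubscription) : options.Scope;

            result.AddRange(roleAssignments.FilterRoleAssignmentsOnRoleId(options.RoleDefinitionId)
                            .ToPSRoleAssignments(this, ActiveDirectoryClient, scopeForRoleDefinitions, options.ExcludeAssignmentsForDeletedPrincipals));

            if (!string.IsNullOrEmpty(options.RoleDefinitionName))
            {
                // Null-safe: an assignment whose role definition name could not be resolved simply does not match.
                result = result.Where(r => string.Equals(r.RoleDefinitionName, options.RoleDefinitionName, StringComparison.OrdinalIgnoreCase)).ToList();
            }

            if (options.IncludeClassicAdministrators)
            {
                // Get classic administrator access assignments
                List <ClassicAdministrator> classicAdministrators            = AuthorizationManagementClient.ClassicAdministrators.List().ClassicAdministrators.ToList();
                List <PSRoleAssignment>     classicAdministratorsAssignments = classicAdministrators.Select(a => a.ToPSRoleAssignment(currentSubscription)).ToList();

                // Filter by principal if provided
                if (options.ADObjectFilter.HasFilter)
                {
                    // Classic administrators are matched by user principal name, so only user principals are supported.
                    if (!(adObject is PSADUser userObject))
                    {
                        throw new InvalidOperationException(ProjectResources.IncludeClassicAdminsNotSupported);
                    }

                    classicAdministratorsAssignments = classicAdministratorsAssignments
                        .Where(c => string.Equals(c.DisplayName, userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase))
                        .ToList();
                }

                result.AddRange(classicAdministratorsAssignments);
            }

            return(result);
        }

        /// <summary>
        /// Returns true when <paramref name="assignmentScope"/> is <paramref name="requestedScope"/> itself or an
        /// ancestor of it. The ancestor check is made on whole path segments, so a sibling whose name is a
        /// prefix of another (for example resource group "rg" next to "rg2") is not mistaken for an ancestor.
        /// </summary>
        /// <param name="assignmentScope">The scope the role assignment was created at.</param>
        /// <param name="requestedScope">The scope the caller asked to filter on (non-empty).</param>
        /// <returns>True when the assignment applies at the requested scope.</returns>
        private static bool IsScopeAtOrAbove(string assignmentScope, string requestedScope)
        {
            // An assignment without a scope cannot be placed in the hierarchy, so it does not match.
            if (string.IsNullOrEmpty(assignmentScope))
            {
                return false;
            }

            // Resource ids are opaque identifiers; ordinal comparison, not culture-sensitive.
            if (string.Equals(assignmentScope, requestedScope, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }

            // Compare on a segment boundary: "/a/rg" is an ancestor of "/a/rg/x" but not of "/a/rg2".
            string ancestorPrefix = assignmentScope.TrimEnd('/') + "/";
            return requestedScope.StartsWith(ancestorPrefix, StringComparison.OrdinalIgnoreCase);
        }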
        /// <summary>
        /// Projects a service-side <see cref="RoleAssignment"/> into the PowerShell model, resolving its role
        /// definition and the assigned principal. The concrete return type follows the principal's directory type.
        /// </summary>
        /// <param name="role">The role assignment to convert.</param>
        /// <param name="policyClient">Client used to look up the assignment's role definition.</param>
        /// <param name="activeDirectoryClient">Client used to resolve the principal by object id.</param>
        /// <returns>
        /// A <see cref="PSUserRoleAssignment"/>, <see cref="PSGroupRoleAssignment"/>,
        /// <see cref="PSServiceRoleAssignment"/> or a plain <see cref="PSRoleAssignment"/>. When the principal
        /// cannot be resolved, a placeholder object carrying only the principal id is used, so the result is the
        /// plain type with no display name.
        /// </returns>
        public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment role, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient)
        {
            var properties = role.Properties;
            PSRoleDefinition roleDefinition = policyClient.GetRoleDefinition(properties.RoleDefinitionId);

            var lookup = new ADObjectFilterOptions {
                Id = properties.PrincipalId.ToString()
            };
            PSADObject principal = activeDirectoryClient.GetADObject(lookup) ?? new PSADObject()
            {
                Id = properties.PrincipalId
            };

            switch (principal)
            {
                case PSADUser user:
                    return new PSUserRoleAssignment()
                    {
                        RoleAssignmentId = role.Id,
                        DisplayName = user.DisplayName,
                        Actions = roleDefinition.Actions,
                        NotActions = roleDefinition.NotActions,
                        RoleDefinitionName = roleDefinition.Name,
                        Scope = properties.Scope,
                        UserPrincipalName = user.UserPrincipalName,
                        Mail = user.Mail,
                        ObjectId = user.Id
                    };

                case PSADGroup group:
                    return new PSGroupRoleAssignment()
                    {
                        RoleAssignmentId = role.Id,
                        DisplayName = group.DisplayName,
                        Actions = roleDefinition.Actions,
                        NotActions = roleDefinition.NotActions,
                        RoleDefinitionName = roleDefinition.Name,
                        Scope = properties.Scope,
                        Mail = group.Mail,
                        ObjectId = group.Id
                    };

                case PSADServicePrincipal servicePrincipal:
                    return new PSServiceRoleAssignment()
                    {
                        RoleAssignmentId = role.Id,
                        DisplayName = servicePrincipal.DisplayName,
                        Actions = roleDefinition.Actions,
                        NotActions = roleDefinition.NotActions,
                        RoleDefinitionName = roleDefinition.Name,
                        Scope = properties.Scope,
                        ServicePrincipalName = servicePrincipal.ServicePrincipalName,
                        ObjectId = servicePrincipal.Id
                    };

                default:
                    // Unknown directory type, or the placeholder built above for an unresolved principal.
                    return new PSRoleAssignment()
                    {
                        RoleAssignmentId = role.Id,
                        DisplayName = principal.DisplayName,
                        Actions = roleDefinition.Actions,
                        NotActions = roleDefinition.NotActions,
                        RoleDefinitionName = roleDefinition.Name,
                        Scope = properties.Scope,
                        ObjectId = principal.Id
                    };
            }
        }
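        /// <summary>
        /// Filters deny assignments based on the passed options.
        /// </summary>
        /// <remarks>
        /// A fully qualified <c>DenyAssignmentId</c> short-circuits to a single GET at the scope encoded in the
        /// id (or the given/subscription scope). Otherwise exactly one OData filter is built, in this order of
        /// precedence: deny assignment name, then principal (optionally expanded to the user's groups); when
        /// neither is given no OData filter is passed on. Scope handling is delegated to
        /// <see cref="FilterDenyAssignmentsByScope"/>.
        /// </remarks>
        /// <param name="options">The filtering options</param>
        /// <param name="currentSubscription">The current subscription</param>
        /// <returns>The filtered deny assignments</returns>
        /// <exception cref="KeyNotFoundException">The principal given in <paramref name="options"/> could not be resolved in the directory.</exception>
        /// <exception cref="InvalidOperationException">Group expansion was requested for a non-user principal, or the directory lookup was denied.</exception>
        public List <PSDenyAssignment> FilterDenyAssignments(FilterDenyAssignmentsOptions options, string currentSubscription)
        {
            // Get a specified deny assignment by DenyAssignmentId
            if (!string.IsNullOrEmpty(options.DenyAssignmentId) &&
                (Guid.Empty != options.DenyAssignmentId.GetGuidFromId()))
            {
                // Explicit scope wins; otherwise the scope embedded in the fully qualified id; otherwise the subscription.
                var scope = !string.IsNullOrEmpty(options.Scope) ? options.Scope : AuthorizationHelper.GetScopeFromFullyQualifiedId(options.DenyAssignmentId) ?? AuthorizationHelper.GetSubscriptionScope(currentSubscription);
                return(new List <PSDenyAssignment>
                {
                    AuthorizationManagementClient.DenyAssignments.Get(scope, options.DenyAssignmentId.GuidFromFullyQualifiedId()).ToPSDenyAssignment(ActiveDirectoryClient)
                });
            }

            // Filter deny assignments by given assumptions
            string     principalId = null;
            PSADObject adObject    = null;
            ODataQuery <DenyAssignmentFilter> odataQuery = null;

            if (!string.IsNullOrEmpty(options.DenyAssignmentName))
            {
                odataQuery = new ODataQuery <DenyAssignmentFilter>(item => item.DenyAssignmentName == options.DenyAssignmentName);
            }
            else if (options.ADObjectFilter.HasFilter)
            {
                // Without an object id the principal has to be resolved from the other filter fields first.
                if (string.IsNullOrEmpty(options.ADObjectFilter.Id))
                {
                    adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);

                    if (adObject == null)
                    {
                        throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                    }
                }

                // Filter first by principal
                if (options.ExpandPrincipalGroups)
                {
                    // Group expansion needs the full object to check the principal type, so resolve it
                    // by id when only the id was given. A denied Graph lookup is surfaced as a clear error.
                    try
                    {
                        adObject = adObject ?? ActiveDirectoryClient.GetObjectByObjectId(options.ADObjectFilter.Id);
                    }
                    catch (Common.MSGraph.Version1_0.DirectoryObjects.Models.OdataErrorException oe) when(OdataHelper.IsAuthorizationDeniedException(oe))
                    {
                        throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission);
                    }

                    // Same outcome as the lookup above: an unresolved principal is "not found", not "not a user".
                    if (adObject == null)
                    {
                        throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                    }

                    // "Assigned to" (principal plus its groups) is only defined for user principals.
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
                    }

                    principalId = adObject.Id.ToString();
                    odataQuery  = new ODataQuery <DenyAssignmentFilter>(f => f.AssignedTo(principalId));
                }
                else
                {
                    principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id.ToString() : options.ADObjectFilter.Id;
                    odataQuery  = new ODataQuery <DenyAssignmentFilter>(f => f.PrincipalId == principalId);
                }
            }

            return(this.FilterDenyAssignmentsByScope(options, odataQuery, currentSubscription));
        }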