예제 #1
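        /// <summary>
        /// Grants <paramref name="servicePrincipal"/> the built-in Contributor role on the whole of
        /// <paramref name="subscription"/> through the Azure Resource Manager REST API, then records the
        /// subscription in <c>_repository</c>.
        /// </summary>
        /// <param name="principal">The signed-in user on whose behalf the management token is acquired.</param>
        /// <param name="subscription">Target subscription; its <c>SubscriptionId</c> forms the assignment scope.</param>
        /// <param name="servicePrincipal">Principal receiving the role; its <c>Id</c> becomes the assignment's principalId.</param>
        /// <returns>A task that completes once the assignment exists and the subscription has been stored.</returns>
        /// <exception cref="ArgumentNullException">Any argument is <c>null</c>.</exception>
        /// <exception cref="HttpRequestException">ARM answered with a non-success status code.</exception>
        public async Task AssignContributorRole(ClaimsPrincipal principal, DomainObjects.Subscription subscription, ServicePrincipal servicePrincipal)
        {
            if (principal is null) throw new ArgumentNullException(nameof(principal));
            if (subscription is null) throw new ArgumentNullException(nameof(subscription));
            if (servicePrincipal is null) throw new ArgumentNullException(nameof(servicePrincipal));

            // Contributor role: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
            // Contributor is a broad, subscription-wide right and the scope below is the entire subscription;
            // callers should be certain that breadth is intended rather than a narrower resource-group scope.
            const string contributorRoleId = "b24988ac-6180-42a0-ab88-20f7382dd24c";

            // Role assignment names are client-chosen GUIDs; a fresh one avoids colliding with an existing assignment.
            var assignmentId = Guid.NewGuid();

            // Escape the id when it becomes a URL path segment so a malformed value cannot alter the request path.
            var subscriptionPathSegment = Uri.EscapeDataString($"{subscription.SubscriptionId}");
            var url = $"https://management.azure.com/subscriptions/{subscriptionPathSegment}/providers/Microsoft.Authorization/roleAssignments/{assignmentId}?api-version=2015-07-01";

            var body = new
            {
                properties = new
                {
                    roleDefinitionId = $"/subscriptions/{subscription.SubscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{contributorRoleId}",
                    principalId      = servicePrincipal.Id
                }
            };

            var token = await _tokenService.GetAccessTokenAsync(principal, _adOptions.ManagementAzureScope);

            // Attach the bearer token to this request only. Writing it to _httpClient.DefaultRequestHeaders
            // would race with concurrent callers sharing the client and could send one user's token on
            // another user's request, and would leave the token attached to every later request.
            using (var request = new HttpRequestMessage(HttpMethod.Put, url))
            {
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
                request.Content = new StringContent(JsonConvert.SerializeObject(body), Encoding.UTF8, "application/json");

                using (var response = await _httpClient.SendAsync(request))
                {
                    response.EnsureSuccessStatusCode();
                }
            }

            await _repository.Add(subscription);
        }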
예제 #2
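        /// <summary>
        /// Creates a new Azure AD application carrying a single client secret, instantiates it in the current
        /// tenant as a service principal, and persists the result through <c>_repository</c>.
        /// </summary>
        /// <param name="principal">The signed-in user; Graph calls use a delegated token acquired for this user.</param>
        /// <returns>The stored <see cref="DomainObjects.ServicePrincipal"/>, including the generated secret.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="principal"/> is <c>null</c>.</exception>
        public async Task <DomainObjects.ServicePrincipal> CreateServicePrincipal(ClaimsPrincipal principal)
        {
            if (principal is null) throw new ArgumentNullException(nameof(principal));

            // Derive the client secret from a CSPRNG rather than Guid.NewGuid(): a GUID has a fixed layout
            // and is not specified as cryptographically random. 32 bytes encode to a 44-character string.
            var secretBytes = new byte[32];
            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(secretBytes);
            }
            var secret = Convert.ToBase64String(secretBytes);

            // Graph client authenticating each request with a delegated token for the signed-in user.
            // NOTE(review): this builds a new GraphServiceClient (and its underlying HttpClient) per call;
            // reuse one instance if this method runs at volume.
            var client = new GraphServiceClient(new DelegateAuthenticationProvider(async requestMessage =>
            {
                var token = await _tokenService.GetAccessTokenAsync(principal, "https://graph.microsoft.com/Directory.AccessAsUser.All");
                requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            }));

            // Credential validity is evaluated by Azure AD, not shown to a user, so take the instant in UTC.
            var now = DateTimeOffset.UtcNow;

            // Create the Azure AD application with its secret.
            var app = await client.Applications.Request().AddAsync(new Application
            {
                DisplayName         = $"demosprbac-{Guid.NewGuid()}",
                PasswordCredentials = new List <PasswordCredential>()
                {
                    new PasswordCredential()
                    {
                        DisplayName   = "ClientSecret",
                        SecretText    = secret,
                        // Starts two minutes in the past — presumably to tolerate clock skew against Azure AD.
                        StartDateTime = now.AddMinutes(-2),
                        EndDateTime   = now.AddYears(1)
                    }
                }
            });
            // NOTE(review): newer Graph API versions reportedly treat secretText as read-only and generate it
            // server-side; confirm the value stored below matches what Azure AD actually issued — TODO.

            // Instantiate the application in the current tenant; this instance is the service principal.
            var sp = await client.ServicePrincipals.Request().AddAsync(new ServicePrincipal()
            {
                AppId = app.AppId
            });

            // The plaintext secret is persisted next to the principal, so the repository holds a credential
            // equivalent to the service principal itself and must be protected (encrypted, access-controlled) accordingly.
            return await _repository.Add(new DomainObjects.ServicePrincipal
            {
                Id          = sp.Id,
                AppId       = sp.AppId,
                AppObjectId = app.Id,
                DisplayName = sp.DisplayName,
                SecretText  = secret
            });
        }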