예제 #1
        /// <summary>
        /// Lists deny assignments either for the scope named in <paramref name="options"/>
        /// or, when no scope is given, through the client's unscoped list call.
        /// </summary>
        /// <param name="options">Filtering options; only <c>Scope</c> is consulted here.</param>
        /// <param name="odataQuery">Server-side filter handed through to the list call; may be null.</param>
        /// <param name="currentSubscription">Not read by this method; kept for signature parity with its callers.</param>
        /// <returns>The listed deny assignments converted to their PowerShell representation.</returns>
        private List <PSDenyAssignment> FilterDenyAssignmentsByScope(FilterDenyAssignmentsOptions options, ODataQuery <DenyAssignmentFilter> odataQuery, string currentSubscription)
        {
            if (string.IsNullOrEmpty(options.Scope))
            {
                var unscoped = AuthorizationManagementClient.DenyAssignments.List(odataQuery);
                return(unscoped.ToPSDenyAssignments(ActiveDirectoryClient).ToList());
            }

            var scoped = AuthorizationManagementClient.DenyAssignments.ListForScope(options.Scope, odataQuery);
            return(scoped.ToPSDenyAssignments(ActiveDirectoryClient).ToList());
        }
예제 #2
        /// <summary>
        /// Filters deny assignments based on the passed options.
        /// </summary>
        /// <param name="options">The filtering options</param>
        /// <param name="currentSubscription">The current subscription</param>
        /// <returns>The filtered deny assignments</returns>
        /// <exception cref="KeyNotFoundException">The principal described by <c>options.ADObjectFilter</c> could not be resolved.</exception>
        /// <exception cref="InvalidOperationException">Group expansion was requested for a principal that is not a user.</exception>
        public List <PSDenyAssignment> FilterDenyAssignments(FilterDenyAssignmentsOptions options, string currentSubscription)
        {
            // An explicit deny assignment id takes precedence over every other filter: fetch that single assignment.
            if (options.DenyAssignmentId != Guid.Empty)
            {
                var lookupScope = string.IsNullOrEmpty(options.Scope)
                    ? AuthorizationHelper.GetSubscriptionScope(currentSubscription)
                    : options.Scope;

                var single = AuthorizationManagementClient.DenyAssignments
                             .Get(lookupScope, options.DenyAssignmentId.ToString())
                             .ToPSDenyAssignment(ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals);

                return(new List <PSDenyAssignment> { single });
            }

            // Otherwise build an optional server-side filter (null means the list call runs unfiltered).
            Rest.Azure.OData.ODataQuery <DenyAssignmentFilter> odataQuery = null;

            if (!string.IsNullOrEmpty(options.DenyAssignmentName))
            {
                odataQuery = new Rest.Azure.OData.ODataQuery <DenyAssignmentFilter>(item => item.DenyAssignmentName == options.DenyAssignmentName);
            }
            else if (options.ADObjectFilter.HasFilter)
            {
                var adFilter  = options.ADObjectFilter;
                var idMissing = string.IsNullOrEmpty(adFilter.Id);

                // The directory is consulted when there is no object id to use directly, or when
                // group expansion needs the resolved object to check that it is a user.
                PSADObject principal = null;
                if (idMissing || options.ExpandPrincipalGroups)
                {
                    principal = ActiveDirectoryClient.GetADObject(adFilter);
                    if (principal == null)
                    {
                        throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                    }
                }

                // Filter first by principal
                if (options.ExpandPrincipalGroups)
                {
                    if (principal is PSADUser)
                    {
                        var userId = principal.Id.ToString();
                        odataQuery = new Rest.Azure.OData.ODataQuery <DenyAssignmentFilter>(f => f.AssignedTo(userId));
                    }
                    else
                    {
                        throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
                    }
                }
                else
                {
                    var directId = idMissing ? principal.Id.ToString() : adFilter.Id;
                    odataQuery = new Rest.Azure.OData.ODataQuery <DenyAssignmentFilter>(f => f.PrincipalId == directId);
                }
            }

            // Return a fresh list so callers never share the helper's instance.
            return(this.FilterDenyAssignmentsByScope(options, odataQuery, currentSubscription).ToList());
        }
예제 #3
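        /// <summary>
        /// Lists deny assignments for the scope named in <paramref name="options"/> (or through the
        /// unscoped list call when no scope is given) and converts them to their PowerShell representation.
        /// </summary>
        /// <param name="options">Filtering options; <c>Scope</c> and <c>ExcludeAssignmentsForDeletedPrincipals</c> are consulted here.</param>
        /// <param name="odataQuery">Server-side filter handed through to the list call; may be null.</param>
        /// <param name="currentSubscription">Not read by this method; kept for signature parity with its callers.</param>
        /// <returns>The deny assignments that are defined at the requested scope or at one of its ancestors.</returns>
        private List <PSDenyAssignment> FilterDenyAssignmentsByScope(FilterDenyAssignmentsOptions options, Rest.Azure.OData.ODataQuery <DenyAssignmentFilter> odataQuery, string currentSubscription)
        {
            if (string.IsNullOrEmpty(options.Scope))
            {
                var unscoped = AuthorizationManagementClient.DenyAssignments.List(odataQuery);
                return(unscoped.ToPSDenyAssignments(ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals).ToList());
            }

            var scoped = AuthorizationManagementClient.DenyAssignments.ListForScope(options.Scope, odataQuery);
            var result = scoped.ToPSDenyAssignments(ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals).ToList();

            // Keep only assignments defined at the requested scope or at an ancestor of it (inherited deny
            // assignments). The check is segment-aligned: a plain prefix test would treat ".../resourceGroups/rg1"
            // as an ancestor of ".../resourceGroups/rg10" and report a deny assignment that does not apply there.
            result.RemoveAll(r => !IsScopeAtOrAbove(r.Scope, options.Scope));

            return(result);
        }

        /// <summary>
        /// Returns true when <paramref name="candidate"/> is the same scope as <paramref name="target"/>
        /// or a segment-aligned ancestor of it (for example "/" or "/subscriptions/{id}" for a resource group scope).
        /// </summary>
        /// <param name="candidate">The scope a deny assignment is defined at; null or empty never matches.</param>
        /// <param name="target">The scope being queried; null or empty never matches.</param>
        /// <returns>True when an assignment at <paramref name="candidate"/> applies at <paramref name="target"/>.</returns>
        private static bool IsScopeAtOrAbove(string candidate, string target)
        {
            if (string.IsNullOrEmpty(candidate) || string.IsNullOrEmpty(target))
            {
                return false;
            }

            // Drop a trailing separator so "/" and "/subscriptions/{id}/" compare like their un-terminated forms.
            var ancestor = candidate.TrimEnd('/');

            return target.Equals(ancestor, StringComparison.OrdinalIgnoreCase)
                || target.StartsWith(ancestor + "/", StringComparison.OrdinalIgnoreCase);
        }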
예제 #4
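        /// <summary>
        /// Filters deny assignments based on the passed options.
        /// </summary>
        /// <param name="options">The filtering options</param>
        /// <param name="currentSubscription">The current subscription</param>
        /// <returns>The filtered deny assignments</returns>
        /// <exception cref="KeyNotFoundException">The principal described by <c>options.ADObjectFilter</c> could not be resolved.</exception>
        /// <exception cref="InvalidOperationException">Group expansion was requested for a principal that is not a user, or resolving the principal was denied by Graph.</exception>
        public List <PSDenyAssignment> FilterDenyAssignments(FilterDenyAssignmentsOptions options, string currentSubscription)
        {
            // Get a specified deny assignment by DenyAssignmentId
            if (!string.IsNullOrEmpty(options.DenyAssignmentId) &&
                (Guid.Empty != options.DenyAssignmentId.GetGuidFromId()))
            {
                // Scope precedence: explicit Scope option, then the scope carried by a fully qualified id,
                // then the current subscription.
                var scope = !string.IsNullOrEmpty(options.Scope)
                    ? options.Scope
                    : AuthorizationHelper.GetScopeFromFullyQualifiedId(options.DenyAssignmentId) ?? AuthorizationHelper.GetSubscriptionScope(currentSubscription);

                return(new List <PSDenyAssignment>
                {
                    AuthorizationManagementClient.DenyAssignments.Get(scope, options.DenyAssignmentId.GuidFromFullyQualifiedId()).ToPSDenyAssignment(ActiveDirectoryClient)
                });
            }

            // Filter deny assignments by given assumptions
            string     principalId = null;
            PSADObject adObject    = null;
            // null means the list call runs without a server-side filter.
            ODataQuery <DenyAssignmentFilter> odataQuery = null;

            if (!string.IsNullOrEmpty(options.DenyAssignmentName))
            {
                odataQuery = new ODataQuery <DenyAssignmentFilter>(item => item.DenyAssignmentName == options.DenyAssignmentName);
            }
            else if (options.ADObjectFilter.HasFilter)
            {
                // Without an object id the principal has to be resolved from the remaining filter fields.
                if (string.IsNullOrEmpty(options.ADObjectFilter.Id))
                {
                    adObject = ActiveDirectoryClient.GetADObject(options.ADObjectFilter);

                    if (adObject == null)
                    {
                        throw new KeyNotFoundException(ProjectResources.PrincipalNotFound);
                    }
                }

                // Filter first by principal
                if (options.ExpandPrincipalGroups)
                {
                    try
                    {
                        adObject = adObject ?? ActiveDirectoryClient.GetObjectByObjectId(options.ADObjectFilter.Id);
                    }
                    catch (Common.MSGraph.Version1_0.DirectoryObjects.Models.OdataErrorException oe) when(OdataHelper.IsAuthorizationDeniedException(oe))
                    {
                        // Chain the Graph error as the inner exception so the permission failure stays diagnosable.
                        throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission, oe);
                    }

                    // Group expansion (AssignedTo) is only offered for user principals.
                    if (!(adObject is PSADUser))
                    {
                        throw new InvalidOperationException(ProjectResources.ExpandGroupsNotSupported);
                    }

                    principalId = adObject.Id.ToString();
                    odataQuery  = new ODataQuery <DenyAssignmentFilter>(f => f.AssignedTo(principalId));
                }
                else
                {
                    principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id.ToString() : options.ADObjectFilter.Id;
                    odataQuery  = new ODataQuery <DenyAssignmentFilter>(f => f.PrincipalId == principalId);
                }
            }

            return(this.FilterDenyAssignmentsByScope(options, odataQuery, currentSubscription));
        }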