private static void ValidateRole(List <Role> existingRoles, IRoleDefinition roleDefinition)
{
if (string.IsNullOrWhiteSpace(roleDefinition.Title))
{
throw new PropertyValidationException("Role title cannot be empty", nameof(IRoleDefinition.Title));
}
if (string.IsNullOrWhiteSpace(roleDefinition.RoleCode))
{
throw new PropertyValidationException("Role RoleCode cannot be empty", nameof(IRoleDefinition.RoleCode));
}
if (roleDefinition.RoleCode.Length != 3)
{
throw new PropertyValidationException("Role RoleCode must be 3 characters in length", nameof(IRoleDefinition.RoleCode));
}
if (existingRoles
.Any(r =>
r.Title.Equals(roleDefinition.Title?.Trim(), StringComparison.OrdinalIgnoreCase) &&
r.UserAreaCode == roleDefinition.UserAreaCode)
)
{
throw new UniqueConstraintViolationException($"A role with the title '{ roleDefinition.Title }' already exists", nameof(Role.Title));
}
}
/// <summary>
/// Creates an instance of a role initializer for the specified role
/// definition if one has been implemented; otherwise returns null
/// </summary>
/// <param name="roleDefinition">The role to find an initializer for</typeparam>
/// <returns>IRoleInitializer if one has been implemented; otherwise null</returns>
public IRoleInitializer Create(IRoleDefinition roleDefinition)
{
Condition.Requires(roleDefinition).IsNotNull();
// Never add permission to the super admin role
if (roleDefinition is SuperAdminRole)
{
return(null);
}
var type = typeof(IRoleInitializer <>).MakeGenericType(roleDefinition.GetType());
if (_resolutionContext.IsRegistered(type))
{
return((IRoleInitializer)_resolutionContext.Resolve(type));
}
else if (roleDefinition is AnonymousRole)
{
// We use a default initializer just for the anonymous role
// as it's the only built in role with permissions
return(new DefaultAnonymousRoleInitializer());
}
return(null);
}
public async Task CreateWebRoleDefinition()
{
//TestCommon.Instance.Mocking = false;
using (var context = await TestCommon.Instance.GetContextAsync(TestCommon.TestSite))
{
context.Web.Load(w => w.RoleDefinitions);
IRoleDefinition roleDefinition = null;
try
{
// get existing role def
var adminRoleDef = context.Web.RoleDefinitions.AsEnumerable().Where(r => r.Name == "Administrator");
Assert.IsNotNull(adminRoleDef);
roleDefinition = await context.Web.RoleDefinitions.AddAsync("Test RoleDef 2", Model.SharePoint.RoleType.Administrator, new Model.SharePoint.PermissionKind[] { Model.SharePoint.PermissionKind.AddAndCustomizePages }, "", false, 0);
Assert.IsTrue(roleDefinition.Requested);
}
finally
{
if (roleDefinition != null)
{
await roleDefinition.DeleteAsync();
}
}
}
}
/// <summary>
/// Creates an instance of a role initializer for the specified role
/// definition if one has been implemented; otherwise returns null
/// </summary>
/// <param name="roleDefinition">The role to find an initializer for</typeparam>
/// <returns>IRoleInitializer if one has been implemented; otherwise null</returns>
public IRoleInitializer Create(IRoleDefinition roleDefinition)
{
if (roleDefinition == null)
{
throw new ArgumentNullException(nameof(roleDefinition));
}
// Never add permission to the super admin role
if (roleDefinition is SuperAdminRole)
{
return(null);
}
var roleInitializerType = typeof(IRoleInitializer <>).MakeGenericType(roleDefinition.GetType());
var roleInitializer = _serviceProvider.GetService(roleInitializerType);
if (roleInitializer != null)
{
return((IRoleInitializer)roleInitializer);
}
else if (roleDefinition is AnonymousRole)
{
// We use a default initializer just for the anonymous role
// as it's the only built in role with permissions
return(new DefaultAnonymousRoleInitializer());
}
return(null);
}
public RoleDefinitionRolePermissionInitializer(IRoleDefinition roleDefinition)
{
if (roleDefinition == null)
{
throw new ArgumentNullException(nameof(roleDefinition));
}
_roleDefinition = roleDefinition;
}
/// <summary>
/// Consructs a new instance of InvalidRoleDefinitionException.
/// </summary>
/// <param name="message">The exception message.</param>
/// <param name="invalidDefinition">The role definition that caused the exception.</param>
/// <param name="allDefinitions">Optional collection of all the role definitions when available.</param>
public InvalidRoleDefinitionException(
string message,
IRoleDefinition invalidDefinition,
IEnumerable <IRoleDefinition> allDefinitions = null
)
: base(message)
{
InvalidDefinition = invalidDefinition;
AllDefinitions = allDefinitions?.ToArray();
}
private Role MapAndAddRole(IRoleDefinition roleDefinition)
{
var dbRole = new Role();
dbRole.Title = roleDefinition.Title.Trim();
dbRole.UserAreaCode = roleDefinition.UserAreaCode;
dbRole.RoleCode = roleDefinition.RoleCode;
_dbContext.Roles.Add(dbRole);
return(dbRole);
}
public IRolePermissionInitializer Create(IRoleDefinition roleDefinition)
{
if (roleDefinition is AnonymousRole)
{
return(new AnonymousRolePermissionInitializer(_serviceProvider));
}
else
{
return(new RoleDefinitionRolePermissionInitializer(roleDefinition));
}
}
private static void ValidateRole(List <Role> existingRoles, IRoleDefinition roleDefinition)
{
if (existingRoles
.Any(r =>
r.Title.Equals(roleDefinition.Title?.Trim(), StringComparison.OrdinalIgnoreCase) &&
r.UserAreaCode == roleDefinition.UserAreaCode)
)
{
throw new UniqueConstraintViolationException($"A role with the title '{ roleDefinition.Title }' already exists", nameof(Role.Title));
}
}
public async Task CreateUpdateDeleteWebRoleDefinitionBatch()
{
//TestCommon.Instance.Mocking = false;
using (var context = await TestCommon.Instance.GetContextAsync(TestCommon.TestSite))
{
context.Web.Load(w => w.RoleDefinitions);
IRoleDefinition roleDefinition = null;
try
{
// get existing role def
var adminRoleDef = context.Web.RoleDefinitions.AsEnumerable().Where(r => r.Name == "Administrator");
Assert.IsNotNull(adminRoleDef);
// Add new one
roleDefinition = await context.Web.RoleDefinitions.AddBatchAsync("Test RoleDef 2", Model.SharePoint.RoleType.Administrator, new Model.SharePoint.PermissionKind[] { Model.SharePoint.PermissionKind.AddAndCustomizePages }, "", false, 0);
await context.ExecuteAsync();
Assert.IsTrue(roleDefinition.Requested);
// grab added role def again from server
var addedRoleDefinition = await context.Web.RoleDefinitions.FirstOrDefaultAsync(d => d.Name == "Test RoleDef 2");
// Remove AddAndCustomizePages role, add other + set description
addedRoleDefinition.BasePermissions.Clear(Model.SharePoint.PermissionKind.AddAndCustomizePages);
addedRoleDefinition.BasePermissions.Set(Model.SharePoint.PermissionKind.AddListItems);
addedRoleDefinition.Description = "hi new role";
await addedRoleDefinition.UpdateBatchAsync();
await context.ExecuteAsync();
// read again from server
addedRoleDefinition = await context.Web.RoleDefinitions.FirstOrDefaultAsync(d => d.Name == "Test RoleDef 2");
// Verify
Assert.IsTrue(addedRoleDefinition.Description == "hi new role");
Assert.IsTrue(addedRoleDefinition.BasePermissions.Has(Model.SharePoint.PermissionKind.AddListItems));
Assert.IsFalse(addedRoleDefinition.BasePermissions.Has(Model.SharePoint.PermissionKind.AddAndCustomizePages));
}
finally
{
if (roleDefinition != null)
{
await roleDefinition.DeleteBatchAsync();
await context.ExecuteAsync();
}
}
}
}
/// <summary>
/// Removes RBAC role assignments for the service principal exposed by IdProvider.
/// </summary>
/// <param name="cancellationToken"></param>
/// <returns></returns>
private async Task RemoveRbacRoleAssignmentsAsync(CancellationToken cancellationToken = default(CancellationToken))
{
if (!this.roleAssignmentIdsToRemove.Any() && !this.roleAssignmentsToRemove.Any())
{
return;
}
else
{
try
{
// Delete using role assignment Ids
//
await Task.WhenAll(roleAssignmentIdsToRemove.Select(async(id) =>
{
await this.rbacManager
.RoleAssignments
.DeleteByIdAsync(id, cancellationToken);
}));
// Delete using role assignment scope and role
//
await Task.WhenAll(roleAssignmentsToRemove.Select(r => r.Value).Select(async(scopeAndRole) =>
{
var scope = scopeAndRole.Item1;
var role = scopeAndRole.Item2;
IRoleDefinition roleDefinition = await this.rbacManager.RoleDefinitions.GetByScopeAndRoleNameAsync(scope, role.ToString(), cancellationToken);
if (roleDefinition != null)
{
var roleAssignments = await this.rbacManager
.RoleAssignments
.ListByScopeAsync(scope, cancellationToken);
var roleAssignment = roleAssignments
.FirstOrDefault(r => r.RoleDefinitionId.Equals(roleDefinition.Id, StringComparison.OrdinalIgnoreCase) &&
r.PrincipalId.Equals(this.idProvider.PrincipalId, StringComparison.OrdinalIgnoreCase));
if (roleAssignment != null)
{
await this.rbacManager
.RoleAssignments
.DeleteByIdAsync(roleAssignment.Id, cancellationToken);
}
}
}));
}
finally
{
roleAssignmentIdsToRemove.Clear();
roleAssignmentsToRemove.Clear();
}
}
}
public CircularDependencyGuard(IRoleDefinition roleDefinition)
{
baseRoleType = roleDefinition.GetType();
_executingRoles.Add(baseRoleType);
}
/**
* Azure Users, Groups and Roles sample.
* - Create a user
* - Assign role to AD user
* - Revoke role from AD user
* - Get role by scope and role name
* - Create service principal
* - Assign role to service principal
* - Create 2 Active Directory groups
* - Add the user, the service principal, and the 1st group as members of the 2nd group
*/
public static void RunSample(Azure.IAuthenticated authenticated)
{
string userEmail = Utilities.CreateRandomName("test");
string userName = userEmail.Replace("test", "Test ");
string spName = Utilities.CreateRandomName("sp");
string raName1 = SdkContext.RandomGuid();
string raName2 = SdkContext.RandomGuid();
string groupEmail1 = Utilities.CreateRandomName("group1");
string groupEmail2 = Utilities.CreateRandomName("group2");
string groupName1 = groupEmail1.Replace("group1", "Group ");
string groupName2 = groupEmail2.Replace("group2", "Group ");
String spId = "";
string subscriptionId = authenticated.Subscriptions.List().First().SubscriptionId;
Utilities.Log("Selected subscription: " + subscriptionId);
// ============================================================
// Create a user
Utilities.Log("Creating an Active Directory user " + userName + "...");
var user = authenticated.ActiveDirectoryUsers
.Define(userName)
.WithEmailAlias(userEmail)
.WithPassword("StrongPass!12")
.Create();
Utilities.Log("Created Active Directory user " + userName);
Utilities.Print(user);
// ============================================================
// Assign role to AD user
IRoleAssignment roleAssignment1 = authenticated.RoleAssignments
.Define(raName1)
.ForUser(user)
.WithBuiltInRole(BuiltInRole.DnsZoneContributor)
.WithSubscriptionScope(subscriptionId)
.Create();
Utilities.Log("Created Role Assignment:");
Utilities.Print(roleAssignment1);
// ============================================================
// Revoke role from AD user
authenticated.RoleAssignments.DeleteById(roleAssignment1.Id);
Utilities.Log("Revoked Role Assignment: " + roleAssignment1.Id);
// ============================================================
// Get role by scope and role name
IRoleDefinition roleDefinition = authenticated.RoleDefinitions
.GetByScopeAndRoleName("subscriptions/" + subscriptionId, "Contributor");
Utilities.Print(roleDefinition);
// ============================================================
// Create Service Principal
IServicePrincipal sp = authenticated.ServicePrincipals.Define(spName)
.WithNewApplication("http://" + spName)
.Create();
// wait till service principal created and propagated
SdkContext.DelayProvider.Delay(15000);
Utilities.Log("Created Service Principal:");
Utilities.Print(sp);
spId = sp.Id;
// ============================================================
// Assign role to Service Principal
string defaultSubscription = authenticated.Subscriptions.List().First().SubscriptionId;
IRoleAssignment roleAssignment2 = authenticated.RoleAssignments
.Define(raName2)
.ForServicePrincipal(sp)
.WithBuiltInRole(BuiltInRole.Contributor)
.WithSubscriptionScope(defaultSubscription)
.Create();
Utilities.Log("Created Role Assignment:");
Utilities.Print(roleAssignment2);
// ============================================================
// Create Active Directory groups
Utilities.Log("Creating Active Directory group " + groupName1 + "...");
var group1 = authenticated.ActiveDirectoryGroups
.Define(groupName1)
.WithEmailAlias(groupEmail1)
.Create();
Utilities.Log("Created Active Directory group " + groupName1);
Utilities.Print(group1);
var group2 = authenticated.ActiveDirectoryGroups
.Define(groupName2)
.WithEmailAlias(groupEmail2)
.Create();
Utilities.Log("Created Active Directory group " + groupName2);
Utilities.Print(group2);
Utilities.Log("Adding group members to group " + groupName2 + "...");
group2.Update()
.WithMember(user)
.WithMember(sp)
.WithMember(group1)
.Apply();
Utilities.Log("Group members added to group " + groupName2);
Utilities.Print(group2);
}
private async Task UpdatePermissions(
Role dbRole,
IRoleDefinition roleDefinition,
RegisterDefinedRolesCommand command,
IEnumerable <IPermission> allPermissions,
List <Permission> allDbPermissions
)
{
var roleInitializer = _roleInitializerFactory.Create(roleDefinition);
if (roleInitializer == null)
{
return;
}
var permissionsToInclude = roleInitializer
.GetPermissions(allPermissions)
.ToList();
// Remove permissions
if (command.UpdateExistingRoles)
{
var permissionsToRemove = dbRole
.RolePermissions
.Where(p => !permissionsToInclude.Any(i => i.GetUniqueCode() == p.Permission.GetUniqueCode()))
.ToList();
foreach (var permissonToRemove in permissionsToRemove)
{
dbRole.RolePermissions.Remove(permissonToRemove);
}
}
if (!permissionsToInclude.Any())
{
return;
}
ValidatePermissions(permissionsToInclude);
// add new permissions
IEnumerable <IPermission> permissionsToAdd;
if (dbRole.RolePermissions.Count == 0)
{
permissionsToAdd = permissionsToInclude;
}
else
{
permissionsToAdd = permissionsToInclude
.Where(i => !dbRole.RolePermissions.Any(p => p.Permission.GetUniqueCode() == i.GetUniqueCode()));
}
foreach (var permissionToAdd in permissionsToAdd)
{
var uniquePermissionCode = permissionToAdd.GetUniqueCode();
var dbPermission = allDbPermissions
.Where(p => uniquePermissionCode == p.GetUniqueCode())
.SingleOrDefault();
// Create if not exists
if (dbPermission == null)
{
dbPermission = new Permission();
dbPermission.PermissionCode = permissionToAdd.PermissionType.Code;
if (permissionToAdd is IEntityPermission)
{
var definitionCode = ((IEntityPermission)permissionToAdd).EntityDefinition.EntityDefinitionCode;
await _commandExecutor.ExecuteAsync(new EnsureEntityDefinitionExistsCommand(definitionCode));
dbPermission.EntityDefinitionCode = definitionCode;
}
allDbPermissions.Add(dbPermission);
_dbContext.Permissions.Add(dbPermission);
}
var rolePermission = new RolePermission();
rolePermission.Permission = dbPermission;
dbRole.RolePermissions.Add(rolePermission);
}
}
private void UpdatePermissions(
Role dbRole,
IRoleDefinition roleDefinition,
IEnumerable <IPermission> codePermissions,
Dictionary <string, Permission> dbPermissions,
Dictionary <string, EntityDefinition> dbEntityDefinitions,
bool allowDeletions
)
{
var roleInitializer = _roleInitializerFactory.Create(roleDefinition);
if (roleInitializer == null)
{
return;
}
var permissionsToInclude = roleInitializer
.GetPermissions(codePermissions)
.ToList();
// Remove permissions
if (allowDeletions)
{
var permissionsToRemove = dbRole
.RolePermissions
.Where(p => !permissionsToInclude.Any(i => i.GetUniqueCode() == p.Permission.GetUniqueCode()))
.ToList();
foreach (var permissonToRemove in permissionsToRemove)
{
dbRole.RolePermissions.Remove(permissonToRemove);
}
}
if (!permissionsToInclude.Any())
{
return;
}
ValidatePermissions(dbRole.RolePermissions, permissionsToInclude);
// add new permissions
IEnumerable <IPermission> permissionsToAdd;
if (dbRole.RolePermissions.Count == 0)
{
permissionsToAdd = permissionsToInclude;
}
else
{
permissionsToAdd = permissionsToInclude
.Where(i => !dbRole.RolePermissions.Any(p => p.Permission.GetUniqueCode() == i.GetUniqueCode()));
}
foreach (var permissionToAdd in permissionsToAdd)
{
var uniquePermissionCode = permissionToAdd.GetUniqueCode();
var dbPermission = dbPermissions.GetOrDefault(uniquePermissionCode);
if (dbPermission == null)
{
throw new Exception("dbPermissions lookup does not contain the specified permission, but was expected: " + uniquePermissionCode);
}
var rolePermission = new RolePermission();
rolePermission.Permission = dbPermission;
dbRole.RolePermissions.Add(rolePermission);
}
}
/**
* Azure Users, Groups and Roles sample.
* - List users
* - Get user by email
* - Assign role to AD user
* - Revoke role from AD user
* - Get role by scope and role name
* - List roles
* - List Active Directory groups.
*/
public static void RunSample(Azure.IAuthenticated authenticated)
{
string subscriptionId = authenticated.Subscriptions.List().First().SubscriptionId;
Utilities.Log("Selected subscription: " + subscriptionId);
string raName1 = SdkContext.RandomGuid();
// ============================================================
// List users
var users = authenticated.ActiveDirectoryUsers.List();
Utilities.Log("Active Directory Users:");
foreach (var user in users)
{
Utilities.Print(user);
}
// ============================================================
// Get user by email
IActiveDirectoryUser adUser = authenticated.ActiveDirectoryUsers.GetByName("*****@*****.**");
Utilities.Log("Found User with email \"[email protected]\": ");
Utilities.Print(adUser);
// ============================================================
// Assign role to AD user
IRoleAssignment roleAssignment1 = authenticated.RoleAssignments
.Define(raName1)
.ForUser(adUser)
.WithBuiltInRole(BuiltInRole.DnsZoneContributor)
.WithSubscriptionScope(subscriptionId)
.Create();
Utilities.Log("Created Role Assignment:");
Utilities.Print(roleAssignment1);
// ============================================================
// Revoke role from AD user
authenticated.RoleAssignments.DeleteById(roleAssignment1.Id);
Utilities.Log("Revoked Role Assignment: " + roleAssignment1.Id);
// ============================================================
// Get role by scope and role name
IRoleDefinition roleDefinition = authenticated.RoleDefinitions
.GetByScopeAndRoleName("subscriptions/" + subscriptionId, "Contributor");
Utilities.Print(roleDefinition);
// ============================================================
// List roles
var roles = authenticated.RoleDefinitions
.ListByScope("subscriptions/" + subscriptionId);
Utilities.Log("Roles: ");
foreach (var role in roles)
{
Utilities.Print(role);
}
// ============================================================
// List Active Directory groups
var groups = authenticated.ActiveDirectoryGroups.List();
Utilities.Log("Active Directory Groups:");
foreach (var group in groups)
{
Utilities.Print(group);
}
}