private async Task AssignRolesToUser(Guid objectId, RenderingEnvironment environment, EnvironmentRoleAssignments roleAssignments)
{
var identity = new Identity.Identity {
ObjectId = objectId
};
// Assign RG permissions
// We want to give the correct permissions to the environment RG,
// but we also need to give Reader permissions to the other RGs so
// we can query cost information.
// ResourceId => RoleName
var resourceIdsToRoles = environment.ExtractResourceGroupNames().ToDictionary(
rgName => $"/subscriptions/{environment.SubscriptionId}/resourceGroups/{rgName}",
rgName => rgName == environment.ResourceGroupName ? roleAssignments.EnvironmentResourceGroupRole : "Reader");
// Add the explicit resource roles
resourceIdsToRoles[environment.BatchAccount.ResourceId] = roleAssignments.BatchRole;
resourceIdsToRoles[environment.StorageAccount.ResourceId] = roleAssignments.StorageRole;
resourceIdsToRoles[environment.KeyVault.ResourceId] = roleAssignments.KeyVaultRole;
resourceIdsToRoles[environment.ApplicationInsightsAccount.ResourceId] = roleAssignments.ApplicationInsightsRole;
resourceIdsToRoles[environment.Subnet.VnetResourceId] = roleAssignments.VNetRole;
await Task.WhenAll(resourceIdsToRoles.Select(
kvp => _azureResourceProvider.AssignRoleToIdentityAsync(
environment.SubscriptionId,
kvp.Key, // ResourceId/scope
kvp.Value, // Role
identity)));
}
public bool IsSubscribed(Identity.Identity identity)
{
bool r = false;
if (IsAvailable)
{
var input = new PerceptiveMCAPI.Types.listMemberInfoInput(APIKey, ListId, identity.Email);
var output = new PerceptiveMCAPI.Methods.listMemberInfo(input).Execute();
r = output.result.status == EnumValues.listMembers_status.subscribed;
}
return(r);
}
public bool Unsubscribe(Identity.Identity identity)
{
bool r = false;
if (IsAvailable)
{
var input = new PerceptiveMCAPI.Types.listUnsubscribeInput(APIKey, ListId, identity.Email, false, false, false);
var output = new PerceptiveMCAPI.Methods.listUnsubscribe(input).Execute();
r = output.result;
}
return(r);
}
public async Task AssignManagementIdentityAsync(
Guid subscriptionId,
string resourceId,
string role,
Identity.Identity managementIdentity)
{
await AssignRoleToResource(
subscriptionId,
resourceId,
role,
managementIdentity);
}
public async Task <Vault> CreateKeyVaultAsync(
Identity.Identity portalIdentity,
Identity.Identity ownerIdentity,
Guid subscriptionId,
string resourceGroupName,
string location,
string keyVaultName,
string environmentName)
{
await RegisterProvider(subscriptionId, "Microsoft.KeyVault");
var accessToken = await GetAccessToken();
var token = new TokenCredentials(accessToken);
var kvClient = new KeyVaultManagementClient(token)
{
SubscriptionId = subscriptionId.ToString()
};
var permissions = new Microsoft.Azure.Management.KeyVault.Models.Permissions(
secrets: new[] { "get", "list", "set", "delete" },
certificates: new[] { "get", "list", "update", "delete", "create", "import" });
var accessPolicies = new[]
{
// Portal MSI
new AccessPolicyEntry(
portalIdentity.TenantId,
portalIdentity.ObjectId.ToString(),
permissions),
// Owner
new AccessPolicyEntry(
ownerIdentity.TenantId,
ownerIdentity.ObjectId.ToString(),
permissions)
};
// TODO - Make SKU configurable
var kvParams = new VaultCreateOrUpdateParameters(
location,
new VaultProperties(
portalIdentity.TenantId,
new Microsoft.Azure.Management.KeyVault.Models.Sku(Microsoft.Azure.Management.KeyVault.Models.SkuName.Standard), accessPolicies),
GetEnvironmentTags(environmentName));
return(await kvClient.Vaults.CreateOrUpdateAsync(
resourceGroupName,
keyVaultName,
kvParams));
}
public bool Subscribe(Identity.Identity identity)
{
bool r = false;
if (IsAvailable)
{
Dictionary <string, object> mergeVars = new Dictionary <string, object>();
mergeVars.Add("FullName", identity.FullName);
var input = new PerceptiveMCAPI.Types.listSubscribeInput(APIKey, ListId, identity.Email, mergeVars, EnumValues.emailType.html, false, true, true, false);
var output = new PerceptiveMCAPI.Methods.listSubscribe(input).Execute();
r = output.result;
}
return(r);
}
public void SendRegistrationEmail(Identity.Identity user)
{
using (var context = new Data.SizeUpContext())
{
var strings = context.ResourceStrings.Where(i => i.Name.StartsWith("Registration.Email")).ToList();
var template = strings.Where(i => i.Name == "Registration.Email.Body").Select(i => i.Value).FirstOrDefault();
var subject = strings.Where(i => i.Name == "Registration.Email.Subject").Select(i => i.Value).FirstOrDefault();
var uri = HttpContext.Current.Request.Url;
var t = Templates.TemplateFactory.GetTemplate(template);
t.Add("User", user);
t.Add("ConfirmKey", HttpContext.Current.Server.UrlEncode(user.GetEncryptedToken()));
t.Add("OptOutKey", HttpContext.Current.Server.UrlEncode(user.GetEncryptedToken()));
t.Add("AppDomain", uri.Scheme + Uri.SchemeDelimiter + uri.Host + ":" + uri.Port);
string body = t.Render();
SendMail(user.Email, subject, body);
}
}
public async Task AssignRoleToIdentityAsync(
Guid subscriptionId,
string scope,
string role,
Identity.Identity identity)
{
var accessToken = await GetAccessToken();
var token = new TokenCredentials(accessToken);
var authClient = new AuthorizationManagementClient(token, _httpClientFactory.CreateClient(), false)
{
SubscriptionId = subscriptionId.ToString()
};
var result = await GetRoleDefinitions(authClient, scope);
var roleDefs = result.Where(rd => rd.RoleName == role).ToList();
var roleDef = roleDefs.FirstOrDefault();
if (roleDef == null)
{
throw new Exception($"No {role} role definition found for resource group");
}
var roleAssignments = await GetRoleAssignmentsForUser(
authClient,
scope,
identity.ObjectId.ToString(),
roleDefs);
if (roleAssignments.All(ra => ra.RoleDefinitionId != roleDef.Id))
{
try
{
await authClient.RoleAssignments.CreateAsync(
scope,
Guid.NewGuid().ToString(),
new RoleAssignmentCreateParameters(roleDef.Id, identity.ObjectId.ToString()));
}
catch (CloudException ce) when(ce.Body?.Code == "RoleAssignmentExists")
{
// Ignore
}
}
}
public void SendResetPasswordEmail(Identity.Identity user)
{
using (var context = new Data.SizeUpContext())
{
var strings = context.ResourceStrings.Where(i => i.Name.StartsWith("PasswordReset.Email")).ToList();
var template = strings.Where(i => i.Name == "PasswordReset.Email.Body").Select(i => i.Value).FirstOrDefault();
var subject = strings.Where(i => i.Name == "PasswordReset.Email.Subject").Select(i => i.Value).FirstOrDefault();
var uri = HttpContext.Current.Request.Url;
var t = Templates.TemplateFactory.GetTemplate(template);
t.Add("User", user);
t.Add("PasswordResetKey", HttpContext.Current.Server.UrlEncode(user.GetEncryptedToken()));
t.Add("OptOutKey", HttpContext.Current.Server.UrlEncode(user.GetEncryptedToken()));
//t.Add("AppDomain", uri.Scheme + Uri.SchemeDelimiter + uri.Host + ":" + uri.Port);
//t.Add("AppDomain", (HttpContext.Current.Request.IsSecureConnection ? "https" : "http") + Uri.SchemeDelimiter + uri.Host);
t.Add("AppDomain", (ConfigurationManager.AppSettings["HostingEnvironment"] == "LOCALHOST" ? "http" : "https") + Uri.SchemeDelimiter + uri.Host);
string body = t.Render();
SendMail(user.Email, subject, body);
}
}
public LoginResult(bool success, Identity.Identity identity, UserLoginMessage messageToPublish)
{
Success = success;
Identity = identity;
MessageToPublish = messageToPublish;
}
public Task <Vault> CreateKeyVaultAsync(Identity.Identity portalIdentity, Identity.Identity ownerIdentity, Guid subscriptionId, string resourceGroupName, string location, string keyVaultName, string environmentName)
{
throw new NotImplementedException();
}
public Task AssignRoleToIdentityAsync(Guid subscriptionId, string resourceId, string role, Identity.Identity identity)
{
throw new NotImplementedException();
}
