private async Task <ResourceAccessRuleSet> DownloadBlobAsync(string id, string eTag)
{
BlockBlobClient blob = this.Container.GetBlockBlobClient(id);
// Can't use DownloadContentAsync because of https://github.com/Azure/azure-sdk-for-net/issues/22598
try
{
Response <BlobDownloadStreamingResult> response = await blob.DownloadStreamingAsync(
conditions : string.IsNullOrEmpty(eTag)?null : new BlobRequestConditions {
IfNoneMatch = new ETag(eTag !)
})
.ConfigureAwait(false);
int status = response.GetRawResponse().Status;
if (status == 304)
{
// NOP - we are quite happy to ignore that, as the blob hasn't changed.
return(null);
}
// Note: it is technically possible to use System.Text.Json to work directly from
// the UTF-8 data, which is more efficient than decoding to a .NET UTF-16 string
// first. However, we have to do this for the time being because we are in the world of
// IJsonSerializerSettingsProvider, where all serialization options are managed in
// terms of JSON.NET.
using BlobDownloadStreamingResult blobDownloadStreamingResult = response.Value;
BinaryData data = await BinaryData.FromStreamAsync(blobDownloadStreamingResult.Content).ConfigureAwait(false);
string ruleSetJson = data.ToString();
ResourceAccessRuleSet ruleSet = JsonConvert.DeserializeObject <ResourceAccessRuleSet>(ruleSetJson, this.serializerSettings);
ruleSet.ETag = response.Value.Details.ETag.ToString("G");
return(ruleSet);
}
public async Task <OpenApiResult> CreateResourceAccessRuleSetAsync(
string tenantId,
ResourceAccessRuleSet body)
{
ITenant tenant = await this.tenancyHelper.GetRequestingTenantAsync(tenantId).ConfigureAwait(false);
IResourceAccessRuleSetStore store = await this.permissionsStoreFactory.GetResourceAccessRuleSetStoreAsync(tenant).ConfigureAwait(false);
ResourceAccessRuleSet result = await store.PersistAsync(body).ConfigureAwait(false);
return(this.OkResult(result, "application/json"));
}
public async Task <OpenApiResult> GetResourceAccessRuleSetAsync(
string tenantId,
string resourceAccessRuleSetId)
{
ITenant tenant = await this.tenancyHelper.GetRequestingTenantAsync(tenantId).ConfigureAwait(false);
IResourceAccessRuleSetStore store = await this.permissionsStoreFactory.GetResourceAccessRuleSetStoreAsync(tenant).ConfigureAwait(false);
try
{
ResourceAccessRuleSet result = await store.GetAsync(resourceAccessRuleSetId).ConfigureAwait(false);
return(this.OkResult(result, "application/json"));
}
catch (ResourceAccessRuleSetNotFoundException)
{
return(this.NotFoundResult());
}
}
/// <inheritdoc/>
public async Task <ResourceAccessRuleSet> PersistAsync(ResourceAccessRuleSet ruleSet)
{
if (ruleSet is null)
{
throw new ArgumentNullException(nameof(ruleSet));
}
BlockBlobClient blob = this.Container.GetBlockBlobClient(ruleSet.Id);
string serializedPermissions = JsonConvert.SerializeObject(ruleSet, this.serializerSettings);
using var content = BinaryData.FromString(serializedPermissions).ToStream();
Response <BlobContentInfo> response = await blob.UploadAsync(
content,
new BlobUploadOptions { Conditions = new BlobRequestConditions {
IfMatch = new ETag(ruleSet.ETag)
} })
.ConfigureAwait(false);
ruleSet.ETag = response.Value.ETag.ToString("G");
return(ruleSet);
}
private async Task <int> OnExecuteAsync(CommandLineApplication app, CancellationToken cancellationToken = default)
{
RulesetsAndClaimPermissions input = JsonConvert.DeserializeObject <RulesetsAndClaimPermissions>(
File.ReadAllText(this.FilePath));
ClaimsService claimsClient;
if (string.IsNullOrEmpty(this.MarainClaimsHeaderRoleValue))
{
var authenticationOptions = AuthenticationOptions.BuildFrom(this.UseAzCliDevAuth, this.TenantId);
ServiceClientCredentials credentials = await authenticationOptions.GetServiceClientCredentialsFromKeyVault(
this.ClaimsAppId, this.KeyVault, this.SecretName).ConfigureAwait(false);
claimsClient = new ClaimsService(new Uri(this.ClaimsServiceUrl), credentials);
}
else
{
claimsClient = new ClaimsService(new Uri(this.ClaimsServiceUrl), new BasicAuthenticationCredentials());
claimsClient.HttpClient.DefaultRequestHeaders.Add("X-MARAIN-CLAIMS", $"{{ \"roles\": [ \"{this.MarainClaimsHeaderRoleValue}\" ] }}");
}
using (claimsClient)
{
foreach (ResourceAccessRuleSet ruleSet in input.RuleSets)
{
try
{
app.Out.WriteLine($"Ruleset {ruleSet.Id} ('{ruleSet.DisplayName}')");
HttpOperationResponse <ResourceAccessRuleSet> result = await claimsClient.GetResourceAccessRuleSetWithHttpMessagesAsync(
ruleSet.Id, this.MarainTenantId, cancellationToken : cancellationToken).ConfigureAwait(false);
if (result.Response.StatusCode == HttpStatusCode.NotFound)
{
app.Error.WriteLine("Does not yet exist. Creating.");
var request = new ResourceAccessRuleSet
{
Id = ruleSet.Id,
DisplayName = ruleSet.DisplayName,
Rules = ruleSet.Rules,
};
await claimsClient.CreateResourceAccessRuleSetAsync(
this.MarainTenantId, request, cancellationToken : cancellationToken).ConfigureAwait(false);
}
else if (result.Response.IsSuccessStatusCode)
{
app.Out.WriteLine("Already exists. Updating.");
await claimsClient.SetResourceAccessRuleSetResourceAccessRulesAsync(
this.MarainTenantId, ruleSet.Id, ruleSet.Rules, cancellationToken : cancellationToken).ConfigureAwait(false);
}
else
{
app.Error.WriteLine("Error: " + result.Response.StatusCode);
string body = await result.Response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
if (!string.IsNullOrWhiteSpace(body))
{
app.Error.WriteLine(body);
}
}
}
catch (Exception x)
{
app.Error.WriteLine(x);
return(-1);
}
}
foreach (CreateClaimPermissionsRequest claimPermissions in input.ClaimPermissions)
{
try
{
app.Out.WriteLine($"Claim Permissions {claimPermissions.Id}");
HttpOperationResponse <ClaimPermissions> result = await claimsClient.GetClaimPermissionsWithHttpMessagesAsync(
claimPermissions.Id, this.MarainTenantId, cancellationToken : cancellationToken).ConfigureAwait(false);
if (result.Response.StatusCode == HttpStatusCode.NotFound)
{
app.Out.WriteLine("Does not yet exist. Creating.");
var request = new CreateClaimPermissionsRequest
{
Id = claimPermissions.Id,
ResourceAccessRules = claimPermissions.ResourceAccessRules,
ResourceAccessRuleSets = claimPermissions.ResourceAccessRuleSets,
};
await claimsClient.CreateClaimPermissionsAsync(
this.MarainTenantId, request, cancellationToken : cancellationToken).ConfigureAwait(false);
}
else if (result.Response.IsSuccessStatusCode)
{
app.Out.WriteLine("Already exists. Updating resource access rules.");
await claimsClient.SetClaimPermissionsResourceAccessRulesAsync(
this.MarainTenantId,
claimPermissions.Id,
claimPermissions.ResourceAccessRules,
cancellationToken : cancellationToken).ConfigureAwait(false);
app.Out.WriteLine("Updating resource access rule sets");
var ruleSetIds = claimPermissions
.ResourceAccessRuleSets
.Select(rs => new ResourceAccessRuleSetIdOnly(rs.Id))
.ToList();
await claimsClient.SetClaimPermissionsResourceAccessRuleSetsAsync(
this.MarainTenantId,
claimPermissions.Id,
ruleSetIds,
cancellationToken : cancellationToken).ConfigureAwait(false);
}
else
{
app.Error.WriteLine("Error: " + result.Response.StatusCode);
string body = await result.Response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
if (!string.IsNullOrWhiteSpace(body))
{
app.Error.WriteLine(body);
}
}
}
catch (Exception x)
{
app.Error.WriteLine(x);
return(-1);
}
}
}
return(0);
}
/// <summary>
/// Create a resource access rule set
/// </summary>
/// <remarks>
/// Creates a resource access rule set
/// </remarks>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='tenantId'>
/// The tenant within which the request should operate
/// </param>
/// <param name='body'>
/// </param>
/// <param name='cancellationToken'>
/// The cancellation token.
/// </param>
public static async Task <object> CreateResourceAccessRuleSetAsync(this IClaimsService operations, string tenantId, ResourceAccessRuleSet body, CancellationToken cancellationToken = default(CancellationToken))
{
using (var _result = await operations.CreateResourceAccessRuleSetWithHttpMessagesAsync(tenantId, body, null, cancellationToken).ConfigureAwait(false))
{
return(_result.Body);
}
}
/// <summary>
/// Create a resource access rule set
/// </summary>
/// <remarks>
/// Creates a resource access rule set
/// </remarks>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='tenantId'>
/// The tenant within which the request should operate
/// </param>
/// <param name='body'>
/// </param>
public static object CreateResourceAccessRuleSet(this IClaimsService operations, string tenantId, ResourceAccessRuleSet body)
{
return(operations.CreateResourceAccessRuleSetAsync(tenantId, body).GetAwaiter().GetResult());
}
/// <inheritdoc/>
public async Task <(int HttpStatusCode, ResourceAccessRuleSet Result)> CreateResourceAccessRuleSetAsync(ResourceAccessRuleSet newClaimPermissions)
{
OpenApiResult result = await this.ruleSetService.CreateResourceAccessRuleSetAsync(
this.testTenants.TransientClientTenantId, newClaimPermissions);
result.Results.TryGetValue("application/json", out object claimPermissions);
return(result.StatusCode, claimPermissions as ResourceAccessRuleSet);
}
