/// <summary>
 /// Creates or updates a role definition.
 /// </summary>
 /// <param name='operations'>
 /// Reference to the
 /// Microsoft.Azure.Management.Authorization.IRoleDefinitionOperations.
 /// </param>
 /// <param name='roleDefinitionId'>
 /// Required. Role definition id.
 /// </param>
 /// <param name='parameters'>
 /// Required. Role definition.
 /// </param>
 /// <returns>
 /// Role definition create or update operation result.
 /// </returns>
 public static Task <RoleDefinitionCreateOrUpdateResult> CreateOrUpdateAsync(this IRoleDefinitionOperations operations, Guid roleDefinitionId, RoleDefinitionCreateOrUpdateParameters parameters)
 {
     return(operations.CreateOrUpdateAsync(roleDefinitionId, parameters, CancellationToken.None));
 }
Exemplo n.º 2
0
        public void RoleDefinitionCreateTests()
        {
            const string RoleDefIdPrefix = "/providers/Microsoft.Authorization/roleDefinitions/";

            using (UndoContext context = UndoContext.Current)
            {
                context.Start();
                var client = testContext.GetAuthorizationManagementClient();

                RoleDefinitionCreateOrUpdateParameters createOrUpdateParams;
                var    roleDefinitionId      = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition1");
                string currentSubscriptionId = "/subscriptions/" + client.Credentials.SubscriptionId;
                string fullRoleId            = currentSubscriptionId + RoleDefIdPrefix + roleDefinitionId;

                Guid   newRoleId          = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition2");
                var    resourceGroup      = "newtestrg";
                string resourceGroupScope = currentSubscriptionId + "/resourceGroups/" + resourceGroup;

                // Create a custom role definition
                try
                {
                    createOrUpdateParams = new RoleDefinitionCreateOrUpdateParameters()
                    {
                        RoleDefinition = new RoleDefinition()
                        {
                            Properties = new RoleDefinitionProperties()
                            {
                                RoleName    = "NewRoleName_" + roleDefinitionId.ToString(),
                                Description = "New Test Custom Role",
                                Permissions = new List <Permission>()
                                {
                                    new Permission()
                                    {
                                        Actions = new List <string> {
                                            "Microsoft.Authorization/*/Read"
                                        }
                                    }
                                },
                                AssignableScopes = new List <string>()
                                {
                                    currentSubscriptionId
                                },
                            },
                        }
                    };

                    var roleDefinition = client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);

                    // Validate the roleDefinition properties.
                    Assert.NotNull(roleDefinition);
                    Assert.NotNull(roleDefinition.RoleDefinition);
                    Assert.Equal(fullRoleId, roleDefinition.RoleDefinition.Id);
                    Assert.Equal(roleDefinitionId, roleDefinition.RoleDefinition.Name);
                    Assert.NotNull(roleDefinition.RoleDefinition.Properties);
                    Assert.Equal("CustomRole", roleDefinition.RoleDefinition.Properties.Type);
                    Assert.Equal("New Test Custom Role", roleDefinition.RoleDefinition.Properties.Description);
                    Assert.NotEmpty(roleDefinition.RoleDefinition.Properties.AssignableScopes);
                    Assert.Equal(currentSubscriptionId.ToLower(), roleDefinition.RoleDefinition.Properties.AssignableScopes.Single().ToLower());
                    Assert.NotEmpty(roleDefinition.RoleDefinition.Properties.Permissions);
                    Assert.Equal("Microsoft.Authorization/*/Read", roleDefinition.RoleDefinition.Properties.Permissions.Single().Actions.Single());

                    // create resource group
                    var resourceClient = PermissionsTests.GetResourceManagementClient();
                    resourceClient.ResourceGroups.CreateOrUpdate(resourceGroup, new Microsoft.Azure.Management.Resources.Models.ResourceGroup {
                        Location = "westus"
                    });
                    createOrUpdateParams.RoleDefinition.Properties.AssignableScopes = new List <string> {
                        resourceGroupScope
                    };
                    createOrUpdateParams.RoleDefinition.Properties.RoleName = "NewRoleName_" + newRoleId.ToString();

                    roleDefinition = client.RoleDefinitions.CreateOrUpdate(newRoleId, resourceGroupScope, createOrUpdateParams);
                    Assert.NotNull(roleDefinition);
                }
                finally
                {
                    var deleteResult = client.RoleDefinitions.Delete(roleDefinitionId, currentSubscriptionId);
                    Assert.NotNull(deleteResult);

                    deleteResult = client.RoleDefinitions.Delete(newRoleId, resourceGroupScope);
                    Assert.NotNull(deleteResult);
                }


                TestUtilities.Wait(1000 * 15);

                // Negative test - create a roledefinition with same name (but different id) as an already existing custom role
                try
                {
                    client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
                    var roleDefinition2Id = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition3");
                    client.RoleDefinitions.CreateOrUpdate(roleDefinition2Id, currentSubscriptionId, createOrUpdateParams);
                }
                catch (CloudException ce)
                {
                    Assert.Equal("RoleDefinitionWithSameNameExists", ce.Error.Code);
                    Assert.Equal(HttpStatusCode.Conflict, ce.Response.StatusCode);
                }
                finally
                {
                    var deleteResult = client.RoleDefinitions.Delete(roleDefinitionId, currentSubscriptionId);
                    Assert.NotNull(deleteResult);
                }

                // Negative test - create a roledefinition with same id as a built-in role
                try
                {
                    var allRoleDefinitions = client.RoleDefinitions.List();
                    Assert.NotNull(allRoleDefinitions);
                    Assert.NotNull(allRoleDefinitions.RoleDefinitions);
                    RoleDefinition builtInRole = allRoleDefinitions.RoleDefinitions.First(x => x.Properties.Type == "BuiltInRole");

                    createOrUpdateParams.RoleDefinition.Properties.RoleName = "NewRoleName_" + builtInRole.Name.ToString();
                    client.RoleDefinitions.CreateOrUpdate(builtInRole.Name, currentSubscriptionId, createOrUpdateParams);
                }
                catch (CloudException ce)
                {
                    Assert.Equal("RoleDefinitionExists", ce.Error.Code);
                    Assert.Equal(HttpStatusCode.Conflict, ce.Response.StatusCode);
                }

                // Negative test - create a roledefinition with type=BuiltInRole
                createOrUpdateParams.RoleDefinition.Properties.Type = "BuiltInRole";

                try
                {
                    client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
                }
                catch (CloudException ce)
                {
                    Assert.Equal("InvalidRoleDefinitionType", ce.Error.Code);
                    Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
                }

                // Negative Test - create a custom role with empty role name
                // reset the role type
                createOrUpdateParams.RoleDefinition.Properties.Type     = null;
                createOrUpdateParams.RoleDefinition.Properties.RoleName = string.Empty;

                try
                {
                    client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
                }
                catch (CloudException ce)
                {
                    Assert.Equal("RoleDefinitionNameNullOrEmpty", ce.Error.Code);
                    Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
                }

                // Negative Test - create a custom role with empty assignable scopes
                // reset the role name
                createOrUpdateParams.RoleDefinition.Properties.RoleName         = "NewRoleName_" + roleDefinitionId.ToString();
                createOrUpdateParams.RoleDefinition.Properties.AssignableScopes = new List <string>();

                try
                {
                    client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
                }
                catch (CloudException ce)
                {
                    Assert.Equal("MissingAssignableScopes", ce.Error.Code);
                    Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
                }

                // Negative Test - create a custom role with invalid value for assignable scopes
                createOrUpdateParams.RoleDefinition.Properties.AssignableScopes.Add("Invalid_Scope");

                try
                {
                    client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
                }
                catch (CloudException ce)
                {
                    Assert.Equal("LinkedInvalidPropertyId", ce.Error.Code);
                    Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
                }

                // Negative Test - create a custom role with empty permissions
                // reset assignable scopes

                /* TODO: Uncomment the below test case when PAS/PAS-RP determine whether to implement blocking of
                 * create with empty Permission list
                 */
                ////createOrUpdateParams.RoleDefinition.Properties.AssignableScopes.Remove("Invalid_Scope");
                ////createOrUpdateParams.RoleDefinition.Properties.AssignableScopes.Add(currentSubscriptionId);
                ////createOrUpdateParams.RoleDefinition.Properties.Permissions = new List<Permission>();

                ////try
                ////{
                ////    client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, createOrUpdateParams);
                ////}
                ////catch (CloudException ce)
                ////{
                ////    Assert.Equal("AssignableScopeNotUnderSubscriptionScope", ce.Error.Code);
                ////    Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
                ////}

                TestUtilities.EndTest();
            }
        }
 /// <summary>
 /// Creates or updates a role definition.
 /// </summary>
 /// <param name='operations'>
 /// Reference to the
 /// Microsoft.Azure.Management.Authorization.IRoleDefinitionOperations.
 /// </param>
 /// <param name='roleDefinitionId'>
 /// Required. Role definition id.
 /// </param>
 /// <param name='parameters'>
 /// Required. Role definition.
 /// </param>
 /// <returns>
 /// Role definition create or update operation result.
 /// </returns>
 public static RoleDefinitionCreateOrUpdateResult CreateOrUpdate(this IRoleDefinitionOperations operations, Guid roleDefinitionId, RoleDefinitionCreateOrUpdateParameters parameters)
 {
     return(Task.Factory.StartNew((object s) =>
     {
         return ((IRoleDefinitionOperations)s).CreateOrUpdateAsync(roleDefinitionId, parameters);
     }
                                  , operations, CancellationToken.None, TaskCreationOptions.None, TaskScheduler.Default).Unwrap().GetAwaiter().GetResult());
 }
Exemplo n.º 4
0
        public void RoleDefinitionUpdateTests()
        {
            using (UndoContext context = UndoContext.Current)
            {
                context.Start();
                var client = testContext.GetAuthorizationManagementClient();

                RoleDefinitionCreateOrUpdateParameters createOrUpdateParams;
                var    roleDefinitionId      = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition");
                string currentSubscriptionId = "/subscriptions/" + client.Credentials.SubscriptionId;

                // Create a custom role definition
                try
                {
                    createOrUpdateParams = new RoleDefinitionCreateOrUpdateParameters()
                    {
                        RoleDefinition = new RoleDefinition()
                        {
                            // Name = roleDefinitionId,
                            Properties = new RoleDefinitionProperties()
                            {
                                RoleName    = "NewRoleName_" + roleDefinitionId.ToString(),
                                Description = "New Test Custom Role",
                                Permissions = new List <Permission>()
                                {
                                    new Permission()
                                    {
                                        Actions = new List <string> {
                                            "Microsoft.Authorization/*/Read"
                                        }
                                    }
                                },
                                AssignableScopes = new List <string>()
                                {
                                    currentSubscriptionId
                                },
                            },
                        }
                    };

                    var roleDefinition = client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);

                    // Update role name, permissions for the custom role
                    createOrUpdateParams.RoleDefinition.Properties.RoleName = "UpdatedRoleName_" + roleDefinitionId.ToString();
                    createOrUpdateParams.RoleDefinition.Properties.Permissions.Single().Actions.Add("Microsoft.Support/*/read");

                    var updatedRoleDefinition = client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);

                    // Validate the updated roleDefinition properties.
                    Assert.NotNull(updatedRoleDefinition);
                    Assert.NotNull(updatedRoleDefinition.RoleDefinition);
                    Assert.Equal(updatedRoleDefinition.RoleDefinition.Id, roleDefinition.RoleDefinition.Id);
                    Assert.Equal(updatedRoleDefinition.RoleDefinition.Name, roleDefinition.RoleDefinition.Name);
                    // Role name and permissions should be updated
                    Assert.Equal("UpdatedRoleName_" + roleDefinitionId.ToString(), updatedRoleDefinition.RoleDefinition.Properties.RoleName);
                    Assert.NotEmpty(updatedRoleDefinition.RoleDefinition.Properties.Permissions);
                    Assert.Equal("Microsoft.Authorization/*/Read", updatedRoleDefinition.RoleDefinition.Properties.Permissions.Single().Actions.First());
                    Assert.Equal("Microsoft.Support/*/read", updatedRoleDefinition.RoleDefinition.Properties.Permissions.Single().Actions.Last());
                    // Same assignable scopes
                    Assert.NotEmpty(updatedRoleDefinition.RoleDefinition.Properties.AssignableScopes);
                    Assert.Equal(currentSubscriptionId.ToLower(), updatedRoleDefinition.RoleDefinition.Properties.AssignableScopes.Single().ToLower());

                    // Negative test: Update the role with an empty RoleName
                    createOrUpdateParams.RoleDefinition.Properties.RoleName = null;

                    try
                    {
                        client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams);
                    }
                    catch (CloudException ce)
                    {
                        Assert.Equal("RoleDefinitionNameNullOrEmpty", ce.Error.Code);
                        Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode);
                    }
                }
                finally
                {
                    var deleteResult = client.RoleDefinitions.Delete(roleDefinitionId, currentSubscriptionId);
                    Assert.NotNull(deleteResult);
                }

                TestUtilities.EndTest();
            }
        }