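        /// <summary>
        /// Sets the role assignments for a user on behalf of the calling user.
        /// The caller must hold <c>EditRoles</c>; granting or revoking the target's
        /// <c>EditRoles</c> or <c>SuperAdmin</c> flag additionally requires the caller
        /// to be a <c>SuperAdmin</c>. Nothing is written unless every check passes.
        /// </summary>
        /// <param name="roles">The roles to set, including the target's UserId and Name.</param>
        /// <returns>A task that completes once the repository update has finished.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="roles"/> is null.</exception>
        /// <exception cref="UnauthorizedAccessException">
        /// The calling user lacks <c>EditRoles</c>, or is not a <c>SuperAdmin</c> and the
        /// request would change the target's <c>EditRoles</c> or <c>SuperAdmin</c> flag.
        /// </exception>
        public async Task SetRoles(IRoleAssignments roles)
        {
            // Fail fast on a null request instead of surfacing a NullReferenceException
            // from roles.UserId further down.
            if (roles == null)
            {
                throw new ArgumentNullException(nameof(roles));
            }

            // Authorization is evaluated for the CALLING user before any target data is read.
            var admin = adminRoles.GetAdminRoles();

            if (!admin.EditRoles)
            {
                throw new UnauthorizedAccessException("User not allowed to edit roles.");
            }

            // NOTE(review): Name comes straight from the request and is handed to UpdateUser
            // alongside the role values. Whether the repository also persists the name is not
            // visible here — confirm a role editor cannot rename the target through this path.
            var targetUser = new User()
            {
                UserId = roles.UserId,
                Name   = roles.Name,
            };

            // Read the target's current roles to detect whether this request would flip either
            // privileged flag. This is a read-then-write: a concurrent change to the target's
            // roles between these two repository calls is not detected.
            var targetRoles = await userRepo.GetUserRoles(targetUser.UserId);

            var targetIsRoleEditor = targetRoles.Contains(AuthorizationAdminRoles.EditRoles);
            var targetIsSuperAdmin = targetRoles.Contains(AuthorizationAdminRoles.SuperAdmin);

            // Only a SuperAdmin may grant or revoke EditRoles or SuperAdmin. The comparison is
            // against the target's CURRENT state, so re-asserting an unchanged flag is allowed
            // for any role editor, while any flip of either flag requires SuperAdmin.
            if ((roles.EditRoles != targetIsRoleEditor) && !admin.SuperAdmin)
            {
                throw new UnauthorizedAccessException("User not allowed to change EditRoles permissions on another user, must be a Super Admin.");
            }

            if ((roles.SuperAdmin != targetIsSuperAdmin) && !admin.SuperAdmin)
            {
                throw new UnauthorizedAccessException("User not allowed to change SuperAdmin permissions on another user, must be a Super Admin.");
            }

            // NOTE(review): nothing above stops a non-SuperAdmin role editor from altering the
            // remaining, non-privileged roles of a SuperAdmin account — confirm that is intended.
            await userRepo.UpdateUser(targetUser, roles.GetRoleValues());
        }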
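        /// <summary>
        /// Verifies, scope by scope, that a role assignment exists where the tool will need
        /// access to the requested key vaults: at the subscription when the whole subscription
        /// is requested, otherwise at each resource group, otherwise at each named vault.
        /// Exits the process with a list of every scope that lacks an assignment.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the check only counts role assignments whose <c>Scope</c> equals the
        /// expected path. It never inspects <c>RoleDefinitionId</c> or <c>PrincipalId</c>, so
        /// on its own it does not prove that the Contributor role was granted to the running
        /// application rather than some other role to some other principal. If the listing
        /// returns assignments for all principals, tighten this by filtering on the app's
        /// principal and the Contributor role definition.
        /// </remarks>
        /// <param name="vaultList">The data obtained from deserializing json file</param>
        /// <param name="azureClient">The IAzure client used to access role assignments</param>
        public void checkAccess(JsonInput vaultList, Microsoft.Azure.Management.Fluent.Azure.IAuthenticated azureClient)
        {
            log.Info("Verifying access to Vaults...");
            List<string>     accessNeeded  = new List<string>();
            IRoleAssignments accessControl = azureClient.RoleAssignments;

            foreach (Resource res in vaultList.Resources)
            {
                try
                {
                    string subsPath = Constants.SUBS_PATH + res.SubscriptionId;

                    // Group the subscription's assignments by scope. ARM resource IDs are
                    // case-insensitive while the paths built below come from user-typed names,
                    // so scopes are compared ignoring case.
                    // (Relies on ListByScope at subscription scope also returning assignments
                    // made at child scopes — resource groups and vaults.)
                    var roleAssignments = accessControl
                        .ListByScope(subsPath)
                        .ToLookup(r => r.Inner.Scope, System.StringComparer.OrdinalIgnoreCase);

                    if (roleAssignments[subsPath].Any())
                    {
                        // A subscription-scope assignment covers everything beneath it.
                        continue;
                    }

                    if (res.ResourceGroups.Count == 0)
                    {
                        // Whole subscription requested: only a subscription-scope grant will do.
                        accessNeeded.Add(subsPath);
                        continue;
                    }

                    foreach (ResourceGroup resGroup in res.ResourceGroups)
                    {
                        string resGroupPath = subsPath + Constants.RESGROUP_PATH + resGroup.ResourceGroupName;
                        if (roleAssignments[resGroupPath].Any())
                        {
                            continue;
                        }

                        if (resGroup.KeyVaults.Count == 0)
                        {
                            // Whole resource group requested: report the resource-group scope,
                            // the narrowest grant that satisfies it, consistent with how the
                            // subscription and vault branches report their own scope.
                            accessNeeded.Add(resGroupPath);
                            continue;
                        }

                        foreach (string vaultName in resGroup.KeyVaults)
                        {
                            string vaultPath = resGroupPath + Constants.VAULT_PATH + vaultName;
                            if (!roleAssignments[vaultPath].Any())
                            {
                                accessNeeded.Add(vaultPath);
                            }
                        }
                    }
                }
                catch (CloudException e)
                {
                    // NOTE(review): every CloudException is reported as SubscriptionNotFound,
                    // including an authorization failure from ListByScope; consider inspecting
                    // the error code before choosing the message.
                    log.Error("SubscriptionNotFound");
                    log.Debug($"{e.Message}. Please verify that your SubscriptionId is valid.");
                    Exit(e.Message);
                }
            }

            if (accessNeeded.Count != 0)
            {
                log.Error("AuthorizationFail");
                log.Debug($"Contributor access is needed on the following scope(s): \n{string.Join("\n", accessNeeded)}. \nEnsure that your ResourceGroup and KeyVault names are spelled correctly " +
                          $"before proceeding. Note that if you are retrieving specific KeyVaults, your AAD must be granted access at either the KeyVault, ResourceGroup, Subscription level. " +
                          $"If you are retrieving all of the KeyVaults from a ResourceGroup, your AAD must be granted access at either the ResourceGroup or Subscription level. " +
                          $"If you are retrieving all of the KeyVaults from a SubscriptionId, your AAD must be granted access at the Subscription level. " +
                          $"Refer to the 'Granting Access to the AAD Application' section for more information on granting this access: https://github.com/microsoft/Managing-RBAC-in-Azure/blob/master/README.md");
                Exit($"Contributor access is needed on the following scope(s): \n{string.Join("\n", accessNeeded)}");
            }
            log.Info("Access verified!");
        }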