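/// <summary>
/// Set the role assignments for a user. Will not happen if the calling user does not have permission.
/// </summary>
/// <param name="roles">The roles to set. Must not be null.</param>
/// <returns>A task that completes once the target user's roles have been written through <c>userRepo</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="roles"/> is null.</exception>
/// <exception cref="UnauthorizedAccessException">
/// The calling user does not hold the EditRoles role, or attempts to change the target's EditRoles or
/// SuperAdmin flag without being a SuperAdmin.
/// </exception>
public async Task SetRoles(IRoleAssignments roles)
{
    if (roles == null)
    {
        throw new ArgumentNullException(nameof(roles));
    }

    // Authorization is evaluated for the *calling* user first; nothing is read or written before this check.
    var admin = adminRoles.GetAdminRoles();
    if (!admin.EditRoles)
    {
        throw new UnauthorizedAccessException("User not allowed to edit roles.");
    }

    var targetUser = new User()
    {
        UserId = roles.UserId,
        Name = roles.Name,
    };

    // Granting or revoking the admin-level roles (EditRoles, SuperAdmin) is reserved for super admins.
    // The requested flags are compared against the target's *current* roles, so a plain role editor may
    // still submit those flags as long as they are unchanged.
    var targetRoles = await userRepo.GetUserRoles(targetUser.UserId);
    var targetIsRoleEditor = targetRoles.Contains(AuthorizationAdminRoles.EditRoles);
    var targetIsSuperAdmin = targetRoles.Contains(AuthorizationAdminRoles.SuperAdmin);

    if (roles.EditRoles != targetIsRoleEditor && !admin.SuperAdmin)
    {
        throw new UnauthorizedAccessException("User not allowed to change EditRoles permissions on another user, must be a Super Admin.");
    }
    if (roles.SuperAdmin != targetIsSuperAdmin && !admin.SuperAdmin)
    {
        throw new UnauthorizedAccessException("User not allowed to change SuperAdmin permissions on another user, must be a Super Admin.");
    }

    await userRepo.UpdateUser(targetUser, roles.GetRoleValues());
}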
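/// <summary>
/// This method verifies that the Contributor permission has been granted on sufficient scopes to retrieve the key vaults.
/// Scopes are checked top-down: an assignment at the subscription scope is taken to cover every resource group and
/// vault beneath it, an assignment at a resource group covers every vault in that group, and otherwise each requested
/// vault is checked individually. Any scope still lacking access is collected and reported before <c>Exit</c> is called.
/// </summary>
/// <param name="vaultList">The data obtained from deserializing json file</param>
/// <param name="azureClient">The IAzure client used to access role assignments</param>
public void checkAccess(JsonInput vaultList, Microsoft.Azure.Management.Fluent.Azure.IAuthenticated azureClient)
{
    log.Info("Verifying access to Vaults...");
    var accessNeeded = new List<string>();
    IRoleAssignments accessControl = azureClient.RoleAssignments;

    foreach (Resource res in vaultList.Resources)
    {
        try
        {
            string subsPath = Constants.SUBS_PATH + res.SubscriptionId;
            // A single listing per subscription, grouped by exact scope string. The narrower resource-group and
            // vault lookups below rely on this listing including assignments made beneath subsPath.
            var roleAssignments = accessControl.ListByScope(subsPath).ToLookup(r => r.Inner.Scope);

            if (roleAssignments[subsPath].Any())
            {
                // Subscription-level access satisfies every resource group and vault under it.
                continue;
            }

            if (res.ResourceGroups.Count == 0)
            {
                // The whole subscription was requested; only subscription-level access can satisfy that.
                accessNeeded.Add(subsPath);
                continue;
            }

            foreach (ResourceGroup resGroup in res.ResourceGroups)
            {
                string resGroupPath = subsPath + Constants.RESGROUP_PATH + resGroup.ResourceGroupName;
                if (roleAssignments[resGroupPath].Any())
                {
                    continue;
                }

                if (resGroup.KeyVaults.Count == 0)
                {
                    // The whole resource group was requested; report the narrowest scope that would grant it,
                    // matching how individual vaults are reported below.
                    accessNeeded.Add(resGroupPath);
                    continue;
                }

                foreach (string vaultName in resGroup.KeyVaults)
                {
                    string vaultPath = resGroupPath + Constants.VAULT_PATH + vaultName;
                    if (!roleAssignments[vaultPath].Any())
                    {
                        accessNeeded.Add(vaultPath);
                    }
                }
            }
        }
        catch (CloudException e)
        {
            // Listing role assignments fails for an unknown or inaccessible subscription; treat it as fatal.
            log.Error("SubscriptionNotFound");
            log.Debug($"{e.Message}. Please verify that your SubscriptionId is valid.");
            Exit(e.Message);
        }
    }

    if (accessNeeded.Count > 0)
    {
        log.Error("AuthorizationFail");
        log.Debug($"Contributor access is needed on the following scope(s): \n{string.Join("\n", accessNeeded)}. \nEnsure that your ResourceGroup and KeyVault names are spelled correctly " +
            $"before proceeding. \nNote that if you are retrieving specific KeyVaults, your AAD must be granted access at either the KeyVault, ResourceGroup, Subscription level. " +
            $"If you are retrieving all of the KeyVaults from a ResourceGroup, your AAD must be granted access at either the ResourceGroup or Subscription level. " +
            $"If you are retrieving all of the KeyVaults from a SubscriptionId, your AAD must be granted access at the Subscription level. " +
            $"Refer to the 'Granting Access to the AAD Application' section for more information on granting this access: https://github.com/microsoft/Managing-RBAC-in-Azure/blob/master/README.md");
        Exit($"Contributor access is needed on the following scope(s): \n{string.Join("\n", accessNeeded)}");
    }

    log.Info("Access verified!");
}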