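        /// <summary>
        /// Resolves the role assignment selected by the current parameter set and returns its name.
        /// As a side effect, friendly identifiers are normalized to ids on the cmdlet properties:
        /// <see cref="RoleDefinitionId"/> is filled from <see cref="RoleDefinitionName"/>, and
        /// <see cref="ObjectId"/> from <see cref="SignInName"/> or <see cref="ApplicationId"/>,
        /// so the final lookup always compares ids.
        /// </summary>
        /// <returns>The name of the role assignment matching the resolved principal and role definition.</returns>
        /// <exception cref="ArgumentException">
        /// The role definition, user or application named by the parameters does not exist.
        /// </exception>
        /// <exception cref="InvalidOperationException">
        /// No assignment of the resolved role definition to the resolved principal exists at <see cref="Scope"/>.
        /// </exception>
        private string GetRoleAssignmentNameFromFilterParameters()
        {
            // convert definition name to id
            if (ParameterSetName == ParameterSet.DefinitionNameApplicationId ||
                ParameterSetName == ParameterSet.DefinitionNameObjectId ||
                ParameterSetName == ParameterSet.DefinitionNameSignInName)
            {
                var definition = Track2DataClient.GetHsmRoleDefinitions(HsmName, Scope)
                                 .FirstOrDefault(x => string.Equals(x.RoleName, RoleDefinitionName, StringComparison.OrdinalIgnoreCase));
                if (definition == null)
                {
                    throw new ArgumentException(string.Format(Resources.RoleDefinitionNotFound, RoleDefinitionName));
                }
                RoleDefinitionId = definition.Id;
            }

            // convert user sign in name to object id
            if (ParameterSetName == ParameterSet.DefinitionIdSignInName ||
                ParameterSetName == ParameterSet.DefinitionNameSignInName)
            {
                var filter = new ADObjectFilterOptions()
                {
                    UPN = SignInName
                };
                var user = ActiveDirectoryClient.FilterUsers(filter).FirstOrDefault();
                if (user == null)
                {
                    throw new ArgumentException(string.Format(Resources.UserNotFoundBy, SignInName));
                }
                ObjectId = user.Id.ToString();
            }

            // convert service principal app id to object id
            if (ParameterSetName == ParameterSet.DefinitionIdApplicationId ||
                ParameterSetName == ParameterSet.DefinitionNameApplicationId)
            {
                var odataQuery = new Rest.Azure.OData.ODataQuery <Application>(s => string.Equals(s.AppId, ApplicationId, StringComparison.OrdinalIgnoreCase));
                var app        = ActiveDirectoryClient.GetApplicationWithFilters(odataQuery).FirstOrDefault();
                if (app == null)
                {
                    throw new ArgumentException(string.Format(Resources.ApplicationNotFoundBy, ApplicationId));
                }
                ObjectId = app.ObjectId.ToString();
            }

            // PrincipalId is presumably a directory object id (GUID) and RoleDefinitionId a resource id;
            // neither is case-significant, and GetAssignmentDetails already matches definition ids
            // case-insensitively, so use the same comparison here instead of the ordinal default.
            var roleAssignment = Track2DataClient.GetHsmRoleAssignments(HsmName, Scope)
                                 .FirstOrDefault(assignment =>
                                     string.Equals(assignment.PrincipalId, ObjectId, StringComparison.OrdinalIgnoreCase) &&
                                     string.Equals(assignment.RoleDefinitionId, RoleDefinitionId, StringComparison.OrdinalIgnoreCase));

            if (roleAssignment == null)
            {
                // A specific exception type; it still derives from Exception, so existing catch-all handlers match.
                throw new InvalidOperationException(Resources.RoleAssignmentNotFound);
            }

            return roleAssignment.Name;
        }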
        /// <summary>
        /// Creates a role assignment on the managed HSM for the principal and role definition selected by the
        /// current parameter set. Friendly identifiers (role definition name, user sign-in name, application id)
        /// are first resolved to ids through Microsoft Graph; the assignment is then created after ShouldProcess
        /// confirmation, enriched with display details and written to the pipeline.
        /// </summary>
        /// <exception cref="ArgumentException">The named role definition, user or service principal was not found.</exception>
        public override void ExecuteCmdlet()
        {
            MSGraphMessageHelper.WriteMessageForCmdletsSwallowException(this);

            bool definitionGivenByName = ParameterSetName == ParameterSet.DefinitionNameApplicationId
                                      || ParameterSetName == ParameterSet.DefinitionNameObjectId
                                      || ParameterSetName == ParameterSet.DefinitionNameSignInName;
            bool principalGivenBySignInName = ParameterSetName == ParameterSet.DefinitionIdSignInName
                                           || ParameterSetName == ParameterSet.DefinitionNameSignInName;
            bool principalGivenByAppId = ParameterSetName == ParameterSet.DefinitionIdApplicationId
                                      || ParameterSetName == ParameterSet.DefinitionNameApplicationId;

            if (definitionGivenByName)
            {
                ResolveRoleDefinitionId();
            }
            if (principalGivenBySignInName)
            {
                ResolveUserObjectId();
            }
            if (principalGivenByAppId)
            {
                ResolveServicePrincipalObjectId();
            }

            string confirmMessage = string.Format(
                Resources.AssignRole,
                RoleDefinitionName ?? RoleDefinitionId,
                SignInName ?? ApplicationId ?? ObjectId,
                Scope);

            base.ConfirmAction(confirmMessage, HsmName, () =>
            {
                PSKeyVaultRoleAssignment created = Track2DataClient.CreateHsmRoleAssignment(HsmName, Scope, RoleDefinitionId, ObjectId);
                GetAssignmentDetails(created, HsmName, Scope);
                WriteObject(created);
            });

            // Looks the role definition up by display name (case-insensitive) and stores its id.
            void ResolveRoleDefinitionId()
            {
                var match = Track2DataClient.GetHsmRoleDefinitions(HsmName, Scope)
                            .FirstOrDefault(d => string.Equals(d.RoleName, RoleDefinitionName, StringComparison.OrdinalIgnoreCase));
                if (match == null)
                {
                    throw new ArgumentException(string.Format(Resources.RoleDefinitionNotFound, RoleDefinitionName));
                }
                RoleDefinitionId = match.Id;
            }

            // Resolves the user's sign-in name to its directory object id via Graph.
            void ResolveUserObjectId()
            {
                var user = GraphClient.Users.GetUser(SignInName);
                if (user == null)
                {
                    throw new ArgumentException(string.Format(Resources.UserNotFoundBy, SignInName));
                }
                ObjectId = user.Id;
            }

            // Resolves the application (client) id to the service principal's directory object id.
            void ResolveServicePrincipalObjectId()
            {
                // can't use string.Equals() here as it will result in incorrect filter string
                string filter = ODataHelper.FormatFilterString <MicrosoftGraphServicePrincipal>(s => s.AppId == ApplicationId);
                var servicePrincipal = GraphClient.ServicePrincipals.ListServicePrincipal(filter: filter).Value.SingleOrDefault();
                if (servicePrincipal == null)
                {
                    throw new ArgumentException(string.Format(Resources.ApplicationNotFoundBy, ApplicationId));
                }
                ObjectId = servicePrincipal.Id;
            }
        }
        /// <summary>
        /// Creates a role assignment on the managed HSM for the principal and role definition selected by the
        /// current parameter set. Friendly identifiers (role definition name, user sign-in name, application id)
        /// are first resolved to ids through the Azure AD client; the assignment is then created after
        /// ShouldProcess confirmation, enriched with display details and written to the pipeline.
        /// </summary>
        /// <exception cref="ArgumentException">The named role definition, user or application was not found.</exception>
        public override void ExecuteCmdlet()
        {
            bool definitionGivenByName = ParameterSetName == ParameterSet.DefinitionNameApplicationId
                                      || ParameterSetName == ParameterSet.DefinitionNameObjectId
                                      || ParameterSetName == ParameterSet.DefinitionNameSignInName;
            bool principalGivenBySignInName = ParameterSetName == ParameterSet.DefinitionIdSignInName
                                           || ParameterSetName == ParameterSet.DefinitionNameSignInName;
            bool principalGivenByAppId = ParameterSetName == ParameterSet.DefinitionIdApplicationId
                                      || ParameterSetName == ParameterSet.DefinitionNameApplicationId;

            if (definitionGivenByName)
            {
                ResolveRoleDefinitionId();
            }
            if (principalGivenBySignInName)
            {
                ResolveUserObjectId();
            }
            if (principalGivenByAppId)
            {
                ResolveApplicationObjectId();
            }

            string confirmMessage = string.Format(
                Resources.AssignRole,
                RoleDefinitionName ?? RoleDefinitionId,
                SignInName ?? ApplicationId ?? ObjectId,
                Scope);

            base.ConfirmAction(confirmMessage, HsmName, () =>
            {
                PSKeyVaultRoleAssignment created = Track2DataClient.CreateHsmRoleAssignment(HsmName, Scope, RoleDefinitionId, ObjectId);
                GetAssignmentDetails(created, HsmName, Scope);
                WriteObject(created);
            });

            // Looks the role definition up by display name (case-insensitive) and stores its id.
            void ResolveRoleDefinitionId()
            {
                var match = Track2DataClient.GetHsmRoleDefinitions(HsmName, Scope)
                            .FirstOrDefault(d => string.Equals(d.RoleName, RoleDefinitionName, StringComparison.OrdinalIgnoreCase));
                if (match == null)
                {
                    throw new ArgumentException(string.Format(Resources.RoleDefinitionNotFound, RoleDefinitionName));
                }
                RoleDefinitionId = match.Id;
            }

            // Resolves the user's sign-in name (UPN) to its directory object id.
            void ResolveUserObjectId()
            {
                var upnFilter = new ADObjectFilterOptions { UPN = SignInName };
                var user = ActiveDirectoryClient.FilterUsers(upnFilter).FirstOrDefault();
                if (user == null)
                {
                    throw new ArgumentException(string.Format(Resources.UserNotFoundBy, SignInName));
                }
                ObjectId = user.Id.ToString();
            }

            // Resolves the application (client) id to the application's directory object id.
            void ResolveApplicationObjectId()
            {
                var query = new Rest.Azure.OData.ODataQuery <Application>(s => string.Equals(s.AppId, ApplicationId, StringComparison.OrdinalIgnoreCase));
                var app = ActiveDirectoryClient.GetApplicationWithFilters(query).FirstOrDefault();
                if (app == null)
                {
                    throw new ArgumentException(string.Format(Resources.ApplicationNotFoundBy, ApplicationId));
                }
                ObjectId = app.ObjectId.ToString();
            }
        }
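        /// <summary>
        /// Resolves the role assignment selected by the current parameter set and returns its name.
        /// As a side effect, friendly identifiers are normalized to ids on the cmdlet properties:
        /// <see cref="RoleDefinitionId"/> is filled from <see cref="RoleDefinitionName"/>, and
        /// <see cref="ObjectId"/> from <see cref="SignInName"/> or <see cref="ApplicationId"/>
        /// (looked up through Microsoft Graph), so the final lookup always compares ids.
        /// </summary>
        /// <returns>The name of the role assignment matching the resolved principal and role definition.</returns>
        /// <exception cref="ArgumentException">
        /// The role definition, user or service principal named by the parameters does not exist.
        /// </exception>
        /// <exception cref="InvalidOperationException">
        /// No assignment of the resolved role definition to the resolved principal exists at <see cref="Scope"/>.
        /// </exception>
        private string GetRoleAssignmentNameFromFilterParameters()
        {
            // convert definition name to id
            if (ParameterSetName == ParameterSet.DefinitionNameApplicationId ||
                ParameterSetName == ParameterSet.DefinitionNameObjectId ||
                ParameterSetName == ParameterSet.DefinitionNameSignInName)
            {
                var definition = Track2DataClient.GetHsmRoleDefinitions(HsmName, Scope)
                                 .FirstOrDefault(x => string.Equals(x.RoleName, RoleDefinitionName, StringComparison.OrdinalIgnoreCase));
                if (definition == null)
                {
                    throw new ArgumentException(string.Format(Resources.RoleDefinitionNotFound, RoleDefinitionName));
                }
                RoleDefinitionId = definition.Id;
            }

            // convert user sign in name to object id
            if (ParameterSetName == ParameterSet.DefinitionIdSignInName ||
                ParameterSetName == ParameterSet.DefinitionNameSignInName)
            {
                var user = GraphClient.Users.GetUser(SignInName);
                if (user == null)
                {
                    throw new ArgumentException(string.Format(Resources.UserNotFoundBy, SignInName));
                }
                ObjectId = user.Id;
            }

            // convert service principal app id to object id
            if (ParameterSetName == ParameterSet.DefinitionIdApplicationId ||
                ParameterSetName == ParameterSet.DefinitionNameApplicationId)
            {
                // can't use string.Equals() here as it will result in incorrect filter string
                string filter           = ODataHelper.FormatFilterString <MicrosoftGraphServicePrincipal>(s => s.AppId == ApplicationId);
                var    servicePrincipal = GraphClient.ServicePrincipals.ListServicePrincipal(filter: filter).Value.SingleOrDefault();
                if (servicePrincipal == null)
                {
                    throw new ArgumentException(string.Format(Resources.ApplicationNotFoundBy, ApplicationId));
                }
                ObjectId = servicePrincipal.Id;
            }

            // PrincipalId is presumably a directory object id (GUID) and RoleDefinitionId a resource id;
            // neither is case-significant, and GetAssignmentDetails already matches definition ids
            // case-insensitively, so use the same comparison here instead of the ordinal default.
            var roleAssignment = Track2DataClient.GetHsmRoleAssignments(HsmName, Scope)
                                 .FirstOrDefault(assignment =>
                                     string.Equals(assignment.PrincipalId, ObjectId, StringComparison.OrdinalIgnoreCase) &&
                                     string.Equals(assignment.RoleDefinitionId, RoleDefinitionId, StringComparison.OrdinalIgnoreCase));

            if (roleAssignment == null)
            {
                // A specific exception type; it still derives from Exception, so existing catch-all handlers match.
                throw new InvalidOperationException(Resources.RoleAssignmentNotFound);
            }

            return roleAssignment.Name;
        }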
        /// <summary>
        /// Requests <see cref="Count"/> random bytes from the managed HSM and writes them to the pipeline,
        /// as one base64 string when -AsBase64String is given, otherwise as the enumerated bytes.
        /// </summary>
        public override void ExecuteCmdlet()
        {
            NormalizeKeySourceParameters();
            var randomBytes = Track2DataClient.GetManagedHsmRandomNumber(HsmName, Count);

            if (!AsBase64String.IsPresent)
            {
                // enumerateCollection = true: each byte becomes its own pipeline object
                WriteObject(randomBytes, true);
                return;
            }

            WriteObject(Convert.ToBase64String(randomBytes));
        }
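        /// <summary>
        /// Get details of the role assignment -- principal name, role definition name, etc.,
        /// and assign them back in the role assignment object.
        /// </summary>
        /// <param name="assignment">Role assignment to enrich in place; must not be null.</param>
        /// <param name="hsmName">Name of the managed HSM the assignment belongs to.</param>
        /// <param name="scope">Scope at which the role definitions are listed.</param>
        /// <exception cref="ArgumentNullException"><paramref name="assignment"/> is null.</exception>
        protected void GetAssignmentDetails(PSKeyVaultRoleAssignment assignment, string hsmName, string scope)
        {
            // Fail with a clear argument error instead of a NullReferenceException below.
            if (assignment == null)
            {
                throw new ArgumentNullException(nameof(assignment));
            }

            // get all role definition
            var definitions = Track2DataClient.GetHsmRoleDefinitions(hsmName, scope);

            // get info about assignee
            var assignee = ModelExtensions.GetDetailsFromADObjectId(assignment.PrincipalId, GraphClient);

            (assignment.DisplayName, assignment.ObjectType) = assignee;

            // traverse role definitions to find the correct one; RoleDefinitionName stays null when none matches
            assignment.RoleDefinitionName = definitions
                                            .FirstOrDefault(definition => string.Equals(definition.Id, assignment.RoleDefinitionId, StringComparison.OrdinalIgnoreCase))
                                            ?.RoleName;
        }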
        /// <summary>
        /// Writes the role definitions available at <see cref="Scope"/> on the managed HSM, or only the one
        /// whose role name equals <see cref="RoleDefinitionName"/> (case-insensitive) in the by-name parameter set.
        /// </summary>
        public override void ExecuteCmdlet()
        {
            var definitions = Track2DataClient.GetHsmRoleDefinitions(HsmName, Scope);

            if (ParameterSetName == InteractiveCreateParameterSet)
            {
                WriteObject(definitions, enumerateCollection: true);
            }
            else if (ParameterSetName == ByNameParameterSet)
            {
                // null is written when no definition carries the requested name
                var byName = definitions.FirstOrDefault(d => string.Equals(RoleDefinitionName, d.RoleName, StringComparison.OrdinalIgnoreCase));
                WriteObject(byName);
            }
            // any other parameter set produces no output
        }
 /// <summary>
 /// Performs a full backup of the managed HSM <see cref="Name"/> into <see cref="StorageContainerUri"/>
 /// after ShouldProcess confirmation, and writes the URI of the created backup folder to the pipeline.
 /// </summary>
 public override void DoExecuteCmdlet()
 {
     string actionMessage = string.Format(Resources.DoFullBackup, StorageContainerUri);

     ConfirmAction(actionMessage, Name, () =>
     {
         try
         {
             // SasToken is presumably a SecureString; ConvertToString() unwraps it for this call — confirm
             var backupFolder = Track2DataClient.BackupHsm(Name, StorageContainerUri, SasToken.ConvertToString());
             WriteObject(backupFolder.AbsoluteUri);
         }
         catch (Exception ex)
         {
             // Any failure is surfaced as one localized message with the original as InnerException.
             throw new Exception(string.Format(Resources.FullBackupFailed, Name), ex);
         }
     });
 }
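        /// <summary>
        /// Removes a role definition from the managed HSM, resolving it by <see cref="RoleName"/> in the by-name
        /// parameter set or taking it from <see cref="InputObject"/>. Refuses (with a warning) when the name is
        /// ambiguous. Writes a boolean result to the pipeline when -PassThru is set.
        /// </summary>
        /// <exception cref="AzPSArgumentException">No role definition named <see cref="RoleName"/> exists at <see cref="Scope"/>.</exception>
        public override void ExecuteCmdlet()
        {
            if (ParameterSetName == ByNameParameterSet)
            {
                // Materialize once: a deferred query would be re-filtered (and possibly re-fetched)
                // on every Count/Any/First call. The name match is deliberately case-sensitive —
                // for a destructive operation an exact match is the safer default.
                var roles = Track2DataClient.GetHsmRoleDefinitions(HsmName, Scope)
                            .Where(r => r.RoleName == RoleName)
                            .ToList();

                if (roles.Count > 1)
                {
                    WriteWarning($"There are more than 1 role definitions with the name {RoleName}. Please use `-InputObject` instead to specify which role to remove.");
                    if (PassThru)
                    {
                        WriteObject(false);
                    }
                    return;
                }

                if (roles.Count == 0)
                {
                    throw new AzPSArgumentException(
                              $"Could not find any role definition matching the name {RoleName} at scope {Scope}",
                              nameof(RoleName));
                }

                InputObject = roles[0];
            }
            // InputObjectParameterSet: InputObject was supplied by the caller and is used as-is.

            ConfirmAction(
                Force,
                $"Removing role definition {InputObject.Name} (RoleName: \"{InputObject.RoleName}\")",
                "Removing role definition",
                InputObject.Name,
                () =>
            {
                Track2DataClient.RemoveHsmRoleDefinition(HsmName, Scope, InputObject.Name);
            });

            if (PassThru)
            {
                WriteObject(true);
            }
        }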
 /// <summary>
 /// Restores the managed HSM <see cref="Name"/> from backup folder <see cref="BackupFolder"/> under
 /// <see cref="StorageContainerUri"/> after ShouldProcess confirmation. Writes true when -PassThru is set.
 /// </summary>
 public override void DoExecuteCmdlet()
 {
     string actionMessage = string.Format(Resources.DoFullRestore, StorageContainerUri);

     ConfirmAction(actionMessage, Name, () =>
     {
         try
         {
             // SasToken is presumably a SecureString; ConvertToString() unwraps it for this call — confirm
             Track2DataClient.RestoreHsm(Name, StorageContainerUri, SasToken.ConvertToString(), BackupFolder);
         }
         catch (Exception ex)
         {
             // Any failure is surfaced as one localized message with the original as InnerException.
             throw new Exception(string.Format(Resources.FullRestoreFailed, Name), ex);
         }

         if (!PassThru)
         {
             return;
         }
         WriteObject(true);
     });
 }
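        /// <summary>
        /// Normalizes the cmdlet's parameters so that <see cref="Name"/>, <see cref="VaultName"/> and
        /// <see cref="KeyRotationPolicy"/> are populated regardless of which parameter set was used:
        /// the policy is read from a file, or built from the expanded properties with unspecified
        /// properties taken from the key's current policy.
        /// </summary>
        /// <exception cref="NotImplementedException">The key input object belongs to a managed HSM.</exception>
        internal void NormalizeParameterSets()
        {
            if (null != InputObject)
            {
                Name = InputObject.Name;

                if (InputObject.IsHsm)
                {
                    throw new NotImplementedException("Updating key rotation policy on managed HSM is not supported yet");
                }

                VaultName = InputObject.VaultName;
            }

            switch (this.ParameterSetName)
            {
            case SetByRotationPolicyFileViaVaultName:
            case SetByRotationPolicyFileViaKeyInputObject:
                KeyRotationPolicy = ConstructKeyRotationPolicyFromFile(PolicyPath);
                break;

            case SetByExpandedPropertiesViaVaultName:
            case SetByExpandedPropertiesViaKeyInputObject:
                // Fetch the current policy at most once, and only when a property was left unspecified.
                // GetKeyRotationPolicy may return null (elsewhere its result is coalesced with a fresh
                // policy), so the existing values are read with ?. instead of being dereferenced blindly.
                PSKeyRotationPolicy current = null;
                if (ExpiresIn == null || KeyRotationLifetimeAction == null)
                {
                    current = Track2DataClient.GetKeyRotationPolicy(VaultName, Name);
                }

                KeyRotationPolicy = new PSKeyRotationPolicy()
                {
                    VaultName       = VaultName,
                    KeyName         = Name,
                    ExpiresIn       = ExpiresIn ?? current?.ExpiresIn,
                    LifetimeActions = KeyRotationLifetimeAction ?? current?.LifetimeActions
                };
                break;

            default:
                // do nothing
                break;
            }
        }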
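        /// <summary>
        /// Normalizes the cmdlet's parameters: fills <see cref="Name"/> and <see cref="VaultName"/> from the key
        /// input object and, unless a complete policy object was supplied, starts from the key's current
        /// rotation policy and overrides only the parameters that were explicitly bound.
        /// </summary>
        /// <exception cref="NotImplementedException">The key input object belongs to a managed HSM.</exception>
        internal override void NormalizeParameterSets()
        {
            if (null != InputObject)
            {
                Name = InputObject.Name;

                if (InputObject.IsHsm)
                {
                    throw new NotImplementedException("Updating key rotation policy on managed HSM is not supported yet");
                }

                VaultName = InputObject.VaultName;
            }

            if (this.ParameterSetName.Equals(ByKeyRotationPolicyInputObjectParameterSet))
            {
                // The caller supplied the whole policy object; nothing to merge.
                return;
            }

            // Only update specified parameter, others keep same.
            // GetKeyRotationPolicy may return null (no policy yet), in which case an empty policy is the base.
            KeyRotationPolicy = Track2DataClient.GetKeyRotationPolicy(VaultName, Name) ??
                                new PSKeyRotationPolicy()
            {
                VaultName       = VaultName,
                KeyName         = Name,
                ExpiresIn       = null,
                LifetimeActions = null
            };

            // Keyed on *bound* parameters rather than on null checks — presumably so an explicitly passed
            // value is honored even when it equals the default; nameof keeps the keys in sync with the
            // parameter names under rename.
            if (MyInvocation.BoundParameters.ContainsKey(nameof(ExpiresIn)))
            {
                KeyRotationPolicy.ExpiresIn = ExpiresIn;
            }

            if (MyInvocation.BoundParameters.ContainsKey(nameof(KeyRotationLifetimeAction)))
            {
                KeyRotationPolicy.LifetimeActions = KeyRotationLifetimeAction;
            }
        }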