public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
{
List<PSRoleDefinition> roleDefinitions = null;
try
{
roleDefinitions = new List<PSRoleDefinition> { policyClient.GetRoleDefinition(assignment.Properties.RoleDefinitionId) };
}
catch (CloudException ce)
{
if (ce.Response.StatusCode == HttpStatusCode.Unauthorized)
{
//Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments
roleDefinitions = new List<PSRoleDefinition>();
}
else
{
throw;
}
}
IEnumerable<RoleAssignment> assignments = new List<RoleAssignment> { assignment };
return assignments.ToPSRoleAssignments(roleDefinitions, policyClient, activeDirectoryClient, excludeAssignmentsForDeletedPrincipals).SingleOrDefault();
}
/// <summary>
/// Create a new vault
/// </summary>
/// <param name="parameters">vault creation parameters</param>
/// <param name="adClient">the active directory client</param>
/// <returns></returns>
public PSVault CreateNewVault(VaultCreationParameters parameters, ActiveDirectoryClient adClient = null)
{
if (parameters == null)
throw new ArgumentNullException("parameters");
if (string.IsNullOrWhiteSpace(parameters.VaultName))
throw new ArgumentNullException("parameters.VaultName");
if (string.IsNullOrWhiteSpace(parameters.ResourceGroupName))
throw new ArgumentNullException("parameters.ResourceGroupName");
if (string.IsNullOrWhiteSpace(parameters.Location))
throw new ArgumentNullException("parameters.Location");
if (string.IsNullOrWhiteSpace(parameters.SkuName))
throw new ArgumentNullException("parameters.SkuName");
if (string.IsNullOrWhiteSpace(parameters.SkuFamilyName))
throw new ArgumentNullException("parameters.SkuFamilyName");
if (parameters.TenantId == null || parameters.TenantId == Guid.Empty)
throw new ArgumentException("parameters.TenantId");
if (parameters.ObjectId == null || parameters.ObjectId == Guid.Empty)
throw new ArgumentException("parameters.ObjectId");
var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate(
resourceGroupName: parameters.ResourceGroupName,
vaultName: parameters.VaultName,
parameters: new VaultCreateOrUpdateParameters()
{
Location = parameters.Location,
Tags = TagsConversionHelper.CreateTagDictionary(parameters.Tags, validate: true),
Properties = new VaultProperties
{
Sku = new Sku
{
Family = parameters.SkuFamilyName,
Name = parameters.SkuName
},
EnabledForDeployment = parameters.EnabledForDeployment,
EnabledForTemplateDeployment = parameters.EnabledForTemplateDeployment,
EnabledForDiskEncryption = parameters.EnabledForDiskEncryption,
TenantId = parameters.TenantId,
VaultUri = "",
AccessPolicies = new []
{
new AccessPolicyEntry
{
TenantId = parameters.TenantId,
ObjectId = parameters.ObjectId,
PermissionsToKeys = parameters.PermissionsToKeys,
PermissionsToSecrets = parameters.PermissionsToSecrets
}
}
}
}
);
return new PSVault(response.Vault, adClient);
}
public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, string scopeForRoleDefinitions, bool excludeAssignmentsForDeletedPrincipals = true)
{
List<PSRoleDefinition> roleDefinitions = null;
try
{
roleDefinitions = policyClient.GetAllRoleDefinitionsAtScopeAndBelow(scopeForRoleDefinitions);
}
catch (CloudException ce)
{
if (ce.Response.StatusCode == HttpStatusCode.Unauthorized)
{
//Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments
roleDefinitions = new List<PSRoleDefinition>();
}
else
{
throw;
}
}
return assignments.ToPSRoleAssignments(roleDefinitions, policyClient, activeDirectoryClient, excludeAssignmentsForDeletedPrincipals);
}
/// <summary>
/// Creates PoliciesClient using WindowsAzureSubscription instance.
/// </summary>
/// <param name="subscription">The WindowsAzureSubscription instance</param>
public AuthorizationClient(AzureContext context)
{
ActiveDirectoryClient = new ActiveDirectoryClient(context);
AuthorizationManagementClient = AzureSession.ClientFactory.CreateClient<AuthorizationManagementClient>(context, AzureEnvironment.Endpoint.ResourceManager);
}
public static string GetDisplayNameForTenant(Guid id, ActiveDirectoryClient adClient)
{
return id.ToString();
}
public static string GetDisplayNameForADObject(Guid id, ActiveDirectoryClient adClient)
{
string displayName = "";
if (id == null || adClient == null || id == Guid.Empty)
return displayName;
else
{
string upnOrSpn = "";
var obj = adClient.GetADObject(new ADObjectFilterOptions()
{
Id = id.ToString(),
Paging = true,
});
if (obj != null)
{
displayName = obj.DisplayName;
if (obj is PSADUser)
upnOrSpn = ((PSADUser)obj).UserPrincipalName;
else if (obj is PSADServicePrincipal)
upnOrSpn = ((PSADServicePrincipal)obj).ServicePrincipalName;
}
return displayName + (!string.IsNullOrWhiteSpace(upnOrSpn) ? (" (" + upnOrSpn + ")") : "");
}
}
/// <summary>
/// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently.
/// </summary>
/// <param name="existingVault">the existing vault</param>
/// <param name="updatedPolicies">the update access policies</param>
/// <param name="updatedEnabledForDeployment">enabled for deployment</param>
/// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param>
/// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param>
/// <param name="adClient">the active directory client</param>
/// <returns>the updated vault</returns>
public PSVault UpdateVault(PSVault existingVault, PSVaultAccessPolicy[] updatedPolicies, bool updatedEnabledForDeployment,
bool? updatedEnabledForTemplateDeployment, bool? updatedEnabledForDiskEncryption, ActiveDirectoryClient adClient = null)
{
if (existingVault == null)
throw new ArgumentNullException("existingVault");
if (existingVault.OriginalVault == null)
throw new ArgumentNullException("existingVault.OriginalVault");
//Update the vault properties in the object received from server
//Only access policies and EnabledForDeployment can be changed
VaultProperties properties = existingVault.OriginalVault.Properties;
properties.EnabledForDeployment = updatedEnabledForDeployment;
properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment;
properties.EnabledForDiskEncryption = updatedEnabledForDiskEncryption;
properties.AccessPolicies = (updatedPolicies == null) ?
new List<AccessPolicyEntry>() :
updatedPolicies.Select(a => new AccessPolicyEntry()
{
TenantId = a.TenantId,
ObjectId = a.ObjectId,
ApplicationId = a.ApplicationId,
PermissionsToKeys = a.PermissionsToKeys.ToArray(),
PermissionsToSecrets = a.PermissionsToSecrets.ToArray()
}).ToList();
var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate(
resourceGroupName: existingVault.ResourceGroupName,
vaultName: existingVault.VaultName,
parameters: new VaultCreateOrUpdateParameters()
{
Location = existingVault.Location,
Properties = properties
}
);
return new PSVault(response.Vault, adClient);
}
/// <summary>
/// Get an existing vault. Returns null if vault is not found.
/// </summary>
/// <param name="vaultName">vault name</param>
/// <param name="resourceGroupName">resource group name</param>
/// <param name="adClient">the active directory client</param>
/// <returns>the retrieved vault</returns>
public PSVault GetVault(string vaultName, string resourceGroupName, ActiveDirectoryClient adClient = null)
{
if (string.IsNullOrWhiteSpace(vaultName))
throw new ArgumentNullException("vaultName");
if (string.IsNullOrWhiteSpace(resourceGroupName))
throw new ArgumentNullException("resourceGroupName");
try
{
var response = this.KeyVaultManagementClient.Vaults.Get(resourceGroupName, vaultName);
return new PSVault(response.Vault, adClient);
}
catch(CloudException ce)
{
if (ce.Response.StatusCode == HttpStatusCode.NotFound)
return null;
else
throw;
}
}
public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
{
List<PSRoleAssignment> psAssignments = new List<PSRoleAssignment>();
if(assignments ==null || !assignments.Any())
{
return psAssignments;
}
List<string> objectIds = new List<string>();
objectIds.AddRange(assignments.Select(r => r.Properties.PrincipalId.ToString()));
List<PSADObject> adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
List<PSRoleDefinition> roleDefinitions;
if (assignments.Count() == 1)
{
roleDefinitions = new List<PSRoleDefinition> { policyClient.GetRoleDefinition(assignments.Single().Properties.RoleDefinitionId) };
}
else
{
roleDefinitions = policyClient.GetRoleDefinitions();
}
foreach (RoleAssignment assignment in assignments)
{
assignment.Properties.RoleDefinitionId = assignment.Properties.RoleDefinitionId.GuidFromFullyQualifiedId();
PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.Properties.PrincipalId) ?? new PSADObject() { Id = assignment.Properties.PrincipalId };
PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.Properties.RoleDefinitionId) ?? new PSRoleDefinition() { Id = assignment.Properties.RoleDefinitionId };
if (adObject is PSADUser)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
SignInName = ((PSADUser)adObject).SignInName,
ObjectId = adObject.Id,
ObjectType = adObject.Type
});
}
else if (adObject is PSADGroup)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = adObject.Id,
ObjectType = adObject.Type
});
}
else if (adObject is PSADServicePrincipal)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = adObject.Id,
ObjectType = adObject.Type
});
}
else if (!excludeAssignmentsForDeletedPrincipals)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = adObject.Id,
});
}
// Ignore the assignment if principal does not exists and excludeAssignmentsForDeletedPrincipals is set to true
}
return psAssignments;
}
public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment role, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient)
{
PSRoleDefinition roleDefinition = policyClient.GetRoleDefinition(role.Properties.RoleDefinitionId);
PSADObject adObject = activeDirectoryClient.GetADObject(new ADObjectFilterOptions { Id = role.Properties.PrincipalId.ToString() }) ?? new PSADObject() { Id = role.Properties.PrincipalId };
if (adObject is PSADUser)
{
return new PSUserRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
UserPrincipalName = ((PSADUser)adObject).UserPrincipalName,
Mail = ((PSADUser)adObject).Mail,
ObjectId = adObject.Id
};
}
else if (adObject is PSADGroup)
{
return new PSGroupRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
Mail = ((PSADGroup)adObject).Mail,
ObjectId = adObject.Id
};
}
else if (adObject is PSADServicePrincipal)
{
return new PSServiceRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
ServicePrincipalName = ((PSADServicePrincipal)adObject).ServicePrincipalName,
ObjectId = adObject.Id
};
}
else
{
return new PSRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
ObjectId = adObject.Id
};
}
}