public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment assignment, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
        {
            List<PSRoleDefinition> roleDefinitions = null;

            try
            {
                roleDefinitions = new List<PSRoleDefinition> { policyClient.GetRoleDefinition(assignment.Properties.RoleDefinitionId) };
            }
            catch (CloudException ce)
            {
                if (ce.Response.StatusCode == HttpStatusCode.Unauthorized)
                {
                    //Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments
                    roleDefinitions = new List<PSRoleDefinition>();
                }
                else
                {
                    throw;
                }
            }

            IEnumerable<RoleAssignment> assignments = new List<RoleAssignment> { assignment };

            return assignments.ToPSRoleAssignments(roleDefinitions, policyClient, activeDirectoryClient, excludeAssignmentsForDeletedPrincipals).SingleOrDefault();
        }
        /// <summary>
        /// Create a new vault
        /// </summary>
        /// <param name="parameters">vault creation parameters</param>
        /// <param name="adClient">the active directory client</param>
        /// <returns></returns>
        public PSVault CreateNewVault(VaultCreationParameters parameters, ActiveDirectoryClient adClient = null)
        {            
            if (parameters == null)
                throw new ArgumentNullException("parameters");
            if (string.IsNullOrWhiteSpace(parameters.VaultName))
                throw new ArgumentNullException("parameters.VaultName");
            if (string.IsNullOrWhiteSpace(parameters.ResourceGroupName))
                throw new ArgumentNullException("parameters.ResourceGroupName");
            if (string.IsNullOrWhiteSpace(parameters.Location))
                throw new ArgumentNullException("parameters.Location");
            if (string.IsNullOrWhiteSpace(parameters.SkuName))
                throw new ArgumentNullException("parameters.SkuName");
            if (string.IsNullOrWhiteSpace(parameters.SkuFamilyName))
                throw new ArgumentNullException("parameters.SkuFamilyName");
            if (parameters.TenantId == null || parameters.TenantId == Guid.Empty)
                throw new ArgumentException("parameters.TenantId");
            if (parameters.ObjectId == null || parameters.ObjectId == Guid.Empty)
                throw new ArgumentException("parameters.ObjectId");
            
            var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate(
                resourceGroupName: parameters.ResourceGroupName,
                vaultName: parameters.VaultName,

                parameters: new VaultCreateOrUpdateParameters()
                {
                    Location = parameters.Location,
                    Tags = TagsConversionHelper.CreateTagDictionary(parameters.Tags, validate: true),
                    Properties = new VaultProperties
                    {
                        Sku = new Sku
                        {
                            Family = parameters.SkuFamilyName,
                            Name = parameters.SkuName
                        },
                        EnabledForDeployment = parameters.EnabledForDeployment,
                        EnabledForTemplateDeployment = parameters.EnabledForTemplateDeployment,
                        EnabledForDiskEncryption = parameters.EnabledForDiskEncryption,
                        TenantId = parameters.TenantId,
                        VaultUri = "",
                        AccessPolicies = new []
                        {
                            new AccessPolicyEntry
                            {
                                TenantId = parameters.TenantId,
                                ObjectId = parameters.ObjectId,
                                PermissionsToKeys = parameters.PermissionsToKeys,                                    
                                PermissionsToSecrets = parameters.PermissionsToSecrets
                            }
                        }
                    }
                }
                );

            return new PSVault(response.Vault, adClient);
        }
        public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, string scopeForRoleDefinitions, bool excludeAssignmentsForDeletedPrincipals = true)
        {
            List<PSRoleDefinition> roleDefinitions = null;

            try
            {
                roleDefinitions = policyClient.GetAllRoleDefinitionsAtScopeAndBelow(scopeForRoleDefinitions);
            }
            catch (CloudException ce)
            {
                if (ce.Response.StatusCode == HttpStatusCode.Unauthorized)
                {
                    //Swallow unauthorized errors on RoleDefinition when displaying RoleAssignments
                    roleDefinitions = new List<PSRoleDefinition>();
                }
                else
                {
                    throw;
                }
            }

            return assignments.ToPSRoleAssignments(roleDefinitions, policyClient, activeDirectoryClient, excludeAssignmentsForDeletedPrincipals);
        }
 /// <summary>
 /// Creates PoliciesClient using WindowsAzureSubscription instance.
 /// </summary>
 /// <param name="subscription">The WindowsAzureSubscription instance</param>
 public AuthorizationClient(AzureContext context)
 {
     ActiveDirectoryClient = new ActiveDirectoryClient(context);
     AuthorizationManagementClient = AzureSession.ClientFactory.CreateClient<AuthorizationManagementClient>(context, AzureEnvironment.Endpoint.ResourceManager);
 }
Пример #5
0
 public static string GetDisplayNameForTenant(Guid id, ActiveDirectoryClient adClient)
 {
     return id.ToString();
 }
Пример #6
0
        public static string GetDisplayNameForADObject(Guid id, ActiveDirectoryClient adClient)
        {
            string displayName = "";            

            if (id == null || adClient == null || id == Guid.Empty)
                return displayName;
            else
            {
                string upnOrSpn = "";

                var obj = adClient.GetADObject(new ADObjectFilterOptions()
                {
                    Id = id.ToString(),                    
                    Paging = true,
                });

                if (obj != null)
                {
                    displayName = obj.DisplayName;
                    if (obj is PSADUser)
                        upnOrSpn = ((PSADUser)obj).UserPrincipalName;
                    else if (obj is PSADServicePrincipal)
                        upnOrSpn = ((PSADServicePrincipal)obj).ServicePrincipalName;
                }

                return displayName + (!string.IsNullOrWhiteSpace(upnOrSpn) ? (" (" + upnOrSpn + ")") : "");
            }
        }
        /// <summary>
        /// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently.
        /// </summary>
        /// <param name="existingVault">the existing vault</param>
        /// <param name="updatedPolicies">the update access policies</param>
        /// <param name="updatedEnabledForDeployment">enabled for deployment</param>
        /// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param>
        /// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param>
        /// <param name="adClient">the active directory client</param>
        /// <returns>the updated vault</returns>
        public PSVault UpdateVault(PSVault existingVault, PSVaultAccessPolicy[] updatedPolicies, bool updatedEnabledForDeployment,
            bool? updatedEnabledForTemplateDeployment, bool? updatedEnabledForDiskEncryption, ActiveDirectoryClient adClient = null)
        {
            if (existingVault == null)
                throw new ArgumentNullException("existingVault");
            if (existingVault.OriginalVault == null)
                throw new ArgumentNullException("existingVault.OriginalVault");

            //Update the vault properties in the object received from server
            //Only access policies and EnabledForDeployment can be changed
            VaultProperties properties = existingVault.OriginalVault.Properties;
            properties.EnabledForDeployment = updatedEnabledForDeployment;
            properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment;
            properties.EnabledForDiskEncryption = updatedEnabledForDiskEncryption;
            properties.AccessPolicies = (updatedPolicies == null) ? 
                new List<AccessPolicyEntry>() :
                updatedPolicies.Select(a => new AccessPolicyEntry()
                        {
                            TenantId = a.TenantId,
                            ObjectId = a.ObjectId,
                            ApplicationId = a.ApplicationId,
                            PermissionsToKeys = a.PermissionsToKeys.ToArray(),
                            PermissionsToSecrets = a.PermissionsToSecrets.ToArray()
                        }).ToList();

            var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate(
                resourceGroupName: existingVault.ResourceGroupName,
                vaultName: existingVault.VaultName,                
                parameters: new VaultCreateOrUpdateParameters()
                {                                       
                    Location = existingVault.Location,
                    Properties = properties
                }
                );
            return new PSVault(response.Vault, adClient);
        }
        /// <summary>
        /// Get an existing vault. Returns null if vault is not found.
        /// </summary>
        /// <param name="vaultName">vault name</param>
        /// <param name="resourceGroupName">resource group name</param>
        /// <param name="adClient">the active directory client</param>
        /// <returns>the retrieved vault</returns>
        public PSVault GetVault(string vaultName, string resourceGroupName, ActiveDirectoryClient adClient = null)
        {
            if (string.IsNullOrWhiteSpace(vaultName))
                throw new ArgumentNullException("vaultName");
            if (string.IsNullOrWhiteSpace(resourceGroupName))
                throw new ArgumentNullException("resourceGroupName");

            try
            {
                var response = this.KeyVaultManagementClient.Vaults.Get(resourceGroupName, vaultName);

                return new PSVault(response.Vault, adClient);
            }
            catch(CloudException ce)
            {
                if (ce.Response.StatusCode == HttpStatusCode.NotFound)
                    return null;
                else
                    throw;
            }
        }
        public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
        {
            List<PSRoleAssignment> psAssignments = new List<PSRoleAssignment>();
            if(assignments ==null || !assignments.Any())
            {
                return psAssignments;
            }

            List<string> objectIds = new List<string>();
            objectIds.AddRange(assignments.Select(r => r.Properties.PrincipalId.ToString()));
            List<PSADObject> adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
            List<PSRoleDefinition> roleDefinitions;

            if (assignments.Count() == 1)
            {
                roleDefinitions = new List<PSRoleDefinition> { policyClient.GetRoleDefinition(assignments.Single().Properties.RoleDefinitionId) };
            }
            else
            {
                roleDefinitions = policyClient.GetRoleDefinitions();
            }

            foreach (RoleAssignment assignment in assignments)
            {
                assignment.Properties.RoleDefinitionId = assignment.Properties.RoleDefinitionId.GuidFromFullyQualifiedId();
                PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.Properties.PrincipalId) ?? new PSADObject() { Id = assignment.Properties.PrincipalId };
                PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.Properties.RoleDefinitionId) ?? new PSRoleDefinition() { Id = assignment.Properties.RoleDefinitionId };

                if (adObject is PSADUser)
                {
                    psAssignments.Add(new PSRoleAssignment()
                    {
                        RoleAssignmentId = assignment.Id,
                        DisplayName = adObject.DisplayName,
                        RoleDefinitionId = roleDefinition.Id,
                        RoleDefinitionName = roleDefinition.Name,
                        Scope = assignment.Properties.Scope,
                        SignInName = ((PSADUser)adObject).SignInName,
                        ObjectId = adObject.Id,
                        ObjectType = adObject.Type
                    });
                }
                else if (adObject is PSADGroup)
                {
                    psAssignments.Add(new PSRoleAssignment()
                    {
                        RoleAssignmentId = assignment.Id,
                        DisplayName = adObject.DisplayName,
                        RoleDefinitionId = roleDefinition.Id,
                        RoleDefinitionName = roleDefinition.Name,
                        Scope = assignment.Properties.Scope,
                        ObjectId = adObject.Id,
                        ObjectType = adObject.Type
                    });
                }
                else if (adObject is PSADServicePrincipal)
                {
                    psAssignments.Add(new PSRoleAssignment()
                    {
                        RoleAssignmentId = assignment.Id,
                        DisplayName = adObject.DisplayName,
                        RoleDefinitionId = roleDefinition.Id,
                        RoleDefinitionName = roleDefinition.Name,
                        Scope = assignment.Properties.Scope,
                        ObjectId = adObject.Id,
                        ObjectType = adObject.Type
                    });
                }
                else if (!excludeAssignmentsForDeletedPrincipals)
                {
                    psAssignments.Add(new PSRoleAssignment()
                    {
                        RoleAssignmentId = assignment.Id,
                        DisplayName = adObject.DisplayName,
                        RoleDefinitionId = roleDefinition.Id,
                        RoleDefinitionName = roleDefinition.Name,
                        Scope = assignment.Properties.Scope,
                        ObjectId = adObject.Id,
                    });
                }

                // Ignore the assignment if principal does not exists and excludeAssignmentsForDeletedPrincipals is set to true
            }

            return psAssignments;
        }
        public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment role, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient)
        {
            PSRoleDefinition roleDefinition = policyClient.GetRoleDefinition(role.Properties.RoleDefinitionId);
            PSADObject adObject = activeDirectoryClient.GetADObject(new ADObjectFilterOptions { Id = role.Properties.PrincipalId.ToString() }) ?? new PSADObject() { Id = role.Properties.PrincipalId };

            if (adObject is PSADUser)
            {
                return new PSUserRoleAssignment()
                {
                    RoleAssignmentId = role.Id,
                    DisplayName = adObject.DisplayName,
                    Actions = roleDefinition.Actions,
                    NotActions = roleDefinition.NotActions,
                    RoleDefinitionName = roleDefinition.Name,
                    Scope = role.Properties.Scope,
                    UserPrincipalName = ((PSADUser)adObject).UserPrincipalName,
                    Mail = ((PSADUser)adObject).Mail,
                    ObjectId = adObject.Id
                };
            }
            else if (adObject is PSADGroup)
            {
                return new PSGroupRoleAssignment()
                {
                    RoleAssignmentId = role.Id,
                    DisplayName = adObject.DisplayName,
                    Actions = roleDefinition.Actions,
                    NotActions = roleDefinition.NotActions,
                    RoleDefinitionName = roleDefinition.Name,
                    Scope = role.Properties.Scope,
                    Mail = ((PSADGroup)adObject).Mail,
                    ObjectId = adObject.Id
                };
            }
            else if (adObject is PSADServicePrincipal)
            {
                return new PSServiceRoleAssignment()
                {
                    RoleAssignmentId = role.Id,
                    DisplayName = adObject.DisplayName,
                    Actions = roleDefinition.Actions,
                    NotActions = roleDefinition.NotActions,
                    RoleDefinitionName = roleDefinition.Name,
                    Scope = role.Properties.Scope,
                    ServicePrincipalName = ((PSADServicePrincipal)adObject).ServicePrincipalName,
                    ObjectId = adObject.Id
                };
            }
            else
            {
                return new PSRoleAssignment()
                {
                    RoleAssignmentId = role.Id,
                    DisplayName = adObject.DisplayName,
                    Actions = roleDefinition.Actions,
                    NotActions = roleDefinition.NotActions,
                    RoleDefinitionName = roleDefinition.Name,
                    Scope = role.Properties.Scope,
                    ObjectId = adObject.Id
                };
            }
        }