/// <summary>
/// Based on the YOUR AAD ApplicationId determine if the Tenant already has the ServicePrincipal in their directory
/// </summary>
/// <param name="client"></param>
/// <param name="applicationId"></param>
/// <returns></returns>
private static async Task <IServicePrincipal> GetServicePrincipalAsync(IActiveDirectoryClient client, string applicationId)
{
IPagedCollection <IServicePrincipal> servicePrincipals = null;
try
{
servicePrincipals = await client.ServicePrincipals.ExecuteAsync();
}
catch (Exception e)
{
Program.WriteError("\nError getting Service Principal {0}", Program.ExtractErrorMessage(e));
}
while (servicePrincipals != null)
{
List <IServicePrincipal> servicePrincipalsList = servicePrincipals.CurrentPage.ToList();
IServicePrincipal servicePrincipal =
servicePrincipalsList.FirstOrDefault(x => x.AppId.Equals(applicationId));
if (servicePrincipal != null)
{
return(servicePrincipal);
}
servicePrincipals = await servicePrincipals.GetNextPageAsync();
}
return(null);
}
public void CanCRUDServicePrincipal()
{
using (var context = FluentMockContext.Start(GetType().FullName))
{
IGraphRbacManager manager = TestHelper.CreateGraphRbacManager();
IServicePrincipal servicePrincipal = null;
string name = SdkContext.RandomResourceName("javasdksp", 20);
try
{
servicePrincipal = manager.ServicePrincipals.Define(name)
.WithNewApplication("http://easycreate.azure.com/anotherapp/" + name)
.DefinePasswordCredential("sppass")
.WithPasswordValue("StrongPass!12")
.Attach()
.DefineCertificateCredential("spcert")
.WithAsymmetricX509Certificate()
.WithPublicKey(File.ReadAllBytes("Assets/myTest.cer"))
.WithDuration(TimeSpan.FromDays(1))
.Attach()
.Create();
Console.WriteLine(servicePrincipal.Id + " - " + string.Join(", ", servicePrincipal.ServicePrincipalNames));
Assert.NotNull(servicePrincipal.Id);
Assert.NotNull(servicePrincipal.ApplicationId);
Assert.Equal(2, servicePrincipal.ServicePrincipalNames.Count);
Assert.Equal(1, servicePrincipal.PasswordCredentials.Count);
Assert.Equal(1, servicePrincipal.CertificateCredentials.Count);
// Get
servicePrincipal = manager.ServicePrincipals.GetByName(servicePrincipal.ApplicationId);
Assert.NotNull(servicePrincipal);
Assert.NotNull(servicePrincipal.ApplicationId);
Assert.Equal(2, servicePrincipal.ServicePrincipalNames.Count);
Assert.Equal(1, servicePrincipal.PasswordCredentials.Count);
Assert.Equal(1, servicePrincipal.CertificateCredentials.Count);
// Update
servicePrincipal.Update()
.WithoutCredential("sppass")
.DefineCertificateCredential("spcert")
.WithAsymmetricX509Certificate()
.WithPublicKey(File.ReadAllBytes("Assets/myTest2.cer"))
.WithDuration(TimeSpan.FromDays(2))
.Attach()
.Apply();
Assert.NotNull(servicePrincipal);
Assert.NotNull(servicePrincipal.ApplicationId);
Assert.Equal(2, servicePrincipal.ServicePrincipalNames.Count);
Assert.Equal(0, servicePrincipal.PasswordCredentials.Count);
Assert.Equal(2, servicePrincipal.CertificateCredentials.Count);
}
finally
{
if (servicePrincipal != null)
{
manager.ServicePrincipals.DeleteById(servicePrincipal.Id);
manager.Applications.DeleteById(manager.Applications.GetByName(servicePrincipal.ApplicationId).Id);
}
}
}
}
public IServicePrincipal GetServicePrincipal(string appId)
{
IServicePrincipal servicePrincipal = null;
servicePrincipal = _activeDirectoryClient.ServicePrincipals.Where(s => s.AppId == appId).ExecuteSingleAsync().Result;
return(servicePrincipal);
}
/**
* Azure Service Principal sample for managing Service Principal -
* - Create an Active Directory application
* - Create a Service Principal for the application and assign a role
* - Export the Service Principal to an authentication file
* - Use the file to list subcription virtual machines
* - Update the application
* - Update the service principal to revoke the password credential and the role
* - Delete the Service Principal.
*/
public static void RunSample(Azure.IAuthenticated authenticated)
{
string subscriptionId = authenticated.Subscriptions.List().First <ISubscription>().SubscriptionId;
Utilities.Log("Selected subscription: " + subscriptionId);
IActiveDirectoryApplication activeDirectoryApplication = null;
string authFilePath = Path.Combine(Utilities.ProjectPath, "Asset", "mySamplAuthdFile.azureauth").ToString();
try
{
activeDirectoryApplication = CreateActiveDirectoryApplication(authenticated);
IServicePrincipal servicePrincipal = CreateServicePrincipalWithRoleForApplicationAndExportToFile(authenticated, activeDirectoryApplication, BuiltInRole.Contributor, subscriptionId, authFilePath);
// Wait until Service Principal is ready
SdkContext.DelayProvider.Delay(15);
UseAuthFile(authFilePath);
UpdateApplication(authenticated, activeDirectoryApplication);
UpdateServicePrincipal(authenticated, servicePrincipal);
}
finally
{
Utilities.Log("Deleting Active Directory application and Service Principal...");
if (activeDirectoryApplication != null)
{
// this will delete Service Principal as well
authenticated.ActiveDirectoryApplications.DeleteById(activeDirectoryApplication.Id);
}
}
}
public ProvisionAzure(ISettings settings, IServicePrincipal principal, IAzureRestClient azureRestClient)
{
Principal = principal;
Settings = settings;
AzureRestClient = azureRestClient;
CommonTags = new Dictionary <string, string>();
}
private static async Task CleanupPermissionGrantsAsync(IActiveDirectoryClient client, OAuthGrant grant)
{
IServicePrincipal servicePrincipal = await GetServicePrincipalAsync(client, grant.Application.AppId);
if (servicePrincipal == null)
{
Log(string.Format("No existing service principal for app {0}", grant.Application.DisplayName));
return;
}
Log(string.Format("Deleting existing service principal for app {0}", grant.Application.DisplayName));
await servicePrincipal.DeleteAsync();
}
/// <summary>
/// To ensure the latest Service Principal with the most up-to-date permissions are created,
/// if exists, remove the existing Service Principal for YOUR AAD application
/// </summary>
/// <param name="client"></param>
/// <param name="grant"></param>
/// <returns></returns>
private static async Task CleanupPermissionGrantsAsync(IActiveDirectoryClient client,
OAuthGrant grant)
{
IServicePrincipal servicePrincipal = await GetServicePrincipalAsync(client, grant.Application.AppId);
if (servicePrincipal == null)
{
Program.WriteInfo($"No existing service principal for app {grant.Application.DisplayName}");
return;
}
Program.WriteInfo($"Deleting existing service principal for app {grant.Application.DisplayName}");
await servicePrincipal.DeleteAsync();
}
static async Task AddAdminRoleAssignmentToServer(IServicePrincipal serverApplication)
{
// Get the admin role,
var role = serverApplication.AppRoles.First(r => r.Value == "admin_signservice");
var ara = new AppRoleAssignment
{
PrincipalId = Guid.Parse(authResult.UserInfo.UniqueId),
PrincipalType = "User",
Id = role.Id,
ResourceId = Guid.Parse(serverApplication.ObjectId)
};
await graphClient.Users.GetByObjectId(authResult.UserInfo.UniqueId).AppRoleAssignments.AddAppRoleAssignmentAsync(ara);
}
/// <summary>
/// If the ServicePrincipal does not already exist in the tenant's directory,
/// then creates a ServicePrincipal for the specified application in the tenant's directory,
/// otherwise return the found ServicePrincipal
/// </summary>
/// <param name="client"></param>
/// <param name="application"></param>
/// <returns>IServicePrincipal</returns>
private static async Task <IServicePrincipal> CreateServicePrincipalAsync(IActiveDirectoryClient client, IApplication application)
{
IServicePrincipal servicePrincipal = null;
if (application.AppId != null)
{
// does the Service Principal already exist?
servicePrincipal = await GetServicePrincipalAsync(client, application.AppId);
// if exists then return the found Service Principal
if (servicePrincipal != null)
{
return(servicePrincipal);
}
// if not found then create a Service Principal for this tenant
servicePrincipal = new ServicePrincipal()
{
AccountEnabled = true,
AppId = application.AppId,
DisplayName = application.DisplayName
};
try
{
await client.ServicePrincipals.AddServicePrincipalAsync(servicePrincipal);
}
catch (Exception e)
{
Program.WriteError("\nError creating Service Principal for {0}: {1}", application.DisplayName, Program.ExtractErrorMessage(e));
return(null);
}
}
else
{
Program.WriteError("\nRefusing to create Service Principal for {0} because ApplicationID was not supplied", application.DisplayName);
return(null);
}
return(servicePrincipal);
}
public void CanCRUDKeyVault()
{
using (var context = FluentMockContext.Start(GetType().FullName))
{
// Create user service principal
String sp = SdkContext.RandomResourceName("sp", 20);
String us = SdkContext.RandomResourceName("us", 20);
IGraphRbacManager graphManager = TestHelper.CreateGraphRbacManager();
string vaultName1 = TestUtilities.GenerateName("vault1");
string rgName = TestUtilities.GenerateName("rgNEMV");
IKeyVaultManager manager = TestHelper.CreateKeyVaultManager();
IServicePrincipal servicePrincipal = graphManager.ServicePrincipals
.Define(sp)
.WithNewApplication("http://" + sp)
.Create();
IActiveDirectoryUser user = graphManager.Users
.Define(us)
.WithEmailAlias(us)
.WithPassword("P@$$w0rd")
.Create();
//var spnCredentialsClientId = HttpMockServer.Variables[ConnectionStringKeys.ServicePrincipalKey];
try
{
IVault vault = manager.Vaults
.Define(vaultName1)
.WithRegion(Region.USWest)
.WithNewResourceGroup(rgName)
.DefineAccessPolicy()
.ForServicePrincipal("http://" + sp)
.AllowKeyPermissions(KeyPermissions.List)
.AllowSecretAllPermissions()
.AllowCertificatePermissions(CertificatePermissions.Get)
.Attach()
.DefineAccessPolicy()
.ForUser(us)
.AllowKeyAllPermissions()
.AllowSecretAllPermissions()
.AllowCertificatePermissions(CertificatePermissions.Get, CertificatePermissions.List, CertificatePermissions.Create)
.Attach()
.Create();
Assert.NotNull(vault);
Assert.Equal(vaultName1, vault.Name);
foreach (IAccessPolicy policy in vault.AccessPolicies)
{
if (policy.ObjectId.Equals(servicePrincipal.Id))
{
Assert.Equal(1, policy.Permissions.Keys.Count);
Assert.Equal(KeyPermissions.List.Value, policy.Permissions.Keys[0]);
Assert.Equal(8, policy.Permissions.Secrets.Count);
Assert.Equal(1, policy.Permissions.Certificates.Count);
Assert.Equal(CertificatePermissions.Get.Value, policy.Permissions.Certificates[0]);
}
if (policy.ObjectId.Equals(user.Id))
{
Assert.Equal(16, policy.Permissions.Keys.Count);
Assert.Equal(8, policy.Permissions.Secrets.Count);
Assert.Equal(3, policy.Permissions.Certificates.Count);
}
}
vault = vault.Update()
.UpdateAccessPolicy(servicePrincipal.Id)
.AllowKeyAllPermissions()
.DisallowSecretAllPermissions()
.AllowCertificateAllPermissions()
.Parent()
.Apply();
foreach (IAccessPolicy policy in vault.AccessPolicies)
{
if (policy.ObjectId.Equals(servicePrincipal.Id))
{
Assert.Equal(16, policy.Permissions.Keys.Count);
Assert.Equal(0, policy.Permissions.Secrets.Count);
Assert.Equal(14, policy.Permissions.Certificates.Count);
}
}
}
finally
{
try
{
TestHelper.CreateResourceManager().ResourceGroups.DeleteByName(rgName);
}
catch { }
}
}
}
public void CanCRUDGroup()
{
using (var context = FluentMockContext.Start(GetType().FullName))
{
IGraphRbacManager manager = TestHelper.CreateGraphRbacManager();
var userName = SdkContext.RandomResourceName("user", 16);
var spName = SdkContext.RandomResourceName("sp", 16);
var group1Name = SdkContext.RandomResourceName("group", 16);
var group2Name = SdkContext.RandomResourceName("group", 16);
IActiveDirectoryUser user = null;
IServicePrincipal servicePrincipal = null;
IActiveDirectoryGroup group1 = null;
IActiveDirectoryGroup group2 = null;
try
{
user = manager.Users.Define(userName)
.WithEmailAlias(userName)
.WithPassword("StrongPass!123")
.Create();
servicePrincipal = manager.ServicePrincipals.Define(spName)
.WithNewApplication("https://" + spName)
.Create();
group1 = manager.Groups.Define(group1Name)
.WithEmailAlias(group1Name)
.Create();
SdkContext.DelayProvider.Delay(15000);
group2 = manager.Groups.Define(group2Name)
.WithEmailAlias(group2Name)
.WithMember(user.Id)
.WithMember(servicePrincipal.Id)
.WithMember(group1.Id)
.Create();
Assert.NotNull(group2);
Assert.NotNull(group2.Id);
var members = group2.ListMembers();
Assert.Equal(3, members.Count());
var enumerator = members.GetEnumerator();
Assert.True(enumerator.MoveNext());
Assert.NotNull(enumerator.Current.Id);
Assert.True(enumerator.MoveNext());
Assert.NotNull(enumerator.Current.Id);
Assert.True(enumerator.MoveNext());
Assert.NotNull(enumerator.Current.Id);
Assert.False(enumerator.MoveNext());
}
finally
{
if (servicePrincipal != null)
{
manager.ServicePrincipals.DeleteById(servicePrincipal.Id);
}
// cannot delete users or groups from service principal
// if (user != null) {
// manager.Users.DeleteById(user.Id);
// }
// if (group != null) {
// manager.Groups.DeleteById(group.Id);
// }
}
}
}
public void CanCRUDServicePrincipalWithRole()
{
using (var context = FluentMockContext.Start(GetType().FullName))
{
IGraphRbacManager manager = TestHelper.CreateGraphRbacManager();
IServicePrincipal servicePrincipal = null;
string subscriptionId = TestHelper.CreateResourceManager().SubscriptionId;
string authFile = "mytest.azureauth";
string name = SdkContext.RandomResourceName("javasdksp", 20);
string rgName = SdkContext.RandomResourceName("rg", 20);
try
{
servicePrincipal = manager.ServicePrincipals.Define(name)
.WithNewApplication("http://easycreate.azure.com/" + name)
.DefinePasswordCredential("sppass")
.WithPasswordValue("StrongPass!12")
.Attach()
.DefineCertificateCredential("spcert")
.WithAsymmetricX509Certificate()
.WithPublicKey(File.ReadAllBytes("Assets/myTest.cer"))
.WithDuration(TimeSpan.FromDays(100))
.WithAuthFileToExport(new StreamWriter(new FileStream(authFile, FileMode.OpenOrCreate)))
.WithPrivateKeyFile("Assets/myTest._pfx")
.WithPrivateKeyPassword("Abc123")
.Attach()
.WithNewRoleInSubscription(BuiltInRole.Contributor, subscriptionId)
.Create();
Console.WriteLine(servicePrincipal.Id + " - " + string.Join(", ", servicePrincipal.ServicePrincipalNames));
Assert.NotNull(servicePrincipal.Id);
Assert.NotNull(servicePrincipal.ApplicationId);
Assert.Equal(2, servicePrincipal.ServicePrincipalNames.Count);
Assert.Equal(1, servicePrincipal.PasswordCredentials.Count);
Assert.Equal(1, servicePrincipal.CertificateCredentials.Count);
SdkContext.DelayProvider.Delay(10000);
IResourceManager resourceManager = Microsoft.Azure.Management.ResourceManager.Fluent.ResourceManager.Authenticate(
new AzureCredentialsFactory().FromFile(authFile)).WithSubscription(subscriptionId);
var group = resourceManager.ResourceGroups.Define(rgName).WithRegion(Region.USWest).Create();
// Update
IRoleAssignment ra = servicePrincipal.RoleAssignments.First();
servicePrincipal.Update()
.WithoutRole(ra)
.WithNewRoleInResourceGroup(BuiltInRole.Contributor, group)
.Apply();
SdkContext.DelayProvider.Delay(120000);
Assert.NotNull(resourceManager.ResourceGroups.GetByName(group.Name));
try
{
resourceManager.ResourceGroups.Define(rgName + "2")
.WithRegion(Region.USWest).Create();
}
catch (Exception)
{
// expected
}
}
finally
{
if (servicePrincipal != null)
{
manager.ServicePrincipals.DeleteById(servicePrincipal.Id);
manager.Applications.DeleteById(manager.Applications.GetByName(servicePrincipal.ApplicationId).Id);
}
}
}
}
/// <summary>
/// Specifies the Active Directory service principal this access policy is for.
/// </summary>
/// <param name="servicePrincipal">The AD service principal object.</param>
/// <return>The next stage of access policy definition.</return>
Microsoft.Azure.Management.KeyVault.Fluent.AccessPolicy.Definition.IWithAttach <Microsoft.Azure.Management.KeyVault.Fluent.Vault.Definition.IWithCreate> Microsoft.Azure.Management.KeyVault.Fluent.AccessPolicy.Definition.IWithIdentity <Microsoft.Azure.Management.KeyVault.Fluent.Vault.Definition.IWithCreate> .ForServicePrincipal(IServicePrincipal servicePrincipal)
{
return(this.ForServicePrincipal(servicePrincipal));
}
public ActiveDirectoryGroupImpl WithMember(IServicePrincipal servicePrincipal)
{
return(WithMember(servicePrincipal.Id));
}
/**
* Azure Users, Groups and Roles sample.
* - Create a user
* - Assign role to AD user
* - Revoke role from AD user
* - Get role by scope and role name
* - Create service principal
* - Assign role to service principal
* - Create 2 Active Directory groups
* - Add the user, the service principal, and the 1st group as members of the 2nd group
*/
public static void RunSample(Azure.IAuthenticated authenticated)
{
string userEmail = Utilities.CreateRandomName("test");
string userName = userEmail.Replace("test", "Test ");
string spName = Utilities.CreateRandomName("sp");
string raName1 = SdkContext.RandomGuid();
string raName2 = SdkContext.RandomGuid();
string groupEmail1 = Utilities.CreateRandomName("group1");
string groupEmail2 = Utilities.CreateRandomName("group2");
string groupName1 = groupEmail1.Replace("group1", "Group ");
string groupName2 = groupEmail2.Replace("group2", "Group ");
String spId = "";
string subscriptionId = authenticated.Subscriptions.List().First().SubscriptionId;
Utilities.Log("Selected subscription: " + subscriptionId);
// ============================================================
// Create a user
Utilities.Log("Creating an Active Directory user " + userName + "...");
var user = authenticated.ActiveDirectoryUsers
.Define(userName)
.WithEmailAlias(userEmail)
.WithPassword("StrongPass!12")
.Create();
Utilities.Log("Created Active Directory user " + userName);
Utilities.Print(user);
// ============================================================
// Assign role to AD user
IRoleAssignment roleAssignment1 = authenticated.RoleAssignments
.Define(raName1)
.ForUser(user)
.WithBuiltInRole(BuiltInRole.DnsZoneContributor)
.WithSubscriptionScope(subscriptionId)
.Create();
Utilities.Log("Created Role Assignment:");
Utilities.Print(roleAssignment1);
// ============================================================
// Revoke role from AD user
authenticated.RoleAssignments.DeleteById(roleAssignment1.Id);
Utilities.Log("Revoked Role Assignment: " + roleAssignment1.Id);
// ============================================================
// Get role by scope and role name
IRoleDefinition roleDefinition = authenticated.RoleDefinitions
.GetByScopeAndRoleName("subscriptions/" + subscriptionId, "Contributor");
Utilities.Print(roleDefinition);
// ============================================================
// Create Service Principal
IServicePrincipal sp = authenticated.ServicePrincipals.Define(spName)
.WithNewApplication("http://" + spName)
.Create();
// wait till service principal created and propagated
SdkContext.DelayProvider.Delay(15000);
Utilities.Log("Created Service Principal:");
Utilities.Print(sp);
spId = sp.Id;
// ============================================================
// Assign role to Service Principal
string defaultSubscription = authenticated.Subscriptions.List().First().SubscriptionId;
IRoleAssignment roleAssignment2 = authenticated.RoleAssignments
.Define(raName2)
.ForServicePrincipal(sp)
.WithBuiltInRole(BuiltInRole.Contributor)
.WithSubscriptionScope(defaultSubscription)
.Create();
Utilities.Log("Created Role Assignment:");
Utilities.Print(roleAssignment2);
// ============================================================
// Create Active Directory groups
Utilities.Log("Creating Active Directory group " + groupName1 + "...");
var group1 = authenticated.ActiveDirectoryGroups
.Define(groupName1)
.WithEmailAlias(groupEmail1)
.Create();
Utilities.Log("Created Active Directory group " + groupName1);
Utilities.Print(group1);
var group2 = authenticated.ActiveDirectoryGroups
.Define(groupName2)
.WithEmailAlias(groupEmail2)
.Create();
Utilities.Log("Created Active Directory group " + groupName2);
Utilities.Print(group2);
Utilities.Log("Adding group members to group " + groupName2 + "...");
group2.Update()
.WithMember(user)
.WithMember(sp)
.WithMember(group1)
.Apply();
Utilities.Log("Group members added to group " + groupName2);
Utilities.Print(group2);
}
/// <summary>
/// Creates a RBAC role assignment (using role or role definition) for the given service principal.
/// </summary>
/// <param name="servicePrincipal">The service principal.</param>
/// <param name="roleOrRoleDefinition">The role or role definition.</param>
/// <param name="scope">The scope for the role assignment.</param>
/// <return>An observable that emits the role assignment if it is created, null if assignment already exists.</return>
///GENMHASH:85AA7846D5642A1F7125332B46A901BE:A2437532CFAD0C7032A34C1FD573957E
private async Task <Microsoft.Azure.Management.Graph.RBAC.Fluent.IRoleAssignment> CreateRbacRoleAssignmentIfNotExistsAsync(IServicePrincipal servicePrincipal, string roleOrRoleDefinition, string scope, bool isRole, CancellationToken cancellationToken = default(CancellationToken))
{
string roleAssignmentName = SdkContext.RandomGuid();
try
{
if (isRole)
{
return(await rbacManager
.RoleAssignments
.Define(roleAssignmentName)
.ForServicePrincipal(servicePrincipal)
.WithBuiltInRole(BuiltInRole.Parse(roleOrRoleDefinition))
.WithScope(scope)
.CreateAsync(cancellationToken));
}
else
{
return(await rbacManager
.RoleAssignments
.Define(roleAssignmentName)
.ForServicePrincipal(servicePrincipal)
.WithRoleDefinition(roleOrRoleDefinition)
.WithScope(scope)
.CreateAsync(cancellationToken));
}
}
catch (CloudException cloudException)
{
if (cloudException.Body != null && cloudException.Body.Code != null && cloudException.Body.Code.Equals("RoleAssignmentExists", StringComparison.OrdinalIgnoreCase))
{
// NOTE: We are unable to lookup the role assignment from principal.RoleAssignments() list
// because role assignment object does not contain 'role' name (the roleDefinitionId refer
// 'role' using id with GUID).
return(null);
}
throw cloudException;
}
}
public RoleAssignmentImpl ForServicePrincipal(IServicePrincipal servicePrincipal)
{
this.objectId = servicePrincipal.Id;
return(this);
}
static async Task CreateOrUpdateResourceGroup(IServicePrincipal serverApplication)
{
Console.WriteLine("Add or update Key Vault Resource Group (required once)? [y/N] to continue: ");
var key = Console.ReadLine()
.ToUpperInvariant()
.Trim();
if (key != "Y")
{
return;
}
Console.Write("SubscriptionId: ");
var subscriptionId = Console.ReadLine();
Console.Write("Resource Group Name (blank for default 'SignService-KeyVaults'): ");
var name = Console.ReadLine();
if (string.IsNullOrWhiteSpace(name))
{
name = "SignService-KeyVaults";
}
Console.WriteLine("Location (eastus, westus, etc): ");
var location = Console.ReadLine();
var accessToken = await authContext.AcquireTokenSilentAsync(azureRmResourceId, ClientId);
using var rgc = new ResourceManagementClient(new TokenCredentials(accessToken.AccessToken))
{
SubscriptionId = subscriptionId,
BaseUri = new Uri(configuration["AzureRM:Instance"])
};
var rg = new ResourceGroup(location, name: name);
rg = await rgc.ResourceGroups.CreateOrUpdateAsync(name, rg);
using var ac = new AuthorizationManagementClient(new TokenCredentials(accessToken.AccessToken))
{
SubscriptionId = subscriptionId,
BaseUri = new Uri(configuration["AzureRM:Instance"])
};
// See if the resource group has the reader role
// Get the reader role
var roleFilter = new ODataQuery <RoleDefinitionFilter>(f => f.RoleName == "Reader");
var roleDefinitions = await ac.RoleDefinitions.ListAsync(rg.Id, roleFilter);
var roleDefinition = roleDefinitions.First();
var roleId = roleDefinition.Id;
var spid = serverApplication.ObjectId;
var raps = await ac.RoleAssignments.ListForScopeAsync(rg.Id, new ODataQuery <RoleAssignmentFilter>(f => f.PrincipalId == spid));
if (raps.All(ra => ra.RoleDefinitionId != roleId))
{
// none found, add one
var rap = new RoleAssignmentCreateParameters
{
PrincipalId = spid,
RoleDefinitionId = roleId
};
var ra = await ac.RoleAssignments.CreateAsync(rg.Id, Guid.NewGuid().ToString(), rap);
}
}
/// <summary>
/// Removes a service principal as a member in the group.
/// </summary>
/// <param name="servicePrincipal">The service principal to remove.</param>
/// <return>The next AD group update stage.</return>
ActiveDirectoryGroup.Update.IUpdate ActiveDirectoryGroup.Update.IWithMemberBeta.WithoutMember(IServicePrincipal servicePrincipal)
{
return(this.WithoutMember(servicePrincipal));
}
/// <summary>
/// Adds a service principal as a member in the group.
/// </summary>
/// <param name="servicePrincipal">The service principal to add.</param>
/// <return>The next AD group definition stage.</return>
ActiveDirectoryGroup.Definition.IWithCreate ActiveDirectoryGroup.Definition.IWithMemberBeta.WithMember(IServicePrincipal servicePrincipal)
{
return(this.WithMember(servicePrincipal));
}
public AzureRestClient(IServicePrincipal principal)
{
this.principal = principal;
httpClient = new HttpClient();
}
/**
* Azure Service Principal sample for managing Service Principal -
* - Create an Active Directory application
* - Create a Service Principal for the application and assign a role
* - Export the Service Principal to an authentication file
* - Use the file to list subcription virtual machines
* - Update the application
* - Delete the application and Service Principal.
*/
public static void RunSample(Azure.IAuthenticated authenticated, AzureEnvironment environment)
{
string spName = Utilities.CreateRandomName("sp");
string appName = SdkContext.RandomResourceName("app", 20);
string appUrl = "https://" + appName;
string passwordName1 = SdkContext.RandomResourceName("password", 20);
string password1 = "P@ssw0rd";
string passwordName2 = SdkContext.RandomResourceName("password", 20);
string password2 = "StrongP@ss!12";
string certName1 = SdkContext.RandomResourceName("cert", 20);
string raName = SdkContext.RandomGuid();
string servicePrincipalId = "";
try
{
// ============================================================
// Create application
Utilities.Log("Creating a service principal " + spName + "...");
IServicePrincipal servicePrincipal = authenticated.ServicePrincipals
.Define(appName)
.WithNewApplication(appUrl)
.DefinePasswordCredential(passwordName1)
.WithPasswordValue(password1)
.Attach()
.DefinePasswordCredential(passwordName2)
.WithPasswordValue(password2)
.Attach()
.DefineCertificateCredential(certName1)
.WithAsymmetricX509Certificate()
.WithPublicKey(File.ReadAllBytes(Path.Combine(Utilities.ProjectPath, "Asset", "NetworkTestCertificate1.cer")))
.WithDuration(TimeSpan.FromDays(1))
.Attach()
.Create();
Utilities.Log("Created service principal " + spName + ".");
Utilities.Print(servicePrincipal);
servicePrincipalId = servicePrincipal.Id;
// ============================================================
// Create role assignment
Utilities.Log("Creating a Contributor role assignment " + raName + " for the service principal...");
SdkContext.DelayProvider.Delay(15000);
IRoleAssignment roleAssignment = authenticated.RoleAssignments
.Define(raName)
.ForServicePrincipal(servicePrincipal)
.WithBuiltInRole(BuiltInRole.Contributor)
.WithSubscriptionScope(authenticated.Subscriptions.List().First <ISubscription>().SubscriptionId)
.Create();
Utilities.Log("Created role assignment " + raName + ".");
Utilities.Print(roleAssignment);
// ============================================================
// Verify the credentials are valid
Utilities.Log("Verifying password credential " + passwordName1 + " is valid...");
AzureCredentials testCredential = new AzureCredentialsFactory().FromServicePrincipal(
servicePrincipal.ApplicationId, password1, authenticated.TenantId, environment);
try
{
Azure.Authenticate(testCredential).WithDefaultSubscription();
Utilities.Log("Verified " + passwordName1 + " is valid.");
}
catch (Exception e)
{
Utilities.Log("Failed to verify " + passwordName1 + " is valid. Exception: " + e.Message);
}
Utilities.Log("Verifying password credential " + passwordName2 + " is valid...");
testCredential = new AzureCredentialsFactory().FromServicePrincipal(
servicePrincipal.ApplicationId, password2, authenticated.TenantId, environment);
try
{
Azure.Authenticate(testCredential).WithDefaultSubscription();
Utilities.Log("Verified " + passwordName2 + " is valid.");
}
catch (Exception e)
{
Utilities.Log("Failed to verify " + passwordName2 + " is valid. Exception: " + e.Message);
}
Utilities.Log("Verifying certificate credential " + certName1 + " is valid...");
testCredential = new AzureCredentialsFactory().FromServicePrincipal(
servicePrincipal.ApplicationId,
Path.Combine(Utilities.ProjectPath, "Asset", "NetworkTestCertificate1.pfx"),
"Abc123",
authenticated.TenantId,
environment);
try
{
Azure.Authenticate(testCredential).WithDefaultSubscription();
Utilities.Log("Verified " + certName1 + " is valid.");
}
catch (Exception e)
{
Utilities.Log("Failed to verify " + certName1 + " is valid. Exception: " + e.Message);
}
// ============================================================
// Revoke access of the 1st password credential
Utilities.Log("Revoking access for password credential " + passwordName1 + "...");
servicePrincipal.Update()
.WithoutCredential(passwordName1)
.Apply();
SdkContext.DelayProvider.Delay(15000);
Utilities.Log("Credential revoked.");
// ============================================================
// Verify the revoked password credential is no longer valid
Utilities.Log("Verifying password credential " + passwordName1 + " is revoked...");
testCredential = new AzureCredentialsFactory().FromServicePrincipal(
servicePrincipal.ApplicationId, password1, authenticated.TenantId, environment);
try
{
Azure.Authenticate(testCredential).WithDefaultSubscription();
Utilities.Log("Failed to verify " + passwordName1 + " is revoked.");
}
catch (Exception e)
{
Utilities.Log("Verified " + passwordName1 + " is revoked. Exception: " + e.Message);
}
// ============================================================
// Revoke the role assignment
Utilities.Log("Revoking role assignment " + raName + "...");
authenticated.RoleAssignments.DeleteById(roleAssignment.Id);
SdkContext.DelayProvider.Delay(5000);
// ============================================================
// Verify the revoked password credential is no longer valid
Utilities.Log("Verifying password credential " + passwordName2 + " has no access to subscription...");
testCredential = new AzureCredentialsFactory().FromServicePrincipal(
servicePrincipal.ApplicationId, password2, authenticated.TenantId, environment);
try
{
Azure.Authenticate(testCredential).WithDefaultSubscription()
.ResourceGroups.List();
Utilities.Log("Failed to verify " + passwordName2 + " has no access to subscription.");
}
catch (Exception e)
{
Utilities.Log("Verified " + passwordName2 + " has no access to subscription. Exception: " + e.Message);
}
}
catch (Exception f)
{
Utilities.Log(f.Message);
}
finally
{
try
{
Utilities.Log("Deleting application: " + appName);
authenticated.ServicePrincipals.DeleteById(servicePrincipalId);
Utilities.Log("Deleted application: " + appName);
}
catch (Exception e)
{
Utilities.Log("Did not create applications in Azure. No clean up is necessary. Exception: " + e.Message);
}
}
}
/// <summary>
/// Specifies the assignee of the role assignment to be a service principal.
/// </summary>
/// <param name="servicePrincipal">The service principal object.</param>
/// <return>The next stage in role assignment definition.</return>
RoleAssignment.Definition.IWithRole RoleAssignment.Definition.IWithAssignee.ForServicePrincipal(IServicePrincipal servicePrincipal)
{
return(this.ForServicePrincipal(servicePrincipal) as RoleAssignment.Definition.IWithRole);
}
private static void UpdateServicePrincipal(Azure.IAuthenticated authenticated, IServicePrincipal servicePrincipal)
{
Utilities.Log("Updating Service Principal...");
servicePrincipal.Update()
// add another password credentials
.WithoutCredential("ServicePrincipalAzureSample")
.WithoutRole(servicePrincipal.RoleAssignments.First())
.Apply();
}
public void CanSetMSIOnNewVMWithMultipleRoleAssignments()
{
using (var context = FluentMockContext.Start(GetType().FullName))
{
var groupName = TestUtilities.GenerateName("rgmsi");
var storageAccountName = TestUtilities.GenerateName("ja");
var region = Region.USSouthCentral;
var vmName = "javavm";
IAzure azure = null;
try
{
azure = TestHelper.CreateRollupClient();
IStorageAccount storageAccount = azure.StorageAccounts
.Define(storageAccountName)
.WithRegion(region)
.WithNewResourceGroup(groupName)
.Create();
var resourceGroup = azure.ResourceGroups.GetByName(storageAccount.ResourceGroupName);
IVirtualMachine virtualMachine = azure.VirtualMachines
.Define(vmName)
.WithRegion(region)
.WithExistingResourceGroup(groupName)
.WithNewPrimaryNetwork("10.0.0.0/28")
.WithPrimaryPrivateIPAddressDynamic()
.WithoutPrimaryPublicIPAddress()
.WithPopularLinuxImage(KnownLinuxVirtualMachineImage.UbuntuServer16_04_Lts)
.WithRootUsername("Foo12")
.WithRootPassword("abc!@#F0orL")
.WithSize(VirtualMachineSizeTypes.StandardDS2V2)
.WithOSDiskCaching(CachingTypes.ReadWrite)
.WithSystemAssignedManagedServiceIdentity()
.WithSystemAssignedIdentityBasedAccessTo(resourceGroup.Id, BuiltInRole.Contributor)
.WithSystemAssignedIdentityBasedAccessTo(storageAccount.Id, BuiltInRole.Contributor)
.Create();
var authenticatedClient = TestHelper.CreateAuthenticatedClient();
// Validate service created service principal
//
IServicePrincipal servicePrincipal = authenticatedClient
.ServicePrincipals
.GetById(virtualMachine.SystemAssignedManagedServiceIdentityPrincipalId);
Assert.NotNull(servicePrincipal);
Assert.NotNull(servicePrincipal.Inner);
// Ensure the MSI extension is set
//
var extensions = virtualMachine.ListExtensions();
bool extensionFound = false;
foreach (var extension in extensions.Values)
{
if (extension.PublisherName.Equals("Microsoft.ManagedIdentity", StringComparison.OrdinalIgnoreCase) &&
extension.TypeName.Equals("ManagedIdentityExtensionForLinux", StringComparison.OrdinalIgnoreCase))
{
extensionFound = true;
break;
}
}
Assert.True(extensionFound);
// Ensure role assigned for resource group
//
var rgRoleAssignments = authenticatedClient.RoleAssignments.ListByScope(resourceGroup.Id);
Assert.NotNull(rgRoleAssignments);
bool found = false;
foreach (var roleAssignment in rgRoleAssignments)
{
if (roleAssignment.PrincipalId != null && roleAssignment.PrincipalId.Equals(virtualMachine.SystemAssignedManagedServiceIdentityPrincipalId, StringComparison.OrdinalIgnoreCase))
{
found = true;
break;
}
}
Assert.True(found, "Resource group should have a role assignment with virtual machine MSI principal");
// Ensure role assigned for storage account
//
var stgRoleAssignments = authenticatedClient.RoleAssignments.ListByScope(storageAccount.Id);
Assert.NotNull(stgRoleAssignments);
found = false;
foreach (var roleAssignment in stgRoleAssignments)
{
if (roleAssignment.PrincipalId != null && roleAssignment.PrincipalId.Equals(virtualMachine.SystemAssignedManagedServiceIdentityPrincipalId, StringComparison.OrdinalIgnoreCase))
{
found = true;
break;
}
}
Assert.True(found, "Storage account should have a role assignment with virtual machine MSI principal");
}
finally
{
try
{
if (azure != null)
{
azure.ResourceGroups.BeginDeleteByName(groupName);
}
}
catch { }
}
}
}
///GENMHASH:7B10596856964977EC5E018A031EE6E9:E17FF884EE021904E2BD4F8BD9BDB6FC
public AccessPolicyImpl ForServicePrincipal(IServicePrincipal servicePrincipal)
{
Inner.ObjectId = servicePrincipal.Id;
return(this);
}
