/// <summary> /// Creates or updates a role definition. /// </summary> /// <param name='operations'> /// Reference to the /// Microsoft.Azure.Management.Authorization.IRoleDefinitionOperations. /// </param> /// <param name='roleDefinitionId'> /// Required. Role definition id. /// </param> /// <param name='parameters'> /// Required. Role definition. /// </param> /// <returns> /// Role definition create or update operation result. /// </returns> public static Task <RoleDefinitionCreateOrUpdateResult> CreateOrUpdateAsync(this IRoleDefinitionOperations operations, Guid roleDefinitionId, RoleDefinitionCreateOrUpdateParameters parameters) { return(operations.CreateOrUpdateAsync(roleDefinitionId, parameters, CancellationToken.None)); }
public void RoleDefinitionCreateTests() { const string RoleDefIdPrefix = "/providers/Microsoft.Authorization/roleDefinitions/"; using (UndoContext context = UndoContext.Current) { context.Start(); var client = testContext.GetAuthorizationManagementClient(); RoleDefinitionCreateOrUpdateParameters createOrUpdateParams; var roleDefinitionId = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition1"); string currentSubscriptionId = "/subscriptions/" + client.Credentials.SubscriptionId; string fullRoleId = currentSubscriptionId + RoleDefIdPrefix + roleDefinitionId; Guid newRoleId = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition2"); var resourceGroup = "newtestrg"; string resourceGroupScope = currentSubscriptionId + "/resourceGroups/" + resourceGroup; // Create a custom role definition try { createOrUpdateParams = new RoleDefinitionCreateOrUpdateParameters() { RoleDefinition = new RoleDefinition() { Properties = new RoleDefinitionProperties() { RoleName = "NewRoleName_" + roleDefinitionId.ToString(), Description = "New Test Custom Role", Permissions = new List <Permission>() { new Permission() { Actions = new List <string> { "Microsoft.Authorization/*/Read" } } }, AssignableScopes = new List <string>() { currentSubscriptionId }, }, } }; var roleDefinition = client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams); // Validate the roleDefinition properties. Assert.NotNull(roleDefinition); Assert.NotNull(roleDefinition.RoleDefinition); Assert.Equal(fullRoleId, roleDefinition.RoleDefinition.Id); Assert.Equal(roleDefinitionId, roleDefinition.RoleDefinition.Name); Assert.NotNull(roleDefinition.RoleDefinition.Properties); Assert.Equal("CustomRole", roleDefinition.RoleDefinition.Properties.Type); Assert.Equal("New Test Custom Role", roleDefinition.RoleDefinition.Properties.Description); Assert.NotEmpty(roleDefinition.RoleDefinition.Properties.AssignableScopes); Assert.Equal(currentSubscriptionId.ToLower(), roleDefinition.RoleDefinition.Properties.AssignableScopes.Single().ToLower()); Assert.NotEmpty(roleDefinition.RoleDefinition.Properties.Permissions); Assert.Equal("Microsoft.Authorization/*/Read", roleDefinition.RoleDefinition.Properties.Permissions.Single().Actions.Single()); // create resource group var resourceClient = PermissionsTests.GetResourceManagementClient(); resourceClient.ResourceGroups.CreateOrUpdate(resourceGroup, new Microsoft.Azure.Management.Resources.Models.ResourceGroup { Location = "westus" }); createOrUpdateParams.RoleDefinition.Properties.AssignableScopes = new List <string> { resourceGroupScope }; createOrUpdateParams.RoleDefinition.Properties.RoleName = "NewRoleName_" + newRoleId.ToString(); roleDefinition = client.RoleDefinitions.CreateOrUpdate(newRoleId, resourceGroupScope, createOrUpdateParams); Assert.NotNull(roleDefinition); } finally { var deleteResult = client.RoleDefinitions.Delete(roleDefinitionId, currentSubscriptionId); Assert.NotNull(deleteResult); deleteResult = client.RoleDefinitions.Delete(newRoleId, resourceGroupScope); Assert.NotNull(deleteResult); } TestUtilities.Wait(1000 * 15); // Negative test - create a roledefinition with same name (but different id) as an already existing custom role try { client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams); var roleDefinition2Id = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition3"); client.RoleDefinitions.CreateOrUpdate(roleDefinition2Id, currentSubscriptionId, createOrUpdateParams); } catch (CloudException ce) { Assert.Equal("RoleDefinitionWithSameNameExists", ce.Error.Code); Assert.Equal(HttpStatusCode.Conflict, ce.Response.StatusCode); } finally { var deleteResult = client.RoleDefinitions.Delete(roleDefinitionId, currentSubscriptionId); Assert.NotNull(deleteResult); } // Negative test - create a roledefinition with same id as a built-in role try { var allRoleDefinitions = client.RoleDefinitions.List(); Assert.NotNull(allRoleDefinitions); Assert.NotNull(allRoleDefinitions.RoleDefinitions); RoleDefinition builtInRole = allRoleDefinitions.RoleDefinitions.First(x => x.Properties.Type == "BuiltInRole"); createOrUpdateParams.RoleDefinition.Properties.RoleName = "NewRoleName_" + builtInRole.Name.ToString(); client.RoleDefinitions.CreateOrUpdate(builtInRole.Name, currentSubscriptionId, createOrUpdateParams); } catch (CloudException ce) { Assert.Equal("RoleDefinitionExists", ce.Error.Code); Assert.Equal(HttpStatusCode.Conflict, ce.Response.StatusCode); } // Negative test - create a roledefinition with type=BuiltInRole createOrUpdateParams.RoleDefinition.Properties.Type = "BuiltInRole"; try { client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams); } catch (CloudException ce) { Assert.Equal("InvalidRoleDefinitionType", ce.Error.Code); Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode); } // Negative Test - create a custom role with empty role name // reset the role type createOrUpdateParams.RoleDefinition.Properties.Type = null; createOrUpdateParams.RoleDefinition.Properties.RoleName = string.Empty; try { client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams); } catch (CloudException ce) { Assert.Equal("RoleDefinitionNameNullOrEmpty", ce.Error.Code); Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode); } // Negative Test - create a custom role with empty assignable scopes // reset the role name createOrUpdateParams.RoleDefinition.Properties.RoleName = "NewRoleName_" + roleDefinitionId.ToString(); createOrUpdateParams.RoleDefinition.Properties.AssignableScopes = new List <string>(); try { client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams); } catch (CloudException ce) { Assert.Equal("MissingAssignableScopes", ce.Error.Code); Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode); } // Negative Test - create a custom role with invalid value for assignable scopes createOrUpdateParams.RoleDefinition.Properties.AssignableScopes.Add("Invalid_Scope"); try { client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams); } catch (CloudException ce) { Assert.Equal("LinkedInvalidPropertyId", ce.Error.Code); Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode); } // Negative Test - create a custom role with empty permissions // reset assignable scopes /* TODO: Uncomment the below test case when PAS/PAS-RP determine whether to implement blocking of * create with empty Permission list */ ////createOrUpdateParams.RoleDefinition.Properties.AssignableScopes.Remove("Invalid_Scope"); ////createOrUpdateParams.RoleDefinition.Properties.AssignableScopes.Add(currentSubscriptionId); ////createOrUpdateParams.RoleDefinition.Properties.Permissions = new List<Permission>(); ////try ////{ //// client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, createOrUpdateParams); ////} ////catch (CloudException ce) ////{ //// Assert.Equal("AssignableScopeNotUnderSubscriptionScope", ce.Error.Code); //// Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode); ////} TestUtilities.EndTest(); } }
/// <summary> /// Creates or updates a role definition. /// </summary> /// <param name='operations'> /// Reference to the /// Microsoft.Azure.Management.Authorization.IRoleDefinitionOperations. /// </param> /// <param name='roleDefinitionId'> /// Required. Role definition id. /// </param> /// <param name='parameters'> /// Required. Role definition. /// </param> /// <returns> /// Role definition create or update operation result. /// </returns> public static RoleDefinitionCreateOrUpdateResult CreateOrUpdate(this IRoleDefinitionOperations operations, Guid roleDefinitionId, RoleDefinitionCreateOrUpdateParameters parameters) { return(Task.Factory.StartNew((object s) => { return ((IRoleDefinitionOperations)s).CreateOrUpdateAsync(roleDefinitionId, parameters); } , operations, CancellationToken.None, TaskCreationOptions.None, TaskScheduler.Default).Unwrap().GetAwaiter().GetResult()); }
public void RoleDefinitionUpdateTests() { using (UndoContext context = UndoContext.Current) { context.Start(); var client = testContext.GetAuthorizationManagementClient(); RoleDefinitionCreateOrUpdateParameters createOrUpdateParams; var roleDefinitionId = GetValueFromTestContext(Guid.NewGuid, Guid.Parse, "RoleDefinition"); string currentSubscriptionId = "/subscriptions/" + client.Credentials.SubscriptionId; // Create a custom role definition try { createOrUpdateParams = new RoleDefinitionCreateOrUpdateParameters() { RoleDefinition = new RoleDefinition() { // Name = roleDefinitionId, Properties = new RoleDefinitionProperties() { RoleName = "NewRoleName_" + roleDefinitionId.ToString(), Description = "New Test Custom Role", Permissions = new List <Permission>() { new Permission() { Actions = new List <string> { "Microsoft.Authorization/*/Read" } } }, AssignableScopes = new List <string>() { currentSubscriptionId }, }, } }; var roleDefinition = client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams); // Update role name, permissions for the custom role createOrUpdateParams.RoleDefinition.Properties.RoleName = "UpdatedRoleName_" + roleDefinitionId.ToString(); createOrUpdateParams.RoleDefinition.Properties.Permissions.Single().Actions.Add("Microsoft.Support/*/read"); var updatedRoleDefinition = client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams); // Validate the updated roleDefinition properties. Assert.NotNull(updatedRoleDefinition); Assert.NotNull(updatedRoleDefinition.RoleDefinition); Assert.Equal(updatedRoleDefinition.RoleDefinition.Id, roleDefinition.RoleDefinition.Id); Assert.Equal(updatedRoleDefinition.RoleDefinition.Name, roleDefinition.RoleDefinition.Name); // Role name and permissions should be updated Assert.Equal("UpdatedRoleName_" + roleDefinitionId.ToString(), updatedRoleDefinition.RoleDefinition.Properties.RoleName); Assert.NotEmpty(updatedRoleDefinition.RoleDefinition.Properties.Permissions); Assert.Equal("Microsoft.Authorization/*/Read", updatedRoleDefinition.RoleDefinition.Properties.Permissions.Single().Actions.First()); Assert.Equal("Microsoft.Support/*/read", updatedRoleDefinition.RoleDefinition.Properties.Permissions.Single().Actions.Last()); // Same assignable scopes Assert.NotEmpty(updatedRoleDefinition.RoleDefinition.Properties.AssignableScopes); Assert.Equal(currentSubscriptionId.ToLower(), updatedRoleDefinition.RoleDefinition.Properties.AssignableScopes.Single().ToLower()); // Negative test: Update the role with an empty RoleName createOrUpdateParams.RoleDefinition.Properties.RoleName = null; try { client.RoleDefinitions.CreateOrUpdate(roleDefinitionId, currentSubscriptionId, createOrUpdateParams); } catch (CloudException ce) { Assert.Equal("RoleDefinitionNameNullOrEmpty", ce.Error.Code); Assert.Equal(HttpStatusCode.BadRequest, ce.Response.StatusCode); } } finally { var deleteResult = client.RoleDefinitions.Delete(roleDefinitionId, currentSubscriptionId); Assert.NotNull(deleteResult); } TestUtilities.EndTest(); } }