public override void ExecuteCmdlet() { if (ShouldProcess(VaultName, Properties.Resources.RemoveVaultAccessPolicy)) { if (ParameterSetName == ForVault && !EnabledForDeployment.IsPresent && !EnabledForTemplateDeployment.IsPresent && !EnabledForDiskEncryption.IsPresent) { throw new ArgumentException(PSKeyVaultProperties.Resources.VaultPermissionFlagMissing); } ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName; // Get the vault to be updated PSKeyVaultModels.PSVault existingVault = null; if (!string.IsNullOrWhiteSpace(ResourceGroupName)) { existingVault = KeyVaultManagementClient.GetVault( VaultName, ResourceGroupName); } if (existingVault == null) { throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName)); } if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty) { throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId); } if (!string.IsNullOrWhiteSpace(this.ObjectId) && !this.IsValidObjectIdSyntax(this.ObjectId)) { throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidObjectIdSyntax); } // Update vault policies var updatedPolicies = existingVault.AccessPolicies; if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || !string.IsNullOrWhiteSpace(this.ObjectId)) { if (string.IsNullOrWhiteSpace(this.ObjectId)) { ObjectId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName); } updatedPolicies = existingVault.AccessPolicies.Where(ap => !ShallBeRemoved(ap, ObjectId, this.ApplicationId)).ToArray(); } // Update the vault var updatedVault = KeyVaultManagementClient.UpdateVault(existingVault, updatedPolicies, EnabledForDeployment.IsPresent ? false : existingVault.EnabledForDeployment, EnabledForTemplateDeployment.IsPresent ? false : existingVault.EnabledForTemplateDeployment, EnabledForDiskEncryption.IsPresent ? false : existingVault.EnabledForDiskEncryption, ActiveDirectoryClient); if (PassThru.IsPresent) { WriteObject(updatedVault); } } }
public override void ExecuteCmdlet() { switch (ParameterSetName) { case GetVaultParameterSet: ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName; PSKeyVaultModels.PSVault vault = null; if (!string.IsNullOrWhiteSpace(ResourceGroupName)) { vault = KeyVaultManagementClient.GetVault( VaultName, ResourceGroupName, ActiveDirectoryClient); } if (vault == null) { throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName)); } else { WriteObject(vault); } break; case ListVaultsByRGParameterSet: case ListVaultsBySubParameterSet: WriteObject(ListVaults(ResourceGroupName, Tag), true); break; default: throw new ArgumentException(PSKeyVaultProperties.Resources.BadParameterSetName); } }
public override void ExecuteCmdlet() { WriteWarning("The usage of Tag parameter in this cmdlet will be modified in a future release. This will impact creating, updating and appending tags for Azure resources. For more details about the change, please visit https://github.com/Azure/azure-powershell/issues/726#issuecomment-213545494"); switch (ParameterSetName) { case GetVaultParameterSet: ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName; PSKeyVaultModels.PSVault vault = null; if (!string.IsNullOrWhiteSpace(ResourceGroupName)) { vault = KeyVaultManagementClient.GetVault( VaultName, ResourceGroupName, ActiveDirectoryClient); } if (vault == null) { throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName)); } WriteObject(vault); break; case ListVaultsByRGParameterSet: case ListVaultsBySubParameterSet: WriteObject(ListVaults(ResourceGroupName, Tag), true); break; default: throw new ArgumentException(PSKeyVaultProperties.Resources.BadParameterSetName); } }
/// <summary> /// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently. /// </summary> /// <param name="existingVault">the existing vault</param> /// <param name="updatedPolicies">the update access policies</param> /// <param name="updatedEnabledForDeployment">enabled for deployment</param> /// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param> /// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param> /// <param name="adClient">the active directory client</param> /// <returns>the updated vault</returns> public PSVault UpdateVault(PSVault existingVault, PSVaultAccessPolicy[] updatedPolicies, bool?updatedEnabledForDeployment, bool?updatedEnabledForTemplateDeployment, bool?updatedEnabledForDiskEncryption, ActiveDirectoryClient adClient = null) { if (existingVault == null) { throw new ArgumentNullException("existingVault"); } if (existingVault.OriginalVault == null) { throw new ArgumentNullException("existingVault.OriginalVault"); } //Update the vault properties in the object received from server //Only access policies and EnabledForDeployment can be changed VaultProperties properties = existingVault.OriginalVault.Properties; properties.EnabledForDeployment = updatedEnabledForDeployment; properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment; properties.EnabledForDiskEncryption = updatedEnabledForDiskEncryption; properties.AccessPolicies = (updatedPolicies == null) ? new List <AccessPolicyEntry>() : updatedPolicies.Select(a => new AccessPolicyEntry() { TenantId = a.TenantId, ObjectId = a.ObjectId, ApplicationId = a.ApplicationId, Permissions = new Permissions { Keys = a.PermissionsToKeys.ToArray(), Secrets = a.PermissionsToSecrets.ToArray(), Certificates = a.PermissionsToCertificates.ToArray(), Storage = a.PermissionsToStorage.ToArray(), } }).ToList(); var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate( resourceGroupName: existingVault.ResourceGroupName, vaultName: existingVault.VaultName, parameters: new VaultCreateOrUpdateParameters() { Location = existingVault.Location, Properties = properties, Tags = TagsConversionHelper.CreateTagDictionary(existingVault.Tags, validate: true) } ); return(new PSVault(response, adClient)); }
public override void ExecuteCmdlet() { ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName; // Get the vault to be updated PSKeyVaultModels.PSVault existingVault = null; if (!string.IsNullOrWhiteSpace(ResourceGroupName)) { existingVault = KeyVaultManagementClient.GetVault( VaultName, ResourceGroupName); } if (existingVault == null) { throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName)); } if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty) { throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId); } // Update vault policies var updatedPolicies = existingVault.AccessPolicies; if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != null && ObjectId != Guid.Empty)) { Guid objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName); updatedPolicies = existingVault.AccessPolicies.Where(ap => !ShallBeRemoved(ap, objId, this.ApplicationId)).ToArray(); } // Update the vault var updatedVault = KeyVaultManagementClient.UpdateVault(existingVault, updatedPolicies, !this.EnabledForDeployment.IsPresent, ActiveDirectoryClient); if (PassThru.IsPresent) { WriteObject(updatedVault); } }
/// <summary> /// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently. /// </summary> /// <param name="existingVault"></param> /// <returns></returns> public PSVault UpdateVault(PSVault existingVault, PSVaultAccessPolicy[] updatedPolicies, bool updatedEnabledForDeployment, ActiveDirectoryClient adClient = null) { if (existingVault == null) { throw new ArgumentNullException("existingVault"); } if (existingVault.OriginalVault == null) { throw new ArgumentNullException("existingVault.OriginalVault"); } //Update the vault properties in the object received from server //Only access policies and EnabledForDeployment can be changed VaultProperties properties = existingVault.OriginalVault.Properties; properties.EnabledForDeployment = updatedEnabledForDeployment; properties.AccessPolicies = (updatedPolicies == null) ? new List <AccessPolicyEntry>() : updatedPolicies.Select(a => new AccessPolicyEntry() { TenantId = a.TenantId, ObjectId = a.ObjectId, PermissionsToKeys = a.PermissionsToKeys.ToArray(), PermissionsToSecrets = a.PermissionsToSecrets.ToArray() }).ToList(); var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate( resourceGroupName: existingVault.ResourceGroupName, vaultName: existingVault.VaultName, parameters: new VaultCreateOrUpdateParameters() { Location = existingVault.Location, Properties = properties } ); return(new PSVault(response.Vault, adClient)); }
public override void ExecuteCmdlet() { if (ShouldProcess(VaultName, Properties.Resources.SetVaultAccessPolicy)) { if (ParameterSetName == ForVault && !EnabledForDeployment.IsPresent && !EnabledForTemplateDeployment.IsPresent && !EnabledForDiskEncryption.IsPresent) { throw new ArgumentException(PSKeyVaultProperties.Resources.VaultPermissionFlagMissing); } ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName; PSKeyVaultModels.PSVault vault = null; // Get the vault to be updated if (!string.IsNullOrWhiteSpace(ResourceGroupName)) { vault = KeyVaultManagementClient.GetVault( VaultName, ResourceGroupName); } if (vault == null) { throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName)); } // Update vault policies PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies; if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != Guid.Empty)) { Guid objId = this.ObjectId; if (!this.BypassObjectIdValidation.IsPresent) { objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName); } if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty) { throw new ArgumentException(PSKeyVaultProperties.Resources.InvalidApplicationId); } //All permission arrays cannot be null if (PermissionsToKeys == null && PermissionsToSecrets == null && PermissionsToCertificates == null) { throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified); } else { //Validate if (!IsMeaningfulPermissionSet(PermissionsToKeys)) { throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys")); } if (!IsMeaningfulPermissionSet(PermissionsToSecrets)) { throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "secrets")); } if (!IsMeaningfulPermissionSet(PermissionsToCertificates)) { throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "certificates")); } //Is there an existing policy for this policy identity? var existingPolicy = vault.AccessPolicies.FirstOrDefault(ap => MatchVaultAccessPolicyIdentity(ap, objId, ApplicationId)); //New policy will have permission arrays that are either from cmdlet input //or if that's null, then from the old policy for this object ID if one existed var keys = PermissionsToKeys ?? (existingPolicy != null && existingPolicy.PermissionsToKeys != null ? existingPolicy.PermissionsToKeys.ToArray() : null); var secrets = PermissionsToSecrets ?? (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ? existingPolicy.PermissionsToSecrets.ToArray() : null); var certificates = PermissionsToCertificates ?? (existingPolicy != null && existingPolicy.PermissionsToCertificates != null ? existingPolicy.PermissionsToCertificates.ToArray() : null); //Remove old policies for this policy identity and add a new one with the right permissions, iff there were some non-empty permissions updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => !MatchVaultAccessPolicyIdentity(ap, objId, this.ApplicationId)).ToArray(); if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0) || (certificates != null && certificates.Length > 0)) { var policy = new PSKeyVaultModels.PSVaultAccessPolicy(vault.TenantId, objId, this.ApplicationId, keys, secrets, certificates); updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray(); } } } // Update the vault var updatedVault = KeyVaultManagementClient.UpdateVault(vault, updatedListOfAccessPolicies, EnabledForDeployment.IsPresent ? true : vault.EnabledForDeployment, EnabledForTemplateDeployment.IsPresent ? true : vault.EnabledForTemplateDeployment, EnabledForDiskEncryption.IsPresent ? true : vault.EnabledForDiskEncryption, ActiveDirectoryClient); if (PassThru.IsPresent) { WriteObject(updatedVault); } } }
/// <summary> /// Update an existing vault. Only EnabledForDeployment and AccessPolicies can be updated currently. /// </summary> /// <param name="existingVault">the existing vault</param> /// <param name="updatedPolicies">the update access policies</param> /// <param name="updatedEnabledForDeployment">enabled for deployment</param> /// <param name="updatedEnabledForTemplateDeployment">enabled for template deployment</param> /// <param name="updatedEnabledForDiskEncryption">enabled for disk encryption</param> /// <param name="adClient">the active directory client</param> /// <returns>the updated vault</returns> public PSVault UpdateVault(PSVault existingVault, PSVaultAccessPolicy[] updatedPolicies, bool updatedEnabledForDeployment, bool? updatedEnabledForTemplateDeployment, bool? updatedEnabledForDiskEncryption, ActiveDirectoryClient adClient = null) { if (existingVault == null) throw new ArgumentNullException("existingVault"); if (existingVault.OriginalVault == null) throw new ArgumentNullException("existingVault.OriginalVault"); //Update the vault properties in the object received from server //Only access policies and EnabledForDeployment can be changed VaultProperties properties = existingVault.OriginalVault.Properties; properties.EnabledForDeployment = updatedEnabledForDeployment; properties.EnabledForTemplateDeployment = updatedEnabledForTemplateDeployment; properties.EnabledForDiskEncryption = updatedEnabledForDiskEncryption; properties.AccessPolicies = (updatedPolicies == null) ? new List<AccessPolicyEntry>() : updatedPolicies.Select(a => new AccessPolicyEntry() { TenantId = a.TenantId, ObjectId = a.ObjectId, ApplicationId = a.ApplicationId, PermissionsToKeys = a.PermissionsToKeys.ToArray(), PermissionsToSecrets = a.PermissionsToSecrets.ToArray() }).ToList(); var response = this.KeyVaultManagementClient.Vaults.CreateOrUpdate( resourceGroupName: existingVault.ResourceGroupName, vaultName: existingVault.VaultName, parameters: new VaultCreateOrUpdateParameters() { Location = existingVault.Location, Properties = properties } ); return new PSVault(response.Vault, adClient); }
public override void ExecuteCmdlet() { ResourceGroupName = string.IsNullOrWhiteSpace(ResourceGroupName) ? GetResourceGroupName(VaultName) : ResourceGroupName; PSKeyVaultModels.PSVault vault = null; // Get the vault to be updated if (!string.IsNullOrWhiteSpace(ResourceGroupName)) { vault = KeyVaultManagementClient.GetVault( VaultName, ResourceGroupName); } if (vault == null) { throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.VaultNotFound, VaultName, ResourceGroupName)); } // Update vault policies PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies; if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || (ObjectId != null && ObjectId != Guid.Empty)) { Guid objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName); //Both arrays cannot be null if (PermissionsToKeys == null && PermissionsToSecrets == null) { throw new ArgumentException(PSKeyVaultProperties.Resources.PermissionsNotSpecified); } else { //Validate if (!IsMeaningfulPermissionSet(PermissionsToKeys)) { throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "keys")); } if (!IsMeaningfulPermissionSet(PermissionsToSecrets)) { throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.PermissionSetIncludesAllPlusOthers, "secrets")); } //Is there an existing policy for this object ID? var existingPolicy = vault.AccessPolicies.Where(ap => ap.ObjectId == objId).FirstOrDefault(); //New policy will have permission arrays that are either from cmdlet input //or if that's null, then from the old policy for this object ID if one existed var keys = PermissionsToKeys != null ? PermissionsToKeys : (existingPolicy != null && existingPolicy.PermissionsToKeys != null ? existingPolicy.PermissionsToKeys.ToArray() : null); var secrets = PermissionsToSecrets != null ? PermissionsToSecrets : (existingPolicy != null && existingPolicy.PermissionsToSecrets != null ? existingPolicy.PermissionsToSecrets.ToArray() : null); //Remove old policies for this object ID and add a new one with the right permissions, iff there were some non-empty permissions updatedListOfAccessPolicies = vault.AccessPolicies.Where(ap => ap.ObjectId != objId).ToArray(); if ((keys != null && keys.Length > 0) || (secrets != null && secrets.Length > 0)) { var policy = new PSKeyVaultModels.PSVaultAccessPolicy(vault.TenantId, objId, keys, secrets); updatedListOfAccessPolicies = updatedListOfAccessPolicies.Concat(new[] { policy }).ToArray(); } } } // Update the vault var updatedVault = KeyVaultManagementClient.UpdateVault(vault, updatedListOfAccessPolicies, this.EnabledForDeployment.IsPresent ? true : vault.EnabledForDeployment, ActiveDirectoryClient); if (PassThru.IsPresent) { WriteObject(updatedVault); } }