public static PSRoleDefinition ToPSRoleDefinition(this RoleDefinition role)
{
PSRoleDefinition roleDefinition = null;
if (role != null)
{
roleDefinition = new PSRoleDefinition
{
Name = role.Properties.RoleName,
Actions = new List<string>(role.Properties.Permissions.SelectMany(r => r.Actions)),
NotActions = new List<string>(role.Properties.Permissions.SelectMany(r => r.NotActions)),
Id = role.Id
};
}
return roleDefinition;
}
public static PSRoleDefinition ToPSRoleDefinition(this RoleDefinition role)
{
PSRoleDefinition roleDefinition = null;
if (role != null)
{
roleDefinition = new PSRoleDefinition
{
Name = role.RoleName,
Actions = new List <string>(role.Permissions.SelectMany(r => r.Actions)),
NotActions = new List <string>(role.Permissions.SelectMany(r => r.NotActions)),
Id = role.Id.GuidFromFullyQualifiedId(),
AssignableScopes = role.AssignableScopes.ToList(),
Description = role.Description,
IsCustom = role.RoleType == CustomRole ? true : false
};
}
return(roleDefinition);
}
/// <summary>
/// Updates a role definiton.
/// </summary>
/// <param name="roleDefinition">The role definition to update.</param>
/// <returns>The updated role definition.</returns>
public PSRoleDefinition UpdateRoleDefinition(PSRoleDefinition roleDefinition)
{
Guid roleDefinitionId;
if (!Guid.TryParse(roleDefinition.Id, out roleDefinitionId))
{
throw new InvalidOperationException(ProjectResources.RoleDefinitionIdShouldBeAGuid);
}
ValidateRoleDefinition(roleDefinition);
PSRoleDefinition fetchedRoleDefinition = this.GetRoleDefinition(roleDefinitionId, roleDefinition.AssignableScopes.First());
if (fetchedRoleDefinition == null)
{
throw new KeyNotFoundException(string.Format(ProjectResources.RoleDefinitionWithIdNotFound, roleDefinition.Id));
}
return(this.CreateOrUpdateRoleDefinition(roleDefinitionId, roleDefinition));
}
public static PSRoleDefinition ToPSRoleDefinition(this RoleDefinition role)
{
PSRoleDefinition roleDefinition = null;
if (role != null)
{
roleDefinition = new PSRoleDefinition
{
Name = role.Properties.RoleName,
Actions = new List <string>(role.Properties.Permissions.SelectMany(r => r.Actions)),
NotActions = new List <string>(role.Properties.Permissions.SelectMany(r => r.NotActions)),
Id = role.Id,
AssignableScopes = role.Properties.AssignableScopes.ToList(),
Description = role.Properties.Description,
IsCustom = role.Properties.Type == "CustomRole" ? true : false
};
}
return(roleDefinition);
}
public static PSRoleDefinition ToPSRoleDefinition(this RoleDefinition role)
{
PSRoleDefinition roleDefinition = null;
if (role != null)
{
roleDefinition = new PSRoleDefinition
{
Name = role.Properties.RoleName,
Actions = new List<string>(role.Properties.Permissions.SelectMany(r => r.Actions)),
NotActions = new List<string>(role.Properties.Permissions.SelectMany(r => r.NotActions)),
Id = role.Id.GuidFromFullyQualifiedId(),
AssignableScopes = role.Properties.AssignableScopes.ToList(),
Description = role.Properties.Description,
IsCustom = role.Properties.Type == CustomRole ? true : false
};
}
return roleDefinition;
}
private PSRoleDefinition CreateOrUpdateRoleDefinition(Guid roleDefinitionId, PSRoleDefinition roleDefinition)
{
PSRoleDefinition roleDef = null;
var parameters = new RoleDefinition()
{
Name = roleDefinitionId.ToString(),
Properties = new RoleDefinitionProperties()
{
AssignableScopes = roleDefinition.AssignableScopes,
Description = roleDefinition.Description,
Permissions = new List <Permission>()
{
new Permission()
{
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions
}
},
RoleName = roleDefinition.Name,
Type = "CustomRole"
}
};
try
{
roleDef = AuthorizationManagementClient.RoleDefinitions.CreateOrUpdate(
roleDefinition.AssignableScopes.First(), roleDefinitionId.ToString(), parameters).ToPSRoleDefinition();
}
catch (CloudException ce)
{
if (ce.Response.StatusCode == HttpStatusCode.Unauthorized &&
ce.Error.Code.Equals("TenantNotAllowed", StringComparison.InvariantCultureIgnoreCase))
{
throw new InvalidOperationException("The tenant is not currently authorized to create/update Custom role definition. Please refer to http://aka.ms/customrolespreview for more details");
}
throw;
}
return(roleDef);
}
private static void ValidateRoleDefinition(PSRoleDefinition roleDefinition)
{
if (string.IsNullOrWhiteSpace(roleDefinition.Name))
{
throw new ArgumentException(ProjectResources.InvalidRoleDefinitionName);
}
if (string.IsNullOrWhiteSpace(roleDefinition.Description))
{
throw new ArgumentException(ProjectResources.InvalidRoleDefinitionDescription);
}
if (roleDefinition.AssignableScopes == null || !roleDefinition.AssignableScopes.Any() || roleDefinition.AssignableScopes.Any(s => string.IsNullOrWhiteSpace(s)))
{
throw new ArgumentException(ProjectResources.InvalidAssignableScopes);
}
if ((roleDefinition.Actions == null || !roleDefinition.Actions.Any()) && (roleDefinition.DataActions == null || !roleDefinition.DataActions.Any()))
{
throw new ArgumentException(ProjectResources.InvalidActions);
}
}
/// <summary>
/// Deletes a role definition based on the name.
/// </summary>
/// <param name="roleDefinitionName">The role definition name.</param>
/// <returns>The deleted role definition.</returns>
public PSRoleDefinition RemoveRoleDefinition(string roleDefinitionName, string scope)
{
PSRoleDefinition roleDefinition = this.GetSingleRoleDefinitionByName(roleDefinitionName, scope);
return(AuthorizationManagementClient.RoleDefinitions.Delete(scope, roleDefinition.Id).ToPSRoleDefinition());
}
public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment role, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient)
{
PSRoleDefinition roleDefinition = policyClient.GetRoleDefinition(role.Properties.RoleDefinitionId);
PSADObject adObject = activeDirectoryClient.GetADObject(new ADObjectFilterOptions {
Id = role.Properties.PrincipalId.ToString()
}) ?? new PSADObject()
{
Id = role.Properties.PrincipalId
};
if (adObject is PSADUser)
{
return(new PSUserRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
UserPrincipalName = ((PSADUser)adObject).UserPrincipalName,
Mail = ((PSADUser)adObject).Mail,
ObjectId = adObject.Id
});
}
else if (adObject is PSADGroup)
{
return(new PSGroupRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
Mail = ((PSADGroup)adObject).Mail,
ObjectId = adObject.Id
});
}
else if (adObject is PSADServicePrincipal)
{
return(new PSServiceRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
ServicePrincipalName = ((PSADServicePrincipal)adObject).ServicePrincipalName,
ObjectId = adObject.Id
});
}
else
{
return(new PSRoleAssignment()
{
RoleAssignmentId = role.Id,
DisplayName = adObject.DisplayName,
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions,
RoleDefinitionName = roleDefinition.Name,
Scope = role.Properties.Scope,
ObjectId = adObject.Id
});
}
}
/// <summary>
/// Updates a role definiton.
/// </summary>
/// <param name="role">The role definition to update.</param>
/// <returns>The updated role definition.</returns>
public PSRoleDefinition UpdateRoleDefinition(PSRoleDefinition role, string subscriptionId)
{
Guid roleDefinitionId;
if (!Guid.TryParse(role.Id, out roleDefinitionId))
{
throw new InvalidOperationException(ProjectResources.RoleDefinitionIdShouldBeAGuid);
}
PSRoleDefinition roleDefinition = this.GetRoleDefinition(roleDefinitionId);
if (roleDefinition == null)
{
throw new KeyNotFoundException(string.Format(ProjectResources.RoleDefinitionWithIdNotFound, role.Id));
}
string roleDefinitionFullyQualifiedId = AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, role.Id);
roleDefinition.Name = role.Name ?? roleDefinition.Name;
roleDefinition.Actions = role.Actions ?? roleDefinition.Actions;
roleDefinition.NotActions = role.NotActions ?? roleDefinition.NotActions;
roleDefinition.AssignableScopes = role.AssignableScopes ?? roleDefinition.AssignableScopes;
roleDefinition.Description = role.Description ?? roleDefinition.Description;
ValidateRoleDefinition(roleDefinition);
return
AuthorizationManagementClient.RoleDefinitions.CreateOrUpdate(
roleDefinitionId,
roleDefinition.AssignableScopes.First(),
new RoleDefinitionCreateOrUpdateParameters()
{
RoleDefinition = new RoleDefinition()
{
Id = roleDefinitionFullyQualifiedId,
Name = roleDefinitionId,
Properties =
new RoleDefinitionProperties()
{
RoleName = roleDefinition.Name,
Permissions =
new List<Permission>()
{
new Permission()
{
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions
}
},
AssignableScopes = roleDefinition.AssignableScopes,
Description = roleDefinition.Description
}
}
}).RoleDefinition.ToPSRoleDefinition();
}
private static void ValidateRoleDefinition(PSRoleDefinition roleDefinition)
{
if (string.IsNullOrWhiteSpace(roleDefinition.Name))
{
throw new ArgumentException(ProjectResources.InvalidRoleDefinitionName);
}
if (string.IsNullOrWhiteSpace(roleDefinition.Description))
{
throw new ArgumentException(ProjectResources.InvalidRoleDefinitionDescription);
}
if (roleDefinition.AssignableScopes == null || !roleDefinition.AssignableScopes.Any() || roleDefinition.AssignableScopes.Any(s => string.IsNullOrWhiteSpace(s)))
{
throw new ArgumentException(ProjectResources.InvalidAssignableScopes);
}
if (roleDefinition.Actions == null || !roleDefinition.Actions.Any())
{
throw new ArgumentException(ProjectResources.InvalidActions);
}
}
private PSRoleDefinition CreateOrUpdateRoleDefinition(Guid roleDefinitionId, PSRoleDefinition roleDefinition)
{
RoleDefinitionCreateOrUpdateParameters parameters = new RoleDefinitionCreateOrUpdateParameters()
{
RoleDefinition = new RoleDefinition()
{
Name = roleDefinitionId,
Properties = new RoleDefinitionProperties()
{
AssignableScopes = roleDefinition.AssignableScopes,
Description = roleDefinition.Description,
Permissions = new List<Permission>()
{
new Permission()
{
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions
}
},
RoleName = roleDefinition.Name,
Type = "CustomRole"
}
}
};
PSRoleDefinition roleDef = null;
try
{
roleDef = AuthorizationManagementClient.RoleDefinitions.CreateOrUpdate(roleDefinitionId, roleDefinition.AssignableScopes.First(), parameters).RoleDefinition.ToPSRoleDefinition();
}
catch (CloudException ce)
{
if (ce.Response.StatusCode == HttpStatusCode.Unauthorized && ce.Error.Code.Equals("TenantNotAllowed", StringComparison.InvariantCultureIgnoreCase))
{
throw new InvalidOperationException("The tenant is not currently authorized to create/update Custom role definition. Please refer to http://aka.ms/customrolespreview for more details");
}
throw;
}
return roleDef;
}
/// <summary>
/// Creates a new role definition.
/// </summary>
/// <param name="roleDefinition">The role definition to create.</param>
/// <returns>The created role definition.</returns>
public PSRoleDefinition CreateRoleDefinition(PSRoleDefinition roleDefinition)
{
ValidateRoleDefinition(roleDefinition);
Guid newRoleDefinitionId = RoleDefinitionNames.Count == 0 ? Guid.NewGuid() : RoleDefinitionNames.Dequeue();
return this.CreateOrUpdateRoleDefinition(newRoleDefinitionId, roleDefinition);
}
/// <summary>
/// Updates a role definiton.
/// </summary>
/// <param name="roleDefinition">The role definition to update.</param>
/// <returns>The updated role definition.</returns>
public PSRoleDefinition UpdateRoleDefinition(PSRoleDefinition roleDefinition)
{
Guid roleDefinitionId;
if (!Guid.TryParse(roleDefinition.Id, out roleDefinitionId))
{
throw new InvalidOperationException(ProjectResources.RoleDefinitionIdShouldBeAGuid);
}
ValidateRoleDefinition(roleDefinition);
PSRoleDefinition fetchedRoleDefinition = this.GetRoleDefinition(roleDefinitionId, roleDefinition.AssignableScopes.First());
if (fetchedRoleDefinition == null)
{
throw new KeyNotFoundException(string.Format(ProjectResources.RoleDefinitionWithIdNotFound, roleDefinition.Id));
}
return this.CreateOrUpdateRoleDefinition(roleDefinitionId, roleDefinition);
}
/// <summary>
/// Deletes a role definition based on the name.
/// </summary>
/// <param name="roleDefinitionName">The role definition name.</param>
/// <returns>The deleted role definition.</returns>
public PSRoleDefinition RemoveRoleDefinition(string roleDefinitionName, string subscriptionId)
{
PSRoleDefinition roleDefinition = this.GetRoleRoleDefinition(roleDefinitionName);
return(AuthorizationManagementClient.RoleDefinitions.Delete(Guid.Parse(roleDefinition.Id), roleDefinition.AssignableScopes.First()).RoleDefinition.ToPSRoleDefinition());
}
private static IEnumerable <PSRoleAssignment> ToPSRoleAssignments(this IEnumerable <RoleAssignment> assignments, IEnumerable <PSRoleDefinition> roleDefinitions, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals)
{
List <PSRoleAssignment> psAssignments = new List <PSRoleAssignment>();
if (assignments == null || !assignments.Any())
{
return(psAssignments);
}
List <string> objectIds = new List <string>();
objectIds.AddRange(assignments.Select(r => r.PrincipalId.ToString()));
objectIds = objectIds.Distinct().ToList();
List <PSADObject> adObjects = null;
try
{
adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
}
catch (CloudException ce) when(IsAuthorizationDeniedException(ce))
{
throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission);
}
foreach (RoleAssignment assignment in assignments)
{
assignment.RoleDefinitionId = assignment.RoleDefinitionId.GuidFromFullyQualifiedId();
PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.PrincipalId) ??
new PSADObject()
{
Id = assignment.PrincipalId
};
PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.RoleDefinitionId) ??
new PSRoleDefinition()
{
Id = assignment.RoleDefinitionId
};
bool delegationFlag = assignment.CanDelegate.HasValue ? (bool)assignment.CanDelegate : false;
if (adObject is PSADUser)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Scope,
SignInName = ((PSADUser)adObject).UserPrincipalName,
ObjectId = adObject.Id,
ObjectType = adObject.Type,
CanDelegate = delegationFlag
});
}
else if (adObject is PSADGroup)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Scope,
ObjectId = adObject.Id,
ObjectType = adObject.Type,
CanDelegate = delegationFlag
});
}
else if (adObject is PSADServicePrincipal)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Scope,
ObjectId = adObject.Id,
ObjectType = adObject.Type,
CanDelegate = delegationFlag
});
}
else if (!excludeAssignmentsForDeletedPrincipals)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Scope,
ObjectId = adObject.Id,
CanDelegate = delegationFlag,
ObjectType = DeletedObject
});
}
// Ignore the assignment if principal does not exists and excludeAssignmentsForDeletedPrincipals is set to true
}
return(psAssignments);
}
private static IEnumerable <PSRoleAssignment> ToPSRoleAssignments(this IEnumerable <RoleAssignment> assignments, List <PSRoleDefinition> roleDefinitions, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals)
{
List <PSRoleAssignment> psAssignments = new List <PSRoleAssignment>();
if (assignments == null || !assignments.Any())
{
return(psAssignments);
}
List <string> objectIds = new List <string>();
objectIds.AddRange(assignments.Select(r => r.Properties.PrincipalId.ToString()));
List <PSADObject> adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
foreach (RoleAssignment assignment in assignments)
{
assignment.Properties.RoleDefinitionId = assignment.Properties.RoleDefinitionId.GuidFromFullyQualifiedId();
Guid pid;
PSADObject adObject;
if (Guid.TryParse(assignment.Properties.PrincipalId, out pid))
{
adObject = adObjects.SingleOrDefault(o => o.Id == Guid.Parse(assignment.Properties.PrincipalId)) ??
new PSADObject()
{
Id = Guid.Parse(assignment.Properties.PrincipalId)
};
}
else
{
adObject = adObjects.SingleOrDefault(o => o.AdfsId == assignment.Properties.PrincipalId) ??
new PSADObject()
{
AdfsId = assignment.Properties.PrincipalId
};
}
PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.Properties.RoleDefinitionId) ??
new PSRoleDefinition()
{
Id = assignment.Properties.RoleDefinitionId
};
if (adObject is PSADUser)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
SignInName = ((PSADUser)adObject).UserPrincipalName,
ObjectId = string.IsNullOrEmpty(adObject.AdfsId) ? adObject.Id.ToString() : adObject.AdfsId,
ObjectType = adObject.Type
});
}
else if (adObject is PSADGroup)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = string.IsNullOrEmpty(adObject.AdfsId) ? adObject.Id.ToString() : adObject.AdfsId,
ObjectType = adObject.Type
});
}
else if (adObject is PSADServicePrincipal)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = string.IsNullOrEmpty(adObject.AdfsId) ? adObject.Id.ToString() : adObject.AdfsId,
ObjectType = adObject.Type
});
}
else if (!excludeAssignmentsForDeletedPrincipals)
{
psAssignments.Add(new PSRoleAssignment()
{
RoleAssignmentId = assignment.Id,
DisplayName = adObject.DisplayName,
RoleDefinitionId = roleDefinition.Id,
RoleDefinitionName = roleDefinition.Name,
Scope = assignment.Properties.Scope,
ObjectId = string.IsNullOrEmpty(adObject.AdfsId) ? adObject.Id.ToString() : adObject.AdfsId,
});
}
// Ignore the assignment if principal does not exists and excludeAssignmentsForDeletedPrincipals is set to true
}
return(psAssignments);
}
/// <summary>
/// Updates a role definiton.
/// </summary>
/// <param name="role">The role definition to update.</param>
/// <returns>The updated role definition.</returns>
public PSRoleDefinition UpdateRoleDefinition(PSRoleDefinition role)
{
PSRoleDefinition roleDefinition = this.GetRoleDefinition(role.Id);
if (roleDefinition == null)
{
throw new KeyNotFoundException(string.Format(ProjectResources.RoleDefinitionWithIdNotFound, role.Id));
}
roleDefinition.Name = role.Name ?? roleDefinition.Name;
roleDefinition.Actions = role.Actions ?? roleDefinition.Actions;
roleDefinition.NotActions = role.NotActions ?? roleDefinition.NotActions;
roleDefinition.AssignableScopes = role.AssignableScopes ?? roleDefinition.AssignableScopes;
roleDefinition.Description = role.Description ?? roleDefinition.Description;
// TODO: confirm with ARM on what exception will be thrown when the last segment of the roleDefinition's ID is not a GUID.
// This will be done after their API is designed.
string[] scopes = roleDefinition.Id.Split('/');
Guid roleDefinitionId = Guid.Parse(scopes.Last());
return
AuthorizationManagementClient.RoleDefinitions.CreateOrUpdate(
roleDefinitionId,
new RoleDefinitionCreateOrUpdateParameters()
{
RoleDefinition = new RoleDefinition()
{
Id = roleDefinition.Id,
Name = roleDefinitionId,
Properties =
new RoleDefinitionProperties()
{
RoleName = roleDefinition.Name,
Permissions =
new List<Permission>()
{
new Permission()
{
Actions = roleDefinition.Actions,
NotActions = roleDefinition.NotActions
}
},
AssignableScopes = roleDefinition.AssignableScopes,
Description = roleDefinition.Description
}
}
}).RoleDefinition.ToPSRoleDefinition();
}
