[KeyVault] Supports creating custom role definitions (#15953)

* [KeyVault] Supports creating custom role definitions

* Add ShouldProcess to New-RoleDefinition

Author: isra-fel

src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDataPlaneTests.Tests.ps1

@@ -4,7 +4,7 @@ $sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.Tests\.', '.'
 
 . $PSScriptRoot/ManagedHsmDataPlaneTests.ps1
 # ImportModules
-$hsmName = 'bezmhsm'
+$hsmName = 'yeminghsm'
 $signInName = '[email protected]'
 $storageAccount = 'bezstorageaccount'
 $containerName = 'backup'
@@ -171,19 +171,19 @@ Describe "BackupAndRestoreAzManagedHsmKey" {
 Describe "BackupAndRestoreAzManagedHsm" {
     $script:backupUri = ''
     $containerUri = "https://$storageAccount.blob.core.windows.net/$containerName"
-    It "Backup then restore a managed HSM" {
+    It "Backup a managed HSM" {
         $script:backupUri = Backup-AzKeyVault -HsmName $hsmName -StorageContainerUri $containerUri -SasToken $sasToken
         $script:backupUri | Should -Not -Be $null
     }
 
-    It "Selective restore a managed HSM"{
+    It "Selective restore a key to managed HSM"{
         $script:backupUri = [System.Uri]::new($script:backupUri)
         $backupFolder = $script:backupUri.Segments[$script:backupUri.Segments.Length - 1]
         $restoreResult = Restore-AzKeyVault -HsmName $hsmName -KeyName $keyName -StorageContainerUri $containerUri -BackupFolder $backupFolder -SasToken $sasToken -PassThru
         $restoreResult | Should -Be $True
     }
 
-    It "Restore a managed HSM" {
+    It "Restore whole managed HSM" {
         $script:backupUri = [System.Uri]::new($script:backupUri)
         $backupFolder = $script:backupUri.Segments[$script:backupUri.Segments.Length - 1]
         # Clean hsm
@@ -276,4 +276,34 @@ Describe 'Export Import Security domain' {
 
     # Cannot test importing because it needs another HSM
     #   Import-AzKeyVaultSecurityDomain -Name $hsmName -Keys $certsKeys -SecurityDomainPath $sd.FullName
+}
+
+Describe 'Custom Role Definition' {
+    $roleName = "my custom role"
+    $roleDesc = "description for my role"
+    $roleAction = @("Microsoft.KeyVault/managedHsm/roleAssignments/write/action", "Microsoft.KeyVault/managedHsm/roleAssignments/delete/action")
+    It 'Can create' {
+        # 0 custom role
+        Get-AzKeyVaultRoleDefinition -HsmName $hsmName -Custom | Should -BeNullOrEmpty
+
+        # create by object
+        $role = Get-AzKeyVaultRoleDefinition -HsmName $hsmName -RoleDefinitionName 'Managed HSM Crypto User'
+        $role.Name = $null
+        $role.RoleName = $roleName
+        $role.Description = $roleDesc
+        $role.Permissions[0].AllowedDataActions = $roleAction
+        New-AzKeyVaultRoleDefinition -HsmName $hsmName -Role $role
+
+        # 1 custom role
+        $actual = Get-AzKeyVaultRoleDefinition -HsmName $hsmName -Custom
+        $actual | Should -Not -BeNullOrEmpty
+        $actual.RoleName | Should -Be $roleName
+        $actual.Description | Should -Be $roleDesc
+        $actual.Permissions[0].AllowedDataActions | Should -Be $roleAction
+    }
+
+    It 'Can remove' {
+        Remove-AzKeyVaultRoleDefinition -HsmName $hsmName -RoleName $roleName -Force
+        Get-AzKeyVaultRoleDefinition -HsmName $hsmName -Custom | Should -BeNullOrEmpty
+    }
 }

src/KeyVault/KeyVault/Az.KeyVault.psd1

@@ -96,8 +96,8 @@ CmdletsToExport = 'Add-AzKeyVaultCertificate', 'Update-AzKeyVaultCertificate',
                'Update-AzKeyVaultManagedHsm', 'Get-AzKeyVault', 'New-AzKeyVault', 
                'Remove-AzKeyVault', 'Undo-AzKeyVaultRemoval', 'Backup-AzKeyVault', 
                'Restore-AzKeyVault', 'Get-AzKeyVaultRoleDefinition', 
-               'Get-AzKeyVaultRoleAssignment', 'New-AzKeyVaultRoleAssignment', 
-               'Remove-AzKeyVaultRoleAssignment', 'Remove-AzKeyVaultAccessPolicy', 
+               'Get-AzKeyVaultRoleAssignment', 'New-AzKeyVaultRoleAssignment', 'New-AzKeyVaultRoleDefinition', 
+               'Remove-AzKeyVaultRoleDefinition', 'Remove-AzKeyVaultRoleAssignment', 'Remove-AzKeyVaultAccessPolicy', 
                'Set-AzKeyVaultAccessPolicy', 'Backup-AzKeyVaultKey', 
                'Get-AzKeyVaultKey', 'Get-AzKeyVaultSecret', 
                'Undo-AzKeyVaultKeyRemoval', 'Undo-AzKeyVaultSecretRemoval', 
@@ -132,7 +132,7 @@ CmdletsToExport = 'Add-AzKeyVaultCertificate', 'Update-AzKeyVaultCertificate',
 # VariablesToExport = @()
 
 # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-AliasesToExport = 'Set-AzKeyVaultKey', 'Set-AzKeyVaultSecretAttribute', 
+AliasesToExport = 'Set-AzKeyVaultKey', 'Set-AzKeyVaultRoleDefinition', 'Set-AzKeyVaultSecretAttribute', 
                'Set-AzKeyVaultKeyAttribute', 'Set-AzKeyVaultCertificateAttribute'
 
 # DSC resources to export from this module

src/KeyVault/KeyVault/ChangeLog.md

@@ -18,7 +18,11 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
-* Supports Encrypt/Decrypt/Wrap/Unwrap using keys [#15679]
+* Supported custom role definitions on managed HSM:
+    - Create via `New-AzKeyVaultRoleDefinition`,
+    - Delete via `Remove-AzKeyVaultRoleDefinition`,
+    - Filter all custom roles via `Get-AzKeyVaultRoleDefinition -Custom`.
+* Supported Encrypt/Decrypt/Wrap/Unwrap using keys [#15679]
 * Enabled managing resources in other subscriptions without switching the context by adding `-Subscription <String>`.
 
 ## Version 3.5.0

src/KeyVault/KeyVault/Commands/Constants.cs

@@ -56,7 +56,7 @@ public static class CmdletNoun
         public const string AzureKeyVaultManagedStorageShareSasParameters = "AzureKeyVaultManagedStorageShareSasParameters";
         public const string AzureKeyVaultManagedStorageTableSasParameters = "AzureKeyVaultManagedStorageTableSasParameters";
         public const string KeyVault = "KeyVault";
-        public const string KeyVaultHsmRoleDefinition = KeyVault + "RoleDefinition";
+        public const string KeyVaultRoleDefinition = KeyVault + "RoleDefinition";
         public const string KeyVaultRoleAssignment = KeyVault + "RoleAssignment";
     }
 

src/KeyVault/KeyVault/Commands/RBAC/GetAzureManagedHsmRoleAssignment.cs

@@ -1,4 +1,18 @@
-using Microsoft.Azure.Commands.KeyVault.Models;
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.KeyVault.Models;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory;
 using Microsoft.Azure.Graph.RBAC.Version1_6.Models;

src/KeyVault/KeyVault/Commands/RBAC/GetAzureManagedHsmRoleDefinition.cs

@@ -1,17 +1,32 @@
-using Microsoft.Azure.Commands.KeyVault.Models;
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.KeyVault.Models;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using System;
 using System.Linq;
 using System.Management.Automation;
 
 namespace Microsoft.Azure.Commands.KeyVault.Commands
 {
-    [Cmdlet("Get", ResourceManager.Common.AzureRMConstants.AzurePrefix + CmdletNoun.KeyVaultHsmRoleDefinition, DefaultParameterSetName = InteractiveCreateParameterSet)]
+    [Cmdlet("Get", ResourceManager.Common.AzureRMConstants.AzurePrefix + CmdletNoun.KeyVaultRoleDefinition, DefaultParameterSetName = InteractiveParameterSet)]
     [OutputType(typeof(PSKeyVaultRoleDefinition))]
     public class GetAzureManagedHsmRoleDefinition : RbacCmdletBase
     {
-        private const string InteractiveCreateParameterSet = "Interactive";
+        private const string InteractiveParameterSet = "Interactive";
         private const string ByNameParameterSet = "ByName";
+        private const string CustomOnlyParameterSet = "CustomOnly";
 
         [Parameter(Mandatory = true, Position = 1,
             HelpMessage = "Name of the HSM.")]
@@ -21,6 +36,10 @@ public class GetAzureManagedHsmRoleDefinition : RbacCmdletBase
         [Parameter(Mandatory = false, HelpMessage = "Scope at which the role assignment or definition applies to, e.g., '/' or '/keys' or '/keys/{keyName}'.")]
         public string Scope { get; set; } = string.Empty;
 
+        [Parameter(Mandatory = true, ParameterSetName = CustomOnlyParameterSet,
+            HelpMessage = "If specified, only displays the custom created roles in the directory.")]
+        public SwitchParameter Custom { get; set; }
+
         [Parameter(ParameterSetName = ByNameParameterSet, Mandatory = true,
             HelpMessage = "Name of the role definition to get.")]
         [Alias("RoleName")]
@@ -31,12 +50,15 @@ public override void ExecuteCmdlet()
             var roleDefinitions = Track2DataClient.GetHsmRoleDefinitions(HsmName, Scope);
             switch (ParameterSetName)
             {
-                case InteractiveCreateParameterSet:
+                case InteractiveParameterSet:
                     WriteObject(roleDefinitions, enumerateCollection: true);
                     break;
                 case ByNameParameterSet:
                     WriteObject(roleDefinitions.FirstOrDefault(def => string.Equals(RoleDefinitionName, def.RoleName, StringComparison.OrdinalIgnoreCase)));
                     break;
+                case CustomOnlyParameterSet:
+                    WriteObject(roleDefinitions.Where(def => def.RoleType == PSKeyVaultRoleDefinition.CustomRoleType), enumerateCollection: true);
+                    break;
             }
         }
     }

src/KeyVault/KeyVault/Commands/RBAC/NewAzureKeyVaultRoleDefinition.cs

@@ -0,0 +1,77 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Common.Exceptions;
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using Newtonsoft.Json;
+using System;
+using System.IO;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.KeyVault.Commands
+{
+    [Cmdlet("New", ResourceManager.Common.AzureRMConstants.AzurePrefix + CmdletNoun.KeyVaultRoleDefinition, DefaultParameterSetName = InputObjectParameterSet, SupportsShouldProcess = true)]
+    [Alias("Set-" + ResourceManager.Common.AzureRMConstants.AzurePrefix + CmdletNoun.KeyVaultRoleDefinition)]
+    [OutputType(typeof(PSKeyVaultRoleDefinition))]
+    public class NewAzureKeyVaultRoleDefinition : RbacCmdletBase
+    {
+        private const string InputObjectParameterSet = "InputObject";
+        private const string InputFileParameterSet = "InputFile";
+
+        [Parameter(Mandatory = true, Position = 1, HelpMessage = "Name of the HSM.")]
+        [ResourceNameCompleter(ResourceType.ManagedHsm, "IntentionalFakeParameterName")]
+        public string HsmName { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Scope at which the role assignment or definition applies to, e.g., '/' or '/keys' or '/keys/{keyName}'. '/' is used when omitted.")]
+        public string Scope { get; set; } = "/";
+
+        [ValidateNotNullOrEmpty]
+        [Parameter(ParameterSetName = InputObjectParameterSet, Mandatory = true, Position = 2, HelpMessage = "A role definition object.")]
+        public PSKeyVaultRoleDefinition Role { get; set; }
+
+        [ValidateNotNullOrEmpty]
+        [Parameter(ParameterSetName = InputFileParameterSet, Mandatory = true, Position = 2, HelpMessage = "File name containing a single role definition.")]
+        public string InputFile { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            if (ParameterSetName == InputFileParameterSet)
+            {
+                string fileName = this.TryResolvePath(InputFile);
+                if (!(new FileInfo(fileName)).Exists)
+                {
+                    throw new AzPSArgumentException(string.Format("File {0} does not exist", fileName), nameof(InputFile));
+                }
+
+                try
+                {
+                    Role = JsonConvert.DeserializeObject<PSKeyVaultRoleDefinition>(File.ReadAllText(fileName));
+                }
+                catch (JsonException)
+                {
+                    WriteVerbose("Failed to deserialize the input role definition file.");
+                    throw;
+                }
+            }
+            base.ConfirmAction(
+                "Creating custom role",
+                HsmName, () =>
+            {
+                WriteObject(Track2DataClient.CreateOrUpdateHsmRoleDefinition(HsmName, Scope, Role));
+            });
+        }
+    }
+}

src/KeyVault/KeyVault/Commands/RBAC/NewAzureManagedHsmRoleAssignment.cs

@@ -1,4 +1,18 @@
-using Microsoft.Azure.Commands.KeyVault.Models;
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.KeyVault.Models;
 using Microsoft.Azure.Commands.KeyVault.Properties;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory;

src/KeyVault/KeyVault/Commands/RBAC/RbacCmdletBase.cs

@@ -1,11 +1,25 @@
-using Microsoft.Azure.Commands.KeyVault.Models;
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.KeyVault.Models;
 using Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory;
 using System;
 using System.Linq;
 
 namespace Microsoft.Azure.Commands.KeyVault.Commands
 {
-    public class RbacCmdletBase: KeyVaultCmdletBase
+    public class RbacCmdletBase : KeyVaultCmdletBase
     {
         private ActiveDirectoryClient _activeDirectoryClient;
 

src/KeyVault/KeyVault/Commands/RBAC/RemoveAzureManagedHsmRoleAssignment.cs

@@ -1,4 +1,18 @@
-using Microsoft.Azure.Commands.KeyVault.Models;
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.KeyVault.Models;
 using Microsoft.Azure.Commands.KeyVault.Properties;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
 using Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory;