Merge pull request #4228 from wisexp/preview

	apply scope check for all Role related commands

Author: markcowl

src/ResourceManager/Resources/Commands.Resources.Test/Commands.Resources.Test.csproj

@@ -674,6 +674,9 @@
     <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.RoleDefinitionTests\RdPositiveScenarios.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
+    <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.RoleDefinitionTests\RdValidateInputParameters.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
     <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.RoleDefinitionTests\RoleDefinitionCreateTests.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>

src/ResourceManager/Resources/Commands.Resources.Test/RoleAssignment/RoleAssignmentUnitTests.cs

@@ -11,7 +11,7 @@ private void VerifyInvalidScope(string scope, string error)
         {
             try
             {
-                AuthorizationClient.ValidateScope(scope);
+                AuthorizationClient.ValidateScope(scope, false);
                 Assert.True(false);
             }
             catch(ArgumentException ex)
@@ -22,7 +22,7 @@ private void VerifyInvalidScope(string scope, string error)
 
         private void VerifyValidScope(string scope) 
         {
-            AuthorizationClient.ValidateScope(scope);
+            AuthorizationClient.ValidateScope(scope, false);
         }
 
         [Fact]
@@ -57,6 +57,10 @@ public void VerifyValidScopes()
             {
                 VerifyValidScope(scope);
             }
+
+            // verify empty scope
+
+            AuthorizationClient.ValidateScope(null, true);
         }
     }
 }

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/RoleAssignmentTests.cs

@@ -83,7 +83,10 @@ public void RaByResource()
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void RaValidateInputParameters()
         {
-            ResourcesController.NewInstance.RunPsTest("Test-RaValidateInputParameters");
+            var instance = ResourcesController.NewInstance;
+            instance.RunPsTest("Test-RaValidateInputParameters Get-AzureRmRoleAssignment");
+            instance.RunPsTest("Test-RaValidateInputParameters New-AzureRmRoleAssignment");
+            instance.RunPsTest("Test-RaValidateInputParameters Remove-AzureRmRoleAssignment");
         }
 
         [Fact]

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/RoleAssignmentTests.ps1

@@ -57,11 +57,6 @@ function Test-RaNegativeScenarios
     # Bad SPN
     $badSpn = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb'
     Assert-Throws { Get-AzureRmRoleAssignment -ServicePrincipalName $badSpn } $badObjectResult
-    
-    # Bad Scope
-    $badScope = '/subscriptions/'+ $subscription[0].Id +'/providers/nonexistent'
-    $badScopeException = "InvalidResourceNamespace: The resource namespace 'nonexistent' is invalid."
-    Assert-Throws { Get-AzureRmRoleAssignment -Scope $badScope } $badScopeException
 }
 
 <#
@@ -173,7 +168,7 @@ function Test-RaByResource
 .SYNOPSIS
 Tests validate input parameters 
 #>
-function Test-RaValidateInputParameters
+function Test-RaValidateInputParameters ($cmdName)
 {
     # Setup
     Add-Type -Path ".\\Microsoft.Azure.Commands.Resources.dll"
@@ -190,32 +185,31 @@ function Test-RaValidateInputParameters
     # Check if Scope is valid.
     $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/Should be 'ResourceGroups'/any group name"
     $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/Should be 'ResourceGroups'/any group name' should begin with '/subscriptions/<subid>/resourceGroups'."
-    Assert-Throws { New-AzureRmRoleAssignment -Scope $scope -ObjectId $groups[0].Id.Guid -RoleDefinitionName $definitionName } $invalidScope
+    Assert-Throws { invoke-expression ($cmdName + " -Scope `"" + $scope  + "`" -ObjectId " + $groups[0].Id.Guid + " -RoleDefinitionName " + $definitionName) } $invalidScope
 
     $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups"
     $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups' should have even number of parts."
-    Assert-Throws { New-AzureRmRoleAssignment -Scope $scope -ObjectId $groups[0].Id.Guid -RoleDefinitionName $definitionName } $invalidScope
+    Assert-Throws { &$cmdName -Scope $scope -ObjectId $groups[0].Id.Guid -RoleDefinitionName $definitionName } $invalidScope
 
     $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/"
     $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/' should not have any empty part."
-    Assert-Throws { New-AzureRmRoleAssignment -Scope $scope -ObjectId $groups[0].Id.Guid -RoleDefinitionName $definitionName } $invalidScope
+    Assert-Throws { &$cmdName -Scope $scope -ObjectId $groups[0].Id.Guid -RoleDefinitionName $definitionName } $invalidScope
 
     $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Should be 'Providers'/any provider name"
     $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Should be 'Providers'/any provider name' should begin with '/subscriptions/<subid>/resourceGroups/<groupname>/providers'."
-    Assert-Throws { New-AzureRmRoleAssignment -Scope $scope -ObjectId $groups[0].Id.Guid -RoleDefinitionName $definitionName } $invalidScope
+    Assert-Throws { &$cmdName -Scope $scope -ObjectId $groups[0].Id.Guid -RoleDefinitionName $definitionName } $invalidScope
 
     $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Providers/providername"
     $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Providers/providername' should have at least one pair of resource type and resource name. e.g. '/subscriptions/<subid>/resourceGroups/<groupname>/providers/<providername>/<resourcetype>/<resourcename>'."
-    Assert-Throws { New-AzureRmRoleAssignment -Scope $scope -ObjectId $groups[0].Id.Guid -RoleDefinitionName $definitionName } $invalidScope
+    Assert-Throws { &$cmdName -Scope $scope -ObjectId $groups[0].Id.Guid -RoleDefinitionName $definitionName } $invalidScope
 
     # Check if ResourceType is valid
-    [Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient]::RoleAssignmentNames.Enqueue("4FAB3AF0-E7CF-4305-97D1-23A65EDCE8E6")
     Assert-AreEqual $resource.ResourceType "Microsoft.Sql/servers"
 
     # Below invalid resource type should not return 'Not supported api version'.
     $resource.ResourceType = "Microsoft.Sql/"
-    $invalidResourceType = "Scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testrg16987/providers/Microsoft.Sql/testserver13673' should have even number of parts."
-    Assert-Throws { New-AzureRmRoleAssignment `
+    $invalidResourceType = "Scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/testrg19972/providers/Microsoft.Sql/testserver1342' should have even number of parts."
+    Assert-Throws { &$cmdName `
                         -ObjectId $groups[0].Id.Guid `
                         -RoleDefinitionName $definitionName `
                         -ResourceGroupName $resource.ResourceGroupName `

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/RoleDefinitionTests.cs

@@ -62,5 +62,16 @@ public void RDGetScenario()
         {
             ResourcesController.NewInstance.RunPsTest("Test-RDGet");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void RdValidateInputParameters() 
+        {
+            var instance = ResourcesController.NewInstance;
+            instance.RunPsTest("Test-RdValidateInputParameters Get-AzureRmRoleDefinition");
+            instance.RunPsTest("Test-RdValidateInputParameters Remove-AzureRmRoleDefinition");
+            instance.RunPsTest("Test-RdValidateInputParameters2 New-AzureRmRoleDefinition");
+            instance.RunPsTest("Test-RdValidateInputParameters2 Set-AzureRmRoleDefinition");
+        }
     }
 }

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/RoleDefinitionTests.ps1

@@ -237,4 +237,82 @@ function Test-RDGet
 	# delete roles
 	$deletedRd = Remove-AzureRmRoleDefinition -Id $roleDefResourceScope.Id -Scope $resourceScope -Force -PassThru
 	Assert-AreEqual $roleDefResourceScope.Name $deletedRd.Name
+}
+
+<#
+.SYNOPSIS
+Tests validate input parameters 
+#>
+function Test-RdValidateInputParameters ($cmdName)
+{
+    # Setup
+    Add-Type -Path ".\\Microsoft.Azure.Commands.Resources.dll"
+
+    # Note: All below scenarios are invalid, we'll expect an exception during scope validation so the ID parameter doesn't need to be a valid one. 
+
+    # Test
+    # Check if Scope is valid.
+    $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/Should be 'ResourceGroups'/any group name"
+    $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/Should be 'ResourceGroups'/any group name' should begin with '/subscriptions/<subid>/resourceGroups'."
+    Assert-Throws { invoke-expression ($cmdName + " -Scope `"" + $scope  + "`" -Id D46245F8-7E18-4499-8E1F-784A6DA5BE25") } $invalidScope
+    
+    $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups"
+    $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups' should have even number of parts."
+    Assert-Throws { &$cmdName -Scope $scope -Id D46245F8-7E18-4499-8E1F-784A6DA5BE25} $invalidScope
+    
+    $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/"
+    $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/' should not have any empty part."
+    Assert-Throws { &$cmdName -Scope $scope -Id D46245F8-7E18-4499-8E1F-784A6DA5BE25} $invalidScope
+    
+    $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Should be 'Providers'/any provider name"
+    $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Should be 'Providers'/any provider name' should begin with '/subscriptions/<subid>/resourceGroups/<groupname>/providers'."
+    Assert-Throws { &$cmdName -Scope $scope -Id D46245F8-7E18-4499-8E1F-784A6DA5BE25} $invalidScope
+    
+    $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Providers/providername"
+    $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Providers/providername' should have at least one pair of resource type and resource name. e.g. '/subscriptions/<subid>/resourceGroups/<groupname>/providers/<providername>/<resourcetype>/<resourcename>'."
+    Assert-Throws { &$cmdName -Scope $scope -Id D46245F8-7E18-4499-8E1F-784A6DA5BE25} $invalidScope
+}
+
+
+<#
+.SYNOPSIS
+Tests validate input parameters 
+#>
+function Test-RdValidateInputParameters2 ($cmdName)
+{
+    # Setup
+    Add-Type -Path ".\\Microsoft.Azure.Commands.Resources.dll"
+
+    # Note: All below scenarios are invalid, we'll expect an exception during scope validation so the ID parameter doesn't need to be a valid one. 
+
+	$roleDef = Get-AzureRmRoleDefinition -Name "Reader"
+	$roleDef.Name = "CustomRole_99CC0F56-7395-4097-A31E-CC63874AC5EF"
+	$roleDef.Description = "Test Get RD"
+
+    # Test
+    # Check if Scope is valid.
+    $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/Should be 'ResourceGroups'/any group name"
+    $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/Should be 'ResourceGroups'/any group name' should begin with '/subscriptions/<subid>/resourceGroups'."
+    $roleDef.AssignableScopes[0] = $scope;
+    Assert-Throws { &$cmdName -Role $roleDef } $invalidScope
+    
+    $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups"
+    $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups' should have even number of parts."
+    $roleDef.AssignableScopes[0] = $scope;
+    Assert-Throws { &$cmdName -Role $roleDef } $invalidScope
+    
+    $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/"
+    $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/' should not have any empty part."
+    $roleDef.AssignableScopes[0] = $scope;
+    Assert-Throws { &$cmdName -Role $roleDef } $invalidScope
+    
+    $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Should be 'Providers'/any provider name"
+    $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Should be 'Providers'/any provider name' should begin with '/subscriptions/<subid>/resourceGroups/<groupname>/providers'."
+    $roleDef.AssignableScopes[0] = $scope;
+    Assert-Throws { &$cmdName -Role $roleDef } $invalidScope
+    
+    $scope = "/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Providers/providername"
+    $invalidScope = "Scope '/subscriptions/e9ee799d-6ab2-4084-b952-e7c86344bbab/ResourceGroups/groupname/Providers/providername' should have at least one pair of resource type and resource name. e.g. '/subscriptions/<subid>/resourceGroups/<groupname>/providers/<providername>/<resourcetype>/<resourcename>'."
+    $roleDef.AssignableScopes[0] = $scope;
+    Assert-Throws { &$cmdName -Role $roleDef } $invalidScope
 }