Merge pull request #970 from shuagarw/parameterAndBugFixes

Parameter and bug fixes in Role Assignment commands

Author: markcowl

src/ResourceManager/Resources/Commands.Resources.Test/Commands.Resources.Test.csproj

@@ -62,7 +62,7 @@
     </Reference>
     <Reference Include="Microsoft.Azure.Graph.RBAC">
       <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\..\..\packages\Microsoft.Azure.Graph.RBAC.1.7.0-preview\lib\net40\Microsoft.Azure.Graph.RBAC.dll</HintPath>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Graph.RBAC.1.7.1-preview\lib\net40\Microsoft.Azure.Graph.RBAC.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.Insights">
       <HintPath>..\..\..\packages\Microsoft.Azure.Insights.0.7.7-preview\lib\net45\Microsoft.Azure.Insights.dll</HintPath>

src/ResourceManager/Resources/Commands.Resources/Commands.Resources.csproj

@@ -66,7 +66,7 @@
     </Reference>
     <Reference Include="Microsoft.Azure.Graph.RBAC">
       <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\..\..\packages\Microsoft.Azure.Graph.RBAC.1.7.0-preview\lib\net40\Microsoft.Azure.Graph.RBAC.dll</HintPath>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Graph.RBAC.1.7.1-preview\lib\net40\Microsoft.Azure.Graph.RBAC.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Authorization">
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.1.0.0\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
@@ -165,9 +165,6 @@
     <Compile Include="Models.Authorization\FilterRoleAssignmentsOptions.cs" />
     <Compile Include="Models.ActiveDirectory\ActiveDirectoryClient.cs" />
     <Compile Include="Models.Authorization\AuthorizationClientExtensions.cs" />
-    <Compile Include="Models.Authorization\PSGroupRoleAssignment.cs" />
-    <Compile Include="Models.Authorization\PSServiceRoleAssignment.cs" />
-    <Compile Include="Models.Authorization\PSUserRoleAssignment.cs" />
     <Compile Include="Models.Authorization\PSRoleAssignment.cs" />
     <Compile Include="Models.Authorization\PSRoleDefinition.cs" />
     <Compile Include="Models.Authorization\PSPermission.cs" />

src/ResourceManager/Resources/Commands.Resources/Models.ActiveDirectory/ADObjectFilterOptions.cs

@@ -19,6 +19,8 @@ public class ADObjectFilterOptions
     {
         public string SearchString { get; set; }
 
+        public string SignInName { get; set; }
+
         public string Mail { get; set; }
 
         public string UPN { get; set; }
@@ -48,6 +50,8 @@ public string ActiveFilter
                     return SPN;
                 else if (!string.IsNullOrEmpty(Mail))
                     return Mail;
+                else if (!string.IsNullOrEmpty(SignInName))
+                    return SignInName;
                 else if (!string.IsNullOrEmpty(SearchString))
                     return SearchString;
                 else

src/ResourceManager/Resources/Commands.Resources/Models.ActiveDirectory/ActiveDirectoryClient.cs

@@ -47,7 +47,7 @@ public PSADObject GetADObject(ADObjectFilterOptions options)
 
             Debug.Assert(options != null);
 
-            if (IsSet(options.Mail, options.UPN, options.Id))
+            if (IsSet(options.SignInName, options.Mail, options.UPN, options.Id))
             {
                 result = FilterUsers(options).FirstOrDefault();
             }
@@ -163,11 +163,11 @@ public List<PSADUser> FilterUsers(ADObjectFilterOptions options)
                     users.Add(user.ToPSADUser());
                 }
             }
-            else if (!string.IsNullOrEmpty(options.Mail))
+            else if (!string.IsNullOrEmpty(options.Mail) || !string.IsNullOrEmpty(options.SignInName))
             {
                 try
                 {
-                    user = GraphClient.User.GetBySignInName(options.Mail).Users.FirstOrDefault();
+                    user = GraphClient.User.GetBySignInName(Normalize(options.Mail) ?? Normalize(options.SignInName)).Users.FirstOrDefault();
                 }
                 catch {  /* The user does not exist, ignore the exception. */ }
 
@@ -225,6 +225,14 @@ public List<PSADObject> ListUserGroups(string principal)
             return result;
         }
 
+        public List<PSADObject> GetObjectsByObjectId(List<string> objectIds)
+        {
+            List<PSADObject> result = new List<PSADObject>();
+            var adObjects = GraphClient.Objects.GetObjectsByObjectIds(new GetObjectsParameters { Ids = objectIds }).AADObject;
+            result.AddRange(adObjects.Select(o => o.ToPSADObject()));
+            return result;
+        }
+
         public List<PSADGroup> FilterGroups(ADObjectFilterOptions options)
         {
             List<PSADGroup> groups = new List<PSADGroup>();

src/ResourceManager/Resources/Commands.Resources/Models.ActiveDirectory/ActiveDirectoryClientExtensions.cs

@@ -51,6 +51,7 @@ public static PSADObject ToPSADObject(this AADObject obj)
                     Id = new Guid(obj.ObjectId),
                     Type = obj.ObjectType,
                     UserPrincipalName = obj.UserPrincipalName,
+                    SignInName = obj.SignInName,
                     Mail = obj.Mail
                 };
             }
@@ -66,6 +67,16 @@ public static PSADObject ToPSADObject(this AADObject obj)
                 };
 
             }
+            else if (obj.ObjectType == typeof(ServicePrincipal).Name)
+            {
+                return new PSADServicePrincipal()
+                {
+                    DisplayName = obj.DisplayName,
+                    Id = new Guid(obj.ObjectId),
+                    Type = obj.ObjectType,
+                    ServicePrincipalName = obj.ServicePrincipalNames.FirstOrDefault()
+                };
+            }
             else
             {
                 return new PSADObject()
@@ -93,7 +104,8 @@ public static PSADUser ToPSADUser(this User user)
                 DisplayName = user.DisplayName,
                 Id = new Guid(user.ObjectId),
                 UserPrincipalName = user.UserPrincipalName,
-                Mail = user.SignInName
+                Mail = user.SignInName,
+                SignInName = user.SignInName
             };
         }
 

src/ResourceManager/Resources/Commands.Resources/Models.ActiveDirectory/PSADUser.cs

@@ -19,5 +19,7 @@ public class PSADUser : PSADObject
         public string UserPrincipalName { get; set; }
 
         public string Mail { get; set; }
+
+        public string SignInName { get; set; }
     }
 }

src/ResourceManager/Resources/Commands.Resources/Models.ActiveDirectory/ParameterSet.cs

@@ -22,38 +22,34 @@ internal static class ParameterSet
 
         public const string SPN = "SPNParameterSet";
 
+        public const string SignInName = "SignInNameParameterSet";
+
         public const string SearchString = "SearchStringParameterSet";
 
         public const string ObjectId = "ObjectIdParameterSet";
 
         public const string Scope = "ScopeParameterSet";
 
-        public const string ScopeWithMail = "ScopeWithMailParameterSet";
-
-        public const string ScopeWithUPN = "ScopeWithUPNParameterSet";
-
         public const string ScopeWithSPN = "ScopeWithSPNParameterSet";
 
+        public const string ScopeWithSignInName = "ScopeWithSignInNameParameterSet";
+
         public const string ScopeWithObjectId = "ScopeWithObjectIdParameterSet";
 
         public const string ResourceGroup = "ResourceGroupParameterSet";
 
-        public const string ResourceGroupWithMail = "ResourceGroupWithMailParameterSet";
-
-        public const string ResourceGroupWithUPN = "ResourceGroupWithUPNParameterSet";
-
         public const string ResourceGroupWithSPN = "ResourceGroupWithSPNParameterSet";
 
         public const string ResourceGroupWithObjectId = "ResourceGroupWithObjectIdParameterSet";
 
-        public const string Resource = "ResourceParameterSet";
-
-        public const string ResourceWithMail = "ResourceWithMailParameterSet";
+        public const string ResourceGroupWithSignInName = "ResourceGroupWithSignInNameParameterSet";
 
-        public const string ResourceWithUPN = "ResourceWithUPNParameterSet";
+        public const string Resource = "ResourceParameterSet";
 
         public const string ResourceWithSPN = "ResourceWithSPNParameterSet";
 
+        public const string ResourceWithSignInName = "ResourceWithSignInNameParameterSet";
+
         public const string ResourceWithObjectId = "ResourceWithObjectIdParameterSet";
 
         public const string ApplicationWithoutCredential = "ApplicationWithoutCredentialParameterSet";

src/ResourceManager/Resources/Commands.Resources/Models.Authorization/AuthorizationClient.cs

@@ -68,6 +68,7 @@ public PSRoleDefinition GetRoleDefinition(string roleId)
 
         /// <summary>
         /// Filters the existing role Definitions.
+        /// If name is not provided, all role definitions are fetched.
         /// </summary>
         /// <param name="name">The role name</param>
         /// <returns>The matched role Definitions</returns>
@@ -122,7 +123,11 @@ public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parame
             };
 
             AuthorizationManagementClient.RoleAssignments.Create(parameters.Scope, roleAssignmentId, createParameters);
-            return AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment.ToPSRoleAssignment(this, ActiveDirectoryClient);
+
+            RoleAssignment assignment = AuthorizationManagementClient.RoleAssignments.Get(parameters.Scope, roleAssignmentId).RoleAssignment;
+            IEnumerable<RoleAssignment> assignments = new List<RoleAssignment>() { assignment };
+
+            return assignments.ToPSRoleAssignments(this, ActiveDirectoryClient).FirstOrDefault();
         }
 
         /// <summary>
@@ -159,9 +164,10 @@ public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions
                 {
                     parameters.PrincipalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id : Guid.Parse(options.ADObjectFilter.Id);
                 }
-                
+
                 result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
-                    .RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals)).Where(r => r != null));
+                    .RoleAssignments.ToPSRoleAssignments(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals));
+
 
                 // Filter out by scope
                 if (!string.IsNullOrEmpty(options.Scope))
@@ -173,13 +179,14 @@ public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions
             {
                 // Filter by scope and above directly
                 parameters.AtScope = true;
+
                 result.AddRange(AuthorizationManagementClient.RoleAssignments.ListForScope(options.Scope, parameters)
-                    .RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals)).Where(r => r != null));
+                    .RoleAssignments.ToPSRoleAssignments(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals));
             }
             else
             {
                 result.AddRange(AuthorizationManagementClient.RoleAssignments.List(parameters)
-                    .RoleAssignments.Select(r => r.ToPSRoleAssignment(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals)).Where(r => r != null));
+                    .RoleAssignments.ToPSRoleAssignments(this, ActiveDirectoryClient, options.ExcludeAssignmentsForDeletedPrincipals));
             }
 
             if (!string.IsNullOrEmpty(options.RoleDefinition))
@@ -204,7 +211,8 @@ public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions
                     var userObject = adObject as PSADUser;
                     classicAdministratorsAssignments = classicAdministratorsAssignments.Where(c =>
                            c.DisplayName.Equals(userObject.UserPrincipalName, StringComparison.OrdinalIgnoreCase) ||
-                           c.DisplayName.Equals(userObject.Mail, StringComparison.OrdinalIgnoreCase)).ToList();
+                           c.DisplayName.Equals(userObject.Mail, StringComparison.OrdinalIgnoreCase) ||
+                           c.DisplayName.Equals(userObject.SignInName, StringComparison.OrdinalIgnoreCase)).ToList();
                 }
 
                 result.AddRange(classicAdministratorsAssignments);

src/ResourceManager/Resources/Commands.Resources/Models.Authorization/AuthorizationClientExtensions.cs

@@ -44,69 +44,82 @@ public static PSRoleDefinition ToPSRoleDefinition(this RoleDefinition role)
             return roleDefinition;
         }
 
-        public static PSRoleAssignment ToPSRoleAssignment(this RoleAssignment role, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
+        public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
         {
-            PSRoleDefinition roleDefinition = policyClient.GetRoleDefinition(role.Properties.RoleDefinitionId);
-            PSADObject adObject = activeDirectoryClient.GetADObject(new ADObjectFilterOptions { Id = role.Properties.PrincipalId.ToString() }) ?? new PSADObject() { Id = role.Properties.PrincipalId };
-
-            if (adObject is PSADUser)
+            List<PSRoleAssignment> psAssignments = new List<PSRoleAssignment>();
+            if(assignments ==null || !assignments.Any())
             {
-                return new PSUserRoleAssignment()
-                {
-                    RoleAssignmentId = role.Id,
-                    DisplayName = adObject.DisplayName,
-                    Actions = roleDefinition.Actions,
-                    NotActions = roleDefinition.NotActions,
-                    RoleDefinitionName = roleDefinition.Name,
-                    Scope = role.Properties.Scope,
-                    UserPrincipalName = ((PSADUser)adObject).UserPrincipalName,
-                    Mail = ((PSADUser)adObject).Mail,
-                    ObjectId = adObject.Id
-                };
+                return psAssignments;
             }
-            else if (adObject is PSADGroup)
+
+            List<string> objectIds = new List<string>();
+            objectIds.AddRange(assignments.Select(r => r.Properties.PrincipalId.ToString()));
+            List<PSADObject> adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
+
+            List<PSRoleDefinition> roleDefinitions = policyClient.FilterRoleDefinitions(name: null);
+
+            foreach (RoleAssignment assignment in assignments)
             {
-                return new PSGroupRoleAssignment()
+                PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.Properties.PrincipalId) ?? new PSADObject() { Id = assignment.Properties.PrincipalId };
+                PSRoleDefinition roleDefinition = roleDefinitions.SingleOrDefault(r => r.Id == assignment.Properties.RoleDefinitionId) ?? new PSRoleDefinition() { Id = assignment.Properties.RoleDefinitionId };
+
+                if (adObject is PSADUser)
                 {
-                    RoleAssignmentId = role.Id,
-                    DisplayName = adObject.DisplayName,
-                    Actions = roleDefinition.Actions,
-                    NotActions = roleDefinition.NotActions,
-                    RoleDefinitionName = roleDefinition.Name,
-                    Scope = role.Properties.Scope,
-                    Mail = ((PSADGroup)adObject).Mail,
-                    ObjectId = adObject.Id
-                };
-            }
-            else if (adObject is PSADServicePrincipal)
-            {
-                return new PSServiceRoleAssignment()
+                    psAssignments.Add(new PSRoleAssignment()
+                    {
+                        RoleAssignmentId = assignment.Id,
+                        DisplayName = adObject.DisplayName,
+                        RoleDefinitionId = roleDefinition.Id.GuidFromFullyQualifiedId(),
+                        RoleDefinitionName = roleDefinition.Name,
+                        Scope = assignment.Properties.Scope,
+                        SignInName = ((PSADUser)adObject).SignInName,
+                        ObjectId = adObject.Id,
+                        ObjectType = adObject.Type
+                    });
+                }
+                else if (adObject is PSADGroup)
                 {
-                    RoleAssignmentId = role.Id,
-                    DisplayName = adObject.DisplayName,
-                    Actions = roleDefinition.Actions,
-                    NotActions = roleDefinition.NotActions,
-                    RoleDefinitionName = roleDefinition.Name,
-                    Scope = role.Properties.Scope,
-                    ServicePrincipalName = ((PSADServicePrincipal)adObject).ServicePrincipalName,
-                    ObjectId = adObject.Id
-                };
-            }
-            else if (!excludeAssignmentsForDeletedPrincipals)
-            {
-                return new PSRoleAssignment()
+                    psAssignments.Add(new PSRoleAssignment()
+                    {
+                        RoleAssignmentId = assignment.Id,
+                        DisplayName = adObject.DisplayName,
+                        RoleDefinitionId = roleDefinition.Id.GuidFromFullyQualifiedId(),
+                        RoleDefinitionName = roleDefinition.Name,
+                        Scope = assignment.Properties.Scope,
+                        ObjectId = adObject.Id,
+                        ObjectType = adObject.Type
+                    });
+                }
+                else if (adObject is PSADServicePrincipal)
                 {
-                    RoleAssignmentId = role.Id,
-                    DisplayName = adObject.DisplayName,
-                    Actions = roleDefinition.Actions,
-                    NotActions = roleDefinition.NotActions,
-                    RoleDefinitionName = roleDefinition.Name,
-                    Scope = role.Properties.Scope,
-                    ObjectId = adObject.Id
-                };
+                    psAssignments.Add(new PSRoleAssignment()
+                    {
+                        RoleAssignmentId = assignment.Id,
+                        DisplayName = adObject.DisplayName,
+                        RoleDefinitionId = roleDefinition.Id.GuidFromFullyQualifiedId(),
+                        RoleDefinitionName = roleDefinition.Name,
+                        Scope = assignment.Properties.Scope,
+                        ObjectId = adObject.Id,
+                        ObjectType = adObject.Type
+                    });
+                }
+                else if (!excludeAssignmentsForDeletedPrincipals)
+                {
+                    psAssignments.Add(new PSRoleAssignment()
+                    {
+                        RoleAssignmentId = assignment.Id,
+                        DisplayName = adObject.DisplayName,
+                        RoleDefinitionId = roleDefinition.Id.GuidFromFullyQualifiedId(),
+                        RoleDefinitionName = roleDefinition.Name,
+                        Scope = assignment.Properties.Scope,
+                        ObjectId = adObject.Id,
+                    });
+                }
+
+                // Ignore the assignment if principal does not exists and excludeAssignmentsForDeletedPrincipals is set to true
             }
 
-            return null;
+            return psAssignments;
         }
 
         public static PSRoleAssignment ToPSRoleAssignment(this ClassicAdministrator classicAdministrator, string currentSubscriptionId)
@@ -115,9 +128,15 @@ public static PSRoleAssignment ToPSRoleAssignment(this ClassicAdministrator clas
             {
                 RoleDefinitionName = classicAdministrator.Properties.Role,
                 DisplayName = classicAdministrator.Properties.EmailAddress,
+                SignInName = classicAdministrator.Properties.EmailAddress,
                 Scope = "/subscriptions/" + currentSubscriptionId,
-                Actions = new List<string>() {"*"}
+                ObjectType = "User"
             };
         }
+
+        private static string GuidFromFullyQualifiedId(this string Id)
+        {
+            return Id.TrimEnd('/').Substring(Id.LastIndexOf('/') + 1);
+        }
     }
 }