Remove email addresses from UPN query.

Before this change, when a UPN argument is passed
to one of the vault policy cmdlets the query
for object id would include email addresses as
well.  After this change UPN will mean UPN and
there will be a seperate email argument if the
user wants to look up the object id by email
address.

Author: RandalliLama

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/ControlPlane/KeyVaultManagementTests.ps1

@@ -440,6 +440,25 @@ function Test-SetRemoveAccessPolicyByUPN
     Assert-AreEqual 0 $vault.AccessPolicies.Count
 }
 
+function Test-SetRemoveAccessPolicyByEmail
+{
+    Param($existingVaultName, $rgName, $email, $upn)
+
+    $PermToKeys = @("encrypt", "decrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore")
+    $PermToSecrets = @("get", "list", "set", "delete")
+    $PermToCertificates = @("get", "list", "create", "delete")
+
+    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -Mail $email -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PermissionsToCertificates $PermToCertificates -PassThru
+
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates
+    if (-not $global:noADCmdLetMode) {
+        Assert-AreEqual  $vault.AccessPolicies[0].ObjectId (Get-AzureRmADUser -Mail $upn).Id
+    }
+
+    $vault = Remove-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -Mail $email -PassThru
+    Assert-AreEqual 0 $vault.AccessPolicies.Count
+}
+
 function Test-SetRemoveAccessPolicyBySPN
 {
     Param($existingVaultName, $rgName, $spn)

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/RunKeyVaultTests.ps1

@@ -211,6 +211,12 @@ function Run-AllControlPlaneTests
 
     # Set-AzureRmKeyVaultAccessPolicy & Remove-AzureRmKeyVaultAccessPolicy tests.
     Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByUPN } "Test_SetRemoveAccessPolicyByUPN" } "Test_SetRemoveAccessPolicyByUPN"
+
+    <#
+    This test is disabled because it requires a user with an email address that matches their UPN.
+    Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByEmail } "Test_SetRemoveAccessPolicyByEmail" } "Test_SetRemoveAccessPolicyByEmail"
+    #>
+
     Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyBySPN } "Test_SetRemoveAccessPolicyBySPN" } "Test_SetRemoveAccessPolicyBySPN"
     Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByObjectId } "Test_SetRemoveAccessPolicyByObjectId" } "Test_SetRemoveAccessPolicyByObjectId"
     Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByBypassObjectIdValidation } "Test_SetRemoveAccessPolicyByBypassObjectIdValidation" } "Test_SetRemoveAccessPolicyByBypassObjectIdValidation"

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/VaultManagementTests.ps1

@@ -126,6 +126,14 @@ function Test_SetRemoveAccessPolicyByUPN
     Test-SetRemoveAccessPolicyByUPN $global:testVault $global:resourceGroupName $user
 }
 
+function Test_SetRemoveAccessPolicyByEmail
+{
+    # ASSUMPTION: The logged in users UPN is the same as their email address.
+    $user = (Get-AzureRmContext).Account.Id
+    Reset-PreCreatedVault
+    Test-SetRemoveAccessPolicyByEmail $global:testVault $global:resourceGroupName $user $user
+}
+
 function Test_SetRemoveAccessPolicyBySPN
 {
     Reset-PreCreatedVault
@@ -330,7 +338,7 @@ function Initialize-TemporaryState
     {
         Write-Host "Skipping resource group creation since the resource group $global:resourceGroupName is already provided."
     }
-    
+
     if ($global:testVault -ne "" -and $global:testVault -ne $null)
     {
         Write-Host "Skipping vault creation since the vault $global:testVault is already provided."
@@ -339,7 +347,7 @@ function Initialize-TemporaryState
 
     # Create a vault using ARM.
     $vaultName = Get-VaultName $suffix
-    $tenantId = (Get-AzureRmContext).Tenant.TenantId
+    $tenantId = (Get-AzureRmContext).Tenant.Id
     $sku = "premium"
     if ($global:standardVaultOnly)
     {

src/ResourceManager/KeyVault/Commands.KeyVault/Commands/RemoveAzureKeyVaultAccessPolicy.cs

@@ -31,6 +31,7 @@ public class RemoveAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
         private const string ByObjectId = "ByObjectId";
         private const string ByServicePrincipalName = "ByServicePrincipalName";
         private const string ByUserPrincipalName = "ByUserPrincipalName";
+        private const string ByEmail = "ByEmail";
         private const string ForVault = "ForVault";
 
         #endregion
@@ -89,6 +90,16 @@ public class RemoveAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
         [ValidateNotNullOrEmpty()]
         public string ObjectId { get; set; }
 
+        /// <summary>
+        /// Email address
+        /// </summary>
+        [Parameter(Mandatory = true,
+            ParameterSetName = ByEmail,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Specifies the email address of the user in Azure Active Directory for which to grant permissions.")]
+        [ValidateNotNullOrEmpty()]
+        public string Mail { get; set; }
+
         /// <summary>
         /// Id of the application to which a user delegate to
         /// </summary>
@@ -160,11 +171,14 @@ public override void ExecuteCmdlet()
 
                 // Update vault policies
                 var updatedPolicies = existingVault.AccessPolicies;
-                if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || !string.IsNullOrWhiteSpace(this.ObjectId))
+                if (!string.IsNullOrEmpty(UserPrincipalName)
+                    || !string.IsNullOrEmpty(ServicePrincipalName)
+                    || !string.IsNullOrWhiteSpace(this.ObjectId)
+                    || !string.IsNullOrWhiteSpace(this.Mail))
                 {
                     if (string.IsNullOrWhiteSpace(this.ObjectId))
                     {
-                        ObjectId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
+                        ObjectId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.Mail, this.ServicePrincipalName);
                     }
                     updatedPolicies = existingVault.AccessPolicies.Where(ap => !ShallBeRemoved(ap, ObjectId, this.ApplicationId)).ToArray();
                 }

src/ResourceManager/KeyVault/Commands.KeyVault/Commands/SetAzureKeyVaultAccessPolicy.cs

@@ -91,6 +91,7 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
         private const string ByObjectId = "ByObjectId";
         private const string ByServicePrincipalName = "ByServicePrincipalName";
         private const string ByUserPrincipalName = "ByUserPrincipalName";
+        private const string ByEmail = "ByEmail";
         private const string ForVault = "ForVault";
 
         #endregion
@@ -149,6 +150,16 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
         [ValidateNotNullOrEmpty()]
         public string ObjectId { get; set; }
 
+        /// <summary>
+        /// Email address
+        /// </summary>
+        [Parameter(Mandatory = true,
+            ParameterSetName = ByEmail,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Specifies the email address of the user in Azure Active Directory for which to grant permissions.")]
+        [ValidateNotNullOrEmpty()]
+        public string Mail { get; set; }
+
         /// <summary>
         /// Id of the application to which a user delegate to
         /// </summary>
@@ -173,6 +184,10 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
             ParameterSetName = ByUserPrincipalName,
             ValueFromPipelineByPropertyName = true,
             HelpMessage = "Specifies key operation permissions to grant to a user or service principal.")]
+        [Parameter(Mandatory = false,
+            ParameterSetName = ByEmail,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Specifies key operation permissions to grant to a user or service principal.")]
         [ValidateSet("decrypt", "encrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore", "recover", "purge", "all")]
         public string[] PermissionsToKeys { get; set; }
 
@@ -191,6 +206,10 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
             ParameterSetName = ByUserPrincipalName,
             ValueFromPipelineByPropertyName = true,
             HelpMessage = "Specifies secret operation permissions to grant to a user or service principal.")]
+        [Parameter(Mandatory = false,
+            ParameterSetName = ByEmail,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Specifies key operation permissions to grant to a user or service principal.")]
         [ValidateSet("get", "list", "set", "delete", "backup", "restore", "recover", "purge", "all")]
         public string[] PermissionsToSecrets { get; set; }
 
@@ -209,6 +228,10 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
             ParameterSetName = ByUserPrincipalName,
             ValueFromPipelineByPropertyName = true,
             HelpMessage = "Specifies certificate operation permissions to grant to a user or service principal.")]
+        [Parameter(Mandatory = false,
+            ParameterSetName = ByEmail,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Specifies key operation permissions to grant to a user or service principal.")]
         [ValidateSet("get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "all")]
         public string[] PermissionsToCertificates { get; set; }
 
@@ -293,12 +316,15 @@ public override void ExecuteCmdlet()
 
                 // Update vault policies
                 PSKeyVaultModels.PSVaultAccessPolicy[] updatedListOfAccessPolicies = vault.AccessPolicies;
-                if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || !string.IsNullOrWhiteSpace(this.ObjectId))
+                if (!string.IsNullOrEmpty(UserPrincipalName)
+                    || !string.IsNullOrEmpty(ServicePrincipalName)
+                    || !string.IsNullOrWhiteSpace(this.ObjectId)
+                    || !string.IsNullOrWhiteSpace(this.Mail))
                 {
                     var objId = this.ObjectId;
                     if (!this.BypassObjectIdValidation.IsPresent)
                     {
-                        objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
+                        objId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.Mail, this.ServicePrincipalName);
                     }
 
                     if (ApplicationId.HasValue && ApplicationId.Value == Guid.Empty)

src/ResourceManager/KeyVault/Commands.KeyVault/Models/KeyVaultManagementCmdletBase.cs

@@ -183,47 +183,118 @@ protected string GetCurrentUsersObjectId()
             if (DefaultContext.Account == null)
                 throw new InvalidOperationException(PSKeyVaultProperties.Resources.NoDefaultUserAccount);
 
+            string objectId = null;
+            if (DefaultContext.Account.Type == AzureAccount.AccountType.User)
+            {
+                var userFetcher = ActiveDirectoryClient.Me.ToUser();
+                var user = userFetcher.ExecuteAsync().Result;
+                objectId = user.ObjectId;
+            }
 
-            return GetObjectId(
-                    upn: DefaultContext.Account.Id,
-                    objectId: string.Empty,
-                    spn: null
-                    );
+            return objectId;
         }
 
-        protected string GetObjectId(string objectId, string upn, string spn)
+        private void ThrowIfMultipleObjectIds<AADType>(IEnumerable<AADType> principal, string objectFilter)
         {
-            var objId = string.Empty;
-            var objectFilter = objectId ?? string.Empty;
+            // If there is a second element then there are too many.
+            if (principal.ElementAtOrDefault(1) != null)
+            {
+                throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.ADObjectAmbiguous, objectFilter,
+                (_dataServiceCredential != null) ? _dataServiceCredential.TenantId : string.Empty));
+            }
+        }
 
+        private string GetObjectIdByUpn(string upn)
+        {
+            string objId = null;
             if (!string.IsNullOrWhiteSpace(upn))
             {
-                objectFilter = upn;
-                var user = ActiveDirectoryClient.Users.Where(FilterByUpn(upn)).ExecuteAsync().GetAwaiter().GetResult().CurrentPage.FirstOrDefault();
+                var user = ActiveDirectoryClient.Users.Where(u => u.UserPrincipalName.Equals(upn, StringComparison.OrdinalIgnoreCase))
+                    .ExecuteAsync().GetAwaiter().GetResult().CurrentPage.SingleOrDefault();
                 if (user != null)
                     objId = user.ObjectId;
             }
-            else if (!string.IsNullOrWhiteSpace(spn))
+            return objId;
+        }
+
+        private string GetObjectIdBySpn(string spn)
+        {
+            string objId = null;
+            if (!string.IsNullOrWhiteSpace(spn))
             {
-                objectFilter = spn;
                 var servicePrincipal = ActiveDirectoryClient.ServicePrincipals.Where(s =>
                     s.ServicePrincipalNames.Any(n => n.Equals(spn, StringComparison.OrdinalIgnoreCase)))
-                    .ExecuteAsync().GetAwaiter().GetResult().CurrentPage.FirstOrDefault();
+                    .ExecuteAsync().GetAwaiter().GetResult().CurrentPage.SingleOrDefault();
                 if (servicePrincipal != null)
                     objId = servicePrincipal.ObjectId;
             }
-            else if (!string.IsNullOrWhiteSpace(objectId))
+            return objId;
+        }
+
+        private string GetObjectIdByEmail(string email)
+        {
+            string objId = null;
+            // In ADFS, Graph cannot handle this particular combination of filters.
+            if (!DefaultProfile.DefaultContext.Environment.OnPremise && !string.IsNullOrWhiteSpace(email))
             {
-                var objectCollection = ActiveDirectoryClient.GetObjectsByObjectIdsAsync(new[] { objectId }, new string[] { }).GetAwaiter().GetResult();
-                if (objectCollection.Any())
-                    objId = objectId;
+                var users = ActiveDirectoryClient.Users.Where(FilterByEmail(email)).ExecuteAsync().GetAwaiter().GetResult().CurrentPage;
+                if (users != null)
+                {
+                    ThrowIfMultipleObjectIds(users, email);
+                    var user = users.FirstOrDefault();
+                    objId = user?.ObjectId;
+                }
             }
+            return objId;
+        }
 
+        private bool ValidateObjectId(string objId)
+        {
+            bool isValid = false;
             if (!string.IsNullOrWhiteSpace(objId))
-                return objId;
+            {
+                var objectCollection = ActiveDirectoryClient.GetObjectsByObjectIdsAsync(new[] { objId }, new string[] { }).GetAwaiter().GetResult();
+                if (objectCollection.Any())
+                {
+                    isValid = true;
+                }
+            }
+            return isValid;
+        }
 
-            throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.ADObjectNotFound, objectFilter,
-                (_dataServiceCredential != null) ? _dataServiceCredential.TenantId : string.Empty));
+        protected string GetObjectId(string objectId, string upn, string email, string spn)
+        {
+            string objId = null;
+            var objectFilter = objectId ?? string.Empty;
+
+            if (!string.IsNullOrEmpty(objectId))
+            {
+                objId = ValidateObjectId(objectId) ? objectId : null;
+            }
+            else if (!string.IsNullOrEmpty(upn))
+            {
+                objId = GetObjectIdByUpn(upn);
+            }
+            else if (!string.IsNullOrEmpty(email))
+            {
+                objId = GetObjectIdByEmail(email);
+            }
+            else if (!string.IsNullOrEmpty(spn))
+            {
+                objId = GetObjectIdBySpn(spn);
+            }
+
+            if (string.IsNullOrWhiteSpace(objId))
+                throw new ArgumentException(string.Format(PSKeyVaultProperties.Resources.ADObjectNotFound, objectFilter,
+                    (_dataServiceCredential != null) ? _dataServiceCredential.TenantId : string.Empty));
+
+            return objId;
+        }
+
+        private bool IsValidGUid(string stringGuid)
+        {
+            Guid parsedGuid;
+            return Guid.TryParse(stringGuid, out parsedGuid);
         }
 
         /// <summary>
@@ -246,21 +317,13 @@ protected bool IsValidObjectIdSyntax(string objectId)
             }
 
             // In AAD, object IDs must be parsable as Guids.
-            Guid dummyValue;
-            return Guid.TryParse(objectId, out dummyValue);
+            return IsValidGUid(objectId);
         }
 
-        private Expression<Func<IUser, bool>> FilterByUpn(string upn)
+        private Expression<Func<IUser, bool>> FilterByEmail(string email)
         {
-            // In ADFS, Graph cannot handle this particular combination of filters.
-            if (!DefaultProfile.DefaultContext.Environment.OnPremise)
-            {
-                return u => u.UserPrincipalName.Equals(upn, StringComparison.OrdinalIgnoreCase) ||
-                    u.Mail.Equals(upn, StringComparison.OrdinalIgnoreCase) ||
-                    u.OtherMails.Any(m => m.Equals(upn, StringComparison.OrdinalIgnoreCase));
-            }
-
-            return u => u.UserPrincipalName.Equals(upn, StringComparison.OrdinalIgnoreCase);
+            return u => u.Mail.Equals(email, StringComparison.OrdinalIgnoreCase) ||
+                u.OtherMails.Any(m => m.Equals(email, StringComparison.OrdinalIgnoreCase));
         }
 
         protected readonly string[] DefaultPermissionsToKeys =