Remove email addresses from UPN query in KeyVault Access Policy CmdLets. #4102
Conversation
Before this change, when a UPN argument is passed to one of the vault policy cmdlets the query for object id would include email addresses as well. After this change UPN will mean UPN and there will be a seperate email argument if the user wants to look up the object id by email address.
|
@RandalliLama, |
|
Can one of the admins verify this patch? |
RandalliLama
changed the title
|
@azuresdkci add to whitelist |
|
@RandalliLama it looks like the default reviewers (who are just suggestions) are set by GitHub: "Suggested reviewers are based on git blame data" Feel free to request a review from those who you have mentioned previously. |
|
|
||
| <# | ||
| This test is disabled because it requires a user with an email address that matches their UPN. | ||
| Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByEmail } "Test_SetRemoveAccessPolicyByEmail" } "Test_SetRemoveAccessPolicyByEmail" |
There was a problem hiding this comment.
@RandalliLama is there any way to enable this test so we can (1) ensure that the functionality added does work as intended, (2) ensure that there are no regressions in the future?
There was a problem hiding this comment.
These tests are currently not run under the recording framework. I am still investigating why that is, and what I can do about it. As far as I can tell these tests are run manually by devs before checkin. Since they are not recorded, if this test was enabled by default, the developer would need to ensure that they have a test environment that has a user with an email address, and further, that the email address matched their UPN. That's not easy to set up if you don't already have one. Setting up a user with an email address requires having a user licensed for Exchange, or doing manual REST calls to AAD graph.
If these tests were being run under the recording framework then only one person would need to have the necessary test setup and all other runs would be on recorded data. Alternatively, we could set up a permanent test environment with users that have the necessary pre-reqs. It's also possible to automate this kind of user creation in our current, manual, test infrastructure.
- The right long term answer is to get the tests running in the recording framework. However, it is non-trivial to do so. I need some time to investigate what it takes to get us completely back in to the recording framework. I'd rather not invest significant effort in a temporary solution. I plan on looking in to fixing this the right way in Calcium.
- Without this fix it's possible for a user creating a new vault to inadvertently ACL it for someone other than the person running the CmdLet. While we show the policy created by the CmdLet as part of the output, if the person running it isn't paying attention they may end up with a policy that grants access to the vault that they didn't intend. This should be a very rare occurrence, but I would still like to get this fix out soon. Blocking the release of this fix on test infrastructure investments could significantly delay it.
The risk of having this test disabled is small. The code that does the lookup by email is factored out in to it's own method that is not shared by any other code path.
I may have missed something, and of course I am open to other suggestions.
There was a problem hiding this comment.
There was a problem hiding this comment.
By the way, I ran the test before disabling it. I have verified that the feature works as intended.
| ValueFromPipelineByPropertyName = true, | ||
| HelpMessage = "Specifies the email address of the user in Azure Active Directory for which to grant permissions.")] | ||
| [ValidateNotNullOrEmpty()] | ||
| public string Mail { get; set; } |
There was a problem hiding this comment.
@RandalliLama can we rename this parameter to EmailAddress? This seems to be the pattern for a few other KeyVault cmdlets that have a parameter for email address
| ValueFromPipelineByPropertyName = true, | ||
| HelpMessage = "Specifies the email address of the user in Azure Active Directory for which to grant permissions.")] | ||
| [ValidateNotNullOrEmpty()] | ||
| public string Mail { get; set; } |
| @@ -230,6 +236,20 @@ Accept pipeline input: True (ByPropertyName) | |||
| Accept wildcard characters: False | |||
| ``` | |||
|
|
|||
There was a problem hiding this comment.
@RandalliLama if you do change this parameter to EmailAddress, the markdown documentation will need to be updated
| [Parameter(Mandatory = false, | ||
| ParameterSetName = ByEmail, | ||
| ValueFromPipelineByPropertyName = true, | ||
| HelpMessage = "Specifies key operation permissions to grant to a user or service principal.")] |
There was a problem hiding this comment.
@RandalliLama "Specifies secret operation permissions..."
| [Parameter(Mandatory = false, | ||
| ParameterSetName = ByEmail, | ||
| ValueFromPipelineByPropertyName = true, | ||
| HelpMessage = "Specifies key operation permissions to grant to a user or service principal.")] |
There was a problem hiding this comment.
@RandalliLama "Specifies certificate operation permissions..."
| -Mail <String> [-PermissionsToKeys <String[]>] [-PermissionsToSecrets <String[]>] | ||
| [-PermissionsToCertificates <String[]>] [-PermissionsToStorage <String[]>] [-PassThru] [-WhatIf] [-Confirm] | ||
| [<CommonParameters>] | ||
|
|
There was a problem hiding this comment.
You need to close the triple backtick here:
```
| @@ -414,4 +414,7 @@ You can find the object ID using Azure Active Directory Module for Windows Power | |||
| <data name="InvalidSasPermission" xml:space="preserve"> | |||
| <value>Invalid Sas permission '{0}'.</value> | |||
| </data> | |||
| <data name="ADObjectAmbiguous" xml:space="preserve"> | |||
| <value>The Email argument specified, '{1}', matches multiple objects in the Azure Active Directory tenant '{2}'. Please use -UserPrincipalName to narrow down the the filter to a single object. The TenantID displayed by the cmdlet 'Get-AzureRmContext' is the current subscription's Azure Active directory.</value> | |||
There was a problem hiding this comment.
"narrow down the the filter" -> "narrow down the filter"
There was a problem hiding this comment.
Consider ensuring that the casing of AAD is consistent.
First it's Azure Active _D_irectory, then it's Azure Active __d__irectory.
|
@cormacpayne I've addressed all your comments. I've also enabled the new test by default. |
|
@adarce Thanks for the review. I've addressed your comments as well. |
| -EmailAddress <String> [-PermissionsToKeys <String[]>] [-PermissionsToSecrets <String[]>] | ||
| [-PermissionsToCertificates <String[]>] [-PermissionsToStorage <String[]>] [-PassThru] [-WhatIf] [-Confirm] | ||
| [<CommonParameters>] | ||
|
|
There was a problem hiding this comment.
This is still missing some closing triple backticks. View the rendered markdown here:
There was a problem hiding this comment.
@adarce I could only find a single instance of missing back ticks. Are there more?
There was a problem hiding this comment.
@RandalliLama That's it as far as what you introduced in to this PR. However, it looks like there's some more broken markdown in the same file that got introduced when PermissionsToStorage was added.
There needs to be a couple of newlines after "service principal." and before the triple backticks here:
https://github.com/RandalliLama/azure-powershell/blame/8a0fc06eadee571cc013612cd6d90f1ff0248998/src/ResourceManager/KeyVault/Commands.KeyVault/help/Set-AzureRmKeyVaultAccessPolicy.md#L370
|
@RandalliLama this is good to merge from our side; just need sign-off from your team. Once this gets merged, let's open an issue to track enabling the KeyVault tests. |
There was a problem hiding this comment.
@RandalliLama would you mind updating the change log with a brief description of what was changed in this PR under the Current Release header?
There was a problem hiding this comment.
@RandalliLama we bump the versions during the release process, so you can revert the changes you made to the version numbers in the three files mentioned. Other than that, LGTM
| @@ -12,7 +12,7 @@ | |||
| # RootModule = '' | |||
|
|
|||
| # Version number of this module. | |||
| ModuleVersion = '3.1.0' | |||
| ModuleVersion = '3.2.0' | |||
There was a problem hiding this comment.
@RandalliLama we will bump the versions during the release, so you can revert this change
| // by using the '*' as shown below: | ||
|
|
||
| [assembly: AssemblyVersion( "3.0.0.0" )] | ||
| [assembly: AssemblyFileVersion("3.1.0")] | ||
| [assembly: AssemblyFileVersion("3.2.0")] |
There was a problem hiding this comment.
@RandalliLama please revert this change to the version
| [assembly: AssemblyVersion("3.1.0")] | ||
| [assembly: AssemblyFileVersion("3.1.0")] | ||
| [assembly: AssemblyVersion("3.2.0")] | ||
| [assembly: AssemblyFileVersion("3.2.0")] |
There was a problem hiding this comment.
@RandalliLama please revert the changes made to version numbers in this file
Description
Before this change, when a UPN argument is passed to one of the vault policy cmdlets the query for object id would include email addresses as well. After this change UPN will mean UPN and there will be a seperate email argument if the user wants to look up the object id by email address.
This checklist is used to make sure that common guidelines for a pull request are followed. You can find a more complete discussion of PowerShell cmdlet best practices here.
General Guidelines
Testing Guidelines
Cmdlet Signature Guidelines
ShouldProcessand haveSupportShouldProcess=truespecified in the cmdlet attribute. You can find more information onShouldProcesshere.OutputTypeattribute if any output is produced - if the cmdlet produces no output, it should implement aPassThruparameter.Cmdlet Parameter Guidelines