Merge pull request Azure#5023 from darshanhs90/preview

update New Roleassignment creation calls to have delegation flag

Author: cormacpayne

setup/azurecmdfiles.wxi

@@ -1206,6 +1206,9 @@
                         <Component Id="cmpEDD37ABAAA61D07995A186AEF9E62727" Guid="*">
                             <File Id="filDCDBE738CB8210E371547BD5AC4CCB6C" KeyPath="yes" Source="$(var.sourceDir)\ResourceManager\AzureResourceManager\AzureRM.Resources\Microsoft.Azure.Commands.Resources.format.ps1xml" />
                         </Component>
+                        <Component Id="cmpEE349C51ED897F3FA2EB83EC1B30FE67" Guid="*">
+                            <File Id="fil9477562706B70731726149EAF65B1FB8" KeyPath="yes" Source="$(var.sourceDir)\ResourceManager\AzureResourceManager\AzureRM.Resources\Microsoft.Azure.Management.Authorization.dll" />
+                        </Component>
                         <Component Id="cmpF4C5AB0BA43DC11E22F9BA4B39EEB532" Guid="*">
                             <File Id="filFBCFA6A78D2871F4657A269FF2DFE1E5" KeyPath="yes" Source="$(var.sourceDir)\ResourceManager\AzureResourceManager\AzureRM.Resources\Microsoft.Azure.Management.ResourceManager.dll" />
                         </Component>
@@ -3462,6 +3465,7 @@
             <ComponentRef Id="cmpEAECD7C56D29DB281ACD2868F2194EDB" />
             <ComponentRef Id="cmp0714732719C5405F2BCE5004F205B22E" />
             <ComponentRef Id="cmpEDD37ABAAA61D07995A186AEF9E62727" />
+            <ComponentRef Id="cmpEE349C51ED897F3FA2EB83EC1B30FE67" />
             <ComponentRef Id="cmpF4C5AB0BA43DC11E22F9BA4B39EEB532" />
             <ComponentRef Id="cmp8F0D94EDAEEDE0C50766C20F5F1D03D9" />
             <ComponentRef Id="cmp890B1E2923E26CE2A15A652293EA92BE" />

src/ResourceManager/Resources/AzureRM.Resources.psd1

@@ -54,8 +54,9 @@ CLRVersion = '4.0'
 RequiredModules = @(@{ModuleName = 'AzureRM.Profile'; ModuleVersion = '4.0.0'; })
 
 # Assemblies that must be loaded prior to importing this module
-RequiredAssemblies = '.\Microsoft.Azure.Management.ResourceManager.dll', 
-               '.\Microsoft.Azure.ResourceManager.dll'
+RequiredAssemblies = '.\Microsoft.Azure.Management.ResourceManager.dll',
+                     '.\Microsoft.Azure.ResourceManager.dll',
+                     '.\Microsoft.Azure.Management.Authorization.dll'
 
 # Script files (.ps1) that are run in the caller's environment prior to importing this module.
 # ScriptsToProcess = @()

src/ResourceManager/Resources/ChangeLog.md

@@ -26,6 +26,8 @@
     - Users can now use Set-AzureRMRoleRoleDefinition with assignable scopes including new scopes irrespective of the position of the scope
 * Allow scopes to end with "/"
     - Users can now use RoleDefinition and RoleAssignment commandlets with scopes ending with "/" ,consistent with API and CLI
+* Allow users to create RoleAssignment using delegation flag
+    - Users can now use New-AzureRMRoleAssignment with an option of adding the delegation flag
 * Fix RoleAssignment get to respect the scope parameter
 
 ## Version 5.0.0

src/ResourceManager/Resources/Commands.Resources.Test/Commands.Resources.Test.csproj

@@ -61,6 +61,9 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\..\packages\Microsoft.Azure.Graph.RBAC.3.4.0-preview\lib\net452\Microsoft.Azure.Graph.RBAC.dll</HintPath>
     </Reference>
+    <Reference Include="Microsoft.Azure.Management.Authorization, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.2.6.0-preview\lib\net452\Microsoft.Azure.Management.Authorization.dll</HintPath>
+    </Reference>
     <Reference Include="Microsoft.Azure.Insights">
       <HintPath>..\..\..\packages\Microsoft.Azure.Insights.0.10.0-preview\lib\net45\Microsoft.Azure.Insights.dll</HintPath>
     </Reference>
@@ -246,10 +249,6 @@
       <Project>{d3804b64-c0d3-48f8-82ec-1f632f833c9e}</Project>
       <Name>Commands.Common.Authentication</Name>
     </ProjectReference>
-    <ProjectReference Include="..\..\..\Common\Commands.Common.Authorization\Commands.Common.Authorization.csproj">
-      <Project>{24508e26-154d-47f1-80ee-439bf0710996}</Project>
-      <Name>Commands.Common.Authorization</Name>
-    </ProjectReference>
     <ProjectReference Include="..\..\..\Common\Commands.Common.Graph.RBAC\Commands.Common.Graph.RBAC.csproj">
       <Project>{269acf73-0a34-42dc-ab9c-4b15931a489d}</Project>
       <Name>Commands.Common.Graph.RBAC</Name>
@@ -712,6 +711,9 @@
     <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.RoleAssignmentTests\RaPropertiesValidation.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
+    <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.RoleAssignmentTests\RaDelegation.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
     <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.RoleAssignmentTests\RaGetByScope.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>

src/ResourceManager/Resources/Commands.Resources.Test/Models.ResourceGroups/ResourceClientTests.cs

@@ -27,7 +27,7 @@
 using Microsoft.Azure.Commands.ResourceManager.Cmdlets.SdkModels;
 using Microsoft.Azure.Commands.Resources.Models;
 using Microsoft.Azure.Commands.ScenarioTest;
-using Microsoft.Azure.Management.Authorization.Version2015_07_01;
+using Microsoft.Azure.Management.Authorization;
 using Microsoft.Azure.Management.ResourceManager;
 using Microsoft.Azure.Management.ResourceManager.Models;
 using Microsoft.Rest.Azure;

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/ResourcesController.cs

@@ -23,7 +23,7 @@
 using Microsoft.Azure.Commands.ResourceManager.Cmdlets.Extensions;
 using Microsoft.Azure.Graph.RBAC.Version1_6;
 using Microsoft.Azure.Insights;
-using Microsoft.Azure.Management.Authorization.Version2015_07_01;
+using Microsoft.Azure.Management.Authorization;
 using Microsoft.Azure.Management.ResourceManager;
 using Microsoft.Azure.Test.HttpRecorder;
 using Microsoft.Rest.ClientRuntime.Azure.TestFramework;

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/RoleAssignmentTests.cs

@@ -15,7 +15,7 @@
 
 using Microsoft.Azure.Graph.RBAC.Version1_6;
 using Microsoft.Azure.Graph.RBAC.Version1_6.Models;
-using Microsoft.Azure.Management.Authorization.Version2015_07_01;
+using Microsoft.Azure.Management.Authorization;
 using Microsoft.Azure.Management.ResourceManager;
 using Microsoft.Azure.Management.ResourceManager.Models;
 using Microsoft.Azure.ServiceManagemenet.Common.Models;
@@ -115,6 +115,13 @@ public void RaDeletionByScopeAtRootScope()
         {
             ResourcesController.NewInstance.RunPsTest("Test-RaDeletionByScopeAtRootScope");
         }
+        
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void RaDelegation()
+        {
+            ResourcesController.NewInstance.RunPsTest("Test-RaDelegation");
+        }
 
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/RoleAssignmentTests.ps1

@@ -18,15 +18,15 @@ Tests retrieval of classic administrators
 #>
 function Test-RaClassicAdmins
 {
-	# Setup
-	$subscription = Get-AzureRmSubscription
-
-	# Test
-	$classic =  Get-AzureRmRoleAssignment -IncludeClassicAdministrators  | Where-Object { $_.Scope -ieq ('/subscriptions/' + $subscription[0].Id) -and $_.RoleDefinitionName.ToLower().Contains('administrator')}	
-	
-	# Assert
-	Assert-NotNull $classic
-	Assert-True { $classic.Length -ge 1 }
+    # Setup
+    $subscription = Get-AzureRmSubscription
+
+    # Test
+    $classic =  Get-AzureRmRoleAssignment -IncludeClassicAdministrators  | Where-Object { $_.Scope -ieq ('/subscriptions/' + $subscription[0].Id) -and $_.RoleDefinitionName.ToLower().Contains('administrator')}   
+    
+    # Assert
+    Assert-NotNull $classic
+    Assert-True { $classic.Length -ge 1 }
 }
 
 <#
@@ -41,11 +41,11 @@ function Test-RaNegativeScenarios
     # Bad OID returns zero role assignments
     $badOid = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
     $badObjectResult = "Cannot find principal using the specified options"
-	$assignments = Get-AzureRmRoleAssignment -ObjectId $badOid
+    $assignments = Get-AzureRmRoleAssignment -ObjectId $badOid
     Assert-AreEqual 0 $assignments.Count
 
-	# Bad OID throws if Expand Principal Groups included
-	Assert-Throws { Get-AzureRmRoleAssignment -ObjectId $badOid -ExpandPrincipalGroups } $badObjectResult
+    # Bad OID throws if Expand Principal Groups included
+    Assert-Throws { Get-AzureRmRoleAssignment -ObjectId $badOid -ExpandPrincipalGroups } $badObjectResult
 
     # Bad UPN
     $badUpn = '[email protected]'
@@ -110,9 +110,9 @@ function Test-RaByScope
 
     # Assert
     Assert-NotNull $newAssignment
-    Assert-AreEqual	$definitionName $newAssignment.RoleDefinitionName 
-    Assert-AreEqual	$scope $newAssignment.Scope 
-    Assert-AreEqual	$users[0].DisplayName $newAssignment.DisplayName
+    Assert-AreEqual $definitionName $newAssignment.RoleDefinitionName 
+    Assert-AreEqual $scope $newAssignment.Scope 
+    Assert-AreEqual $users[0].DisplayName $newAssignment.DisplayName
 
     VerifyRoleAssignmentDeleted $newAssignment
 }
@@ -142,8 +142,8 @@ function Test-RaByResourceGroup
 
     # Assert
     Assert-NotNull $newAssignment
-    Assert-AreEqual	$definitionName $newAssignment.RoleDefinitionName 
-    Assert-AreEqual	$users[0].DisplayName $newAssignment.DisplayName
+    Assert-AreEqual $definitionName $newAssignment.RoleDefinitionName 
+    Assert-AreEqual $users[0].DisplayName $newAssignment.DisplayName
 
     VerifyRoleAssignmentDeleted $newAssignment
 }
@@ -177,8 +177,8 @@ function Test-RaByResource
 
     # Assert
     Assert-NotNull $newAssignment
-    Assert-AreEqual	$definitionName $newAssignment.RoleDefinitionName 
-    Assert-AreEqual	$groups[0].DisplayName $newAssignment.DisplayName
+    Assert-AreEqual $definitionName $newAssignment.RoleDefinitionName 
+    Assert-AreEqual $groups[0].DisplayName $newAssignment.DisplayName
 
     VerifyRoleAssignmentDeleted $newAssignment
 }
@@ -261,9 +261,9 @@ function Test-RaByServicePrincipal
 
     # Assert
     Assert-NotNull $newAssignment
-    Assert-AreEqual	$definitionName $newAssignment.RoleDefinitionName 
-    Assert-AreEqual	$scope $newAssignment.Scope 
-    Assert-AreEqual	$servicePrincipals[0].DisplayName $newAssignment.DisplayName
+    Assert-AreEqual $definitionName $newAssignment.RoleDefinitionName 
+    Assert-AreEqual $scope $newAssignment.Scope 
+    Assert-AreEqual $servicePrincipals[0].DisplayName $newAssignment.DisplayName
 
     VerifyRoleAssignmentDeleted $newAssignment
 }
@@ -282,7 +282,7 @@ function Test-RaByUpn
     Assert-AreEqual 1 $resourceGroups.Count "No resource group found. Unable to run the test."
 
     # Test
-	[Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient]::RoleAssignmentNames.Enqueue("f8dac632-b879-42f9-b4ab-df2aab22a149")
+    [Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient]::RoleAssignmentNames.Enqueue("f8dac632-b879-42f9-b4ab-df2aab22a149")
     $newAssignment = New-AzureRmRoleAssignment `
                         -SignInName $users[0].UserPrincipalName `
                         -RoleDefinitionName $definitionName `
@@ -293,8 +293,8 @@ function Test-RaByUpn
 
     # Assert
     Assert-NotNull $newAssignment
-    Assert-AreEqual	$definitionName $newAssignment.RoleDefinitionName 
-    Assert-AreEqual	$users[0].DisplayName $newAssignment.DisplayName
+    Assert-AreEqual $definitionName $newAssignment.RoleDefinitionName 
+    Assert-AreEqual $users[0].DisplayName $newAssignment.DisplayName
 
     VerifyRoleAssignmentDeleted $newAssignment
 }
@@ -305,11 +305,11 @@ function Test-RaUserPermissions
     param([string]$rgName, [string]$action) 
     # Test 
     $rg = Get-AzureRmResourceGroup
-	$errorMsg = "User should have access to only 1 RG. Found: {0}" -f $rg.Count
-	Assert-AreEqual 1 $rg.Count $errorMsg
+    $errorMsg = "User should have access to only 1 RG. Found: {0}" -f $rg.Count
+    Assert-AreEqual 1 $rg.Count $errorMsg
 
-	# User should not be able to create another RG as he doesnt have access to the subscription.
-	Assert-Throws{ New-AzureRmResourceGroup -Name 'NewGroupFromTest' -Location 'WestUS'}        
+    # User should not be able to create another RG as he doesnt have access to the subscription.
+    Assert-Throws{ New-AzureRmResourceGroup -Name 'NewGroupFromTest' -Location 'WestUS'}        
 }
 
 <#
@@ -430,6 +430,42 @@ function Test-RaPropertiesValidation
     VerifyRoleAssignmentDeleted $newAssignment
 }
 
+<#
+.SYNOPSIS
+Tests verifies creation and retrieval of a RoleAssignments using delegation flag
+#>
+function Test-RaDelegation
+{
+    # Setup
+    $definitionName = 'Reader'
+    $users = Get-AzureRmADUser | Select-Object -First 1 -Wait
+    $subscription = Get-AzureRmSubscription
+    $resourceGroups = Get-AzureRmResourceGroup | Select-Object -Last 1 -Wait
+    $scope = '/subscriptions/'+ $subscription[0].Id +'/resourceGroups/' + $resourceGroups[0].ResourceGroupName
+    $assignmentScope = $scope +"/"
+    Assert-AreEqual 1 $users.Count "There should be at least one user to run the test."
+    
+    # Test
+    [Microsoft.Azure.Commands.Resources.Models.Authorization.AuthorizationClient]::RoleAssignmentNames.Enqueue("f747531e-da33-43b9-b726-04675abf1939")
+    $newAssignment = New-AzureRmRoleAssignment `
+                        -ObjectId $users[0].Id.Guid `
+                        -RoleDefinitionName $definitionName `
+                        -Scope $assignmentScope `
+                        -AllowDelegation
+    
+    # Assert
+    Assert-NotNull $newAssignment
+    Assert-AreEqual $definitionName $newAssignment.RoleDefinitionName 
+    Assert-AreEqual $scope $newAssignment.Scope 
+    Assert-AreEqual $users[0].DisplayName $newAssignment.DisplayName
+    Assert-AreEqual $true $newAssignment.CanDelegate
+    
+    # cleanup 
+    DeleteRoleAssignment $newAssignment
+    
+    VerifyRoleAssignmentDeleted $newAssignment
+}
+
 <#
 .SYNOPSIS
 Tests verifies get of RoleAssignment by Scope