Merge pull request Azure#4389 from liangyong79/preview

Add-AzureAnalysisServicesAccount to support login with Service Principal

Author: markcowl

src/ResourceManager/AnalysisServices/ChangeLog.md

@@ -24,6 +24,7 @@
     - Enable to set/disable backup blob container for backup/restore Azure Analysis Services Server
 * Updated Sku lookup in New-AzureRmAnalysisServicesServer and Set-AzureRmAnalysisServicesServer
     - Changed hard coded Sku into dynamic lookup.
+* Add-AzureAnalysisServicesAccount to support login with Service Principal
 
 ## Version 0.4.2
 

src/ResourceManager/AnalysisServices/Commands.AnalysisServices.Dataplane/Commands/AddAzureASAccount.cs

@@ -28,19 +28,54 @@ namespace Microsoft.Azure.Commands.AnalysisServices.Dataplane
     /// <summary>
     /// Cmdlet to log into an Analysis Services environment
     /// </summary>
-    [Cmdlet("Add", "AzureAnalysisServicesAccount", SupportsShouldProcess=true)]
+    [Cmdlet("Add", "AzureAnalysisServicesAccount", DefaultParameterSetName = "UserParameterSetName", SupportsShouldProcess =true)]
     [Alias("Login-AzureAsAccount")]
     [OutputType(typeof(AsAzureProfile))]
     public class AddAzureASAccountCommand : AzurePSCmdlet, IModuleAssemblyInitializer
     {
-        [Parameter(Position = 0, Mandatory = false, HelpMessage = "Name of the Azure Analysis Services environment to which to logon to")]
+        private const string UserParameterSet = "UserParameterSetName";
+        private const string ServicePrincipalWithPasswordParameterSet = "ServicePrincipalWithPasswordParameterSetName";
+        private const string ServicePrincipalWithCertificateParameterSet = "ServicePrincipalWithCertificateParameterSetName";
+
+        [Parameter(ParameterSetName = UserParameterSet,
+            Mandatory = false, HelpMessage = "Name of the Azure Analysis Services environment to which to logon to", Position = 0)]
+        [Parameter(ParameterSetName = ServicePrincipalWithPasswordParameterSet,
+            Mandatory = true, HelpMessage = "Name of the Azure Analysis Services environment to which to logon to")]
+        [Parameter(ParameterSetName = ServicePrincipalWithCertificateParameterSet,
+            Mandatory = true, HelpMessage = "Name of the Azure Analysis Services environment to which to logon to")]
         public string RolloutEnvironment { get; set; }
-        
-        [Parameter(Position = 1, Mandatory = false, HelpMessage = "Login credentials to the Azure Analysis Services environment")]
+
+        [Parameter(ParameterSetName = UserParameterSet,
+            Mandatory = false, HelpMessage = "Login credentials to the Azure Analysis Services environment", Position = 1)]
+        [Parameter(ParameterSetName = ServicePrincipalWithPasswordParameterSet,
+            Mandatory = true, HelpMessage = "Login credentials to the Azure Analysis Services environment")]
         public PSCredential Credential { get; set; }
 
+        [Parameter(ParameterSetName = ServicePrincipalWithPasswordParameterSet,
+            Mandatory = true)]
+        [Parameter(ParameterSetName = ServicePrincipalWithCertificateParameterSet,
+            Mandatory = true)]
+        public SwitchParameter ServicePrincipal { get; set; }
+
+        [Parameter(ParameterSetName = ServicePrincipalWithPasswordParameterSet,
+            Mandatory = true, HelpMessage = "Tenant name or ID")]
+        [Parameter(ParameterSetName = ServicePrincipalWithCertificateParameterSet,
+            Mandatory = true, HelpMessage = "Tenant name or ID")]
+        [ValidateNotNullOrEmpty]
+        public string TenantId { get; set; }
+
+        [Parameter(ParameterSetName = ServicePrincipalWithCertificateParameterSet,
+            Mandatory = true, HelpMessage = "The application ID.")]
+        [ValidateNotNullOrEmpty]
+        public string ApplicationId { get; set; }
+
+        [Parameter(ParameterSetName = ServicePrincipalWithCertificateParameterSet,
+            Mandatory = true, HelpMessage = "Certificate Hash (Thumbprint)")]
+        [ValidateNotNullOrEmpty]
+        public string CertificateThumbprint { get; set; }
+
         protected AsAzureEnvironment AsEnvironment;
-           
+
         protected override IAzureContext DefaultContext
         {
             get
@@ -83,9 +118,30 @@ protected override void InitializeQosEvent()
             // nothing to do here.
         }
 
+        protected override void SetupDebuggingTraces()
+        {
+            // nothing to do here.
+        }
+
+        protected override void TearDownDebuggingTraces()
+        {
+            // nothing to do here.
+        }
+
+        protected override void SetupHttpClientPipeline()
+        {
+            // nothing to do here.
+        }
+
+        protected override void TearDownHttpClientPipeline()
+        {
+            // nothing to do here.
+        }
+
         public override void ExecuteCmdlet()
         {
             AsAzureAccount azureAccount = new AsAzureAccount();
+            azureAccount.Type = ServicePrincipal ? AsAzureAccount.AccountType.ServicePrincipal : AsAzureAccount.AccountType.User;
 
             SecureString password = null;
             if (Credential != null)
@@ -94,6 +150,20 @@ public override void ExecuteCmdlet()
                 password = Credential.Password;
             }
 
+            if (ServicePrincipal)
+            {
+                azureAccount.Tenant = TenantId;
+
+                if (!string.IsNullOrEmpty(ApplicationId))
+                {
+                    azureAccount.Id = ApplicationId;
+                }
+                if (!string.IsNullOrEmpty(CertificateThumbprint))
+                {
+                    azureAccount.CertificateThumbprint = CertificateThumbprint;
+                }
+            }
+
             if (ShouldProcess(string.Format(Resources.LoginTarget, AsEnvironment.Name), "log in"))
             {
                 var currentProfile = AsAzureClientSession.Instance.Profile;

src/ResourceManager/AnalysisServices/Commands.AnalysisServices.Dataplane/Models/AsAzureAccount.cs

@@ -24,5 +24,18 @@ public partial class AsAzureAccount
         public string UniqueId { get; set; }
 
         public string Tenant { get; set; }
+
+        public string Type { get; set; }
+
+        public string CertificateThumbprint { get; set; }
+
+        /// <summary>
+        /// string constants for known credential types
+        /// </summary>
+        public static class AccountType
+        {
+            public const string User = "User",
+            ServicePrincipal = "ServicePrincipal";
+        }
     }
 }

src/ResourceManager/AnalysisServices/Commands.AnalysisServices.Dataplane/Models/AsAzureAuthenticationProvider.cs

@@ -20,6 +20,8 @@
 using System.Text;
 using System.Threading.Tasks;
 using Microsoft.IdentityModel.Clients.ActiveDirectory;
+using Microsoft.WindowsAzure.Commands.Common;
+using Microsoft.WindowsAzure.Commands.Common.Properties;
 
 namespace Microsoft.Azure.Commands.AnalysisServices.Dataplane.Models
 {
@@ -52,7 +54,7 @@ public string GetAadAuthenticatedToken(AsAzureContext asAzureContext, SecureStri
                 AsAzureClientSession.TokenCache);
 
             AuthenticationResult result = null;
-            if (password == null)
+            if (password == null && asAzureContext.Account.Type == AsAzureAccount.AccountType.User)
             {
                 if (asAzureContext.Account.Id != null)
                 {
@@ -74,13 +76,35 @@ public string GetAadAuthenticatedToken(AsAzureContext asAzureContext, SecureStri
             }
             else
             {
-                UserCredential userCredential = new UserCredential(asAzureContext.Account.Id, password);
-                result = authenticationContext.AcquireToken(resourceUri, clientId, userCredential);
-            }
+                if (asAzureContext.Account.Type == AsAzureAccount.AccountType.User)
+                {
+                    UserCredential userCredential = new UserCredential(asAzureContext.Account.Id, password);
+                    result = authenticationContext.AcquireToken(resourceUri, clientId, userCredential);
 
-            asAzureContext.Account.Id = result.UserInfo.DisplayableId;
-            asAzureContext.Account.Tenant = result.TenantId;
-            asAzureContext.Account.UniqueId = result.UserInfo.UniqueId;
+                    asAzureContext.Account.Id = result.UserInfo.DisplayableId;
+                    asAzureContext.Account.Tenant = result.TenantId;
+                    asAzureContext.Account.UniqueId = result.UserInfo.UniqueId;
+                }
+                else if (asAzureContext.Account.Type == AsAzureAccount.AccountType.ServicePrincipal)
+                {
+                    if (string.IsNullOrEmpty(asAzureContext.Account.CertificateThumbprint))
+                    {
+                        ClientCredential credential = new ClientCredential(asAzureContext.Account.Id, password);
+                        result = authenticationContext.AcquireToken(resourceUri, credential);
+                    }
+                    else
+                    {
+                        DiskDataStore dataStore = new DiskDataStore();
+                        var certificate = dataStore.GetCertificate(asAzureContext.Account.CertificateThumbprint);
+                        if (certificate == null)
+                        {
+                            throw new ArgumentException(string.Format(Resources.CertificateNotFoundInStore, asAzureContext.Account.CertificateThumbprint));
+                        }
+
+                        result = authenticationContext.AcquireToken(resourceUri, new ClientAssertionCertificate(asAzureContext.Account.Id, certificate));
+                    }
+                }
+            }
 
             return result.AccessToken;
         }

src/ResourceManager/AnalysisServices/Commands.AnalysisServices.Dataplane/help/Add-AzureAnalysisServicesAccount.md

@@ -1,5 +1,5 @@
 ---
-external help file: Microsoft.Azure.Commands.AnalysisServices.Dataplane.dll-help.xml
+external help file: Microsoft.Azure.Commands.AnalysisServices.Dataplane.dll-Help.xml
 online version: 
 schema: 2.0.0
 ---
@@ -11,9 +11,22 @@ Adds an authenticated account to use for Azure Analysis Services server cmdlet r
 
 ## SYNTAX
 
+### UserParameterSetName (Default)
 ```
-Add-AzureAnalysisServicesAccount [-RolloutEnvironment] <String> [[-Credential] <PSCredential>] [-WhatIf]
- [-Confirm]
+Add-AzureAnalysisServicesAccount [[-RolloutEnvironment] <String>] [[-Credential] <PSCredential>] [-WhatIf]
+ [-Confirm] [<CommonParameters>]
+```
+
+### ServicePrincipalWithPasswordParameterSetName
+```
+Add-AzureAnalysisServicesAccount [-RolloutEnvironment] <String> [-Credential] <PSCredential>
+ [-ServicePrincipal] -TenantId <String> [-WhatIf] [-Confirm] [<CommonParameters>]
+```
+
+### ServicePrincipalWithCertificateParameterSetName
+```
+Add-AzureAnalysisServicesAccount [-RolloutEnvironment] <String> [-ServicePrincipal] -TenantId <String>
+ -ApplicationId <String> -CertificateThumbprint <String> [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -30,14 +43,60 @@ Credential: $UserCredential
 
 This example will add the account specified by the $UserCredential variable to the westcentralus.asazure.windows.net Analysis Services environment.
 
+### Example 2
+```
+PS C:\>$ApplicationCredential = Get-Credential
+PS C:\>Add-AzureAnalysisServicesAccount -RolloutEnvironment 'westcentralus.asazure.windows.net' -ServicePrincipal -Credential $ApplicationCredential -TenantId "xxxx-xxxx-xxxx-xxxx"
+```
+
+The first command gets the application service principal credentials, and then stores them in the $ApplicationCredential variable.
+The second command add the application service principal account specified by the $ApplicationCredential variable and TenantId to the westcentralus.asazure.windows.net Analysis Services environment.
+
+### Example 3
+```
+PS C:\>Add-AzureAnalysisServicesAccount -RolloutEnvironment 'westcentralus.asazure.windows.net' -ServicePrincipal -ApplicationId "yyyy-yyyy-yyyy-yyyy" -CertificateThumbprint 'zzzzzzzzzzzzzzzz' -TenantId "xxxx-xxxx-xxxx-xxxx"
+```
+
+This example will add the application service principal account specified by the ApplicationId, TenantId and CertificateThumbprint to the westcentralus.asazure.windows.net Analysis Services environment.
+
 ## PARAMETERS
 
+### -ApplicationId
+The application ID.
+
+```yaml
+Type: String
+Parameter Sets: ServicePrincipalWithCertificateParameterSetName
+Aliases: 
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CertificateThumbprint
+Certificate Hash (Thumbprint)
+
+```yaml
+Type: String
+Parameter Sets: ServicePrincipalWithCertificateParameterSetName
+Aliases: 
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Credential
 Login credentials
 
 ```yaml
 Type: PSCredential
-Parameter Sets: (All)
+Parameter Sets: UserParameterSetName
 Aliases: 
 
 Required: False
@@ -47,12 +106,36 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+```yaml
+Type: PSCredential
+Parameter Sets: ServicePrincipalWithPasswordParameterSetName
+Aliases: 
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -RolloutEnvironment
 Name of the Azure Analysis Services environment to which to logon to. Given the full name of the server for example asazure://westcentralus.asazure.windows.net/testserver , the correct value for this variable will be westcentralus.asazure.windows.net
 
 ```yaml
 Type: String
-Parameter Sets: (All)
+Parameter Sets: UserParameterSetName
+Aliases: 
+
+Required: False
+Position: 0
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+```yaml
+Type: String
+Parameter Sets: ServicePrincipalWithPasswordParameterSetName, ServicePrincipalWithCertificateParameterSetName
 Aliases: 
 
 Required: True
@@ -62,6 +145,36 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -ServicePrincipal
+Indicates that this account authenticates by providing service principal credentials.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ServicePrincipalWithPasswordParameterSetName, ServicePrincipalWithCertificateParameterSetName
+Aliases: 
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TenantId
+Tenant name or ID
+
+```yaml
+Type: String
+Parameter Sets: ServicePrincipalWithPasswordParameterSetName, ServicePrincipalWithCertificateParameterSetName
+Aliases: 
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -Confirm
 Prompts you for confirmation before running the cmdlet.
 
@@ -93,6 +206,9 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
+
 ## INPUTS
 
 ## OUTPUTS

src/ResourceManager/AnalysisServices/Commands.AnalysisServices.Test/ScenarioTests/AsTests.cs

@@ -65,5 +65,12 @@ public void TestAnalysisServicesServerRestart()
         {
             NewInstance.RunPsTest("Test-AnalysisServicesServerRestart");
         }
+
+        [Fact]
+        [Trait(Category.ServiceManagement, Category.LiveOnly)]
+        public void TestAnalysisServicesServerLoginWithSPN()
+        {
+            NewInstance.RunPsTest("Test-AnalysisServicesServerLoginWithSPN");
+        }
     }
 }