Merge pull request Azure#4102 from RandalliLama/email-param

Remove email addresses from UPN query in KeyVault Access Policy CmdLets.

Author: cormacpayne

src/ResourceManager/KeyVault/AzureRM.KeyVault.psd1

@@ -72,34 +72,34 @@ NestedModules = @('.\Microsoft.Azure.Commands.KeyVault.dll')
 FunctionsToExport = @()
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-CmdletsToExport = 'Add-AzureKeyVaultCertificate', 
-               'Set-AzureKeyVaultCertificateAttribute', 
-               'Stop-AzureKeyVaultCertificateOperation', 
-               'Get-AzureKeyVaultCertificateOperation', 
-               'Import-AzureKeyVaultCertificate', 
-               'Add-AzureKeyVaultCertificateContact', 
-               'Get-AzureKeyVaultCertificate', 
-               'Get-AzureKeyVaultCertificateContact', 
-               'Get-AzureKeyVaultCertificateIssuer', 
-               'New-AzureKeyVaultCertificatePolicy', 
-               'Remove-AzureKeyVaultCertificate', 
-               'Remove-AzureKeyVaultCertificateContact', 
-               'Remove-AzureKeyVaultCertificateIssuer', 
-               'Remove-AzureKeyVaultCertificateOperation', 
-               'Set-AzureKeyVaultCertificateIssuer', 
-               'Set-AzureKeyVaultCertificatePolicy', 'Get-AzureRmKeyVault', 
-               'New-AzureRmKeyVault', 'Remove-AzureRmKeyVault', 
-               'Undo-AzureRmKeyVaultRemoval', 'Remove-AzureRmKeyVaultAccessPolicy', 
-               'Set-AzureRmKeyVaultAccessPolicy', 'Backup-AzureKeyVaultKey', 
-               'Get-AzureKeyVaultKey', 'Get-AzureKeyVaultSecret', 
-               'Undo-AzureKeyVaultKeyRemoval', 'Undo-AzureKeyVaultSecretRemoval', 
-               'Add-AzureKeyVaultKey', 'Remove-AzureKeyVaultKey', 
-               'Remove-AzureKeyVaultSecret', 'Restore-AzureKeyVaultKey', 
-               'Set-AzureKeyVaultKeyAttribute', 'Set-AzureKeyVaultSecret', 
-               'Set-AzureKeyVaultSecretAttribute', 
-               'Get-AzureKeyVaultCertificatePolicy', 
-               'New-AzureKeyVaultCertificateAdministratorDetails', 
-               'New-AzureKeyVaultCertificateOrganizationDetails', 
+CmdletsToExport = 'Add-AzureKeyVaultCertificate',
+               'Set-AzureKeyVaultCertificateAttribute',
+               'Stop-AzureKeyVaultCertificateOperation',
+               'Get-AzureKeyVaultCertificateOperation',
+               'Import-AzureKeyVaultCertificate',
+               'Add-AzureKeyVaultCertificateContact',
+               'Get-AzureKeyVaultCertificate',
+               'Get-AzureKeyVaultCertificateContact',
+               'Get-AzureKeyVaultCertificateIssuer',
+               'New-AzureKeyVaultCertificatePolicy',
+               'Remove-AzureKeyVaultCertificate',
+               'Remove-AzureKeyVaultCertificateContact',
+               'Remove-AzureKeyVaultCertificateIssuer',
+               'Remove-AzureKeyVaultCertificateOperation',
+               'Set-AzureKeyVaultCertificateIssuer',
+               'Set-AzureKeyVaultCertificatePolicy', 'Get-AzureRmKeyVault',
+               'New-AzureRmKeyVault', 'Remove-AzureRmKeyVault',
+               'Undo-AzureRmKeyVaultRemoval', 'Remove-AzureRmKeyVaultAccessPolicy',
+               'Set-AzureRmKeyVaultAccessPolicy', 'Backup-AzureKeyVaultKey',
+               'Get-AzureKeyVaultKey', 'Get-AzureKeyVaultSecret',
+               'Undo-AzureKeyVaultKeyRemoval', 'Undo-AzureKeyVaultSecretRemoval',
+               'Add-AzureKeyVaultKey', 'Remove-AzureKeyVaultKey',
+               'Remove-AzureKeyVaultSecret', 'Restore-AzureKeyVaultKey',
+               'Set-AzureKeyVaultKeyAttribute', 'Set-AzureKeyVaultSecret',
+               'Set-AzureKeyVaultSecretAttribute',
+               'Get-AzureKeyVaultCertificatePolicy',
+               'New-AzureKeyVaultCertificateAdministratorDetails',
+               'New-AzureKeyVaultCertificateOrganizationDetails',
                'Backup-AzureKeyVaultSecret', 'Restore-AzureKeyVaultSecret',
                'Get-AzureKeyVaultManagedStorageAccount',
                'Add-AzureKeyVaultManagedStorageAccount',
@@ -157,7 +157,7 @@ PrivateData = @{
         # ExternalModuleDependencies = ''
 
     } # End of PSData hashtable
-    
+
  } # End of PrivateData hashtable
 
 # HelpInfo URI of this module

src/ResourceManager/KeyVault/ChangeLog.md

@@ -18,6 +18,8 @@
         - Additional information about change #1
 -->
 ## Current Release
+* Remove email address from the directory query when -UserPrincipalName is specified to the Set-AzureRMKeyVaultAccessPolicy and Remove-AzureRMKeyVaultAccessPolicy cmdlets.
+  - Both Cmdlets now have an -EmailAddress parameter that can be used instead of the -UserPrincipalName parameter when querying for email address is appropriate.  If there are more than one matching email addresses in the directory then the Cmdlet will fail.
 
 ## Version 3.1.0
 * New Cmdlets to support KeyVault Managed Storage Account Keys
@@ -38,10 +40,10 @@
 
 * Backup cmdlets for Keys and Secrets now accept a corresponding object as an input parameter
     - The caller may chain retrieval and backup operations: Get-AzureKeyVaultKey -VaultName myVault -Name myKey | Backup-AzureKeyVaultKey
-    
+
 * Backup cmdlets now support a -Force switch to overwrite an existing file
     - Note that attempting to overwrite an existing file will no longer throw, and will instead prompt the user for a choice on how to proceed.
-      
+
 ## Version 2.8.0
 
 ## Version 2.7.0

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Properties/AssemblyInfo.cs

@@ -17,7 +17,7 @@
 using System.Runtime.InteropServices;
 using Xunit;
 
-// General Information about an assembly is controlled through the following 
+// General Information about an assembly is controlled through the following
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle( "Microsoft.Azure.Commands.KeyVault.Test" )]
@@ -29,8 +29,8 @@
 [assembly: AssemblyTrademark( "" )]
 [assembly: AssemblyCulture( "" )]
 
-// Setting ComVisible to false makes the types in this assembly not visible 
-// to COM components.  If you need to access a type in this assembly from 
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
 // COM, set the ComVisible attribute to true on that type.
 [assembly: ComVisible( false )]
 
@@ -40,11 +40,11 @@
 // Version information for an assembly consists of the following four values:
 //
 //      Major Version
-//      Minor Version 
+//      Minor Version
 //      Build Number
 //      Revision
 //
-// You can specify all the values or you can default the Build and Revision Numbers 
+// You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 
 [assembly: AssemblyVersion( "3.0.0.0" )]

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/ControlPlane/KeyVaultManagementTests.ps1

@@ -440,6 +440,26 @@ function Test-SetRemoveAccessPolicyByUPN
     Assert-AreEqual 0 $vault.AccessPolicies.Count
 }
 
+function Test-SetRemoveAccessPolicyByEmailAddress
+{
+    Param($existingVaultName, $rgName, $email, $upn)
+
+    $PermToKeys = @("encrypt", "decrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore")
+    $PermToSecrets = @("get", "list", "set", "delete")
+    $PermToCertificates = @("get", "list", "create", "delete")
+    $PermToStorage = @("get", "list", "delete")
+
+    $vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -EmailAddress $email -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PermissionsToCertificates $PermToCertificates -PermissionsToStorage $PermToStorage -PassThru
+
+    CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets $PermToCertificates $PermToStorage
+    if (-not $global:noADCmdLetMode) {
+        Assert-AreEqual  $vault.AccessPolicies[0].ObjectId (Get-AzureRmADUser -Mail $upn).Id
+    }
+
+    $vault = Remove-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -EmailAddress $email -PassThru
+    Assert-AreEqual 0 $vault.AccessPolicies.Count
+}
+
 function Test-SetRemoveAccessPolicyBySPN
 {
     Param($existingVaultName, $rgName, $spn)

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/RunKeyVaultTests.ps1

@@ -183,6 +183,7 @@ function Run-AllControlPlaneTests
     {
         Run-TestProtected { Run-VaultTest { Test_CreateNewPremiumVaultEnabledForDeployment } "Test_CreateNewPremiumVaultEnabledForDeployment" } "Test_CreateNewPremiumVaultEnabledForDeployment"
     }
+
     Run-TestProtected { Run-VaultTest { Test_CreateNewVault } "Test_CreateNewVault" } "Test_CreateNewVault"
     Run-TestProtected { Run-VaultTest { Test_RecreateVaultFails } "Test_RecreateVaultFails" } "Test_RecreateVaultFails"
     Run-TestProtected { Run-VaultTest { Test_CreateVaultInUnknownResGrpFails } "Test_CreateVaultInUnknownResGrpFails" } "Test_CreateVaultInUnknownResGrpFails"
@@ -211,6 +212,10 @@ function Run-AllControlPlaneTests
 
     # Set-AzureRmKeyVaultAccessPolicy & Remove-AzureRmKeyVaultAccessPolicy tests.
     Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByUPN } "Test_SetRemoveAccessPolicyByUPN" } "Test_SetRemoveAccessPolicyByUPN"
+
+    # This test will fail for users that do not have the same email address as their UPN.
+    Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByEmailAddress } "Test_SetRemoveAccessPolicyByEmailAddress" } "Test_SetRemoveAccessPolicyByEmailAddress"
+
     Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyBySPN } "Test_SetRemoveAccessPolicyBySPN" } "Test_SetRemoveAccessPolicyBySPN"
     Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByObjectId } "Test_SetRemoveAccessPolicyByObjectId" } "Test_SetRemoveAccessPolicyByObjectId"
     Run-TestProtected { Run-VaultTest { Test_SetRemoveAccessPolicyByBypassObjectIdValidation } "Test_SetRemoveAccessPolicyByBypassObjectIdValidation" } "Test_SetRemoveAccessPolicyByBypassObjectIdValidation"
@@ -222,7 +227,7 @@ function Run-AllControlPlaneTests
     Run-TestProtected { Run-VaultTest { Test_ModifyAccessPolicyNegativeCases } "Test_ModifyAccessPolicyNegativeCases" } "Test_ModifyAccessPolicyNegativeCases"
     Run-TestProtected { Run-VaultTest { Test_RemoveNonExistentAccessPolicyDoesNotThrow } "Test_RemoveNonExistentAccessPolicyDoesNotThrow" } "Test_RemoveNonExistentAccessPolicyDoesNotThrow"
     Run-TestProtected { Run-VaultTest { Test_AllPermissionExpansion } "Test_AllPermissionExpansion" } "Test_AllPermissionExpansion"
-    
+
 
     # Piping tests.
     Run-TestProtected { Run-VaultTest { Test_CreateDeleteVaultWithPiping } "Test_CreateDeleteVaultWithPiping" } "Test_CreateDeleteVaultWithPiping"
@@ -237,7 +242,7 @@ function Run-AllDataPlaneTests
     Write-Host "Starting the data plane tests..."
 
     # All operations that invlove soft delete
-    if($global:softDeleteEnabled -eq $true) 
+    if($global:softDeleteEnabled -eq $true)
     {
         # Key soft delete tests
         Run-TestProtected { Run-KeyTest {Test_GetDeletedKey} "Test_GetDeletedKey" } "Test_GetDeletedKey"
@@ -268,7 +273,7 @@ function Run-AllDataPlaneTests
         Run-TestProtected { Run-KeyTest {Test_ImportPfxAsHsmWithDefaultAttributes} "Test_ImportPfxAsHsmWithDefaultAttributes" } "Test_ImportPfxAsHsmWithDefaultAttributes"
         Run-TestProtected { Run-KeyTest {Test_ImportPfxAsHsmWithCustomAttributes} "Test_ImportPfxAsHsmWithCustomAttributes" } "Test_ImportPfxAsHsmWithCustomAttributes"
 
-        # All operations involving BYOK keys. For these tests to run correctly, the user running the tests 
+        # All operations involving BYOK keys. For these tests to run correctly, the user running the tests
         # must have a subscription ID that matches the subscription ID of the person who initially
         # generated the dummy *.byok files located in the proddata folder.
         #
@@ -478,7 +483,7 @@ try
             Restore-VaultResource $oldVaultResource
         }
     }
-    
+
     if (@('DataPlane', 'All') -contains $TestMode)
     {
         $oldVaultResource = Get-VaultResource

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/VaultManagementTests.ps1

@@ -126,6 +126,14 @@ function Test_SetRemoveAccessPolicyByUPN
     Test-SetRemoveAccessPolicyByUPN $global:testVault $global:resourceGroupName $user
 }
 
+function Test_SetRemoveAccessPolicyByEmailAddress
+{
+    # ASSUMPTION: The logged in users UPN is the same as their email address.
+    $user = (Get-AzureRmContext).Account.Id
+    Reset-PreCreatedVault
+    Test-SetRemoveAccessPolicyByEmailAddress $global:testVault $global:resourceGroupName $user $user
+}
+
 function Test_SetRemoveAccessPolicyBySPN
 {
     Reset-PreCreatedVault
@@ -230,7 +238,7 @@ function Test_AllPermissionExpansion
 {
     Reset-PreCreatedVault
     $user = (Get-AzureRmContext).Account.Id
-    Test-AllPermissionExpansion $global:testVault $global:resourceGroupName $user 
+    Test-AllPermissionExpansion $global:testVault $global:resourceGroupName $user
 }
 
 #-------------------------------------------------------------------------------------
@@ -330,7 +338,7 @@ function Initialize-TemporaryState
     {
         Write-Host "Skipping resource group creation since the resource group $global:resourceGroupName is already provided."
     }
-    
+
     if ($global:testVault -ne "" -and $global:testVault -ne $null)
     {
         Write-Host "Skipping vault creation since the vault $global:testVault is already provided."
@@ -339,7 +347,7 @@ function Initialize-TemporaryState
 
     # Create a vault using ARM.
     $vaultName = Get-VaultName $suffix
-    $tenantId = (Get-AzureRmContext).Tenant.TenantId
+    $tenantId = (Get-AzureRmContext).Tenant.Id
     $sku = "premium"
     if ($global:standardVaultOnly)
     {
@@ -446,7 +454,7 @@ function Cleanup-TemporaryState([bool]$tempResourceGroup, [bool]$tempVault)
     elseif ($tempVault)
     {
         Write-Host "Starting the deletion of the temporary vault. This can take a minute or so..."
-        $vaultRemoved = Remove-AzureRmKeyVault -VaultName $global:testVault -Force -Confirm:$false
+        $vaultRemoved = Remove-AzureRmKeyVault -VaultName $global:testVault -ResourceGroupName $global:resourceGroupname -Force -Confirm:$false
         if ($vaultRemoved)
         {
             $global:testVault = ""

src/ResourceManager/KeyVault/Commands.KeyVault/Commands/RemoveAzureKeyVaultAccessPolicy.cs

@@ -31,6 +31,7 @@ public class RemoveAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
         private const string ByObjectId = "ByObjectId";
         private const string ByServicePrincipalName = "ByServicePrincipalName";
         private const string ByUserPrincipalName = "ByUserPrincipalName";
+        private const string ByEmail = "ByEmail";
         private const string ForVault = "ForVault";
 
         #endregion
@@ -89,6 +90,16 @@ public class RemoveAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
         [ValidateNotNullOrEmpty()]
         public string ObjectId { get; set; }
 
+        /// <summary>
+        /// Email address
+        /// </summary>
+        [Parameter(Mandatory = true,
+            ParameterSetName = ByEmail,
+            ValueFromPipelineByPropertyName = true,
+            HelpMessage = "Specifies the email address of the user in Azure Active Directory for which to grant permissions.")]
+        [ValidateNotNullOrEmpty()]
+        public string EmailAddress { get; set; }
+
         /// <summary>
         /// Id of the application to which a user delegate to
         /// </summary>
@@ -160,11 +171,14 @@ public override void ExecuteCmdlet()
 
                 // Update vault policies
                 var updatedPolicies = existingVault.AccessPolicies;
-                if (!string.IsNullOrEmpty(UserPrincipalName) || !string.IsNullOrEmpty(ServicePrincipalName) || !string.IsNullOrWhiteSpace(this.ObjectId))
+                if (!string.IsNullOrEmpty(UserPrincipalName)
+                    || !string.IsNullOrEmpty(ServicePrincipalName)
+                    || !string.IsNullOrWhiteSpace(this.ObjectId)
+                    || !string.IsNullOrWhiteSpace(this.EmailAddress))
                 {
                     if (string.IsNullOrWhiteSpace(this.ObjectId))
                     {
-                        ObjectId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.ServicePrincipalName);
+                        ObjectId = GetObjectId(this.ObjectId, this.UserPrincipalName, this.EmailAddress, this.ServicePrincipalName);
                     }
                     updatedPolicies = existingVault.AccessPolicies.Where(ap => !ShallBeRemoved(ap, ObjectId, this.ApplicationId)).ToArray();
                 }