Added Role Definition tests for bash.

Author: Hovsep Mkrtchyan

examples/resource-management/04-RoleDefinitions.ps1

@@ -0,0 +1,25 @@
+Param(
+  [string]$groupName,
+  [string]$location
+)
+
+Write-Host "=== Managing Role Definitions in Azure ==="
+
+Write-Host "1. Create a new resource group"
+New-AzureRmResourceGroup -Name $groupName -Location $location
+
+Write-Host "2. Creating a new Role Definition."
+$rd = New-AzureRmRoleDefinition -InputFile roleDefinition.json
+
+Write-Host "3. Get information about Role Definitions."
+Get-AzureRmRoleDefinition -Name $rd.Name
+
+Write-Host "4. Update Role Definition."
+$rd.Actions.Add('Microsoft.Authorization/*/write')
+$updatedRd = Set-AzureRmRoleDefinition -Role $rd
+Assert-NotNull $updatedRd
+
+Write-Host "5. Delete Role Definition."
+Remove-AzureRmRoleDefinition -Id $rd.Id -Force -PassThru
+$readRd = Get-AzureRmRoleDefinition -Name $rd.Name
+Assert-Null $readRd

examples/resource-management/04-RoleDefinitions.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+printf "\n=== Managing Role Definitions in Azure ===\n"
+
+printf "\n1. Creating a new resource group: %s and location: %s.\n" "$groupName" "$location"
+azure group create --name "$groupName" --location "$location"
+
+printf "\n2. Creating a new Role Definition.\n"
+roleDefinition=$(azure role definition create --inputfile $BASEDIR/resource-management/roleDefinition.json)
+
+printf "\n3. Get information about Role Definitions.\n"
+roleDefinitionName=$(echo $roleDefinition | jq '.Name' --raw-output)
+azure role definition get -n $roleDefinitionName
+
+printf "\n4. Update Role Definition.\n"
+updatedRoleDefinition=$(echo $roleDefinition | jq '.Actions |= .+ ["Microsoft.Authorization/*/write"]')
+azure role definition set --Role "$updatedRoleDefinition"
+
+printf "\n5. Delete Role Definition.\n"
+roleDefinitionId=$(echo $roleDefinition | jq '.Id' --raw-output)
+azure role definition remove --Id $roleDefinitionId --PassThru -f 

examples/resource-management/roleDefinition.json

@@ -0,0 +1,10 @@
+{
+  "Name": "CluRoleDefinition",
+  "Description": "Super awesome Clu Role Definition",
+  "Actions": [
+        "Microsoft.Authorization/*/read",
+        "Microsoft.Support/*"
+    ],
+  "NotActions": [],
+  "AssignableScopes": [ "/subscriptions/3ca49042-782a-4cc9-89b5-ee1b487fe115" ]
+}

src/CLU/Microsoft.Azure.Commands.Resources/Models.Authorization/AuthorizationClient.cs

@@ -73,6 +73,15 @@ public PSRoleDefinition GetRoleDefinition(string roleId)
             return AuthorizationManagementClient.RoleDefinitions.GetById(roleId).ToPSRoleDefinition();
         }
 
+        /// <summary>
+        /// Gets a single role definition by the role Id guid.
+        /// </summary>
+        /// <param name="roleId">RoleId guid</param>
+        public PSRoleDefinition GetRoleDefinition(string roleId, string scope)
+        {
+            return AuthorizationManagementClient.RoleDefinitions.Get(scope, roleId).ToPSRoleDefinition();
+        }
+
         /// <summary>
         /// Gets a single role definition by the role Id guid.
         /// </summary>
@@ -90,22 +99,51 @@ public PSRoleDefinition GetRoleDefinition(Guid roleId)
         /// </summary>
         /// <param name="name">The role name</param>
         /// <returns>The matched role Definitions</returns>
-        public List<PSRoleDefinition> FilterRoleDefinitions(string name)
+        public List<PSRoleDefinition> FilterRoleDefinitions(string name, string scope, bool scopeAndBelow = false)
         {
             List<PSRoleDefinition> result = new List<PSRoleDefinition>();
+
+            ODataQuery<RoleDefinitionFilter> odataFilter = null;
+
+            if (scopeAndBelow)
+            {
+                odataFilter = new ODataQuery<RoleDefinitionFilter>(item => item.AtScopeAndBelow() && item.RoleName == name);
+            }
+            else
+            {
+                odataFilter = new ODataQuery<RoleDefinitionFilter>(item => item.RoleName == name);
+            }
+
             result.AddRange(AuthorizationManagementClient.RoleDefinitions.List(
-                        "subscriptions/" + AuthorizationManagementClient.SubscriptionId,
-                        new ODataQuery<RoleDefinition>( item => item.Name == name))
+                        scope,
+                        odataFilter)
                   .Select(r => r.ToPSRoleDefinition()));
 
             return result;
         }
+        public List<PSRoleDefinition> FilterRoleDefinitions(FilterRoleDefinitionOptions options)
+        {
+            if (options.RoleDefinitionId != Guid.Empty)
+            {
+                return new List<PSRoleDefinition> { GetRoleDefinition(options.RoleDefinitionId.ToString(), options.Scope) };
+            }
+            else if (options.CustomOnly)
+            {
+                // Special case - if custom only flag is specified then you don't need to lookup on a specific id or name since it will be a bit redundant
+                return FilterRoleDefinitionsByCustom(options.Scope, options.ScopeAndBelow);
+            }
+            else
+            {
+                // If RoleDefinition name is not specified (null/empty), service will handle it and return all roles
+                return FilterRoleDefinitions(options.RoleDefinitionName, options.Scope, options.ScopeAndBelow);
+            }
+        }
 
         /// <summary>
         /// Fetches all existing role Definitions.
         /// </summary>
         /// <returns>role Definitions</returns>
-        public List<PSRoleDefinition> GetRoleDefinitions()
+        public List<PSRoleDefinition> GetRoleDefinitionsAtScopeAndBelow()
         {
             List<PSRoleDefinition> result = new List<PSRoleDefinition>();
             result.AddRange(AuthorizationManagementClient.RoleDefinitions.List(
@@ -118,11 +156,13 @@ public List<PSRoleDefinition> GetRoleDefinitions()
         /// Filters the existing role Definitions by CustomRole.
         /// </summary>
         /// <returns>The custom role Definitions</returns>
-        public List<PSRoleDefinition> FilterRoleDefinitionsByCustom()
+        public List<PSRoleDefinition> FilterRoleDefinitionsByCustom(string scope, bool scopeAndBelow)
         {
             List<PSRoleDefinition> result = new List<PSRoleDefinition>();
+
             result.AddRange(AuthorizationManagementClient.RoleDefinitions.List(
-                        "subscriptions/" + AuthorizationManagementClient.SubscriptionId)
+                        scope,
+                        scopeAndBelow ? new ODataQuery<RoleDefinitionFilter>(filter => filter.AtScopeAndBelow()) : null)
                 .Where(r => r.Properties.Type == AuthorizationClientExtensions.CustomRole)
                 .Select(r => r.ToPSRoleDefinition()));
             return result;
@@ -138,7 +178,7 @@ public PSRoleAssignment CreateRoleAssignment(FilterRoleAssignmentsOptions parame
             Guid principalId = ActiveDirectoryClient.GetObjectId(parameters.ADObjectFilter);
             Guid roleAssignmentId = RoleAssignmentNames.Count == 0 ? Guid.NewGuid() : RoleAssignmentNames.Dequeue();
             string roleDefinitionId = !string.IsNullOrEmpty(parameters.RoleDefinitionName)
-                ? AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, GetRoleRoleDefinition(parameters.RoleDefinitionName).Id)
+                ? AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, GetSingleRoleDefinitionByName(parameters.RoleDefinitionName, parameters.Scope).Id)
                 : AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, parameters.RoleDefinitionId);
 
             var createParameters =  new RoleAssignmentProperties
@@ -318,9 +358,9 @@ public IEnumerable<PSRoleAssignment> RemoveRoleAssignment(FilterRoleAssignmentsO
             return roleAssignments;
         }
 
-        public PSRoleDefinition GetRoleRoleDefinition(string name)
+        public PSRoleDefinition GetSingleRoleDefinitionByName(string name, string scope)
         {
-            List<PSRoleDefinition> roles = FilterRoleDefinitions(name);
+            List<PSRoleDefinition> roles = FilterRoleDefinitions(name, scope);
 
             if (roles == null || !roles.Any())
             {
@@ -334,38 +374,52 @@ public PSRoleDefinition GetRoleRoleDefinition(string name)
             return roles.First();
         }
 
+        public PSRoleDefinition RemoveRoleDefinition(FilterRoleDefinitionOptions options)
+        {
+            if (options.RoleDefinitionId != Guid.Empty)
+            {
+                return this.RemoveRoleDefinition(options.RoleDefinitionId, options.Scope);
+            }
+            else if (!string.IsNullOrEmpty(options.RoleDefinitionName))
+            {
+                return this.RemoveRoleDefinition(options.RoleDefinitionName, options.Scope);
+            }
+            else
+            {
+                throw new InvalidOperationException("RoleDefinition Name or Id should be specified.");
+            }
+        }
         /// <summary>
         /// Deletes a role definition based on the id.
         /// </summary>
         /// <param name="roleDefinitionId">The role definition id to delete</param>
         /// <param name="subscriptionId">Current subscription id</param>
         /// <returns>The deleted role definition.</returns>
-        public PSRoleDefinition RemoveRoleDefinition(Guid roleDefinitionId, string subscriptionId)
+        public PSRoleDefinition RemoveRoleDefinition(Guid roleDefinitionId, string scope)
         {
             string id = roleDefinitionId.ToString();
 
-            PSRoleDefinition roleDefinition = this.GetRoleDefinition(roleDefinitionId);
+            PSRoleDefinition roleDefinition = this.GetRoleDefinition(id, scope);
             if (roleDefinition != null)
             {
-                return AuthorizationManagementClient.RoleDefinitions
-                    .Delete(roleDefinition.AssignableScopes.First(), roleDefinitionId.ToString()).ToPSRoleDefinition();
+                return AuthorizationManagementClient.RoleDefinitions.Delete(scope, id).ToPSRoleDefinition();
             }
             else
             {
-                throw new KeyNotFoundException(string.Format(ProjectResources.RoleDefinitionWithIdNotFound, id));
+                throw new KeyNotFoundException(string.Format(ProjectResources.RoleDefinitionWithIdNotFound, roleDefinitionId));
             }
         }
-
+        
         /// <summary>
         /// Deletes a role definition based on the name.
         /// </summary>
         /// <param name="roleDefinitionName">The role definition name.</param>
         /// <returns>The deleted role definition.</returns>
-        public PSRoleDefinition RemoveRoleDefinition(string roleDefinitionName, string subscriptionId)
+        public PSRoleDefinition RemoveRoleDefinition(string roleDefinitionName, string scope)
         {
-            PSRoleDefinition roleDefinition = this.GetRoleRoleDefinition(roleDefinitionName);
+            PSRoleDefinition roleDefinition = this.GetSingleRoleDefinitionByName(roleDefinitionName, scope);
             return AuthorizationManagementClient.RoleDefinitions
-                .Delete(roleDefinition.AssignableScopes.First(), roleDefinition.Id).ToPSRoleDefinition();
+                .Delete(scope, roleDefinition.Id).ToPSRoleDefinition();
         }
 
         /// <summary>
@@ -381,34 +435,26 @@ public PSRoleDefinition UpdateRoleDefinition(PSRoleDefinition role, string subsc
                 throw new InvalidOperationException(ProjectResources.RoleDefinitionIdShouldBeAGuid);
             }
 
-            PSRoleDefinition roleDefinition = this.GetRoleDefinition(roleDefinitionId);
+            PSRoleDefinition roleDefinition = this.GetRoleDefinition(roleDefinitionId.ToString(), role.AssignableScopes.First());
             if (roleDefinition == null)
             {
                 throw new KeyNotFoundException(string.Format(ProjectResources.RoleDefinitionWithIdNotFound, role.Id));
             }
-
-            string roleDefinitionFullyQualifiedId = AuthorizationHelper.GetRoleDefinitionFullyQualifiedId(subscriptionId, role.Id);
-
-            roleDefinition.Name = role.Name ?? roleDefinition.Name;
-            roleDefinition.Actions = role.Actions ?? roleDefinition.Actions;
-            roleDefinition.NotActions = role.NotActions ?? roleDefinition.NotActions;
-            roleDefinition.AssignableScopes = role.AssignableScopes ?? roleDefinition.AssignableScopes;
-            roleDefinition.Description = role.Description ?? roleDefinition.Description;
-
+            
             ValidateRoleDefinition(roleDefinition);
 
             return
                 AuthorizationManagementClient.RoleDefinitions.CreateOrUpdate(
-                    roleDefinitionId.ToString(),
                     roleDefinition.AssignableScopes.First(),
+                    roleDefinitionId.ToString(),
                     new RoleDefinition()
                         {
-                            Id = roleDefinitionFullyQualifiedId,
                             Name = roleDefinitionId.ToString(),
                             Properties =
                                 new RoleDefinitionProperties()
                                 {
-                                    RoleName = roleDefinition.Name,
+                                    AssignableScopes = roleDefinition.AssignableScopes,
+                                    Description = roleDefinition.Description,
                                     Permissions =
                                         new List<Permission>()
                                         {
@@ -418,8 +464,7 @@ public PSRoleDefinition UpdateRoleDefinition(PSRoleDefinition role, string subsc
                                                 NotActions = roleDefinition.NotActions
                                             }
                                         },
-                                    AssignableScopes = roleDefinition.AssignableScopes,
-                                    Description = roleDefinition.Description
+                                    RoleName = roleDefinition.Name
                                 }
                         }
                     ).ToPSRoleDefinition();

src/CLU/Microsoft.Azure.Commands.Resources/Models.Authorization/AuthorizationClientExtensions.cs

@@ -74,7 +74,7 @@ public static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable
             }
             else
             {
-                roleDefinitions = policyClient.GetRoleDefinitions();
+                roleDefinitions = policyClient.GetRoleDefinitionsAtScopeAndBelow();
             }
 
             foreach (RoleAssignment assignment in assignments)

src/CLU/Microsoft.Azure.Commands.Resources/Models.Authorization/FilterRoleDefinitionOptions.cs

@@ -0,0 +1,66 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.Azure.Commands.Resources.Models.Authorization
+{
+    public class FilterRoleDefinitionOptions
+    {
+        public bool CustomOnly { get; set; }
+
+        public bool ScopeAndBelow { get; set; }
+
+        public string RoleDefinitionName { get; set; }
+
+        // Guid Id
+        public Guid RoleDefinitionId { get; set; }
+
+        private string scope;
+
+        public string Scope
+        {
+            get
+            {
+                string result;
+                string resourceIdentifier = ResourceIdentifier.ToString();
+
+                if (!string.IsNullOrEmpty(this.scope))
+                {
+                    result = this.scope;
+                }
+                else if (!string.IsNullOrEmpty(resourceIdentifier))
+                {
+                    result = resourceIdentifier;
+                }
+                else
+                {
+                    result = null;
+                }
+
+                return result;
+            }
+            set
+            {
+                this.scope = value;
+            }
+        }
+
+        public ResourceIdentifier ResourceIdentifier { get; set; }
+    }
+}