Changes for New-AzureRoleDefinition commandlet that allows creating new roles

Author: namratab

src/ResourceManager/Batch/Commands.Batch.Test/Commands.Batch.Test.csproj

@@ -59,8 +59,9 @@
     <Reference Include="Microsoft.Azure.Gallery">
       <HintPath>..\..\..\packages\Microsoft.Azure.Gallery.2.6.2-preview\lib\net40\Microsoft.Azure.Gallery.dll</HintPath>
     </Reference>
-    <Reference Include="Microsoft.Azure.Management.Authorization">
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.0.18.0-preview\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
+    <Reference Include="Microsoft.Azure.Management.Authorization, Version=0.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.0.18.2-preview\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Batch">
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Batch.1.3.0-preview\lib\net40\Microsoft.Azure.Management.Batch.dll</HintPath>
@@ -181,6 +182,7 @@
     <Compile Include="WorkItems\RemoveBatchWorkItemCommandTests.cs" />
   </ItemGroup>
   <ItemGroup>
+    <None Include="app.config" />
     <None Include="MSSharedLibKey.snk" />
     <None Include="packages.config">
       <SubType>Designer</SubType>

src/ResourceManager/Batch/Commands.Batch.Test/packages.config

@@ -6,7 +6,7 @@
   <package id="Microsoft.Azure.Common.Authentication" version="1.0.22-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Common.Dependencies" version="1.0.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Gallery" version="2.6.2-preview" targetFramework="net45" />
-  <package id="Microsoft.Azure.Management.Authorization" version="0.18.0-preview" targetFramework="net45" />
+  <package id="Microsoft.Azure.Management.Authorization" version="0.18.2-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Batch" version="1.3.0-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Resources" version="2.18.0-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Test.Framework" version="1.0.5571.32271-prerelease" targetFramework="net45" />

src/ResourceManager/DataFactories/Commands.DataFactories.Test/Commands.DataFactories.Test.csproj

@@ -58,9 +58,9 @@
       <HintPath>..\..\..\packages\Microsoft.Azure.Gallery.2.6.0-preview\lib\net40\Microsoft.Azure.Gallery.dll</HintPath>
       <HintPath>..\..\..\packages\Microsoft.Azure.Gallery.2.6.2-preview\lib\net40\Microsoft.Azure.Gallery.dll</HintPath>
     </Reference>
-    <Reference Include="Microsoft.Azure.Management.Authorization">
+    <Reference Include="Microsoft.Azure.Management.Authorization, Version=0.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.0.18.0-preview\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.0.18.2-preview\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.DataFactories">
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.DataFactories.0.15.6-preview\lib\net40\Microsoft.Azure.Management.DataFactories.dll</HintPath>
@@ -175,6 +175,7 @@
     <Compile Include="UnitTests\SetDataFactoryGatewayTests.cs" />
   </ItemGroup>
   <ItemGroup>
+    <None Include="app.config" />
     <None Include="MSSharedLibKey.snk" />
     <None Include="packages.config">
       <SubType>Designer</SubType>

src/ResourceManager/DataFactories/Commands.DataFactories.Test/packages.config

@@ -5,7 +5,7 @@
   <package id="Microsoft.Azure.Common.Authentication" version="1.0.22-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Common.Dependencies" version="1.0.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Gallery" version="2.6.2-preview" targetFramework="net45" />
-  <package id="Microsoft.Azure.Management.Authorization" version="0.18.0-preview" targetFramework="net45" />
+  <package id="Microsoft.Azure.Management.Authorization" version="0.18.2-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.DataFactories" version="0.15.6-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Resources" version="2.18.0-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Test.Framework" version="1.0.5571.32271-prerelease" targetFramework="net45" />

src/ResourceManager/Resources/Commands.Resources.Test/Commands.Resources.Test.csproj

@@ -63,8 +63,9 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\..\packages\Microsoft.Azure.Graph.RBAC.1.7.0-preview\lib\net40\Microsoft.Azure.Graph.RBAC.dll</HintPath>
     </Reference>
-    <Reference Include="Microsoft.Azure.Management.Authorization">
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.0.18.0-preview\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
+    <Reference Include="Microsoft.Azure.Management.Authorization, Version=0.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.0.18.2-preview\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.ResourceManager">
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Resources.2.18.0-preview\lib\net40\Microsoft.Azure.ResourceManager.dll</HintPath>
@@ -173,6 +174,7 @@
     <Compile Include="ScenarioTests\ResourceGroupTests.cs" />
     <Compile Include="ScenarioTests\ResourceTests.cs" />
     <Compile Include="ScenarioTests\RoleAssignmentTests.cs" />
+    <Compile Include="ScenarioTests\RoleDefinitionTests.cs" />
     <Compile Include="Templates\TestAzureResourceGroupTemplateCommandTests.cs" />
     <Compile Include="Templates\SaveAzureResourceGroupGalleryTemplateCommandTests.cs" />
     <Compile Include="Templates\GetAzureResourceGroupGalleryTemplateCommandTests.cs" />
@@ -245,6 +247,7 @@
     <Content Include="ScenarioTests\AuthorizationTests.ps1">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </Content>
+    <None Include="Resources\NewRoleDefinition.json" />
     <None Include="ScenarioTests\ActiveDirectoryTests.ps1">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
@@ -266,6 +269,7 @@
     <None Include="ScenarioTests\RoleAssignmentTests.ps1">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
+    <None Include="ScenarioTests\RoleDefinitionTests.ps1" />
     <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.ActiveDirectoryTests\TestGetADUserWithMail.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>

src/ResourceManager/Resources/Commands.Resources.Test/Resources/NewRoleDefinition.json

@@ -0,0 +1,10 @@
+{
+    "Name": "CustomRole Test Role",
+    "Description": "Test role",
+    "Actions": [
+        "Microsoft.Authorization/*/read",
+        "Microsoft.Support/*"
+    ],
+    "NotActions": [],
+    "AssignableScopes": ["Scope1" , "Scope2"]
+}

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/RoleDefinitionTests.cs

@@ -0,0 +1,30 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.Resources.Test.ScenarioTests
+{
+    public class RoleDefinitionTests
+    {
+        [Fact(Skip = "Not implemented")]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void RoleDefinitionCreateTests()
+        {
+            ResourcesController.NewInstance.RunPsTest("Test-RoleDefinitionCreateTests");
+        }
+    }
+}

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/RoleDefinitionTests.ps1

@@ -0,0 +1,51 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+
+<#
+.SYNOPSIS
+Tests verify scenarios for RoleDefinitions creation.
+#>
+function Test-RoleDefinitionCreateTests
+{
+    # Basic positive case - read from file
+    $rdName = 'CustomRole Test Role'
+    New-AzureRoleDefinition -InputFile .\Resources\NewRoleDefinition.json
+    $rd = Get-AzureRoleDefinition -Name $rdName
+	Assert-NotNull $rd
+	Assert-AreEqual "Test role" $rd.Description 
+	Assert-AreEqual $true $rd.IsCustom
+	Assert-NotNull $rd.Actions
+	Assert-AreEqual "Microsoft.Authorization/*/read" $rd.Actions[0]
+	Assert-AreEqual "Microsoft.Support/*" $rd.Actions[1]
+	Assert-NotNull $rd.AssignableScopes
+	# The below scopes may need to be changed to actual scope values like /subscriptions/.... to satisfy the ARM access checks for PUT requests
+	Assert-AreEqual "Scope1" $rd.AssignableScopes[0]
+	Assert-AreEqual "Scope2" $rd.AssignableScopes[1]
+
+	# Basic positive case - read from object
+	$roleDef = Get-AzureRoleDefinition -Name "Virtual Machine Contributor"
+	$roleDef.Id = $null
+	$roleDef.Name = "Virtual machine restarter"
+	$roleDef.Actions.Add("Microsoft.ClassicCompute/virtualMachines/restart/action")
+	$roleDef.Description = "Can monitor and restart virtual machines"
+	
+	New-AzureRoleDefinition -Role $roleDef
+	$addedRoleDef = Get-AzureRoleDefinition -Name "Virtual machine restarter"
+
+	Assert-AreEqual $roleDef.Actions $addedRoleDef.Actions
+	Assert-AreEqual $roleDef.Description $addedRoleDef.Description
+	Assert-AreEqual $roleDef.AssignableScopes $addedRoleDef.AssignableScopes
+	Assert-AreEqual $true $roleDef.IsCustom
+}

src/ResourceManager/Resources/Commands.Resources.Test/packages.config

@@ -6,7 +6,7 @@
   <package id="Microsoft.Azure.Common.Dependencies" version="1.0.0" targetFramework="net45" />
   <package id="Microsoft.Azure.Gallery" version="2.6.2-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Graph.RBAC" version="1.7.0-preview" targetFramework="net45" />
-  <package id="Microsoft.Azure.Management.Authorization" version="0.18.0-preview" targetFramework="net45" />
+  <package id="Microsoft.Azure.Management.Authorization" version="0.18.2-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Management.Resources" version="2.18.0-preview" targetFramework="net45" />
   <package id="Microsoft.Azure.Test.Framework" version="1.0.5571.32271-prerelease" targetFramework="net45" />
   <package id="Microsoft.Azure.Test.HttpRecorder" version="1.0.5571.32271-prerelease" targetFramework="net45" />

src/ResourceManager/Resources/Commands.Resources/Commands.Resources.csproj

@@ -68,8 +68,9 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\..\packages\Microsoft.Azure.Graph.RBAC.1.7.0-preview\lib\net40\Microsoft.Azure.Graph.RBAC.dll</HintPath>
     </Reference>
-    <Reference Include="Microsoft.Azure.Management.Authorization">
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.0.18.0-preview\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
+    <Reference Include="Microsoft.Azure.Management.Authorization, Version=0.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.Authorization.0.18.2-preview\lib\net40\Microsoft.Azure.Management.Authorization.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.ResourceManager">
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Resources.2.18.0-preview\lib\net40\Microsoft.Azure.ResourceManager.dll</HintPath>
@@ -186,7 +187,7 @@
     <Compile Include="Models.Authorization\AuthorizationClient.cs" />
     <Compile Include="ProviderFeatures\RegisterAzureProviderFeatureCmdlet.cs" />
     <Compile Include="Providers\GetAzureProviderCmdlet.cs" />
-	<Compile Include="Providers\GetAzureProviderOperationCmdlet.cs" />
+    <Compile Include="Providers\GetAzureProviderOperationCmdlet.cs" />
     <Compile Include="Providers\RegisterAzureProviderCmdlet.cs" />
     <Compile Include="Providers\UnregisterAzureProviderCmdlet.cs" />
     <Compile Include="ResourceGroups\GetAzureResourceGroupLogCommand.cs" />
@@ -198,6 +199,7 @@
     <Compile Include="RoleAssignments\GetAzureRoleAssignmentCommand.cs" />
     <Compile Include="RoleAssignments\NewAzureRoleAssignmentCommand.cs" />
     <Compile Include="RoleDefinitions\GetAzureRoleDefinitionCommand.cs" />
+    <Compile Include="RoleDefinitions\NewAzureRoleDefinitionCommand.cs" />
     <Compile Include="Templates\TestAzureResourceGroupTemplateCommand.cs" />
     <Compile Include="Templates\SaveAzureResourceGroupGalleryTemplateCommand.cs" />
     <Compile Include="Templates\GetAzureResourceGroupGalleryTemplateCommand.cs" />

src/ResourceManager/Resources/Commands.Resources/Models.ActiveDirectory/ParameterSet.cs

@@ -67,5 +67,9 @@ internal static class ParameterSet
         public const string ApplicationWithKeyCredential = "ApplicationWithKeyCredentialParameterSet";
 
         public const string Empty = "EmptyParameterSet";
+
+        public const string InputFile = "InputFileParameterSet";
+
+        public const string RoleDefinition = "RoleDefinitionParameterSet";
     }
 }

src/ResourceManager/Resources/Commands.Resources/Models.Authorization/AuthorizationClient.cs

@@ -178,5 +178,44 @@ public PSRoleDefinition GetRoleRoleDefinition(string name)
 
             return role;
         }
+
+        public PSRoleDefinition CreateRoleDefinition(PSRoleDefinition roleDefinition)
+        {
+            AuthorizationClient.ValidateRoleDefinition(roleDefinition);
+            
+            Guid newRoleDefinitionId = Guid.NewGuid();
+            RoleDefinitionCreateOrUpdateParameters parameters = new RoleDefinitionCreateOrUpdateParameters()
+            {
+                RoleDefinition = new RoleDefinition()
+                {
+                    Name = newRoleDefinitionId,
+                    Properties = new RoleDefinitionProperties()
+                    {
+                        AssignableScopes = roleDefinition.AssignableScopes,
+                        Description = roleDefinition.Description,
+                        Permissions = new List<Permission>()
+                        {
+                            new Permission()
+                            {
+                                Actions = roleDefinition.Actions,
+                                NotActions = roleDefinition.NotActions
+                            }
+                        },
+                        RoleName = roleDefinition.Name,
+                        Type = "CustomRole"
+                    }
+                }
+            };
+
+            return AuthorizationManagementClient.RoleDefinitions.CreateOrUpdate(newRoleDefinitionId, parameters).RoleDefinition.ToPSRoleDefinition();
+        }
+
+        private static void ValidateRoleDefinition(PSRoleDefinition roleDefinition)
+        {
+            if (string.IsNullOrWhiteSpace(roleDefinition.Name))
+            {
+                throw new ArgumentException(ProjectResources.InvalidRoleDefinitionName);
+            }
+        }
     }
 }

src/ResourceManager/Resources/Commands.Resources/Models.Authorization/AuthorizationClientExtensions.cs

@@ -32,7 +32,10 @@ public static PSRoleDefinition ToPSRoleDefinition(this RoleDefinition role)
                     Name = role.Properties.RoleName,
                     Actions = new List<string>(role.Properties.Permissions.SelectMany(r => r.Actions)),
                     NotActions = new List<string>(role.Properties.Permissions.SelectMany(r => r.NotActions)),
-                    Id = role.Id
+                    Id = role.Id,
+                    AssignableScopes = role.Properties.AssignableScopes.ToList(),
+                    Description = role.Properties.Description,
+                    IsCustom = role.Properties.Type == "CustomRole" ? true : false
                 };
             }
 

src/ResourceManager/Resources/Commands.Resources/Models.Authorization/PSRoleDefinition.cs

@@ -22,8 +22,14 @@ public class PSRoleDefinition
 
         public string Id { get; set; }
 
+        public bool IsCustom { get; set; }
+
+        public string Description { get; set; }
+
         public List<string> Actions { get; set; }
 
         public List<string> NotActions { get; set; }
+
+        public List<string> AssignableScopes { get; set; }
     }
 }

src/ResourceManager/Resources/Commands.Resources/Properties/Resources.Designer.cs

@@ -282,4 +282,7 @@
   <data name="RegisterProviderFeatureMessage" xml:space="preserve">
     <value>Registering provider feature ...</value>
   </data>
-</root>
+  <data name="InvalidRoleDefinitionName" xml:space="preserve">
+    <value>RoleDefinitionName is invalid</value>
+  </data>
+</root>