Merge pull request #33 from microsoft/ReviewMaster

Review master
Josh Becker 2020-08-06 08:58:52 -07:00 коммит произвёл GitHub
Родитель f41750bca0 ff2ff7fd37
Коммит fb0d6be9f3
28 изменённых файлов: 167 добавлений и 142 удалений


@ -1,9 +1,9 @@
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using System;
using System.Collections.Generic;
using YamlDotNet.Serialization;
using Microsoft.Azure.Management.ResourceManager.Fluent;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Identity.Client;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Azure.Management.ResourceManager.Fluent.Authentication;
@ -38,7 +38,7 @@ namespace RBAC
}
/// <summary>
/// This method verifies that the file arguments are of the correct type.
/// This method verifies that the file arguments are of the correct number, type, and path.
/// </summary>
/// <param name="args">The string array of program arguments</param>
public void verifyFileExtensions(string[] args)
@ -202,11 +202,10 @@ namespace RBAC
}
/// <summary>
/// This method retrieves the AadAppSecrets using a SecretClient and returns a Dictionary of the secrets.
/// This method retrieves the AadAppSecrets using environment variables and returns a dictionary of the secrets.
/// </summary>
/// <param name="vaultList">The KeyVault information obtaind from MasterConfig.json file</param>
/// <returns>The dictionary of secrets obtained from the SecretClient</returns>
public Dictionary<string, string> getSecrets(JsonInput vaultList)
/// <returns>The dictionary of secrets obtained from environment variables</returns>
public Dictionary<string, string> getSecrets()
{
log.Info("Retrieving secrets...");
@ -231,7 +230,6 @@ namespace RBAC
throw new Exception("'AZURE_CLIENT_SECRET' environmental variable not defined.");
}
var ten = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
if (ten == null)
{
@ -245,7 +243,7 @@ namespace RBAC
}
catch (Exception e)
{
log.Error($"AAD application name was not retrieved.", e);
log.Error($"AAD application name, clientId, clientKey, or tenantId was not retrieved.", e);
Exit(e.Message);
}
log.Info("Secrets retrieved!");
@ -255,16 +253,16 @@ namespace RBAC
/// <summary>
/// This method creates and returns a KeyVaulManagementClient.
/// </summary>
/// <param name="secrets">The dictionary of information obtained from SecretClient</param>
/// <param name="secrets">The dictionary of information obtained from environment variables</param>
/// <returns>The KeyVaultManagementClient created using the secret information</returns>
public Microsoft.Azure.Management.KeyVault.KeyVaultManagementClient createKVMClient(Dictionary<string, string> secrets)
public KeyVaultManagementClient createKVMClient(Dictionary<string, string> secrets)
{
log.Info("Creating KVM Client...");
try
{
AzureCredentials credentials = SdkContext.AzureCredentialsFactory.FromServicePrincipal(secrets["clientId"],
secrets["clientKey"], secrets["tenantId"], AzureEnvironment.AzureGlobalCloud);
var kvmClient = new Microsoft.Azure.Management.KeyVault.KeyVaultManagementClient(credentials);
var kvmClient = new KeyVaultManagementClient(credentials);
log.Info("KVM Client created!");
return kvmClient;
}
@ -280,7 +278,7 @@ namespace RBAC
/// <summary>
/// This method creates and returns a GraphServiceClient.
/// </summary>
/// <param name="secrets">The dictionary of information obtained from SecretClient</param>
/// <param name="secrets">The dictionary of information obtained from environment variables</param>
/// <returns>The GraphServiceClient created using the secret information</returns>
public GraphServiceClient createGraphClient(Dictionary<string, string> secrets)
{
@ -317,7 +315,7 @@ namespace RBAC
/// <summary>
/// This method creates and returns an azure client.
/// </summary>
/// <param name="secrets">The dictionary of information obtained from SecretClient</param>
/// <param name="secrets">The dictionary of information obtained from environment variables</param>
/// <returns>The azure client created using the secret information</returns>
public Microsoft.Azure.Management.Fluent.Azure.IAuthenticated createAzureClient(Dictionary<string, string> secrets)
{
@ -421,14 +419,13 @@ namespace RBAC
}
/// <summary>
/// This method retrieves each of the KeyVaults specified in the vaultList.
/// This method retrieves each of the KeyVaults specified in "vaultList".
/// </summary>
/// <param name="vaultList">The data obtained from deserializing json file</param>
/// <param name="kvmClient">The KeyVaultManagementClient containing Vaults</param>
/// <param name="graphClient">The Microsoft GraphServiceClient for obtaining display names</param>
/// <returns>The list of KeyVaultProperties containing the properties of each KeyVault</returns>
public List<KeyVaultProperties> getVaults(JsonInput vaultList,
Microsoft.Azure.Management.KeyVault.KeyVaultManagementClient kvmClient, GraphServiceClient graphClient)
public List<KeyVaultProperties> getVaults(JsonInput vaultList, KeyVaultManagementClient kvmClient, GraphServiceClient graphClient)
{
log.Info("Getting Vaults...");
List<Vault> vaultsRetrieved = new List<Vault>();
@ -503,8 +500,7 @@ namespace RBAC
/// <param name="vaultsRetrieved">The list of Vault objects to add to</param>
/// <param name="resourceGroup">The ResourceGroup name(if applicable). Default is null.</param>
/// <returns>The updated vaultsRetrieved list</returns>
public List<Vault> getVaultsAllPages(Microsoft.Azure.Management.KeyVault.KeyVaultManagementClient kvmClient,
List<Vault> vaultsRetrieved, string resourceGroup = "")
public List<Vault> getVaultsAllPages(KeyVaultManagementClient kvmClient, List<Vault> vaultsRetrieved, string resourceGroup = "")
{
IPage<Vault> vaultsCurPg = null;
// Retrieves the first page of KeyVaults at the Subscription scope
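Review bot: The environment-variable checks in getSecrets only reject a missing variable (`if (ten == null)` on the AZURE_TENANT_ID read, and the sibling check that raises the AZURE_CLIENT_SECRET error), so an empty value — which CI systems commonly inject when a secret is left unconfigured — passes through to `FromServicePrincipal` and only fails later with a less actionable SDK error; `if (string.IsNullOrWhiteSpace(ten))` for each variable catches that at the source. Because the client secret now arrives through the process environment instead of a SecretClient, the catch block should stay message-only as it is (`log.Error(..., e); Exit(e.Message);`) and nothing on this path should ever log the dictionary's values; a one-line comment saying so where the dictionary is populated would protect the next maintainer. The rest of getSecrets, including the AZURE_CLIENT_ID read, lies outside the hunk, so the same empty-value check presumably applies there. With the SecretClient path removed, `using Azure.Security.KeyVault.Secrets;` and `using Azure.Identity;` at the top of the file look unused — if nothing else in the file references them, drop the usings and the corresponding package references.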


@ -1,4 +1,6 @@
using System;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using System;
using System.Collections.Generic;
using System.Linq;
@ -51,7 +53,7 @@ namespace RBAC
}
/// <summary>
/// This class stores the details on the ResourceGroups specified in the MasterConfig.json file.
/// This class stores the details of the ResourceGroups specified in the MasterConfig.json file.
/// </summary>
/// <remarks>If the ResourceGroups field is not null, the MasterConfig.json file must include a ResourceGroup Name, but specific KeyVault names are not required.</remarks>
public class ResourceGroup


@ -1,4 +1,6 @@
using System;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Azure.Management.KeyVault.Models;


@ -1,8 +1,9 @@
using Microsoft.Graph;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using Microsoft.Graph;
using Microsoft.Identity.Client;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
namespace RBAC


@ -1,4 +1,6 @@
using Microsoft.Azure.Management.KeyVault.Models;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using Microsoft.Azure.Management.KeyVault.Models;
using Microsoft.Graph;
using System;
using System.Collections.Generic;


@ -1,11 +1,10 @@
using Microsoft.Graph;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using Microsoft.Graph;
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Linq.Expressions;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using System.Threading.Tasks;


@ -1,12 +1,12 @@
using Microsoft.Azure.Management.KeyVault;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Azure.Management.KeyVault.Models;
using Microsoft.Rest.Azure;
using RBAC;
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using YamlDotNet.Serialization;


@ -1,6 +1,5 @@
using Microsoft.Azure.Management.KeyVault.Models;
using System.Linq;
using System;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
[assembly: log4net.Config.XmlConfigurator]
namespace RBAC


@ -1,12 +1,17 @@
using System;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using System;
using System.Collections.Generic;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Graph;
using static Microsoft.Azure.Management.Fluent.Azure;
namespace RBAC
{
public class ToYamlProgram
{
/// <summary>
/// This method reads in a Json config file and prints out a serialized list of Key Vaults into a Yaml file.
/// This method reads in a Json config file and converts it into a serialized list of KeyVaults that are displayed in a Yaml file.
/// </summary>
public static void Main(string[] args)
{
@ -22,13 +27,13 @@ namespace RBAC
Console.WriteLine("Finished!");
Console.WriteLine("Grabbing secrets...");
var secrets = ap.getSecrets(vaultList);
Dictionary<string, string> secrets = ap.getSecrets();
Console.WriteLine("Finished!");
Console.WriteLine("Creating KeyVaultManagementClient, GraphServiceClient, and AzureClient...");
var kvmClient = ap.createKVMClient(secrets);
var graphClient = ap.createGraphClient(secrets);
var azureClient = ap.createAzureClient(secrets);
KeyVaultManagementClient kvmClient = ap.createKVMClient(secrets);
GraphServiceClient graphClient = ap.createGraphClient(secrets);
IAuthenticated azureClient = ap.createAzureClient(secrets);
Console.WriteLine("Finished!");;
Console.WriteLine("Checking access and retrieving key vaults...");

38
LICENSE

@ -1,21 +1,25 @@
MIT License
Automation of Role Based Access Control (RBAC) in Azure
Copyright (c) Microsoft Corporation.
Copyright (c) Microsoft Corporation.
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE


@ -1,4 +1,6 @@
<Application x:Class="RBAC.App"
<!-- Copyright (c) Microsoft Corporation.// Licensed under the MIT license-->
<Application x:Class="RBAC.App"
xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
xmlns:local="clr-namespace:RBAC"


@ -1,10 +1,5 @@
using Microsoft.Azure.Management.Storage.Fluent.Models;
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Threading.Tasks;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license-->
using System.Windows;
namespace RBAC
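Review bot: The new header comment in this .cs file ends with a stray `-->` (`// Copyright (c) Microsoft Corporation.// Licensed under the MIT license-->`), which was evidently copied from the XAML `<!-- ... -->` form; inside a C# line comment it is harmless but inconsistent with the other .cs headers in this commit, which end with a period. Suggest `// Copyright (c) Microsoft Corporation. Licensed under the MIT license.` here and in the other WPF code-behind files that received the same header.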


@ -1,3 +1,5 @@
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license-->
using System.Windows;
[assembly: ThemeInfo(


@ -1,4 +1,6 @@
<Window x:Class="RBAC.FileDialogWindow"
<!-- Copyright (c) Microsoft Corporation.// Licensed under the MIT license-->
<Window x:Class="RBAC.FileDialogWindow"
xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
xmlns:d="http://schemas.microsoft.com/expression/blend/2008"


@ -1,9 +1,8 @@
<Window x:Class="RBAC.MainWindow"
<!-- Copyright (c) Microsoft Corporation.// Licensed under the MIT license-->
<Window x:Class="RBAC.MainWindow"
xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
xmlns:local="clr-namespace:RBAC"
xmlns:lvc="clr-namespace:LiveCharts.Wpf;assembly=LiveCharts.Wpf"
WindowStartupLocation="CenterScreen"
Title="ListingOptions" Height="625" Width="1000" Background="#FFE3EBEB">
@ -456,7 +455,6 @@
<!-- #6 Ranked Security Principal List Option-->
<TextBlock Name="SecurityPrincipalAccess"
Text="6. List Top 10 Security Principals by Permission Access."
Grid.Column="0" Grid.Row="23"
Style="{StaticResource FiltersStyle}"/>
@ -498,7 +496,6 @@
<Label Name="SecurityPrincipalAccessSpecifyScopeLabel"
Content="Specify the scope:"
Grid.Column="2" Grid.Row="25"
Style="{StaticResource LabelStyleHidden}"/>
@ -877,7 +874,7 @@
</StackPanel>
</Border>
</Popup>
<Popup x:Name="PbPopup" IsOpen="False" Style="{StaticResource PopupStyle}">
<Border BorderThickness="0.3" Height="Auto" Width="300" BorderBrush="#FFE0E0E0" >
<StackPanel Name="PbPanel" Height="Auto" Width="300" Background="White">
@ -885,7 +882,6 @@
</StackPanel>
</Border>
</Popup>
</Grid>
</Viewbox>
</Window>


@ -1,4 +1,6 @@
using System;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license-->
using System;
using System.Collections.Generic;
using System.Linq;
using System.Windows;
@ -8,7 +10,6 @@ using LiveCharts.Wpf;
using System.Windows.Media;
using System.Windows.Data;
using System.Threading.Tasks;
using Microsoft.Azure.Management.Storage.Fluent.Models;
using Constants = RBAC.UpdatePoliciesFromYamlConstants;
namespace RBAC
@ -236,7 +237,7 @@ namespace RBAC
}
/// <summary>
/// This method makes the specify scope dropdown indicate how many items were selected when the dropdown is close.
/// This method makes the specify scope dropdown indicate how many items were selected when the dropdown closes.
/// </summary>
/// <param name="sender">Button</param>
/// <param name="e">Mouse event</param>
@ -575,7 +576,7 @@ namespace RBAC
}
/// <summary>
/// This method generates the 'Assigned Permissions by Security Principal data grid' if the 'YAML' scope is selected.
/// This method generates the 'Listing Assigned Permissions by Security Principal' data grid if the 'YAML' scope is selected.
/// </summary>
/// <param name="yaml">The deserialized list of KeyVaultProperties objects</param>
/// <param name="type">The security principal type</param>
@ -646,7 +647,7 @@ namespace RBAC
}
/// <summary>
/// This method generates the 'Assigned Permissions by Security Principal data grid' if the 'Subscription' scope is selected.
/// This method generates the 'Listing Assigned Permissions by Security Principal' data grid if the 'Subscription' scope is selected.
/// </summary>
/// <param name="yaml">The deserialized list of KeyVaultProperties objects</param>
/// <param name="type">The security principal type</param>
@ -761,7 +762,7 @@ namespace RBAC
}
/// <summary>
/// This method generates the 'Assigned Permissions by Security Principal data grid' if the 'ResourceGroup' scope is selected.
/// This method generates the 'Listing Assigned Permissions by Security Principal' data grid if the 'ResourceGroup' scope is selected.
/// </summary>
/// <param name="yaml">The deserialized list of KeyVaultProperties objects</param>
/// <param name="type">The security principal type</param>
@ -856,7 +857,7 @@ namespace RBAC
}
/// <summary>
/// This method generates the 'Assigned Permissions by Security Principal data grid' if the 'KeyVault' scope is selected.
/// This method generates the 'Listing Assigned Permissions by Security Principal' data grid if the 'KeyVault' scope is selected.
/// </summary>
/// <param name="yaml">The deserialized list of KeyVaultProperties objects</param>
/// <param name="type">The security principal type</param>
@ -1467,12 +1468,12 @@ namespace RBAC
// Do nothing, means the last item is a CheckBox and thus no removal is necessary
}
}
foreach (var item in items)
foreach(var item in items)
{
CheckBox checkBox = item as CheckBox;
if((bool)(checkBox.IsChecked))
{
selected.Add((string)(checkBox.Content));
selected.Add((string)checkBox.Content);
}
}
return selected;
@ -1490,7 +1491,7 @@ namespace RBAC
List<KeyVaultProperties> yaml = Yaml;
ComboBoxItem scope = PBPScopeDropdown.SelectedItem as ComboBoxItem;
if (scope == null)
if(scope == null)
{
PbPopup.IsOpen = false;
MessageBox.Show("Please select scope prior to hitting 'Run'.", "ScopeInvalid Exception", MessageBoxButton.OK, MessageBoxImage.Warning);
@ -1498,7 +1499,7 @@ namespace RBAC
}
List<KeyVaultProperties> vaultsInScope = new List<KeyVaultProperties>();
if (scope.Content.ToString() == "YAML")
if(scope.Content.ToString() == "YAML")
{
vaultsInScope = yaml;
}
@ -1507,18 +1508,18 @@ namespace RBAC
ComboBox specifyScopeDropdown = PBPSpecifyScopeDropdown as ComboBox;
List<string> selected = getSelectedItemsTemplate(specifyScopeDropdown);
selected.Remove("All");
if (selected.Count() == 0)
if(selected.Count() == 0)
{
PbPopup.IsOpen = false;
MessageBox.Show("Please specify as least one scope prior to hitting 'Run'.", "ScopeInvalid Exception", MessageBoxButton.OK, MessageBoxImage.Warning);
return;
}
ILookup<string, KeyVaultProperties> lookup;
if (scope.Content.ToString() == "Subscription")
if(scope.Content.ToString() == "Subscription")
{
lookup = yaml.ToLookup(kv => kv.SubscriptionId);
}
else if (scope.Content.ToString() == "ResourceGroup")
else if(scope.Content.ToString() == "ResourceGroup")
{
lookup = yaml.ToLookup(kv => kv.ResourceGroupName);
}
@ -1527,7 +1528,7 @@ namespace RBAC
lookup = yaml.ToLookup(kv => kv.VaultName);
}
foreach (var specifiedScope in selected)
foreach(var specifiedScope in selected)
{
vaultsInScope.AddRange(lookup[specifiedScope].ToList());
}
@ -1564,14 +1565,14 @@ namespace RBAC
var k = data["Keys"];
var s = data["Secrets"];
var c = data["Certificates"];
if (k.Count == 0)
if(k.Count == 0)
{
KeyTitle.Visibility = Visibility.Collapsed;
ListSPKey.Visibility = Visibility.Collapsed;
}
else
{
foreach (var key in k.Keys)
foreach(var key in k.Keys)
{
if(k[key].Count != 0)
{
@ -1580,14 +1581,14 @@ namespace RBAC
Permission = key,
KeyVaults = new List<KVsWithPermission>()
};
foreach (var p in k[key])
foreach(var p in k[key])
{
var toAdd = new KVsWithPermission
{
VaultName = p.Item1,
SecurityPrincipals = new List<SecPrincipals>()
};
foreach (var sp in p.Item2)
foreach(var sp in p.Item2)
{
toAdd.SecurityPrincipals.Add(new SecPrincipals
{
@ -1611,14 +1612,14 @@ namespace RBAC
}
}
}
if (s.Count == 0)
if(s.Count == 0)
{
SecTitle.Visibility = Visibility.Collapsed;
ListSPSecret.Visibility = Visibility.Collapsed;
}
else
{
foreach (var key in s.Keys)
foreach(var key in s.Keys)
{
if(s[key].Count != 0)
{
@ -1627,14 +1628,14 @@ namespace RBAC
Permission = key,
KeyVaults = new List<KVsWithPermission>()
};
foreach (var p in s[key])
foreach(var p in s[key])
{
var toAdd = new KVsWithPermission
{
VaultName = p.Item1,
SecurityPrincipals = new List<SecPrincipals>()
};
foreach (var sp in p.Item2)
foreach(var sp in p.Item2)
{
toAdd.SecurityPrincipals.Add(new SecPrincipals
{
@ -1665,7 +1666,7 @@ namespace RBAC
}
else
{
foreach (var key in c.Keys)
foreach(var key in c.Keys)
{
if(c[key].Count != 0)
{
@ -1674,14 +1675,14 @@ namespace RBAC
Permission = key,
KeyVaults = new List<KVsWithPermission>()
};
foreach (var p in c[key])
foreach(var p in c[key])
{
var toAdd = new KVsWithPermission
{
VaultName = p.Item1,
SecurityPrincipals = new List<SecPrincipals>()
};
foreach (var sp in p.Item2)
foreach(var sp in p.Item2)
{
toAdd.SecurityPrincipals.Add(new SecPrincipals
{
@ -1714,7 +1715,7 @@ namespace RBAC
}
/// <summary>
/// This Class is Used to populate the datagrid for listing Security Principals by permission.
/// This Class is used to populate the datagrid for listing Security Principals by permission.
/// It stores a Permission and a list of KeyVaults with access policies containing the permission.
/// </summary>
internal class ListSpResults
@ -1723,7 +1724,7 @@ namespace RBAC
public List<KVsWithPermission> KeyVaults { get; set; }
}
/// <summary>
/// This Class is Used to populate the datagrid for listing Security Principals by permission.
/// This Class is used to populate the datagrid for listing Security Principals by permission.
/// It stores a KeyVault and a List of Security Principals with a certain permission.
/// </summary>
internal class KVsWithPermission
@ -1732,7 +1733,7 @@ namespace RBAC
public List<SecPrincipals> SecurityPrincipals { get; set; }
}
/// <summary>
/// This Class is Used to populate the datagrid for listing Security Principals by permission.
/// This Class is used to populate the datagrid for listing Security Principals by permission.
/// It stores a Security Principal's type, name, and alias.
/// </summary>
internal class SecPrincipals
@ -1762,7 +1763,7 @@ namespace RBAC
foreach(PrincipalPermissions principal in kv.AccessPolicies)
{
upInstance.translateShorthands(principal);
if (keysSelected.Count != 0)
if(keysSelected.Count != 0)
{
foreach(string key in keysSelected)
@ -1786,7 +1787,7 @@ namespace RBAC
}
if(secretsSelected.Count() != 0)
{
foreach (string secret in secretsSelected)
foreach(string secret in secretsSelected)
{
List<PrincipalPermissions> secretPrincipals = new List<PrincipalPermissions>();
if(principal.PermissionsToSecrets.Contains(secret.ToLower()))
@ -1953,12 +1954,12 @@ namespace RBAC
ComboBoxItem breakdownScope = BreakdownScopeDropdown.SelectedItem as ComboBoxItem;
string scope = breakdownScope.Content as string;
if (scope != "YAML")
if(scope != "YAML")
{
ComboBox scopeDropdown = SelectedScopeBreakdownDropdown as ComboBox;
List<string> selected = getSelectedItemsTemplate(scopeDropdown);
selected.Remove("All");
if (selected.Count() == 0)
if(selected.Count() == 0)
{
PbPopup.IsOpen = false;
MessageBox.Show("Please specify as least one scope prior to hitting 'Run'.", "ScopeInvalid Exception", MessageBoxButton.OK, MessageBoxImage.Warning);
@ -2120,10 +2121,10 @@ namespace RBAC
private void checkForShorthands(Dictionary<string, Dictionary<string, int>> usages, PrincipalPermissions principal)
{
upInstance.translateShorthands(principal);
foreach (string shorthand in Constants.SHORTHANDS_KEYS.Where(val => val != "all").ToArray())
foreach(string shorthand in Constants.SHORTHANDS_KEYS.Where(val => val != "all").ToArray())
{
var permissions = upInstance.getShorthandPermissions(shorthand, "key");
if (principal.PermissionsToKeys.Intersect(permissions).Count() == permissions.Count())
if(principal.PermissionsToKeys.Intersect(permissions).Count() == permissions.Count())
{
++usages["keyBreakdown"][shorthand];
}
@ -2132,7 +2133,7 @@ namespace RBAC
foreach(string shorthand in Constants.SHORTHANDS_SECRETS.Where(val => val != "all").ToArray())
{
var permissions = upInstance.getShorthandPermissions(shorthand, "secret");
if (principal.PermissionsToSecrets.Intersect(permissions).Count() == permissions.Count())
if(principal.PermissionsToSecrets.Intersect(permissions).Count() == permissions.Count())
{
++usages["secretBreakdown"][shorthand];
}
@ -2141,7 +2142,7 @@ namespace RBAC
foreach(string shorthand in Constants.SHORTHANDS_CERTIFICATES.Where(val => val != "all").ToArray())
{
var permissions = upInstance.getShorthandPermissions(shorthand, "certificate");
if (principal.PermissionsToCertificates.Intersect(permissions).Count() == permissions.Count())
if(principal.PermissionsToCertificates.Intersect(permissions).Count() == permissions.Count())
{
++usages["certificateBreakdown"][shorthand];
}
@ -2268,7 +2269,7 @@ namespace RBAC
CheckBox all = new CheckBox();
all.Content = "All";
MostAccessedSpecifyScopeDropdown.Items.Add(all);
if (choice == "KeyVault")
if(choice == "KeyVault")
{
foreach(KeyVaultProperties kv in yaml)
{
@ -2352,7 +2353,7 @@ namespace RBAC
CheckBox all = new CheckBox();
all.Content = "All";
SecurityPrincipalAccessSpecifyScopeDropdown.Items.Add(all);
if (choice == "KeyVault")
if(choice == "KeyVault")
{
foreach(KeyVaultProperties kv in yaml)
{
@ -2401,7 +2402,7 @@ namespace RBAC
// "Run" Buttons that Execute Code & Output ----------------------------------------------------------------------------------
/// <summary>
/// This method displays an output when a button is clicked
/// This method displays an output when a button is clicked.
/// </summary>
/// <param name="sender">Button</param>
/// <param name="e">Mouse event</param>
@ -2919,7 +2920,7 @@ namespace RBAC
}
/// <summary>
/// This method returns the button to its original color when a user exits or isn't hovering over the button
/// This method returns the button to its original color when a user exits or isn't hovering over the button.
/// </summary>
/// <param name="sender">Button</param>
/// <param name="e">Mouse event</param>
@ -2965,7 +2966,7 @@ namespace RBAC
}
/// <summary>
/// This method closes the popup for listing the top KeyVaults and closes all dropdowns
/// This method closes the popup for listing the top KeyVaults and closes all dropdowns.
/// </summary>
/// <param name="sender">CloseTopKVResults button</param>
/// <param name="e">Event triggered from clicking button</param>
@ -3004,7 +3005,7 @@ namespace RBAC
}
/// <summary>
/// This method closes the popup for listing the top Security Principals and closes all dropdowns
/// This method closes the popup for listing the top Security Principals and closes all dropdowns.
/// </summary>
/// <param name="sender">CloseTopSPResults button</param>
/// <param name="e">Event triggered from clicking button</param>
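Review bot: The reformatting throughout this section strips the space between control keywords and their parenthesis (`if(scope == null)`, `foreach(var item in items)`, `if(k.Count == 0)` and many more), which goes against the default C# formatting that `dotnet format` and Visual Studio emit (`if (scope == null)`), so the next auto-format pass will churn every one of these lines straight back; the test project in the same commit still uses the spaced form (`foreach (Testing<JsonInput> testCase ...`), so the codebase is now split on it. I would revert these to `if (` / `foreach (` and keep the genuinely useful changes here — the doc-comment fixes and the removal of the unused `Microsoft.Azure.Management.Storage.Fluent.Models` using. Separately, the new header comment carries a stray `-->` copied from the XAML form and should end with a period like the other .cs headers.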


@ -1,3 +1,5 @@
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using Microsoft.VisualStudio.TestTools.UnitTesting;
using Newtonsoft.Json.Linq;
using System;
@ -127,7 +129,7 @@ namespace RBAC
[TestMethod]
/// <summary>
/// This method verifies that reading in invalid Json fields are handled (checks if AppKeyDetails or Resources is null).
/// This method verifies that reading in invalid Json fields are handled (checks if Resources is null).
/// </summary>
public void TestCheckJsonFieldsInvalid()
{
@ -137,7 +139,7 @@ namespace RBAC
List<Testing<JsonInput>> testCasesJsonFieldsInvalid = new List<Testing<JsonInput>>()
{
new Testing <JsonInput> (createExpectedJson( null),
new Testing <JsonInput> (createExpectedJson(null),
"Missing Resources in Json. Invalid fields were defined; Only valid field is 'Resources'.")
};
foreach (Testing<JsonInput> testCase in testCasesJsonFieldsInvalid)
@ -253,13 +255,7 @@ namespace RBAC
/// <summary>
/// This method creates an expected json that is used for testing purposes.
/// </summary>
/// <param name="aadAppKeyDetails"> An AadAppKey </param>
/// <param name="resources"> List of Resources </param>
/// <param name="aadAppName"> aadAppName </param>
/// <param name="vaultName"> A keyVault name </param>
/// <param name="clientIdSecretName"> ClientIdSecretName </param>
/// <param name="clientKeySecretName"> ClientKeySecretName </param>
/// <param name="tenantIdSecretName"> TenantIdSecretName </param>
/// <returns>The expected deserialized JsonInput</returns>
private JsonInput createExpectedJson( List<Resource> resources)
{


@ -1,3 +1,5 @@
# Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
- VaultName: RG1Test1
ResourceGroupName: RG1
SubscriptionId: 00000000-0000-0000-0000-000000000000


@ -1,3 +1,5 @@
# Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
- VaultName: RG1Test1
ResourceGroupName: RG1
SubscriptionId: 00000000-0000-0000-0000-000000000000


@ -1,3 +1,5 @@
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
{
"Resources": [
{
@ -33,4 +35,4 @@
]
}
]
}
}
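Review bot: The `// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.` line added at the top of this .json test config makes the file invalid JSON — the JSON grammar has no comment syntax. Newtonsoft.Json, which the test project imports elsewhere in this commit, skips `//` comments by default, so the existing tests may still pass, but System.Text.Json with default options, `jq`, and editor validators will all reject the file, and anyone who copies it as a template for their own MasterConfig.json will hit a parse error. Drop the header from .json files; if a license marker is mandatory, carry it in a sibling file rather than in the JSON itself.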


@ -1,3 +1,5 @@
# Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
- VaultName: RG1Test1
ResourceGroupName: RG1
SubscriptionId: 00000000-0000-0000-0000-000000000000


@ -1,3 +1,5 @@
// Copyright (c) Microsoft Corporation. // Licensed under the MIT license.
{
"Resources": [
{
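Review bot: Same issue as the other .json test file in this commit — the leading `// Copyright (c) Microsoft Corporation. // Licensed under the MIT license.` line is not valid JSON, and this copy also differs from the others by an extra space before the second `//`. Whether it parses depends entirely on the reader tolerating comments (Newtonsoft does by default; System.Text.Json and most validators do not), so the header should be removed from JSON inputs rather than relied on. The rest of the file is outside the hunk.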


@ -1,3 +1,5 @@
# Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
- VaultName: RG1Test1
ResourceGroupName: RG1
SubscriptionId: 00000000-0000-0000-0000-000000000000


@ -1,8 +1,9 @@
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using Microsoft.VisualStudio.TestTools.UnitTesting;
using System;
using System.Collections.Generic;
using System.Linq;
using YamlDotNet.Serialization;
using Constants = RBAC.UpdatePoliciesFromYamlConstants;
namespace RBAC


@ -185,7 +185,7 @@ We have provided a series of automated test cases to verify your inputs.
# Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a
CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions


@ -1,4 +1,6 @@
using Microsoft.Azure.Management.ContainerRegistry.Fluent;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using Microsoft.Azure.Management.ContainerRegistry.Fluent;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Azure.Management.KeyVault.Models;
using Microsoft.Graph;
@ -27,7 +29,7 @@ namespace RBAC
}
/// <summary>
/// This method verifies that the file arguments are of the correct type.
/// This method verifies that the file arguments are of the correct number, type, and path.
/// </summary>
/// <param name="args">The string array of program arguments</param>
public void verifyFileExtensions(string[] args)
@ -88,7 +90,7 @@ namespace RBAC
}
/// <summary>
/// This method reads in the Yaml file and stores the data in a list of KeyVaultProperties. If any of the fields are removed, an error is thrown.
/// This method reads in the Yaml file and stores the data in a list of "KeyVaultProperties". If any of the fields are removed, an error is thrown.
/// </summary>
/// <returns>The list of KeyVaultProperties if the input file has the correct formatting. Otherwise, exits the program.</returns>
/// <param name="yamlDirectory">The directory of the yaml file</param>
@ -437,10 +439,10 @@ namespace RBAC
/// <summary>
/// This method updates the access policies for each KeyVault in the yamlVaults list.
/// </summary>
/// <param name="yamlVaults">The list of KeyVaultProperties obtained from the Yaml file</param>
/// <param name="vaultsRetrieved">The list of KeyVaultProperties obtained from the MasterConfig.json file</param>
/// <param name="yamlVaults">The list of "KeyVaultProperties" obtained from the Yaml file</param>
/// <param name="vaultsRetrieved">The list of "KeyVaultProperties" obtained from the MasterConfig.json file</param>
/// <param name="kvmClient">The KeyManagementClient</param>
/// <param name="secrets">The dictionary of information obtained from SecretClient</param>
/// <param name="secrets">The dictionary of information obtained from environment variables</param>
/// <param name="graphClient">The GraphServiceClient to obtain the security principal's data</param>
public List<KeyVaultProperties> updateVaults(List<KeyVaultProperties> yamlVaults, List<KeyVaultProperties> vaultsRetrieved, KeyVaultManagementClient kvmClient,
Dictionary<string, string> secrets, GraphServiceClient graphClient)
@ -894,7 +896,6 @@ namespace RBAC
log.Info("Shorthands translated!");
}
/// <summary>
/// This method translates the specified shorthand to its respective permissions.
/// </summary>


@ -1,4 +1,6 @@
using Microsoft.Azure.Management.KeyVault.Models;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using Microsoft.Azure.Management.KeyVault.Models;
using System.Linq;
using System;
[assembly: log4net.Config.XmlConfigurator]


@ -1,5 +1,10 @@
using System;
// Copyright (c) Microsoft Corporation.// Licensed under the MIT license.
using System;
using System.Collections.Generic;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Graph;
using static Microsoft.Azure.Management.Fluent.Azure;
namespace RBAC
{
@ -27,13 +32,13 @@ namespace RBAC
Console.WriteLine("Finished!");
Console.WriteLine("Grabbing secrets...");
var secrets = ap.getSecrets(vaultList);
Dictionary<string,string> secrets = ap.getSecrets();
Console.WriteLine("Finished!");
Console.WriteLine("Creating KeyVaultManagementClient, GraphServiceClient, and AzureClient...");
var kvmClient = ap.createKVMClient(secrets);
var graphClient = ap.createGraphClient(secrets);
var azureClient = ap.createAzureClient(secrets);
KeyVaultManagementClient kvmClient = ap.createKVMClient(secrets);
GraphServiceClient graphClient = ap.createGraphClient(secrets);
IAuthenticated azureClient = ap.createAzureClient(secrets);
Console.WriteLine("Finished!"); ;
Console.WriteLine("Checking access and retrieving key vaults...");