# coding=utf-8 # ---------------------------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See License file in the project root for license information. # ---------------------------------------------------------------------------------------------- from enum import Enum from typing import Iterable, Optional from uuid import uuid4 from azure.cli.core.azclierror import ValidationError from knack.log import get_logger from ...util.az_client import get_authz_client logger = get_logger(__name__) VALID_PERM_FORMS = frozenset( ["*", "*/write", "microsoft.authorization/roleassignments/write", "microsoft.authorization/*/write"] ) ROLE_DEF_FORMAT_STR = "/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/{role_id}" # TODO: one-off for time, make generic def verify_write_permission_against_rg(subscription_id: str, resource_group_name: str): for permission in get_principal_permissions_for_group( subscription_id=subscription_id, resource_group_name=resource_group_name ): action_result = False negate_action_result = False for action in permission.get("actions", []): if action.lower() in VALID_PERM_FORMS: action_result = True break for not_action in permission.get("notActions", []): if not_action.lower() in VALID_PERM_FORMS: negate_action_result = True break if action_result and not negate_action_result: return raise ValidationError( "This IoT Operations deployment config includes resource sync rules which require the logged-in principal\n" "to have permission to write role assignments (Microsoft.Authorization/roleAssignments/write) " "against the resource group.\n\n" "Run the command with --enable-rsync False to not include resource sync rules in the deployment.\n" ) def get_principal_permissions_for_group(subscription_id: str, resource_group_name: str) -> Iterable[dict]: authz_client = get_authz_client(subscription_id=subscription_id) return authz_client.permissions.list_for_resource_group(resource_group_name) class PermissionState(Enum): ActionAllowed = 1 ActionDenied = 2 ActionUndefined = 3 class PrincipalType(Enum): # There are more types but keeping this short with respect to what we use for now USER = "User" SERVICE_PRINCIPAL = "ServicePrincipal" class PermissionManager: def __init__(self, subscription_id: str): self.authz_client = get_authz_client( subscription_id=subscription_id, ) def apply_role_assignment( self, scope: str, principal_id: str, role_def_id: str, principal_type: Optional[str] = None ) -> Optional[dict]: role_assignments_iter = self.authz_client.role_assignments.list_for_scope( scope=scope, filter=f"principalId eq '{principal_id}'" ) for role_assignment in role_assignments_iter: if role_assignment["properties"]["roleDefinitionId"] == role_def_id: return props = { "properties": { "roleDefinitionId": role_def_id, "principalId": principal_id, } } if principal_type: props["properties"]["principalType"] = principal_type return self.authz_client.role_assignments.create( scope=scope, role_assignment_name=str(uuid4()), parameters=props, ) def can_apply_role_assignment( self, resource_group_name: str, resource_provider_namespace: str, parent_resource_path: str, resource_type: str, resource_name: str, ) -> bool: permissions = self._get_principal_permissions_for_resource( resource_group_name=resource_group_name, resource_provider_namespace=resource_provider_namespace, parent_resource_path=parent_resource_path, resource_type=resource_type, resource_name=resource_name, ) action_allowed = None for permission in permissions: action_result = self._calculate_action(permission=permission, valid_permissions=VALID_PERM_FORMS) if action_result == PermissionState.ActionAllowed and action_allowed is not False: action_allowed = True elif action_result == PermissionState.ActionDenied: action_allowed = False return bool(action_allowed) def _get_principal_permissions_for_resource( self, resource_group_name: str, resource_provider_namespace: str, parent_resource_path: str, resource_type: str, resource_name: str, ) -> Iterable: return self.authz_client.permissions.list_for_resource( resource_group_name=resource_group_name, resource_provider_namespace=resource_provider_namespace, parent_resource_path=parent_resource_path, resource_type=resource_type, resource_name=resource_name, ) def _calculate_action(self, permission: dict, valid_permissions: frozenset) -> PermissionState: action_result = False negate_action_result = False for action in permission.get("actions", []): if action.lower() in valid_permissions: action_result = True break for not_action in permission.get("notActions", []): if not_action.lower() in valid_permissions: negate_action_result = True break if action_result and not negate_action_result: return PermissionState.ActionAllowed if negate_action_result: return PermissionState.ActionDenied return PermissionState.ActionUndefined