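def augment(self, resources):
    """Annotate role-assignment resources with details of their AAD principal.

    Collects every distinct, non-empty ``properties.principalId`` from
    *resources*, resolves them through the Azure AD Graph in one request and,
    for each resource whose principal was returned, sets ``principalName``,
    ``displayName`` and ``aadType`` on the resource dict in place.

    :param resources: list of resource dicts carrying ``properties.principalId``.
    :return: the same list; resources whose principal could not be resolved
        (empty id, id absent from the Graph response, or the Graph call being
        rejected) are left un-annotated rather than failing the whole run.
    """
    s = Session(resource='https://graph.windows.net')
    graph_client = GraphRbacManagementClient(s.get_credentials(), s.get_tenant_id())

    object_ids = list({
        resource['properties']['principalId']
        for resource in resources
        if resource['properties']['principalId']
    })
    # Nothing to resolve (no resources, or none with a principalId): skip the
    # Graph round-trip instead of issuing a query for an empty id list.
    if not object_ids:
        return resources

    object_params = GetObjectsParameters(
        include_directory_object_references=True,
        object_ids=object_ids)
    aad_objects = graph_client.objects.get_objects_by_object_ids(object_params)

    try:
        # Consuming the result is where a CloudError surfaces, so the dict
        # build stays inside the try.
        principal_dics = {
            aad_object.object_id: aad_object
            for aad_object in aad_objects
        }
        for resource in resources:
            # Resources with an empty principalId were never queried, and an
            # id may be missing from the response (possibly a principal that
            # no longer exists); skip those instead of raising KeyError.
            graph_resource = principal_dics.get(resource['properties']['principalId'])
            if graph_resource is None:
                continue
            resource['principalName'] = self.get_principal_name(graph_resource)
            resource['displayName'] = graph_resource.display_name
            resource['aadType'] = graph_resource.object_type
    except CloudError:
        log.warning(
            'Credentials not authorized for access to read from Microsoft Graph. \n '
            'Can not query on principalName, displayName, or aadType. \n')
    return resources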
def _get_object_stubs(graph_client, assignees):
    """Fetch the Graph directory objects for *assignees*, 1000 ids per request.

    :param graph_client: Graph RBAC client exposing ``objects.get_objects_by_object_ids``.
    :param assignees: iterable of object ids; a set is accepted (it is listified).
    :return: list of the returned directory objects, in request order.
    """
    from azure.graphrbac.models import GetObjectsParameters
    ids = list(assignees)  # callers could pass in a set
    chunk = 1000
    stubs = []
    for offset in range(0, len(ids), chunk):
        query = GetObjectsParameters(include_directory_object_references=True,
                                     object_ids=ids[offset:offset + chunk])
        stubs.extend(graph_client.objects.get_objects_by_object_ids(query))
    return stubs
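def _look_up_spring_cloud_rp(cmd, objectIds, subscription_id=None):
    """Find, among *objectIds*, the AAD object this function treats as the Spring Cloud RP.

    The ids are resolved through the Azure AD Graph in batches of 1000 and the
    first object whose ``app_id`` matches the hard-coded application id is
    returned.

    :param cmd: CLI command context; ``cmd.cli_ctx`` is used to build the Graph client.
    :param objectIds: iterable of AAD object ids (any iterable; converted to a list).
    :param subscription_id: optional subscription used when building the Graph client.
    :return: the matching AAD object, or ``None`` when *objectIds* is empty or
        no object matches.
    """
    if not objectIds:
        return None
    # Materialise first: slicing below fails on a set or other non-sequence.
    ids = list(objectIds)
    graph_client = _get_graph_rbac_management_client(cmd.cli_ctx, subscription_id=subscription_id)
    from azure.graphrbac.models import GetObjectsParameters
    # Application id the lookup matches on (same value the original code used).
    spring_cloud_rp_app_id = 'e8de9221-a19c-4c81-b814-fd37c6caf9d2'
    # 1000 ids per request, matching the batching used for this Graph call elsewhere.
    batch_size = 1000
    for start in range(0, len(ids), batch_size):
        params = GetObjectsParameters(include_directory_object_references=True,
                                      object_ids=ids[start:start + batch_size])
        batch = list(graph_client.objects.get_objects_by_object_ids(params))
        app = next((x for x in batch if x.app_id and x.app_id == spring_cloud_rp_app_id), None)
        if app:
            return app
    return None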
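def get_principal_dictionary(graph_client, object_ids):
    """Return a dict mapping each id in *object_ids* to its Azure AD object.

    Every id gets an entry up front: an empty ``AADObject()`` placeholder that is
    replaced by the real object when the Graph lookup returns it, so callers can
    index the result without checking for missing keys.

    :param graph_client: Graph RBAC client exposing ``objects.get_objects_by_object_ids``.
    :param object_ids: iterable of AAD object ids to resolve.
    :return: dict keyed by object id; ids the Graph did not return keep the
        placeholder. An empty *object_ids* yields ``{}`` without a Graph call.
    """
    # Nothing to look up: avoid issuing a Graph query for an empty id list.
    if not object_ids:
        return {}
    object_params = GetObjectsParameters(
        include_directory_object_references=True,
        object_ids=object_ids)
    principal_dics = {object_id: AADObject() for object_id in object_ids}
    aad_objects = graph_client.objects.get_objects_by_object_ids(object_params)
    try:
        # Consuming the result is where a CloudError surfaces, so it stays in the try.
        for aad_object in aad_objects:
            principal_dics[aad_object.object_id] = aad_object
    except CloudError as e:
        # Only report "not authorized" when the status actually says so; any
        # other failure (throttling, transport, ...) is logged with its detail so
        # it is not misdiagnosed as a permissions problem.
        if e.status_code in [403, 401]:
            GraphHelper.log.warning(
                'Credentials not authorized for access to read from Microsoft Graph. \n '
                'Can not query on principalName, displayName, or aadType. \n')
        else:
            GraphHelper.log.error(
                'Exception in call to Microsoft Graph. \n '
                'Can not query on principalName, displayName, or aadType. \n'
                'Error: {0}'.format(e))
    return principal_dics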
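def _get_object_id(assignee):
    """Resolve *assignee* to an Azure AD object id.

    *assignee* may be a user principal name (contains ``@``), a service
    principal name, or already an object id; each interpretation is tried in
    that order and the first match wins.

    :param assignee: identifier supplied by the caller (typically command-line input).
    :return: the matching object's ``object_id``.
    :raises CLIError: if nothing in the graph matches.
    """
    client = _graph_client_factory()
    # OData string literals escape an embedded single quote by doubling it.
    # Without this, an assignee containing an apostrophe produces a malformed
    # filter, or one whose meaning differs from the name the caller supplied.
    quoted = assignee.replace("'", "''")
    result = None
    if '@' in assignee:  # looks like a user principal name
        result = list(client.users.list(
            filter="userPrincipalName eq '{}'".format(quoted)))
    if not result:
        result = list(client.service_principals.list(
            filter="servicePrincipalNames/any(c:c eq '{}')".format(quoted)))
    if not result:
        # assume an object id, let us verify it
        from azure.graphrbac.models import GetObjectsParameters
        result = list(client.objects.get_objects_by_object_ids(
            GetObjectsParameters(include_directory_object_references=True,
                                 object_ids=[assignee])))
    # 2+ matches should never happen, so we only check 'no match' here
    if not result:
        raise CLIError("No matches in graph database for '{}'".format(assignee))
    return result[0].object_id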
def get_principal_dictionary(graph_client, object_ids, raise_on_graph_call_error=False):
    """Map each id in *object_ids* to its Azure AD object.

    Ids the Graph does not return keep an empty ``DirectoryObject()``
    placeholder. A failed Graph call is logged (a warning for 401/403, an
    error with detail otherwise) and, when *raise_on_graph_call_error* is
    true, re-raised after logging.

    :param graph_client: client exposing ``objects.get_objects_by_object_ids``.
    :param object_ids: object ids to resolve; an empty value yields ``{}``
        without contacting the Graph.
    :param raise_on_graph_call_error: re-raise the ``CloudError`` after logging it.
    :return: dict keyed by object id.
    """
    if not object_ids:
        return {}

    lookup = {oid: DirectoryObject() for oid in object_ids}
    query = GetObjectsParameters(
        include_directory_object_references=True,
        object_ids=object_ids)
    found = graph_client.objects.get_objects_by_object_ids(query)

    try:
        # Consuming the result is where a CloudError surfaces, hence the try.
        for obj in found:
            lookup[obj.object_id] = obj
    except CloudError as err:
        if err.status_code in (401, 403):
            GraphHelper.log.warning(
                'Credentials not authorized for access to read from Microsoft Graph. \n '
                'Can not query on principalName, displayName, or aadType. \n')
        else:
            GraphHelper.log.error(
                'Exception in call to Microsoft Graph. \n '
                'Can not query on principalName, displayName, or aadType. \n'
                'Error: {0}'.format(err))
        if raise_on_graph_call_error:
            raise
    return lookup
def _get_object_stubs(graph_client, assignees):
    """Fetch the Graph directory objects whose ids are in *assignees* in one request.

    :param graph_client: Graph RBAC client exposing ``objects.get_objects_by_object_ids``.
    :param assignees: object ids to resolve, passed through to the request as-is.
    :return: list of the returned directory objects.
    """
    from azure.graphrbac.models import GetObjectsParameters
    query = GetObjectsParameters(
        include_directory_object_references=True,
        object_ids=assignees)
    stubs = graph_client.objects.get_objects_by_object_ids(query)
    return list(stubs)
def _get_object_stubs(graph_client, assignees):
    """Fetch the Graph directory objects whose ids are in *assignees* in one request.

    :param graph_client: Graph RBAC client exposing ``objects.get_objects_by_object_ids``.
    :param assignees: object ids to resolve, passed through to the request as-is.
    :return: list of the returned directory objects.
    """
    query = GetObjectsParameters(
        include_directory_object_references=True,
        object_ids=assignees)
    stubs = graph_client.objects.get_objects_by_object_ids(query)
    return list(stubs)