예제 #1
def reset_sp_credentials_for_mediaservice(cmd, client, account_name, resource_group_name, sp_name=None,
                                          role='Contributor', sp_password=None, xml=False, years=None):
    """Update the password credentials of an existing service principal and assign its role.

    Fetches the Media Services account, resolves the service principal by the
    name returned from ``_create_sp_name``, updates the password credentials of
    the backing application, assigns ``role`` on the account's resource id and
    returns the value built by ``_build_sp_result``.

    Security notes for callers:
    - ``sp_password`` is passed on to ``_build_sp_result``, so the command
      output presumably contains the secret in clear text; keep that output
      out of logs and CI artefacts.
    - ``role`` defaults to 'Contributor'; pass a narrower role when it suffices.

    :raises CLIError: when no service principal matches the resolved name.
    """
    media_account = client.get(resource_group_name, account_name)

    graph = _graph_client_factory(cmd.cli_ctx)

    sp_name = _create_sp_name(account_name, sp_name)
    # presumably generates a password when none was supplied; confirm in _create_sp_password
    sp_password = _create_sp_password(sp_password)

    # Only used for the error message below.
    display_name = sp_name.replace('http://', '')

    existing_sp = _get_service_principal(graph, sp_name)
    if not existing_sp:
        raise CLIError("Can't find a service principal matching '{}'".format(display_name))

    tenant_id = graph.config.tenant_id
    principal_object_id = existing_sp.object_id
    application_id = existing_sp.app_id

    # NOTE(review): the credential is updated before the role assignment. If
    # _assign_role raises, the password change has already been requested but
    # the new value is never returned to the caller; confirm how callers recover.
    _update_password_credentials(graph,
                                 _get_application_object_id(graph.applications, application_id),
                                 sp_password,
                                 years)

    _assign_role(cmd, role, principal_object_id, media_account.id)

    endpoints = cmd.cli_ctx.cloud.endpoints
    return _build_sp_result(client.config.subscription_id,
                            media_account.location,
                            resource_group_name,
                            account_name,
                            tenant_id,
                            application_id,
                            sp_password,
                            endpoints.management,
                            endpoints.active_directory,
                            endpoints.resource_manager,
                            xml)
예제 #2
def create_assign_sp_to_mediaservice(cmd, client, account_name, resource_group_name, sp_name=None,
                                     role='Contributor', sp_password=None, xml=False, years=None):
    """Create an application and service principal and assign it a role on a Media Services account.

    Fetches the account, refuses to continue when a service principal with the
    resolved name already exists, creates the application (single tenant:
    ``available_to_other_tenants=False``) with a password credential, creates
    the service principal, assigns ``role`` on the account's resource id and
    returns the value built by ``_build_sp_result``.

    Security notes for callers:
    - ``sp_password`` is passed on to ``_build_sp_result``, so the command
      output presumably contains the secret in clear text; keep that output
      out of logs and CI artefacts.
    - ``role`` defaults to 'Contributor'; pass a narrower role when it suffices.

    :raises CLIError: when a service principal with the resolved name already exists.
    """
    media_account = client.get(resource_group_name, account_name)

    graph = _graph_client_factory(cmd.cli_ctx)

    sp_name = _create_sp_name(account_name, sp_name)
    # presumably generates a password when none was supplied; confirm in _create_sp_password
    sp_password = _create_sp_password(sp_password)

    display_name = sp_name.replace('http://', '')

    if _get_service_principal(graph, sp_name):
        raise CLIError("Service principal '{}' already exists.".format(display_name))

    # NOTE(review): if a later step (_create_service_principal or _assign_role)
    # raises, the application created here is left in place together with its
    # password credential; no cleanup is visible in this function.
    application = create_application(
        graph.applications,
        display_name=display_name,
        homepage=sp_name,
        years=years,
        password=sp_password,
        identifier_uris=[sp_name],
        available_to_other_tenants=False,
    )

    application_id = application.app_id
    tenant_id = graph.config.tenant_id
    principal_object_id = _create_service_principal(graph, name=sp_name, app_id=application_id)

    _assign_role(cmd, role, principal_object_id, media_account.id)

    endpoints = cmd.cli_ctx.cloud.endpoints
    return _build_sp_result(client.config.subscription_id,
                            media_account.location,
                            resource_group_name,
                            account_name,
                            tenant_id,
                            application_id,
                            sp_password,
                            endpoints.management,
                            endpoints.active_directory,
                            endpoints.resource_manager,
                            xml)
예제 #3
파일: sp.py 프로젝트: sptramer/azure-cli
def create_assign_sp_to_mediaservice(cmd, client, account_name, resource_group_name, sp_name=None,
                                     role='Contributor', sp_password=None, xml=False, years=None):
    """Provision a new service principal for a Media Services account.

    Steps, in order: fetch the account, resolve the service principal name,
    fail if that principal already exists, create a single-tenant application
    carrying a password credential, create the service principal for it,
    assign ``role`` scoped to the account's resource id, and return the value
    built by ``_build_sp_result``.

    Security notes for callers:
    - The password is forwarded to ``_build_sp_result``; the result presumably
      exposes it in clear text, so treat the command output as a secret.
    - The default ``role`` is 'Contributor'; choose a narrower role when possible.

    :raises CLIError: when the resolved service principal name is already taken.
    """
    account = client.get(resource_group_name, account_name)

    aad_graph = _graph_client_factory(cmd.cli_ctx)

    sp_name = _create_sp_name(account_name, sp_name)
    # presumably fills in a generated value when sp_password is None; verify against the helper
    sp_password = _create_sp_password(sp_password)

    shown_name = sp_name.replace('http://', '')

    already_there = _get_service_principal(aad_graph, sp_name)
    if already_there:
        raise CLIError("Service principal '{}' already exists.".format(shown_name))

    # NOTE(review): nothing in this function removes the application again if
    # creating the service principal or assigning the role fails afterwards,
    # so a failed run can leave an application with a live password credential.
    app_kwargs = dict(display_name=shown_name,
                      homepage=sp_name,
                      years=years,
                      password=sp_password,
                      identifier_uris=[sp_name],
                      available_to_other_tenants=False)
    new_app = create_application(aad_graph.applications, **app_kwargs)

    app_id = new_app.app_id
    tenant = aad_graph.config.tenant_id
    new_sp_object_id = _create_service_principal(aad_graph, name=sp_name, app_id=app_id)

    _assign_role(cmd, role, new_sp_object_id, account.id)

    cloud_endpoints = cmd.cli_ctx.cloud.endpoints
    return _build_sp_result(
        client.config.subscription_id, account.location, resource_group_name, account_name,
        tenant, app_id, sp_password,
        cloud_endpoints.management, cloud_endpoints.active_directory, cloud_endpoints.resource_manager,
        xml)
예제 #4
파일: sp.py 프로젝트: sptramer/azure-cli
def reset_sp_credentials_for_mediaservice(cmd, client, account_name, resource_group_name, sp_name=None,
                                          role='Contributor', sp_password=None, xml=False, years=None):
    """Reset the password credentials of a service principal tied to a Media Services account.

    Steps, in order: fetch the account, resolve the service principal name,
    fail if no such principal exists, update the password credentials on the
    principal's application, assign ``role`` scoped to the account's resource
    id, and return the value built by ``_build_sp_result``.

    Security notes for callers:
    - The password is forwarded to ``_build_sp_result``; the result presumably
      exposes it in clear text, so treat the command output as a secret.
    - The default ``role`` is 'Contributor'; choose a narrower role when possible.

    :raises CLIError: when the resolved service principal name cannot be found.
    """
    account = client.get(resource_group_name, account_name)

    aad_graph = _graph_client_factory(cmd.cli_ctx)

    sp_name = _create_sp_name(account_name, sp_name)
    # presumably fills in a generated value when sp_password is None; verify against the helper
    sp_password = _create_sp_password(sp_password)

    shown_name = sp_name.replace('http://', '')

    target_sp = _get_service_principal(aad_graph, sp_name)
    if not target_sp:
        raise CLIError("Can't find a service principal matching '{}'".format(shown_name))

    tenant = aad_graph.config.tenant_id
    sp_object_id, app_id = target_sp.object_id, target_sp.app_id

    application_object_id = _get_application_object_id(aad_graph.applications, app_id)

    # NOTE(review): the role assignment runs after the credential update, so a
    # failure in _assign_role surfaces once the password change has already
    # been requested and the new value is not returned; confirm the recovery path.
    _update_password_credentials(aad_graph, application_object_id, sp_password, years)
    _assign_role(cmd, role, sp_object_id, account.id)

    cloud_endpoints = cmd.cli_ctx.cloud.endpoints
    return _build_sp_result(
        client.config.subscription_id, account.location, resource_group_name, account_name,
        tenant, app_id, sp_password,
        cloud_endpoints.management, cloud_endpoints.active_directory, cloud_endpoints.resource_manager,
        xml)
예제 #5
파일: sp.py 프로젝트: tjegbejimba/azure-cli
def create_or_update_assign_sp_to_mediaservice(cmd,
                                               client,
                                               account_name,
                                               resource_group_name,
                                               sp_name=None,
                                               new_sp_name=None,
                                               role='Contributor',
                                               sp_password=None,
                                               xml=False,
                                               years=None):
    """Create a service principal for a Media Services account, or update it if it exists.

    When a service principal with the resolved name already exists, the work is
    delegated to ``_update_sp`` (which receives ``sp_password`` exactly as the
    caller supplied it) and its result is returned. Otherwise a single-tenant
    application with a password credential is created, a service principal is
    created for it, ``role`` is assigned on the account's resource id, and the
    value built by ``_build_sp_result`` is returned.

    Security notes for callers:
    - ``sp_password`` is passed on to ``_build_sp_result``, so the command
      output presumably contains the secret in clear text; keep that output
      out of logs and CI artefacts.
    - ``role`` defaults to 'Contributor'; pass a narrower role when it suffices.
    """
    media_account = client.get(resource_group_name, account_name)

    subscription_id = get_subscription_id(cmd.cli_ctx)

    graph = _graph_client_factory(cmd.cli_ctx)

    sp_name = _create_sp_name(account_name, sp_name)

    display_name = sp_name.replace('http://', '')

    existing_sp = _get_service_principal(graph, sp_name)
    if aad_sp_exists := bool(existing_sp):
        # Update path: no password is generated here; _update_sp gets the raw argument.
        return _update_sp(cmd, graph, existing_sp, media_account, account_name,
                          resource_group_name, display_name, new_sp_name,
                          role, years, sp_password, xml)

    # Create path.
    # presumably generates a password when none was supplied; confirm in _create_sp_password
    sp_password = _create_sp_password(sp_password)

    # NOTE(review): if a later step raises, the application created here stays
    # behind with its password credential; no cleanup is visible in this function.
    application = create_application(
        graph.applications,
        display_name=display_name,
        homepage=sp_name,
        years=years,
        password=sp_password,
        identifier_uris=[sp_name],
        available_to_other_tenants=False,
    )

    application_id = application.app_id

    # Only the third element (the tenant id) of the login credentials is used.
    _, _, tenant_id = Profile(cli_ctx=cmd.cli_ctx).get_login_credentials(
        resource=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id
    )

    principal_object_id = _create_service_principal(graph, name=sp_name, app_id=application_id)

    _assign_role(cmd, role, principal_object_id, media_account.id)

    endpoints = cmd.cli_ctx.cloud.endpoints
    return _build_sp_result(subscription_id,
                            media_account.location,
                            resource_group_name,
                            account_name,
                            tenant_id,
                            application_id,
                            display_name,
                            sp_password,
                            endpoints.management,
                            endpoints.active_directory,
                            endpoints.resource_manager,
                            role,
                            xml)
예제 #6
파일: sp.py 프로젝트: tjegbejimba/azure-cli
def list_role_assignments(cmd, assignee_object_id, scope=None):
    '''
    Return the role assignments found for one principal, with readable names added.

    :param assignee_object_id: object id passed to _search_role_assignments.
    :param scope: scope used when listing role definitions for the name lookup;
        when empty, '/subscriptions/<current subscription id>' is used. In this
        function it is not passed to the assignment search.
    :return: list of assignment dicts. 'roleDefinitionName' is added only when the
        role definition is found; 'principalName' is filled in only when the graph
        lookup succeeds.

    Name resolution is best effort: a graph failure is logged at info level and
    swallowed, so entries can come back without a usable 'principalName'. When
    reviewing access, key on 'principalId' and 'roleDefinitionId' rather than on
    the display names.
    '''
    graph = _graph_client_factory(cmd.cli_ctx)
    auth_clients = _auth_client_factory(cmd.cli_ctx)
    assignments_api = auth_clients.role_assignments
    definitions_api = auth_clients.role_definitions

    found = _search_role_assignments(assignments_api, assignee_object_id)

    subscription_id = get_subscription_id(cmd.cli_ctx)

    results = todict(found) if found else []
    if not results:
        return []

    # Roles or principals referenced by an assignment may have been deleted;
    # such entries are simply left without the corresponding name.

    # Role names.
    definitions_scope = scope or ('/subscriptions/' + subscription_id)
    role_names = {
        definition.id: definition.role_name
        for definition in definitions_api.list(scope=definitions_scope)
    }
    for entry in results:
        role_name = role_names.get(entry['roleDefinitionId'])
        if role_name:
            entry['roleDefinitionName'] = role_name

    # Principal names.
    principal_ids = {entry['principalId'] for entry in results if entry['principalId']}
    if not principal_ids:
        return results

    try:
        stubs = _get_object_stubs(graph, principal_ids)
        display_names = {stub.object_id: _get_displayable_name(stub) for stub in stubs}

        for entry in results:
            if entry.get('principalName'):
                continue
            entry['principalName'] = display_names.get(entry['principalId']) or ''
    except (HttpResponseError, GraphErrorException) as ex:
        # Missing graph permission must not fail the whole listing.
        logger.info(
            "Failed to resolve graph object information per error '%s'",
            ex)

    return results
예제 #7
파일: sp.py 프로젝트: sptramer/azure-cli
def list_role_assignments(cmd, assignee_object_id, scope=None):
    '''
    List one principal's role assignments and annotate them with display names.

    :param assignee_object_id: object id passed to _search_role_assignments.
    :param scope: scope used when listing role definitions for the name lookup;
        when empty, '/subscriptions/<subscription id of the definitions client>'
        is used. In this function it is not passed to the assignment search.
    :return: list of assignment dicts. 'roleDefinitionName' is added only when the
        role definition is found; 'principalName' is filled in only when the graph
        lookup succeeds.

    Name resolution is best effort: a graph failure is logged at info level and
    swallowed, so a missing or empty 'principalName' does not mean the assignment
    has no principal. Audit on 'principalId' and 'roleDefinitionId'.
    '''
    aad_graph = _graph_client_factory(cmd.cli_ctx)
    auth = _auth_client_factory(cmd.cli_ctx)
    role_assignments = auth.role_assignments
    role_definitions = auth.role_definitions

    raw_assignments = _search_role_assignments(role_assignments, assignee_object_id)

    results = todict(raw_assignments) if raw_assignments else []
    if not results:
        return []

    # Roles or principals referenced by an assignment may have been deleted;
    # such entries are simply left without the corresponding name.

    # Role names.
    lookup_scope = scope or ('/subscriptions/' + role_definitions.config.subscription_id)
    name_by_role_id = {}
    for definition in role_definitions.list(scope=lookup_scope):
        name_by_role_id[definition.id] = definition.role_name

    for row in results:
        resolved_role = name_by_role_id.get(row['roleDefinitionId'])
        if resolved_role:
            row['roleDefinitionName'] = resolved_role

    # Principal names.
    principal_ids = {row['principalId'] for row in results if row['principalId']}
    if not principal_ids:
        return results

    try:
        name_by_principal_id = {
            stub.object_id: _get_displayable_name(stub)
            for stub in _get_object_stubs(aad_graph, principal_ids)
        }

        for row in results:
            if row.get('principalName'):
                continue
            row['principalName'] = name_by_principal_id.get(row['principalId']) or ''
    except (CloudError, GraphErrorException) as ex:
        # Missing graph permission must not fail the whole listing.
        logger.info("Failed to resolve graph object information per error '%s'", ex)

    return results