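    def augment(self, resources):
        """Annotate role-assignment *resources* with details of their principal.

        Every resource is read for ``properties.principalId``; the distinct,
        non-empty ids are resolved in one batched Azure AD Graph call and each
        resource that has a matching directory object gains the keys
        ``principalName``, ``displayName`` and ``aadType`` (mutated in place).

        :param resources: list of role-assignment resource dicts.
        :return: the same ``resources`` object, annotated where a lookup succeeded.
        """
        session = Session(resource='https://graph.windows.net')
        graph_client = GraphRbacManagementClient(session.get_credentials(),
                                                 session.get_tenant_id())

        # Dedupe and drop empty ids so the Graph request is as small as possible.
        object_ids = list({
            resource['properties']['principalId']
            for resource in resources
            if resource['properties']['principalId']
        })
        if not object_ids:
            # Nothing to resolve; skip the Graph round trip entirely.
            return resources

        object_params = GetObjectsParameters(
            include_directory_object_references=True, object_ids=object_ids)

        try:
            # The paged result is fetched lazily, so keep both the call and the
            # iteration inside the guard: an authorization failure can surface
            # at either point.
            aad_objects = graph_client.objects.get_objects_by_object_ids(
                object_params)
            principal_dics = {
                aad_object.object_id: aad_object
                for aad_object in aad_objects
            }
        except CloudError:
            # Best effort: without Graph read permission the resources are
            # returned unannotated rather than failing the caller.
            log.warning(
                'Credentials not authorized for access to read from Microsoft Graph. \n '
                'Can not query on principalName, displayName, or aadType. \n')
            return resources

        for resource in resources:
            # .get(): a resource whose principal Graph did not return (empty id,
            # or an id with no directory object) is left untouched instead of
            # raising KeyError.
            graph_resource = principal_dics.get(
                resource['properties']['principalId'])
            if graph_resource is None:
                continue
            resource['principalName'] = self.get_principal_name(graph_resource)
            resource['displayName'] = graph_resource.display_name
            resource['aadType'] = graph_resource.object_type

        return resources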
def _get_object_stubs(graph_client, assignees):
    """Resolve *assignees* (object ids) to directory-object stubs via Azure AD Graph.

    The ids are sent in chunks of 1000 per request (presumably the service's
    per-call limit) and the partial results are concatenated.

    :param graph_client: an Azure AD Graph RBAC management client.
    :param assignees: iterable of object-id strings; a set is accepted.
    :return: list of the directory objects Graph returned, in request order.
    """
    from azure.graphrbac.models import GetObjectsParameters
    batch_size = 1000
    ids = list(assignees)  # slicing below needs a sequence, not a set
    stubs = []
    for start in range(0, len(ids), batch_size):
        chunk = ids[start:start + batch_size]
        request = GetObjectsParameters(include_directory_object_references=True,
                                       object_ids=chunk)
        stubs.extend(graph_client.objects.get_objects_by_object_ids(request))
    return stubs
def _look_up_spring_cloud_rp(cmd, objectIds, subscription_id=None):
    """Find the Azure Spring Cloud resource-provider principal among *objectIds*.

    Ids are resolved through Azure AD Graph in chunks of 1000; the first
    directory object whose ``app_id`` equals the fixed RP application id
    is returned.

    :param cmd: CLI command context; ``cmd.cli_ctx`` is used to build the client.
    :param objectIds: sequence of object-id strings (falsy means nothing to do).
    :param subscription_id: optional subscription passed to the client factory.
    :return: the matching directory object, or ``None`` when none matches.
    """
    if not objectIds:
        return None
    spring_cloud_rp_app_id = 'e8de9221-a19c-4c81-b814-fd37c6caf9d2'
    chunk_size = 1000
    graph_client = _get_graph_rbac_management_client(cmd.cli_ctx, subscription_id=subscription_id)
    from azure.graphrbac.models import GetObjectsParameters
    for start in range(0, len(objectIds), chunk_size):
        request = GetObjectsParameters(include_directory_object_references=True,
                                       object_ids=objectIds[start:start + chunk_size])
        # Materialise the whole page set before scanning it.
        resolved = list(graph_client.objects.get_objects_by_object_ids(request))
        for directory_object in resolved:
            if directory_object.app_id and directory_object.app_id == spring_cloud_rp_app_id:
                return directory_object
    return None
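    def get_principal_dictionary(graph_client, object_ids):
        """Map each of *object_ids* to its Azure AD directory object.

        Every requested id gets an entry: ids that Graph does not return
        (or all of them, when the call fails) keep an empty ``AADObject()``
        placeholder, so callers can read attributes without key checks.

        :param graph_client: an Azure AD Graph RBAC management client.
        :param object_ids: sequence of object-id strings.
        :return: dict ``{object_id: aad_object}``; empty when no ids were given.
        """
        if not object_ids:
            # Nothing to resolve; avoid an empty Graph request.
            return {}

        principal_dics = {object_id: AADObject() for object_id in object_ids}

        object_params = GetObjectsParameters(
            include_directory_object_references=True, object_ids=object_ids)

        try:
            # The paged result is fetched lazily; keep the call as well as the
            # iteration inside the guard so a failure at either point is handled.
            aad_objects = graph_client.objects.get_objects_by_object_ids(
                object_params)
            for aad_object in aad_objects:
                principal_dics[aad_object.object_id] = aad_object
        except CloudError:
            # Best effort: missing Graph read permission degrades to the
            # placeholder objects rather than failing the caller.
            GraphHelper.log.warning(
                'Credentials not authorized for access to read from Microsoft Graph. \n '
                'Can not query on principalName, displayName, or aadType. \n')

        return principal_dics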
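def _get_object_id(assignee):
    """Resolve *assignee* to an Azure AD object id.

    The lookup is tried in order: as a user principal name (when the value
    contains ``@``), then as a service principal name, and finally as a
    literal object id that is verified through Graph.

    :param assignee: user principal name, service principal name, or object id.
    :return: the object id of the first match.
    :raises CLIError: when no directory object matches.
    """
    client = _graph_client_factory()
    # OData string literals are single-quoted and a literal quote is written
    # as two quotes; escaping here keeps a quote inside the user-supplied
    # value from terminating the filter expression early.
    quoted = assignee.replace("'", "''")
    result = None
    if '@' in assignee:  # looks like a user principal name
        result = list(client.users.list(
            filter="userPrincipalName eq '{}'".format(quoted)))
    if not result:
        result = list(client.service_principals.list(
            filter="servicePrincipalNames/any(c:c eq '{}')".format(quoted)))
    if not result:  # assume an object id, let us verify it
        from azure.graphrbac.models import GetObjectsParameters
        result = list(client.objects.get_objects_by_object_ids(
            GetObjectsParameters(include_directory_object_references=True,
                                 object_ids=[assignee])))

    # 2+ matches should never happen, so we only check 'no match' here
    if not result:
        raise CLIError("No matches in graph database for '{}'".format(assignee))

    return result[0].object_id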
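    def get_principal_dictionary(graph_client,
                                 object_ids,
                                 raise_on_graph_call_error=False):
        """Retrieves Azure AD Objects for corresponding object ids passed.
        :param graph_client: A client for Microsoft Graph.
        :param object_ids: The object ids to retrieve Azure AD objects for.
        :param raise_on_graph_call_error: A boolean indicating whether an error should be
        raised if the underlying Microsoft Graph call fails.
        :return: A dictionary keyed by object id with the Azure AD object as the value.
        Note: empty Azure AD objects could be returned if not found in the graph.
        """
        if not object_ids:
            return {}

        object_params = GetObjectsParameters(
            include_directory_object_references=True, object_ids=object_ids)

        # Pre-seed every requested id so lookups never miss; ids Graph does
        # not return keep the empty placeholder.
        principal_dics = {
            object_id: DirectoryObject()
            for object_id in object_ids
        }

        try:
            # Both the call and the lazily paged iteration can raise
            # CloudError; keeping the call inside the guard means a failure
            # on the request itself also goes through the logging and the
            # raise_on_graph_call_error handling below.
            aad_objects = graph_client.objects.get_objects_by_object_ids(
                object_params)
            for aad_object in aad_objects:
                principal_dics[aad_object.object_id] = aad_object

        except CloudError as e:
            if e.status_code in (401, 403):
                # Missing Graph read permission is expected under
                # least-privilege credentials, so it is only a warning.
                GraphHelper.log.warning(
                    'Credentials not authorized for access to read from Microsoft Graph. \n '
                    'Can not query on principalName, displayName, or aadType. \n'
                )
            else:
                GraphHelper.log.error(
                    'Exception in call to Microsoft Graph. \n '
                    'Can not query on principalName, displayName, or aadType. \n'
                    'Error: {0}'.format(e))

            if raise_on_graph_call_error:
                raise

        return principal_dics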
def _get_object_stubs(graph_client, assignees):
    """Fetch directory-object stubs for *assignees* in a single Azure AD Graph call.

    No batching is done here: the ids are passed through to the request as given.

    :param graph_client: an Azure AD Graph RBAC management client.
    :param assignees: object ids to resolve.
    :return: list of the directory objects Graph returned.
    """
    from azure.graphrbac.models import GetObjectsParameters
    request = GetObjectsParameters(
        include_directory_object_references=True,
        object_ids=assignees,
    )
    objects_api = graph_client.objects
    return list(objects_api.get_objects_by_object_ids(request))
def _get_object_stubs(graph_client, assignees):
    """Fetch directory-object stubs for *assignees* in a single Azure AD Graph call.

    No batching is done here: the ids are passed through to the request as given.

    :param graph_client: an Azure AD Graph RBAC management client.
    :param assignees: object ids to resolve.
    :return: list of the directory objects Graph returned.
    """
    request = GetObjectsParameters(
        include_directory_object_references=True,
        object_ids=assignees,
    )
    objects_api = graph_client.objects
    return list(objects_api.get_objects_by_object_ids(request))