def reset_sp_credentials_for_mediaservice(cmd, client, account_name, resource_group_name, sp_name=None,
                                          role='Contributor', sp_password=None, xml=False, years=None):
    """Rotate the password credential of the service principal bound to a Media Services account.

    Resolves the principal name for the account, writes a new password credential on the
    backing AAD application, (re-)assigns *role* at the account's scope and returns the
    connection details built by ``_build_sp_result``.

    :param cmd: CLI command context; ``cmd.cli_ctx`` supplies the graph client and cloud endpoints.
    :param client: Media Services account client; ``client.get`` fetches the account.
    :param account_name: Media Services account name.
    :param resource_group_name: resource group that holds the account.
    :param sp_name: service principal name, normalised by ``_create_sp_name`` (presumably derived
        from *account_name* when None — confirm in the helper).
    :param role: RBAC role assigned to the principal at the account resource scope ('Contributor' by default).
    :param sp_password: new password, normalised by ``_create_sp_password`` (presumably generated when None).
    :param xml: forwarded to ``_build_sp_result``; presumably selects XML output.
    :param years: credential validity, forwarded to ``_update_password_credentials``.
    :return: the value of ``_build_sp_result``; it carries *sp_password* in the clear, so the
        output is a secret and should be handled as one.
    :raises CLIError: when no service principal matching the resolved name exists.
    """
    media_service = client.get(resource_group_name, account_name)
    graph_client = _graph_client_factory(cmd.cli_ctx)
    sp_name = _create_sp_name(account_name, sp_name)
    sp_password = _create_sp_password(sp_password)
    display_name = sp_name.replace('http://', '')

    principal = _get_service_principal(graph_client, sp_name)
    if not principal:
        raise CLIError("Can't find a service principal matching '{}'".format(display_name))

    tenant_id = graph_client.config.tenant_id
    principal_oid = principal.object_id
    app_id = principal.app_id
    # The password credential lives on the application object, not on the principal.
    app_object_id = _get_application_object_id(graph_client.applications, app_id)
    _update_password_credentials(graph_client, app_object_id, sp_password, years)
    _assign_role(cmd, role, principal_oid, media_service.id)

    endpoints = cmd.cli_ctx.cloud.endpoints
    return _build_sp_result(client.config.subscription_id, media_service.location, resource_group_name,
                            account_name, tenant_id, app_id, sp_password, endpoints.management,
                            endpoints.active_directory, endpoints.resource_manager, xml)
def create_assign_sp_to_mediaservice(cmd, client, account_name, resource_group_name, sp_name=None,
                                     role='Contributor', sp_password=None, xml=False, years=None):
    """Create an AAD application and service principal for a Media Services account and grant it a role.

    Refuses to run when a principal with the resolved name already exists
    (``reset_sp_credentials_for_mediaservice`` covers that case).

    :param cmd: CLI command context; ``cmd.cli_ctx`` supplies the graph client and cloud endpoints.
    :param client: Media Services account client; ``client.get`` fetches the account.
    :param account_name: Media Services account name.
    :param resource_group_name: resource group that holds the account.
    :param sp_name: service principal name, normalised by ``_create_sp_name`` (presumably derived
        from *account_name* when None — confirm in the helper).
    :param role: RBAC role assigned to the new principal at the account resource scope ('Contributor' by default).
    :param sp_password: application password, normalised by ``_create_sp_password`` (presumably generated when None).
    :param xml: forwarded to ``_build_sp_result``; presumably selects XML output.
    :param years: credential validity, forwarded to ``create_application``.
    :return: the value of ``_build_sp_result``; it carries *sp_password* in the clear, so the
        output is a secret and should be handled as one.
    :raises CLIError: when a service principal with the resolved name already exists.
    """
    media_service = client.get(resource_group_name, account_name)
    graph_client = _graph_client_factory(cmd.cli_ctx)
    sp_name = _create_sp_name(account_name, sp_name)
    sp_password = _create_sp_password(sp_password)
    display_name = sp_name.replace('http://', '')

    existing = _get_service_principal(graph_client, sp_name)
    if existing:
        raise CLIError("Service principal '{}' already exists.".format(display_name))

    # Single-tenant application; the identifier URI doubles as the principal name.
    application = create_application(
        graph_client.applications,
        display_name=display_name,
        homepage=sp_name,
        years=years,
        password=sp_password,
        identifier_uris=[sp_name],
        available_to_other_tenants=False,
    )
    app_id = application.app_id
    tenant_id = graph_client.config.tenant_id
    principal_oid = _create_service_principal(graph_client, name=sp_name, app_id=app_id)
    _assign_role(cmd, role, principal_oid, media_service.id)

    endpoints = cmd.cli_ctx.cloud.endpoints
    return _build_sp_result(client.config.subscription_id, media_service.location, resource_group_name,
                            account_name, tenant_id, app_id, sp_password, endpoints.management,
                            endpoints.active_directory, endpoints.resource_manager, xml)
def create_or_update_assign_sp_to_mediaservice(cmd, client, account_name, resource_group_name, sp_name=None,
                                               new_sp_name=None, role='Contributor', sp_password=None,
                                               xml=False, years=None):
    """Create a service principal for a Media Services account, or update it when one already exists.

    When a principal with the resolved name exists the call is delegated to ``_update_sp``;
    otherwise an AAD application and principal are created and *role* is assigned at the
    account resource scope.

    :param cmd: CLI command context; ``cmd.cli_ctx`` supplies the graph client, the login
        profile and the cloud endpoints.
    :param client: Media Services account client; ``client.get`` fetches the account.
    :param account_name: Media Services account name.
    :param resource_group_name: resource group that holds the account.
    :param sp_name: service principal name, normalised by ``_create_sp_name`` (presumably derived
        from *account_name* when None — confirm in the helper).
    :param new_sp_name: only used on the update path, forwarded to ``_update_sp``.
    :param role: RBAC role assigned at the account resource scope ('Contributor' by default).
    :param sp_password: application password. On the create path it is normalised by
        ``_create_sp_password`` (presumably generated when None); on the update path it is
        forwarded to ``_update_sp`` as given.
    :param xml: forwarded to ``_build_sp_result`` / ``_update_sp``; presumably selects XML output.
    :param years: credential validity, forwarded to ``create_application`` / ``_update_sp``.
    :return: the value of ``_build_sp_result`` (or of ``_update_sp``); the create-path result
        carries *sp_password* in the clear, so the output is a secret and should be handled as one.
    """
    media_service = client.get(resource_group_name, account_name)
    subscription_id = get_subscription_id(cmd.cli_ctx)
    graph_client = _graph_client_factory(cmd.cli_ctx)
    sp_name = _create_sp_name(account_name, sp_name)
    display_name = sp_name.replace('http://', '')

    existing = _get_service_principal(graph_client, sp_name)
    if existing:
        # Update path: the password is handed over un-normalised (no _create_sp_password call here).
        return _update_sp(cmd, graph_client, existing, media_service, account_name, resource_group_name,
                          display_name, new_sp_name, role, years, sp_password, xml)

    sp_password = _create_sp_password(sp_password)
    # Single-tenant application; the identifier URI doubles as the principal name.
    application = create_application(
        graph_client.applications,
        display_name=display_name,
        homepage=sp_name,
        years=years,
        password=sp_password,
        identifier_uris=[sp_name],
        available_to_other_tenants=False,
    )
    app_id = application.app_id

    # Tenant id comes from the signed-in credentials for the graph resource here, unlike the
    # sibling functions that read graph_client.config.tenant_id.
    profile = Profile(cli_ctx=cmd.cli_ctx)
    _, _, tenant_id = profile.get_login_credentials(
        resource=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id)
    principal_oid = _create_service_principal(graph_client, name=sp_name, app_id=app_id)
    _assign_role(cmd, role, principal_oid, media_service.id)

    # NOTE(review): this call passes display_name and role in addition to the arguments the
    # other _build_sp_result callers in this file pass — confirm against the helper's signature.
    endpoints = cmd.cli_ctx.cloud.endpoints
    return _build_sp_result(subscription_id, media_service.location, resource_group_name, account_name,
                            tenant_id, app_id, display_name, sp_password, endpoints.management,
                            endpoints.active_directory, endpoints.resource_manager, role, xml)
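def list_role_assignments(cmd, assignee_object_id, scope=None):
    """List role assignments held by *assignee_object_id*, with role and principal names filled in.

    The original docstring documented an ``include_groups`` parameter that this function does
    not take; the description below reflects the actual signature.

    :param cmd: CLI command context; ``cmd.cli_ctx`` is used to build the graph and
        authorization clients and to resolve the current subscription.
    :param assignee_object_id: object id of the principal whose assignments are listed.
    :param scope: scope under which role definitions are looked up; defaults to the current
        subscription (``/subscriptions/<id>``).
    :return: list of assignment dicts (``todict`` form). ``roleDefinitionName`` is added when the
        definition is found; ``principalName`` is added (``''`` when unresolved) when the graph
        lookup succeeds. Empty list when there are no assignments.
    """
    graph_client = _graph_client_factory(cmd.cli_ctx)
    factory = _auth_client_factory(cmd.cli_ctx)
    assignments_client = factory.role_assignments
    definitions_client = factory.role_definitions

    assignments = _search_role_assignments(assignments_client, assignee_object_id)
    subscription_id = get_subscription_id(cmd.cli_ctx)
    results = todict(assignments) if assignments else []
    if not results:
        return []

    # Fill in human-readable names. Roles and principals may have been deleted since the
    # assignment was created; in that case the corresponding name is simply left unset.
    definition_scope = scope if scope else '/subscriptions/' + subscription_id
    role_names = {d.id: d.role_name for d in definitions_client.list(scope=definition_scope)}
    for assignment in results:
        role_name = role_names.get(assignment['roleDefinitionId'])
        if role_name:
            assignment['roleDefinitionName'] = role_name

    principal_ids = {a['principalId'] for a in results if a['principalId']}
    if principal_ids:
        try:
            principals = _get_object_stubs(graph_client, principal_ids)
            principal_names = {p.object_id: _get_displayable_name(p) for p in principals}
            for assignment in results:
                if assignment.get('principalName'):
                    continue
                assignment['principalName'] = principal_names.get(assignment['principalId']) or ''
        except (HttpResponseError, GraphErrorException) as ex:
            # Best effort: lacking graph permissions must not fail the listing itself, so the
            # assignments are returned without principal names and the cause is logged at info.
            logger.info("Failed to resolve graph object information per error '%s'", ex)
    return results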
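def list_role_assignments(cmd, assignee_object_id, scope=None):
    """List role assignments held by *assignee_object_id*, with role and principal names filled in.

    The original docstring documented an ``include_groups`` parameter that this function does
    not take; the description below reflects the actual signature.

    NOTE(review): another ``list_role_assignments`` definition appears in this file (the variant
    using ``get_subscription_id`` and ``HttpResponseError``); if both live in one module the
    later definition shadows the earlier one — confirm which is intended.

    :param cmd: CLI command context; ``cmd.cli_ctx`` is used to build the graph and
        authorization clients.
    :param assignee_object_id: object id of the principal whose assignments are listed.
    :param scope: scope under which role definitions are looked up; defaults to the subscription
        configured on the role-definitions client (``/subscriptions/<id>``).
    :return: list of assignment dicts (``todict`` form). ``roleDefinitionName`` is added when the
        definition is found; ``principalName`` is added (``''`` when unresolved) when the graph
        lookup succeeds. Empty list when there are no assignments.
    """
    graph_client = _graph_client_factory(cmd.cli_ctx)
    factory = _auth_client_factory(cmd.cli_ctx)
    assignments_client = factory.role_assignments
    definitions_client = factory.role_definitions

    assignments = _search_role_assignments(assignments_client, assignee_object_id)
    results = todict(assignments) if assignments else []
    if not results:
        return []

    # Fill in human-readable names. Roles and principals may have been deleted since the
    # assignment was created; in that case the corresponding name is simply left unset.
    definition_scope = scope if scope else '/subscriptions/' + definitions_client.config.subscription_id
    role_names = {d.id: d.role_name for d in definitions_client.list(scope=definition_scope)}
    for assignment in results:
        role_name = role_names.get(assignment['roleDefinitionId'])
        if role_name:
            assignment['roleDefinitionName'] = role_name

    principal_ids = {a['principalId'] for a in results if a['principalId']}
    if principal_ids:
        try:
            principals = _get_object_stubs(graph_client, principal_ids)
            principal_names = {p.object_id: _get_displayable_name(p) for p in principals}
            for assignment in results:
                if assignment.get('principalName'):
                    continue
                assignment['principalName'] = principal_names.get(assignment['principalId']) or ''
        except (CloudError, GraphErrorException) as ex:
            # Best effort: lacking graph permissions must not fail the listing itself, so the
            # assignments are returned without principal names and the cause is logged at info.
            logger.info("Failed to resolve graph object information per error '%s'", ex)
    return results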