WIP: create_user_role

This commit is contained in:
dandds 2020-02-05 09:20:22 -05:00
parent b754f1384f
commit cdf6a469ed
2 changed files with 62 additions and 0 deletions

View File

@ -50,6 +50,8 @@ from .models import (
TenantPrincipalOwnershipCSPResult,
UserCSPPayload,
UserCSPResult,
UserRoleCSPPayload,
UserRoleCSPResult,
)
from .policy import AzurePolicyManager
@ -932,6 +934,49 @@ class AzureCloudProvider(CloudProviderInterface):
f"Failed update user email: {response.json()}"
)
def create_user_role(self, payload: UserRoleCSPPayload):
# creds TBD
graph_token = ""
# graph_token = self._get_up_token_for_resource(
# username,
# password,
# payload.tenant_id,
# self.sdk.cloud.endpoints.resource_manager
# )
# graph_token = self._get_tenant_principal_token(
# payload.tenant_id
# )
if graph_token is None:
raise AuthenticationException(
"Could not resolve graph token for tenant admin"
)
role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.management_group_id}/providers/Microsoft.Authorization/roleDefinitions/{self.roles[payload.role]}"
request_body = {
"properties": {
"roleDefinitionId": role_definition_id,
"principalId": payload.user_object_id,
}
}
auth_header = {
"Authorization": f"Bearer {graph_token}",
}
assignment_guid = str(uuid4())
url = f"{self.sdk.cloud.endpoints.resource_manager}/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleAssignments/{assignment_guid}?api-version=2015-07-01"
response = self.sdk.requests.post(url, headers=auth_header, json=request_body)
if response.ok:
return UserRoleCSPResult(**response.json())
else:
raise UserProvisioningException(
f"Failed to create user role assignment: {response.json()}"
)
def _extract_subscription_id(self, subscription_url):
sub_id_match = SUBSCRIPTION_ID_REGEX.match(subscription_url)

View File

@ -1,3 +1,4 @@
from enum import Enum
from secrets import token_urlsafe
from typing import Dict, List, Optional
from uuid import uuid4
@ -499,3 +500,19 @@ class UserCSPPayload(BaseCSPPayload):
class UserCSPResult(AliasModel):
id: str
class UserRoles(str, Enum):
owner = "owner"
contributor = "contributor"
billing = "billing"
class UserRoleCSPPayload(BaseCSPPayload):
management_group_id: str
role: UserRoles
user_object_id: str
class UserRoleCSPResult(AliasModel):
id: str