8 changes: 5 additions & 3 deletions src/azure-cli/azure/cli/command_modules/keyvault/_params.py
Expand Up @@ -221,11 +221,13 @@ class CLISecurityDomainOperation(str, Enum):
c.argument('hsm_name', deleted_hsm_name_type)
c.argument('location', help='Location of the deleted Vault or HSM', required=False)

with self.argument_context('keyvault delete-policy') as c:
c.argument('object_id', validator=validate_principal)
for item in ['set-policy', 'delete-policy']:
with self.argument_context('keyvault {}'.format(item)) as c:
c.argument('object_id', validator=validate_principal)
c.argument('application_id', help='Application ID of the client making request on behalf of a principal. '
'Exposed for compound identity using on-behalf-of authentication flow.')

with self.argument_context('keyvault set-policy', arg_group='Permission') as c:
c.argument('object_id', validator=validate_principal)
c.argument('key_permissions', arg_type=get_enum_type(KeyPermissions), metavar='PERM', nargs='*',
help='Space-separated list of key permissions to assign.', validator=validate_policy_permissions)
c.argument('secret_permissions', arg_type=get_enum_type(SecretPermissions), metavar='PERM', nargs='*',
Expand Down
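Review bot: The help text added for `application_id` (lines with `c.argument('application_id', help=...)`) does not tell the operator that access policies are matched on the (object_id, application_id, tenant_id) triple, so a policy written with `--application-id` is a separate entry from the principal's own policy and is not found or removed by a later call that omits the flag; that is the behaviour the new matching code in custom.py implements. I would extend the help to something like `'Application ID of the client making request on behalf of a principal. Exposed for compound identity using on-behalf-of authentication flow. When given, the policy is matched as a separate (principal, application) entry; omitting it selects only the entry without an application ID.'` so that revocation with `delete-policy` is not mistakenly assumed to cover the compound entry. There is also no validator on `application_id`; if the module already has a GUID-format check for object IDs, it would be worth applying it here too, since a malformed value is otherwise only rejected by the service, if at all — I cannot see from this hunk whether such a validator exists.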
10 changes: 7 additions & 3 deletions src/azure-cli/azure/cli/command_modules/keyvault/custom.py
Expand Up @@ -885,7 +885,7 @@ def _permissions_distinct(permissions):


def set_policy(cmd, client, resource_group_name, vault_name,
object_id=None, spn=None, upn=None, key_permissions=None, secret_permissions=None,
object_id=None, application_id=None, spn=None, upn=None, key_permissions=None, secret_permissions=None,
certificate_permissions=None, storage_permissions=None, no_wait=False):
""" Update security policy settings for a Key Vault. """

Expand Down Expand Up @@ -913,12 +913,14 @@ def set_policy(cmd, client, resource_group_name, vault_name,
# Find the existing policy to set
policy = next((p for p in vault.properties.access_policies
if object_id.lower() == p.object_id.lower() and
(application_id or '').lower() == (p.application_id or '').lower() and
vault.properties.tenant_id.lower() == p.tenant_id.lower()), None)
if not policy:
# Add new policy as none found
vault.properties.access_policies.append(AccessPolicyEntry(
tenant_id=vault.properties.tenant_id,
object_id=object_id,
application_id=application_id,
permissions=Permissions(keys=key_permissions,
secrets=secret_permissions,
certificates=certificate_permissions,
Expand Down Expand Up @@ -1043,7 +1045,8 @@ def list_network_rules(cmd, client, resource_group_name, vault_name): # pylint:
return vault.properties.network_acls


def delete_policy(cmd, client, resource_group_name, vault_name, object_id=None, spn=None, upn=None, no_wait=False):
def delete_policy(cmd, client, resource_group_name, vault_name,
object_id=None, application_id=None, spn=None, upn=None, no_wait=False):
""" Delete security policy settings for a Key Vault. """
VaultCreateOrUpdateParameters = cmd.get_models('VaultCreateOrUpdateParameters',
resource_type=ResourceType.MGMT_KEYVAULT)
Expand All @@ -1062,7 +1065,8 @@ def delete_policy(cmd, client, resource_group_name, vault_name, object_id=None,
prev_policies_len = len(vault.properties.access_policies)
vault.properties.access_policies = [p for p in vault.properties.access_policies if
vault.properties.tenant_id.lower() != p.tenant_id.lower() or
object_id.lower() != p.object_id.lower()]
object_id.lower() != p.object_id.lower() or
(application_id or '').lower() != (p.application_id or '').lower()]
if len(vault.properties.access_policies) == prev_policies_len:
raise CLIError('No matching policies found')

Expand Down
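Review bot: The new filter in `delete_policy` (the list comprehension ending in `(application_id or '').lower() != (p.application_id or '').lower()`) changes revocation semantics: a call without `--application-id` now removes only the entry whose application_id is empty, and any compound-identity entries for the same object_id remain in `vault.properties.access_policies`, whereas before this change every entry for that object_id was dropped. An operator running `delete-policy --object-id X` to cut off a principal will get a silent partial revocation when both a plain and a compound entry exist; only when no plain entry exists does the existing `'No matching policies found'` error surface the problem. At minimum the docstring should say so, e.g. `""" Delete the access policy matching object_id and, if given, application_id; compound-identity entries are left in place unless --application-id is supplied. """`, and the help text in _params.py should carry the same warning. If the intent is that omitting the flag means "all entries for this principal", the comparison would instead need `application_id is not None and application_id.lower() != (p.application_id or '').lower()`, which is a product decision I cannot settle from the diff. `delete_policy` starts in the preceding hunk, so its body is split across hunks here.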