Skip to content

Commit

Permalink
Sync eng/common directory with azure-sdk-tools for PR 7584 (Azure#34018)
Browse files Browse the repository at this point in the history
* Fix role assignment for user auth

* PR fb

* Apply suggestions from code review

Co-authored-by: Heath Stewart <[email protected]>

---------

Co-authored-by: jolov <[email protected]>
Co-authored-by: JoshLove-msft <[email protected]>
Co-authored-by: Heath Stewart <[email protected]>
  • Loading branch information
4 people authored and sofiar-msft committed Feb 16, 2024
1 parent 54bf4c5 commit d65617a
Showing 1 changed file with 18 additions and 15 deletions.
33 changes: 18 additions & 15 deletions eng/common/TestResources/New-TestResources.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -619,9 +619,11 @@ try {
Write-Warning "The specified TestApplicationId '$TestApplicationId' will be ignored when UserAuth is set."
}

$TestApplicationOid = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account).Id
$userAccount = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account)
$TestApplicationOid = $userAccount.Id
$TestApplicationId = $testApplicationOid
Log "User-based app id '$TestApplicationId' will be used."
$userAccountName = $userAccount.UserPrincipalName
Log "User authentication with user '$userAccountName' ('$TestApplicationId') will be used."
}
# If no test application ID was specified during an interactive session, create a new service principal.
elseif (!$CI -and !$TestApplicationId) {
Expand Down Expand Up @@ -686,11 +688,11 @@ try {
$PSBoundParameters['TestApplicationOid'] = $TestApplicationOid
$PSBoundParameters['TestApplicationSecret'] = $TestApplicationSecret

# If the role hasn't been explicitly assigned to the resource group and a cached service principal is in use,
# If the role hasn't been explicitly assigned to the resource group and a cached service principal or user authentication is in use,
# query to see if the grant is needed.
if (!$resourceGroupRoleAssigned -and $AzureTestPrincipal) {
if (!$resourceGroupRoleAssigned -and $TestApplicationOid) {
$roleAssignment = Get-AzRoleAssignment `
-ObjectId $AzureTestPrincipal.Id `
-ObjectId $TestApplicationOid `
-RoleDefinitionName 'Owner' `
-ResourceGroupName "$ResourceGroupName" `
-ErrorAction SilentlyContinue
Expand All @@ -702,19 +704,20 @@ try {
# considered a critical failure, as the test application may have subscription-level permissions and not require
# the explicit grant.
if (!$resourceGroupRoleAssigned) {
Log "Attempting to assigning the 'Owner' role for '$ResourceGroupName' to the Test Application '$TestApplicationId'"
$principalOwnerAssignment = New-AzRoleAssignment `
-RoleDefinitionName "Owner" `
-ApplicationId "$TestApplicationId" `
-ResourceGroupName "$ResourceGroupName" `
-ErrorAction SilentlyContinue

if ($principalOwnerAssignment.RoleDefinitionName -eq 'Owner') {
Write-Verbose "Successfully assigned ownership of '$ResourceGroupName' to the Test Application '$TestApplicationId'"
$idSlug = if ($userAuth) { "User '$userAccountName' ('$TestApplicationId')"} else { "Test Application '$TestApplicationId'"};
Log "Attempting to assign the 'Owner' role for '$ResourceGroupName' to the $idSlug"
$ownerAssignment = New-AzRoleAssignment `
-RoleDefinitionName "Owner" `
-ObjectId "$TestApplicationOId" `
-ResourceGroupName "$ResourceGroupName" `
-ErrorAction SilentlyContinue

if ($ownerAssignment.RoleDefinitionName -eq 'Owner') {
Write-Verbose "Successfully assigned ownership of '$ResourceGroupName' to the $idSlug"
} else {
Write-Warning ("The 'Owner' role for '$ResourceGroupName' could not be assigned. " +
"You may need to manually grant 'Owner' for the resource group to the " +
"Test Application '$TestApplicationId' if it does not have subscription-level permissions.")
"$idSlug if it does not have subscription-level permissions.")
}
}

Expand Down

0 comments on commit d65617a

Please sign in to comment.