Framework/Core/SubscriptionSecurity/RBAC.ps1
|
using namespace Microsoft.Azure.Commands.Resources.Models.Authorization using namespace System.Management.Automation Set-StrictMode -Version Latest # Class to implement Subscription RBAC controls class RBAC: AzCommandBase { hidden [SubscriptionRBAC] $Policy = $null; hidden [PSRoleAssignment[]] $RoleAssignments = $null; hidden [ActiveRBACAccount[]] $ApplicableActiveAccounts = $null; hidden [ActiveRBACAccount[]] $MissingActiveAccounts = $null; hidden [RBACAccountRoleMapping[]] $MatchedActiveAccounts = $null; hidden [RBACAccountRoleMapping[]] $MatchedDeprecatedAccounts = $null; RBAC([string] $subscriptionId, [InvocationInfo] $invocationContext, [string] $tags): Base($subscriptionId, $invocationContext) { $this.Policy = [SubscriptionRBAC] $this.LoadServerConfigFile("Subscription.RBAC.json"); $this.FilterTags = $this.ConvertToStringArray($tags); } hidden [PSRoleAssignment[]] GetRoleAssignments() { if(-not $this.RoleAssignments) { $this.RoleAssignments = [RoleAssignmentHelper]::GetAzSKRoleAssignment($true, $true); #filter deleted user/group/spn assignments $deletedUserAssignments = $this.RoleAssignments | Where-Object{ [string]::IsNullOrWhiteSpace($_.DisplayName) -and [string]::IsNullOrWhiteSpace($_.SignInName) -and $_.ObjectType -eq 'Unknown'} if(($deletedUserAssignments | Measure-Object).Count -gt 0) { $this.RoleAssignments = $this.RoleAssignments | Where-Object{ $deletedUserAssignments.RoleAssignmentId -inotcontains $_.RoleAssignmentId } } } return $this.RoleAssignments; } hidden [ActiveRBACAccount[]] GetApplicableActiveAccounts() { if($null -eq $this.ApplicableActiveAccounts) { $this.ApplicableActiveAccounts = @(); $subscriptionId = $this.SubscriptionContext.SubscriptionId; if(($this.FilterTags | Measure-Object).Count -ne 0) { $this.Policy.ValidActiveAccounts | ForEach-Object { $currentItem = $_; if(($currentItem.Tags | Where-Object { $this.FilterTags -Contains $_ } | Measure-Object).Count -ne 0) { # Resolve the value of SubscriptionId $currentItem.Scope = $global:ExecutionContext.InvokeCommand.ExpandString($currentItem.Scope); if([string]::IsNullOrWhiteSpace($currentItem.Scope)) { $currentItem.Scope = "/subscriptions/$subscriptionId" } $this.ApplicableActiveAccounts += $currentItem; } } } } return $this.ApplicableActiveAccounts; } hidden [void] LoadActiveAccountStatus() { $this.MissingActiveAccounts = @(); $this.MatchedActiveAccounts = @(); $this.GetApplicableActiveAccounts() | Where-Object { $_.Enabled } | ForEach-Object { $currentItem = $_; $matchedAccount = $this.GetRoleAssignments() | Where-Object { ($_.ObjectId -eq $currentItem.ObjectId) -and ($_.Scope -eq $currentItem.Scope) -and ($_.RoleDefinitionName -eq $currentItem.RoleDefinitionName) } | Select-Object -First 1 if($matchedAccount) { $this.MatchedActiveAccounts += [RBACAccountRoleMapping]@{ RoleAssignment = $matchedAccount; RBACAccount = $currentItem; }; } else { $this.MissingActiveAccounts += $currentItem; } }; } hidden [void] LoadDeprecatedAccountStatus() { $this.MatchedDeprecatedAccounts = @(); $this.Policy.DeprecatedAccounts | Where-Object { $_.Enabled } | ForEach-Object { $currentItem = $_; $matchedAccounts = $this.GetRoleAssignments() | Where-Object { ($_.ObjectId -eq $currentItem.ObjectId) }; if(($matchedAccounts | Measure-Object).Count -ne 0) { $matchedAccounts | ForEach-Object { $this.MatchedDeprecatedAccounts += [RBACAccountRoleMapping]@{ RoleAssignment = $_; RBACAccount = $currentItem; }; }; } }; } [MessageData[]] SetRBACAccounts() { [MessageData[]] $messages = @(); [MessageData[]] $resultMessages = @(); [CCAutomation] $caAutomation = [CCAutomation]::new($this.SubscriptionContext.SubscriptionId, $this.InvocationContext); $caAutomation.RecoverCASPN(); if($this.Force -or -not ([ResourceGroupHelper]::IsLatestVersionConfiguredOnSub($this.Policy.ActiveCentralAccountsVersion,[Constants]::CentralRBACVersionTagName,"CentralRBAC"))) { #setting the tag at AzSKRG $azskRGName = [ConfigurationManager]::GetAzSKConfigData().AzSKRGName; [ResourceGroupHelper]::SetResourceGroupTags($azskRGName,@{"CentralRBACVersion"=$this.Policy.ActiveCentralAccountsVersion},$false) #set the tag on subscription based on server tag # Set Active accounts $nonConfiguredActiveAccounts = $this.GetNonConfiguredActiveAccounts(([ref]$messages)); if($nonConfiguredActiveAccounts.Count -ne 0) { $provisionAccounts = @(); $provisionAccounts += $nonConfiguredActiveAccounts | Where-Object { $_.Type -eq [RBACAccountType]::Provision }; if($provisionAccounts.Count -ne 0) { # Adding Central Accounts $messages += [MessageData]::new([Constants]::SingleDashLine + "`r`nAdding following active accounts to the subscription. Total accounts: $($provisionAccounts.Count)", $provisionAccounts); $errorCount = 0; $currentCount = 0; $provisionAccounts | ForEach-Object { $accountName = $_.Name; $currentCount += 1; # Add account try { $this.PublishCustomMessage("Adding account [$accountName] to the subscription..."); New-AzRoleAssignment -ObjectId $_.ObjectId -Scope $_.Scope -RoleDefinitionName $_.RoleDefinitionName -ErrorAction Stop | Out-Null } catch { $messages += [MessageData]::new("Error while adding account [$accountName] to the subscription", $_, [MessageType]::Error); $errorCount += 1; } $this.CommandProgress($provisionAccounts.Count, $currentCount, 5); }; if($errorCount -eq 0) { $resultMessages += [MessageData]::new("All required active accounts have been added to the subscription successfully.`r`n" + [Constants]::SingleDashLine, [MessageType]::Update); } elseif($errorCount -eq $provisionAccounts.Count) { $resultMessages += [MessageData]::new("No accounts have been added due an error. Please add the accounts manually. You can find the specific account details in the log file.`r`n" + [Constants]::SingleDashLine, [MessageType]::Error); } else { $resultMessages += [MessageData]::new("$errorCount/$($provisionAccounts.Count) required active account(s) have not been added to the subscription. Please add the accounts manually. You can find the specific account details in the log file.", [MessageType]::Error); $resultMessages += [MessageData]::new("$($provisionAccounts.Count - $errorCount)/$($provisionAccounts.Count) required active account(s) have been added to the subscription successfully.`r`n" + [Constants]::SingleDashLine, [MessageType]::Update); } $messages += $resultMessages; $this.PublishCustomMessage($resultMessages); } $nonProvisionAccounts = @(); $nonProvisionAccounts += $nonConfiguredActiveAccounts | Where-Object { $_.Type -ne [RBACAccountType]::Provision }; if($nonProvisionAccounts.Count -ne 0) { $messageText = "Some accounts are not added to the subscription, since the account type is not set to 'Provision' in RBAC policy file. Total accounts: $($nonProvisionAccounts.Count)"; $messages += [MessageData]::new($messageText, $nonProvisionAccounts); $this.PublishCustomMessage($messageText); } } } return $messages; } [ActiveRBACAccount[]] GetNonConfiguredActiveAccounts([ref]$messages) { if($this.Policy.ValidActiveAccounts.Count -ne 0) { if($this.GetApplicableActiveAccounts().Count -ne 0) { $startMessage = [MessageData]::new("Processing RBAC rules for adding central accounts. Tags: [$([string]::Join(",", $this.FilterTags))]. Total accounts: $($this.GetApplicableActiveAccounts().Count)"); $messages.Value += $startMessage; $this.PublishCustomMessage($startMessage); $disabledAccounts = $this.GetApplicableActiveAccounts() | Where-Object { -not $_.Enabled }; if(($disabledAccounts | Measure-Object).Count -ne 0) { $disabledMessage = "Found accounts which are disabled. Total disabled accounts: $($disabledAccounts.Count)"; $messages.Value += [MessageData]::new($disabledMessage, $disabledAccounts); $this.PublishCustomMessage($disabledMessage, [MessageType]::Warning); } # Load all properties $this.LoadActiveAccountStatus(); if($this.MatchedActiveAccounts.Count -ne 0) { $messages.Value += [MessageData]::new("Following accounts have correct RBAC configured. Total accounts: $($this.MatchedActiveAccounts.Count)", ($this.MatchedActiveAccounts | Select-Object -Property RoleAssignment)); } if($this.MissingActiveAccounts.Count -ne 0) { $missingAccountsMessage = "Following accounts do not have correct RBAC configured. Total accounts: $($this.MissingActiveAccounts.Count)"; $messages.Value += [MessageData]::new($missingAccountsMessage, $this.MissingActiveAccounts); $this.PublishCustomMessage($missingAccountsMessage); } else { $successMessage = [MessageData]::new("All required accounts are correctly configured"); $messages.Value += $successMessage; $this.PublishCustomMessage($successMessage); } return $this.MissingActiveAccounts; } else { if($this.FilterTags) { $this.PublishCustomMessage("No active accounts have been found that matches the specified tags. Tags: [$([string]::Join(",", $this.FilterTags))].", [MessageType]::Warning); } else { $this.PublishCustomMessage("No active accounts have been found that matches the specified tags.", [MessageType]::Warning); } } } else { $this.PublishCustomMessage("No active accounts found in the RBAC policy file", [MessageType]::Warning); } return @(); } [RBACAccountRoleMapping[]] GetMatchedDeprecatedAccounts([ref]$messages) { if($this.Policy.DeprecatedAccounts -and $this.Policy.DeprecatedAccounts.Count -ne 0) { #$this.PublishCustomMessage("Found deprecated accounts in the RBAC policy file"); $startMessage = [MessageData]::new("Processing RBAC rules for removing deprecated central accounts. Total accounts: $($this.Policy.DeprecatedAccounts.Count)"); $messages.Value += $startMessage; #$this.PublishCustomMessage($startMessage); $disabledAccounts = $this.Policy.DeprecatedAccounts | Where-Object { -not $_.Enabled }; if(($disabledAccounts | Measure-Object).Count -ne 0) { $disabledMessage = "Found accounts which are disabled. Total disabled accounts: $($disabledAccounts.Count)"; $messages.Value += [MessageData]::new($disabledMessage, $disabledAccounts); $this.PublishCustomMessage($disabledMessage, [MessageType]::Warning); } # Load all properties $this.LoadDeprecatedAccountStatus(); if($this.MatchedDeprecatedAccounts.Count -ne 0) { $messages.Value += [MessageData]::new("Following deprecated accounts must be removed from the subscription. Total accounts: $($this.MatchedDeprecatedAccounts.Count)", ($this.MatchedDeprecatedAccounts | Select-Object -Property RoleAssignment)); } else { $resultMessage = [MessageData]::new("No deprecated accounts found on the subscription", [MessageType]::Warning); $messages.Value += $resultMessage; $this.PublishCustomMessage($resultMessage); } return $this.MatchedDeprecatedAccounts; } else { $this.PublishCustomMessage("No deprecated accounts found in the RBAC policy file"); } return @(); } [MessageData[]] RemoveRBACAccounts() { [MessageData[]] $messages = @(); if($this.Force -or -not ([ResourceGroupHelper]::IsLatestVersionConfiguredOnSub($this.Policy.DeprecatedAccountsVersion,[Constants]::DeprecatedRBACVersionTagName,"DeprecatedRBAC"))) { #setting the tag at AzSKRG $azskRGName = [ConfigurationManager]::GetAzSKConfigData().AzSKRGName; [ResourceGroupHelper]::SetResourceGroupTags($azskRGName,@{[Constants]::DeprecatedRBACVersionTagName=$this.Policy.DeprecatedAccountsVersion}, $false) if($this.Policy.ValidActiveAccounts.Count -ne 0) { if($this.GetApplicableActiveAccounts().Count -ne 0) { $startMessage = [MessageData]::new("Processing RBAC rules for removing central accounts. Tags: [$([string]::Join(",", $this.FilterTags))]. Total accounts: $($this.GetApplicableActiveAccounts().Count)"); $messages += $startMessage; $this.PublishCustomMessage($startMessage); $disabledAccounts = $this.GetApplicableActiveAccounts() | Where-Object { -not $_.Enabled }; if(($disabledAccounts | Measure-Object).Count -ne 0) { $disabledMessage = "Found accounts which are disabled. Total disabled accounts: $($disabledAccounts.Count)"; $messages += [MessageData]::new($disabledMessage, $disabledAccounts); $this.PublishCustomMessage($disabledMessage, [MessageType]::Warning); } # Load all properties $this.LoadActiveAccountStatus(); $messages += $this.RemoveRoleAssignments($this.MatchedActiveAccounts); [ResourceGroupHelper]::SetResourceGroupTags($azskRGName,@{[Constants]::CentralRBACVersionTagName=$this.Policy.ActiveCentralAccountsVersion}, $true) } else { if($this.FilterTags) { $this.PublishCustomMessage("No active accounts have been found that matches the specified tags. Tags:[$([string]::Join(",", $this.FilterTags))].", [MessageType]::Warning); } else { $this.PublishCustomMessage("No active accounts have been found that matches the specified tags.", [MessageType]::Warning); } } } else { $this.PublishCustomMessage("No active accounts found in the RBAC policy file", [MessageType]::Warning); } # Remove deprecated accounts $depAccounts = $this.GetMatchedDeprecatedAccounts(([ref]$messages)); $messages += $this.RemoveRBACAccounts($depAccounts); } return $messages; } hidden [MessageData[]] RemoveRoleAssignments([RBACAccountRoleMapping[]] $rbacRoleMapping) { [MessageData[]] $messages = @(); if($rbacRoleMapping.Count -ne 0) { $messages += [MessageData]::new("Total matching accounts found in the subscription: $($rbacRoleMapping.Count)"); $provisionAccounts = @(); $provisionAccounts += $rbacRoleMapping | Where-Object { $_.RBACAccount.Type -eq [RBACAccountType]::Provision }; $messages += $this.RemoveRBACAccounts($provisionAccounts); $nonProvisionAccounts = @(); $nonProvisionAccounts += $rbacRoleMapping | Where-Object { $_.RBACAccount.Type -ne [RBACAccountType]::Provision }; if($nonProvisionAccounts.Count -ne 0) { $messageText = "Some accounts were not removed from the subscription, since the account type is not set to 'Provision' in RBAC policy file. Total accounts: $($nonProvisionAccounts.Count)"; $messages += [MessageData]::new($messageText, ($nonProvisionAccounts | Select-Object -Property RoleAssignment)); #$this.PublishCustomMessage($messageText); } } return $messages; } hidden [MessageData[]] RemoveRBACAccounts([RBACAccountRoleMapping[]] $rbacRoleMapping) { [MessageData[]] $messages = @(); if($rbacRoleMapping.Count -ne 0) { # Removing Central Accounts $messages += [MessageData]::new([Constants]::SingleDashLine + "`r`nRemoving following accounts from the subscription. Total accounts: $($rbacRoleMapping.Count)", ($rbacRoleMapping | Select-Object -Property RoleAssignment)); $errorCount = 0; $currentCount = 0; $rbacRoleMapping | ForEach-Object { $accountName = $_.RoleAssignment.DisplayName; $currentCount += 1; if(-not [string]::IsNullOrWhiteSpace($_.RoleAssignment.SignInName)) { $accountName += " ($($_.RoleAssignment.SignInName))"; } # Remove account try { $this.PublishCustomMessage("Removing account [$accountName] from the subscription"); Remove-AzRoleAssignment -ObjectId $_.RoleAssignment.ObjectId -Scope $_.RoleAssignment.Scope -RoleDefinitionName $_.RoleAssignment.RoleDefinitionName -ErrorAction Stop | Out-Null } catch { $messages += [MessageData]::new("Error while removing account [$accountName] from the subscription", $_, [MessageType]::Error); $errorCount += 1; } $this.CommandProgress($rbacRoleMapping.Count, $currentCount, 5); }; [MessageData[]] $resultMessages = @(); if($errorCount -eq 0) { $resultMessages += [MessageData]::new("All matched accounts have been removed from the subscription successfully`r`n" + [Constants]::SingleDashLine, [MessageType]::Update); } elseif($errorCount -eq $rbacRoleMapping.Count) { $resultMessages += [MessageData]::new("No accounts were removed due to an error. Please remove the accounts manually. You can find the specific account details in the log file.`r`n" + [Constants]::SingleDashLine, [MessageType]::Error); } else { $resultMessages += [MessageData]::new("$errorCount/$($rbacRoleMapping.Count) matched account(s) have not been removed from the subscription. Please remove the accounts manually.", [MessageType]::Error); $resultMessages += [MessageData]::new("$($rbacRoleMapping.Count - $errorCount)/$($rbacRoleMapping.Count) matched account(s) have been removed from the subscription successfully`r`n" + [Constants]::SingleDashLine, [MessageType]::Update); } $messages += $resultMessages; $this.PublishCustomMessage($resultMessages); } return $messages; } } class RBACAccountRoleMapping { hidden [PSRoleAssignment] $RoleAssignment = $null; hidden [RBACAccount] $RBACAccount = $null; } |