From ee859d5a538f8ab752fda528b424cbc48bff4ce1 Mon Sep 17 00:00:00 2001
From: Qu Xuan
Date: Wed, 20 Nov 2024 16:10:22 +0800
Subject: [PATCH] fix(azure): iam policy

---
 pkg/multicloud/azure/azure.go | 4 +-
 pkg/multicloud/azure/azure_v2.go | 19 +-
 pkg/multicloud/azure/cloudgroup.go | 21 +-
 pkg/multicloud/azure/cloudpolicy.go | 203 ------------------
 pkg/multicloud/azure/clouduser.go | 27 +--
 pkg/multicloud/azure/policy.go | 141 ------------
 pkg/multicloud/azure/role.go | 152 +++++++++++++
 pkg/multicloud/azure/shell/policy.go | 61 ------
 .../azure/shell/{cloudpolicy.go => role.go} | 32 ++-
 9 files changed, 200 insertions(+), 460 deletions(-)
 delete mode 100644 pkg/multicloud/azure/cloudpolicy.go
 delete mode 100644 pkg/multicloud/azure/policy.go
 create mode 100644 pkg/multicloud/azure/role.go
 delete mode 100644 pkg/multicloud/azure/shell/policy.go
 rename pkg/multicloud/azure/shell/{cloudpolicy.go => role.go} (62%)

diff --git a/pkg/multicloud/azure/azure.go b/pkg/multicloud/azure/azure.go
index c41c7c224..3af38e115 100644
--- a/pkg/multicloud/azure/azure.go
+++ b/pkg/multicloud/azure/azure.go
@@ -468,7 +468,7 @@ func (self *SAzureClient) _apiVersion(resource string, params url.Values) string
 } else if utils.IsInStringArray("microsoft.insights", info) {
 return "2017-03-01-preview"
 } else if utils.IsInStringArray("microsoft.authorization", info) {
- return "2018-01-01-preview"
+ return "2022-04-01"
 } else if utils.IsInStringArray("microsoft.cache", info) {
 if utils.IsInStringArray("redisenterprise", info) {
 return "2021-03-01"
@@ -675,12 +675,14 @@ type sMessage struct {
 Lang string
 Value string
 }
+
 type sOdataError struct {
 Code string
 Message sMessage
 RequestId string
 Date time.Time
 }
+
 type AzureResponseError struct {
 OdataError sOdataError `json:"odata.error"`
 AzureError AzureError `json:"error"`
diff --git a/pkg/multicloud/azure/azure_v2.go b/pkg/multicloud/azure/azure_v2.go
index 93204e088..6c2fcdc47 100644
--- a/pkg/multicloud/azure/azure_v2.go
+++ b/pkg/multicloud/azure/azure_v2.go
@@ -11,6 +11,7 @@ import (
 "yunion.io/x/cloudmux/pkg/cloudprovider"
 "yunion.io/x/jsonutils"
 "yunion.io/x/pkg/errors"
+ "yunion.io/x/pkg/gotypes"
 "yunion.io/x/pkg/util/httputils"
 )

@@ -151,24 +152,32 @@ func (self *SAzureClient) _request_v2(service string, method httputils.THttpMeth
 if err != nil {
 return nil, err
 }
+ if gotypes.IsNil(resp) {
+ return jsonutils.NewDict(), nil
+ }
 if !resp.Contains("value") {
 return resp, nil
 }
 part := struct {
- Value []jsonutils.JSONObject
- NextLink string
+ Value []jsonutils.JSONObject
+ NextLink string
+ OdataNextLink string `json:"@odata.nextLink"`
 }{}
 err = resp.Unmarshal(&part)
 if err != nil {
 return nil, errors.Wrapf(err, "resp.Unmarshal")
 }
 value = append(value, part.Value...)
- if len(part.Value) == 0 || len(part.NextLink) == 0 {
+ if len(part.Value) == 0 || (len(part.NextLink) == 0 && len(part.OdataNextLink) == 0) {
 break
 }
- link, err := url.Parse(part.NextLink)
+ nextLink := part.NextLink
+ if len(nextLink) == 0 {
+ nextLink = part.OdataNextLink
+ }
+ link, err := url.Parse(nextLink)
 if err != nil {
- return nil, errors.Wrapf(err, "url.Parse(%s)", part.NextLink)
+ return nil, errors.Wrapf(err, "url.Parse(%s)", nextLink)
 }
 token := ""
 for _, key := range []string{"$skipToken", "$skiptoken"} {
diff --git a/pkg/multicloud/azure/cloudgroup.go b/pkg/multicloud/azure/cloudgroup.go
index 537e39dac..db0d2fccb 100644
--- a/pkg/multicloud/azure/cloudgroup.go
+++ b/pkg/multicloud/azure/cloudgroup.go
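Review bot: The new `gotypes.IsNil(resp)` early return sits inside what looks like the pagination loop (the `value = append(value, part.Value...)` and `break` further down), so a nil response on a second or later page discards everything already collected in `value` and returns an empty dict with a nil error, silently truncating the listing instead of surfacing the problem. For the IAM listings this client now serves (role assignments that DetachPolicy iterates) a truncated result is worse than an error, because the caller concludes the principal has no assignments. Consider `if gotypes.IsNil(resp) { break }` so the post-loop path returns what was collected, or keep the early return only when `len(value) == 0`. The loop header and the post-loop assembly of the result are outside the hunk, so the loop placement is inferred from the visible lines; `_request_v2` continues past the hunk on both sides.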
@@ -54,13 +54,13 @@ func (group *SCloudgroup) GetDescription() string {
 }

 func (group *SCloudgroup) GetICloudpolicies() ([]cloudprovider.ICloudpolicy, error) {
- policies, err := group.client.GetCloudpolicies(group.Id)
+ policies, err := group.client.GetPrincipalPolicy(group.Id)
 if err != nil {
 return nil, errors.Wrapf(err, "GetCloudpolicies(%s)", group.Id)
 }
 ret := []cloudprovider.ICloudpolicy{}
 for i := range policies {
- ret = append(ret, &policies[i])
+ ret = append(ret, &SCloudpolicy{Id: policies[i].RoleDefinitionId})
 }
 return ret, nil
 }
@@ -87,22 +87,17 @@ func (group *SCloudgroup) RemoveUser(name string) error {
 }

 func (group *SCloudgroup) AttachPolicy(policyId string, policyType api.TPolicyType) error {
- return group.client.AssignPolicy(group.Id, policyId, "")
+ return group.client.AssignPolicy(group.Id, policyId)
 }

 func (group *SCloudgroup) DetachPolicy(policyId string, policyType api.TPolicyType) error {
- assignments, err := group.client.GetAssignments(group.Id)
+ policys, err := group.client.GetPrincipalPolicy(group.Id)
 if err != nil {
- return errors.Wrapf(err, "GetAssignments(%s)", group.Id)
+ return err
 }
- for _, assignment := range assignments {
- role, err := group.client.GetRole(assignment.Properties.RoleDefinitionId)
- if err != nil {
- return errors.Wrapf(err, "GetRule(%s)", assignment.Properties.RoleDefinitionId)
- }
- if role.Properties.RoleName == policyId {
- _, err := group.client._delete_v2(SERVICE_GRAPH, assignment.Id, "")
- return err
+ for _, policy := range policys {
+ if policy.RoleDefinitionId == policyId {
+ return group.client.DeletePrincipalPolicy(policy.Id)
 }
 }
 return nil
diff --git a/pkg/multicloud/azure/cloudpolicy.go b/pkg/multicloud/azure/cloudpolicy.go
deleted file mode 100644
index da95887ab..000000000
--- a/pkg/multicloud/azure/cloudpolicy.go
+++ /dev/null
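Review bot: `ret = append(ret, &SCloudpolicy{Id: policies[i].RoleDefinitionId})` builds each returned policy from the assignment's role id alone, so `GetName()` and `GetDescription()` yield empty strings and `GetPolicyType()` reports every role, built-in ones included, as custom because `IsBuildIn` is never set; anything that matches or displays a principal's policies by name will see blank entries. clouduser.go's GetICloudpolicies makes the same construction. Either resolve the definitions before building the list (one `GetRoles("")` call, then pick the entry whose `Id` equals `RoleDefinitionId`), or add a comment on this line such as `// only Id is populated; the role definition is not fetched here` so callers do not rely on the other getters. The error message on the line above still says `GetCloudpolicies`, which no longer exists; `GetPrincipalPolicy(%s)` would match the call.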
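Review bot: DetachPolicy deletes only the first assignment whose `RoleDefinitionId` matches and returns, but GetPrincipalPolicy filters by principal only, so a principal holding the same role under more than one assignment (for instance different `directoryScopeId`s created outside this code) keeps the role after a "successful" detach. It also returns nil when nothing matched, so the caller cannot distinguish a detach from a no-op, and `return err` drops the context the removed `errors.Wrapf` carried. clouduser.go's DetachPolicy has the same shape and the same rewrite applies there; if callers should be told about a no-op, a `found` flag returning `cloudprovider.ErrNotFound` can be added to the loop below.
```go
	for _, policy := range policys {
		if policy.RoleDefinitionId != policyId {
			continue
		}
		if err := group.client.DeletePrincipalPolicy(policy.Id); err != nil {
			return errors.Wrapf(err, "DeletePrincipalPolicy(%s)", policy.Id)
		}
	}
	return nil
```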
@@ -1,203 +0,0 @@
-// Copyright 2019 Yunion
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package azure
-
-import (
- "fmt"
- "net/url"
- "strings"
-
- "yunion.io/x/jsonutils"
- "yunion.io/x/pkg/errors"
- "yunion.io/x/pkg/util/stringutils"
-
- api "yunion.io/x/cloudmux/pkg/apis/cloudid"
- "yunion.io/x/cloudmux/pkg/cloudprovider"
-)
-
-type SPermission struct {
- Actions []string
- NotActions []string
- DataActions []string
- NotDataActions []string
-}
-
-type SRoleProperties struct {
- RoleName string
- Type string
- Description string
- AssignableScopes []string
- Permissions []SPermission
-}
-
-type SCloudpolicy struct {
- Id string
- Type string
- Name string
- Properties SRoleProperties
-}
-
-func (role *SCloudpolicy) GetName() string {
- return role.Properties.RoleName
-}
-
-func (role *SCloudpolicy) GetGlobalId() string {
- return role.Properties.RoleName
-}
-
-func (role *SCloudpolicy) GetDescription() string {
- return role.Properties.Description
-}
-
-func (role *SCloudpolicy) GetPolicyType() api.TPolicyType {
- if role.Properties.Type == "BuiltInRole" {
- return api.PolicyTypeSystem
- }
- return api.PolicyTypeCustom
-}
-
-func (role *SCloudpolicy) UpdateDocument(document *jsonutils.JSONDict) error {
- return cloudprovider.ErrNotImplemented
-}
-
-func (role *SCloudpolicy) GetDocument() (*jsonutils.JSONDict, error) {
- return jsonutils.Marshal(role.Properties).(*jsonutils.JSONDict), nil
-}
-
-func (role *SCloudpolicy) Delete() error {
- return cloudprovider.ErrNotImplemented
-}
-
-func (cli *SAzureClient) GetRoles(name, policyType string) ([]SCloudpolicy, error) {
- ret := []SCloudpolicy{}
- filter := []string{}
- if len(name) > 0 {
- filter = append(filter, fmt.Sprintf("roleName eq '%s'", name))
- }
- if len(policyType) > 0 {
- filter = append(filter, fmt.Sprintf("Type eq '%s'", policyType))
- }
- params := url.Values{}
- if len(filter) > 0 {
- params.Set("$filter", strings.Join(filter, " and "))
- }
- resource := "Microsoft.Authorization/roleDefinitions"
- err := cli.list(resource, params, &ret)
- if err != nil {
- return nil, errors.Wrap(err, "list")
- }
- return ret, nil
-}
-
-func (cli *SAzureClient) GetICloudpolicies() ([]cloudprovider.ICloudpolicy, error) {
- roles, err := cli.GetRoles("", "")
- if err != nil {
- return nil, errors.Wrap(err, "GetRoles")
- }
- ret := []cloudprovider.ICloudpolicy{}
- for i := range roles {
- ret = append(ret, &roles[i])
- }
- return ret, nil
-}
-
-func (cli *SAzureClient) AssignPolicy(objectId, roleName, subscriptionId string) error {
- roles, err := cli.GetRoles(roleName, "")
- if err != nil {
- return errors.Wrapf(err, "GetRoles(%s)", roleName)
- }
- if len(roles) == 0 {
- return errors.Wrap(cloudprovider.ErrNotFound, roleName)
- }
- if len(roles) > 1 {
- return errors.Wrap(cloudprovider.ErrDuplicateId, roleName)
- }
- body := map[string]interface{}{
- "properties": map[string]interface{}{
- "roleDefinitionId": roles[0].Id,
- "principalId": objectId,
- },
- }
- subscriptionIds := []string{}
- if len(subscriptionId) == 0 {
- for _, subscription := range cli.subscriptions {
- subscriptionIds = append(subscriptionIds, subscription.SubscriptionId)
- }
- }
- for _, subscriptionId := range subscriptionIds {
- resource := fmt.Sprintf("subscriptions/%s/providers/Microsoft.Authorization/roleAssignments/%s", subscriptionId, stringutils.UUID4())
- _, err = cli.put(resource, jsonutils.Marshal(body))
- if err != nil {
- if e, ok := err.(*AzureResponseError); ok && e.AzureError.Code == "ReadOnlyDisabledSubscription" || e.AzureError.Code == "PrincipalNotFound" {
- continue
- }
- return errors.Wrapf(err, "AssignPolicy %s for subscription %s", roleName, subscriptionId)
- }
- }
- return nil
-}
-
-type SAssignmentProperties struct {
- RoleDefinitionId string
- PrincipalId string
- PrincipalType string
- Scope string
-}
-
-type SAssignment struct {
- Id string
- Name string
- Type string
- Properties SAssignmentProperties
-}
-
-func (cli *SAzureClient) GetAssignments(objectId string) ([]SAssignment, error) {
- ret := []SAssignment{}
- params := url.Values{}
- if len(objectId) > 0 {
- params.Set("$filter", fmt.Sprintf("principalId eq '%s'", objectId))
- }
- resource := "Microsoft.Authorization/roleAssignments"
- err := cli.list(resource, params, &ret)
- if err != nil {
- return nil, errors.Wrap(err, "list")
- }
- return ret, nil
-}
-
-func (cli *SAzureClient) GetRole(roleId string) (*SCloudpolicy, error) {
- role := &SCloudpolicy{}
- err := cli.get(roleId, nil, role)
- if err != nil {
- return nil, errors.Wrapf(err, "GetRole(%s)", roleId)
- }
- return role, nil
-}
-
-func (cli *SAzureClient) GetCloudpolicies(objectId string) ([]SCloudpolicy, error) {
- assignments, err := cli.GetAssignments(objectId)
- if err != nil {
- return nil, errors.Wrapf(err, "GetAssignments(%s)", objectId)
- }
- ret := []SCloudpolicy{}
- for _, assignment := range assignments {
- role, err := cli.GetRole(assignment.Properties.RoleDefinitionId)
- if err != nil {
- return nil, errors.Wrapf(err, "GetRule(%s)", assignment.Properties.RoleDefinitionId)
- }
- ret = append(ret, *role)
- }
- return ret, nil
-}
diff --git a/pkg/multicloud/azure/clouduser.go b/pkg/multicloud/azure/clouduser.go
index f5b422027..6e3d89a6f 100644
--- a/pkg/multicloud/azure/clouduser.go
+++ b/pkg/multicloud/azure/clouduser.go
@@ -103,40 +103,29 @@ func (user *SClouduser) GetInviteUrl() string {
 }

 func (user *SClouduser) GetICloudpolicies() ([]cloudprovider.ICloudpolicy, error) {
- policies, err := user.client.GetCloudpolicies(user.Id)
+ policies, err := user.client.GetPrincipalPolicy(user.Id)
 if err != nil {
 return nil, errors.Wrapf(err, "GetCloudpolicies(%s)", user.Id)
 }
 ret := []cloudprovider.ICloudpolicy{}
 for i := range policies {
- ret = append(ret, &policies[i])
+ ret = append(ret, &SCloudpolicy{Id: policies[i].RoleDefinitionId})
 }
 return ret, nil
 }

 func (user *SClouduser) AttachPolicy(policyId string, policyType api.TPolicyType) error {
- for _, subscription := range user.client.subscriptions {
- err := user.client.AssignPolicy(user.Id, policyId, subscription.SubscriptionId)
- if err != nil {
- return errors.Wrapf(err, "AssignPolicy for subscription %s", subscription.SubscriptionId)
- }
- }
- return nil
+ return user.client.AssignPolicy(user.Id, policyId)
 }

 func (user *SClouduser) DetachPolicy(policyId string, policyType api.TPolicyType) error {
- assignments, err := user.client.GetAssignments(user.Id)
+ policys, err := user.client.GetPrincipalPolicy(user.Id)
 if err != nil {
- return errors.Wrapf(err, "GetAssignments(%s)", user.Id)
+ return err
 }
- for _, assignment := range assignments {
- role, err := user.client.GetRole(assignment.Properties.RoleDefinitionId)
- if err != nil {
- return errors.Wrapf(err, "GetRule(%s)", assignment.Properties.RoleDefinitionId)
- }
- if role.Properties.RoleName == policyId {
- _, err := user.client._delete_v2(SERVICE_GRAPH, assignment.Id, "")
- return err
+ for _, policy := range policys {
+ if policy.RoleDefinitionId == policyId {
+ return user.client.DeletePrincipalPolicy(policy.Id)
 }
 }
 return nil
diff --git a/pkg/multicloud/azure/policy.go b/pkg/multicloud/azure/policy.go
deleted file mode 100644
index 135911a06..000000000
--- a/pkg/multicloud/azure/policy.go
+++ /dev/null
@@ -1,141 +0,0 @@
-// Copyright 2019 Yunion
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package azure
-
-import (
- "fmt"
- "net/url"
- "strings"
-
- "yunion.io/x/jsonutils"
- "yunion.io/x/pkg/errors"
-)
-
-type SPolicyDefinitonPropertieParameterMetadata struct {
- DisplayName string
- Description string
- StrongType string
- AssignPermissions bool
-}
-
-type SPolicyDefinitonPropertieParameter struct {
- Type string
- Metadata SPolicyDefinitonPropertieParameterMetadata
- AllowedValues []string
- DefaultValue []string
-}
-
-type SPolicyDefinitonProperties struct {
- DisplayName string
- PolicyType string
- Mode string
- Description string
- Metadata SPolicyDefinitonPropertieMetadata
- Parameters map[string]SPolicyDefinitonPropertieParameter
- PolicyRule SPolicyDefinitonPropertieRule
-}
-
-type SPolicyDefinitonPropertieRuleThen struct {
- Effect string
-}
-
-type SPolicyDefinitonPropertieRuleInfo jsonutils.JSONDict
-
-type SPolicyDefinitonPropertieRule struct {
- If jsonutils.JSONObject
- Then SPolicyDefinitonPropertieRuleThen
-}
-
-type SPolicyDefinitonPropertieMetadata struct {
- Version string
- Category string
-}
-
-type SPolicyDefinition struct {
- Properties SPolicyDefinitonProperties
- Id string
- Name string
- Type string
-}
-
-func (client *SAzureClient) GetPolicyDefinitions() ([]SPolicyDefinition, error) {
- definitions := []SPolicyDefinition{}
- err := client.list("Microsoft.Authorization/policyDefinitions", url.Values{}, &definitions)
- if err != nil {
- return nil, errors.Wrap(err, "Microsoft.Authorization/policyDefinitions.List")
- }
- return definitions, nil
-}
-
-func (client *SAzureClient) GetPolicyDefinition(id string) (*SPolicyDefinition, error) {
- definition := &SPolicyDefinition{}
- err := client.get(id, url.Values{}, definition)
- if err != nil {
- return nil, errors.Wrapf(err, "get %s", id)
- }
- return definition, nil
-}
-
-type PolicyAssignmentPropertiesParameter struct {
- Value []string
-}
-
-type PolicyAssignmentProperties struct {
- DisplayName string
- Parameters map[string]PolicyAssignmentPropertiesParameter
-}
-
-type SPolicyAssignment struct {
- Id string
- Properties PolicyAssignmentProperties
- values []string
- category string
- condition string
- parameters *jsonutils.JSONDict
-}
-
-func (assignment *SPolicyAssignment) GetName() string {
- return assignment.Properties.DisplayName
-}
-
-func (assignment *SPolicyAssignment) GetGlobalId() string {
- return strings.ToLower(assignment.Id)
-}
-
-func (assignment *SPolicyAssignment) GetCategory() string {
- return assignment.category
-}
-
-func (assignment *SPolicyAssignment) GetCondition() string {
- return assignment.condition
-}
-
-func (assignment *SPolicyAssignment) GetParameters() *jsonutils.JSONDict {
- return assignment.parameters
-}
-
-func (client *SAzureClient) GetPolicyAssignments(defineId string) ([]SPolicyAssignment, error) {
- assignments := []SPolicyAssignment{}
- resource := "Microsoft.Authorization/policyAssignments"
- params := url.Values{}
- if len(defineId) > 0 {
- params.Set("$filter", fmt.Sprintf(`policyDefinitionId eq '%s'`, defineId))
- }
- err := client.list(resource, params, &assignments)
- if err != nil {
- return nil, errors.Wrap(err, "Microsoft.Authorization/policyAssignments.List")
- }
- return assignments, nil
-}
diff --git a/pkg/multicloud/azure/role.go b/pkg/multicloud/azure/role.go
new file mode 100644
index 000000000..6d8b8ac26
--- /dev/null
+++ b/pkg/multicloud/azure/role.go
@@ -0,0 +1,152 @@
+// Copyright 2019 Yunion
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package azure
+
+import (
+ "fmt"
+ "net/url"
+ "strings"
+
+ "yunion.io/x/jsonutils"
+ "yunion.io/x/pkg/errors"
+
+ api "yunion.io/x/cloudmux/pkg/apis/cloudid"
+ "yunion.io/x/cloudmux/pkg/cloudprovider"
+)
+
+type SCloudpolicy struct {
+ Id string
+ Description string
+ DisplayName string
+ IsBuildIn bool
+ IsEnabled bool
+ ResourceScopes []string
+ TemplateId string
+ Version string
+ RolePermissions []struct {
+ allowedResourceActions []string
+ Condition string
+ }
+ InheritsPermissionsFrom []struct {
+ Id string
+ }
+}
+
+func (role *SCloudpolicy) GetName() string {
+ return role.DisplayName
+}
+
+func (role *SCloudpolicy) GetGlobalId() string {
+ return role.Id
+}
+
+func (role *SCloudpolicy) GetDescription() string {
+ return role.Description
+}
+
+func (role *SCloudpolicy) GetPolicyType() api.TPolicyType {
+ if role.IsBuildIn {
+ return api.PolicyTypeSystem
+ }
+ return api.PolicyTypeCustom
+}
+
+func (role *SCloudpolicy) UpdateDocument(document *jsonutils.JSONDict) error {
+ return cloudprovider.ErrNotImplemented
+}
+
+func (role *SCloudpolicy) GetDocument() (*jsonutils.JSONDict, error) {
+ return jsonutils.Marshal(role).(*jsonutils.JSONDict), nil
+}
+
+func (role *SCloudpolicy) Delete() error {
+ return cloudprovider.ErrNotImplemented
+}
+
+func (cli *SAzureClient) GetRoles(name string) ([]SCloudpolicy, error) {
+ ret := []SCloudpolicy{}
+ filter := []string{}
+ if len(name) > 0 {
+ filter = append(filter, fmt.Sprintf("displayName eq '%s'", name))
+ }
+ params := url.Values{}
+ if len(filter) > 0 {
+ params.Set("$filter", strings.Join(filter, " and "))
+ }
+ resp, err := cli._list_v2(SERVICE_GRAPH, "rolemanagement/directory/roleDefinitions", "", nil)
+ if err != nil {
+ return nil, errors.Wrap(err, "list")
+ }
+ err = resp.Unmarshal(&ret, "value")
+ if err != nil {
+ return nil, err
+ }
+ return ret, nil
+}
+
+func (cli *SAzureClient) GetICloudpolicies() ([]cloudprovider.ICloudpolicy, error) {
+ roles, err := cli.GetRoles("")
+ if err != nil {
+ return nil, errors.Wrap(err, "GetRoles")
+ }
+ ret := []cloudprovider.ICloudpolicy{}
+ for i := range roles {
+ ret = append(ret, &roles[i])
+ }
+ return ret, nil
+}
+
+func (cli *SAzureClient) AssignPolicy(objectId, roleId string) error {
+ body := map[string]interface{}{
+ "roleDefinitionId": roleId,
+ "principalId": objectId,
+ "directoryScopeId": "/",
+ }
+ _, err := cli._post_v2(SERVICE_GRAPH, "roleManagement/directory/roleAssignments", "", body)
+ return err
+}
+
+type SPrincipalPolicy struct {
+ RoleDefinitionId string
+ PrincipalId string
+ Id string
+}
+
+func (cli *SAzureClient) GetPrincipalPolicy(principalId string) ([]SPrincipalPolicy, error) {
+ params := url.Values{}
+ filter := []string{}
+ if len(principalId) > 0 {
+ filter = append(filter, fmt.Sprintf("principalId eq '%s'", principalId))
+ }
+ if len(filter) > 0 {
+ params.Set("$filter", strings.Join(filter, " and "))
+ }
+ resp, err := cli._list_v2(SERVICE_GRAPH, "rolemanagement/directory/roleAssignments", "", params)
+ if err != nil {
+ return nil, err
+ }
+ ret := []SPrincipalPolicy{}
+ err = resp.Unmarshal(&ret, "value")
+ if err != nil {
+ return nil, err
+ }
+ return ret, nil
+}
+
+func (cli *SAzureClient) DeletePrincipalPolicy(assignmentId string) error {
+ res := fmt.Sprintf("roleManagement/directory/roleAssignments/%s", assignmentId)
+ _, err := cli._delete_v2(SERVICE_GRAPH, res, "")
+ return err
+}
diff --git a/pkg/multicloud/azure/shell/policy.go b/pkg/multicloud/azure/shell/policy.go
deleted file mode 100644
index 6b24c85c0..000000000
--- a/pkg/multicloud/azure/shell/policy.go
+++ /dev/null
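Review bot: GetRoles builds `params` with the `$filter` but then calls `cli._list_v2(SERVICE_GRAPH, "rolemanagement/directory/roleDefinitions", "", nil)`, so the name filter is never sent and `GetRoles(name)` returns every directory role; the last argument should be `params`, as GetPrincipalPolicy already does. Two fields of SCloudpolicy also look like they can never be populated from a response: `allowedResourceActions` is unexported, so an unmarshal cannot set it and `GetDocument()` will emit a document without the role's actions, and `IsBuildIn` does not match the Graph property spelled `isBuiltIn`, so `GetPolicyType()` would report every built-in role as custom — renaming them `AllowedResourceActions` and `IsBuiltIn` fixes both, assuming jsonutils matches fields by name the way encoding/json does. Both `$filter` strings interpolate a caller-supplied value straight into an OData expression, and a value containing a single quote breaks the query; double it first, e.g. `strings.ReplaceAll(name, "'", "''")`. AssignPolicy hard-codes `"directoryScopeId": "/"`, which makes every assignment tenant-wide, and the `policyType` the callers receive is not used; a comment on that line stating that narrower (administrative-unit) scopes are intentionally unsupported would save the next reader from assuming otherwise.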
@@ -1,61 +0,0 @@
-// Copyright 2019 Yunion
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package shell
-
-import (
- "yunion.io/x/pkg/util/shellutils"
-
- "yunion.io/x/cloudmux/pkg/multicloud/azure"
-)
-
-func init() {
- type PolicyListOptions struct {
- }
- shellutils.R(&PolicyListOptions{}, "policy-definition-list", "List policy definitions", func(cli *azure.SRegion, args *PolicyListOptions) error {
- definitions, err := cli.GetClient().GetPolicyDefinitions()
- if err != nil {
- return err
- }
- printList(definitions, len(definitions), 0, 0, []string{})
- return nil
- })
-
- type PolicyAssignmentListOptions struct {
- DefinitionId string
- }
-
- shellutils.R(&PolicyAssignmentListOptions{}, "policy-assignment-list", "List policy assignment", func(cli *azure.SRegion, args *PolicyAssignmentListOptions) error {
- assignments, err := cli.GetClient().GetPolicyAssignments(args.DefinitionId)
- if err != nil {
- return err
- }
- printList(assignments, len(assignments), 0, 0, []string{})
- return nil
- })
-
- type PolicyIdOptions struct {
- ID string
- }
-
- shellutils.R(&PolicyIdOptions{}, "policy-definition-show", "Show policy definition", func(cli *azure.SRegion, args *PolicyIdOptions) error {
- definition, err := cli.GetClient().GetPolicyDefinition(args.ID)
- if err != nil {
- return err
- }
- printObject(definition)
- return nil
- })
-
-}
diff --git a/pkg/multicloud/azure/shell/cloudpolicy.go b/pkg/multicloud/azure/shell/role.go
similarity index 62%
rename from pkg/multicloud/azure/shell/cloudpolicy.go
rename to pkg/multicloud/azure/shell/role.go
index b90d4b933..03efd3b66 100644
--- a/pkg/multicloud/azure/shell/cloudpolicy.go
+++ b/pkg/multicloud/azure/shell/role.go
@@ -22,11 +22,10 @@ import (

 func init() {
 type CloudpolicyListOptions struct {
- Name string
- PolicyType string `choices:"CustomRole|BuiltInRole"`
+ Name string
 }
 shellutils.R(&CloudpolicyListOptions{}, "cloud-policy-list", "List cloudpolicies", func(cli *azure.SRegion, args *CloudpolicyListOptions) error {
- roles, err := cli.GetClient().GetRoles(args.Name, args.PolicyType)
+ roles, err := cli.GetClient().GetRoles(args.Name)
 if err != nil {
 return err
 }
@@ -35,38 +34,37 @@ func init() {
 })

 type CloudpolicyAssignOption struct {
- OBJECT string
- ROLE string
- SubscriptionId string
+ OBJECT string
+ ROLE string
 }

 shellutils.R(&CloudpolicyAssignOption{}, "cloud-policy-assign-object", "Assign cloudpolicy for object", func(cli *azure.SRegion, args *CloudpolicyAssignOption) error {
- return cli.GetClient().AssignPolicy(args.OBJECT, args.ROLE, args.SubscriptionId)
+ return cli.GetClient().AssignPolicy(args.OBJECT, args.ROLE)
 })

 type AssignmentListOption struct {
 ObjectId string
 }

- shellutils.R(&AssignmentListOption{}, "assignment-list", "List role assignments", func(cli *azure.SRegion, args *AssignmentListOption) error {
- assignments, err := cli.GetClient().GetAssignments(args.ObjectId)
+ type CloudpolicyAssignListOptions struct {
+ ID string
+ }
+
+ shellutils.R(&CloudpolicyAssignListOptions{}, "cloud-user-policy-list", "Assign cloudpolicy for object", func(cli *azure.SRegion, args *CloudpolicyAssignListOptions) error {
+ ret, err := cli.GetClient().GetPrincipalPolicy(args.ID)
 if err != nil {
 return err
 }
- printList(assignments, 0, 0, 0, nil)
+ printList(ret, 0, 0, 0, nil)
 return nil
 })

- type ObjectPolicyListOptions struct {
- OBJECT string
- }
-
- shellutils.R(&ObjectPolicyListOptions{}, "object-policy-list", "List object policies", func(cli *azure.SRegion, args *ObjectPolicyListOptions) error {
- policies, err := cli.GetClient().GetCloudpolicies(args.OBJECT)
+ shellutils.R(&CloudpolicyAssignListOptions{}, "cloud-group-policy-list", "Assign cloudpolicy for object", func(cli *azure.SRegion, args *CloudpolicyAssignListOptions) error {
+ ret, err := cli.GetClient().GetPrincipalPolicy(args.ID)
 if err != nil {
 return err
 }
- printList(policies, 0, 0, 0, nil)
+ printList(ret, 0, 0, 0, nil)
 return nil
 })