Merge pull request Azure#6272 from cormacpayne/update-new-sp

Revert default role assignment for New-AzureRmADServicePrincipal

Author: cormacpayne

ChangeLog.md

@@ -1,4 +1,12 @@
-## 6.1.0 - May 2018
+## 6.1.1 - May 2018
+#### AzureRM.Resources
+* Revert change to `New-AzureRmADServicePrincipal` that gave service principals `Contributor` permissions over the current subscription if no values were provided for the `Role` or `Scope` parameters
+    - If no values are provided for `Role` or `Scope`, the service principal is created with no permissions
+    - If a `Role` is provided, but no `Scope`, the service principal is created with the specified `Role` permissions over the current subscription
+    - If a `Scope` is provided, but no `Role`, the service principal is created with `Contributor` permissions over the specified `Scope`
+    - If both `Role` and `Scope` are provided, the service principal is created with the specified `Role` permissions over the specified `Scope`
+
+## 6.1.0 - May 2018
 #### AzureRM.Profile
 * Fix issue where running 'Clear-AzureRmContext' would keep an empty context with the name of the previous default context, which prevented the user from creating a new context with the old name
 

src/Common/Commands.Common/AzurePowerShell.cs

@@ -26,9 +26,9 @@ public class AzurePowerShell
 
         public const string AssemblyCopyright = "Copyright © Microsoft";
 
-        public const string AssemblyVersion = "6.0.0";
+        public const string AssemblyVersion = "6.1.1";
 
-        public const string AssemblyFileVersion = "6.0.0";
+        public const string AssemblyFileVersion = "6.1.1";
 
         public const string ProfileFile = "AzureProfile.json";
 

src/ResourceManager/Resources/AzureRM.Resources.psd1

@@ -12,7 +12,7 @@
 # RootModule = ''
 
 # Version number of this module.
-ModuleVersion = '6.0.0'
+ModuleVersion = '6.0.1'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()
@@ -164,21 +164,11 @@ PrivateData = @{
         # IconUri = ''
 
         # ReleaseNotes of this module
-        ReleaseNotes = '* Set minimum dependency of module to PowerShell 5.0
-* Remove obsolete parameter -AtScopeAndBelow from Get-AzureRmRoledefinition call
-* Include assignments to deleted Users/Groups/ServicePrincipals in Get-AzureRmRoleAssignment result
-* Add convenience cmdlet for creating ServicePrincipals
-* Add Tab completers for Scope and ResourceType
-* Merge Get- and Find- functionality in Get-AzureRmResource
-* Add AD Cmdlets:
-  - Remove-AzureRmADGroupMember
-  - Get-AzureRmADGroup
-  - New-AzureRmADGroup
-  - Remove-AzureRmADGroup
-  - Remove-AzureRmADUser
-  - Update-AzureRmADApplication
-  - Update-AzureRmADServicePrincipal
-  - Update-AzureRmADUser'
+        ReleaseNotes = '* Revert change to `New-AzureRmADServicePrincipal` that gave service principals `Contributor` permissions over the current subscription if no values were provided for the `Role` or `Scope` parameters
+    - If no values are provided for `Role` or `Scope`, the service principal is created with no permissions
+    - If a `Role` is provided, but no `Scope`, the service principal is created with the specified `Role` permissions over the current subscription
+    - If a `Scope` is provided, but no `Role`, the service principal is created with `Contributor` permissions over the specified `Scope`
+    - If both `Role` and `Scope` are provided, the service principal is created with the specified `Role` permissions over the specified `Scope`'
 
         # Prerelease string of this module
         # Prerelease = ''

src/ResourceManager/Resources/ChangeLog.md

@@ -20,6 +20,13 @@
 ## Current Release
 * Fix issue with `Properties` property of `PSResource` object(s) returned from `Get-AzureRmResource`
 
+## Version 6.0.1
+* Revert change to `New-AzureRmADServicePrincipal` that gave service principals `Contributor` permissions over the current subscription if no values were provided for the `Role` or `Scope` parameters
+    - If no values are provided for `Role` or `Scope`, the service principal is created with no permissions
+    - If a `Role` is provided, but no `Scope`, the service principal is created with the specified `Role` permissions over the current subscription
+    - If a `Scope` is provided, but no `Role`, the service principal is created with `Contributor` permissions over the specified `Scope`
+    - If both `Role` and `Scope` are provided, the service principal is created with the specified `Role` permissions over the specified `Scope`
+
 ## Version 6.0.0
 * Set minimum dependency of module to PowerShell 5.0
 * Remove obsolete parameter -AtScopeAndBelow from Get-AzureRmRoledefinition call

src/ResourceManager/Resources/Commands.ResourceManager/Cmdlets/Properties/AssemblyInfo.cs

@@ -25,8 +25,8 @@
 [assembly: ComVisible(false)]
 [assembly: CLSCompliant(false)]
 [assembly: Guid("e8f34267-c461-4eae-b156-5f3528553d10")]
-[assembly: AssemblyVersion("6.0.0")]
-[assembly: AssemblyFileVersion("6.0.0")]
+[assembly: AssemblyVersion("6.0.1")]
+[assembly: AssemblyFileVersion("6.0.1")]
 #if SIGN
 [assembly: InternalsVisibleTo("Microsoft.Azure.Commands.Resources.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f45def46b2a2b1247adc3652bf5c308055da9")]
 [assembly: InternalsVisibleTo("Microsoft.Azure.Commands.MachineLearning.Test, PublicKey=0024000004800000940000000602000000240000525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f45def46b2a2b1247adc3652bf5c308055da9")]

src/ResourceManager/Resources/Commands.Resources.Test/Commands.Resources.Test.csproj

@@ -363,9 +363,15 @@
     <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.ActiveDirectoryTests\TestGetADUserWithMail.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
+    <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.ActiveDirectoryTests\TestNewADServicePrincipalWithCustomScope.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
     <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.ActiveDirectoryTests\TestNewADServicePrincipalWithoutApp.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
+    <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.ActiveDirectoryTests\TestNewADServicePrincipalWithReaderRole.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
     <None Include="SessionRecords\Microsoft.Azure.Commands.Resources.Test.ScenarioTests.DeploymentTests\TestCrossResourceGroupDeploymentFromTemplateFile.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/ActiveDirectoryTests.cs

@@ -599,13 +599,27 @@ public void TestNewADApplication()
             ResourcesController.NewInstance.RunPsTest("Test-NewADApplication");
         }
 
-        [Fact(Skip = "Need AD team to re-record test")]
+        [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestNewADServicePrincipalWithoutApp()
         {
             ResourcesController.NewInstance.RunPsTest("Test-NewADServicePrincipalWithoutApp");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestNewADServicePrincipalWithReaderRole()
+        {
+            ResourcesController.NewInstance.RunPsTest("Test-NewADServicePrincipalWithReaderRole");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestNewADServicePrincipalWithCustomScope()
+        {
+            ResourcesController.NewInstance.RunPsTest("Test-NewADServicePrincipalWithCustomScope");
+        }
+
         [Fact(Skip = "Not working in playback.")]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestCreateDeleteAppPasswordCredentials()

src/ResourceManager/Resources/Commands.Resources.Test/ScenarioTests/ActiveDirectoryTests.ps1

@@ -33,10 +33,10 @@ function Test-GetAllADGroups
 .SYNOPSIS
 Tests getting Active Directory groups.
 #>
-function Test-GetADGroupWithSearchString 
+function Test-GetADGroupWithSearchString
 {
     param([string]$displayName)
-    
+
     # Test
     # Select at most 10 groups. Groups are restricted to contain "test" to fasten the test
     $groups = Get-AzureRmADGroup -SearchString $displayName
@@ -68,7 +68,7 @@ Tests getting Active Directory groups.
 function Test-GetADGroupWithObjectId
 {
     param([string]$objectId)
-    
+
     # Test
     $groups = Get-AzureRmADGroup -ObjectId $objectId
 
@@ -85,7 +85,7 @@ Tests getting Active Directory group with security enabled .
 function Test-GetADGroupSecurityEnabled
 {
     param([string]$objectId, [string]$securityEnabled)
-    
+
     # Test
     $groups = Get-AzureRmADGroup -ObjectId $objectId
 
@@ -134,8 +134,8 @@ function Test-GetADGroupMemberWithGroupObjectId
 
     # Test
     $members = Get-AzureRmADGroupMember -GroupObjectId $groupObjectId
-    
-    # Assert 
+
+    # Assert
     Assert-AreEqual $members.Count 1
     Assert-AreEqual $members[0].Id $userObjectId
     Assert-AreEqual $members[0].DisplayName $userName
@@ -148,7 +148,7 @@ Tests getting members from an Active Directory group.
 function Test-GetADGroupMemberWithBadGroupObjectId
 {
     # Test
-    Assert-Throws { Get-AzureRmADGroupMember -GroupObjectId "baadc0de-baad-c0de-baad-c0debaadc0de" }    
+    Assert-Throws { Get-AzureRmADGroupMember -GroupObjectId "baadc0de-baad-c0de-baad-c0debaadc0de" }
 }
 
 <#
@@ -160,7 +160,7 @@ function Test-GetADGroupMemberWithUserObjectId
     param([string]$objectId)
 
     # Test
-    Assert-Throws { Get-AzureRmADGroupMember -GroupObjectId $objectId }    
+    Assert-Throws { Get-AzureRmADGroupMember -GroupObjectId $objectId }
 }
 
 <#
@@ -173,8 +173,8 @@ function Test-GetADGroupMemberFromEmptyGroup
 
     # Test
     $members = Get-AzureRmADGroupMember -GroupObjectId $objectId
-    
-    # Assert 
+
+    # Assert
     Assert-Null($members)
 }
 
@@ -462,7 +462,7 @@ function Test-NewADApplication
 
     # Assert
     Assert-NotNull $application
-    $apps =  Get-AzureRmADApplication 
+    $apps =  Get-AzureRmADApplication
     Assert-NotNull $apps
     Assert-True { $apps.Count -ge 0 }
 
@@ -489,13 +489,13 @@ function Test-NewADApplication
     $newDisplayName = getAssetName
     $newHomePage = "http://" + $newDisplayName + ".com"
     $newIdentifierUri = "http://" + $newDisplayName
-    
+
     # Update displayName and HomePage
     Set-AzureRmADApplication -ObjectId $application.ObjectId -DisplayName $newDisplayName -HomePage $newHomePage
 
-    # Update identifierUri 
+    # Update identifierUri
     Set-AzureRmADApplication -ApplicationId $application.ApplicationId -IdentifierUris $newIdentifierUri
-    
+
     # Get application and verify updated properties
     $app1 =  Get-AzureRmADApplication -ObjectId $application.ObjectId
     Assert-NotNull $app1
@@ -504,7 +504,7 @@ function Test-NewADApplication
     Assert-AreEqual $app1.HomePage $newHomePage
     Assert-AreEqual $app1.IdentifierUris[0] $newIdentifierUri
 
-    # Delete 
+    # Delete
     Remove-AzureRmADApplication -ObjectId $application.ObjectId -Force
 }
 
@@ -543,16 +543,18 @@ function Test-NewADServicePrincipal
 Tests Creating and deleting service principal without an exisitng application.
 #>
 function Test-NewADServicePrincipalWithoutApp
-{   
+{
     # Setup
     $displayName = getAssetName
 
     # Test
     $servicePrincipal = New-AzureRmADServicePrincipal -DisplayName $displayName
+	$role = Get-AzureRmRoleAssignment -ObjectId $servicePrincipal.Id
 
     # Assert
     Assert-NotNull $servicePrincipal
     Assert-AreEqual $servicePrincipal.DisplayName $displayName
+	Assert-Null $role
 
     # GetServicePrincipal by ObjectId
     $sp1 = Get-AzureRmADServicePrincipal -ObjectId $servicePrincipal.Id
@@ -573,7 +575,7 @@ function Test-NewADServicePrincipalWithoutApp
 
     # update SP displayName
     $newDisplayName = getAssetName
-    
+
     Set-AzureRmADServicePrincipal -ObjectId $servicePrincipal.Id -DisplayName $newDisplayName
 
     # Get SP and verify updated name
@@ -588,12 +590,78 @@ function Test-NewADServicePrincipalWithoutApp
     Assert-Throws { Remove-AzureRmADServicePrincipal -ObjectId $servicePrincipal.Id -Force}
 }
 
+<#
+.SYNOPSIS
+Tests creating a service principal with reader permissions
+#>
+function Test-NewADServicePrincipalWithReaderRole
+{
+	# Setup
+	$displayName = getAssetName
+	$roleDefinitionName = "Reader"
+
+	# Test
+	$servicePrincipal = New-AzureRmADServicePrincipal -DisplayName $displayName -Role $roleDefinitionName
+	Assert-NotNull $servicePrincipal
+	Assert-AreEqual $servicePrincipal.DisplayName $displayName
+
+	try
+	{
+		$role = Get-AzureRmRoleAssignment -ObjectId $servicePrincipal.Id
+		Assert-AreEqual $role.Count 1
+		Assert-AreEqual $role.DisplayName $servicePrincipal.DisplayName
+		Assert-AreEqual $role.ObjectId $servicePrincipal.Id
+		Assert-AreEqual $role.RoleDefinitionName $roleDefinitionName
+		Assert-AreEqual $role.ObjectType "ServicePrincipal"
+	}
+	finally
+	{
+		Remove-AzureRmADApplication -ApplicationId $servicePrincipal.ApplicationId -Force
+		Remove-AzureRmRoleAssignment -ObjectId $servicePrincipal.Id -RoleDefinitionName $roleDefinitionName
+	}
+}
+
+<#
+.SYNOPSIS
+Tests creating a service principal with permissions over a custom scope
+#>
+function Test-NewADServicePrincipalWithCustomScope
+{
+	# Setup
+	$displayName = getAssetName
+	$defaultRoleDefinitionName = "Contributor"
+	$subscription = Get-AzureRmSubscription | Select -Last 1 -Wait
+	$resourceGroup = Get-AzureRmResourceGroup | Select -Last 1 -Wait
+	$scope = "/subscriptions/" + $subscription.Id + "/resourceGroups/" + $resourceGroup.ResourceGroupName
+
+	# Test
+	$servicePrincipal = New-AzureRmADServicePrincipal -DisplayName $displayName -Scope $scope
+	Assert-NotNull $servicePrincipal
+	Assert-AreEqual $servicePrincipal.DisplayName $displayName
+
+	try
+	{
+		$role = Get-AzureRmRoleAssignment -ObjectId $servicePrincipal.Id
+		Assert-AreEqual $role.Count 1
+		Assert-AreEqual $role.DisplayName $servicePrincipal.DisplayName
+		Assert-AreEqual $role.ObjectId $servicePrincipal.Id
+		Assert-AreEqual $role.RoleDefinitionName $defaultRoleDefinitionName
+		Assert-AreEqual $role.Scope $scope
+		Assert-AreEqual $role.ObjectType "ServicePrincipal"
+	}
+	finally
+	{
+		Remove-AzureRmADApplication -ApplicationId $servicePrincipal.ApplicationId -Force
+		Remove-AzureRmRoleAssignment -ObjectId $servicePrincipal.Id -Scope $scope -RoleDefinitionName $defaultRoleDefinitionName
+	}
+}
+
 <#
 .SYNOPSIS
 Tests Creating and deleting application using Password Credentials.
 #>
 function Test-CreateDeleteAppPasswordCredentials
-{   
+{
     # Setup
     $displayName = getAssetName
     $identifierUri = "http://" + $displayName
@@ -629,7 +697,7 @@ function Test-CreateDeleteAppPasswordCredentials
 
     # Remove cred by KeyId
     Remove-AzureRmADAppCredential -ApplicationId $application.ApplicationId -KeyId $cred.KeyId -Force
-    $cred3 = Get-AzureRmADAppCredential -ApplicationId $application.ApplicationId 
+    $cred3 = Get-AzureRmADAppCredential -ApplicationId $application.ApplicationId
     Assert-NotNull $cred3
     Assert-AreEqual $cred3.Count 1
     Assert-AreEqual $cred3[0].KeyId $cred1.KeyId
@@ -642,7 +710,7 @@ function Test-CreateDeleteAppPasswordCredentials
     $newApplication = Get-AzureRmADApplication -DisplayNameStartWith "PowershellTestingApp"
     Assert-Throws { New-AzureRmADAppCredential -ApplicationId $newApplication.ApplicationId -Password "Somedummypwd"}
 
-    # Remove App 
+    # Remove App
     Remove-AzureRmADApplication -ObjectId $application.ObjectId -Force
 }
 
@@ -652,7 +720,7 @@ function Test-CreateDeleteAppPasswordCredentials
 Tests Creating and deleting application using Service Principal Credentials.
 #>
 function Test-CreateDeleteSpPasswordCredentials
-{   
+{
     # Setup
     $displayName = getAssetName
     $password = getAssetName
@@ -689,7 +757,7 @@ function Test-CreateDeleteSpPasswordCredentials
 
     # Remove cred by KeyId
     Remove-AzureRmADSpCredential -ServicePrincipalName $servicePrincipal.ServicePrincipalNames[0] -KeyId $cred.KeyId -Force
-    $cred3 = Get-AzureRmADSpCredential -ServicePrincipalName $servicePrincipal.ServicePrincipalNames[0] 
+    $cred3 = Get-AzureRmADSpCredential -ServicePrincipalName $servicePrincipal.ServicePrincipalNames[0]
     Assert-NotNull $cred3
     Assert-AreEqual $cred3.Count 1
     Assert-AreEqual $cred3[0].KeyId $cred1.KeyId
@@ -701,7 +769,7 @@ function Test-CreateDeleteSpPasswordCredentials
     }
     Finally
     {
-      # Remove App 
+      # Remove App
       $app =  Get-AzureRmADApplication -ApplicationId $servicePrincipal.ApplicationId
       Remove-AzureRmADApplication -ObjectId $app.ObjectId -Force
     }