maz

package module
v1.2.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 11, 2024 License: MIT Imports: 20 Imported by: 0

README

maz

This is a Go library package module for managing Microsoft Azure resource and security objects. Please review https://que.one/azure/ to better understand what is meant here by resource and security objects. Essentially this is a library that provides basic MSAL authentication and token creation to allow principals to call the two primary Azure APIs, the Azure Resource Managment (ARM) API and the MS Graph API. Other APIs could be added in the future.

Getting Started

  1. Any program wanting to use this library module can simply import it, then instantiate a variable of type maz.Bundle to manage the interaction. For example:
import (
    "github.com/queone/maz"
)
z := maz.Bundle{
    ConfDir:      "",                   // Set up later, see example below
    CredsFile:    "credentials.yaml",
    TokenFile:    "accessTokens.json",
    TenantId:     "",
    ClientId:     "",
    ClientSecret: "",
    Interactive:  false,
    Username:     "",
    AuthorityUrl: "",                   // Set up later with maz.ConstAuthUrl + z.TenantId (see const block in maz.go)
    MgToken:      "",                   // Set up below 4 later with function maz.SetupApiTokens()
    MgHeaders:    map[string]string{},
    AzToken:      "",
    AzHeaders:    map[string]string{},  
}
// Then update the variables within the Bundle, to set up configuration directory
z.ConfDir = filepath.Join(os.Getenv("HOME"), "." + prgname)
if utl.FileNotExist(z.ConfDir) {
    if err := os.Mkdir(z.ConfDir, 0700); err != nil {
        panic(err.Error())
    }
}
  1. Then call maz.SetupInterativeLogin(z) or maz.SetupAutomatedLogin(z) to setup the credentials file accordingly.
  2. Then call z := maz.SetupApiTokens(*z) to acquire the respective API tokens, web headers, and other variables.
  3. Now call whatever MS Graph and Azure Resource API functions you want by passing and using the z variables, with its z.mgHeaders and/or z.azHeaders attributes, and so on.

Login Credentials

There are four (4) different ways to set up the login credentials to use this library module. All four ways required three (3) special attributes:

# Type Method Details
1 Interactive Config file Set up attributes via ~/.maz/credentials.yaml file
2 Interactive Environment variables Set up attributes via environment variables (OVERIDES config file)
3 Automated Config file Set up attributes via ~/.maz/credentials.yaml file
4 Automated Environment variables Set up attributes via environment variables (OVERIDES config file)
  1. Interactive via config file: The calling utility sets up a way to allow setting up the ~/.maz/credentials.yaml file with the 3 special attributes. For example, the azm CLI utility does this via the -id switch, to Set up MSAL interactive browser popup login: 
    azm -id 3f050090-20b0-40a0-a060-c05060104010 user1@domain.io
    Above will populate the ~/.maz/credentials.yaml file as follows: 
    tenant_id: 3f050090-20b0-40a0-a060-c05060104010
username: user1@domain.io
interactive: true
    From then on the azm utility will use above credentials to interact with the maz library to perform all its functions.
  2. Interactive via environment variables: The calling utility will instead use the os.Getenv("VAR") function to look for the following 3 special environment variables: 
    MAZ_TENANT_ID=3f050090-20b0-40a0-a060-c05060104010
MAZ_USERNAME=user1@domain.io
MAZ_INTERACTIVE=true
    Above values take precedence and OVERIDE any existing config ~/.maz/credentials.yaml file values.
  3. Automated via config file: The calling utility sets up a way to allow setting up the ~/.maz/credentials.yaml file with the 3 special attributes. For example, the azm CLI utility does this via the -id switch, to Set up MSAL automated ClientId + Secret login: 
    azm -id 3f050090-20b0-40a0-a060-c05060104010 f1110121-7111-4171-a181-e1614131e181 ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_i
    Above will populate the ~/.maz/credentials.yaml file as follows: 
    tenant_id: 3f050090-20b0-40a0-a060-c05060104010
client_id: f1110121-7111-4171-a181-e1614131e181
client_secret: ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_i
    From then on the azm utility will use above credentials to interact with the maz library to perform all its functions.
  4. Automated via environment variables: The calling utility will instead use the os.Getenv("VAR") function to look for the following 3 special environment variables 
    MAZ_TENANT_ID=3f050090-20b0-40a0-a060-c05060104010
MAZ_CLIENT_ID=f1110121-7111-4171-a181-e1614131e181
MAZ_CLIENT_SECRET=ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_i
    Above values take precedence and OVERIDE any existing config ~/.maz/credentials.yaml file values.

The benefit of using environment variables is to be able to override an existing credentials.yaml file, and to specify different credentials, as well as being able to use different credentials from different shell sessions on the same host. They also allow utilities written with this library to be used in continuous delivery and other types of automation.

NOTE: If all four MAZ_USERNAME, MAZ_INTERACTIVE, MAZ_CLIENT_ID, and MAZ_CLIENT_SECRET are properly define, then precedence is given to the Username Interactive login. To force a ClientID ClientSecret login via environment variables, you must ensure the first two are unset in the current shell.

Functions

TODO: List of all available functions?

  • maz.SetupInterativeLogin: This functions allows you to set up the~/.maz/credentials.yaml file for interactive Azure login.
  • ...

Documentation

Overview

Package maz is a library of functions for interacting with essential Azure APIs via REST calls. Currently it supports two APIs, the Azure Resource Management (ARM) API and the MS Graph API, but can be extended to support additional APIs. This package obviously also includes code to get an Azure JWT token using the MSAL library, to then use against either the 2 currently supported Azure APIs.

Index

Constants

View Source 
const (
	ConstAuthUrl = "https://login.microsoftonline.com/"
	ConstMgUrl   = "https://graph.microsoft.com"
	ConstAzUrl   = "https://management.azure.com"

	ConstAzPowerShellClientId = "1950a258-227b-4e31-a9cf-717495945fc2" // 'Microsoft Azure PowerShell' ClientId

	ConstCacheFileExtension   = "gz"
	ConstMgCacheFileAgePeriod = 1800  // Half hour
	ConstAzCacheFileAgePeriod = 86400 // One day
)

Variables

This section is empty.

Functions

func AdRolesCountAzure 

func AdRolesCountAzure(z Bundle) int64

Returns count of Azure AD directory role entries in current tenant

func AdRolesCountLocal 

func AdRolesCountLocal(z Bundle) int64

Returns count of Azure AD directory role entries in local cache file

func AddAppSecret 

func AddAppSecret(uuid, displayName, expiry string, z Bundle)

Creates/adds a secret to the given application

func AddSpSecret 

func AddSpSecret(uuid, displayName, expiry string, z Bundle)

Creates/adds a secret to the given SP

func ApiCall 

func ApiCall(method, apiUrl string, z Bundle, payload jsonT, params strMapT, verbose bool) (result jsonT, rsc int, err error)

Makes API calls and returns JSON object, Response StatusCode, and error. For a more clear explanation of how to interpret the JSON responses see https://eager.io/blog/go-and-json/ This function is the cornerstone of the maz package, extensively handling all API interactions.

func ApiDelete 

func ApiDelete(apiUrl string, z Bundle, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a DELETE

func ApiDeleteDebug 

func ApiDeleteDebug(apiUrl string, z Bundle, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a DELETE with debugging on

func ApiErrorCheck 

func ApiErrorCheck(method, apiUrl, caller string, r jsonT)

Prints useful error information if they occur

func ApiGet 

func ApiGet(apiUrl string, z Bundle, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a GET

func ApiGetDebug 

func ApiGetDebug(apiUrl string, z Bundle, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a GET with debugging on

func ApiPost 

func ApiPost(apiUrl string, z Bundle, payload jsonT, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a POST

func ApiPostDebug 

func ApiPostDebug(apiUrl string, z Bundle, payload jsonT, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a POST with debugging on

func ApiPut 

func ApiPut(apiUrl string, z Bundle, payload jsonT, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a PUT

func ApiPutDebug 

func ApiPutDebug(apiUrl string, z Bundle, payload jsonT, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a PUT with debugging on

func AppsCountAzure 

func AppsCountAzure(z Bundle) int64

Retrieves count of all applications in Azure tenant

func AppsCountLocal 

func AppsCountLocal(z Bundle) int64

Retrieves count of all applications in local cache file

func CompareSpecfileToAzure 

func CompareSpecfileToAzure(filePath string, z Bundle)

Compares specification file to what is in Azure

func CreateAzRoleAssignment 

func CreateAzRoleAssignment(x map[string]interface{}, z Bundle)

Creates an RBAC role assignment as defined by give x object

func CreateSkeletonFile 

func CreateSkeletonFile(t string)

Creates specfile skeleton/scaffold files

func DecodeJwtToken 

func DecodeJwtToken(tokenString string)

Decode and dump token string, trusting without formaly verification and validation

func DeleteAzObject 

func DeleteAzObject(force bool, specifier string, z Bundle)

Deletes object based on string specifier (currently only supports roleDefinitions or Assignments) String specifier can be either of 3: UUID, specfile, or displaName (only for roleDefinition) 1) Search Azure by given identifier; 2) Grab object's Fully Qualified Id string; 3) Print and prompt for confirmation; 4) Delete or abort

func DeleteAzRoleAssignmentByFqid 

func DeleteAzRoleAssignmentByFqid(fqid string, z Bundle) map[string]interface{}

Deletes an RBAC role assignment by its fully qualified object Id Example of a fully qualified Id string (note it's one long line): 

/providers/Microsoft.Management/managementGroups/33550b0b-2929-4b4b-adad-cccc66664444 \
  /providers/Microsoft.Authorization/roleAssignments/5d586a7b-3f4b-4b5c-844a-3fa8efe49ab3

func DeleteAzRoleDefinitionByFqid 

func DeleteAzRoleDefinitionByFqid(fqid string, z Bundle) map[string]interface{}

Deletes an RBAC role definition object by its fully qualified object Id Example of a fully qualified Id string: 

"/providers/Microsoft.Authorization/roleDefinitions/50a6ff7c-3ac5-4acc-b4f4-9a43aee0c80f"

func DiffLists 

func DiffLists(list1, list2 []interface{}) (added, removed []interface{}, same bool)

Compares two list of strings and returns added and removed items, and whether or not the lists are the same. Note they come in as []interface{} but we know they are strings. This is a special function for handling Azure RBAC role definition action differences.

func DiffRoleDefinitionSpecfileVsAzure 

func DiffRoleDefinitionSpecfileVsAzure(a, b map[string]interface{}, z Bundle)

Prints differences between role definition in Specfile (a) vs what is in Azure (b). The calling function must ensure that both a & b are valid role definition objects from a specfile and from Azure. A generic DiffJsonObject() function would probably be better for this.

func DumpLoginValues 

func DumpLoginValues(z Bundle)

Dumps configured login values

func FindAzObjectsByUuid 

func FindAzObjectsByUuid(uuid string, z Bundle) (list []interface{})

Returns list of Azure objects with this UUID. We are saying a list because 1) the UUID could be an appId shared by an app and an SP, or 2) there could be UUID collisions with multiple objects potentially sharing the same UUID. Only checks for the maz package limited set of Azure object types.

func GetAzAdRoleByUuid 

func GetAzAdRoleByUuid(uuid string, z Bundle) map[string]interface{}

Gets Azure AD role definition by Object UUID, with all attributes

func GetAzAdRoles 

func GetAzAdRoles(z Bundle, verbose bool) (list []interface{})

Gets all directory role definitions from Azure and sync to local cache. Shows progress if verbose = true

func GetAzAllPages 

func GetAzAllPages(apiUrl string, z Bundle) (list []interface{})

Returns all Azure pages for given API URL call

func GetAzAppByUuid 

func GetAzAppByUuid(uuid string, z Bundle) map[string]interface{}

Gets application by its Object UUID or by its appId, with all attributes

func GetAzApps 

func GetAzApps(z Bundle, verbose bool) (list []interface{})

Gets all applications from Azure and sync to local cache. Shows progress if verbose = true

func GetAzGroupByUuid 

func GetAzGroupByUuid(uuid string, z Bundle) map[string]interface{}

Gets Azure AD group by Object UUID, with all attributes

func GetAzGroups 

func GetAzGroups(z Bundle, verbose bool) (list []interface{})

Gets all groups from Azure and sync to local cache. Shows progress if verbose = true

func GetAzMgGroups 

func GetAzMgGroups(z Bundle) (list []interface{})

Gets all management groups in current Azure tenant, and saves them to local cache file

func GetAzObjectByUuid 

func GetAzObjectByUuid(t, uuid string, z Bundle) (x map[string]interface{})

Retrieves Azure object by Object UUID

func GetAzObjects 

func GetAzObjects(apiUrl string, z Bundle, verbose bool) (deltaSet []interface{}, deltaLinkMap map[string]interface{})

Generic Azure object deltaSet retriever function. Returns the set of changed or new items, and a deltaLink for running the next future Azure query. Implements the pattern described at https://docs.microsoft.com/en-us/graph/delta-query-overview

func GetAzRbacScopes 

func GetAzRbacScopes(z Bundle) (scopes []string)

Gets all scopes in the Azure tenant RBAC hierarchy: Tenant Root Group and all management groups, plus all subscription scopes

func GetAzRoleAssignmentByObject 

func GetAzRoleAssignmentByObject(x map[string]interface{}, z Bundle) (y map[string]interface{})

Gets Azure resource RBAC role assignment object by matching given objects: roleId, principalId, and scope (the 3 parameters which make a role assignment unique)

func GetAzRoleAssignmentByUuid 

func GetAzRoleAssignmentByUuid(uuid string, z Bundle) map[string]interface{}

Gets RBAC role assignment by its Object UUID. Unfortunately we have to iterate through the entire tenant scope hierarchy, which can take time.

func GetAzRoleAssignments 

func GetAzRoleAssignments(z Bundle, verbose bool) (list []interface{})

Gets all role assignments objects in current Azure tenant and save them to local cache file. Option to be verbose (true) or quiet (false), since it can take a while. References: 

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-rest
https://learn.microsoft.com/en-us/rest/api/authorization/role-assignments/list-for-subscription

func GetAzRoleDefinitionByName 

func GetAzRoleDefinitionByName(roleName string, z Bundle) (y map[string]interface{})

Gets role definition by displayName See https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list

func GetAzRoleDefinitionByObject 

func GetAzRoleDefinitionByObject(x map[string]interface{}, z Bundle) (y map[string]interface{})

Gets role definition object if it exists exactly as x object (as per essential attributes). Matches on: displayName and assignableScopes

func GetAzRoleDefinitionByUuid 

func GetAzRoleDefinitionByUuid(uuid string, z Bundle) map[string]interface{}

Gets role definition by Object Id. Unfortunately we have to iterate through the entire tenant scope hierarchy, which can take time.

func GetAzRoleDefinitions 

func GetAzRoleDefinitions(z Bundle, verbose bool) (list []interface{})

Gets all role definitions in current Azure tenant and save them to local cache file Option to be verbose (true) or quiet (false), since it can take a while. References: 

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list
https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list

func GetAzSpByUuid 

func GetAzSpByUuid(uuid string, z Bundle) map[string]interface{}

Gets service principal by its Object UUID or by its appId, with all attributes

func GetAzSps 

func GetAzSps(z Bundle, verbose bool) (list []interface{})

Gets all service principals from Azure and sync to local cache. Shows progress if verbose = true

func GetAzSubscriptionByUuid 

func GetAzSubscriptionByUuid(uuid string, z Bundle) map[string]interface{}

Gets specific Azure subscription by Object UUID

func GetAzSubscriptions 

func GetAzSubscriptions(z Bundle) (list []interface{})

Gets all subscription in current Azure tenant, and saves them to local cache file

func GetAzSubscriptionsIds 

func GetAzSubscriptionsIds(z Bundle) (scopes []string)

Gets all subscription full IDs, i.e. "/subscriptions/UUID", which are commonly used as scopes for Azure resource RBAC role definitions and assignments

func GetAzUserByUuid 

func GetAzUserByUuid(uuid string, z Bundle) map[string]interface{}

Gets Azure user object by Object UUID, with all attributes

func GetAzUsers 

func GetAzUsers(z Bundle, verbose bool) (list []interface{})

Gets all users from Azure and sync to local cache. Show progress if verbose = true

func GetCachedObjects 

func GetCachedObjects(cacheFile string) (cachedList []interface{})

Retrieves locally cached list of objects in given cache file

func GetIdMapApps 

func GetIdMapApps(z Bundle) (nameMap map[string]string)

Returns an id:name map of all applications

func GetIdMapGroups 

func GetIdMapGroups(z Bundle) (nameMap map[string]string)

Returns id:name map of all groups

func GetIdMapMgGroups 

func GetIdMapMgGroups(z Bundle) (nameMap map[string]string)

Returns id:name map of management groups

func GetIdMapRoleDefs 

func GetIdMapRoleDefs(z Bundle) (nameMap map[string]string)

Returns id:name map of all RBAC role definitions

func GetIdMapSps 

func GetIdMapSps(z Bundle) (nameMap map[string]string)

Returns an id:name map of all service principals

func GetIdMapSubs 

func GetIdMapSubs(z Bundle) (nameMap map[string]string)

Returns id:name map of all subscriptions

func GetIdMapUsers 

func GetIdMapUsers(z Bundle) (nameMap map[string]string)

Returns an id:name map of all users

func GetMatchingAdRoles 

func GetMatchingAdRoles(filter string, force bool, z Bundle) (list []interface{})

Gets all AD roles matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingApps 

func GetMatchingApps(filter string, force bool, z Bundle) (list []interface{})

Gets all applications matching on 'filter'. Return entire list if filter is empty ""

func GetMatchingGroups 

func GetMatchingGroups(filter string, force bool, z Bundle) (list []interface{})

Gets all groups matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingMgGroups 

func GetMatchingMgGroups(filter string, force bool, z Bundle) (list []interface{})

Gets all Azure management groups matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingRoleAssignments 

func GetMatchingRoleAssignments(filter string, force bool, z Bundle) (list []interface{})

Gets all RBAC role assignments matching on 'filter'. Return entire list if filter is empty ""

func GetMatchingRoleDefinitions 

func GetMatchingRoleDefinitions(filter string, force bool, z Bundle) (list []interface{})

Gets all role definitions matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingSps 

func GetMatchingSps(filter string, force bool, z Bundle) (list []interface{})

Gets all service principals matching on 'filter'. Return entire list if filter is empty ""

func GetMatchingSubscriptions 

func GetMatchingSubscriptions(filter string, force bool, z Bundle) (list []interface{})

Gets all Azure subscriptions matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingUsers 

func GetMatchingUsers(filter string, force bool, z Bundle) (list []interface{})

Gets all users matching on 'filter'. Returns entire list if filter is empty ""

func GetObjectFromFile 

func GetObjectFromFile(filePath string) (formatType, t string, obj map[string]interface{})

Returns 3 values: File format type, single-letter object type, and the object itself

func GetObjects 

func GetObjects(t, filter string, force bool, z Bundle) (list []interface{})

Generic function to get objects of type t whose attributes match on filter. If filter is the "" empty string return ALL of the objects of this type.

func GetTokenByCredentials 

func GetTokenByCredentials(scopes []string, confDir, tokenFile, authorityUrl, clientId, clientSecret string) (token string, err error)

Initiates an Azure JWT token acquisition with provided parameters, using a Client ID plus a Client Secret. This is the 'Confidential' app auth flow and is documented at: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/dev/apps/confidential/confidential.go

func GetTokenInteractively 

func GetTokenInteractively(scopes []string, confDir, tokenFile, authorityUrl, username string) (token string, err error)

Initiates an Azure JWT token acquisition with provided parameters, using a Username and a browser pop up window. This is the 'Public' app auth flow and is documented at: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/dev/apps/public/public.go

func GroupsCountAzure 

func GroupsCountAzure(z Bundle) int64

Returns number of group object entries in Azure tenant

func GroupsCountLocal 

func GroupsCountLocal(z Bundle) int64

Returns number of group object entries in local cache file

func MgGroupCountAzure 

func MgGroupCountAzure(z Bundle) int64

Returns count of management groups in Azure

func MgGroupCountLocal 

func MgGroupCountLocal(z Bundle) int64

Returns count of management group objects in local cache file

func MgType 

func MgType(typeIn string) string

Returns ARM object type based on long string

func NormalizeCache 

func NormalizeCache(baseSet, deltaSet []interface{}) (list []interface{})

Builds JSON mergeSet from deltaSet, and builds and returns the list of deleted IDs

func PrintAdRole 

func PrintAdRole(x map[string]interface{}, z Bundle)

Prints Azure AD role definition object in YAML-like format

func PrintApiErrMsg 

func PrintApiErrMsg(msg string)

Prints API error messages in 2 parts separated by a newline: A header, then a JSON byte slice

func PrintApp 

func PrintApp(x map[string]interface{}, z Bundle)

Prints application object in YAML-like format

func PrintAppRoleAssignmentsOthers 

func PrintAppRoleAssignmentsOthers(appRoleAssignments []interface{}, z Bundle)

Prints appRoleAssignments for other types of objects (Users and Groups)

func PrintAppRoleAssignmentsSp 

func PrintAppRoleAssignmentsSp(roleNameMap map[string]string, appRoleAssignments []interface{})

Prints appRoleAssignments for given service principal (SP)

func PrintCertificateList 

func PrintCertificateList(certificates []interface{})

Prints certificate list stanza for Apps and Sps

func PrintCountStatus 

func PrintCountStatus(z Bundle)

Prints a status count of all AZ and MG objects that are in Azure, and the local files.

func PrintCountStatusDirGroups added in v1.2.1 

func PrintCountStatusDirGroups(z Bundle)

func PrintGroup 

func PrintGroup(x map[string]interface{}, z Bundle)

Print group object in YAML-like format

func PrintHeaders 

func PrintHeaders(headers http.Header)

Prints HTTP headers specific to API calls. Simplifies ApiCall function.

func PrintMatching 

func PrintMatching(printFormat, t, specifier string, z Bundle)

Prints all objects that match on given specifier

func PrintMemberOfs 

func PrintMemberOfs(t string, memberOf []interface{})

Prints all memberOf entries

func PrintMgChildren 

func PrintMgChildren(indent int, children []interface{})

Recursively print management groups and all its children MGs and subscriptions

func PrintMgGroup 

func PrintMgGroup(x map[string]interface{})

Prints management group object in YAML-like format

func PrintMgTree 

func PrintMgTree(z Bundle)

Gets current tenant management group tree, and recursively calls function PrintMgChildren() to print the hierarchy

func PrintObject 

func PrintObject(t string, x map[string]interface{}, z Bundle)

Generic print object function

func PrintObjectByUuid 

func PrintObjectByUuid(uuid string, z Bundle)

Prints object by given UUID

func PrintOwners 

func PrintOwners(owners []interface{})

Print owners stanza for Apps and Sps

func PrintPags 

func PrintPags(z Bundle)

Lists all cached Privileged Access Groups (PAGs)

func PrintParams 

func PrintParams(params url.Values)

Prints HTTP parameters specific to API calls. Simplifies ApiCall function.

func PrintRoleAssignment 

func PrintRoleAssignment(x map[string]interface{}, z Bundle)

Prints RBAC role definition object in YAML-like format

func PrintRoleAssignmentReport 

func PrintRoleAssignmentReport(z Bundle)

Prints a human-readable report of all RBAC role assignments

func PrintRoleDefinition 

func PrintRoleDefinition(x map[string]interface{}, z Bundle)

Prints role definition object in a YAML-like format

func PrintSecretList 

func PrintSecretList(secretsList []interface{})

Prints secret list stanza for App and SP objects

func PrintSp 

func PrintSp(x map[string]interface{}, z Bundle)

Prints service principal object in YAML-like format

func PrintStringMapColor 

func PrintStringMapColor(strMap map[string]string)

Prints string map in YAML-like format, sorted, and in color

func PrintSubscription 

func PrintSubscription(x map[string]interface{})

Prints subscription object in YAML-like format

func PrintTersely 

func PrintTersely(t string, object interface{})

Prints this single object of type 't' tersely, with minimal attributes.

func PrintUser 

func PrintUser(x map[string]interface{}, z Bundle)

Prints user object in YAML-like format

func RemoveAppSecret 

func RemoveAppSecret(uuid, keyId string, z Bundle)

Removes a secret from the given application

func RemoveCacheFile 

func RemoveCacheFile(t string, z Bundle)

Removes specified cache file

func RemoveSpSecret 

func RemoveSpSecret(uuid, keyId string, z Bundle)

Removes a secret from the given SP

func RoleAssignmentsCountAzure 

func RoleAssignmentsCountAzure(z Bundle) int64

Calculates count of all role assignment objects in Azure

func RoleAssignmentsCountLocal 

func RoleAssignmentsCountLocal(z Bundle) int64

Retrieves count of all role assignment objects in local cache file

func RoleDefinitionCountAzure 

func RoleDefinitionCountAzure(z Bundle) (builtin, custom int64)

Counts all role definition in Azure. Returns 2 lists: one of native custom roles, the other of built-in role

func RoleDefinitionCountLocal 

func RoleDefinitionCountLocal(z Bundle) (builtin, custom int64)

Dedicated role definition local cache counter able to discern if role is custom to native tenant or it's an Azure BuilIn role

func SelectObject 

func SelectObject(id string, objSet []interface{}) (x map[string]interface{})

Selects JSON object with given ID from slice

func SetupAutomatedLogin 

func SetupAutomatedLogin(z Bundle)

Sets up credentials file for client_id + secret login

func SetupInterativeLogin 

func SetupInterativeLogin(z Bundle)

Sets up credentials file for interactive login

func SpsCountAzure 

func SpsCountAzure(z Bundle) (native, microsoft int64)

Retrieves counts of all SPs in this Azure tenant, 2 values: Native ones to this tenant, and all others

func SpsCountLocal 

func SpsCountLocal(z Bundle) (native, microsoft int64)

Retrieves counts of all SPs in local cache, 2 values: Native ones to this tenant, and all others

func SubsCountAzure 

func SubsCountAzure(z Bundle) int64

Returns count of all subscriptions in current Azure tenant

func SubsCountLocal 

func SubsCountLocal(z Bundle) int64

Returns count of all subscriptions in local cache file

func TokenValid 

func TokenValid(tokenString string) bool

Does a very basic validation of the JWT token as defined in https://tools.ietf.org/html/rfc7519

func UpsertAzObject 

func UpsertAzObject(force bool, filePath string, z Bundle)

Creates or updates a role definition or assignment based on given specfile

func UpsertAzRoleDefinition 

func UpsertAzRoleDefinition(force bool, x map[string]interface{}, z Bundle)

Creates or updates an RBAC role definition as defined by give x object

func UsersCountAzure 

func UsersCountAzure(z Bundle) int64

Returns the number of entries in Azure tenant

func UsersCountLocal 

func UsersCountLocal(z Bundle) int64

Returns the number of entries in local cache file

Types

type Bundle 

type Bundle struct {
	ConfDir      string // Directory where utility will store all its file
	CredsFile    string
	TokenFile    string
	TenantId     string
	ClientId     string
	ClientSecret string
	Interactive  bool
	Username     string
	AuthorityUrl string
	MgToken      string // This and below to support MS Graph API
	MgHeaders    map[string]string
	AzToken      string // This and below to support Azure Resource Management API
	AzHeaders    map[string]string
}

func SetupApiTokens 

func SetupApiTokens(z *Bundle) Bundle

Initializes the necessary global variables, acquires all API tokens, and sets them up for use.

func SetupCredentials 

func SetupCredentials(z *Bundle) Bundle

Gets credentials from OS environment variables (which take precedence), or from the credentials file.

type TokenCache 

type TokenCache struct {
	// contains filtered or unexported fields
}

func (*TokenCache) Export 

func (t *TokenCache) Export(ctx context.Context, cache cache.Marshaler, hints cache.ExportHints) error

func (*TokenCache) Print 

func (t *TokenCache) Print() string

func (*TokenCache) Replace 

func (t *TokenCache) Replace(ctx context.Context, cache cache.Unmarshaler, hints cache.ReplaceHints) error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.