maz

package module
v2.0.0-rc3
Published: Jan 1, 2025 License: MIT Imports: 22 Imported by: 0

README

maz

This is a Go library module for managing Microsoft Azure resource and security objects. See https://que.one/azure/ for what is meant by resource and security objects. Essentially, the library provides basic MSAL authentication and token acquisition so that a principal can call the two supported Azure APIs, the Azure Resource Management (ARM) API and the MS Graph API. Other APIs could be added in the future.

Why?

  • Learning/Experimentation: Building your own SDK can be a great way to learn more about Go and REST API development.
  • Specialized Use Cases: If your application only interacts with this smaller subset of Microsoft Graph APIs, then this lightweight custom SDK might be simpler and faster.
  • Control Over Dependencies: The official SDK might introduce dependencies or abstractions you want to avoid.
  • Custom Abstractions: If you need custom abstractions or behavior not easily achieved with the official SDK.

Getting Started

  1. To use this library, import the module, then instantiate a variable of type maz.Config to manage the interaction. For example:
import (
    "github.com/queone/maz"
)

z := maz.NewConfig()
  • From then on, the global config pointer variable z is used for managing the interaction with the library.
  • This variable includes things like z.ConfDir, which defaults to ~/.maz, and so on.
  • See https://github.com/queone/maz/blob/main/maz.go for more information on the Config type and what methods are available.
  2. Your program should then call maz.SetupInterativeLogin(z) or maz.SetupAutomatedLogin(z) to set up the credentials file accordingly.

  3. Then it should call maz.SetupApiTokens(z) to acquire the respective API tokens, web headers, and other variables. The function has no return value; it populates the Config that z points to.

  4. Afterwards, it can call whatever MS Graph and Azure Resource API functions you want, passing z, whose z.MgHeaders and/or z.AzHeaders fields carry the bearer token headers for each API.

  5. The best way to understand this is to look at the code of an example program like azgrp.

Login Credentials

There are four (4) different ways to set up the login credentials to use this library module. All four ways require three (3) special attributes:

  #  Type         Method                 Details
  1  Interactive  Config file            Set up attributes via ~/.maz/credentials.yaml file
  2  Interactive  Environment variables  Set up attributes via environment variables (OVERRIDES config file)
  3  Automated    Config file            Set up attributes via ~/.maz/credentials.yaml file
  4  Automated    Environment variables  Set up attributes via environment variables (OVERRIDES config file)
  1. Interactive via config file: The calling utility provides a way to set up the ~/.maz/credentials.yaml file with the 3 special attributes. For example, the azm CLI utility does this via the -id switch, to set up MSAL interactive browser popup login:

    azm -id 3f050090-20b0-40a0-a060-c05060104010 user1@domain.io
    

    Above will populate the ~/.maz/credentials.yaml file as follows:

    tenant_id: 3f050090-20b0-40a0-a060-c05060104010
    username: user1@domain.io
    interactive: true
    

    From then on, the azm utility will use the above credentials to interact with the maz library to perform all its functions.

  2. Interactive via environment variables: The calling utility instead uses the os.Getenv("VAR") function to look for the following 3 special environment variables:

    MAZ_TENANT_ID=3f050090-20b0-40a0-a060-c05060104010
    MAZ_USERNAME=user1@domain.io
    MAZ_INTERACTIVE=true
    

    The above values take precedence and OVERRIDE any existing ~/.maz/credentials.yaml config file values.

  3. Automated via config file: The calling utility provides a way to set up the ~/.maz/credentials.yaml file with the 3 special attributes. For example, the azm CLI utility does this via the -id switch, to set up MSAL automated ClientId + Secret login:

    azm -id 3f050090-20b0-40a0-a060-c05060104010 f1110121-7111-4171-a181-e1614131e181 ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_i
    

    Above will populate the ~/.maz/credentials.yaml file as follows:

    tenant_id: 3f050090-20b0-40a0-a060-c05060104010
    client_id: f1110121-7111-4171-a181-e1614131e181
    client_secret: ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_i
    

    From then on, the azm utility will use the above credentials to interact with the maz library to perform all its functions.

  4. Automated via environment variables: The calling utility instead uses the os.Getenv("VAR") function to look for the following 3 special environment variables:

    MAZ_TENANT_ID=3f050090-20b0-40a0-a060-c05060104010
    MAZ_CLIENT_ID=f1110121-7111-4171-a181-e1614131e181
    MAZ_CLIENT_SECRET=ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_i
    

    The above values take precedence and OVERRIDE any existing ~/.maz/credentials.yaml config file values.

The benefit of environment variables is that they override an existing credentials.yaml file, let you specify different credentials in different shell sessions on the same host, and let utilities written with this library run in continuous delivery and other kinds of automation. Note that the automated form stores a client_secret in clear text, whether in credentials.yaml or in the shell environment: keep the file readable only by its owner (mode 0600), keep it out of version control, and prefer short-lived, narrowly scoped secrets. This is general practice for any file that holds secrets, not a property of the library.

NOTE: If all four of MAZ_USERNAME, MAZ_INTERACTIVE, MAZ_CLIENT_ID, and MAZ_CLIENT_SECRET are properly defined, precedence is given to the Username interactive login. To force a ClientID + ClientSecret login via environment variables, you must ensure the first two are unset in the current shell.
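The precedence rules above (environment over file, interactive over automated, tenant_id always required), as an added example written for this page and not code from the maz project. It parses only the flat key: value form of credentials.yaml shown above, using the standard library, and adds a file-mode check that is this example's own policy rather than something the page says maz does. The Creds type and the Resolve, parseCredsFile and CheckCredsFileMode names are the example's own.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Creds mirrors the two three-attribute credential sets the README describes.
type Creds struct {
	TenantId     string
	Interactive  bool
	Username     string
	ClientId     string
	ClientSecret string
}

// parseCredsFile reads the flat "key: value" lines shown for
// ~/.maz/credentials.yaml. Assumption: no nesting, quoting or anchors,
// which keeps the example stdlib-only.
func parseCredsFile(content string) map[string]string {
	kv := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		kv[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return kv
}

// Resolve merges the credentials file with the MAZ_* environment: each
// environment value overrides the file value for the same attribute, and a
// complete interactive set (tenant_id, username, interactive=true) wins over
// a complete automated set (tenant_id, client_id, client_secret) when both
// are present. getenv is injected so the logic can run without touching the
// real environment.
func Resolve(fileContent string, getenv func(string) string) (Creds, error) {
	kv := parseCredsFile(fileContent)
	pick := func(envKey, fileKey string) string {
		if v := getenv(envKey); v != "" {
			return v
		}
		return kv[fileKey]
	}
	c := Creds{
		TenantId:     pick("MAZ_TENANT_ID", "tenant_id"),
		Username:     pick("MAZ_USERNAME", "username"),
		Interactive:  strings.EqualFold(pick("MAZ_INTERACTIVE", "interactive"), "true"),
		ClientId:     pick("MAZ_CLIENT_ID", "client_id"),
		ClientSecret: pick("MAZ_CLIENT_SECRET", "client_secret"),
	}
	if c.TenantId == "" {
		return Creds{}, errors.New("tenant_id is required for every login type")
	}
	switch {
	case c.Interactive && c.Username != "":
		// Interactive wins; drop the secret so it is never sent or logged.
		c.ClientId, c.ClientSecret = "", ""
		return c, nil
	case c.ClientId != "" && c.ClientSecret != "":
		c.Username, c.Interactive = "", false
		return c, nil
	}
	return Creds{}, errors.New("need username+interactive or client_id+client_secret")
}

// CheckCredsFileMode refuses a credentials file that group or others can
// read, since it may hold a client_secret in clear text. Requiring 0600 is
// this example's policy, not something the page states maz enforces.
func CheckCredsFileMode(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if perm := fi.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s has mode %o; expected 0600", path, perm)
	}
	return nil
}

func main() {
	// Constructed sample: an automated file plus an interactive override in
	// the environment, which by the README rule selects the interactive login.
	file := "tenant_id: 3f050090-20b0-40a0-a060-c05060104010\nclient_id: f1110121-7111-4171-a181-e1614131e181\nclient_secret: example-secret\n"
	env := map[string]string{"MAZ_USERNAME": "user1@domain.io", "MAZ_INTERACTIVE": "true"}
	c, err := Resolve(file, func(k string) string { return env[k] })
	fmt.Printf("%+v err=%v\n", c, err)
}
```

Injecting getenv rather than calling os.Getenv directly is what makes the precedence logic testable; in a real utility pass os.Getenv and the contents of z.CredsFile.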

Functions

TODO: List of all available functions?

  • maz.SetupInterativeLogin: This function lets you set up the ~/.maz/credentials.yaml file for interactive Azure login.
  • ...

Releases

See releases

Documentation

Overview

Package maz is a library of functions for interacting with essential Azure APIs via REST calls. Currently it supports two APIs, the Azure Resource Management (ARM) API and the MS Graph API, but it can be extended to support additional APIs. The package also includes the code to obtain an Azure JWT token using the MSAL library, for use against either of the two currently supported APIs.

Index

Constants

const (
	ConstAuthUrl = "https://login.microsoftonline.com/"
	ConstMgUrl   = "https://graph.microsoft.com"
	ConstAzUrl   = "https://management.azure.com"

	ConstAzPowerShellClientId = "1950a258-227b-4e31-a9cf-717495945fc2" // 'Microsoft Azure PowerShell' ClientId

	ConstCacheFileExtension   = "gz"
	ConstMgCacheFileAgePeriod = 1800  // Half hour
	ConstAzCacheFileAgePeriod = 86400 // One day
)

Variables

This section is empty.

Functions

func AdRolesCountAzure

func AdRolesCountAzure(z *Config) int64

Returns count of Azure AD directory role entries in current tenant

func AdRolesCountLocal

func AdRolesCountLocal(z *Config) int64

Returns count of Azure AD directory role entries in local cache file

func AddAppSecret

func AddAppSecret(id, displayName, expiry string, z *Config)

Creates/adds a secret to the given application

func AddSpSecret

func AddSpSecret(id, displayName, expiry string, z *Config)

Creates/adds a secret to the given SP

func ApiCall

func ApiCall(method, apiUrl string, z *Config, payload jsonT, params strMapT, verbose bool) (result jsonT, rsc int, err error)

Makes API calls and returns the JSON object, the response status code, and an error. For a clearer explanation of how to interpret the JSON responses see https://eager.io/blog/go-and-json/. This function is the cornerstone of the maz package; all API interactions go through it.

func ApiDelete

func ApiDelete(apiUrl string, z *Config, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a DELETE

func ApiDeleteDebug

func ApiDeleteDebug(apiUrl string, z *Config, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a DELETE with debugging on

func ApiErrorCheck

func ApiErrorCheck(method, apiUrl, caller string, r jsonT)

Prints useful error information if an API error occurs

func ApiGet

func ApiGet(apiUrl string, z *Config, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a GET

func ApiGetDebug

func ApiGetDebug(apiUrl string, z *Config, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a GET with debugging on

func ApiPatch

func ApiPatch(apiUrl string, z *Config, payload jsonT, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a PATCH

func ApiPatchDebug

func ApiPatchDebug(apiUrl string, z *Config, payload jsonT, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a PATCH with debugging on

func ApiPost

func ApiPost(apiUrl string, z *Config, payload jsonT, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a POST

func ApiPostDebug

func ApiPostDebug(apiUrl string, z *Config, payload jsonT, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a POST with debugging on

func ApiPut

func ApiPut(apiUrl string, z *Config, payload jsonT, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a PUT

func ApiPutDebug

func ApiPutDebug(apiUrl string, z *Config, payload jsonT, params strMapT) (result jsonT, rsc int, err error)

ApiCall alias to do a PUT with debugging on

func AppsCountAzure

func AppsCountAzure(z *Config) int64

Retrieves count of all applications in Azure tenant

func AppsCountLocal

func AppsCountLocal(z *Config) int64

Retrieves count of all applications in local cache file

func CompareSpecfileToAzure

func CompareSpecfileToAzure(filePath string, z *Config)

Compares object in specfile to what is in Azure

func CreateAzRoleAssignment

func CreateAzRoleAssignment(x map[string]interface{}, z *Config)

Creates an RBAC role assignment as defined by the given x object

func CreateDirGroup

func CreateDirGroup(jsonObj map[string]interface{}, z *Config) (x map[string]interface{}, e error)

Creates Azure directory group.

func CreateSkeletonFile

func CreateSkeletonFile(t string)

Creates specfile skeleton/scaffold files

func DecodeJwtToken

func DecodeJwtToken(tokenString string)

Decodes and dumps the token string, trusting it without formal verification or validation (the signature is not checked)

func DeleteAzObject

func DeleteAzObject(force bool, specifier string, z *Config)

Deletes an object based on a string specifier (currently only supports roleDefinitions or roleAssignments). The specifier can be one of three things: a UUID, a specfile, or a displayName (only for roleDefinition). The function 1) searches Azure by the given identifier; 2) grabs the object's fully qualified Id string; 3) prints it and prompts for confirmation; 4) deletes or aborts.

func DeleteAzRoleAssignmentByFqid

func DeleteAzRoleAssignmentByFqid(fqid string, z *Config) map[string]interface{}

Deletes an RBAC role assignment by its fully qualified object Id Example of a fully qualified Id string (note it's one long line):

/providers/Microsoft.Management/managementGroups/33550b0b-2929-4b4b-adad-cccc66664444 \
  /providers/Microsoft.Authorization/roleAssignments/5d586a7b-3f4b-4b5c-844a-3fa8efe49ab3

func DeleteAzRoleDefinitionByFqid

func DeleteAzRoleDefinitionByFqid(fqid string, z *Config) map[string]interface{}

Deletes an RBAC role definition object by its fully qualified object Id Example of a fully qualified Id string:

"/providers/Microsoft.Authorization/roleDefinitions/50a6ff7c-3ac5-4acc-b4f4-9a43aee0c80f"

func DeleteDirGroup

func DeleteDirGroup(opts *Options, z *Config)

Deletes Azure directory group

func DeleteGroupFromCache

func DeleteGroupFromCache(id string, z *Config) error

Deletes a group by UUID from the local cache.

func DiffLists

func DiffLists(list1, list2 []interface{}) (added, removed []interface{}, same bool)

Compares two lists of strings and returns the added and removed items, and whether or not the lists are the same. Note they come in as []interface{} but we know they are strings. This is a special function for handling Azure RBAC role definition action differences.

func DiffRoleDefinitionSpecfileVsAzure

func DiffRoleDefinitionSpecfileVsAzure(a, b map[string]interface{}, z *Config)

Prints differences between role definition in Specfile (a) vs what is in Azure (b). The calling function must ensure that both a & b are valid role definition objects from a specfile and from Azure. A generic DiffJsonObject() function would probably be better for this.

func DumpLoginValues

func DumpLoginValues(z *Config)

Dumps configured login values

func FindAzObjectsById

func FindAzObjectsById(id string, z *Config) (list []interface{})

Returns list of Azure objects with this UUID. We are saying a list because 1) the UUID could be an appId shared by an app and an SP, or 2) there could be UUID collisions with multiple objects potentially sharing the same UUID. Only checks for the maz package limited set of Azure object types.

func GetAzAdRoleById

func GetAzAdRoleById(id string, z *Config) map[string]interface{}

Gets Azure AD role definition by Object UUID, with all attributes

func GetAzAdRoles

func GetAzAdRoles(z *Config, verbose bool) (list []interface{})

Gets all directory role definitions from Azure and syncs them to the local cache. Shows progress if verbose = true

func GetAzAllPages

func GetAzAllPages(apiUrl string, z *Config) (list []interface{})

Returns all Azure pages for given API URL call

func GetAzAppById

func GetAzAppById(id string, z *Config) map[string]interface{}

Gets application by its Object UUID or by its appId, with all attributes

func GetAzApps

func GetAzApps(z *Config, verbose bool) (list []interface{})

Gets all applications from Azure and syncs them to the local cache. Shows progress if verbose = true

func GetAzMgGroups

func GetAzMgGroups(z *Config) (list []interface{})

Gets all management groups in the current Azure tenant, and saves them to the local cache file

func GetAzObjectById

func GetAzObjectById(t, id string, z *Config) (x map[string]interface{})

Retrieves Azure object by Object UUID

func GetAzObjects

func GetAzObjects(apiUrl string, z *Config, verbose bool) (deltaSet []interface{}, deltaLinkMap map[string]interface{})

Generic Azure object deltaSet retriever function. Returns the set of new or updated items, and a deltaLink for running the next future Azure query. Implements the code logic pattern described at https://docs.microsoft.com/en-us/graph/delta-query-overview
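The paging loop that GetAzAllPages (follow @odata.nextLink to the end) and GetAzObjects (stop at @odata.deltaLink and keep it for the next sync) both implement, shown as an added example that is not the maz code itself. It runs against a constructed in-process fake of a Graph delta collection so it works offline. CollectDelta, NewFakeGraph and the page type are this example's own names; the same-host check on each nextLink is the example's own hardening and is not documented library behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// page is the shape of an MS Graph collection response: a "value" array plus
// either @odata.nextLink (more pages follow) or @odata.deltaLink (round done).
type page struct {
	Value     []map[string]interface{} `json:"value"`
	NextLink  string                   `json:"@odata.nextLink,omitempty"`
	DeltaLink string                   `json:"@odata.deltaLink,omitempty"`
}

// CollectDelta follows @odata.nextLink until the collection ends and returns
// every item seen plus the @odata.deltaLink (empty for plain paging). The
// bearer token goes on every hop, so a server-supplied link that points off
// the original scheme/host is refused rather than followed: a nextLink must
// never be able to redirect the token elsewhere (example's own check).
func CollectDelta(client *http.Client, startURL, token string) ([]map[string]interface{}, string, error) {
	origin, err := url.Parse(startURL)
	if err != nil {
		return nil, "", err
	}
	var items []map[string]interface{}
	for next := startURL; next != ""; {
		u, err := url.Parse(next)
		if err != nil {
			return nil, "", err
		}
		if u.Scheme != origin.Scheme || u.Host != origin.Host {
			return nil, "", fmt.Errorf("refusing to follow nextLink to %q", u.Host)
		}
		req, err := http.NewRequest(http.MethodGet, next, nil)
		if err != nil {
			return nil, "", err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := client.Do(req)
		if err != nil {
			return nil, "", err
		}
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			return nil, "", err
		}
		if resp.StatusCode != http.StatusOK {
			return nil, "", fmt.Errorf("GET %s: HTTP %d: %s", next, resp.StatusCode, body)
		}
		var p page
		if err := json.Unmarshal(body, &p); err != nil {
			return nil, "", err
		}
		items = append(items, p.Value...)
		if p.DeltaLink != "" {
			return items, p.DeltaLink, nil
		}
		next = p.NextLink
	}
	return items, "", nil
}

// NewFakeGraph serves a constructed users/delta collection: two pages with a
// nextLink, a final page carrying a deltaLink and an @removed entry, and one
// poisoned page whose nextLink points off-host. A missing or wrong bearer
// token gets the 401 Graph would return.
func NewFakeGraph(token string) *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, `{"error":{"code":"InvalidAuthenticationToken"}}`, http.StatusUnauthorized)
			return
		}
		link := func(q string) string { return srv.URL + "/users/delta?" + q }
		var p page
		switch r.URL.Query().Get("$skiptoken") {
		case "":
			p = page{Value: []map[string]interface{}{{"id": "u1"}, {"id": "u2"}}, NextLink: link("$skiptoken=p2")}
		case "p2":
			p = page{Value: []map[string]interface{}{{"id": "u3"}}, NextLink: link("$skiptoken=p3")}
		case "evil":
			p = page{NextLink: "http://attacker.invalid/users/delta"}
		default:
			p = page{Value: []map[string]interface{}{{"id": "u4", "@removed": map[string]interface{}{"reason": "deleted"}}}, DeltaLink: link("$deltatoken=abc")}
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(p)
	}))
	return srv
}

func main() {
	srv := NewFakeGraph("tok")
	defer srv.Close()
	items, delta, err := CollectDelta(srv.Client(), srv.URL+"/users/delta", "tok")
	fmt.Println(len(items), "items; deltaLink:", delta, "err:", err)
}
```

Items carrying an @removed marker are how a delta round reports deletions; a cache merge has to drop those ids rather than store them, which is the job NormalizeCache's description assigns to it.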

func GetAzRbacScopes

func GetAzRbacScopes(z *Config) (scopes []string)

Gets all scopes in the Azure tenant RBAC hierarchy: Tenant Root Group and all management groups, plus all subscription scopes

func GetAzRoleAssignmentById

func GetAzRoleAssignmentById(id string, z *Config) map[string]interface{}

Gets RBAC role assignment by its Object UUID. Unfortunately we have to iterate through the entire tenant scope hierarchy, which can take time.

func GetAzRoleAssignmentByObject

func GetAzRoleAssignmentByObject(x map[string]interface{}, z *Config) (y map[string]interface{})

Gets Azure resource RBAC role assignment object by matching given objects: roleId, principalId, and scope (the 3 parameters which make a role assignment unique)

func GetAzRoleAssignments

func GetAzRoleAssignments(z *Config, verbose bool) (list []interface{})

Gets all role assignment objects in the current Azure tenant and saves them to the local cache file. Option to be verbose (true) or quiet (false), since it can take a while. References:

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-rest
https://learn.microsoft.com/en-us/rest/api/authorization/role-assignments/list-for-subscription

func GetAzRoleDefinitionById

func GetAzRoleDefinitionById(id string, z *Config) map[string]interface{}

Gets role definition by Object Id. Unfortunately we have to iterate through the entire tenant scope hierarchy, which can take time.

func GetAzRoleDefinitionByName

func GetAzRoleDefinitionByName(roleName string, z *Config) (y map[string]interface{})

Gets role definition by displayName See https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list

func GetAzRoleDefinitionByObject

func GetAzRoleDefinitionByObject(x map[string]interface{}, z *Config) (y map[string]interface{})

Gets role definition object if it exists exactly as x object (as per essential attributes). Matches on: displayName and assignableScopes

func GetAzRoleDefinitions

func GetAzRoleDefinitions(z *Config, verbose bool) (list []interface{})

Gets all role definitions in the current Azure tenant and saves them to the local cache file. Option to be verbose (true) or quiet (false), since it can take a while. References:

https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list
https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list

func GetAzSpById

func GetAzSpById(id string, z *Config) map[string]interface{}

Gets service principal by its Object UUID or by its appId, with all attributes

func GetAzSps

func GetAzSps(z *Config, verbose bool) (list []interface{})

Gets all service principals from Azure and syncs them to the local cache. Shows progress if verbose = true

func GetAzSubscriptionById

func GetAzSubscriptionById(id string, z *Config) map[string]interface{}

Gets specific Azure subscription by Object UUID

func GetAzSubscriptions

func GetAzSubscriptions(z *Config) (list []interface{})

Gets all subscriptions in the current Azure tenant, and saves them to the local cache file

func GetAzSubscriptionsIds

func GetAzSubscriptionsIds(z *Config) (scopes []string)

Gets all subscription full IDs, i.e. "/subscriptions/UUID", which are commonly used as scopes for Azure resource RBAC role definitions and assignments

func GetAzUserById

func GetAzUserById(id string, z *Config) map[string]interface{}

Gets Azure user object by Object UUID, with all attributes

func GetAzUsers

func GetAzUsers(z *Config, verbose bool) (list []interface{})

Gets all users from Azure and syncs them to the local cache. Shows progress if verbose = true

func GetCachedObjects

func GetCachedObjects(cacheFile string) (cachedList []interface{})

Retrieves locally cached list of objects in given cache file

func GetDirGroupFromAzureById

func GetDirGroupFromAzureById(id string, z *Config) map[string]interface{}

Gets directory group JSON object from Azure by Id. Updates entry in local cache.

func GetDirGroupFromAzureByName

func GetDirGroupFromAzureByName(displayName string, z *Config) []interface{}

Gets directory group JSON array from Azure by Name. We are only looking for a single group with this displayName, but MS Graph supports having groups with the very same displayName, so we return an array to allow for that possibility.

func GetIdMapApps

func GetIdMapApps(z *Config) (nameMap map[string]string)

Returns an id:name map of all applications

func GetIdMapGroups

func GetIdMapGroups(z *Config) (nameMap map[string]string)

Returns id:name map of all groups

func GetIdMapMgGroups

func GetIdMapMgGroups(z *Config) (nameMap map[string]string)

Returns id:name map of management groups

func GetIdMapRoleDefs

func GetIdMapRoleDefs(z *Config) (nameMap map[string]string)

Returns id:name map of all RBAC role definitions

func GetIdMapSps

func GetIdMapSps(z *Config) (nameMap map[string]string)

Returns an id:name map of all service principals

func GetIdMapSubs

func GetIdMapSubs(z *Config) (nameMap map[string]string)

Returns id:name map of all subscriptions

func GetIdMapUsers

func GetIdMapUsers(z *Config) (nameMap map[string]string)

Returns an id:name map of all users

func GetMatchingAdRoles

func GetMatchingAdRoles(filter string, force bool, z *Config) (list []interface{})

Gets all AD roles matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingApps

func GetMatchingApps(filter string, force bool, z *Config) (list []interface{})

Gets all applications matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingMgGroups

func GetMatchingMgGroups(filter string, force bool, z *Config) (list []interface{})

Gets all Azure management groups matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingRoleAssignments

func GetMatchingRoleAssignments(filter string, force bool, z *Config) (list []interface{})

Gets all RBAC role assignments matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingRoleDefinitions

func GetMatchingRoleDefinitions(filter string, force bool, z *Config) (list []interface{})

Gets all role definitions matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingSps

func GetMatchingSps(filter string, force bool, z *Config) (list []interface{})

Gets all service principals matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingSubscriptions

func GetMatchingSubscriptions(filter string, force bool, z *Config) (list []interface{})

Gets all Azure subscriptions matching on 'filter'. Returns entire list if filter is empty ""

func GetMatchingUsers

func GetMatchingUsers(filter string, force bool, z *Config) (list []interface{})

Gets all users matching on 'filter'. Returns entire list if filter is empty ""

func GetObjectFromFile

func GetObjectFromFile(filePath string) (formatType, t string, specfileObj map[string]interface{})

Processes given specfile and returns the specfile format type, the maz object letter string type, and the actual object.

func GetObjects

func GetObjects(t, filter string, force bool, z *Config) (list []interface{})

Generic function to get objects of type t whose attributes match on filter. If filter is the "" empty string return ALL of the objects of this type.

func GetTokenByCredentials

func GetTokenByCredentials(scopes []string, z *Config) (token string, err error)

Initiates an Azure JWT token acquisition with provided parameters, using a Client ID plus a Client Secret. This is the 'Confidential' app auth flow and is documented at: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/dev/apps/confidential/confidential.go

func GetTokenInteractively

func GetTokenInteractively(scopes []string, z *Config) (token string, err error)

Initiates an Azure JWT token acquisition with provided parameters, using a Username and a browser pop up window. This is the 'Public' app auth flow as documented at: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/dev/apps/public/public.go

func GroupsCountAzure

func GroupsCountAzure(z *Config) int64

Returns number of group object entries in Azure tenant

func GroupsCountLocal

func GroupsCountLocal(z *Config) int64

Returns number of group object entries in local cache file

func JsonObjectFromDirGroup

func JsonObjectFromDirGroup(g *DirGroup) map[string]interface{}

Creates a JSON-like map of attributes from a DirGroup.

func MgGroupCountAzure

func MgGroupCountAzure(z *Config) int64

Returns count of management groups in Azure

func MgGroupCountLocal

func MgGroupCountLocal(z *Config) int64

Returns count of management group objects in local cache file

func MgType

func MgType(typeIn string) string

Returns ARM object type based on long string

func NormalizeCache

func NormalizeCache(baseSet, deltaSet []interface{}) (list []interface{})

Builds JSON mergeSet from deltaSet, and builds and returns the list of deleted IDs

func PrintAdRole

func PrintAdRole(x map[string]interface{}, z *Config)

Prints Azure AD role definition object in YAML-like format

func PrintAllDirGroupsTersely

func PrintAllDirGroupsTersely(all DirGroupList)

Prints list of directory groups tersely.

func PrintApiErrMsg

func PrintApiErrMsg(msg string)

Prints API error messages in 2 parts separated by a newline: A header, then a JSON byte slice

func PrintApp

func PrintApp(x map[string]interface{}, z *Config)

Prints application object in YAML-like format

func PrintAppRoleAssignmentsOthers

func PrintAppRoleAssignmentsOthers(appRoleAssignments []interface{}, z *Config)

Prints appRoleAssignments for other types of objects (Users and Groups)

func PrintAppRoleAssignmentsSp

func PrintAppRoleAssignmentsSp(roleNameMap map[string]string, appRoleAssignments []interface{})

Prints appRoleAssignments for given service principal (SP)

func PrintCertificateList

func PrintCertificateList(certificates []interface{})

Prints certificate list stanza for Apps and Sps

func PrintCountStatus

func PrintCountStatus(z *Config)

Prints a status count of all AZ and MG objects that are in Azure, and the local files.

func PrintCountStatusDirGroups

func PrintCountStatusDirGroups(z *Config)

func PrintDirGroup

func PrintDirGroup(x map[string]interface{}, z *Config)

Print directory group object in YAML-like format

func PrintDirGroupTersely

func PrintDirGroupTersely(g DirGroup)

Prints single directory group tersely, only the Id and DisplayName.

func PrintHeaders

func PrintHeaders(headers http.Header)

Prints HTTP headers specific to API calls. Simplifies ApiCall function.

func PrintMatching

func PrintMatching(printFormat, t, specifier string, z *Config)

Prints all objects that match on given specifier

func PrintMemberOfs

func PrintMemberOfs(t string, memberOf []interface{})

Prints all memberOf entries

func PrintMgChildren

func PrintMgChildren(indent int, children []interface{})

Recursively prints a management group and all of its child MGs and subscriptions

func PrintMgGroup

func PrintMgGroup(x map[string]interface{})

Prints management group object in YAML-like format

func PrintMgTree

func PrintMgTree(z *Config)

Gets current tenant management group tree, and recursively calls function PrintMgChildren() to print the hierarchy

func PrintObject

func PrintObject(t string, x map[string]interface{}, z *Config)

Generic print object function

func PrintObjectById

func PrintObjectById(id string, z *Config)

Prints object by given UUID

func PrintOwners

func PrintOwners(owners []interface{})

Print owners stanza for Apps and Sps

func PrintPags

func PrintPags(z *Config)

Lists all cached Privileged Access Groups (PAGs)

func PrintParams

func PrintParams(params url.Values)

Prints HTTP parameters specific to API calls. Simplifies ApiCall function.

func PrintRoleAssignment

func PrintRoleAssignment(x map[string]interface{}, z *Config)

Prints RBAC role assignment object in YAML-like format

func PrintRoleAssignmentReport

func PrintRoleAssignmentReport(z *Config)

Prints a human-readable report of all RBAC role assignments

func PrintRoleDefinition

func PrintRoleDefinition(x map[string]interface{}, z *Config)

Prints role definition object in a YAML-like format

func PrintSecretList

func PrintSecretList(secretsList []interface{})

Prints secret list stanza for App and SP objects

func PrintSp

func PrintSp(x map[string]interface{}, z *Config)

Prints service principal object in YAML-like format

func PrintStringMapColor

func PrintStringMapColor(strMap map[string]string)

Prints string map in YAML-like format, sorted, and in color

func PrintSubscription

func PrintSubscription(x map[string]interface{})

Prints subscription object in YAML-like format

func PrintTersely

func PrintTersely(t string, object interface{})

Prints this single object of type 't' tersely, with minimal attributes.

func PrintUser

func PrintUser(x map[string]interface{}, z *Config)

Prints user object in YAML-like format

func RemoveAppSecret

func RemoveAppSecret(id, keyId string, z *Config)

Removes a secret from the given application

func RemoveCacheFile

func RemoveCacheFile(t string, z *Config)

Removes specified cache file

func RemoveDirGroupCacheFile

func RemoveDirGroupCacheFile(z *Config)

Removes directory group local cache files.

func RemoveSpSecret

func RemoveSpSecret(id, keyId string, z *Config)

Removes a secret from the given SP

func RenameDirGroup

func RenameDirGroup(opts *Options, z *Config)

Renames Azure directory group

func RoleAssignmentsCountAzure

func RoleAssignmentsCountAzure(z *Config) int64

Calculates count of all role assignment objects in Azure

func RoleAssignmentsCountLocal

func RoleAssignmentsCountLocal(z *Config) int64

Retrieves count of all role assignment objects in local cache file

func RoleDefinitionCountAzure

func RoleDefinitionCountAzure(z *Config) (builtin, custom int64)

Counts all role definitions in Azure. Returns 2 counts: the built-in roles, and the custom roles native to this tenant

func RoleDefinitionCountLocal

func RoleDefinitionCountLocal(z *Config) (builtin, custom int64)

Dedicated role definition local cache counter, able to discern whether a role is custom to the native tenant or an Azure built-in role

func SaveDirGroupsToCache

func SaveDirGroupsToCache(filePath string, groupList DirGroupList) error

Saves a list of DirGroup objects to a binary cache file.

func SelectObject

func SelectObject(id string, objSet []interface{}) map[string]interface{}

Selects JSON object with given ID from slice

func SetupApiTokens

func SetupApiTokens(z *Config)

Initializes the necessary global variables, acquires all API tokens, and sets them up for use.

func SetupAutomatedLogin

func SetupAutomatedLogin(z *Config)

Sets up credentials file for client_id + secret login

func SetupCredentials

func SetupCredentials(z *Config)

Gets credentials from OS environment variables (which take precedence), or from the credentials file.

func SetupInterativeLogin

func SetupInterativeLogin(z *Config)

Sets up credentials file for interactive login

func SpsCountAzure

func SpsCountAzure(z *Config) (native, microsoft int64)

Retrieves counts of all SPs in this Azure tenant, 2 values: Native ones to this tenant, and all others

func SpsCountLocal

func SpsCountLocal(z *Config) (native, microsoft int64)

Retrieves counts of all SPs in local cache, 2 values: Native ones to this tenant, and all others

func SubsCountAzure

func SubsCountAzure(z *Config) int64

Returns count of all subscriptions in current Azure tenant

func SubsCountLocal

func SubsCountLocal(z *Config) int64

Returns count of all subscriptions in local cache file

func TokenValid

func TokenValid(tokenString string) bool

Does a very basic validation of the JWT token as defined in https://tools.ietf.org/html/rfc7519. It takes only the token string and no signing key, so a true result should not be read as proof that the token's signature was verified.
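What "decode without verification" (DecodeJwtToken) and "very basic validation" (TokenValid) amount to in practice, as an added example that is not the library's own code: it base64url-decodes the header and claims, checks exp and nbf with a clock-skew allowance, optionally checks the audience against the API the token is meant for, and has no way to check the signature, which only the receiving API (Graph or ARM) can do with the issuer's keys. The sample token is constructed in the block with a placeholder signature segment; DecodeJwt, BasicallyValid, MakeUnsignedJwt and JwtParts are the example's own names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JwtParts holds the decoded header and claims of a JWT. Nothing here checks
// the signature: the token is decoded, not verified.
type JwtParts struct {
	Header map[string]interface{}
	Claims map[string]interface{}
}

// DecodeJwt splits a compact JWS (header.payload.signature), base64url
// decodes the first two segments and parses each as a JSON object.
func DecodeJwt(token string) (JwtParts, error) {
	seg := strings.Split(token, ".")
	if len(seg) != 3 {
		return JwtParts{}, fmt.Errorf("expected 3 segments, got %d", len(seg))
	}
	var out JwtParts
	for i, dst := range []*map[string]interface{}{&out.Header, &out.Claims} {
		raw, err := base64.RawURLEncoding.DecodeString(seg[i])
		if err != nil {
			return JwtParts{}, fmt.Errorf("segment %d: %w", i, err)
		}
		if err := json.Unmarshal(raw, dst); err != nil {
			return JwtParts{}, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	return out, nil
}

// BasicallyValid applies the checks a client can make without a key: three
// segments, a header with "alg", "exp" not in the past and "nbf" not in the
// future (both allowing skew), and, when wantAud is given, a matching "aud"
// so a Graph token is not sent to ARM or vice versa. A true result means
// "worth sending", never "trustworthy".
func BasicallyValid(token string, now time.Time, skew time.Duration, wantAud string) (bool, error) {
	p, err := DecodeJwt(token)
	if err != nil {
		return false, err
	}
	if _, ok := p.Header["alg"].(string); !ok {
		return false, errors.New("header lacks alg")
	}
	exp, ok := p.Claims["exp"].(float64) // JSON numbers decode as float64
	if !ok {
		return false, errors.New("missing exp claim")
	}
	if now.After(time.Unix(int64(exp), 0).Add(skew)) {
		return false, errors.New("token expired")
	}
	if nbf, ok := p.Claims["nbf"].(float64); ok && now.Add(skew).Before(time.Unix(int64(nbf), 0)) {
		return false, errors.New("token not yet valid")
	}
	if wantAud != "" {
		if aud, _ := p.Claims["aud"].(string); aud != wantAud {
			return false, fmt.Errorf("audience %q is not %q", aud, wantAud)
		}
	}
	return true, nil
}

// MakeUnsignedJwt builds a constructed sample token with a placeholder
// signature segment, enough to exercise the decoder and the time checks.
// A real token from MSAL carries an RS256 signature over the first two parts.
func MakeUnsignedJwt(claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]interface{}{"alg": "RS256", "typ": "JWT"}
	return enc(header) + "." + enc(claims) + ".placeholder-signature"
}

func main() {
	now := time.Now()
	tok := MakeUnsignedJwt(map[string]interface{}{
		"aud": "https://graph.microsoft.com",
		"exp": now.Add(time.Hour).Unix(),
		"nbf": now.Add(-time.Minute).Unix(),
		"oid": "00000000-0000-0000-0000-000000000000",
	})
	p, _ := DecodeJwt(tok)
	ok, err := BasicallyValid(tok, now, 5*time.Minute, "https://graph.microsoft.com")
	fmt.Println(p.Claims["aud"], ok, err)
}
```

The block accepts its own placeholder signature, which is the point: any client-side check that does not hold the issuer's public key will accept a forged token, so these checks are only for avoiding a pointless API call with a stale or wrong-audience token.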

func UpdateDirGroup

func UpdateDirGroup(id string, jsonObj map[string]interface{}, z *Config) error

Updates Azure directory group.

func UpsertAzObject

func UpsertAzObject(force bool, filePath string, z *Config)

Creates or updates an Azure object based on given specfile

func UpsertAzRoleDefinition

func UpsertAzRoleDefinition(force bool, x map[string]interface{}, z *Config)

Creates or updates an RBAC role definition as defined by the given x object

func UpsertDirGroup

func UpsertDirGroup(opts *Options, z *Config)

Driver function to create or update a directory group. Expects the group object to be printed out beforehand, to then optionally prompt for confirmation.

func UpsertDirGroupFromArgs

func UpsertDirGroupFromArgs(opts *Options, z *Config)

Upsert (update or create) Azure directory group from given command-line arguments.

func UpsertDirGroupFromFile

func UpsertDirGroupFromFile(opts *Options, z *Config)

Upsert (update or create) Azure directory group from given specfile.

func UpsertGroupInCache

func UpsertGroupInCache(group DirGroup, z *Config) error

Updates or adds a group in the local cache.

func UsersCountAzure

func UsersCountAzure(z *Config) int64

Returns the number of user entries in the Azure tenant

func UsersCountLocal

func UsersCountLocal(z *Config) int64

Returns the number of user entries in the local cache file

Types

type Bundle

type Bundle struct {
	ConfDir      string // Directory where utility will store all its files
	CredsFile    string
	TokenFile    string
	TenantId     string
	ClientId     string
	ClientSecret string
	Interactive  bool
	Username     string
	AuthorityUrl string
	MgToken      string // This and below to support MS Graph API
	MgHeaders    map[string]string
	AzToken      string // This and below to support Azure Resource Management API
	AzHeaders    map[string]string
}

Old configuration Bundle type. To be deprecated.

type Config

type Config struct {
	ConfDir      string
	CredsFile    string
	TokenFile    string
	TenantId     string
	ClientId     string
	ClientSecret string
	Interactive  bool
	Username     string
	MgToken      string
	MgHeaders    map[string]string
	AzToken      string
	AzHeaders    map[string]string
}

Config holds configuration and credentials for various APIs and the calling programs themselves.

func NewConfig

func NewConfig() *Config

Constructs, initializes, and returns a pointer to a Config instance. The returned pointer can be used as a global configuration object to store credentials, tokens, and other API-related details for the application.

func (*Config) AddAzHeader

func (m *Config) AddAzHeader(key, value string) *Config

Adds an Azure Resource Management API header.

func (*Config) AddMgHeader

func (m *Config) AddMgHeader(key, value string) *Config

Adds a Microsoft Graph API header.

func (*Config) SetInteractiveMode

func (m *Config) SetInteractiveMode(interactive bool) *Config

Sets the interactive mode flag.

func (*Config) SetTenantCredentials

func (m *Config) SetTenantCredentials(tenantID, clientID, clientSecret string) *Config

Sets the credentials for the tenant.

func (*Config) SetUsername

func (m *Config) SetUsername(username string) *Config

Sets the username.

func (*Config) Validate

func (m *Config) Validate() error

Checks whether required fields are set and returns an error if not.

type DirGroup

type DirGroup struct {
	Id                 string `json:"id"`
	DisplayName        string `json:"displayName"`
	Description        string `json:"description"`
	IsAssignableToRole bool   `json:"isAssignableToRole"`
}

Directory group type definition.

func DirGroupFromJson

func DirGroupFromJson(x map[string]interface{}) *DirGroup

Creates a DirGroup object from a JSON-like map of attributes.

func FetchExistingDirGroup

func FetchExistingDirGroup(id string, z *Config) (x *DirGroup)

Fetches existing directory group, as preprocessing to rename, delete, or update.

func GetGroupFromCache

func GetGroupFromCache(id string, z *Config) (DirGroup, error)

Retrieves a single group by UUID from the local cache.

func MergeDirGroups

func MergeDirGroups(a, b *DirGroup) *DirGroup

Overwrites or adds the keys from a to b. A simple merge of first-level attributes. Existing b attributes are overwritten.

func (*DirGroup) HasString

func (g *DirGroup) HasString(filter string) bool

Checks if any string field in DirGroup contains the given filter as a case-insensitive substring.

type DirGroupList

type DirGroupList []*DirGroup

Directory group list type definition.

func GetAzureDirGroups

func GetAzureDirGroups(z *Config, verbose bool) DirGroupList

Gets all groups from Azure and syncs them to the local cache. Shows progress if verbose is true.

func GetDirGroupByName

func GetDirGroupByName(displayName string, z *Config) (matchingGroups DirGroupList)

Gets Azure directory group by given displayName. Note that this can potentially return multiple objects, ergo the use of an array for matchingGroups.

func GetMatchingGroups

func GetMatchingGroups(filter string, force bool, z *Config) DirGroupList

Gets all groups matching on 'filter'. Returns the entire list if filter is the empty string "".

func LoadDirGroupsFromCache

func LoadDirGroupsFromCache(filePath string) (DirGroupList, error)

Reads a list of DirGroup objects from a binary cache file.

func NewDirGroupList

func NewDirGroupList() DirGroupList

Initializes a new DirGroupList.

func NormalizeDirGroupCache

func NormalizeDirGroupCache(currentCache DirGroupList, deltaSet []interface{}) DirGroupList

Normalizes currentCache with the changes in deltaSet and returns it as newCache.

func (*DirGroupList) Add

func (l *DirGroupList) Add(g *DirGroup)

Add Group object to DirGroupList.

func (*DirGroupList) Delete

func (list *DirGroupList) Delete(target interface{}) bool

Deletes a DirGroup from the DirGroupList by matching *DirGroup, Id, or DisplayName.

func (*DirGroupList) Exists

func (list *DirGroupList) Exists(target interface{}) bool

Check if a DirGroup exists in the DirGroupList by matching *DirGroup, Id, or DisplayName.

func (*DirGroupList) Find

func (list *DirGroupList) Find(target interface{}) *DirGroup

Finds a DirGroup in the DirGroupList by matching *DirGroup, Id, or DisplayName.

type Options

type Options struct {
	// contains filtered or unexported fields
}

Options map type to facilitate calling functions with many variables.

func NewOptions

func NewOptions() *Options

Constructor to initialize an options map.

func (*Options) Count

func (a *Options) Count() int

Returns the number of entries in the set of options.

func (*Options) Get

func (a *Options) Get(key string) (interface{}, bool)

Gets a value of any type from the options map.

func (*Options) GetBool

func (a *Options) GetBool(key string) (bool, bool)

Gets boolean value in an options map.

func (*Options) GetInt

func (a *Options) GetInt(key string) (int, bool)

Gets integer value in an options map.

func (*Options) GetString

func (a *Options) GetString(key string) (string, bool)

Gets string value in an options map.

func (*Options) Set

func (a *Options) Set(key string, value interface{}) *Options

Sets values in an options map.

func (*Options) Validate

func (a *Options) Validate(requiredKeys []string) error

Validates that all of the given required keys are set, returning an error if any is missing.

type TokenCache

type TokenCache struct {
	// contains filtered or unexported fields
}

func (*TokenCache) Export

func (t *TokenCache) Export(ctx context.Context, cache cache.Marshaler, hints cache.ExportHints) error

func (*TokenCache) Print

func (t *TokenCache) Print() string

func (*TokenCache) Replace

func (t *TokenCache) Replace(ctx context.Context, cache cache.Unmarshaler, hints cache.ReplaceHints) error
