README
¶
maz
This is a Go library package module for managing Microsoft Azure resource and security objects. Please review https://que.tips/azure/ to better understand what is meant here by resource and security objects. Essentially this is a library that provides basic MSAL authentication and token creation to allow principals to call the two primary Azure APIs, the Azure Resource Managment (ARM) API and the MS Graph API. Other APIs could be added in the future.
Getting Started
- Any program wanting to use this library module can simply import it, then instantiate a variable
of type
maz.Bundleto manage the interaction. For example:
import (
"github.com/queone/maz"
)
z := maz.Bundle{
ConfDir: "", // Set up later, see example below
CredsFile: "credentials.yaml",
TokenFile: "accessTokens.json",
TenantId: "",
ClientId: "",
ClientSecret: "",
Interactive: false,
Username: "",
AuthorityUrl: "", // Set up later with maz.ConstAuthUrl + z.TenantId (see const block in maz.go)
MgToken: "", // Set up below 4 later with function maz.SetupApiTokens()
MgHeaders: map[string]string{},
AzToken: "",
AzHeaders: map[string]string{},
}
// Then update the variables within the Bundle, to set up configuration directory
z.ConfDir = filepath.Join(os.Getenv("HOME"), "." + prgname)
if utl.FileNotExist(z.ConfDir) {
if err := os.Mkdir(z.ConfDir, 0700); err != nil {
panic(err.Error())
}
}
- Then call
maz.SetupInterativeLogin(z)ormaz.SetupAutomatedLogin(z)to setup the credentials file accordingly. - Then call
z := maz.SetupApiTokens(*z)to acquire the respective API tokens, web headers, and other variables. - Now call whatever MS Graph and Azure Resource API functions you want by passing and using the
zvariables, with itsz.mgHeadersand/orz.azHeadersattributes, and so on.
Login Credentials
There are four (4) different ways to set up the login credentials to use this library module. All four ways required three (3) special attributes:
| # | Type | Method | Details |
|---|---|---|---|
| 1 | Interactive | Config file | Set up attributes via ~/.maz/credentials.yaml file |
| 2 | Interactive | Environment variables | Set up attributes via environment variables (OVERIDES config file) |
| 3 | Automated | Config file | Set up attributes via ~/.maz/credentials.yaml file |
| 4 | Automated | Environment variables | Set up attributes via environment variables (OVERIDES config file) |
- Interactive via config file: The calling utility sets up a way to allow setting up the
~/.maz/credentials.yamlfile with the 3 special attributes. For example, the azm CLI utility does this via the-idswitch, to Set up MSAL interactive browser popup login:
Above will populate theazm -id 3f050090-20b0-40a0-a060-c05060104010 user1@domain.io~/.maz/credentials.yamlfile as follows:
From then on thetenant_id: 3f050090-20b0-40a0-a060-c05060104010 username: user1@domain.io interactive: trueazmutility will use above credentials to interact with themazlibrary to perform all its functions. - Interactive via environment variables: The calling utility will instead use the
os.Getenv("VAR")function to look for the following 3 special environment variables:
Above values take precedence and OVERIDE any existing configMAZ_TENANT_ID=3f050090-20b0-40a0-a060-c05060104010 MAZ_USERNAME=user1@domain.io MAZ_INTERACTIVE=true~/.maz/credentials.yamlfile values. - Automated via config file: The calling utility sets up a way to allow setting up the
~/.maz/credentials.yamlfile with the 3 special attributes. For example, the azm CLI utility does this via the-idswitch, to Set up MSAL automated ClientId + Secret login:
Above will populate theazm -id 3f050090-20b0-40a0-a060-c05060104010 f1110121-7111-4171-a181-e1614131e181 ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_i~/.maz/credentials.yamlfile as follows:
From then on thetenant_id: 3f050090-20b0-40a0-a060-c05060104010 client_id: f1110121-7111-4171-a181-e1614131e181 client_secret: ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_iazmutility will use above credentials to interact with themazlibrary to perform all its functions. - Automated via environment variables: The calling utility will instead use the
os.Getenv("VAR")function to look for the following 3 special environment variables
Above values take precedence and OVERIDE any existing configMAZ_TENANT_ID=3f050090-20b0-40a0-a060-c05060104010 MAZ_CLIENT_ID=f1110121-7111-4171-a181-e1614131e181 MAZ_CLIENT_SECRET=ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_i~/.maz/credentials.yamlfile values.
The benefit of using environment variables is to be able to override an existing credentials.yaml file, and to specify different credentials, as well as being able to use different credentials from different shell sessions on the same host. They also allow utilities written with this library to be used in continuous delivery and other types of automation.
NOTE: If all four MAZ_USERNAME, MAZ_INTERACTIVE, MAZ_CLIENT_ID, and MAZ_CLIENT_SECRET are properly define, then precedence is given to the Username Interactive login. To force a ClientID ClientSecret login via environment variables, you must ensure the first two are unset in the current shell.
Functions
TODO: List of all available functions?
- maz.SetupInterativeLogin: This functions allows you to set up the
~/.maz/credentials.yamlfile for interactive Azure login. - ...
Documentation
¶
Overview ¶
Package maz is a library of functions for interacting with essential Azure APIs via REST calls. Currently it supports two APIs, the Azure Resource Management (ARM) API and the MS Graph API, but can be extended to support additional APIs. This package obviously also includes code to get an Azure JWT token using the MSAL library, to then use against either the 2 currently supported Azure APIs.
Index ¶
- Constants
- func AdRolesCountAzure(z Bundle) int64
- func AdRolesCountLocal(z Bundle) int64
- func AddAppSecret(uuid, displayName, expiry string, z Bundle)
- func AddSpSecret(uuid, displayName, expiry string, z Bundle)
- func ApiCall(method, url string, z Bundle, payload jsonT, params strMapT, verbose bool) (result jsonT, rsc int, err error)
- func ApiDelete(url string, z Bundle, params strMapT) (result jsonT, rsc int, err error)
- func ApiDeleteDebug(url string, z Bundle, params strMapT) (result jsonT, rsc int, err error)
- func ApiErrorCheck(method, url, caller string, r jsonT)
- func ApiGet(url string, z Bundle, params strMapT) (result jsonT, rsc int, err error)
- func ApiGetDebug(url string, z Bundle, params strMapT) (result jsonT, rsc int, err error)
- func ApiPost(url string, z Bundle, payload jsonT, params strMapT) (result jsonT, rsc int, err error)
- func ApiPostDebug(url string, z Bundle, payload jsonT, params strMapT) (result jsonT, rsc int, err error)
- func ApiPut(url string, z Bundle, payload jsonT, params strMapT) (result jsonT, rsc int, err error)
- func ApiPutDebug(url string, z Bundle, payload jsonT, params strMapT) (result jsonT, rsc int, err error)
- func AppsCountAzure(z Bundle) int64
- func AppsCountLocal(z Bundle) int64
- func CompareSpecfileToAzure(filePath string, z Bundle)
- func CreateAzRoleAssignment(x map[string]interface{}, z Bundle)
- func CreateSkeletonFile(t string)
- func DecodeJwtToken(tokenString string)
- func DeleteAzObject(force bool, specifier string, z Bundle)
- func DeleteAzRoleAssignmentByFqid(fqid string, z Bundle) map[string]interface{}
- func DeleteAzRoleDefinitionByFqid(fqid string, z Bundle) map[string]interface{}
- func DiffLists(list1, list2 []interface{}) (added, removed []interface{}, same bool)
- func DiffRoleDefinitionSpecfileVsAzure(a, b map[string]interface{}, z Bundle)
- func DumpLoginValues(z Bundle)
- func FindAzObjectsByUuid(uuid string, z Bundle) (list []interface{})
- func GetAzAdRoleByUuid(uuid string, z Bundle) map[string]interface{}
- func GetAzAdRoles(z Bundle, verbose bool) (list []interface{})
- func GetAzAllPages(url string, z Bundle) (list []interface{})
- func GetAzAppByUuid(uuid string, z Bundle) map[string]interface{}
- func GetAzApps(z Bundle, verbose bool) (list []interface{})
- func GetAzGroupByUuid(uuid string, z Bundle) map[string]interface{}
- func GetAzGroups(z Bundle, verbose bool) (list []interface{})
- func GetAzMgGroups(z Bundle) (list []interface{})
- func GetAzObjectByUuid(t, uuid string, z Bundle) (x map[string]interface{})
- func GetAzObjects(url string, z Bundle, verbose bool) (deltaSet []interface{}, deltaLinkMap map[string]interface{})
- func GetAzRbacScopes(z Bundle) (scopes []string)
- func GetAzRoleAssignmentByObject(x map[string]interface{}, z Bundle) (y map[string]interface{})
- func GetAzRoleAssignmentByUuid(uuid string, z Bundle) map[string]interface{}
- func GetAzRoleAssignments(z Bundle, verbose bool) (list []interface{})
- func GetAzRoleDefinitionByName(roleName string, z Bundle) (y map[string]interface{})
- func GetAzRoleDefinitionByObject(x map[string]interface{}, z Bundle) (y map[string]interface{})
- func GetAzRoleDefinitionByUuid(uuid string, z Bundle) map[string]interface{}
- func GetAzRoleDefinitions(z Bundle, verbose bool) (list []interface{})
- func GetAzSpByUuid(uuid string, z Bundle) map[string]interface{}
- func GetAzSps(z Bundle, verbose bool) (list []interface{})
- func GetAzSubscriptionByUuid(uuid string, z Bundle) map[string]interface{}
- func GetAzSubscriptions(z Bundle) (list []interface{})
- func GetAzSubscriptionsIds(z Bundle) (scopes []string)
- func GetAzUserByUuid(uuid string, z Bundle) map[string]interface{}
- func GetAzUsers(z Bundle, verbose bool) (list []interface{})
- func GetCachedObjects(cacheFile string) (cachedList []interface{})
- func GetIdMapApps(z Bundle) (nameMap map[string]string)
- func GetIdMapGroups(z Bundle) (nameMap map[string]string)
- func GetIdMapMgGroups(z Bundle) (nameMap map[string]string)
- func GetIdMapRoleDefs(z Bundle) (nameMap map[string]string)
- func GetIdMapSps(z Bundle) (nameMap map[string]string)
- func GetIdMapSubs(z Bundle) (nameMap map[string]string)
- func GetIdMapUsers(z Bundle) (nameMap map[string]string)
- func GetMatchingAdRoles(filter string, force bool, z Bundle) (list []interface{})
- func GetMatchingApps(filter string, force bool, z Bundle) (list []interface{})
- func GetMatchingGroups(filter string, force bool, z Bundle) (list []interface{})
- func GetMatchingMgGroups(filter string, force bool, z Bundle) (list []interface{})
- func GetMatchingRoleAssignments(filter string, force bool, z Bundle) (list []interface{})
- func GetMatchingRoleDefinitions(filter string, force bool, z Bundle) (list []interface{})
- func GetMatchingSps(filter string, force bool, z Bundle) (list []interface{})
- func GetMatchingSubscriptions(filter string, force bool, z Bundle) (list []interface{})
- func GetMatchingUsers(filter string, force bool, z Bundle) (list []interface{})
- func GetObjectFromFile(filePath string) (formatType, t string, obj map[string]interface{})
- func GetObjects(t, filter string, force bool, z Bundle) (list []interface{})
- func GetTokenByCredentials(scopes []string, ...) (token string, err error)
- func GetTokenInteractively(scopes []string, confDir, tokenFile, authorityUrl, username string) (token string, err error)
- func GroupsCountAzure(z Bundle) int64
- func GroupsCountLocal(z Bundle) int64
- func MgGroupCountAzure(z Bundle) int64
- func MgGroupCountLocal(z Bundle) int64
- func MgType(typeIn string) string
- func NormalizeCache(baseSet, deltaSet []interface{}) (list []interface{})
- func PrintAdRole(x map[string]interface{}, z Bundle)
- func PrintApiErrMsg(msg string)
- func PrintApp(x map[string]interface{}, z Bundle)
- func PrintAppRoleAssignmentsOthers(appRoleAssignments []interface{}, z Bundle)
- func PrintAppRoleAssignmentsSp(roleNameMap map[string]string, appRoleAssignments []interface{})
- func PrintCertificateList(certificates []interface{})
- func PrintCountStatus(z Bundle)
- func PrintGroup(x map[string]interface{}, z Bundle)
- func PrintHeaders(headers http.Header)
- func PrintMatching(printFormat, t, specifier string, z Bundle)
- func PrintMemberOfs(t string, memberOf []interface{})
- func PrintMgChildren(indent int, children []interface{})
- func PrintMgGroup(x map[string]interface{})
- func PrintMgTree(z Bundle)
- func PrintObject(t string, x map[string]interface{}, z Bundle)
- func PrintObjectByUuid(uuid string, z Bundle)
- func PrintOwners(owners []interface{})
- func PrintPags(z Bundle)
- func PrintParams(params url.Values)
- func PrintRoleAssignment(x map[string]interface{}, z Bundle)
- func PrintRoleAssignmentReport(z Bundle)
- func PrintRoleDefinition(x map[string]interface{}, z Bundle)
- func PrintSecretList(secretsList []interface{})
- func PrintSp(x map[string]interface{}, z Bundle)
- func PrintStringMapColor(strMap map[string]string)
- func PrintSubscription(x map[string]interface{})
- func PrintTersely(t string, object interface{})
- func PrintUser(x map[string]interface{}, z Bundle)
- func RemoveAppSecret(uuid, keyId string, z Bundle)
- func RemoveCacheFile(t string, z Bundle)
- func RemoveSpSecret(uuid, keyId string, z Bundle)
- func RoleAssignmentsCountAzure(z Bundle) int64
- func RoleAssignmentsCountLocal(z Bundle) int64
- func RoleDefinitionCountAzure(z Bundle) (builtin, custom int64)
- func RoleDefinitionCountLocal(z Bundle) (builtin, custom int64)
- func SelectObject(id string, objSet []interface{}) (x map[string]interface{})
- func SetupAutomatedLogin(z Bundle)
- func SetupInterativeLogin(z Bundle)
- func SpsCountAzure(z Bundle) (native, microsoft int64)
- func SpsCountLocal(z Bundle) (native, microsoft int64)
- func SubsCountAzure(z Bundle) int64
- func SubsCountLocal(z Bundle) int64
- func TokenValid(tokenString string) bool
- func UpsertAzObject(force bool, filePath string, z Bundle)
- func UpsertAzRoleDefinition(force bool, x map[string]interface{}, z Bundle)
- func UsersCountAzure(z Bundle) int64
- func UsersCountLocal(z Bundle) int64
- type Bundle
- type TokenCache
Constants ¶
const ( ConstAuthUrl = "https://login.microsoftonline.com/" ConstMgUrl = "https://graph.microsoft.com" ConstAzUrl = "https://management.azure.com" ConstAzPowerShellClientId = "1950a258-227b-4e31-a9cf-717495945fc2" // 'Microsoft Azure PowerShell' ClientId // See https://stackoverflow.com/questions/1508490/erase-the-current-printed-console-line ConstCacheFileExtension = "gz" ConstMgCacheFileAgePeriod = 1800 // Half hour ConstAzCacheFileAgePeriod = 86400 // One day )
Variables ¶
This section is empty.
Functions ¶
func AdRolesCountAzure ¶ added in v0.8.0
Returns count of Azure AD directory role entries in current tenant
func AdRolesCountLocal ¶ added in v0.8.0
Returns count of Azure AD directory role entries in local cache file
func AddAppSecret ¶ added in v0.10.0
Creates/adds a secret to the given application
func AddSpSecret ¶ added in v0.10.0
Creates/adds a secret to the given SP
func ApiCall ¶ added in v0.8.0
func ApiCall(method, url string, z Bundle, payload jsonT, params strMapT, verbose bool) (result jsonT, rsc int, err error)
Makes API calls and returns JSON object, Response StatusCode, and error. For a more clear explanation of how to interpret the JSON responses see https://eager.io/blog/go-and-json/ This function is the cornerstone of the maz package, extensively handling all API interactions.
func ApiDeleteDebug ¶ added in v0.8.8
ApiCall alias to do a DELETE with debugging on
func ApiErrorCheck ¶ added in v0.8.0
func ApiErrorCheck(method, url, caller string, r jsonT)
Prints useful error information if they occur
func ApiGetDebug ¶ added in v0.8.0
ApiCall alias to do a GET with debugging on
func ApiPost ¶ added in v0.10.0
func ApiPost(url string, z Bundle, payload jsonT, params strMapT) (result jsonT, rsc int, err error)
ApiCall alias to do a POST
func ApiPostDebug ¶ added in v0.10.0
func ApiPostDebug(url string, z Bundle, payload jsonT, params strMapT) (result jsonT, rsc int, err error)
ApiCall alias to do a POST with debugging on
func ApiPutDebug ¶ added in v0.8.8
func ApiPutDebug(url string, z Bundle, payload jsonT, params strMapT) (result jsonT, rsc int, err error)
ApiCall alias to do a PUT with debugging on
func AppsCountAzure ¶ added in v0.8.0
Retrieves count of all applications in Azure tenant
func AppsCountLocal ¶ added in v0.8.0
Retrieves count of all applications in local cache file
func CompareSpecfileToAzure ¶ added in v0.8.0
Compares specification file to what is in Azure
func CreateAzRoleAssignment ¶ added in v0.8.8
Creates an RBAC role assignment as defined by give x object
func CreateSkeletonFile ¶ added in v0.8.7
func CreateSkeletonFile(t string)
Creates specfile skeleton/scaffold files
func DecodeJwtToken ¶ added in v0.9.9
func DecodeJwtToken(tokenString string)
Decode and dump token string, trusting without formaly verification and validation
func DeleteAzObject ¶ added in v0.8.8
Deletes object based on string specifier (currently only supports roleDefinitions or Assignments) String specifier can be either of 3: UUID, specfile, or displaName (only for roleDefinition) 1) Search Azure by given identifier; 2) Grab object's Fully Qualified Id string; 3) Print and prompt for confirmation; 4) Delete or abort
func DeleteAzRoleAssignmentByFqid ¶ added in v0.8.8
Deletes an RBAC role assignment by its fully qualified object Id Example of a fully qualified Id string (note it's one long line):
/providers/Microsoft.Management/managementGroups/33550b0b-2929-4b4b-adad-cccc66664444 \ /providers/Microsoft.Authorization/roleAssignments/5d586a7b-3f4b-4b5c-844a-3fa8efe49ab3
func DeleteAzRoleDefinitionByFqid ¶ added in v0.8.8
Deletes an RBAC role definition object by its fully qualified object Id Example of a fully qualified Id string:
"/providers/Microsoft.Authorization/roleDefinitions/50a6ff7c-3ac5-4acc-b4f4-9a43aee0c80f"
func DiffLists ¶ added in v1.8.1
func DiffLists(list1, list2 []interface{}) (added, removed []interface{}, same bool)
Compares two list of strings and returns added and removed items, and whether or not the lists are the same. Note they come in as []interface{} but we know they are strings. This is a special function for handling Azure RBAC role definition action differences.
func DiffRoleDefinitionSpecfileVsAzure ¶ added in v1.8.1
Prints differences between role definition in Specfile (a) vs what is in Azure (b). The calling function must ensure that both a & b are valid role definition objects from a specfile and from Azure. A generic DiffJsonObject() function would probably be better for this.
func DumpLoginValues ¶ added in v0.12.0
func DumpLoginValues(z Bundle)
Dumps configured login values
func FindAzObjectsByUuid ¶ added in v0.8.8
Returns list of Azure objects with this UUID. We are saying a list because 1) the UUID could be an appId shared by an app and an SP, or 2) there could be UUID collisions with multiple objects potentially sharing the same UUID. Only checks for the maz package limited set of Azure object types.
func GetAzAdRoleByUuid ¶ added in v0.8.8
Gets Azure AD role definition by Object UUID, with all attributes
func GetAzAdRoles ¶ added in v0.8.0
Gets all directory role definitions from Azure and sync to local cache. Shows progress if verbose = true
func GetAzAllPages ¶ added in v1.4.0
Returns all Azure pages for given API URL call
func GetAzAppByUuid ¶ added in v0.8.8
Gets application by its Object UUID or by its appId, with all attributes
func GetAzApps ¶ added in v0.8.0
Gets all applications from Azure and sync to local cache. Shows progress if verbose = true
func GetAzGroupByUuid ¶ added in v0.8.8
Gets Azure AD group by Object UUID, with all attributes
func GetAzGroups ¶ added in v0.8.0
Gets all groups from Azure and sync to local cache. Shows progress if verbose = true
func GetAzMgGroups ¶ added in v0.8.0
func GetAzMgGroups(z Bundle) (list []interface{})
Gets all management groups in current Azure tenant, and saves them to local cache file
func GetAzObjectByUuid ¶ added in v0.8.8
Retrieves Azure object by Object UUID
func GetAzObjects ¶ added in v0.8.0
func GetAzObjects(url string, z Bundle, verbose bool) (deltaSet []interface{}, deltaLinkMap map[string]interface{})
Generic Azure object deltaSet retriever function. Returns the set of changed or new items, and a deltaLink for running the next future Azure query. Implements the pattern described at https://docs.microsoft.com/en-us/graph/delta-query-overview
func GetAzRbacScopes ¶ added in v0.8.0
Gets all scopes in the Azure tenant RBAC hierarchy: Tenant Root Group and all management groups, plus all subscription scopes
func GetAzRoleAssignmentByObject ¶ added in v0.8.8
Gets Azure resource RBAC role assignment object by matching given objects: roleId, principalId, and scope (the 3 parameters which make a role assignment unique)
func GetAzRoleAssignmentByUuid ¶ added in v0.8.8
Gets RBAC role assignment by its Object UUID. Unfortunately we have to iterate through the entire tenant scope hierarchy, which can take time.
func GetAzRoleAssignments ¶ added in v0.8.0
Gets all role assignments objects in current Azure tenant and save them to local cache file. Option to be verbose (true) or quiet (false), since it can take a while. References:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-rest https://learn.microsoft.com/en-us/rest/api/authorization/role-assignments/list-for-subscription
func GetAzRoleDefinitionByName ¶ added in v0.8.8
Gets role definition by displayName See https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list
func GetAzRoleDefinitionByObject ¶ added in v0.8.8
Gets role definition object if it exists exactly as x object (as per essential attributes). Matches on: displayName and assignableScopes
func GetAzRoleDefinitionByUuid ¶ added in v0.8.8
Gets role definition by Object Id. Unfortunately we have to iterate through the entire tenant scope hierarchy, which can take time.
func GetAzRoleDefinitions ¶ added in v0.8.0
Gets all role definitions in current Azure tenant and save them to local cache file Option to be verbose (true) or quiet (false), since it can take a while. References:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list
func GetAzSpByUuid ¶ added in v0.8.8
Gets service principal by its Object UUID or by its appId, with all attributes
func GetAzSps ¶ added in v0.8.0
Gets all service principals from Azure and sync to local cache. Shows progress if verbose = true
func GetAzSubscriptionByUuid ¶ added in v0.8.8
Gets specific Azure subscription by Object UUID
func GetAzSubscriptions ¶ added in v0.8.0
func GetAzSubscriptions(z Bundle) (list []interface{})
Gets all subscription in current Azure tenant, and saves them to local cache file
func GetAzSubscriptionsIds ¶ added in v0.8.0
Gets all subscription full IDs, i.e. "/subscriptions/UUID", which are commonly used as scopes for Azure resource RBAC role definitions and assignments
func GetAzUserByUuid ¶ added in v0.8.8
Gets Azure user object by Object UUID, with all attributes
func GetAzUsers ¶ added in v0.8.0
Gets all users from Azure and sync to local cache. Show progress if verbose = true
func GetCachedObjects ¶ added in v1.0.0
func GetCachedObjects(cacheFile string) (cachedList []interface{})
Retrieves locally cached list of objects in given cache file
func GetIdMapApps ¶ added in v0.8.0
Returns an id:name map of all applications
func GetIdMapGroups ¶ added in v0.8.0
Returns id:name map of all groups
func GetIdMapMgGroups ¶ added in v0.8.8
Returns id:name map of management groups
func GetIdMapRoleDefs ¶ added in v0.8.0
Returns id:name map of all RBAC role definitions
func GetIdMapSps ¶ added in v0.8.0
Returns an id:name map of all service principals
func GetIdMapSubs ¶ added in v0.8.0
Returns id:name map of all subscriptions
func GetIdMapUsers ¶ added in v0.8.0
Returns an id:name map of all users
func GetMatchingAdRoles ¶ added in v1.3.1
Gets all AD roles matching on 'filter'. Returns entire list if filter is empty ""
func GetMatchingApps ¶ added in v1.3.1
Gets all applications matching on 'filter'. Return entire list if filter is empty ""
func GetMatchingGroups ¶ added in v1.3.1
Gets all groups matching on 'filter'. Returns entire list if filter is empty ""
func GetMatchingMgGroups ¶ added in v1.3.1
Gets all Azure management groups matching on 'filter'. Returns entire list if filter is empty ""
func GetMatchingRoleAssignments ¶ added in v1.3.1
Gets all RBAC role assignments matching on 'filter'. Return entire list if filter is empty ""
func GetMatchingRoleDefinitions ¶ added in v1.3.1
Gets all role definitions matching on 'filter'. Returns entire list if filter is empty ""
func GetMatchingSps ¶ added in v1.3.1
Gets all service principals matching on 'filter'. Return entire list if filter is empty ""
func GetMatchingSubscriptions ¶ added in v1.3.1
Gets all Azure subscriptions matching on 'filter'. Returns entire list if filter is empty ""
func GetMatchingUsers ¶ added in v1.3.1
Gets all users matching on 'filter'. Returns entire list if filter is empty ""
func GetObjectFromFile ¶ added in v0.8.0
Returns 3 values: File format type, single-letter object type, and the object itself
func GetObjects ¶ added in v0.8.0
Generic function to get objects of type t whose attributes match on filter. If filter is the "" empty string return ALL of the objects of this type.
func GetTokenByCredentials ¶
func GetTokenByCredentials(scopes []string, confDir, tokenFile, authorityUrl, clientId, clientSecret string) (token string, err error)
Initiates an Azure JWT token acquisition with provided parameters, using a Client ID plus a Client Secret. This is the 'Confidential' app auth flow and is documented at: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/dev/apps/confidential/confidential.go
func GetTokenInteractively ¶
func GetTokenInteractively(scopes []string, confDir, tokenFile, authorityUrl, username string) (token string, err error)
Initiates an Azure JWT token acquisition with provided parameters, using a Username and a browser pop up window. This is the 'Public' app auth flow and is documented at: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/dev/apps/public/public.go
func GroupsCountAzure ¶ added in v0.8.0
Returns number of group object entries in Azure tenant
func GroupsCountLocal ¶ added in v0.8.0
Returns number of group object entries in local cache file
func MgGroupCountAzure ¶ added in v0.8.0
Returns count of management groups in Azure
func MgGroupCountLocal ¶ added in v0.8.0
Returns count of management group objects in local cache file
func NormalizeCache ¶ added in v0.8.0
func NormalizeCache(baseSet, deltaSet []interface{}) (list []interface{})
Builds JSON mergeSet from deltaSet, and builds and returns the list of deleted IDs
func PrintAdRole ¶ added in v0.8.0
Prints Azure AD role definition object in YAML-like format
func PrintApiErrMsg ¶ added in v0.12.0
func PrintApiErrMsg(msg string)
Prints API error messages in 2 parts separated by a newline: A header, then a JSON byte slice
func PrintAppRoleAssignmentsOthers ¶ added in v1.4.0
func PrintAppRoleAssignmentsOthers(appRoleAssignments []interface{}, z Bundle)
Prints appRoleAssignments for other types of objects (Users and Groups)
func PrintAppRoleAssignmentsSp ¶ added in v1.4.0
Prints appRoleAssignments for given service principal (SP)
func PrintCertificateList ¶ added in v0.9.10
func PrintCertificateList(certificates []interface{})
Prints certificate list stanza for Apps and Sps
func PrintCountStatus ¶ added in v0.8.0
func PrintCountStatus(z Bundle)
Prints a status count of all AZ and MG objects that are in Azure, and the local files.
func PrintGroup ¶ added in v0.8.0
Print group object in YAML-like format
func PrintHeaders ¶ added in v0.9.2
Prints HTTP headers specific to API calls. Simplifies ApiCall function.
func PrintMatching ¶ added in v0.9.13
Prints all objects that match on given specifier
func PrintMemberOfs ¶ added in v0.8.0
func PrintMemberOfs(t string, memberOf []interface{})
Prints all memberOf entries
func PrintMgChildren ¶ added in v0.8.0
func PrintMgChildren(indent int, children []interface{})
Recursively print management groups and all its children MGs and subscriptions
func PrintMgGroup ¶ added in v0.8.0
func PrintMgGroup(x map[string]interface{})
Prints management group object in YAML-like format
func PrintMgTree ¶ added in v0.8.0
func PrintMgTree(z Bundle)
Gets current tenant management group tree, and recursively calls function PrintMgChildren() to print the hierarchy
func PrintObject ¶ added in v0.8.0
Generic print object function
func PrintObjectByUuid ¶ added in v0.8.8
Prints object by given UUID
func PrintOwners ¶ added in v0.9.10
func PrintOwners(owners []interface{})
Print owners stanza for Apps and Sps
func PrintPags ¶ added in v0.8.0
func PrintPags(z Bundle)
Lists all cached Privileged Access Groups (PAGs)
func PrintParams ¶ added in v0.9.2
Prints HTTP parameters specific to API calls. Simplifies ApiCall function.
func PrintRoleAssignment ¶ added in v0.8.0
Prints RBAC role definition object in YAML-like format
func PrintRoleAssignmentReport ¶ added in v0.8.0
func PrintRoleAssignmentReport(z Bundle)
Prints a human-readable report of all RBAC role assignments
func PrintRoleDefinition ¶ added in v0.8.0
Prints role definition object in a YAML-like format
func PrintSecretList ¶ added in v0.9.10
func PrintSecretList(secretsList []interface{})
Prints secret list stanza for App and SP objects
func PrintStringMapColor ¶ added in v0.9.3
Prints string map in YAML-like format, sorted, and in color
func PrintSubscription ¶ added in v0.8.0
func PrintSubscription(x map[string]interface{})
Prints subscription object in YAML-like format
func PrintTersely ¶ added in v0.8.0
func PrintTersely(t string, object interface{})
Prints this single object of type 't' tersely, with minimal attributes.
func RemoveAppSecret ¶ added in v0.10.0
Removes a secret from the given application
func RemoveCacheFile ¶ added in v0.8.0
Removes specified cache file
func RemoveSpSecret ¶ added in v0.10.0
Removes a secret from the given SP
func RoleAssignmentsCountAzure ¶ added in v0.8.0
Calculates count of all role assignment objects in Azure
func RoleAssignmentsCountLocal ¶ added in v0.8.0
Retrieves count of all role assignment objects in local cache file
func RoleDefinitionCountAzure ¶ added in v0.8.0
Counts all role definition in Azure. Returns 2 lists: one of native custom roles, the other of built-in role
func RoleDefinitionCountLocal ¶ added in v0.8.0
Dedicated role definition local cache counter able to discern if role is custom to native tenant or it's an Azure BuilIn role
func SelectObject ¶ added in v0.8.0
Selects JSON object with given ID from slice
func SetupAutomatedLogin ¶
func SetupAutomatedLogin(z Bundle)
Sets up credentials file for client_id + secret login
func SetupInterativeLogin ¶
func SetupInterativeLogin(z Bundle)
Sets up credentials file for interactive login
func SpsCountAzure ¶ added in v0.8.0
Retrieves counts of all SPs in this Azure tenant, 2 values: Native ones to this tenant, and all others
func SpsCountLocal ¶ added in v0.8.0
Retrieves counts of all SPs in local cache, 2 values: Native ones to this tenant, and all others
func SubsCountAzure ¶ added in v0.8.0
Returns count of all subscriptions in current Azure tenant
func SubsCountLocal ¶ added in v0.8.0
Returns count of all subscriptions in local cache file
func TokenValid ¶ added in v1.8.7
Does a very basic validation of the JWT token as defined in https://tools.ietf.org/html/rfc7519
func UpsertAzObject ¶ added in v0.8.8
Creates or updates a role definition or assignment based on given specfile
func UpsertAzRoleDefinition ¶ added in v0.8.8
Creates or updates an RBAC role definition as defined by give x object
func UsersCountAzure ¶ added in v0.8.0
Returns the number of entries in Azure tenant
func UsersCountLocal ¶ added in v0.8.0
Returns the number of entries in local cache file
Types ¶
type Bundle ¶
type Bundle struct {
ConfDir string // Directory where utility will store all its file
CredsFile string
TokenFile string
TenantId string
ClientId string
ClientSecret string
Interactive bool
Username string
AuthorityUrl string
MgToken string // This and below to support MS Graph API
MgHeaders map[string]string
AzToken string // This and below to support Azure Resource Management API
AzHeaders map[string]string
}
func SetupApiTokens ¶
Initializes the necessary global variables, acquires all API tokens, and sets them up for use.
func SetupCredentials ¶
Gets credentials from OS environment variables (which take precedence), or from the credentials file.
type TokenCache ¶
type TokenCache struct {
// contains filtered or unexported fields
}
func (*TokenCache) Export ¶
func (t *TokenCache) Export(ctx context.Context, cache cache.Marshaler, hints cache.ExportHints) error
func (*TokenCache) Print ¶ added in v1.3.0
func (t *TokenCache) Print() string
func (*TokenCache) Replace ¶
func (t *TokenCache) Replace(ctx context.Context, cache cache.Unmarshaler, hints cache.ReplaceHints) error
Source Files