cloud_terrastodon_azure 0.35.1

Helpers for interacting with Azure for the Cloud Terrastodon project
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

use crate::fetch_all_unified_role_assignments;
use crate::fetch_all_unified_role_definitions;
use cloud_terrastodon_azure_types::AzureTenantId;
use cloud_terrastodon_azure_types::UnifiedRoleDefinitionsAndAssignments;
use cloud_terrastodon_command::CacheInvalidatable;
use cloud_terrastodon_command::CacheableCommand;
use cloud_terrastodon_command::async_trait;
use std::pin::Pin;
use tokio::try_join;

/// Fetches Entra role assignments and role definitions.
///
/// Not to be confused with Azure RBAC role assignments and role definitions.
#[must_use = "This is a future request, you must .await it"]
pub struct UnifiedRoleDefinitionsAndAssignmentsListRequest {
    pub tenant_id: AzureTenantId,
}

pub fn fetch_all_unified_role_definitions_and_assignments(
    tenant_id: AzureTenantId,
) -> UnifiedRoleDefinitionsAndAssignmentsListRequest {
    UnifiedRoleDefinitionsAndAssignmentsListRequest { tenant_id }
}

#[async_trait]
impl CacheInvalidatable for UnifiedRoleDefinitionsAndAssignmentsListRequest {
    async fn invalidate(&self) -> eyre::Result<()> {
        let definitions = fetch_all_unified_role_definitions(self.tenant_id).cache_key();
        let assignments = fetch_all_unified_role_assignments(self.tenant_id).cache_key();
        try_join!(definitions.invalidate(), assignments.invalidate())?;
        Ok(())
    }
}

impl IntoFuture for UnifiedRoleDefinitionsAndAssignmentsListRequest {
    type Output = eyre::Result<UnifiedRoleDefinitionsAndAssignments>;
    type IntoFuture = Pin<Box<dyn std::future::Future<Output = Self::Output> + Send>>;

    fn into_future(self) -> Self::IntoFuture {
        Box::pin(async move {
            let (role_definitions, role_assignments) = try_join!(
                fetch_all_unified_role_definitions(self.tenant_id),
                fetch_all_unified_role_assignments(self.tenant_id)
            )?;

            UnifiedRoleDefinitionsAndAssignments::try_new(role_definitions, role_assignments)
        })
    }
}

#[cfg(test)]
mod test {
    use crate::fetch_all_principals;
    use crate::fetch_all_unified_role_definitions_and_assignments;
    use crate::get_test_tenant_id;
    use cloud_terrastodon_azure_types::RolePermissionAction;
    use cloud_terrastodon_azure_types::UnifiedRoleDefinitionsAndAssignmentsIterTools;

    #[tokio::test]
    pub async fn it_works() -> eyre::Result<()> {
        let tenant_id = get_test_tenant_id().await?;
        let rbac = fetch_all_unified_role_definitions_and_assignments(tenant_id).await?;
        let principals = fetch_all_principals(tenant_id).await?;
        let permissions = &[RolePermissionAction::new(
            "microsoft.directory/users/standard/read",
        )];
        let mut matching_assignments = 0usize;
        let mut resolved_principals = 0usize;
        for (assignment, definition) in rbac.iter_role_assignments().filter_satisfying(permissions)
        {
            matching_assignments += 1;
            if let Some(principal) = principals.get(&assignment.principal_id) {
                assert!(!principal.display_name().is_empty());
                assert!(!definition.display_name.is_empty());
                resolved_principals += 1;
            }
        }
        assert!(resolved_principals <= matching_assignments);
        Ok(())
    }
}