Filter on appId (#48)

Author: geekzter

scripts/azure-devops/azure-pipelines.yml

@@ -92,8 +92,23 @@ jobs:
         inlineScript: |
           az account show -o json | ConvertFrom-Json | Set-Variable account
 
-          Write-Host "`nList Managed Identities in subscription '$($account.name)'"
-          ./list_service_connections.ps1 -TenantId $account.tenantId
+          Write-Host "`nList Service Connection in subscription '$($account.name)'"
+          ./list_service_connections.ps1
+
+        failOnStandardError: true
+        workingDirectory: '$(scriptDirectory)'
+
+    - task: AzureCLI@2
+      displayName: 'list_service_connection_identities.ps1'
+      inputs:
+        azureSubscription: '$(azureConnection)'
+        scriptType: pscore
+        scriptLocation: inlineScript
+        inlineScript: |
+          az account show -o json | ConvertFrom-Json | Set-Variable account
+
+          Write-Host "`nList Service Connection Identities in tenant '$($account.name)'"
+          ./list_service_connection_identities.ps1 -TenantId $account.tenantId
 
         failOnStandardError: true
         workingDirectory: '$(scriptDirectory)'

scripts/azure-devops/list_service_connection_identities.ps1

@@ -0,0 +1,132 @@
+#!/usr/bin/env pwsh
+<#
+.SYNOPSIS 
+    List Azure DevOps Service Connections
+.DESCRIPTION 
+    Use the Microsoft Graph API to find Azure DevOps Service Connections by organization & project, using Azure DevOps Service Connection naming convention
+#>
+#Requires -Version 7
+param ( 
+    [parameter(Mandatory=$false,ParameterSetName="Organization",HelpMessage="Name of the Azure DevOps Organization")]
+    [string]
+    $Organization=(($env:AZDO_ORG_SERVICE_URL ?? $env:SYSTEM_COLLECTIONURI) -split '/' | Select-Object -Index 3),
+
+    [parameter(Mandatory=$false,ParameterSetName="Organization",HelpMessage="Name of the Azure DevOps Project")]
+    [string]
+    $Project,
+
+    [parameter(Mandatory=$false)]
+    [switch]
+    $HasCertificates=$false,
+
+    [parameter(Mandatory=$false)]
+    [switch]
+    $HasNoCertificates=$false,
+
+    [parameter(Mandatory=$false)]
+    [switch]
+    $HasFederation=$false,
+
+    [parameter(Mandatory=$false)]
+    [switch]
+    $HasNoFederation=$false,
+
+    [parameter(Mandatory=$false)]
+    [switch]
+    $HasSecrets=$false,
+
+    [parameter(Mandatory=$false)]
+    [switch]
+    $HasNoSecrets=$false,
+
+    [parameter(Mandatory=$false)]
+    [guid[]]
+    $AppId,
+
+    [parameter(Mandatory=$false,HelpMessage="Azure subscription id")]
+    [ValidateNotNullOrEmpty()]
+    [guid]
+    $SubscriptionId,
+
+    [parameter(Mandatory=$false,HelpMessage="Azure Active Directory tenant id")]
+    [guid]
+    $TenantId=($env:ARM_TENANT_ID ?? $env:AZURE_TENANT_ID ?? [guid]::Empty),
+
+    [parameter(Mandatory=$false)]
+    [ValidateSet('List', 'Table')]
+    [string]
+    $Format='Table'
+) 
+
+Write-Debug $MyInvocation.line
+. (Join-Path $PSScriptRoot .. functions.ps1)
+
+# Login to Azure CLI
+Write-Verbose "Logging into Azure..."
+Login-Az -Tenant ([ref]$TenantId)
+
+$message = "Identities of type 'Application' in Azure DevOps"
+if ($Organization) {
+    $federationPrefix += "sc://${Organization}/"
+    $namePrefix = "${Organization}-"
+    $message += " organization '${Organization}'"
+} elseif (!$HasFederation) {
+    Write-Warning "Organization not specified, listing all Service Connections with federation instead"
+    $HasFederation = $true
+}
+if ($Project) {
+    if (!$Organization) {
+        Write-Warning "Project '${Project}' requires Organization to be specified"
+        exit 1
+    }
+    $federationPrefix += "${Project}/"
+    $namePrefix += "${Project}-"
+    $message += " and project '${Project}'"
+}
+$federationPrefix ??= "sc://"
+
+if ($HasFederation) {
+    $message += " using federation"
+    Write-Host "Searching for ${message}..."
+    Find-ApplicationsByFederation -StartsWith $federationPrefix | Set-Variable msftGraphObjects
+} else {
+    Write-Host "Searching for ${message}..."
+    Find-ApplicationsByName -StartsWith $namePrefix | Set-Variable msftGraphObjects
+}
+
+# Filters
+if ($AppId) {
+    $AppId | Foreach-Object {$_.ToString().ToLower()} | Set-Variable AppId
+}
+Write-Host "${message}:"
+$msftGraphObjects | Where-Object { 
+    # We already check federation on organization/project, so we can ignore it here
+    !$AppId -or ($_.appId.ToLower() -in $AppId)
+# } | Where-Object { 
+#     # We already check federation on organization/project, so we can ignore it here
+#     !$HasFederation -or $_.name -match "${Organization}-[^-]+-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" 
+} | Where-Object { 
+    !$SubscriptionId -or $_.name -match $SubscriptionId
+} | Where-Object { 
+    $_.certCount -ge ($HasCertificates ? 1 : 0)
+} | Where-Object { 
+    !$HasNoCertificates -or $_.certCount -eq 0
+} | Where-Object { 
+    !$HasFederation -or $_.federatedSubjects -match "sc://[^/]+/[^/]+/[^/]+"
+} | Where-Object { 
+    !$HasNoFederation -or [string]::IsNullOrEmpty($_.federatedSubjects)
+} | Where-Object { 
+    $_.secretCount -ge ($HasSecrets ? 1 : 0)
+} | Where-Object { 
+    !$HasNoSecrets -or $_.secretCount -eq 0
+} | Set-Variable msftGraphFilteredObjects
+
+
+switch ($Format) {
+    'List' {
+        $msftGraphFilteredObjects | Format-List
+    }
+    'Table' {
+        $msftGraphFilteredObjects | Format-Table -AutoSize
+    }
+}

scripts/azure-devops/list_service_connections.ps1

@@ -1,106 +1,126 @@
 #!/usr/bin/env pwsh
 <#
 .SYNOPSIS 
-    Find Azure DevOps Service Connections
+    List Azure DevOps Service Connections
 .DESCRIPTION 
-    Use the Microsoft Graph API to find Azure DevOps Service Connections by organization & project, using Azure DevOps Service Connection naming convention
+    Use the Azure CLI to find Azure DevOps Service Connections by organization & project
 #>
-#Requires -Version 7
+#Requires -Version 7.2
+
+[CmdletBinding(DefaultParameterSetName = 'name')]
 param ( 
-    [parameter(Mandatory=$false,ParameterSetName="Organization",HelpMessage="Name of the Azure DevOps Organization")]
-    [string]
-    $Organization=(($env:AZDO_ORG_SERVICE_URL ?? $env:SYSTEM_COLLECTIONURI) -split '/' | Select-Object -Index 3),
+    [parameter(Mandatory=$false,ParameterSetName="app")]
+    [guid[]]
+    $AppId,
 
-    [parameter(Mandatory=$false,ParameterSetName="Organization",HelpMessage="Name of the Azure DevOps Project")]
+    [parameter(Mandatory=$false,ParameterSetName="name",HelpMessage="Name of the Service Connection")]
     [string]
-    $Project,
-
-    [parameter(Mandatory=$false)]
-    [switch]
-    $HasCertificates=$false,
-
-    [parameter(Mandatory=$false)]
-    [switch]
-    $HasNoCertificates=$false,
-
-    [parameter(Mandatory=$false)]
-    [switch]
-    $HasFederation=$false,
-
-    [parameter(Mandatory=$false)]
-    [switch]
-    $HasNoFederation=$false,
+    $ServiceConnectionName,
 
-    [parameter(Mandatory=$false)]
-    [switch]
-    $HasSecrets=$false,
-
-    [parameter(Mandatory=$false)]
-    [switch]
-    $HasNoSecrets=$false,
+    [parameter(Mandatory=$false,HelpMessage="Name of the Azure DevOps Project")]
+    [string]
+    [ValidateNotNullOrEmpty()]
+    $Project=$env:SYSTEM_TEAMPROJECT,
 
-    [parameter(Mandatory=$false,HelpMessage="Azure subscription id")]
+    [parameter(Mandatory=$false,HelpMessage="Url of the Azure DevOps Organization")]
+    [uri]
     [ValidateNotNullOrEmpty()]
-    [guid]
-    $SubscriptionId,
+    $OrganizationUrl=($env:AZDO_ORG_SERVICE_URL ?? $env:SYSTEM_COLLECTIONURI),
 
-    [parameter(Mandatory=$false,HelpMessage="Azure Active Directory tenant id")]
-    [guid]
-    $TenantId=($env:ARM_TENANT_ID ?? $env:AZURE_TENANT_ID ?? [guid]::Empty)
+    [parameter(Mandatory=$false)]
+    [ValidateSet('List', 'Table')]
+    [string]
+    $Format='List'
 ) 
-
-Write-Debug $MyInvocation.line
+Write-Verbose $MyInvocation.line 
 . (Join-Path $PSScriptRoot .. functions.ps1)
+$apiVersion = "7.1"
+if ($AppId) {
+    $AppId | Foreach-Object {$_.ToString().ToLower()} | Set-Variable AppId
+}
 
-# Login to Azure CLI
-Write-Verbose "Logging into Azure..."
-Login-Az -Tenant ([ref]$TenantId)
-
-$message = "Identities of type 'Application' in Azure DevOps"
-if ($Organization) {
-    $federationPrefix += "sc://${Organization}/"
-    $namePrefix = "${Organization}-"
-    $message += " organization '${Organization}'"
-} elseif (!$HasFederation) {
-    Write-Warning "Organization not specified, listing all Service Connections with federation instead"
-    $HasFederation = $true
+#-----------------------------------------------------------
+# Log in to Azure
+if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
+    Write-Error "Azure CLI is not installed. You can get it here: http://aka.ms/azure-cli"
+    exit 1
 }
-if ($Project) {
-    if (!$Organization) {
-        Write-Warning "Project '${Project}' requires Organization to be specified"
-        exit 1
-    }
-    $federationPrefix += "${Project}/"
-    $namePrefix += "${Project}-"
-    $message += " and project '${Project}'"
+az account show -o json 2>$null | ConvertFrom-Json | Set-Variable account
+if (!$account) {
+    az login --allow-no-subscriptions -o json | ConvertFrom-Json | Set-Variable account
+}
+# Log in to Azure & Azure DevOps
+$OrganizationUrl = $OrganizationUrl.ToString().Trim('/')
+az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 `
+                            --query "accessToken" `
+                            --output tsv `
+                            | Set-Variable accessToken
+if (!$accessToken) {
+    Write-Error "$(account.user.name) failed to get access token for Azure DevOps"
+    exit 1
+}
+if (!(az extension list --query "[?name=='azure-devops'].version" -o tsv)) {
+    Write-Host "Adding Azure CLI extension 'azure-devops'..."
+    az extension add -n azure-devops -y -o none
+}
+$accessToken | az devops login --organization $OrganizationUrl
+if ($lastexitcode -ne 0) {
+    Write-Error "$($account.user.name) failed to log in to Azure DevOps organization '${OrganizationUrl}'"
+    exit $lastexitcode
 }
-$federationPrefix ??= "sc://"
 
-if ($HasFederation) {
-    $message += " using federation"
-    Write-Host "Searching for ${message}..."
-    Find-ApplicationsByFederation -StartsWith $federationPrefix | Set-Variable msftGraphObjects
-} else {
-    Write-Host "Searching for ${message}..."
-    Find-ApplicationsByName -StartsWith $namePrefix | Set-Variable msftGraphObjects
+#-----------------------------------------------------------
+# Check parameters
+az devops project show --project "${Project}" --organization $OrganizationUrl --query id -o tsv | Set-Variable projectId
+if (!$projectId) {
+    Write-Error "Project '${Project}' not found in organization '${OrganizationUrl}"
+    exit 1
 }
 
-Write-Host "${message}:"
-$msftGraphObjects | Where-Object { 
-    # We already check federation on organization/project, so we can ignore it here
-    !$HasFederation -or $_.name -match "${Organization}-[^-]+-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" 
-} | Where-Object { 
-    !$SubscriptionId -or $_.name -match $SubscriptionId
-} | Where-Object { 
-    $_.certCount -ge ($HasCertificates ? 1 : 0)
-} | Where-Object { 
-    !$HasNoCertificates -or $_.certCount -eq 0
-} | Where-Object { 
-    !$HasFederation -or $_.federatedSubjects -match "sc://[^/]+/[^/]+/[^/]+"
-} | Where-Object { 
-    !$HasNoFederation -or [string]::IsNullOrEmpty($_.federatedSubjects)
-} | Where-Object { 
-    $_.secretCount -ge ($HasSecrets ? 1 : 0)
+#-----------------------------------------------------------
+# Retrieve the service connection
+
+$getApiUrl = "${OrganizationUrl}/${Project}/_apis/serviceendpoint/endpoints?type=azurerm&includeFailed=true&includeDetails=true&api-version=${apiVersion}"
+az rest --resource 499b84ac-1321-427f-aa17-267ca6975798 -u "${getApiUrl} " -m GET --query "sort_by(value[?authorization.scheme=='ServicePrincipal' && data.creationMode=='Automatic' && !(isShared && serviceEndpointProjectReferences[0].projectReference.name!='${Project}')],&name)" -o json `
+        | Tee-Object -Variable rawResponse `
+        | ConvertFrom-Json `
+        | Tee-Object -Variable serviceEndpoints `
+        | Format-List | Out-String | Write-Debug
+if (!$serviceEndpoints -or ($serviceEndpoints.count-eq 0)) {
+    Write-Warning "No convertible service connections found"
+    exit 1
+}
+
+$serviceEndpoints | ForEach-Object {
+    "https://portal.azure.com/{0}/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/{1}" -f $_.authorization.parameters.tenantId, $_.authorization.parameters.servicePrincipalId | Set-Variable applicationPortalLink
+    $_ | Add-Member -NotePropertyName applicationPortalLink -NotePropertyValue $applicationPortalLink
+    "{0}/{1}/_settings/adminservices?resourceId={2}" -f $OrganizationUrl, $_.serviceEndpointProjectReferences[0].projectReference.id, $_.id | Set-Variable serviceConnectionPortalLink
+    $_ | Add-Member -NotePropertyName serviceConnectionPortalLink -NotePropertyValue $serviceConnectionPortalLink
+    $_ | Add-Member -NotePropertyName authorizationScheme -NotePropertyValue $_.authorization.scheme
+    $_ | Add-Member -NotePropertyName appId -NotePropertyValue $_.authorization.parameters.servicePrincipalId.ToLower()
+    
+    $_
 } | Where-Object { 
-    !$HasNoSecrets -or $_.secretCount -eq 0
-} | Format-Table -AutoSize
+    # We already check federation on organization/project, so we can ignore it here
+    !$AppId -or ($_.appId -in $AppId)
+} | Set-Variable filteredServiceEndpoints
+
+switch ($Format) {
+    'List' {
+        $filteredServiceEndpoints | Format-List 
+    }
+    'Table' {
+        $filteredServiceEndpoints | Format-Table -AutoSize -Property name, authorizationScheme, appId
+    }
+}
+$filteredServiceEndpoints | ForEach-Object {
+    $_.appId
+} | Set-Variable matchedAppIds
+Write-Host "Matched AppIds: $($matchedAppIds -join ', ')"
+$AppId | Where-Object {
+           $_ -notin $matchedAppIds
+         }
+       | Set-Variable unmatchedAppIds
+if ($unmatchedAppIds) {
+    Write-Warning "Unmatched AppIds: $($unmatchedAppIds -join ', ')"
+}