Copy Azure Role scripts
This commit is contained in:
robbwilcox
117
Check-AppRoles.ps1
Normal file
117
Check-AppRoles.ps1
Normal file
@@ -0,0 +1,117 @@
|
||||
[CmdletBinding()]
|
||||
param(
|
||||
[Parameter(Mandatory=$true)]
|
||||
[string]$InputFile
|
||||
)
|
||||
|
||||
# Ensure you're logged into Azure CLI
|
||||
try {
|
||||
$null = az account show
|
||||
}
|
||||
catch {
|
||||
Write-Host "Please log in to Azure CLI first using 'az login'"
|
||||
exit
|
||||
}
|
||||
|
||||
# Function to get all role definitions
|
||||
function Get-AllRoleDefinitions {
|
||||
$roles = az role definition list |
|
||||
ConvertFrom-Json |
|
||||
ForEach-Object { $_ } |
|
||||
# Where-Object { $_.roleName -eq "Website Contributor" }
|
||||
Where-Object { $_.roleType -ne "CustomRole" -and $_.roleName -ne "Contributor" -and $_.roleName -ne "Owner" }
|
||||
return $roles
|
||||
}
|
||||
|
||||
# Function to check if a string matches a resource type pattern
|
||||
function Test-ResourceTypeMatch {
|
||||
param (
|
||||
[string]$Pattern,
|
||||
[string]$ResourceType
|
||||
)
|
||||
$patternParts = $Pattern -split '/'
|
||||
$resourceTypeParts = $ResourceType -split '/'
|
||||
|
||||
for ($i = 0; $i -lt $patternParts.Count; $i++) {
|
||||
if ($i -ge $resourceTypeParts.Count -and $patternParts[$i] -ne "*") {
|
||||
return $false
|
||||
}
|
||||
|
||||
if ($patternParts[$i] -eq '*') {
|
||||
if ($i -eq $patternParts.Count - 1) {
|
||||
return $true
|
||||
}
|
||||
continue
|
||||
}
|
||||
|
||||
if ($patternParts[$i] -ne $resourceTypeParts[$i]) {
|
||||
return $false
|
||||
}
|
||||
}
|
||||
|
||||
# If the pattern is shorter than the resource type, it's only a match if the last part was a wildcard
|
||||
return ($patternParts.Count -eq $resourceTypeParts.Count) -or ($patternParts[-1] -eq '*')
|
||||
}
|
||||
|
||||
# Function to check if a role grants access to a resource type
|
||||
function Test-RoleAccess {
|
||||
param (
|
||||
$Role,
|
||||
$ResourceType
|
||||
)
|
||||
$hasAccess = $false
|
||||
foreach ($permission in $Role.permissions) {
|
||||
# Check actions and dataActions
|
||||
foreach ($action in ($permission.actions + $permission.dataActions)) {
|
||||
if (Test-ResourceTypeMatch -Pattern $action -ResourceType $ResourceType) {
|
||||
$hasAccess = $true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
# Check notActions and notDataActions
|
||||
foreach ($notAction in ($permission.notActions + $permission.notDataActions)) {
|
||||
if (Test-ResourceTypeMatch -Pattern $notAction -ResourceType $ResourceType) {
|
||||
return $false # Explicitly not allowed
|
||||
}
|
||||
}
|
||||
|
||||
if ($hasAccess) {
|
||||
break
|
||||
}
|
||||
}
|
||||
return $hasAccess
|
||||
}
|
||||
|
||||
# Get all role definitions
|
||||
$allRoles = Get-AllRoleDefinitions
|
||||
|
||||
# Read the file with resource types
|
||||
try {
|
||||
$resourceTypes = Get-Content -Path $InputFile -ErrorAction Stop
|
||||
$resourceTypes = $resourceTypes | Sort-Object
|
||||
}
|
||||
catch {
|
||||
Write-Host "Error reading input file: $_"
|
||||
exit
|
||||
}
|
||||
|
||||
# Process each resource type
|
||||
foreach ($resourceType in $resourceTypes) {
|
||||
Write-Host "Resource Type: $resourceType"
|
||||
$matchingRoles = @()
|
||||
|
||||
foreach ($role in $allRoles) {
|
||||
if (Test-RoleAccess -Role $role -ResourceType $resourceType) {
|
||||
$matchingRoles += $role.roleName
|
||||
}
|
||||
}
|
||||
|
||||
if ($matchingRoles.Count -gt 0) {
|
||||
Write-Host "Roles granting access:"
|
||||
$matchingRoles | ForEach-Object { Write-Host " - $_" }
|
||||
} else {
|
||||
Write-Host "No roles found granting access to this resource type."
|
||||
}
|
||||
Write-Host ""
|
||||
}
|
||||
Reference in New Issue
Block a user