RBAC and full backup restore

src/KeyVault/KeyVault/Az.KeyVault.psd1

@@ -96,6 +96,9 @@ CmdletsToExport = 'Add-AzManagedHsmKey', 'Get-AzManagedHsmKey', 'Remove-AzManage
                'Remove-AzManagedHsm', 'Update-AzManagedHsm',
                'Get-AzKeyVault', 'New-AzKeyVault', 
                'Remove-AzKeyVault', 'Undo-AzKeyVaultRemoval', 
+               'Backup-AzManagedHsm', 'Restore-AzManagedHsm',
+               'Get-AzManagedHsmRoleDefinition', 'Get-AzManagedHsmRoleAssignment',
+               'New-AzManagedHsmRoleAssignment', 'Remove-AzManagedHsmRoleAssignment',
                'Remove-AzKeyVaultAccessPolicy', 'Set-AzKeyVaultAccessPolicy', 
                'Backup-AzKeyVaultKey', 'Get-AzKeyVaultKey', 'Get-AzKeyVaultSecret', 
                'Undo-AzKeyVaultKeyRemoval', 'Undo-AzKeyVaultSecretRemoval', 

src/KeyVault/KeyVault/Commands/Constants.cs

@@ -55,5 +55,14 @@ public static class CmdletNoun
         public const string AzureKeyVaultManagedStorageQueueSasParameters = "AzureKeyVaultManagedStorageQueueSasParameters";
         public const string AzureKeyVaultManagedStorageShareSasParameters = "AzureKeyVaultManagedStorageShareSasParameters";
         public const string AzureKeyVaultManagedStorageTableSasParameters = "AzureKeyVaultManagedStorageTableSasParameters";
+
+        public const string ManagedHsm = "ManagedHsm";
+        public const string ManagedHsmRoleDefinition = ManagedHsm + "RoleDefinition";
+        public const string ManagedHsmRoleAssignment = ManagedHsm + "RoleAssignment";
+    }
+
+    public static class ResourceType
+    {
+        public const string ManagedHsm = "Microsoft.KeyVault/managedHSMs";
     }
 }

src/KeyVault/KeyVault/Commands/FullBackupRestore/BackupAzureManagedHsm.cs

@@ -0,0 +1,32 @@
+using Azure.Core.Diagnostics;
+using Microsoft.Azure.Commands.KeyVault.Properties;
+using Microsoft.WindowsAzure.Commands.Common;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using System;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.KeyVault.Commands
+{
+    [Cmdlet("Backup", ResourceManager.Common.AzureRMConstants.AzurePrefix + CmdletNoun.ManagedHsm, SupportsShouldProcess = true, DefaultParameterSetName = InteractiveStorageName)]
+    [OutputType(typeof(string))]
+    public class BackupAzureManagedHsm : FullBackupRestoreCmdletBase
+    {
+        public override void DoExecuteCmdlet()
+        {
+
+            ConfirmAction(
+                string.Format(Resources.DoFullBackup, StorageContainerUri),
+                Name, () =>
+            {
+                try
+                {
+                    WriteObject(Track2DataClient.BackupHsm(Name, StorageContainerUri, SasToken.ConvertToString()).AbsoluteUri);
+                }
+                catch (Exception ex)
+                {
+                    throw new Exception(string.Format(Resources.FullBackupFailed, Name), ex);
+                }
+            });
+        }
+    }
+}

src/KeyVault/KeyVault/Commands/FullBackupRestore/FullBackupRestoreCmdletBase.cs

@@ -0,0 +1,74 @@
+using Microsoft.Azure.Commands.Common.Authentication;
+using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using System;
+using System.Management.Automation;
+using System.Security;
+
+namespace Microsoft.Azure.Commands.KeyVault.Commands
+{
+    public abstract class FullBackupRestoreCmdletBase : KeyVaultCmdletBase
+    {
+        protected const string InteractiveStorageUri = "InteractiveStorageUri";
+        protected const string InputObjectStorageUri = "InputObjectStorageUri";
+        protected const string InteractiveStorageName = "InteractiveStorageName";
+        protected const string InputObjectStorageName = "InputObjectStorageName";
+
+        [Parameter(ParameterSetName = InteractiveStorageUri, Mandatory = true, Position = 1,
+            HelpMessage = "Name of the HSM.")]
+        [Parameter(ParameterSetName = InteractiveStorageName, Mandatory = true, Position = 1,
+            HelpMessage = "Name of the HSM.")]
+        [Alias("HsmName")]
+        public string Name { get; set; }
+
+        [Parameter(ParameterSetName = InteractiveStorageUri, Mandatory = true,
+            HelpMessage = "URI of the storage container where the backup is going to be stored.")]
+        [Parameter(ParameterSetName = InputObjectStorageUri, Mandatory = true,
+            HelpMessage = "URI of the storage container where the backup is going to be stored.")]
+        public Uri StorageContainerUri { get; set; }
+
+        [Parameter(ParameterSetName = InteractiveStorageName, Mandatory = true,
+            HelpMessage = "Name of the storage account where the backup is going to be stored.")]
+        [Parameter(ParameterSetName = InputObjectStorageName, Mandatory = true,
+            HelpMessage = "Name of the storage account where the backup is going to be stored.")]
+        public string StorageAccountName { get; set; }
+
+        [Parameter(ParameterSetName = InteractiveStorageName, Mandatory = true,
+            HelpMessage = "Name of the blob container where the backup is going to be stored.")]
+        [Parameter(ParameterSetName = InputObjectStorageName, Mandatory = true,
+            HelpMessage = "Name of the blob container where the backup is going to be stored.")]
+        public string StorageContainerName { get; set; }
+
+        [Parameter(Mandatory = true, HelpMessage = "The shared access signature (SAS) token to authenticate the storage account.")]
+        public SecureString SasToken { get; set; }
+
+        [Parameter(ParameterSetName = InputObjectStorageUri, Mandatory = true, HelpMessage = "Managed HSM object")]
+        [Parameter(ParameterSetName = InputObjectStorageName, Mandatory = true, HelpMessage = "Managed HSM object")]
+        public PSManagedHsm HsmObject { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            PreprocessParameterSet();
+            DoExecuteCmdlet();
+        }
+
+        /// <summary>
+        /// Prepare parameters so the implementation doesn't care about parameter set
+        /// </summary>
+        private void PreprocessParameterSet()
+        {
+            if (this.IsParameterBound(c => c.HsmObject))
+            {
+                Name = HsmObject.Name;
+            }
+
+            if (this.IsParameterBound(c => c.StorageAccountName))
+            {
+                StorageContainerUri = new Uri($"https://{StorageAccountName}.{DefaultContext.Environment.GetEndpoint(AzureEnvironment.Endpoint.StorageEndpointSuffix)}/{StorageContainerName}");
+            }
+        }
+
+        public abstract void DoExecuteCmdlet();
+    }
+}

src/KeyVault/KeyVault/Commands/FullBackupRestore/RestoreAzureManagedHsm.cs

@@ -0,0 +1,42 @@
+using Azure.Core.Diagnostics;
+using Microsoft.Azure.Commands.KeyVault.Properties;
+using Microsoft.WindowsAzure.Commands.Common;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using System;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.KeyVault.Commands
+{
+    [Cmdlet("Restore", ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsm", SupportsShouldProcess = true, DefaultParameterSetName = InteractiveStorageName)]
+    [OutputType(typeof(bool))]
+    public class RestoreAzureManagedHsm : FullBackupRestoreCmdletBase
+    {
+        [Parameter(Mandatory = true, HelpMessage = "Folder name of the backup, e.g. 'mhsm-*-2020101309020403'.\nIt can also be nested such as 'backups/mhsm-*-2020101309020403'.")]
+        public string BackupFolder { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Return true when the HSM is restored.")]
+        public SwitchParameter PassThru { get; set; }
+
+        public override void DoExecuteCmdlet()
+        {
+            ConfirmAction(
+                    string.Format(Resources.DoFullRestore, StorageContainerUri),
+                    Name, () =>
+                    {
+                        try
+                        {
+                            Track2DataClient.RestoreHsm(Name, StorageContainerUri, SasToken.ConvertToString(), BackupFolder);
+                        }
+                        catch (Exception ex)
+                        {
+                            throw new Exception(string.Format(Resources.FullRestoreFailed, Name), ex);
+                        }
+                        if (PassThru)
+                        {
+                            WriteObject(true);
+                        }
+                    }
+                );
+        }
+    }
+}

src/KeyVault/KeyVault/Commands/RBAC/GetAzureManagedHsmRoleAssignment.cs

@@ -0,0 +1,121 @@
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory;
+using Microsoft.Azure.Graph.RBAC.Version1_6.Models;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using System;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.KeyVault.Commands
+{
+    [Cmdlet("Get", ResourceManager.Common.AzureRMConstants.AzurePrefix + CmdletNoun.ManagedHsmRoleAssignment, DefaultParameterSetName = ListParameterSet)]
+    [OutputType(typeof(PSKeyVaultRoleAssignment))]
+    public class GetAzureManagedHsmRoleAssignment : RbacCmdletBase
+    {
+        private const string ListParameterSet = "List";
+        private const string GetByNameParameterSet = "GetByName";
+
+        [Parameter(Mandatory = true, Position = 1,
+            HelpMessage = "Name of the HSM.")]
+        [ResourceNameCompleter(ResourceType.ManagedHsm, "IntentionalFakeParameterName")]
+        public string HsmName { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Scope at which the role assignment or definition applies to, e.g., '/' or '/keys' or '/keys/{keyName}'. By default it lists all scopes.")]
+        public string Scope { get; set; } = string.Empty;
+
+        [Parameter(Mandatory = false, ParameterSetName = ListParameterSet,
+            HelpMessage = "Name of the RBAC role to assign the principal with.")]
+        [Alias("RoleName")]
+        public string RoleDefinitionName { get; set; }
+
+        [Parameter(Mandatory = false, ParameterSetName = ListParameterSet,
+            HelpMessage = "Role Id the principal is assigned to.")]
+        [Alias("RoleId")]
+        [ValidateNotNullOrEmpty]
+        public string RoleDefinitionId { get; set; }
+
+        [Parameter(Mandatory = false, ParameterSetName = ListParameterSet,
+            HelpMessage = "The user or group object id.")]
+        [ValidateNotNullOrEmpty]
+        [Alias("Id", "PrincipalId")]
+        public string ObjectId { get; set; }
+
+        [Parameter(Mandatory = false, ParameterSetName = ListParameterSet,
+            HelpMessage = "The user SignInName.")]
+        [ValidateNotNullOrEmpty]
+        [Alias("Email", "UserPrincipalName")]
+        public string SignInName { get; set; }
+
+        [Parameter(Mandatory = false, ParameterSetName = ListParameterSet,
+            HelpMessage = "The app SPN.")]
+        [ValidateNotNullOrEmpty]
+        [Alias("SPN", "ServicePrincipalName")]
+        public string ApplicationId { get; set; }
+
+        [Parameter(Mandatory = true, ParameterSetName = GetByNameParameterSet,
+            HelpMessage = "Name of the role assignment.")]
+        [ValidateNotNullOrEmpty]
+        public string RoleAssignmentName { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            switch (ParameterSetName)
+            {
+                case ListParameterSet:
+                    DoList();
+                    break;
+                case GetByNameParameterSet:
+                    DoGetByName();
+                    break;
+            }
+        }
+
+        private void DoGetByName()
+        {
+            var assignment = Track2DataClient.GetHsmRoleAssignment(HsmName, Scope, RoleAssignmentName);
+            GetAssignmentDetails(assignment, HsmName, Scope);
+            WriteObject(assignment);
+        }
+
+        private void DoList()
+        {
+            // get role assignments
+            var assignments = Track2DataClient.GetHsmRoleAssignments(HsmName, Scope);
+            assignments.ForEach(assignment => GetAssignmentDetails(assignment, HsmName, Scope));
+            assignments = FilterAssignments(assignments);
+            WriteObject(assignments, enumerateCollection: true);
+        }
+
+        private PSKeyVaultRoleAssignment[] FilterAssignments(PSKeyVaultRoleAssignment[] assignments)
+        {
+            if (!string.IsNullOrEmpty(RoleDefinitionName))
+            {
+                var definition = Track2DataClient.GetHsmRoleDefinitions(HsmName, Scope)
+                    .FirstOrDefault(x => string.Equals(x.RoleName, RoleDefinitionName, StringComparison.OrdinalIgnoreCase));
+                RoleDefinitionId = definition?.Id;
+            }
+            if (!string.IsNullOrEmpty(SignInName))
+            {
+                var filter = new ADObjectFilterOptions() { UPN = SignInName };
+                var user = ActiveDirectoryClient.FilterUsers(filter).FirstOrDefault();
+                ObjectId = user?.Id.ToString();
+            }
+            if (!string.IsNullOrEmpty(ApplicationId))
+            {
+                var odataQuery = new Rest.Azure.OData.ODataQuery<Application>(s => string.Equals(s.AppId, ApplicationId, StringComparison.OrdinalIgnoreCase));
+                var app = ActiveDirectoryClient.GetApplicationWithFilters(odataQuery).FirstOrDefault();
+                ObjectId = app?.ObjectId.ToString();
+            }
+            if (!string.IsNullOrEmpty(RoleDefinitionId))
+            {
+                assignments = assignments.Where(assignment => string.Equals(assignment.RoleDefinitionId, RoleDefinitionId, StringComparison.OrdinalIgnoreCase)).ToArray();
+            }
+            if (!string.IsNullOrEmpty(ObjectId))
+            {
+                assignments = assignments.Where(assignment => string.Equals(assignment.PrincipalId, ObjectId, StringComparison.OrdinalIgnoreCase)).ToArray();
+            }
+            return assignments;
+        }
+    }
+}

src/KeyVault/KeyVault/Commands/RBAC/GetAzureManagedHsmRoleDefinition.cs

@@ -0,0 +1,43 @@
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using System;
+using System.Linq;
+using System.Management.Automation;
+
+namespace Microsoft.Azure.Commands.KeyVault.Commands
+{
+    [Cmdlet("Get", ResourceManager.Common.AzureRMConstants.AzurePrefix + CmdletNoun.ManagedHsmRoleDefinition, DefaultParameterSetName = InteractiveCreateParameterSet)]
+    [OutputType(typeof(PSKeyVaultRoleDefinition))]
+    public class GetAzureManagedHsmRoleDefinition : RbacCmdletBase
+    {
+        private const string InteractiveCreateParameterSet = "Interactive";
+        private const string ByNameParameterSet = "ByName";
+
+        [Parameter(Mandatory = true, Position = 1,
+            HelpMessage = "Name of the HSM.")]
+        [ResourceNameCompleter(ResourceType.ManagedHsm, "IntentionalFakeParameterName")]
+        public string HsmName { get; set; }
+
+        [Parameter(Mandatory = false, HelpMessage = "Scope at which the role assignment or definition applies to, e.g., '/' or '/keys' or '/keys/{keyName}'.")]
+        public string Scope { get; set; } = string.Empty;
+
+        [Parameter(ParameterSetName = ByNameParameterSet, Mandatory = true,
+            HelpMessage = "Name of the role definition to get.")]
+        [Alias("RoleName")]
+        public string RoleDefinitionName { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            var roleDefinitions = Track2DataClient.GetHsmRoleDefinitions(HsmName, Scope);
+            switch (ParameterSetName)
+            {
+                case InteractiveCreateParameterSet:
+                    WriteObject(roleDefinitions, enumerateCollection: true);
+                    break;
+                case ByNameParameterSet:
+                    WriteObject(roleDefinitions.FirstOrDefault(def => string.Equals(RoleDefinitionName, def.RoleName, StringComparison.OrdinalIgnoreCase)));
+                    break;
+            }
+        }
+    }
+}