Fix exemption cmdlet parameter to accept empty array (#21824)

* Fix exemption cmdlet parameter to take empty array

* Update changelog

* Fixed the wrong method call

* Addressed comments

Author: robga

src/Resources/ResourceManager/Entities/Resources/ResourceWithSystemData.cs

@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+namespace Microsoft.Azure.Commands.ResourceManager.Cmdlets.Entities.Resources
+{
+    using Newtonsoft.Json.Linq;
+
+    /// <summary>
+    /// The resource definition object.
+    /// </summary>
+    public class ResourceWithSystemData<TProperties> : Resource<TProperties>
+    {
+        /// <summary>
+        /// Gets or sets the resource system data.
+        /// </summary>
+        public JObject SystemData { get; set; }
+    }
+}

src/Resources/ResourceManager/Extensions/ResourceExtensions.cs

@@ -108,5 +108,14 @@ internal static Resource<TType> ToResource<TType>(this JToken jtoken)
         {
             return jtoken.ToObject<Resource<TType>>(JsonExtensions.JsonMediaTypeSerializer);
         }
+
+        /// <summary>
+        /// Converts a <see cref="JToken"/> to a <see cref="ResourceWithSystemData{JToken}"/>.
+        /// </summary>
+        /// <param name="jtoken">The <see cref="JToken"/>.</param>
+        internal static ResourceWithSystemData<JToken> ToResourceWithSystemData(this JToken jtoken)
+        {
+            return jtoken.ToObject<ResourceWithSystemData<JToken>>(JsonExtensions.JsonMediaTypeSerializer);
+        }
     }
 }

src/Resources/ResourceManager/Implementation/Policy/PolicyHelpStrings.cs

@@ -135,7 +135,7 @@ public static class PolicyHelpStrings
         public const string GetPolicyExemptionScopeHelp = "The scope of the policy exemption to get, e.g. /providers/managementGroups/{managementGroupName}, defaults to current subscription.";
         public const string GetPolicyExemptionIdHelp = "The fully qualified policy exemption ID to get, including the scope, e.g. /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Authorization/policyExemptions/{policyExemptionName}.";
         public const string GetPolicyExemptionFilterHelp = "Limits the list of returned policy exemptions to those assigning the policy assignment identified by this fully qualified Id.";
-        public const string GetPolicyExemptionIncludeDescendentsHelp = "Causes the list of returned policy exemptions to include all exemptions related to the given scope, including those from ancestor scopes and those from descendent scopes.";
+        public const string GetPolicyExemptionIncludeDescendentsHelp = "Causes the list of returned policy exemptions to include all exemptions related to the given scope, including those from ancestor scopes and those from descendent scopes. This parameter doesn't work when the requested scope is a management group scope.";
         public const string GetPolicyExemptionDoesNothingHelp = "This parameter is ignored if provided with -Name or -Id parameters.";
         public const string NewPolicyExemptionNameHelp = "The name of the new policy exemption.";
         public const string NewPolicyExemptionScopeHelp = "The scope of the new policy exemption, e.g. /providers/managementGroups/{managementGroupName}, defaults to current subscription.";

src/Resources/ResourceManager/Implementation/Policy/PsPolicyExemption.cs

@@ -26,14 +26,15 @@ public class PsPolicyExemption
     {
         public PsPolicyExemption(JToken input)
         {
-            var resource = input.ToResource();
+            var resource = input.ToResourceWithSystemData();
             Name = resource.Name;
             Properties = new PsPolicyExemptionProperties(resource.Properties);
             ResourceId = resource.Id;
             ResourceName = resource.Name;
             ResourceGroupName = string.IsNullOrEmpty(resource.Id) ? null : ResourceIdUtility.GetResourceGroupName(resource.Id);
             ResourceType = resource.Type;
             SubscriptionId = string.IsNullOrEmpty(resource.Id) ? null : ResourceIdUtility.GetSubscriptionId(resource.Id);
+            SystemData = resource.SystemData.ToPsObject();
         }
 
         /// <summary>

src/Resources/ResourceManager/Implementation/Policy/SetAzurePolicyExemption.cs

@@ -77,7 +77,7 @@ public class SetAzurePolicyExemptionCmdlet : PolicyCmdletBase
         /// Gets or sets the policy definition reference ID list when the associated policy assignment is for a policy set (initiative).
         /// </summary>
         [Parameter(Mandatory = false, ValueFromPipelineByPropertyName = true, HelpMessage = PolicyHelpStrings.SetPolicyExemptionPolicyDefinitionReferenceIdHelp)]
-        [ValidateNotNullOrEmpty]
+        [ValidateNotNull]
         public string[] PolicyDefinitionReferenceId { get; set; }
 
         /// <summary>
@@ -144,7 +144,7 @@ protected override void OnProcessRecord()
         /// </summary>
         private JToken GetResource(string resourceId, string apiVersion)
         {
-            var resource = this.GetExistingResource(resourceId, apiVersion).Result.ToResource();
+            var resource = this.GetExistingResource(resourceId, apiVersion).Result.ToResource<PolicyExemptionProperties>();
 
             // get incoming object properties if present
             JObject inputMetadata = null;
@@ -154,25 +154,19 @@ private JToken GetResource(string resourceId, string apiVersion)
                 inputMetadata = newProperties["metadata"] as JObject;
             }
 
-            DateTime? existingExpiration = null;
-            if (DateTime.TryParse(resource.Properties["expiresOn"]?.ToString(), out var expiresOn))
-            {
-                existingExpiration = expiresOn;
-            }
-
             var parameterMetadata = this.Metadata == null ? null : this.GetObjectFromParameter(this.Metadata, nameof(this.Metadata));
             var policyExemption = new PolicyExemption
             {
                 Name = this.Name ?? this.InputObject?.Name ?? resource.Name,
                 Properties = new PolicyExemptionProperties
                 {
-                    DisplayName = this.DisplayName ?? this.InputObject?.Properties?.DisplayName ?? resource.Properties["displayName"]?.ToString(),
-                    Description = this.Description ?? this.InputObject?.Properties?.Description ?? resource.Properties["description"]?.ToString(),
-                    ExemptionCategory = this.ExemptionCategory ?? this.InputObject?.Properties?.ExemptionCategory ?? resource.Properties["exemptionCategory"]?.ToString(),
-                    PolicyAssignmentId = resource.Properties["policyAssignmentId"]?.ToString(),
-                    PolicyDefinitionReferenceIds = this.PolicyDefinitionReferenceId ?? this.InputObject?.Properties?.PolicyDefinitionReferenceIds ?? resource.Properties["policyDefinitionReferenceIds"]?.ToString()?.Split(','),
-                    ExpiresOn = this.ClearExpiration.IsPresent ? null : this.ExpiresOn?.ToUniversalTime() ?? this.InputObject?.Properties?.ExpiresOn ?? existingExpiration,
-                    Metadata = parameterMetadata ?? inputMetadata ?? resource.Properties["metadata"] as JObject,
+                    DisplayName = this.DisplayName ?? this.InputObject?.Properties?.DisplayName ?? resource.Properties.DisplayName,
+                    Description = this.Description ?? this.InputObject?.Properties?.Description ?? resource.Properties.Description,
+                    ExemptionCategory = this.ExemptionCategory ?? this.InputObject?.Properties?.ExemptionCategory ?? resource.Properties.ExemptionCategory,
+                    PolicyAssignmentId = resource.Properties.PolicyAssignmentId,
+                    PolicyDefinitionReferenceIds = this.PolicyDefinitionReferenceId ?? this.InputObject?.Properties?.PolicyDefinitionReferenceIds ?? resource.Properties.PolicyDefinitionReferenceIds,
+                    ExpiresOn = this.ClearExpiration.IsPresent ? null : this.ExpiresOn?.ToUniversalTime() ?? this.InputObject?.Properties?.ExpiresOn ?? resource.Properties.ExpiresOn,
+                    Metadata = parameterMetadata ?? inputMetadata ?? resource.Properties.Metadata,
                 }
             };
 

src/Resources/Resources.Test/ScenarioTests/PolicyTests.ps1

@@ -1503,6 +1503,12 @@ function Test-PolicyExemptionCRUD
     Assert-NotNull $exemption.Properties.Metadata
     Assert-AreEqual $metadataValue $exemption.Properties.Metadata.$metadataName
     Assert-Null $exemption.Properties.ExpiresOn
+    Assert-NotNull $exemption.SystemData.createdBy
+    Assert-NotNull $exemption.SystemData.createdByType
+    Assert-NotNull $exemption.SystemData.createdAt
+    Assert-NotNull $exemption.SystemData.lastModifiedBy
+    Assert-NotNull $exemption.SystemData.lastModifiedByType
+    Assert-NotNull $exemption.SystemData.lastModifiedAt
 
     # get the exemption by name
     $exemption = Get-AzPolicyExemption -Name testExemption -Scope $rg.ResourceId
@@ -1516,6 +1522,12 @@ function Test-PolicyExemptionCRUD
     Assert-NotNull $exemption.Properties.Metadata
     Assert-AreEqual $metadataValue $exemption.Properties.Metadata.$metadataName
     Assert-Null $exemption.Properties.ExpiresOn
+    Assert-NotNull $exemption.SystemData.createdBy
+    Assert-NotNull $exemption.SystemData.createdByType
+    Assert-NotNull $exemption.SystemData.createdAt
+    Assert-NotNull $exemption.SystemData.lastModifiedBy
+    Assert-NotNull $exemption.SystemData.lastModifiedByType
+    Assert-NotNull $exemption.SystemData.lastModifiedAt
 
     # get the exemption by id
     $exemption = Get-AzPolicyExemption -Id $exemption.ResourceId
@@ -1529,6 +1541,12 @@ function Test-PolicyExemptionCRUD
     Assert-NotNull $exemption.Properties.Metadata
     Assert-AreEqual $metadataValue $exemption.Properties.Metadata.$metadataName
     Assert-Null $exemption.Properties.ExpiresOn
+    Assert-NotNull $exemption.SystemData.createdBy
+    Assert-NotNull $exemption.SystemData.createdByType
+    Assert-NotNull $exemption.SystemData.createdAt
+    Assert-NotNull $exemption.SystemData.lastModifiedBy
+    Assert-NotNull $exemption.SystemData.lastModifiedByType
+    Assert-NotNull $exemption.SystemData.lastModifiedAt
 
     # update the policy exemption, validate the result
     $future1 = [DateTime]::Parse('3021-03-09T07:30:10Z').ToUniversalTime()
@@ -1600,6 +1618,12 @@ function Test-PolicyExemptionCRUDOnPolicySet
     Assert-Null $exemption.Properties.Metadata
     Assert-Null $exemption.Properties.PolicyDefinitionReferenceIds
     Assert-AreEqual $future1 $exemption.Properties.ExpiresOn.ToUniversalTime()
+    Assert-NotNull $exemption.SystemData.createdBy
+    Assert-NotNull $exemption.SystemData.createdByType
+    Assert-NotNull $exemption.SystemData.createdAt
+    Assert-NotNull $exemption.SystemData.lastModifiedBy
+    Assert-NotNull $exemption.SystemData.lastModifiedByType
+    Assert-NotNull $exemption.SystemData.lastModifiedAt
 
     # update the policy exemption set policy definition reference Id using piping, validate the result
     $future2 = $future1.AddDays(1).ToUniversalTime()
@@ -1614,6 +1638,12 @@ function Test-PolicyExemptionCRUDOnPolicySet
     Assert-NotNull $exemption.Properties.PolicyDefinitionReferenceIds
     Assert-AreEqual 1 $exemption.Properties.PolicyDefinitionReferenceIds.Count
     Assert-AreEqual $policySet.Properties.PolicyDefinitions[0].policyDefinitionReferenceId $exemption.Properties.PolicyDefinitionReferenceIds[0]
+    Assert-NotNull $exemption.SystemData.createdBy
+    Assert-NotNull $exemption.SystemData.createdByType
+    Assert-NotNull $exemption.SystemData.createdAt
+    Assert-NotNull $exemption.SystemData.lastModifiedBy
+    Assert-NotNull $exemption.SystemData.lastModifiedByType
+    Assert-NotNull $exemption.SystemData.lastModifiedAt
 
     # update the policy exemption set policy definition reference Id using parameters, validate the result
     $exemption = Set-AzPolicyExemption -Name testExemption -DisplayName 'testDisplay1' -ExemptionCategory Waiver -PolicyDefinitionReferenceId @($policySet.Properties.PolicyDefinitions[0].policyDefinitionReferenceId)
@@ -1623,12 +1653,26 @@ function Test-PolicyExemptionCRUDOnPolicySet
     Assert-NotNull $exemption.Properties.PolicyDefinitionReferenceIds
     Assert-AreEqual 1 $exemption.Properties.PolicyDefinitionReferenceIds.Count
     Assert-AreEqual $policySet.Properties.PolicyDefinitions[0].policyDefinitionReferenceId $exemption.Properties.PolicyDefinitionReferenceIds[0]
+    Assert-NotNull $exemption.SystemData.createdBy
+    Assert-NotNull $exemption.SystemData.createdByType
+    Assert-NotNull $exemption.SystemData.createdAt
+    Assert-NotNull $exemption.SystemData.lastModifiedBy
+    Assert-NotNull $exemption.SystemData.lastModifiedByType
+    Assert-NotNull $exemption.SystemData.lastModifiedAt
 
     # update the exemption to clear the expiration
     $exemption.Properties.PolicyDefinitionReferenceIds = @()
     $exemption = $exemption | Set-AzPolicyExemption 
     Assert-AreEqual 0 @($exemption.Properties.PolicyDefinitionReferenceIds).Count
 
+    # update the exemption without pipeline input
+    $exemption = Set-AzPolicyExemption -Name testExemption -ExpiresOn $future1
+    Assert-AreEqual $future1 $exemption.Properties.ExpiresOn.ToUniversalTime()
+
+    # update policy definition reference Ids with empty array
+    $exemption = Set-AzPolicyExemption -Name testExemption -policyDefinitionReferenceId @()
+    Assert-AreEqual 0 @($exemption.Properties.PolicyDefinitionReferenceIds).Count
+
     # make another policy exemption, ensure both are present
     $exemption2 = $assignment | New-AzPolicyExemption -Name testExemption2 -ExemptionCategory Mitigated -DisplayName $description
     $list = Get-AzPolicyExemption | ?{ $_.Name -in @('testExemption', 'testExemption2') }