Introducing Az.Security AllowedConnection cmdlets (#12233)

* Introducing SecurityTopologies cmdlets

* Update ChangeLog.md

* Update ChangeLog.md

* Change cmdlet name to Get-AzSecurityTopology

* remove AllowedConnections

* change name

* fix conflicy

* fix conflict

* Update ChangeLog.md

* Introducing Az.Security AllowedConnections cmdlets

* update change.log

* remove SecurityTopology

* fix version

* Fix comments

* fix location

* fix comment

* fix comment

* fix version number

Co-authored-by: Arik Riklin <[email protected]>
Co-authored-by: Yabo Hu <[email protected]>

Author: 3 people

src/Security/Security.Test/ScenarioTests/AllowedConnectionTests.cs

@@ -0,0 +1,41 @@
+using Microsoft.Azure.Commands.ScenarioTest;
+using Microsoft.Azure.ServiceManagement.Common.Models;
+using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.Security.Test.ScenarioTests
+{
+    public class AllowedConnectionTests
+    {
+        private readonly XunitTracingInterceptor _logger;
+
+        public AllowedConnectionTests (Xunit.Abstractions.ITestOutputHelper output)
+        {
+            _logger = new XunitTracingInterceptor(output);
+            XunitTracingInterceptor.AddToContext(_logger);
+            TestExecutionHelpers.SetUpSessionAndProfile();
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void GetSubscriptionScope()
+        {
+            TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzureRmAllowedConnection-SubscriptionScope");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void GetResourceGroupLevelResource()
+        {
+            TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzureRmAllowedConnection-ResourceGroupLevelResource");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void GetResourceId()
+        {
+            TestController.NewInstance.RunPowerShellTest(_logger, "Get-AzureRmAllowedConnection-ResourceId");
+        }
+    }
+}
+

src/Security/Security.Test/ScenarioTests/AllowedConnectionTests.ps1

@@ -0,0 +1,76 @@
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.SYNOPSIS
+Get Allowed Connections on a subscription scope
+#>
+function Get-AzureRmAllowedConnection-SubscriptionScope
+{
+    $AllowedConnection = Get-AzAllowedConnection
+	Validate-AllowedConnection $AllowedConnection
+}
+
+<#
+.SYNOPSIS
+Get Allowed Connections
+#>
+function Get-AzureRmAllowedConnection-ResourceGroupLevelResource
+{
+	$AllowedConnection = Get-AzAllowedConnection | Select -First 1
+	$rgName = Extract-ResourceGroup -ResourceId $AllowedConnection.Id
+	$location = Extract-ResourceLocation -ResourceId $AllowedConnection.Id
+
+    $fetchedAllowedConnection = Get-AzAllowedConnection -ResourceGroupName $rgName -Location $location -Name $AllowedConnection.Name
+	Validate-AllowedConnection $fetchedAllowedConnection
+}
+
+<#
+.SYNOPSIS
+Get Allowed Connections by a resource ID
+#>
+function Get-AzureRmAllowedConnection-ResourceId
+{
+	$AllowedConnection = Get-AzAllowedConnection | Select -First 1
+
+    $AllowedConnection = Get-AzAllowedConnection -ResourceId $AllowedConnection.Id
+	Validate-AllowedConnection $AllowedConnection
+}
+
+<#
+.SYNOPSIS
+Validates a list of Allowed Connections
+#>
+function Validate-AllowedConnection
+{
+	param($AllowedConnection)
+
+    Assert-True { $AllowedConnection.Count -gt 0 }
+
+	Foreach($AllowedConnection in $AllowedConnection)
+	{
+		Validate-AllowedConnection $AllowedConnection
+	}
+}
+
+<#
+.SYNOPSIS
+Validates a single Allowed Connection
+#>
+function Validate-AllowedConnection
+{
+	param($AllowedConnection)
+
+	Assert-NotNull $AllowedConnection
+}

src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.AllowedConnectionTests/GetResourceGroupLevelResource.json

@@ -114,8 +114,8 @@ CmdletsToExport = 'Get-AzSecurityAlert', 'Set-AzSecurityAlert',
                'Set-AzSecurityAssessmentMetadata', 
                'Remove-AzSecurityAssessmentMetadata', 
                'Get-AzSecuritySubAssessment',
-			         'Get-AzSecurityTopology'
-
+			   'Get-AzSecurityTopology',
+			   'Get-AzAllowedConnection'
 
 # Variables to export from this module
 # VariablesToExport = @()

src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.AllowedConnectionTests/GetResourceId.json

@@ -18,8 +18,10 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Added new cmdlet: 'Get-AzAllowedConnection'
 * Added new cmdlet: 'Get-AzSecurityTopology'
 
+
 ## Version 0.7.9
 * Add new cmdlets: 'Get-AzSecurityAssessment',
                    'Set-AzSecurityAssessment',

src/Security/Security.Test/SessionRecords/Microsoft.Azure.Commands.Security.Test.ScenarioTests.AllowedConnectionTests/GetSubscriptionScope.json

@@ -0,0 +1,71 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ------------------------------------
+using System.Linq;
+using System.Management.Automation;
+using Commands.Security;
+using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Commands.Security.Common;
+using Microsoft.Azure.Commands.Security.Models.AllowedConnection;
+using Microsoft.Azure.Commands.SecurityCenter.Common;
+using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
+using Microsoft.Rest.Azure;
+
+namespace Microsoft.Azure.Commands.Security.Cmdlets.AllowedConnection
+{
+    [Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "AllowedConnection", DefaultParameterSetName = ParameterSetNames.SubscriptionScope), OutputType(typeof(PSSecurityAllowedConnection))]
+    public class AllowedConnection : SecurityCenterCmdletBase
+    {
+        [Parameter(ParameterSetName = ParameterSetNames.ResourceGroupLevelResource, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
+        [ValidateNotNullOrEmpty]
+        public string ResourceGroupName { get; set; }
+
+        [Parameter(ParameterSetName = ParameterSetNames.ResourceGroupLevelResource, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceName)]
+        [ValidateNotNullOrEmpty]
+        public string Name { get; set; }
+
+        [Parameter(ParameterSetName = ParameterSetNames.ResourceGroupLevelResource, Mandatory = true, HelpMessage = ParameterHelpMessages.Location)]
+        [ValidateNotNullOrEmpty]
+        [LocationCompleter("Microsoft.Security/allowedConnections")]
+        public string Location { get; set; }
+
+        [Parameter(ParameterSetName = ParameterSetNames.ResourceId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceId)]
+        [ValidateNotNullOrEmpty]
+        public string ResourceId { get; set; }
+
+        public override void ExecuteCmdlet()
+        {
+            switch (ParameterSetName)
+            {
+                case ParameterSetNames.SubscriptionScope:
+                    var tors = SecurityCenterClient.AllowedConnections.ListWithHttpMessagesAsync().GetAwaiter().GetResult().Body;
+                    WriteObject(tors.ConvertToPSType(), enumerateCollection: true);
+                    break;
+                case ParameterSetNames.ResourceGroupLevelResource:
+                    SecurityCenterClient.AscLocation = Location;
+
+                    var tor = SecurityCenterClient.AllowedConnections.GetWithHttpMessagesAsync(ResourceGroupName, Name).GetAwaiter().GetResult().Body;
+                    WriteObject(tor.ConvertToPSType(), enumerateCollection: false);
+                    break;
+                case ParameterSetNames.ResourceId:
+                    SecurityCenterClient.AscLocation = AzureIdUtilities.GetResourceLocation(ResourceId);
+
+                    tor = SecurityCenterClient.AllowedConnections.GetWithHttpMessagesAsync(AzureIdUtilities.GetResourceGroup(ResourceId), AzureIdUtilities.GetResourceName(ResourceId)).GetAwaiter().GetResult().Body;
+                    WriteObject(tor.ConvertToPSType(), enumerateCollection: false);
+                    break;
+                default:
+                    throw new PSInvalidOperationException();
+            }
+        }
+    }
+}

src/Security/Security/Az.Security.psd1

@@ -0,0 +1,32 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.Security.Models.AllowedConnection
+{
+    public class PSSecurityAllowedConnection
+    {
+        public string Id { get; set; }
+
+        public string Name { get; set; }
+
+        public string Type { get; set; }
+
+        public DateTime? CalculatedDateTime { get; set; }
+
+        public IList<PSSecurityConnectableResources> ConnectableResources { get; set; }
+    }
+}

src/Security/Security/ChangeLog.md

@@ -0,0 +1,25 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Microsoft.Azure.Commands.Security.Models.AllowedConnection
+{
+    public class PSSecurityConnectableResources
+    {
+        /// <summary>
+        /// Gets azure resource id
+        /// </summary>
+        public string Id { get; set; }
+
+        /// <summary>
+        /// Gets The list of Azure resources that the resource has inbound allowed connection from
+        /// </summary>
+        public IList<PSSecurityConnectedResource> InboundConnectedResources { get; set; }
+
+        /// <summary>
+        /// The list of Azure resources that the resource has outbound allowed connection to
+        /// </summary>
+        public IList<PSSecurityConnectedResource> OutboundConnectedResources { get; set; }
+
+    }
+}