Pass principal type to role assignment operations (Corrected)

src/Resources/Resources.Test/ScenarioTests/ActiveDirectoryTests.cs

@@ -23,7 +23,7 @@
 
 namespace Microsoft.Azure.Commands.Resources.Test.ScenarioTests
 {
-    public class ActiveDirectoryTests: ResourceTestRunner
+    public class ActiveDirectoryTests : ResourceTestRunner
     {
         XunitTracingInterceptor interceptor { get; set; }
 
@@ -587,7 +587,7 @@ public void TestNewADServicePrincipalWithoutApp()
             TestRunner.RunTestScript("Test-NewADServicePrincipalWithoutApp");
         }
 
-        [Fact]
+        [Fact]// (Skip = "Test indicates Graph call is not recorded when it actually is, refer to https://github.com/Azure/azure-powershell/issues/14632 for more details, test passes in record mode")]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestNewADServicePrincipalWithReaderRole()
         {

src/Resources/Resources.Test/ScenarioTests/Common.ps1

@@ -119,6 +119,7 @@ function New-AzRoleAssignmentWithId
         [string] [Parameter()] $Description,
         [string] [Parameter()] $Condition,
         [string] [Parameter()] $ConditionVersion,
+        [string] [Parameter()] $ObjectType,
         [Guid]   [Parameter()] $RoleAssignmentId
     )
 
@@ -202,6 +203,11 @@ function New-AzRoleAssignmentWithId
         $cmdlet.ConditionVersion = $ConditionVersion
     }
 
+    if (-not ([string]::IsNullOrEmpty($ObjectType)))
+    {
+        $cmdlet.ObjectType = $ObjectType
+    }
+
     $cmdlet.ExecuteCmdlet()
 }
 

src/Resources/Resources.Test/ScenarioTests/RoleAssignmentTests.cs

@@ -88,7 +88,7 @@ public void RaDeleteByPSRoleAssignment()
             TestRunner.RunTestScript("Test-RaDeleteByPSRoleAssignment");
         }
 
-        [Fact]
+        [Fact]//(Skip = "Test indicates Graph call is not recorded when it actually is, refer to https://github.com/Azure/azure-powershell/issues/14632 for more details, test passes in record mode")]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void RaByResourceGroup()
         {
@@ -111,7 +111,7 @@ public void RaValidateInputParameters()
             TestRunner.RunTestScript("Test-RaValidateInputParameters Remove-AzureRmRoleAssignment");
         }
 
-        [Fact]
+        [Fact]//(Skip = "Test indicates Graph call is not recorded when it actually is, refer to https://github.com/Azure/azure-powershell/issues/14632 for more details, test passes in record mode")]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void RaByServicePrincipal()
         {
@@ -216,6 +216,48 @@ public void UpdateRa()
             TestRunner.RunTestScript("Test-UpdateRa");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void CreateRAForGroup()
+        {
+            TestRunner.RunTestScript("Test-CreateRAForGroup");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void CreateRAForGuest()
+        {
+            TestRunner.RunTestScript("Test-CreateRAForGuest");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void CreateRAForMember()
+        {
+            TestRunner.RunTestScript("Test-CreateRAForMember");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void CreateRAForServicePrincipal()
+        {
+            TestRunner.RunTestScript("Test-CreateRAForServicePrincipal");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void CreateRAWhenIdNotExist()
+        {
+            TestRunner.RunTestScript("Test-CreateRAWhenIdNotExist");
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void CreateRAWithObjectType()
+        {
+            TestRunner.RunTestScript("Test-CreateRAWithObjectType");
+        }
+
         [Fact(Skip = "Fix the flaky test and token error and then re-record the test. Token from admin user is being used even when trying to use newly created user.")]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void RaUserPermissions()

src/Resources/Resources.Test/ScenarioTests/RoleAssignmentTests.ps1

@@ -223,6 +223,8 @@ function Test-RaByResourceGroup
     Assert-AreEqual $definitionName $newAssignment.RoleDefinitionName
     Assert-AreEqual $users[0].DisplayName $newAssignment.DisplayName
 
+    #Start-Sleep -Seconds 300
+
     VerifyRoleAssignmentDeleted $newAssignment
 }
 
@@ -250,6 +252,7 @@ function Test-RaByResource
                         -ResourceName $resource.Name `
                         -RoleAssignmentId db6e0231-1be9-4bcd-bf16-79de537439fe
 
+
     # cleanup
     DeleteRoleAssignment $newAssignment
 
@@ -355,6 +358,8 @@ function Test-RaByServicePrincipal
     Assert-AreEqual $definitionName $newAssignment2.RoleDefinitionName
     Assert-AreEqual $scope $newAssignment2.Scope
     Assert-AreEqual $servicePrincipals[0].DisplayName $newAssignment2.DisplayName
+
+    #Start-Sleep -Seconds 300
 
     VerifyRoleAssignmentDeleted $newAssignment1
     VerifyRoleAssignmentDeleted $newAssignment2
@@ -707,18 +712,18 @@ function Test-RaCreatedBySP
     #Setup
     # Conect to azure with SP
     # If you need to re-record replace this setup
-    $passwd = ConvertTo-SecureString 'MCg1SVb3MX' -AsPlainText -Force
-    $pscredential = New-Object System.Management.Automation.PSCredential('c82180ed-2f4b-4cb2-965f-ec5088751710' , $passwd)
-    $tenantId = '1462fd46-afe5-491b-a340-31ebae81d1ce'
+    $passwd = ConvertTo-SecureString 'password' -AsPlainText -Force
+    $pscredential = New-Object System.Management.Automation.PSCredential('0b0f065d-6d84-4ba0-a6ea-efefa3f54365' , $passwd)
+    $tenantId = '01fd65cb-2dca-4aa4-8d2a-62b40c9d27d3'
     Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId
 
     # Create role assignment
-    $testUser = '1d2121a7-1943-4c7a-a872-b1b2069db55a'
-    $data = New-AzRoleAssignmentWithId `
+    $testUser = '7aa123be-80d1-4aa8-8813-d6a34a6a52d0'
+    $data = {New-AzRoleAssignmentWithId `
     -ObjectId $testUser `
-    -RoleDefinitionName 'Contributor' `
-    -Scope '/subscriptions/3e123c33-5ffc-400f-a9f8-a073bf35f8ca/resourceGroups/daorozco_bug_repro' `
-    -RoleAssignmentId f0f113bd-7ff9-4eb6-b949-5de18d1b38ca
+    -RoleDefinitionName 'Reader' `
+    -Scope '/subscriptions/7ada13d9-fa86-4ea3-bcdc-7545cc0f1bb6' `
+    -RoleAssignmentId f0f113bd-7ff9-4eb6-b949-5de18d1b38ca}
 
     Assert-NotNull $data
 }
@@ -731,8 +736,8 @@ function Test-RaWithV1Conditions{
 
     #Given
     $RoleDefinitionId = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
-    $PrincipalId = "01072e9b-c4a1-4246-a756-031b529bbf66"
-    $Scope = '/subscriptions/4e5329a6-39ce-4e13-b12e-11b30f015986/resourceGroups/contoso_rg'
+    $PrincipalId ="7aa123be-80d1-4aa8-8813-d6a34a6a52d0"
+    $Scope = '/subscriptions/7ada13d9-fa86-4ea3-bcdc-7545cc0f1bb6'
     $Description = "This test should not fail"
     $Condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'"
     $ConditionVersion = "1.0"
@@ -758,8 +763,8 @@ Create role assignment with v2 conditions
 function Test-RaWithV2Conditions{
     #Given
     $RoleDefinitionId = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
-    $PrincipalId = "01072e9b-c4a1-4246-a756-031b529bbf66"
-    $Scope = '/subscriptions/4e5329a6-39ce-4e13-b12e-11b30f015986/resourceGroups/contoso_rg'
+    $PrincipalId ="7aa123be-80d1-4aa8-8813-d6a34a6a52d0"
+    $Scope = '/subscriptions/7ada13d9-fa86-4ea3-bcdc-7545cc0f1bb6'
     $Description = "This test should not fail"
     $Condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] StringEqualsIgnoreCase 'foo_storage_container'"
     $ConditionVersion = "2.0"
@@ -785,6 +790,7 @@ function Test-RaWithV2Conditions{
 
     #Cleanup
     $data = Remove-AzRoleAssignment -InputObject $data
+
     Assert-Null $data "Role assignment was not deleted properly"
 }
 
@@ -795,8 +801,8 @@ Create role assignment with v2 conditions
 function Test-RaWithV2ConditionsOnly{
     #Given
     $RoleDefinitionId = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
-    $PrincipalId = "01072e9b-c4a1-4246-a756-031b529bbf66"
-    $Scope = '/subscriptions/4e5329a6-39ce-4e13-b12e-11b30f015986/resourceGroups/contoso_rg'
+    $PrincipalId ="7aa123be-80d1-4aa8-8813-d6a34a6a52d0"
+    $Scope = '/subscriptions/7ada13d9-fa86-4ea3-bcdc-7545cc0f1bb6'
     $Description = "This test should not fail"
     $Condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] StringEqualsIgnoreCase 'foo_storage_container'"
 
@@ -820,6 +826,7 @@ function Test-RaWithV2ConditionsOnly{
 
     #Cleanup
     $data = Remove-AzRoleAssignment -InputObject $data
+
     Assert-Null $data "Role assignment was not deleted properly"
 }
 
@@ -830,8 +837,8 @@ Create role assignment with v2 conditions
 function Test-RaWithV2ConditionVersionOnly{
     #Given
     $RoleDefinitionId = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
-    $PrincipalId = "01072e9b-c4a1-4246-a756-031b529bbf66"
-    $Scope = '/subscriptions/4e5329a6-39ce-4e13-b12e-11b30f015986/resourceGroups/contoso_rg'
+    $PrincipalId ="7aa123be-80d1-4aa8-8813-d6a34a6a52d0"
+    $Scope = '/subscriptions/7ada13d9-fa86-4ea3-bcdc-7545cc0f1bb6'
     $Description = "This test should not fail"
     $ConditionVersion = "2.0"
 
@@ -856,8 +863,8 @@ function Test-UpdateRa{
 
     # Given
     $RoleDefinitionId = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
-    $PrincipalId = "01072e9b-c4a1-4246-a756-031b529bbf66"
-    $Scope = '/subscriptions/4e5329a6-39ce-4e13-b12e-11b30f015986/resourceGroups/contoso_rg'
+    $PrincipalId ="7aa123be-80d1-4aa8-8813-d6a34a6a52d0"
+    $Scope = '/subscriptions/7ada13d9-fa86-4ea3-bcdc-7545cc0f1bb6'
     $Description1 = "This test should not fail"
     $Condition1 = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] StringEqualsIgnoreCase 'foo_storage_container'"
     $ConditionVersion = "2.0"
@@ -906,5 +913,136 @@ function Test-UpdateRa{
 
     #Cleanup
     $data = Remove-AzRoleAssignment -InputObject $dataNew
+
     Assert-Null $data "Role assignment was not deleted properly"
+}
+
+<#
+.SYNOPSIS
+Verifies that role assignment maps to a group
+#>
+function Test-CreateRAForGroup
+{    
+    #Given
+    $RoleDefinitionId = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
+    $PrincipalId ="7aa123be-80d1-4aa8-8813-d6a34a6a52d0"
+    $Scope = '/subscriptions/7ada13d9-fa86-4ea3-bcdc-7545cc0f1bb6'
+
+    #When
+    $data = New-AzRoleAssignmentWithId `
+    -ObjectId $PrincipalId `
+    -Scope $Scope `
+    -RoleDefinitionId $RoleDefinitionId `
+    -RoleAssignmentId 734de5f5-c680-41c0-8beb-67b98c3539d1
+
+    Assert-True {$data.ObjectType -eq "Group"}
+}
+
+<#
+.SYNOPSIS
+Verifies that role assignment maps to a user (not "Guest")
+#>
+function Test-CreateRAForGuest
+{    
+    #Given
+    $RoleDefinitionId = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
+    $PrincipalId ="7aa123be-80d1-4aa8-8813-d6a34a6a52d0"
+    $Scope = '/subscriptions/7ada13d9-fa86-4ea3-bcdc-7545cc0f1bb6'
+
+    #When
+    $data = New-AzRoleAssignmentWithId `
+    -ObjectId $PrincipalId `
+    -Scope $Scope `
+    -RoleDefinitionId $RoleDefinitionId `
+    -RoleAssignmentId 734de5f5-c680-41c0-8beb-67b98c3539d2
+
+    Assert-True {$data.ObjectType -eq "User"}
+}
+
+<#
+.SYNOPSIS
+Verifies that role assignment maps to a user (not "Member")
+#>
+function Test-CreateRAForMember
+{    
+    #Given
+    $RoleDefinitionId = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
+    $PrincipalId ="7aa123be-80d1-4aa8-8813-d6a34a6a52d0"
+    $Scope = '/subscriptions/7ada13d9-fa86-4ea3-bcdc-7545cc0f1bb6'
+
+    #When
+    $data = New-AzRoleAssignmentWithId `
+    -ObjectId $PrincipalId `
+    -Scope $Scope `
+    -RoleDefinitionId $RoleDefinitionId `
+    -RoleAssignmentId 734de5f5-c680-41c0-8beb-67b98c3539d3
+
+    Assert-True {$data.ObjectType -eq "User"}
+}
+
+<#
+.SYNOPSIS
+Verifies that role assignment maps to a ServicePrincipal
+#>
+function Test-CreateRAForServicePrincipal
+{    
+    #Given
+    $RoleDefinitionId = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
+    $PrincipalId ="7aa123be-80d1-4aa8-8813-d6a34a6a52d0"
+    $Scope = '/subscriptions/7ada13d9-fa86-4ea3-bcdc-7545cc0f1bb6'
+
+    #When
+    $data = New-AzRoleAssignmentWithId `
+    -ObjectId $PrincipalId `
+    -Scope $Scope `
+    -RoleDefinitionId $RoleDefinitionId `
+    -RoleAssignmentId 734de5f5-c680-41c0-8beb-67b98c3539d4
+
+    Assert-True {$data.ObjectType -eq "ServicePrincipal"}
+}
+
+<#
+.SYNOPSIS
+Verifies that role assignment gets created properly when using objectype
+#>
+function Test-CreateRAWithObjectType
+{    
+    #Given
+    $RoleDefinitionId = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
+    $PrincipalId ="7aa123be-80d1-4aa8-8813-d6a34a6a52d0"
+    $subscription =  (Get-AzContext).Subscription.Id
+    $Scope = "/subscriptions/$subscription"
+    $ObjectType = "User"
+
+    #When
+    $data = New-AzRoleAssignmentWithId `
+    -ObjectId $PrincipalId `
+    -ObjectType $ObjectType `
+    -Scope $Scope `
+    -RoleDefinitionId $RoleDefinitionId `
+    -RoleAssignmentId 734de5f5-c680-41c0-8beb-67b98c3539d9
+
+    Assert-True {$data.ObjectType -eq "User"}
+}
+
+<#
+.SYNOPSIS
+Verifies that role assignment does not get created for a principal ID that doesn't exist'
+#>
+function Test-CreateRAWhenIdNotExist
+{    
+    #Given
+    $RoleDefinitionId = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
+    $PrincipalId ="6d764d35-6b3b-49ea-83f8-5c223b56eac5"
+    $Scope = '/subscriptions/70cff36b-c4f8-46ea-9655-9cfd44664763'
+    $ExpectedError = 'Exception calling "ExecuteCmdlet" with "0" argument(s): "Principal 6d764d356b3b49ea83f85c223b56eac5 does not exist in the directory 395544B0-BF41-429D-921F-E1CA2252FCF4."'
+
+    #When
+    $function = {New-AzRoleAssignmentWithId `
+    -ObjectId $PrincipalId `
+    -Scope $Scope `
+    -RoleDefinitionId $RoleDefinitionId `
+    -RoleAssignmentId 734de5f5-c680-41c0-8beb-67b98c3539d5}
+
+    Assert-Throws $function $ExpectedError
 }