karlospn · March 9, 2021 20:43
diff --git a/Set AzDo pipelines permissions at folder level b/Set AzDo pipelines permissions at folder level
 param (
    [Parameter(Mandatory=$true)][string]$personal_access_token,
    [Parameter(Mandatory=$true)]$pipelines_permissions,
    [Parameter(Mandatory=$true)][string]$group_descriptor,
    [Parameter(Mandatory=$true)][string]$project_id,
    [Parameter(Mandatory=$true)][string]$repository_name)


 # Set the organization
 $organization = "cponsn"

 function Get-GroupDescriptor($header)
 {
    try {

        # Get the group descriptor
        $encoded_group_descriptor = $group_descriptor.Split('.')[1]
        if(!$encoded_group_descriptor)
        {
            throw "Group descriptor not found"
            exit 1
        }

        ## Re-calculate the base64 value if necessary
        $padding = $encoded_group_descriptor.length % 4
        if ( $padding -ne 0 ) {

            $extra_padding = 4 - $padding
            $encoded_group_descriptor = $encoded_group_descriptor.PadRight($encoded_group_descriptor.Length + $extra_padding, [char]61)
        }

        ## Decode the group descriptor
        $descriptor = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded_group_descriptor))
        return $descriptor
    }
    catch {
        throw "Error when trying to retrieve the group descriptor"
        exit 1
    }

 }

 function Set-PipelinesPermissions($header, $descriptor)
 {
    try {

        # Get Security Namespaces
        $security_ns_uri = "https://dev.azure.com/${organization}/_apis/securitynamespaces?api-version=6.0"
        $security_namespaces = Invoke-RestMethod -Uri $security_ns_uri -Method Get -Headers $header
        if(!$security_namespaces)
        {
            Throw "Error trying to retrieve the security namespaces"
        }

        # Get Build Namespace
        $build_ns_id = ($security_namespaces.value | Where-Object name -eq "Build").namespaceId
        if(!$build_ns_id)
        {
            Throw "Empty build ns. Something went wrong"
        }

        # Get Build Namespace Actions
        $build_ns_actions  = ($security_namespaces.value | Where-Object name -eq "Build").actions
        if(!$build_ns_actions)
        {
            Throw "Empty build ns actions. Something went wrong"
        }

        # Transform permissions to object
        $permissions = $pipelines_permissions | ConvertFrom-Json -AsHashtable

        # Loop through all the actions
        foreach ($action in $build_ns_actions)
        {
            $r = $permissions[$action.name]
            $bit = $action.bit

            if(($r) -and ($r -eq "Allow"))
            {

 $permission_body = @"
 {
  "token": "$project_id/$repository_name",
  "merge": true,
  "accessControlEntries": [
    {
      "descriptor": "Microsoft.TeamFoundation.Identity;${descriptor}",
      "allow": ${bit},
      "deny": 0
    }
  ]
 }
 "@
            }
            else
            {

 $permission_body = @"
 {
  "token": "$project_id/$repository_name",
  "merge": true,
  "accessControlEntries": [
    {
      "descriptor": "Microsoft.TeamFoundation.Identity;${descriptor}",
      "deny": ${bit},
      "allow": 0
    }
  ]
 }
 "@
            }

            # Set permission
            Write-Host("request: ${permission_body}")
            $assign_permissions_url = "https://dev.azure.com/${organization}/_apis/accesscontrolentries/${build_ns_id}" + "?api-version=6.0"
            $result = Invoke-WebRequest -Uri $assign_permissions_url -Method Post -ContentType "application/json" -Headers $header -Body $permission_body
            if($result.StatusCode -ne 200)
            {
                Throw "Error trying to add a permission"
            }
        }
    }
    catch {
        Write-Host "Error when trying to modify the pipeline permissions"
        Write-Error $_.Exception
        exit 1
    }
 }


 function main()
 {
    if(!$pipelines_permissions)
    {
        Write-Host("Empty pipelines permissions, nothing to do here.")
    }
    else {
        # Generate authentication header
        $token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($personal_access_token)"))
        $header = @{authorization = "Basic $token"}

        $descriptor = Get-GroupDescriptor $header
        Set-PipelinesPermissions $header $descriptor
    }
 }

 main
	param (
	[Parameter(Mandatory=$true)][string]$personal_access_token,
	[Parameter(Mandatory=$true)]$pipelines_permissions,
	[Parameter(Mandatory=$true)][string]$group_descriptor,
	[Parameter(Mandatory=$true)][string]$project_id,
	[Parameter(Mandatory=$true)][string]$repository_name)


	# Set the organization
	$organization = "cponsn"

	function Get-GroupDescriptor($header)
	{
	try {

	# Get the group descriptor
	$encoded_group_descriptor = $group_descriptor.Split('.')[1]
	if(!$encoded_group_descriptor)
	{
	throw "Group descriptor not found"
	exit 1
	}

	## Re-calculate the base64 value if necessary
	$padding = $encoded_group_descriptor.length % 4
	if ( $padding -ne 0 ) {

	$extra_padding = 4 - $padding
	$encoded_group_descriptor = $encoded_group_descriptor.PadRight($encoded_group_descriptor.Length + $extra_padding, [char]61)
	}

	## Decode the group descriptor
	$descriptor = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded_group_descriptor))
	return $descriptor
	}
	catch {
	throw "Error when trying to retrieve the group descriptor"
	exit 1
	}

	}

	function Set-PipelinesPermissions($header, $descriptor)
	{
	try {

	# Get Security Namespaces
	$security_ns_uri = "https://dev.azure.com/${organization}/_apis/securitynamespaces?api-version=6.0"
	$security_namespaces = Invoke-RestMethod -Uri $security_ns_uri -Method Get -Headers $header
	if(!$security_namespaces)
	{
	Throw "Error trying to retrieve the security namespaces"
	}

	# Get Build Namespace
	$build_ns_id = ($security_namespaces.value \| Where-Object name -eq "Build").namespaceId
	if(!$build_ns_id)
	{
	Throw "Empty build ns. Something went wrong"
	}

	# Get Build Namespace Actions
	$build_ns_actions = ($security_namespaces.value \| Where-Object name -eq "Build").actions
	if(!$build_ns_actions)
	{
	Throw "Empty build ns actions. Something went wrong"
	}

	# Transform permissions to object
	$permissions = $pipelines_permissions \| ConvertFrom-Json -AsHashtable

	# Loop through all the actions
	foreach ($action in $build_ns_actions)
	{
	$r = $permissions[$action.name]
	$bit = $action.bit

	if(($r) -and ($r -eq "Allow"))
	{

	$permission_body = @"
	{
	"token": "$project_id/$repository_name",
	"merge": true,
	"accessControlEntries": [
	{
	"descriptor": "Microsoft.TeamFoundation.Identity;${descriptor}",
	"allow": ${bit},
	"deny": 0
	}
	]
	}
	"@
	}
	else
	{

	$permission_body = @"
	{
	"token": "$project_id/$repository_name",
	"merge": true,
	"accessControlEntries": [
	{
	"descriptor": "Microsoft.TeamFoundation.Identity;${descriptor}",
	"deny": ${bit},
	"allow": 0
	}
	]
	}
	"@
	}

	# Set permission
	Write-Host("request: ${permission_body}")
	$assign_permissions_url = "https://dev.azure.com/${organization}/_apis/accesscontrolentries/${build_ns_id}" + "?api-version=6.0"
	$result = Invoke-WebRequest -Uri $assign_permissions_url -Method Post -ContentType "application/json" -Headers $header -Body $permission_body
	if($result.StatusCode -ne 200)
	{
	Throw "Error trying to add a permission"
	}
	}
	}
	catch {
	Write-Host "Error when trying to modify the pipeline permissions"
	Write-Error $_.Exception
	exit 1
	}
	}


	function main()
	{
	if(!$pipelines_permissions)
	{
	Write-Host("Empty pipelines permissions, nothing to do here.")
	}
	else {
	# Generate authentication header
	$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($personal_access_token)"))
	$header = @{authorization = "Basic $token"}

	$descriptor = Get-GroupDescriptor $header
	Set-PipelinesPermissions $header $descriptor
	}
	}

	main