<#
.SYNOPSIS
    Assigns Build-namespace (pipeline) permissions for an Azure DevOps group on one repository.
.PARAMETER personal_access_token
    Azure DevOps PAT; encoded into an "Authorization: Basic" header by main.
    Plain [string] passed on the command line, so it is visible to process listings and shell history.
.PARAMETER pipelines_permissions
    JSON document mapping Build action names to "Allow" (anything else is treated as deny).
    An empty value turns the whole script into a no-op.
.PARAMETER group_descriptor
    Azure DevOps group descriptor of the form "<type>.<base64 identifier>"; the part after the
    first '.' is base64-decoded by Get-GroupDescriptor.
.PARAMETER project_id
    Project id; combined with repository_name into the security token "<project_id>/<repository_name>".
.PARAMETER repository_name
    Repository the permissions are scoped to (second half of the security token).
#>
param (
    [Parameter(Mandatory = $true)][string]$personal_access_token,
    [Parameter(Mandatory = $true)]$pipelines_permissions,
    [Parameter(Mandatory = $true)][string]$group_descriptor,
    [Parameter(Mandatory = $true)][string]$project_id,
    [Parameter(Mandatory = $true)][string]$repository_name
)
# Azure DevOps organization; hard-coded into every dev.azure.com URL built below.
# TODO(review): consider turning this into a script parameter so the script is reusable across organizations.
[string]$organization = 'cponsn'
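function Get-GroupDescriptor($header)
{
    <#
    .SYNOPSIS
        Decodes the identity descriptor embedded in the script-level $group_descriptor.
    .DESCRIPTION
        Azure DevOps group descriptors have the form "<subject type>.<base64 identifier>".
        This takes the part after the first '.', restores any stripped base64 '=' padding and
        decodes it as UTF-8. The result is what Set-PipelinesPermissions appends to
        "Microsoft.TeamFoundation.Identity;" in each access control entry.
    .PARAMETER header
        Not used by this function; kept so the existing call in main keeps working.
    .OUTPUTS
        [string] the decoded identity descriptor.
    .NOTES
        Throws (with the underlying cause in the message) when the descriptor has no '.' part
        or the encoded part is not valid base64. The unreachable `exit 1` statements that
        followed each `throw` in the original were removed.
    #>
    try {
        # Part after the first '.'; $null when the descriptor contains no '.' at all
        $encoded_group_descriptor = $group_descriptor.Split('.')[1]
        if (-not $encoded_group_descriptor) {
            throw "Group descriptor not found"
        }
        # Descriptors may arrive without '=' padding; FromBase64String needs a length that is a multiple of 4
        $padding = $encoded_group_descriptor.Length % 4
        if ($padding -ne 0) {
            $target_length = $encoded_group_descriptor.Length + (4 - $padding)
            $encoded_group_descriptor = $encoded_group_descriptor.PadRight($target_length, [char]'=')
        }
        return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded_group_descriptor))
    }
    catch {
        # Keep the cause: a missing descriptor part and an invalid base64 string are otherwise indistinguishable
        throw "Error when trying to retrieve the group descriptor: $($_.Exception.Message)"
    }
}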
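function Set-PipelinesPermissions($header, $descriptor)
{
    <#
    .SYNOPSIS
        Writes one Build-namespace access control entry per action for the group on the repository token.
    .DESCRIPTION
        Reads the Azure DevOps security namespaces, picks the "Build" namespace and, for each of its
        actions, posts an ACE for the token "<project_id>/<repository_name>" (script-level parameters)
        that allows the action when $pipelines_permissions maps the action name to "Allow" and
        denies it otherwise. Any failure is written to the error stream and ends the script with exit code 1.
    .PARAMETER header
        Hashtable of HTTP headers carrying the Basic authorization for dev.azure.com.
    .PARAMETER descriptor
        Decoded identity descriptor (output of Get-GroupDescriptor); appended to
        "Microsoft.TeamFoundation.Identity;" in every ACE.
    .NOTES
        ConvertFrom-Json -AsHashtable requires PowerShell 6 or later.
        NOTE(review): actions absent from $pipelines_permissions are explicitly denied, not left unset —
        confirm this is the intended default.
    #>
    try {
        $security_ns_uri = "https://dev.azure.com/${organization}/_apis/securitynamespaces?api-version=6.0"
        $security_namespaces = Invoke-RestMethod -Uri $security_ns_uri -Method Get -Headers $header
        if (-not $security_namespaces) {
            throw "Error trying to retrieve the security namespaces"
        }
        # Resolve the Build namespace once instead of filtering the list twice
        $build_ns = $security_namespaces.value | Where-Object name -eq "Build"
        $build_ns_id = $build_ns.namespaceId
        if (-not $build_ns_id) {
            throw "Empty build ns. Something went wrong"
        }
        $build_ns_actions = $build_ns.actions
        if (-not $build_ns_actions) {
            throw "Empty build ns actions. Something went wrong"
        }
        # Action name -> "Allow"/"Deny" lookup (requires PowerShell 6+)
        $permissions = $pipelines_permissions | ConvertFrom-Json -AsHashtable
        # Security token of a repository-scoped Build ACE; same for every action
        $token = "$project_id/$repository_name"
        $assign_permissions_url = "https://dev.azure.com/${organization}/_apis/accesscontrolentries/${build_ns_id}?api-version=6.0"
        foreach ($action in $build_ns_actions)
        {
            $bit = $action.bit
            # Only an explicit "Allow" (-eq is case-insensitive) grants the bit; everything else denies it
            if ($permissions[$action.name] -eq "Allow") {
                $allow = $bit
                $deny = 0
            }
            else {
                $allow = 0
                $deny = $bit
            }
            # Serialize a structure instead of interpolating into a JSON literal, so quotes or
            # backslashes in the project id, repository name or descriptor cannot break or alter the document
            $ace = [ordered]@{
                descriptor = "Microsoft.TeamFoundation.Identity;${descriptor}"
                allow      = $allow
                deny       = $deny
            }
            $permission_body = [ordered]@{
                token                = $token
                merge                = $true
                accessControlEntries = @($ace)
            } | ConvertTo-Json -Depth 5
            # Body contains the descriptor and the token, no credentials
            Write-Host "request: ${permission_body}"
            $result = Invoke-WebRequest -Uri $assign_permissions_url -Method Post -ContentType "application/json" -Headers $header -Body $permission_body
            if ($result.StatusCode -ne 200) {
                throw "Error trying to add a permission"
            }
        }
    }
    catch {
        Write-Host "Error when trying to modify the pipeline permissions"
        Write-Error $_.Exception
        exit 1
    }
}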
function main()
{
    <#
    .SYNOPSIS
        Script entry point: builds the Basic-auth header from the PAT and applies the requested permissions.
    .DESCRIPTION
        Prints a message and does nothing when $pipelines_permissions is empty. Otherwise encodes
        ":<PAT>" as base64 for an "Authorization: Basic" header, resolves the group descriptor with
        Get-GroupDescriptor and hands both to Set-PipelinesPermissions. This function does not
        write the PAT to any output stream.
    #>
    if (-not $pipelines_permissions) {
        Write-Host "Empty pipelines permissions, nothing to do here."
        return
    }
    # Azure DevOps PAT over Basic auth: empty user name, the token as the password
    $pat_bytes = [System.Text.Encoding]::ASCII.GetBytes(":${personal_access_token}")
    $header = @{ authorization = "Basic $([System.Convert]::ToBase64String($pat_bytes))" }
    $descriptor = Get-GroupDescriptor $header
    Set-PipelinesPermissions $header $descriptor
}

main