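param (
    # Azure DevOps personal access token, sent as HTTP Basic credentials to dev.azure.com.
    # SECURITY: a PAT passed as a plain command-line argument ends up in shell history,
    # process listings and any PowerShell transcript. When scripting, feed it from an
    # environment variable or a secret store rather than typing it on the command line.
    [Parameter(Mandatory=$true)][string]$personal_access_token,
    # JSON object mapping Build-namespace action names to "Allow" (anything else is denied),
    # e.g. '{"ViewBuilds":"Allow","EditBuildDefinition":"Deny"}'.
    [Parameter(Mandatory=$true)][string]$pipelines_permissions,
    # Graph descriptor of the target group, "<subjectType>.<base64 payload>" (e.g. "vssgp.Uy0x...").
    [Parameter(Mandatory=$true)][string]$group_descriptor,
    # Project id and repository name; together they form the security token "<project_id>/<repository_name>".
    [Parameter(Mandatory=$true)][string]$project_id,
    [Parameter(Mandatory=$true)][string]$repository_name,
    # Azure DevOps organization. Previously a hard-coded constant; the default keeps the old value.
    [string]$organization = "cponsn")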
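function Get-GroupDescriptor($header)
{
    <#
    .SYNOPSIS
        Decodes the payload of the script-level $group_descriptor.
    .DESCRIPTION
        Azure DevOps graph descriptors have the shape "<subject type>.<base64 payload>"
        (e.g. "vssgp.Uy0xLTk..."). This takes the second dot-separated segment, maps the
        URL-safe base64 alphabet ("-" / "_") back to the standard one, restores the "="
        padding and decodes the result as UTF-8.
    .PARAMETER header
        Accepted for symmetry with Set-PipelinesPermissions; not used (no request is made).
    .OUTPUTS
        [string] The decoded payload, later embedded as "Microsoft.TeamFoundation.Identity;<value>".
    .NOTES
        Throws when the descriptor has no payload segment or the payload does not decode;
        the underlying error message is appended so the cause is not lost.
    #>
    try {
        # Second segment is the encoded payload; the prefix is the subject type.
        $encoded_group_descriptor = $group_descriptor.Split('.')[1]
        if(!$encoded_group_descriptor)
        {
            throw "Group descriptor not found"
        }
        # Descriptors may be issued in the URL-safe base64 alphabet, which FromBase64String
        # rejects. Standard base64 contains neither "-" nor "_", so this is a no-op for it.
        $encoded_group_descriptor = $encoded_group_descriptor.Replace('-', '+').Replace('_', '/')
        # Restore the "=" padding that the URL-safe form strips.
        $padding = $encoded_group_descriptor.Length % 4
        if ( $padding -ne 0 ) {
            $extra_padding = 4 - $padding
            $encoded_group_descriptor = $encoded_group_descriptor.PadRight($encoded_group_descriptor.Length + $extra_padding, [char]'=')
        }
        $descriptor = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded_group_descriptor))
        return $descriptor
    }
    catch {
        # Same message as before, but carry the cause; the old "exit 1" after "throw" was unreachable.
        throw "Error when trying to retrieve the group descriptor: $($_.Exception.Message)"
    }
}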
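function Set-PipelinesPermissions($header, $descriptor)
{
    <#
    .SYNOPSIS
        Applies Build-namespace permissions for one group on the token "<project_id>/<repository_name>".
    .DESCRIPTION
        Looks up the "Build" security namespace and then, for EVERY action it defines, posts one
        access control entry for the group. Actions mapped to "Allow" in $pipelines_permissions
        receive the allow bit; every other action — including ones not mentioned at all — receives
        an explicit deny bit. Callers must therefore list every action they want allowed; omission
        is a deny, not "leave unchanged".
    .PARAMETER header
        Hashtable of HTTP headers carrying the Basic authorization built by main.
    .PARAMETER descriptor
        Decoded identity descriptor (output of Get-GroupDescriptor) naming the group.
    .NOTES
        Reads the script-level $organization, $pipelines_permissions, $project_id and
        $repository_name. ConvertFrom-Json -AsHashtable requires PowerShell 6 or later.
        The request body is written to the host for tracing; the authorization header is not.
        On any failure the error is written and the script exits with code 1.
    #>
    try {
        # Resolve the Build security namespace and its action bits
        $security_ns_uri = "https://dev.azure.com/${organization}/_apis/securitynamespaces?api-version=6.0"
        $security_namespaces = Invoke-RestMethod -Uri $security_ns_uri -Method Get -Headers $header
        if(!$security_namespaces)
        {
            Throw "Error trying to retrieve the security namespaces"
        }
        $build_ns = $security_namespaces.value | Where-Object name -eq "Build"
        $build_ns_id = $build_ns.namespaceId
        if(!$build_ns_id)
        {
            Throw "Empty build ns. Something went wrong"
        }
        $build_ns_actions = $build_ns.actions
        if(!$build_ns_actions)
        {
            Throw "Empty build ns actions. Something went wrong"
        }

        # Requested permissions: { "<action name>": "Allow" | anything else }
        $permissions = $pipelines_permissions | ConvertFrom-Json -AsHashtable

        $assign_permissions_url = "https://dev.azure.com/${organization}/_apis/accesscontrolentries/${build_ns_id}?api-version=6.0"
        $token = "$project_id/$repository_name"
        $identity = "Microsoft.TeamFoundation.Identity;${descriptor}"

        foreach ($action in $build_ns_actions)
        {
            $bit = [int]$action.bit
            $requested = $permissions[$action.name]
            # Fail closed: only an explicit "Allow" grants; missing or any other value denies.
            $allow = 0
            $deny = 0
            if(($requested) -and ($requested -eq "Allow"))
            {
                $allow = $bit
            }
            else
            {
                $deny = $bit
            }

            # Build the body as objects and serialise with ConvertTo-Json instead of splicing
            # strings into a here-string: the descriptor is base64-decoded from caller input and
            # the project/repository names are caller input too, so a quote or backslash in any
            # of them would otherwise break the document or inject additional entries.
            # NOTE(review): "merge" asks the service to merge these bits into any existing ACE
            # for the identity; confirm whether a previously set bit is cleared by sending 0.
            $ace = @{
                descriptor = $identity
                allow      = $allow
                deny       = $deny
            }
            $permission_body = @{
                token                = $token
                merge                = $true
                accessControlEntries = @($ace)
            } | ConvertTo-Json -Depth 5

            Write-Host("request: ${permission_body}")
            $result = Invoke-WebRequest -Uri $assign_permissions_url -Method Post -ContentType "application/json" -Headers $header -Body $permission_body
            # Invoke-WebRequest throws on HTTP errors by default; this is a belt-and-braces check.
            if($result.StatusCode -ne 200)
            {
                Throw "Error trying to add a permission"
            }
        }
    }
    catch {
        Write-Host "Error when trying to modify the pipeline permissions"
        Write-Error $_.Exception
        exit 1
    }
}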
function main()
{
    <#
    .SYNOPSIS
        Entry point: builds the Basic authorization header from the PAT and applies the permissions.
    .DESCRIPTION
        Prints a message and stops when $pipelines_permissions is empty. Otherwise encodes
        ":<PAT>" (empty user name, as Azure DevOps expects) as Basic credentials, decodes the
        group descriptor and hands both to Set-PipelinesPermissions.
    .NOTES
        The PAT is placed only in the Authorization header; this function does not log it.
    #>
    if (-not $pipelines_permissions)
    {
        Write-Host("Empty pipelines permissions, nothing to do here.")
        return
    }

    # HTTP Basic: base64(":" + PAT); the user name part is intentionally empty
    $basic_credentials = ":$($personal_access_token)"
    $encoded_credentials = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($basic_credentials))
    $auth_header = @{authorization = "Basic $encoded_credentials"}

    $group_identity = Get-GroupDescriptor $auth_header
    Set-PipelinesPermissions $auth_header $group_identity
}
# Run the script: parameters are bound by the param block above, then main drives the calls.
main