Framework/Abstracts/AzCommandBase.ps1

<#
.Description
# Extended base class for all classes invoked from PowerShell commands
# Provides the hooks that fire important events when a command is invoked
#>


using namespace System.Management.Automation
# Strictest mode available to the host: uninitialized variables, missing properties and
# (presumably, as in strict-mode 3.0) out-of-range array indexes raise errors instead of
# silently yielding $null — relevant to the Split("_")[1] lookup in the class below.
Set-StrictMode -Version Latest
class AzCommandBase: CommandBase {
    # Abstract base for the Azure-facing command classes (enforced via [Helpers]::AbstractClass
    # in the constructor). On construction it: checks that the org-policy tag on the AzSK resource
    # group agrees with the configured policy, refreshes the SAS token on the online policy store
    # URL when the helper reports it as expiring, optionally (re)writes the org-policy tag, and
    # records whether compliance summaries may be stored in the user's subscription.

    #Region: Properties
    # $true when either the server-side config or the local settings enable storing the
    # compliance summary in the user's subscription. Set once, in the constructor.
    [bool] $IsLocalComplianceStoreEnabled = $false
    #EndRegion

    #Region: Constructor
    # $subscriptionId / $invocationContext are forwarded unchanged to CommandBase.
    # $this.Force is read from the base class (not declared here) and decides whether a
    # policy mismatch is tolerated and whether an existing org tag may be overwritten.
    AzCommandBase([string] $subscriptionId, [InvocationInfo] $invocationContext): Base($subscriptionId, $invocationContext) {

        # Presumably rejects direct instantiation of AzCommandBase; semantics live in [Helpers].
        [Helpers]::AbstractClass($this, [AzCommandBase]);

        #Validate if command is getting run with correct Org Policy
        # $true only when no usable org tag exists yet. A mismatch under -Force yields $false;
        # the '-or $this.Force' further down is what still triggers the tag write in that case.
        $IsTagSettingRequired = $this.ValidateOrgPolicyOnSubscription($this.Force)
        
        #Validate if policy url token is getting expired
        $onlinePolicyStoreUrl = [ConfigurationManager]::GetAzSKSettings().OnlinePolicyStoreUrl
        
        if([Helpers]::IsSASTokenUpdateRequired($onlinePolicyStoreUrl))
        {
            #Check if CA Setup Runbook URL token is valid and update it with local policy token
            # The token of the runbook URL is (presumably — GetUriWithUpdatedSASToken is not
            # visible here) grafted onto the policy-store URL and the result is persisted via
            # [AzSKSettings]::Update, i.e. a credential-bearing URL is written to local settings;
            # treat that store as sensitive.
            $CASetupRunbookUrl = [ConfigurationManager]::GetAzSKConfigData().CASetupRunbookURL
            if(-not [Helpers]::IsSASTokenUpdateRequired($CASetupRunbookUrl))
            {
                [ConfigurationManager]::GetAzSKSettings().OnlinePolicyStoreUrl = [Helpers]::GetUriWithUpdatedSASToken($onlinePolicyStoreUrl,$CASetupRunbookUrl)                
                [AzSKSettings]::Update([ConfigurationManager]::GetAzSKSettings())
            }
            else
            {
                # Warning only: the expiring URL stays in settings and the command carries on.
                [EventBase]::PublishGenericCustomMessage("Org policy settings is getting expired. Please run installer(IWR) command to update with latest policy. ", [MessageType]::Warning);
            }
        }

        #Validate if command has AzSK component write permission
        # Tag writes happen only for commands whose metadata grants AzSK component write
        # permission, and only when tagging is required or the caller forced it.
        $commandMetadata= $this.GetCommandMetadata()
        if(([Helpers]::CheckMember($commandMetadata,"HasAzSKComponentWritePermission")) -and  $commandMetadata.HasAzSKComponentWritePermission -and ($IsTagSettingRequired -or $this.Force))
        {
            #If command is running with Org-neutral Policy or switch Org policy, Set Org Policy tag on subscription
            $this.SetOrgPolicyTag($this.Force)
        }    

        $azskConfigComplianceFlag = [ConfigurationManager]::GetAzSKConfigData().StoreComplianceSummaryInUserSubscriptions;    
        $localSettingComplianceFlag = [ConfigurationManager]::GetAzSKSettings().StoreComplianceSummaryInUserSubscriptions;
        #return if feature is turned off at server config
        # Either flag alone is enough to enable the local compliance store.
        if($azskConfigComplianceFlag -or $localSettingComplianceFlag) 
        {
            $this.IsLocalComplianceStoreEnabled = $true
        }     
        #clear azsk storage instance
        # Drops any cached storage helper so this command starts from a fresh instance.
        [StorageHelper]::AzSKStorageHelperInstance = $null;

    }
    #EndRegion

    #Function to validate Org policy on subscription based on tag present on "AzSKRG" resource group
    # Returns $true when an org-policy tag should be written to the AzSK RG: the RG has no tags
    # at all, or it has no 'AzSKOrgName*' tag and the configured policy is not the OSS one.
    # Returns $false otherwise — including on a name mismatch (warning only) and when the
    # command's metadata does not mark org policy as mandatory.
    # Throws SuppressedException when the RG is tagged for some org but this run uses the OSS policy.
    # $Force only suppresses the mismatch warning; it does not change the return value.
    [bool] ValidateOrgPolicyOnSubscription([bool] $Force)
    {
        $AzSKConfigData = [ConfigurationManager]::GetAzSKConfigData()
        $tagsOnSub =  [ResourceGroupHelper]::GetResourceGroupTags($AzSKConfigData.AzSKRGName)
        $IsTagSettingRequired = $false
        $commandMetadata= $this.GetCommandMetadata()
        if(([Helpers]::CheckMember($commandMetadata,"IsOrgPolicyMandatory")) -and  $commandMetadata.IsOrgPolicyMandatory)
        {
            if($tagsOnSub)
            {
                # Every tag whose name starts with 'AzSKOrgName' (may be more than one).
                $SubOrgTag= $tagsOnSub.GetEnumerator() | Where-Object {$_.Name -like "AzSKOrgName*"}
                
                if(($SubOrgTag | Measure-Object).Count -gt 0)
                {
                    # Org name is the segment after the first '_' of the tag name, i.e. the
                    # name is expected to look like 'AzSKOrgName_<org>'.
                    # NOTE(review): assumes exactly one matching tag — with several, .Name is an
                    # array and Split fails; a name without '_' hits index 1 under strict mode.
                    # Confirm the tag naming contract with SetOrgPolicyTag.
                    $OrgName =$SubOrgTag.Name.Split("_")[1]        
                    if(-not [string]::IsNullOrWhiteSpace($OrgName) -and  $OrgName -ne $AzSKConfigData.PolicyOrgName)
                    {
                        # Running the OSS policy against an org-tagged subscription is a hard stop.
                        if($AzSKConfigData.PolicyOrgName -eq [Constants]::OrgNameOSS)
                        {
                            throw [SuppressedException]::new(([Constants]::PolicyMismatchMsgOSS -f $OrgName, $AzSKConfigData.PolicyOrgName, $SubOrgTag.Value),[SuppressedExceptionType]::Generic)
                            
                        }
                        else
                        {    
                            # Other mismatches only warn (message variant depends on the org);
                            # with -Force nothing is reported here at all.
                            if(-not $Force)
                            {
                                if ($AzSKConfigData.PolicyOrgName -eq [Constants]::OrgNameCSEO) 
                                {
                                    $this.PublishCustomMessage(([Constants]::PolicyMismatchMsgCSE -f $SubOrgTag.Value), [MessageType]::Warning);
                                }
                                else 
                                {
                                    $this.PublishCustomMessage(([Constants]::PolicyMismatchMsg -f $OrgName, $AzSKConfigData.PolicyOrgName, $SubOrgTag.Value), [MessageType]::Warning);
                                }
                                $IsTagSettingRequired = $false
                            }                    
                        }
                    }              
                }
                elseif($AzSKConfigData.PolicyOrgName -ne [Constants]::OrgNameOSS){                
                    # Tagged RG without an org tag: tag it unless this is the OSS policy.
                    $IsTagSettingRequired =$true            
                }             
            }
            else {
                # No tags at all on the RG.
                $IsTagSettingRequired = $true
            }
        }
        return $IsTagSettingRequired    
    }

    #Function to set Org policy tag
    # Writes the tag '<OrgPolicyTagPrefix><PolicyOrgName>' = <support DL> on the AzSK RG when the
    # configured policy is not "org-neutral" and either no 'AzSKOrgName*' tag exists or $Force is
    # set. Existing org tags are first passed back to SetResourceGroupTags with $true — presumably
    # a remove flag; its meaning is not visible here. Best-effort: every error is swallowed below.
    # NOTE(review): when the RG carries no tags at all ($tagsOnSub is $null/empty) the outer 'if'
    # skips the write, although ValidateOrgPolicyOnSubscription reports tagging as required in
    # exactly that case — confirm what GetResourceGroupTags returns for an untagged RG.
    # NOTE(review): the '-ne $SubOrgTag.Value' test compares the org name with the tag *value*,
    # which this function writes as the support mailbox; the org name lives in the tag *name*
    # (as ValidateOrgPolicyOnSubscription reads it) — verify the intended comparison.
    [void] SetOrgPolicyTag([bool] $Force)
    {
        try
        {
            $AzSKConfigData = [ConfigurationManager]::GetAzSKConfigData()
            $tagsOnSub =  [ResourceGroupHelper]::GetResourceGroupTags($AzSKConfigData.AzSKRGName) 
            if($tagsOnSub)
            {
                $SubOrgTag= $tagsOnSub.GetEnumerator() | Where-Object {$_.Name -like "AzSKOrgName*"}            
                # Literal "org-neutral" here vs. [Constants]::OrgNameOSS in the validator — keep in sync.
                if(
                    (($SubOrgTag | Measure-Object).Count -eq 0 -and $AzSKConfigData.PolicyOrgName -ne "org-neutral") -or 
                    (($SubOrgTag | Measure-Object).Count -gt 0 -and $AzSKConfigData.PolicyOrgName -ne "org-neutral" -and $AzSKConfigData.PolicyOrgName -ne $SubOrgTag.Value -and $Force))
                {
                    if(($SubOrgTag | Measure-Object).Count -gt 0)
                    {
                        $SubOrgTag | ForEach-Object{
                            [ResourceGroupHelper]::SetResourceGroupTags($AzSKConfigData.AzSKRGName,@{$_.Name=$_.Value}, $true)               
                        }
                    }
                    $TagName = [Constants]::OrgPolicyTagPrefix +$AzSKConfigData.PolicyOrgName
                    $SupportMail = $AzSKConfigData.SupportDL
                    # The placeholder DL from [Constants] is not published into the tag.
                    if(-not [string]::IsNullOrWhiteSpace($SupportMail) -and  [Constants]::SupportDL -eq $SupportMail)
                    {
                        $SupportMail = "Not Available"
                    }   
                    [ResourceGroupHelper]::SetResourceGroupTags($AzSKConfigData.AzSKRGName,@{$TagName=$SupportMail}, $false)                
                                    
                }
                                    
            }
        }
        catch{
            # Exception occurred during setting tag. This is kept blank intentionally to avoid flow break.
            # Note this also silences authorization failures (caller lacking write access on the RG):
            # the command proceeds without the tag and no message is published.
        }
    }
}