
[Bug Report]: Get-RoleAssignmentList.ps1 wildcard filter is incorrect. #3160

Open
jachin84 opened this issue May 3, 2023 · 1 comment
Labels
bug Something isn't working

Comments


jachin84 commented May 3, 2023

Describe the bug

Unless I'm missing something, the script Get-RoleAssignmentList.ps1 doesn't seem to be returning the correct results for me.
I think the issue is here.

    if ("$ProviderNamespace/$ResourceType" -eq 'Microsoft.Authorization/RoleAssignments') {
        # No filter
        $relevantRoles = $roleDefinitions
    } else {
        # Filter Action based
        $relevantRoles += $roleDefinitions | Where-Object {
            $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or
            $_.Actions -like "$ProviderNamespace/`**" -or
            $_.Actions -like '`**'
        }

        # Filter Data Action based
        $relevantRoles += $roleDefinitions | Where-Object {
            $_.DataActions -like "$ProviderNamespace/$ResourceType/*" -or
            $_.DataActions -like "$ProviderNamespace/`**" -or
            $_.DataActions -like '`**'
        }
    }

In PowerShell, to match the * character with the -like operator, you need to enclose it in brackets like this: [*].

    if ("$ProviderNamespace/$ResourceType" -eq 'Microsoft.Authorization/RoleAssignments') {
        # No filter
        $relevantRoles = $roleDefinitions
    } else {
        # Filter Action based
        $relevantRoles += $roleDefinitions | Where-Object {
            $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or
            $_.Actions -like "$ProviderNamespace/[*]*" -or
            $_.Actions -like '[*]*'
        }

        # Filter Data Action based
        $relevantRoles += $roleDefinitions | Where-Object {
            $_.DataActions -like "$ProviderNamespace/$ResourceType/*" -or
            $_.DataActions -like "$ProviderNamespace/[*]*" -or
            $_.DataActions -like '[*]*'
        }
    }

To reproduce

$ProviderNamespace = "Microsoft.Network"
$ResourceType = "routeTables"

$allRoleDefinitions = Get-AzRoleDefinition

$badRoleList = $allRoleDefinitions | Where-Object {
    $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or
    $_.Actions -like "$ProviderNamespace/`**" -or
    $_.Actions -like '`**'
} 

$badRoleList.Count

$goodRoleList = $allRoleDefinitions | Where-Object {
    $_.Actions -like "$ProviderNamespace/$ResourceType/*" -or
    $_.Actions -like "$ProviderNamespace/[*]*" -or
    $_.Actions -like '[*]*'
} 

$goodRoleList.Count

You can further compare the two lists by doing the following:
Compare-Object $badRoleList $goodRoleList -PassThru | ft

As an example, the 'Virtual Machine Administrator Login' role appears in the original list, but none of its actions are relevant to a route table.
get-azroledefinition 'Virtual Machine Administrator Login' | Select-Object -ExpandProperty Actions

Microsoft.Network/publicIPAddresses/read
Microsoft.Network/virtualNetworks/read
Microsoft.Network/loadBalancers/read
Microsoft.Network/networkInterfaces/read
Microsoft.Compute/virtualMachines/*/read
Microsoft.HybridCompute/machines/*/read
Microsoft.HybridConnectivity/endpoints/listCredentials/action

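As an added, self-contained example (not the script's own code and not part of the report above), the following PowerShell applies both sets of patterns to a constructed set of role definitions so the false positive can be reproduced offline without Get-AzRoleDefinition. Get-RelevantRole and the sample roles are assumptions; only the 'Virtual Machine Administrator Login' actions are taken from the issue text. The '[*]' form also has the advantage of behaving the same inside single- and double-quoted strings.

```powershell
$ProviderNamespace = 'Microsoft.Network'
$ResourceType      = 'routeTables'

# Constructed sample role definitions (only the 'Virtual Machine Administrator
# Login' actions are taken from the issue; the other entries are illustrative).
$sampleRoleDefinitions = @(
    [pscustomobject]@{ Name = 'Owner';               Actions = @('*');                   DataActions = @() }
    [pscustomobject]@{ Name = 'Network Contributor'; Actions = @('Microsoft.Network/*'); DataActions = @() }
    [pscustomobject]@{ Name = 'Route Table Reader';  Actions = @('Microsoft.Network/routeTables/read'); DataActions = @() }
    [pscustomobject]@{ Name = 'Virtual Machine Administrator Login'
                       Actions = @('Microsoft.Network/publicIPAddresses/read',
                                   'Microsoft.Network/virtualNetworks/read',
                                   'Microsoft.Compute/virtualMachines/*/read')
                       DataActions = @() }
)

# Hypothetical helper (not the script's own function) that applies the three
# scoping patterns to both Actions and DataActions of every role definition.
function Get-RelevantRole {
    param(
        [Parameter(Mandatory)] [object[]] $RoleDefinitions,
        [Parameter(Mandatory)] [string]   $ProviderNamespace,
        [Parameter(Mandatory)] [string]   $ResourceType,
        [switch] $Unescaped   # use the original patterns to reproduce the bug
    )
    $patterns = if ($Unescaped) {
        # In a double-quoted string the backtick is consumed by the string parser,
        # so the second pattern becomes 'Microsoft.Network/**' and matches every
        # action in the namespace, not only wildcard actions.
        @("$ProviderNamespace/$ResourceType/*", "$ProviderNamespace/`**", '`**')
    } else {
        # '[*]' is a character class containing only '*', so -like matches a
        # literal asterisk regardless of how the string is quoted.
        @("$ProviderNamespace/$ResourceType/*", "$ProviderNamespace/[*]*", '[*]*')
    }
    $RoleDefinitions | Where-Object {
        $role = $_
        $matched = foreach ($p in $patterns) {
            ($role.Actions -like $p) -or ($role.DataActions -like $p)
        }
        $matched -contains $true
    }
}

$buggy = Get-RelevantRole -RoleDefinitions $sampleRoleDefinitions -ProviderNamespace $ProviderNamespace -ResourceType $ResourceType -Unescaped
$fixed = Get-RelevantRole -RoleDefinitions $sampleRoleDefinitions -ProviderNamespace $ProviderNamespace -ResourceType $ResourceType
Compare-Object -ReferenceObject $buggy.Name -DifferenceObject $fixed.Name
```

With this sample, the comparison lists only 'Virtual Machine Administrator Login' on the reference (buggy) side; Owner, Network Contributor and Route Table Reader are returned by both variants.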

@jachin84 jachin84 added the bug Something isn't working label May 3, 2023
AlexanderSehr (Contributor) commented:

Linking to discussion #3155

@AlexanderSehr AlexanderSehr added this to the Azure Verified Modules (AVM) - V3 milestone May 19, 2024
@AlexanderSehr AlexanderSehr removed this from the Azure Verified Modules (AVM) - CI Issues milestone Jul 1, 2024
Projects
Status: Low priority
Development

No branches or pull requests

2 participants