From b79f144594deba65479baa0370eb7b48b47fbd06 Mon Sep 17 00:00:00 2001 From: Xiaojian Xu Date: Thu, 30 Jan 2020 17:06:45 +0800 Subject: [PATCH] [RBAC] BREAKING CHANGE: Fix #11883: `az role assignment create`: empty scope will prompt error (#11983) * [RBAC] BREAKING CHANGE: Fix #11883: `az role assignment create`: empty scope will prompt error * add test for role assignment with empty scope case * udpate HISTORY.rst according to alphabetic order --- src/azure-cli/HISTORY.rst | 4 ++++ src/azure-cli/azure/cli/command_modules/role/custom.py | 2 ++ .../cli/command_modules/role/tests/latest/test_role.py | 6 ++++++ 3 files changed, 12 insertions(+) diff --git a/src/azure-cli/HISTORY.rst b/src/azure-cli/HISTORY.rst index 31c59b57e4d..2ab9173690f 100644 --- a/src/azure-cli/HISTORY.rst +++ b/src/azure-cli/HISTORY.rst @@ -52,6 +52,10 @@ Release History * Fix #2092: az network dns record-set add/remove: add warning when record-set is not found. In the future, an extra argument will be supported to confirm this auto creation. +**RBAC** + +* [BREAKING CHANGE] Fix #11883: `az role assignment create`: empty scope will prompt error + **Security** * Added new commands `az atp show` and `az atp update` to view and manage advanced threat protection settings for storage accounts. diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py index 4b17917d3e2..92560c4888e 100644 --- a/src/azure-cli/azure/cli/command_modules/role/custom.py +++ b/src/azure-cli/azure/cli/command_modules/role/custom.py @@ -494,6 +494,8 @@ def _build_role_scope(resource_group_name, scope, subscription_id): if resource_group_name: err = 'Resource group "{}" is redundant because scope is supplied' raise CLIError(err.format(resource_group_name)) + elif scope == '': + raise CLIError('Invalid scope. Please use --help to view the valid format.') elif resource_group_name: scope = subscription_scope + '/resourceGroups/' + resource_group_name else: 
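Review bot: The new `elif scope == '':` branch in `_build_role_scope` carries no comment explaining why an empty scope is rejected rather than defaulted, and the reason is security-relevant. Judging by the context lines, an explicitly empty `--scope` (for example from an unset shell variable) would otherwise reach the `elif resource_group_name:` / `else:` fallbacks and, presumably, produce an assignment at resource-group or subscription level, which is broader than the caller asked for. I would add `# An explicitly empty --scope must not fall back to the default scope; that would silently widen the assignment.` directly above the branch. The HISTORY entry names only `az role assignment create`; if other commands call this helper, which is not visible here, the breaking change applies to them too and the entry should say so. The function body continues past the end of the hunk.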
diff --git a/src/azure-cli/azure/cli/command_modules/role/tests/latest/test_role.py b/src/azure-cli/azure/cli/command_modules/role/tests/latest/test_role.py index 79c3db53bc7..1a60367c3d0 100644 --- a/src/azure-cli/azure/cli/command_modules/role/tests/latest/test_role.py +++ b/src/azure-cli/azure/cli/command_modules/role/tests/latest/test_role.py @@ -12,6 +12,7 @@ import mock import unittest +from knack.util import CLIError from azure_devtools.scenario_tests import AllowLargeResponse, record_only from azure.cli.core.profiles import ResourceType, get_sdk from azure.cli.testsdk import ScenarioTest, LiveScenarioTest, ResourceGroupPreparer, KeyVaultPreparer @@ -295,6 +296,11 @@ def test_role_assignment_e2e(self, resource_group): self.cmd('role assignment list --assignee {upn}', checks=self.check("length([])", 1)) self.cmd('role assignment delete --assignee {upn} --role reader') + + # test role assignment on empty scope + with self.assertRaisesRegexp(CLIError, 'Invalid scope. Please use --help to view the valid format.'): + self.cmd('role assignment create --assignee {upn} --scope "" --role reader') + self.cmd('role assignment delete --assignee {upn} --scope "" --role reader') finally: self.cmd('ad user delete --upn-or-object-id {upn}')
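Review bot: The `role assignment delete --assignee {upn} --scope "" --role reader` call sits inside the same `with self.assertRaisesRegexp(...)` block as the `create` call, so it never runs. The first `self.cmd` raises and the block exits, leaving the delete path unverified. Give the delete command its own `with self.assertRaisesRegexp(CLIError, 'Invalid scope'):` block, so that a regression letting an empty scope fall back to a broader default on delete is caught; whether delete reaches the same scope check is not visible in this diff. The expected message is used as a regex, so its `.` characters match any character; wrap it in `re.escape(...)` if an exact match is intended. `test_role_assignment_e2e` starts and ends outside the hunk.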