improve roledefinition.id enrichment

Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>

Author: mblaschke

auditor/auditor.azure.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/profiles/latest/resources/mgmt/resources"
 	"github.com/Azure/azure-sdk-for-go/profiles/latest/resources/mgmt/subscriptions"
+	"github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2020-04-01-preview/authorization"
 	"github.com/Azure/go-autorest/autorest/to"
 )
 
@@ -122,3 +123,37 @@ func (auditor *AzureAuditor) getResourceList(ctx context.Context, subscription *
 
 	return
 }
+
+func (auditor *AzureAuditor) getRoleDefinitionList(ctx context.Context, subscription *subscriptions.Subscription) (list map[string]authorization.RoleDefinition) {
+	auditor.locks.resources.Lock()
+	defer auditor.locks.resources.Unlock()
+
+	list = map[string]authorization.RoleDefinition{}
+
+	cacheKey := "roledefinitions:" + *subscription.SubscriptionID
+	if val, ok := auditor.cache.Get(cacheKey); ok {
+		// fetched from cache
+		list = val.(map[string]authorization.RoleDefinition)
+		return
+	}
+
+	client := authorization.NewRoleDefinitionsClientWithBaseURI(auditor.azure.client.Environment.ResourceManagerEndpoint, *subscription.SubscriptionID)
+	auditor.decorateAzureClient(&client.Client, auditor.azure.client.GetAuthorizer())
+
+	listResult, err := client.ListComplete(ctx, *subscription.ID, "")
+	if err != nil {
+		auditor.logger.Panic(err)
+	}
+
+	for _, item := range *listResult.Response().Value {
+		resourceID := strings.ToLower(to.String(item.ID))
+		list[resourceID] = item
+	}
+
+	auditor.logger.Infof("found %v Azure RoleDefinitions for Subscription %v (%v) (cache update)", len(list), to.String(subscription.DisplayName), to.String(subscription.SubscriptionID))
+
+	// save to cache
+	_ = auditor.cache.Add(cacheKey, list, auditor.cacheExpiry)
+
+	return
+}

auditor/auditor.enrich.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/profiles/latest/resources/mgmt/resources"
 	"github.com/Azure/azure-sdk-for-go/profiles/latest/resources/mgmt/subscriptions"
+	"github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2020-04-01-preview/authorization"
 	"github.com/Azure/go-autorest/autorest/to"
 	azureCommon "github.com/webdevops/go-common/azure"
 
@@ -15,13 +16,15 @@ import (
 
 func (auditor *AzureAuditor) enrichAzureObjects(ctx context.Context, subscription *subscriptions.Subscription, list *[]*validator.AzureObject) {
 	var (
-		resourceGroupList map[string]resources.Group
-		resourcesList     map[string]resources.GenericResourceExpanded
+		resourceGroupList  map[string]resources.Group
+		resourcesList      map[string]resources.GenericResourceExpanded
+		roleDefinitionList map[string]authorization.RoleDefinition
 	)
 	subscriptionList := auditor.getSubscriptionList(ctx)
 	if subscription != nil {
 		resourceGroupList = auditor.getResourceGroupList(ctx, subscription)
 		resourcesList = auditor.getResourceList(ctx, subscription)
+		roleDefinitionList = auditor.getRoleDefinitionList(ctx, subscription)
 	}
 
 	inheritTag := map[string]string{}
@@ -36,11 +39,13 @@ func (auditor *AzureAuditor) enrichAzureObjects(ctx context.Context, subscriptio
 		if subscription == nil {
 			resourceGroupList = map[string]resources.Group{}
 			resourcesList = map[string]resources.GenericResourceExpanded{}
+			roleDefinitionList = map[string]authorization.RoleDefinition{}
 
 			if subscriptionID, ok := (*row)["subscription.id"].(string); ok && subscriptionID != "" {
 				if val, ok := subscriptionList[subscriptionID]; ok {
 					resourceGroupList = auditor.getResourceGroupList(ctx, &val)
 					resourcesList = auditor.getResourceList(ctx, &val)
+					roleDefinitionList = auditor.getRoleDefinitionList(ctx, &val)
 				}
 			}
 		}
@@ -77,6 +82,15 @@ func (auditor *AzureAuditor) enrichAzureObjects(ctx context.Context, subscriptio
 			}
 		}
 
+		// enrich with roledefinition information
+		if val, ok := (*row)["roledefinition.id"].(string); ok && val != "" {
+			if roleDefinition, ok := roleDefinitionList[val]; ok {
+				obj["roledefinition.name"] = to.String(roleDefinition.RoleName)
+				obj["roledefinition.type"] = to.String(roleDefinition.RoleType)
+				obj["roledefinition.description"] = to.String(roleDefinition.Description)
+			}
+		}
+
 		// enrich with resource information (if resource is detected)
 		resourceID := ""
 		if val, ok := (*row)["roleassignment.scope"].(string); ok && val != "" {

auditor/auditor.roleassignments.go

@@ -40,8 +40,6 @@ func (auditor *AzureAuditor) auditRoleAssignments(ctx context.Context, logger *l
 func (auditor *AzureAuditor) fetchRoleAssignments(ctx context.Context, logger *log.Entry, subscription *subscriptions.Subscription) (list []*validator.AzureObject) {
 	list = []*validator.AzureObject{}
 
-	roleDefinitionList := auditor.fetchRoleDefinitionList(ctx, logger, subscription)
-
 	client := authorization.NewRoleAssignmentsClientWithBaseURI(auditor.azure.client.Environment.ResourceManagerEndpoint, *subscription.SubscriptionID)
 	auditor.decorateAzureClient(&client.Client, auditor.azure.client.GetAuthorizer())
 
@@ -72,7 +70,7 @@ func (auditor *AzureAuditor) fetchRoleAssignments(ctx context.Context, logger *l
 		obj := map[string]interface{}{
 			"resource.id":        stringPtrToStringLower(roleAssignment.ID),
 			"subscription.id":    to.String(subscription.SubscriptionID),
-			"role.id":            stringPtrToStringLower(roleAssignment.RoleDefinitionID),
+			"roledefinition.id":  stringPtrToStringLower(roleAssignment.RoleDefinitionID),
 			"principal.objectid": stringPtrToStringLower(roleAssignment.PrincipalID),
 			"resourcegroup.name": azureScope.ResourceGroup,
 
@@ -84,12 +82,6 @@ func (auditor *AzureAuditor) fetchRoleAssignments(ctx context.Context, logger *l
 			"roleassignment.age":         time.Since(roleAssignment.CreatedOn.Time),
 		}
 
-		if roleDefinition, exists := roleDefinitionList[stringPtrToStringLower(roleAssignment.RoleDefinitionID)]; exists {
-			obj["role.name"] = stringPtrToStringLower(roleDefinition.RoleName)
-			obj["role.type"] = stringPtrToStringLower(roleDefinition.RoleType)
-			obj["role.description"] = stringPtrToStringLower(roleDefinition.Description)
-		}
-
 		list = append(list, validator.NewAzureObject(obj))
 
 		if response.NextWithContext(ctx) != nil {
@@ -101,29 +93,3 @@ func (auditor *AzureAuditor) fetchRoleAssignments(ctx context.Context, logger *l
 
 	return
 }
-
-func (auditor *AzureAuditor) fetchRoleDefinitionList(ctx context.Context, logger *log.Entry, subscription *subscriptions.Subscription) map[string]authorization.RoleDefinition {
-	client := authorization.NewRoleDefinitionsClientWithBaseURI(auditor.azure.client.Environment.ResourceManagerEndpoint, *subscription.SubscriptionID)
-	auditor.decorateAzureClient(&client.Client, auditor.azure.client.GetAuthorizer())
-
-	response, err := client.ListComplete(ctx, *subscription.ID, "")
-
-	if err != nil {
-		logger.Panic(err)
-	}
-
-	roleDefinitionList := map[string]authorization.RoleDefinition{}
-
-	for response.NotDone() {
-		roleDefinition := response.Value()
-
-		roleDefinitionID := stringPtrToStringLower(roleDefinition.ID)
-		roleDefinitionList[roleDefinitionID] = roleDefinition
-
-		if response.NextWithContext(ctx) != nil {
-			break
-		}
-	}
-
-	return roleDefinitionList
-}