{AD} az ad app permission add: Refine error message for incorrect --api-permissions #22848

Merged
jiasli merged 2 commits into Azure:dev from jiasli:permission-type
Jun 13, 2022

@jiasli jiasli commented Jun 13, 2022

Related command
az ad app permission add

Description

Refine the error message per #10718, #15598, #16868, #17057, #18185, #18408, #22826

The correct usage of --api-permissions from az ad app permission add is {id}={type}. The help message and examples are pretty clear about this. They even show how to retrieve {id} and {type}.

> az ad app permission add --help

Command
    az ad app permission add : Add an API permission.
        Invoking "az ad app permission grant" is needed to activate it.

        To get available permissions of the resource app, run `az ad sp show --id <resource-appId>`.
        For example, to get available permissions for Microsoft Graph API, run `az ad sp show --id
        00000003-0000-0000-c000-000000000000`. Application permissions under the `appRoles` property
        correspond to `Role` in --api-permissions. Delegated permissions under the
        `oauth2Permissions` property correspond to `Scope` in --api-permissions.

Arguments
    --api             [Required] : RequiredResourceAccess.resourceAppId - The unique identifier for
                                   the resource that the application requires access to. This should
                                   be equal to the appId declared on the target resource
                                   application.
    --api-permissions [Required] : Space-separated list of {id}={type}. {id} is resourceAccess.id -
                                   The unique identifier for one of the oauth2PermissionScopes or
                                   appRole instances that the resource application exposes. {type}
                                   is resourceAccess.type - Specifies whether the id property
                                   references an oauth2PermissionScopes or an appRole. The possible
                                   values are: Scope (for OAuth 2.0 permission scopes) or Role (for
                                   app roles).
    --id              [Required] : Identifier uri, application id, or object id.

...

Examples
    Add Microsoft Graph delegated permission User.Read (Sign in and read user profile).
        az ad app permission add --id {appId} --api 00000003-0000-0000-c000-000000000000 --api-
        permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope

    Add Microsoft Graph application permission Application.ReadWrite.All (Read and write all
    applications).
        az ad app permission add --id {appId} --api 00000003-0000-0000-c000-000000000000 --api-
        permissions 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9=Role

When --api-permissions is provided incorrectly, the command az ad app permission add fails with an ugly error:

The command failed with an unexpected error. Here is the traceback:
not enough values to unpack (expected 2, got 1)
Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/knack/cli.py", line 231, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 718, in _run_job
    return cmd_copy.exception_handler(ex)
  File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/role/commands.py", line 54, in graph_err_handler
    raise ex
  File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/role/custom.py", line 859, in add_permission
    access_id, access_type = e.split('=')
ValueError: not enough values to unpack (expected 2, got 1)

Now this command gives a better error message:

> az ad app permission add --id 233dd73b-72e3-424a-9367-7588d957267e --api 00000003-0000-0000-c000-000000000000 --api-permissions 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9
Usage error: Please provide both permission id and type, such as `--api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope`
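
The `{id}={type}` check discussed in this description, as an added example that is not the azure-cli code: it validates every entry up front, so a malformed `--api-permissions` value is rejected with a usage error instead of an unpacking traceback. `UsageError`, `parse_api_permissions` and `is_rejected` are hypothetical names, and the GUID check and exact-case type match are assumptions of this sketch.

```python
import uuid

# The two values the help text lists for resourceAccess.type.
VALID_TYPES = ("Scope", "Role")
EXAMPLE = "--api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope"


class UsageError(ValueError):
    """Hypothetical stand-in for the CLI's own usage-error exception."""


def parse_api_permissions(entries):
    """Validate every '{id}={type}' entry, then return resourceAccess dicts.

    All entries are checked before anything is returned, so a malformed
    argument is rejected before any directory lookup or update is attempted.
    """
    resource_access_list = []
    for entry in entries:
        # partition() never raises; `a, b = entry.split('=')` raises a bare
        # ValueError for both 'id' (1 part) and 'id=Scope=x' (3 parts).
        access_id, sep, access_type = entry.partition("=")
        if not sep or not access_id or not access_type:
            raise UsageError(
                "Please provide both permission id and type, such as `%s`" % EXAMPLE)
        try:
            # Normalise to the canonical lower-case hyphenated form.
            access_id = str(uuid.UUID(access_id))
        except ValueError:
            raise UsageError("Permission id %r is not a GUID" % access_id) from None
        # Exact-case match is a choice made for this example.
        if access_type not in VALID_TYPES:
            raise UsageError(
                "Permission type %r must be one of %s" % (access_type, VALID_TYPES))
        resource_access_list.append({"id": access_id, "type": access_type})
    return resource_access_list


def is_rejected(entry):
    """True when a single entry fails validation with a usage error."""
    try:
        parse_api_permissions([entry])
    except UsageError:
        return True
    return False
```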

@ghost ghost requested a review from yonzhan June 13, 2022 04:19
@ghost ghost added the Auto-Assign Auto assign by bot label Jun 13, 2022
@ghost ghost assigned jiasli Jun 13, 2022
@ghost ghost added this to the Jun 2022 (2022-07-05) milestone Jun 13, 2022
@ghost ghost added the RBAC az role label Jun 13, 2022
@ghost ghost requested a review from wangzelin007 June 13, 2022 04:19
@jiasli jiasli marked this pull request as ready for review June 13, 2022 04:19
@ghost ghost added the Graph (doesn't work with label-triggered comments; use Graph.Microsoft instead) az ad label Jun 13, 2022
}
resource_access_list.append(resource_access)

application = show_application(client, identifier)
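
Review bot: the `application = show_application(client, identifier)` line sits directly after `resource_access_list.append(resource_access)` with nothing in the code saying that the order is deliberate. A one-line comment above the call, noting that argument validation must finish before the application is resolved, would keep a later refactor from moving the lookup back in front of the check.
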
Member Author

We delay the application resolution so that the above check fails quicker.

Collaborator

yonzhan commented Jun 13, 2022

Role

@jiasli jiasli merged commit b62440c into Azure:dev Jun 13, 2022
@jiasli jiasli deleted the permission-type branch June 13, 2022 08:59
@jiasli jiasli changed the title {Role} az ad app permission add: Refine error message for incorrect --api-permissions {AD} az ad app permission add: Refine error message for incorrect --api-permissions Jun 14, 2022