Consume new azure package for target services and role definitions (#1036)

* Consume new azure package for target services and role definitions

* Refactor using azure utils package

* Merge conflict

* Fix package-lock.json

* Remove unneeded refres

Author: nturinski

package-lock.json

@@ -161,6 +161,12 @@
                 "category": "Azure",
                 "icon": "$(zoom-in)"
             },
+            {
+                "command": "azureResourceGroups.loadAllSubscriptionRoleAssignments",
+                "title": "%azureResourceGroups.loadAllSubscriptionRoleAssignments%",
+                "category": "Azure",
+                "icon": "$(sync)"
+            },
             {
                 "command": "azureResourceGroups.unfocusGroup",
                 "title": "%azureResourceGroups.unfocusGroup%",
@@ -493,6 +499,16 @@
                 }
             ],
             "view/item/context": [
+                {
+                    "command": "azureResourceGroups.loadAllSubscriptionRoleAssignments",
+                    "when": "view == azureResourceGroups && viewItem =~ /targetServiceRoleAssignmentItem(?!allLoaded)/",
+                    "group": "inline"
+                },
+                {
+                    "command": "azureResourceGroups.loadAllSubscriptionRoleAssignments",
+                    "when": "view == azureResourceGroups && viewItem =~ /targetServiceRoleAssignmentItem(?!allLoaded)/",
+                    "group": "1@1"
+                },
                 {
                     "command": "azureResourceGroups.focusGroup",
                     "when": "view == azureResourceGroups && viewItem =~ /canFocus/",
@@ -862,6 +878,8 @@
         "api-extractor": "tsc -p ./api && api-extractor run -c ./api/api-extractor.json"
     },
     "devDependencies": {
+        "@azure/arm-authorization": "^9.0.0",
+        "@azure/arm-msi": "^2.1.0",
         "@azure/arm-resources-subscriptions": "^2.1.0",
         "@azure/identity": "^4.2.1",
         "@microsoft/api-extractor": "^7.33.8",
@@ -894,13 +912,11 @@
         "webpack-cli": "^4.6.0"
     },
     "dependencies": {
-        "@azure/arm-authorization": "^9.0.0",
-        "@azure/arm-msi": "^2.1.0",
         "@azure/arm-resources": "^5.2.0",
         "@azure/arm-resources-profile-2020-09-01-hybrid": "^2.1.0",
         "@azure/ms-rest-js": "^2.7.0",
         "@microsoft/vscode-azext-azureauth": "^4.0.3",
-        "@microsoft/vscode-azext-azureutils": "^3.1.1",
+        "@microsoft/vscode-azext-azureutils": "^3.1.4",
         "@microsoft/vscode-azext-utils": "^2.5.12",
         "buffer": "^6.0.3",
         "form-data": "^4.0.1",

package.json

@@ -45,6 +45,7 @@
     "azureResourceGroups.showGroupOptions": "Show Grouping Options",
     "azureResourceGroups.enableChatStandIn": "Enable the @azure chat stand-in",
     "chatParticipants.azure.fullName": "Azure (Preview)",
+    "azureResourceGroups.loadAllSubscriptionRoleAssignments": "Load all role assignments across subscriptions...",
     "azureResourceGroups.askAzure": {
         "message": "Ask @azure",
         "comment": [

package.nls.json

@@ -4,13 +4,13 @@
  *--------------------------------------------------------------------------------------------*/
 
 import { signInToTenant } from '@microsoft/vscode-azext-azureauth';
-import { AzExtTreeItem, IActionContext, isAzExtTreeItem, openUrl, registerCommand, registerCommandWithTreeNodeUnwrapping, registerErrorHandler, registerReportIssueCommand } from '@microsoft/vscode-azext-utils';
+import { AzExtTreeItem, IActionContext, isAzExtTreeItem, nonNullValue, openUrl, registerCommand, registerCommandWithTreeNodeUnwrapping, registerErrorHandler, registerReportIssueCommand } from '@microsoft/vscode-azext-utils';
 import { commands } from 'vscode';
 import { askAgentAboutResource } from '../chat/askAgentAboutResource';
 import { askAzureInCommandPalette } from '../chat/askAzure';
 import { uploadFileToCloudShell } from '../cloudConsole/uploadFileToCloudShell';
 import { ext } from '../extensionVariables';
-import { loadAllSubscriptionRoleAssignments } from '../managedIdentity/loadAllSubscriptionRoleAssignments';
+import { TargetServiceRoleAssignmentItem } from '../managedIdentity/TargetServiceRoleAssignmentItem';
 import { BranchDataItemWrapper } from '../tree/BranchDataItemWrapper';
 import { ResourceGroupsItem } from '../tree/ResourceGroupsItem';
 import { GroupingItem } from '../tree/azure/grouping/GroupingItem';
@@ -122,9 +122,12 @@ export function registerCommands(): void {
     registerCommand('azureResourceGroups.askAzure', askAzureInCommandPalette);
 
     registerCommand('azureWorkspace.loadMore', async (context: IActionContext, node: AzExtTreeItem) => await ext.workspaceTree.loadMore(node, context));
-    registerCommand('azureResources.loadAllSubscriptionRoleAssignments', loadAllSubscriptionRoleAssignments);
-
     registerCommand('azureTenantsView.configureSovereignCloud', configureSovereignCloud);
+    registerCommandWithTreeNodeUnwrapping('azureResourceGroups.loadAllSubscriptionRoleAssignments', async (_context: IActionContext, node?: TargetServiceRoleAssignmentItem) => {
+        node = nonNullValue(node);
+        node.setAllSubscriptionsLoaded();
+        ext.azureTreeState.notifyChildrenChanged(node.id);
+    });
     registerCommandWithTreeNodeUnwrapping<{ id?: string }>("azureResourceGroups.askAgentAboutResource", (context, node) => askAgentAboutResource(context, node));
 }
 

src/commands/registerCommands.ts

@@ -3,47 +3,27 @@
 *  Licensed under the MIT License. See License.txt in the project root for license information.
 *--------------------------------------------------------------------------------------------*/
 
-import { RoleAssignment } from '@azure/arm-authorization';
-import { uiUtils } from '@microsoft/vscode-azext-azureutils';
-import { callWithTelemetryAndErrorHandling, createSubscriptionContext, type IActionContext } from '@microsoft/vscode-azext-utils';
+import { callWithTelemetryAndErrorHandling, type IActionContext } from '@microsoft/vscode-azext-utils';
 import { AzureResource, AzureResourceModel, BranchDataProvider } from '@microsoft/vscode-azureresources-api';
 import * as vscode from 'vscode';
 import { localize } from 'vscode-nls';
 import { ext } from '../extensionVariables';
 import { ResourceGroupsItem } from '../tree/ResourceGroupsItem';
-import { createAuthorizationManagementClient } from '../utils/azureClients';
 import { ManagedIdentityItem } from './ManagedIdentityItem';
 export class ManagedIdentityBranchDataProvider extends vscode.Disposable implements BranchDataProvider<AzureResource, AzureResourceModel> {
     private readonly onDidChangeTreeDataEmitter = new vscode.EventEmitter<ResourceGroupsItem | undefined>();
-    public roleAssignmentsTask: Promise<{ [id: string]: RoleAssignment[] }>;
 
     constructor() {
         super(
             () => {
                 this.onDidChangeTreeDataEmitter.dispose();
             });
-        this.roleAssignmentsTask = this.initialize();
     }
 
     get onDidChangeTreeData(): vscode.Event<ResourceGroupsItem | undefined> {
         return this.onDidChangeTreeDataEmitter.event;
     }
 
-    public async initialize(): Promise<{ [id: string]: RoleAssignment[] }> {
-        return await callWithTelemetryAndErrorHandling('initializeManagedIdentityBranchDataProvider', async (context: IActionContext) => {
-            const provider = await ext.subscriptionProviderFactory();
-            const allSubscriptions = await provider.getSubscriptions(false /*filter*/);
-            const roleAssignments: { [id: string]: RoleAssignment[] } = {};
-            await Promise.allSettled(allSubscriptions.map(async (subscription) => {
-                const subContext = createSubscriptionContext(subscription);
-                const authClient = await createAuthorizationManagementClient([context, subContext]);
-                roleAssignments[subscription.subscriptionId] = await uiUtils.listAllIterator(authClient.roleAssignments.listForSubscription());
-            }));
-
-            return roleAssignments;
-        }) ?? {};
-    }
-
     async getChildren(element: ResourceGroupsItem): Promise<ResourceGroupsItem[] | null | undefined> {
         return (await element.getChildren?.())?.map((child) => {
             return ext.azureTreeState.wrapItemInStateHandling(child, () => this.refresh(child))

src/managedIdentity/ManagedIdentityBranchDataProvider.ts

@@ -4,20 +4,15 @@
 *--------------------------------------------------------------------------------------------*/
 
 import { Identity } from "@azure/arm-msi";
-import { uiUtils } from "@microsoft/vscode-azext-azureutils";
+import { createManagedServiceIdentityClient } from "@microsoft/vscode-azext-azureutils";
 import { callWithTelemetryAndErrorHandling, createContextValue, createSubscriptionContext, nonNullProp, type IActionContext } from "@microsoft/vscode-azext-utils";
 import { type AzureResource, type AzureSubscription, type ViewPropertiesModel } from "@microsoft/vscode-azureresources-api";
-import { ThemeIcon, TreeItem, TreeItemCollapsibleState } from "vscode";
-import { createAzureResource } from "../api/DefaultAzureResourceProvider";
+import { TreeItem, TreeItemCollapsibleState } from "vscode";
 import { getAzureResourcesService } from "../services/AzureResourcesService";
-import { DefaultAzureResourceItem } from "../tree/azure/DefaultAzureResourceItem";
-import { GenericItem } from "../tree/GenericItem";
 import { ResourceGroupsItem } from "../tree/ResourceGroupsItem";
-import { createAuthorizationManagementClient, createManagedServiceIdentityClient } from "../utils/azureClients";
 import { getIconPath } from "../utils/azureUtils";
-import { localize } from "../utils/localize";
-import { RoleAssignmentsItem } from "./RoleAssignmentsItem";
-import { RoleDefinitionsItem } from "./RoleDefinitionsItem";
+import { SourceResourceIdentityItem } from "./SourceResourceIdentityItem";
+import { TargetServiceRoleAssignmentItem } from "./TargetServiceRoleAssignmentItem";
 
 export class ManagedIdentityItem implements ResourceGroupsItem {
     static readonly contextValue: string = 'managedIdentityItem';
@@ -42,60 +37,28 @@ export class ManagedIdentityItem implements ResourceGroupsItem {
         return createContextValue(values);
     }
 
-    async getChildren(): Promise<(GenericItem | RoleDefinitionsItem | RoleAssignmentsItem)[]> {
+    async getChildren<TreeElementBase>(): Promise<TreeElementBase[]> {
         const result = await callWithTelemetryAndErrorHandling('managedIdentityItem.getChildren', async (context: IActionContext) => {
             const subContext = createSubscriptionContext(this.subscription);
             const msiClient = await createManagedServiceIdentityClient([context, subContext]);
             const msi: Identity = await msiClient.userAssignedIdentities.get(nonNullProp(this.resource, 'resourceGroup'), this.resource.name);
 
             const resources = await getAzureResourcesService().listResources(context, this.subscription);
-            const assignedRoleAssignment = new RoleAssignmentsItem(localize('sourceResources', 'Source resources'), this.subscription, msi);
-            const accessRoleAssignment = new RoleAssignmentsItem(localize('targetServices', 'Target services'), this.subscription, msi);
+            const sourceResourceItem = new SourceResourceIdentityItem(this.subscription, msi, resources);
+            const targetServiceItem = new TargetServiceRoleAssignmentItem(this.subscription, msi);
 
-            const assignedResources = resources.filter((r) => {
-                // verify the msi is assigned to the resource by checking if the msi id is in the userAssignedIdentities
-                const userAssignedIdentities = r.identity?.userAssignedIdentities;
-                if (!userAssignedIdentities) {
-                    return false;
-                }
-
-                if (!msi.id) {
-                    return false;
-                }
-
-                return userAssignedIdentities[msi.id] !== undefined
-            }).map((r) => {
-                const azureResoure = createAzureResource(this.subscription, r);
-                return new DefaultAzureResourceItem(azureResoure);
-            });
-
-            const authClient = await createAuthorizationManagementClient([context, subContext]);
-            const roleAssignment = await uiUtils.listAllIterator(authClient.roleAssignments.listForSubscription());
-            // filter the role assignments to only show the ones that are assigned to the msi
-            const filteredBySub = roleAssignment.filter((ra) => ra.principalId === msi.principalId);
-
-            const targetResources = await accessRoleAssignment.getRoleDefinitionsItems(context, filteredBySub);
             const children = [];
 
-            if (assignedResources.length > 0) {
+            if (sourceResourceItem.getChildren().length > 0) {
                 // if there weren't any assigned resources, don't show that section
-                assignedRoleAssignment.addChildren(assignedResources);
-                children.push(assignedRoleAssignment);
+                children.push(sourceResourceItem);
             }
 
-            accessRoleAssignment.addChildren(targetResources);
-            children.push(accessRoleAssignment);
-            accessRoleAssignment.addChild(new GenericItem(localize('showResources', 'Show resources from other subscriptions...'),
-                {
-                    id: accessRoleAssignment.id + '/showResourcesFromOtherSubscriptions',
-                    iconPath: new ThemeIcon('sync'),
-                    commandId: 'azureResources.loadAllSubscriptionRoleAssignments',
-                    commandArgs: [accessRoleAssignment]
-                }))
+            children.push(targetServiceItem);
             return children;
         });
 
-        return result ?? [];
+        return result as TreeElementBase[] ?? [];
     }
 
     getTreeItem(): TreeItem {