Az ad app grant command

src/command_modules/azure-cli-role/HISTORY.rst

@@ -2,6 +2,10 @@
 
 Release History
 ===============
+2.1.9
+++++++
+* support grant permissions to AAD apps
+
 2.1.8
 ++++++
 * support add/remove/list owner on AAD Applciation and Group objects

src/command_modules/azure-cli-role/azure/cli/command_modules/role/_help.py

@@ -175,6 +175,24 @@
     type: command
     short-summary: remove an application owner.
 """
+helps['ad app permission'] = """
+    type: group
+    short-summary: manage an application's OAuth2 permissions.
+"""
+helps['ad app permission grant'] = """
+    type: command
+    short-summary: Grant an app permissions from another app
+    examples:
+        - name: Grant a native application with permissions to access an existing API with TTL of 2 years
+          text: az ad app permission grant --id e042ec79-34cd-498f-9d9f-1234234 --app-id a0322f79-57df-498f-9d9f-12678 --expires 2
+"""
+helps['ad app permission list'] = """
+    type: command
+    short-summary: List the app permissions
+    examples:
+        - name: List the OAuth2 permissions for an existing AAD app
+          text: az ad app permission list --id e042ec79-34cd-498f-9d9f-1234234
+"""
 helps['ad user list'] = """
     type: command
     short-summary: List Azure Active Directory users.

src/command_modules/azure-cli-role/azure/cli/command_modules/role/_params.py

@@ -46,6 +46,13 @@ def load_arguments(self, _):
     with self.argument_context('ad app owner list') as c:
         c.argument('identifier', options_list=['--id'], help='identifier uri, application id, or object id of the application')
 
+    with self.argument_context('ad app permission grant') as c:
+        c.argument('app_id', help='clientId of an existing app from which you want to grant permissions to your app')
+        c.argument('expires', help='Expiry date for the permissions in years, options include 1, 2 or never.')
+
+    with self.argument_context('ad app permission list') as c:
+        c.argument('identifier', options_list=['--id'], help='identifier uri, application id, or object id of the associated application')
+
     with self.argument_context('ad sp') as c:
         c.argument('identifier', options_list=['--id'], help='service principal name, or object id')
 

src/command_modules/azure-cli-role/azure/cli/command_modules/role/commands.py

@@ -84,6 +84,8 @@ def load_command_table(self, _):
         g.custom_command('delete', 'delete_application')
         g.custom_command('list', 'list_apps')
         g.custom_show_command('show', 'show_application')
+        g.custom_command('permission grant', 'grant_application')
+        g.custom_command('permission list', 'list_granted_application')
         g.generic_update_command('update', setter_name='patch_application', setter_type=role_custom,
                                  getter_name='show_application', getter_type=role_custom,
                                  custom_func_name='update_application', custom_func_type=role_custom)

src/command_modules/azure-cli-role/azure/cli/command_modules/role/custom.py

@@ -669,6 +669,53 @@ def create_application(client, display_name, homepage=None, identifier_uris=None
     return result
 
 
+def list_granted_application(cmd, identifier):
+    graph_client = _graph_client_factory(cmd.cli_ctx)
+
+    # Get the Service Principal ObjectId for the client app
+    client_sp_object_id = _resolve_service_principal(graph_client.service_principals, identifier)
+
+    # Get the OAuth2 permissions client app
+    permissions = graph_client.oauth2.get(
+        filter="clientId eq '{}'".format(client_sp_object_id))  # pylint: disable=no-member
+
+    return permissions.additional_properties['value']
+
+
+def grant_application(cmd, identifier, app_id, expires='1'):
+    graph_client = _graph_client_factory(cmd.cli_ctx)
+
+    # Get the Service Principal ObjectId for the client app
+    client_sp_object_id = _resolve_service_principal(graph_client.service_principals, identifier)
+
+    # Get the Service Principal ObjectId for associated app
+    associated_sp_object_id = _resolve_service_principal(graph_client.service_principals, app_id)
+
+    # Build payload
+    start_date = datetime.datetime.utcnow()
+    end_date = start_date + relativedelta(years=1)
+
+    if expires == '2':
+        end_date = start_date + relativedelta(years=2)
+    elif expires.lower() == 'never':
+        end_date = start_date + relativedelta(years=1000)
+
+    payload = {
+        "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
+        "clientId": client_sp_object_id,
+        "consentType": "AllPrincipals",
+        "resourceId": associated_sp_object_id,
+        "scope": "user_impersonation",
+        "startTime": start_date.isoformat(),
+        "expiryTime": end_date.isoformat()
+    }
+
+    # Grant OAuth2 permissions
+    response = graph_client.oauth2.grant(payload)  # pylint: disable=no-member
+
+    return response
+
+
 def update_application(instance, display_name=None, homepage=None,  # pylint: disable=unused-argument
                        identifier_uris=None, password=None, reply_urls=None, key_value=None,
                        key_type=None, key_usage=None, start_date=None, end_date=None, available_to_other_tenants=None,

src/command_modules/azure-cli-role/setup.py

@@ -14,7 +14,7 @@
     logger.warn("Wheel is not available, disabling bdist_wheel hook")
     cmdclass = {}
 
-VERSION = "2.1.8"
+VERSION = "2.1.9"
 
 CLASSIFIERS = [
     'Development Status :: 5 - Production/Stable',