Skip to content

feat: ✨ Implement azdo security permission update command and fix bugs in handling permissions #113

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tmeckel merged 19 commits into from
Nov 3, 2025
Merged

feat: ✨ Implement azdo security permission update command and fix bugs in handling permissions #113

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
a8b48ee
refactor: add identity resolution and rename member resolver
tmeckel Nov 3, 2025
b171eff
feat: add descriptor and SID validators
tmeckel Nov 3, 2025
89011c4
chore: handled linting issues
tmeckel Nov 3, 2025
83b69f0
chore: add security client mock generation
tmeckel Nov 3, 2025
3b0e175
test: 🧪 re-created mocks
tmeckel Nov 3, 2025
24046fb
test: 🧪 introduce acceptance testing utilities
tmeckel Nov 3, 2025
2579f11
test: 🧪 add polling helper for tests
tmeckel Nov 3, 2025
e3dda1d
feat: 🎉 add ConfigReader and injectable config loading
tmeckel Nov 3, 2025
db82e67
refactor: call ResolveSubject for member resolution
tmeckel Nov 3, 2025
defe457
fix: ⚙️ improve subject descriptor resolution
tmeckel Nov 3, 2025
f7a857c
fix: use resolved identity descriptor for ACL queries
tmeckel Nov 3, 2025
04e4bf7
test: 🧪 add list test for subject descriptor fallback
tmeckel Nov 3, 2025
b73b782
fix: include subject in parsed target
tmeckel Nov 3, 2025
b9fabbf
feat: add access control helpers
tmeckel Nov 3, 2025
ffe6422
feat: ✨ add permission update command
tmeckel Nov 3, 2025
8146a89
test: 🧪 added tests for permission update command
tmeckel Nov 3, 2025
08bcf59
docs: 📄 updated docs
tmeckel Nov 3, 2025
530fb1d
chore: ignore env files
tmeckel Nov 3, 2025
7566f32
chore: add vscode launch configurations
tmeckel Nov 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,3 +27,4 @@ bin/
/azdo.exe

**/*.local.*
**/.env*
38 changes: 38 additions & 0 deletions .vscode/launch.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
{
// Use IntelliSense to learn about possible attributes.
// Hover to view descriptions of existing attributes.
// For more information, visit:
// https://go.microsoft.com/fwlink/?linkid=830387
// https://nsddd.top/posts/use-go-tools-dlv/
"version": "0.2.0",
"configurations": [
{
"name": "Debug ACC Test",
"type": "go",
"request": "launch",
"mode": "test",
"program": "${fileDirname}",
"args": ["-test.run", "^${selectedText}$"],
"env": {
"AZDO_ACC_TEST": "1",
"AZDO_DEBUG": "1"
},
"envFile": "${workspaceFolder}/.env"
},
{
"name": "Debug ACC Test (Proxy)",
"type": "go",
"request": "launch",
"mode": "test",
"program": "${fileDirname}",
"args": ["-test.run", "^${selectedText}$"],
"env": {
"AZDO_ACC_TEST": "1",
"AZDO_DEBUG": "1",
"HTTPS_PROXY": "http://127.0.0.1:8080",
"HTTP_PROXY": "http://127.0.0.1:8080"
},
"envFile": "${workspaceFolder}/.env"
}
]
}
19 changes: 19 additions & 0 deletions docs/azdo_help_reference.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -733,6 +733,25 @@ Aliases
s
```

#### `azdo security permission update <TARGET> [flags]`

Update or create permissions for a user or group.

```
--allow-bit strings Permission bit or comma-separated bits to allow.
--deny-bit strings Permission bit or comma-separated bits to deny.
--merge Merge incoming ACEs with existing entries or replace the permissions. If provided without value true is implied.
-n, --namespace-id string ID of the security namespace to modify (required).
--token string Security token for the resource (required).
-y, --yes Do not prompt for confirmation.
```

Aliases

```
create, u, new
```



### See also
Expand Down
1 change: 1 addition & 0 deletions docs/azdo_security_permission.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ Manage Azure DevOps security permissions.
* [azdo security permission list](./azdo_security_permission_list.md)
* [azdo security permission namespace](./azdo_security_permission_namespace.md)
* [azdo security permission show](./azdo_security_permission_show.md)
* [azdo security permission update](./azdo_security_permission_update.md)

### ALIASES

Expand Down
86 changes: 86 additions & 0 deletions docs/azdo_security_permission_update.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
## Command `azdo security permission update`

```
azdo security permission update <TARGET> [flags]
```

Update the permissions for a user or group on a specific securable resource (identified by a token) by assigning "allow" or "deny" permission bits.

The --allow-bit and --deny-bit flags accept one or more permission values. Each value may be provided as:
- a hexadecimal bitmask (e.g. 0x4),
- a decimal bit value (e.g. 4), or
- a textual action name matching the namespace action (e.g. "Read", "Edit").

To discover the available actions (and their textual names) for a security namespace, use:
azdo security permission namespace show --namespace-id <namespace-uuid>

Accepted TARGET formats:
- ORGANIZATION/SUBJECT → target subject in org
- ORGANIZATION/PROJECT/SUBJECT → subject scoped to project

Token hierarchy (Git repo namespace example):
- repoV2 → all repos across org
- repoV2/{projectId} → all repos in project
- repoV2/{projectId}/{repoId} → single repo in project


- ORGANIZATION/SUBJECT → target subject in org
- ORGANIZATION/PROJECT/SUBJECT → subject scoped to project


### Options


* `--allow-bit` `strings`

Permission bit or comma-separated bits to allow.

* `--deny-bit` `strings`

Permission bit or comma-separated bits to deny.

* `--merge`

Merge incoming ACEs with existing entries or replace the permissions. If provided without value true is implied.

* `-n`, `--namespace-id` `string`

ID of the security namespace to modify (required).

* `--token` `string`

Security token for the resource (required).

* `-y`, `--yes`

Do not prompt for confirmation.


### ALIASES

- `create`
- `u`
- `new`

### Examples

```bash
# Allow the Read action (textual) for a user on a token
azdo security permission update fabrikam/contoso@example.com --namespace-id 71356614-aad7-4757-8f2c-0fb3bff6f680 --token '$/696416ee-f7ff-4ee3-934a-979b00dce74f' --allow-bit Read

# Allow multiple actions by specifying --allow-bit multiple times (textual and numeric)
azdo security permission update fabrikam/contoso@example.com --namespace-id bf7bfa03-b2b7-47db-8113-fa2e002cc5b1 --token vstfs:///Classification/Node/18c76992-93fa-4eb2-aac0-0abc0be212d6 --allow-bit Read --allow-bit Contribute --allow-bit 0x4

# Allow multiple actions using a single comma-separated value (shells may need quoting)
azdo security permission update fabrikam/contoso@example.com --namespace-id 302acaca-b667-436d-a946-87133492041c --token BuildPrivileges --allow-bit "Read,Contribute,0x4"

# Deny a numeric bit and merge with existing ACEs (merge will OR incoming bits with existing ACE)
azdo security permission update fabrikam/contoso@example.com --namespace-id 33344d9c-fc72-4d6f-aba5-fa317101a7e9 --token '696416ee-f7ff-4ee3-934a-979b00dce74f/237' --deny-bit 8 --merge

# Use --yes to skip confirmation prompts
azdo security permission update fabrikam/contoso@example.com --namespace-id 8adf73b7-389a-4276-b638-fe1653f7efc7 --token '$/f6ad111f-42cb-4e2d-b22a-cd0bd6f5aebd/00000000-0000-0000-0000-000000000000' --allow-bit Read --yes
```

### See also

* [azdo security permission](./azdo_security_permission.md)
Loading
Loading