-
Notifications
You must be signed in to change notification settings - Fork 6.5k
Expand file tree
/
Copy pathTest-CIPPAccess.ps1
More file actions
154 lines (142 loc) · 6.68 KB
/
Test-CIPPAccess.ps1
File metadata and controls
154 lines (142 loc) · 6.68 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
function Test-CIPPAccess {
param(
$Request,
[switch]$TenantList
)
if ($Request.Params.CIPPEndpoint -eq 'ExecSAMSetup') { return $true }
# Get function help
$FunctionName = 'Invoke-{0}' -f $Request.Params.CIPPEndpoint
$Help = Get-Help $FunctionName
# Check help for role
$APIRole = $Help.Role
$AnyTenantAllowedFunctions = @('ListTenants', 'ListUserSettings', 'ListUserPhoto', 'GetCippAlerts', 'GetVersion')
if ($Request.Headers.'x-ms-client-principal-idp' -eq 'aad' -and $Request.Headers.'x-ms-client-principal-name' -match '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$') {
# Direct API Access
$ForwardedFor = $Request.Headers.'x-forwarded-for' -split ',' | Select-Object -First 1
$IPRegex = '^(?<IP>(?:\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-fA-F:]+\]|[0-9a-fA-F:]+))(?::\d+)?$'
$IPAddress = $ForwardedFor -replace $IPRegex, '$1' -replace '[\[\]]', ''
$Client = Get-CippApiClient -AppId $Request.Headers.'x-ms-client-principal-name'
if ($Client) {
Write-Information "API Access: AppName=$($Client.AppName), AppId=$($Request.Headers.'x-ms-client-principal-name'), IP=$IPAddress"
$IPMatched = $false
if ($Client.IPRange -notcontains 'Any') {
foreach ($Range in $Client.IPRange) {
if ($IPaddress -eq $Range -or (Test-IpInRange -IPAddress $IPAddress -Range $Range)) {
$IPMatched = $true
break
}
}
} else {
$IPMatched = $true
}
if ($IPMatched) {
if ($Client.Role) {
$CustomRoles = @($Client.Role)
} else {
$CustomRoles = @('cipp-api')
}
} else {
throw 'Access to this CIPP API endpoint is not allowed, the API Client does not have the required permission'
}
} else {
$CustomRoles = @('cipp-api')
Write-Information "API Access: AppId=$($Request.Headers.'x-ms-client-principal-name'), IP=$IPAddress"
}
} else {
$DefaultRoles = @('admin', 'editor', 'readonly', 'anonymous', 'authenticated')
$User = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Request.Headers.'x-ms-client-principal')) | ConvertFrom-Json
if (!$TenantList.IsPresent -and $APIRole -match 'SuperAdmin' -and $User.userRoles -notcontains 'superadmin') {
throw 'Access to this CIPP API endpoint is not allowed, the user does not have the required permission'
}
if ($User.userRoles -contains 'admin' -or $User.userRoles -contains 'superadmin') {
if ($TenantList.IsPresent) {
return @('AllTenants')
}
return $true
}
$CustomRoles = $User.userRoles | ForEach-Object {
if ($DefaultRoles -notcontains $_) {
$_
}
}
}
if (($CustomRoles | Measure-Object).Count -gt 0) {
$Tenants = Get-Tenants -IncludeErrors
$PermissionsFound = $false
$PermissionSet = foreach ($CustomRole in $CustomRoles) {
try {
Get-CIPPRolePermissions -Role $CustomRole
$PermissionsFound = $true
} catch {
Write-Information $_.Exception.Message
continue
}
}
if ($PermissionsFound) {
if ($TenantList.IsPresent) {
$LimitedTenantList = foreach ($Permission in $PermissionSet) {
if ((($Permission.AllowedTenants | Measure-Object).Count -eq 0 -or $Permission.AllowedTenants -contains 'AllTenants') -and (($Permission.BlockedTenants | Measure-Object).Count -eq 0)) {
@('AllTenants')
} else {
if ($Permission.AllowedTenants -contains 'AllTenants') {
$Permission.AllowedTenants = $Tenants.customerId
}
$Permission.AllowedTenants | Where-Object { $Permission.BlockedTenants -notcontains $_ }
}
}
return $LimitedTenantList
}
foreach ($Role in $PermissionSet) {
# Loop through each custom role permission and check API / Tenant access
$TenantAllowed = $false
$APIAllowed = $false
foreach ($Perm in $Role.Permissions) {
if ($Perm -match $APIRole) {
$APIAllowed = $true
break
}
}
if ($APIAllowed) {
$TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter ?? $env:TenantID
# Check tenant level access
if (($Role.BlockedTenants | Measure-Object).Count -eq 0 -and $Role.AllowedTenants -contains 'AllTenants') {
$TenantAllowed = $true
} elseif ($TenantFilter -eq 'AllTenants') {
$TenantAllowed = $false
} else {
$Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId
if ($Role.AllowedTenants -contains 'AllTenants') {
$AllowedTenants = $Tenants.customerId
} else {
$AllowedTenants = $Role.AllowedTenants
}
if ($Tenant) {
$TenantAllowed = $AllowedTenants -contains $Tenant -and $Role.BlockedTenants -notcontains $Tenant
if (!$TenantAllowed) { continue }
break
} else {
$TenantAllowed = $true
break
}
}
}
}
if (!$APIAllowed) {
throw "Access to this CIPP API endpoint is not allowed, the '$($Role.Role)' custom role does not have the required permission: $APIRole"
}
if (!$TenantAllowed -and $AnyTenantAllowedFunctions -notcontains $Request.Params.CIPPEndpoint) {
throw 'Access to this tenant is not allowed'
} else {
return $true
}
} else {
# No permissions found for any roles
if ($TenantList.IsPresent) {
return @('AllTenants')
}
return $true
}
} else {
return $true
}
}