Squash

Author: Zacgoose

.github/workflows/dev_api.yml

@@ -26,6 +26,83 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Setup PowerShell module cache
+        id: cacher
+        uses: actions/cache@v3
+        with:
+          path: "~/.local/share/powershell/Modules"
+          key: ${{ runner.os }}-ModuleBuilder
+
+      - name: Install ModuleBuilder
+        if: steps.cacher.outputs.cache-hit != 'true'
+        shell: pwsh
+        run: |
+          Set-PSRepository PSGallery -InstallationPolicy Trusted
+          Install-Module ModuleBuilder -AllowClobber -Force
+
+      - name: Build CIPPCore Module
+        shell: pwsh
+        run: |
+          $ModulePath = Join-Path $env:GITHUB_WORKSPACE "Modules/CIPPCore"
+          $OutputPath = Join-Path $env:GITHUB_WORKSPACE "Output"
+
+          Write-Host "Building module from: $ModulePath"
+          Write-Host "Output directory: $OutputPath"
+
+          # Build the module using ModuleBuilder
+          Build-Module -SourcePath $ModulePath -OutputDirectory $OutputPath -Verbose
+
+          # Replace the source module with the built module
+          Remove-Item -Path $ModulePath -Recurse -Force
+          Copy-Item -Path (Join-Path $OutputPath "CIPPCore") -Destination $ModulePath -Recurse -Force
+
+          Write-Host "Module built and replaced successfully"
+
+          # Clean up output directory
+          Remove-Item -Path $OutputPath -Recurse -Force
+
+      - name: Build CippExtensions Module
+        shell: pwsh
+        run: |
+          $ModulePath = Join-Path $env:GITHUB_WORKSPACE "Modules/CippExtensions"
+          $OutputPath = Join-Path $env:GITHUB_WORKSPACE "Output"
+
+          Write-Host "Building module from: $ModulePath"
+          Write-Host "Output directory: $OutputPath"
+
+          # Build the module using ModuleBuilder
+          Build-Module -SourcePath $ModulePath -OutputDirectory $OutputPath -Verbose
+
+          # Replace the source module with the built module
+          Remove-Item -Path $ModulePath -Recurse -Force
+          Copy-Item -Path (Join-Path $OutputPath "CippExtensions") -Destination $ModulePath -Recurse -Force
+
+          Write-Host "Module built and replaced successfully"
+
+          # Clean up output directory
+          Remove-Item -Path $OutputPath -Recurse -Force
+
+      - name: Build CIPPStandardsAlerts Module
+        shell: pwsh
+        run: |
+          $ModulePath = Join-Path $env:GITHUB_WORKSPACE "Modules/CIPPStandardsAlerts"
+          $OutputPath = Join-Path $env:GITHUB_WORKSPACE "Output"
+
+          Write-Host "Building module from: $ModulePath"
+          Write-Host "Output directory: $OutputPath"
+
+          # Build the module using ModuleBuilder
+          Build-Module -SourcePath $ModulePath -OutputDirectory $OutputPath -Verbose
+
+          # Replace the source module with the built module
+          Remove-Item -Path $ModulePath -Recurse -Force
+          Copy-Item -Path (Join-Path $OutputPath "CIPPStandardsAlerts") -Destination $ModulePath -Recurse -Force
+
+          Write-Host "Module built and replaced successfully"
+
+          # Clean up output directory
+          Remove-Item -Path $OutputPath -Recurse -Force
+
       - name: Login to Azure
         uses: azure/login@v2
         with:

Modules/CIPPCore/CIPPCore.psm1

@@ -1,6 +1,7 @@
 # ModuleBuilder will concatenate all function files into this module
 # This block is only used when running from source (not built)
 if (Test-Path (Join-Path $PSScriptRoot 'Public')) {
+    # Load Public and Private functions
     $Public = @(Get-ChildItem -Path (Join-Path $PSScriptRoot 'Public\*.ps1') -Recurse -ErrorAction SilentlyContinue)
     $Private = @(Get-ChildItem -Path (Join-Path $PSScriptRoot 'Private\*.ps1') -Recurse -ErrorAction SilentlyContinue)
     $Functions = $Public + $Private

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

@@ -4,56 +4,54 @@ function Test-CIPPAccess {
         [switch]$TenantList,
         [switch]$GroupList
     )
-    # Initialize per-call profiling
+
     $AccessTimings = @{}
     $AccessTotalSw = [System.Diagnostics.Stopwatch]::StartNew()
     if ($Request.Params.CIPPEndpoint -eq 'ExecSAMSetup') { return $true }
-
-    # Get function help
     $FunctionName = 'Invoke-{0}' -f $Request.Params.CIPPEndpoint
 
     $SwPermissions = [System.Diagnostics.Stopwatch]::StartNew()
-    if (-not $global:CIPPFunctionPermissions) {
+    if (-not $script:CIPPFunctionPermissions) {
         $CIPPCoreModule = Get-Module -Name CIPPCore
         if ($CIPPCoreModule) {
-            $PermissionsFileJson = Join-Path $CIPPCoreModule.ModuleBase 'lib' 'data' 'function-permissions.json'
-
-            if (Test-Path $PermissionsFileJson) {
+            $CIPPCoreModuleRoot = $CIPPCoreModule.ModuleBase
+            $CIPPRoot = (Get-Item $CIPPCoreModuleRoot).Parent.Parent
+            $MetadataPath = Join-Path $CIPPRoot 'Config\function-metadata.psd1'
+            if (Test-Path $MetadataPath) {
                 try {
-                    $jsonData = Get-Content -Path $PermissionsFileJson -Raw | ConvertFrom-Json -AsHashtable
-                    $global:CIPPFunctionPermissions = [System.Collections.Hashtable]::new([StringComparer]::OrdinalIgnoreCase)
-                    foreach ($key in $jsonData.Keys) {
-                        $global:CIPPFunctionPermissions[$key] = $jsonData[$key]
-                    }
-                    Write-Debug "Loaded $($global:CIPPFunctionPermissions.Count) function permissions from JSON cache"
+                    $metadata = Import-PowerShellDataFile -Path $MetadataPath
+                    $script:CIPPFunctionPermissions = $metadata.Functions
+                    Write-Debug "Loaded $($script:CIPPFunctionPermissions.Count) function permissions from metadata cache"
                 } catch {
-                    Write-Warning "Failed to load function permissions from JSON: $($_.Exception.Message)"
+                    Write-Warning "Failed to load function permissions from metadata: $($_.Exception.Message)"
                 }
+            } else {
+                Write-Warning "Metadata file not found at $MetadataPath"
             }
         }
     }
     $SwPermissions.Stop()
     $AccessTimings['FunctionPermissions'] = $SwPermissions.Elapsed.TotalMilliseconds
 
     if ($FunctionName -ne 'Invoke-me') {
-        $swHelp = [System.Diagnostics.Stopwatch]::StartNew()
-        if ($global:CIPPFunctionPermissions -and $global:CIPPFunctionPermissions.ContainsKey($FunctionName)) {
-            $PermissionData = $global:CIPPFunctionPermissions[$FunctionName]
+        $swMeta = [System.Diagnostics.Stopwatch]::StartNew()
+        if ($script:CIPPFunctionPermissions -and $script:CIPPFunctionPermissions.ContainsKey($FunctionName)) {
+            $PermissionData = $script:CIPPFunctionPermissions[$FunctionName]
             $APIRole = $PermissionData['Role']
             $Functionality = $PermissionData['Functionality']
-            Write-Debug "Loaded function permission data from cache for '$FunctionName': Role='$APIRole', Functionality='$Functionality'"
+            Write-Debug "Loaded function permission data from metadata for '$FunctionName': Role='$APIRole', Functionality='$Functionality'"
         } else {
             try {
                 $Help = Get-Help $FunctionName -ErrorAction Stop
                 $APIRole = $Help.Role
                 $Functionality = $Help.Functionality
                 Write-Debug "Loaded function permission data via Get-Help for '$FunctionName': Role='$APIRole', Functionality='$Functionality'"
             } catch {
-                Write-Warning "Function '$FunctionName' not found"
+                Write-Warning "Function '$FunctionName' not found in metadata cache or via Get-Help"
             }
         }
-        $swHelp.Stop()
-        $AccessTimings['GetHelp'] = $swHelp.Elapsed.TotalMilliseconds
+        $swMeta.Stop()
+        $AccessTimings['MetadataLookup'] = $swMeta.Elapsed.TotalMilliseconds
     }
 
     # Get default roles from config
@@ -120,6 +118,13 @@ function Test-CIPPAccess {
         }
         if ($Request.Params.CIPPEndpoint -eq 'me') {
             $Permissions = Get-CippAllowedPermissions -UserRoles $CustomRoles
+            $swApiClient.Stop()
+            $AccessTotalSw.Stop()
+            $AccessTimings['ApiClientBranch'] = $swApiClient.Elapsed.TotalMilliseconds
+            $AccessTimings['Total'] = $AccessTotalSw.Elapsed.TotalMilliseconds
+            $AccessTimingsRounded = [ordered]@{}
+            foreach ($Key in ($AccessTimings.Keys | Sort-Object)) { $AccessTimingsRounded[$Key] = [math]::Round($AccessTimings[$Key], 2) }
+            Write-Information "#### Access Timings #### $($AccessTimingsRounded | ConvertTo-Json -Compress)"
             return ([HttpResponseContext]@{
                     StatusCode = [HttpStatusCode]::OK
                     Body       = (
@@ -153,6 +158,13 @@ function Test-CIPPAccess {
         if ($Request.Params.CIPPEndpoint -eq 'me') {
 
             if (!$User.userRoles) {
+                $swUserBranch.Stop()
+                $AccessTotalSw.Stop()
+                $AccessTimings['UserBranch'] = $swUserBranch.Elapsed.TotalMilliseconds
+                $AccessTimings['Total'] = $AccessTotalSw.Elapsed.TotalMilliseconds
+                $AccessTimingsRounded = [ordered]@{}
+                foreach ($Key in ($AccessTimings.Keys | Sort-Object)) { $AccessTimingsRounded[$Key] = [math]::Round($AccessTimings[$Key], 2) }
+                Write-Information "#### Access Timings #### $($AccessTimingsRounded | ConvertTo-Json -Compress)"
                 return ([HttpResponseContext]@{
                         StatusCode = [HttpStatusCode]::OK
                         Body       = (
@@ -167,6 +179,13 @@ function Test-CIPPAccess {
             $Permissions = Get-CippAllowedPermissions -UserRoles $User.userRoles
             $swPermsMe.Stop()
             $AccessTimings['GetPermissions(me)'] = $swPermsMe.Elapsed.TotalMilliseconds
+            $swUserBranch.Stop()
+            $AccessTotalSw.Stop()
+            $AccessTimings['UserBranch'] = $swUserBranch.Elapsed.TotalMilliseconds
+            $AccessTimings['Total'] = $AccessTotalSw.Elapsed.TotalMilliseconds
+            $AccessTimingsRounded = [ordered]@{}
+            foreach ($Key in ($AccessTimings.Keys | Sort-Object)) { $AccessTimingsRounded[$Key] = [math]::Round($AccessTimings[$Key], 2) }
+            Write-Information "#### Access Timings #### $($AccessTimingsRounded | ConvertTo-Json -Compress)"
             return ([HttpResponseContext]@{
                     StatusCode = [HttpStatusCode]::OK
                     Body       = (
@@ -465,13 +484,13 @@ function Test-CIPPAccess {
         $AccessTimings['Total'] = $AccessTotalSw.Elapsed.TotalMilliseconds
         $AccessTimingsRounded = [ordered]@{}
         foreach ($Key in ($AccessTimings.Keys | Sort-Object)) { $AccessTimingsRounded[$Key] = [math]::Round($AccessTimings[$Key], 2) }
-        Write-Debug "#### Access Timings #### $($AccessTimingsRounded | ConvertTo-Json -Compress)"
+        Write-Information "#### Access Timings #### $($AccessTimingsRounded | ConvertTo-Json -Compress)"
         return @('AllTenants')
     }
     $AccessTotalSw.Stop()
     $AccessTimings['Total'] = $AccessTotalSw.Elapsed.TotalMilliseconds
     $AccessTimingsRounded = [ordered]@{}
     foreach ($Key in ($AccessTimings.Keys | Sort-Object)) { $AccessTimingsRounded[$Key] = [math]::Round($AccessTimings[$Key], 2) }
-    Write-Debug "#### Access Timings #### $($AccessTimingsRounded | ConvertTo-Json -Compress)"
+    Write-Information "#### Access Timings #### $($AccessTimingsRounded | ConvertTo-Json -Compress)"
     return $true
 }

Modules/CIPPCore/Public/Authentication/Test-CIPPAccessUserRole.ps1

@@ -25,8 +25,8 @@ function Test-CIPPAccessUserRole {
     $Roles = @()
 
     # Check AsyncLocal cache first (per-request cache)
-    if ($script:CippUserRolesStorage -and $script:CippUserRolesStorage.Value -and $script:CippUserRolesStorage.Value.ContainsKey($User.userDetails)) {
-        $Roles = $script:CippUserRolesStorage.Value[$User.userDetails]
+    if ($global:CippUserRolesStorage -and $global:CippUserRolesStorage.Value -and $global:CippUserRolesStorage.Value.ContainsKey($User.userDetails)) {
+        $Roles = $global:CippUserRolesStorage.Value[$User.userDetails]
     } else {
         # Check table storage cache (persistent cache)
         try {
@@ -45,8 +45,8 @@ function Test-CIPPAccessUserRole {
             $Roles = $UserRole.Role | ConvertFrom-Json
 
             # Store in AsyncLocal cache for this request
-            if ($script:CippUserRolesStorage -and $script:CippUserRolesStorage.Value) {
-                $script:CippUserRolesStorage.Value[$User.userDetails] = $Roles
+            if ($global:CippUserRolesStorage -and $global:CippUserRolesStorage.Value) {
+                $global:CippUserRolesStorage.Value[$User.userDetails] = $Roles
             }
         } else {
             try {
@@ -115,8 +115,8 @@ function Test-CIPPAccessUserRole {
             }
 
             # Store in AsyncLocal cache for this request
-            if ($script:CippUserRolesStorage -and $script:CippUserRolesStorage.Value) {
-                $script:CippUserRolesStorage.Value[$User.userDetails] = $Roles
+            if ($global:CippUserRolesStorage -and $global:CippUserRolesStorage.Value) {
+                $global:CippUserRolesStorage.Value[$User.userDetails] = $Roles
             }
         }
     }

Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1

@@ -275,9 +275,9 @@ function Get-Tenants {
         }
     }
 
-    # Limit tenant list to allowed tenants if set in script scope from New-CippCoreRequest
-    if ($script:CippAllowedTenantsStorage -and $script:CippAllowedTenantsStorage.Value) {
-        $IncludedTenantsCache = $IncludedTenantsCache | Where-Object { $script:CippAllowedTenantsStorage.Value -contains $_.customerId }
+    # Limit tenant list to allowed tenants if set in global scope from New-CippCoreRequest
+    if ($global:CippAllowedTenantsStorage -and $global:CippAllowedTenantsStorage.Value) {
+        $IncludedTenantsCache = $IncludedTenantsCache | Where-Object { $global:CippAllowedTenantsStorage.Value -contains $_.customerId }
     }
 
     return $IncludedTenantsCache | Where-Object { ($null -ne $_.defaultDomainName -and ($_.defaultDomainName -notmatch 'Domain Error' -or $IncludeAll.IsPresent)) } | Where-Object $IncludedTenantFilter | Sort-Object -Property displayName

Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1

@@ -18,8 +18,8 @@ function New-GraphBulkRequest {
     if ($NoAuthCheck -or (Get-AuthorisedRequest -Uri $uri -TenantID $tenantid)) {
         $headers = Get-GraphToken -tenantid $tenantid -scope $scope -AsApp $asapp
 
-        if ($script:XMsThrottlePriority) {
-            $headers['x-ms-throttle-priority'] = $script:XMsThrottlePriority
+        if ($global:XMsThrottlePriority) {
+            $headers['x-ms-throttle-priority'] = $global:XMsThrottlePriority
         }
 
         $URL = "https://graph.microsoft.com/$Version/`$batch"

Modules/CIPPCore/Public/GraphHelper/New-GraphBulkRequest.ps1

@@ -37,8 +37,8 @@ function New-GraphGetRequest {
             $headers['ConsistencyLevel'] = 'eventual'
         }
 
-        if ($script:XMsThrottlePriority) {
-            $headers['x-ms-throttle-priority'] = $script:XMsThrottlePriority
+        if ($global:XMsThrottlePriority) {
+            $headers['x-ms-throttle-priority'] = $global:XMsThrottlePriority
         }
 
         $nextURL = $uri
@@ -85,7 +85,8 @@ function New-GraphGetRequest {
                     } else {
                         $GraphRequest.ResponseHeadersVariable = 'ResponseHeaders'
                         $Data = (Invoke-RestMethod @GraphRequest)
-                        $script:LastGraphResponseHeaders = $ResponseHeaders
+                        # Store response headers in global scope for cross-module access
+                        $global:LastGraphResponseHeaders = $ResponseHeaders
                     }
 
                     # If we reach here, the request was successful