Merge pull request #269 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecUpdateRefreshToken.ps1

@@ -32,8 +32,14 @@ Function Invoke-ExecUpdateRefreshToken {
             if ($env:TenantID -eq $Request.body.tenantId) {
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'RefreshToken' -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
             } else {
-                $name = $Request.body.tenantId -replace '-', '_'
-                Set-AzKeyVaultSecret -VaultName $kv -Name $name -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
+                Write-Host "$($env:TenantID) does not match $($Request.body.tenantId) - we're adding a new secret for the tenant."
+                $name = $Request.body.tenantId
+                try {
+                    Set-AzKeyVaultSecret -VaultName $kv -Name $name -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
+                } catch {
+                    Write-Host "Failed to set secret $name in KeyVault. $($_.Exception.Message)"
+                    throw $_
+                }
             }
         }
         $InstanceId = Start-UpdatePermissionsOrchestrator #start the CPV refresh immediately while wizard still runs.

Modules/CIPPCore/Public/Entrypoints/Invoke-ListLogs.ps1

@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ListLogs {
+function Invoke-ListLogs {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -25,17 +25,35 @@ Function Invoke-ListLogs {
         }
     } else {
         if ($request.Query.Filter -eq 'True') {
-            $LogLevel = if ($Request.query.Severity) { ($Request.query.Severity).split(',') } else { 'Info', 'Warn', 'Error', 'Critical', 'Alert' }
-            $PartitionKey = $Request.query.DateFilter
+            $LogLevel = if ($Request.Query.Severity) { ($Request.query.Severity).split(',') } else { 'Info', 'Warn', 'Error', 'Critical', 'Alert' }
+            $PartitionKey = $Request.Query.DateFilter
             $username = $Request.Query.User
+
+            $StartDate = $Request.Query.StartDate ?? $Request.Query.DateFilter
+            $EndDate = $Request.Query.EndDate ?? $Request.Query.DateFilter
+
+            if ($StartDate -and $EndDate) {
+                # Collect logs for each partition key date in range
+                $PartitionKeys = for ($Date = [datetime]::ParseExact($StartDate, 'yyyyMMdd', $null); $Date -le [datetime]::ParseExact($EndDate, 'yyyyMMdd', $null); $Date = $Date.AddDays(1)) {
+                    $PartitionKey = $Date.ToString('yyyyMMdd')
+                    "PartitionKey eq '$PartitionKey'"
+                }
+                $Filter = $PartitionKeys -join ' or '
+            } elseif ($StartDate) {
+                $Filter = "PartitionKey eq '{0}'" -f $StartDate
+            } else {
+                $Filter = "PartitionKey eq '{0}'" -f (Get-Date -UFormat '%Y%m%d')
+            }
         } else {
             $LogLevel = 'Info', 'Warn', 'Error', 'Critical', 'Alert'
             $PartitionKey = Get-Date -UFormat '%Y%m%d'
             $username = '*'
+            $Filter = "PartitionKey eq '{0}'" -f $PartitionKey
         }
         $AllowedTenants = Test-CIPPAccess -Request $Request -TenantList
-        $Filter = "PartitionKey eq '{0}'" -f $PartitionKey
-        $Rows = Get-AzDataTableEntity @Table -Filter $Filter | Where-Object { $_.Severity -In $LogLevel -and $_.user -like $username }
+        Write-Host "Getting logs for filter: $Filter, LogLevel: $LogLevel, Username: $username"
+
+        $Rows = Get-AzDataTableEntity @Table -Filter $Filter | Where-Object { $_.Severity -in $LogLevel -and $_.user -like $username }
         foreach ($Row in $Rows) {
             if ($AllowedTenants -notcontains 'AllTenants') {
                 $TenantList = Get-Tenants -IncludeErrors

Modules/CIPPCore/Public/Entrypoints/Timer Functions/Start-UpdateTokensTimer.ps1

@@ -7,12 +7,12 @@ function Start-UpdateTokensTimer {
     [CmdletBinding(SupportsShouldProcess = $true)]
     param()
     if ($PSCmdlet.ShouldProcess('Start-UpdateTokensTimer', 'Starting Update Tokens Timer')) {
-
+        Write-Information 'Starting Update Tokens Timer'
+        Write-Information "Getting new refresh token for $($env:TenantId)"
         # Get the current universal time in the default string format.
         $currentUTCtime = (Get-Date).ToUniversalTime()
         try {
             $Refreshtoken = (Get-GraphToken -ReturnRefresh $true).Refresh_token
-
             if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
                 $Table = Get-CIPPTable -tablename 'DevSecrets'
                 $Secret = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
@@ -37,10 +37,95 @@ function Start-UpdateTokensTimer {
                 }
             }
         } catch {
+            Write-Warning "Error updating refresh token $($_.Exception.Message)."
+            Write-Information ($_.InvocationInfo.PositionMessage)
             Write-LogMessage -API 'Update Tokens' -message 'Error updating refresh token, see Log Data for details. Will try again in 7 days.' -sev 'CRITICAL' -LogData (Get-CippException -Exception $_)
         }
-        # Write an information log with the current time.
-        Write-Information "PowerShell timer trigger function ran! TIME: $currentUTCtime"
 
+        # Check application secret expiration for $env:ApplicationId and generate a new application secret if expiration is within 30 days.
+        try {
+            $AppId = $env:ApplicationID
+            $PasswordCredentials = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/applications(appId='$AppId')?`$select=id,passwordCredentials" -NoAuthCheck $true -AsApp $true -ErrorAction Stop
+            # sort by latest expiration date and get the first one
+            $LastPasswordCredential = $PasswordCredentials.passwordCredentials | Sort-Object -Property endDateTime -Descending | Select-Object -First 1
+            if ($LastPasswordCredential.endDateTime -lt (Get-Date).AddDays(30).ToUniversalTime()) {
+                Write-Information "Application secret for $AppId is expiring soon. Generating a new application secret."
+                $AppSecret = New-GraphPostRequest -uri "https://graph.microsoft.com/v1.0/applications/$($PasswordCredentials.id)/addPassword" -Body '{"passwordCredential":{"displayName":"UpdateTokens"}}' -NoAuthCheck $true -AsApp $true -ErrorAction Stop
+                Write-Information "New application secret generated for $AppId. Expiration date: $($AppSecret.endDateTime)."
+            } else {
+                Write-Information "Application secret for $AppId is valid until $($LastPasswordCredential.endDateTime). No need to generate a new application secret."
+            }
+
+            if ($AppSecret) {
+                if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
+                    $Table = Get-CIPPTable -tablename 'DevSecrets'
+                    $Secret = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
+                    $Secret.ApplicationSecret = $AppSecret.secretText
+                    Add-AzDataTableEntity @Table -Entity $Secret -Force
+                } else {
+                    Set-AzKeyVaultSecret -VaultName $KV -Name 'ApplicationSecret' -SecretValue (ConvertTo-SecureString -String $AppSecret.secretText -AsPlainText -Force)
+                }
+                Write-LogMessage -API 'Update Tokens' -message "New application secret generated for $AppId. Expiration date: $($AppSecret.endDateTime)." -sev 'INFO'
+            }
+
+            # Clean up expired application secrets
+            $ExpiredSecrets = $PasswordCredentials.passwordCredentials | Where-Object { $_.endDateTime -lt (Get-Date).ToUniversalTime() }
+            if ($ExpiredSecrets.Count -gt 0) {
+                Write-Information "Found $($ExpiredSecrets.Count) expired application secrets for $AppId. Removing them."
+                foreach ($Secret in $ExpiredSecrets) {
+                    try {
+                        New-GraphPostRequest -type DELETE -uri "https://graph.microsoft.com/v1.0/applications/$($PasswordCredentials.id)/removePassword" -Body "{`"keyId`":`"$($Secret.keyId)`"}" -NoAuthCheck $true -AsApp $true -ErrorAction Stop
+                        Write-Information "Removed expired application secret with keyId $($Secret.keyId)."
+                    } catch {
+                        Write-LogMessage -API 'Update Tokens' -message "Error removing expired application secret with keyId $($Secret.keyId), see Log Data for details." -sev 'CRITICAL' -LogData (Get-CippException -Exception $_)
+                    }
+                }
+            } else {
+                Write-Information "No expired application secrets found for $AppId."
+            }
+        } catch {
+            Write-Warning "Error updating application secret $($_.Exception.Message)."
+            Write-Information ($_.InvocationInfo.PositionMessage)
+            Write-LogMessage -API 'Update Tokens' -message 'Error updating application secret, will try again in 7 days' -sev 'CRITICAL' -LogData (Get-CippException -Exception $_)
+        }
+
+        # Get new refresh token for each direct added tenant
+        $TenantList = Get-Tenants -IncludeAll | Where-Object { $_.Excluded -eq $false -and $_.delegatedPrivilegeStatus -eq 'directTenant' }
+        if ($TenantList.Count -eq 0) {
+            Write-Information 'No direct tenants found for refresh token update.'
+        } else {
+            Write-Information "Found $($TenantList.Count) direct tenant(s) for refresh token update."
+            foreach ($Tenant in $TenantList) {
+                try {
+                    Write-Information "Updating refresh token for tenant $($Tenant.displayName) - $($Tenant.customerId)"
+                    $Refreshtoken = (Get-GraphToken -ReturnRefresh $true -TenantId $Tenant.customerId).Refresh_token
+                    if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
+                        $Table = Get-CIPPTable -tablename 'DevSecrets'
+                        $Secret = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
+                        if ($Secret) {
+                            $name = $Tenant.customerId -replace '-', '_'
+                            $Secret | Add-Member -MemberType NoteProperty -Name $name -Value $Refreshtoken -Force
+                            Add-AzDataTableEntity @Table -Entity $Secret -Force
+                        } else {
+                            Write-Warning "Could not update refresh token for tenant $($Tenant.displayName) ($($Tenant.customerId))."
+                            Write-LogMessage -API 'Update Tokens' -tenant $Tenant.defaultDomainName -tenantid $Tenant.customerId -message "Could not update refresh token for tenant $($Tenant.displayName). Will try again in 7 days." -sev 'CRITICAL'
+                        }
+                    } else {
+                        if ($Refreshtoken) {
+                            $name = $Tenant.customerId
+                            Set-AzKeyVaultSecret -VaultName $KV -Name $name -SecretValue (ConvertTo-SecureString -String $Refreshtoken -AsPlainText -Force)
+                        } else {
+                            Write-Warning "Could not update refresh token for tenant $($Tenant.displayName) ($($Tenant.customerId))."
+                            Write-LogMessage -API 'Update Tokens' -tenant $Tenant.defaultDomainName -tenantid $Tenant.customerId -message "Could not update refresh token for tenant $($Tenant.displayName). Will try again in 7 days." -sev 'CRITICAL'
+                        }
+                    }
+                } catch {
+                    Write-LogMessage -API 'Update Tokens' -tenant $Tenant.defaultDomainName -tenantid $Tenant.customerId -message "Error updating refresh token for tenant $($Tenant.displayName), see Log Data for details. Will try again in 7 days." -sev 'CRITICAL' -LogData (Get-CippException -Exception $_)
+                }
+            }
+        }
+
+        # Write an information log with the current time.
+        Write-Information "UpdateTokens completed: $currentUTCtime"
     }
 }

Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1

@@ -57,11 +57,9 @@ function Get-CIPPAuthentication {
             $tenants = Get-CIPPAzDataTableEntity @TenantsTable -Filter $Filter
             if ($tenants) {
                 $tenants | ForEach-Object {
-                    $name = $_.tenantId -replace '-', '_'
+                    $name = $_.customerId
                     $secret = Get-AzKeyVaultSecret -VaultName $keyvaultname -Name $name -AsPlainText -ErrorAction Stop
                     if ($secret) {
-                        #set the name back to the original tenantId
-                        $name = $_.customerId
                         Set-Item -Path env:$name -Value $secret -Force
                     }
                 }

Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1

@@ -10,12 +10,10 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $AppSecret, $refreshT
     $Filter = "PartitionKey eq 'AppCache' and RowKey eq 'AppCache'"
     $AppCache = Get-CIPPAzDataTableEntity @ConfigTable -Filter $Filter
     #force auth update is appId is not the same as the one in the environment variable.
-    Write-Host "My appId pre-launch is $($env:ApplicationID) and the one in the cache is $($AppCache.ApplicationId)"
     if ($AppCache.ApplicationId -and $env:ApplicationID -ne $AppCache.ApplicationId) {
         Write-Host "Setting environment variable ApplicationID to $($AppCache.ApplicationId)"
         $CIPPAuth = Get-CIPPAuthentication
     }
-    Write-Host "My appId post-launch is $($env:ApplicationID) and the one in the cache is $($AppCache.ApplicationId)"
     $refreshToken = $env:RefreshToken
     if (!$tenantid) { $tenantid = $env:TenantID }
     #Get list of tenants that have 'directTenant' set to true