
Commit 4707a6a

committed
CIPP-API fixes
add permission check
1 parent 36bfe09 commit 4707a6a


3 files changed

+42
-26
lines changed


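--- a/Modules/CIPPCore/Public/Authentication/Get-CippApiClient.ps1
+++ b/Modules/CIPPCore/Public/Authentication/Get-CippApiClient.ps1
@@ -18,7 +18,7 @@ function Get-CippApiClient {
 if ($AppId) {
 $Table.Filter = "RowKey eq '$AppId'"
 }
-$Apps = Get-CIPPAzDataTableEntity @Table
+$Apps = Get-CIPPAzDataTableEntity @Table | Where-Object { ![string]::IsNullOrEmpty($_.RowKey) }
 $Apps = foreach ($Client in $Apps) {
 $Client = $Client | Select-Object -Property @{Name = 'ClientId'; Expression = { $_.RowKey } }, AppName, Role, IPRange, Enabled
 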
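--- a/Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1
+++ b/Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1
@@ -9,6 +9,14 @@ function New-CIPPAPIConfig {
 [string]$AppId
 )
 
+$Permissions = Get-GraphToken -tenantid $env:TenantID -scope 'https://graph.microsoft.com/.default' -AsApp $true -SkipCache $true -ReturnRefresh $true
+$Token = Read-JwtAccessDetails -Token $Permissions.access_token
+$Permissions = $Token.Roles | Where-Object { $_ -match 'Application.ReadWrite.All' -or $_ -match 'Directory.ReadWrite.All' }
+if (!$Permissions -or $Permissions.Count -lt 2) {
+Write-LogMessage -headers $Headers -API $APINAME -tenant 'None '-message 'Insufficient permissions to create API App' -Sev 'Error'
+throw 'Insufficient permissions to create API App. This integration requires the following Application permissions in the partner tenant. Application.ReadWrite.All, Directory.ReadWrite.All'
+}
+
 try {
 if ($AppId) {
 $APIApp = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/applications(appid='$($AppId)')" -NoAuthCheck $true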
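Review bot: The role check on new lines 14-15 counts regex matches instead of requiring each role, so two hits on the same role, or a role name that merely contains the pattern (the dots in 'Application.ReadWrite.All' are unescaped regex metacharacters), could satisfy `-lt 2` without both permissions being present; an explicit membership test is safer: `$Roles = @($Token.Roles)` then `if (-not ($Roles -contains 'Application.ReadWrite.All' -and $Roles -contains 'Directory.ReadWrite.All')) {`. The log call on new line 16 reads `-tenant 'None '-message` with no space before `-message`, which PowerShell will likely fold into the tenant argument and leave the message string positional; it should be `-tenant 'None' -message 'Insufficient permissions to create API App'`. `$Headers` and `$APINAME` are not in the visible param block, so confirm they are in scope in this function rather than silently empty in the log entry. If `Read-JwtAccessDetails` only needs the access token, `-ReturnRefresh $true` appears unnecessary and pulls a refresh token into a local that is immediately overwritten. New-CIPPAPIConfig's param block starts above the hunk.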

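--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecApiClient.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecApiClient.ps1
@@ -13,7 +13,7 @@ function Invoke-ExecApiClient {
 
 switch ($Action) {
 'List' {
-$Apps = Get-CIPPAzDataTableEntity @Table
+$Apps = Get-CIPPAzDataTableEntity @Table | Where-Object { ![string]::IsNullOrEmpty($_.RowKey) }
 if (!$Apps) {
 $Apps = @()
 } else {
@@ -31,6 +31,7 @@ function Invoke-ExecApiClient {
 'AddUpdate' {
 if ($Request.Body.ClientId -or $Request.Body.AppName) {
 $ClientId = $Request.Body.ClientId.value ?? $Request.Body.ClientId
+$AddUpdateSuccess = $false
 try {
 $ApiConfig = @{
 Headers = $Request.Headers
@@ -46,8 +47,9 @@ function Invoke-ExecApiClient {
 
 $ClientId = $APIConfig.ApplicationID
 $AddedText = $APIConfig.Results
+$AddUpdateSuccess = $true
 } catch {
-$AddedText = 'Could not modify App Registrations. Check the CIPP documentation for API requirements.'
+$AddedText = "Could not modify App Registrations. Check the CIPP documentation for API requirements. Error: $($_.Exception.Message)"
 $Body = $Body | Select-Object * -ExcludeProperty CIPPAPI
 }
 }
@@ -64,32 +66,38 @@ function Invoke-ExecApiClient {
 $IpRange = @()
 }
 
-$ExistingClient = Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq '$($ClientId)'"
-if ($ExistingClient) {
-$Client = $ExistingClient
-$Client.Role = [string]$Request.Body.Role.value
-$Client.IPRange = "$(@($IpRange) | ConvertTo-Json -Compress)"
-$Client.Enabled = $Request.Body.Enabled ?? $false
-Write-LogMessage -headers $Request.Headers -API 'ExecApiClient' -message "Updated API client $($Request.Body.ClientId)" -Sev 'Info'
-$Results = 'API client updated'
-} else {
-$Client = @{
-'PartitionKey' = 'ApiClients'
-'RowKey' = "$($ClientId)"
-'AppName' = "$($APIConfig.AppName ?? $Request.Body.ClientId.addedFields.displayName)"
-'Role' = [string]$Request.Body.Role.value
-'IPRange' = "$(@($IpRange) | ConvertTo-Json -Compress)"
-'Enabled' = $Request.Body.Enabled ?? $false
+if (!$AddUpdateSuccess -and !$ClientId) {
+$Body = @{
+Results = $AddedText
 }
-$Results = @{
-resultText = "API Client created with the name '$($Client.AppName)'. Use the Copy to Clipboard button to retrieve the secret."
-copyField = $APIConfig.ApplicationSecret
-state = 'success'
+} else {
+$ExistingClient = Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq '$($ClientId)'"
+if ($ExistingClient) {
+$Client = $ExistingClient
+$Client.Role = [string]$Request.Body.Role.value
+$Client.IPRange = "$(@($IpRange) | ConvertTo-Json -Compress)"
+$Client.Enabled = $Request.Body.Enabled ?? $false
+Write-LogMessage -headers $Request.Headers -API 'ExecApiClient' -message "Updated API client $($Request.Body.ClientId)" -Sev 'Info'
+$Results = 'API client updated'
+} else {
+$Client = @{
+'PartitionKey' = 'ApiClients'
+'RowKey' = "$($ClientId)"
+'AppName' = "$($APIConfig.AppName ?? $Request.Body.ClientId.addedFields.displayName)"
+'Role' = [string]$Request.Body.Role.value
+'IPRange' = "$(@($IpRange) | ConvertTo-Json -Compress)"
+'Enabled' = $Request.Body.Enabled ?? $false
+}
+$Results = @{
+resultText = "API Client created with the name '$($Client.AppName)'. Use the Copy to Clipboard button to retrieve the secret."
+copyField = $APIConfig.ApplicationSecret
+state = 'success'
+}
 }
-}
 
-Add-CIPPAzDataTableEntity @Table -Entity $Client -Force | Out-Null
-$Body = @($Results)
+Add-CIPPAzDataTableEntity @Table -Entity $Client -Force | Out-Null
+$Body = @($Results)
+}
 }
 'GetAzureConfiguration' {
 $RGName = $ENV:WEBSITE_RESOURCE_GROUP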
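Review bot: In the last hunk the new guard `if (!$AddUpdateSuccess -and !$ClientId)` only surfaces a New-CIPPAPIConfig failure when no ClientId was supplied; when a ClientId was given and the Graph step threw, execution falls into the else branch, the table row is still written, and `$Body = @($Results)` discards `$AddedText`, so the caller gets 'API client updated' (or a 'created' result whose `copyField` is `$APIConfig.ApplicationSecret`, presumably null after the throw) with no indication that the app registration was not modified. If continuing on Graph failure is intended for existing clients, carry the error through, e.g. `$Results = "API client updated. $AddedText"` in the update branch; otherwise drop `-and !$ClientId` so any failure returns `$AddedText`. The re-added filter `"RowKey eq '$($ClientId)'"` also interpolates a request-supplied value into an OData filter without doubling single quotes; that predates this commit but is now on the new side and deserves a doubling of `'` or a comment stating why the value is trusted. `$APIConfig` is assigned inside the try above the third hunk, so its state after a throw is not visible here.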
