Merge pull request #131 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Config/cipp-roles.json

@@ -0,0 +1,23 @@
+{
+  "readonly": {
+    "include": ["*.Read"],
+    "exclude": ["CIPP.SuperAdmin.*"]
+  },
+  "editor": {
+    "include": ["*.Read", "*.ReadWrite"],
+    "exclude": [
+      "CIPP.SuperAdmin.*",
+      "CIPP.Admin.*",
+      "CIPP.AppSettings.*",
+      "Tenant.Standards.ReadWrite"
+    ]
+  },
+  "admin": {
+    "include": ["*"],
+    "exclude": ["CIPP.SuperAdmin.*"]
+  },
+  "superadmin": {
+    "include": ["*"],
+    "exclude": []
+  }
+}

Modules/CIPPCore/Public/Authentication/Get-CIPPHttpFunctions.ps1

@@ -9,6 +9,7 @@ function Get-CIPPHttpFunctions {
         $Results = foreach ($Function in $Functions) {
             $Help = Get-Help $Function
             if ($Help.Functionality -ne 'Entrypoint') { continue }
+            if ($Help.Role -eq 'Public') { continue }
             [PSCustomObject]@{
                 Function = $Function.Name
                 Role     = $Help.Role

Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1

@@ -53,13 +53,13 @@ function New-CIPPAPIConfig {
 
             if ($PSCmdlet.ShouldProcess($AppName, 'Create API App')) {
                 Write-Information 'Creating app'
-                $APIApp = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/applications' -NoAuthCheck $true -type POST -body $CreateBody
+                $APIApp = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/applications' -AsApp $true -NoAuthCheck $true -type POST -body $CreateBody
                 Write-Information 'Creating password'
-                $APIPassword = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)/addPassword" -NoAuthCheck $true -type POST -body "{`"passwordCredential`":{`"displayName`":`"Generated by API Setup`"}}"
+                $APIPassword = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)/addPassword" -AsApp $true -NoAuthCheck $true -type POST -body "{`"passwordCredential`":{`"displayName`":`"Generated by API Setup`"}}"
                 Write-Information 'Adding App URL'
-                $APIIdUrl = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)" -NoAuthCheck $true -type PATCH -body "{`"identifierUris`":[`"api://$($APIApp.appId)`"]}"
+                $APIIdUrl = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)" -AsApp $true -NoAuthCheck $true -type PATCH -body "{`"identifierUris`":[`"api://$($APIApp.appId)`"]}"
                 Write-Information 'Adding serviceprincipal'
-                $ServicePrincipal = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/serviceprincipals' -NoAuthCheck $true -type POST -body "{`"accountEnabled`":true,`"appId`":`"$($APIApp.appId)`",`"displayName`":`"$AppName`",`"tags`":[`"WindowsAzureActiveDirectoryIntegratedApp`",`"AppServiceIntegratedApp`"]}"
+                $ServicePrincipal = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/serviceprincipals' -AsApp $true -NoAuthCheck $true -type POST -body "{`"accountEnabled`":true,`"appId`":`"$($APIApp.appId)`",`"displayName`":`"$AppName`",`"tags`":[`"WindowsAzureActiveDirectoryIntegratedApp`",`"AppServiceIntegratedApp`"]}"
                 Write-LogMessage -headers $Headers -API $APINAME -tenant 'None '-message "Created CIPP-API App with name '$($APIApp.displayName)'." -Sev 'info'
             }
         }

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

@@ -12,7 +12,14 @@ function Test-CIPPAccess {
     # Check help for role
     $APIRole = $Help.Role
 
-    $AnyTenantAllowedFunctions = @('ListTenants', 'ListUserSettings', 'ListUserPhoto', 'GetCippAlerts', 'GetVersion')
+    if ($APIRole -eq 'Public') {
+        return $true
+    }
+
+    # Get default roles from config
+    $CIPPCoreModuleRoot = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
+    $CIPPRoot = (Get-Item $CIPPCoreModuleRoot).Parent.Parent
+    $BaseRoles = Get-Content -Path $CIPPRoot\Config\cipp-roles.json | ConvertFrom-Json
 
     if ($Request.Headers.'x-ms-client-principal-idp' -eq 'aad' -and $Request.Headers.'x-ms-client-principal-name' -match '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$') {
         # Direct API Access
@@ -132,15 +139,15 @@ function Test-CIPPAccess {
                     }
                 }
             }
+
             if (!$APIAllowed) {
-                throw "Access to this CIPP API endpoint is not allowed, the '$($Role.Role)' custom role does not have the required permission: $APIRole"
+                throw "Access to this CIPP API endpoint is not allowed, you do not have the required permission: $APIRole"
             }
-            if (!$TenantAllowed -and $AnyTenantAllowedFunctions -notcontains $Request.Params.CIPPEndpoint) {
+            if (!$TenantAllowed -and $Help.Functionality -notmatch 'AnyTenant') {
                 throw 'Access to this tenant is not allowed'
             } else {
                 return $true
             }
-
         } else {
             # No permissions found for any roles
             if ($TenantList.IsPresent) {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecAddAlert.ps1

@@ -3,7 +3,7 @@ using namespace System.Net
 Function Invoke-ExecAddAlert {
     <#
     .FUNCTIONALITY
-        Entrypoint
+        Entrypoint,AnyTenant
     .ROLE
         CIPP.Alert.ReadWrite
     #>

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecEditTemplate.ps1

@@ -3,7 +3,7 @@ using namespace System.Net
 Function Invoke-ExecEditTemplate {
     <#
     .FUNCTIONALITY
-        Entrypoint
+        Entrypoint,AnyTenant
     .ROLE
         CIPP.Core.ReadWrite
     #>

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecGeoIPLookup.ps1

@@ -3,7 +3,7 @@ using namespace System.Net
 Function Invoke-ExecGeoIPLookup {
     <#
     .FUNCTIONALITY
-        Entrypoint
+        Entrypoint,AnyTenant
     .ROLE
         CIPP.Core.Read
     #>

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecServicePrincipals.ps1

@@ -1,7 +1,7 @@
 function Invoke-ExecServicePrincipals {
     <#
     .FUNCTIONALITY
-        Entrypoint
+        Entrypoint,AnyTenant
     .ROLE
         CIPP.Core.ReadWrite
     #>

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-GetCippAlerts.ps1

@@ -3,7 +3,7 @@ using namespace System.Net
 Function Invoke-GetCippAlerts {
     <#
     .FUNCTIONALITY
-        Entrypoint
+        Entrypoint,AnyTenant
     .ROLE
         CIPP.Core.Read
     #>

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-GetVersion.ps1

@@ -3,7 +3,7 @@ using namespace System.Net
 Function Invoke-GetVersion {
     <#
     .FUNCTIONALITY
-        Entrypoint
+        Entrypoint,AnyTenant
     .ROLE
         CIPP.AppSettings.Read
     #>