Merge pull request #623 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

.github/workflows/dev_api.yml

@@ -25,6 +25,67 @@ jobs:
         uses: actions/checkout@v4
         with:
           persist-credentials: false
+    
+      - name: Setup PowerShell module cache
+        id: cacher
+        uses: actions/cache@v3
+        with:
+          path: "~/.local/share/powershell/Modules"
+          key: ${{ runner.os }}-ModuleBuilder
+
+      - name: Install ModuleBuilder
+        if: steps.cacher.outputs.cache-hit != 'true'
+        shell: pwsh
+        run: |
+          Set-PSRepository PSGallery -InstallationPolicy Trusted
+          Install-Module ModuleBuilder -AllowClobber -Force
+
+      - name: Build CIPPCore Module
+        shell: pwsh
+        run: |
+          $ModulePath = Join-Path $env:GITHUB_WORKSPACE "Modules/CIPPCore"
+          $OutputPath = Join-Path $env:GITHUB_WORKSPACE "Output"
+
+          Write-Host "Building module from: $ModulePath"
+          Write-Host "Output directory: $OutputPath"
+
+          # Generate function permissions before replacing the source module
+          $ToolsPath = Join-Path $env:GITHUB_WORKSPACE "Tools"
+          $ScriptPath = Join-Path $ToolsPath "Build-FunctionPermissions.ps1"
+          pwsh -File $ScriptPath -ModulePath $ModulePath
+
+          # Build the module using ModuleBuilder
+          Build-Module -SourcePath $ModulePath -OutputDirectory $OutputPath -Verbose
+
+          # Replace the source module with the built module
+          Remove-Item -Path $ModulePath -Recurse -Force
+          Copy-Item -Path (Join-Path $OutputPath "CIPPCore") -Destination $ModulePath -Recurse -Force
+
+          Write-Host "Module built and replaced successfully"
+
+          # Clean up output directory
+          Remove-Item -Path $OutputPath -Recurse -Force
+
+      - name: Build CippExtensions Module
+        shell: pwsh
+        run: |
+          $ModulePath = Join-Path $env:GITHUB_WORKSPACE "Modules/CippExtensions"
+          $OutputPath = Join-Path $env:GITHUB_WORKSPACE "Output"
+
+          Write-Host "Building module from: $ModulePath"
+          Write-Host "Output directory: $OutputPath"
+
+          # Build the module using ModuleBuilder
+          Build-Module -SourcePath $ModulePath -OutputDirectory $OutputPath -Verbose
+
+          # Replace the source module with the built module
+          Remove-Item -Path $ModulePath -Recurse -Force
+          Copy-Item -Path (Join-Path $OutputPath "CippExtensions") -Destination $ModulePath -Recurse -Force
+
+          Write-Host "Module built and replaced successfully"
+
+          # Clean up output directory
+          Remove-Item -Path $OutputPath -Recurse -Force
 
       - name: Login to Azure
         uses: azure/login@v2

Modules/CIPPCore/Public/Authentication/Get-CIPPAzIdentityToken.ps1

@@ -3,7 +3,8 @@ function Get-CIPPAzIdentityToken {
     .SYNOPSIS
         Get the Azure Identity token for Managed Identity
     .DESCRIPTION
-        This function retrieves the Azure Identity token using the Managed Identity endpoint for the specified resource
+        This function retrieves the Azure Identity token using the Managed Identity endpoint for the specified resource.
+        Tokens are cached per resource URL until expiration to reduce redundant API calls.
     .PARAMETER ResourceUrl
         The Azure resource URL to get a token for. Defaults to 'https://management.azure.com/' for Azure Resource Manager.
 
@@ -12,6 +13,8 @@ function Get-CIPPAzIdentityToken {
         - https://vault.azure.net (Azure Key Vault)
         - https://api.loganalytics.io (Log Analytics / Application Insights)
         - https://storage.azure.com/ (Azure Storage)
+    .PARAMETER SkipCache
+        Force a new token to be fetched, bypassing the cache.
     .EXAMPLE
         Get-CIPPAzIdentityToken
         Gets a token for Azure Resource Manager
@@ -25,7 +28,8 @@ function Get-CIPPAzIdentityToken {
     [CmdletBinding()]
     param(
         [Parameter(Mandatory = $false)]
-        [string]$ResourceUrl = 'https://management.azure.com/'
+        [string]$ResourceUrl = 'https://management.azure.com/',
+        [switch]$SkipCache
     )
 
     $Endpoint = $env:IDENTITY_ENDPOINT
@@ -35,12 +39,40 @@ function Get-CIPPAzIdentityToken {
         throw 'Managed Identity environment variables (IDENTITY_ENDPOINT/IDENTITY_HEADER) not found. Is Managed Identity enabled on the Function App?'
     }
 
-    $EncodedResource = [System.Uri]::EscapeDataString($ResourceUrl)
-    $TokenUri = "$($Endpoint)?resource=$EncodedResource&api-version=2019-08-01"
-    $Headers = @{
-        'X-IDENTITY-HEADER' = $Secret
-    }
+    # Build cache key from resource URL
+    $TokenKey = "ManagedIdentity-$ResourceUrl"
+
+    try {
+        # Check if cached token exists and is still valid
+        if ($script:ManagedIdentityTokens.$TokenKey -and [int](Get-Date -UFormat %s -Millisecond 0) -lt $script:ManagedIdentityTokens.$TokenKey.expires_on -and $SkipCache -ne $true) {
+            return $script:ManagedIdentityTokens.$TokenKey.access_token
+        }
+
+        # Get new token
+        $EncodedResource = [System.Uri]::EscapeDataString($ResourceUrl)
+        $TokenUri = "$($Endpoint)?resource=$EncodedResource&api-version=2019-08-01"
+        $Headers = @{
+            'X-IDENTITY-HEADER' = $Secret
+        }
+
+        $TokenResponse = Invoke-RestMethod -Method Get -Headers $Headers -Uri $TokenUri -ErrorAction Stop
+
+        # Calculate expiration time
+        $ExpiresOn = [int](Get-Date -UFormat %s -Millisecond 0) + $TokenResponse.expires_in
 
-    $TokenResponse = Invoke-RestMethod -Method Get -Headers $Headers -Uri $TokenUri
-    return $TokenResponse.access_token
+        # Store in cache (initialize synchronized hash table if needed)
+        if (-not $script:ManagedIdentityTokens) {
+            $script:ManagedIdentityTokens = [HashTable]::Synchronized(@{})
+        }
+
+        # Add expires_on to token response for tracking
+        Add-Member -InputObject $TokenResponse -NotePropertyName 'expires_on' -NotePropertyValue $ExpiresOn -Force
+
+        # Cache the token
+        $script:ManagedIdentityTokens.$TokenKey = $TokenResponse
+
+        return $TokenResponse.access_token
+    } catch {
+        throw "Failed to get managed identity token for resource '$ResourceUrl': $($_.Exception.Message)"
+    }
 }

Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1

@@ -19,7 +19,8 @@ function New-CIPPAPIConfig {
 
     try {
         if ($AppId) {
-            $APIApp = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/applications(appid='$($AppId)')" -NoAuthCheck $true
+            $APIApp = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/applications(appid='$($AppId)')" -NoAuthCheck $true -AsApp $true
+            Write-Information "Found existing app with AppId $AppId"
         } else {
             $CreateBody = @{
                 api                    = @{

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

@@ -12,20 +12,50 @@ function Test-CIPPAccess {
     # Get function help
     $FunctionName = 'Invoke-{0}' -f $Request.Params.CIPPEndpoint
 
+    $SwPermissions = [System.Diagnostics.Stopwatch]::StartNew()
+    if (-not $global:CIPPFunctionPermissions) {
+        $CIPPCoreModule = Get-Module -Name CIPPCore
+        if ($CIPPCoreModule) {
+            $PermissionsFileJson = Join-Path $CIPPCoreModule.ModuleBase 'lib' 'data' 'function-permissions.json'
+            
+            if (Test-Path $PermissionsFileJson) {
+                try {
+                    $jsonData = Get-Content -Path $PermissionsFileJson -Raw | ConvertFrom-Json -AsHashtable
+                    $global:CIPPFunctionPermissions = [System.Collections.Hashtable]::new([StringComparer]::OrdinalIgnoreCase)
+                    foreach ($key in $jsonData.Keys) {
+                        $global:CIPPFunctionPermissions[$key] = $jsonData[$key]
+                    }
+                    Write-Information "Loaded $($global:CIPPFunctionPermissions.Count) function permissions from JSON cache"
+                } catch {
+                    Write-Warning "Failed to load function permissions from JSON: $($_.Exception.Message)"
+                }
+            }
+        }
+    }
+    $SwPermissions.Stop()
+    $AccessTimings['FunctionPermissions'] = $SwPermissions.Elapsed.TotalMilliseconds
+
     if ($FunctionName -ne 'Invoke-me') {
         $swHelp = [System.Diagnostics.Stopwatch]::StartNew()
-        try {
-            $Help = Get-Help $FunctionName -ErrorAction Stop
-        } catch {
-            Write-Warning "Function '$FunctionName' not found"
+        if ($global:CIPPFunctionPermissions -and $global:CIPPFunctionPermissions.ContainsKey($FunctionName)) {
+            $PermissionData = $global:CIPPFunctionPermissions[$FunctionName]
+            $APIRole = $PermissionData['Role']
+            $Functionality = $PermissionData['Functionality']
+            Write-Information "Loaded function permission data from cache for '$FunctionName': Role='$APIRole', Functionality='$Functionality'"
+        } else {
+            try {
+                $Help = Get-Help $FunctionName -ErrorAction Stop
+                $APIRole = $Help.Role
+                $Functionality = $Help.Functionality
+                Write-Information "Loaded function permission data via Get-Help for '$FunctionName': Role='$APIRole', Functionality='$Functionality'"
+            } catch {
+                Write-Warning "Function '$FunctionName' not found"
+            }
         }
         $swHelp.Stop()
         $AccessTimings['GetHelp'] = $swHelp.Elapsed.TotalMilliseconds
     }
 
-    # Check help for role
-    $APIRole = $Help.Role
-
     # Get default roles from config
     $swRolesLoad = [System.Diagnostics.Stopwatch]::StartNew()
     $CIPPCoreModuleRoot = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
@@ -367,7 +397,7 @@ function Test-CIPPAccess {
                 if (!$APIAllowed) {
                     throw "Access to this CIPP API endpoint is not allowed, you do not have the required permission: $APIRole"
                 }
-                if (!$TenantAllowed -and $Help.Functionality -notmatch 'AnyTenant') {
+                if (!$TenantAllowed -and $Functionality -notmatch 'AnyTenant') {
                     throw 'Access to this tenant is not allowed'
                 } else {
                     return $true
@@ -405,12 +435,12 @@ function Test-CIPPAccess {
                 }
             }
 
-            if (!$TenantAllowed -and $Help.Functionality -notmatch 'AnyTenant') {
+            if (!$TenantAllowed -and $Functionality -notmatch 'AnyTenant') {
 
                 if (!$APIAllowed) {
                     throw "Access to this CIPP API endpoint is not allowed, you do not have the required permission: $APIRole"
                 }
-                if (!$TenantAllowed -and $Help.Functionality -notmatch 'AnyTenant') {
+                if (!$TenantAllowed -and $Functionality -notmatch 'AnyTenant') {
                     Write-Information "Tenant not allowed: $TenantFilter"
 
                     throw 'Access to this tenant is not allowed'

Modules/CIPPCore/Public/Send-CIPPAlert.ps1

@@ -100,6 +100,18 @@ function Send-CIPPAlert {
 
     if ($Type -eq 'webhook') {
         Write-Information 'Trying to send webhook'
+
+        $ExtensionTable = Get-CIPPTable -TableName Extensionsconfig
+        $Configuration = ((Get-CIPPAzDataTableEntity @ExtensionTable).config | ConvertFrom-Json)
+
+        if ($Configuration.CFZTNA.WebhookEnabled -eq $true -and $Configuration.CFZTNA.Enabled -eq $true) {
+            $CFAPIKey = Get-ExtensionAPIKey -Extension 'CFZTNA'
+            $Headers = @{'CF-Access-Client-Id' = $Configuration.CFZTNA.ClientId; 'CF-Access-Client-Secret' = "$CFAPIKey" }
+            Write-Information 'CF-Access-Client-Id and CF-Access-Client-Secret headers added to webhook API request'
+        } else {
+            $Headers = $null
+        }
+
         $JSONBody = Get-CIPPTextReplacement -TenantFilter $TenantFilter -Text $JSONContent -EscapeForJson
         try {
             if (![string]::IsNullOrWhiteSpace($Config.webhook) -or ![string]::IsNullOrWhiteSpace($AltWebhook)) {
@@ -124,7 +136,16 @@ function Send-CIPPAlert {
                             Invoke-RestMethod -Uri $webhook -Method POST -ContentType 'Application/json' -Body $JSONBody
                         }
                         default {
-                            Invoke-RestMethod -Uri $webhook -Method POST -ContentType 'Application/json' -Body $JSONContent
+                            $RestMethod = @{
+                                Uri         = $webhook
+                                Method      = 'POST'
+                                ContentType = 'application/json'
+                                Body        = $JSONContent
+                            }
+                            if ($Headers) {
+                                $RestMethod['Headers'] = $Headers
+                            }
+                            Invoke-RestMethod @RestMethod
                         }
                     }
                 }
@@ -137,6 +158,7 @@ function Send-CIPPAlert {
             $ErrorMessage = Get-CippException -Exception $_
             Write-Information "Could not send alerts to webhook: $($ErrorMessage.NormalizedError)"
             Write-LogMessage -API 'Webhook Alerts' -message "Could not send alerts to webhook: $($ErrorMessage.NormalizedError)" -tenant $TenantFilter -sev error -LogData $ErrorMessage
+            return "Could not send alerts to webhook: $($ErrorMessage.NormalizedError)"
         }
     }
 

Tools/Build-FunctionPermissions.ps1

@@ -0,0 +1,87 @@
+param(
+    [string]$ModulePath = (Join-Path $PSScriptRoot '..' 'Modules' 'CIPPCore'),
+    [string]$OutputPath,
+    [string]$ModuleName
+)
+
+$ErrorActionPreference = 'Stop'
+
+function Resolve-ModuleImportPath {
+    param(
+        [Parameter(Mandatory = $true)][string]$Root,
+        [Parameter(Mandatory = $true)][string]$Name
+    )
+
+    $psd1 = Join-Path $Root "$Name.psd1"
+    if (Test-Path $psd1) { return $psd1 }
+
+    $psm1 = Join-Path $Root "$Name.psm1"
+    if (Test-Path $psm1) { return $psm1 }
+
+    throw "Module files not found for '$Name' in '$Root'. Expected $Name.psd1 or $Name.psm1."
+}
+
+function Get-HelpProperty {
+    param(
+        [Parameter(Mandatory = $true)]$HelpObject,
+        [Parameter(Mandatory = $true)][string]$PropertyName
+    )
+
+    $property = $HelpObject.PSObject.Properties[$PropertyName]
+    if ($property) { return $property.Value }
+    return ''
+}
+
+# Resolve defaults
+if (-not (Test-Path -Path $ModulePath)) {
+    throw "ModulePath '$ModulePath' not found. Provide -ModulePath to the module root."
+}
+$ModulePath = (Resolve-Path -Path $ModulePath).ProviderPath
+if (-not $ModuleName) { $ModuleName = (Split-Path -Path $ModulePath -Leaf) }
+if (-not $OutputPath) {
+    $defaultLibData = Join-Path $ModulePath 'lib' 'data' 'function-permissions.json'
+    $OutputPath = if (Test-Path (Split-Path -Parent $defaultLibData)) { $defaultLibData } else { Join-Path $ModulePath 'function-permissions.json' }
+}
+
+# Ensure destination directory exists
+$null = New-Item -ItemType Directory -Path (Split-Path -Parent $OutputPath) -Force
+
+# Import target module so Get-Help can read Role/Functionality metadata
+$ModuleImportPath = Resolve-ModuleImportPath -Root $ModulePath -Name $ModuleName
+$normalizedImportPath = [System.IO.Path]::GetFullPath($ModuleImportPath)
+$loaded = Get-Module -Name $ModuleName | Where-Object { [System.IO.Path]::GetFullPath($_.Path) -eq $normalizedImportPath }
+if (-not $loaded) {
+    Write-Host "Importing module '$ModuleName' from '$ModuleImportPath'"
+    Import-Module -Name $ModuleImportPath -Force -ErrorAction Stop
+} else {
+    Write-Host "Module '$ModuleName' already loaded from '$ModuleImportPath'; reusing existing session copy."
+}
+
+$commands = Get-Command -Module $ModuleName -CommandType Function
+$permissions = [ordered]@{}
+
+foreach ($command in $commands | Sort-Object -Property Name | Select-Object -Unique) {
+    $help = Get-Help -Name $command.Name -ErrorAction SilentlyContinue
+    if ($help) {
+        $role = Get-HelpProperty -HelpObject $help -PropertyName 'Role'
+        $functionality = Get-HelpProperty -HelpObject $help -PropertyName 'Functionality'
+    } else {
+        $role = ''
+        $functionality = ''
+    }
+
+    if ($role -or $functionality) {
+        $permissions[$command.Name] = @{
+            Role          = $role
+            Functionality = $functionality
+        }
+    } else {
+        Write-Host "Skipping $($command.Name): no Role or Functionality metadata found."
+    }
+}
+
+# Depth 3 is sufficient for the flat hashtable of functions -> (Role, Functionality)
+$json = $permissions | ConvertTo-Json -Depth 3
+Set-Content -Path $OutputPath -Value $json -Encoding UTF8
+
+Write-Host "Wrote permissions for $($permissions.Count) functions to $OutputPath"