Add detailed profiling to access and user role checks

JohnDuprey · JohnDuprey · commit 968463443969 · 2025-12-16T18:27:07.000-05:00
Introduced per-call profiling using Stopwatch in Test-CIPPAccess and Test-CIPPAccessUserRole functions. Timings for key operations are collected and logged for performance analysis, aiding in identifying bottlenecks during authentication and authorization flows.
diff --git a/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1 b/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
@@ -4,26 +4,35 @@ function Test-CIPPAccess {
         [switch]$TenantList,
         [switch]$GroupList
     )
+    # Initialize per-call profiling
+    $AccessTimings = @{}
+    $AccessTotalSw = [System.Diagnostics.Stopwatch]::StartNew()
     if ($Request.Params.CIPPEndpoint -eq 'ExecSAMSetup') { return $true }
 
     # Get function help
     $FunctionName = 'Invoke-{0}' -f $Request.Params.CIPPEndpoint
 
     if ($FunctionName -ne 'Invoke-me') {
+        $swHelp = [System.Diagnostics.Stopwatch]::StartNew()
         try {
             $Help = Get-Help $FunctionName -ErrorAction Stop
         } catch {
             Write-Warning "Function '$FunctionName' not found"
         }
+        $swHelp.Stop()
+        $AccessTimings['GetHelp'] = $swHelp.Elapsed.TotalMilliseconds
     }
 
     # Check help for role
     $APIRole = $Help.Role
 
     # Get default roles from config
+    $swRolesLoad = [System.Diagnostics.Stopwatch]::StartNew()
     $CIPPCoreModuleRoot = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
     $CIPPRoot = (Get-Item $CIPPCoreModuleRoot).Parent.Parent
     $BaseRoles = Get-Content -Path $CIPPRoot\Config\cipp-roles.json | ConvertFrom-Json
+    $swRolesLoad.Stop()
+    $AccessTimings['LoadBaseRoles'] = $swRolesLoad.Elapsed.TotalMilliseconds
     $DefaultRoles = @('superadmin', 'admin', 'editor', 'readonly', 'anonymous', 'authenticated')
 
     if ($APIRole -eq 'Public') {
@@ -32,6 +41,7 @@ function Test-CIPPAccess {
 
     if ($Request.Headers.'x-ms-client-principal-idp' -eq 'aad' -and $Request.Headers.'x-ms-client-principal-name' -match '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$') {
         $Type = 'APIClient'
+        $swApiClient = [System.Diagnostics.Stopwatch]::StartNew()
         # Direct API Access
         $ForwardedFor = $Request.Headers.'x-forwarded-for' -split ',' | Select-Object -First 1
         $IPRegex = '^(?<IP>(?:\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-fA-F:]+\]|[0-9a-fA-F:]+))(?::\d+)?$'
@@ -92,14 +102,20 @@ function Test-CIPPAccess {
                         } | ConvertTo-Json -Depth 5)
                 })
         }
+        $swApiClient.Stop()
+        $AccessTimings['ApiClientBranch'] = $swApiClient.Elapsed.TotalMilliseconds
 
     } else {
         $Type = 'User'
+        $swUserBranch = [System.Diagnostics.Stopwatch]::StartNew()
         $User = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Request.Headers.'x-ms-client-principal')) | ConvertFrom-Json
 
         # Check for roles granted via group membership
         if (($User.userRoles | Measure-Object).Count -eq 2 -and $User.userRoles -contains 'authenticated' -and $User.userRoles -contains 'anonymous') {
+            $swResolveUserRoles = [System.Diagnostics.Stopwatch]::StartNew()
             $User = Test-CIPPAccessUserRole -User $User
+            $swResolveUserRoles.Stop()
+            $AccessTimings['ResolveUserRoles'] = $swResolveUserRoles.Elapsed.TotalMilliseconds
         }
 
         #Write-Information ($User | ConvertTo-Json -Depth 5)
@@ -117,7 +133,10 @@ function Test-CIPPAccess {
                     })
             }
 
+            $swPermsMe = [System.Diagnostics.Stopwatch]::StartNew()
             $Permissions = Get-CippAllowedPermissions -UserRoles $User.userRoles
+            $swPermsMe.Stop()
+            $AccessTimings['GetPermissions(me)'] = $swPermsMe.Elapsed.TotalMilliseconds
             return ([HttpResponseContext]@{
                     StatusCode = [HttpStatusCode]::OK
                     Body       = (
@@ -187,8 +206,12 @@ function Test-CIPPAccess {
         if (@('admin', 'superadmin') -contains $BaseRole.Name) {
             return $true
         } else {
+            $swTenantsLoad = [System.Diagnostics.Stopwatch]::StartNew()
             $Tenants = Get-Tenants -IncludeErrors
+            $swTenantsLoad.Stop()
+            $AccessTimings['LoadTenants'] = $swTenantsLoad.Elapsed.TotalMilliseconds
             $PermissionsFound = $false
+            $swRolePerms = [System.Diagnostics.Stopwatch]::StartNew()
             $PermissionSet = foreach ($CustomRole in $CustomRoles) {
                 try {
                     Get-CIPPRolePermissions -Role $CustomRole
@@ -198,9 +221,12 @@ function Test-CIPPAccess {
                     continue
                 }
             }
+            $swRolePerms.Stop()
+            $AccessTimings['GetRolePermissions'] = $swRolePerms.Elapsed.TotalMilliseconds
 
             if ($PermissionsFound) {
                 if ($TenantList.IsPresent) {
+                    $swTenantList = [System.Diagnostics.Stopwatch]::StartNew()
                     $LimitedTenantList = foreach ($Permission in $PermissionSet) {
                         if ((($Permission.AllowedTenants | Measure-Object).Count -eq 0 -or $Permission.AllowedTenants -contains 'AllTenants') -and (($Permission.BlockedTenants | Measure-Object).Count -eq 0)) {
                             @('AllTenants')
@@ -240,8 +266,11 @@ function Test-CIPPAccess {
                             $ExpandedAllowedTenants | Where-Object { $ExpandedBlockedTenants -notcontains $_ }
                         }
                     }
+                    $swTenantList.Stop()
+                    $AccessTimings['BuildTenantList'] = $swTenantList.Elapsed.TotalMilliseconds
                     return @($LimitedTenantList | Sort-Object -Unique)
                 } elseif ($GroupList.IsPresent) {
+                    $swGroupList = [System.Diagnostics.Stopwatch]::StartNew()
                     Write-Information "Getting allowed groups for roles: $($CustomRoles -join ', ')"
                     $LimitedGroupList = foreach ($Permission in $PermissionSet) {
                         if ((($Permission.AllowedTenants | Measure-Object).Count -eq 0 -or $Permission.AllowedTenants -contains 'AllTenants') -and (($Permission.BlockedTenants | Measure-Object).Count -eq 0)) {
@@ -254,11 +283,14 @@ function Test-CIPPAccess {
                             }
                         }
                     }
+                    $swGroupList.Stop()
+                    $AccessTimings['BuildGroupList'] = $swGroupList.Elapsed.TotalMilliseconds
                     return @($LimitedGroupList | Sort-Object -Unique)
                 }
 
                 $TenantAllowed = $false
                 $APIAllowed = $false
+                $swPermissionEval = [System.Diagnostics.Stopwatch]::StartNew()
                 foreach ($Role in $PermissionSet) {
                     foreach ($Perm in $Role.Permissions) {
                         if ($Perm -match $APIRole) {
@@ -329,6 +361,8 @@ function Test-CIPPAccess {
                         }
                     }
                 }
+                $swPermissionEval.Stop()
+                $AccessTimings['EvaluatePermissions'] = $swPermissionEval.Elapsed.TotalMilliseconds
 
                 if (!$APIAllowed) {
                     throw "Access to this CIPP API endpoint is not allowed, you do not have the required permission: $APIRole"
@@ -392,10 +426,22 @@ function Test-CIPPAccess {
             }
             return $true
         }
+        $swUserBranch.Stop()
+        $AccessTimings['UserBranch'] = $swUserBranch.Elapsed.TotalMilliseconds
     }
 
     if ($TenantList.IsPresent) {
+        $AccessTotalSw.Stop()
+        $AccessTimings['Total'] = $AccessTotalSw.Elapsed.TotalMilliseconds
+        $AccessTimingsRounded = [ordered]@{}
+        foreach ($Key in ($AccessTimings.Keys | Sort-Object)) { $AccessTimingsRounded[$Key] = [math]::Round($AccessTimings[$Key], 2) }
+        Write-Information "#### Access Timings #### $($AccessTimingsRounded | ConvertTo-Json -Compress)"
         return @('AllTenants')
     }
+    $AccessTotalSw.Stop()
+    $AccessTimings['Total'] = $AccessTotalSw.Elapsed.TotalMilliseconds
+    $AccessTimingsRounded = [ordered]@{}
+    foreach ($Key in ($AccessTimings.Keys | Sort-Object)) { $AccessTimingsRounded[$Key] = [math]::Round($AccessTimings[$Key], 2) }
+    Write-Information "#### Access Timings #### $($AccessTimingsRounded | ConvertTo-Json -Compress)"
     return $true
 }
diff --git a/Modules/CIPPCore/Public/Authentication/Test-CIPPAccessUserRole.ps1 b/Modules/CIPPCore/Public/Authentication/Test-CIPPAccessUserRole.ps1
@@ -19,6 +19,9 @@ function Test-CIPPAccessUserRole {
     param(
         $User
     )
+    # Initialize per-call profiling
+    $UserRoleTimings = @{}
+    $UserRoleTotalSw = [System.Diagnostics.Stopwatch]::StartNew()
     $Roles = @()
 
     # Check AsyncLocal cache first (per-request cache)
@@ -27,9 +30,12 @@ function Test-CIPPAccessUserRole {
     } else {
         # Check table storage cache (persistent cache)
         try {
+            $swTableLookup = [System.Diagnostics.Stopwatch]::StartNew()
             $Table = Get-CippTable -TableName cacheAccessUserRoles
             $Filter = "PartitionKey eq 'AccessUser' and RowKey eq '$($User.userDetails)' and Timestamp ge datetime'$((Get-Date).AddMinutes(-15).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ'))'"
             $UserRole = Get-CIPPAzDataTableEntity @Table -Filter $Filter
+            $swTableLookup.Stop()
+            $UserRoleTimings['TableLookup'] = $swTableLookup.Elapsed.TotalMilliseconds
         } catch {
             Write-Information "Could not access cached user roles table. $($_.Exception.Message)"
             $UserRole = $null
@@ -44,29 +50,47 @@ function Test-CIPPAccessUserRole {
             }
         } else {
             try {
+                $swGraphMemberships = [System.Diagnostics.Stopwatch]::StartNew()
                 $uri = "https://graph.microsoft.com/beta/users/$($User.userDetails)/transitiveMemberOf"
                 $Memberships = New-GraphGetRequest -uri $uri -NoAuthCheck $true -AsApp $true | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' }
+                $swGraphMemberships.Stop()
+                $UserRoleTimings['GraphMemberships'] = $swGraphMemberships.Elapsed.TotalMilliseconds
                 if ($Memberships) {
                     Write-Information "Found group memberships for $($User.userDetails)"
                 } else {
                     Write-Information "No group memberships found for $($User.userDetails)"
                 }
             } catch {
                 Write-Information "Could not get user roles for $($User.userDetails). $($_.Exception.Message)"
+                $UserRoleTotalSw.Stop()
+                $UserRoleTimings['Total'] = $UserRoleTotalSw.Elapsed.TotalMilliseconds
+                $timingsRounded = [ordered]@{}
+                foreach ($Key in ($UserRoleTimings.Keys | Sort-Object)) { $timingsRounded[$Key] = [math]::Round($UserRoleTimings[$Key], 2) }
+                Write-Information "#### UserRole Timings #### $($timingsRounded | ConvertTo-Json -Compress)"
                 return $User
             }
 
+            $swAccessGroups = [System.Diagnostics.Stopwatch]::StartNew()
             $AccessGroupsTable = Get-CippTable -TableName AccessRoleGroups
             $AccessGroups = Get-CIPPAzDataTableEntity @AccessGroupsTable -Filter "PartitionKey eq 'AccessRoleGroups'"
+            $swAccessGroups.Stop()
+            $UserRoleTimings['AccessGroupsFetch'] = $swAccessGroups.Elapsed.TotalMilliseconds
+
+            $swCustomRoles = [System.Diagnostics.Stopwatch]::StartNew()
             $CustomRolesTable = Get-CippTable -TableName CustomRoles
             $CustomRoles = Get-CIPPAzDataTableEntity @CustomRolesTable -Filter "PartitionKey eq 'CustomRoles'"
+            $swCustomRoles.Stop()
+            $UserRoleTimings['CustomRolesFetch'] = $swCustomRoles.Elapsed.TotalMilliseconds
             $BaseRoles = @('superadmin', 'admin', 'editor', 'readonly')
 
+            $swDeriveRoles = [System.Diagnostics.Stopwatch]::StartNew()
             $Roles = foreach ($AccessGroup in $AccessGroups) {
                 if ($Memberships.id -contains $AccessGroup.GroupId -and ($CustomRoles.RowKey -contains $AccessGroup.RowKey -or $BaseRoles -contains $AccessGroup.RowKey)) {
                     $AccessGroup.RowKey
                 }
             }
+            $swDeriveRoles.Stop()
+            $UserRoleTimings['DeriveRoles'] = $swDeriveRoles.Elapsed.TotalMilliseconds
 
             $Roles = @($Roles) + @($User.userRoles)
 
@@ -76,12 +100,15 @@ function Test-CIPPAccessUserRole {
 
             if (($Roles | Measure-Object).Count -gt 2) {
                 try {
+                    $swCacheWrite = [System.Diagnostics.Stopwatch]::StartNew()
                     $UserRole = [PSCustomObject]@{
                         PartitionKey = 'AccessUser'
                         RowKey       = [string]$User.userDetails
                         Role         = [string](ConvertTo-Json -Compress -InputObject $Roles)
                     }
                     Add-CIPPAzDataTableEntity @Table -Entity $UserRole -Force
+                    $swCacheWrite.Stop()
+                    $UserRoleTimings['TableWrite'] = $swCacheWrite.Elapsed.TotalMilliseconds
                 } catch {
                     Write-Information "Could not cache user roles for $($User.userDetails). $($_.Exception.Message)"
                 }
@@ -95,5 +122,12 @@ function Test-CIPPAccessUserRole {
     }
     $User.userRoles = $Roles
 
+    # Log timings summary
+    $UserRoleTotalSw.Stop()
+    $UserRoleTimings['Total'] = $UserRoleTotalSw.Elapsed.TotalMilliseconds
+    $timingsRounded = [ordered]@{}
+    foreach ($Key in ($UserRoleTimings.Keys | Sort-Object)) { $timingsRounded[$Key] = [math]::Round($UserRoleTimings[$Key], 2) }
+    Write-Information "#### UserRole Timings #### $($timingsRounded | ConvertTo-Json -Compress)"
+
     return $User
 }
