Merge branch 'dev' of https://github.com/KelvinTegelaar/CIPP-API into dev

Author: JohnDuprey

.github/workflows/dev_api.yml

@@ -25,6 +25,67 @@ jobs:
         uses: actions/checkout@v4
         with:
           persist-credentials: false
+    
+      - name: Setup PowerShell module cache
+        id: cacher
+        uses: actions/cache@v3
+        with:
+          path: "~/.local/share/powershell/Modules"
+          key: ${{ runner.os }}-ModuleBuilder
+
+      - name: Install ModuleBuilder
+        if: steps.cacher.outputs.cache-hit != 'true'
+        shell: pwsh
+        run: |
+          Set-PSRepository PSGallery -InstallationPolicy Trusted
+          Install-Module ModuleBuilder -AllowClobber -Force
+
+      - name: Build CIPPCore Module
+        shell: pwsh
+        run: |
+          $ModulePath = Join-Path $env:GITHUB_WORKSPACE "Modules/CIPPCore"
+          $OutputPath = Join-Path $env:GITHUB_WORKSPACE "Output"
+
+          Write-Host "Building module from: $ModulePath"
+          Write-Host "Output directory: $OutputPath"
+
+          # Generate function permissions before replacing the source module
+          $ToolsPath = Join-Path $env:GITHUB_WORKSPACE "Tools"
+          $ScriptPath = Join-Path $ToolsPath "Build-FunctionPermissions.ps1"
+          pwsh -File $ScriptPath -ModulePath $ModulePath
+
+          # Build the module using ModuleBuilder
+          Build-Module -SourcePath $ModulePath -OutputDirectory $OutputPath -Verbose
+
+          # Replace the source module with the built module
+          Remove-Item -Path $ModulePath -Recurse -Force
+          Copy-Item -Path (Join-Path $OutputPath "CIPPCore") -Destination $ModulePath -Recurse -Force
+
+          Write-Host "Module built and replaced successfully"
+
+          # Clean up output directory
+          Remove-Item -Path $OutputPath -Recurse -Force
+
+      - name: Build CippExtensions Module
+        shell: pwsh
+        run: |
+          $ModulePath = Join-Path $env:GITHUB_WORKSPACE "Modules/CippExtensions"
+          $OutputPath = Join-Path $env:GITHUB_WORKSPACE "Output"
+
+          Write-Host "Building module from: $ModulePath"
+          Write-Host "Output directory: $OutputPath"
+
+          # Build the module using ModuleBuilder
+          Build-Module -SourcePath $ModulePath -OutputDirectory $OutputPath -Verbose
+
+          # Replace the source module with the built module
+          Remove-Item -Path $ModulePath -Recurse -Force
+          Copy-Item -Path (Join-Path $OutputPath "CippExtensions") -Destination $ModulePath -Recurse -Force
+
+          Write-Host "Module built and replaced successfully"
+
+          # Clean up output directory
+          Remove-Item -Path $OutputPath -Recurse -Force
 
       - name: Login to Azure
         uses: azure/login@v2

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

@@ -12,20 +12,50 @@ function Test-CIPPAccess {
     # Get function help
     $FunctionName = 'Invoke-{0}' -f $Request.Params.CIPPEndpoint
 
+    $SwPermissions = [System.Diagnostics.Stopwatch]::StartNew()
+    if (-not $global:CIPPFunctionPermissions) {
+        $CIPPCoreModule = Get-Module -Name CIPPCore
+        if ($CIPPCoreModule) {
+            $PermissionsFileJson = Join-Path $CIPPCoreModule.ModuleBase 'lib' 'data' 'function-permissions.json'
+            
+            if (Test-Path $PermissionsFileJson) {
+                try {
+                    $jsonData = Get-Content -Path $PermissionsFileJson -Raw | ConvertFrom-Json -AsHashtable
+                    $global:CIPPFunctionPermissions = [System.Collections.Hashtable]::new([StringComparer]::OrdinalIgnoreCase)
+                    foreach ($key in $jsonData.Keys) {
+                        $global:CIPPFunctionPermissions[$key] = $jsonData[$key]
+                    }
+                    Write-Information "Loaded $($global:CIPPFunctionPermissions.Count) function permissions from JSON cache"
+                } catch {
+                    Write-Warning "Failed to load function permissions from JSON: $($_.Exception.Message)"
+                }
+            }
+        }
+    }
+    $SwPermissions.Stop()
+    $AccessTimings['FunctionPermissions'] = $SwPermissions.Elapsed.TotalMilliseconds
+
     if ($FunctionName -ne 'Invoke-me') {
         $swHelp = [System.Diagnostics.Stopwatch]::StartNew()
-        try {
-            $Help = Get-Help $FunctionName -ErrorAction Stop
-        } catch {
-            Write-Warning "Function '$FunctionName' not found"
+        if ($global:CIPPFunctionPermissions -and $global:CIPPFunctionPermissions.ContainsKey($FunctionName)) {
+            $PermissionData = $global:CIPPFunctionPermissions[$FunctionName]
+            $APIRole = $PermissionData['Role']
+            $Functionality = $PermissionData['Functionality']
+            Write-Information "Loaded function permission data from cache for '$FunctionName': Role='$APIRole', Functionality='$Functionality'"
+        } else {
+            try {
+                $Help = Get-Help $FunctionName -ErrorAction Stop
+                $APIRole = $Help.Role
+                $Functionality = $Help.Functionality
+                Write-Information "Loaded function permission data via Get-Help for '$FunctionName': Role='$APIRole', Functionality='$Functionality'"
+            } catch {
+                Write-Warning "Function '$FunctionName' not found"
+            }
         }
         $swHelp.Stop()
         $AccessTimings['GetHelp'] = $swHelp.Elapsed.TotalMilliseconds
     }
 
-    # Check help for role
-    $APIRole = $Help.Role
-
     # Get default roles from config
     $swRolesLoad = [System.Diagnostics.Stopwatch]::StartNew()
     $CIPPCoreModuleRoot = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
@@ -367,7 +397,7 @@ function Test-CIPPAccess {
                 if (!$APIAllowed) {
                     throw "Access to this CIPP API endpoint is not allowed, you do not have the required permission: $APIRole"
                 }
-                if (!$TenantAllowed -and $Help.Functionality -notmatch 'AnyTenant') {
+                if (!$TenantAllowed -and $Functionality -notmatch 'AnyTenant') {
                     throw 'Access to this tenant is not allowed'
                 } else {
                     return $true
@@ -405,12 +435,12 @@ function Test-CIPPAccess {
                 }
             }
 
-            if (!$TenantAllowed -and $Help.Functionality -notmatch 'AnyTenant') {
+            if (!$TenantAllowed -and $Functionality -notmatch 'AnyTenant') {
 
                 if (!$APIAllowed) {
                     throw "Access to this CIPP API endpoint is not allowed, you do not have the required permission: $APIRole"
                 }
-                if (!$TenantAllowed -and $Help.Functionality -notmatch 'AnyTenant') {
+                if (!$TenantAllowed -and $Functionality -notmatch 'AnyTenant') {
                     Write-Information "Tenant not allowed: $TenantFilter"
 
                     throw 'Access to this tenant is not allowed'

Tools/Build-FunctionPermissions.ps1

@@ -0,0 +1,87 @@
+param(
+    [string]$ModulePath = (Join-Path $PSScriptRoot '..' 'Modules' 'CIPPCore'),
+    [string]$OutputPath,
+    [string]$ModuleName
+)
+
+$ErrorActionPreference = 'Stop'
+
+function Resolve-ModuleImportPath {
+    param(
+        [Parameter(Mandatory = $true)][string]$Root,
+        [Parameter(Mandatory = $true)][string]$Name
+    )
+
+    $psd1 = Join-Path $Root "$Name.psd1"
+    if (Test-Path $psd1) { return $psd1 }
+
+    $psm1 = Join-Path $Root "$Name.psm1"
+    if (Test-Path $psm1) { return $psm1 }
+
+    throw "Module files not found for '$Name' in '$Root'. Expected $Name.psd1 or $Name.psm1."
+}
+
+function Get-HelpProperty {
+    param(
+        [Parameter(Mandatory = $true)]$HelpObject,
+        [Parameter(Mandatory = $true)][string]$PropertyName
+    )
+
+    $property = $HelpObject.PSObject.Properties[$PropertyName]
+    if ($property) { return $property.Value }
+    return ''
+}
+
+# Resolve defaults
+if (-not (Test-Path -Path $ModulePath)) {
+    throw "ModulePath '$ModulePath' not found. Provide -ModulePath to the module root."
+}
+$ModulePath = (Resolve-Path -Path $ModulePath).ProviderPath
+if (-not $ModuleName) { $ModuleName = (Split-Path -Path $ModulePath -Leaf) }
+if (-not $OutputPath) {
+    $defaultLibData = Join-Path $ModulePath 'lib' 'data' 'function-permissions.json'
+    $OutputPath = if (Test-Path (Split-Path -Parent $defaultLibData)) { $defaultLibData } else { Join-Path $ModulePath 'function-permissions.json' }
+}
+
+# Ensure destination directory exists
+$null = New-Item -ItemType Directory -Path (Split-Path -Parent $OutputPath) -Force
+
+# Import target module so Get-Help can read Role/Functionality metadata
+$ModuleImportPath = Resolve-ModuleImportPath -Root $ModulePath -Name $ModuleName
+$normalizedImportPath = [System.IO.Path]::GetFullPath($ModuleImportPath)
+$loaded = Get-Module -Name $ModuleName | Where-Object { [System.IO.Path]::GetFullPath($_.Path) -eq $normalizedImportPath }
+if (-not $loaded) {
+    Write-Host "Importing module '$ModuleName' from '$ModuleImportPath'"
+    Import-Module -Name $ModuleImportPath -Force -ErrorAction Stop
+} else {
+    Write-Host "Module '$ModuleName' already loaded from '$ModuleImportPath'; reusing existing session copy."
+}
+
+$commands = Get-Command -Module $ModuleName -CommandType Function
+$permissions = [ordered]@{}
+
+foreach ($command in $commands | Sort-Object -Property Name | Select-Object -Unique) {
+    $help = Get-Help -Name $command.Name -ErrorAction SilentlyContinue
+    if ($help) {
+        $role = Get-HelpProperty -HelpObject $help -PropertyName 'Role'
+        $functionality = Get-HelpProperty -HelpObject $help -PropertyName 'Functionality'
+    } else {
+        $role = ''
+        $functionality = ''
+    }
+
+    if ($role -or $functionality) {
+        $permissions[$command.Name] = @{
+            Role          = $role
+            Functionality = $functionality
+        }
+    } else {
+        Write-Host "Skipping $($command.Name): no Role or Functionality metadata found."
+    }
+}
+
+# Depth 3 is sufficient for the flat hashtable of functions -> (Role, Functionality)
+$json = $permissions | ConvertTo-Json -Depth 3
+Set-Content -Path $OutputPath -Value $json -Encoding UTF8
+
+Write-Host "Wrote permissions for $($permissions.Count) functions to $OutputPath"