Merge pull request #641 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

CIPPTimers.json

@@ -231,5 +231,14 @@
     "Priority": 22,
     "RunOnProcessor": true,
     "IsSystem": true
+  },
+  {
+    "Id": "1f2e3d4c-5b6a-7c8d-9e0f-1a2b3c4d5e6f",
+    "Command": "Start-TestsOrchestrator",
+    "Description": "Timer to run security and compliance tests against cached data",
+    "Cron": "0 0 4 * * *",
+    "Priority": 23,
+    "RunOnProcessor": true,
+    "IsSystem": true
   }
 ]

Modules/CIPPCore/Public/Add-CIPPDbItem.ps1

@@ -62,14 +62,8 @@ function Add-CIPPDbItem {
                     Type         = $Type
                 }
             }
+            Add-CIPPAzDataTableEntity @Table -Entity $Entities -Force | Out-Null
 
-            $BatchSize = 1000
-            for ($i = 0; $i -lt $Entities.Count; $i += $BatchSize) {
-                $Batch = $Entities[$i..([Math]::Min($i + $BatchSize - 1, $Entities.Count - 1))]
-                foreach ($Entity in $Batch) {
-                    Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force | Out-Null
-                }
-            }
         }
 
         Write-LogMessage -API 'CIPPDbItem' -tenant $TenantFilter -message "Added $($Data.Count) items of type $Type$(if ($Count) { ' (count mode)' })" -sev Info

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1

@@ -58,6 +58,10 @@ function Push-CIPPDBCacheData {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "AdminConsentRequestPolicy collection failed: $($_.Exception.Message)" -sev Error
         }
 
+        try { Set-CIPPDBCacheAuthorizationPolicy -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "AuthorizationPolicy collection failed: $($_.Exception.Message)" -sev Error
+        }
+
         try { Set-CIPPDBCacheDeviceSettings -TenantFilter $TenantFilter } catch {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "DeviceSettings collection failed: $($_.Exception.Message)" -sev Error
         }

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Tests/Push-CIPPTest.ps1

@@ -0,0 +1,30 @@
+function Push-CIPPTest {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    param(
+        $Item
+    )
+
+    $TenantFilter = $Item.TenantFilter
+    $TestId = $Item.TestId
+
+    Write-Information "Running test $TestId for tenant $TenantFilter"
+
+    try {
+        $FunctionName = "Invoke-CippTest$TestId"
+
+        if (-not (Get-Command $FunctionName -ErrorAction SilentlyContinue)) {
+            Write-LogMessage -API 'Tests' -tenant $TenantFilter -message "Test function not found: $FunctionName" -sev Error
+            return
+        }
+
+        Write-Information "Executing $FunctionName for $TenantFilter"
+        & $FunctionName -Tenant $TenantFilter
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $TenantFilter -message "Failed to run test $TestId $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+    }
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Tests/Invoke-CIPPTestsRun.ps1

@@ -0,0 +1,78 @@
+function Invoke-CIPPTestsRun {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Tenant.Tests.Read
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $false)]
+        [string]$TenantFilter = 'allTenants'
+    )
+
+    Write-Information "Starting tests run for tenant: $TenantFilter"
+
+    try {
+        $AllTests = Get-Command -Name 'Invoke-CippTest*' -Module CIPPCore | Select-Object -ExpandProperty Name | ForEach-Object {
+            $_ -replace '^Invoke-CippTest', ''
+        }
+
+        if ($AllTests.Count -eq 0) {
+            Write-LogMessage -API 'Tests' -message 'No test functions found.' -sev Error
+            return
+        }
+
+        Write-Information "Found $($AllTests.Count) test functions to run"
+        $AllTenantsList = if ($TenantFilter -eq 'allTenants') {
+            $DbCounts = Get-CIPPDbItem -CountsOnly
+            $TenantsWithData = $DbCounts | Where-Object { $_.Count -gt 0 } | Select-Object -ExpandProperty PartitionKey -Unique
+            Write-Information "Found $($TenantsWithData.Count) tenants with data in database"
+            $TenantsWithData
+        } else {
+            $DbCounts = Get-CIPPDbItem -TenantFilter $TenantFilter -CountsOnly
+            if (($DbCounts | Measure-Object -Property Count -Sum).Sum -gt 0) {
+                @($TenantFilter)
+            } else {
+                Write-LogMessage -API 'Tests' -tenant $TenantFilter -message 'Tenant has no data in database. Skipping tests.' -sev Info
+                @()
+            }
+        }
+
+        if ($AllTenantsList.Count -eq 0) {
+            Write-LogMessage -API 'Tests' -message 'No tenants with data found. Exiting.' -sev Info
+            return
+        }
+
+        # Build batch: all tests for all tenants
+        $Batch = foreach ($Tenant in $AllTenantsList) {
+            foreach ($Test in $AllTests) {
+                @{
+                    FunctionName = 'CIPPTest'
+                    TenantFilter = $Tenant
+                    TestId       = $Test
+                }
+            }
+        }
+
+        Write-Information "Built batch of $($Batch.Count) test activities ($($AllTests.Count) tests × $($AllTenantsList.Count) tenants)"
+
+        $InputObject = [PSCustomObject]@{
+            OrchestratorName = 'TestsRun'
+            Batch            = @($Batch)
+            SkipLog          = $true
+        }
+
+        $InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
+        Write-Information "Started tests orchestration with ID = '$InstanceId'"
+
+        return @{
+            InstanceId = $InstanceId
+            Message    = "Tests orchestration started: $($AllTests.Count) tests for $($AllTenantsList.Count) tenants"
+        }
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -message "Failed to start tests orchestration: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        throw
+    }
+}

Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-TestsOrchestrator.ps1

@@ -0,0 +1,16 @@
+function Start-TestsOrchestrator {
+    <#
+    .SYNOPSIS
+    Start the Tests Orchestrator
+
+    .FUNCTIONALITY
+    Entrypoint
+    #>
+    [CmdletBinding(SupportsShouldProcess = $true)]
+    param()
+
+    if ($PSCmdlet.ShouldProcess('Start-TestsOrchestrator', 'Starting Tests Orchestrator')) {
+        Write-LogMessage -API 'Tests' -message 'Starting Tests Schedule' -sev Info
+        Invoke-CIPPTestsRun -TenantFilter 'allTenants'
+    }
+}

Modules/CIPPCore/Public/Set-CIPPDBCacheAuthorizationPolicy.ps1

@@ -0,0 +1,26 @@
+function Set-CIPPDBCacheAuthorizationPolicy {
+    <#
+    .SYNOPSIS
+        Caches authorization policy for a tenant
+
+    .PARAMETER TenantFilter
+        The tenant to cache authorization policy for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching authorization policy' -sev Info
+        $AuthPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy' -tenantid $TenantFilter
+        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthorizationPolicy' -Data @($AuthPolicy)
+        $AuthPolicy = $null
+
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached authorization policy successfully' -sev Info
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Failed to cache authorization policy: $($_.Exception.Message)" -sev Error
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21776.ps1

@@ -0,0 +1,29 @@
+function Invoke-CippTestZTNA21776 {
+    param($Tenant)
+
+    try {
+        $AuthPolicy = New-CIPPDbRequest -TenantFilter $Tenant -Type 'AuthorizationPolicy'
+        if (-not $AuthPolicy) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21776' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Authorization policy not found in database' -Risk 'High' -Name 'User consent settings are restricted' -UserImpact 'High' -ImplementationEffort 'Medium' -Category 'Application Management'
+            return
+        }
+
+        $Matched = $AuthPolicy | Where-Object { $_.defaultUserRolePermissions.permissionGrantPoliciesAssigned -match '^ManagePermissionGrantsForSelf' }
+        $NoMatch = $Matched.Count -eq 0
+        $LowImpact = $Matched.defaultUserRolePermissions.permissionGrantPoliciesAssigned -contains 'managePermissionGrantsForSelf.microsoft-user-default-low'
+
+        if ($NoMatch -or $LowImpact) {
+            $Status = 'Passed'
+            $Result = if ($NoMatch) { 'User consent is disabled' } else { 'User consent restricted to verified publishers and low-impact permissions' }
+        } else {
+            $Status = 'Failed'
+            $Result = 'Users can consent to any application'
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21776' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'High' -Name 'User consent settings are restricted' -UserImpact 'High' -ImplementationEffort 'Medium' -Category 'Application Management'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21776' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'User consent settings are restricted' -UserImpact 'High' -ImplementationEffort 'Medium' -Category 'Application Management'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21808.ps1

@@ -0,0 +1,41 @@
+function Invoke-CippTestZTNA21808 {
+    param($Tenant)
+
+    try {
+        $CAPolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ConditionalAccessPolicies'
+        if (-not $CAPolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21808' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Conditional Access policies not found in database' -Risk 'High' -Name 'Restrict device code flow' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Access Control'
+            return
+        }
+
+        $Enabled = $CAPolicies | Where-Object { $_.state -eq 'enabled' }
+        $DeviceCodePolicies = $Enabled | Where-Object {
+            if ($_.conditions.authenticationFlows.transferMethods) {
+                $Methods = $_.conditions.authenticationFlows.transferMethods -split ','
+                $Methods -contains 'deviceCodeFlow'
+            } else {
+                $false
+            }
+        }
+
+        $BlockPolicies = $DeviceCodePolicies | Where-Object { $_.grantControls.builtInControls -contains 'block' }
+
+        if ($BlockPolicies.Count -gt 0) {
+            $Status = 'Passed'
+            $Result = "Device code flow is properly restricted with $($BlockPolicies.Count) blocking policy/policies"
+        } elseif ($DeviceCodePolicies.Count -eq 0) {
+            $Status = 'Failed'
+            $Result = 'No Conditional Access policies found targeting device code flow'
+            #Add table with existing policies?
+        } else {
+            $Status = 'Failed'
+            $Result = 'Device code flow policies exist but none are configured to block'
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21808' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'High' -Name 'Restrict device code flow' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Access Control'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21808' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Restrict device code flow' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Access Control'
+    }
+}