
Commit ef6aa46

committed
tenant group support in cipp roles
1 parent d1d0d5c commit ef6aa46


5 files changed

+143
-34
lines changed


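--- a/Modules/CIPPCore/Public/Authentication/Get-CIPPHttpFunctions.ps1
+++ b/Modules/CIPPCore/Public/Authentication/Get-CIPPHttpFunctions.ps1
@@ -1,5 +1,5 @@
 function Get-CIPPHttpFunctions {
-Param(
+param(
 [switch]$ByRole,
 [switch]$ByRoleGroup
 )
@@ -8,7 +8,7 @@ function Get-CIPPHttpFunctions {
 $Functions = Get-Command -Module CIPPCore | Where-Object { $_.Visibility -eq 'Public' -and $_.Name -match 'Invoke-*' }
 $Results = foreach ($Function in $Functions) {
 $Help = Get-Help $Function
-if ($Help.Functionality -ne 'Entrypoint') { continue }
+if ($Help.Functionality -notmatch 'Entrypoint') { continue }
 if ($Help.Role -eq 'Public') { continue }
 [PSCustomObject]@{
 Function = $Function.Name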

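--- a/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
+++ b/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
@@ -8,9 +8,13 @@ function Test-CIPPAccess {
 # Get function help
 $FunctionName = 'Invoke-{0}' -f $Request.Params.CIPPEndpoint
 
-try {
-$Help = Get-Help $FunctionName -ErrorAction Stop
-} catch {}
+if ($FunctionName -ne 'Invoke-me') {
+try {
+$Help = Get-Help $FunctionName -ErrorAction Stop
+} catch {
+Write-Warning "Function '$FunctionName' not found"
+}
+}
 
 # Check help for role
 $APIRole = $Help.Role
@@ -189,10 +193,39 @@ function Test-CIPPAccess {
 if ((($Permission.AllowedTenants | Measure-Object).Count -eq 0 -or $Permission.AllowedTenants -contains 'AllTenants') -and (($Permission.BlockedTenants | Measure-Object).Count -eq 0)) {
 @('AllTenants')
 } else {
-if ($Permission.AllowedTenants -contains 'AllTenants') {
-$Permission.AllowedTenants = $Tenants.customerId
+# Expand tenant groups to individual tenant IDs
+$ExpandedAllowedTenants = foreach ($AllowedItem in $Permission.AllowedTenants) {
+if ($AllowedItem -is [PSCustomObject] -and $AllowedItem.type -eq 'Group') {
+try {
+$GroupMembers = Expand-CIPPTenantGroups -TenantFilter @($AllowedItem)
+$GroupMembers | ForEach-Object { $_.addedFields.customerId }
+} catch {
+Write-Warning "Failed to expand tenant group '$($AllowedItem.label)': $($_.Exception.Message)"
+@()
+}
+} else {
+$AllowedItem
+}
+}
+
+$ExpandedBlockedTenants = foreach ($BlockedItem in $Permission.BlockedTenants) {
+if ($BlockedItem -is [PSCustomObject] -and $BlockedItem.type -eq 'Group') {
+try {
+$GroupMembers = Expand-CIPPTenantGroups -TenantFilter @($BlockedItem)
+$GroupMembers | ForEach-Object { $_.addedFields.customerId }
+} catch {
+Write-Warning "Failed to expand blocked tenant group '$($BlockedItem.label)': $($_.Exception.Message)"
+@()
+}
+} else {
+$BlockedItem
+}
+}
+
+if ($ExpandedAllowedTenants -contains 'AllTenants') {
+$ExpandedAllowedTenants = $Tenants.customerId
 }
-$Permission.AllowedTenants | Where-Object { $Permission.BlockedTenants -notcontains $_ }
+$ExpandedAllowedTenants | Where-Object { $ExpandedBlockedTenants -notcontains $_ }
 }
 }
 return $LimitedTenantList
@@ -217,13 +250,45 @@ function Test-CIPPAccess {
 $TenantAllowed = $false
 } else {
 $Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId
-if ($Role.AllowedTenants -contains 'AllTenants') {
+
+# Expand allowed tenant groups to individual tenant IDs
+$ExpandedAllowedTenants = foreach ($AllowedItem in $Role.AllowedTenants) {
+if ($AllowedItem -is [PSCustomObject] -and $AllowedItem.type -eq 'Group') {
+try {
+$GroupMembers = Expand-CIPPTenantGroups -TenantFilter @($AllowedItem)
+$GroupMembers | ForEach-Object { $_.addedFields.customerId }
+} catch {
+Write-Warning "Failed to expand allowed tenant group '$($AllowedItem.label)': $($_.Exception.Message)"
+@()
+}
+} else {
+$AllowedItem
+}
+}
+
+# Expand blocked tenant groups to individual tenant IDs
+$ExpandedBlockedTenants = foreach ($BlockedItem in $Role.BlockedTenants) {
+if ($BlockedItem -is [PSCustomObject] -and $BlockedItem.type -eq 'Group') {
+try {
+$GroupMembers = Expand-CIPPTenantGroups -TenantFilter @($BlockedItem)
+$GroupMembers | ForEach-Object { $_.addedFields.customerId }
+} catch {
+Write-Warning "Failed to expand blocked tenant group '$($BlockedItem.label)': $($_.Exception.Message)"
+@()
+}
+} else {
+$BlockedItem
+}
+}
+
+if ($ExpandedAllowedTenants -contains 'AllTenants') {
 $AllowedTenants = $Tenants.customerId
 } else {
-$AllowedTenants = $Role.AllowedTenants
+$AllowedTenants = $ExpandedAllowedTenants
 }
+
 if ($Tenant) {
-$TenantAllowed = $AllowedTenants -contains $Tenant -and $Role.BlockedTenants -notcontains $Tenant
+$TenantAllowed = $AllowedTenants -contains $Tenant -and $ExpandedBlockedTenants -notcontains $Tenant
 if (!$TenantAllowed) { continue }
 break
 } else {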
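Review bot: In both `$ExpandedBlockedTenants` loops (the second and third hunks) a failed `Expand-CIPPTenantGroups` call is only logged and replaced with `@()`, so a blocked group that cannot be resolved stops blocking anything — the deny list fails open while the allow list, which loses members on the same error, fails closed. The blocked-side catch should propagate the error instead of swallowing it, e.g. `Write-Warning "Failed to expand blocked tenant group '$($BlockedItem.label)': $($_.Exception.Message)"; throw`, so access stays denied until the group can be expanded. The same expansion block is also pasted four times in this function; a small helper with a fail-closed switch, sketched below, keeps the allowed and blocked sides consistent and makes the policy explicit. Test-CIPPAccess starts and ends outside these hunks.
```powershell
function Expand-RoleTenantEntries {
    # Expands 'Group' entries to member customerIds; plain tenant entries pass through.
    # -FailClosed rethrows on expansion failure so a deny list is never silently emptied.
    param([array]$Entries, [switch]$FailClosed)
    foreach ($Item in $Entries) {
        if ($Item -is [PSCustomObject] -and $Item.type -eq 'Group') {
            try {
                Expand-CIPPTenantGroups -TenantFilter @($Item) | ForEach-Object { $_.addedFields.customerId }
            } catch {
                Write-Warning "Failed to expand tenant group '$($Item.label)': $($_.Exception.Message)"
                if ($FailClosed) { throw }
                @()
            }
        } else {
            $Item
        }
    }
}
# … unchanged: callers replace the inline loops with
#   $ExpandedAllowedTenants = Expand-RoleTenantEntries -Entries $Permission.AllowedTenants
#   $ExpandedBlockedTenants = Expand-RoleTenantEntries -Entries $Permission.BlockedTenants -FailClosed
```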

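--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1
@@ -7,7 +7,7 @@ function Invoke-ExecTenantGroup {
 .FUNCTIONALITY
 Entrypoint,AnyTenant
 .ROLE
-TenantGroups.Config.ReadWrite
+Tenant.Groups.ReadWrite
 #>
 [CmdletBinding()]
 param($Request, $TriggerMetadata)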
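Review bot: The `.ROLE` value changes from `TenantGroups.Config.ReadWrite` to `Tenant.Groups.ReadWrite` with nothing else in the commit rewriting stored role definitions. If custom roles persist the permission name as a string, as Invoke-ListCustomRole's handling of stored AllowedTenants suggests they do for other fields, any role granted the old name silently stops matching this endpoint — fail-closed, but unannounced to operators. Either migrate the old name where roles are loaded or call out the rename in the release notes so affected roles can be re-granted. Invoke-ExecTenantGroup's body continues outside the hunk.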

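--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ListCustomRole.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ListCustomRole.ps1
@@ -49,9 +49,31 @@ function Invoke-ListCustomRole {
 if ($Role.AllowedTenants) {
 try {
 $AllowedTenants = $Role.AllowedTenants | ConvertFrom-Json -ErrorAction Stop | ForEach-Object {
-$TenantId = $_
-$TenantList | Where-Object { $_.customerId -eq $TenantId } | Select-Object -ExpandProperty defaultDomainName
-}
+if ($_ -is [PSCustomObject] -and $_.type -eq 'Group') {
+# Return group objects as-is for frontend display
+[PSCustomObject]@{
+type = 'Group'
+value = $_.value
+label = $_.label
+}
+} else {
+# Convert tenant customer ID to domain name object for frontend
+$TenantId = $_
+$TenantInfo = $TenantList | Where-Object { $_.customerId -eq $TenantId }
+if ($TenantInfo) {
+[PSCustomObject]@{
+type = 'Tenant'
+value = $TenantInfo.defaultDomainName
+label = "$($TenantInfo.displayName) ($($TenantInfo.defaultDomainName))"
+addedFields = @{
+defaultDomainName = $TenantInfo.defaultDomainName
+displayName = $TenantInfo.displayName
+customerId = $TenantInfo.customerId
+}
+}
+}
+}
+} | Where-Object { $_ -ne $null }
 $AllowedTenants = $AllowedTenants ?? @('AllTenants')
 $Role.AllowedTenants = @($AllowedTenants)
 } catch {
@@ -63,9 +85,31 @@ function Invoke-ListCustomRole {
 if ($Role.BlockedTenants) {
 try {
 $BlockedTenants = $Role.BlockedTenants | ConvertFrom-Json -ErrorAction Stop | ForEach-Object {
-$TenantId = $_
-$TenantList | Where-Object { $_.customerId -eq $TenantId } | Select-Object -ExpandProperty defaultDomainName
-}
+if ($_ -is [PSCustomObject] -and $_.type -eq 'Group') {
+# Return group objects as-is for frontend display
+[PSCustomObject]@{
+type = 'Group'
+value = $_.value
+label = $_.label
+}
+} else {
+# Convert tenant customer ID to domain name object for frontend
+$TenantId = $_
+$TenantInfo = $TenantList | Where-Object { $_.customerId -eq $TenantId }
+if ($TenantInfo) {
+[PSCustomObject]@{
+type = 'Tenant'
+value = $TenantInfo.defaultDomainName
+label = "$($TenantInfo.displayName) ($($TenantInfo.defaultDomainName))"
+addedFields = @{
+defaultDomainName = $TenantInfo.defaultDomainName
+displayName = $TenantInfo.displayName
+customerId = $TenantInfo.customerId
+}
+}
+}
+}
+} | Where-Object { $_ -ne $null }
 $BlockedTenants = $BlockedTenants ?? @()
 $Role.BlockedTenants = @($BlockedTenants)
 } catch {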
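Review bot: The 25-line projection inside `ForEach-Object` is duplicated verbatim between the AllowedTenants and BlockedTenants hunks; defining it once as a script block, `$ToTenantEntry = { ... }`, and passing it to both `ForEach-Object -Process $ToTenantEntry` calls keeps the shape the frontend consumes in one place. Separately, an ID that is not in `$TenantList` is dropped by the `if ($TenantInfo)` guard with no trace, so a stale or deleted tenant vanishes from the role view; a `Write-Warning "Tenant '$TenantId' not found in tenant list"` in the implicit else makes that visible. Invoke-ListCustomRole starts and ends outside these hunks.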

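--- a/Modules/CIPPCore/Public/Functions/Get-TenantGroups.ps1
+++ b/Modules/CIPPCore/Public/Functions/Get-TenantGroups.ps1
@@ -30,9 +30,9 @@ function Get-TenantGroups {
 }
 $Tenants = Get-Tenants @TenantParams
 
-if ($GroupFilter) {
-$Groups = Get-CIPPAzDataTableEntity @GroupTable -Filter "RowKey eq '$GroupFilter'"
-$AllMembers = Get-CIPPAzDataTableEntity @MembersTable -Filter "GroupId eq '$GroupFilter'"
+if ($GroupId) {
+$Groups = Get-CIPPAzDataTableEntity @GroupTable -Filter "RowKey eq '$GroupId'"
+$AllMembers = Get-CIPPAzDataTableEntity @MembersTable -Filter "GroupId eq '$GroupId'"
 } else {
 $Groups = Get-CIPPAzDataTableEntity @GroupTable
 $AllMembers = Get-CIPPAzDataTableEntity @MembersTable
@@ -49,10 +49,10 @@ function Get-TenantGroups {
 $Group = $Groups | Where-Object { $_.RowKey -eq $Group.GroupId }
 if ($Group) {
 $Results.Add([PSCustomObject]@{
-Id = $Group.RowKey
-Name = $Group.Name
-Description = $Group.Description
-})
+Id = $Group.RowKey
+Name = $Group.Name
+Description = $Group.Description
+})
 }
 }
 return $Results | Sort-Object Name
@@ -66,22 +66,22 @@ function Get-TenantGroups {
 $Tenant = $Tenants | Where-Object { $Member.customerId -eq $_.customerId }
 if ($Tenant) {
 $MembersList.Add(@{
-customerId = $Tenant.customerId
-displayName = $Tenant.displayName
-defaultDomainName = $Tenant.defaultDomainName
-})
+customerId = $Tenant.customerId
+displayName = $Tenant.displayName
+defaultDomainName = $Tenant.defaultDomainName
+})
 }
 }
 $SortedMembers = $MembersList | Sort-Object displayName
 } else {
 $SortedMembers = @()
 }
 $Results.Add([PSCustomObject]@{
-Id = $Group.RowKey
-Name = $Group.Name
-Description = $Group.Description
-Members = @($SortedMembers)
-})
+Id = $Group.RowKey
+Name = $Group.Name
+Description = $Group.Description
+Members = @($SortedMembers)
+})
 }
 return $Results | Sort-Object Name
 }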
