Merge pull request #323 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertVulnerabilities.ps1

@@ -0,0 +1,65 @@
+function Get-CIPPAlertVulnerabilities {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+
+    try {
+        $VulnerabilityRequest = New-GraphGetRequest -tenantid $TenantFilter -uri "https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine?`$top=999&`$filter=cveId ne null" -scope 'https://api.securitycenter.microsoft.com/.default'
+
+        if ($VulnerabilityRequest) {
+            $AlertData = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+            # Group by CVE ID and create objects for each vulnerability
+            $VulnerabilityGroups = $VulnerabilityRequest | Where-Object { $_.cveId } | Group-Object cveId
+
+            foreach ($Group in $VulnerabilityGroups) {
+                $FirstVuln = $Group.Group | Sort-Object firstSeenTimestamp | Select-Object -First 1
+                $HoursOld = [math]::Round(((Get-Date) - [datetime]$FirstVuln.firstSeenTimestamp).TotalHours)
+
+                # Skip if vulnerability is not old enough
+                if ($HoursOld -lt [int]$InputValue) {
+                    continue
+                }
+
+                $DaysOld = [math]::Round(((Get-Date) - [datetime]$FirstVuln.firstSeenTimestamp).TotalDays)
+                $AffectedDevices = ($Group.Group | Select-Object -ExpandProperty deviceName -Unique) -join ', '
+
+                $VulnerabilityAlert = [PSCustomObject]@{
+                    CVE                  = $Group.Name
+                    Severity             = $FirstVuln.vulnerabilitySeverityLevel
+                    FirstSeenTimestamp   = $FirstVuln.firstSeenTimestamp
+                    LastSeenTimestamp    = $FirstVuln.lastSeenTimestamp
+                    DaysOld              = $DaysOld
+                    HoursOld             = $HoursOld
+                    AffectedDeviceCount  = $Group.Count
+                    AffectedDevices      = $AffectedDevices
+                    SoftwareName         = $FirstVuln.softwareName
+                    SoftwareVendor       = $FirstVuln.softwareVendor
+                    SoftwareVersion      = $FirstVuln.softwareVersion
+                    CVSSScore            = $FirstVuln.cvssScore
+                    ExploitabilityLevel  = $FirstVuln.exploitabilityLevel
+                    RecommendedUpdate    = $FirstVuln.recommendedSecurityUpdate
+                    RecommendedUpdateId  = $FirstVuln.recommendedSecurityUpdateId
+                    RecommendedUpdateUrl = $FirstVuln.recommendedSecurityUpdateUrl
+                    Tenant               = $TenantFilter
+                }
+                $AlertData.Add($VulnerabilityAlert)
+            }
+
+            # Only send alert if we have vulnerabilities that meet the criteria
+            if ($AlertData.Count -gt 0) {
+                Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+            }
+        }
+    } catch {
+        Write-LogMessage -message "Failed to check vulnerabilities: $($_.exception.message)" -API 'Vulnerability Alerts' -tenant $TenantFilter -sev Error
+    }
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecBrandingSettings.ps1

@@ -15,7 +15,7 @@ Function Invoke-ExecBrandingSettings {
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
 
     $StatusCode = [HttpStatusCode]::OK
-    $Results = @{}
+    @{}
 
     try {
         $Table = Get-CIPPTable -TableName Config
@@ -33,9 +33,9 @@ Function Invoke-ExecBrandingSettings {
 
         $Action = if ($Request.Body.Action) { $Request.Body.Action } else { $Request.Query.Action }
 
-        switch ($Action) {
+        $Results = switch ($Action) {
             'Get' {
-                $Results = @{
+                @{
                     colour = $BrandingConfig.colour
                     logo   = $BrandingConfig.logo
                 }
@@ -50,7 +50,7 @@ Function Invoke-ExecBrandingSettings {
                         $Updated = $true
                     } else {
                         $StatusCode = [HttpStatusCode]::BadRequest
-                        $Results = 'Error: Invalid color format. Please use hex format (e.g., #F77F00)'
+                        'Error: Invalid color format. Please use hex format (e.g., #F77F00)'
                     }
                 }
 
@@ -62,18 +62,18 @@ Function Invoke-ExecBrandingSettings {
                             $ImageBytes = [Convert]::FromBase64String($Base64Data)
                             if ($ImageBytes.Length -le 2097152) {
                                 Write-Host 'updating logo'
-                                $BrandingConfig.logo = $Logo
+                                $BrandingConfig | Add-Member -MemberType NoteProperty -Name 'logo' -Value $Logo -Force
                                 $Updated = $true
                             } else {
                                 $StatusCode = [HttpStatusCode]::BadRequest
-                                $Results = 'Error: Image size must be less than 2MB'
+                                'Error: Image size must be less than 2MB'
                             }
                         } catch {
                             $StatusCode = [HttpStatusCode]::BadRequest
-                            $Results = 'Error: Invalid base64 image data'
+                            'Error: Invalid base64 image data: ' + $_.Exception.Message
                         }
                     } elseif ($Logo -eq $null -or $Logo -eq '') {
-                        $BrandingConfig.logo = $null
+                        $BrandingConfig | Add-Member -MemberType NoteProperty -Name 'logo' -Value $null -Force
                         $Updated = $true
                     }
                 }
@@ -84,10 +84,10 @@ Function Invoke-ExecBrandingSettings {
 
                     Add-CIPPAzDataTableEntity @Table -Entity $BrandingConfig -Force | Out-Null
                     Write-LogMessage -API $APIName -tenant 'Global' -headers $Request.Headers -message 'Updated branding settings' -Sev 'Info'
-                    $Results = 'Successfully updated branding settings'
+                    'Successfully updated branding settings'
                 } else {
                     $StatusCode = [HttpStatusCode]::BadRequest
-                    $Results = 'Error: No valid branding data provided'
+                    'Error: No valid branding data provided'
                 }
             }
             'Reset' {
@@ -100,17 +100,17 @@ Function Invoke-ExecBrandingSettings {
 
                 Add-CIPPAzDataTableEntity @Table -Entity $DefaultConfig -Force | Out-Null
                 Write-LogMessage -API $APIName -tenant 'Global' -headers $Request.Headers -message 'Reset branding settings to defaults' -Sev 'Info'
-                $Results = 'Successfully reset branding settings to defaults'
+                'Successfully reset branding settings to defaults'
             }
             default {
                 $StatusCode = [HttpStatusCode]::BadRequest
-                $Results = 'Error: Invalid action specified'
+                'Error: Invalid action specified'
             }
         }
     } catch {
         Write-LogMessage -API $APIName -tenant 'Global' -headers $Request.Headers -message "Branding Settings API failed: $($_.Exception.Message)" -Sev 'Error'
         $StatusCode = [HttpStatusCode]::InternalServerError
-        $Results = "Failed to process branding settings: $($_.Exception.Message)"
+        "Failed to process branding settings: $($_.Exception.Message)"
     }
 
     $body = [pscustomobject]@{'Results' = $Results }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecUpdateRefreshToken.ps1

@@ -20,8 +20,9 @@ Function Invoke-ExecUpdateRefreshToken {
         if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
             $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
             $Secret = Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
+
             if ($env:TenantID -eq $Request.body.tenantId) {
-                $Secret.RefreshToken = $Request.body.RefreshToken
+                $Secret | Add-Member -MemberType NoteProperty -Name 'RefreshToken' -Value $Request.body.refreshtoken -Force
             } else {
                 Write-Host "$($env:TenantID) does not match $($Request.body.tenantId)"
                 $name = $Request.body.tenantId -replace '-', '_'

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ExecModifyCalPerms.ps1

@@ -11,30 +11,30 @@ Function Invoke-ExecModifyCalPerms {
     param($Request, $TriggerMetadata)
 
     $APIName = $Request.Params.CIPPEndpoint
-    Write-LogMessage -headers $Request.Headers -API $APINAME-message 'Accessed this API' -Sev 'Debug'
-    
-    $Username = $request.body.userID
-    $Tenantfilter = $request.body.tenantfilter
-    $Permissions = $request.body.permissions
+    $Headers = $Request.Headers
+    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
 
-    Write-LogMessage -headers $Request.Headers -API $APINAME-message "Processing request for user: $Username, tenant: $Tenantfilter" -Sev 'Debug'
+    $Username = $Request.Body.userID
+    $TenantFilter = $Request.Body.tenantFilter
+    $Permissions = $Request.Body.permissions
 
-    if ($username -eq $null) { 
-        Write-LogMessage -headers $Request.Headers -API $APINAME-message 'Username is null' -Sev 'Error'
+    Write-LogMessage -headers $Headers -API $APIName -message "Processing request for user: $Username, tenant: $TenantFilter" -Sev 'Debug'
+
+    if ($null -eq $Username) {
+        Write-LogMessage -headers $Headers -API $APIName -message 'Username is null' -Sev 'Error'
         $body = [pscustomobject]@{'Results' = @('Username is required') }
         Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
                 StatusCode = [HttpStatusCode]::BadRequest
                 Body       = $Body
             })
         return
     }
-    
+
     try {
-        $userid = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($username)" -tenantid $Tenantfilter).id
-        Write-LogMessage -headers $Request.Headers -API $APINAME-message "Retrieved user ID: $userid" -Sev 'Debug'
-    }
-    catch {
-        Write-LogMessage -headers $Request.Headers -API $APINAME-message "Failed to get user ID: $($_.Exception.Message)" -Sev 'Error'
+        $UserId = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Username)" -tenantid $TenantFilter).id
+        Write-LogMessage -headers $Headers -API $APIName -message "Retrieved user ID: $UserId" -Sev 'Debug'
+    } catch {
+        Write-LogMessage -headers $Headers -API $APIName -message "Failed to get user ID: $($_.Exception.Message)" -Sev 'Error'
         $body = [pscustomobject]@{'Results' = @("Failed to get user ID: $($_.Exception.Message)") }
         Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
                 StatusCode = [HttpStatusCode]::NotFound
@@ -43,98 +43,73 @@ Function Invoke-ExecModifyCalPerms {
         return
     }
 
-    $Results = [System.Collections.ArrayList]::new()
+    $Results = [System.Collections.Generic.List[string]]::new()
     $HasErrors = $false
 
     # Convert permissions to array format if it's an object with numeric keys
     if ($Permissions -is [PSCustomObject]) {
         if ($Permissions.PSObject.Properties.Name -match '^\d+$') {
             $Permissions = $Permissions.PSObject.Properties.Value
-        }
-        else {
+        } else {
             $Permissions = @($Permissions)
         }
     }
 
-    Write-LogMessage -headers $Request.Headers -API $APINAME-message "Processing $($Permissions.Count) permission entries" -Sev 'Debug'
+    Write-LogMessage -headers $Headers -API $APIName -message "Processing $($Permissions.Count) permission entries" -Sev 'Debug'
 
     foreach ($Permission in $Permissions) {
-        Write-LogMessage -headers $Request.Headers -API $APINAME-message "Processing permission: $($Permission | ConvertTo-Json)" -Sev 'Debug'
-        
+        Write-LogMessage -headers $Headers -API $APIName -message "Processing permission: $($Permission | ConvertTo-Json)" -Sev 'Debug'
+
         $PermissionLevel = $Permission.PermissionLevel.value ?? $Permission.PermissionLevel
         $Modification = $Permission.Modification
         $CanViewPrivateItems = $Permission.CanViewPrivateItems ?? $false
-        
-        Write-LogMessage -headers $Request.Headers -API $APINAME-message "Permission Level: $PermissionLevel, Modification: $Modification, CanViewPrivateItems: $CanViewPrivateItems" -Sev 'Debug'
-        
+        $FolderName = $Permission.FolderName ?? 'Calendar'
+
+        Write-LogMessage -headers $Headers -API $APIName -message "Permission Level: $PermissionLevel, Modification: $Modification, CanViewPrivateItems: $CanViewPrivateItems, FolderName: $FolderName" -Sev 'Debug'
+
         # Handle UserID as array or single value
         $TargetUsers = @($Permission.UserID | ForEach-Object { $_.value ?? $_ })
 
-        Write-LogMessage -headers $Request.Headers -API $APINAME-message "Target Users: $($TargetUsers -join ', ')" -Sev 'Debug'
+        Write-LogMessage -headers $Headers -API $APIName -message "Target Users: $($TargetUsers -join ', ')" -Sev 'Debug'
 
         foreach ($TargetUser in $TargetUsers) {
             try {
-                Write-LogMessage -headers $Request.Headers -API $APINAME-message "Processing target user: $TargetUser" -Sev 'Debug'
-                
-                if ($Modification -eq 'Remove') {
-                    try {
-                        $CalPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Remove-MailboxFolderPermission' -cmdParams @{
-                            Identity = "$($userid):\Calendar"
-                            User     = $TargetUser
-                            Confirm  = $false
-                        }
-                        $null = $results.Add("Removed $($TargetUser) from $($username) Calendar permissions")
-                    }
-                    catch {
-                        $null = $results.Add("No existing permissions to remove for $($TargetUser)")
-                    }
-                }
-                else {
-                    Write-LogMessage -headers $Request.Headers -API $APINAME-message "Setting permissions with AccessRights: $PermissionLevel" -Sev 'Debug'
-
-                    $cmdParams = @{
-                        Identity     = "$($userid):\Calendar"
-                        User         = $TargetUser
-                        AccessRights = $PermissionLevel
-                        Confirm      = $false
-                    }
-
-                    if ($CanViewPrivateItems) {
-                        $cmdParams['SharingPermissionFlags'] = 'Delegate,CanViewPrivateItems'
-                    }
-
-                    try {
-                        # Try Add first
-                        $CalPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Add-MailboxFolderPermission' -cmdParams $cmdParams
-                        $null = $results.Add("Granted $($TargetUser) $($PermissionLevel) access to $($username) Calendar$($CanViewPrivateItems ? ' with access to private items' : '')")
-                    }
-                    catch {
-                        # If Add fails, try Set
-                        $CalPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Set-MailboxFolderPermission' -cmdParams $cmdParams
-                        $null = $results.Add("Updated $($TargetUser) $($PermissionLevel) access to $($username) Calendar$($CanViewPrivateItems ? ' with access to private items' : '')")
-                    }
+                Write-LogMessage -headers $Headers -API $APIName -message "Processing target user: $TargetUser" -Sev 'Debug'
+                $Params = @{
+                    APIName              = $APIName
+                    Headers              = $Headers
+                    RemoveAccess         = if ($Modification -eq 'Remove') { $TargetUser } else { $null }
+                    TenantFilter         = $TenantFilter
+                    UserID               = $UserId
+                    folderName           = $FolderName
+                    UserToGetPermissions = $TargetUser
+                    LoggingName          = $TargetUser
+                    Permissions          = $PermissionLevel
+                    CanViewPrivateItems  = $CanViewPrivateItems
                 }
-                Write-LogMessage -headers $Request.Headers -API $APINAME-message "Successfully executed $($PermissionLevel) permission modification for $($TargetUser) on $($username)" -Sev 'Info' -tenant $TenantFilter
-            }
-            catch {
+
+                # Write-Host "Request params: $($Params | ConvertTo-Json)"
+                $Result = Set-CIPPCalendarPermission @Params
+
+                $null = $Results.Add($Result)
+            } catch {
                 $HasErrors = $true
-                Write-LogMessage -headers $Request.Headers -API $APINAME-message "Could not execute $($PermissionLevel) permission modification for $($TargetUser) on $($username). Error: $($_.Exception.Message)" -Sev 'Error' -tenant $TenantFilter
-                $null = $results.Add("Could not execute $($PermissionLevel) permission modification for $($TargetUser) on $($username). Error: $($_.Exception.Message)")
+                $null = $Results.Add("$($_.Exception.Message)")
             }
         }
     }
 
-    if ($results.Count -eq 0) {
-        Write-LogMessage -headers $Request.Headers -API $APINAME-message 'No results were generated from the operation' -Sev 'Warning'
-        $null = $results.Add('No results were generated from the operation. Please check the logs for more details.')
+    if ($Results.Count -eq 0) {
+        Write-LogMessage -headers $Headers -API $APIName -message 'No results were generated from the operation' -Sev 'Warning'
+        $null = $Results.Add('No results were generated from the operation. Please check the logs for more details.')
         $HasErrors = $true
     }
 
-    $body = [pscustomobject]@{'Results' = @($results) }
+    $Body = [pscustomobject]@{'Results' = @($Results) }
 
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = if ($HasErrors) { [HttpStatusCode]::InternalServerError } else { [HttpStatusCode]::OK }
             Body       = $Body
         })
-} 
+}