Merge branch 'dev' of https://github.com/KelvinTegelaar/CIPP-API into dev

Author: KelvinTegelaar

Modules/CIPPCore/Public/Authentication/Get-CIPPRolePermissions.ps1

@@ -20,11 +20,13 @@ function Get-CIPPRolePermissions {
         $Permissions = $Role.Permissions | ConvertFrom-Json
         $AllowedTenants = if ($Role.AllowedTenants) { $Role.AllowedTenants | ConvertFrom-Json } else { @() }
         $BlockedTenants = if ($Role.BlockedTenants) { $Role.BlockedTenants | ConvertFrom-Json } else { @() }
+        $BlockedEndpoints = if ($Role.BlockedEndpoints) { $Role.BlockedEndpoints | ConvertFrom-Json } else { @() }
         [PSCustomObject]@{
-            Role           = $Role.RowKey
-            Permissions    = $Permissions.PSObject.Properties.Value
-            AllowedTenants = @($AllowedTenants)
-            BlockedTenants = @($BlockedTenants)
+            Role             = $Role.RowKey
+            Permissions      = $Permissions.PSObject.Properties.Value
+            AllowedTenants   = @($AllowedTenants)
+            BlockedTenants   = @($BlockedTenants)
+            BlockedEndpoints = @($BlockedEndpoints)
         }
     } else {
         throw "Role $RoleName not found."

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

@@ -199,6 +199,7 @@ function Test-CIPPAccess {
                     continue
                 }
             }
+
             if ($PermissionsFound) {
                 if ($TenantList.IsPresent) {
                     $LimitedTenantList = foreach ($Permission in $PermissionSet) {
@@ -248,6 +249,9 @@ function Test-CIPPAccess {
                 foreach ($Role in $PermissionSet) {
                     foreach ($Perm in $Role.Permissions) {
                         if ($Perm -match $APIRole) {
+                            if ($Role.BlockedEndpoints -contains $Request.Params.CIPPEndpoint) {
+                                throw "Access to this CIPP API endpoint is not allowed, the custom role '$($Role.Role)' has blocked this endpoint: $($Request.Params.CIPPEndpoint)"
+                            }
                             $APIAllowed = $true
                             break
                         }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCustomRole.ps1

@@ -26,11 +26,12 @@ function Invoke-ExecCustomRole {
                 Write-LogMessage -headers $Request.Headers -API 'ExecCustomRole' -message "Saved custom role $($Request.Body.RoleName)" -Sev 'Info'
                 if ($Request.Body.RoleName -notin $DefaultRoles) {
                     $Role = @{
-                        'PartitionKey'   = 'CustomRoles'
-                        'RowKey'         = "$($Request.Body.RoleName.ToLower())"
-                        'Permissions'    = "$($Request.Body.Permissions | ConvertTo-Json -Compress)"
-                        'AllowedTenants' = "$($Request.Body.AllowedTenants | ConvertTo-Json -Compress)"
-                        'BlockedTenants' = "$($Request.Body.BlockedTenants | ConvertTo-Json -Compress)"
+                        'PartitionKey'     = 'CustomRoles'
+                        'RowKey'           = "$($Request.Body.RoleName.ToLower())"
+                        'Permissions'      = "$($Request.Body.Permissions | ConvertTo-Json -Compress)"
+                        'AllowedTenants'   = "$($Request.Body.AllowedTenants | ConvertTo-Json -Compress)"
+                        'BlockedTenants'   = "$($Request.Body.BlockedTenants | ConvertTo-Json -Compress)"
+                        'BlockedEndpoints' = "$($Request.Body.BlockedEndpoints | ConvertTo-Json -Compress)"
                     }
                     Add-CIPPAzDataTableEntity @Table -Entity $Role -Force | Out-Null
                     $Results.Add("Custom role $($Request.Body.RoleName) saved")
@@ -110,6 +111,15 @@ function Invoke-ExecCustomRole {
                     } else {
                         $Role | Add-Member -NotePropertyName BlockedTenants -NotePropertyValue @() -Force
                     }
+                    if ($Role.BlockedEndpoints) {
+                        try {
+                            $Role.BlockedEndpoints = @($Role.BlockedEndpoints | ConvertFrom-Json)
+                        } catch {
+                            $Role.BlockedEndpoints = ''
+                        }
+                    } else {
+                        $Role | Add-Member -NotePropertyName BlockedEndpoints -NotePropertyValue @() -Force
+                    }
                     $EntraRoleGroup = $EntraRoleGroups | Where-Object -Property RowKey -EQ $Role.RowKey
                     if ($EntraRoleGroup) {
                         $EntraGroup = $EntraRoleGroups | Where-Object -Property RowKey -EQ $Role.RowKey | Select-Object @{Name = 'label'; Expression = { $_.GroupName } }, @{Name = 'value'; Expression = { $_.GroupId } }
@@ -120,10 +130,11 @@ function Invoke-ExecCustomRole {
                 }
                 $DefaultRoles = foreach ($DefaultRole in $DefaultRoles) {
                     $Role = @{
-                        RowKey         = $DefaultRole
-                        Permissions    = ''
-                        AllowedTenants = @('AllTenants')
-                        BlockedTenants = @('')
+                        RowKey           = $DefaultRole
+                        Permissions      = ''
+                        AllowedTenants   = @('AllTenants')
+                        BlockedTenants   = @('')
+                        BlockedEndpoints = @('')
                     }
                     $EntraRoleGroup = $EntraRoleGroups | Where-Object -Property RowKey -EQ $Role.RowKey
                     if ($EntraRoleGroup) {