Skip to content

Commit 73f808a

Browse files
authored
Merge pull request #544 from KelvinTegelaar/dev
[pull] dev from KelvinTegelaar:dev
2 parents ad15aa6 + 1a7a5dc commit 73f808a

26 files changed

Lines changed: 105 additions & 43 deletions

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

Lines changed: 22 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,8 @@
11
function Test-CIPPAccess {
22
param(
33
$Request,
4-
[switch]$TenantList
4+
[switch]$TenantList,
5+
[switch]$GroupList
56
)
67
if ($Request.Params.CIPPEndpoint -eq 'ExecSAMSetup') { return $true }
78

@@ -239,7 +240,21 @@ function Test-CIPPAccess {
239240
$ExpandedAllowedTenants | Where-Object { $ExpandedBlockedTenants -notcontains $_ }
240241
}
241242
}
242-
return $LimitedTenantList
243+
return @($LimitedTenantList | Sort-Object -Unique)
244+
} elseif ($GroupList.IsPresent) {
245+
Write-Information "Getting allowed groups for roles: $($CustomRoles -join ', ')"
246+
$LimitedGroupList = foreach ($Permission in $PermissionSet) {
247+
if ((($Permission.AllowedTenants | Measure-Object).Count -eq 0 -or $Permission.AllowedTenants -contains 'AllTenants') -and (($Permission.BlockedTenants | Measure-Object).Count -eq 0)) {
248+
@('AllGroups')
249+
} else {
250+
foreach ($AllowedItem in $Permission.AllowedTenants) {
251+
if ($AllowedItem -is [PSCustomObject] -and $AllowedItem.type -eq 'Group') {
252+
$AllowedItem.value
253+
}
254+
}
255+
}
256+
}
257+
return @($LimitedGroupList | Sort-Object -Unique)
243258
}
244259

245260
$TenantAllowed = $false
@@ -256,12 +271,14 @@ function Test-CIPPAccess {
256271
}
257272

258273
if ($APIAllowed) {
259-
$TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter ?? $Request.Body.tenantFilter.value ?? $Request.Query.tenantId ?? $Request.Body.tenantId ?? $Request.Body.tenantId.value ?? $env:TenantID
274+
$TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter.value ?? $Request.Body.tenantFilter ?? $Request.Query.tenantId ?? $Request.Body.tenantId.value ?? $Request.Body.tenantId ?? $env:TenantID
260275
# Check tenant level access
261276
if (($Role.BlockedTenants | Measure-Object).Count -eq 0 -and $Role.AllowedTenants -contains 'AllTenants') {
262277
$TenantAllowed = $true
263-
} elseif ($TenantFilter -eq 'AllTenants') {
278+
} elseif ($TenantFilter -eq 'AllTenants' -and $ApiRole -match 'Write$') {
264279
$TenantAllowed = $false
280+
} elseif ($TenantFilter -eq 'AllTenants' -and $ApiRole -match 'Read$') {
281+
$TenantAllowed = $true
265282
} else {
266283
$Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId
267284

@@ -328,12 +345,11 @@ function Test-CIPPAccess {
328345
}
329346
return $true
330347
if ($APIAllowed) {
331-
$TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter ?? $Request.Query.tenantId ?? $Request.Body.tenantId ?? $env:TenantID
348+
$TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter.value ?? $Request.Body.tenantFilter ?? $Request.Query.tenantId ?? $Request.Body.tenantId.value ?? $Request.Body.tenantId ?? $env:TenantID
332349
# Check tenant level access
333350
if (($Role.BlockedTenants | Measure-Object).Count -eq 0 -and $Role.AllowedTenants -contains 'AllTenants') {
334351
$TenantAllowed = $true
335352
} elseif ($TenantFilter -eq 'AllTenants') {
336-
337353
$TenantAllowed = $false
338354
} else {
339355
$Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId

Modules/CIPPCore/Public/CippQueue/Invoke-ListCippQueue.ps1

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
function Invoke-ListCippQueue {
22
<#
33
.FUNCTIONALITY
4-
Entrypoint
4+
Entrypoint,AnyTenant
55
.ROLE
66
CIPP.Core.Read
77
#>

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserTenant.ps1

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,7 @@ function Push-DomainAnalyserTenant {
2323
# Remove domains that are not wanted, and used for cloud signature services. Same exclusions also found in Invoke-CIPPStandardAddDKIM
2424
$ExclusionDomains = @(
2525
'*.microsoftonline.com'
26+
'*.mail.onmicrosoft.com'
2627
'*.exclaimer.cloud'
2728
'*.excl.cloud'
2829
'*.codetwo.online'

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ListApiTest.ps1

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,8 @@ function Invoke-ListApiTest {
1818
}
1919
$Response.EnvironmentVariables = $EnvironmentVariables
2020
}
21+
$Response.AllowedTenants = $script:AllowedTenants
22+
$Response.AllowedGroups = $script:AllowedGroups
2123

2224
return ([HttpResponseContext]@{
2325
StatusCode = [HttpStatusCode]::OK

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,14 @@ function Invoke-ExecTenantGroup {
2323
$dynamicRules = $Request.Body.dynamicRules
2424
$ruleLogic = $Request.Body.ruleLogic ?? 'and'
2525

26+
$AllowedGroups = Test-CippAccess -Request $Request -GroupList
27+
if ($AllowedGroups -notcontains 'AllGroups') {
28+
return ([HttpResponseContext]@{
29+
StatusCode = [HttpStatusCode]::Forbidden
30+
Body = @{ Results = 'You do not have permission to manage tenant groups.' }
31+
})
32+
}
33+
2634
switch ($Action) {
2735
'AddEdit' {
2836
$Results = [System.Collections.Generic.List[object]]::new()

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/New-CippCoreRequest.ps1

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,18 @@ function New-CippCoreRequest {
3838
})
3939
}
4040

41+
$AllowedTenants = Test-CippAccess -Request $Request -TenantList
42+
$AllowedGroups = Test-CippAccess -Request $Request -GroupList
43+
44+
if ($AllowedTenants -notcontains 'AllTenants') {
45+
Write-Warning 'Limiting tenant access'
46+
$script:AllowedTenants = $AllowedTenants
47+
}
48+
if ($AllowedGroups -notcontains 'AllGroups') {
49+
Write-Warning 'Limiting group access'
50+
$script:AllowedGroups = $AllowedGroups
51+
}
52+
4153
try {
4254
Write-Information "Access: $Access"
4355
Write-LogMessage -headers $Headers -API $Request.Params.CIPPEndpoint -message 'Accessed this API' -Sev 'Debug'

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Alerts/Invoke-ListAuditLogs.ps1

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -64,7 +64,10 @@ function Invoke-ListAuditLogs {
6464
if ($FilterConditions) {
6565
$Table.Filter = $FilterConditions -join ' and '
6666
}
67-
$AuditLogs = Get-CIPPAzDataTableEntity @Table | ForEach-Object {
67+
68+
$Tenants = Get-Tenants -IncludeErrors
69+
70+
$AuditLogs = Get-CIPPAzDataTableEntity @Table | Where-Object { $Tenants.defaultDomainName -contains $_.Tenant } | ForEach-Object {
6871
$_.Data = try { $_.Data | ConvertFrom-Json } catch { $_.AuditData }
6972
$_ | Select-Object @{n = 'LogId'; exp = { $_.RowKey } }, @{ n = 'Timestamp'; exp = { $_.Data.RawData.CreationTime } }, Tenant, Title, Data
7073
}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-ListTenants.ps1

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -16,11 +16,7 @@ function Invoke-ListTenants {
1616
$TenantAccess = Test-CIPPAccess -Request $Request -TenantList
1717
Write-Host "Tenant Access: $TenantAccess"
1818

19-
if ($TenantAccess -notcontains 'AllTenants') {
20-
$AllTenantSelector = $false
21-
} else {
22-
$AllTenantSelector = $Request.Query.AllTenantSelector
23-
}
19+
$AllTenantSelector = $Request.Query.AllTenantSelector
2420

2521
$IncludeOffboardingDefaults = $Request.Query.IncludeOffboardingDefaults
2622

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-AddStandardsDeploy.ps1

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
Function Invoke-AddStandardsDeploy {
22
<#
33
.FUNCTIONALITY
4-
Entrypoint,AnyTenant
4+
Entrypoint
55
.ROLE
66
Tenant.Standards.ReadWrite
77
#>

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-AddStandardsTemplate.ps1

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
function Invoke-AddStandardsTemplate {
22
<#
33
.FUNCTIONALITY
4-
Entrypoint,AnyTenant
4+
Entrypoint
55
.ROLE
66
Tenant.Standards.ReadWrite
77
#>

0 commit comments

Comments
 (0)