
Commit 77073ba

role change
1 parent 7800b3c commit 77073ba

1 file changed

Lines changed: 18 additions & 0 deletions


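--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/New-CippCoreRequest.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/New-CippCoreRequest.ps1
@@ -43,6 +43,24 @@ function New-CippCoreRequest {
 $FunctionName = 'Invoke-{0}' -f $Request.Params.CIPPEndpoint
 Write-Information "API Endpoint: $($Request.Params.CIPPEndpoint) | Frontend Version: $($Request.Headers.'X-CIPP-Version' ?? 'Not specified')"
 
+# For now, while we're in read-only we force the role of the MCP API cred.
+# When we remove the feature flag, in NG, we move this to use the users role/ident.
+if ($Request.Params.CIPPEndpoint -eq 'ExecMcp' -and
+$Request.Headers.'x-ms-client-principal' -and
+$Request.Headers.'x-ms-client-principal-name' -notmatch '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$') {
+try {
+$McpPrincipal = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Request.Headers.'x-ms-client-principal')) | ConvertFrom-Json
+$McpAppId = ($McpPrincipal.claims | Where-Object { $_.typ -in @('azp', 'appid') } | Select-Object -First 1).val
+if ($McpAppId -and (Get-CippApiClient -AppId $McpAppId)) {
+$Request.Headers | Add-Member -NotePropertyName 'x-ms-client-principal-name' -NotePropertyValue $McpAppId -Force
+$Request.Headers | Add-Member -NotePropertyName 'x-ms-client-principal-idp' -NotePropertyValue 'aad' -Force
+Write-Information "MCP request mapped to API client $McpAppId (running at the app's CIPP role)"
+}
+} catch {
+Write-Information "MCP principal app resolution failed: $($_.Exception.Message)"
+}
+}
+
 # Check if endpoint is disabled via feature flags
 $FeatureFlags = Get-CIPPFeatureFlag
 $DisabledEndpoint = $FeatureFlags | Where-Object {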
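Review bot: The remap to the API client's identity keys only on the presence of an `azp`/`appid` claim (the `$McpAppId` line and the `if ($McpAppId -and (Get-CippApiClient …))` guard), but those claim types also appear in delegated user tokens, where they name the client application rather than the caller; a signed-in user whose client app happens to be a registered CIPP API client would then be rewritten to that app's principal name and run at the app's role instead of their own, which the comment above the block does not appear to intend. Gate the rewrite on the principal actually being app-only, for example `$McpIsApp = (($McpPrincipal.claims | Where-Object { $_.typ -eq 'idtyp' } | Select-Object -First 1).val -eq 'app')` and `if ($McpAppId -and $McpIsApp -and (Get-CippApiClient -AppId $McpAppId)) {`, or whatever app-only indicator the token profile in use guarantees — confirm against how Get-CippApiClient registrations are issued. The unconditional `'aad'` written to `x-ms-client-principal-idp` presumably mirrors the only provider expected here; if other providers can reach this endpoint, copy the decoded principal's `auth_typ` instead. Because the decode/lookup failure is only logged at `Write-Information` and the request continues with its original headers, a malformed or unexpected principal is invisible in the audit trail; `Write-Warning` (or the existing logging helper) would make this identity-affecting branch reviewable. The enclosing function New-CippCoreRequest begins and ends outside the hunk.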
