Skip to content

Commit 7bee97c

Browse files
authored
Merge pull request #1073 from KelvinTegelaar/dev
[pull] dev from KelvinTegelaar:dev
2 parents 521835f + cb33a14 commit 7bee97c

47 files changed

Lines changed: 230 additions & 107 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

Modules/CIPPCore/Public/Authentication/Initialize-CIPPAuth.ps1

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ function Initialize-CIPPAuth {
2323
# -- Entry logging --
2424
$EasyAuthEnabled = [Craft.Services.AppLifecycleBridge]::IsEasyAuthConfigured()
2525
$IsDevStorage = ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') -or ($env:NonLocalHostAzurite -eq 'true')
26-
$KVName = ($env:WEBSITE_DEPLOYMENT_ID -split '-')[0]
26+
$KVName = Get-CippKeyVaultName
2727

2828
Write-Information "[Auth-Init] Starting — EasyAuth=$EasyAuthEnabled, DevStorage=$IsDevStorage, KVName='$KVName', DeploymentId='$env:WEBSITE_DEPLOYMENT_ID'"
2929

Modules/CIPPCore/Public/Authentication/Set-CIPPSSOEasyAuth.ps1

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -71,8 +71,7 @@ function Set-CIPPSSOEasyAuth {
7171
# Set AUTH_SECRET as a KV reference when requested (initial setup)
7272
# Skip for implicit auth (no client secret needed — e.g. central migration app)
7373
if ($UseKvReferences -and -not $ImplicitAuth) {
74-
$KV = $env:WEBSITE_DEPLOYMENT_ID
75-
$VaultName = if ($KV) { ($KV -split '-')[0] } else { $null }
74+
$VaultName = Get-CippKeyVaultName
7675
if ($VaultName) {
7776
$MergedSettings['AUTH_SECRET'] = "@Microsoft.KeyVault(VaultName=$VaultName;SecretName=SSOAppSecret)"
7877
}

Modules/CIPPCore/Public/Authentication/Set-CIPPSSOStoredCredentials.ps1

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -32,9 +32,8 @@ function Set-CIPPSSOStoredCredentials {
3232
return
3333
}
3434

35-
$KV = $env:WEBSITE_DEPLOYMENT_ID
36-
$VaultName = if ($KV) { ($KV -split '-')[0] } else { $null }
37-
if (-not $VaultName) { throw 'Cannot determine Key Vault name from WEBSITE_DEPLOYMENT_ID' }
35+
$VaultName = Get-CippKeyVaultName
36+
if (-not $VaultName) { throw 'Cannot determine Key Vault name (WEBSITE_SITE_NAME / WEBSITE_DEPLOYMENT_ID not set)' }
3837

3938
if ($AppId) {
4039
$ExistingAppIdSecret = $null

Modules/CIPPCore/Public/Authentication/Update-CIPPSSORedirectUri.ps1

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,8 +32,7 @@ function Update-CIPPSSORedirectUri {
3232
$SSOMultiTenant = $Secret.SSOMultiTenant -eq 'True'
3333
} catch { }
3434
} else {
35-
$KV = $env:WEBSITE_DEPLOYMENT_ID
36-
$VaultName = if ($KV) { ($KV -split '-')[0] } else { $null }
35+
$VaultName = Get-CippKeyVaultName
3736
if ($VaultName) {
3837
try {
3938
$SSOAppId = Get-CippKeyVaultSecret -VaultName $VaultName -Name 'SSOAppId' -AsPlainText -ErrorAction Stop

Modules/CIPPCore/Public/Entrypoints/Timer Functions/Start-UpdateTokensTimer.ps1

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ function Start-UpdateTokensTimer {
2323
Write-LogMessage -API 'Update Tokens' -message 'Could not update refresh token. Will try again in 7 days.' -sev 'CRITICAL'
2424
}
2525
} else {
26-
$KV = ($env:WEBSITE_DEPLOYMENT_ID -split '-')[0]
26+
$KV = Get-CippKeyVaultName
2727
if ($Refreshtoken) {
2828
Set-CippKeyVaultSecret -VaultName $KV -Name 'RefreshToken' -SecretValue (ConvertTo-SecureString -String $Refreshtoken -AsPlainText -Force)
2929
} else {

Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@ function Get-CIPPAuthentication {
2121
}
2222
Write-Host "Got secrets from dev storage. ApplicationID: $env:ApplicationID"
2323
} else {
24-
$keyvaultname = ($env:WEBSITE_DEPLOYMENT_ID -split '-')[0]
24+
$keyvaultname = Get-CippKeyVaultName
2525
$Variables | ForEach-Object {
2626
Set-Item -Path env:$_ -Value (Get-CippKeyVaultSecret -VaultName $keyvaultname -Name $_ -AsPlainText -ErrorAction Stop) -Force
2727
}

Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -28,12 +28,14 @@ function Get-CIPPTimerFunctions {
2828

2929
$FunctionName = $env:WEBSITE_SITE_NAME
3030
$MainFunctionVersion = ($Nodes | Where-Object { $_.RowKey -eq $FunctionName }).Version
31-
$AvailableNodes = $Nodes | Where-Object { $_.RowKey -match '-' -and $_.Version -eq $MainFunctionVersion } | ForEach-Object { ($_.RowKey -split '-')[1] }
32-
33-
# Get node name
34-
if ($FunctionName -match '-') {
35-
$Node = ($FunctionName -split '-')[1]
36-
} else {
31+
# Offloaded nodes: RowKey is '<mainname>-<suffix>'. Use the known offload suffix as the
32+
# node name (Get-CippOffloadSuffix), NOT the second dash segment - a dashed main-app name
33+
# (e.g. 'compaction-01-z2ir2') would otherwise yield a wrong node like '01'.
34+
$AvailableNodes = $Nodes | Where-Object { (Test-CippOffloadFunctionApp -SiteName $_.RowKey) -and $_.Version -eq $MainFunctionVersion } | ForEach-Object { Get-CippOffloadSuffix -SiteName $_.RowKey }
35+
36+
# Get node name for the current app: the offload suffix, or 'http' for the main app.
37+
$Node = Get-CippOffloadSuffix -SiteName $FunctionName
38+
if (-not $Node) {
3739
$Node = 'http'
3840
}
3941

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
function Get-CippKeyVaultName {
2+
<#
3+
.SYNOPSIS
4+
Returns the name of the CIPP Azure Key Vault for the current instance.
5+
6+
.DESCRIPTION
7+
The Key Vault is named after the main App Service instance, so its name equals
8+
$env:WEBSITE_SITE_NAME on the main app.
9+
10+
Two things have to be handled:
11+
12+
1. Dashed instance names. Earlier code derived the vault name as
13+
($env:WEBSITE_DEPLOYMENT_ID -split '-')[0], which keeps only the segment before
14+
the first dash. That silently truncated any instance name containing a dash -
15+
e.g. 'compaction-01-z2ir2' became 'compaction' - so every secret call was pointed
16+
at a vault that does not exist (404). The full name must be kept intact.
17+
18+
2. Offloaded function apps. When function offloading is enabled, extra Function Apps
19+
are deployed alongside the main app and share its Key Vault. They are named
20+
'<mainname>-<suffix>' (e.g. 'compaction-01-z2ir2-standards'). Those apps must
21+
resolve the SAME vault as the main app, so a known offload suffix is stripped from
22+
the end of the site name. Only the fixed offload suffixes are stripped, never an
23+
arbitrary trailing segment, so a legitimate dashed vault name is left intact.
24+
25+
This is the single source of truth for the vault name so those bugs cannot reappear
26+
per call site.
27+
28+
.EXAMPLE
29+
$VaultName = Get-CippKeyVaultName
30+
#>
31+
[CmdletBinding()]
32+
[OutputType([string])]
33+
param()
34+
35+
# Primary: the App Service site name IS the vault name (on the main app).
36+
# Fallback: the full deployment id. Never split on '-' (that is the truncation bug this
37+
# helper exists to prevent); a dashed vault name must be kept whole.
38+
$Name = if (-not [string]::IsNullOrWhiteSpace($env:WEBSITE_SITE_NAME)) {
39+
$env:WEBSITE_SITE_NAME
40+
} elseif (-not [string]::IsNullOrWhiteSpace($env:WEBSITE_DEPLOYMENT_ID)) {
41+
$env:WEBSITE_DEPLOYMENT_ID
42+
} else {
43+
return $null
44+
}
45+
46+
# If running on an offloaded app ('<mainname>-<suffix>'), strip the known suffix so it
47+
# resolves the SAME vault as the main app. Get-CippOffloadSuffix is the single source of
48+
# truth for the suffix list.
49+
$Suffix = Get-CippOffloadSuffix -SiteName $Name
50+
if ($Suffix) {
51+
$Name = $Name -replace "-$([regex]::Escape($Suffix))$", ''
52+
}
53+
54+
return $Name
55+
}

Modules/CIPPCore/Public/Get-CippKeyVaultSecret.ps1

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -37,10 +37,9 @@ function Get-CippKeyVaultSecret {
3737
try {
3838
# Derive vault name if not provided
3939
if (-not $VaultName) {
40-
if ($env:WEBSITE_DEPLOYMENT_ID) {
41-
$VaultName = ($env:WEBSITE_DEPLOYMENT_ID -split '-')[0]
42-
} else {
43-
throw 'VaultName not provided and WEBSITE_DEPLOYMENT_ID environment variable not set'
40+
$VaultName = Get-CippKeyVaultName
41+
if (-not $VaultName) {
42+
throw 'VaultName not provided and could not be derived (WEBSITE_SITE_NAME / WEBSITE_DEPLOYMENT_ID not set)'
4443
}
4544
}
4645

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
function Get-CippOffloadSuffix {
2+
<#
3+
.SYNOPSIS
4+
Returns the offload-app suffix for a function app name, or $null when it is not an
5+
offloaded app.
6+
7+
.DESCRIPTION
8+
When function offloading is enabled, extra Function Apps are deployed alongside the
9+
main app and share its resources (Key Vault, etc.). They are named
10+
'<mainname>-<suffix>' - e.g. 'compaction-01-z2ir2-standards'.
11+
12+
This is the SINGLE SOURCE OF TRUTH for the known offload suffixes so that vault-name
13+
derivation ([[Get-CippKeyVaultName]]) and offload detection stay in sync. Matching is
14+
anchored to the end and requires a whole '-<suffix>' segment, so a legitimate dashed
15+
main-app name (e.g. 'compaction-01-z2ir2', which contains dashes but is NOT offloaded)
16+
is never misdetected.
17+
18+
Keep $OffloadSuffixes in sync with the deployment's offload app names.
19+
20+
.PARAMETER SiteName
21+
Function app name to inspect. Defaults to $env:WEBSITE_SITE_NAME (the current app).
22+
23+
.EXAMPLE
24+
Get-CippOffloadSuffix -SiteName 'compaction-01-z2ir2-standards' # -> 'standards'
25+
26+
.EXAMPLE
27+
Get-CippOffloadSuffix -SiteName 'compaction-01-z2ir2' # -> $null
28+
#>
29+
[CmdletBinding()]
30+
[OutputType([string])]
31+
param(
32+
[Parameter(Mandatory = $false)]
33+
[AllowNull()]
34+
[AllowEmptyString()]
35+
[string]$SiteName = $env:WEBSITE_SITE_NAME
36+
)
37+
38+
$OffloadSuffixes = @('proc', 'auditlog', 'standards', 'usertasks')
39+
40+
if ([string]::IsNullOrWhiteSpace($SiteName)) { return $null }
41+
42+
foreach ($Suffix in $OffloadSuffixes) {
43+
if ($SiteName -match "-$([regex]::Escape($Suffix))$") {
44+
return $Suffix
45+
}
46+
}
47+
48+
return $null
49+
}

0 commit comments

Comments
 (0)