Enhance ACL Export and Project Valid Users role assignments (#110)

* Fix #104 and #44

Author: webtonize

src/PSRule.Rules.AzureDevOps/Functions/Common.ps1

@@ -150,6 +150,59 @@ function Get-AzDevOpsProject {
 }
 # End of Function Get-AzDevOpsProject
 
+<#
+    .SYNOPSIS
+    Get all Azure DevOps Project Acls
+
+    .DESCRIPTION
+    Get all Azure DevOps Project Acls using Azure DevOps Rest API
+
+    .PARAMETER ProjectId
+    Project Id for Azure DevOps
+
+    .EXAMPLE
+    Get-AzDevOpsProjectAcls -ProjectId $ProjectId
+#>
+function Get-AzDevOpsProjectAcls {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory)]
+        [string]
+        $ProjectId
+    )
+    if ($null -eq $script:connection) {
+        throw "Not connected to Azure DevOps. Run Connect-AzDevOps first"
+    }
+    $Organization = $script:connection.Organization
+    $header = $script:connection.GetHeader()
+    $aclInfo = @{
+        'Environments' = "https://dev.azure.com/$Organization/_apis/accesscontrollists/83d4c2e6-e57d-4d6e-892b-b87222b7ad20?api-version=7.2-preview.1&token=Environments/$ProjectId"
+        'Pipelines' = "https://dev.azure.com/$Organization/_apis/accesscontrollists/33344d9c-fc72-4d6f-aba5-fa317101a7e9?api-version=7.2-preview.1&token=$ProjectId"
+        'ReleaseDefinitions' = "https://dev.azure.com/$Organization/_apis/accesscontrollists/c788c23e-1b46-4162-8f5e-d7585343b5de?api-version=7.2-preview.1&token=$ProjectId"
+        'Repositories' = "https://dev.azure.com/$Organization/_apis/accesscontrollists/2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87?api-version=7.2-preview.1&token=repoV2/$ProjectId"
+        'ServiceConnections' = "https://dev.azure.com/$Organization/_apis/accesscontrollists/49b48001-ca20-4adc-8111-5b60c903a50c?api-version=7.2-preview.1&token=endpoints/$ProjectId"
+        'VariableGroups' = "https://dev.azure.com/$Organization/_apis/accesscontrollists/b7e84409-6553-448a-bbb2-af228e07cbeb?api-version=7.2-preview.1&token=Library/$ProjectId"
+    }
+    $acls = @{}
+    try {
+        # Walk through the aclInfo hashtable and get the acls for each resource
+        foreach($key in $aclInfo.Keys) {
+            $aclUri = $aclInfo[$key]
+            Write-Verbose "Getting $key ACLs for project $ProjectId"
+            $aclResponse = Invoke-RestMethod -Uri $aclUri -Method Get -Headers $header
+            # If the response is not an object but a string, the authentication failed
+            if ($aclResponse -is [string] -or $null -eq $aclResponse.value) {
+                throw "Authentication failed or project not found"
+            }
+            $acls.Add($key,$aclResponse.value)
+        }
+    }
+    catch {
+        throw $_.Exception.Message
+    }
+    return $acls
+}
+
 <#
     .SYNOPSIS
     Export the Azure DevOps Project
@@ -196,6 +249,10 @@ function Export-AzDevOpsProject {
         $response = Get-AzDevOpsProject -Project $Project
         $response | Add-Member -MemberType NoteProperty -Name ObjectType -Value "Azure.DevOps.Project"
         $response | Add-Member -MemberType NoteProperty -Name ObjectName -Value "$Organization.$Project"
+        # Add the Project Acls to the response object
+        $acls = Get-AzDevOpsProjectAcls -ProjectId $response.id
+        $response | Add-Member -MemberType NoteProperty -Name ProjectAcls -Value $acls
+        # Add a new id field to the response object
         $response.id = @{ 
             originalId      = $response.id;
             resourceName    = $response.name;
@@ -204,13 +261,13 @@ function Export-AzDevOpsProject {
         } | ConvertTo-Json -Depth 100
     }
     catch {
-        throw "Failed to get project $Project from Azure DevOps"
+        throw $_.Exception.Message
     }
     if($PassThru) {
         Write-Output $response
     } else {
         Write-Verbose "Exporting project $Project as file $Project.prj.ado.json"
-        $response | ConvertTo-Json | Out-File -FilePath "$OutputPath/$Project.prj.ado.json"
+        $response | ConvertTo-Json -Depth 100 | Out-File -FilePath "$OutputPath/$Project.prj.ado.json"
     }
 }
 # End of Function Export-AzDevOpsProject

src/PSRule.Rules.AzureDevOps/Functions/DevOps.Pipelines.Core.ps1

@@ -77,7 +77,10 @@ function Get-AzDevOpsPipelineAcls {
         $ProjectId,
         [Parameter(Mandatory=$true)]
         [string]
-        $PipelineId
+        $PipelineId,
+        [Parameter(Mandatory=$false)]
+        [string]
+        $Folder = ""
     )
     if ($null -eq $script:connection) {
         throw "Not connected to Azure DevOps. Run Connect-AzDevOps first"
@@ -90,11 +93,16 @@ function Get-AzDevOpsPipelineAcls {
         return $null
     } else {
         $header = $script:connection.GetHeader()
-        $uri = "https://dev.azure.com/$Organization/_apis/accesscontrollists/33344d9c-fc72-4d6f-aba5-fa317101a7e9?api-version=6.0&token=$($ProjectId)/$($PipelineId)"
+        $uri = "https://dev.azure.com/$Organization/_apis/accesscontrollists/33344d9c-fc72-4d6f-aba5-fa317101a7e9?api-version=7.2-preview.1&token=$($ProjectId)/$($PipelineId)"
         Write-Verbose "Getting pipeline ACLs from $uri"
         Write-Verbose "PROJECTID: $ProjectId"
         try {
-            $response = (Invoke-RestMethod -Uri $uri -Method Get -Headers $header -ContentType "application/json") #| Where-Object { $_.token -eq "$($ProjectId)/$($PipelineId)" }
+            if ($Folder -eq "") {
+                $response = (Invoke-RestMethod -Uri $uri -Method Get -Headers $header -ContentType "application/json") #| Where-Object { $_.token -eq "$($ProjectId)/$($PipelineId)" }
+            }
+            else {
+                $response = (Invoke-RestMethod -Uri $uri -Method Get -Headers $header -ContentType "application/json") #| Where-Object { $_.token -eq "$($ProjectId)/$($Folder)/$($PipelineId)" }
+            }
             # if the response is not an object but a string, the authentication failed
             if ($response -is [string]) {
                 throw "Authentication failed or project not found"
@@ -319,7 +327,14 @@ function Export-AzDevOpsPipelines {
         # Add the pipeline ACLs to the pipeline object if the token type is not ReadOnly
         if ($TokenType -ne 'ReadOnly') {
             Write-Verbose "Getting pipeline ACLs for pipeline $($pipeline.name)"
-            $pipeline | Add-Member -MemberType NoteProperty -Name Acls -Value (Get-AzDevOpsPipelineAcls -ProjectId $ProjectId -PipelineId $pipelineId)
+            if ($pipeline.folder -eq '\') {
+                $Folder = ""
+            }
+            else {
+                $Folder = $pipeline.folder.replace('\','/')
+                $Folder = $Folder.Trim('/')
+            }
+            $pipeline | Add-Member -MemberType NoteProperty -Name Acls -Value (Get-AzDevOpsPipelineAcls -ProjectId $ProjectId -PipelineId $pipelineId -Folder $Folder)
         } else {
             Write-Verbose "Token Type is set to ReadOnly, no pipeline ACLs will be returned"
         }

src/PSRule.Rules.AzureDevOps/Functions/DevOps.Pipelines.Environments.ps1

@@ -116,6 +116,66 @@ function Get-AzDevOpsEnvironmentChecks {
     }
 }
 Export-ModuleMember -Function Get-AzDevOpsEnvironmentChecks
+
+<#
+    .SYNOPSIS
+    Get all Azure Pipelines environment ACLs from Azure DevOps project
+
+    .DESCRIPTION
+    Get all Azure Pipelines environment ACLs from Azure DevOps project using Azure DevOps Rest API
+
+    .PARAMETER ProjectId
+    Project Id for Azure DevOps
+
+    .PARAMETER EnvironmentId
+    Environment Id for Azure DevOps
+
+    .EXAMPLE
+    Get-AzDevOpsEnvironmentAcls -Project $Project -Environment $Environment
+
+    .NOTES
+    Requires a connection to Azure DevOps with a token type of FullAccess
+#>
+function Get-AzDevOpsEnvironmentAcls {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory)]
+        [string]
+        $ProjectId,
+        [Parameter(Mandatory)]
+        [string]
+        $EnvironmentId
+    )
+    if ($null -eq $script:connection) {
+        throw "Not connected to Azure DevOps. Run Connect-AzDevOps first"
+    }
+    $TokenType = $script:connection.TokenType
+    # If token type is ReadOnly, write a warning and exit the function returing null
+    if($TokenType -eq 'ReadOnly') {
+        Write-Warning "Token type ReadOnly does not have access to Azure DevOps Pipelines Environments"
+        return $null
+    } else {
+        $header = $script:connection.GetHeader()
+        $Organization = $script:connection.Organization
+        Write-Verbose "Getting environment ACLs for environment $Environment"
+        $uri = "https://dev.azure.com/{0}/_apis/accesscontrollists/83d4c2e6-e57d-4d6e-892b-b87222b7ad20?api-version=7.2-preview.1&token=Environments/{1}/{2}" -f $Organization, $ProjectId, $EnvironmentId
+        Write-Verbose "URI: $uri"
+        try {
+            $response = Invoke-RestMethod -Uri $uri -Method Get -Headers $header
+            # If the response is a string and not an object, throw an exception for authentication failure or project not found
+            if ($response -is [string]) {
+                throw "Authentication failed or project not found"
+            }
+        }
+        catch {
+            throw $_.Exception.Message
+        }
+        $acls = @($response.value)
+        return $acls
+    }
+}
+Export-ModuleMember -Function Get-AzDevOpsEnvironmentAcls
+
 <#
     .SYNOPSIS
     Export all Azure Pipelines environments to JSON files with their checks as nested objects
@@ -169,6 +229,8 @@ function Export-AzDevOpsEnvironmentChecks {
 
                 $checks = @(Get-AzDevOpsEnvironmentChecks -Project $Project -Environment $environment.id)
                 $environment | Add-Member -MemberType NoteProperty -Name checks -Value $checks
+                $acls = @(Get-AzDevOpsEnvironmentAcls -ProjectId $environment.project.id -EnvironmentId $environment.id)
+                $environment | Add-Member -MemberType NoteProperty -Name Acls -Value $acls
                 # Set the id property to a hash table with the original id, organization and project name
                 $environment.id = @{
                     originalId = $environment.id

src/PSRule.Rules.AzureDevOps/Functions/DevOps.Pipelines.Releases.ps1

@@ -85,10 +85,11 @@ Function Get-AzDevOpsReleaseDefinitionAcls {
     } else {
         Write-Verbose "Getting release definition ACLs for release definition $ReleaseDefinitionId"
         if ($Folder -eq '') {
-            $uri = "https://dev.azure.com/{0}/_apis/accesscontrollists/c788c23e-1b46-4162-8f5e-d7585343b5de?api-version=6.0&token={1}/{2}" -f $Organization, $ProjectId, $ReleaseDefinitionId
+            $uri = "https://dev.azure.com/{0}/_apis/accesscontrollists/c788c23e-1b46-4162-8f5e-d7585343b5de?api-version=7.2-preview.1&token={1}/{2}" -f $Organization, $ProjectId, $ReleaseDefinitionId
         }
         else {
-            $uri = "https://dev.azure.com/{0}/_apis/accesscontrollists/c788c23e-1b46-4162-8f5e-d7585343b5de?api-version=6.0&token={1}/{2}/{3}" -f $Organization, $ProjectId, $Folder, $ReleaseDefinitionId
+            $Folder = $Folder.Trim('/')
+            $uri = "https://dev.azure.com/{0}/_apis/accesscontrollists/c788c23e-1b46-4162-8f5e-d7585343b5de?api-version=7.2-preview.1&token={1}/{2}/{3}" -f $Organization, $ProjectId, $Folder, $ReleaseDefinitionId
         }
         Write-Verbose "URI: $uri"
         $header = $script:connection.GetHeader()
@@ -167,7 +168,7 @@ Function Export-AzDevOpsReleaseDefinitions {
 
             # Set the id to the to a hashtable of the organization, project and original id
             $id = @{
-                originalId = $null
+                originalId = $definitionId
                 resourceName = $definitionName
                 project = $Project
                 organization = $Organization

src/PSRule.Rules.AzureDevOps/Functions/DevOps.Repos.ps1

@@ -239,14 +239,14 @@ Function Get-AzDevOpsRepositoryAcls {
         return $null
     } else {
         $header = $script:connection.GetHeader()
-        $uri = "https://dev.azure.com/{0}/_apis/accesscontrollists/2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87?api-version=6.0" -f $Organization
+        $uri = "https://dev.azure.com/{0}/_apis/accesscontrollists/2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87?api-version=7.2-preview.1&token=repoV2/{1}/{2}" -f $Organization, $ProjectId, $RepositoryId
         try {
             $response = Invoke-RestMethod -Uri $uri -Method Get -Headers $header -ContentType "application/json"
             # If the response is a string and not an object, throw an exception for authentication failure or project not found
             if ($response -is [string]) {
                 throw "Authentication failed or project not found"
             }
-            $thisRepoPerms = $response.value | where-object {($_.token -eq "repoV2/$($ProjectId)/$($RepositoryId)")}
+            $thisRepoPerms = $response.value
         }
         catch {
             throw $_.Exception.Message

src/PSRule.Rules.AzureDevOps/Functions/DevOps.ServiceConnections.ps1

@@ -91,6 +91,52 @@ function Get-AzDevOpsServiceConnectionChecks {
 Export-ModuleMember -Function Get-AzDevOpsServiceConnectionChecks
 # End of Function Get-AzDevOpsServiceConnectionChecks
 
+<#
+    .SYNOPSIS
+    Get the Acls for an service connection from Azure DevOps project
+
+    .DESCRIPTION
+    Get the Acls for an service connection from Azure DevOps project using Azure DevOps Rest API
+
+    .PARAMETER ProjectId
+    Project Id for Azure DevOps
+
+    .PARAMETER ServiceConnectionId
+    Service connection id for Azure DevOps
+
+    .EXAMPLE
+    Get-AzDevOpsServiceConnectionAcls -ProjectId $ProjectId -ServiceConnectionId $ServiceConnectionId
+#>
+function Get-AzDevOpsServiceConnectionAcls {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory)]
+        [string]
+        $ProjectId,
+        [Parameter(Mandatory)]
+        [string]
+        $ServiceConnectionId
+    )
+    if ($null -eq $script:connection) {
+        throw "Not connected to Azure DevOps. Run Connect-AzDevOps first"
+    }
+    $Organization = $script:connection.Organization
+    $header = $script:connection.GetHeader()
+    $uri = "https://dev.azure.com/{0}/_apis/accesscontrollists/49b48001-ca20-4adc-8111-5b60c903a50c?api-version=7.2-preview.1&token=endpoints/{1}/{2}" -f $Organization, $ProjectId, $ServiceConnectionId
+    try {
+        $response = Invoke-RestMethod -Uri $uri -Method Get -Headers $header
+        # If the response is not an object but a string, the authentication failed
+        if ($response -is [string]) {
+            throw "Authentication failed or project not found"
+        }
+    }
+    catch {
+        throw $_.Exception.Message
+    }
+    return @($response.value)
+}
+Export-ModuleMember -Function Get-AzDevOpsServiceConnectionAcls
+
 <#
     .SYNOPSIS
     Export all Azure Resource Manager service connections from Azure DevOps project with checks as nested objects
@@ -142,6 +188,10 @@ function Export-AzDevOpsServiceConnections {
         # Get checks for service connection
         $serviceConnectionChecks = @(Get-AzDevOpsServiceConnectionChecks -Project $Project -ServiceConnectionId $serviceConnection.id)
         $serviceConnection | Add-Member -MemberType NoteProperty -Name Checks -Value $serviceConnectionChecks
+        # Get acls for service connection
+        $serviceConnectionAcls = @(Get-AzDevOpsServiceConnectionAcls -ProjectId $serviceConnection.serviceEndpointProjectReferences[0].projectReference.id -ServiceConnectionId $serviceConnection.id)
+        $serviceConnection | Add-Member -MemberType NoteProperty -Name Acls -Value $serviceConnectionAcls
+
         # Set id field to a JSON object with originalId, project and organization
         $serviceConnection.id = @{
             originalId = $serviceConnection.id

src/PSRule.Rules.AzureDevOps/Functions/DevOps.Tasks.VariableGroups.ps1

@@ -41,6 +41,53 @@ Function Get-AzDevOpsVariableGroups {
 Export-ModuleMember -Function Get-AzDevOpsVariableGroups
 # End of function Get-AzDevOpsVariableGroups
 
+<#
+    .SYNOPSIS
+    Get Acls for a variable group from Azure DevOps.
+
+    .DESCRIPTION
+    Get Acls for a variable group from Azure DevOps using the REST API.
+
+    .PARAMETER ProjectId
+    The id of the Azure DevOps project.
+
+    .PARAMETER VariableGroupId
+    The id of the Azure DevOps variable group.
+
+    .EXAMPLE
+    Get-AzDevOpsVariableGroupAcls -ProjectId 'myproject' -VariableGroupId 1
+#>
+function Get-AzDevOpsVariableGroupAcls {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory)]
+        [string]$ProjectId,
+        [Parameter(Mandatory)]
+        [string]$VariableGroupId
+    )
+    if ($null -eq $script:connection) {
+        throw "Not connected to Azure DevOps. Run Connect-AzDevOps first"
+    }
+    $Organization = $script:connection.Organization
+    Write-Verbose "Getting variable group acls for project $ProjectId and variable group $VariableGroupId"
+    $uri = "https://dev.azure.com/{0}/_apis/accesscontrollists/b7e84409-6553-448a-bbb2-af228e07cbeb?api-version=7.2-preview.1&token=Library/{1}/VariableGroup/{2}" -f $Organization, $ProjectId, $VariableGroupId
+    Write-Verbose "URI: $uri"
+    $header = $script:connection.GetHeader()
+    # try to get the variable group acls, throw a descriptive error if it fails for authentication or other reasons
+    try {
+        $response = Invoke-RestMethod -Uri $uri -Method Get -Headers $header
+        # If the response is not an object but a string, the authentication failed
+        if ($response -is [string]) {
+            throw "Authentication failed or project not found"
+        }
+    }
+    catch {
+        throw $_.Exception.Message
+    }
+    return @($response.value)
+}
+Export-ModuleMember -Function Get-AzDevOpsVariableGroupAcls
+
 <#
     .SYNOPSIS
     Export variable groups to JSON files.
@@ -84,11 +131,15 @@ Function Export-AzDevOpsVariableGroups {
         throw "Not connected to Azure DevOps. Run Connect-AzDevOps first"
     }
     $Organization = $script:connection.Organization
+    $ProjectId = (Get-AzDevOpsProject -Project $Project).id
     $variableGroups = Get-AzDevOpsVariableGroups -Project $Project
     $variableGroups | ForEach-Object {
         $variableGroup = $_
         $variableGroup | Add-Member -MemberType NoteProperty -Name 'ObjectType' -Value 'Azure.DevOps.Tasks.VariableGroup'
         $variableGroup | Add-Member -MemberType NoteProperty -Name 'ObjectName' -Value "$Organization.$Project.$($variableGroup.name)"
+        # Add the variable group acls
+        $variableGroupAcls = @(Get-AzDevOpsVariableGroupAcls -ProjectId $ProjectId -VariableGroupId $variableGroup.id)
+        $variableGroup | Add-Member -MemberType NoteProperty -Name 'Acls' -Value $variableGroupAcls
         # Set the id to a JSON object with the originalId, project and organization
         $variableGroup.id = @{
             originalId = $variableGroup.id