@@ -4,9 +4,18 @@ function Test-CIPPAccess {
44 [switch ]$TenantList
55 )
66 if ($Request.Params.CIPPEndpoint -eq ' ExecSAMSetup' return $true }
7+
8+ # Get function help
9+ $FunctionName = ' Invoke-{0}' -f $Request.Params.CIPPEndpoint
10+ $Help = Get-Help $FunctionName
11+
12+ # Check help for role
13+ $APIRole = $Help.Role
14+
715 if (! $Request.Headers .' x-ms-client-principal' -or ($Request.Headers .' x-ms-client-principal-id' -and $Request.Headers .' x-ms-client-principal-idp' -eq ' aad'
816 # Direct API Access
9- $IPAddress = $Request.Headers .' x-forwarded-for' -replace ' :(?=[^:]*$)' , ' ' -replace ' [\[\]]' , ' '
17+ $IPRegex = ' ^(?<IP>(?:\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-fA-F:]+\]|[0-9a-fA-F:]+))(?::\d+)?$'
18+ $IPAddress = $Request.Headers .' x-forwarded-for' -replace $IPRegex , ' $1' -replace ' [\[\]]' , ' '
1019 Write-Information " API Access: AppId=$ ( $Request.Headers .' x-ms-client-principal-id' ) IP=$IPAddress "
1120
1221 # TODO: Implement API Client support, create Get-CippApiClient function
@@ -22,11 +31,16 @@ function Test-CIPPAccess {
2231 throw 'Access to this CIPP API endpoint is not allowed, the API Client does not have the required permission'
2332 }
2433 } else { #>
25- $CustomRoles = @ (' CIPP-API '
34+ $CustomRoles = @ (' cipp-api '
2635 # }
2736 } else {
2837 $DefaultRoles = @ (' admin' , ' editor' , ' readonly' , ' anonymous' , ' authenticated'
2938 $User = [System.Text.Encoding ]::UTF8.GetString([System.Convert ]::FromBase64String($Request.Headers .' x-ms-client-principal' | ConvertFrom-Json
39+
40+ if (! $TenantList.IsPresent -and $APIRole -match ' SuperAdmin' -and $User.userRoles -notcontains ' superadmin'
41+ throw ' Access to this CIPP API endpoint is not allowed, the user does not have the required permission'
42+ }
43+
3044 if ($User.userRoles -contains ' admin' -or $User.userRoles -contains ' superadmin'
3145 if ($TenantList.IsPresent ) {
3246 return @ (' AllTenants'
@@ -66,57 +80,51 @@ function Test-CIPPAccess {
6680 }
6781 return $LimitedTenantList
6882 }
83+ foreach ($Role in $PermissionSet ) {
84+ # Loop through each custom role permission and check API / Tenant access
85+ $TenantAllowed = $false
86+ $APIAllowed = $false
6987
70- if (($PermissionSet | Measure-Object ).Count -eq 0 ) {
71- return $true
72- } else {
73- $FunctionName = ' Invoke-{0}' -f $Request.Params.CIPPEndpoint
74- $Help = Get-Help $FunctionName
75- # Check API for required role
76- $APIRole = $Help.Role
77- foreach ($Role in $PermissionSet ) {
78- # Loop through each custom role permission and check API / Tenant access
79- $TenantAllowed = $false
80- $APIAllowed = $false
81- foreach ($Perm in $Role.Permissions ) {
82- if ($Perm -match $APIRole ) {
83- $APIAllowed = $true
84- break
85- }
88+ foreach ($Perm in $Role.Permissions ) {
89+ if ($Perm -match $APIRole ) {
90+ $APIAllowed = $true
91+ break
8692 }
87- if ($APIAllowed ) {
88- # Check tenant level access
89- if (($Role.BlockedTenants | Measure-Object ).Count -eq 0 -and $Role.AllowedTenants -contains ' AllTenants'
90- $TenantAllowed = $true
91- } elseif ($Request.Query.TenantFilter -eq ' AllTenants' -or $Request.Body.TenantFilter -eq ' AllTenants'
92- $TenantAllowed = $false
93+ }
94+
95+ if ($APIAllowed ) {
96+ # Check tenant level access
97+ if (($Role.BlockedTenants | Measure-Object ).Count -eq 0 -and $Role.AllowedTenants -contains ' AllTenants'
98+ $TenantAllowed = $true
99+ } elseif ($Request.Query.TenantFilter -eq ' AllTenants' -or $Request.Body.TenantFilter -eq ' AllTenants'
100+ $TenantAllowed = $false
101+ } else {
102+ $Tenant = ($Tenants | Where-Object { $Request.Query.TenantFilter -eq $_.customerId -or $Request.Body.TenantFilter -eq $_.customerId -or $Request.Query.TenantFilter -eq $_.defaultDomainName -or $Request.Body.TenantFilter -eq $_.defaultDomainName }).customerId
103+ if ($Role.AllowedTenants -contains ' AllTenants'
104+ $AllowedTenants = $Tenants.customerId
93105 } else {
94- $Tenant = ($Tenants | Where-Object { $Request.Query.TenantFilter -eq $_.customerId -or $Request.Body.TenantFilter -eq $_.customerId -or $Request.Query.TenantFilter -eq $_.defaultDomainName -or $Request.Body.TenantFilter -eq $_.defaultDomainName }).customerId
95- if ($Role.AllowedTenants -contains ' AllTenants'
96- $AllowedTenants = $Tenants.customerId
97- } else {
98- $AllowedTenants = $Role.AllowedTenants
99- }
100- if ($Tenant ) {
101- $TenantAllowed = $AllowedTenants -contains $Tenant -and $Role.BlockedTenants -notcontains $Tenant
102- if (! $TenantAllowed ) { continue }
103- break
104- } else {
105- $TenantAllowed = $true
106- break
107- }
106+ $AllowedTenants = $Role.AllowedTenants
107+ }
108+ if ($Tenant ) {
109+ $TenantAllowed = $AllowedTenants -contains $Tenant -and $Role.BlockedTenants -notcontains $Tenant
110+ if (! $TenantAllowed ) { continue }
111+ break
112+ } else {
113+ $TenantAllowed = $true
114+ break
108115 }
109116 }
110117 }
111- if (! $APIAllowed ) {
112- throw " Access to this CIPP API endpoint is not allowed, the '$ ( $Role.Role ) ' custom role does not have the required permission: $APIRole "
113- }
114- if (! $TenantAllowed ) {
115- throw ' Access to this tenant is not allowed'
116- } else {
117- return $true
118- }
119118 }
119+ if (! $APIAllowed ) {
120+ throw " Access to this CIPP API endpoint is not allowed, the '$ ( $Role.Role ) ' custom role does not have the required permission: $APIRole "
121+ }
122+ if (! $TenantAllowed ) {
123+ throw ' Access to this tenant is not allowed'
124+ } else {
125+ return $true
126+ }
127+
120128 } else {
121129 # No permissions found for any roles
122130 if ($TenantList.IsPresent ) {
0 commit comments