cleanup duplicate auth checks

JohnDuprey · JohnDuprey · commit b579ef996ede · 2025-05-28T12:45:01.000-04:00
diff --git a/Modules/CIPPCore/Public/Authentication/Get-CIPPAccessRole.ps1 b/Modules/CIPPCore/Public/Authentication/Get-CIPPAccessRole.ps1
@@ -16,7 +16,27 @@ function Get-CIPPAccessRole {
     Internal
     #>
     [CmdletBinding()]
-    Param()
+    param($Request)
 
-    
+    $CacheAccessUserRoleTable = Get-CIPPTable -tablename 'cacheAccessUserRole'
+    $CachedRoles = Get-CIPPAzDataTableEntity @CacheAccessUserRoleTable -Filter "PartitionKey eq 'AccessUser' and RowKey eq '$($Request.Headers.'x-ms-client-principal-name')'" | Select-Object -ExpandProperty Role | ConvertFrom-Json
+
+    $SwaCreds = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json)
+    $SwaRoles = $SwaCreds.userRoles
+
+    # Combine SWA roles and cached roles into a single deduplicated list
+    $AllRoles = [System.Collections.Generic.List[string]]::new()
+    if ($null -ne $SwaRoles) {
+        $AllRoles.AddRange($SwaRoles)
+    }
+    if ($null -ne $CachedRoles) {
+        $AllRoles.AddRange($CachedRoles)
+    }
+
+    # Remove duplicates and ensure we have a clean array
+    $CombinedRoles = $AllRoles | Select-Object -Unique
+
+    # For debugging
+    Write-Information "Combined Roles: $($CombinedRoles -join ', ')"
+    return $CombinedRoles
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecOffloadFunctions.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecOffloadFunctions.ps1
@@ -1,5 +1,5 @@
 
-Function Invoke-ExecOffloadFunctions {
+function Invoke-ExecOffloadFunctions {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -9,78 +9,68 @@ Function Invoke-ExecOffloadFunctions {
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
 
-    $roles = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json).userRoles
-    if ('superadmin' -notin $roles) {
-        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                StatusCode = [HttpStatusCode]::Forbidden
-                Body       = @{ error = 'You do not have permission to perform this action.' }
-            })
-        return
-    } else {
-        $Table = Get-CippTable -tablename 'Config'
+    $Table = Get-CippTable -tablename 'Config'
 
-        if ($Request.Query.Action -eq 'ListCurrent') {
-            $CurrentState = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'OffloadFunctions' and RowKey eq 'OffloadFunctions'"
-            $VersionTable = Get-CippTable -tablename 'Version'
-            $Version = Get-CIPPAzDataTableEntity @VersionTable -Filter "RowKey ne 'Version'"
-            $MainVersion = $Version | Where-Object { $_.RowKey -eq $env:WEBSITE_SITE_NAME }
-            $OffloadVersions = $Version | Where-Object { $_.RowKey -match '-' }
+    if ($Request.Query.Action -eq 'ListCurrent') {
+        $CurrentState = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'OffloadFunctions' and RowKey eq 'OffloadFunctions'"
+        $VersionTable = Get-CippTable -tablename 'Version'
+        $Version = Get-CIPPAzDataTableEntity @VersionTable -Filter "RowKey ne 'Version'"
+        $MainVersion = $Version | Where-Object { $_.RowKey -eq $env:WEBSITE_SITE_NAME }
+        $OffloadVersions = $Version | Where-Object { $_.RowKey -match '-' }
 
-            $Alerts = [System.Collections.Generic.List[string]]::new()
+        $Alerts = [System.Collections.Generic.List[string]]::new()
 
-            $CanEnable = $false
-            if (!$OffloadVersions.Version) {
-                $Alerts.Add('No offloaded function apps have been registered. If you''ve just deployed one, this can take up to 15 minutes.')
-            } else {
-                $CanEnable = $true
-            }
+        $CanEnable = $false
+        if (!$OffloadVersions.Version) {
+            $Alerts.Add('No offloaded function apps have been registered. If you''ve just deployed one, this can take up to 15 minutes.')
+        } else {
+            $CanEnable = $true
+        }
 
-            foreach ($Offload in $OffloadVersions) {
-                $FunctionName = $Offload.RowKey
-                if ([semver]$Offload.Version -ne [semver]$MainVersion.Version) {
-                    $CanEnable = $false
-                    $Alerts.Add("The version of $FunctionName ($($Offload.Version)) does not match the current version of $($MainVersion.Version).")
-                }
+        foreach ($Offload in $OffloadVersions) {
+            $FunctionName = $Offload.RowKey
+            if ([semver]$Offload.Version -ne [semver]$MainVersion.Version) {
+                $CanEnable = $false
+                $Alerts.Add("The version of $FunctionName ($($Offload.Version)) does not match the current version of $($MainVersion.Version).")
             }
+        }
 
-            $VersionTable = $Version | Select-Object @{n = 'Name'; e = { $_.RowKey } }, @{n = 'Version'; e = { $_.Version } }, @{n = 'Default'; e = { $_.RowKey -notmatch '-' } }
+        $VersionTable = $Version | Select-Object @{n = 'Name'; e = { $_.RowKey } }, @{n = 'Version'; e = { $_.Version } }, @{n = 'Default'; e = { $_.RowKey -notmatch '-' } }
 
-            $CurrentState = if (!$CurrentState) {
-                [PSCustomObject]@{
-                    OffloadFunctions = $false
-                    Version          = @($VersionTable)
-                    Alerts           = $Alerts
-                    CanEnable        = $CanEnable
-                }
-            } else {
-                [PSCustomObject]@{
-                    OffloadFunctions = $CurrentState.state
-                    Version          = @($VersionTable)
-                    Alerts           = $Alerts
-                    CanEnable        = $CanEnable
-                }
+        $CurrentState = if (!$CurrentState) {
+            [PSCustomObject]@{
+                OffloadFunctions = $false
+                Version          = @($VersionTable)
+                Alerts           = $Alerts
+                CanEnable        = $CanEnable
             }
-            Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                    StatusCode = [HttpStatusCode]::OK
-                    Body       = $CurrentState
-                })
         } else {
-            Add-CIPPAzDataTableEntity @Table -Entity @{
-                PartitionKey = 'OffloadFunctions'
-                RowKey       = 'OffloadFunctions'
-                state        = $request.Body.OffloadFunctions
-            } -Force
-
-            if ($Request.Body.OffloadFunctions) {
-                $Results = 'Enabled Offload Functions'
-            } else {
-                $Results = 'Disabled Offload Functions'
+            [PSCustomObject]@{
+                OffloadFunctions = $CurrentState.state
+                Version          = @($VersionTable)
+                Alerts           = $Alerts
+                CanEnable        = $CanEnable
             }
-            Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                    StatusCode = [HttpStatusCode]::OK
-                    Body       = @{ results = $Results }
-                })
         }
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::OK
+                Body       = $CurrentState
+            })
+    } else {
+        Add-CIPPAzDataTableEntity @Table -Entity @{
+            PartitionKey = 'OffloadFunctions'
+            RowKey       = 'OffloadFunctions'
+            state        = $request.Body.OffloadFunctions
+        } -Force
 
+        if ($Request.Body.OffloadFunctions) {
+            $Results = 'Enabled Offload Functions'
+        } else {
+            $Results = 'Disabled Offload Functions'
+        }
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::OK
+                Body       = @{ results = $Results }
+            })
     }
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecPartnerMode.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecPartnerMode.ps1
@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ExecPartnerMode {
+function Invoke-ExecPartnerMode {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -10,74 +10,67 @@ Function Invoke-ExecPartnerMode {
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
 
-    $roles = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json).userRoles
-    if ('superadmin' -notin $roles) {
-        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                StatusCode = [HttpStatusCode]::Forbidden
-                Body       = @{ error = 'You do not have permission to perform this action.' }
-            })
-        return
-    } else {
-        $Table = Get-CippTable -tablename 'tenantMode'
-        if ($request.body.TenantMode) {
-            Add-CIPPAzDataTableEntity @Table -Entity @{
-                PartitionKey = 'Setting'
-                RowKey       = 'PartnerModeSetting'
-                state        = $request.body.TenantMode
-            } -Force
 
-            if ($Request.Body.TenantMode -eq 'default') {
-                $Table = Get-CippTable -tablename 'Tenants'
-                $Tenant = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'Tenants' and RowKey eq '$($env:TenantID)'" -Property RowKey, PartitionKey, customerId, displayName
-                if ($Tenant) {
-                    try {
-                        Remove-AzDataTableEntity -Force @Table -Entity $Tenant
-                    } catch {
-                    }
+    $Table = Get-CippTable -tablename 'tenantMode'
+    if ($request.body.TenantMode) {
+        Add-CIPPAzDataTableEntity @Table -Entity @{
+            PartitionKey = 'Setting'
+            RowKey       = 'PartnerModeSetting'
+            state        = $request.body.TenantMode
+        } -Force
+
+        if ($Request.Body.TenantMode -eq 'default') {
+            $Table = Get-CippTable -tablename 'Tenants'
+            $Tenant = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'Tenants' and RowKey eq '$($env:TenantID)'" -Property RowKey, PartitionKey, customerId, displayName
+            if ($Tenant) {
+                try {
+                    Remove-AzDataTableEntity -Force @Table -Entity $Tenant
+                } catch {
                 }
-            } elseif ($Request.Body.TenantMode -eq 'PartnerTenantAvailable') {
-                $InputObject = [PSCustomObject]@{
-                    Batch            = @(
+            }
+        } elseif ($Request.Body.TenantMode -eq 'PartnerTenantAvailable') {
+            $InputObject = [PSCustomObject]@{
+                Batch            = @(
+                    @{
+                        FunctionName = 'UpdateTenants'
+                    }
+                )
+                OrchestratorName = 'UpdateTenants'
+                SkipLog          = $true
+            }
+            Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Compress -Depth 5)
+        }
+
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::OK
+                Body       = @{
+                    results = @(
                         @{
-                            FunctionName = 'UpdateTenants'
+                            resultText = "Set Tenant mode to $($Request.body.TenantMode)"
+                            state      = 'success'
                         }
                     )
-                    OrchestratorName = 'UpdateTenants'
-                    SkipLog          = $true
                 }
-                Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Compress -Depth 5)
-            }
-
-            Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                    StatusCode = [HttpStatusCode]::OK
-                    Body       = @{
-                        results = @(
-                            @{
-                                resultText = "Set Tenant mode to $($Request.body.TenantMode)"
-                                state      = 'success'
-                            }
-                        )
-                    }
-                })
+            })
 
-        }
+    }
 
-        if ($request.query.action -eq 'ListCurrent') {
-            $CurrentState = Get-CIPPAzDataTableEntity @Table
-            $CurrentState = if (!$CurrentState) {
-                [PSCustomObject]@{
-                    TenantMode = 'default'
-                }
-            } else {
-                [PSCustomObject]@{
-                    TenantMode = $CurrentState.state
-                }
+    if ($request.query.action -eq 'ListCurrent') {
+        $CurrentState = Get-CIPPAzDataTableEntity @Table
+        $CurrentState = if (!$CurrentState) {
+            [PSCustomObject]@{
+                TenantMode = 'default'
+            }
+        } else {
+            [PSCustomObject]@{
+                TenantMode = $CurrentState.state
             }
-
-            Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                    StatusCode = [HttpStatusCode]::OK
-                    Body       = $CurrentState
-                })
         }
+
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::OK
+                Body       = $CurrentState
+            })
     }
+
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecDeviceCodeLogon.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecDeviceCodeLogon.ps1
@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ExecDeviceCodeLogon {
+function Invoke-ExecDeviceCodeLogon {
     <#
     .FUNCTIONALITY
         Entrypoint,AnyTenant
@@ -10,19 +10,6 @@ Function Invoke-ExecDeviceCodeLogon {
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
 
-    $UserCreds = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json)
-    if ('admin' -notin $UserCreds.userRoles) {
-        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                ContentType = 'application/json'
-                StatusCode  = [HttpStatusCode]::Forbidden
-                Body        = @{
-                    error        = 'Forbidden'
-                    errorMessage = 'You do not have permission to perform this action'
-                } | ConvertTo-Json
-            })
-        exit
-    }
-
     $APIName = $Request.Params.CIPPEndpoint
     $Headers = $Request.Headers
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecSAMSetup.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecSAMSetup.ps1
@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ExecSAMSetup {
+function Invoke-ExecSAMSetup {
     <#
     .FUNCTIONALITY
         Entrypoint,AnyTenant
@@ -13,7 +13,7 @@ Function Invoke-ExecSAMSetup {
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
 
-    $UserCreds = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json)
+
     if ($Request.Query.error) {
         Add-Type -AssemblyName System.Web
         Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
@@ -23,14 +23,6 @@ Function Invoke-ExecSAMSetup {
             })
         exit
     }
-    if ('admin' -notin $UserCreds.userRoles) {
-        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                ContentType = 'text/html'
-                StatusCode  = [HttpStatusCode]::Forbidden
-                Body        = 'Could not find an admin cookie in your browser, please confirm that you have the admin role in CIPP. Make sure you do not have an adblocker active, use a Chromium browser, and allow cookies. If our automatic refresh does not work, try pressing the URL bar and hitting enter. We will try to refresh ourselves in 3 seconds.<meta http-equiv="refresh" content="3" />'
-            })
-        exit
-    }
 
     $APIName = $Request.Params.CIPPEndpoint
     $Headers = $Request.Headers
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-ListDomainHealth.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-ListDomainHealth.ps1
@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ListDomainHealth {
+function Invoke-ListDomainHealth {
     <#
     .FUNCTIONALITY
         Entrypoint,AnyTenant
@@ -38,8 +38,8 @@ Function Invoke-ListDomainHealth {
     }
 
     Set-DnsResolver -Resolver $Resolver
-    #UNDOREPLACE
-    $UserCreds = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json)
+
+    $UserRoles = Get-CIPPAccessPermissions -Request $Request
 
     $APIName = $Request.Params.CIPPEndpoint
     $Headers = $Request.Headers
@@ -87,7 +87,7 @@ Function Invoke-ListDomainHealth {
                         if ($Request.Query.Selector) {
                             $DkimQuery.Selectors = ($Request.Query.Selector).trim() -split '\s*,\s*'
 
-                            if ('admin' -in $UserCreds.userRoles -or 'editor' -in $UserCreds.userRoles) {
+                            if ('admin' -in $UserRoles -or 'editor' -in $UserRoles) {
                                 $DkimSelectors = [string]($DkimQuery.Selectors | ConvertTo-Json -Compress)
                                 if ($DomainInfo) {
                                     $DomainInfo.DkimSelectors = $DkimSelectors
