updates to new sam wizard

Author: KelvinTegelaar

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecCreateSAMApp.ps1

@@ -16,28 +16,27 @@ Function Invoke-ExecCreateSAMApp {
     try {
         $Token = $Request.body
         if ($Token) {
-            $URL = ($Request.headers.'x-ms-original-url').split('?') | Select-Object -First 1
+            $URL = ($Request.headers.'x-ms-original-url').split('/api') | Select-Object -First 1
             $TenantId = (Invoke-RestMethod 'https://graph.microsoft.com/v1.0/organization' -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method GET -ContentType 'application/json').value.id
             #Find Existing app registration
             $AppId = (Invoke-RestMethod 'https://graph.microsoft.com/v1.0/applications' -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method GET -ContentType 'application/json' -Body "{ `"filter`": `"displayName eq 'CIPP-SAM'`" }").value | Select-Object -Last 1
             #Check if the appId has the redirect URI, if not, add it.
             if ($AppId) {
                 Write-Host "Found existing app: $($AppId.id). Reusing."
                 $state = 'updated'
-                if ($AppId.web.redirectUris -notcontains $URL) {
-                    $ModuleBase = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
-                    $SamManifestFile = Get-Item (Join-Path $ModuleBase 'Public\SAMManifest.json')
-                    $app = Get-Content $SamManifestFile.FullName | ConvertFrom-Json
-                    $App.web.redirectUris = @($App.web.redirectUris + $URL) #change to SPA URL.
-                    $app = $app | ConvertTo-Json -Depth 15
-                    Invoke-RestMethod "https://graph.microsoft.com/v1.0/applications/$($AppId.id)" -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method PATCH -Body $app -ContentType 'application/json'
-                }
+                #remove the entire web object from the app registration
+                $ModuleBase = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
+                $SamManifestFile = Get-Item (Join-Path $ModuleBase 'Public\SAMManifest.json')
+                $app = Get-Content $SamManifestFile.FullName | ConvertFrom-Json
+                $app.web.redirectUris = @("$($url)/authredirect")
+                $app = ConvertTo-Json -Depth 15 -Compress -InputObject $app
+                Invoke-RestMethod "https://graph.microsoft.com/v1.0/applications/$($AppId.id)" -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method PATCH -Body $app -ContentType 'application/json'
             } else {
                 $state = 'created'
                 $ModuleBase = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
                 $SamManifestFile = Get-Item (Join-Path $ModuleBase 'Public\SAMManifest.json')
                 $app = Get-Content $SamManifestFile.FullName | ConvertFrom-Json
-                $App.web.redirectUris = @($App.web.redirectUris + $URL) #change to SPA URL.
+                $app.web.redirectUris = @("$($url)/authredirect")
                 $app = $app | ConvertTo-Json -Depth 15
                 $AppId = (Invoke-RestMethod 'https://graph.microsoft.com/v1.0/applications' -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method POST -Body $app -ContentType 'application/json')
                 $attempt = 0
@@ -76,17 +75,17 @@ Function Invoke-ExecCreateSAMApp {
             if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
                 $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
                 $Secret = Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
-                $Secret.TenantId = $TenantId
-                $Secret.ApplicationId = $AppId.appId
-                $Secret.ApplicationSecret = $AppPassword
+                $Secret | Add-Member -MemberType NoteProperty -Name 'tenantid' -Value $TenantId -Force
+                $Secret | Add-Member -MemberType NoteProperty -Name 'applicationid' -Value $AppId.appId -Force
+                $Secret | Add-Member -MemberType NoteProperty -Name 'applicationsecret' -Value $AppPassword -Force
                 Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
                 Write-Information ($Secret | ConvertTo-Json -Depth 5)
             } else {
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'tenantid' -SecretValue (ConvertTo-SecureString -String $TenantId -AsPlainText -Force)
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'applicationid' -SecretValue (ConvertTo-SecureString -String $Appid.appId -AsPlainText -Force)
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'applicationsecret' -SecretValue (ConvertTo-SecureString -String $AppPassword -AsPlainText -Force)
             }
-            $Results = @{'message' = "Succesfully $state the application registration. The application ID is $($AppId.id). You may continue to the next step."; severity = 'success' }
+            $Results = @{'message' = "Succesfully $state the application registration. The application ID is $($AppId.appid). You may continue to the next step."; severity = 'success' }
         }
 
     } catch {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecTokenExchange.ps1

@@ -0,0 +1,90 @@
+using namespace System.Net
+
+Function Invoke-ExecTokenExchange {
+    <#
+    .FUNCTIONALITY
+        Entrypoint,AnyTenant
+    .ROLE
+        CIPP.AppSettings.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    # Get the key vault name
+    $KV = $env:WEBSITE_DEPLOYMENT_ID
+    $APIName = $Request.Params.CIPPEndpoint
+
+    try {
+        if (!$Request.Body) {
+            Write-LogMessage -API $APIName -message 'Request body is missing' -Sev 'Error'
+            throw 'Request body is missing'
+        }
+
+        $TokenRequest = $Request.Body.tokenRequest
+        $TokenUrl = $Request.Body.tokenUrl
+        $TenantId = $Request.Body.tenantId
+
+        if (!$TokenRequest -or !$TokenUrl) {
+            Write-LogMessage -API $APIName -message 'Missing required parameters: tokenRequest or tokenUrl' -Sev 'Error'
+            throw 'Missing required parameters: tokenRequest or tokenUrl'
+        }
+
+        Write-LogMessage -API $APIName -message "Making token request to $TokenUrl" -Sev 'Info'
+
+        # Make sure we get the latest authentication
+        $auth = Get-CIPPAuthentication
+
+        if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
+            $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
+            $Secret = Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
+            $ClientSecret = $Secret.applicationsecret
+            Write-LogMessage -API $APIName -message 'Retrieved client secret from development secrets' -Sev 'Info'
+        } else {
+            try {
+                $ClientSecret = (Get-AzKeyVaultSecret -VaultName $kv -Name 'applicationsecret' -AsPlainText).SecretValue
+                Write-LogMessage -API $APIName -message 'Retrieved client secret from key vault' -Sev 'Info'
+            } catch {
+                Write-LogMessage -API $APIName -message "Failed to retrieve client secret: $($_.Exception.Message)" -Sev 'Error'
+                throw "Failed to retrieve client secret: $($_.Exception.Message)"
+            }
+        }
+
+        if (!$ClientSecret) {
+            Write-LogMessage -API $APIName -message 'Client secret is empty or null' -Sev 'Error'
+            throw 'Client secret is empty or null'
+        }
+
+        # Convert token request to form data and add client secret
+        $FormData = @{}
+        foreach ($key in $TokenRequest.PSObject.Properties.Name) {
+            $FormData[$key] = $TokenRequest.$key
+        }
+
+        # Add client_secret to the form data if not already present
+        if (!$FormData.ContainsKey('client_secret')) {
+            $FormData['client_secret'] = $ClientSecret
+        }
+
+        Write-Host "Posting this data: $($FormData | ConvertTo-Json -Depth 15)"
+        $Results = Invoke-RestMethod -Uri $TokenUrl -Method Post -Body $FormData -ContentType 'application/x-www-form-urlencoded' -ErrorAction Stop -SkipHttpErrorCheck
+    } catch {
+        $ErrorMessage = $_.Exception
+        $Results = @{
+            error             = 'server_error'
+            error_description = "Token exchange failed: $ErrorMessage"
+        }
+    }
+    if ($Results.error) {
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::BadRequest
+                Body       = $Results
+                Headers    = @{'Content-Type' = 'application/json' }
+            })
+    } else {
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::OK
+                Body       = $Results
+                Headers    = @{'Content-Type' = 'application/json' }
+            })
+    }
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecUpdateRefreshToken.ps1

@@ -0,0 +1,49 @@
+using namespace System.Net
+
+Function Invoke-ExecUpdateRefreshToken {
+    <#
+    .FUNCTIONALITY
+        Entrypoint,AnyTenant
+    .ROLE
+        CIPP.AppSettings.ReadWrite.
+    #>
+    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '')]
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $KV = $env:WEBSITE_DEPLOYMENT_ID
+
+    try {
+        # Handle refresh token update
+        #make sure we get the latest authentication:
+        $auth = Get-CIPPAuthentication
+        if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
+            $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
+            $Secret = Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
+            if ($env:ApplicationId -eq $Request.body.tenantId) {
+                $Secret.RefreshToken = $Request.body.RefreshToken
+            } else {
+                Write-Host "$($env:Applicationid) does not match $($Request.body.tenantId)"
+                $secret | Add-Member -MemberType NoteProperty -Name $($Request.body.tenantId) -Value $Request.body.refreshtoken -Force
+            }
+            Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
+        } else {
+            if ($env:ApplicationId -eq $Request.body.tenantId) {
+                Set-AzKeyVaultSecret -VaultName $kv -Name 'RefreshToken' -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
+            } else {
+                Set-AzKeyVaultSecret -VaultName $kv -Name $Request.body.tenantId -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
+            }
+        }
+        $InstanceId = Start-UpdatePermissionsOrchestrator #start the CPV refresh immediately while wizard still runs.
+        $Results = @{'message' = "Successfully updated your stored authentication for $($request.body.tenantId)."; severity = 'success' }
+    } catch {
+        $Results = [pscustomobject]@{'Results' = "Failed. $($_.InvocationInfo.ScriptLineNumber):  $($_.Exception.message)"; severity = 'failed' }
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Results
+        })
+
+}

Modules/CIPPCore/Public/Entrypoints/Invoke-ExecListAppId.ps1

@@ -14,7 +14,16 @@ Function Invoke-ExecListAppId {
     $Headers = $Request.Headers
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
     $ResponseURL = "$(($Request.headers.'x-ms-original-url').replace('/api/ExecListAppId','/api/ExecSAMSetup'))"
-
+    #make sure we get the very latest version of the appid from kv:
+    if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
+        $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
+        $Secret = Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
+        $env:ApplicationID = $Secret.ApplicationID
+        $env:TenantID = $Secret.TenantID
+    } else {
+        $env:ApplicationID = (Get-AzKeyVaultSecret -AsPlainText -VaultName $env:WEBSITE_DEPLOYMENT_ID -Name 'ApplicationID').SecretValueText
+        $env:TenantID = (Get-AzKeyVaultSecret -AsPlainText -VaultName $env:WEBSITE_DEPLOYMENT_ID -Name 'TenantID').SecretValueText
+    }
     $Results = @{
         applicationId = $env:ApplicationID
         tenantId      = $env:TenantID

Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1

@@ -18,6 +18,7 @@ function Get-CIPPAuthentication {
                     Set-Item -Path env:$Var -Value $Secret.$Var -Force -ErrorAction Stop
                 }
             }
+            Write-Host "Got secrets from dev storage. ApplicationID: $env:ApplicationID"
         } else {
             Write-Information 'Connecting to Azure'
             Connect-AzAccount -Identity