Merge branch 'dev' into dev

Author: Jr7468

Modules/CIPPCore/Public/AuditLogs/New-CippAuditLogSearch.ps1

@@ -147,7 +147,7 @@ function New-CippAuditLogSearch {
     if ($IPAddressFilters) {
         $SearchParams.ipAddressFilters = @($IPAddressFilters)
     }
-    if ($ObjectIdFilterss) {
+    if ($ObjectIdFilters) {
         $SearchParams.objectIdFilters = @($ObjectIdFilters)
     }
     if ($AdministrativeUnitFilters) {

Modules/CIPPCore/Public/Authentication/Get-CippAllowedPermissions.ps1

@@ -0,0 +1,182 @@
+function Get-CippAllowedPermissions {
+    <#
+    .SYNOPSIS
+        Retrieves the allowed permissions for the current user.
+
+    .DESCRIPTION
+        This function retrieves the allowed permissions for the current user based on their role and the configured permissions in the CIPP system.
+        For admin/superadmin users, permissions are computed from base role include/exclude rules.
+        For editor/readonly users, permissions start from base role and are restricted by custom roles.
+
+    .PARAMETER UserRoles
+        Array of user roles to compute permissions for.
+
+    .OUTPUTS
+        Returns a list of allowed permissions for the current user.
+    #>
+
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string[]]$UserRoles
+    )
+
+    # Get all available permissions and base roles configuration
+
+    $CIPPCoreModuleRoot = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
+    $CIPPRoot = (Get-Item $CIPPCoreModuleRoot).Parent.Parent
+    $Version = (Get-Content -Path $CIPPRoot\version_latest.txt).trim()
+    $BaseRoles = Get-Content -Path $CIPPRoot\Config\cipp-roles.json | ConvertFrom-Json
+    $DefaultRoles = @('superadmin', 'admin', 'editor', 'readonly', 'anonymous', 'authenticated')
+
+    $AllPermissionCacheTable = Get-CIPPTable -tablename 'cachehttppermissions'
+    $AllPermissionsRow = Get-CIPPAzDataTableEntity @AllPermissionCacheTable -Filter "PartitionKey eq 'HttpFunctions' and RowKey eq 'HttpFunctions' and Version eq '$($Version)'"
+
+    if (-not $AllPermissionsRow) {
+        $AllPermissions = Get-CIPPHttpFunctions -ByRole | Select-Object -ExpandProperty Permission
+        $Entity = @{
+            PartitionKey = 'HttpFunctions'
+            RowKey       = 'HttpFunctions'
+            Version      = [string]$Version
+            Permissions  = [string]($AllPermissions | ConvertTo-Json -Compress)
+        }
+        Add-CIPPAzDataTableEntity @AllPermissionCacheTable -Entity $Entity -Force
+    } else {
+        $AllPermissions = $AllPermissionsRow.Permissions | ConvertFrom-Json
+    }
+
+    $AllowedPermissions = [System.Collections.Generic.List[string]]::new()
+
+    # Determine user's primary base role (highest priority first)
+    $BaseRole = $null
+    $PrimaryRole = $null
+
+    if ($UserRoles -contains 'superadmin') {
+        $PrimaryRole = 'superadmin'
+    } elseif ($UserRoles -contains 'admin') {
+        $PrimaryRole = 'admin'
+    } elseif ($UserRoles -contains 'editor') {
+        $PrimaryRole = 'editor'
+    } elseif ($UserRoles -contains 'readonly') {
+        $PrimaryRole = 'readonly'
+    }
+
+    if ($PrimaryRole) {
+        $BaseRole = $BaseRoles.PSObject.Properties | Where-Object { $_.Name -eq $PrimaryRole } | Select-Object -First 1
+    }
+
+    # Get custom roles (non-default roles)
+    $CustomRoles = $UserRoles | Where-Object { $DefaultRoles -notcontains $_ }
+
+    # For admin and superadmin: Compute permissions from base role include/exclude rules
+    if ($PrimaryRole -in @('admin', 'superadmin')) {
+        Write-Information "Computing permissions for $PrimaryRole using base role rules"
+
+        if ($BaseRole) {
+            # Start with all permissions and apply include/exclude rules
+            $BasePermissions = [System.Collections.Generic.List[string]]::new()
+
+            # Apply include rules
+            foreach ($Include in $BaseRole.Value.include) {
+                $MatchingPermissions = $AllPermissions | Where-Object { $_ -like $Include }
+                foreach ($Permission in $MatchingPermissions) {
+                    if ($BasePermissions -notcontains $Permission) {
+                        $BasePermissions.Add($Permission)
+                    }
+                }
+            }
+
+            # Apply exclude rules
+            foreach ($Exclude in $BaseRole.Value.exclude) {
+                $ExcludedPermissions = $BasePermissions | Where-Object { $_ -like $Exclude }
+                foreach ($Permission in $ExcludedPermissions) {
+                    $BasePermissions.Remove($Permission) | Out-Null
+                }
+            }
+
+            foreach ($Permission in $BasePermissions) {
+                $AllowedPermissions.Add($Permission)
+            }
+        }
+    }
+    # For editor and readonly: Start with base role permissions and restrict with custom roles
+    elseif ($PrimaryRole -in @('editor', 'readonly')) {
+        Write-Information "Computing permissions for $PrimaryRole with custom role restrictions"
+
+        if ($BaseRole) {
+            # Get base role permissions first
+            $BasePermissions = [System.Collections.Generic.List[string]]::new()
+
+            # Apply include rules from base role
+            foreach ($Include in $BaseRole.Value.include) {
+                $MatchingPermissions = $AllPermissions | Where-Object { $_ -like $Include }
+                foreach ($Permission in $MatchingPermissions) {
+                    if ($BasePermissions -notcontains $Permission) {
+                        $BasePermissions.Add($Permission)
+                    }
+                }
+            }
+
+            # Apply exclude rules from base role
+            foreach ($Exclude in $BaseRole.Value.exclude) {
+                $ExcludedPermissions = $BasePermissions | Where-Object { $_ -like $Exclude }
+                foreach ($Permission in $ExcludedPermissions) {
+                    $BasePermissions.Remove($Permission) | Out-Null
+                }
+            }
+
+            # If custom roles exist, intersect with custom role permissions (restriction)
+            if ($CustomRoles.Count -gt 0) {
+                $CustomRolePermissions = [System.Collections.Generic.List[string]]::new()
+
+                foreach ($CustomRole in $CustomRoles) {
+                    try {
+                        $RolePermissions = Get-CIPPRolePermissions -RoleName $CustomRole
+                        foreach ($Permission in $RolePermissions.Permissions) {
+                            if ($null -ne $Permission -and $Permission -is [string] -and $CustomRolePermissions -notcontains $Permission) {
+                                $CustomRolePermissions.Add($Permission)
+                            }
+                        }
+                    } catch {
+                        Write-Warning "Failed to get permissions for custom role '$CustomRole': $($_.Exception.Message)"
+                    }
+                }
+
+                # Restrict base permissions to only those allowed by custom roles
+                $RestrictedPermissions = $BasePermissions | Where-Object { $CustomRolePermissions -contains $_ }
+                foreach ($Permission in $RestrictedPermissions) {
+                    if ($null -ne $Permission -and $Permission -is [string]) {
+                        $AllowedPermissions.Add($Permission)
+                    }
+                }
+            } else {
+                # No custom roles, use base role permissions
+                foreach ($Permission in $BasePermissions) {
+                    if ($null -ne $Permission -and $Permission -is [string]) {
+                        $AllowedPermissions.Add($Permission)
+                    }
+                }
+            }
+        }
+    }
+    # Handle users with only custom roles (no base role)
+    elseif ($CustomRoles.Count -gt 0) {
+        Write-Information 'Computing permissions for custom roles only'
+
+        foreach ($CustomRole in $CustomRoles) {
+            try {
+                $RolePermissions = Get-CIPPRolePermissions -RoleName $CustomRole
+                foreach ($Permission in $RolePermissions.Permissions) {
+                    if ($null -ne $Permission -and $Permission -is [string] -and $AllowedPermissions -notcontains $Permission) {
+                        $AllowedPermissions.Add($Permission)
+                    }
+                }
+            } catch {
+                Write-Warning "Failed to get permissions for custom role '$CustomRole': $($_.Exception.Message)"
+            }
+        }
+    }
+
+    # Return sorted unique permissions
+    return ($AllowedPermissions | Sort-Object -Unique)
+}

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

@@ -15,19 +15,6 @@ function Test-CIPPAccess {
     # Check help for role
     $APIRole = $Help.Role
 
-    if ($APIRole -eq 'Public') {
-        return $true
-    }
-
-    # Get default roles from config
-    $CIPPCoreModuleRoot = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
-    $CIPPRoot = (Get-Item $CIPPCoreModuleRoot).Parent.Parent
-    $BaseRoles = Get-Content -Path $CIPPRoot\Config\cipp-roles.json | ConvertFrom-Json
-
-    if ($APIRole -eq 'Public') {
-        return $true
-    }
-
     # Get default roles from config
     $CIPPCoreModuleRoot = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
     $CIPPRoot = (Get-Item $CIPPCoreModuleRoot).Parent.Parent
@@ -38,11 +25,6 @@ function Test-CIPPAccess {
         return $true
     }
 
-    # Get default roles from config
-    $CIPPCoreModuleRoot = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
-    $CIPPRoot = (Get-Item $CIPPCoreModuleRoot).Parent.Parent
-    $BaseRoles = Get-Content -Path $CIPPRoot\Config\cipp-roles.json | ConvertFrom-Json
-
     if ($Request.Headers.'x-ms-client-principal-idp' -eq 'aad' -and $Request.Headers.'x-ms-client-principal-name' -match '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$') {
         $Type = 'APIClient'
         # Direct API Access
@@ -91,6 +73,22 @@ function Test-CIPPAccess {
             $CustomRoles = @('cipp-api')
             Write-Information "API Access: AppId=$($Request.Headers.'x-ms-client-principal-name'), IP=$IPAddress"
         }
+        if ($Request.Params.CIPPEndpoint -eq 'me') {
+            $Permissions = Get-CippAllowedPermissions -UserRoles $CustomRoles
+            Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                    StatusCode = [HttpStatusCode]::OK
+                    Body       = (
+                        @{
+                            'clientPrincipal' = @{
+                                appId   = $Request.Headers.'x-ms-client-principal-name'
+                                appRole = $CustomRoles
+                            }
+                            'permissions'     = $Permissions
+                        } | ConvertTo-Json -Depth 5)
+                })
+            return
+        }
+
     } else {
         $Type = 'User'
         $User = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Request.Headers.'x-ms-client-principal')) | ConvertFrom-Json
@@ -103,9 +101,14 @@ function Test-CIPPAccess {
         #Write-Information ($User | ConvertTo-Json -Depth 5)
         # Return user permissions
         if ($Request.Params.CIPPEndpoint -eq 'me') {
+            $Permissions = Get-CippAllowedPermissions -UserRoles $User.userRoles
             Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
                     StatusCode = [HttpStatusCode]::OK
-                    Body       = (@{ 'clientPrincipal' = $User } | ConvertTo-Json -Depth 5)
+                    Body       = (
+                        @{
+                            'clientPrincipal' = $User
+                            'permissions'     = $Permissions
+                        } | ConvertTo-Json -Depth 5)
                 })
             return
         }

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1

@@ -83,7 +83,7 @@ function Push-DomainAnalyserDomain {
     # Setup Score Explanation
     $ScoreExplanation = [System.Collections.Generic.List[string]]::new()
 
-    # Check MX Record
+    #Region MX Check
     $MXRecord = Read-MXRecord -Domain $Domain -ErrorAction Stop
 
     $Result.ExpectedSPFRecord = $MXRecord.ExpectedInclude
@@ -106,8 +106,9 @@ function Push-DomainAnalyserDomain {
     } else {
         $Result.MailProvider = $MXRecord.MailProvider.Name
     }
+    #EndRegion MX Check
 
-    # Get SPF Record
+    #Region SPF Check
     try {
         $SPFRecord = Read-SpfRecord -Domain $Domain -ErrorAction Stop
         if ($SPFRecord.RecordCount -gt 0) {
@@ -126,21 +127,21 @@ function Push-DomainAnalyserDomain {
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
     }
 
-    # Check SPF Record
-    $Result.SPFPassAll = $false
 
     # Check warning + fail counts to ensure all tests pass
     #$SPFWarnCount = $SPFRecord.ValidationWarns | Measure-Object | Select-Object -ExpandProperty Count
     $SPFFailCount = $SPFRecord.ValidationFails | Measure-Object | Select-Object -ExpandProperty Count
+    $Result.SPFPassAll = $false
 
     if ($SPFFailCount -eq 0) {
         $ScoreDomain += $Scores.SPFCorrectAll
         $Result.SPFPassAll = $true
     } else {
         $ScoreExplanation.Add('SPF record did not pass validation') | Out-Null
     }
+    #EndRegion SPF Check
 
-    # Get DMARC Record
+    #Region DMARC Check
     try {
         $DMARCPolicy = Read-DmarcPolicy -Domain $Domain -ErrorAction Stop
 
@@ -188,8 +189,9 @@ function Push-DomainAnalyserDomain {
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
         #return $Message
     }
+    #EndRegion DMARC Check
 
-    # DNS Sec Check
+    #Region DNS Sec Check
     try {
         $DNSSECResult = Test-DNSSEC -Domain $Domain -ErrorAction Stop
         $DNSSECFailCount = $DNSSECResult.ValidationFails | Measure-Object | Select-Object -ExpandProperty Count
@@ -206,8 +208,9 @@ function Push-DomainAnalyserDomain {
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
         #return $Message
     }
+    #EndRegion DNS Sec Check
 
-    # DKIM Check
+    #Region DKIM Check
     try {
         $DkimParams = @{
             Domain                       = $Domain
@@ -241,7 +244,9 @@ function Push-DomainAnalyserDomain {
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
         #return $Message
     }
+    #EndRegion DKIM Check
 
+    #Region MSCNAME DKIM Records
     # Get Microsoft DKIM CNAME selector Records
     # Ugly, but i needed to create a scope/loop i could break out of without breaking the rest of the function
     foreach ($d in $Domain) {
@@ -250,7 +255,7 @@ function Push-DomainAnalyserDomain {
             if ($Result.DKIMEnabled -eq $true) {
                 continue
             }
-            # Test if its a onmicrosft.com domain, skip domain if it is
+            # Test if its a onmicrosoft.com domain, skip domain if it is
             if ($Domain -match 'onmicrosoft.com') {
                 continue
             }
@@ -264,28 +269,21 @@ function Push-DomainAnalyserDomain {
                 }
             }
 
+            # Get the DKIM record from EXO. This is the only way to get the correct values for the MSCNAME records since the new format was introduced in May 2025.
+            $DKIM = (New-ExoRequest -tenantid $Tenant.Tenant -cmdlet 'Get-DkimSigningConfig' -Select 'Domain,Selector1CNAME,Selector2CNAME') | Where-Object { $_.Domain -eq $Domain }
 
-            # Compute the DKIM CNAME records from $Tenant.InitialDomainName according to this logic: https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dkim-configure#syntax-for-dkim-cname-records
-            # Test if it has a - in the domain name
-            if ($Domain -like '*-*') {
-                Write-Information 'Domain has a - in it. Got to query EXO for the right values'
-                $DKIM = (New-ExoRequest -tenantid $Tenant.Tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Domain -eq $Domain } | Select-Object Domain, Selector1CNAME, Selector2CNAME
-
-                # If no DKIM signing record is found, create a new disabled one
-                if ($null -eq $DKIM) {
-                    Write-Information 'No DKIM record found in EXO - Creating new signing'
-                    $NewDKIMSigningRequest = New-ExoRequest -tenantid $Tenant.Tenant -cmdlet 'New-DkimSigningConfig' -cmdParams @{  KeySize = 2048; DomainName = $Domain; Enabled = $false }
-                    $Selector1Value = $NewDKIMSigningRequest.Selector1CNAME
-                    $Selector2Value = $NewDKIMSigningRequest.Selector2CNAME
-                } else {
-                    $Selector1Value = $DKIM.Selector1CNAME
-                    $Selector2Value = $DKIM.Selector2CNAME
-                }
+            # If no DKIM signing record is found, create a new disabled one
+            if ($null -eq $DKIM) {
+                Write-Information 'No DKIM record found in EXO - Creating new signing'
+                $NewDKIMSigningRequest = New-ExoRequest -tenantid $Tenant.Tenant -cmdlet 'New-DkimSigningConfig' -cmdParams @{  KeySize = 2048; DomainName = $Domain; Enabled = $false }
+                $Selector1Value = $NewDKIMSigningRequest.Selector1CNAME
+                $Selector2Value = $NewDKIMSigningRequest.Selector2CNAME
             } else {
-                $Selector1Value = "selector1-$($Domain -replace '\.', '-' )._domainkey.$($Tenant.InitialDomainName)"
-                $Selector2Value = "selector2-$($Domain -replace '\.', '-' )._domainkey.$($Tenant.InitialDomainName)"
+                $Selector1Value = $DKIM.Selector1CNAME
+                $Selector2Value = $DKIM.Selector2CNAME
             }
 
+
             # Create the MSCNAME object
             $MSCNAMERecords = [PSCustomObject]@{
                 Domain    = $Domain
@@ -304,7 +302,7 @@ function Push-DomainAnalyserDomain {
             Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message "MS CNAME DKIM error: $($ErrorMessage.NormalizedError)" -LogData $ErrorMessage -sev Error
         }
     }
-
+    #EndRegion MSCNAME DKIM Records
     # Final Score
     $Result.Score = $ScoreDomain
     $Result.ScorePercentage = [int](($Result.Score / $Result.MaximumScore) * 100)