From 800674006813159bc08ebbf6db86efdf45b1eaf3 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Mon, 12 Aug 2024 13:46:32 -0400 Subject: [PATCH 1/7] Function offloading --- .../Settings/Invoke-ExecOffloadFunctions.ps1 | 56 +++++++++++++++++++ Scheduler_PollAuditLogs/run.ps1 | 8 +++ 2 files changed, 64 insertions(+) create mode 100644 Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecOffloadFunctions.ps1 diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecOffloadFunctions.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecOffloadFunctions.ps1 new file mode 100644 index 000000000000..bf73ed18cd93 --- /dev/null +++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecOffloadFunctions.ps1 
@@ -0,0 +1,56 @@
+
+Function Invoke-ExecOffloadFunctions {
+ <#
+ .FUNCTIONALITY
+ Entrypoint
+ .ROLE
+ CIPP.SuperAdmin.ReadWrite
+ #>
+ [CmdletBinding()]
+ param($Request, $TriggerMetadata)
+
+ $roles = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json).userRoles
+ if ('superadmin' -notin $roles) {
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+ StatusCode = [HttpStatusCode]::Forbidden
+ Body = @{ error = 'You do not have permission to perform this action.' }
+ })
+ return
+ } else {
+ $Table = Get-CippTable -tablename 'Config'
+
+ if ($Request.Query.Action -eq 'ListCurrent') {
+ $CurrentState = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'OffloadFunctions' and RowKey eq 'OffloadFunctions'"
+ $CurrentState = if (!$CurrentState) {
+ [PSCustomObject]@{
+ OffloadFunctions = $false
+ }
+ } else {
+ [PSCustomObject]@{
+ OffloadFunctions = $CurrentState.state
+ }
+ }
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+ StatusCode = [HttpStatusCode]::OK
+ Body = $CurrentState
+ })
+ } else {
+ Add-CIPPAzDataTableEntity @Table -Entity @{
+ PartitionKey = 'OffloadFunctions'
+ RowKey = 'OffloadFunctions'
+ state = $request.Body.OffloadFunctions
+ } -Force
+
+ if ($Request.Body.OffloadFunctions) {
+ $Results = 'Enabled Offload Functions'
+ } else {
+ $Results = 'Disabled Offload Functions'
+ }
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+ StatusCode = [HttpStatusCode]::OK
+ Body = @{ results = $Results }
+ })
+ }
+
+ }
+}
diff --git a/Scheduler_PollAuditLogs/run.ps1 b/Scheduler_PollAuditLogs/run.ps1
index 4913f8570d52..3c7e8668355c 100644
--- a/Scheduler_PollAuditLogs/run.ps1
+++ b/Scheduler_PollAuditLogs/run.ps1
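Review bot: The inner `else` branch that writes the setting runs for every request whose `Action` is not 'ListCurrent', and it stores `$request.Body.OffloadFunctions` exactly as received, so a request with no body or a non-boolean value overwrites the flag with `$null` or a string. Because Scheduler_PollAuditLogs exits when this flag is true, the write should be gated on an explicit boolean, for example `if ($Request.Body.OffloadFunctions -isnot [bool]) { ... BadRequest ...; return }`. The change should also be recorded with a `Write-LogMessage` call naming the caller, since nothing in the function logs who toggled it. Separately, the `x-ms-client-principal` decode is unguarded, so a missing or malformed header throws before the Forbidden response can be sent; wrapping the decode in `try`/`catch` and treating failure as "no roles" would keep the denial path explicit.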
@@ -1,6 +1,14 @@ param($Timer) try { + $ConfigTable = Get-CIPPTable -tablename Config + $Config = Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'OffloadFunctions' and RowKey eq 'OffloadFunctions'" + + if ($Config -and $Config.state -eq $true) { + Write-Host 'Offload functions are enabled. Exiting.' + return 0 + } + $webhookTable = Get-CIPPTable -tablename webhookTable $Webhooks = Get-CIPPAzDataTableEntity @webhookTable -Filter "Version eq '3'" | Where-Object { $_.Resource -match '^Audit' -and $_.Status -ne 'Disabled' } if (($Webhooks | Measure-Object).Count -eq 0) { From 6f94a828eb84027fab1eaf4d710a8c058afbf2b9 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Mon, 12 Aug 2024 16:56:50 -0400 Subject: [PATCH 2/7] Cleanup Don't create queue entry for empty scheduler Don't write messages for debug off --- Modules/CIPPCore/Public/GraphHelper/Write-LogMessage.ps1 | 3 +-- Scheduler_GetQueue/run.ps1 | 6 +++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Modules/CIPPCore/Public/GraphHelper/Write-LogMessage.ps1 b/Modules/CIPPCore/Public/GraphHelper/Write-LogMessage.ps1 index 08b06d792cc6..5828884a19d1 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Write-LogMessage.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/Write-LogMessage.ps1 @@ -25,7 +25,6 @@ function Write-LogMessage { if (!$tenant) { $tenant = 'None' } if (!$username) { $username = 'CIPP' } if ($sev -eq 'Debug' -and $env:DebugMode -ne $true) { - Write-Information 'Not writing to log file - Debug mode is not enabled.' return } $PartitionKey = (Get-Date -UFormat '%Y%m%d').ToString() @@ -48,4 +47,4 @@ function Write-LogMessage { $Table.Entity = $TableRow Add-CIPPAzDataTableEntity @Table | Out-Null -} \ No newline at end of file +} diff --git a/Scheduler_GetQueue/run.ps1 b/Scheduler_GetQueue/run.ps1 index 87d355d1476c..f359db7de9c4 100644 --- a/Scheduler_GetQueue/run.ps1 +++ b/Scheduler_GetQueue/run.ps1 
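Review bot: When the flag is set, the added guard ends the audit-log poll with only a `Write-Host` line, and nothing in the hunk says which component is expected to do the polling instead. A comment above the check would make the intent reviewable, for example `# Offloading enabled: audit log polling is presumably handled by another function app, so this instance skips the poll.` A bare `return` would also match the early exit added in Scheduler_GetQueue/run.ps1, rather than emitting `0` from a timer-triggered script. The guard sits inside the `try` whose `catch` is outside the hunk, so how a failed Config read is handled cannot be seen from here.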
@@ -27,6 +27,10 @@ $Tasks = foreach ($Tenant in $Tenants) { } } +if (($Tasks | Measure-Object).Count -eq 0) { + return +} + $Queue = New-CippQueueEntry -Name 'Scheduler' -TotalTasks ($Tasks | Measure-Object).Count $Batch = foreach ($Task in $Tasks) { @@ -49,4 +53,4 @@ $InputObject = [PSCustomObject]@{ #Write-Information ($InputObject | ConvertTo-Json) $InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress) Write-Information "Started orchestration with ID = '$InstanceId'" -#$Orchestrator = New-OrchestrationCheckStatusResponse -Request $Request -InstanceId $InstanceId \ No newline at end of file +#$Orchestrator = New-OrchestrationCheckStatusResponse -Request $Request -InstanceId $InstanceId From c149d69572580b8639dc496e101ab5a4cee4b2cc Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Tue, 13 Aug 2024 11:37:23 +0200 Subject: [PATCH 3/7] assign bug --- Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 b/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 index c9f4cb5bbcff..9541e8f7e1d1 100644 --- a/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 +++ b/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 @@ -80,6 +80,6 @@ function Set-CIPPAssignedPolicy { } catch { #$ErrorMessage = Get-CippException -Exception $_ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message - Write-LogMessage -user $ExecutingUser -API $APIName -message "Failed to assign $GroupName to Policy $PolicyId. Error:$ErrorMessage" -Sev 'Error' -tenant $TenantFilter -LogData $ErrorMessage + Write-LogMessage -user $ExecutingUser -API $APIName -message "Failed to assign $GroupName to Policy $PolicyId, using Platform $PlatformType and $Type. The error is:$ErrorMessage" -Sev 'Error' -tenant $TenantFilter -LogData $ErrorMessage } } From 44b3e931a30d03ad9e828f52fde4b413f5dd400e Mon Sep 17 00:00:00 2001 
From: KelvinTegelaar Date: Tue, 13 Aug 2024 11:49:19 +0200 Subject: [PATCH 4/7] type check --- .../Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 index 6e904b80c722..8cbe8a150570 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 @@ -20,6 +20,7 @@ function Invoke-CIPPStandardIntuneTemplate { $displayname = $request.body.Displayname $description = $request.body.Description $RawJSON = $Request.body.RawJSON + $TemplateTypeURL = $Request.body.Type Set-CIPPIntunePolicy -TemplateType $Request.body.Type -Description $description -DisplayName $displayname -RawJSON $RawJSON -AssignTo $null -tenantFilter $Tenant From 27c4d1837e5a18c98ed131c5f3614270e5253d05 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Tue, 13 Aug 2024 12:00:08 +0200 Subject: [PATCH 5/7] cleaned up standards deployment. New assigns via set-intunepolicy --- .../Invoke-CIPPStandardIntuneTemplate.ps1 | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 index 8cbe8a150570..7eddbd5eecfc 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 
@@ -22,9 +22,9 @@ function Invoke-CIPPStandardIntuneTemplate { $RawJSON = $Request.body.RawJSON $TemplateTypeURL = $Request.body.Type - Set-CIPPIntunePolicy -TemplateType $Request.body.Type -Description $description -DisplayName $displayname -RawJSON $RawJSON -AssignTo $null -tenantFilter $Tenant + Set-CIPPIntunePolicy -TemplateType $Request.body.Type -Description $description -DisplayName $displayname -RawJSON $RawJSON -AssignTo $Template.AssignedTo -tenantFilter $Tenant - #Legacy assign. + #Legacy assign, only required for older templates. if ($Settings.AssignTo) { Write-Host "Assigning Policy to $($Settings.AssignTo) the create ID is $($CreateRequest)" if ($Settings.AssignTo -eq 'customGroup') { $Settings.AssignTo = $Settings.customGroup } @@ -37,16 +37,6 @@ function Invoke-CIPPStandardIntuneTemplate { } } - if ($Template.AssignedTo) { - Write-Host "New: Assigning Policy to $($Template.AssignedTo) the create ID is $($CreateRequest)" - if ($ExistingID) { - Set-CIPPAssignedPolicy -PolicyId $ExistingID.id -TenantFilter $tenant -GroupName $Template.AssignedTo -Type $TemplateTypeURL - Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully updated Intune Template $PolicyName policy for $($Tenant)" -sev 'Info' - } else { - Set-CIPPAssignedPolicy -PolicyId $CreateRequest.id -TenantFilter $tenant -GroupName $Template.AssignedTo -Type $TemplateTypeURL - Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully created Intune Template $PolicyName policy for $($Tenant)" -sev 'Info' - } - } } catch { $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update Intune Template $PolicyName, Error: $ErrorMessage" -sev 'Error' From 0622564acc150016a3f2173ac37b2390253d9f6d Mon Sep 17 00:00:00 2001 
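Review bot: `$Template.AssignedTo` is now passed to `Set-CIPPIntunePolicy` while the legacy `if ($Settings.AssignTo)` block below still runs, so a template carrying both values appears to be assigned through two paths; the updated comment should say which one takes precedence. The second hunk removes the only visible readers of `$TemplateTypeURL`, which leaves the assignment in the context line unused; either drop it or use it in the call as `-TemplateType $TemplateTypeURL`. That hunk also deletes the "Successfully created/updated" `Write-LogMessage` calls, so a successful assignment is only logged if `Set-CIPPIntunePolicy` does so itself, which is not visible here.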
From: John Duprey Date: Tue, 13 Aug 2024 08:02:11 -0400 Subject: [PATCH 6/7] Fix audit log duplicate detection --- .../Webhooks/Push-AuditLogTenant.ps1 | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenant.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenant.ps1 index b16829c6a3a7..555a0fe05d36 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenant.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenant.ps1 
@@ -1,15 +1,24 @@ function Push-AuditLogTenant { Param($Item) + # Get Table contexts $AuditBundleTable = Get-CippTable -tablename 'AuditLogBundles' $SchedulerConfig = Get-CIPPTable -TableName 'SchedulerConfig' - $CIPPURL = Get-CIPPAzDataTableEntity @SchedulerConfig -Filter "PartitionKey eq 'webhookcreation'" | Select-Object -First 1 -ExpandProperty CIPPURL $WebhookTable = Get-CippTable -tablename 'webhookTable' - $Webhooks = Get-CIPPAzDataTableEntity @WebhookTable -Filter "PartitionKey eq '$($Item.TenantFilter)' and Version eq '3'" | Where-Object { $_.Resource -match '^Audit' } - $ExistingBundles = Get-CIPPAzDataTableEntity @AuditBundleTable -Filter "PartitionKey eq '$($Item.TenantFilter)' and ContentType eq '$ContentType'" $ConfigTable = Get-CIPPTable -TableName 'WebhookRules' + + # Query CIPPURL for linking + $CIPPURL = Get-CIPPAzDataTableEntity @SchedulerConfig -Filter "PartitionKey eq 'webhookcreation'" | Select-Object -First 1 -ExpandProperty CIPPURL + + # Get all webhooks for the tenant + $Webhooks = Get-CIPPAzDataTableEntity @WebhookTable -Filter "PartitionKey eq '$($Item.TenantFilter)' and Version eq '3'" | Where-Object { $_.Resource -match '^Audit' } + + # Get webhook rules $ConfigEntries = Get-CIPPAzDataTableEntity @ConfigTable + # Date filter for existing bundles + $LastHour = (Get-Date).AddHours(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss') + $NewBundles = [System.Collections.Generic.List[object]]::new() foreach ($Webhook in $Webhooks) { # only process webhooks that are configured in the webhookrules table @@ -28,6 +37,7 @@ function Push-AuditLogTenant { EndTime = $Item.EndTime } $LogBundles = Get-CIPPAuditLogContentBundles @ContentBundleQuery + $ExistingBundles = Get-CIPPAzDataTableEntity @AuditBundleTable -Filter "PartitionKey eq '$($Item.TenantFilter)' and ContentType eq '$LogType' and Timestamp ge datetime'$($LastHour)'" foreach ($Bundle in $LogBundles) { if ($ExistingBundles.RowKey -notcontains $Bundle.contentId) { 
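Review bot: The duplicate check in the second hunk now only sees bundles whose table `Timestamp` falls within the last hour (`$LastHour` from the first hunk), while the bundles it is compared against come from the `$Item.StartTime` to `$Item.EndTime` query window. If that window ever reaches back further than an hour, for instance on a delayed or replayed run, content IDs that were already stored would be treated as new and queued again. Deriving the cutoff from the query window, or adding a comment that states why one hour always covers it, would make the dedup assumption explicit. The filter also interpolates `$Item.TenantFilter` and `$LogType` into the OData string and formats the datetime literal without a `Z` suffix; both are worth checking against the table service's expected syntax. The `foreach` body continues outside the hunk.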
@@ -61,5 +71,4 @@ function Push-AuditLogTenant { $InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress) Write-Host "Started orchestration with ID = '$InstanceId'" } - } From 73be998f07f813eef6fdc625cfe053c122f88a16 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Tue, 13 Aug 2024 10:07:34 -0400 Subject: [PATCH 7/7] Update version_latest.txt --- version_latest.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_latest.txt b/version_latest.txt index ca06394388d6..bee943381742 100644 --- a/version_latest.txt +++ b/version_latest.txt @@ -1 +1 @@ -6.2.2 +6.2.3