[pull] dev from KelvinTegelaar:dev #105
Open
pull[bot] wants to merge 146 commits into
Updated to write to and read from centralised CIPP database
Added license check for new Defender category Signed-off-by: DamienMatthys <damien@pcunplug.com>
Cleaned up logging Signed-off-by: DamienMatthys <damien@pcunplug.com>
…enant.ps1 Remove old sync function Signed-off-by: DamienMatthys <damien@pcunplug.com>
Remove old sync schedule Signed-off-by: DamienMatthys <damien@pcunplug.com>
Fixed sync to add one CVE per Device Signed-off-by: DamienMatthys <damien@pcunplug.com>
…d with repaired and have all remediation actions disabled
- replace arraylist with generic list
- skip sync on archived companies
If a CA failed to be deployed because of a missing X or another issue, these were not surfaced to the user, and in turn drift/standards alignment indicated the policy as aligned even though nothing was deployed. Also adds some future helpers that might be of use later.
…vanced) (#2114)

## What

The "Check" add-in's alerts are re-sent on every scheduled run - each run dumps the whole recent backlog to the configured webhook instead of only new alerts. Reported in #6216 (e.g. 13 test alerts resulted in 13 entries on every run).

## Cause

`Get-CIPPAlertCheckExtension` reads a per-tenant watermark from the `AlertLastRun` table (`PartitionKey 'AlertLastRun'`, `RowKey "<tenant>-Get-CIPPAlertCheckExtension"`) so it only fetches alerts newer than the previous run - but it never writes that watermark back. As a result `$Since` always falls back to the default 24-hour window, so every run re-fetches and re-sends the same alerts (and the day-partitioned de-dupe in `Write-AlertTrace` resets at midnight, which lines up with the reported timing jumps).

## Fix

Capture the run start, read/store an explicit `LastRunTime` watermark (falling back to the existing `Timestamp` for backward compatibility), and upsert the `AlertLastRun` row after processing. Each run now only sends alerts created since the previous run.

## Testing

- PowerShell parses clean.
- A mock-storage harness confirms the behaviour: run 1 sends the backlog, run 2 (no new alerts) sends nothing, run 3 sends only a newly-added alert.

Fixes KelvinTegelaar/CIPP#6216
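The watermark behaviour described in the commit message above, as an added PowerShell example that is not part of the commit or of CIPP's code. An in-memory hashtable stands in for the `AlertLastRun` table; `Invoke-AlertRunExample`, its `-PersistWatermark` switch, the tenant name and the sample alerts are hypothetical or constructed for illustration.

```powershell
# Added example: in-memory stand-in for the AlertLastRun table (not CIPP's storage helpers).
$script:Table = @{}

function Invoke-AlertRunExample {
    param(
        [string]$Tenant,
        [object[]]$Alerts,          # constructed alerts carrying a Created [datetime]
        [datetime]$Now,             # run start, captured by the caller
        [switch]$PersistWatermark   # omit to reproduce the re-send behaviour
    )
    $RowKey = "$Tenant-Get-CIPPAlertCheckExtension"
    $Row = $script:Table[$RowKey]

    # Prefer the explicit LastRunTime, fall back to Timestamp, else the 24-hour default window.
    $Since = if ($Row -and $Row.LastRunTime) {
        [datetime]$Row.LastRunTime
    } elseif ($Row -and $Row.Timestamp) {
        [datetime]$Row.Timestamp
    } else {
        $Now.AddHours(-24)
    }

    # Only alerts created after the watermark are candidates for sending.
    $New = @($Alerts | Where-Object { $_.Created -gt $Since })

    if ($PersistWatermark) {
        # Upsert after processing, so a run that throws earlier is retried from the old watermark.
        $script:Table[$RowKey] = @{ PartitionKey = 'AlertLastRun'; RowKey = $RowKey; LastRunTime = $Now }
    }
    return $New
}

# Constructed sample data: three backlog alerts, then one alert created between runs 2 and 3.
$T0 = [datetime]'2024-01-02T12:00:00'
$Backlog = 1..3 | ForEach-Object { [pscustomobject]@{ Id = $_; Created = $T0.AddHours(-$_) } }
$Later = $Backlog + [pscustomobject]@{ Id = 4; Created = $T0.AddMinutes(90) }

foreach ($Persist in $false, $true) {
    $script:Table = @{}   # fresh table for each scenario
    $Common = @{ Tenant = 'contoso.example'; PersistWatermark = $Persist }
    $r1 = @(Invoke-AlertRunExample @Common -Alerts $Backlog -Now $T0)
    $r2 = @(Invoke-AlertRunExample @Common -Alerts $Backlog -Now $T0.AddHours(1))
    $r3 = @(Invoke-AlertRunExample @Common -Alerts $Later -Now $T0.AddHours(2))
    "PersistWatermark=$Persist alerts sent per run: $($r1.Count), $($r2.Count), $($r3.Count)"
}
```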
# Resolve tenant variables in the Win32 Custom App detection script

Fixes KelvinTegelaar/CIPP#6226.

`%tenantid%` and the other `Get-CIPPTextReplacement` tokens resolve in a Win32 Custom Application's install and uninstall scripts, but not in the detection script, which reaches Intune with the literal `%tenantid%` string.

In `Add-CIPPW32ScriptApplication.ps1` the install and uninstall scripts are passed through `Get-CIPPTextReplacement` before being base64-encoded, but the detection script was encoded from the raw `$Properties.detectionScript`. This change runs the detection script through `Get-CIPPTextReplacement` first, the same way as the install and uninstall scripts directly below it.

Verified against the real `Get-CIPPTextReplacement` with mocked tenant lookups: before the change the detection script keeps the literal `%tenantid%`; after, it resolves to the tenant's customerId and matches what the install script produces. Other tokens such as `%tenantfilter%` resolve too.
Improve logging and error handling in the GDAP relationship termination function
…2112)

## What

Adds a deterministic post-processing stage that enriches the generated `openapi.json` with typed `200` response schemas and a unique `operationId` per operation, and publishes the result as a Release asset. It does **not** replace the existing generator; it runs on its output.

## Why

The generated spec types request bodies but leaves every `200` response as the generic `StandardResults` envelope, and carries no `operationId` on any operation. Two practical consequences:

- OpenAPI importers that key on `operationId` skip every operation. Tested against a real importer: the unmodified spec imported as **0** actions; with `operationId` injected it imports as **all 582**.
- Downstream tools get no typed output fields to map against.

## How

A PowerShell stage (`.build/Add-OpenApiResponseSchemas.ps1`) with two passes, both pure functions of checked-in sources (no live API calls, byte-identical output across runs):

- **operationId**: bare endpoint name per operation; method-prefixed only where one path carries multiple methods (e.g. `GetExecCSPLicense` / `PostExecCSPLicense`). Existing `operationId`s are preserved; any collision is a hard failure.
- **typed 200 responses**: derived from the frontend shape baselines (`Tests/Shapes/*.json`) and page `simpleColumns` declarations. The `{ Results, Metadata }` envelope is preserved exactly as the API returns it (no flattening, so the schema stays truthful to the wire). Endpoints with no typed source keep `StandardResults`, which is correct for write/exec operations.

## Publishing + CI

- `openapi-enriched-release.yml` builds and uploads `openapi.enriched.json` as an asset on each GitHub Release (no commits back to the tree).
- `openapi-enriched-check.yml` runs the test suite and **strictly lints the enriched spec** against a committed ignore-baseline (`.redocly.lint-ignore.yaml`) that pins pre-existing findings, so any *new* finding fails CI.
- `.github/workflows/` is gitignored in this repo (the existing workflows are force-added), so these two were added with `git add -f`, matching the repo convention.

## Tests

50 Pester tests + PSScriptAnalyzer (0 findings), run via `Tests/Build/Invoke-BuildTests.ps1`. Covers operationId rules (bare/disambiguated/preserve/collision-throws), response typing, idempotency, and the frontend-scan edge cases.

## Known limitations (documented in `.build/README.md`)

- Only `get/post/put/patch/delete` are processed (the spec has no other methods today).
- Paths are assumed to start with `/api/` (all current paths do).
- A typed `200` replaces the existing `200.content` (today only `StandardResults` exists there).
- Conditional/ternary `simpleColumns` expressions are intentionally not parsed (a conservative miss is preferred over capturing non-column strings).

## Side benefit

Injecting `operationId` also removes the `operation-operationId` lint warning that previously applied to every operation in the spec.

## CI activation note

Both workflows are guarded with `if: github.repository_owner == 'KelvinTegelaar'`, matching the convention of the existing workflows in this repo (forks do not run them). As a result they will **not** appear as status checks on this PR from the fork; they activate once merged into the upstream tree. Verification was therefore done locally before opening this PR:

- `Tests/Build/Invoke-BuildTests.ps1`: 50 Pester tests passing, PSScriptAnalyzer 0 findings
- strict Redocly lint of the generated `openapi.enriched.json`: 0 errors, 0 warnings, 5 pre-existing findings ignored via the committed baseline; verified to fail on an injected new finding
- both workflow YAML files parse clean
- enrichment is deterministic: same inputs produce byte-identical output across runs
This pull request enhances the `Push-BECRun` PowerShell function by adding the retrieval and logging of sent message traces for a user, and includes this data in the output object. These changes improve the auditing and incident response capabilities of the function by providing more comprehensive information about user activity.

**Enhancements to auditing and user activity tracking:**

* Added retrieval of sent message traces using the `Get-MessageTraceV2` cmdlet, with error handling and logging in case of failures. The trace includes message details such as status, subject, recipient, received time, and sender IP.
* Included the collected sent message trace data as a new property (`SentMessages`) in the output object returned by the function.
Introduce support for ExcludeGroupIds and ExcludeGroupNames in assignment functions. Frontend PR: KelvinTegelaar/CIPP#6244
Overhaul of the rather interesting way to construct a JSON payload and add in severity and resolving comment functionality. Frontend PR: KelvinTegelaar/CIPP#6234
Updated to write to and read from centralised CIPP database
Frontend PR: KelvinTegelaar/CIPP#6238

The `SetAuthMethod` endpoint only toggled state and group targeting, so every method-specific option was unreachable from the portal. This forwards those settings through `Invoke-SetAuthMethod` and applies them in `Set-CIPPAuthenticationPolicy`.

**Added/exposed settings**

- TAP: `isUsableOnce`, min/max/default lifetime, default length
- Microsoft Authenticator: software OATH + display-app-info / display-location / companion-app feature states
- Email OTP: external-ID state, exclude groups (empty list now explicitly clears `excludeTargets`)
- QR Code PIN: lifetime + PIN length
- FIDO2: `isAttestationEnforced` + `isSelfServiceRegistrationAllowed` (were hardcoded on enable)
- Voice: `isOfficePhoneAllowed`
- SMS: `isUsableForSignIn` (stamped onto each include-target)

Log messages now spell out the changed values per method.

**Tests:** adds `Tests/Private/Set-CIPPAuthenticationPolicy.Tests.ps1` (7 cases) — `Invoke-Pester -Path ./Tests/Private/Set-CIPPAuthenticationPolicy.Tests.ps1`.
Add the SMTP client authentication state to the mailbox details response, enhancing the information available for mailbox configuration. Frontend: KelvinTegelaar/CIPP#6180
Introduce functionality to allow specific user profile fields to be cleared when editing a user. Currently the property is just quietly dropped with a success message. Frontend PR: KelvinTegelaar/CIPP#6261
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )