responded to comments

Author: salman90

5-AccessControl/1-call-api-roles/API/package-lock.json

@@ -13,7 +13,6 @@
     "express": "^4.14.0",
     "lowdb": "^1.0.0",
     "morgan": "^1.10.0",
-    "nanoid": "^3.3.1",
     "passport": "^0.6.0",
     "passport-azure-ad": "^4.3.3"
   },

5-AccessControl/1-call-api-roles/API/package.json

@@ -5,33 +5,51 @@ const routeGuard = (accessMatrix) => {
         } else {
             const roles = req.authInfo['roles'];
 
-            if (req.path.includes(accessMatrix.todolist.path)) {
-                if (accessMatrix.todolist.methods.includes(req.method)) {
-                    let intersection = accessMatrix.todolist.roles.filter((role) => roles.includes(role));
+            if (requestHasRequiredAttributes(accessMatrix, req.path, req.method, roles)) {
+                return res.status(403).json({ error: 'User does not have the role, method or path' });
+            }
+        }
+        next();
+    };
+};
 
-                    if (intersection.length < 1) {
-                        return res.status(403).json({ error: 'User does not have the role' });
-                    }
-                } else {
-                    return res.status(403).json({ error: 'Method not allowed' });
-                }
-            } else if (req.path.includes(accessMatrix.dashboard.path)) {
-                if (accessMatrix.dashboard.methods.includes(req.method)) {
-                    let intersection = accessMatrix.dashboard.roles.filter((role) => roles.includes(role));
+/**
+ * This method checks if the request has the correct roles, paths and methods
+ * @param {Object} accessMatrix
+ * @param {String} path
+ * @param {String} method
+ * @param {Array} roles
+ * @returns boolean
+ */
+const requestHasRequiredAttributes = (accessMatrix, path, method, roles) => {
+    const routes = Object.keys(accessMatrix);
+    let hasMethod = false;
+    let hasPath = false;
+    let hasRoles = false;
+    routes.forEach((route) => {
+        if (path.includes(accessMatrix[route].path)) {
+            hasPath = true;
+        } else {
+            hasPath = false;
+        }
 
-                    if (intersection.length < 1) {
-                        return res.status(403).json({ error: 'User does not have the role' });
-                    }
-                } else {
-                    return res.status(403).json({ error: 'Method not allowed' });
-                }
+        if (hasPath) {
+            if (accessMatrix[route].methods.includes(method)) {
+                hasMethod = true;
             } else {
-                return res.status(403).json({ error: 'Unrecognized path' });
+                hasMethod = false;
             }
         }
 
-        next();
-    };
+        if (hasPath && hasMethod) {
+            let intersection = accessMatrix[route].roles.filter((role) => roles.includes(role));
+            if (intersection.length < 1) {
+                hasRoles = true;
+            }
+        }
+    });
+
+    return hasRoles;
 };
 
 module.exports = routeGuard;

5-AccessControl/1-call-api-roles/API/utils/guard.js

@@ -139,11 +139,10 @@ The acceptable values for this parameter are:
 - AzureCloud
 - AzureChinaCloud
 - AzureUSGovernment
-- AzureGermanyCloud
 
 Example:
 
  ```PowerShell
- . .\Cleanup.ps1 -AzureEnvironmentName "AzureGermanyCloud"
- . .\Configure.ps1 -AzureEnvironmentName "AzureGermanyCloud"
+ . .\Cleanup.ps1 -AzureEnvironmentName "AzureUSGovernment"
+ . .\Configure.ps1 -AzureEnvironmentName "AzureUSGovernment"
  ```

5-AccessControl/1-call-api-roles/AppCreationScripts/AppCreationScripts.md

@@ -81,4 +81,3 @@ Cleanup -tenantId $tenantId -environment $azureEnvironmentName
 
 Write-Host "Disconnecting from tenant"
 Disconnect-MgGraph
-

5-AccessControl/1-call-api-roles/AppCreationScripts/Cleanup.ps1

@@ -7,13 +7,11 @@ param(
     [string] $azureEnvironmentName
 )
 
-
 Function RemoveUser([string]$userPrincipal)
 {
     Remove-MgUser -UserId $userPrincipal
 }
 
-
 Function CleanupRolesUsersAndRoleAssignments
 {
     if (!$azureEnvironmentName)
@@ -25,12 +23,12 @@ Function CleanupRolesUsersAndRoleAssignments
 
     if ($tenantId -eq "") 
     {
-        Connect-MgGraph -Scopes "Application.ReadWrite.All" -Environment $azureEnvironmentName
+        Connect-MgGraph -Scopes "Application.ReadWrite.All User.ReadWrite.All" -Environment $azureEnvironmentName
         $tenantId = (Get-MgContext).TenantId
     }
     else 
     {
-        Connect-MgGraph -TenantId $tenantId -Scopes "Application.ReadWrite.All" -Environment $azureEnvironmentName
+        Connect-MgGraph -TenantId $tenantId -Scopes "Application.ReadWrite.All User.ReadWrite.All" -Environment $azureEnvironmentName
     }
 
 
@@ -42,28 +40,25 @@ Function CleanupRolesUsersAndRoleAssignments
     if ($app)
     {
         $appName = $app.DisplayName
-
         $userEmail =  $appName +"-" + "TaskAdmin" + "@" + $tenantName
         RemoveUser -userPrincipal $userEmail
         Write-Host "user name ($userEmail)"
-
-
         $userEmail =  $appName +"-" + "TaskUser" + "@" + $tenantName
         RemoveUser -userPrincipal $userEmail
         Write-Host "user name ($userEmail)"
-
-
     }
-
-
-
-
 }
 
+if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Applications")) {
+    Install-Module "Microsoft.Graph.Applications" -Scope CurrentUser 
+}
 
+Import-Module Microsoft.Graph.Applications
 
+if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Users")) {
+    Install-Module "Microsoft.Graph.Users" -Scope CurrentUser 
+}
 
-Import-Module Microsoft.Graph.Applications
 Import-Module Microsoft.Graph.Users
 
 # Run interactively (will ask you for the tenant ID)

5-AccessControl/1-call-api-roles/AppCreationScripts/CleanupUsersAndAssignRoles.ps1

@@ -1,4 +1,4 @@
-
+
 [CmdletBinding()]
 param(
     [Parameter(Mandatory=$False, HelpMessage='Tenant ID (This is a GUID which represents the "Directory ID" of the AzureAD tenant into which you want to create the apps')]
@@ -171,22 +171,11 @@ Function CreateAppRole([string] $types, [string] $name, [string] $description)
     $appRole.Value = $name;
     return $appRole
 }
-Function CreateOptionalClaim([string] $name)
-{
-    <#.Description
-    This function creates a new Azure AD optional claims  with default and provided values
-    #>  
-
-    $appClaim = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphOptionalClaim
-    $appClaim.AdditionalProperties =  New-Object System.Collections.Generic.List[string]
-    $appClaim.Source =  $null
-    $appClaim.Essential = $false
-    $appClaim.Name = $name
-    return $appClaim
-}
 
 Function ConfigureApplications
 {
+    $isOpenSSl = 'N' #temporary disable open certificate creation 
+
     <#.Description
        This function creates the Azure AD applications for the sample in the provided Azure AD tenant and updates the
        configuration files in the client and service project  of the visual studio solution (App.Config and Web.Config)
@@ -238,28 +227,6 @@ Function ConfigureApplications
         New-MgApplicationOwnerByRef -ApplicationId $clientAadApplication.Id  -BodyParameter = @{"@odata.id" = "htps://graph.microsoft.com/v1.0/directoryObjects/$user.ObjectId"}
         Write-Host "'$($user.UserPrincipalName)' added as an application owner to app '$($clientServicePrincipal.DisplayName)'"
     }
-
-    # Add Claims
-
-    $optionalClaims = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphOptionalClaims
-    $optionalClaims.AccessToken = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphOptionalClaim]
-    $optionalClaims.IdToken = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphOptionalClaim]
-    $optionalClaims.Saml2Token = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphOptionalClaim]
-
-
-    # Add Optional Claims
-
-    $newClaim =  CreateOptionalClaim  -name "sid" 
-    $optionalClaims.IdToken += ($newClaim)
-    $newClaim =  CreateOptionalClaim  -name "login_hint" 
-    $optionalClaims.IdToken += ($newClaim)
-    $newClaim =  CreateOptionalClaim  -name "email" 
-    $optionalClaims.IdToken += ($newClaim)
-    $newClaim =  CreateOptionalClaim  -name "upn" 
-    $optionalClaims.IdToken += ($newClaim)
-    $newClaim =  CreateOptionalClaim  -name "acct" 
-    $optionalClaims.IdToken += ($newClaim)
-    Update-MgApplication -ApplicationId $clientAadApplication.Id -OptionalClaims $optionalClaims
 
     # Add application Roles
     $appRoles = New-Object System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphAppRole]
@@ -323,13 +290,6 @@ Function ConfigureApplications
     $requiredResourcesAccess.Add($requiredPermissions)
     Update-MgApplication -ApplicationId $clientAadApplication.Id -RequiredResourceAccess $requiredResourcesAccess
     Write-Host "Granted permissions."
-
-    # Configure known client applications for client 
-    Write-Host "Configure known client applications for the 'client'"
-    $knowApplications = New-Object System.Collections.Generic.List[System.String]
-    $knowApplications.Add($clientAadApplication.AppId)
-    Update-MgApplication -ApplicationId $clientAadApplication.Id -Api @{KnownClientApplications = $knowApplications}
-    Write-Host "Configured."
 
     # Update config file for 'client'
     $configFile = $pwd.Path + "\..\API\authConfig.js"
@@ -351,7 +311,7 @@ Function ConfigureApplications
     Write-Host "- For client"
     Write-Host "  - Navigate to $clientPortalUrl"
     Write-Host "  - To receive the 'roles' claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this SPA app. The guide, https://aka.ms/userassignmentrequired provides step by step instructions." -ForegroundColor Red 
-    Write-Host "  - Or you can run the ..\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign these users to the app roles of this app." -ForegroundColor Red 
+    Write-Host "  - Or you can run the .\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign these users to the app roles of this app." -ForegroundColor Red 
     Write-Host "  - Application 'client' publishes app roles . Do remember to navigate to the app registration in the app portal and assign users to these app roles" -ForegroundColor Red 
     Write-Host -ForegroundColor Green "------------------------------------------------------------------------------------------------" 
        if($isOpenSSL -eq 'Y')

5-AccessControl/1-call-api-roles/AppCreationScripts/Configure.ps1

@@ -7,7 +7,6 @@ param(
     [string] $azureEnvironmentName
 )
 
-
 Function Get-RandomPassword {
     param (
         [Parameter(Mandatory)]
@@ -53,7 +52,6 @@ Function Get-RandomPassword {
     return $password
 }
 
-
 Function CreateUser([string] $appName, $role, [string] $tenantName) 
 {
     $displayName =  $appName +"-" + $role.Value
@@ -65,24 +63,18 @@ Function CreateUser([string] $appName, $role, [string] $tenantName)
         Password =  $password
     }
 
-     
-
-
-
    $user =  Get-MgUser -Filter "UserPrincipalName eq '$($userEmail)'" 
 
     if(!$user)
     {
-        $user = New-MgUser -DisplayName $displayName -PasswordProfile $PasswordProfile -AccountEnabled -MailNickName $nickName  -UserPrincipalName $userEmail
-        Write-Host "Email: is "($user.UserPrincipalName)" and  password is $password"
-
+        $user = New-MgUser -DisplayName $displayName -PasswordProfile $PasswordProfile -AccountEnabled -MailNickName $nickName -UserPrincipalName $userEmail
+        Write-Host "Email: is "($user.UserPrincipalName)" and password is $password"
     }
     else
     {
         Write-Host "Email: "($user.UserPrincipalName)" already exists"
     }
 
-
     return $user
 }
 
@@ -94,16 +86,16 @@ Function CreateRolesUsersAndRoleAssignments
         $azureEnvironmentName = "Global"
     }
 
-     Write-Host "Connecting to Microsoft Graph"
+    Write-Host "Connecting to Microsoft Graph"
 
     if ($tenantId -eq "") 
     {
-        Connect-MgGraph -Scopes "Application.ReadWrite.All" -Environment $azureEnvironmentName
+        Connect-MgGraph -Scopes "Application.ReadWrite.All User.ReadWrite.All" -Environment $azureEnvironmentName
         $tenantId = (Get-MgContext).TenantId
     }
     else 
     {
-        Connect-MgGraph -TenantId $tenantId -Scopes "Application.ReadWrite.All" -Environment $azureEnvironmentName
+        Connect-MgGraph -TenantId $tenantId -Scopes "Application.ReadWrite.All User.ReadWrite.All" -Environment $azureEnvironmentName
     }
 
     $userAccount = (Get-MgContext).Account
@@ -118,25 +110,29 @@ Function CreateRolesUsersAndRoleAssignments
        $servicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '$($app.AppId)'"
        $appName = $app.DisplayName
 
-
        $TaskAdmin = $servicePrincipal.AppRoles | Where-Object { $_.DisplayName -eq "TaskAdmin" }
        # Creating a user 
        $newUser = CreateUser -appName $appName -role $TaskAdmin -tenantName $tenantName
        $assignRole = New-MgUserAppRoleAssignment -Userid $newUser.Id -PrincipalId $newUser.Id -ResourceId $servicePrincipal.Id -AppRoleID $TaskAdmin.Id
 
-
        $TaskUser = $servicePrincipal.AppRoles | Where-Object { $_.DisplayName -eq "TaskUser" }
        # Creating a user 
        $newUser = CreateUser -appName $appName -role $TaskUser -tenantName $tenantName
        $assignRole = New-MgUserAppRoleAssignment -Userid $newUser.Id -PrincipalId $newUser.Id -ResourceId $servicePrincipal.Id -AppRoleID $TaskUser.Id
 
-
     }
+}
 
-
+if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Applications")) {
+    Install-Module "Microsoft.Graph.Applications" -Scope CurrentUser 
 }
 
 Import-Module Microsoft.Graph.Applications
+
+if ($null -eq (Get-Module -ListAvailable -Name "Microsoft.Graph.Users")) {
+    Install-Module "Microsoft.Graph.Users" -Scope CurrentUser 
+}
+
 Import-Module Microsoft.Graph.Users
 
 # Run interactively (will ask you for the tenant ID)

5-AccessControl/1-call-api-roles/AppCreationScripts/CreateUsersAndAssignRoles.ps1

@@ -8,11 +8,7 @@
         "Endpoint": "AAD v2.0",
         "Languages": ["JavaScript", "Node"],
         "Description": "React single-page application calling a protected web API using App Roles to implement Role-Based Access Control",
-        "products": ["React", "Express"]
-    },
-    "ReadmeScenario": {
-        "UseNewSetup": "1",
-        "CertificateOption": "0"
+        "products": ["React", "Express", "azure-active-directory", "msal-js", "passport-azure-ad"]
     },
     "AADApps": [
         {
@@ -45,15 +41,12 @@
                     "Description": "Users can read and modify their todo lists"
                 }
             ],
-            "OptionalClaims": {
-                "IdTokenClaims": ["sid", "login_hint", "email", "upn", "acct"]
-            },
             "ManualSteps": [
                 {
                     "Comment": "To receive the 'roles' claim with the name of the app roles this user is assigned to, make sure that the user accounts you plan to sign-in to this app is assigned to the app roles of this SPA app. The guide, https://aka.ms/userassignmentrequired provides step by step instructions."
                 },
                 {
-                    "Comment": "Or you can run the ..\\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign these users to the app roles of this app."
+                    "Comment": "Or you can run the .\\CreateUsersAndAssignRoles.ps1 command to automatically create a number of users, and assign these users to the app roles of this app."
                 }
             ]
         }