SCEPman

1.7.0-beta

Private/appregistrations.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
                                function RegisterAzureADApp($name, $manifest, $replyUrls = $null, $homepage = $null, $EnableIdToken = $false) {

  $azureAdAppReg = ConvertLinesToObject -lines $(az ad app list --filter "displayname eq '$name'" --query "[0]" --only-show-errors)

  if($null -eq $azureAdAppReg) {

      #App Registration doesn't exist.

      $azAppRegistrationCommand = "az ad app create --display-name '$name' --app-roles '$manifest'"

      if ($null -ne $replyUrls) {

        if (AzUsesAADGraph) {

          $azAppRegistrationCommand += " --reply-urls '$replyUrls'"

        } else {

          $azAppRegistrationCommand += " --web-redirect-uris '$replyUrls'"

        }

      }

      if ($null -ne $homepage) {

        if (AzUsesAADGraph) {

          $azAppRegistrationCommand += " --homepage '$homepage'"

        } else {

          $azAppRegistrationCommand += " --web-home-page-url '$homepage'"

        }

      }

      if (-not (AzUsesAADGraph)) {

        $azAppRegistrationCommand += " --sign-in-audience AzureADMyOrg"

        if ($EnableIdToken) {

          $azAppRegistrationCommand += " --enable-id-token-issuance"

        }

      }

      $azureAdAppReg = ConvertLinesToObject -lines $(ExecuteAzCommandRobustly -azCommand $azAppRegistrationCommand)

      # REVISIT: Once there is a solution for https://github.com/Azure/azure-cli/issues/22810, we can upload the logo

#      $graphEndpointForAppLogo = "https://graph.microsoft.com/v1.0/applications/$($azureAdAppReg.id)/logo"

#      az rest --method put --url $graphEndpointForAppLogo --body '@testlogo.png' --headers Content-Type=image/png

  }

  return $azureAdAppReg

}

function CreateSCEPmanAppRegistration ($AzureADAppNameForSCEPman, $CertMasterServicePrincipalId) {

  Write-Information "Creating Azure AD app registration for SCEPman"

  # Register SCEPman App

  $appregsc = RegisterAzureADApp -name $AzureADAppNameForSCEPman -manifest $ScepmanManifest -hideApp $true

  $spsc = CreateServicePrincipal -appId $($appregsc.appId)

  if (AzUsesAADGraph) {

    $servicePrincipalScepmanId = $spsc.objectId

  } else { # Microsoft Graph

    $servicePrincipalScepmanId = $spsc.id

  }

  $ScepManSubmitCSRPermission = $appregsc.appRoles[0].id

  # Expose SCEPman API

  ExecuteAzCommandRobustly -azCommand "az ad app update --id $($appregsc.appId) --identifier-uris `"api://$($appregsc.appId)`""

  Write-Information "Allowing CertMaster to submit CSR requests to SCEPman API"

  $resourcePermissionsForCertMaster = @([pscustomobject]@{'resourceId'=$servicePrincipalScepmanId;'appRoleId'=$ScepManSubmitCSRPermission;})

  SetManagedIdentityPermissions -principalId $CertMasterServicePrincipalId -resourcePermissions $resourcePermissionsForCertMaster

  return $appregsc

}

function CreateCertMasterAppRegistration ($AzureADAppNameForCertMaster, $CertMasterBaseURL) {

  Write-Information "Creating Azure AD app registration for CertMaster"

  ### CertMaster App Registration

  # Register CertMaster App

  $appregcm = RegisterAzureADApp -name $AzureADAppNameForCertMaster -manifest $CertmasterManifest -replyUrls `"$CertMasterBaseURL/signin-oidc`" -hideApp $false -homepage $CertMasterBaseURL -EnableIdToken $true

  $null = CreateServicePrincipal -appId $($appregcm.appId)

  Write-Verbose "Adding Delegated permission to CertMaster App Registration"

  # Add Microsoft Graph's User.Read as delegated permission for CertMaster

  AddDelegatedPermissionToCertMasterApp -appId $appregcm.appId

  return $appregcm

}