Merge pull request #16 from FriedrichWeinmann/development

1.3.12

Author: FriedrichWeinmann

.gitignore

@@ -1 +1,2 @@
-TestResults
+TestResults
+publish

MiniGraph/MiniGraph.psd1

@@ -4,7 +4,7 @@
 RootModule = 'MiniGraph.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.2.7'
+ModuleVersion = '1.3.12'
 
 # Supported PSEditions
 # CompatiblePSEditions = @()
@@ -63,13 +63,15 @@ Description = 'Minimal query infrastructure for interacting with MS Graph'
 # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
 FunctionsToExport = @(
 	'Connect-GraphAzure'
-    'Connect-GraphCertificate'
-    'Connect-GraphClientSecret'
-    'Connect-GraphCredential'
+	'Connect-GraphBrowser'
+	'Connect-GraphCertificate'
+	'Connect-GraphClientSecret'
+	'Connect-GraphCredential'
 	'Connect-GraphDeviceCode'
 	'Connect-GraphToken'
-    'Invoke-GraphRequest'
-    'Set-GraphEndpoint'
+	'Invoke-GraphRequest'
+	'Invoke-GraphRequestBatch'
+	'Set-GraphEndpoint'
 )
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.

MiniGraph/functions/Connect-GraphAzure.ps1

@@ -15,6 +15,10 @@
 		Whether to risk showing a dialog during authentication.
 		If set to never, it will fail if not possible to do silent authentication.
 		Defaults to: Auto
+
+	.PARAMETER NoReconnect
+		Disables automatic reconnection.
+		By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
 	
 	.EXAMPLE
 		PS C:\> Connect-GraphAzure
@@ -28,7 +32,10 @@
 
 		[ValidateSet('Auto', 'Always', 'Never')]
 		[string]
-		$ShowDialog = 'Auto'
+		$ShowDialog = 'Auto',
+
+		[switch]
+		$NoReconnect
 	)
 
 	try { $azContext = Get-AzContext -ErrorAction Stop }
@@ -49,4 +56,6 @@
 	catch { $PSCmdlet.ThrowTerminatingError($_) }
 
 	$script:token = $result.AccessToken
+
+	Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect
 }

MiniGraph/functions/Connect-GraphBrowser.ps1

@@ -0,0 +1,173 @@
+function Connect-GraphBrowser {
+	<#
+	.SYNOPSIS
+		Interactive logon using the Authorization flow and browser. Supports SSO.
+	
+	.DESCRIPTION
+		Interactive logon using the Authorization flow and browser. Supports SSO.
+
+		This flow requires an App Registration configured for the platform "Mobile and desktop applications".
+		Its redirect Uri must be "http://localhost"
+
+		On successful authentication
+	
+	.PARAMETER ClientID
+		The ID of the registered app used with this authentication request.
+	
+	.PARAMETER TenantID
+		The ID of the tenant connected to with this authentication request.
+	
+	.PARAMETER SelectAccount
+		Forces account selection on logon.
+		As this flow supports single-sign-on, it will otherwise not prompt for anything if already signed in.
+		This could be a problem if you want to connect using another (e.g. an admin) account.
+	
+	.PARAMETER Scopes
+        Generally doesn't need to be changed from the default 'https://graph.microsoft.com/.default'
+
+	.PARAMETER LocalPort
+		The local port that should be redirected to.
+		In order to process the authentication response, we need to listen to a local web request on some port.
+		Usually needs not be redirected.
+		Defaults to: 8080
+
+	.PARAMETER Resource
+		The resource the token grants access to.
+		Generally doesn't need to be changed from the default 'https://graph.microsoft.com/'
+		Only needed when connecting to another service.
+
+	.PARAMETER Browser
+		The path to the browser to use for the authentication flow.
+		Provide the full path to the executable.
+		The browser must accept the url to open as its only parameter.
+		Defaults to Edge.
+	
+	.PARAMETER NoReconnect
+		Disables automatic reconnection.
+		By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
+	
+	.EXAMPLE
+		PS C:\> Connect-GraphBrowser -ClientID '<ClientID>' -TenantID '<TenantID>'
+	
+		Connects to the specified tenant using the specified client, prompting the user to authorize via Browser.
+	#>
+	[CmdletBinding()]
+	param (
+		[Parameter(Mandatory = $true)]
+		[string]
+		$TenantID,
+
+		[Parameter(Mandatory = $true)]
+		[string]
+		$ClientID,
+
+		[switch]
+		$SelectAccount,
+
+		[string[]]
+		$Scopes = 'https://graph.microsoft.com/.default',
+
+		[int]
+		$LocalPort = 8080,
+
+		[Uri]
+		$Resource = 'https://graph.microsoft.com/',
+
+		[string]
+		$Browser = $script:browserPath,
+
+		[switch]
+		$NoReconnect
+	)
+	process {
+		Add-Type -AssemblyName System.Web
+
+		$redirectUri = "http://localhost:$LocalPort"
+		$actualScopes = foreach ($scope in $Scopes) {
+			if ($scope -like 'https://*/*') { $scope }
+			else { "{0}://{1}/{2}" -f $Resource.Scheme, $Resource.Host, $scope }
+		}
+
+		if (-not $NoReconnect) {
+			$actualScopes = @($actualScopes) + 'offline_access'
+		}
+
+		$uri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/authorize?"
+		$state = Get-Random
+		$parameters = @{
+			client_id     = $ClientID
+			response_type = 'code'
+			redirect_uri  = $redirectUri
+			response_mode = 'query'
+			scope         = $Scopes -join ' '
+			state         = $state
+		}
+		if ($SelectAccount) {
+			$parameters.prompt = 'select_account'
+		}
+
+		$paramStrings = foreach ($pair in $parameters.GetEnumerator()) {
+			$pair.Key, ([System.Web.HttpUtility]::UrlEncode($pair.Value)) -join '='
+		}
+		$uriFinal = $uri + ($paramStrings -join '&')
+		Write-Verbose "Authorize Uri: $uriFinal"
+
+		$redirectTo = 'https://raw.githubusercontent.com/FriedrichWeinmann/MiniGraph/master/nothing-to-see-here.txt'
+		if ((Get-Random -Minimum 10 -Maximum 99) -eq 66) {
+			$redirectTo = 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'
+		}
+		
+		# Start local server to catch the redirect
+		$http = [System.Net.HttpListener]::new()
+		$http.Prefixes.Add("$redirectUri/")
+		try { $http.Start() }
+		catch { Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Failed to create local http listener on port $LocalPort. Use -LocalPort to select a different port. $_" -Category OpenError }
+
+		# Execute in default browser
+		& $Browser $uriFinal
+
+		# Get Result
+		$task = $http.GetContextAsync()
+		$authorizationCode, $stateReturn, $sessionState = $null
+		try {
+			while (-not $task.IsCompleted) {
+				Start-Sleep -Milliseconds 200
+			}
+			$context = $task.Result
+			$context.Response.Redirect($redirectTo)
+			$context.Response.Close()
+			$authorizationCode, $stateReturn, $sessionState = $context.Request.Url.Query -split "&"
+		}
+		finally {
+			$http.Stop()
+			$http.Dispose()
+		}
+
+		if (-not $stateReturn) {
+			Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Authentication failed (see browser for details)" -Category AuthenticationError
+		}
+
+		if ($state -ne $stateReturn.Split("=")[1]) {
+			Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "Received invalid authentication result. Likely returned from another flow redirecting to the same local port!" -Category InvalidOperation
+		}
+
+		$actualAuthorizationCode = $authorizationCode.Split("=")[1]
+
+		$body = @{
+			client_id    = $ClientID
+			scope        = $actualScopes -join " "
+			code         = $actualAuthorizationCode
+			redirect_uri = $redirectUri
+			grant_type   = 'authorization_code'
+		}
+		$uri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token"
+		try { $authResponse = Invoke-RestMethod -Method Post -Uri $uri -Body $body -ErrorAction Stop }
+		catch {
+			if ($_ -notmatch '"error":\s*"invalid_client"') { Invoke-TerminatingException -Cmdlet $PSCmdlet -ErrorRecord $_ }
+			Invoke-TerminatingException -Cmdlet $PSCmdlet -Message "The App Registration $ClientID has not been configured correctly. Ensure you have a 'Mobile and desktop applications' platform with redirect to 'http://localhost' configured (and not a 'Web' Platform). $_" -Category $_.CategoryInfo.Category
+		}
+		$script:token = $authResponse.access_token
+
+		Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect -RefreshToken $authResponse.refresh_token
+	}
+}

MiniGraph/functions/Connect-GraphCertificate.ps1

@@ -15,6 +15,15 @@
     .PARAMETER ClientID
         The ClientID / ApplicationID of the application to connect as.
 
+	.PARAMETER Scopes
+		The scopes to request when connecting.
+		IN Application flows, this only determines the service for which to retrieve the scopes already configured on the App Registration.
+		Defaults to graph API.
+
+	.PARAMETER NoReconnect
+		Disables automatic reconnection.
+		By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
+
     .EXAMPLE
         PS C:\> $cert = Get-Item -Path 'Cert:\CurrentUser\My\082D5CB4BA31EED7E2E522B39992E34871C92BF5'
         PS C:\> Connect-GraphCertificate -TenantID '0639f07d-76e1-49cb-82ac-abcdefabcdefa' -ClientID '0639f07d-76e1-49cb-82ac-1234567890123' -Certificate $cert
@@ -40,7 +49,13 @@
 
 		[Parameter(Mandatory = $true)]
 		[string]
-		$ClientID
+		$ClientID,
+
+		[string[]]
+		$Scopes = 'https://graph.microsoft.com/.default',
+
+		[switch]
+		$NoReconnect
 	)
 
 	$jwtHeader = @{
@@ -66,7 +81,7 @@
 		client_id             = $ClientID
 		client_assertion      = $jwt
 		client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
-		scope                 = 'https://graph.microsoft.com/.default'
+		scope                 = $Scopes -join ' '
 		grant_type            = 'client_credentials'
 	}
 	$header = @{
@@ -75,4 +90,6 @@
 	$uri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token"
 	try { $script:token = (Invoke-RestMethod -Uri $uri -Method Post -Body $body -Headers $header -ContentType 'application/x-www-form-urlencoded' -ErrorAction Stop).access_token }
     catch { $PSCmdlet.ThrowTerminatingError($_) }
+
+	Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect
 }

MiniGraph/functions/Connect-GraphClientSecret.ps1

@@ -22,6 +22,10 @@
 			The resource the token grants access to.
 			Generally doesn't need to be changed from the default 'https://graph.microsoft.com/'
 			Only needed when connecting to another service.
+
+		.PARAMETER NoReconnect
+			Disables automatic reconnection.
+			By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
             
 		.EXAMPLE
 			PS C:\> Connect-GraphClientSecret -ClientID '<ClientID>' -TenantID '<TenantID>' -ClientSecret $secret
@@ -46,7 +50,10 @@
 		$Scopes = 'https://graph.microsoft.com/.default',
 
 		[string]
-		$Resource = 'https://graph.microsoft.com/'
+		$Resource = 'https://graph.microsoft.com/',
+
+		[switch]
+		$NoReconnect
 	)
 
 	process {
@@ -60,5 +67,7 @@
 		try { $authResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body -ErrorAction Stop }
 		catch { $PSCmdlet.ThrowTerminatingError($_) }
 		$script:token = $authResponse.access_token
+
+		Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect
 	}
 }

MiniGraph/functions/Connect-GraphCredential.ps1

@@ -20,6 +20,10 @@
     
     .PARAMETER Scopes
         The permission scopes to request.
+
+	.PARAMETER NoReconnect
+		Disables automatic reconnection.
+		By default, MiniGraph will automatically try to reaquire a new token before the old one expires.
     
     .EXAMPLE
         PS C:\> Connect-GraphCredential -Credential [email protected] -ClientID $client -TenantID $tenant -Scopes 'user.read','user.readbasic.all'
@@ -41,7 +45,10 @@
 		$TenantID,
 
 		[string[]]
-		$Scopes = 'user.read'
+		$Scopes = 'user.read',
+
+		[switch]
+		$NoReconnect
 	)
 
 	$request = @{
@@ -55,4 +62,6 @@
 	try { $answer = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" -Body $request -ErrorAction Stop }
 	catch { $PSCmdlet.ThrowTerminatingError($_) }
 	$script:token = $answer.access_token
+
+	Set-ReconnectInfo -BoundParameters $PSBoundParameters -NoReconnect:$NoReconnect
 }