@pnp/cli-microsoft365 8.1.0-beta.bf59841 → 9.0.0-beta.1516729

package/dist/m365/entra/commands/app/app-add.js

@@ -9,10 +9,10 @@ import { v4 } from 'uuid';
 import auth from '../../../../Auth.js';
 import request from '../../../../request.js';
 import { accessToken } from '../../../../utils/accessToken.js';
-import { odata } from '../../../../utils/odata.js';
+import { entraApp } from '../../../../utils/entraApp.js';
 import GraphCommand from '../../../base/GraphCommand.js';
-import commands from '../../commands.js';
 import aadCommands from '../../aadCommands.js';
+import commands from '../../commands.js';
 class EntraAppAddCommand extends GraphCommand {
     get name() {
         return commands.APP_ADD;
@@ -27,7 +27,6 @@ class EntraAppAddCommand extends GraphCommand {
         super();
         _EntraAppAddCommand_instances.add(this);
         this.appName = '';
-        this.appPermissions = [];
         __classPrivateFieldGet(this, _EntraAppAddCommand_instances, "m", _EntraAppAddCommand_initTelemetry).call(this);
         __classPrivateFieldGet(this, _EntraAppAddCommand_instances, "m", _EntraAppAddCommand_initOptions).call(this);
         __classPrivateFieldGet(this, _EntraAppAddCommand_instances, "m", _EntraAppAddCommand_initValidators).call(this);
@@ -35,16 +34,38 @@ class EntraAppAddCommand extends GraphCommand {
     }
     async commandAction(logger, args) {
         await this.showDeprecationWarning(logger, aadCommands.APP_ADD, commands.APP_ADD);
+        if (!args.options.name && this.manifest) {
+            args.options.name = this.manifest.name;
+        }
+        this.appName = args.options.name;
         try {
-            const apis = await this.resolveApis(args, logger);
-            let appInfo = await this.createAppRegistration(args, apis, logger);
+            const apis = await entraApp.resolveApis({
+                options: args.options,
+                manifest: this.manifest,
+                logger,
+                verbose: this.verbose,
+                debug: this.debug
+            });
+            let appInfo = await entraApp.createAppRegistration({
+                options: args.options,
+                apis,
+                logger,
+                verbose: this.verbose,
+                debug: this.debug
+            });
             // based on the assumption that we're adding Microsoft Entra app to the current
             // directory. If we in the future extend the command with allowing
             // users to create Microsoft Entra app in a different directory, we'll need to
             // adjust this
             appInfo.tenantId = accessToken.getTenantIdFromAccessToken(auth.connection.accessTokens[auth.defaultResource].accessToken);
             appInfo = await this.updateAppFromManifest(args, appInfo);
-            appInfo = await this.grantAdminConsent(appInfo, args.options.grantAdminConsent, logger);
+            appInfo = await entraApp.grantAdminConsent({
+                appInfo,
+                appPermissions: entraApp.appPermissions,
+                adminConsent: args.options.grantAdminConsent,
+                logger,
+                debug: this.debug
+            });
             appInfo = await this.configureUri(args, appInfo, logger);
             appInfo = await this.configureSecret(args, appInfo, logger);
             const _appInfo = await this.saveAppInfo(args, appInfo, logger);
@@ -62,128 +83,45 @@ class EntraAppAddCommand extends GraphCommand {
             this.handleRejectedODataJsonPromise(err);
         }
     }
-    async createAppRegistration(args, apis, logger) {
-        const applicationInfo = {
-            displayName: args.options.name,
-            signInAudience: args.options.multitenant ? 'AzureADMultipleOrgs' : 'AzureADMyOrg'
-        };
-        if (!applicationInfo.displayName && this.manifest) {
-            applicationInfo.displayName = this.manifest.name;
-        }
-        this.appName = applicationInfo.displayName;
-        if (apis.length > 0) {
-            applicationInfo.requiredResourceAccess = apis;
-        }
-        if (args.options.redirectUris) {
-            applicationInfo[args.options.platform] = {
-                redirectUris: args.options.redirectUris.split(',').map(u => u.trim())
-            };
-        }
-        if (args.options.implicitFlow) {
-            if (!applicationInfo.web) {
-                applicationInfo.web = {};
-            }
-            applicationInfo.web.implicitGrantSettings = {
-                enableAccessTokenIssuance: true,
-                enableIdTokenIssuance: true
-            };
-        }
-        if (args.options.certificateFile || args.options.certificateBase64Encoded) {
-            const certificateBase64Encoded = await this.getCertificateBase64Encoded(args, logger);
-            const newKeyCredential = {
-                type: "AsymmetricX509Cert",
-                usage: "Verify",
-                displayName: args.options.certificateDisplayName,
-                key: certificateBase64Encoded
-            };
-            applicationInfo.keyCredentials = [newKeyCredential];
-        }
-        if (args.options.allowPublicClientFlows) {
-            applicationInfo.isFallbackPublicClient = true;
+    async configureSecret(args, appInfo, logger) {
+        if (!args.options.withSecret || (appInfo.secrets && appInfo.secrets.length > 0)) {
+            return appInfo;
         }
         if (this.verbose) {
-            await logger.logToStderr(`Creating Microsoft Entra app registration...`);
-        }
-        const createApplicationRequestOptions = {
-            url: `${this.resource}/v1.0/myorganization/applications`,
-            headers: {
-                accept: 'application/json;odata.metadata=none'
-            },
-            responseType: 'json',
-            data: applicationInfo
-        };
-        return request.post(createApplicationRequestOptions);
-    }
-    async grantAdminConsent(appInfo, adminConsent, logger) {
-        if (!adminConsent || this.appPermissions.length === 0) {
-            return appInfo;
+            await logger.logToStderr(`Configure Microsoft Entra app secret...`);
         }
-        const sp = await this.createServicePrincipal(appInfo.appId);
-        if (this.debug) {
-            await logger.logToStderr("Service principal created, returned object id: " + sp.id);
+        const secret = await this.createSecret({ appObjectId: appInfo.id });
+        if (!appInfo.secrets) {
+            appInfo.secrets = [];
         }
-        const tasks = [];
-        this.appPermissions.forEach(async (permission) => {
-            if (permission.scope.length > 0) {
-                tasks.push(this.grantOAuth2Permission(sp.id, permission.resourceId, permission.scope.join(' ')));
-                if (this.debug) {
-                    await logger.logToStderr(`Admin consent granted for following resource ${permission.resourceId}, with delegated permissions: ${permission.scope.join(',')}`);
-                }
-            }
-            permission.resourceAccess.filter(access => access.type === "Role").forEach(async (access) => {
-                tasks.push(this.addRoleToServicePrincipal(sp.id, permission.resourceId, access.id));
-                if (this.debug) {
-                    await logger.logToStderr(`Admin consent granted for following resource ${permission.resourceId}, with application permission: ${access.id}`);
-                }
-            });
-        });
-        await Promise.all(tasks);
+        appInfo.secrets.push(secret);
         return appInfo;
     }
-    async addRoleToServicePrincipal(objectId, resourceId, appRoleId) {
+    async createSecret({ appObjectId, displayName = undefined, expirationDate = undefined }) {
+        let secretExpirationDate = expirationDate;
+        if (!secretExpirationDate) {
+            secretExpirationDate = new Date();
+            secretExpirationDate.setFullYear(secretExpirationDate.getFullYear() + 1);
+        }
+        const secretName = displayName ?? 'Default';
         const requestOptions = {
-            url: `${this.resource}/v1.0/myorganization/servicePrincipals/${objectId}/appRoleAssignments`,
-            headers: {
-                'Content-Type': 'application/json'
-            },
-            responseType: 'json',
-            data: {
-                appRoleId: appRoleId,
-                principalId: objectId,
-                resourceId: resourceId
-            }
-        };
-        return request.post(requestOptions);
-    }
-    async grantOAuth2Permission(appId, resourceId, scopeName) {
-        const grantAdminConsentApplicationRequestOptions = {
-            url: `${this.resource}/v1.0/myorganization/oauth2PermissionGrants`,
+            url: `${this.resource}/v1.0/myorganization/applications/${appObjectId}/addPassword`,
             headers: {
-                accept: 'application/json;odata.metadata=none'
+                'content-type': 'application/json'
             },
             responseType: 'json',
             data: {
-                clientId: appId,
-                consentType: "AllPrincipals",
-                principalId: null,
-                resourceId: resourceId,
-                scope: scopeName
+                passwordCredential: {
+                    displayName: secretName,
+                    endDateTime: secretExpirationDate.toISOString()
+                }
             }
         };
-        return request.post(grantAdminConsentApplicationRequestOptions);
-    }
-    async createServicePrincipal(appId) {
-        const requestOptions = {
-            url: `${this.resource}/v1.0/myorganization/servicePrincipals`,
-            headers: {
-                'content-type': 'application/json'
-            },
-            data: {
-                appId: appId
-            },
-            responseType: 'json'
+        const response = await request.post(requestOptions);
+        return {
+            displayName: secretName,
+            value: response.secretText
         };
-        return request.post(requestOptions);
     }
     async updateAppFromManifest(args, appInfo) {
         if (!args.options.manifest) {
@@ -423,180 +361,6 @@ class EntraAppAddCommand extends GraphCommand {
         await request.patch(requestOptions);
         return appInfo;
     }
-    async resolveApis(args, logger) {
-        if (!args.options.apisDelegated && !args.options.apisApplication
-            && (typeof this.manifest?.requiredResourceAccess === 'undefined' || this.manifest.requiredResourceAccess.length === 0)) {
-            return [];
-        }
-        if (this.verbose) {
-            await logger.logToStderr('Resolving requested APIs...');
-        }
-        const servicePrincipals = await odata.getAllItems(`${this.resource}/v1.0/myorganization/servicePrincipals?$select=appId,appRoles,id,oauth2PermissionScopes,servicePrincipalNames`);
-        let resolvedApis = [];
-        try {
-            if (args.options.apisDelegated || args.options.apisApplication) {
-                resolvedApis = await this.getRequiredResourceAccessForApis(servicePrincipals, args.options.apisDelegated, 'Scope', logger);
-                if (this.verbose) {
-                    await logger.logToStderr(`Resolved delegated permissions: ${JSON.stringify(resolvedApis, null, 2)}`);
-                }
-                const resolvedApplicationApis = await this.getRequiredResourceAccessForApis(servicePrincipals, args.options.apisApplication, 'Role', logger);
-                if (this.verbose) {
-                    await logger.logToStderr(`Resolved application permissions: ${JSON.stringify(resolvedApplicationApis, null, 2)}`);
-                }
-                // merge resolved application APIs onto resolved delegated APIs
-                resolvedApplicationApis.forEach(resolvedRequiredResource => {
-                    const requiredResource = resolvedApis.find(api => api.resourceAppId === resolvedRequiredResource.resourceAppId);
-                    if (requiredResource) {
-                        requiredResource.resourceAccess.push(...resolvedRequiredResource.resourceAccess);
-                    }
-                    else {
-                        resolvedApis.push(resolvedRequiredResource);
-                    }
-                });
-            }
-            else {
-                const manifestApis = this.manifest.requiredResourceAccess;
-                manifestApis.forEach(manifestApi => {
-                    resolvedApis.push(manifestApi);
-                    const app = servicePrincipals.find(servicePrincipals => servicePrincipals.appId === manifestApi.resourceAppId);
-                    if (app) {
-                        manifestApi.resourceAccess.forEach((res => {
-                            const resourceAccessPermission = {
-                                id: res.id,
-                                type: res.type
-                            };
-                            const oAuthValue = app.oauth2PermissionScopes.find(scp => scp.id === res.id)?.value;
-                            this.updateAppPermissions(app.id, resourceAccessPermission, oAuthValue);
-                        }));
-                    }
-                });
-            }
-            if (this.verbose) {
-                await logger.logToStderr(`Merged delegated and application permissions: ${JSON.stringify(resolvedApis, null, 2)}`);
-                await logger.logToStderr(`App role assignments: ${JSON.stringify(this.appPermissions.flatMap(permission => permission.resourceAccess.filter(access => access.type === "Role")), null, 2)}`);
-                await logger.logToStderr(`OAuth2 permissions: ${JSON.stringify(this.appPermissions.flatMap(permission => permission.scope), null, 2)}`);
-            }
-            return resolvedApis;
-        }
-        catch (e) {
-            throw e;
-        }
-    }
-    async getRequiredResourceAccessForApis(servicePrincipals, apis, scopeType, logger) {
-        if (!apis) {
-            return [];
-        }
-        const resolvedApis = [];
-        const requestedApis = apis.split(',').map(a => a.trim());
-        for (const api of requestedApis) {
-            const pos = api.lastIndexOf('/');
-            const permissionName = api.substr(pos + 1);
-            const servicePrincipalName = api.substr(0, pos);
-            if (this.debug) {
-                await logger.logToStderr(`Resolving ${api}...`);
-                await logger.logToStderr(`Permission name: ${permissionName}`);
-                await logger.logToStderr(`Service principal name: ${servicePrincipalName}`);
-            }
-            const servicePrincipal = servicePrincipals.find(sp => (sp.servicePrincipalNames.indexOf(servicePrincipalName) > -1 ||
-                sp.servicePrincipalNames.indexOf(`${servicePrincipalName}/`) > -1));
-            if (!servicePrincipal) {
-                throw `Service principal ${servicePrincipalName} not found`;
-            }
-            const scopesOfType = scopeType === 'Scope' ? servicePrincipal.oauth2PermissionScopes : servicePrincipal.appRoles;
-            const permission = scopesOfType.find(scope => scope.value === permissionName);
-            if (!permission) {
-                throw `Permission ${permissionName} for service principal ${servicePrincipalName} not found`;
-            }
-            let resolvedApi = resolvedApis.find(a => a.resourceAppId === servicePrincipal.appId);
-            if (!resolvedApi) {
-                resolvedApi = {
-                    resourceAppId: servicePrincipal.appId,
-                    resourceAccess: []
-                };
-                resolvedApis.push(resolvedApi);
-            }
-            const resourceAccessPermission = {
-                id: permission.id,
-                type: scopeType
-            };
-            resolvedApi.resourceAccess.push(resourceAccessPermission);
-            this.updateAppPermissions(servicePrincipal.id, resourceAccessPermission, permission.value);
-        }
-        return resolvedApis;
-    }
-    updateAppPermissions(spId, resourceAccessPermission, oAuth2PermissionValue) {
-        // During API resolution, we store globally both app role assignments and oauth2permissions
-        // So that we'll be able to parse them during the admin consent process
-        let existingPermission = this.appPermissions.find(oauth => oauth.resourceId === spId);
-        if (!existingPermission) {
-            existingPermission = {
-                resourceId: spId,
-                resourceAccess: [],
-                scope: []
-            };
-            this.appPermissions.push(existingPermission);
-        }
-        if (resourceAccessPermission.type === 'Scope' && oAuth2PermissionValue && !existingPermission.scope.find(scp => scp === oAuth2PermissionValue)) {
-            existingPermission.scope.push(oAuth2PermissionValue);
-        }
-        if (!existingPermission.resourceAccess.find(res => res.id === resourceAccessPermission.id)) {
-            existingPermission.resourceAccess.push(resourceAccessPermission);
-        }
-    }
-    async configureSecret(args, appInfo, logger) {
-        if (!args.options.withSecret || (appInfo.secrets && appInfo.secrets.length > 0)) {
-            return appInfo;
-        }
-        if (this.verbose) {
-            await logger.logToStderr(`Configure Microsoft Entra app secret...`);
-        }
-        const secret = await this.createSecret({ appObjectId: appInfo.id });
-        if (!appInfo.secrets) {
-            appInfo.secrets = [];
-        }
-        appInfo.secrets.push(secret);
-        return appInfo;
-    }
-    async createSecret({ appObjectId, displayName = undefined, expirationDate = undefined }) {
-        let secretExpirationDate = expirationDate;
-        if (!secretExpirationDate) {
-            secretExpirationDate = new Date();
-            secretExpirationDate.setFullYear(secretExpirationDate.getFullYear() + 1);
-        }
-        const secretName = displayName ?? 'Default';
-        const requestOptions = {
-            url: `${this.resource}/v1.0/myorganization/applications/${appObjectId}/addPassword`,
-            headers: {
-                'content-type': 'application/json'
-            },
-            responseType: 'json',
-            data: {
-                passwordCredential: {
-                    displayName: secretName,
-                    endDateTime: secretExpirationDate.toISOString()
-                }
-            }
-        };
-        const response = await request.post(requestOptions);
-        return {
-            displayName: secretName,
-            value: response.secretText
-        };
-    }
-    async getCertificateBase64Encoded(args, logger) {
-        if (args.options.certificateBase64Encoded) {
-            return args.options.certificateBase64Encoded;
-        }
-        if (this.debug) {
-            await logger.logToStderr(`Reading existing ${args.options.certificateFile}...`);
-        }
-        try {
-            return fs.readFileSync(args.options.certificateFile, { encoding: 'base64' });
-        }
-        catch (e) {
-            throw new Error(`Error reading certificate file: ${e}. Please add the certificate using base64 option '--certificateBase64Encoded'.`);
-        }
-    }
     async saveAppInfo(args, appInfo, logger) {
         if (!args.options.save) {
             return appInfo;

package/dist/m365/entra/commands/enterpriseapp/enterpriseapp-remove.js

@@ -0,0 +1,123 @@
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _EntraEnterpriseAppRemoveCommand_instances, _EntraEnterpriseAppRemoveCommand_initTelemetry, _EntraEnterpriseAppRemoveCommand_initOptions, _EntraEnterpriseAppRemoveCommand_initValidators, _EntraEnterpriseAppRemoveCommand_initOptionSets, _EntraEnterpriseAppRemoveCommand_initTypes;
+import { cli } from '../../../../cli/cli.js';
+import request from '../../../../request.js';
+import { odata } from '../../../../utils/odata.js';
+import { formatting } from '../../../../utils/formatting.js';
+import { validation } from '../../../../utils/validation.js';
+import GraphCommand from '../../../base/GraphCommand.js';
+import commands from '../../commands.js';
+class EntraEnterpriseAppRemoveCommand extends GraphCommand {
+    get name() {
+        return commands.ENTERPRISEAPP_REMOVE;
+    }
+    get description() {
+        return 'Deletes an enterprise application (or service principal)';
+    }
+    alias() {
+        return [commands.SP_REMOVE];
+    }
+    constructor() {
+        super();
+        _EntraEnterpriseAppRemoveCommand_instances.add(this);
+        __classPrivateFieldGet(this, _EntraEnterpriseAppRemoveCommand_instances, "m", _EntraEnterpriseAppRemoveCommand_initTelemetry).call(this);
+        __classPrivateFieldGet(this, _EntraEnterpriseAppRemoveCommand_instances, "m", _EntraEnterpriseAppRemoveCommand_initOptions).call(this);
+        __classPrivateFieldGet(this, _EntraEnterpriseAppRemoveCommand_instances, "m", _EntraEnterpriseAppRemoveCommand_initValidators).call(this);
+        __classPrivateFieldGet(this, _EntraEnterpriseAppRemoveCommand_instances, "m", _EntraEnterpriseAppRemoveCommand_initOptionSets).call(this);
+        __classPrivateFieldGet(this, _EntraEnterpriseAppRemoveCommand_instances, "m", _EntraEnterpriseAppRemoveCommand_initTypes).call(this);
+    }
+    async commandAction(logger, args) {
+        const removeEnterpriseApplication = async () => {
+            if (this.verbose) {
+                await logger.logToStderr(`Removing enterprise application ${args.options.id || args.options.displayName || args.options.objectId}...`);
+            }
+            try {
+                let url = `${this.resource}/v1.0`;
+                if (args.options.id) {
+                    url += `/servicePrincipals(appId='${args.options.id}')`;
+                }
+                else {
+                    const id = await this.getSpId(args.options);
+                    url += `/servicePrincipals/${id}`;
+                }
+                const requestOptions = {
+                    url: url,
+                    headers: {
+                        accept: 'application/json;odata.metadata=none'
+                    },
+                    responseType: 'json'
+                };
+                await request.delete(requestOptions);
+            }
+            catch (err) {
+                this.handleRejectedODataJsonPromise(err);
+            }
+        };
+        if (args.options.force) {
+            await removeEnterpriseApplication();
+        }
+        else {
+            const result = await cli.promptForConfirmation({ message: `Are you sure you want to remove enterprise application '${args.options.id || args.options.displayName || args.options.objectId}'?` });
+            if (result) {
+                await removeEnterpriseApplication();
+            }
+        }
+    }
+    async getSpId(options) {
+        if (options.objectId) {
+            return options.objectId;
+        }
+        const spItemsResponse = await odata.getAllItems(`${this.resource}/v1.0/servicePrincipals?$filter=displayName eq '${formatting.encodeQueryParameter(options.displayName)}'&$select=id`);
+        if (spItemsResponse.length === 0) {
+            throw `The specified enterprise application does not exist.`;
+        }
+        if (spItemsResponse.length > 1) {
+            const resultAsKeyValuePair = formatting.convertArrayToHashTable('id', spItemsResponse);
+            const result = await cli.handleMultipleResultsFound(`Multiple enterprise applications with name '${options.displayName}' found.`, resultAsKeyValuePair);
+            return result.id;
+        }
+        const spItem = spItemsResponse[0];
+        return spItem.id;
+    }
+}
+_EntraEnterpriseAppRemoveCommand_instances = new WeakSet(), _EntraEnterpriseAppRemoveCommand_initTelemetry = function _EntraEnterpriseAppRemoveCommand_initTelemetry() {
+    this.telemetry.push((args) => {
+        Object.assign(this.telemetryProperties, {
+            id: typeof args.options.id !== 'undefined',
+            displayName: typeof args.options.displayName !== 'undefined',
+            objectId: typeof args.options.objectId !== 'undefined',
+            force: !!args.options.force
+        });
+    });
+}, _EntraEnterpriseAppRemoveCommand_initOptions = function _EntraEnterpriseAppRemoveCommand_initOptions() {
+    this.options.unshift({
+        option: '-i, --id [id]'
+    }, {
+        option: '-n, --displayName [displayName]'
+    }, {
+        option: '--objectId [objectId]'
+    }, {
+        option: '-f, --force'
+    });
+}, _EntraEnterpriseAppRemoveCommand_initValidators = function _EntraEnterpriseAppRemoveCommand_initValidators() {
+    this.validators.push(async (args) => {
+        if (args.options.id && !validation.isValidGuid(args.options.id)) {
+            return `The option 'id' with value '${args.options.id}' is not a valid GUID.`;
+        }
+        if (args.options.objectId && !validation.isValidGuid(args.options.objectId)) {
+            return `The option 'objectId' with value '${args.options.objectId}' is not a valid GUID.`;
+        }
+        return true;
+    });
+}, _EntraEnterpriseAppRemoveCommand_initOptionSets = function _EntraEnterpriseAppRemoveCommand_initOptionSets() {
+    this.optionSets.push({ options: ['id', 'displayName', 'objectId'] });
+}, _EntraEnterpriseAppRemoveCommand_initTypes = function _EntraEnterpriseAppRemoveCommand_initTypes() {
+    this.types.string.push('id', 'displayName', 'objectId');
+    this.types.boolean.push('force');
+};
+export default new EntraEnterpriseAppRemoveCommand();
+//# sourceMappingURL=enterpriseapp-remove.js.map