update init and utils functions

silverhack · silverhack · commit a1475c73dc31 · 2026-02-26T20:26:05.000+01:00
diff --git a/core/utils/ConvertTo-Monkey365AccessToken.ps1 b/core/utils/ConvertTo-Monkey365AccessToken.ps1
@@ -0,0 +1,108 @@
+﻿# Monkey365 - the PowerShell Cloud Security Tool for Azure and Microsoft 365 (copyright 2022) by Juan Garrido
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+Function ConvertTo-Monkey365AccessToken{
+    <#
+        .SYNOPSIS
+        Utility to convert access tokens into a closed version of an AuthenticationTokenResult object
+
+        .DESCRIPTION
+        Utility to convert access tokens into a closed version of an AuthenticationTokenResult object
+
+        .INPUTS
+
+        .OUTPUTS
+
+        .EXAMPLE
+
+        .NOTES
+	        Author		: Juan Garrido
+            Twitter		: @tr1ana
+            File Name	: ConvertTo-Monkey365AccessToken
+            Version     : 1.0
+
+        .LINK
+            https://github.com/silverhack/monkey365
+    #>
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("InjectionRisk.Create", "", Scope="Function")]
+    [CmdletBinding()]
+    [OutputType([System.Management.Automation.PSCustomObject])]
+    Param (
+        [parameter(Mandatory=$True, ValueFromPipeline = $True, HelpMessage="Access Token")]
+        [String]$InputObject
+    )
+    Process{
+        Try{
+            #Set Null
+            $at_info = $authObject = $null
+            #Set authType
+            $authType = 'Unknown';
+            If($null -ne (Get-Command -Name "Read-JWTtoken" -ErrorAction ignore)){
+                Try{
+                    $at_info = Read-JWTtoken -token $InputObject | Select-Object appid,app_displayname,idtyp,scp,aud,exp,tid -ErrorAction Ignore
+                }
+                Catch{
+                    Write-Error $_
+                }
+            }
+            If($null -ne $at_info){
+                #Check if expired token
+                $expiry = [System.DateTimeOffset]::FromUnixTimeSeconds($at_info.exp).UtcDateTime
+                $now = [System.DateTime]::Now.ToUniversalTime();
+                If($expiry -ge $now){
+                    #Get idTyp
+                    If($null -ne $at_info.idtyp){
+                        If($at_info.idtyp.ToLower() -eq "user"){
+                            $authType = 'Interactive'
+                        }
+                        Else{
+                            $authType = 'Certificate_Credentials'
+                        }
+                    }
+                    #Set PsCustomObject
+                    $authObject = [PsCustomObject]@{
+                        AuthType = $authType;
+                        resource = $at_info.aud;
+                        clientId = $at_info.appid;
+                        renewable = $false;
+                        AccessToken = $InputObject;
+                        ExpiresOn = [System.DateTimeOffset]::FromUnixTimeSeconds($at_info.exp);
+                        TenantId = $at_info.tid;
+                        Scopes = [System.Collections.Generic.HashSet[System.String]]::new()
+                    }
+                    #Set Scopes
+                    #Add .default
+                    [void]$authObject.Scopes.Add(('{0}/.default' -f $authObject.resource));
+                    If($null -ne $at_info.scp -and $at_info.idtyp.ToLower() -eq "user"){
+                        ForEach($scope in @($at_info.scp).GetEnumerator()){
+                            [void]$authObject.Scopes.Add(('{0}/{1}' -f $authObject.resource,$scope));
+                        }
+                    }
+                    #Add IsNearExpiry script method
+                    $authObject | Add-Member -Type ScriptMethod -Name IsNearExpiry -Value {
+                        return ([System.Datetime]::UtcNow -gt $this.ExpiresOn.UtcDateTime.AddMinutes(-15))
+                    }
+                    #return object
+                    return $authObject;
+                }
+                Else{
+                    Write-Warning ("Expired token for {0}" -f $at_info.aud)
+                }
+            }
+        }
+        Catch{
+            Write-Error $_
+        }
+    }
+}
diff --git a/core/utils/Get-MonkeyPowerBIBackend.ps1 b/core/utils/Get-MonkeyPowerBIBackend.ps1
@@ -42,7 +42,7 @@ Function Get-MonkeyPowerBIBackend{
         $rawQuery = ('{0}/v1.0/myorg/admin/groups?$top=1' -f $O365Object.Environment.PowerBIAPI);
         #Get Auth header
         $AuthHeader = @{
-            Authorization = $O365Object.auth_tokens.PowerBI.CreateAuthorizationHeader();
+            Authorization = ("Bearer {0}" -f $O365Object.auth_tokens.PowerBI.AccessToken);
         }
     }
     Process{
diff --git a/core/utils/Import-ExternalAccessToken.ps1 b/core/utils/Import-ExternalAccessToken.ps1
@@ -0,0 +1,192 @@
+﻿# Monkey365 - the PowerShell Cloud Security Tool for Azure and Microsoft 365 (copyright 2022) by Juan Garrido
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+function Import-ExternalAccessToken {
+    <#
+        .SYNOPSIS
+        Utility to import external access tokens into internal Monkey365 auth object
+
+        .DESCRIPTION
+        Utility to import external access tokens into internal Monkey365 auth object
+
+        .INPUTS
+
+        .OUTPUTS
+
+        .EXAMPLE
+
+        .NOTES
+	        Author		: Juan Garrido
+            Twitter		: @tr1ana
+            File Name	: Import-ExternalAccessToken
+            Version     : 1.0
+
+        .LINK
+            https://github.com/silverhack/monkey365
+    #>
+    Param (
+        [parameter(Mandatory=$True, HelpMessage="Access Token")]
+        [Object]$InputObject
+    )
+    Begin{
+        #Set null
+        $initialDomain = $spoAdminUrl = $spoUrl = $null;
+        #Set Array
+        $allAuthObjects = [System.Collections.Generic.List[System.Management.Automation.PsObject]]::new()
+        ForEach($at in @($InputObject).Where({$null -ne $_})){
+            #Get Access Token
+            $accessToken = $at | ConvertTo-Monkey365AccessToken
+            If($null -ne $accessToken){
+                [void]$allAuthObjects.Add($accessToken);
+            }
+        }
+    }
+    Process{
+        Try{
+            If($allAuthObjects.Count -gt 0){
+                #Check if mixed tokens were passed
+                $nonMixedTokens = @($allAuthObjects | Select-Object -ExpandProperty TenantId -Unique).Count -eq 1
+                If($nonMixedTokens -and $nonMixedTokens -eq $O365Object.TenantId){
+                    #Get Tokens for SPO
+                    $spoAt = $allAuthObjects.Where({$_.resource -eq '00000003-0000-0ff1-ce00-000000000000'})
+                    If($spoAt.Count -gt 0){
+                        #Access Token for SharePoint Online detected
+                        #Get Token for MSGraph
+                        $msGraph = $allAuthObjects.Where({$_.resource -match "https://graph.microsoft.com?.$|.us?.$|microsoftgraph.chinacloudapi.cn?.$";}) | Select-Object -First 1 -ErrorAction Ignore
+                        If($null -ne $msGraph){
+                            #Get domains
+                            $domains = Get-MonkeyMSGraphObject -Authentication $msGraph -Environment $O365Object.Environment -ObjectType domains
+                            IF($null -ne $domains){
+                                $O365Object.Tenant.MyDomain = @($domains).Where({$_.isDefault}) | Select-Object -ExpandProperty id -ErrorAction Ignore
+                            }
+                            If($O365Object.initParams.ContainsKey('SpoSites') -and @($O365Object.initParams.SpoSites).Count -gt 0){
+                                [uri]$dnsName = $O365Object.initParams.SpoSites | Select-Object -First 1
+                                $initialDomain = ("{0}" -f $dnsName.DnsSafeHost)
+                            }
+                            Else{
+                                If($null -ne $domains){
+                                    $initialDomain = @($domains).Where({$_.supportedServices -like "*OfficeCommunicationsOnline*" -and $_.isDefault -eq $true}) | Select-Object -ExpandProperty id -ErrorAction Ignore
+                                }
+                            }
+                        }
+                        If($null -ne $initialDomain){
+                            $CloudType = $O365Object.cloudEnvironment;
+                            $sps_p = @{
+                                Endpoint = $initialDomain;
+                                Environment = $CloudType;
+                                InformationAction = $O365Object.InformationAction;
+                                Verbose = $O365Object.verbose;
+                                Debug = $O365Object.debug;
+                            }
+                            $spoAdminUrl = Get-SharepointAdminUrl @sps_p
+                            $spoUrl = Get-SharepointUrl @sps_p
+                        }
+                        If($null -ne $spoAdminUrl -and $null -ne $spoUrl){
+                            #Get Tokens for SPO Admin Url
+                            $spoAt = $allAuthObjects.Where({$_.resource -eq '00000003-0000-0ff1-ce00-000000000000'})
+                            ForEach($spoToken in $spoAt){
+                                #Test site connection
+                                $adminConnected = Test-SiteConnection -Authentication $spoToken -Site $spoAdminUrl
+                                If($adminConnected){
+                                    #Update token and break
+                                    $spoToken.resource = $spoAdminUrl;
+                                    break
+                                }
+                            }
+                            #Get Tokens for SPO
+                            $spoAt = $allAuthObjects.Where({$_.resource -eq '00000003-0000-0ff1-ce00-000000000000'})
+                            ForEach($spoToken in $spoAt){
+                                #Test site connection
+                                $connected = Test-SiteConnection -Authentication $spoToken -Site $spoUrl
+                                If($connected){
+                                    #Update token and break
+                                    $spoToken.resource = $spoUrl;
+                                    break
+                                }
+                            }
+                        }
+                        Else{
+                            $msg = @{
+                                MessageData = ($message.SPOTokenImportErrorMessage);
+                                callStack = (Get-PSCallStack | Select-Object -First 1);
+                                logLevel = 'warning';
+                                InformationAction = $O365Object.InformationAction;
+                                Tags = @('Monkey365ImportTokenInfo');
+                            }
+                            Write-Warning @msg
+                            #Clear tokens for SPO
+                            $allAuthObjects = $allAuthObjects.Where({$_.resource -ne '00000003-0000-0ff1-ce00-000000000000'})
+                        }
+                    }
+                }
+                Else{
+                    $msg = @{
+                        MessageData = ($message.MixedTokensErrorMessage);
+                        callStack = (Get-PSCallStack | Select-Object -First 1);
+                        logLevel = 'warning';
+                        InformationAction = $O365Object.InformationAction;
+                        Tags = @('Monkey365ImportTokenInfo');
+                    }
+                    Write-Warning @msg
+                    #Clear array
+                    $allAuthObjects.Clear()
+                }
+            }
+        }
+        Catch{
+            Write-Error $_
+        }
+    }
+    End{
+        If($allAuthObjects.Count -gt 0){
+            #Importing tokens
+            ForEach($accessToken in $allAuthObjects){
+                $tokenResource = Read-JWTtoken -token $accessToken.AccessToken | Select-Object -ExpandProperty aud -ErrorAction Ignore | Get-MSServiceFromAudience
+                If($null -ne $tokenResource){
+                    $msg = @{
+                        MessageData = ($message.ValidTokenInfoMessage -f $tokenResource);
+                        callStack = (Get-PSCallStack | Select-Object -First 1);
+                        logLevel = 'info';
+                        InformationAction = $O365Object.InformationAction;
+                        Tags = @('Monkey365ImportTokenInfo');
+                    }
+                    Write-Information @msg
+                    $msg = @{
+                        MessageData = ($message.ImportTokenInfoMessage);
+                        callStack = (Get-PSCallStack | Select-Object -First 1);
+                        logLevel = 'info';
+                        InformationAction = $O365Object.InformationAction;
+                        Tags = @('Monkey365ImportTokenInfo');
+                    }
+                    Write-Information @msg
+                    If($tokenResource.ToLower() -eq 'sharepoint'){
+                        If($accessToken.resource.ToLower() -match "admin"){
+                            $O365Object.auth_tokens.SharePointAdminOnline = $accessToken;
+                        }
+                        Else{
+                            $O365Object.auth_tokens.SharePointOnline = $accessToken;
+                        }
+                    }
+                    ElseIf($tokenResource.ToLower() -eq 'exchangeonline'){
+                        $O365Object.auth_tokens.ExchangeOnline = $accessToken;
+                        $O365Object.auth_tokens.ComplianceCenter = $accessToken;
+                    }
+                    Else{
+                        $O365Object.auth_tokens.Item($tokenResource) = $accessToken;
+                    }
+                }
+            }
+        }
+    }
+}
diff --git a/core/utils/localized.psd1 b/core/utils/localized.psd1
@@ -185,4 +185,9 @@ CompressingJob                   = Compressing Monkey data into {0}
 TokenAcquiredGenericMessage      = A new token was successfully acquired
 LocalCDNMessage                  = Local CDN set at {0}
 LocalCDNErrorMessage             = Unable to produce local html report. The error was {0}
+ValidTokenInfoMessage            = A valid access token was found for {0}
+ImportTokenInfoMessage           = Import token into Monkey365
+MixedTokensErrorMessage          = Unable to import access tokens. Missing TenantId parameter or mixed tokens detected
+SPOTokenImportErrorMessage       = Unable to import access token for SharePoint Online. Unable to get valid URL
+ConnectImportTokenErrorMessage   = Unable to execute Monkey365 using external access tokens
 '@;

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ Function Get-MonkeyPowerBIBackend{`
`42`	`42`	`$rawQuery = ('{0}/v1.0/myorg/admin/groups?$top=1' -f $O365Object.Environment.PowerBIAPI);`
`43`	`43`	`#Get Auth header`
`44`	`44`	`$AuthHeader = @{`
`45`		`- Authorization = $O365Object.auth_tokens.PowerBI.CreateAuthorizationHeader();`
	`45`	`+ Authorization = ("Bearer {0}" -f $O365Object.auth_tokens.PowerBI.AccessToken);`
`46`	`46`	`}`
`47`	`47`	`}`
`48`	`48`	`Process{`