src/cmdlets/Get-GraphApplicationConsent.ps1

# Copyright 2019, Adam Edwards
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

. (import-script Invoke-GraphRequest)
. (import-script ../graphservice/ApplicationAPI)
. (import-script common/ConsentHelper)
. (import-script common/CommandContext)

function Get-GraphApplicationConsent {
    [cmdletbinding(positionalbinding=$false, defaultparametersetname='TenantOrSpecificPrincipal')]
    param(
        [parameter(position=0, valuefrompipelinebypropertyname = $true, mandatory=$true)]
        [Guid[]] $AppId,

        [parameter(parametersetname='entiretenant', mandatory=$true)]
        [parameter(parametersetname='TenantOrSpecificPrinicpal')]
        [switch] $Tenant,

        [switch] $RawContent,

        [parameter(parametersetname='specificprincipal', mandatory=$true)]
        [parameter(parametersetname='TenantOrSpecificPrinicpal')]
        $Principal
    )

    begin {}

    process {
        Enable-ScriptClassVerbosePreference

        $commandContext = new-so CommandContext $null $null $null $null $::.ApplicationAPI.DefaultApplicationApiVersion
        $appAPI = new-so ApplicationAPI $commandContext.connection $commandContext.version

        $app = try {
            $appAPI |=> GetApplicationByAppId $AppId
        } catch {
            throw [Exception]::new("Unable to find application with AppId '$AppId'", $_.exception)
        }

        $appSP = try {
            $appAPI |=> GetAppServicePrincipal $AppId
        } catch {
            throw [Exception]::new("Unable to find a service prinicpal for application with AppId '$AppId', the application may not yet have been accessed in this tenant", $_.exception)
        }

        if ( ! $appSP ) {
            write-verbose "Unable to find service principal for application '$AppId', assuming no consent exists"
        } else {

            $appSPId = $appSP.id

            $appFilter = "clientId eq '$appSPId'"
            $filterClauses = @($appFilter)

            $grantFilter = if ( $Tenant.IsPresent ) {
                "consentType eq 'AllPrincipals'"
            } elseif ( $Principal ) {
                "consentType eq 'Principal' and 'principalId' eq '$Principal'"
            }

            if ( $grantFilter ) {
                $filterClauses += $grantFilter
            }

            $filter = $filterClauses -join ' and '

            $filterArgument = @{ Filter = $filter }

            $RawContentArgument = @{ RawContent = $RawContent }

            $response = Invoke-GraphRequest /oauth2PermissionGrants -method GET -Filter $filter -version $::.ApplicationAPI.DefaultApplicationApiVersion @RawContentArgument

            if ( $response ) {
                if ( ! $RawContent.IsPresent ) {
                    if ( $response | gm id -erroraction ignore ) {
                        $response | foreach {
                            $::.ConsentHelper |=> ToDisplayableObject $_
                        }
                    }
                } else {
                    $response
                }
            }

            $roleResponse = Invoke-GraphRequest /servicePrincipals/$appSPId/appRoleAssignedTo -method GET -version $::.ApplicationAPI.DefaultApplicationApiVersion @RawContentArgument

            if ( $roleResponse ) {
                if ( ! $RawContent.IsPresent ) {
                    if ( $roleResponse | gm id -erroraction ignore ) {
                        $roleResponse | foreach {
                            $::.ConsentHelper |=> ToDisplayableObject $_
                        }
                    }
                } else {
                    $roleResponse
                }
            }
        }
    }

    end {}
}