AzSKStaging

3.9.5

Framework/Core/SVT/AzureDevOps/AzureDevOps.ServiceConnection.ps1

                                Set-StrictMode -Version Latest 

class ServiceConnection: SVTBase

{    

    [PSObject] $ServiceEndPointsObj = $null

    ServiceConnection([string] $subscriptionId, [SVTResource] $svtResource): Base($subscriptionId,$svtResource) 

    { 

        $apiURL = "https://dev.azure.com/{0}/{1}/_apis/serviceendpoint/endpoints?api-version=4.1-preview.1" -f $($this.SubscriptionContext.SubscriptionName),$($this.ResourceContext.ResourceGroupName);

        $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL);

        $this.ServiceEndPointsObj = $responseObj

    }

    hidden [ControlResult] CheckServiceConnectionAccess([ControlResult] $controlResult)

    {

       $azureRMEndpoints = $this.ServiceEndPointsObj | Where-Object { $_.type -eq "azurerm" }

        if(($azureRMEndpoints | Measure-Object).Count -gt 0)

        {

            $subLevelSPNList = @()

            $azureRMEndpoints| ForEach-Object{

                $Endpoint = $_

                if([Helpers]::CheckMember($Endpoint, "data.scopeLevel") )

                {

                    if($Endpoint.data.scopeLevel -eq "Subscription")

                    {

                        $AuthType = ""

                        if([Helpers]::CheckMember($Endpoint,"authorization.parameters.authenticationType"))

                        {

                            $AuthType = $Endpoint.authorization.parameters.authenticationType

                        }

                        $subLevelSPNList  += @{EndPointName= $Endpoint.Name; Creator = $Endpoint.createdBy.displayName; AuthType=$AuthType }

                    }                 

                }

                else

                {

                  $subLevelSPNList += @{EndPointName= $Endpoint.Name; Creator = $Endpoint.createdBy.displayName}

                }

              }

            if($subLevelSPNList.Count -eq 0 )

            {

                $controlResult.AddMessage([VerificationResult]::Passed,

                                            "All service endpoints are configured with RG level scope");

            }

            else {

                $controlResult.AddMessage([VerificationResult]::Failed,

                                            "Define RG level scope for below service endpoints",$subLevelSPNList);

            }

        }

        else {

            $controlResult.AddMessage([VerificationResult]::Passed,

                                            "No AzureRM Service Endpoints found");

        }

        return $controlResult;

    }

    hidden [ControlResult] CheckClassConnections([ControlResult] $controlResult)

    {

       $classicEndpoints = $this.ServiceEndPointsObj | Where-Object { $_.type -eq "azure" }

        if(($classicEndpoints | Measure-Object).Count -gt 0)

        {

                $classicConnectionList = @()

                $classicConnectionList  += $classicEndpoints | Select-Object @{Name="EndPointName"; Expression = {$_.Name}},@{Name="Creator"; Expression = {$_.createdBy.displayName}}

                $controlResult.AddMessage([VerificationResult]::Failed,

                                            "Found below classic service endpoints",$classicConnectionList);

        }

        else {

            $controlResult.AddMessage([VerificationResult]::Passed,

                                            "No Classic Endpoints found");

        }

        return $controlResult;

    }

    hidden [ControlResult] CheckSPNAuthenticationCertificate([ControlResult] $controlResult)

    {

        $azureRMEndpoints = $this.ServiceEndPointsObj | Where-Object { $_.type -eq "azurerm" }

        if(($azureRMEndpoints | Measure-Object).Count -gt 0)

        {

            $keybasedSPNList = @()

            $azureRMEndpoints | ForEach-Object{

                $Endpoint = $_

                if([Helpers]::CheckMember($Endpoint, "authorization.parameters.authenticationType"))

                {

                    $keybasedSPNList += @{EndPointName= $Endpoint.Name; Creator = $Endpoint.createdBy.displayName; AuthType=$Endpoint.authorization.parameters.authenticationType }

                }

                else

                {

                $keybasedSPNList += @{EndPointName= $Endpoint.Name; Creator = $Endpoint.createdBy.displayName}

                }

            }

                if($keybasedSPNList.Count -eq 0 )

                {

                    $controlResult.AddMessage([VerificationResult]::Passed,

                                                "All Service Endpoints are Cert based authenticated");

                }

                else {

                    $controlResult.AddMessage([VerificationResult]::Failed,

                                                "Below endpoints are used with secret based auth",$keybasedSPNList);

                }

            }

            else {

                $controlResult.AddMessage([VerificationResult]::Passed,

                                                "No AzureRM Service Endpoints found");

            }

        return $controlResult;

    }

    hidden [ControlResult] CheckInactiveEndpoints([ControlResult] $controlResult)

    {

        $inactiveEnpoints = @()

        $this.ServiceEndPointsObj | ForEach-Object{

            $Endpoint = $_

            $apiURL = "https://dev.azure.com/organization/project/_apis/serviceendpoint/$($Endpoint.Id)/executionhistory/?api-version=4.1-preview.1" 

            $serverFileContent = [WebRequestHelper]::InvokeGetWebRequest($apiURL);

            if($serverFileContent.Count -gt 0)

            {

                if([DateTime]$serverFileContent[0].value[0].data.startTime -gt (Get-Date).AddDays(-180))

                {

                    $inactiveEnpoints += @{EndPointName= $Endpoint.Name; Creator = $Endpoint.createdBy.displayName; LastAccessDate=$serverFileContent[0].value[0].data.startTime }

                }                

            }

          }

        if($inactiveEnpoints.Count -eq 0 )

        {

            $controlResult.AddMessage([VerificationResult]::Passed,

                                        "All Service Endpoints are Cert based authenticated");

        }

        else {

            $controlResult.AddMessage([VerificationResult]::Failed,

                                        "Below endpoints are used with secret based auth",$inactiveEnpoints);

        }

        return $controlResult;

    }

}