public async Task <ActionResult> Upload(HttpPostedFileBase[] files, OverwriteBehaviour overwriteBehaviour, string clientId) { SignalRMessage signalRMessage = new SignalRMessage(clientId); try { GraphConditionalAccess graphConditionalAccess = new GraphConditionalAccess(clientId); IEnumerable <ConditionalAccessPolicy> conditionalAccessPolicies = await graphConditionalAccess.GetConditionalAccessPoliciesAsync(); List <string> uploadedConditionalAccessPolicies = new List <string>(); if (files.Length > 0 && files[0].FileName.Contains(".json")) { foreach (HttpPostedFileBase file in files) { BinaryReader binaryReader = new BinaryReader(file.InputStream); byte[] binData = binaryReader.ReadBytes(file.ContentLength); uploadedConditionalAccessPolicies.Add(Encoding.UTF8.GetString(binData)); } } else if (files.Length > 0 && files[0].FileName.Contains(".zip")) { try { MemoryStream target = new MemoryStream(); files[0].InputStream.CopyTo(target); byte[] data = target.ToArray(); using (var zippedStream = new MemoryStream(data)) { using (var archive = new ZipArchive(zippedStream)) { foreach (var entry in archive.Entries) { try { if (entry != null) { using (var unzippedEntryStream = entry.Open()) { using (var ms = new MemoryStream()) { unzippedEntryStream.CopyTo(ms); var unzippedArray = ms.ToArray(); uploadedConditionalAccessPolicies.Add(Encoding.UTF8.GetString(unzippedArray)); } } } } catch (Exception e) { signalRMessage.sendMessage("Error: " + e.Message); } } } } } catch (Exception e) { signalRMessage.sendMessage("Error: " + e.Message); } } foreach (string uploadedPolicy in uploadedConditionalAccessPolicies) { ConditionalAccessPolicy conditionalAccessPolicy = JsonConvert.DeserializeObject <ConditionalAccessPolicy>(uploadedPolicy); switch (overwriteBehaviour) { case OverwriteBehaviour.DISCARD: // Check for any policy with same name or id if (conditionalAccessPolicies.All(p => !p.id.Contains(conditionalAccessPolicy.id) && conditionalAccessPolicies.All(policy => !policy.displayName.Equals(conditionalAccessPolicy.displayName)))) { var response = await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy); } else { if (conditionalAccessPolicies.Any(p => p.id.Contains(conditionalAccessPolicy.id))) { signalRMessage.sendMessage($"Discarding Policy '{conditionalAccessPolicy.displayName}' ({conditionalAccessPolicy.id}) already exists!"); } else { signalRMessage.sendMessage($"Discarding Policy '{conditionalAccessPolicy.displayName}' - policy with this name already exists!"); } } break; case OverwriteBehaviour.IMPORT_AS_DUPLICATE: await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy); break; case OverwriteBehaviour.OVERWRITE_BY_ID: // match by object ID if (conditionalAccessPolicies.Any(policy => policy.id.Equals(conditionalAccessPolicy.id))) { await graphConditionalAccess.PatchConditionalAccessPolicyAsync(conditionalAccessPolicy); } // Create a new policy else { var result = await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy); } break; case OverwriteBehaviour.OVERWRITE_BY_NAME: if (conditionalAccessPolicies.Any(policy => policy.displayName.Equals(conditionalAccessPolicy.displayName))) { string replaceObjectId = conditionalAccessPolicies.Where(policy => policy.displayName.Equals(conditionalAccessPolicy.displayName)).Select(policy => policy.id).First(); conditionalAccessPolicy.id = replaceObjectId; await graphConditionalAccess.PatchConditionalAccessPolicyAsync(conditionalAccessPolicy); } else { var result = await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy); } break; } } } catch (Exception e) { signalRMessage.sendMessage("Error: " + e.Message); } signalRMessage.sendMessage("Done#!"); return(new HttpStatusCodeResult(204)); }
public async Task <ActionResult> DeployBaseline(string displayName, string selectedBaseline, string policyPrefix, string allowLegacyAuth, string clientId = null) { SignalRMessage signalR = new SignalRMessage(clientId); GraphConditionalAccess graphConditionalAccess = new GraphConditionalAccess(clientId); signalR.sendMessage("Selected baseline: " + selectedBaseline); try { // Create exclusion group (if the group already exists we retrieve the ID) Microsoft.Graph.Group createdGroup = await GraphHelper.CreateGroup(displayName, clientId); List <string> groupsCreated = new List <string> { createdGroup.Id }; // Load CA policies for policy set string[] filePaths = Directory.GetFiles(Server.MapPath(TEMPLATE_CA_POLICY_FOLDER_PATH + selectedBaseline), "*.json"); if (filePaths.Length == 0) { signalR.sendMessage($"Warning no Conditional Access Policies found within selected set ({selectedBaseline})!"); } // Modify exclusions & Display Name List <ConditionalAccessPolicy> conditionalAccessPolicies = new List <ConditionalAccessPolicy>(); foreach (string filePath in filePaths) { try { if (System.IO.File.Exists(filePath)) { using (var streamReader = new StreamReader(filePath, Encoding.UTF8)) { string textCaPolicy = streamReader.ReadToEnd(); // Modify properties on template ConditionalAccessPolicy conditionalAccessPolicy = JsonConvert.DeserializeObject <ConditionalAccessPolicy>(textCaPolicy); conditionalAccessPolicy.conditions.users.excludeGroups = groupsCreated.ToArray(); string placeholder = "<RING> -"; int startDisplayName = conditionalAccessPolicy.displayName.IndexOf(placeholder) + placeholder.Length; conditionalAccessPolicy.displayName = conditionalAccessPolicy.displayName.Substring(startDisplayName, conditionalAccessPolicy.displayName.Length - startDisplayName); conditionalAccessPolicy.displayName = conditionalAccessPolicy.displayName.Insert(0, policyPrefix).Replace("<PREFIX> -", "").Trim(); // Check for legacy auth exclusion group if (conditionalAccessPolicy.conditions.clientAppTypes.Contains("other") && conditionalAccessPolicy.grantControls.builtInControls.Contains("block")) { // Wee need to initialize a new list to avoid modifications to the existing! List <String> newGroupsCreated = new List <String>(groupsCreated); Microsoft.Graph.Group allowLegacyAuthGroup = await GraphHelper.CreateGroup(allowLegacyAuth, clientId); newGroupsCreated.Add(allowLegacyAuthGroup.Id); conditionalAccessPolicy.conditions.users.excludeGroups = newGroupsCreated.ToArray(); } // Create the policy await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy); } } } catch (Exception e) { signalR.sendMessage("Error: " + e.Message); } } } catch (Exception e) { signalR.sendMessage("Error: " + e.Message); } signalR.sendMessage("Done#!"); return(new HttpStatusCodeResult(204)); }