#region Initialize default properties
# The platform hands every input in as a JSON string; deserialize each one
# into an object before the rest of the script touches it.
$config = $configuration | ConvertFrom-Json
$p      = $person | ConvertFrom-Json
$pp     = $previousPerson | ConvertFrom-Json
$pd     = $personDifferences | ConvertFrom-Json
$m      = $manager | ConvertFrom-Json
$aRef   = $accountReference | ConvertFrom-Json
$mRef   = $managerAccountReference | ConvertFrom-Json
$pRef   = $permissionReference | ConvertFrom-Json
# Outcome of the run; the Execute region flips $success and appends audit entries.
$success   = $false
$auditLogs = New-Object 'System.Collections.Generic.List[PSCustomObject]'
#endregion Initialize default properties
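#region Support Functions
function Get-GoogleAccessToken() {
    <#
    .SYNOPSIS
        Exchanges the configured OAuth refresh token for an access token and
        returns the HTTP headers used by the Google API calls in this script.
    .DESCRIPTION
        Reads clientId, clientSecret, redirectUri and refreshToken from the
        script-level $config object and posts them to the Google token
        endpoint. Throws when the response carries no access_token, so a
        caller never sends an empty "Bearer " header and gets a confusing
        401 further down the line.
    .OUTPUTS
        Ordered hashtable with Authorization, Content-Type and Accept headers.
    #>
    # Exchange the refresh token for an access token.
    $requestUri = "https://www.googleapis.com/oauth2/v4/token"
    $refreshTokenParams = @{
        client_id     = $config.clientId
        client_secret = $config.clientSecret
        redirect_uri  = $config.redirectUri
        refresh_token = $config.refreshToken
        grant_type    = "refresh_token" # Fixed value
    }
    # -Verbose:$false keeps Invoke-RestMethod's verbose trace of this
    # credential exchange out of the log stream.
    $response = Invoke-RestMethod -Method Post -Uri $requestUri -Body $refreshTokenParams -Verbose:$false
    $accessToken = $response.access_token
    if ([string]::IsNullOrEmpty($accessToken)) {
        throw "Token endpoint returned no access_token; check the OAuth client configuration"
    }
    # Add the authorization header to the request
    $authorization = [ordered]@{
        Authorization  = "Bearer $accessToken"
        'Content-Type' = "application/json; charset=utf-8"
        Accept         = "application/json"
    }
    $authorization
}
#endregion Support Functions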
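#region Execute
# Appends one "GrantMembership" entry to the script-level $auditLogs list.
# $Message is the human-readable outcome; $IsError marks the entry as a failure.
function Add-GrantAuditLog {
    param(
        [Parameter(Mandatory)][string]$Message,
        [bool]$IsError = $false
    )
    $auditLogs.Add([PSCustomObject]@{
        Action  = "GrantMembership"
        Message = $Message
        IsError = $IsError
    })
}

# Best-effort extraction of the Google error payload's error.message.
# Invoke-RestMethod exposes the response body through the error record's
# string form; when that body is not JSON (proxy HTML page, connection
# failure) ConvertFrom-Json would throw inside the catch block and the run
# would end with no audit entry at all, so fall back to the record text.
function Get-GoogleErrorMessage {
    param([Parameter(Mandatory)]$ErrorRecord)
    try {
        $parsed = $ErrorRecord | ConvertFrom-Json
        if (-not [string]::IsNullOrEmpty($parsed.error.message)) {
            return [string]$parsed.error.message
        }
    }
    catch {
        # Not JSON, or no error.message - fall through to the raw text.
    }
    return "$ErrorRecord"
}

if (-not ($dryRun -eq $true)) {
    try {
        # Authenticated headers reused by every Directory/Licensing call below.
        $authorization = Get-GoogleAccessToken

        # Resolve the account reference to the user's primary email.
        $splat = @{
            Uri     = "https://www.googleapis.com/admin/directory/v1/users/$($aRef)"
            Method  = 'GET'
            Headers = $authorization
            Verbose = $false
        }
        $userResponse = Invoke-RestMethod @splat
        $primaryEmail = $userResponse[0].primaryEmail
        Write-Information "Found user: $primaryEmail"

        # $pRef.Type selects the API: Directory groups/members for "Group",
        # the Licensing API for "License". Anything else is an error.
        if ($pRef.Type -eq "Group") {
            Write-Information "Applying Group Permission"
            $account = [PSCustomObject]@{
                email = $primaryEmail
                role  = "MEMBER"
            }
            $splat = @{
                Uri     = "https://www.googleapis.com/admin/directory/v1/groups/$($pRef.Id)/members"
                Body    = [System.Text.Encoding]::UTF8.GetBytes(($account | ConvertTo-Json))
                Method  = 'POST'
                Headers = $authorization
                Verbose = $false
            }
            $null = Invoke-RestMethod @splat
            $success = $true
            Add-GrantAuditLog -Message "Membership for person $($p.DisplayName) added to $($pRef.DisplayName) successfully"
        }
        elseif ($pRef.Type -eq "License") {
            Write-Information "Applying License Permission"
            $account = [PSCustomObject]@{
                userId = $primaryEmail
            }
            $splat = @{
                Uri     = "https://licensing.googleapis.com/apps/licensing/v1/product/$($pRef.ProductId)/sku/$($pRef.SkuId)/user"
                Body    = [System.Text.Encoding]::UTF8.GetBytes(($account | ConvertTo-Json))
                Method  = 'POST'
                Headers = $authorization
                Verbose = $false
            }
            $null = Invoke-RestMethod @splat
            $success = $true
            Add-GrantAuditLog -Message "Membership for person $($p.DisplayName) added to $($pRef.DisplayName) successfully"
        }
        else {
            $success = $false
            Write-Error "(unknown permission type: $($pRef.Type))"
            Add-GrantAuditLog -IsError $true -Message "Membership for person $($p.DisplayName) to $($pRef.DisplayName) not successful (unknown permission type: $($pRef.Type))"
        }
    }
    catch {
        # StatusCode is $null for non-HTTP failures (DNS, timeout, token
        # exchange), which then falls through to the generic failure branch.
        $statusCode   = $_.Exception.Response.StatusCode.value__
        $errorMessage = Get-GoogleErrorMessage -ErrorRecord $_
        Write-Information "Status Code: $statusCode"
        Write-Information "Error: $errorMessage"

        if ($statusCode -eq 409) {
            # Membership already present: the grant is idempotent, report success.
            $success = $true
            Add-GrantAuditLog -Message "Membership for person $($p.DisplayName) added to $($pRef.DisplayName) (already exists)"
        }
        elseif ($statusCode -eq 412 -and $errorMessage -like "*User already has a license for the specified product and SKU*") {
            # Licensing API's "already assigned" response: likewise a success.
            $success = $true
            Add-GrantAuditLog -Message "Membership for person $($p.DisplayName) added to $($pRef.DisplayName) (already exists)"
        }
        else {
            $success = $false
            Add-GrantAuditLog -IsError $true -Message "Membership for person $($p.DisplayName) added to $($pRef.DisplayName) not successful - $($_)"
            Write-Error $_
        }
    }
}
#endregion Execute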
#region Build up result
# Echo the audit trail into the run log, then emit the connector result.
Write-Information ($auditLogs | ConvertTo-Json)
# NOTE: $account is only assigned inside the Execute branches, so it is
# $null (serialized as null) on a dry run or when no branch ran.
$result = [PSCustomObject]@{
    Success   = $success
    Account   = $account
    AuditLogs = $auditLogs
}
$result | ConvertTo-Json -Depth 10 | Write-Output
#endregion Build up result