From f3d89d83aaabf163e86e681a559e07bb016c45a5 Mon Sep 17 00:00:00 2001
From: mitchelbaker-cisa
Date: Thu, 19 Dec 2024 02:31:52 +0000
Subject: [PATCH] move PermissionsJson into ScubaConfig
---
 .../AADRiskyPermissionsHelper.psm1 | 18 +++++++++++-------
 .../Modules/ScubaConfig/ScubaConfig.psm1 | 7 ++++++-
 2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/PowerShell/ScubaGear/Modules/Providers/ProviderHelpers/AADRiskyPermissionsHelper.psm1 b/PowerShell/ScubaGear/Modules/Providers/ProviderHelpers/AADRiskyPermissionsHelper.psm1
index 52e6b20fe2..05d7b768b2 100644
--- a/PowerShell/ScubaGear/Modules/Providers/ProviderHelpers/AADRiskyPermissionsHelper.psm1
+++ b/PowerShell/ScubaGear/Modules/Providers/ProviderHelpers/AADRiskyPermissionsHelper.psm1
@@ -1,5 +1,6 @@
-$PermissionsPath = Join-Path -Path ((Get-Item -Path $PSScriptRoot).Parent.Parent.FullName) -ChildPath "Permissions"
-$PermissionsJson = Get-Content -Path (Join-Path -Path $PermissionsPath -ChildPath "RiskyPermissions.json") | ConvertFrom-Json
+using module 'ScubaConfig\ScubaConfig.psm1'
+#$PermissionsPath = Join-Path -Path ((Get-Item -Path $PSScriptRoot).Parent.Parent.FullName) -ChildPath "Permissions"
+#$PermissionsJson = Get-Content -Path (Join-Path -Path $PermissionsPath -ChildPath "RiskyPermissions.json") | ConvertFrom-Json
 
 function Format-RiskyPermission {
 <#
@@ -128,6 +129,7 @@ function Get-ApplicationsWithRiskyPermissions {
 ##>
 process {
 try {
+ $RiskyPermissionsJson = [ScubaConfig]::GetInstance().RiskyPermissions
 $Applications = Get-MgBetaApplication -All
 $ApplicationResults = @()
 foreach ($App in $Applications) {
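Review bot: The two replaced script-scope assignments are kept as commented-out code (`#$PermissionsPath …`, `#$PermissionsJson …`) beneath the new `using module` line; since the lookups now come from ScubaConfig, delete them outright rather than leaving dead code that suggests a fallback which no longer exists. The path in `using module 'ScubaConfig\ScubaConfig.psm1'` is resolved relative to this file's directory, whereas the removed line reached the Modules folder via `(Get-Item -Path $PSScriptRoot).Parent.Parent` and the second file header in this patch places the module at `Modules/ScubaConfig/ScubaConfig.psm1`, so it is worth confirming that the relative path actually resolves from ProviderHelpers. A `using module` failure is raised at parse time, before anything else in this module runs, so a wrong path would break every provider that imports the helper.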
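Review bot: The new `$RiskyPermissionsJson = [ScubaConfig]::GetInstance().RiskyPermissions` line has no null check, and the rest of the function (outside this hunk) dereferences it as `$RiskyPermissionsJson.resources.$ResourceAppId`; if the property was never populated those lookups yield `$null`, so the function reports no risky permissions instead of failing, which silently weakens the assessment. From the second file in this patch, the property is assigned in the same method that sets `[ScubaConfig]::_IsLoaded = $true`, so an instance obtained before a config file is loaded appears to leave it empty — worth confirming. The property is also declared `hidden static` there but is read here through an instance; confirm PowerShell resolves that, and in any case fail fast with `if ($null -eq $RiskyPermissionsJson) { throw "RiskyPermissions.json has not been loaded into ScubaConfig" }`. The same applies to the identical line added in Get-ServicePrincipalsWithRiskyPermissions further down; Get-ApplicationsWithRiskyPermissions begins and ends outside this hunk.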
@@ -148,10 +150,10 @@ function Get-ApplicationsWithRiskyPermissions {
 
 $IsAdminConsented = $false
 foreach($Role in $Roles) {
- $ResourceDisplayName = $PermissionsJson.resources.$ResourceAppId
+ $ResourceDisplayName = $RiskyPermissionsJson.resources.$ResourceAppId
 $RoleId = $Role.Id
 $MappedPermissions += Format-RiskyPermission `
- -Json $PermissionsJson `
+ -Json $RiskyPermissionsJson `
 -Resource $ResourceDisplayName `
 -Id $RoleId `
 -IsAdminConsented $IsAdminConsented
@@ -211,9 +213,11 @@ function Get-ServicePrincipalsWithRiskyPermissions {
 #Internal
 ##>
 process {
- try {
+ try {
+ $RiskyPermissionsJson = [ScubaConfig]::GetInstance().RiskyPermissions
 $ServicePrincipalResults = @()
- $ServicePrincipals = Get-MgBetaServicePrincipal -All
+ # Get all service principals excluding ones owned by Microsoft
+ $ServicePrincipals = Get-MgBetaServicePrincipal -All | Where-Object { $_.AppOwnerOrganizationId -ne "f8cdef31-a31e-4b4a-93e4-5f571e91255a" }
 foreach ($ServicePrincipal in $ServicePrincipals) {
 # Only retrieves admin consented permissions
 $AppRoleAssignments = Get-MgBetaServicePrincipalAppRoleAssignment -All -ServicePrincipalId $ServicePrincipal.Id
@@ -227,7 +231,7 @@ function Get-ServicePrincipalsWithRiskyPermissions {
 # `Get-MgBetaServicePrincipalAppRoleAssignment` only returns admin consented permissions
 $IsAdminConsented = $true
 $MappedPermissions += Format-RiskyPermission `
- -Json $PermissionsJson `
+ -Json $RiskyPermissionsJson `
 -Resource $ResourceDisplayName `
 -Id $RoleId `
 -IsAdminConsented $IsAdminConsented
diff --git a/PowerShell/ScubaGear/Modules/ScubaConfig/ScubaConfig.psm1 b/PowerShell/ScubaGear/Modules/ScubaConfig/ScubaConfig.psm1
index 7dda64b158..b1f666edf6 100644
--- a/PowerShell/ScubaGear/Modules/ScubaConfig/ScubaConfig.psm1
+++ b/PowerShell/ScubaGear/Modules/ScubaConfig/ScubaConfig.psm1
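Review bot: The added `Where-Object { $_.AppOwnerOrganizationId -ne "f8cdef31-a31e-4b4a-93e4-5f571e91255a" }` filter removes every service principal owned by that tenant from the risky-permission assessment with only a one-line comment, so admin-consented risky permissions held by those first-party principals are no longer reported; that is a deliberate coverage trade-off and belongs in the function's comment-based help, not just an inline comment. The bare GUID should also be a named script-scope constant so the intent is visible where it is defined, for example `$MicrosoftAppOwnerTenantId = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"` above the function and `-ne $MicrosoftAppOwnerTenantId` here. If Microsoft first-party applications can be owned by more than one tenant id, a single exclusion is incomplete and the comment should state which set it covers — worth confirming against real tenant data. Get-ServicePrincipalsWithRiskyPermissions starts and ends outside this hunk.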
@@ -42,7 +42,8 @@ class ScubaConfig {
 "Application Administrator",
 "Cloud Application Administrator")
 DefaultOPAVersion = '0.70.0'
- }
+ }
+ hidden static [PSCustomObject]$RiskyPermissions
 
 static [object]ScubaDefault ([string]$Name){
 return [ScubaConfig]::ScubaDefaults[$Name]
@@ -59,6 +60,10 @@ class ScubaConfig {
 
 $this.SetParameterDefaults()
 [ScubaConfig]::_IsLoaded = $true
+ [Scubaconfig]::RiskyPermissions = Get-Content -Path (
+ Join-Path -Path (Get-Item -Path $PSScriptRoot).Parent.Parent.FullName -ChildPath "Permissions/RiskyPermissions.json"
+ ) | ConvertFrom-Json
+
 # If OmitPolicy was included in the config file, validate the policy IDs included there.
 if ($this.Configuration.ContainsKey("OmitPolicy")) {
 foreach ($Policy in $this.Configuration.OmitPolicy.Keys) {
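Review bot: The new `[Scubaconfig]::RiskyPermissions = Get-Content -Path (…) | ConvertFrom-Json` statement has no error handling: a missing or unreadable `Permissions/RiskyPermissions.json` likely leaves the property `$null` (a `Get-Content` path error is non-terminating by default) and malformed JSON fails only inside `ConvertFrom-Json`, so the risky-permission checks downstream degrade silently rather than stopping the run. Add `-ErrorAction Stop` to `Get-Content` (or guard with `Test-Path` and throw) so a missing baseline file is a hard failure. `[Scubaconfig]` also differs in case from `[ScubaConfig]` on the line above; PowerShell resolves it, but use the declared spelling. Since the property is introduced as `hidden static [PSCustomObject]$RiskyPermissions` in the previous hunk, a one-line comment there stating that it is populated by this method and is `$null` until then would help callers. The enclosing method begins and ends outside this hunk.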