PSScripts/AzureRoleAnalyzingScripts/Check-AppRoles.ps1

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$InputFile
)

# Ensure you're logged into Azure CLI
try {
    $null = az account show
}
catch {
    Write-Host "Please log in to Azure CLI first using 'az login'"
    exit
}

# Function to get all role definitions
function Get-AllRoleDefinitions {
    $roles = az role definition list |
        ConvertFrom-Json |
        ForEach-Object { $_ } |
#        Where-Object { $_.roleName -eq "Website Contributor" }
        Where-Object { $_.roleType -ne "CustomRole" -and $_.roleName -ne "Contributor" -and $_.roleName -ne "Owner" }
    return $roles
}

# Function to check if a string matches a resource type pattern
function Test-ResourceTypeMatch {
    param (
        [string]$Pattern,
        [string]$ResourceType
    )
    $patternParts = $Pattern -split '/'
    $resourceTypeParts = $ResourceType -split '/'

    for ($i = 0; $i -lt $patternParts.Count; $i++) {
        if ($i -ge $resourceTypeParts.Count -and $patternParts[$i] -ne "*") {
            return $false
        }

        if ($patternParts[$i] -eq '*') {
            if ($i -eq $patternParts.Count - 1) {
                return $true
            }
            continue
        }

        if ($patternParts[$i] -ne $resourceTypeParts[$i]) {
            return $false
        }
    }

    # If the pattern is shorter than the resource type, it's only a match if the last part was a wildcard
    return ($patternParts.Count -eq $resourceTypeParts.Count) -or ($patternParts[-1] -eq '*')
}

# Function to check if a role grants access to a resource type
function Test-RoleAccess {
    param (
        $Role,
        $ResourceType
    )
    $hasAccess = $false
    foreach ($permission in $Role.permissions) {
        # Check actions and dataActions
        foreach ($action in ($permission.actions + $permission.dataActions)) {
            if (Test-ResourceTypeMatch -Pattern $action -ResourceType $ResourceType) {
                $hasAccess = $true
                break
            }
        }
        
        # Check notActions and notDataActions
        foreach ($notAction in ($permission.notActions + $permission.notDataActions)) {
            if (Test-ResourceTypeMatch -Pattern $notAction -ResourceType $ResourceType) {
                return $false  # Explicitly not allowed
            }
        }
        
        if ($hasAccess) {
            break
        }
    }
    return $hasAccess
}

# Get all role definitions
$allRoles = Get-AllRoleDefinitions

# Read the file with resource types
try {
    $resourceTypes = Get-Content -Path $InputFile -ErrorAction Stop
    $resourceTypes = $resourceTypes | Sort-Object
}
catch {
    Write-Host "Error reading input file: $_"
    exit
}

# Process each resource type
foreach ($resourceType in $resourceTypes) {
    Write-Host "Resource Type: $resourceType"
    $matchingRoles = @()

    foreach ($role in $allRoles) {
        if (Test-RoleAccess -Role $role -ResourceType $resourceType) {
            $matchingRoles += $role.roleName
        }
    }

    if ($matchingRoles.Count -gt 0) {
        Write-Host "Roles granting access:"
        $matchingRoles | ForEach-Object { Write-Host "  - $_" }
    } else {
        Write-Host "No roles found granting access to this resource type."
    }
    Write-Host ""
}