feat: add Invoke-ExecCippLogsSas function to generate read-only SAS token for CippLogs table

Author: JohnDuprey

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecCippLogsSas.ps1

@@ -0,0 +1,63 @@
+function Invoke-ExecCippLogsSas {
+    <#
+    .SYNOPSIS
+        Generate a read-only SAS token for the CippLogs table
+    .DESCRIPTION
+        Creates a long-lived, read-only SAS URL for the CippLogs Azure Storage table.
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        CIPP.AppSettings.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    Write-LogMessage -headers $Request.Headers -API $APIName -message 'Generating CippLogs readonly SAS token' -Sev Info
+
+    try {
+        $conn = @{}
+        foreach ($part in ($env:AzureWebJobsStorage -split ';')) {
+            $p = $part.Trim()
+            if ($p -match '^(.+?)=(.+)$') { $conn[$matches[1]] = $matches[2] }
+        }
+
+        $Days = [int]($Request.Query.Days ?? $Request.Body.Days ?? 365)
+        if ($Days -lt 1 -or $Days -gt 3650) {
+            throw 'Days must be between 1 and 3650'
+        }
+
+        $Sas = New-CIPPAzServiceSAS `
+            -AccountName $conn['AccountName'] `
+            -AccountKey $conn['AccountKey'] `
+            -Service 'table' `
+            -ResourcePath 'CippLogs' `
+            -Permissions 'r' `
+            -ExpiryTime ([DateTime]::UtcNow.AddDays($Days))
+
+        $SASTable = Get-CIPPTable -TableName 'CippSASTokens'
+        $Entity = @{
+            PartitionKey = 'SAS'
+            RowKey       = 'CippLogs'
+            Permissions  = 'r'
+            ExpiryTime   = $Sas.ExpiryTime
+        }
+        Add-CIPPAzDataTableEntity @SASTable -Entity $Entity
+
+        $Body = @{
+            SASUrl    = $Sas.ResourceUri + $Sas.Token
+            ExpiresOn = $Sas.Query['se']
+        }
+        $StatusCode = [HttpStatusCode]::OK
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -headers $Request.Headers -API $APIName -message "Failed to generate CippLogs readonly SAS token: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
+        $Body = @{ Results = "Failed to generate readonly SAS token: $($ErrorMessage.NormalizedError)" }
+        $StatusCode = [HttpStatusCode]::InternalServerError
+    }
+
+    return ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = $Body
+        })
+}

Modules/CIPPCore/Public/GraphHelper/New-CIPPAzServiceSAS.ps1

@@ -38,7 +38,7 @@ function New-CIPPAzServiceSAS {
             'blob' { return "/blob/$AccountName/$decodedPath" }
             'queue' { return "/queue/$AccountName/$decodedPath" }
             'file' { return "/file/$AccountName/$decodedPath" }
-            'table' { return "/table/$AccountName/$decodedPath" }
+            'table' { return "/table/$AccountName/$($decodedPath.ToLowerInvariant())" }
         }
     }
 
@@ -171,9 +171,9 @@ function New-CIPPAzServiceSAS {
         $q['sr'] = $SignedResource
         if ($SnapshotTime) { $q['sst'] = $SnapshotTime }
     } elseif ($Service -eq 'table') {
+        # Table SAS requires tn (table name) in the query string
+        $q['tn'] = $ResourcePath.TrimStart('/')
         # Table SAS may include ranges (spk/srk/epk/erk), omitted here unless future parameters are added
-        # Table also uses tn (table name) in query, but canonicalizedResource already includes table name
-        # We rely on canonicalizedResource and omit tn unless specified by callers via ResourcePath
     } elseif ($Service -eq 'queue') {
         # No sr for queue
     }
@@ -262,7 +262,7 @@ function New-CIPPAzServiceSAS {
     $q['sig'] = $SignatureBase64
 
     # Compose ordered query for readability (common fields first)
-    $orderedKeys = @('sp', 'st', 'se', 'sip', 'spr', 'sv', 'sr', 'si', 'snapshot', 'ses', 'sdd', 'rscc', 'rscd', 'rsce', 'rscl', 'rsct', 'sig')
+    $orderedKeys = @('sp', 'st', 'se', 'sip', 'spr', 'sv', 'sr', 'tn', 'si', 'snapshot', 'ses', 'sdd', 'rscc', 'rscd', 'rsce', 'rscl', 'rsct', 'sig')
     $parts = [System.Collections.Generic.List[string]]::new()
     foreach ($k in $orderedKeys) {
         if ($q.ContainsKey($k) -and -not [string]::IsNullOrEmpty($q[$k])) {