Files
claudetools/.claude/skills/remediation-tool/scripts/patch-tenant-admin-manifest.sh
Mike Swanson da87d314c5 harness: fleet-wide functional-error + correction + friction logging
Add .claude/scripts/log-skill-error.sh — the canonical agent error log helper
(writes errorlog.md in DATE | MACHINE | skill | [type] error format, soft-fails).
Three categories: execution failures (default), user corrections (--correction),
and preventable self-inflicted friction (--friction; cite ref= when it repeats a
documented gotcha). Goal: stop paying tokens twice for the same avoidable mistake.

- CLAUDE.md: make logging mandatory for all skills + corrections + friction.
- skill-creator: new skills must wire in the helper (guidance + checklist).
- Retrofit every skill script's genuine failure branches to call the helper
  (b2/bitdefender/mailprotector/packetdial/coord python CLIs; remediation-tool
  + onboard365 bash; vault, rmm-auth, post-bot-alert, agy, grok, 1password,
  run-onboarding-diagnostic). Handled conditions + self-tests left alone.
- errorlog.md: broaden header to cover skills + harness + corrections; seed this
  session's corrections (INKY, Mail.Send token-audience, omnibox-strictness) and
  friction (git-bash /tmp, env-persistence, argv-limit, PowerShell var-case).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 11:40:25 -07:00

188 lines
9.9 KiB
Bash
Executable File

#!/usr/bin/env bash
# Patch the Tenant Admin app manifest to add RoleManagement.ReadWrite.Directory,
# then grant admin consent for that role in the ACG home tenant.
#
# Usage: patch-tenant-admin-manifest.sh
#
# Requirements:
# - Management app token (ACG home tenant) via SOPS vault
# - jq on PATH
# - curl on PATH
set -euo pipefail
ACG_HOME_TENANT="ce61461e-81a0-4c84-bb4a-7b354a9a356d"
MANAGEMENT_CLIENT_ID="0df4e185-4cf2-478c-a490-cc4ef36c6118"
MANAGEMENT_VAULT_PATH="msp-tools/computerguru-management.sops.yaml"
TENANT_ADMIN_APP_ID="709e6eed-0711-4875-9c44-2d3518c47063"
GRAPH_RESOURCE_APP_ID="00000003-0000-0000-c000-000000000000"
ROLE_MGMT_PERMISSION_ID="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CLAUDETOOLS_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
IDENTITY_FILE="$CLAUDETOOLS_ROOT/.claude/identity.json"
# Repo root for the functional-error logger (4 levels up from this scripts dir).
__ELOG_ROOT="${CLAUDETOOLS_ROOT_ENV:-$(cd "$SCRIPT_DIR/../../../.." && pwd)}"
VAULT_ROOT="${VAULT_PATH:-}"
if [[ -z "$VAULT_ROOT" && -f "$IDENTITY_FILE" ]]; then
for py in py python3 python; do
if command -v "$py" >/dev/null 2>&1; then
VAULT_ROOT=$("$py" -c "import json; print(json.load(open('$IDENTITY_FILE')).get('vault_path',''))" 2>/dev/null) && break
fi
done
fi
[[ -z "$VAULT_ROOT" ]] && { echo "[ERROR] vault_path not set in $IDENTITY_FILE and VAULT_PATH env var not set" >&2; exit 3; }
[[ ! -d "$VAULT_ROOT" ]] && { echo "[ERROR] vault not found at $VAULT_ROOT (check vault_path in $IDENTITY_FILE)" >&2; exit 3; }
# ── Step 1: Get Management app client secret ──────────────────────────────────
echo "[INFO] Reading Management app secret from vault..."
CLIENT_SECRET=""
CLIENT_SECRET=$(bash "$VAULT_ROOT/scripts/vault.sh" get-field "$MANAGEMENT_VAULT_PATH" credentials.client_secret 2>/dev/null | tr -d '\r\n' || true)
if [[ -z "$CLIENT_SECRET" ]]; then
CLIENT_SECRET=$(bash "$VAULT_ROOT/scripts/vault.sh" get-field "$MANAGEMENT_VAULT_PATH" credentials.credential 2>/dev/null | tr -d '\r\n' || true)
fi
[[ -z "$CLIENT_SECRET" ]] && { echo "[ERROR] Could not read secret from $MANAGEMENT_VAULT_PATH" >&2; bash "$__ELOG_ROOT/.claude/scripts/log-skill-error.sh" "remediation-tool" "patch-tenant-admin-manifest: could not read Management app secret from vault" --context "vault=$MANAGEMENT_VAULT_PATH" >/dev/null 2>&1 || true; exit 4; }
echo "[OK] Management app secret retrieved"
# ── Step 2: Get Management app token (home tenant) ───────────────────────────
echo "[INFO] Acquiring Management app token for ACG home tenant..."
TOKEN_RESP=$(curl -s --max-time 15 -X POST \
"https://login.microsoftonline.com/${ACG_HOME_TENANT}/oauth2/v2.0/token" \
--data-urlencode "client_id=${MANAGEMENT_CLIENT_ID}" \
--data-urlencode "client_secret=${CLIENT_SECRET}" \
--data-urlencode "scope=https://graph.microsoft.com/.default" \
--data-urlencode "grant_type=client_credentials")
MGMT_TOKEN=$(echo "$TOKEN_RESP" | jq -r '.access_token // empty')
if [[ -z "$MGMT_TOKEN" ]]; then
echo "[ERROR] Failed to acquire Management app token" >&2
echo "$TOKEN_RESP" >&2
bash "$__ELOG_ROOT/.claude/scripts/log-skill-error.sh" "remediation-tool" "patch-tenant-admin-manifest: failed to acquire Management app token (home tenant)" --context "err=$(echo "$TOKEN_RESP" | jq -r '.error // empty' 2>/dev/null)" >/dev/null 2>&1 || true
exit 5
fi
echo "[OK] Management app token acquired"
# ── Step 3: Get current Tenant Admin app object + requiredResourceAccess ──────
echo "[INFO] Fetching Tenant Admin app registration (appId=$TENANT_ADMIN_APP_ID)..."
APP_RESP=$(curl -s --max-time 15 \
-H "Authorization: Bearer $MGMT_TOKEN" \
-G \
--data-urlencode "\$filter=appId eq '$TENANT_ADMIN_APP_ID'" \
--data-urlencode "\$select=id,displayName,requiredResourceAccess" \
"https://graph.microsoft.com/v1.0/applications")
APP_OBJ_ID=$(echo "$APP_RESP" | jq -r '.value[0].id // empty')
APP_DISPLAY=$(echo "$APP_RESP" | jq -r '.value[0].displayName // empty')
if [[ -z "$APP_OBJ_ID" ]]; then
echo "[ERROR] Tenant Admin application not found (appId=$TENANT_ADMIN_APP_ID)" >&2
echo "Response: $APP_RESP" >&2
bash "$__ELOG_ROOT/.claude/scripts/log-skill-error.sh" "remediation-tool" "patch-tenant-admin-manifest: Tenant Admin application registration not found" --context "appId=$TENANT_ADMIN_APP_ID" >/dev/null 2>&1 || true
exit 6
fi
echo "[OK] Found app: $APP_DISPLAY (objectId=$APP_OBJ_ID)"
# ── Step 4: Check whether RoleManagement.ReadWrite.Directory already present ──
ALREADY_PRESENT=$(echo "$APP_RESP" | jq --arg pid "$ROLE_MGMT_PERMISSION_ID" \
'[.value[0].requiredResourceAccess[].resourceAccess[].id] | map(select(. == $pid)) | length > 0')
if [[ "$ALREADY_PRESENT" == "true" ]]; then
echo "[OK] RoleManagement.ReadWrite.Directory already present in manifest — no patch needed"
else
echo "[INFO] RoleManagement.ReadWrite.Directory not in manifest — patching..."
# Build updated requiredResourceAccess: inject new permission into the Graph entry
UPDATED_RRA=$(echo "$APP_RESP" | jq --arg gid "$GRAPH_RESOURCE_APP_ID" \
--arg pid "$ROLE_MGMT_PERMISSION_ID" '
.value[0].requiredResourceAccess
| map(
if .resourceAppId == $gid
then .resourceAccess += [{"id": $pid, "type": "Role"}]
else .
end
)
')
# PATCH the application
PATCH_RESP=$(curl -s --max-time 15 -o /dev/null -w "%{http_code}" -X PATCH \
-H "Authorization: Bearer $MGMT_TOKEN" \
-H "Content-Type: application/json" \
"https://graph.microsoft.com/v1.0/applications/$APP_OBJ_ID" \
-d "{\"requiredResourceAccess\": $UPDATED_RRA}")
if [[ "$PATCH_RESP" == "204" ]]; then
echo "[OK] App manifest patched (HTTP 204)"
else
echo "[ERROR] PATCH returned HTTP $PATCH_RESP" >&2
bash "$__ELOG_ROOT/.claude/scripts/log-skill-error.sh" "remediation-tool" "patch-tenant-admin-manifest: app manifest PATCH failed" --context "appObjId=$APP_OBJ_ID http=$PATCH_RESP" >/dev/null 2>&1 || true
exit 7
fi
fi
# ── Step 5: Locate Tenant Admin SP and Graph SP in the home tenant ─────────────
echo "[INFO] Locating Tenant Admin service principal in home tenant..."
TA_SP_RESP=$(curl -s --max-time 15 \
-H "Authorization: Bearer $MGMT_TOKEN" \
-G \
--data-urlencode "\$filter=appId eq '$TENANT_ADMIN_APP_ID'" \
--data-urlencode "\$select=id,displayName" \
"https://graph.microsoft.com/v1.0/servicePrincipals")
TA_SP_OID=$(echo "$TA_SP_RESP" | jq -r '.value[0].id // empty')
[[ -z "$TA_SP_OID" ]] && { echo "[ERROR] Tenant Admin SP not found in home tenant" >&2; bash "$__ELOG_ROOT/.claude/scripts/log-skill-error.sh" "remediation-tool" "patch-tenant-admin-manifest: Tenant Admin SP not found in home tenant" --context "appId=$TENANT_ADMIN_APP_ID" >/dev/null 2>&1 || true; exit 8; }
echo "[OK] Tenant Admin SP: $TA_SP_OID"
echo "[INFO] Locating Microsoft Graph SP in home tenant..."
GRAPH_SP_RESP=$(curl -s --max-time 15 \
-H "Authorization: Bearer $MGMT_TOKEN" \
-G \
--data-urlencode "\$filter=appId eq '00000003-0000-0000-c000-000000000000'" \
--data-urlencode "\$select=id" \
"https://graph.microsoft.com/v1.0/servicePrincipals")
GRAPH_SP_OID=$(echo "$GRAPH_SP_RESP" | jq -r '.value[0].id // empty')
[[ -z "$GRAPH_SP_OID" ]] && { echo "[ERROR] Microsoft Graph SP not found in home tenant" >&2; bash "$__ELOG_ROOT/.claude/scripts/log-skill-error.sh" "remediation-tool" "patch-tenant-admin-manifest: Microsoft Graph SP not found in home tenant" >/dev/null 2>&1 || true; exit 8; }
echo "[OK] Microsoft Graph SP: $GRAPH_SP_OID"
# ── Step 6: Check if appRoleAssignment already granted ────────────────────────
echo "[INFO] Checking existing appRoleAssignments for Tenant Admin SP..."
EXISTING_RESP=$(curl -s --max-time 15 \
-H "Authorization: Bearer $MGMT_TOKEN" \
"https://graph.microsoft.com/v1.0/servicePrincipals/$TA_SP_OID/appRoleAssignments")
ALREADY_GRANTED=$(echo "$EXISTING_RESP" | jq --arg rid "$ROLE_MGMT_PERMISSION_ID" \
'[.value[] | select(.appRoleId == $rid)] | length > 0')
if [[ "$ALREADY_GRANTED" == "true" ]]; then
echo "[OK] RoleManagement.ReadWrite.Directory appRoleAssignment already granted in home tenant — nothing to do"
else
echo "[INFO] Granting RoleManagement.ReadWrite.Directory appRoleAssignment in home tenant..."
GRANT_BODY=$(jq -n \
--arg principal "$TA_SP_OID" \
--arg resource "$GRAPH_SP_OID" \
--arg role "$ROLE_MGMT_PERMISSION_ID" \
'{"principalId": $principal, "resourceId": $resource, "appRoleId": $role}')
GRANT_RESP=$(curl -s --max-time 15 \
-H "Authorization: Bearer $MGMT_TOKEN" \
-H "Content-Type: application/json" \
-X POST \
"https://graph.microsoft.com/v1.0/servicePrincipals/$TA_SP_OID/appRoleAssignments" \
-d "$GRANT_BODY")
GRANT_ID=$(echo "$GRANT_RESP" | jq -r '.id // empty')
if [[ -z "$GRANT_ID" ]]; then
echo "[ERROR] Failed to grant appRoleAssignment" >&2
echo "$GRANT_RESP" >&2
bash "$__ELOG_ROOT/.claude/scripts/log-skill-error.sh" "remediation-tool" "patch-tenant-admin-manifest: failed to grant RoleManagement.ReadWrite.Directory appRoleAssignment" --context "msg=$(echo "$GRANT_RESP" | jq -r '.error.message // empty' 2>/dev/null | head -c 80)" >/dev/null 2>&1 || true
exit 9
fi
echo "[OK] appRoleAssignment granted (id=$GRANT_ID)"
fi
echo ""
echo "[SUCCESS] Tenant Admin app manifest patched and home-tenant consent granted."
echo " RoleManagement.ReadWrite.Directory (id=$ROLE_MGMT_PERMISSION_ID) is now active."
echo ""
echo "[INFO] Next step: re-run admin consent in any customer tenants where Tenant Admin"
echo " is already consented, so the new permission is reflected in their service principal."
echo ""
echo " Consent URL pattern:"
echo " https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent"