kawa/Sharepoint-Toolbox
1
0
Fork 0
Code Issues Pull Requests Actions Releases 9 Wiki Activity

feat(07-02): implement UserAccessAuditService

Browse Source 
- Scans permissions via IPermissionsService.ScanSiteAsync per site
- Filters PermissionEntry results to matching target user logins (case-insensitive contains)
- Splits semicolon-delimited users/logins/levels into per-user UserAccessEntry rows
- Classifies AccessType: Inherited (!HasUniquePermissions), Group (GrantedThrough), Direct
- Flags IsHighPrivilege (Full Control, Site Collection Administrator) and IsExternalUser (#EXT#)
This commit is contained in:
Dev
2026-04-07 12:39:57 +02:00
parent 9f891aa512
commit 44b238e07a
1 changed files with 148 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

148
SharepointToolbox/Services/UserAccessAuditService.cs Normal file
View File

@@ -0,0 +1,148 @@
using SharepointToolbox.Core.Helpers;
using SharepointToolbox.Core.Models;
namespace SharepointToolbox.Services;
/// <summary>
/// Scans permissions across multiple sites via PermissionsService,
/// then filters and transforms results into user-centric UserAccessEntry records.
/// </summary>
public class UserAccessAuditService : IUserAccessAuditService
{
private readonly IPermissionsService _permissionsService;
private static readonly HashSet<string> HighPrivilegeLevels = new(StringComparer.OrdinalIgnoreCase)
{
"Full Control",
"Site Collection Administrator"
};
public UserAccessAuditService(IPermissionsService permissionsService)
{
_permissionsService = permissionsService;
}
public async Task<IReadOnlyList<UserAccessEntry>> AuditUsersAsync(
ISessionManager sessionManager,
IReadOnlyList<string> targetUserLogins,
IReadOnlyList<SiteInfo> sites,
ScanOptions options,
IProgress<OperationProgress> progress,
CancellationToken ct)
{
// Normalize target logins for case-insensitive matching.
// Users may be identified by email ("alice@contoso.com") or full claim
// ("i:0#.f|membership|alice@contoso.com"), so we match on "contains".
var targets = targetUserLogins
.Select(l => l.Trim().ToLowerInvariant())
.Where(l => l.Length > 0)
.ToHashSet();
if (targets.Count == 0)
return Array.Empty<UserAccessEntry>();
var allEntries = new List<UserAccessEntry>();
for (int i = 0; i < sites.Count; i++)
{
ct.ThrowIfCancellationRequested();
var site = sites[i];
progress.Report(new OperationProgress(i, sites.Count,
$"Scanning site {i + 1}/{sites.Count}: {site.Title}..."));
var profile = new TenantProfile
{
TenantUrl = site.Url,
ClientId = string.Empty, // Will be set by SessionManager from cached session
Name = site.Title
};
var ctx = await sessionManager.GetOrCreateContextAsync(profile, ct);
var permEntries = await _permissionsService.ScanSiteAsync(ctx, options, progress, ct);
var userEntries = TransformEntries(permEntries, targets, site);
allEntries.AddRange(userEntries);
}
progress.Report(new OperationProgress(sites.Count, sites.Count,
$"Audit complete: {allEntries.Count} access entries found."));
return allEntries;
}
/// <summary>
/// Transforms PermissionEntry list into UserAccessEntry list,
/// filtering to only entries that match target user logins.
/// </summary>
private static IEnumerable<UserAccessEntry> TransformEntries(
IReadOnlyList<PermissionEntry> permEntries,
HashSet<string> targets,
SiteInfo site)
{
foreach (var entry in permEntries)
{
// Split semicolon-delimited Users and UserLogins
var logins = entry.UserLogins.Split(';', StringSplitOptions.RemoveEmptyEntries);
var names = entry.Users.Split(';', StringSplitOptions.RemoveEmptyEntries);
// Split semicolon-delimited PermissionLevels
var permLevels = entry.PermissionLevels.Split(';', StringSplitOptions.RemoveEmptyEntries);
for (int u = 0; u < logins.Length; u++)
{
var login = logins[u].Trim();
var loginLower = login.ToLowerInvariant();
var displayName = u < names.Length ? names[u].Trim() : login;
// Check if this login matches any target user.
// Match by "contains" because SharePoint claims may wrap the email:
// "i:0#.f|membership|alice@contoso.com" contains "alice@contoso.com"
bool isTarget = targets.Any(t =>
loginLower.Contains(t) || t.Contains(loginLower));
if (!isTarget) continue;
// Determine access type
var accessType = ClassifyAccessType(entry);
// Emit one UserAccessEntry per permission level
foreach (var level in permLevels)
{
var trimmedLevel = level.Trim();
if (string.IsNullOrEmpty(trimmedLevel)) continue;
yield return new UserAccessEntry(
UserDisplayName: displayName,
UserLogin: login,
SiteUrl: site.Url,
SiteTitle: site.Title,
ObjectType: entry.ObjectType,
ObjectTitle: entry.Title,
ObjectUrl: entry.Url,
PermissionLevel: trimmedLevel,
AccessType: accessType,
GrantedThrough: entry.GrantedThrough,
IsHighPrivilege: HighPrivilegeLevels.Contains(trimmedLevel),
IsExternalUser: PermissionEntryHelper.IsExternalUser(login));
}
}
}
}
/// <summary>
/// Classifies a PermissionEntry into Direct, Group, or Inherited access type.
/// </summary>
private static AccessType ClassifyAccessType(PermissionEntry entry)
{
// Inherited: object does not have unique permissions
if (!entry.HasUniquePermissions)
return AccessType.Inherited;
// Group: GrantedThrough starts with "SharePoint Group:"
if (entry.GrantedThrough.StartsWith("SharePoint Group:", StringComparison.OrdinalIgnoreCase))
return AccessType.Group;
// Direct: unique permissions, granted directly
return AccessType.Direct;
}
}