Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit

Feature work: - Certificate (app-only) auth per profile: cert store, context/Graph client factories, automated app-registration provisioning (delegated + application permissions, admin consent), and a SessionManager seam that resolves the auth model per profile. - Scheduled reports: repositories, hosted service/runner/coordinator, report pages, and email delivery (app-only Mail.Send). - Tenant-wide user-access audit when no site is selected. Audit fixes: - Site enumeration: app-only discovery used Graph getAllSites (needs Graph Sites.Read.All the cert app lacks) and silently returned empty. Switched to the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth models now share one enumeration path. - Group expansion: the scan records a SharePoint group as a single principal, so user-centric audits found nothing for group-granted access. Resolve group membership (shared by audit + scheduler) and attribute it to the target user. - M365 group claims: the resolver only recognized AAD security groups (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim. - Provision Directory.Read.All as an application permission so M365/AAD group expansion works under the cert identity. Also: ignore data/appcerts/ (encrypted certificate key material). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 17:55:28 +02:00
parent 1b0f4ce588
commit 6d9c79ad5a
40 changed files with 3020 additions and 269 deletions
@@ -4,6 +4,7 @@
@inject IUserContextAccessor UserContext
@inject ISessionCredentialStore CredStore
@inject ISessionManager SessionManager
+@inject SharepointToolbox.Web.Infrastructure.Auth.IAppOnlyContextFactory AppOnly
@inject NavigationManager Nav
@inject IJSRuntime JS
@inject SharepointToolbox.Web.Services.OAuth.IOAuthFlowCache OAuthCache
@@ -44,8 +45,11 @@
                    {
                        <div style="font-size:10px;color:var(--text-muted);margin-top:4px">
                            SP: @_credUsername
-                            <button class="btn btn-secondary btn-sm" style="padding:2px 6px;font-size:10px;margin-left:4px"
-                                    @onclick="ReconnectAsync">@T["nav.reconnect"]</button>
+                            @if (!CurrentProfileUsesCert)
+                            {
+                                <button class="btn btn-secondary btn-sm" style="padding:2px 6px;font-size:10px;margin-left:4px"
+                                        @onclick="ReconnectAsync">@T["nav.reconnect"]</button>
+                            }
                        </div>
                    }
                </div>
@@ -149,7 +153,9 @@
        new("/folder-structure",       "📁", "tab.folderStructure",  "nav.section.bulk",   "profile"),
        new("/user-audit",             "👤", "tab.userAccessAudit",  "nav.section.audit",  "profile"),
        new("/user-directory",         "📖", "nav.userDirectory",    "nav.section.audit",  "profile"),
+        new("/reports",                "📑", "nav.reports",          "nav.section.audit",  "profile"),
        new("/templates",              "📐", "tab.templates",        "nav.section.config", "profile"),
+        new("/scheduled-reports",      "⏰", "nav.scheduledReports", "nav.section.admin",  "admin"),
        new("/profiles",               "⚙️", "nav.clientProfiles",   "nav.section.admin",  "admin"),
        new("/admin/users",            "👥", "nav.userManagement",   "nav.section.admin",  "admin"),
        new("/admin/audit",            "📋", "nav.auditLogs",        "nav.section.admin",  "admin"),
@@ -219,11 +225,16 @@
            }
        }

-        // If profile selected but no credentials → show modal
-        if (Session.HasProfile && !_hasCredentials && _credModal is not null)
+        // If profile selected but no credentials → show modal (cert profiles never prompt)
+        if (Session.HasProfile && !_hasCredentials && !CurrentProfileUsesCert && _credModal is not null)
            await _credModal.ShowAsync();
    }

+    // True when the selected profile authenticates app-only via a stored certificate —
+    // technicians operate under the app identity and are never prompted to sign in.
+    private bool CurrentProfileUsesCert =>
+        Session.CurrentProfile is { } p && AppOnly.IsConfigured(p);
+
    private async Task HandleOAuthCallbackAsync()
    {
        var uri   = new Uri(Nav.Uri);
@@ -256,6 +267,16 @@

    private async Task RefreshCredentialState()
    {
+        // Certificate-configured profiles need no session tokens — mark as connected
+        // under the app identity and skip the delegated token bookkeeping entirely.
+        if (CurrentProfileUsesCert)
+        {
+            _hasCredentials = true;
+            _credUsername   = $"{Session.CurrentProfile!.Name} ({T["nav.appIdentity"]})";
+            await InvokeAsync(StateHasChanged);
+            return;
+        }
+
        var tokens = await CredStore.GetAsync();

        // Session tokens are tenant-bound (refresh token issued for the profile's TenantId/ClientId).