Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit
Feature work: - Certificate (app-only) auth per profile: cert store, context/Graph client factories, automated app-registration provisioning (delegated + application permissions, admin consent), and a SessionManager seam that resolves the auth model per profile. - Scheduled reports: repositories, hosted service/runner/coordinator, report pages, and email delivery (app-only Mail.Send). - Tenant-wide user-access audit when no site is selected. Audit fixes: - Site enumeration: app-only discovery used Graph getAllSites (needs Graph Sites.Read.All the cert app lacks) and silently returned empty. Switched to the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth models now share one enumeration path. - Group expansion: the scan records a SharePoint group as a single principal, so user-centric audits found nothing for group-granted access. Resolve group membership (shared by audit + scheduler) and attribute it to the target user. - M365 group claims: the resolver only recognized AAD security groups (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim. - Provision Directory.Read.All as an application permission so M365/AAD group expansion works under the cert identity. Also: ignore data/appcerts/ (encrypted certificate key material). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,51 @@
|
||||
namespace SharepointToolbox.Web.Core.Models;
|
||||
|
||||
public enum ReportRunStatus
|
||||
{
|
||||
Success,
|
||||
Failed
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// One produced report file, listed per client. The file itself lives under
|
||||
/// {ExportsFolder}/{ProfileId}/{FileName}; this record is the index entry that the
|
||||
/// "Reports" list and the id-based download endpoint resolve against.
|
||||
/// Persisted to reports-index.json.
|
||||
/// </summary>
|
||||
public class GeneratedReport
|
||||
{
|
||||
public string Id { get; set; } = Guid.NewGuid().ToString();
|
||||
|
||||
public string ProfileId { get; set; } = string.Empty;
|
||||
|
||||
/// <summary>The schedule that produced this; null for an ad-hoc/manual run.</summary>
|
||||
public string? ScheduledReportId { get; set; }
|
||||
|
||||
public ReportType Type { get; set; }
|
||||
|
||||
/// <summary>Human label (usually copied from the schedule name).</summary>
|
||||
public string Name { get; set; } = string.Empty;
|
||||
|
||||
/// <summary>File name on disk, relative to the profile's exports subfolder.</summary>
|
||||
public string FileName { get; set; } = string.Empty;
|
||||
|
||||
public string Mime { get; set; } = string.Empty;
|
||||
|
||||
public long SizeBytes { get; set; }
|
||||
|
||||
public DateTime GeneratedUtc { get; set; } = DateTime.UtcNow;
|
||||
|
||||
public ReportRunStatus Status { get; set; } = ReportRunStatus.Success;
|
||||
|
||||
/// <summary>Populated when <see cref="Status"/> is Failed.</summary>
|
||||
public string? Error { get; set; }
|
||||
|
||||
/// <summary>True when the report was successfully emailed via Graph.</summary>
|
||||
public bool Emailed { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Populated when email delivery was requested but failed. The report itself still
|
||||
/// succeeded (file is on disk) — only delivery failed.
|
||||
/// </summary>
|
||||
public string? EmailError { get; set; }
|
||||
}
|
||||
Reference in New Issue
Block a user