kawa/SharepointToolbox-Web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4c2605b53209baf6509a8167592e90120e4d9a1e
SharepointToolbox-Web/Infrastructure/Auth/GraphClientFactory.cs
T
kawa 6d9c79ad5a Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit 
Feature work:
- Certificate (app-only) auth per profile: cert store, context/Graph client
  factories, automated app-registration provisioning (delegated + application
  permissions, admin consent), and a SessionManager seam that resolves the auth
  model per profile.
- Scheduled reports: repositories, hosted service/runner/coordinator, report
  pages, and email delivery (app-only Mail.Send).
- Tenant-wide user-access audit when no site is selected.

Audit fixes:
- Site enumeration: app-only discovery used Graph getAllSites (needs Graph
  Sites.Read.All the cert app lacks) and silently returned empty. Switched to
  the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth
  models now share one enumeration path.
- Group expansion: the scan records a SharePoint group as a single principal, so
  user-centric audits found nothing for group-granted access. Resolve group
  membership (shared by audit + scheduler) and attribute it to the target user.
- M365 group claims: the resolver only recognized AAD security groups
  (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim
  (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim.
- Provision Directory.Read.All as an application permission so M365/AAD group
  expansion works under the cert identity.

Also: ignore data/appcerts/ (encrypted certificate key material).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 17:55:28 +02:00

45 lines
1.6 KiB
C#
Raw Blame History

using Microsoft.Graph;
using SharepointToolbox.Web.Core.Models;
using SharepointToolbox.Web.Services;
using SharepointToolbox.Web.Services.Session;
namespace SharepointToolbox.Web.Infrastructure.Auth;
/// <summary>
/// Builds a Graph client for a profile. Certificate-configured profiles get an app-only
/// client (no interactive sign-in); all others use the delegated OAuth2 refresh-token flow
/// via ISessionManager.
/// </summary>
public class GraphClientFactory
{
private readonly ISessionCredentialStore _credentialStore;
private readonly ISessionManager _sessionManager;
private readonly IAppOnlyContextFactory _appOnly;
public GraphClientFactory(
ISessionCredentialStore credentialStore,
ISessionManager sessionManager,
IAppOnlyContextFactory appOnly)
{
_credentialStore = credentialStore;
_sessionManager = sessionManager;
_appOnly = appOnly;
}
public async Task<GraphServiceClient> CreateClientAsync(TenantProfile profile)
{
ArgumentException.ThrowIfNullOrEmpty(profile.TenantId);
if (_appOnly.IsConfigured(profile))
return await _appOnly.CreateGraphClientAsync(profile);
var hasTokens = await _credentialStore.HasCredentialsAsync();
if (!hasTokens)
throw new InvalidOperationException(
"No session tokens found. Please authenticate via Microsoft first.");
var credential = new SessionTokenCredential(_sessionManager);
return new GraphServiceClient(credential, ["https://graph.microsoft.com/.default"]);
}
}
Reference in New Issue View Git Blame Copy Permalink