kawa
6d9c79ad5a
Feature work: - Certificate (app-only) auth per profile: cert store, context/Graph client factories, automated app-registration provisioning (delegated + application permissions, admin consent), and a SessionManager seam that resolves the auth model per profile. - Scheduled reports: repositories, hosted service/runner/coordinator, report pages, and email delivery (app-only Mail.Send). - Tenant-wide user-access audit when no site is selected. Audit fixes: - Site enumeration: app-only discovery used Graph getAllSites (needs Graph Sites.Read.All the cert app lacks) and silently returned empty. Switched to the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth models now share one enumeration path. - Group expansion: the scan records a SharePoint group as a single principal, so user-centric audits found nothing for group-granted access. Resolve group membership (shared by audit + scheduler) and attribute it to the target user. - M365 group claims: the resolver only recognized AAD security groups (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim. - Provision Directory.Read.All as an application permission so M365/AAD group expansion works under the cert identity. Also: ignore data/appcerts/ (encrypted certificate key material). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
48 lines
2.4 KiB
C#
48 lines
2.4 KiB
C#
using Azure.Core;
|
|
using Microsoft.Graph;
|
|
using Microsoft.SharePoint.Client;
|
|
using SharepointToolbox.Web.Core.Models;
|
|
|
|
namespace SharepointToolbox.Web.Infrastructure.Auth;
|
|
|
|
/// <summary>
|
|
/// Builds app-only (certificate-based) clients for a client profile. Drives BOTH the
|
|
/// background report scheduler AND the interactive session: when a profile is configured
|
|
/// for certificate auth (see <see cref="IsConfigured"/>), technicians operate through the
|
|
/// app identity and never sign in to SharePoint per profile. Requires
|
|
/// <see cref="TenantProfile.AppOnlyEnabled"/>, an app-only client id, and a stored certificate.
|
|
/// </summary>
|
|
public interface IAppOnlyContextFactory
|
|
{
|
|
/// <summary>
|
|
/// True when this profile can authenticate app-only without an interactive sign-in:
|
|
/// <see cref="TenantProfile.AppOnlyEnabled"/> is set, an app-only client id is present,
|
|
/// and a certificate is stored for the profile. When false, callers fall back to the
|
|
/// delegated refresh-token flow.
|
|
/// </summary>
|
|
bool IsConfigured(TenantProfile profile);
|
|
|
|
/// <summary>CSOM context for a specific site, authenticated app-only.</summary>
|
|
Task<ClientContext> CreateContextAsync(TenantProfile profile, string siteUrl, CancellationToken ct = default);
|
|
|
|
/// <summary>Microsoft Graph client, authenticated app-only.</summary>
|
|
Task<GraphServiceClient> CreateGraphClientAsync(TenantProfile profile, CancellationToken ct = default);
|
|
|
|
/// <summary>Acquires an app-only access token for an arbitrary scope (e.g. a SharePoint host or Graph).</summary>
|
|
Task<AccessToken> GetTokenAsync(TenantProfile profile, string scope, CancellationToken ct = default);
|
|
|
|
/// <summary>
|
|
/// Verifies the stored credentials can authenticate against the tenant root web.
|
|
/// Returns null on success, or an error message describing the failure.
|
|
/// </summary>
|
|
Task<string?> TestConnectionAsync(TenantProfile profile, CancellationToken ct = default);
|
|
|
|
/// <summary>
|
|
/// Polls <see cref="TestConnectionAsync"/> until it succeeds or <paramref name="timeout"/>
|
|
/// elapses. After a fresh app registration, the certificate key credential and app-role
|
|
/// admin consent take time to propagate through Entra (token requests 401 until then);
|
|
/// this waits that window out. Returns null once ready, or the last error on timeout.
|
|
/// </summary>
|
|
Task<string?> WaitUntilReadyAsync(TenantProfile profile, TimeSpan timeout, CancellationToken ct = default);
|
|
}
|