kawa/SharepointToolbox-Web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ebda614aaa662b82d631ccba7b2f3d966fa6dd24
SharepointToolbox-Web/Services/SiteDiscoveryService.cs
T
kawa 6d9c79ad5a Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit 
Feature work:
- Certificate (app-only) auth per profile: cert store, context/Graph client
  factories, automated app-registration provisioning (delegated + application
  permissions, admin consent), and a SessionManager seam that resolves the auth
  model per profile.
- Scheduled reports: repositories, hosted service/runner/coordinator, report
  pages, and email delivery (app-only Mail.Send).
- Tenant-wide user-access audit when no site is selected.

Audit fixes:
- Site enumeration: app-only discovery used Graph getAllSites (needs Graph
  Sites.Read.All the cert app lacks) and silently returned empty. Switched to
  the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth
  models now share one enumeration path.
- Group expansion: the scan records a SharePoint group as a single principal, so
  user-centric audits found nothing for group-granted access. Resolve group
  membership (shared by audit + scheduler) and attribute it to the target user.
- M365 group claims: the resolver only recognized AAD security groups
  (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim
  (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim.
- Provision Directory.Read.All as an application permission so M365/AAD group
  expansion works under the cert identity.

Also: ignore data/appcerts/ (encrypted certificate key material).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 17:55:28 +02:00

61 lines
2.8 KiB
C#
Raw Blame History

using SharepointToolbox.Web.Core.Helpers;
using SharepointToolbox.Web.Core.Models;
using SharepointToolbox.Web.Infrastructure.Auth;
using SharepointToolbox.Web.Services.Session;
namespace SharepointToolbox.Web.Services;
/// <summary>
/// Enumerates every site collection in a tenant via the SharePoint tenant-admin endpoint
/// (<c>Tenant.GetSitePropertiesFromSharePointByFilters</c>), paging through all results.
/// The auth model only changes how the admin-host context is built:
///
/// • Certificate (app-only) profiles build the admin context through the cert factory — the
/// same path the background report scheduler uses (<see cref="Services.Reports"/>), which
/// relies only on the SharePoint <c>Sites.FullControl.All</c> application permission the cert
/// app already holds. (The earlier Graph <c>/sites/getAllSites</c> path was dropped: it needs
/// a separate Graph <c>Sites.Read.All</c> grant the cert app is not provisioned with, so it
/// returned empty/403 and tenant-wide audits silently fell back to the root site alone.)
/// • Delegated profiles build the admin context through the session manager; this requires the
/// signed-in user to be a SharePoint administrator.
///
/// The Graph <c>/sites?search=*</c> endpoint was deliberately abandoned for both: it ranks by
/// relevance and is capped server-side, silently dropping sites and returning varying counts.
/// </summary>
public class SiteDiscoveryService : ISiteDiscoveryService
{
private readonly ISessionManager _sessionManager;
private readonly IAppOnlyContextFactory _appOnly;
public SiteDiscoveryService(
ISessionManager sessionManager,
IAppOnlyContextFactory appOnly)
{
_sessionManager = sessionManager;
_appOnly = appOnly;
}
public async Task<IReadOnlyList<SiteInfo>> SearchSitesAsync(
TenantProfile profile,
string? query = null,
CancellationToken ct = default)
{
ArgumentException.ThrowIfNullOrEmpty(profile.TenantUrl);
var adminUrl = TenantSiteEnumerator.BuildAdminUrl(profile.TenantUrl);
// App-only profiles: build the admin-host context through the cert factory (matches the
// scheduler), enumerating under the SharePoint app permission the cert already grants.
if (_appOnly.IsConfigured(profile))
{
using var adminCtx = await _appOnly.CreateContextAsync(profile, adminUrl, ct);
return await TenantSiteEnumerator.EnumerateAsync(adminCtx, ct);
}
// Delegated profiles: enumeration only exists on the tenant admin endpoint.
var adminProfile = profile.CloneForSite(adminUrl);
var ctx = await _sessionManager.GetOrCreateContextAsync(adminProfile, ct);
return await TenantSiteEnumerator.EnumerateAsync(ctx, ct);
}
}
Reference in New Issue View Git Blame Copy Permalink