kawa/SharepointToolbox-Web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fe33960c0e12bc5822516b359c8313668379b6a3
SharepointToolbox-Web/Infrastructure/Auth/SessionManager.cs
T
kawa 6d9c79ad5a Add scheduled reports + app-only cert auth; fix tenant-wide user-access audit 
Feature work:
- Certificate (app-only) auth per profile: cert store, context/Graph client
  factories, automated app-registration provisioning (delegated + application
  permissions, admin consent), and a SessionManager seam that resolves the auth
  model per profile.
- Scheduled reports: repositories, hosted service/runner/coordinator, report
  pages, and email delivery (app-only Mail.Send).
- Tenant-wide user-access audit when no site is selected.

Audit fixes:
- Site enumeration: app-only discovery used Graph getAllSites (needs Graph
  Sites.Read.All the cert app lacks) and silently returned empty. Switched to
  the admin-host CSOM TenantSiteEnumerator, matching the scheduler; both auth
  models now share one enumeration path.
- Group expansion: the scan records a SharePoint group as a single principal, so
  user-centric audits found nothing for group-granted access. Resolve group
  membership (shared by audit + scheduler) and attribute it to the target user.
- M365 group claims: the resolver only recognized AAD security groups
  (c:0t.c|). Group-connected/Teams sites grant via the M365 group claim
  (c:0o.c|…|<guid>[_o]); now expanded too, resolving owners for the "_o" claim.
- Provision Directory.Read.All as an application permission so M365/AAD group
  expansion works under the cert identity.

Also: ignore data/appcerts/ (encrypted certificate key material).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 17:55:28 +02:00

178 lines
6.9 KiB
C#
Raw Blame History

using Microsoft.SharePoint.Client;
using SharepointToolbox.Web.Core.Models;
using SharepointToolbox.Web.Services;
using SharepointToolbox.Web.Services.Auth;
using SharepointToolbox.Web.Services.Session;
namespace SharepointToolbox.Web.Infrastructure.Auth;
/// <summary>
/// Session manager that resolves the auth model per profile. When a profile is configured
/// for certificate auth (<see cref="IAppOnlyContextFactory.IsConfigured"/>), contexts are
/// built app-only via the stored certificate and no interactive sign-in is required.
/// Otherwise it falls back to the delegated OAuth2 refresh-token flow, whose access tokens
/// come from ISessionCredentialStore (ProtectedSessionStorage — browser-side only) and are
/// cached in-memory per scope for the duration of the Blazor circuit.
/// Scoped per Blazor circuit.
/// </summary>
public class SessionManager : ISessionManager
{
private readonly ISessionCredentialStore _credentialStore;
private readonly ITokenRefreshService _tokenRefresh;
private readonly IAppOnlyContextFactory _appOnly;
private readonly Dictionary<string, ClientContext> _contexts = new();
private readonly Dictionary<string, (string Token, DateTimeOffset ExpiresAt)> _accessTokenCache = new();
private readonly SemaphoreSlim _lock = new(1, 1);
public SessionManager(
ISessionCredentialStore credentialStore,
ITokenRefreshService tokenRefresh,
IAppOnlyContextFactory appOnly)
{
_credentialStore = credentialStore;
_tokenRefresh = tokenRefresh;
_appOnly = appOnly;
}
public bool IsAuthenticated(string tenantUrl) => _contexts.ContainsKey(NormalizeUrl(tenantUrl));
public async Task<(string Token, DateTimeOffset ExpiresAt)> GetAccessTokenWithExpiryAsync(
string scope, CancellationToken ct = default)
{
await _lock.WaitAsync(ct);
try
{
if (_accessTokenCache.TryGetValue(scope, out var cached) && cached.ExpiresAt > DateTimeOffset.UtcNow)
return cached;
var tokens = await _credentialStore.GetAsync()
?? throw new InvalidOperationException(
"No session tokens found. Please authenticate via Microsoft first.");
var result = await _tokenRefresh.RefreshAsync(tokens.RefreshToken, tokens.TenantId, tokens.ClientId, scope);
// Persist rotated refresh token back to browser storage
if (result.RefreshToken != tokens.RefreshToken)
await _credentialStore.UpdateRefreshTokenAsync(result.RefreshToken);
var entry = (result.AccessToken, result.ExpiresAt);
_accessTokenCache[scope] = entry;
return entry;
}
finally { _lock.Release(); }
}
public async Task<ClientContext> GetOrCreateContextAsync(TenantProfile profile, CancellationToken ct = default)
{
ArgumentException.ThrowIfNullOrEmpty(profile.TenantUrl);
ArgumentException.ThrowIfNullOrEmpty(profile.TenantId);
var key = NormalizeUrl(profile.TenantUrl);
var spScope = NormalizeScopeUrl(profile.TenantUrl) + "/.default";
// Certificate-configured profiles authenticate app-only: no interactive sign-in,
// no session tokens. Build the context through the cert factory and cache it under
// the same key so report services see an ordinary authenticated ClientContext.
if (_appOnly.IsConfigured(profile))
{
await _lock.WaitAsync(ct);
try
{
if (_contexts.TryGetValue(key, out var existingCert))
return existingCert;
var certCtx = await _appOnly.CreateContextAsync(profile, profile.TenantUrl, ct);
_contexts[key] = certCtx;
return certCtx;
}
finally { _lock.Release(); }
}
await _lock.WaitAsync(ct);
try
{
if (_contexts.TryGetValue(key, out var existing))
return existing;
// Validate tokens are present before creating context
var tokens = await _credentialStore.GetAsync()
?? throw new InvalidOperationException(
"No session tokens found. Please authenticate via Microsoft first.");
_ = tokens; // validated; actual token acquired per-request below
var ctx = new ClientContext(profile.TenantUrl);
ctx.ExecutingWebRequest += async (_, e) =>
{
var (token, _) = await GetAccessTokenWithExpiryAsyncInternal(spScope, tokens.TenantId);
e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + token;
};
_contexts[key] = ctx;
return ctx;
}
finally { _lock.Release(); }
}
public async Task<ClientContext> GetOrCreateContextAsync(string siteUrl, TenantProfile profile, CancellationToken ct = default)
{
return await GetOrCreateContextAsync(profile.CloneForSite(siteUrl), ct);
}
public async Task ClearSessionAsync(string tenantUrl)
{
var key = NormalizeUrl(tenantUrl);
await _lock.WaitAsync();
try
{
if (_contexts.TryGetValue(key, out var ctx))
{
ctx.Dispose();
_contexts.Remove(key);
}
}
finally { _lock.Release(); }
}
public async Task ClearAllAsync()
{
await _lock.WaitAsync();
try
{
foreach (var ctx in _contexts.Values) ctx.Dispose();
_contexts.Clear();
_accessTokenCache.Clear();
}
finally { _lock.Release(); }
}
// Internal version that bypasses the outer lock (called from ExecutingWebRequest which may run concurrently)
private async Task<(string Token, DateTimeOffset ExpiresAt)> GetAccessTokenWithExpiryAsyncInternal(
string scope, string tenantId)
{
if (_accessTokenCache.TryGetValue(scope, out var cached) && cached.ExpiresAt > DateTimeOffset.UtcNow)
return cached;
var tokens = await _credentialStore.GetAsync()
?? throw new InvalidOperationException("No session tokens in store.");
var result = await _tokenRefresh.RefreshAsync(tokens.RefreshToken, tenantId, tokens.ClientId, scope);
if (result.RefreshToken != tokens.RefreshToken)
await _credentialStore.UpdateRefreshTokenAsync(result.RefreshToken);
var entry = (result.AccessToken, result.ExpiresAt);
_accessTokenCache[scope] = entry;
return entry;
}
private static string NormalizeUrl(string url) => url.TrimEnd('/').ToLowerInvariant();
private static string NormalizeScopeUrl(string siteUrl)
{
if (Uri.TryCreate(siteUrl, UriKind.Absolute, out var uri))
return $"{uri.Scheme}://{uri.Host}";
return siteUrl.TrimEnd('/');
}
}
Reference in New Issue View Git Blame Copy Permalink