Add support for checking minimal permissions for any API without APIC. …

…Closes #861 (#889)

dev-proxy-plugins/GraphUtils.cs

@@ -1,92 +1,92 @@
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-
-using System.Net.Http.Json;
-using Microsoft.DevProxy.Plugins.MinimalPermissions;
-using Microsoft.Extensions.Logging;
-using Titanium.Web.Proxy.Http;
-
-namespace Microsoft.DevProxy.Plugins;
-
-public class GraphUtils
-{
- // throttle requests per workload
- public static string BuildThrottleKey(Request r) => BuildThrottleKey(r.RequestUri);
-
- public static string BuildThrottleKey(Uri uri)
- {
- if (uri.Segments.Length < 3)
- {
- return uri.Host;
- }
-
- // first segment is /
- // second segment is Graph version (v1.0, beta)
- // third segment is the workload (users, groups, etc.)
- // segment can end with / if there are other segments following
- var workload = uri.Segments[2].Trim('/');
-
- // TODO: handle 'me' which is a proxy to other resources
-
- return workload;
- }
-
- internal static string GetScopeTypeString(PermissionsType type)
- {
- return type switch
- {
- PermissionsType.Application => "Application",
- PermissionsType.Delegated => "DelegatedWork",
- _ => throw new InvalidOperationException($"Unknown scope type: {type}")
- };
- }
-
- internal static async Task<IEnumerable<string>> UpdateUserScopesAsync(IEnumerable<string> minimalScopes, IEnumerable<(string method, string url)> endpoints, PermissionsType permissionsType, ILogger logger)
- {
- var userEndpoints = endpoints.Where(e => e.url.Contains("/users/{", StringComparison.OrdinalIgnoreCase));
- if (!userEndpoints.Any())
- {
- return minimalScopes;
- }
-
- var newMinimalScopes = new HashSet<string>(minimalScopes);
-
- var url = $"https://graphexplorerapi.azurewebsites.net/permissions?scopeType={GetScopeTypeString(permissionsType)}";
- using var httpClient = new HttpClient();
- var urls = userEndpoints.Select(e => {
- logger.LogDebug("Getting permissions for {method} {url}", e.method, e.url);
- return $"{url}&requesturl={e.url}&method={e.method}";
- });
- var tasks = urls.Select(u => {
- logger.LogTrace("Calling {url}...", u);
- return httpClient.GetFromJsonAsync<PermissionInfo[]>(u);
- });
- await Task.WhenAll(tasks);
-
- foreach (var task in tasks)
- {
- var response = await task;
- if (response is null)
- {
- continue;
- }
-
- // there's only one scope so it must be minimal already
- if (response.Length < 2)
- {
- continue;
- }
-
- if (newMinimalScopes.Contains(response[0].Value))
- {
- logger.LogDebug("Replacing scope {old} with {new}", response[0].Value, response[1].Value);
- newMinimalScopes.Remove(response[0].Value);
- newMinimalScopes.Add(response[1].Value);
- }
- }
-
- logger.LogDebug("Updated minimal scopes. Original: {original}, New: {new}", string.Join(", ", minimalScopes), string.Join(", ", newMinimalScopes));
-
- return newMinimalScopes;
- }
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Net.Http.Json;
+using Microsoft.DevProxy.Plugins.MinimalPermissions;
+using Microsoft.Extensions.Logging;
+using Titanium.Web.Proxy.Http;
+
+namespace Microsoft.DevProxy.Plugins;
+
+public class GraphUtils
+{
+ // throttle requests per workload
+ public static string BuildThrottleKey(Request r) => BuildThrottleKey(r.RequestUri);
+
+ public static string BuildThrottleKey(Uri uri)
+ {
+ if (uri.Segments.Length < 3)
+ {
+ return uri.Host;
+ }
+
+ // first segment is /
+ // second segment is Graph version (v1.0, beta)
+ // third segment is the workload (users, groups, etc.)
+ // segment can end with / if there are other segments following
+ var workload = uri.Segments[2].Trim('/');
+
+ // TODO: handle 'me' which is a proxy to other resources
+
+ return workload;
+ }
+
+ internal static string GetScopeTypeString(GraphPermissionsType type)
+ {
+ return type switch
+ {
+ GraphPermissionsType.Application => "Application",
+ GraphPermissionsType.Delegated => "DelegatedWork",
+ _ => throw new InvalidOperationException($"Unknown scope type: {type}")
+ };
+ }
+
+ internal static async Task<IEnumerable<string>> UpdateUserScopesAsync(IEnumerable<string> minimalScopes, IEnumerable<(string method, string url)> endpoints, GraphPermissionsType permissionsType, ILogger logger)
+ {
+ var userEndpoints = endpoints.Where(e => e.url.Contains("/users/{", StringComparison.OrdinalIgnoreCase));
+ if (!userEndpoints.Any())
+ {
+ return minimalScopes;
+ }
+
+ var newMinimalScopes = new HashSet<string>(minimalScopes);
+
+ var url = $"https://graphexplorerapi.azurewebsites.net/permissions?scopeType={GetScopeTypeString(permissionsType)}";
+ using var httpClient = new HttpClient();
+ var urls = userEndpoints.Select(e => {
+ logger.LogDebug("Getting permissions for {method} {url}", e.method, e.url);
+ return $"{url}&requesturl={e.url}&method={e.method}";
+ });
+ var tasks = urls.Select(u => {
+ logger.LogTrace("Calling {url}...", u);
+ return httpClient.GetFromJsonAsync<GraphPermissionInfo[]>(u);
+ });
+ await Task.WhenAll(tasks);
+
+ foreach (var task in tasks)
+ {
+ var response = await task;
+ if (response is null)
+ {
+ continue;
+ }
+
+ // there's only one scope so it must be minimal already
+ if (response.Length < 2)
+ {
+ continue;
+ }
+
+ if (newMinimalScopes.Contains(response[0].Value))
+ {
+ logger.LogDebug("Replacing scope {old} with {new}", response[0].Value, response[1].Value);
+ newMinimalScopes.Remove(response[0].Value);
+ newMinimalScopes.Add(response[1].Value);
+ }
+ }
+
+ logger.LogDebug("Updated minimal scopes. Original: {original}, New: {new}", string.Join(", ", minimalScopes), string.Join(", ", newMinimalScopes));
+
+ return newMinimalScopes;
+ }
 }

dev-proxy-plugins/MinimalPermissions/ApiOperation.cs

@@ -0,0 +1,11 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+namespace Microsoft.DevProxy.Plugins.MinimalPermissions;
+
+public class ApiOperation
+{
+ public required string Method { get; init; }
+ public required string OriginalUrl { get; init; }
+ public required string TokenizedUrl { get; init; }
+}

dev-proxy-plugins/MinimalPermissions/ApiPermissionError.cs

@@ -0,0 +1,10 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+namespace Microsoft.DevProxy.Plugins.MinimalPermissions;
+
+public class ApiPermissionError
+{
+ public required string Request { get; init; }
+ public required string Error { get; init; }
+}

dev-proxy-plugins/MinimalPermissions/ApiPermissionsInfo.cs

@@ -0,0 +1,13 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+namespace Microsoft.DevProxy.Plugins.MinimalPermissions;
+
+public class ApiPermissionsInfo
+{
+ public required List<string> TokenPermissions { get; init; }
+ public required List<ApiOperation> OperationsFromRequests { get; init; }
+ public required string[] MinimalScopes { get; init; }
+ public required string[] UnmatchedOperations { get; init; }
+ public required List<ApiPermissionError> Errors { get; init; }
+}

dev-proxy-plugins/MinimalPermissions/PermissionError.cs → dev-proxy-plugins/MinimalPermissions/GraphPermissionError.cs

@@ -1,10 +1,13 @@
-using System.Text.Json.Serialization;
-
-namespace Microsoft.DevProxy.Plugins.MinimalPermissions;
-
-internal class PermissionError
-{
- [JsonPropertyName("requestUrl")]
- public string Url { get; set; } = string.Empty;
- public string Message { get; set; } = string.Empty;
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Text.Json.Serialization;
+
+namespace Microsoft.DevProxy.Plugins.MinimalPermissions;
+
+internal class GraphPermissionError
+{
+ [JsonPropertyName("requestUrl")]
+ public string Url { get; set; } = string.Empty;
+ public string Message { get; set; } = string.Empty;
 }

dev-proxy-plugins/MinimalPermissions/PermissionInfo.cs → dev-proxy-plugins/MinimalPermissions/GraphPermissionInfo.cs

@@ -1,12 +1,15 @@
-namespace Microsoft.DevProxy.Plugins.MinimalPermissions;
-
-internal class PermissionInfo
-{
- public string Value { get; set; } = string.Empty;
- public string ScopeType { get; set; } = string.Empty;
- public string ConsentDisplayName { get; set; } = string.Empty;
- public string ConsentDescription { get; set; } = string.Empty;
- public bool IsAdmin { get; set; }
- public bool IsLeastPrivilege { get; set; }
- public bool IsHidden { get; set; }
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+namespace Microsoft.DevProxy.Plugins.MinimalPermissions;
+
+internal class GraphPermissionInfo
+{
+ public string Value { get; set; } = string.Empty;
+ public string ScopeType { get; set; } = string.Empty;
+ public string ConsentDisplayName { get; set; } = string.Empty;
+ public string ConsentDescription { get; set; } = string.Empty;
+ public bool IsAdmin { get; set; }
+ public bool IsLeastPrivilege { get; set; }
+ public bool IsHidden { get; set; }
 }

dev-proxy-plugins/MinimalPermissions/GraphPermissionsType.cs

@@ -0,0 +1,10 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+namespace Microsoft.DevProxy.Plugins.MinimalPermissions;
+
+public enum GraphPermissionsType
+{
+ Application,
+ Delegated
+}

dev-proxy-plugins/MinimalPermissions/RequestInfo.cs → dev-proxy-plugins/MinimalPermissions/GraphRequestInfo.cs

@@ -1,11 +1,14 @@
-
-using System.Text.Json.Serialization;
-
-namespace Microsoft.DevProxy.Plugins.MinimalPermissions;
-
-public class RequestInfo
-{
- [JsonPropertyName("requestUrl")]
- public string Url { get; set; } = string.Empty;
- public string Method { get; set; } = string.Empty;
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+
+using System.Text.Json.Serialization;
+
+namespace Microsoft.DevProxy.Plugins.MinimalPermissions;
+
+public class GraphRequestInfo
+{
+ [JsonPropertyName("requestUrl")]
+ public string Url { get; set; } = string.Empty;
+ public string Method { get; set; } = string.Empty;
 }

dev-proxy-plugins/MinimalPermissions/GraphResultsAndErrors.cs

@@ -0,0 +1,10 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+namespace Microsoft.DevProxy.Plugins.MinimalPermissions;
+
+internal class GraphResultsAndErrors
+{
+ public GraphPermissionInfo[]? Results { get; set; }
+ public GraphPermissionError[]? Errors { get; set; }
+}