feat: add custom blueprint permissions configuration and management #273
sellakumaran wants to merge 5 commits into main from
…Azure Bot Service naming rules

When long hostnames (e.g., ngrok free domains) are truncated to 42 characters for Azure Bot Service, they can end with trailing hyphens. Azure Bot Service rejects such names with InternalServerError.

Changes:
- EndpointHelper.GetEndpointName() now trims trailing hyphens after truncation
- Added input validation for null/whitespace endpoint names
- Fixed CleanupCommand to display truncated endpoint name in preview
- Added comprehensive test coverage (12 tests) including edge cases

Fixes endpoint registration failures for users with long messaging endpoint URLs.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Addresses review comment from ajmfehr on PR #257: Changed "Please use a shorter hostname" to "Please use a longer hostname" in the error message when endpoint name becomes too short after trimming.

Rationale: When an endpoint name becomes < 4 characters after trimming trailing hyphens, the user needs a LONGER original hostname to compensate, not a shorter one.

Example:
- Input: "abc----" → After trim: "abc" (3 chars, too short)
- Solution: Use longer hostname like "abcdef----" → "abcdef" (6 chars, valid)

All 12 EndpointHelper tests passing.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…ity fixes

## Feature: Custom Blueprint Permissions
- Add support for custom API permissions in agent blueprints
- Auto-resolve resource display names from Azure (eliminates manual "Resource Name" prompt)
- New `a365 setup permissions custom` command
- New `a365 config init --custom-blueprint-permissions` management commands
- Comprehensive validation with GUID format checks and duplicate scope detection
- Integration with `a365 setup all` workflow

## Bug Fix: Graph API Error
- Fix "Agent Blueprints are not supported on the API version used" error
- Change addToRequiredResourceAccess from true to false (matches CopilotStudio/MCP pattern)
- Inheritable permissions now configure correctly without Graph API errors

## Code Quality Improvements (12 fixes from code review)

Security & Reliability:
- Add HttpResponseMessage disposal with using statements
- Add GUID validation to prevent OData injection in service principal lookups
- Add safe substring operations with null/length checks in fallback name generation
- Fix duplicate error logging when re-throwing exceptions

Maintainability:
- Add WithCustomBlueprintPermissions() helper to eliminate config reconstruction anti-pattern
- Add --force flag for non-interactive permission updates
- Add early validation for empty/whitespace scope inputs
- Fix inconsistent null handling in Scopes property with setter null protection
- Extract magic strings to constants in fallback resource names

Documentation:
- Add complete XML documentation with 10 parameter descriptions
- Remove redundant test comments
- Add trailing commas for consistency

## Files Modified
- 7 new/modified documentation files
- 12 source files (commands, models, services)
- 4 test files with 6 new unit tests

## Test Results
- ✅ 992 tests passing (6 new tests for custom permissions)
- ✅ Build: 0 warnings, 0 errors
- ✅ All critical/high priority issues resolved

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned Files: None
Pull request overview
This pull request introduces comprehensive support for configuring and managing custom API permissions (custom blueprint permissions) for agent blueprints in Agent 365. The feature enables users to grant additional Microsoft Graph scopes (Presence, Files, Chat) and custom API permissions beyond the standard agent operation requirements.
Changes:
- Added new CLI options to `a365 config init` command for managing custom blueprint permissions with parameter-based configuration (`--custom-blueprint-permissions`, `--resourceAppId`, `--scopes`, `--reset`, `--force`)
- Implemented `a365 setup permissions custom` subcommand with auto-lookup of resource names, validation, and integration with the existing setup workflow
- Enhanced endpoint name handling to comply with Azure Bot Service naming constraints (42 character limit, no trailing hyphens)
- Comprehensive test coverage including unit tests for validation, configuration, and service interactions
- Detailed documentation covering usage, configuration, validation, error handling, and best practices
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| EndpointHelperTests.cs | Tests for endpoint name truncation, hyphen trimming, and validation |
| GraphApiServiceTests.cs | Tests for service principal display name lookup functionality |
| CustomResourcePermissionTests.cs | Comprehensive validation tests for custom permission model |
| Agent365ConfigTests.cs | Tests for config validation with custom permissions including duplicates |
| PermissionsSubcommandTests.cs | Tests for custom permissions command integration |
| EndpointHelper.cs | Enhanced endpoint name handling with validation and hyphen trimming |
| GraphApiService.cs | Added GetServicePrincipalDisplayNameAsync with GUID validation and proper disposal |
| CustomResourcePermission.cs | New model with validation for resource app ID, scopes, and duplicates |
| Agent365Config.cs | Added CustomBlueprintPermissions property with validation and WithCustomBlueprintPermissions helper |
| SetupResults.cs | Added tracking for custom permissions configuration state |
| SetupHelpers.cs | Updated setup summary to display custom permissions status |
| PermissionsSubcommand.cs | Implemented CreateCustomSubcommand and ConfigureCustomPermissionsAsync with auto-lookup |
| AllSubcommand.cs | Integrated custom permissions into the setup all workflow |
| ConfigCommand.cs | Added parameter-based custom permissions management with validation and confirmation |
| CleanupCommand.cs | Improved endpoint cleanup logging to show actual truncated endpoint name |
| design.md | Documented custom blueprint permissions feature architecture and usage |
| setup-permissions-custom.md | Comprehensive command documentation with examples and troubleshooting |
| integration-test-workflow.md | Added integration tests for custom permissions configuration and verification |
| Readme-Usage.md | Updated usage documentation with custom permissions examples |
src/Microsoft.Agents.A365.DevTools.Cli/Commands/ConfigCommand.cs
Outdated
Changed the _scopes field in CustomResourcePermission to a public Scopes property with getter and setter. The setter ensures null values are replaced with an empty list, allowing safe external access and modification of scopes.
Docs clarify that resource name is not prompted or required during `a365 config init --custom-blueprint-permissions`; it is now set to null and auto-resolved during setup. Updated sample config and validation requirements to reflect this. Minor code refactor in ConfigCommand.cs to adjust validation order.
| using FluentAssertions; | ||
| using Microsoft.Agents.A365.DevTools.Cli.Exceptions; | ||
| using Microsoft.Agents.A365.DevTools.Cli.Services.Helpers; | ||
| using Xunit; |
The test project has global using enabled for Xunit via the project file configuration. The explicit using Xunit; statement on line 7 is redundant and should be removed to align with the codebase convention of using global usings for test frameworks.
| using Xunit; |
|
|
||
| using FluentAssertions; | ||
| using Microsoft.Agents.A365.DevTools.Cli.Models; | ||
| using Xunit; |
The test project has global using enabled for Xunit via the project file configuration. The explicit using Xunit; statement on line 6 is redundant and should be removed to align with the codebase convention of using global usings for test frameworks.
| using Xunit; |
| ### Error: Invalid Permission Configuration | ||
|
|
||
| ``` | ||
| ERROR: Invalid custom permission configuration: resourceAppId must be a valid GUID, resourceName is required, At least one scope is required |
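Review bot: in the sample error on the last line, the three validation failures are joined with commas and the third one starts with a capital "At", so a reader cannot tell where one message ends and the next begins. Separate the individual failures with semicolons or show one per line, and keep the sample in step with the strings the validator actually emits so users can search the docs for the exact text they see.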
The error message example is inconsistent with the actual behavior. According to the code and documentation, resourceName is optional and will be auto-resolved during setup. The error message should not include "resourceName is required". Consider updating this example to reflect the actual validation errors or add a note clarifying that this is a hypothetical example that may not reflect all actual error messages.
| ERROR: Invalid custom permission configuration: resourceAppId must be a valid GUID, resourceName is required, At least one scope is required | |
| ERROR: Invalid custom permission configuration: resourceAppId must be a valid GUID, At least one scope is required |
This pull request introduces comprehensive support for configuring and managing custom API permissions ("custom blueprint permissions") for agent blueprints in Agent 365. The changes add new CLI options, update documentation, and enhance integration test coverage to enable users to specify, view, and reset custom permissions for both Microsoft Graph and custom APIs. The implementation ensures validation, idempotency, and user-friendly feedback throughout the workflow.
Key changes include:
CLI Enhancements for Custom Blueprint Permissions
- `a365 config init` command: `--custom-blueprint-permissions`, `--resourceAppId`, `--scopes`, `--reset`, and `--force`, allowing users to add, update, view, or clear custom API permissions directly from the CLI.

Documentation Updates
- `Readme-Usage.md` to cover custom blueprint permissions configuration, setup, and reset workflows, with CLI command examples and links to detailed guides.

Integration Test Workflow Improvements
- `integration-test-workflow.md` for configuring, applying, and verifying custom blueprint permissions, including auto-lookup of resource names, Azure Portal validation, and Graph API verification of inheritable permissions.

Other Improvements
These changes provide a robust and user-friendly workflow for managing custom API permissions, supporting advanced agent scenarios and improving overall configuration transparency.
Closes #194