Task: use kibali for permissions

PermissionsService/PermissionsService.csproj

@@ -8,6 +8,7 @@
     <PackageReference Include="Microsoft.Extensions.Caching.Abstractions" Version="8.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.0" />
+    <PackageReference Include="Microsoft.Graph.Kibali" Version="0.15.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
   </ItemGroup>
 

PermissionsService/Services/PermissionsStore.cs

@@ -5,12 +5,14 @@
 using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
+using System.IO;
 using System.Linq;
 using System.Net.Http;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using FileService.Common;
 using FileService.Interfaces;
+using Kibali;
 using Microsoft.ApplicationInsights;
 using Microsoft.ApplicationInsights.DataContracts;
 using Microsoft.Extensions.Caching.Memory;
@@ -35,7 +37,7 @@ public class PermissionsStore : IPermissionsStore
         private readonly Dictionary<string, string> _permissionsTracePropertiesWithSanitizeIgnore =
             new() { { UtilityConstants.TelemetryPropertyKey_Permissions, nameof(PermissionsStore) },
                     { UtilityConstants.TelemetryPropertyKey_SanitizeIgnore, nameof(PermissionsStore) } };
-        private readonly Dictionary<ScopeType, string> permissionDescriptionGroups = 
+        private readonly Dictionary<ScopeType, string> permissionDescriptionGroups =
             new() { { ScopeType.DelegatedWork, Delegated },
                     { ScopeType.DelegatedPersonal, Delegated },
                     { ScopeType.Application, Application } };
@@ -63,7 +65,7 @@ public UriTemplateMatcher UriTemplateMatcher
             public Dictionary<int, Dictionary<string, Dictionary<ScopeType, SchemePermissions>>> PathPermissions
             {
                 get; set;
-            } = new ();
+            } = new();
         }
 
         public PermissionsStore(IConfiguration configuration, IHttpClientUtility httpClientUtility,
@@ -95,6 +97,35 @@ public PermissionsStore(IConfiguration configuration, IHttpClientUtility httpCli
                 return permissionsData;
             });
 
+        private Task<PermissionsDocument> LoadDocument =>
+            _cache.GetOrCreateAsync("Permissionsdocument", async entry =>
+            {
+                _telemetryClient?.TrackTrace($"Fetching permissions from file source '{_permissionsBlobName}'",
+                             SeverityLevel.Information,
+                             _permissionsTracePropertiesWithSanitizeIgnore);
+                PermissionsDocument permissionsDocument;
+
+                try
+                {
+                    var permissions = @"https://raw.githubusercontent.com/microsoftgraph/microsoft-graph-devx-content/dev/permissions/new/permissions.json";
+                    using HttpClient client = new HttpClient();
+                    var response = await client.GetAsync(permissions);
+                    response.EnsureSuccessStatusCode();
+                    var fileStream = await response.Content.ReadAsStreamAsync();
+                    permissionsDocument = PermissionsDocument.Load(fileStream);
+
+                    entry.AbsoluteExpirationRelativeToNow = permissionsDocument is not null ? TimeSpan.FromHours(_defaultRefreshTimeInHours) : TimeSpan.FromMilliseconds(1);
+                }
+                catch (Exception exception)
+                {
+
+                    _telemetryClient?.TrackException(exception);
+                    permissionsDocument = null;
+                }
+                return permissionsDocument;
+
+            });
+
         /// <summary>
         /// Populates the template table with the request urls and the scopes table with the permission scopes.
         /// </summary>
@@ -110,14 +141,15 @@ private async Task<PermissionsDataInfo> LoadPermissionsDataAsync()
 
                 // Get file contents from source
                 string relativePermissionPath = FileServiceHelper.GetLocalizedFilePathSource(_permissionsContainerName, _permissionsBlobName);
+
                 string permissionsJson = await _fileUtility.ReadFromFile(relativePermissionPath);
                 var fetchedPermissions = JsonConvert.DeserializeObject<Dictionary<string, Dictionary<string, Dictionary<ScopeType, SchemePermissions>>>>(permissionsJson);
 
                 _telemetryClient?.TrackTrace("Finished fetching permissions from file",
                                          SeverityLevel.Information,
                                          _permissionsTraceProperties);
 
-                
+
                 int count = 0;
                 var urlTemplateMatcher = new UriTemplateMatcher();
                 var pathPermissions = new Dictionary<int, Dictionary<string, Dictionary<ScopeType, SchemePermissions>>>();
@@ -137,7 +169,7 @@ private async Task<PermissionsDataInfo> LoadPermissionsDataAsync()
                     urlTemplateMatcher.Add(count.ToString(), requestUrl);
 
                     // Add the permission scopes for path
-                    pathPermissions.Add(count, fetchedPermissions[key]);                    
+                    pathPermissions.Add(count, fetchedPermissions[key]);
                 }
 
                 permissionsData = new PermissionsDataInfo()
@@ -157,7 +189,7 @@ private async Task<PermissionsDataInfo> LoadPermissionsDataAsync()
             }
 
             return permissionsData;
-        }       
+        }
 
         /// <summary>
         /// Gets or creates the localized permissions descriptions from the cache.
@@ -316,10 +348,13 @@ public async Task<PermissionResult> GetScopesAsync(List<RequestInfo> requests =
                                                    string org = null,
                                                    string branchName = null)
         {
-            var permissionsData = await PermissionsData;
-            if (permissionsData?.PathPermissions == null)
+            var permissionsDocument = await LoadDocument;
+            if (permissionsDocument == null)
                 throw new InvalidOperationException("Failed to fetch permissions");
 
+            var authZChecker = new AuthZChecker();
+            authZChecker.Load(permissionsDocument);
+
             var scopes = new List<ScopeInformation>();
             var errors = new List<PermissionError>();
 
@@ -340,10 +375,26 @@ await Parallel.ForEachAsync(uniqueRequests, async (request, _) =>
                 {
                     try
                     {
-                        var scopesForUrl = await GetScopesForRequestUrlAsync(request.RequestUrl, request.HttpMethod, scopeType);
-                        if (scopesForUrl == null || !scopesForUrl.Any())
-                            throw new InvalidOperationException($"Permissions information for '{request.HttpMethod} {request.RequestUrl}' was not found.");
+                        var resource = authZChecker.FindResource(request.RequestUrl);
 
+                        if (resource == null)
+                            throw new InvalidOperationException($"Permissions information for '{request.HttpMethod} {request.RequestUrl}' was not found.");
+                        var leastPrivilege = resource.FetchLeastPrivilege(request.HttpMethod);
+                        leastPrivilege.TryGetValue(request.HttpMethod, out var methodPermissions);
+                        methodPermissions.TryGetValue(scopeType.ToString(), out var leastPrivilegedPermissions);
+                        IEnumerable<ScopeInformation> scopesForUrl = new List<ScopeInformation>
+                        {
+                            new ScopeInformation
+                            {
+                                Description = "",
+                                DisplayName = "",
+                                IsAdmin = false,
+                                IsHidden = false,
+                                IsLeastPrivilege = true,
+                                ScopeName = leastPrivilegedPermissions.First(),
+                                ScopeType = scopeType
+                            }
+                        };
                         scopesByRequestUrl.TryAdd($"{request.HttpMethod} {request.RequestUrl}", scopesForUrl);
                     }
                     catch (Exception exception)
@@ -385,11 +436,11 @@ await Parallel.ForEachAsync(uniqueRequests, async (request, _) =>
 
             // Get consent display name and description
             var scopesInfo = GetAdditionalScopesInformation(
-                scopesInformationDictionary, 
+                scopesInformationDictionary,
                 scopes.DistinctBy(static x => $"{x.ScopeName}{x.ScopeType}", StringComparer.OrdinalIgnoreCase).ToList(),
-                scopeType, 
+                scopeType,
                 getAllScopes);
-            
+
             // exclude hidden permissions unless stated otherwise
             scopesInfo = scopesInfo.Where(x => includeHidden || !x.IsHidden).ToList();
 
@@ -401,9 +452,9 @@ await Parallel.ForEachAsync(uniqueRequests, async (request, _) =>
                 });
             }
 
-            _telemetryClient?.TrackTrace(requests == null || !requests.Any() ? 
-                "Return all permissions" : $"Return permissions for '{string.Join(", ", requests.Select(x => x.RequestUrl))}'", 
-                SeverityLevel.Information, 
+            _telemetryClient?.TrackTrace(requests == null || !requests.Any() ?
+                "Return all permissions" : $"Return permissions for '{string.Join(", ", requests.Select(x => x.RequestUrl))}'",
+                SeverityLevel.Information,
                 _permissionsTraceProperties);
 
             return new PermissionResult()
@@ -430,92 +481,6 @@ private async Task<IEnumerable<ScopeInformation>> GetAllScopesAsync(ScopeType? s
             return scopes;
         }
 
-        private async Task<IEnumerable<ScopeInformation>> GetScopesForRequestUrlAsync(string requestUrl,
-                                                              string method,
-                                                              ScopeType? scopeType = null)
-        {
-            if (string.IsNullOrEmpty(requestUrl))
-                throw new InvalidOperationException("The request URL cannot be null or empty.");
-
-            if (string.IsNullOrEmpty(method))
-                throw new InvalidOperationException("The HTTP method value cannot be null or empty.");
-
-            var permissionsData = await PermissionsData;
-
-            requestUrl = CleanRequestUrl(requestUrl);
-
-            var resultMatch = permissionsData.UriTemplateMatcher.Match(new Uri(requestUrl, UriKind.RelativeOrAbsolute));
-
-            if (resultMatch is null)
-            {
-                _telemetryClient?.TrackTrace($"Url '{requestUrl}' not found", SeverityLevel.Error, _permissionsTraceProperties);
-                return Enumerable.Empty<ScopeInformation>();
-            }
-
-            if (!int.TryParse(resultMatch.Key, out int key))
-                throw new InvalidOperationException($"Failed to parse '{resultMatch.Key}' to int.");
-
-            if (!permissionsData.PathPermissions.TryGetValue(key, out var pathPermissions))
-            {
-                _telemetryClient?.TrackTrace($"Permissions information for {requestUrl} were not found.", SeverityLevel.Error, _permissionsTraceProperties);
-                return Enumerable.Empty<ScopeInformation>();
-            }
-
-            if (pathPermissions == null)
-            {
-                _telemetryClient?.TrackTrace($"Key '{permissionsData.PathPermissions[key]}' in the {nameof(permissionsData.PathPermissions)} has a null value.",
-                                             SeverityLevel.Error,
-                                             _permissionsTraceProperties);
-
-                return Enumerable.Empty<ScopeInformation>();
-            }
-
-            var scopes = pathPermissions
-                .Where(x => x.Key.Equals(method, StringComparison.OrdinalIgnoreCase))
-                .SelectMany(static x => x.Value)
-                .Where(x => scopeType == null || x.Key == scopeType)
-                .SelectMany(x => x.Value.AllPermissions,
-                    (x, permission) => new ScopeInformation
-                    {
-                        ScopeType = x.Key,
-                        ScopeName = permission,
-                        IsLeastPrivilege = x.Value.LeastPrivilegePermissions.Contains(permission)
-                    })
-                .DistinctBy(static x => $"{x.ScopeName}{x.ScopeType}", StringComparer.OrdinalIgnoreCase);
-
-            return scopes;
-        }
-
-        /// <summary>
-        /// Cleans up the request url by applying string formatting operations
-        /// on the target value in line with the expected standardized output value.
-        /// </summary>
-        /// <remarks>The expected standardized output value is the request url value
-        /// format as captured in the permissions doc. This is to ensure efficacy
-        /// of the uri template matching.</remarks>
-        /// <param name="requestUrl">The target request url string value.</param>
-        /// <returns>The target request url formatted to the expected standardized
-        /// output value.</returns>
-        private static string CleanRequestUrl(string requestUrl)
-        {
-            if (string.IsNullOrEmpty(requestUrl))
-            {
-                return requestUrl;
-            }
-
-            requestUrl = requestUrl.BaseUriPath() // remove any query params
-                                   .UriTemplatePathFormat(true)
-                                   .RemoveParentheses();
-
-            /* Remove ${value} segments from paths,
-             * ex: /me/photo/$value --> $value or /applications/{application-id}/owners/$ref --> $ref
-             * Because these segments are not accounted for in the permissions doc.
-             * ${value} segments will always appear as the last segment in a path.
-            */
-            return Regex.Replace(requestUrl, @"(\$.*)", string.Empty, RegexOptions.None, TimeSpan.FromSeconds(5))
-                        .TrimEnd('/')
-                        .ToLowerInvariant();
-        }
 
         /// <summary>
         /// Retrieves the scopes information for a given list of scopes.
@@ -550,15 +515,15 @@ private List<ScopeInformation> GetAdditionalScopesInformation(IDictionary<string
                 if (scopesInformationDictionary[schemeKey].TryGetValue(scope.ScopeName, out var scopeInfo))
                 {
                     return new ScopeInformation()
-                        {
-                            ScopeName = scopeInfo.ScopeName,
-                            DisplayName = scopeInfo.DisplayName,
-                            IsAdmin = scopeInfo.IsAdmin,
-                            IsHidden = scopeInfo.IsHidden,
-                            Description = scopeInfo.Description,
-                            ScopeType = scope.ScopeType,
-                            IsLeastPrivilege = scope.IsLeastPrivilege
-                        };                  
+                    {
+                        ScopeName = scopeInfo.ScopeName,
+                        DisplayName = scopeInfo.DisplayName,
+                        IsAdmin = scopeInfo.IsAdmin,
+                        IsHidden = scopeInfo.IsHidden,
+                        Description = scopeInfo.Description,
+                        ScopeType = scope.ScopeType,
+                        IsLeastPrivilege = scope.IsLeastPrivilege
+                    };
                 }
                 return scope;
             }).ToList();