Feature: Unconsent permissions

src/app/services/actions/autocomplete-action-creators.spec.ts

@@ -111,6 +111,11 @@ const mockState: IRootState = {
  pending: false,
  data: {},
  error: null
+ },
+ unconsentingScopes: {
+ pending: false,
+ data: [],
+ error: null
  }
 }
 

src/app/services/actions/permissions-action-creator.spec.ts

@@ -107,6 +107,11 @@ const mockState: IRootState = {
  pending: false,
  data: {},
  error: null
+ },
+ unconsentingScopes: {
+ pending: false,
+ data: [],
+ error: null
  }
 }
 const currentState = store.getState();

src/app/services/actions/permissions-action-creator.ts

@@ -10,20 +10,29 @@ import { sanitizeQueryUrl } from '../../utils/query-url-sanitization';
 import { parseSampleUrl } from '../../utils/sample-url-generation';
 import { translateMessage } from '../../utils/translate-messages';
 import { getConsentAuthErrorHint } from '../../../modules/authentication/authentication-error-hints';
-import { ACCOUNT_TYPE, PERMS_SCOPE } from '../graph-constants';
+import {
+ ACCOUNT_TYPE, DEFAULT_USER_SCOPES, GRAPH_URL, PERMS_SCOPE,
+ UNCONSENTING_PERMISSIONS_REQUIRED_SCOPES
+} from '../graph-constants';
 import {
  FETCH_SCOPES_ERROR,
  FETCH_FULL_SCOPES_PENDING,
  FETCH_URL_SCOPES_PENDING,
  FETCH_FULL_SCOPES_SUCCESS,
- FETCH_URL_SCOPES_SUCCESS
+ FETCH_URL_SCOPES_SUCCESS,
+ REVOKE_PERMISSION_PENDING,
+ REVOKE_PERMISSION_SUCCESS,
+ REVOKE_PERMISSION_ERROR
 } from '../redux-constants';
 import {
  getAuthTokenSuccess,
  getConsentedScopesSuccess
 } from './auth-action-creators';
 import { getProfileInfo } from './profile-action-creators';
 import { setQueryResponseStatus } from './query-status-action-creator';
+import { GraphClient } from '../graph-client';
+import { IQuery } from '../../../types/query-runner';
+import { makeGraphRequest, parseResponse } from './query-action-creator-util';
 
 export function fetchFullScopesSuccess(response: object): IAction {
  return {
@@ -50,6 +59,27 @@ export function fetchScopesError(response: object): IAction {
  };
 }
 
+export function revokePermissionPending(response: boolean): any {
+ return {
+ type: REVOKE_PERMISSION_PENDING,
+ response
+ }
+}
+
+export function revokePermissionSuccess(response: boolean): any {
+ return {
+ type: REVOKE_PERMISSION_SUCCESS,
+ response
+ }
+}
+
+export function revokePermissionError(response: object): any {
+ return {
+ type: REVOKE_PERMISSION_ERROR,
+ response
+ }
+}
+
 export function fetchScopes(): Function {
  return async (dispatch: Function, getState: Function) => {
  try {
@@ -142,3 +172,170 @@ export function consentToScopes(scopes: string[]): Function {
  }
  };
 }
+
+export function unconsentToScopes(permissionToDelete: string): Function {
+ return async (dispatch: Function, getState: Function) => {
+ const { consentedScopes, profile } = getState();
+ const requiredPermissions = UNCONSENTING_PERMISSIONS_REQUIRED_SCOPES.split(' ');
+ const defaultScopes = DEFAULT_USER_SCOPES.split(' ');
+ let response = null;
+
+ if (userUnconsentingToDefaultScopes(defaultScopes, permissionToDelete)) {
+ dispatch(
+ setQueryResponseStatus({
+ statusText: translateMessage('Default scope'),
+ status: translateMessage('Cannot delete default scope'),
+ ok: false,
+ messageType: MessageBarType.error
+ })
+ );
+ return;
+ }
+
+ if (!userHasRequiredPermissions(requiredPermissions, consentedScopes)) {
+ dispatch(
+ setQueryResponseStatus({
+ statusText: translateMessage('Unable to dissent'),
+ status: translateMessage('You require the following permissions to unconsent'),
+ ok: false,
+ messageType: MessageBarType.error
+ })
+ );
+ return;
+ }
+
+ try {
+ if (!consentedScopes && consentedScopes.length < 1) {
+ return;
+ }
+
+ const newScopesArray: string[] = (consentedScopes.filter((scope: string) => scope !== permissionToDelete));
+ const newScopesString = newScopesArray.join(' ');
+
+ const servicePrincipalAppId = await getCurrentAppId(consentedScopes);
+ response = await getPermissionGrant(consentedScopes, servicePrincipalAppId, profile.id);
+ const permissionGrantId = response.id;
+
+ await revokePermission(consentedScopes, permissionGrantId, newScopesString);
+
+ response = await getPermissionGrant(consentedScopes, servicePrincipalAppId, profile.id);
+ const updatedScopes = response.scope.split(' ');
+
+ if (updatedScopes.length !== newScopesArray.length) {
+ return;
+ }
+
+ const authResponse = await getNewAuthObject(updatedScopes);
+ console.log('We have the authentication response. Now going back')
+
+ if (authResponse && authResponse.accessToken) {
+ console.log('We are here now after getting the auth results')
+ dispatch(getAuthTokenSuccess(true));
+ dispatch(getConsentedScopesSuccess(authResponse.scopes));
+ dispatch(revokePermissionSuccess(true));
+ dispatch(
+ setQueryResponseStatus({
+ statusText: translateMessage('Success'),
+ status: translateMessage('Permission unconsented'),
+ ok: true,
+ messageType: MessageBarType.success
+ })
+ );
+ // if (authResponse.account && authResponse.account.localAccountId !== profile?.id) {
+ // dispatch(getProfileInfo());
+ // }
+ }
+
+ }
+ catch (error: any) {
+ dispatch(revokePermissionError(error));
+ dispatch(
+ setQueryResponseStatus({
+ statusText: translateMessage('Unable to dissent'),
+ // eslint-disable-next-line max-len
+ status: error ? error : translateMessage('An error was encountered when dissenting. Confirm that you have the right permissions'),
+ ok: false,
+ messageType: MessageBarType.error
+ })
+ );
+ }
+ }
+}
+
+const getQuery: IQuery = {
+ selectedVerb: 'GET',
+ sampleHeaders: [
+ {
+ name: 'Cache-Control',
+ value: 'no-cache'
+ }
+ ],
+ selectedVersion: '',
+ sampleUrl: ''
+};
+
+const patchQuery: IQuery = {
+ selectedVerb: 'PATCH',
+ sampleHeaders: [
+ {
+ name: 'Cache-Control',
+ value: 'no-cache'
+ }
+ ],
+ selectedVersion: '',
+ sampleUrl: ''
+};
+
+const userHasRequiredPermissions = (requiredPermissions: string[],
+ consentedScopes: string[]) => {
+ return requiredPermissions.every(scope => consentedScopes.includes(scope));
+}
+
+const userUnconsentingToDefaultScopes = (currentScopes: string[], permissionToDelete: string) => {
+ return currentScopes.includes(permissionToDelete);
+}
+
+const getCurrentAppId = async (scopes: string[]) => {
+ const currentAppId = process.env.REACT_APP_CLIENT_ID;
+ getQuery.sampleUrl = `${GRAPH_URL}/v1.0/servicePrincipals?$filter=appId eq '${currentAppId}'`;
+ const response = await getPermissionResponse(scopes, getQuery);
+ return response.value[0].id;
+}
+const revokePermission = async (oldScopes: string[], permissionGrantId: string, newScopes: string) => {
+ patchQuery.sampleUrl = `${GRAPH_URL}/v1.0/oauth2PermissionGrants/${permissionGrantId}`;
+ patchQuery.sampleBody = JSON.stringify({
+ scope: newScopes
+ });
+ await getPermissionResponse(oldScopes, patchQuery);
+}
+
+const getPermissionGrant = async (scopes: string[], servicePrincipalAppId: string, principalid: string) => {
+ getQuery.sampleUrl = `${GRAPH_URL}/v1.0/oauth2PermissionGrants?$filter=clientId eq '${servicePrincipalAppId}'`;
+ const response = await getPermissionResponse(scopes, getQuery);
+
+ if (response && response.value.length > 1) {
+ const filteredResponse = response.value.filter((permissionGrant: any) =>
+ permissionGrant.principalId === principalid);
+ return filteredResponse[0];
+ }
+ return response.value[0];
+}
+
+const getPermissionResponse = async (scopes: string[], query: IQuery) => {
+ const respHeaders: any = {};
+ const response = await makeGraphRequest(scopes)(query);
+ return parseResponse(response, respHeaders);
+}
+
+const getNewAuthObject = async (updatedScopes: string[]) => {
+ let authResponse = await authenticationWrapper.consentToScopes(updatedScopes);
+ let count = 4;
+
+ while ((authResponse.scopes.length !== updatedScopes.length) && count > 0) {
+ authResponse = await authenticationWrapper.consentToScopes(updatedScopes);
+ count--;
+ }
+
+ return authResponse;
+}
+

src/app/services/actions/query-action-creator-util.ts

@@ -96,6 +96,7 @@ function createAuthenticatedRequest(
  sampleHeaders[header.name] = header.value;
  });
  }
+ const updatedHeaders = { ...sampleHeaders, 'cache-control': 'no-cache', pragma: 'no-cache' }
 
  const msalAuthOptions: AuthCodeMSALBrowserAuthenticationProviderOptions = {
  account: authenticationWrapper.getAccount()!,
@@ -109,7 +110,7 @@ function createAuthenticatedRequest(
  return GraphClient.getInstance()
  .api(encodeHashCharacters(query))
  .middlewareOptions([middlewareOptions])
- .headers(sampleHeaders)
+ .headers(updatedHeaders)
  .responseType(ResponseType.RAW);
 }
 

src/app/services/actions/query-action-creators.ts

@@ -19,7 +19,7 @@ import {
 } from './query-action-creator-util';
 import { setQueryResponseStatus } from './query-status-action-creator';
 import { addHistoryItem } from './request-history-action-creators';
-
+//Boku9765
 export function runQuery(query: IQuery): Function {
  return (dispatch: Function, getState: Function) => {
  const tokenPresent = !!getState()?.authToken?.token;

src/app/services/actions/resource-explorer-action-creators.spec.ts

@@ -105,6 +105,11 @@ const mockState: IRootState = {
  pending: false,
  data: {},
  error: null
+ },
+ unconsentingScopes: {
+ pending: false,
+ data: [],
+ error: null
  }
 }
 

src/app/services/graph-constants.ts

@@ -28,3 +28,5 @@ export const MOZILLA_CORS_DOCUMENTATION_LINK =
  'https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS';
 export const USER_ORGANIZATION_URL = `${GRAPH_URL}/v1.0/organization`;
 export const NPS_FEEDBACK_URL = 'https://petrol.office.microsoft.com/v1/feedback';
+// eslint-disable-next-line max-len
+export const UNCONSENTING_PERMISSIONS_REQUIRED_SCOPES = 'DelegatedPermissionGrant.ReadWrite.All Directory.ReadWrite.All';

src/app/services/reducers/index.ts

@@ -8,7 +8,7 @@ import { dimensions } from './dimensions-reducers';
 import { graphExplorerMode } from './graph-explorer-mode-reducer';
 import { policies } from './ocps-reducers';
 import { permissionsPanelOpen } from './permissions-panel-reducer';
-import { scopes } from './permissions-reducer';
+import { scopes, unconsentingScopes } from './permissions-reducer';
 import { profile } from './profile-reducer';
 import { proxyUrl } from './proxy-url-reducer';
 import { sampleQuery } from './query-input-reducers';
@@ -45,6 +45,7 @@ export default combineReducers({
  sampleQuery,
  samples,
  scopes,
+ unconsentingScopes,
  sidebarProperties,
  snippets,
  termsOfUse,

src/app/services/reducers/permissions-reducer.ts

@@ -1,8 +1,9 @@
 import { IAction } from '../../../types/action';
-import { IPermissionsResponse, IScopes } from '../../../types/permissions';
+import { IPermissionsResponse, IScopes, IUnconsent } from '../../../types/permissions';
 import {
  FETCH_SCOPES_ERROR, FETCH_URL_SCOPES_PENDING, FETCH_FULL_SCOPES_SUCCESS,
- FETCH_URL_SCOPES_SUCCESS, FETCH_FULL_SCOPES_PENDING
+ FETCH_URL_SCOPES_SUCCESS, FETCH_FULL_SCOPES_PENDING,
+ REVOKE_PERMISSION_PENDING, REVOKE_PERMISSION_SUCCESS, REVOKE_PERMISSION_ERROR
 } from '../redux-constants';
 
 const initialState: IScopes = {
@@ -55,3 +56,35 @@ export function scopes(state: IScopes = initialState, action: IAction): any {
  return state;
  }
 }
+
+const unconsentInitialState: IUnconsent = {
+ pending: false,
+ error: null,
+ data: []
+}
+
+export function unconsentingScopes(state: IUnconsent = unconsentInitialState, action: IAction): any {
+ switch (action.type) {
+ case REVOKE_PERMISSION_PENDING:
+ return {
+ pending: action.response,
+ error: null,
+ data: []
+ }
+ case REVOKE_PERMISSION_SUCCESS:
+ return {
+ pending: false,
+ error: null,
+ data: action.response
+ }
+
+ case REVOKE_PERMISSION_ERROR:
+ return {
+ pending: false,
+ error: action.response,
+ data: []
+ }
+ default:
+ return state;
+ }
+}

src/app/services/redux-constants.ts

@@ -54,3 +54,6 @@ export const RESOURCEPATHS_ADD_SUCCESS = 'RESOURCEPATHS_ADD_SUCCESS';
 export const RESOURCEPATHS_DELETE_SUCCESS = 'RESOURCEPATHS_DELETE_SUCCESS';
 export const BULK_ADD_HISTORY_ITEMS_SUCCESS = 'BULK_ADD_HISTORY_ITEMS_SUCCESS';
 export const SET_SNIPPET_TAB_SUCCESS = 'SET_SNIPPET_TAB_SUCCESS';
+export const REVOKE_PERMISSION_PENDING = 'REVOKE_PERMISSION_PENDING';
+export const REVOKE_PERMISSION_SUCCESS = 'REVOKE_PERMISSION_SUCCESS';
+export const REVOKE_PERMISSION_ERROR = 'REVOKE_PERMISSION_ERROR';

src/app/views/authentication/Authentication.tsx

@@ -35,6 +35,7 @@ const Authentication = (props: any) => {
 
  try {
  const authResponse = await authenticationWrapper.logIn();
+ console.log('Here is the auth response ', authResponse);
  if (authResponse) {
  setLoginInProgress(false);
  dispatch(getAuthTokenSuccess(!!authResponse.accessToken));