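        /// <summary>
        /// Fetches a single user from Microsoft Graph (beta <c>/users/{id}</c> endpoint) using an
        /// application access token obtained from <c>AccessTokenFetcher</c>.
        /// </summary>
        /// <param name="query">
        /// The user id or principal name used as the final path segment of the Graph request. The value is
        /// percent-encoded before use so that characters such as '/', '?' or '#' cannot change the
        /// resource being requested.
        /// </param>
        /// <returns>The parsed JSON user object, or <c>null</c> when Graph answers 404 Not Found.</returns>
        /// <exception cref="ArgumentException"><paramref name="query"/> is null, empty or white space.</exception>
        /// <exception cref="InvalidOperationException">Graph answers 403 Forbidden (the identity lacks Directory.Read.All).</exception>
        /// <exception cref="HttpRequestException">Graph answers any other non-success status.</exception>
        public async Task <dynamic> GetUserFromGraph(string query)
        {
            // an empty segment would address /users/ (the user collection) instead of a single user
            if (string.IsNullOrWhiteSpace(query))
            {
                throw new ArgumentException("A user id or principal name is required.", nameof(query));
            }

            // get an access token
            var accessToken = await AccessTokenFetcher.GetAccessToken("https://graph.microsoft.com", "GRAPH");

            // encode the caller-supplied value as exactly one path segment
            var userSegment = Uri.EscapeDataString(query);

            // get the user info
            using (var request = new HttpRequestMessage(HttpMethod.Get, new Uri($"https://graph.microsoft.com/beta/users/{userSegment}")))
            {
                request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);
                using (var response = await this.HttpClient.SendAsync(request))
                {
                    // the body is read up front so it can be included in error messages
                    var raw = await response.Content.ReadAsStringAsync();

                    if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
                    {
                        return null;
                    }
                    if (response.StatusCode == System.Net.HttpStatusCode.Forbidden)
                    {
                        throw new InvalidOperationException($"{nameof(GetUserFromGraph)}: the auth identity does not have the Directory.Read.All right");
                    }
                    if (!response.IsSuccessStatusCode)
                    {
                        throw new HttpRequestException($"{nameof(GetUserFromGraph)}: HTTP {(int)response.StatusCode} - {raw}");
                    }

                    dynamic json = JObject.Parse(raw);
                    return json;
                }
            }
        }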
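        /// <summary>
        /// Reads the <c>accountEnabled</c> flag of a user from Microsoft Graph (beta).
        /// </summary>
        /// <param name="userId">
        /// The user id or principal name used as a path segment of the Graph request. It is percent-encoded
        /// before use so that characters such as '/', '?' or '#' cannot alter the path or inject query parameters.
        /// </param>
        /// <returns><c>true</c> when Graph reports the account as enabled, otherwise <c>false</c>.</returns>
        /// <exception cref="ArgumentException"><paramref name="userId"/> is null, empty or white space.</exception>
        /// <exception cref="InvalidOperationException">Graph answers 403 Forbidden (the identity lacks Directory.Read.All).</exception>
        /// <exception cref="HttpRequestException">Graph answers any other non-success status (including 404 for an unknown user).</exception>
        private async Task <bool> IsUserEnabled(string userId)
        {
            // an empty segment would address the user collection instead of a single user
            if (string.IsNullOrWhiteSpace(userId))
            {
                throw new ArgumentException("A user id is required.", nameof(userId));
            }

            // get an access token
            var accessToken = await AccessTokenFetcher.GetAccessToken("https://graph.microsoft.com", "GRAPH");

            // encode the caller-supplied value as exactly one path segment
            var userSegment = Uri.EscapeDataString(userId);

            // check for enabled; only the one property is requested
            using (var request = new HttpRequestMessage(HttpMethod.Get, new Uri($"https://graph.microsoft.com/beta/users/{userSegment}?$select=accountEnabled")))
            {
                request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);
                using (var response = await this.HttpClient.SendAsync(request))
                {
                    // the body is read up front so it can be included in error messages
                    var raw = await response.Content.ReadAsStringAsync();

                    if (response.StatusCode == System.Net.HttpStatusCode.Forbidden)
                    {
                        throw new InvalidOperationException($"{nameof(IsUserEnabled)}: the auth identity does not have the Directory.Read.All right");
                    }
                    if (!response.IsSuccessStatusCode)
                    {
                        throw new HttpRequestException($"{nameof(IsUserEnabled)}: HTTP {(int)response.StatusCode} - {raw}");
                    }

                    dynamic json = JObject.Parse(raw);
                    return (bool)json.accountEnabled;
                }
            }
        }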
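        /// <summary>
        /// Resolves the application roles a user holds in the applications listed in
        /// <c>CasConfig.AzureApplicationIds</c>. The role catalogue of each configured application is read
        /// first, then the user's <c>appRoleAssignments</c> are mapped onto it.
        /// </summary>
        /// <param name="userId">
        /// The user id or principal name used as a path segment of the Graph request. It is percent-encoded
        /// before use so that characters such as '/', '?' or '#' cannot change the resource being requested.
        /// </param>
        /// <returns>
        /// One <c>RoleAssignments</c> entry per configured application the user has at least one role in.
        /// Empty when no application ids are configured or when Graph answers 404 for the user.
        /// </returns>
        /// <exception cref="ArgumentException"><paramref name="userId"/> is null, empty or white space.</exception>
        /// <exception cref="InvalidOperationException">The application lookup answers 403 Forbidden (the identity lacks Directory.Read.All).</exception>
        /// <exception cref="HttpRequestException">Either Graph call answers another non-success status.</exception>
        private async Task <List <RoleAssignments> > GetRoleAssignments(string userId)
        {
            var assignments = new List <RoleAssignments>();

            // get the list of applications to consider for roles; nothing configured means nothing to resolve
            var appIds = CasConfig.AzureApplicationIds;
            if (appIds == null || !appIds.Any())
            {
                return assignments;
            }

            // an empty segment would address the user collection instead of a single user
            if (string.IsNullOrWhiteSpace(userId))
            {
                throw new ArgumentException("A user id is required.", nameof(userId));
            }

            // get an access token
            var accessToken = await AccessTokenFetcher.GetAccessToken("https://graph.microsoft.com", "GRAPH");

            // lookup all specified applications (appId -> role id -> role name)
            //   NOTE: a 403 Forbidden means Directory.Read.All has not been granted to the identity
            //   NOTE: a single quote inside an OData string literal is escaped by doubling it, so a
            //         configured id cannot break out of its quoted literal
            var apps    = new List <AppRoles>();
            var clauses = appIds.Select(appId =>
            {
                var literal = $"{appId}".Replace("'", "''");
                return $"appId eq '{literal}'";
            });
            var filter = "$filter=" + string.Join(" or ", clauses);
            var select = "$select=appId,appRoles";

            using (var request = new HttpRequestMessage(HttpMethod.Get, new Uri($"https://graph.microsoft.com/beta/applications/?{filter}&{select}")))
            {
                request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);
                using (var response = await this.HttpClient.SendAsync(request))
                {
                    // the body is read up front so it can be included in error messages
                    var raw = await response.Content.ReadAsStringAsync();

                    if (response.StatusCode == System.Net.HttpStatusCode.Forbidden)
                    {
                        throw new InvalidOperationException($"{nameof(GetRoleAssignments)}: the auth identity does not have the Directory.Read.All right");
                    }
                    if (!response.IsSuccessStatusCode)
                    {
                        throw new HttpRequestException($"{nameof(GetRoleAssignments)}: HTTP {(int)response.StatusCode} - {raw}");
                    }

                    dynamic json = JObject.Parse(raw);
                    foreach (dynamic value in (JArray)json.value)
                    {
                        var app = new AppRoles()
                        {
                            AppId = (string)value.appId
                        };
                        foreach (dynamic appRole in value.appRoles)
                        {
                            app.Roles.Add((string)appRole.id, (string)appRole.value);
                        }
                        apps.Add(app);
                    }
                }
            }

            // get the roles that the user is in; the id is encoded as exactly one path segment
            var userSegment = Uri.EscapeDataString(userId);

            using (var request = new HttpRequestMessage(HttpMethod.Get, new Uri($"https://graph.microsoft.com/beta/users/{userSegment}/appRoleAssignments")))
            {
                request.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);
                using (var response = await this.HttpClient.SendAsync(request))
                {
                    var raw = await response.Content.ReadAsStringAsync();

                    if (response.StatusCode == System.Net.HttpStatusCode.NotFound)
                    {
                        // ignore, the user might not be in the directory
                        return assignments;
                    }
                    if (!response.IsSuccessStatusCode)
                    {
                        throw new HttpRequestException($"{nameof(GetRoleAssignments)}: HTTP {(int)response.StatusCode} - {raw}");
                    }

                    dynamic json = JObject.Parse(raw);
                    foreach (dynamic value in (JArray)json.value)
                    {
                        var appRoleId = (string)value.appRoleId;
                        if (appRoleId == null)
                        {
                            // a missing role id cannot be matched (and would make the lookup below throw)
                            continue;
                        }

                        // only roles belonging to one of the configured applications are reported
                        var app = apps.FirstOrDefault(a => a.Roles.ContainsKey(appRoleId));
                        if (app == null)
                        {
                            continue;
                        }

                        var roleName = app.Roles[appRoleId];
                        var existing = assignments.FirstOrDefault(ra => ra.AppId == app.AppId);
                        if (existing == null)
                        {
                            existing = new RoleAssignments()
                            {
                                AppId = (string)app.AppId
                            };
                            assignments.Add(existing);
                        }
                        existing.Roles.Add(roleName);
                    }
                }
            }

            return assignments;
        }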