Exemplo n.º 1
0
        /// <summary>
        /// Tries to get a token for the provided audience
        /// </summary>
        /// <param name="tokenAudience">Audience to try to get a token for</param>
        /// <param name="orRoles">The specific roles to request access to (i.e. Group.ReadWrite.All). Optional, will use default groups assigned to clientId if not specified.</param>
        /// <returns><see cref="GenericToken"/> for the audience or NULL if unable to retrieve a token for the audience on the current connection</returns>
        internal GenericToken TryGetToken(TokenAudience tokenAudience, AzureEnvironment azureEnvironment, string[] orRoles = null, string[] andRoles = null, TokenType tokenType = TokenType.All)
        {
            GenericToken token = null;

            switch (tokenAudience)
            {
            case TokenAudience.MicrosoftGraph:

                if (ConnectionMethod == ConnectionMethod.DeviceLogin || ConnectionMethod == ConnectionMethod.GraphDeviceLogin)
                {
                    var officeManagementApiScopes = Enum.GetNames(typeof(OfficeManagementApiPermission)).Select(s => s.Replace("_", ".")).Intersect(Scopes).ToArray();
                    // Take the remaining scopes and try requesting them from the Microsoft Graph API
                    var scopes = Scopes.Except(officeManagementApiScopes).ToArray();
                    token = GraphToken.AcquireApplicationTokenDeviceLogin(PnPConnection.PnPManagementShellClientId, scopes, DeviceLoginCallback(null, false), AzureEnvironment);
                }
                else
                {
                    if (!string.IsNullOrEmpty(Tenant))
                    {
                        if (Certificate != null)
                        {
                            token = GraphToken.AcquireApplicationToken(Tenant, ClientId, Certificate, AzureEnvironment);
                        }
                        else if (ClientSecret != null)
                        {
                            token = GraphToken.AcquireApplicationToken(Tenant, ClientId, ClientSecret, AzureEnvironment);
                        }
                        else if (Scopes != null)
                        {
                            var officeManagementApiScopes = Enum.GetNames(typeof(OfficeManagementApiPermission)).Select(s => s.Replace("_", ".")).Intersect(Scopes).ToArray();
                            // Take the remaining scopes and try requesting them from the Microsoft Graph API
                            var scopes = Scopes.Except(officeManagementApiScopes).ToArray();
                            if (scopes.Length > 0)
                            {
                                token = PSCredential == null?GraphToken.AcquireApplicationTokenInteractive(PnPManagementShellClientId, scopes, azureEnvironment) : GraphToken.AcquireDelegatedTokenWithCredentials(PnPManagementShellClientId, scopes, PSCredential.UserName, PSCredential.Password, azureEnvironment);
                            }
                            else
                            {
                                throw new PSSecurityException($"Access to {tokenAudience} failed because you did not connect with any permission scopes related to this service (for instance 'Group.Read.All').");
                            }
                        }
                    }
                }
                break;

            case TokenAudience.OfficeManagementApi:
                if (!string.IsNullOrEmpty(Tenant))
                {
                    if (Certificate != null)
                    {
                        token = OfficeManagementApiToken.AcquireApplicationToken(Tenant, ClientId, Certificate, AzureEnvironment);
                    }
                    else if (ClientSecret != null)
                    {
                        token = OfficeManagementApiToken.AcquireApplicationToken(Tenant, ClientId, ClientSecret, AzureEnvironment);
                    }
                    else if (Scopes != null)
                    {
                        var scopes = Enum.GetNames(typeof(OfficeManagementApiPermission)).Select(s => s.Replace("_", ".")).Intersect(Scopes).ToArray();
                        // Take the remaining scopes and try requesting them from the Microsoft Graph API
                        if (scopes.Length > 0)
                        {
                            token = PSCredential == null?OfficeManagementApiToken.AcquireApplicationTokenInteractive(PnPManagementShellClientId, scopes, azureEnvironment) : OfficeManagementApiToken.AcquireDelegatedTokenWithCredentials(PnPManagementShellClientId, scopes, PSCredential.UserName, PSCredential.Password, azureEnvironment);
                        }
                        else
                        {
                            throw new PSSecurityException($"Access to {tokenAudience} failed because you did not connect with any permission scopes related to this service (for instance 'ServiceHealth.Read').");
                        }
                    }
                }
                break;

            case TokenAudience.SharePointOnline:
                // This is not a token type we can request on demand
                return(null);
            }

            if (token != null)
            {
                var validationResults = ValidateTokenForPermissions(token, tokenAudience, orRoles, andRoles, tokenType);
                if (!validationResults.valid)
                {
                    throw new PSSecurityException($"Access to {tokenAudience} failed because the app registration {ClientId} in tenant {Tenant} is not granted {validationResults.message}");
                }
                return(token);
            }

            // Didn't have a token yet and unable to retrieve one
            return(null);
        }
Exemplo n.º 2
0
        /// <summary>
        /// Tries to get a token for the provided audience
        /// </summary>
        /// <param name="tokenAudience">Audience to try to get a token for</param>
        /// <param name="orRoles">The specific roles to request access to (i.e. Group.ReadWrite.All). Optional, will use default groups assigned to clientId if not specified.</param>
        /// <returns><see cref="GenericToken"/> for the audience or NULL if unable to retrieve a token for the audience on the current connection</returns>
        internal GenericToken TryGetToken(TokenAudience tokenAudience, string[] orRoles = null, string[] andRoles = null, TokenType tokenType = TokenType.All)
        {
            GenericToken token = null;

            //Validate if we have a token already
            //if (AccessTokens.ContainsKey(tokenAudience))
            //{
            //    // We have a token already, ensure it is still valid
            //    token = AccessTokens[tokenAudience];

            //    if (token.ExpiresOn > DateTime.Now)
            //    {
            //        var validationResults = ValidateTokenForPermissions(token, tokenAudience, orRoles, andRoles, tokenType);
            //        if (validationResults.valid)
            //        {
            //            return token;
            //        }
            //        throw new PSSecurityException($"Access to {tokenAudience} failed because the app registration {ClientId} in tenant {Tenant} is not granted {validationResults.message}");
            //    }

            //    // Token was no longer valid, proceed with trying to create a new token
            //}

            // We do not have a token for the requested audience yet or it was no longer valid, try to create (a new) one
            switch (tokenAudience)
            {
            case TokenAudience.MicrosoftGraph:
                if (ConnectionMethod == ConnectionMethod.DeviceLogin || ConnectionMethod == ConnectionMethod.GraphDeviceLogin)
                {
                    token = GraphToken.AcquireApplicationTokenDeviceLogin(PnPConnection.DeviceLoginClientId, Scopes, DeviceLoginCallback(null, false));
                }
                else
                {
                    if (!string.IsNullOrEmpty(Tenant))
                    {
                        if (Certificate != null)
                        {
                            token = GraphToken.AcquireApplicationToken(Tenant, ClientId, Certificate);
                        }
                        else if (ClientSecret != null)
                        {
                            token = GraphToken.AcquireApplicationToken(Tenant, ClientId, ClientSecret);
                        }
                        else if (Scopes != null)
                        {
                            token = PSCredential == null?GraphToken.AcquireApplicationTokenInteractive(DeviceLoginClientId, Scopes) : GraphToken.AcquireDelegatedTokenWithCredentials(DeviceLoginClientId, Scopes, PSCredential.UserName, PSCredential.Password);
                        }
                    }
                }
                break;

            case TokenAudience.OfficeManagementApi:
                if (!string.IsNullOrEmpty(Tenant))
                {
                    if (Certificate != null)
                    {
                        token = OfficeManagementApiToken.AcquireApplicationToken(Tenant, ClientId, Certificate);
                    }
                    else if (ClientSecret != null)
                    {
                        token = OfficeManagementApiToken.AcquireApplicationToken(Tenant, ClientId, ClientSecret);
                    }
                }
                break;

            case TokenAudience.SharePointOnline:
                // This is not a token type we can request on demand
                return(null);
            }

            if (token != null)
            {
                var validationResults = ValidateTokenForPermissions(token, tokenAudience, orRoles, andRoles, tokenType);
                if (!validationResults.valid)
                {
                    throw new PSSecurityException($"Access to {tokenAudience} failed because the app registration {ClientId} in tenant {Tenant} is not granted {validationResults.message}");
                }
                // Managed to create a token for the requested audience, add it to our collection with tokens
                //AccessTokens[tokenAudience] = token;
                return(token);
            }

            // Didn't have a token yet and unable to retrieve one
            return(null);
        }