@mindline/sync 1.0.73 → 1.0.75

package/index.ts

@@ -1,8 +1,9 @@
 //index.ts - published interface - AAD implementations, facade to Mindline Config API
 import * as signalR from "@microsoft/signalr"
+import { AccountInfo } from "@azure/msal-common";
 import { IPublicClientApplication, AuthenticationResult } from "@azure/msal-browser"
 import { deserializeArray } from 'class-transformer';
-import { defineHeaders, adminDelete, adminPost, adminsGet, configConsentReadPut, configConsentWritePut, configDelete, configsGet, configPost, configPut, initPost, readerPost, tenantPost, tenantDelete, tenantsGet, workspacePut, workspacesGet } from './hybridspa';
+import { processErrors, adminDelete, adminPost, adminsGet, configConsentReadPut, configConsentWritePut, configDelete, configsGet, configPost, configPut, initPost, readerPost, tenantPost, tenantDelete, tenantsGet, workspacePut, workspacesGet } from './hybridspa';
 import { version } from './package.json';
 import users from "./users.json";
 import tenants from "./tenants.json";
@@ -10,6 +11,8 @@ import configs from "./configs.json";
 import workspaces from "./workspaces.json";
 import tasksData from "./tasks";
 import syncmilestones from './syncmilestones';
+import resources from './resources';
+import actors from './actors';
 import { log } from "console";
 const FILTER_FIELD = "workspaceIDs";
 // called by unit tests
@@ -28,6 +31,11 @@ export class APIResult {
     array: Array<Object> | null;
     constructor() { this.result = true; this.status = 200; this.error = ""; this.version = version; this.array = null; }
 }
+export class azureConfig {
+    // azure graph REST API endpoints
+    static azureElevateAccess: string = "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01";
+    static azureListRootAssignments: string = "https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId+eq+";
+};
 export class mindlineConfig {
     static environmentTag: string = "dev";
     // config API endpoints
@@ -119,7 +127,9 @@ export class User {
     workspaceIDs: string;
     session: string;  // button text
     spacode: string;  // to get front end access token
-    accessToken: string; // front end access token
+    graphAccessToken: string; // front end graph access token
+    mindlineAccessToken: string; // front end mindline access token
+    azureAccessToken: string; // front end azure access token
     loginHint: string; // to help sign out without prompt
     scopes: string[]; // to detect if incremental consent has happened
     authTS: Date; // timestamp user was authenticated
@@ -136,7 +146,9 @@ export class User {
         this.workspaceIDs = "";
         this.session = "Sign In";
         this.spacode = "";
-        this.accessToken = "";
+        this.graphAccessToken = "";
+        this.mindlineAccessToken = "";
+        this.azureAccessToken = "";
         this.loginHint = "";
         this.scopes = new Array();
         this.authTS = new Date(0);
@@ -424,7 +436,7 @@ export class InitInfo {
                 newuser.workspaceIDs = user.workspaceIDs;
                 newuser.session = user.session;
                 newuser.spacode = user.spacode;
-                newuser.accessToken = user.accessToken;
+                newuser.graphAccessToken = user.graphAccessToken;
                 newuser.loginHint = user.loginHint;
                 newuser.scopes = user.scopes;
                 newuser.authTS = new Date(user.authTS);
@@ -1228,14 +1240,153 @@ export class TenantNode {
         }
     }
 }
+export class ResourceArray {
+    resourceNodes: ResourceNode[];
+    constructor(bInitialize: boolean, bClearLocalStorage: boolean) {
+        this.resourceNodes = new Array<ResourceNode>();
+        if (bInitialize) {
+            this.init(bClearLocalStorage);
+        }
+    }
+    // get resource data from localStorage or file
+    init(bClearLocalStorage: boolean): void {
+        console.log(`Calling ResourceArray::init(bClearLocalStorage: ${bClearLocalStorage ? "true" : "false"})`);
+        // if we have a non-empty string value stored, read it from localStorage
+        if (storageAvailable("localStorage")) {
+            let result = localStorage.getItem("ResourceArray");
+            if (result != null && typeof result === "string" && result !== "") {
+                if (bClearLocalStorage) {
+                    localStorage.removeItem("ResourceArray");
+                }
+                else {
+                    // read entire object from localstorage
+                    let raString: string = result;
+                    let resourceArray: ResourceArray = JSON.parse(raString);
+                    this.resourceNodes = resourceArray.resourceNodes;
+                    return;
+                }
+            }
+        }
+        // if storage unavailable or we were just asked to clear, read resources from file
+        var resourceNodesString = JSON.stringify(resources);
+        try {
+            this.resourceNodes = deserializeArray(ResourceNode, resourceNodesString);
+        } catch (e) {
+            debugger;
+        }
+    }
+    // read
+    async read(instance: IPublicClientApplication, user: User): Promise<ResourceArray> {
+        let resources: ResourceArray = new ResourceArray(false, false);
+        resources.resourceNodes = await readResources(instance, user);
+        return resources;
+    }
+    // save resource data to localstorage
+    save(): void {
+        // if we have localStorage, save resources
+        if (storageAvailable("localStorage")) {
+            let raString: string = JSON.stringify(this);
+            localStorage.setItem("ResourceArray", raString);
+        }
+    }
+}
+export class ResourceNode {
+    type: string;
+    resource: string;
+    cost: number;
+    expanded: boolean;
+    resources: ResourceNode[];
+    constructor(type: string, resource: string, cost: number) {
+        this.type = type;
+        this.resource = resource;
+        this.cost = cost;
+        this.expanded = false;
+        this.resources = new Array<ResourceNode>();
+    }
+}
+export class ActorArray {
+    actorNodes: ActorNode[];
+    constructor(bClearLocalStorage: boolean) {
+        this.actorNodes = new Array<ActorNode>();
+        this.init(bClearLocalStorage);
+    }
+    // get initial data from localStorage or file
+    init(bClearLocalStorage: boolean): void {
+        console.log(`Calling ResourceArray::init(bClearLocalStorage: ${bClearLocalStorage ? "true" : "false"})`);
+        // if we have a non-empty string value stored, read it from localStorage
+        if (storageAvailable("localStorage")) {
+            let result = localStorage.getItem("RBACActors");
+            if (result != null && typeof result === "string" && result !== "") {
+                if (bClearLocalStorage) {
+                    localStorage.removeItem("RBACActors");
+                }
+                else {
+                    let actorArrayString: string = result;
+                    let aaFromLocalStorage: ActorArray = JSON.parse(actorArrayString);
+                    this.actorNodes = aaFromLocalStorage.actorNodes;
+                    return;
+                }
+            }
+        }
+        // if storage unavailable or we were just asked to clear, read defaults to enable usable UI
+        var actorsString = JSON.stringify(actors);
+        try {
+            this.actorNodes = deserializeArray(ActorNode, actorsString);
+        } catch (e) {
+            debugger;
+        }
+    }
+}
+export class ActorNode {
+    type: string;
+    actor: string;
+    resource: string;
+    role: string;
+    updatedby: string;
+    updatedon: string;
+    actors: ActorNode[];
+    constructor(type: string, actor: string, resource: string, role: string, updatedby: string, updatedon: string) {
+        this.type = type;
+        this.actor = resource;
+        this.resource = resource;
+        this.role = role;
+        this.updatedby = updatedby;
+        this.updatedon = updatedon;
+        this.actors = new Array<ActorNode>();
+    }
+}
 // ======================= Azure AD Graph API ===============================
+// TODO: this is where you want to trigger a re-authentication if token expires
+async function graphDefineHeaders(
+    instance: IPublicClientApplication,
+    user: User
+): Promise<Headers> {
+    const headers = new Headers();
+    headers.append("Content-Type", "application/json");
+    headers.append("accept", "*/*");
+    // authorization header - if needed, retrieve and cache access token
+    if (user.graphAccessToken == null || user.graphAccessToken === "") {
+        try {
+            let response: AuthenticationResult = await instance.acquireTokenByCode({
+                code: user.spacode,
+            });
+            user.graphAccessToken = response.accessToken; // cache access token
+            console.log("Front end token acquired: " + user.graphAccessToken.slice(0, 20));
+        }
+        catch (error: any) {
+            console.log("Front end token failure: " + error);
+        }
+    }
+    headers.append("Authorization", `Bearer ${user.graphAccessToken}`);
+    return headers;
+}
 export async function groupsGet(instance: IPublicClientApplication, user: User | undefined, groupSearchString: string): Promise<{ groups: Group[], error: string }> {
     // need a logged in user to get graph users
     if (user == null || user.spacode == "") {
         return { groups: [], error: `500: invalid user passed to groupsGet` };
     }
     // create headers
-    const headers = await defineHeaders(instance, user);
+    const headers = await graphDefineHeaders(instance, user);
     let options = { method: "GET", headers: headers };
     // make /groups endpoint call
     try {
@@ -1286,7 +1437,7 @@ export async function oauth2PermissionGrantsSet(instance: IPublicClientApplicati
         let grantsurl: string = getGraphEndpoint(loggedInUser.authority);
         grantsurl += graphConfig.graphOauth2PermissionGrantsPredicate + `/${id}`;
         let scopesBody: string = `{ "scope": "${scopes}" }`;
-        const headers = await defineHeaders(instance, loggedInUser);
+        const headers = await graphDefineHeaders(instance, loggedInUser);
         let options: RequestInit = { method: "PATCH", headers: headers, body: scopesBody };
         let response = await fetch(grantsurl, options);
         if (response.status == 204 && response.statusText == "No Content") {
@@ -1472,12 +1623,12 @@ export async function tenantRelationshipsGetByDomain(loggedInUser: User, tenant:
     // do we already have a valid tenant name? if so, nothing to add
     if (tenant.name != null && tenant.name !== "") return false;
     // if needed, retrieve and cache access token
-    if (loggedInUser.accessToken != null && loggedInUser.accessToken === "") {
+    if (loggedInUser.graphAccessToken != null && loggedInUser.graphAccessToken === "") {
         console.log(`tenantRelationshipsGetByDomain called with invalid logged in user: ${loggedInUser.name}`);
         try {
-            let response: AuthenticationResult = await instance.acquireTokenByCode({ code: loggedInUser.spacode });
-            loggedInUser.accessToken = response.accessToken; // cache access token on the user
-            console.log("tenantRelationshipsGetByDomain: Front end token acquired: " + loggedInUser.accessToken.slice(0, 20));
+            let response: AuthenticationResult = await instance.acquireTokenByCode({ code: loggedInUser.spacode, scopes: ["user.read", "contacts.read", "CrossTenantInformation.ReadBasic.All"] });
+            loggedInUser.graphAccessToken = response.accessToken; // cache access token on the user
+            console.log("tenantRelationshipsGetByDomain: Front end token acquired: " + loggedInUser.graphAccessToken.slice(0, 20));
         }
         catch (error: any) {
             console.log("tenantRelationshipsGetByDomain: Front end token failure: " + error);
@@ -1486,7 +1637,7 @@ export async function tenantRelationshipsGetByDomain(loggedInUser: User, tenant:
     }
     // prepare Authorization headers as part of options
     const headers = new Headers();
-    const bearer = `Bearer ${loggedInUser.accessToken}`;
+    const bearer = `Bearer ${loggedInUser.graphAccessToken}`;
     headers.append("Authorization", bearer);
     let options = { method: "GET", headers: headers };
     // make tenant endpoint call
@@ -1530,11 +1681,11 @@ export async function tenantRelationshipsGetById(loggedInUser: User, tenant: Ten
     console.log("**** tenantRelationshipsGetById");
     if (debug) debugger;
     // if needed, retrieve and cache access token
-    if (loggedInUser.accessToken === "") {
+    if (loggedInUser.graphAccessToken === "") {
         try {
-            let response: AuthenticationResult = await instance.acquireTokenByCode({ code: loggedInUser.spacode });
-            loggedInUser.accessToken = response.accessToken; // cache access token
-            console.log("tenantRelationshipsGetById: Front end token acquired: " + loggedInUser.accessToken.slice(0, 20));
+            let response: AuthenticationResult = await instance.acquireTokenByCode({ code: loggedInUser.spacode, scopes: ["user.read", "contacts.read", "CrossTenantInformation.ReadBasic.All"] });
+            loggedInUser.graphAccessToken = response.accessToken; // cache access token
+            console.log("tenantRelationshipsGetById: Front end token acquired: " + loggedInUser.graphAccessToken.slice(0, 20));
         }
         catch (error: any) {
             console.log("tenantRelationshipsGetById: Front end token failure: " + error);
@@ -1543,7 +1694,7 @@ export async function tenantRelationshipsGetById(loggedInUser: User, tenant: Ten
     }
     // prepare Authorization headers as part of options
     const headers = new Headers();
-    const bearer = `Bearer ${loggedInUser.accessToken}`;
+    const bearer = `Bearer ${loggedInUser.graphAccessToken}`;
     headers.append("Authorization", bearer);
     let options = { method: "GET", headers: headers };
     // make tenant endpoint call
@@ -1600,7 +1751,7 @@ export async function tenantUnauthenticatedLookup(tenant: Tenant, debug: boolean
             openidEndpoint += "/.well-known/openid-configuration";
             console.log("Attempting GET from openid well-known endpoint: ", openidEndpoint);
             response = await fetch(openidEndpoint);
-            if (response.status == 200 && response.statusText == "OK") {
+            if (response.status == 200) {
                 let data = await response.json();
                 if (data) {
                     // store tenant ID and authority
@@ -1640,7 +1791,7 @@ export async function userDelegatedScopesGet(instance: IPublicClientApplication,
         return { scopes: null, id: null, error: `500: invalid parameter(s) passed to getUserDelegatedScopes` };
     }
     // create headers
-    const headers = await defineHeaders(instance, loggedInUser);
+    const headers = await graphDefineHeaders(instance, loggedInUser);
     let options: RequestInit = { method: "GET", headers: headers };
     try {
         // first, cache Graph resource ID (service principal) for this tenant if we don't have it already
@@ -1696,12 +1847,12 @@ export async function userDelegatedScopesRemove(instance: IPublicClientApplicati
 export async function usersGet(instance: IPublicClientApplication, user: User | undefined): Promise<{ users: string[], error: string }> {
     // need a logged in user to get graph users
     if (user == null || user.spacode == "") {
-        return { users: [], error: `500: invalid user passed to groupsGet` };
+        return { users: [], error: `500: invalid user passed to usersGet` };
     }
     // make /users endpoint call
     try {
         // create headers
-        const headers = await defineHeaders(instance, user);
+        const headers = await graphDefineHeaders(instance, user);
         let options = { method: "GET", headers: headers };
         let usersEndpoint = getGraphEndpoint(user.authority);
         usersEndpoint += graphConfig.graphUsersPredicate;
@@ -1796,7 +1947,8 @@ export async function configsRefresh(instance: IPublicClientApplication, authori
 export async function initGet(instance: IPublicClientApplication, user: User, ii: InitInfo, tasks: TaskArray, debug: boolean): Promise<APIResult> {
     console.log(`>>>>>> initGet`);
     let result: APIResult = new APIResult();
-    if (debug) debugger;
+    if (debug)
+        debugger;
     // lookup authority for this user (the lookup call does it based on domain, but TID works as well to find authority)
     let tenant: Tenant = new Tenant();
     tenant.tid = user.tid;
@@ -2087,4 +2239,146 @@ async function workspaceInfoGet(instance: IPublicClientApplication, user: User,
     result.result = false;
     result.status = 500;
     return result;
+}
+// ======================= Azure REST API ===============================
+// TODO: this is where you want to trigger a re-authentication if token expires
+async function azureDefineHeaders(
+    instance: IPublicClientApplication,
+    user: User
+): Promise<Headers> {
+    const headers = new Headers();
+    headers.append("Content-Type", "application/json");
+    headers.append("accept", "*/*");
+    // authorization header - if needed, retrieve and cache access token
+    if (user.azureAccessToken == null || user.azureAccessToken === "") {
+        try {
+            let accounts: AccountInfo[] = instance.getAllAccounts();
+            let homeAccountId = user.oid + "." + user.tid;
+            let account: AccountInfo = null;
+            for (let i: number = 0; i < accounts.length; i++) {
+                if (accounts[i].homeAccountId == homeAccountId) {
+                    account = accounts[i];
+                }
+            }
+            debugger;
+            let response: AuthenticationResult = await instance.acquireTokenSilent({
+                scopes: ["https://management.azure.com/user_impersonation"],
+                account: account
+            });
+            user.azureAccessToken = response.accessToken; // cache access token
+            console.log("Front end token acquired silently: " + user.azureAccessToken.slice(0, 20));
+        }
+        catch (error: any) {
+            try {
+                console.log("Front end token silent acquisition failure: " + error);
+                // fallback to redirect if silent acquisition fails
+                let accounts: AccountInfo[] = instance.getAllAccounts();
+                let homeAccountId = user.oid + "." + user.tid;
+                let account: AccountInfo = null;
+                for (let i: number = 0; i < accounts.length; i++) {
+                    if (accounts[i].homeAccountId == homeAccountId) {
+                        account = accounts[i];
+                    }
+                }
+                instance.acquireTokenRedirect({
+                    scopes: ["https://management.azure.com/user_impersonation"],
+                    account: account
+                });
+            }
+            catch (error: any) {
+                console.log("Front end token popup acquisition failure: " + error);
+            }
+        }
+    }
+    headers.append("Authorization", `Bearer ${user.azureAccessToken}`);
+    return headers;
+}
+export async function canListRootAssignments(instance: IPublicClientApplication, user: User): Promise<boolean> {
+    // need a logged in user to call Azure REST API
+    if (user == null || user.spacode == "") {
+        return false;
+    }
+    // make Azure REST API call
+    try {
+        // create headers
+        const headers = await azureDefineHeaders(instance, user);
+        let options = { method: "GET", headers: headers };
+        let listrootassignmentsEndpoint: string = azureConfig.azureListRootAssignments;
+        listrootassignmentsEndpoint += "'";
+        listrootassignmentsEndpoint += user.oid;
+        listrootassignmentsEndpoint += "'";
+        let response = await fetch(listrootassignmentsEndpoint, options);
+        if (response.status == 200) {
+            let data = await response.json();
+            debugger;
+            console.log("Successful call to Azure Resource Graph list root assignments");
+        }
+        else {
+            console.log(await processErrors(response));
+            return false;
+        }
+    }
+    catch (error: any) {
+        console.log(error);
+        return false;
+    }
+    return true;
+}
+export async function elevateGlobalAdminToUserAccessAdmin(instance: IPublicClientApplication, user: User): Promise<boolean> {
+    // need a logged in user to call Azure REST API
+    if (user == null || user.spacode == "") {
+        return false;
+    }
+    // make Azure REST API call
+    try {
+        // create headers
+        const headers = await azureDefineHeaders(instance, user);
+        let options = { method: "POST", headers: headers };
+        let elevateaccessEndpoint: string = azureConfig.azureElevateAccess;
+        let response = await fetch(elevateaccessEndpoint, options);
+        if (response.status == 200) {
+            console.log("Successful call to Azure Resource Graph list root assignments");
+        }
+        else {
+            console.log(await processErrors(response));
+            return false;
+        }
+    }
+    catch (error: any) {
+        console.log(error);
+        return false;
+    }
+    return true; 
+}
+async function readResources(instance: IPublicClientApplication, user: User): Promise<ResourceNode[]> {
+    // need a logged in user to call Azure REST API
+    let resources: ResourceNode[] = new Array<ResourceNode>();
+    if (user == null || user.spacode == "") {
+        return resources;
+    }
+    // make Azure REST API call
+    try {
+        // create headers
+        const headers = await azureDefineHeaders(instance, user);
+        let options = { method: "GET", headers: headers };
+        let listrootassignmentsEndpoint: string = azureConfig.azureListRootAssignments;
+        listrootassignmentsEndpoint += "'";
+        listrootassignmentsEndpoint += user.oid;
+        listrootassignmentsEndpoint += "'";
+        let response = await fetch(listrootassignmentsEndpoint, options);
+        if (response.status == 200) {
+            let data = await response.json();
+            debugger;
+            console.log("Successful call to Azure Resource Graph list root assignments");
+        }
+        else {
+            console.log(await processErrors(response));
+            return false;
+        }
+    }
+    catch (error: any) {
+        console.log(error);
+        return false;
+    }
+    return true;
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@mindline/sync",
   "type": "module",
-  "version": "1.0.73",
+  "version": "1.0.75",
   "types": "index.d.ts",
   "exports": "./index.ts",
   "description": "sync is a node.js package encapsulating javscript classes required for configuring Mindline sync service.",

package/resources.json

@@ -0,0 +1,58 @@
+[
+  {
+    "type": "mg",
+    "resource": "Tenant Root Group",
+    "cost": 0,
+    "expanded": true,
+    "resources": [
+      {
+        "type": "sub",
+        "resource": "Applications",
+        "cost": 16677.52,
+        "expanded": true,
+        "resources": [
+          {
+            "type": "rg",
+            "resource": "ssfdev",
+            "cost": 7500.08,
+            "expanded": true,
+            "resources": [
+              {
+                "type": "resources",
+                "resource": "SSFServices",
+                "cost": 0,
+                "expanded": false,
+                "resources": [
+                ]
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "type": "sub",
+        "resource": "Infrastructure",
+        "cost": 8737.58,
+        "expanded": true,
+        "resources": [
+          {
+            "type": "rg",
+            "resource": "SFFA_Prod_Mgmt_Shared_Resources_RG",
+            "cost": 7500.08,
+            "expanded": true,
+            "resources": [
+              {
+                "type": "resources",
+                "resource": "SSFA-Prod-UTIL-01",
+                "cost": 0,
+                "expanded": false,
+                "resources": [
+                ]
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+]