Edit TodoItem

Calling Graph
Few refactoring

Author: Tiago Brenck

1-WebApp-OIDC/1-2-AnyOrg/AppCreationScripts/sample.json

@@ -20,6 +20,12 @@
       "HomePage": "https://localhost:44321/",
       "ReplyUrls": "https://localhost:44321/, https://localhost:44321/signin-oidc",
       "LogoutUrl": "https://localhost:44321/signout-oidc",
+      "RequiredResourcesAccess": [
+        {
+          "Resource": "Microsoft Graph",
+          "DelegatedPermissions": [ "User.Read" ]
+        }
+      ]
     }
   ],
 
@@ -46,6 +52,10 @@
         {
           "key": "Domain",
           "value": "$tenantName"
+        },
+        {
+          "key": "ClientSecret",
+          "value": ".AppKey"
         }
       ]
     }

1-WebApp-OIDC/1-2-AnyOrg/BLL/IMSGraphService.cs

@@ -0,0 +1,14 @@
+using Microsoft.AspNetCore.Mvc.Rendering;
+using Microsoft.Graph;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace WebApp_OpenIDConnect_DotNet.BLL
+{
+    public interface IMSGraphService
+    {
+        Task<IEnumerable<User>> GetUsersAsync(string accessToken);
+    }
+}

1-WebApp-OIDC/1-2-AnyOrg/BLL/ITodoItemService.cs

@@ -9,9 +9,10 @@ namespace WebApp_OpenIDConnect_DotNet.BLL
 {
     public interface ITodoItemService
     {
-        Task<TodoItem> Create(string text, ClaimsPrincipal loggedUser);
-        Task<IEnumerable<TodoItem>> List(bool showAll, ClaimsPrincipal loggedUser);
-        Task<TodoItem> Get(int id, ClaimsPrincipal loggedUser);
-        Task Delete(int id, ClaimsPrincipal loggedUser);
+        Task<TodoItem> Create(string text, ClaimsPrincipal user);
+        Task<IEnumerable<TodoItem>> List(bool showAll, ClaimsPrincipal user);
+        Task<TodoItem> Get(int id, ClaimsPrincipal user);
+        Task Delete(int id, ClaimsPrincipal user);
+        Task<TodoItem> Edit(TodoItem todoItem, ClaimsPrincipal user);
     }
 }

1-WebApp-OIDC/1-2-AnyOrg/BLL/MSGraphService.cs

@@ -0,0 +1,78 @@
+using Microsoft.AspNetCore.Mvc.Rendering;
+using Microsoft.Graph;
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Linq;
+using System.Net.Http.Headers;
+using System.Threading.Tasks;
+
+namespace WebApp_OpenIDConnect_DotNet.BLL
+{
+    public class MSGraphService : IMSGraphService
+    {
+        // the Graph SDK's GraphServiceClient
+        private GraphServiceClient graphServiceClient;
+
+        /// <summary>
+        /// Gets the users in a tenant.
+        /// </summary>
+        /// <param name="accessToken">The access token for MS Graph.</param>
+        /// <returns>
+        /// A list of users
+        /// </returns>
+        public async Task<IEnumerable<User>> GetUsersAsync(string accessToken)
+        {
+            var usersDropDown = new List<SelectListItem>();
+            
+            try
+            {
+                PrepareAuthenticatedClient(accessToken);
+                IGraphServiceUsersCollectionPage users = await graphServiceClient.Users.Request()
+                    .Filter($"accountEnabled eq true")
+                    .Select("id, userPrincipalName")
+                    .GetAsync();
+                
+                if (users?.CurrentPage.Count > 0)
+                {
+                    usersDropDown = users.Select(u => new SelectListItem 
+                                    { 
+                                        Text = u.UserPrincipalName,
+                                        Value = u.Id
+                                    }).ToList();
+                }
+            }
+            catch (ServiceException e)
+            {
+                Debug.WriteLine("We could not retrieve the user's list: " + $"{e}");
+                return null;
+            }
+            
+            return usersDropDown;
+        }
+
+        /// <summary>
+        /// Prepares the authenticated client.
+        /// </summary>
+        /// <param name="accessToken">The access token.</param>
+        private void PrepareAuthenticatedClient(string accessToken)
+        {
+            try
+            {
+                graphServiceClient = new GraphServiceClient("https://graph.microsoft.com/beta",
+                                                                     new DelegateAuthenticationProvider(
+                                                                         async (requestMessage) =>
+                                                                         {
+                                                                             await Task.Run(() =>
+                                                                             {
+                                                                                 requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
+                                                                             });
+                                                                         }));
+            }
+            catch (Exception ex)
+            {
+                Debug.WriteLine($"Could not create a graph client {ex}");
+            }
+        }
+    }
+}

1-WebApp-OIDC/1-2-AnyOrg/BLL/TodoItemService.cs

@@ -18,14 +18,45 @@ public TodoItemService(SampleDbContext sampleDbContext)
             this.sampleDbContext = sampleDbContext;
         }
 
-        public async Task<TodoItem> Create(string text, ClaimsPrincipal loggedUser)
+        /// <summary>
+        /// Lists only items from the user's tenant
+        /// </summary>
+        /// <param name="showAll"></param>
+        /// <param name="user"></param>
+        /// <returns></returns>
+        public async Task<IEnumerable<TodoItem>> List(bool showAll, ClaimsPrincipal user)
         {
+            var tenantId = user.GetTenantId();
+            var userIdentifier = user.GetObjectId();
+
+            var filteredResult = sampleDbContext.TodoItems.Where(x => x.TenantId == tenantId);
+
+            if (showAll)
+                return await filteredResult.ToListAsync();
+            else
+                return await filteredResult.Where(x => x.AssignedTo == userIdentifier).ToListAsync();
+        }
+
+        public async Task<TodoItem> Get(int id, ClaimsPrincipal user)
+        {
+            var tenantId = user.GetTenantId();
+            var userIdentifier = user.GetObjectId();
+
+            return await sampleDbContext.TodoItems.SingleOrDefaultAsync(x =>
+                x.Id == id
+                && x.TenantId == tenantId
+                && x.AssignedTo == userIdentifier);
+        }
+
+        public async Task<TodoItem> Create(string text, ClaimsPrincipal user)
+        {
+            //TodoItem table has the TenantId column so we can separate data from each different tenant, preserving its confidentiality
             TodoItem todoItem = new TodoItem
-            { 
+            {
                 Text = text,
-                UserName = loggedUser.Identity.Name,
-                AssignedTo = loggedUser.GetObjectId(),
-                TenantId = loggedUser.GetTenantId()
+                UserName = user.Identity.Name,
+                AssignedTo = user.GetObjectId(),
+                TenantId = user.GetTenantId()
             };
 
             sampleDbContext.TodoItems.Add(todoItem);
@@ -34,38 +65,43 @@ public async Task<TodoItem> Create(string text, ClaimsPrincipal loggedUser)
             return todoItem;
         }
 
-        public async Task Delete(int id, ClaimsPrincipal loggedUser)
+        public async Task<TodoItem> Edit(TodoItem todoItem, ClaimsPrincipal user)
+        {
+            //Validate item ownership
+            if (!IsAuthorizedToModify(todoItem.Id, user))
+                throw new InvalidOperationException();
+
+            sampleDbContext.TodoItems.Update(todoItem);
+            await sampleDbContext.SaveChangesAsync();
+
+            return todoItem;
+        }
+
+        public async Task Delete(int id, ClaimsPrincipal user)
         {
-            var todoItem = await Get(id, loggedUser);
+            //Validate item ownership
+            if (!IsAuthorizedToModify(id, user))
+                throw new InvalidOperationException();
+
+            var todoItem = await Get(id, user);
             if (todoItem != null)
             {
                 sampleDbContext.TodoItems.Remove(todoItem);
                 await sampleDbContext.SaveChangesAsync();
             }
         }
-
-        public async Task<TodoItem> Get(int id, ClaimsPrincipal loggedUser)
-        {
-            var tenantId = loggedUser.GetTenantId();
-            var userIdentifier = loggedUser.GetObjectId();
-
-            return await sampleDbContext.TodoItems.SingleOrDefaultAsync(x => 
-                x.Id == id 
-                && x.TenantId == tenantId 
-                && x.AssignedTo == userIdentifier);
-        }
-
-        public async Task<IEnumerable<TodoItem>> List(bool showAll, ClaimsPrincipal loggedUser)
+        
+        private bool IsAuthorizedToModify(int itemId, ClaimsPrincipal user)
         {
-            var tenantId = loggedUser.GetTenantId();
-            var userIdentifier = loggedUser.GetObjectId();
-
-            var filteredResult = sampleDbContext.TodoItems.Where(x => x.TenantId == tenantId);
+            var tenantId = user.GetTenantId();
+            var userIdentifier = user.GetObjectId();
 
-            if (showAll)
-                return await filteredResult.ToListAsync();
-            else
-                return await filteredResult.Where(x => x.AssignedTo == userIdentifier).ToListAsync();
+            // The user can only modify their own items
+            return sampleDbContext.TodoItems
+                .AsNoTracking()
+                .Where(x => x.Id == itemId
+                    && x.TenantId == tenantId
+                    && x.AssignedTo == userIdentifier).Count() == 1;
         }
     }
 }

1-WebApp-OIDC/1-2-AnyOrg/Controllers/TodoListController.cs

@@ -4,24 +4,31 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.Identity.Web;
 using WebApp_OpenIDConnect_DotNet.BLL;
 using WebApp_OpenIDConnect_DotNet.Models;
+using WebApp_OpenIDConnect_DotNet.Utils;
 
 namespace WebApp_OpenIDConnect_DotNet.Controllers
 {
     [Authorize]
     public class TodoListController : Controller
     {
         private readonly ITodoItemService _todoItemService;
-        public TodoListController(ITodoItemService todoItemService)
+        private readonly ITokenAcquisition _tokenAcquisition;
+        private readonly IMSGraphService _msGraphService;
+
+        public TodoListController(ITodoItemService todoItemService, ITokenAcquisition tokenAcquisition, IMSGraphService msGraphService)
         {
             _todoItemService = todoItemService;
+            _tokenAcquisition = tokenAcquisition;
+            _msGraphService = msGraphService;
         }
 
         public async Task<IActionResult> Index(bool showAllFilter)
         {
-            @TempData["ShowAllFilter"] = showAllFilter;
+            ViewData["ShowAllFilter"] = showAllFilter;
 
             var items = await _todoItemService.List(showAllFilter, User);
             return View(items);
@@ -34,19 +41,60 @@ public IActionResult Create()
             {
                 AssignedTo = User.GetObjectId(),
                 TenantId = User.GetTenantId(),
-                UserName = User.Identity.Name
+                UserName = User.GetDisplayName()
             };
 
             return View(model);
         }
 
         [HttpPost]
+        [ValidateAntiForgeryToken]
         public async Task<IActionResult> Create(TodoItem model)
         {
+            if (!ModelState.IsValid)
+            {
+                return View(model);
+            }
+
             await _todoItemService.Create(model.Text, User);
             return RedirectToAction("Index");
         }
 
+        [HttpGet]
+        [AuthorizeForScopes(Scopes = new string[] { GraphScope.DirectoryReadAll })]
+        public async Task<IActionResult> Edit(int id)
+        {
+            TodoItem todoItem = await _todoItemService.Get(id, User);
+
+            if(todoItem == null)
+            {
+                TempData["ErrorMessage"] = "Item not found";
+                return RedirectToAction("Error", "Home");
+            }
+
+            var userTenant = User.GetTenantId();
+
+            // Acquiring token for graph using the user's tenantId, so it can return all the users from their tenant
+            var graphAccessToken = await _tokenAcquisition.GetAccessTokenOnBehalfOfUserAsync(new string[] { GraphScope.DirectoryReadAll }, userTenant);
+
+            TempData["UsersDropDown"] = (await _msGraphService.GetUsersAsync(graphAccessToken))
+                .Select(u => new SelectListItem
+                {
+                    Text = u.UserPrincipalName,
+                    Value = u.Id
+                }).ToList();
+
+            return View(todoItem);
+        }
+
+        [HttpPost]
+        [ValidateAntiForgeryToken]
+        public async Task<IActionResult> Edit(TodoItem todoItem)
+        {
+            await _todoItemService.Edit(todoItem, User);
+            return RedirectToAction("Index");
+        }
+
         [HttpGet]
         public async Task<IActionResult> Delete(int id)
         {

1-WebApp-OIDC/1-2-AnyOrg/Models/TodoItem.cs

@@ -12,9 +12,13 @@ public class TodoItem
         [Key]
         [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
         public int Id { get; set; }
+        [Required]
         public string Text { get; set; }
+        [Required]
         public string UserName { get; set; }
+        [Required]
         public string AssignedTo { get; set; }
+        [Required]
         public string TenantId { get; set; }
     }
 }

1-WebApp-OIDC/1-2-AnyOrg/Startup.cs

@@ -11,6 +11,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Resource;
+using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
 using Microsoft.IdentityModel.Logging;
 using Microsoft.IdentityModel.Tokens;
 using System;
@@ -48,9 +49,12 @@ public void ConfigureServices(IServiceCollection services)
             services.AddDbContext<SampleDbContext>(options => options.UseSqlServer(Configuration.GetConnectionString("SampleDbConnStr")));
 
             services.AddScoped<ITodoItemService, TodoItemService>();
+            services.AddScoped<IMSGraphService, MSGraphService>();
 
             // Sign-in users with the Microsoft identity platform
-            services.AddMicrosoftIdentityPlatformAuthentication(Configuration);
+            services.AddMicrosoftIdentityPlatformAuthentication(Configuration)
+                    .AddMsal(Configuration, new string[] { GraphScope.DirectoryReadAll })
+                    .AddInMemoryTokenCaches();
 
             services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
             {

1-WebApp-OIDC/1-2-AnyOrg/Utils/GraphScope.cs

@@ -0,0 +1,12 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace WebApp_OpenIDConnect_DotNet.Utils
+{
+    public static class GraphScope
+    {
+        public const string DirectoryReadAll = "Directory.Read.All";
+    }
+}