Extends minimal permissions plugins with support for batch requests. Closes #283 (#293)

Author: waldekmastykarz

m365-developer-proxy-abstractions/GraphBatchRequestPayload.cs

@@ -0,0 +1,24 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Text.Json.Serialization;
+
+namespace Microsoft365.DeveloperProxy.Abstractions;
+
+public class GraphBatchRequestPayload {
+    [JsonPropertyName("requests")]
+    public GraphBatchRequestPayloadRequest[] Requests { get; set; } = Array.Empty<GraphBatchRequestPayloadRequest>();
+}
+
+public class GraphBatchRequestPayloadRequest {
+    [JsonPropertyName("id")]
+    public string Id { get; set; } = string.Empty;
+    [JsonPropertyName("method")]
+    public string Method { get; set; } = string.Empty;
+    [JsonPropertyName("url")]
+    public string Url { get; set; } = string.Empty;
+    [JsonPropertyName("headers")]
+    public Dictionary<string, string>? Headers { get; set; } = new Dictionary<string, string>();
+    [JsonPropertyName("body")]
+    public object? Body { get; set; }
+}

m365-developer-proxy-abstractions/ProxyUtils.cs

@@ -28,11 +28,17 @@ public static bool IsGraphUrl(Uri uri) =>
         uri.Host.StartsWith("graph.microsoft.", StringComparison.OrdinalIgnoreCase) ||
         uri.Host.StartsWith("microsoftgraph.", StringComparison.OrdinalIgnoreCase);
 
+    public static bool IsGraphBatchUrl(Uri uri) => 
+        uri.AbsoluteUri.EndsWith("/$batch", StringComparison.OrdinalIgnoreCase);
+
     public static bool IsSdkRequest(Request request) => request.Headers.HeaderExists("SdkVersion");
 
     public static bool IsGraphBetaRequest(Request request) => 
         IsGraphRequest(request) &&
-        request.RequestUri.AbsolutePath.Contains("/beta/", StringComparison.OrdinalIgnoreCase);
+        IsGraphBetaUrl(request.RequestUri);
+
+    public static bool IsGraphBetaUrl(Uri uri) => 
+        uri.AbsolutePath.Contains("/beta/", StringComparison.OrdinalIgnoreCase);
 
     /// <summary>
     /// Utility to build HTTP response headers consistent with Microsoft Graph

m365-developer-proxy-plugins/RequestLogs/MinimalPermissionsGuidancePlugin.cs

@@ -48,21 +48,34 @@ private async void AfterRecordingStop(object? sender, RecordingArgs e)
 
       var methodAndUrlString = request.Message.First();
       var methodAndUrl = GetMethodAndUrl(methodAndUrlString);
+      var requestsFromBatch = Array.Empty<Tuple<string, string>>();
 
-      if (!ProxyUtils.IsGraphUrl(new Uri(methodAndUrl.Item2)))
+      var uri = new Uri(methodAndUrl.Item2);
+      if (!ProxyUtils.IsGraphUrl(uri))
       {
         continue;
       }
 
-      methodAndUrl = new Tuple<string, string>(methodAndUrl.Item1, GetTokenizedUrl(methodAndUrl.Item2));
+      if (ProxyUtils.IsGraphBatchUrl(uri)) {
+        var graphVersion = ProxyUtils.IsGraphBetaUrl(uri) ? "beta" : "v1.0";
+        requestsFromBatch = GetRequestsFromBatch(request.Context?.Session.HttpClient.Request.BodyString!, graphVersion, uri.Host);
+      }
+      else {
+        methodAndUrl = new Tuple<string, string>(methodAndUrl.Item1, GetTokenizedUrl(methodAndUrl.Item2));
+      }
 
       var scopesAndType = GetPermissionsAndType(request);
       if (scopesAndType.Item1 == PermissionsType.Delegated)
       {
         // use the scopes from the last request in case the app is using incremental consent
         scopesToEvaluate = scopesAndType.Item2;
 
-        delegatedEndpoints.Add(methodAndUrl);
+        if (ProxyUtils.IsGraphBatchUrl(uri)) {
+          delegatedEndpoints.AddRange(requestsFromBatch);
+        }
+        else {
+          delegatedEndpoints.Add(methodAndUrl);
+        }
       }
       else
       {
@@ -74,7 +87,12 @@ private async void AfterRecordingStop(object? sender, RecordingArgs e)
           rolesToEvaluate.Length == 0) {
           rolesToEvaluate = scopesAndType.Item2;
 
-          applicationEndpoints.Add(methodAndUrl);
+          if (ProxyUtils.IsGraphBatchUrl(uri)) {
+            applicationEndpoints.AddRange(requestsFromBatch);
+          }
+          else {
+            applicationEndpoints.Add(methodAndUrl);
+          }
         }
       }
     }
@@ -112,6 +130,38 @@ private async void AfterRecordingStop(object? sender, RecordingArgs e)
     }
   }
 
+  private Tuple<string, string>[] GetRequestsFromBatch(string batchBody, string graphVersion, string graphHostName)
+  {
+    var requests = new List<Tuple<string, string>>();
+
+    if (String.IsNullOrEmpty(batchBody))
+    {
+      return requests.ToArray();
+    }
+
+    try {
+      var batch = JsonSerializer.Deserialize<GraphBatchRequestPayload>(batchBody);
+      if (batch == null)
+      {
+        return requests.ToArray();
+      }
+
+      foreach (var request in batch.Requests)
+      {
+        try {
+          var method = request.Method;
+          var url = request.Url;
+          var absoluteUrl = $"https://{graphHostName}/{graphVersion}{url}";
+          requests.Add(new Tuple<string, string>(method, GetTokenizedUrl(absoluteUrl)));
+        }
+        catch {}
+      }
+    }
+    catch {}
+
+    return requests.ToArray();
+  }
+
   /// <summary>
   /// Returns permissions and type (delegated or application) from the access token
   /// used on the request.

m365-developer-proxy-plugins/RequestLogs/MinimalPermissionsPlugin.cs

@@ -52,14 +52,21 @@ private async void AfterRecordingStop(object? sender, RecordingArgs e)
       var methodAndUrlString = request.Message.First();
       var methodAndUrl = GetMethodAndUrl(methodAndUrlString);
 
-      if (!ProxyUtils.IsGraphUrl(new Uri(methodAndUrl.Item2)))
+      var uri = new Uri(methodAndUrl.Item2);
+      if (!ProxyUtils.IsGraphUrl(uri))
       {
         continue;
       }
 
-      methodAndUrl = new Tuple<string, string>(methodAndUrl.Item1, GetTokenizedUrl(methodAndUrl.Item2));
-
-      endpoints.Add(methodAndUrl);
+      if (ProxyUtils.IsGraphBatchUrl(uri)) {
+        var graphVersion = ProxyUtils.IsGraphBetaUrl(uri) ? "beta" : "v1.0";
+        var requestsFromBatch = GetRequestsFromBatch(request.Context?.Session.HttpClient.Request.BodyString!, graphVersion, uri.Host);
+        endpoints.AddRange(requestsFromBatch);
+      }
+      else {
+        methodAndUrl = new Tuple<string, string>(methodAndUrl.Item1, GetTokenizedUrl(methodAndUrl.Item2));
+        endpoints.Add(methodAndUrl);
+      }
     }
 
     // Remove duplicates
@@ -82,6 +89,38 @@ private async void AfterRecordingStop(object? sender, RecordingArgs e)
     await DetermineMinimalScopes(endpoints);
   }
 
+  private Tuple<string, string>[] GetRequestsFromBatch(string batchBody, string graphVersion, string graphHostName)
+  {
+    var requests = new List<Tuple<string, string>>();
+
+    if (String.IsNullOrEmpty(batchBody))
+    {
+      return requests.ToArray();
+    }
+
+    try {
+      var batch = JsonSerializer.Deserialize<GraphBatchRequestPayload>(batchBody);
+      if (batch == null)
+      {
+        return requests.ToArray();
+      }
+
+      foreach (var request in batch.Requests)
+      {
+        try {
+          var method = request.Method;
+          var url = request.Url;
+          var absoluteUrl = $"https://{graphHostName}/{graphVersion}{url}";
+          requests.Add(new Tuple<string, string>(method, GetTokenizedUrl(absoluteUrl)));
+        }
+        catch {}
+      }
+    }
+    catch {}
+
+    return requests.ToArray();
+  }
+
   private string GetScopeTypeString()
   {
     return _configuration.Type switch

m365-developer-proxy/ProxyEngine.cs

@@ -340,6 +340,13 @@ async Task OnRequest(object sender, SessionEventArgs e) {
         var method = e.HttpClient.Request.Method.ToUpper();
         // The proxy does not intercept or alter OPTIONS requests
         if (method is not "OPTIONS" && IsProxiedHost(e.HttpClient.Request.RequestUri.Host)) {
+            // // we need to keep the request body for further processing
+            // // by plugins
+            e.HttpClient.Request.KeepBody = true;
+            if (e.HttpClient.Request.HasBody) {
+                await e.GetRequestBodyAsString();
+            }
+            
             e.UserData = e.HttpClient.Request;
             _logger.LogRequest(new[] { $"{e.HttpClient.Request.Method} {e.HttpClient.Request.Url}" }, MessageType.InterceptedRequest, new LoggingContext(e));
             HandleRequest(e);