Merge pull request #59 from splunk-soar-connectors/tapishj/PAPP-36205

fix: make automatic auth more clear

Author: tapishj-splunk

NOTICE

@@ -1,9 +1,65 @@
-Splunk SOAR MS Graph for Office 365
-Copyright (c) 2017-2024 Splunk Inc.
+Splunk SOAR App: MS Graph for Office 365
+Copyright (c) 2017-2025 Splunk Inc.
+Third Party Software Attributions:
 
-Third-party Software Attributions:
+@@@@============================================================================
+
+Library: msal - 1.31.0
+Homepage: https://github.com/AzureAD/microsoft-authentication-library-for-python
+License: MIT License
+License Text:
+
+The MIT License (MIT)
+
+Copyright (c) Microsoft Corporation.
+All rights reserved.
+
+This code is licensed under the MIT License.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files(the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions :
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+@@@@============================================================================
+
+Library: python-magic - 0.4.18
+Homepage: http://github.com/ahupp/python-magic
+License: MIT License
+License Text:
+
+The MIT License (MIT)
+
+Copyright (c) 2001-2014 Adam Hupp
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 
-Library: python-magic
-Version: 0.4.18
-License: MIT
-Copyright 2001-2014 Adam Hupp

README.md

@@ -92,11 +92,13 @@ After making these changes, click **Add permissions** , then select **Grant admi
 
 ## Splunk SOAR Graph Asset
 
-When creating an asset for the **MS Graph for Office 365** app, place **Application ID** of the app
-created during the app registration on the Azure Portal in the **Application ID** field and place
-the client secret generated during the app registration process in the **Application Secret** field.
-Then, after filling out the **Tenant** field, click **SAVE** . Both the Application/Client ID and
-the Tenant ID can be found in the **Overview** tab on your app's Azure page.
+When creating an asset you must choose one of the 3 auth types: **Automatic**, **OAuth**, or **CBA**; and specify your
+choice in the **Authentication type to use for connectivity** field. "Automatic" auth means that the app will first try OAuth,
+and then if that doesn't work, it will try CBA. For this reason if you choose Automatic auth, the most resilient strategy would be
+to specify the parameters required for both OAuth and CBA.
+
+For all three auth types you must fill out the **Application ID** and **Tenant** fields. Both the Application/Client ID and
+the Tenant ID can be found in the **Overview** tab on your app's Azure page. After you have these fields filled out click **SAVE**.
 
 After saving, a new field will appear in the **Asset Settings** tab. Take the URL found in the
 **POST incoming for MS Graph for Office 365 to this location** field and place it in the **Redirect
@@ -131,7 +133,7 @@ the window. To give this user permission to view assets, follow these steps:
 
 #### Admin User Workflow (OAuth)
 
-- Configure the asset with required details while keeping the **Admin Access Required** as
+- Configure the asset with **Tenant ID**, **Application ID** and **Application Secret** while keeping the **Admin Access Required** as
   checked.
 - While configuring the asset for the first time, keep **Admin Consent Already Provided** as
   unchecked.
@@ -154,7 +156,7 @@ the window. To give this user permission to view assets, follow these steps:
 
 #### Non-Admin User Workflow (OAuth)
 
-- Configure the asset with required details while keeping the **Admin Access Required** as
+- Configure the asset with **Tenant ID**, **Application ID** and **Application Secret** while keeping the **Admin Access Required** as
   unchecked. **Admin Consent Already Provided** config parameter will be ignored in the non-admin
   workflow.
 - Provide **Access Scope** parameter in the asset configuration. All the actions will get executed
@@ -184,8 +186,8 @@ the window. To give this user permission to view assets, follow these steps:
 
 #### Automatic Authentication Workflow
 
-- Configure the asset with the required details, including either the **Application Secret** or a combination of **Certificate Thumbprint** and **Certificate Private Key (.PEM)**.
-- If **Application Secret** exists, it will take priority and follow the OAuth workflow. Otherwise, it will continue with the CBA workflow.
+- Configure the asset with both the parameters needed for OAuth and CBA. This means you need to specify either the **Application Secret** or a combination of **Certificate Thumbprint** and **Certificate Private Key (.PEM)**. You may provide all three.
+- The OAuth workflow will take priority over the CBA workflow.
 - The system doesn’t automatically switch from OAuth to CBA when the **Application Secret** expires. However, if **Admin Access Required** is disabled, **Access Scope** is not specified, and **Admin Consent Already Provided** is enabled, it will switch to CBA upon **Application Secret** expiration.
 
 The app should now be ready to be used.
@@ -309,7 +311,7 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 -------- | -------- | ---- | -----------
 **tenant** | required | string | Tenant ID (e.g. 1e309abf-db6c-XXXX-a1d2-XXXXXXXXXXXX) |
 **client_id** | required | string | Application ID |
-**auth_type** | optional | string | Authentication type to use for connectivity |
+**auth_type** | required | string | Authentication type to use for connectivity |
 **client_secret** | optional | password | Application Secret(required for OAuth) |
 **certificate_thumbprint** | optional | password | Certificate Thumbprint (required for CBA) |
 **certificate_private_key** | optional | password | Certificate Private Key (.PEM) |

manual_readme_content.md

@@ -82,11 +82,13 @@ After making these changes, click **Add permissions** , then select **Grant admi
 
 ## Splunk SOAR Graph Asset
 
-When creating an asset for the **MS Graph for Office 365** app, place **Application ID** of the app
-created during the app registration on the Azure Portal in the **Application ID** field and place
-the client secret generated during the app registration process in the **Application Secret** field.
-Then, after filling out the **Tenant** field, click **SAVE** . Both the Application/Client ID and
-the Tenant ID can be found in the **Overview** tab on your app's Azure page.
+When creating an asset you must choose one of the 3 auth types: **Automatic**, **OAuth**, or **CBA**; and specify your
+choice in the **Authentication type to use for connectivity** field. "Automatic" auth means that the app will first try OAuth,
+and then if that doesn't work, it will try CBA. For this reason if you choose Automatic auth, the most resilient strategy would be
+to specify the parameters required for both OAuth and CBA.
+
+For all three auth types you must fill out the **Application ID** and **Tenant** fields. Both the Application/Client ID and
+the Tenant ID can be found in the **Overview** tab on your app's Azure page. After you have these fields filled out click **SAVE**.
 
 After saving, a new field will appear in the **Asset Settings** tab. Take the URL found in the
 **POST incoming for MS Graph for Office 365 to this location** field and place it in the **Redirect
@@ -121,7 +123,7 @@ the window. To give this user permission to view assets, follow these steps:
 
 #### Admin User Workflow (OAuth)
 
-- Configure the asset with required details while keeping the **Admin Access Required** as
+- Configure the asset with **Tenant ID**, **Application ID** and **Application Secret** while keeping the **Admin Access Required** as
   checked.
 - While configuring the asset for the first time, keep **Admin Consent Already Provided** as
   unchecked.
@@ -144,7 +146,7 @@ the window. To give this user permission to view assets, follow these steps:
 
 #### Non-Admin User Workflow (OAuth)
 
-- Configure the asset with required details while keeping the **Admin Access Required** as
+- Configure the asset with **Tenant ID**, **Application ID** and **Application Secret** while keeping the **Admin Access Required** as
   unchecked. **Admin Consent Already Provided** config parameter will be ignored in the non-admin
   workflow.
 - Provide **Access Scope** parameter in the asset configuration. All the actions will get executed
@@ -174,8 +176,8 @@ the window. To give this user permission to view assets, follow these steps:
 
 #### Automatic Authentication Workflow
 
-- Configure the asset with the required details, including either the **Application Secret** or a combination of **Certificate Thumbprint** and **Certificate Private Key (.PEM)**.
-- If **Application Secret** exists, it will take priority and follow the OAuth workflow. Otherwise, it will continue with the CBA workflow.
+- Configure the asset with both the parameters needed for OAuth and CBA. This means you need to specify either the **Application Secret** or a combination of **Certificate Thumbprint** and **Certificate Private Key (.PEM)**. You may provide all three.
+- The OAuth workflow will take priority over the CBA workflow.
 - The system doesn’t automatically switch from OAuth to CBA when the **Application Secret** expires. However, if **Admin Access Required** is disabled, **Access Scope** is not specified, and **Admin Consent Already Provided** is enabled, it will switch to CBA upon **Application Secret** expiration.
 
 The app should now be ready to be used.

office365.json

@@ -61,8 +61,8 @@
         "auth_type": {
             "data_type": "string",
             "order": 2,
+            "required": true,
             "description": "Authentication type to use for connectivity",
-            "default": "Automatic",
             "value_list": [
                 "Automatic",
                 "OAuth",
@@ -8668,12 +8668,44 @@
         "wheel": [
             {
                 "module": "PyJWT",
-                "input_file": "wheels/py3/PyJWT-2.10.0-py3-none-any.whl"
+                "input_file": "wheels/py3/PyJWT-2.10.1-py3-none-any.whl"
             },
             {
                 "module": "cffi",
                 "input_file": "wheels/py39/cffi-1.17.1-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl"
             },
+            {
+                "module": "cryptography",
+                "input_file": "wheels/py3/cryptography-45.0.5-cp37-abi3-manylinux_2_28_x86_64.whl"
+            },
+            {
+                "module": "msal",
+                "input_file": "wheels/py3/msal-1.31.0-py3-none-any.whl"
+            },
+            {
+                "module": "pycparser",
+                "input_file": "wheels/py3/pycparser-2.22-py3-none-any.whl"
+            },
+            {
+                "module": "python_magic",
+                "input_file": "wheels/shared/python_magic-0.4.18-py2.py3-none-any.whl"
+            }
+        ]
+    },
+    "pip313_dependencies": {
+        "wheel": [
+            {
+                "module": "PyJWT",
+                "input_file": "wheels/py3/PyJWT-2.10.1-py3-none-any.whl"
+            },
+            {
+                "module": "cffi",
+                "input_file": "wheels/py313/cffi-1.17.1-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl"
+            },
+            {
+                "module": "cryptography",
+                "input_file": "wheels/py3/cryptography-45.0.5-cp311-abi3-manylinux_2_28_x86_64.whl"
+            },
             {
                 "module": "msal",
                 "input_file": "wheels/py3/msal-1.31.0-py3-none-any.whl"

office365_connector.py

@@ -1406,6 +1406,11 @@ def _handle_test_connectivity(self, param):
                 else:
                     self._auth_type = "cba"
                     self.save_progress("Failed to obtain consent, switching to Certificate Based Authentication")
+                    if not (self._thumbprint and self._certificate_private_key):
+                        return action_result.set_status(
+                            phantom.APP_ERROR,
+                            "Tried switching to Certificate Based Authentication, but the necessary CBA configuraiton parameters are not set.",
+                        )
 
         self.save_progress("Getting the token")
         ret_val = self._get_token(action_result)
@@ -3396,9 +3401,6 @@ def initialize(self):
         config = self.get_config()
         self._asset_id = self.get_asset_id()
 
-        # Load all the asset configuration in global variables
-        self._state = self.load_state()
-
         self._tenant = config["tenant"]
         self._client_id = config["client_id"]
         self._auth_type = MSGOFFICE365_AUTH_TYPES.get(config.get("auth_type", MSGOFFICE365_AUTH_AUTOMATIC))
@@ -3409,6 +3411,23 @@ def initialize(self):
         self._certificate_private_key = config.get("certificate_private_key")
         self._scope = config.get("scope") if config.get("scope") else None
 
+        if self._auth_type == "cba":
+            # Certificate Based Authentication requires both Certificate Thumbprint and Certificate Private Key
+            if not (self._thumbprint and self._certificate_private_key):
+                return self.set_status(phantom.APP_ERROR, MSGOFFICE365_CBA_AUTH_ERROR)
+
+            # Check non-interactive is enabled for CBA auth
+            if not self._admin_consent:
+                return self.set_status(phantom.APP_ERROR, MSGOFFICE365_CBA_ADMIN_CONSENT_ERROR)
+        elif self._auth_type == "oauth":
+            # OAuth Authentication requires Client Secret
+            if not self._client_secret:
+                return self.set_status(phantom.APP_ERROR, MSGOFFICE365_OAUTH_AUTH_ERROR)
+        else:
+            # Must either supply cba or oauth credentials for automatic auth
+            if not self._client_secret and not (self._thumbprint and self._certificate_private_key):
+                return self.set_status(phantom.APP_ERROR, MSGOFFICE365_AUTOMATIC_AUTH_ERROR)
+
         self._number_of_retries = config.get("retry_count", MSGOFFICE365_DEFAULT_NUMBER_OF_RETRIES)
         ret_val, self._number_of_retries = _validate_integer(
             self, self._number_of_retries, "'Maximum attempts to retry the API call' asset configuration"
@@ -3426,6 +3445,9 @@ def initialize(self):
         if phantom.is_fail(ret_val):
             return self.get_status()
 
+        # Load all the asset configuration in global variables
+        self._state = self.load_state()
+
         if not self._admin_access:
             if not self._scope and self._auth_type == "oauth":
                 return self.set_status(phantom.APP_ERROR, MSGOFFICE365_NON_ADMIN_SCOPE_ERROR)
@@ -3435,23 +3457,6 @@ def initialize(self):
         else:
             self._access_token = self._state.get("admin_auth", {}).get("access_token", None)
 
-        if self._auth_type == "cba":
-            # Certificate Based Authentication requires both Certificate Thumbprint and Certificate Private Key
-            if not (self._thumbprint and self._certificate_private_key):
-                return self.set_status(phantom.APP_ERROR, MSGOFFICE365_CBA_AUTH_ERROR)
-
-            # Check non-interactive is enabled for CBA auth
-            if not self._admin_consent:
-                return self.set_status(phantom.APP_ERROR, MSGOFFICE365_CBA_ADMIN_CONSENT_ERROR)
-        elif self._auth_type == "oauth":
-            # OAuth Authentication requires Client Secret
-            if not self._client_secret:
-                return self.set_status(phantom.APP_ERROR, MSGOFFICE365_OAUTH_AUTH_ERROR)
-        else:
-            # Must either supply client_secret, or both thumbprint and private key
-            if not self._client_secret and not (self._thumbprint and self._certificate_private_key):
-                return self.set_status(phantom.APP_ERROR, MSGOFFICE365_AUTOMATIC_AUTH_ERROR)
-
         if action_id == "test_connectivity":
             # User is trying to complete the authentication flow, so just return True from here so that test connectivity continues
             return phantom.APP_SUCCESS

release_notes/unreleased.md

@@ -1,3 +1,3 @@
 **Unreleased**
 
-* chore(ci): update pre-commit config
+* fix: Improvement to automatic auth by failing Certificate Based Authentication before tokens are deleted if the config parameters for CBA are not provided