Update for release 3.3.0.11 (#284)

- Migrate from ProvisioningAPI to Graph API
- Fixed some typos
- Merged PR for Windows Server 2025 support: #269
- Implemented filtering of ASR Rule based on presence of exchange
- Updated readme.md

---------

Signed-off-by: HerbieSmith-Netwrix <Herbert.Smith@netwrix.com>

Author: HerbieSmith-Netwrix

ADWS/ADWSConnection.cs

@@ -421,7 +421,7 @@ private void EnumerateInternalWithADWS(string distinguishedName, string filter,
                             }
                         }
                     }
-					throw new PingCastleException("An ADWS exception occured (fault:" + ex.Message + ";reason:" + ex.Reason + ").\r\nADWS is a faster protocol than LDAP but bound to a default 30 minutes limitation. If this error persists, we recommand to force the LDAP protocol. Run PingCastle with the following switches: --protocol LDAPOnly --interactive");
+					throw new PingCastleException("An ADWS exception occured (fault:" + ex.Message + ";reason:" + ex.Reason + ").\r\nADWS is a faster protocol than LDAP but bound to a default 30 minutes limitation. If this error persists, we recommend to force the LDAP protocol. Run PingCastle with the following switches: --protocol LDAPOnly --interactive");
 				}
 				Trace.WriteLine("[" + DateTime.Now.ToLongTimeString() + "]Pull successful");
 				if (pullResponse.EndOfSequence != null)

Bot/Bot.cs

@@ -1,5 +1,6 @@
 using PingCastle.Data;
 using PingCastle.Healthcheck;
+using PingCastle.PingCastleLicense;
 using PingCastle.Report;
 using PingCastle.Rules;
 using System;
@@ -195,7 +196,7 @@ private BotInputOutput ToHtml(BotInputOutput input)
                 {
                     HealthcheckData healthcheckData = DataHelper<HealthcheckData>.LoadXml(ms, "bot", null);
                     var endUserReportGenerator = new ReportHealthCheckSingle();
-                    var license = LicenseManager.Validate(typeof(Program), new Program()) as ADHealthCheckingLicense;
+                    var license = LicenseCache.Instance.GetLicense();
                     var report = endUserReportGenerator.GenerateReportFile(healthcheckData, license, healthcheckData.GetHumanReadableFileName());
 
                     var o = new BotInputOutput();

Cloud/Analyzer/Analyzer.cs

@@ -24,6 +24,7 @@ namespace PingCastle.Cloud.Credentials
 {
     public class CertificateCredential : IDisposable, IAzureCredential
     {
+        public bool ForceRefreshByRefreshToken { get; set; }
         private CertificateCredential()
         {
 

Cloud/Credentials/CertificateCredential.cs

@@ -27,22 +27,44 @@ public CredentialBase(string tenantid)
 
         Dictionary<Type, Token> cache = new Dictionary<Type, Token>();
         public Token LastTokenQueried { get; protected set; }
+
+        public bool ForceRefreshByRefreshToken { get; set; }
+
         public async Task<Token> GetToken<T>() where T : IAzureService
         {
-            Token token;
             if (cache.ContainsKey(typeof(T)))
             {
-                token = cache[typeof(T)];
+              var  caschedToken = cache[typeof(T)];
+
+                var networkLatency = 5;
+                var expiresOn = DateTimeOffset.FromUnixTimeSeconds(caschedToken.expires_on).AddSeconds(-networkLatency);
+
+                if (expiresOn <= DateTime.UtcNow || ForceRefreshByRefreshToken)
+                {
+                    caschedToken = await TokenFactory.RefreshToken<T>(tenantId, caschedToken);
+                    UpdateTokenCache<T>(caschedToken);
+                }
+
+                return caschedToken;
+            }
+
+            var newToken = await TokenFactory.GetToken<T>(this);
+            UpdateTokenCache<T>(newToken);
 
-                // TODO refresh
+            return newToken;
+        }
 
-                return token;
+        private void UpdateTokenCache<T>(Token token) where T : IAzureService
+        {
+            if (token.expires_on == 0)
+            {
+                token.expires_on = (uint)((DateTimeOffset)DateTime.UtcNow.AddSeconds(token.expires_in)).ToUnixTimeSeconds();
             }
-            token = await TokenFactory.GetToken<T>(this);
+
             LastTokenQueried = token;
             cache[typeof(T)] = token;
-            return token;
         }
+
         string tenantId;
         public string Tenantid
         {

Cloud/Credentials/CredentialBase.cs

@@ -20,5 +20,6 @@ public interface IAzureCredential
         string TenantidToQuery { get; set; }
         Task<Token> GetToken<T>() where T : IAzureService;
         Token LastTokenQueried { get; }
+        bool ForceRefreshByRefreshToken { get; set; }
     }
 }

Cloud/Credentials/IAzureCredential.cs

@@ -330,10 +330,6 @@ string ComputeIntegrity()
 
         public string ProvisionDirectorySynchronizationStatus { get; set; }
 
-        public List<string> ProvisionCompanyTags { get; set; }
-
-        public string ProvisionCompanyType { get; set; }
-
         public bool? ProvisionPasswordSynchronizationEnabled { get; set; }
 
         public List<string> ProvisionAuthorizedServiceInstances { get; set; }

Cloud/Data/HealthCheckCloudData.cs

@@ -0,0 +1,30 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Kiota.Abstractions.Authentication;
+using PingCastle.Cloud.Credentials;
+using PingCastle.Cloud.RESTServices.Azure;
+
+namespace PingCastle.Cloud.MsGraph
+{
+    public class AzureCredentialTokenProvider<T> : IAccessTokenProvider where T : IAzureService
+    {
+        private readonly IAzureCredential _credential;
+
+        public AzureCredentialTokenProvider(IAzureCredential credential)
+        {
+            _credential = credential;
+        }
+
+        public async Task<string> GetAuthorizationTokenAsync(Uri uri, Dictionary<string, object> additionalAuthenticationContext = default, CancellationToken cancellationToken = default)
+        {
+            Trace.WriteLine($"ACTP: the token has been requested {uri}");
+            var token = await _credential.GetToken<T>();
+            return token.access_token;
+        }
+
+        public AllowedHostsValidator AllowedHostsValidator => new AllowedHostsValidator();
+    }
+}

Cloud/MsGraph/AzureCredentialTokenProvider.cs

@@ -0,0 +1,13 @@
+using PingCastle.Cloud.Credentials;
+
+namespace PingCastle.Cloud.MsGraph
+{
+    public static class GraphApiClientFactory
+    {
+        public static IGraphApiClient Create(IAzureCredential credential)
+        {
+            var client = GraphServiceClientFactory.Create<MsGraphApiFacade>(credential);
+            return new MsGraphApiFacade(client);
+        }
+    }
+}

Cloud/MsGraph/GraphApiClientFactory.cs

@@ -0,0 +1,29 @@
+using Microsoft.Graph;
+using Microsoft.Graph.Beta;
+using Microsoft.Kiota.Abstractions.Authentication;
+using PingCastle.Cloud.Credentials;
+using PingCastle.Cloud.RESTServices.Azure;
+
+namespace PingCastle.Cloud.MsGraph
+{
+    public static class GraphServiceClientFactory
+    {
+        public static GraphServiceClient Create(string accessToken)
+        {
+            return Create(new SimpleAccessTokenProvider(accessToken));
+        }
+
+        public static GraphServiceClient Create<T>(IAzureCredential credential) where T : IAzureService
+        {
+            return Create(new AzureCredentialTokenProvider<T>(credential));
+        }
+
+        public static GraphServiceClient Create(IAccessTokenProvider tokenProvider)
+        {
+            var authProvider = new BaseBearerTokenAuthenticationProvider(tokenProvider);
+            var httpClient = GraphClientFactory.Create(authProvider, version: "beta");
+
+            return new GraphServiceClient(httpClient);
+        }
+    }
+}

Cloud/MsGraph/GraphServiceClientFactory.cs

@@ -0,0 +1,19 @@
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Microsoft.Graph.Beta.Models;
+
+namespace PingCastle.Cloud.MsGraph
+{
+    public interface IGraphApiClient
+    {
+        Task<Organization> GetCompanyInfoAsync();
+        Task<AuthorizationPolicy> GetAuthorizationPolicyAsync();
+        Task<OnPremisesDirectorySynchronization> GetOnPremisesDirectorySynchronizationAsync();
+        Task<IReadOnlyList<LicenseDetails>> GetUserLicensesAsync(string userId);
+        IAsyncEnumerable<DirectoryRole> GetRolesAsync();
+        IAsyncEnumerable<DirectoryRoleTemplate> GetRoleTemplatesAsync();
+        Task<IReadOnlyList<Domain>> GetDomainsAsync();
+        Task<IReadOnlyList<DomainDnsRecord>> GetDomainDnsRecordsAsync(string domainName);
+        IAsyncEnumerable<UserRegistrationDetails> GetUserRegistrationDetailsAsync();
+    }
+}

Cloud/MsGraph/IGraphApiClient.cs

@@ -0,0 +1,133 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Linq;
+using System.Net;
+using System.Threading.Tasks;
+using Microsoft.Graph.Beta;
+using Microsoft.Graph.Beta.Models;
+using PingCastle.Cloud.MsGraph;
+using PingCastle.Cloud.RESTServices.Azure;
+
+namespace PingCastle.Cloud
+{
+    [AzureService("1b730954-1685-4b74-9bfd-dac224a7b894", "https://graph.microsoft.com")]
+    [EndPoint("https://login.microsoftonline.com/common/oauth2/v2.0/authorize", "https://login.microsoftonline.com/common/oauth2/v2.0/token", "https://graph.microsoft.com/.default")]
+    public class MsGraphApiFacade : IAzureService, IGraphApiClient
+    {
+        private readonly GraphServiceClient _client;
+
+        public MsGraphApiFacade(GraphServiceClient client)
+        {
+            _client = client;
+        }
+
+        public async Task<Organization> GetCompanyInfoAsync()
+        {
+            var companies = await _client.Organization.GetAsync();
+            return companies.Value.FirstOrDefault();
+        }
+
+        public async Task<AuthorizationPolicy> GetAuthorizationPolicyAsync()
+        {
+            var policies = await _client.Policies.AuthorizationPolicy.GetAsync();
+            return policies.Value.FirstOrDefault();
+        }
+     
+        public async Task<OnPremisesDirectorySynchronization> GetOnPremisesDirectorySynchronizationAsync()
+        {
+            var onPremSync = await _client.Directory.OnPremisesSynchronization.GetAsync();
+            return onPremSync.Value.FirstOrDefault();
+        }
+
+        public async Task<IReadOnlyList<LicenseDetails>> GetUserLicensesAsync(string userId)
+        {
+            try
+            {
+                var licenses = await _client.Users[userId].LicenseDetails.GetAsync();
+                return licenses.Value;
+            }
+            catch (Exception ex)
+            {
+                Trace.TraceError($"User id: {userId} not found. Error: {ex}");
+                return null;
+            }
+        }
+
+        public async IAsyncEnumerable<DirectoryRole> GetRolesAsync()
+        {
+            var roles = await _client.DirectoryRoles
+                .GetAsync(configuration =>
+                {
+                    configuration.QueryParameters.Expand = new[] { "members" };
+                });
+
+            do
+            {
+                foreach (var role in roles.Value)
+                {
+                    yield return role;
+                }
+            }
+            while (roles.OdataNextLink != null &&
+                    (roles = await _client.DirectoryRoles.WithUrl(roles.OdataNextLink).GetAsync()) != null);
+        }
+
+        public async IAsyncEnumerable<DirectoryRoleTemplate> GetRoleTemplatesAsync()
+        {
+            var templates = await _client.DirectoryRoleTemplates.GetAsync();
+
+            do
+            {
+                foreach (var template in templates.Value)
+                {
+                    yield return template;
+                }
+            }
+            while (templates.OdataNextLink != null &&
+                    (templates = await _client.DirectoryRoleTemplates.WithUrl(templates.OdataNextLink).GetAsync()) != null);
+        }
+
+        public async Task<IReadOnlyList<Domain>> GetDomainsAsync()
+        {
+            var domains = await _client.Domains.GetAsync(configuration =>
+            {
+                configuration.QueryParameters.Expand = new[] { "rootDomain" };
+            });
+            return domains.Value;
+        }
+
+        public async Task<IReadOnlyList<DomainDnsRecord>> GetDomainDnsRecordsAsync(string domainName)
+        {
+            try
+            {
+                var records = await _client.Domains[domainName].VerificationDnsRecords.GetAsync();
+                return records.Value;
+            }
+            catch (Exception ex)
+            {
+                Trace.TraceError($"Domain id: {domainName} not found. Error: {ex}");
+                return null;
+            }
+        }
+
+        public async IAsyncEnumerable<UserRegistrationDetails> GetUserRegistrationDetailsAsync()
+        {
+            var details = await _client.Reports.AuthenticationMethods.UserRegistrationDetails
+                .GetAsync(configuration =>
+                {
+                    configuration.QueryParameters.Select = new[] { "id", "isMfaRegistered", "isMfaCapable" };
+                });
+
+            do
+            {
+                foreach (var detail in details.Value)
+                {
+                    yield return detail;
+                }
+            }
+            while (details.OdataNextLink != null &&
+                (details = await _client.Reports.AuthenticationMethods.UserRegistrationDetails.WithUrl(details.OdataNextLink).GetAsync()) != null);
+        }
+    }
+}

Cloud/MsGraph/MsGraphApiFacade.cs

@@ -0,0 +1,25 @@
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Kiota.Abstractions.Authentication;
+using System;
+
+namespace PingCastle.Cloud.MsGraph
+{
+    public class SimpleAccessTokenProvider : IAccessTokenProvider
+    {
+        private readonly string _accessToken;
+
+        public SimpleAccessTokenProvider(string accessToken)
+        {
+            _accessToken = accessToken;
+        }
+
+        public async Task<string> GetAuthorizationTokenAsync(Uri uri, Dictionary<string, object> additionalAuthenticationContext = default, CancellationToken cancellationToken = default)
+        {
+            return await Task.FromResult(_accessToken);
+        }
+
+        public AllowedHostsValidator AllowedHostsValidator => new AllowedHostsValidator();
+    }
+}

Cloud/MsGraph/SimpleAccessTokenProvider.cs

@@ -1678,7 +1678,7 @@ public object BeforeSendRequest(ref Message request, IClientChannel channel)
                 request.Headers.Add(myHeader);
                 ClientVersionHeader clientVersionHeader = new ClientVersionHeader();
                 clientVersionHeader.ClientId = new Guid("50afce61-c917-435b-8c6d-60aa5a8b8aa7");
-                clientVersionHeader.Version = "1.2.183.66";
+                clientVersionHeader.Version = "1.2.183.81";
                 request.Headers.Add(MessageHeader.CreateHeader("ClientVersionHeader", "http://provisioning.microsoftonline.com/", clientVersionHeader));
                 ContractVersionHeader contractVersionHeader = new ContractVersionHeader();
                 contractVersionHeader.BecVersion = Version.Version47;

Cloud/RESTServices/Azure/ProvisioningApi.cs

@@ -5,24 +5,22 @@
 // Licensed under the Non-Profit OSL. See LICENSE file in the project root for full license information.
 //
 using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
 using System.Reflection;
 
 namespace PingCastle.Cloud.RESTServices.Azure
 {
     public class EndPointAttribute : Attribute
     {
-        public EndPointAttribute(string Authorize, string Token)
+        public EndPointAttribute(string authorize, string token, string scope = null)
         {
-            this.AuthorizeEndPoint = Authorize;
-            this.TokenEndPoint = Token;
+            AuthorizeEndPoint = authorize;
+            TokenEndPoint = token;
+            Scope = scope;
         }
 
         public string AuthorizeEndPoint { get; private set; }
         public string TokenEndPoint { get; private set; }
+        public string Scope { get; private set; }
 
         public static EndPointAttribute GetEndPointAttribute<T>() where T : IAzureService
         {