Update for release 3.3.0.11 (#284)

- Migrate from ProvisioningAPI to Graph API
- Fixed some typos
- Merged PR for Windows Server 2025 support: #269
- Implemented filtering of ASR Rule based on presence of exchange
- Updated readme.md

---------

Signed-off-by: HerbieSmith-Netwrix <Herbert.Smith@netwrix.com>

Author: HerbieSmith-Netwrix

ADWS/ADWSConnection.cs

@@ -421,7 +421,7 @@ private void EnumerateInternalWithADWS(string distinguishedName, string filter,
                             }
                         }
                     }
-					throw new PingCastleException("An ADWS exception occured (fault:" + ex.Message + ";reason:" + ex.Reason + ").\r\nADWS is a faster protocol than LDAP but bound to a default 30 minutes limitation. If this error persists, we recommand to force the LDAP protocol. Run PingCastle with the following switches: --protocol LDAPOnly --interactive");
+					throw new PingCastleException("An ADWS exception occured (fault:" + ex.Message + ";reason:" + ex.Reason + ").\r\nADWS is a faster protocol than LDAP but bound to a default 30 minutes limitation. If this error persists, we recommend to force the LDAP protocol. Run PingCastle with the following switches: --protocol LDAPOnly --interactive");
 				}
 				Trace.WriteLine("[" + DateTime.Now.ToLongTimeString() + "]Pull successful");
 				if (pullResponse.EndOfSequence != null)

Bot/Bot.cs

@@ -1,5 +1,6 @@
 using PingCastle.Data;
 using PingCastle.Healthcheck;
+using PingCastle.PingCastleLicense;
 using PingCastle.Report;
 using PingCastle.Rules;
 using System;
@@ -195,7 +196,7 @@ private BotInputOutput ToHtml(BotInputOutput input)
                 {
                     HealthcheckData healthcheckData = DataHelper<HealthcheckData>.LoadXml(ms, "bot", null);
                     var endUserReportGenerator = new ReportHealthCheckSingle();
-                    var license = LicenseManager.Validate(typeof(Program), new Program()) as ADHealthCheckingLicense;
+                    var license = LicenseCache.Instance.GetLicense();
                     var report = endUserReportGenerator.GenerateReportFile(healthcheckData, license, healthcheckData.GetHumanReadableFileName());
 
                     var o = new BotInputOutput();

Cloud/Analyzer/Analyzer.cs

@@ -24,6 +24,7 @@ namespace PingCastle.Cloud.Credentials
 {
     public class CertificateCredential : IDisposable, IAzureCredential
     {
+        public bool ForceRefreshByRefreshToken { get; set; }
         private CertificateCredential()
         {
 

Cloud/Credentials/CertificateCredential.cs

@@ -27,22 +27,44 @@ public CredentialBase(string tenantid)
 
         Dictionary<Type, Token> cache = new Dictionary<Type, Token>();
         public Token LastTokenQueried { get; protected set; }
+
+        public bool ForceRefreshByRefreshToken { get; set; }
+
         public async Task<Token> GetToken<T>() where T : IAzureService
         {
-            Token token;
             if (cache.ContainsKey(typeof(T)))
             {
-                token = cache[typeof(T)];
+              var  caschedToken = cache[typeof(T)];
+
+                var networkLatency = 5;
+                var expiresOn = DateTimeOffset.FromUnixTimeSeconds(caschedToken.expires_on).AddSeconds(-networkLatency);
+
+                if (expiresOn <= DateTime.UtcNow || ForceRefreshByRefreshToken)
+                {
+                    caschedToken = await TokenFactory.RefreshToken<T>(tenantId, caschedToken);
+                    UpdateTokenCache<T>(caschedToken);
+                }
+
+                return caschedToken;
+            }
+
+            var newToken = await TokenFactory.GetToken<T>(this);
+            UpdateTokenCache<T>(newToken);
 
-                // TODO refresh
+            return newToken;
+        }
 
-                return token;
+        private void UpdateTokenCache<T>(Token token) where T : IAzureService
+        {
+            if (token.expires_on == 0)
+            {
+                token.expires_on = (uint)((DateTimeOffset)DateTime.UtcNow.AddSeconds(token.expires_in)).ToUnixTimeSeconds();
             }
-            token = await TokenFactory.GetToken<T>(this);
+
             LastTokenQueried = token;
             cache[typeof(T)] = token;
-            return token;
         }
+
         string tenantId;
         public string Tenantid
         {

Cloud/Credentials/CredentialBase.cs

@@ -20,5 +20,6 @@ public interface IAzureCredential
         string TenantidToQuery { get; set; }
         Task<Token> GetToken<T>() where T : IAzureService;
         Token LastTokenQueried { get; }
+        bool ForceRefreshByRefreshToken { get; set; }
     }
 }

Cloud/Credentials/IAzureCredential.cs

@@ -330,10 +330,6 @@ string ComputeIntegrity()
 
         public string ProvisionDirectorySynchronizationStatus { get; set; }
 
-        public List<string> ProvisionCompanyTags { get; set; }
-
-        public string ProvisionCompanyType { get; set; }
-
         public bool? ProvisionPasswordSynchronizationEnabled { get; set; }
 
         public List<string> ProvisionAuthorizedServiceInstances { get; set; }

Cloud/Data/HealthCheckCloudData.cs

@@ -0,0 +1,30 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Kiota.Abstractions.Authentication;
+using PingCastle.Cloud.Credentials;
+using PingCastle.Cloud.RESTServices.Azure;
+
+namespace PingCastle.Cloud.MsGraph
+{
+    public class AzureCredentialTokenProvider<T> : IAccessTokenProvider where T : IAzureService
+    {
+        private readonly IAzureCredential _credential;
+
+        public AzureCredentialTokenProvider(IAzureCredential credential)
+        {
+            _credential = credential;
+        }
+
+        public async Task<string> GetAuthorizationTokenAsync(Uri uri, Dictionary<string, object> additionalAuthenticationContext = default, CancellationToken cancellationToken = default)
+        {
+            Trace.WriteLine($"ACTP: the token has been requested {uri}");
+            var token = await _credential.GetToken<T>();
+            return token.access_token;
+        }
+
+        public AllowedHostsValidator AllowedHostsValidator => new AllowedHostsValidator();
+    }
+}

Cloud/MsGraph/AzureCredentialTokenProvider.cs

@@ -0,0 +1,13 @@
+using PingCastle.Cloud.Credentials;
+
+namespace PingCastle.Cloud.MsGraph
+{
+    public static class GraphApiClientFactory
+    {
+        public static IGraphApiClient Create(IAzureCredential credential)
+        {
+            var client = GraphServiceClientFactory.Create<MsGraphApiFacade>(credential);
+            return new MsGraphApiFacade(client);
+        }
+    }
+}

Cloud/MsGraph/GraphApiClientFactory.cs

@@ -0,0 +1,29 @@
+using Microsoft.Graph;
+using Microsoft.Graph.Beta;
+using Microsoft.Kiota.Abstractions.Authentication;
+using PingCastle.Cloud.Credentials;
+using PingCastle.Cloud.RESTServices.Azure;
+
+namespace PingCastle.Cloud.MsGraph
+{
+    public static class GraphServiceClientFactory
+    {
+        public static GraphServiceClient Create(string accessToken)
+        {
+            return Create(new SimpleAccessTokenProvider(accessToken));
+        }
+
+        public static GraphServiceClient Create<T>(IAzureCredential credential) where T : IAzureService
+        {
+            return Create(new AzureCredentialTokenProvider<T>(credential));
+        }
+
+        public static GraphServiceClient Create(IAccessTokenProvider tokenProvider)
+        {
+            var authProvider = new BaseBearerTokenAuthenticationProvider(tokenProvider);
+            var httpClient = GraphClientFactory.Create(authProvider, version: "beta");
+
+            return new GraphServiceClient(httpClient);
+        }
+    }
+}