fix: add default event uri to client expired background job (#139)

stijnmoreels · web-flow · commit fc3e7cc4329b · 2022-05-16T10:27:13.000+02:00
* fix: add default event uri to client expired background job

* Update ClientSecretExpirationJob.cs

* Update ClientSecretExpirationJob.cs

* pr-fix: use sec event tracking

* pr-fix: follow-up merge w/ 'master'
diff --git a/src/Arcus.BackgroundJobs.AzureActiveDirectory/ClientSecretExpirationJob.cs b/src/Arcus.BackgroundJobs.AzureActiveDirectory/ClientSecretExpirationJob.cs
@@ -1,10 +1,8 @@
 ﻿using System;
 using System.Collections.Generic;
-using System.Net.Http.Headers;
 using System.Threading;
 using System.Threading.Tasks;
 using Arcus.EventGrid.Publishing.Interfaces;
-using Arcus.Security.Core;
 using Azure.Identity;
 using CloudNative.CloudEvents;
 using CronScheduler.Extensions.Scheduler;
@@ -72,30 +70,49 @@ public async Task ExecuteAsync(CancellationToken stoppingToken)
         {
             try
             {
-                _logger.LogTrace("Executing {Name}", nameof(ClientSecretExpirationJob));
-                var graphServiceClient = new GraphServiceClient(new DefaultAzureCredential());
-                _logger.LogTrace("Token retrieved, getting a list of applications with expired or about to expire secrets");
-
-                var clientSecretExpirationInfoProvider = new ClientSecretExpirationInfoProvider(graphServiceClient, _logger);
-                IEnumerable<AzureApplication> applications =
-                    await clientSecretExpirationInfoProvider.GetApplicationsWithPotentialExpiredSecrets(_options.UserOptions.ExpirationThreshold);
+                _logger.LogTrace("Executing {Name}", Name);
+                IEnumerable<AzureApplication> applications = await GetAzureApplicationsWithPotentialExpiredSecretsAsync();
 
                 foreach (AzureApplication application in applications)
                 {
                     ClientSecretExpirationEventType eventType = DetermineExpirationEventType(application);
+                    
+                    LogPotentialSecretEvent(application, eventType);
 
-                    CloudEvent @event = _options.UserOptions.CreateEvent(application, eventType, _options.UserOptions.EventUri);
-                    await _eventGridPublisher.PublishAsync(@event);
+                    await PublishPotentialSecretEventAsync(application, eventType);
                 }
-                _logger.LogTrace("Executing {Name} finished", nameof(ClientSecretExpirationJob));
+                _logger.LogTrace("Executing {Name} finished", Name);
             }
             catch (Exception exception)
             {
                 _logger.LogCritical(exception, "Could not correctly publish Azure EventGrid events for potential expired client secrets in the Azure Active Directory due to an exception");
             }
         }
 
-        private ClientSecretExpirationEventType DetermineExpirationEventType(AzureApplication application)
+        private async Task<IEnumerable<AzureApplication>> GetAzureApplicationsWithPotentialExpiredSecretsAsync()
+        {
+            var graphServiceClient = new GraphServiceClient(new DefaultAzureCredential());
+            _logger.LogTrace("Token retrieved, getting a list of applications with expired or about to expire secrets");
+
+            var clientSecretExpirationInfoProvider = new ClientSecretExpirationInfoProvider(graphServiceClient, _logger);
+            
+            IEnumerable<AzureApplication> applications =
+                await clientSecretExpirationInfoProvider.GetApplicationsWithPotentialExpiredSecrets(_options.UserOptions.ExpirationThreshold);
+            
+            return applications;
+        }
+
+        private static ClientSecretExpirationEventType DetermineExpirationEventType(AzureApplication application)
+        {
+            if (application.RemainingValidDays < 0)
+            {
+                return ClientSecretExpirationEventType.ClientSecretExpired;
+            }
+
+            return ClientSecretExpirationEventType.ClientSecretAboutToExpire;
+        }
+
+        private void LogPotentialSecretEvent(AzureApplication application, ClientSecretExpirationEventType eventType)
         {
             var telemetryContext = new Dictionary<string, object>
             {
@@ -104,18 +121,27 @@ private ClientSecretExpirationEventType DetermineExpirationEventType(AzureApplic
                 { "RemainingValidDays", application.RemainingValidDays }
             };
 
-            var eventType = ClientSecretExpirationEventType.ClientSecretAboutToExpire;
-            if (application.RemainingValidDays < 0)
+            switch (eventType)
             {
-                eventType = ClientSecretExpirationEventType.ClientSecretExpired;
-                _logger.LogEvent($"The secret {application.KeyId} for Azure Active Directory application {application.Name} has expired.", telemetryContext);
-            }
-            else
-            {
-                _logger.LogEvent($"The secret {application.KeyId} for Azure Active Directory application {application.Name} will expire within {application.RemainingValidDays} days.", telemetryContext);
+                case ClientSecretExpirationEventType.ClientSecretExpired:
+                    telemetryContext["Description"] = $"The secret {application.KeyId} for Azure Active Directory application {application.Name} has expired.";
+                    _logger.LogSecurityEvent("Expired Azure Active Directory application secret", telemetryContext);
+                    break;
+                
+                case ClientSecretExpirationEventType.ClientSecretAboutToExpire:
+                    telemetryContext["Description"] = $"The secret {application.KeyId} for Azure Active Directory application {application.Name} will expire within {application.RemainingValidDays} days.";
+                    _logger.LogSecurityEvent("Soon expired Azure Active Directory application secret", telemetryContext);
+                    break;
+                
+                default: 
+                    throw new ArgumentOutOfRangeException(nameof(eventType), eventType, "Could not determine event type for potential expired Azure Application secret");
             }
+        }
 
-            return eventType;
+        private async Task PublishPotentialSecretEventAsync(AzureApplication application, ClientSecretExpirationEventType eventType)
+        {
+            CloudEvent @event = _options.UserOptions.CreateEvent(application, eventType);
+            await _eventGridPublisher.PublishAsync(@event);
         }
     }
 }
diff --git a/src/Arcus.BackgroundJobs.AzureActiveDirectory/ClientSecretExpirationJobOptions.cs b/src/Arcus.BackgroundJobs.AzureActiveDirectory/ClientSecretExpirationJobOptions.cs
@@ -7,13 +7,13 @@
 namespace Arcus.BackgroundJobs.AzureActiveDirectory
 {
     /// <summary>
-    /// Represents the additional options that the user can configure during the <see cref="IServiceCollectionExtensions.AddClientSecretExpirationJob(IServiceCollection,Action{ClientSecretExpirationJobOptions})"/> call.
+    /// Represents the additional options that the user can configure during the <see cref="IServiceCollectionExtensions.AddClientSecretExpirationJob(IServiceCollection, Action{ClientSecretExpirationJobOptions})"/> call.
     /// </summary>
     public class ClientSecretExpirationJobOptions
     {
         private int _runAtHour = 0;
         private bool _runImmediately = false;
-        private Uri _eventUri = null;
+        private Uri _eventUri = new Uri("https://azure.net/");
         private int _expirationThreshold = 14;
 
         /// <summary>
@@ -79,25 +79,22 @@ public int ExpirationThreshold
         /// </summary>
         /// <param name="application">The <see cref="AzureApplication"/> containing the information regarding the application and its expiring or about to expire secret.</param>
         /// <param name="type">The type used in the creation of the <see cref="CloudEvent"/>.</param>
-        /// <param name="eventUri">The uri used in the creation of the <see cref="CloudEvent"/>.</param>
         /// <exception cref="ArgumentNullException">Thrown when the <paramref name="application"/> is null.</exception>
         /// <exception cref="ArgumentException">Thrown when the <paramref name="application"/> name is blank.</exception>
-        /// <exception cref="ArgumentException">Thrown when the <paramref name="eventUri"/> is blank.</exception>
-        internal CloudEvent CreateEvent(AzureApplication application, ClientSecretExpirationEventType type, Uri eventUri)
+        internal CloudEvent CreateEvent(AzureApplication application, ClientSecretExpirationEventType type)
         {
             Guard.NotNull(application, nameof(application));
             Guard.NotNullOrWhitespace(application.Name, nameof(application.Name));
-            Guard.NotNullOrWhitespace(eventUri.OriginalString, nameof(eventUri));
 
             string eventSubject = $"/appregistrations/clientsecrets/{application.KeyId}";
             string eventId = Guid.NewGuid().ToString();
 
             CloudEvent @event = new CloudEvent(
-                                    CloudEventsSpecVersion.V1_0,
-                                    type.ToString(),
-                                    eventUri,
-                                    eventSubject,
-                                    eventId)
+                                     CloudEventsSpecVersion.V1_0,
+                                     type.ToString(),
+                                     _eventUri,
+                                     eventSubject,
+                                     eventId)
             {
                 Data = application,
                 DataContentType = new ContentType("application/json")
diff --git a/src/Arcus.BackgroundJobs.AzureActiveDirectory/Extensions/IServiceCollectionExtensions.cs b/src/Arcus.BackgroundJobs.AzureActiveDirectory/Extensions/IServiceCollectionExtensions.cs
@@ -20,8 +20,8 @@ public static class IServiceCollectionExtensions
         /// which will query Azure Active Directory for applications that have expired or soon to be expired secrets and send a CloudEvent to an Event Grid Topic.
         /// </summary>
         /// <remarks>
-        ///     Make sure that the application has an Arcus EventGrid publisher configured.
-        ///     For on the Arcus secret store: <a href="https://eventgrid.arcus-azure.net/Features/publishing-events" />.
+        ///     Make sure that you register an <see cref="IEventGridPublisher"/> instance that the background job can use to publish events for potential expired Azure Application secrets.
+        ///     For more information on Azure EventGrid, see: <a href="https://eventgrid.arcus-azure.net/Features/publishing-events" />.
         /// </remarks>
         /// <param name="services">The services to add the background job to.</param>
         /// <exception cref="ArgumentNullException">Thrown when <paramref name="services"/> is <c>null</c>.</exception>
@@ -36,8 +36,8 @@ public static IServiceCollection AddClientSecretExpirationJob(this IServiceColle
         /// which will query Azure Active Directory for applications that have expired or soon to be expired secrets and send a CloudEvent to an Event Grid Topic.
         /// </summary>
         /// <remarks>
-        ///     Make sure that the application has an Arcus EventGrid publisher configured.
-        ///     For on the Arcus secret store: <a href="https://eventgrid.arcus-azure.net/Features/publishing-events" />.
+        ///     Make sure that you register an <see cref="IEventGridPublisher"/> instance that the background job can use to publish events for potential expired Azure Application secrets.
+        ///     For more information on Azure EventGrid, see: <a href="https://eventgrid.arcus-azure.net/Features/publishing-events" />.
         /// </remarks>
         /// <param name="services">The services to add the background job to.</param>
         /// <param name="configureOptions">The optional additional customized user configuration of options for this background job.</param>
diff --git a/src/Arcus.BackgroundJobs.Tests.Unit/AzureActiveDirectory/IServiceCollectionExtensionsTests.cs b/src/Arcus.BackgroundJobs.Tests.Unit/AzureActiveDirectory/IServiceCollectionExtensionsTests.cs
@@ -0,0 +1,35 @@
+﻿using System;
+using Arcus.EventGrid.Publishing;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Xunit;
+
+namespace Arcus.BackgroundJobs.Tests.Unit.AzureActiveDirectory
+{
+    // ReSharper disable once InconsistentNaming
+    [Trait(name: "Category", value: "Unit")]
+    public class IServiceCollectionExtensionsTests
+    {
+        [Fact]
+        public void AddClientSecretExpirationJob_WithoutOptions_Succeeds()
+        {
+            // Arrange
+            var services = new ServiceCollection();
+            services.AddLogging();
+            services.AddSingleton<IConfiguration>(new ConfigurationBuilder().Build());
+            services.AddSingleton(
+                EventGridPublisherBuilder
+                    .ForTopic("https://some-topic")
+                    .UsingAuthenticationKey("<key>")
+                    .Build());
+
+            // Act
+            services.AddClientSecretExpirationJob();
+
+            // Assert
+            IServiceProvider provider = services.BuildServiceProvider();
+            Assert.NotNull(provider.GetService<IHostedService>());
+        }
+    }
+}
