Minimal SharePoint CSOM permissions plugin #1018

Closed
waldekmastykarz opened this issue Mar 1, 2025 · 4 comments · Fixed by #1061
Labels: enhancement, work in progress

@waldekmastykarz
Collaborator

waldekmastykarz commented Mar 1, 2025

To detect minimal permissions when using SharePoint CSOM, we need to build a new plugin. CSOM uses a single endpoint (/_vti_bin/client.svc/ProcessQuery) to which you POST the body with one or more CSOM operations. This is why we can't use the existing plugin based on OpenAPI specs, but rather need a new plugin that will parse the request body, extract the operations and determine the necessary set of minimal permissions.

waldekmastykarz added the enhancement and needs peer review labels Mar 1, 2025
@waldekmastykarz
Collaborator Author

Here's how it could work.

In devproxyrc.json, you activate the new plugin and specify the path to the file that defines scopes for the different CSOM actions:

```json
{
  "$schema": "https://raw.githubusercontent.com/dotnet/dev-proxy/main/schemas/v0.25.0/rc.schema.json",
  "plugins": [
    {
      "name": "MinimalSharePointCSOMPermissionsPlugin",
      "enabled": true,
      "pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll",
      "configSection": "minimalSharePointCSOMPermissionsPlugin"
    }
  ],
  "urlsToWatch": [
    "https://*.sharepoint.com/*"
  ],
  "minimalSharePointCSOMPermissionsPlugin": {
    "$schema": "https://raw.githubusercontent.com/dotnet/dev-proxy/main/schemas/v0.25.0/minimalsharepointcsompermissionsplugin.schema.json",
    "permissionsFile": "csom.json"
  },
  "logLevel": "information",
  "newVersionNotification": "stable",
  "showSkipMessages": true,
  "record": true
}
```

In the csom.json file, which we ship with Dev Proxy, we define the list of actions and the supported scopes:

```json
{
  "$schema": "schema.json",
  "types": {
    // for readability to map CSOM type GUIDs to human-readable names
    "268004ae-ef6b-4e9b-8425-127220d84719": "Microsoft.SharePoint.SPTenant"
  },
  "actions": {
    "268004ae-ef6b-4e9b-8425-127220d84719.RemoveDeletedSite": {
      "delegated": [
        // all permissions that can be used to perform this operation
        // sorted ascending by privilege level, least privileged first
        "AllSites.FullControl"
      ],
      "application": [
        "Sites.FullControl.All"
      ]
    }
  }
}
```

We include these mappings in a separate file, so that users are not blocked in case they need actions that we haven't documented yet.

At runtime, this plugin intercepts requests to /_vti_bin/client.svc/ProcessQuery and parses the body to get the list of actions, and the necessary permissions to perform them.

The complexity of the implementation is twofold:

  1. Properly parsing CSOM request bodies to get the operations
  2. Mapping the SharePoint permissions supported by each operation
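
The flow described in the comment above, as an added example that is not part of the original issue or of Dev Proxy's code: parse a `ProcessQuery` body, key each method call by type GUID, and look it up in a `csom.json`-shaped map. The request XML shape and namespace, the function names, the sample body, and the final reduction step are assumptions; only paths that carry a `TypeId` directly are resolved.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://schemas.microsoft.com/sharepoint/clientquery/2009"}  # assumed
TENANT = "268004ae-ef6b-4e9b-8425-127220d84719"  # SPTenant type GUID from the issue
# Same shape as the proposed csom.json; this one entry is the issue's example.
PERMISSIONS = {"actions": {TENANT + ".RemoveDeletedSite": {
    "delegated": ["AllSites.FullControl"], "application": ["Sites.FullControl.All"]}}}
# Constructed request body; ExampleMethod and ExampleProperty are hypothetical.
SAMPLE_BODY = """<Request xmlns="http://schemas.microsoft.com/sharepoint/clientquery/2009">
  <Actions>
    <Method Name="RemoveDeletedSite" Id="3" ObjectPathId="1" />
    <Method Name="ExampleMethod" Id="5" ObjectPathId="4" />
  </Actions>
  <ObjectPaths>
    <Constructor Id="1" TypeId="{268004ae-ef6b-4e9b-8425-127220d84719}" />
    <Property Id="4" ParentId="1" Name="ExampleProperty" />
  </ObjectPaths>
</Request>"""


def extract_actions(body):
    """Return (resolved, unresolved): "typeGuid.Method" keys, plus names of methods
    whose object path has no TypeId (e.g. a property chain) and so cannot be keyed."""
    root = ET.fromstring(body)
    type_by_path = {p.get("Id"): p.get("TypeId").strip("{}").lower()
                    for p in root.findall("c:ObjectPaths/*", NS) if p.get("TypeId")}
    resolved, unresolved = [], []
    for method in root.findall("c:Actions/c:Method", NS):
        type_id = type_by_path.get(method.get("ObjectPathId"))
        if type_id:
            resolved.append(f"{type_id}.{method.get('Name')}")
        else:
            unresolved.append(method.get("Name"))
    return resolved, unresolved


def minimal_scopes(body, kind="delegated", permissions=PERMISSIONS):
    """Return (scopes, unmapped). Unmapped actions are reported, never dropped,
    so a gap in the mapping file cannot look like "no permission needed"."""
    resolved, unmapped = extract_actions(body)
    options = []
    for key in resolved:
        scopes = permissions["actions"].get(key, {}).get(kind)
        if scopes:
            options.append(scopes)
        else:
            unmapped.append(key)
    chosen = {scopes[0] for scopes in options}  # least privileged entry per action
    for scope in sorted(chosen):  # assumed reduction: drop scopes another one covers
        if all((chosen - {scope}) & set(o) for o in options):
            chosen = chosen - {scope}
    return sorted(chosen), unmapped
```
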

@Adam-it

Adam-it commented Mar 4, 2025

Nice idea 👍
Unfortunately I don't have anything creative to add. I really like the idea in the csom.json to add the types node, which allows mapping a GUID to something more meaningful to humans.
Maybe if we already define that "268004ae-ef6b-4e9b-8425-127220d84719": "Microsoft.SharePoint.SPTenant" then in the actions node we define scopes as "Microsoft.SharePoint.SPTenant.RemoveDeletedSite": { ... instead of "268004ae-ef6b-4e9b-8425-127220d84719.RemoveDeletedSite": {.... So also here drop the GUID. What do you think?

@waldekmastykarz
Collaborator Author

We could absolutely do that @Adam-it. That's a nice suggestion that'll make it all a bit more readable with fewer lookups, especially as the file grows.

waldekmastykarz self-assigned this Mar 10, 2025
@waldekmastykarz
Collaborator Author

Here's a POC of how detecting permissions from CSOM requests could work: https://github.com/waldekmastykarz/dotnet-parse-csom
