tenseleyflow/rcal / f21746c

+        ProviderConfig, ProviderError, ReqwestMicrosoftHttpClient, inspect_token, list_calendars,

+    "  rcal providers microsoft auth inspect --account ID\n",

+    AuthInspect {

+        account: String,

+    },

+        "inspect" => {

+            let account = parse_required_account(args)?;

+            Ok(CliAction::Providers(ProviderCliAction::Microsoft(

+                MicrosoftCliAction::AuthInspect { account },

+            )))

+        }

+        MicrosoftCliAction::AuthInspect { account } => {

+            inspect_token(&account, &token_store).map(|inspection| {

+                let _ = writeln!(

+                    stdout,

+                    "account={} authenticated=true",

+                    inspection.account_id

+                );

+                let _ = writeln!(

+                    stdout,

+                    "aud={}",

+                    inspection.audience.as_deref().unwrap_or("<missing>")

+                );

+                let _ = writeln!(

+                    stdout,

+                    "scp={}",

+                    inspection.scopes.as_deref().unwrap_or("<missing>")

+                );

+                let _ = writeln!(

+                    stdout,

+                    "roles={}",

+                    if inspection.roles.is_empty() {

+                        "<missing>".to_string()

+                    } else {

+                        inspection.roles.join(",")

+                    }

+                );

+                let _ = writeln!(

+                    stdout,

+                    "tid={}",

+                    inspection.tenant_id.as_deref().unwrap_or("<missing>")

+                );

+                let _ = writeln!(

+                    stdout,

+                    "iss={}",

+                    inspection.issuer.as_deref().unwrap_or("<missing>")

+                );

+                let _ = writeln!(

+                    stdout,

+                    "appid={}",

+                    inspection.app_id.as_deref().unwrap_or("<missing>")

+                );

+                let _ = writeln!(

+                    stdout,

+                    "azp={}",

+                    inspection

+                        .authorized_party

+                        .as_deref()

+                        .unwrap_or("<missing>")

+                );

+                let _ = writeln!(

+                    stdout,

+                    "jwt_exp={}",

+                    inspection

+                        .jwt_expires_at_epoch_seconds

+                        .map(|value| value.to_string())

+                        .unwrap_or_else(|| "<missing>".to_string())

+                );

+                let _ = writeln!(

+                    stdout,

+                    "stored_exp={}",

+                    inspection.stored_expires_at_epoch_seconds

+                );

+                let _ = writeln!(stdout, "has_refresh_token={}", inspection.has_refresh_token);

+            })

+        }

+        let inspect_action = parse_args_with_config(

+            [

+                arg("providers"),

+                arg("microsoft"),

+                arg("auth"),

+                arg("inspect"),

+                arg("--account"),

+                arg("work"),

+            ],

+            today.into(),

+            user_config.clone(),

+            None,

+        )

+        .expect("inspect parses");

+        assert_eq!(

+            inspect_action,

+            CliAction::Providers(ProviderCliAction::Microsoft(

+                MicrosoftCliAction::AuthInspect {

+                    account: "work".to_string(),

+                },

+            ))

+        );

+

+    pub headers: Vec<(String, String)>,

+        let headers = response

+            .headers()

+            .iter()

+            .map(|(name, value)| {

+                (

+                    name.as_str().to_string(),

+                    value.to_str().unwrap_or_default().to_string(),

+                )

+            })

+            .collect();

+        Ok(MicrosoftHttpResponse {

+            status,

+            headers,

+            body,

+        })

+#[derive(Debug, Clone, PartialEq, Eq)]

+pub struct MicrosoftTokenInspection {

+    pub account_id: String,

+    pub stored_expires_at_epoch_seconds: u64,

+    pub jwt_expires_at_epoch_seconds: Option<i64>,

+    pub audience: Option<String>,

+    pub scopes: Option<String>,

+    pub roles: Vec<String>,

+    pub tenant_id: Option<String>,

+    pub issuer: Option<String>,

+    pub app_id: Option<String>,

+    pub authorized_party: Option<String>,

+    pub has_refresh_token: bool,

+}

+

+pub fn inspect_token(

+    account_id: &str,

+    token_store: &dyn MicrosoftTokenStore,

+) -> Result<MicrosoftTokenInspection, ProviderError> {

+    let token = token_store.load(account_id)?.ok_or_else(|| {

+        ProviderError::Auth(format!(

+            "Microsoft account '{account_id}' is not authenticated"

+        ))

+    })?;

+    let claims = access_token_claims(&token.access_token)?;

+    Ok(MicrosoftTokenInspection {

+        account_id: account_id.to_string(),

+        stored_expires_at_epoch_seconds: token.expires_at_epoch_seconds,

+        jwt_expires_at_epoch_seconds: graph_i64(&claims, "exp"),

+        audience: graph_string(&claims, "aud"),

+        scopes: graph_string(&claims, "scp"),

+        roles: claims

+            .get("roles")

+            .and_then(Value::as_array)

+            .map(|roles| {

+                roles

+                    .iter()

+                    .filter_map(Value::as_str)

+                    .map(ToString::to_string)

+                    .collect()

+            })

+            .unwrap_or_default(),

+        tenant_id: graph_string(&claims, "tid"),

+        issuer: graph_string(&claims, "iss"),

+        app_id: graph_string(&claims, "appid"),

+        authorized_party: graph_string(&claims, "azp"),

+        has_refresh_token: !token.refresh_token.is_empty(),

+    })

+}

+

+    let www_authenticate = response

+        .headers

+        .iter()

+        .find(|(name, _)| name.eq_ignore_ascii_case("www-authenticate"))

+        .map(|(_, value)| value.as_str());

+        return match www_authenticate {

+            Some(header) if !header.is_empty() => format!("{code}: {message} ({header})"),

+            _ => format!("{code}: {message}"),

+        };

+    }

+    match (response.body.trim(), www_authenticate) {

+        ("", Some(header)) if !header.is_empty() => format!("HTTP {}: {header}", response.status),

+        (body, Some(header)) if !header.is_empty() => {

+            format!("HTTP {}: {body} ({header})", response.status)

+        }

+        (body, _) => format!("HTTP {}: {body}", response.status),

+fn access_token_claims(access_token: &str) -> Result<Value, ProviderError> {

+    let payload = access_token.split('.').nth(1).ok_or_else(|| {

+        ProviderError::Auth("stored Microsoft access token is not a JWT".to_string())

+    })?;

+    let bytes = base64_url_decode_no_pad(payload).ok_or_else(|| {

+        ProviderError::Auth("stored Microsoft access token has invalid JWT encoding".to_string())

+    })?;

+    serde_json::from_slice(&bytes).map_err(|err| {

+        ProviderError::Auth(format!("stored Microsoft access token is invalid: {err}"))

+    })

+}

+

+fn base64_url_decode_no_pad(input: &str) -> Option<Vec<u8>> {

+    let mut output = Vec::new();

+    let mut buffer = 0_u32;

+    let mut bits = 0_u8;

+    for byte in input.bytes() {

+        if byte == b'=' {

+            break;

+        }

+        let value = match byte {

+            b'A'..=b'Z' => byte - b'A',

+            b'a'..=b'z' => byte - b'a' + 26,

+            b'0'..=b'9' => byte - b'0' + 52,

+            b'-' => 62,

+            b'_' => 63,

+            _ => return None,

+        } as u32;

+        buffer = (buffer << 6) | value;

+        bits += 6;

+        if bits >= 8 {

+            bits -= 8;

+            output.push(((buffer >> bits) & 0xff) as u8);

+            buffer &= (1 << bits) - 1;

+        }

+    }

+    Some(output)

+}

+

+                headers: Vec::new(),

+

+        fn text_with_header(

+            status: u16,

+            body: &str,

+            name: &str,

+            value: &str,

+        ) -> MicrosoftHttpResponse {

+            MicrosoftHttpResponse {

+                status,

+                headers: vec![(name.to_string(), value.to_string())],

+                body: body.to_string(),

+            }

+        }

+    #[test]

+    fn graph_errors_include_www_authenticate_header_when_body_is_empty() {

+        let response = RecordingHttpClient::text_with_header(

+            401,

+            "",

+            "WWW-Authenticate",

+            "Bearer error=\"invalid_token\", error_description=\"Invalid audience\"",

+        );

+

+        let err = parse_graph_success_json(response).expect_err("401 fails");

+

+        assert_eq!(

+            err.to_string(),

+            "Microsoft Graph error: HTTP 401: Bearer error=\"invalid_token\", error_description=\"Invalid audience\""

+        );

+    }

+

+    #[test]

+    fn inspect_token_reports_safe_jwt_claims_without_token_body() {

+        let store = MemoryTokenStore::default();

+        let claims = json!({

+            "aud": "https://graph.microsoft.com",

+            "scp": "User.Read Calendars.ReadWrite",

+            "tid": "tenant-id",

+            "iss": "https://sts.windows.net/tenant-id/",

+            "appid": "app-id",

+            "azp": "authorized-party",

+            "exp": 1_777_000_000

+        });

+        let access_token = format!(

+            "{}.{}.signature",

+            base64_url_no_pad(br#"{"alg":"none"}"#),

+            base64_url_no_pad(claims.to_string().as_bytes())

+        );

+        store.tokens.borrow_mut().insert(

+            "work".to_string(),

+            MicrosoftToken {

+                access_token,

+                refresh_token: "refresh".to_string(),

+                expires_at_epoch_seconds: 1_777_000_100,

+            },

+        );

+

+        let inspection = inspect_token("work", &store).expect("token inspects");

+

+        assert_eq!(inspection.account_id, "work");

+        assert_eq!(

+            inspection.audience.as_deref(),

+            Some("https://graph.microsoft.com")

+        );

+        assert_eq!(

+            inspection.scopes.as_deref(),

+            Some("User.Read Calendars.ReadWrite")

+        );

+        assert_eq!(inspection.tenant_id.as_deref(), Some("tenant-id"));

+        assert_eq!(inspection.jwt_expires_at_epoch_seconds, Some(1_777_000_000));

+        assert!(inspection.has_refresh_token);

+    }

+