[BUG]: GraphMinimalPermissionsPlugin / GraphMinimalPermissionsGuidancePlugin - 404 Error on certain API's

[bnicht]

Description

Running either Plugin to retrieve another users inbox results in an Exception and no permissions reported.

GET https://graph.microsoft.com/v1.0/users/EMAILADDRESS/mailFolders/inbox?$select=id

An error while retrieving minimal permissions: Exception Details: System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at System.Net.Http.Json.HttpClientJsonExtensions.<FromJsonAsyncCore>g__Core|12_0[TValue,TJsonOptions](HttpClient client, Task`1 responseTask, Boolean usingResponseHeadersRead, CancellationTokenSource linkedCTS, Func`4 deserializeMethod, TJsonOptions jsonOptions, CancellationToken cancellationToken)
   at DevProxy.Plugins.Utils.GraphUtils.UpdateUserScopesAsync(IEnumerable`1 minimalScopes, IEnumerable`1 endpoints, GraphPermissionsType permissionsType)
   at DevProxy.Plugins.Reporting.GraphMinimalPermissionsPlugin.DetermineMinimalScopesAsync(IEnumerable`1 endpoints, CancellationToken cancellationToken)

Expected behaviour

Relevant permissions are reported and any unknown endpoints are grouped together as Unknown or similar.
Currently one bad endpoint prevents results for the entire recording.

Actual behaviour

No permissions are reported.

Steps to reproduce

Configure the GraphMinimalPermissionsguidanceplugin
https://learn.microsoft.com/en-us/microsoft-cloud/dev/dev-proxy/technical-reference/graphminimalpermissionsguidanceplugin

Run Devproxy for the Graph endpoint.
devproxy --urls-to-watch https://graph.microsoft.com/* --record

Execute a GET request with valid token to a user inbox (not the token owner)
GET https://graph.microsoft.com/v1.0/users/<EMAILADDRESS>/mailFolders/inbox?$select=id

Stop the recording
s

Notice the Exception and no results are shown.

Dev Proxy Version

2.1.0

Operating system (environment)

Windows

Shell

PowerShell

Configuration file

{
"$schema": "https://raw.githubusercontent.com/dotnet/dev-proxy/main/schemas/v2.1.0/rc.schema.json",
"plugins": [
{
"name": "GraphMinimalPermissionsPlugin",
"enabled": true,
"pluginPath": "~appFolder/plugins/DevProxy.Plugins.dll",
"configSection": "graphMinimalPermissionsPlugin"
}
],
"graphMinimalPermissionsPlugin": {
"$schema": "https://raw.githubusercontent.com/dotnet/dev-proxy/main/schemas/v2.1.0/graphminimalpermissionsplugin.schema.json",
"type": "delegated"
}
}

Additional Info

No response

[waldekmastykarz]

Thanks for reporting the issue @bnicht and sorry for the trouble. Let us see try and repro it and we'll take it from there.

[waldekmastykarz]

Thanks for reporting this! I can reproduce the issue.

The problem is in GraphUtils. It fires all permissions API calls using Task.WhenAll without handling individual failures. When the permissions API returns a 404 for an unrecognized endpoint (like /users/{email}/mailFolders/inbox), the exception from that single call causes the entire Task.WhenAll to fail, which then bubbles up and prevents any permissions from being reported.UpdateUserScopesAsync`

Working on a fix.

[bnicht]

@waldekmastykarz - Thank you for the quick reply! If we could group and report any unrecognized endpoints that would be great so I can then go and check them manually. Is there another repo/project to report another issue that this graph endpoint is not being recognized?
This was found in a POC but I suspect there will be more when I run this with a larger project.

[waldekmastykarz]

@bnicht We're using a separate service for permission discovery, but I don't know top of my head if it's open source or at least has a GH repo where you could submit issues. Let me dig around and I'll report back when I know more.