Add RBAC support for Service Bus authentication

sambetts · sambetts · commit aad399830fa9 · 2025-10-23T18:03:34.000+02:00
Introduce `UseRBACForServiceBus` flag in `AppConfig.cs` to toggle between RBAC and SAS for Service Bus authentication. Default is false. Update logic to parse this setting and conditionally initialize `ServiceBusClient` in `CallQueueProcessor.cs` using AAD credentials if RBAC is enabled. Remove old RBAC setup in `GraphImportTests.cs`. Add logging for RBAC initialization. Maintain backward compatibility with SAS.
diff --git a/src/AnalyticsEngine/Common/Entities/Config/AppConfig.cs b/src/AnalyticsEngine/Common/Entities/Config/AppConfig.cs
@@ -75,6 +75,17 @@ public AppConfig()
                     this.MetadataRefreshMinutes = metadataRefreshMinutesInt;
                 }
             }
+
+            // New optional flag: UseRBACForServiceBus (default false)
+            var useRbacForSb = ConfigurationManager.AppSettings.Get("UseRBACForServiceBus");
+            if (!string.IsNullOrEmpty(useRbacForSb))
+            {
+                bool parsed = false;
+                if (bool.TryParse(useRbacForSb, out parsed))
+                {
+                    this.UseRBACForServiceBus = parsed;
+                }
+            }
         }
 
         public string BuildLabel { get; set; }
@@ -141,5 +152,11 @@ public List<string> ContentTypesToRead
         /// Optional filter for user groups
         /// </summary>
         public string UserGroupsFilter { get; set; }
+
+        /// <summary>
+        /// When true, use RBAC (AAD) auth to connect to Service Bus instead of SAS connection string.
+        /// Default false.
+        /// </summary>
+        public bool UseRBACForServiceBus { get; set; } = false;
     }
 }
diff --git a/src/AnalyticsEngine/Tests.UnitTests/App.Release.config b/src/AnalyticsEngine/Tests.UnitTests/App.Release.config
@@ -19,6 +19,7 @@
 		<add key="ClientSecret" value="__ClientSecret__" />
 		<add key="TenantGUID" value="__TenantGUID__" />
 		<add key="TenantDomain" value="__TenantDomain__" />
+		<add key="UseRBACForServiceBus" value="true" />
 
 		<!--Cognitive endpoint-->
 		<add key="CognitiveEndpoint" value="__CognitiveEndpoint__" />
diff --git a/src/AnalyticsEngine/Tests.UnitTests/GraphImportTests.cs b/src/AnalyticsEngine/Tests.UnitTests/GraphImportTests.cs
@@ -277,15 +277,6 @@ public async Task CallQueueProcessorTest()
             var fqNamespace = sbConnectionProps.Endpoint.Host; // e.g. namespace.servicebus.windows.net
             var queueName = sbConnectionProps.EntityPath; // queue name
 
-            // Build credential from app registration (client ID / secret or certificate)
-            // NOTE: Service Bus RBAC requires Standard or Premium tier and the app registration must have role
-            // 'Azure Service Bus Data Sender' at namespace or queue scope. Basic tier does NOT support AAD RBAC.
-            // Using direct ClientSecretCredential avoids any graph-specific token logic.
-            telemetry.LogInformation($"Creating Service Bus client with client ID {config.ClientID}");
-            var sbCredential = new Azure.Identity.ClientSecretCredential(config.TenantGUID.ToString(), config.ClientID, config.ClientSecret);
-            var sbClient = new ServiceBusClient(fqNamespace, sbCredential);
-            var sbSender = sbClient.CreateSender(queueName);
-
             using (var db = new AnalyticsEntitiesContext())
             {
                 var callCountInitial = await db.CallRecords.CountAsync();
@@ -300,6 +291,8 @@ public async Task CallQueueProcessorTest()
                         _ = callProcessor.BeginProcessCallsQueue();
 
                         // START TEST: Send fake msgs through SB - remember IDs
+                        var sbSender = callProcessor.ServiceBusClient.CreateSender(queueName);
+
                         var testIds = new List<string>();
                         for (int i = 0; i < CALLS_TO_ADD; i++)
                         {
diff --git a/src/AnalyticsEngine/WebJob.Office365ActivityImporter.Engine/Graph/Calls/CallQueueProcessor.cs b/src/AnalyticsEngine/WebJob.Office365ActivityImporter.Engine/Graph/Calls/CallQueueProcessor.cs
@@ -11,6 +11,7 @@
 using System.Collections.Generic;
 using System.Threading.Tasks;
 using WebJob.Office365ActivityImporter.Engine.Entities.Serialisation;
+using Azure.Identity; // Added for ClientSecretCredential
 
 namespace WebJob.Office365ActivityImporter.Engine.Graph.Calls
 {
@@ -32,7 +33,7 @@ public class CallQueueProcessor : IDisposable
         private ManualGraphCallClient _graphCallClient;
         private bool _isInitialised = false;
 
-
+        public ServiceBusClient ServiceBusClient => _sbClient;
         public static CallQueueProcessor _singleton = null;
         public static async Task<CallQueueProcessor> GetCallQueueProcessor(AppConfig config, string thisTenantId, ManualGraphCallClient graphCallClient)
         {
@@ -53,18 +54,38 @@ private CallQueueProcessor(AppConfig config, string thisTenantId)
             _auth = new GraphAppIndentityOAuthContext(_telemetry, config.ClientID, config.TenantGUID.ToString(), config.ClientSecret, config.KeyVaultUrl, config.UseClientCertificate);
             this._thisTenantId = thisTenantId;
 
-            var sbCredential = new Azure.Identity.ClientSecretCredential(config.TenantGUID.ToString(), config.ClientID, config.ClientSecret);
-
-            _sbClient = new ServiceBusClient(config.ConnectionStrings.ServiceBusConnectionString, sbCredential);
-            var sbConnectionInfo = ServiceBusConnectionStringProperties.Parse(config.ConnectionStrings.ServiceBusConnectionString);
-            _processor = _sbClient.CreateProcessor(sbConnectionInfo.EntityPath, new ServiceBusProcessorOptions
+            // If RBAC is enabled, build ServiceBusClient using AAD credential
+            if (config.UseRBACForServiceBus)
+            {
+                _telemetry.LogInformation("Initializing ServiceBusClient using RBAC (ClientSecretCredential).");
+                var credential = new ClientSecretCredential(config.TenantGUID.ToString(), config.ClientID, config.ClientSecret);
+                // Extract fully qualified namespace from connection string (Endpoint=sb://namespace.servicebus.windows.net/;...)
+                var sbProps = ServiceBusConnectionStringProperties.Parse(config.ConnectionStrings.ServiceBusConnectionString);
+                var fullyQualifiedNamespace = sbProps.FullyQualifiedNamespace; // e.g. namespace.servicebus.windows.net
+                _sbClient = new ServiceBusClient(fullyQualifiedNamespace, credential);
+                _processor = _sbClient.CreateProcessor(sbProps.EntityPath, new ServiceBusProcessorOptions
+                {
+                    MaxConcurrentCalls = 10,
+                    PrefetchCount = 0,
+                    ReceiveMode = ServiceBusReceiveMode.PeekLock,
+                    MaxAutoLockRenewalDuration = TimeSpan.FromHours(24),        // Queue should be configured for 5 minute lock timeout
+                    AutoCompleteMessages = false                                // Messages are completed only when the migrator has succeeded to migrate the file
+                });
+            }
+            else
             {
-                MaxConcurrentCalls = 10,
-                PrefetchCount = 0,
-                ReceiveMode = ServiceBusReceiveMode.PeekLock,
-                MaxAutoLockRenewalDuration = TimeSpan.FromHours(24),        // Queue should be configured for 5 minute lock timeout
-                AutoCompleteMessages = false                                // Messages are completed only when the migrator has succeeded to migrate the file
-            });
+                // Legacy SAS connection string approach
+                _sbClient = new ServiceBusClient(config.ConnectionStrings.ServiceBusConnectionString);
+                var sbConnectionInfo = ServiceBusConnectionStringProperties.Parse(config.ConnectionStrings.ServiceBusConnectionString);
+                _processor = _sbClient.CreateProcessor(sbConnectionInfo.EntityPath, new ServiceBusProcessorOptions
+                {
+                    MaxConcurrentCalls = 10,
+                    PrefetchCount = 0,
+                    ReceiveMode = ServiceBusReceiveMode.PeekLock,
+                    MaxAutoLockRenewalDuration = TimeSpan.FromHours(24),        // Queue should be configured for 5 minute lock timeout
+                    AutoCompleteMessages = false                                // Messages are completed only when the migrator has succeeded to migrate the file
+                });
+            }
         }
 
         #endregion

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,17 @@ public AppConfig()`
`75`	`75`	`this.MetadataRefreshMinutes = metadataRefreshMinutesInt;`
`76`	`76`	`}`
`77`	`77`	`}`
	`78`	`+`
	`79`	`+ // New optional flag: UseRBACForServiceBus (default false)`
	`80`	`+ var useRbacForSb = ConfigurationManager.AppSettings.Get("UseRBACForServiceBus");`
	`81`	`+ if (!string.IsNullOrEmpty(useRbacForSb))`
	`82`	`+ {`
	`83`	`+ bool parsed = false;`
	`84`	`+ if (bool.TryParse(useRbacForSb, out parsed))`
	`85`	`+ {`
	`86`	`+ this.UseRBACForServiceBus = parsed;`
	`87`	`+ }`
	`88`	`+ }`
`78`	`89`	`}`
`79`	`90`
`80`	`91`	`public string BuildLabel { get; set; }`
`@@ -141,5 +152,11 @@ public List<string> ContentTypesToRead`
`141`	`152`	`/// Optional filter for user groups`
`142`	`153`	`/// </summary>`
`143`	`154`	`public string UserGroupsFilter { get; set; }`
	`155`	`+`
	`156`	`+ /// <summary>`
	`157`	`+ /// When true, use RBAC (AAD) auth to connect to Service Bus instead of SAS connection string.`
	`158`	`+ /// Default false.`
	`159`	`+ /// </summary>`
	`160`	`+ public bool UseRBACForServiceBus { get; set; } = false;`
`144`	`161`	`}`
`145`	`162`	`}`