Automated giteaflow PR from branch 429-exchange-teams-source-surface-catalog-adapter-strategy. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #496
164 lines
12 KiB
Markdown
164 lines
12 KiB
Markdown
# Adapter Strategy
|
|
|
|
Spec 429 catalog status: documentation only. This file does not create adapters, clients, provider calls, tests, evidence, OperationRuns, UI, or runtime registry consumption.
|
|
|
|
## Source Authority Rules
|
|
|
|
Allowed source authority for future specs:
|
|
|
|
- Official Microsoft documentation for source surface availability, authentication, authorization, and API/cmdlet behavior.
|
|
- Current repo contracts and tests for TenantPilot runtime truth.
|
|
- Existing Coverage v2 source-contract, identity, evidence, compare/render, Claim Guard, OperationRun, workspace/managed-environment/provider-connection, and redaction patterns.
|
|
|
|
Forbidden source authority:
|
|
|
|
- Guessed Microsoft Graph endpoints.
|
|
- Admin portal UI pages as runtime source contracts.
|
|
- PowerShell examples as proof that TenantPilot has runtime support.
|
|
- Registry aliases as evidence support.
|
|
- Historical completed specs as mutable artifacts.
|
|
- Display names as stable identity.
|
|
- `tenant_id` as platform-core ownership truth.
|
|
- Real shell execution in unit tests.
|
|
|
|
## Adapter Pattern Matrix
|
|
|
|
| Adapter pattern | Source surface class | Use when | Required future implementation constraints | Spec 429 decision |
|
|
| --- | --- | --- | --- | --- |
|
|
| `existing_graph_client_contract` | `graph_v1` | A repo Graph contract already exists and is production-safe. | Must go through `GraphClientInterface` and `config/graph_contracts.php`; no render-time Graph call; tests must prove scope, permissions, pagination, identity, redaction, and no customer overclaim. | Not used for current Exchange/Teams policy Cohort 1. |
|
|
| `new_graph_contract` | `graph_v1` or `graph_beta_experimental` | Official Graph source exists and policy/resource shape fits Coverage v2. | Add contract registry entry, permission review, pagination, allowed select/expand, schema hash, fake Graph tests, and beta/internal-only handling where needed. | Deferred for Teams inventory/app-installation style future work; not the first adapter path. |
|
|
| `new_exchange_admin_api_contract` | `exchange_online_admin_api` | The focused preview Admin API supports the target and preview/internal-only limitations are acceptable. | OAuth token path, Exchange RBAC role groups, POST-only endpoint handling, X-AnchorMailbox handling if required, paging/property selection, response-shape guard, preview no-certification rule, fake HTTP tests. | Candidate for `acceptedDomain` and `organizationConfig`; not a full Exchange replacement. |
|
|
| `new_exchange_powershell_adapter` | `exchange_online_powershell_rest` | Exchange source truth is only in Exchange Online PowerShell or the Admin API is too narrow/preview-limited. | App-only/certificate or managed identity feasibility, Exchange RBAC, command allowlist, no arbitrary script execution, fake command runner, module/runtime container decision, throttling/retry, structured errors, redaction, source metadata, OperationRun for real remote work. | Recommended first Spec 430 adapter pattern. |
|
|
| `new_teams_powershell_adapter` | `teams_powershell` | Teams policy/configuration source truth is in MicrosoftTeams PowerShell. | Application-based authentication, Teams RBAC roles, supported-cmdlet check, command allowlist, fake command runner, module/runtime container decision, throttling/retry, structured errors, redaction, source metadata, OperationRun for real remote work. | Recommended second slice after Exchange PowerShell proof, or reduced paired slice if Spec 430 must cover both workloads. |
|
|
| `new_security_compliance_adapter` | `security_compliance_powershell` | Purview/Security & Compliance policy source truth is explicitly in compliance PowerShell. | Separate security review, role/permission minimization, content-sensitive redaction, no customer claims until proven, fake command runner, OperationRun for remote work. | Deferred; not part of Exchange/Teams Cohort 1. |
|
|
| `defer_to_purview_adapter` | `security_compliance_powershell` | The target is primarily Purview/Defender/Compliance rather than Exchange/Teams. | Create a separate Purview/Security & Compliance source-surface strategy/spec. | Deferred. |
|
|
| `unsupported` | `unsupported_manual_only`, `unknown_requires_research`, `sharepoint_pnp_related` | Source is manual, unknown, portal-only, or belongs to another workload boundary. | Do not implement; document blocker. | Blocked/deferred. |
|
|
|
|
## Graph Contract Concerns
|
|
|
|
Future Graph-based Teams work must answer:
|
|
|
|
- Is the resource available in Graph v1.0, or only beta?
|
|
- Does the resource represent durable configuration, or collaboration/content activity?
|
|
- Which Graph application/delegated permissions are required?
|
|
- Does the endpoint page, delta, select, expand, or filter?
|
|
- Which identity fields are stable across tenants and exports?
|
|
- Does the response include chat/message/file/recording/transcript/content or other forbidden data?
|
|
- Can the existing `GraphClientInterface` and `config/graph_contracts.php` model the endpoint without a new provider framework?
|
|
- How are empty, denied, unsupported, unavailable, throttled, and malformed responses distinguished?
|
|
|
|
Spec 429 does not select a Graph-native policy path for Exchange/Teams Cohort 1 because current repo truth already removed unverified Graph endpoint claims for the first four Exchange/Teams target types.
|
|
|
|
## Exchange Online Admin API Concerns
|
|
|
|
The Exchange Online Admin API is a focused preview REST administrative surface. Future use must document:
|
|
|
|
- Preview status and tenant availability.
|
|
- Supported endpoint and cmdlet subset.
|
|
- Unsupported scenarios and why the API does not replace Exchange Online PowerShell.
|
|
- OAuth flow: delegated `Exchange.ManageV2` or app-only `Exchange.ManageAsAppV2`.
|
|
- Exchange RBAC role groups and least-privilege custom role options.
|
|
- POST-only request model.
|
|
- Paging/property selection.
|
|
- X-AnchorMailbox/routing requirements where applicable.
|
|
- Response shape, empty result, denied result, unsupported result, unavailable result, and malformed result handling.
|
|
- Preview/internal-only claim posture: no certification or customer-ready claim from preview-only source proof.
|
|
|
|
Spec 429 treats `acceptedDomain` and `organizationConfig` as Admin API candidates but does not make them runtime-supported.
|
|
|
|
## Exchange PowerShell Adapter Concerns
|
|
|
|
A future `new_exchange_powershell_adapter` must include:
|
|
|
|
- Authentication: app-only certificate-based authentication or managed identity where supported by deployment topology.
|
|
- Tenant consent: required Office 365 Exchange Online application permissions and admin consent must be explicit.
|
|
- RBAC: least-privilege Exchange role group or custom role group, not broad Global Administrator by default.
|
|
- Execution environment: container image/module installation, PowerShell version, module version pinning/update policy, non-interactive execution, timeout handling, and process isolation.
|
|
- Command allowlist: only approved read cmdlets and approved parameters.
|
|
- No shell execution in unit tests: use a fake command runner with deterministic serialized outputs.
|
|
- Throttling and retries: classify throttled/transient failures separately from denied/unsupported/source-unavailable.
|
|
- Error normalization: sanitize command errors and map to stable reason codes.
|
|
- Response serialization: canonical JSON with sorted keys where appropriate, source version, command name, parameter hash, schema/hash metadata, and no raw terminal transcript by default.
|
|
- Redaction: remove or hide secrets, tokens, credentials, authorization headers, certificate/private-key material, raw provider responses, mail content, message content, header/body/subject patterns where unsafe, smart hosts when unsafe, and PII-heavy fields.
|
|
- OperationRun: real provider execution is remote/long-running and must be OperationRun-backed in a later runtime spec.
|
|
|
|
Recommended first Exchange runtime proof:
|
|
|
|
- `transportRule`
|
|
- `remoteDomain`
|
|
- one connector type, preferably `inboundConnector` first if a later spec confirms source output shape
|
|
|
|
Do not include `sharedMailbox`, `managementRoleAssignment`, or compliance policies in the first Exchange adapter slice.
|
|
|
|
## Teams PowerShell Adapter Concerns
|
|
|
|
A future `new_teams_powershell_adapter` must include:
|
|
|
|
- Authentication: application-based authentication with certificate or access-token flow, plus explicit Teams module version support.
|
|
- RBAC: Microsoft Entra roles and Teams admin roles assigned to the application/service principal; verify supported cmdlets and unsupported cmdlet list.
|
|
- Permissions: Graph permissions required by Teams PowerShell application authentication must be explicit, while avoiding unnecessary Skype and Teams Tenant Admin API configuration where Microsoft guidance warns against it.
|
|
- Execution environment: module installation, PowerShell runtime, container compatibility, non-interactive execution, timeout handling, and process isolation.
|
|
- Command allowlist: only approved read cmdlets and parameters.
|
|
- No shell execution in unit tests: use a fake command runner.
|
|
- Response serialization: canonical shape with source command, module version, policy ID/source ID, and schema/hash metadata.
|
|
- Error normalization: distinguish empty, denied, unsupported, source-unavailable, throttled, and malformed output.
|
|
- Redaction: never capture or default-render chat messages, file content, meeting recordings, transcripts, app secrets, app credentials, raw provider responses, or raw access tokens.
|
|
- OperationRun: real provider execution is remote/long-running and must be OperationRun-backed in a later runtime spec.
|
|
|
|
Recommended first Teams runtime proof:
|
|
|
|
- `appPermissionPolicy`
|
|
- `appSetupPolicy`
|
|
- `meetingPolicy`
|
|
|
|
Do not include voice/phone-number policy, team/channel inventory, app-centric management migration, or SharePoint/OneDrive file governance in the first Teams adapter slice.
|
|
|
|
## Security & Compliance / Purview Boundary
|
|
|
|
Targets such as `dlpCompliancePolicy`, `labelPolicy`, `retentionCompliancePolicy`, `autoSensitivityLabelPolicy`, `protectionAlert`, and `complianceTag` are not Exchange/Teams Cohort 1. They need a separate Purview/Security & Compliance adapter strategy because they can involve:
|
|
|
|
- compliance-specific roles and permissions,
|
|
- content-sensitive policy scopes,
|
|
- retention/legal/compliance meaning,
|
|
- Defender/Purview portal overlap,
|
|
- stronger redaction and customer-output controls.
|
|
|
|
## Unsupported / Unknown Follow-Up Paths
|
|
|
|
- Portal-only settings stay `unsupported` until official automation support is found.
|
|
- Unknown policy families stay `unknown_requires_research`.
|
|
- Teams files/storage governance belongs to SharePoint/OneDrive/PnP follow-up, not Teams policy capture.
|
|
- Microsoft cmdlets that perform operational actions rather than durable configuration reads are not target types.
|
|
|
|
## First Spec 430 Implementation Slice
|
|
|
|
Recommended first adapter pattern: `new_exchange_powershell_adapter`.
|
|
|
|
Why this should come first:
|
|
|
|
- It addresses the highest-value Exchange blocker (`transportRule`) that Spec 426/427 intentionally kept blocked.
|
|
- It proves the hardest shared constraints early: process isolation, command allowlist, fake command runner, redaction, stable source metadata, and response-shape distinction.
|
|
- It avoids depending on the preview Exchange Admin API for the first runtime proof.
|
|
- It creates a reusable but narrow command-runner pattern that the Teams PowerShell adapter can mirror only after Exchange proves the constraints.
|
|
|
|
Spec 430 minimum scope should be:
|
|
|
|
- Implement a read-only Exchange PowerShell adapter with no arbitrary command execution.
|
|
- Use a fake command runner in unit tests and no shell execution in unit tests.
|
|
- Capture only `transportRule`, `remoteDomain`, and one connector type if the official source shape is verified in the spec.
|
|
- Preserve workspace + managed environment + provider connection ownership.
|
|
- Create/reuse OperationRun for any real provider execution.
|
|
- Add RBAC/policy tests, provider-scope tests, redaction tests, blocked/denied/unavailable tests, and no-customer-claim tests.
|
|
- Keep UI/browser proof `N/A` unless rendered product surfaces change.
|
|
|
|
Stop conditions for Spec 430:
|
|
|
|
- PowerShell execution cannot be isolated safely in the container runtime.
|
|
- Least-privilege Exchange RBAC cannot be defined.
|
|
- The adapter cannot distinguish empty, denied, unsupported, unavailable, throttled, and malformed responses.
|
|
- Redaction cannot safely prevent mail/message/header/body content exposure.
|
|
- Implementation requires `tenant_id`, legacy shims, fallback readers, dual writes, or customer claims.
|
|
- Implementation needs broad Exchange/Teams/Purview/SharePoint mini-platform work.
|
|
|
|
If both Exchange and Teams must ship in Spec 430, reduce the scope to two Exchange and two Teams types and explicitly document the extra fixture/runtime cost.
|