#836 ClientContext.with_client_certificate support for Passphrase if the private_key is encrypted

Author: vgrem

README.md

@@ -75,7 +75,7 @@ Steps to access:
    - [Granting access using SharePoint App-Only](https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs)  
    - [wiki](https://github.com/vgrem/Office365-REST-Python-Client/wiki/How-to-connect-to-SharePoint-Online-and-and-SharePoint-2013-2016-2019-on-premises--with-app-principal)
   
-   Example: [connect_with_app_principal.py](examples/sharepoint/connect_with_app_only_principal.py)
+   Example: [connect_with_app_principal.py](examples/sharepoint/auth_app_only.py)
   
 #### 2. Using username and password 
 
@@ -85,15 +85,15 @@ Steps to access:
    ctx = ClientContext('{url}').with_credentials(user_credentials)
    ```
   
-   Example: [connect_with_user_credential.py](examples/sharepoint/connect_with_user_credential.py)
+   Example: [connect_with_user_credential.py](examples/sharepoint/auth_user_credential.py)
   
 #### 3. Using an Azure AD application (certificate credentials flow) 
 
   Documentation: 
    - [Granting access via Azure AD App-Only](https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread)  
    - [wiki](https://github.com/vgrem/Office365-REST-Python-Client/wiki/How-to-connect-to-SharePoint-Online-with-certificate-credentials) 
   
-  Example: [connect_with_client_certificate.py](examples/sharepoint/connect_with_client_certificate.py)
+  Example: [connect_with_client_certificate.py](examples/sharepoint/auth_client_certificate.py)
 
 #### 4. Interactive
 
@@ -104,7 +104,7 @@ Steps to access:
    > In Azure Portal, configure the Redirect URI of your
    "Mobile and Desktop application" as ``http://localhost``.
 
-  Example: [connect_interactive.py](examples/sharepoint/connect_interactive.py)
+  Example: [connect_interactive.py](examples/sharepoint/auth_interactive.py)
 
   Usage:
 ```python

examples/communications/create_call.py

@@ -2,9 +2,9 @@
 Create peer-to-peer VoIP call with service hosted media
 """
 from office365.graph_client import GraphClient
-from tests.graph_case import acquire_token_by_client_credentials
+from tests import test_client_id, test_client_secret, test_tenant
 
-client = GraphClient(acquire_token_by_client_credentials)
+client = GraphClient.with_client_secret(test_tenant, test_client_id, test_client_secret)
 call = client.communications.calls.create(
     "https://mediadev8.com/teamsapp/api/calling"
 ).execute_query()

examples/outlook/messages/download_with_attachments.py

@@ -8,10 +8,14 @@
 import tempfile
 
 from office365.graph_client import GraphClient
-from tests import test_user_principal_name
-from tests.graph_case import acquire_token_by_client_credentials
+from tests import (
+    test_client_id,
+    test_client_secret,
+    test_tenant,
+    test_user_principal_name,
+)
 
-client = GraphClient(acquire_token_by_client_credentials)
+client = GraphClient.with_client_secret(test_tenant, test_client_id, test_client_secret)
 user = client.users[test_user_principal_name]
 messages = (
     user.messages.filter("hasAttachments eq true")

examples/sharepoint/connect_with_app_only_principal.py renamed to examples/sharepoint/auth_app_only.py

@@ -20,7 +20,6 @@
     test_client_id,
     test_site_url,
     test_tenant,
-    test_tenant_name,
 )
 
 cert_credentials = {

examples/sharepoint/connect_with_app_principal_aad.py renamed to examples/sharepoint/auth_app_principal_aad.py

@@ -0,0 +1,37 @@
+"""
+When using SharePoint Online you can define applications in Azure AD and these applications can
+be granted permissions to SharePoint, but also to all the other services in Office 365.
+This model is the preferred model in case you're using SharePoint Online, if you're using SharePoint on-premises
+you have to use the SharePoint Only model via based Azure ACS as described in here:
+
+Demonstrates how to use Azure AD App-Only auth flow
+
+https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread
+
+Refer wiki for a more details:
+https://github.com/vgrem/Office365-REST-Python-Client/wiki/How-to-connect-to-SharePoint-Online-with-certificate-credentials
+
+To create a self signed certificate with encrypted private key run:
+openssl req -x509 -newkey rsa:2048 -keyout selfsignkey.pem -out selfsigncert.pem -days 365
+"""
+
+import os
+
+from office365.sharepoint.client_context import ClientContext
+from tests import (
+    test_cert_thumbprint,
+    test_client_id,
+    test_site_url,
+    test_tenant,
+)
+
+cert_credentials = {
+    "tenant": test_tenant,
+    "client_id": test_client_id,
+    "thumbprint": test_cert_thumbprint,
+    "cert_path": "{0}/../selfsignkeyenc.pem".format(os.path.dirname(__file__)),
+    "passphrase": "Password",
+}
+ctx = ClientContext(test_site_url).with_client_certificate(**cert_credentials)
+current_web = ctx.web.get().execute_query()
+print("{0}".format(current_web.url))

examples/sharepoint/connect_with_client_certificate.py renamed to examples/sharepoint/auth_client_certificate.py

@@ -1,15 +1,20 @@
 """
 Demonstrates how to create a site field of type Taxonomy
 """
+import sys
 
 from office365.sharepoint.client_context import ClientContext
 from tests import create_unique_name, test_client_credentials, test_team_site_url
 
 client = ClientContext(test_team_site_url).with_credentials(test_client_credentials)
 
-# term_sets = client.taxonomy.term_store.get_term_sets_by_name("Sweden").execute_query()
+term_set_id = "3b712032-95c4-4bb5-952d-f85ae9288f99"
+# term_sets = client.taxonomy.term_store.get_term_sets_by_name("Countries").execute_query()
+# if len(term_sets) == 0:
+#    sys.exit("No term sets found")
 
-# field_name = create_unique_name("TaxColumn")
-# field = client.web.fields.create_taxonomy_field(field_name).execute_query()
-# print("Field  {0} has been created".format(field.internal_name))
-# field.delete_object().execute_query()  # clean up
+field_name = create_unique_name(create_unique_name("Country"))
+field = client.web.fields.create_taxonomy_field(field_name, term_set_id).execute_query()
+print("Field  {0} has been created".format(field.internal_name))
+
+field.delete_object().execute_query()  # clean up

examples/sharepoint/connect_with_client_certificate_adal.py renamed to examples/sharepoint/auth_client_certificate_adal.py

@@ -1,3 +1,6 @@
+"""
+Prints metadata about the site
+"""
 from office365.sharepoint.client_context import ClientContext
 from office365.sharepoint.webs.web import Web
 from tests import test_client_credentials, test_site_url

examples/sharepoint/auth_client_certificate_passphrase.py

@@ -1,11 +1,13 @@
+"""
+Demonstrates how to construct and submit requests without model involved
+"""
+
 import json
 
 from office365.sharepoint.client_context import ClientContext
 from tests import test_site_url, test_user_credentials
 
 if __name__ == "__main__":
-    """Demonstrates how to construct and submit requests without model involved"""
-
     client = ClientContext(test_site_url).with_credentials(test_user_credentials)
     response = client.execute_request_direct("web")
     response.raise_for_status()

examples/sharepoint/connect_with_client_certificate_private_key.py renamed to examples/sharepoint/auth_client_certificate_private_key.py

@@ -47,6 +47,7 @@ def with_client_certificate(
         cert_path=None,
         private_key=None,
         scopes=None,
+        passphrase=None,
     ):
         """Initializes a client to acquire a token via certificate credentials
 
@@ -56,6 +57,7 @@ def with_client_certificate(
         :param str or None cert_path: Path to A PEM encoded certificate private key.
         :param str or None private_key: A PEM encoded certificate private key.
         :param list[str] or None scopes:  Scopes requested to access a protected API (a resource)
+        :param str passphrase: Passphrase if the private_key is encrypted
         """
         if scopes is None:
             resource = get_absolute_url(self.url)
@@ -70,7 +72,11 @@ def with_client_certificate(
 
         def _acquire_token():
             authority_url = "https://login.microsoftonline.com/{0}".format(tenant)
-            credentials = {"thumbprint": thumbprint, "private_key": private_key}
+            credentials = {
+                "thumbprint": thumbprint,
+                "private_key": private_key,
+                "passphrase": passphrase,
+            }
             import msal
 
             app = msal.ConfidentialClientApplication(
@@ -187,7 +193,11 @@ def with_credentials(self, credentials, **kwargs):
                 browser_mode = kwargs.get("browser_mode", False)
                 environment = kwargs.get("environment")
                 provider = SamlTokenProvider(
-                    self.url, credentials.userName, credentials.password, browser_mode, environment
+                    self.url,
+                    credentials.userName,
+                    credentials.password,
+                    browser_mode,
+                    environment,
                 )
         else:
             raise ValueError("Unknown credential type")

examples/sharepoint/connect_with_client_certificate_scopes.py renamed to examples/sharepoint/auth_client_certificate_scopes.py

@@ -82,8 +82,9 @@ def with_client_certificate(
         cert_path=None,
         private_key=None,
         scopes=None,
+        passphrase=None,
     ):
-        # type: (str, str, str, Optional[str], Optional[str], Optional[List[str]]) -> Self
+        # type: (str, str, str, Optional[str], Optional[str], Optional[List[str]], Optional[str]) -> Self
         """
         Creates authenticated SharePoint context via certificate credentials
 
@@ -93,9 +94,10 @@ def with_client_certificate(
         :param str thumbprint: Hex encoded thumbprint of the certificate.
         :param str client_id: The OAuth client id of the calling application.
         :param list[str] or None scopes:  Scopes requested to access a protected API (a resource)
+        :param str passphrase: Passphrase if the private_key is encrypted
         """
         self.authentication_context.with_client_certificate(
-            tenant, client_id, thumbprint, cert_path, private_key, scopes
+            tenant, client_id, thumbprint, cert_path, private_key, scopes, passphrase
         )
         return self