Upgrade to .NET 10, security fixes, tests, and docs reorganization

- Upgrade all projects to .NET 10.0 (LTS) with aligned NuGet packages
- Fix JSON injection in EntraADHelper (use JsonObject instead of string interpolation)
- Fix index out of bounds with extension attribute name whitelist validation
- Fix thread-unsafe token cache with SemaphoreSlim double-check locking
- Fix OData filter injection in IntuneHelper (escape single quotes)
- Fix URL parameter injection in EntraADHelper (Uri.EscapeDataString)
- Fix resource disposal for DirectoryEntry in ADHelper
- Replace Console.WriteLine with ILogger in library code
- Fix deprecated ConfigureHttpMessageHandlerBuilder API
- Target net10.0-windows for Worker/Tests (eliminates CA1416 warnings)
- Remove redundant System.Text.Json and old SignalR packages
- Add SupportedOSPlatform attributes for Windows-only code paths
- Add unit test project with 28 tests (DN parsing, config, attribute validation)
- Move documentation files to docs/ folder
- Update README with .NET 10 badges, correct paths, and docs links
- Remove legacy empty folders from previous rename

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: robgrame

Nimbus.ExtensionAttributes.AD.Helper/ADHelper.cs

@@ -2,15 +2,15 @@
 
   <PropertyGroup>
     <OutputType>Library</OutputType>
-    <TargetFramework>net9.0</TargetFramework>
+    <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="9.0.4" />
-    <PackageReference Include="Microsoft.Extensions.Options" Version="9.0.4" />
-    <PackageReference Include="System.DirectoryServices" Version="9.0.4" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Options" Version="10.0.0" />
+    <PackageReference Include="System.DirectoryServices" Version="10.0.0" />
   </ItemGroup>
 
 </Project>

Nimbus.ExtensionAttributes.AD.Helper/Nimbus.ExtensionAttributes.AD.Helper.csproj

@@ -8,10 +8,11 @@
 
 namespace Nimbus.ExtensionAttributes.EntraAD.Authentication
 {
-    public class AuthenticationHandler
+    public class AuthenticationHandler : IDisposable
     {
         private readonly EntraADHelperSettings _settings;
         private readonly ILogger<AuthenticationHandler> _logger;
+        private readonly SemaphoreSlim _tokenLock = new(1, 1);
         private AccessToken? _accessToken;
         private DateTime _tokenExpiration;
 
@@ -23,21 +24,27 @@ public AuthenticationHandler(IOptions<EntraADHelperSettings> settings, ILogger<A
 
         public async Task<AccessToken> GetAccessTokenAsync()
         {
-            try
+            // Fast path: check cache without locking
+            if (_accessToken != null && _accessToken.Value.ExpiresOn.UtcDateTime > DateTime.UtcNow.AddMinutes(_settings.TokenExpirationBuffer))
             {
+                _logger.LogTrace("Using cached access token.");
+                return _accessToken.Value;
+            }
 
-                // Check if the access token is cached and not expired within the buffer time
+            await _tokenLock.WaitAsync();
+            try
+            {
+                // Double-check after acquiring lock (another thread may have refreshed)
                 if (_accessToken != null && _accessToken.Value.ExpiresOn.UtcDateTime > DateTime.UtcNow.AddMinutes(_settings.TokenExpirationBuffer))
                 {
-                    _logger.LogTrace("Using cached access token.");
+                    _logger.LogTrace("Using cached access token (refreshed by another thread).");
                     return _accessToken.Value;
                 }
 
-                // Check if ClientId and TenantId are set
                 if (string.IsNullOrEmpty(_settings.ClientId) || string.IsNullOrEmpty(_settings.TenantId))
                 {
                     _logger.LogError("ClientId or TenantId is not set.");
-                    throw new Exception("ClientId or TenantId is not set.");
+                    throw new InvalidOperationException("ClientId or TenantId is not set.");
                 }
 
                 _logger.LogTrace("Fetching new access token...");
@@ -52,13 +59,13 @@ public async Task<AccessToken> GetAccessTokenAsync()
                     if (string.IsNullOrEmpty(_settings.CertificateThumbprint))
                     {
                         _logger.LogError("Certificate thumbprint is not set.");
-                        throw new Exception("Certificate thumbprint is not set.");
+                        throw new InvalidOperationException("Certificate thumbprint is not set.");
                     }
                     var certificate = FindCertificateByThumbprint(_settings.CertificateThumbprint);
                     if (certificate == null)
                     {
                         _logger.LogError("Certificate with thumbprint {Thumbprint} not found", _settings.CertificateThumbprint);
-                        throw new Exception("Certificate not found");
+                        throw new InvalidOperationException($"Certificate with thumbprint {_settings.CertificateThumbprint} not found.");
                     }
 
                     credential = new ClientCertificateCredential(_settings.TenantId, _settings.ClientId, certificate);
@@ -97,6 +104,15 @@ public async Task<AccessToken> GetAccessTokenAsync()
                 _logger.LogError(ex, "Failed to get access token.");
                 throw new InvalidOperationException("An unexpected error occurred while getting the access token.", ex);
             }
+            finally
+            {
+                _tokenLock.Release();
+            }
+        }
+
+        public void Dispose()
+        {
+            _tokenLock.Dispose();
         }
 
         private X509Certificate2? FindCertificateByThumbprint(string thumbprint)

Nimbus.ExtensionAttributes.EntraAD.Helper/Authentication/AuthenticationHandler.cs

@@ -24,6 +24,16 @@ public class EntraADHelper : IEntraADHelper
         private readonly HttpClient _httpClient;
         private readonly AuthenticationHandler _authenticationHandler;
 
+        // Whitelist of valid extension attribute property names
+        private static readonly HashSet<string> ValidExtensionAttributes = new(StringComparer.OrdinalIgnoreCase)
+        {
+            "ExtensionAttribute1", "ExtensionAttribute2", "ExtensionAttribute3",
+            "ExtensionAttribute4", "ExtensionAttribute5", "ExtensionAttribute6",
+            "ExtensionAttribute7", "ExtensionAttribute8", "ExtensionAttribute9",
+            "ExtensionAttribute10", "ExtensionAttribute11", "ExtensionAttribute12",
+            "ExtensionAttribute13", "ExtensionAttribute14", "ExtensionAttribute15"
+        };
+
         public EntraADHelper(ILogger<IEntraADHelper> logger, IHttpClientFactory httpClientFactory,IOptions<EntraADHelperSettings> settings,GraphServiceClient graphServiceClient, AuthenticationHandler authenticationHandler)
         {
             _graphServiceClient = graphServiceClient;
@@ -33,6 +43,29 @@ public EntraADHelper(ILogger<IEntraADHelper> logger, IHttpClientFactory httpClie
             _authenticationHandler = authenticationHandler;
         }
 
+        /// <summary>
+        /// Normalizes extension attribute name to proper casing (e.g. "extensionattribute1" → "extensionAttribute1")
+        /// and validates it against the whitelist.
+        /// </summary>
+        private string NormalizeExtensionAttributeName(string extensionAttribute)
+        {
+            ArgumentException.ThrowIfNullOrWhiteSpace(extensionAttribute);
+
+            // Find matching attribute from whitelist (case-insensitive)
+            var match = ValidExtensionAttributes.FirstOrDefault(a => 
+                string.Equals(a, extensionAttribute, StringComparison.OrdinalIgnoreCase));
+
+            if (match == null)
+            {
+                throw new ArgumentException(
+                    $"Invalid extension attribute name: '{extensionAttribute}'. Must be extensionAttribute1 through extensionAttribute15.",
+                    nameof(extensionAttribute));
+            }
+
+            // Return with correct casing for Graph API: "extensionAttribute1" (lowercase 'e', uppercase 'A')
+            return char.ToLowerInvariant(match[0]) + match[1..];
+        }
+
 
         public async Task<IEnumerable<User>> GetUsers()
         {
@@ -110,7 +143,7 @@ public async Task<IEnumerable<User>> GetUsers(int pagingNum)
             }
             catch (ServiceException ex)
             {
-                Console.WriteLine($"An error occurred: {ex.Message}");
+                _logger.LogError(ex, "An error occurred retrieving user {UserId}", userId);
                 return null;
             }
         }
@@ -124,7 +157,7 @@ public async Task<IEnumerable<User>> GetUsers(int pagingNum)
             }
             catch (ServiceException ex)
             {
-                Console.WriteLine($"An error occurred retrieving Device directory object: {ex.Message}");
+                _logger.LogError(ex, "An error occurred retrieving Device directory object for {DeviceId}", deviceId);
                 return null;
             }
         }
@@ -139,7 +172,7 @@ public async Task<IEnumerable<User>> GetUsers(int pagingNum)
 
                 _logger.LogTrace("Building the request to the Microsoft Graph API (beta)");
                 var request = new HttpRequestMessage(HttpMethod.Get, 
-                    $"https://graph.microsoft.com/beta/devices?$filter=displayName eq '{deviceName}'&$select={string.Join(",", _settings.AttributesToLoad ?? new[] {"id","deviceId","accountEnabled","approximateLastSignInDateTime","displayName","trustType"})}");
+                    $"https://graph.microsoft.com/beta/devices?$filter=displayName eq '{Uri.EscapeDataString(deviceName)}'&$select={string.Join(",", _settings.AttributesToLoad ?? new[] {"id","deviceId","accountEnabled","approximateLastSignInDateTime","displayName","trustType"})}");
                 _logger.LogTrace("Request built");
 
                 _logger.LogTrace("Adding the access token to the request headers");
@@ -215,9 +248,7 @@ public async Task<IEnumerable<User>> GetUsers(int pagingNum)
         {
             _logger.LogTrace("GetExtensionAttribute Called");
 
-            string lowerCasedExtensionAttribute = extensionAttribute.ToLowerInvariant();
-            string correctCasingAttribute = char.ToUpperInvariant(lowerCasedExtensionAttribute[0]) + lowerCasedExtensionAttribute.Substring(1);
-            correctCasingAttribute = correctCasingAttribute.Substring(0, 9) + char.ToUpperInvariant(extensionAttribute[9]) + extensionAttribute.Substring(10);
+            string correctCasingAttribute = NormalizeExtensionAttributeName(extensionAttribute);
             _logger.LogTrace("Extension attribute name {extensionAttribute} converted to {correctCasingAttribute}", extensionAttribute, correctCasingAttribute);
 
             try
@@ -255,7 +286,10 @@ public async Task<IEnumerable<User>> GetUsers(int pagingNum)
                         _logger.LogError("Extension attributes are null for device {DeviceId}", deviceId);
                         return null;
                     }
-                    var extensionAttributeValue = device.ExtensionAttributes.GetType().GetProperty(correctCasingAttribute)?.GetValue(device.ExtensionAttributes, null);
+
+                    // Use PascalCase for reflection on the model property
+                    var pascalCaseAttr = char.ToUpperInvariant(correctCasingAttribute[0]) + correctCasingAttribute[1..];
+                    var extensionAttributeValue = device.ExtensionAttributes.GetType().GetProperty(pascalCaseAttr)?.GetValue(device.ExtensionAttributes, null);
                     if (extensionAttributeValue == null)
                     {
                         _logger.LogWarning("Extension attribute {ExtensionAttribute} is null for device {DeviceId}", extensionAttribute, deviceId);
@@ -295,9 +329,7 @@ public async Task<IEnumerable<User>> GetUsers(int pagingNum)
 
             foreach (string extensionAttribute in extensionAttributes)
             {
-                string lowerCasedExtensionAttribute = extensionAttribute.ToLowerInvariant();
-                string correctCasingAttribute = char.ToUpperInvariant(lowerCasedExtensionAttribute[0]) + lowerCasedExtensionAttribute.Substring(1);
-                correctCasingAttribute = correctCasingAttribute.Substring(0, 9) + char.ToUpperInvariant(extensionAttribute[9]) + extensionAttribute.Substring(10);
+                string correctCasingAttribute = NormalizeExtensionAttributeName(extensionAttribute);
                 _logger.LogTrace("Extension attribute name {extensionAttribute} converted to {correctCasingAttribute}", extensionAttribute, correctCasingAttribute);
                 correctCasingAttributes.Add(correctCasingAttribute);
             }
@@ -339,7 +371,8 @@ public async Task<IEnumerable<User>> GetUsers(int pagingNum)
                     }
 
                     var extensionAttributeValuesList = device.ExtensionAttributes.GetType().GetProperties()
-                        .Where(p => correctCasingAttributes.Contains(p.Name))
+                        .Where(p => correctCasingAttributes.Any(ca => 
+                            string.Equals(char.ToUpperInvariant(ca[0]) + ca[1..], p.Name, StringComparison.Ordinal)))
                         .Select(p => p.GetValue(device.ExtensionAttributes, null)?.ToString())
                         .ToList();
 
@@ -374,7 +407,7 @@ public async Task<IEnumerable<User>> GetUsers(int pagingNum)
             _logger.LogTrace("SetExtensionAttributeValue Called");
 
             var lowerCasedExtensionAttribute = extensionAttributeName.ToLowerInvariant();
-            var correctCasingAttribute = lowerCasedExtensionAttribute.Substring(0, 9) + char.ToUpperInvariant(extensionAttributeName[9]) + extensionAttributeName.Substring(10);
+            var correctCasingAttribute = NormalizeExtensionAttributeName(extensionAttributeName);
             _logger.LogTrace("Correct casing for extension attribute {extensionAttribute} is {correctCasingAttribute}", extensionAttributeName, correctCasingAttribute);
 
             try
@@ -393,7 +426,14 @@ public async Task<IEnumerable<User>> GetUsers(int pagingNum)
                 _logger.LogTrace("Access token added to the request headers");
 
                 _logger.LogTrace("Adding the request body");
-                request.Content = new StringContent($"{{\"extensionAttributes\":{{\"{extensionAttributeName}\":\"{extensionAttributeValue}\"}}}}", System.Text.Encoding.UTF8, "application/json");
+                var jsonBody = new System.Text.Json.Nodes.JsonObject
+                {
+                    ["extensionAttributes"] = new System.Text.Json.Nodes.JsonObject
+                    {
+                        [extensionAttributeName] = extensionAttributeValue
+                    }
+                };
+                request.Content = new StringContent(jsonBody.ToJsonString(), System.Text.Encoding.UTF8, "application/json");
                 _logger.LogTrace("Request body added");
 
                 _logger.LogTrace("Sending the request");
@@ -815,7 +855,7 @@ public async Task<IEnumerable<string>> GetDeviceHWIdByComputerName(string comput
 
                 _logger.LogTrace("Building the request to the Microsoft Graph API (beta)");
                 var request = new HttpRequestMessage(HttpMethod.Get, 
-                    $"https://graph.microsoft.com/beta/devices?$filter=displayName eq '{computerName}'");
+                    $"https://graph.microsoft.com/beta/devices?$filter=displayName eq '{Uri.EscapeDataString(computerName)}'");
                 _logger.LogTrace("Request built");
 
                 _logger.LogTrace("Adding the access token to the request headers");

Nimbus.ExtensionAttributes.EntraAD.Helper/EntraADHelper.cs

@@ -1,18 +1,17 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net9.0</TargetFramework>
+    <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
     <PackageReference Include="Azure.Identity" Version="1.13.2" />
-    <PackageReference Include="Microsoft.Extensions.Http" Version="9.0.4" />
-    <PackageReference Include="Microsoft.Extensions.Logging" Version="9.0.4" />
+    <PackageReference Include="Microsoft.Extensions.Http" Version="10.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Logging" Version="10.0.0" />
     <PackageReference Include="Microsoft.Graph" Version="5.77.0" />
     <PackageReference Include="Microsoft.Identity.Client" Version="4.68.0" />
-    <PackageReference Include="System.Text.Json" Version="9.0.4" />
   </ItemGroup>
 
 </Project>

Nimbus.ExtensionAttributes.EntraAD.Helper/Nimbus.ExtensionAttributes.EntraAD.Helper.csproj

@@ -32,6 +32,14 @@ public IntuneHelper(ILogger<IIntuneHelper> logger, GraphServiceClient graphClien
             _logger.LogInformation("IntuneHelper initialized with authenticated REST API support.");
         }
 
+        /// <summary>
+        /// Escapes single quotes in OData filter values to prevent filter injection
+        /// </summary>
+        private static string EscapeODataFilterValue(string value)
+        {
+            return value.Replace("'", "''");
+        }
+
         #region Basic Device Information
         public async Task<ManagedDeviceCollectionResponse> GetIntuneDevices()
         {
@@ -93,7 +101,7 @@ public async Task<ManagedDeviceCollectionResponse> GetIntuneDevices()
                 _logger.LogDebug("Getting device details for device name: {DeviceName}", deviceName);
                 var devices = await _graphServiceClient.DeviceManagement.ManagedDevices.GetAsync(requestConfiguration =>
                 {
-                    requestConfiguration.QueryParameters.Filter = $"deviceName eq '{deviceName}'";
+                    requestConfiguration.QueryParameters.Filter = $"deviceName eq '{EscapeODataFilterValue(deviceName)}'";
                 });
 
                 return devices?.Value?.FirstOrDefault();
@@ -112,7 +120,7 @@ public async Task<ManagedDeviceCollectionResponse> GetIntuneDevices()
                 _logger.LogDebug("Getting device details for Entra device ID: {EntraDeviceId}", entraDeviceId);
                 var devices = await _graphServiceClient.DeviceManagement.ManagedDevices.GetAsync(requestConfiguration =>
                 {
-                    requestConfiguration.QueryParameters.Filter = $"azureADDeviceId eq '{entraDeviceId}'";
+                    requestConfiguration.QueryParameters.Filter = $"azureADDeviceId eq '{EscapeODataFilterValue(entraDeviceId)}'";
                 });
 
                 return devices?.Value?.FirstOrDefault();
@@ -360,7 +368,7 @@ public async Task<bool> IsBitLockerEnabled(string deviceId)
                 _logger.LogDebug("Finding device by serial number: {SerialNumber}", serialNumber);
                 var devices = await _graphServiceClient.DeviceManagement.ManagedDevices.GetAsync(requestConfiguration =>
                 {
-                    requestConfiguration.QueryParameters.Filter = $"serialNumber eq '{serialNumber}'";
+                    requestConfiguration.QueryParameters.Filter = $"serialNumber eq '{EscapeODataFilterValue(serialNumber)}'";
                 });
 
                 return devices?.Value?.FirstOrDefault();
@@ -379,7 +387,7 @@ public async Task<IEnumerable<ManagedDevice>> FindDevicesByUser(string userPrinc
                 _logger.LogDebug("Finding devices by user: {UserPrincipalName}", userPrincipalName);
                 var devices = await _graphServiceClient.DeviceManagement.ManagedDevices.GetAsync(requestConfiguration =>
                 {
-                    requestConfiguration.QueryParameters.Filter = $"userPrincipalName eq '{userPrincipalName}'";
+                    requestConfiguration.QueryParameters.Filter = $"userPrincipalName eq '{EscapeODataFilterValue(userPrincipalName)}'";
                 });
 
                 return devices?.Value ?? new List<ManagedDevice>();

Nimbus.ExtensionAttributes.Intune.Helper/IntuneHelper.cs

@@ -1,14 +1,14 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net9.0</TargetFramework>
+    <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Http" Version="9.0.9" />
-    <PackageReference Include="Microsoft.Extensions.Logging" Version="9.0.9" />
+    <PackageReference Include="Microsoft.Extensions.Http" Version="10.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Logging" Version="10.0.0" />
     <PackageReference Include="Microsoft.Graph" Version="5.77.0" />
     <PackageReference Include="Microsoft.Identity.Client" Version="4.68.0" />
     <PackageReference Include="Serilog" Version="4.2.0" />