GraeJones01
37b08ef012
All checks were successful
Management / build-deploy (push) Successful in 6m39s
328 lines
13 KiB
C#
328 lines
13 KiB
C#
using Management.Data;
|
|
using Microsoft.IdentityModel.Protocols;
|
|
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
using System.IdentityModel.Tokens.Jwt;
|
|
using System.Security.Claims;
|
|
using System.Text.Json;
|
|
|
|
namespace Management.Security;
|
|
|
|
/// <summary>
|
|
/// Authentication middleware for Management API.
|
|
///
|
|
/// Auth paths:
|
|
/// - /api/onboarding/* → JWT (Entra, any staff role)
|
|
/// - /api/monitoring/* → JWT (Entra, Staff.Admin or Staff.Tech role)
|
|
/// - /api/admin/* → JWT (Entra, Staff.Admin role only)
|
|
/// - /api/registration/*→ JWT (Entra, Staff.Admin role only)
|
|
/// - /api/staff/* → JWT (Entra, Staff.Admin role only)
|
|
/// - /api/test/* → Anonymous
|
|
/// - /api/documents/* → JWT (Entra, Staff.Admin or Staff.Tech role)
|
|
/// - /api/help/* → Anonymous
|
|
///
|
|
/// App Role values (defined in Entra portal on the staff app registration):
|
|
/// Staff.Admin → full platform access
|
|
/// Staff.Tech → monitoring/health only
|
|
/// </summary>
|
|
public sealed class ClientAuthMiddleware
|
|
{
|
|
private readonly RequestDelegate _next;
|
|
private readonly ILogger<ClientAuthMiddleware> _logger;
|
|
private readonly IConfiguration _config;
|
|
|
|
private static readonly HashSet<string> _anonymousExact = new(StringComparer.OrdinalIgnoreCase)
|
|
{
|
|
"/", "/health"
|
|
};
|
|
|
|
private static readonly string[] _anonymousPrefixes = { "/swagger", "/api/test", "/api/help" };
|
|
private static readonly string[] _jwtOnlyPrefixes = { "/api/onboarding" };
|
|
private static readonly string[] _staffRequiredPrefixes = { "/api/monitoring", "/api/documents" }; // Admin or Tech
|
|
private static readonly string[] _adminRequiredPrefixes = { "/api/admin", "/api/registration", "/api/staff" }; // Admin only
|
|
|
|
private static ConfigurationManager<OpenIdConnectConfiguration>? _oidcConfigManager;
|
|
private static readonly object _oidcLock = new();
|
|
|
|
public ClientAuthMiddleware(RequestDelegate next, ILogger<ClientAuthMiddleware> logger, IConfiguration config)
|
|
{
|
|
_next = next;
|
|
_logger = logger;
|
|
_config = config;
|
|
}
|
|
|
|
public async Task InvokeAsync(HttpContext context, ClientContext clientContext, SqlService sql)
|
|
{
|
|
var path = (context.Request.Path.Value ?? "").ToLowerInvariant();
|
|
var corrId = EnsureCorrelationId(context);
|
|
|
|
// Anonymous paths
|
|
if (IsAnonymousPath(path))
|
|
{
|
|
await _next(context);
|
|
return;
|
|
}
|
|
|
|
// Dev bypass
|
|
if (TryDevBypass(context, clientContext))
|
|
{
|
|
await _next(context);
|
|
return;
|
|
}
|
|
|
|
// JWT-only paths (onboarding)
|
|
if (IsJwtOnlyPath(path))
|
|
{
|
|
if (await TryJwtAuthAsync(context, clientContext))
|
|
{
|
|
await _next(context);
|
|
return;
|
|
}
|
|
|
|
context.Response.StatusCode = 401;
|
|
await context.Response.WriteAsJsonAsync(new { ok = false, error = "Valid Entra authentication required" });
|
|
return;
|
|
}
|
|
|
|
// Staff-required paths (Admin or Tech role) — monitoring/health
|
|
// Try session auth (client session tokens for CIAM users).
|
|
// then fall back to direct JWT for service-to-service calls.
|
|
if (IsStaffRequiredPath(path))
|
|
{
|
|
var staffAuthed = await TrySessionAuthAsync(context, clientContext, sql)
|
|
|| await TryJwtAuthAsync(context, clientContext);
|
|
if (staffAuthed)
|
|
{
|
|
if (!clientContext.IsStaff)
|
|
{
|
|
context.Response.StatusCode = 403;
|
|
await context.Response.WriteAsJsonAsync(new { ok = false, error = "Staff access required" });
|
|
return;
|
|
}
|
|
await _next(context);
|
|
return;
|
|
}
|
|
|
|
context.Response.StatusCode = 401;
|
|
await context.Response.WriteAsJsonAsync(new { ok = false, error = "Valid staff authentication required" });
|
|
return;
|
|
}
|
|
|
|
// Admin-required paths (Admin role only)
|
|
if (IsAdminRequiredPath(path))
|
|
{
|
|
var adminAuthed = await TrySessionAuthAsync(context, clientContext, sql)
|
|
|| await TryJwtAuthAsync(context, clientContext);
|
|
if (adminAuthed)
|
|
{
|
|
if (!clientContext.IsAdmin)
|
|
{
|
|
context.Response.StatusCode = 403;
|
|
await context.Response.WriteAsJsonAsync(new { ok = false, error = "Admin access required" });
|
|
return;
|
|
}
|
|
await _next(context);
|
|
return;
|
|
}
|
|
|
|
context.Response.StatusCode = 401;
|
|
await context.Response.WriteAsJsonAsync(new { ok = false, error = "Valid admin authentication required" });
|
|
return;
|
|
}
|
|
|
|
// Default: require session
|
|
if (await TrySessionAuthAsync(context, clientContext, sql))
|
|
{
|
|
await _next(context);
|
|
return;
|
|
}
|
|
|
|
context.Response.StatusCode = 401;
|
|
await context.Response.WriteAsJsonAsync(new { ok = false, error = "Valid session required" });
|
|
}
|
|
|
|
private static bool IsAnonymousPath(string path) =>
|
|
_anonymousExact.Contains(path) || _anonymousPrefixes.Any(p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase));
|
|
|
|
private static bool IsJwtOnlyPath(string path) =>
|
|
_jwtOnlyPrefixes.Any(p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase));
|
|
|
|
private static bool IsStaffRequiredPath(string path) =>
|
|
_staffRequiredPrefixes.Any(p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase));
|
|
|
|
private static bool IsAdminRequiredPath(string path) =>
|
|
_adminRequiredPrefixes.Any(p => path.StartsWith(p, StringComparison.OrdinalIgnoreCase));
|
|
|
|
private static string EnsureCorrelationId(HttpContext context)
|
|
{
|
|
if (!context.Request.Headers.TryGetValue("X-Correlation-Id", out var existing) || string.IsNullOrWhiteSpace(existing.FirstOrDefault()))
|
|
{
|
|
var id = Guid.NewGuid().ToString("N");
|
|
context.Request.Headers["X-Correlation-Id"] = id;
|
|
return id;
|
|
}
|
|
return existing.First()!;
|
|
}
|
|
|
|
private bool TryDevBypass(HttpContext context, ClientContext clientContext)
|
|
{
|
|
var env = _config["ASPNETCORE_ENVIRONMENT"] ?? Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
|
|
var allowBypass = _config.GetValue<bool>("Auth:AllowDevBypass");
|
|
|
|
if (!string.Equals(env, "Development", StringComparison.OrdinalIgnoreCase) && !allowBypass)
|
|
return false;
|
|
|
|
if (!context.Request.Headers.TryGetValue("X-Dev-ClientId", out var devClientId))
|
|
return false;
|
|
|
|
var clientId = devClientId.FirstOrDefault();
|
|
if (string.IsNullOrWhiteSpace(clientId))
|
|
return false;
|
|
|
|
clientContext.ClientId = clientId;
|
|
clientContext.IsDevBypass = true;
|
|
clientContext.Role = "Admin";
|
|
return true;
|
|
}
|
|
|
|
private async Task<bool> TrySessionAuthAsync(HttpContext context, ClientContext clientContext, SqlService sql)
|
|
{
|
|
string? token = context.Request.Headers["X-Session-Token"].FirstOrDefault();
|
|
|
|
if (string.IsNullOrWhiteSpace(token))
|
|
{
|
|
var authHeader = context.Request.Headers["Authorization"].FirstOrDefault();
|
|
if (!string.IsNullOrWhiteSpace(authHeader) && authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
|
|
token = authHeader["Bearer ".Length..].Trim();
|
|
}
|
|
|
|
if (string.IsNullOrWhiteSpace(token))
|
|
return false;
|
|
|
|
try
|
|
{
|
|
var rqst = JsonSerializer.Serialize(new { sessionToken = token });
|
|
var validateProc = "dbo.spClientSession"; // Staff use JWT Bearer; only client sessions exist
|
|
var resp = await sql.ExecProcAsync(validateProc, "validate", rqst, ct: context.RequestAborted);
|
|
|
|
if (string.IsNullOrWhiteSpace(resp))
|
|
return false;
|
|
|
|
using var doc = JsonDocument.Parse(resp);
|
|
var root = doc.RootElement;
|
|
|
|
if (root.TryGetProperty("ok", out var okProp) && okProp.ValueKind == JsonValueKind.True)
|
|
{
|
|
var data = root.TryGetProperty("data", out var dataProp) ? dataProp : root;
|
|
|
|
clientContext.SessionId = data.TryGetProperty("sessionId", out var sid) ? sid.GetString() : null;
|
|
|
|
// Admin sessions return adminId; client sessions return clientId — handle both
|
|
var clientId = data.TryGetProperty("clientId", out var cid) ? cid.GetString() : null;
|
|
if (string.IsNullOrWhiteSpace(clientId))
|
|
clientId = data.TryGetProperty("adminId", out var aid) ? aid.GetString() : null;
|
|
clientContext.ClientId = clientId;
|
|
clientContext.PlatformClientId = clientId;
|
|
|
|
clientContext.ClientName = data.TryGetProperty("clientName", out var cn) ? cn.GetString() : null;
|
|
clientContext.UserId = data.TryGetProperty("userId", out var uid) ? uid.GetString() : null;
|
|
clientContext.Email = data.TryGetProperty("userEmail", out var ue) ? ue.GetString() : null;
|
|
clientContext.Role = data.TryGetProperty("role", out var role) ? role.GetString() : null;
|
|
|
|
// IsStaff is computed from Role in ClientContext — no assignment needed
|
|
|
|
return clientContext.IsAuthenticated;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
_logger.LogError(ex, "Session validation error");
|
|
return false;
|
|
}
|
|
}
|
|
|
|
private async Task<bool> TryJwtAuthAsync(HttpContext context, ClientContext clientContext)
|
|
{
|
|
var authHeader = context.Request.Headers["Authorization"].FirstOrDefault();
|
|
if (string.IsNullOrWhiteSpace(authHeader) || !authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
|
|
return false;
|
|
|
|
var token = authHeader["Bearer ".Length..].Trim();
|
|
if (string.IsNullOrWhiteSpace(token))
|
|
return false;
|
|
|
|
var tenantId = _config["Auth:Staff:TenantId"];
|
|
var clientId = _config["Auth:Staff:ClientId"];
|
|
var instance = _config["Auth:Staff:Instance"] ?? "https://login.microsoftonline.com/";
|
|
|
|
if (string.IsNullOrWhiteSpace(tenantId) || string.IsNullOrWhiteSpace(clientId))
|
|
return false;
|
|
|
|
try
|
|
{
|
|
var handler = new JwtSecurityTokenHandler();
|
|
// Disable default claim type remapping so JWT claim names (roles, oid, etc.)
|
|
// are preserved as-is. Without this, "roles" is remapped to ClaimTypes.Role
|
|
// and FindAll("roles") returns empty — causing IsAdmin to be false.
|
|
handler.InboundClaimTypeMap.Clear();
|
|
|
|
var authority = $"{instance.TrimEnd('/')}/{tenantId}/v2.0";
|
|
var metadataAddress = $"{authority}/.well-known/openid-configuration";
|
|
|
|
var mgr = GetOrCreateConfigManager(metadataAddress);
|
|
var openIdConfig = await mgr.GetConfigurationAsync(context.RequestAborted);
|
|
|
|
var validationParams = new TokenValidationParameters
|
|
{
|
|
ValidateIssuer = true,
|
|
ValidIssuers = new[]
|
|
{
|
|
$"https://login.microsoftonline.com/{tenantId}/v2.0",
|
|
$"https://sts.windows.net/{tenantId}/"
|
|
},
|
|
ValidateAudience = true,
|
|
ValidAudiences = new[] { clientId, $"api://{clientId}" },
|
|
ValidateLifetime = true,
|
|
IssuerSigningKeys = openIdConfig.SigningKeys,
|
|
ClockSkew = TimeSpan.FromMinutes(5)
|
|
};
|
|
|
|
var principal = handler.ValidateToken(token, validationParams, out _);
|
|
|
|
// Map Entra App Role values to internal role names.
|
|
// Users with no recognized role get null — middleware rejects them.
|
|
var roles = principal.FindAll("roles").Select(c => c.Value).ToList();
|
|
var role = roles.Contains("Staff.Admin") ? "Admin"
|
|
: roles.Contains("Staff.Tech") ? "Tech"
|
|
: null; // no valid role assigned — reject
|
|
|
|
clientContext.ClientId = principal.FindFirstValue("oid")
|
|
?? principal.FindFirstValue(ClaimTypes.NameIdentifier);
|
|
clientContext.Email = principal.FindFirstValue("preferred_username")
|
|
?? principal.FindFirstValue(ClaimTypes.Email);
|
|
clientContext.ClientName = principal.FindFirstValue("name")
|
|
?? principal.FindFirstValue(ClaimTypes.Name);
|
|
clientContext.Role = role;
|
|
|
|
return clientContext.IsAuthenticated;
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
_logger.LogWarning("JWT validation failed: {Message}", ex.Message);
|
|
return false;
|
|
}
|
|
}
|
|
|
|
private static ConfigurationManager<OpenIdConnectConfiguration> GetOrCreateConfigManager(string metadataAddress)
|
|
{
|
|
lock (_oidcLock)
|
|
{
|
|
_oidcConfigManager ??= new ConfigurationManager<OpenIdConnectConfiguration>(
|
|
metadataAddress, new OpenIdConnectConfigurationRetriever());
|
|
return _oidcConfigManager;
|
|
}
|
|
}
|
|
}
|