Log user claims

mocsharp · mocsharp · commit 7bbdcef5e914 · 2022-12-01T15:12:18.000-08:00
Signed-off-by: Victor Chang &lt;vicchang@nvidia.com&gt;
diff --git a/src/Authentication/Configurations/AuthenticationOptions.cs b/src/Authentication/Configurations/AuthenticationOptions.cs
@@ -24,10 +24,10 @@ namespace Monai.Deploy.Security.Authentication.Configurations
 {
     public class AuthenticationOptions
     {
-        [ConfigurationKeyName("BypassAuthentication")]
+        [ConfigurationKeyName("bypassAuthentication")]
         public bool? BypassAuthentication { get; set; }
 
-        [ConfigurationKeyName("OpenId")]
+        [ConfigurationKeyName("openId")]
         public OpenIdOptions? OpenId { get; set; }
 
         public bool BypassAuth(ILogger logger)
diff --git a/src/Authentication/Configurations/ClaimMappings.cs b/src/Authentication/Configurations/ClaimMappings.cs
@@ -20,10 +20,10 @@ namespace Monai.Deploy.Security.Authentication.Configurations
 {
     public class ClaimMappings
     {
-        [ConfigurationKeyName("UserClaims")]
+        [ConfigurationKeyName("userClaims")]
         public List<ClaimMapping>? UserClaims { get; set; }
 
-        [ConfigurationKeyName("AdminClaims")]
+        [ConfigurationKeyName("adminClaims")]
         public List<ClaimMapping>? AdminClaims { get; set; }
     }
 
@@ -32,8 +32,8 @@ public class ClaimMapping
         [ConfigurationKeyName("claim")]
         public string Claim { get; set; } = string.Empty;
 
-        [ConfigurationKeyName("role")]
-        public string Role { get; set; } = string.Empty;
+        [ConfigurationKeyName("roles")]
+        public List<string> Roles { get; set; } = new List<string>();
 
         [ConfigurationKeyName("endpoints")]
         public List<string>? Endpoints { get; set; } = default;
diff --git a/src/Authentication/Configurations/OpenIdOptions.cs b/src/Authentication/Configurations/OpenIdOptions.cs
@@ -20,19 +20,19 @@ namespace Monai.Deploy.Security.Authentication.Configurations
 {
     public class OpenIdOptions
     {
-        [ConfigurationKeyName("ServerRealm")]
+        [ConfigurationKeyName("realm")]
         public string? ServerRealm { get; set; }
 
-        [ConfigurationKeyName("ServerRealmKey")]
+        [ConfigurationKeyName("realmKey")]
         public string? ServerRealmKey { get; set; }
 
-        [ConfigurationKeyName("ClientId")]
+        [ConfigurationKeyName("clientId")]
         public string? ClientId { get; set; }
 
-        [ConfigurationKeyName("ClaimMappings")]
+        [ConfigurationKeyName("claimMappings")]
         public ClaimMappings? Claims { get; set; }
 
-        [ConfigurationKeyName("Audiences")]
+        [ConfigurationKeyName("audiences")]
         public IList<string>? Audiences { get; set; }
     }
 }
diff --git a/src/Authentication/Extensions/HttpContextExtension.cs b/src/Authentication/Extensions/HttpContextExtension.cs
@@ -27,33 +27,46 @@ public static class HttpContextExtension
         /// <summary>
         /// Gets endpoints specified in config for roles in claims.
         /// </summary>
-        /// <param name="httpcontext"></param>
+        /// <param name="httpContext"></param>
         /// <param name="requiredClaims"></param>
         /// <returns></returns>
-        public static List<string> GetValidEndpoints(this HttpContext httpcontext, ILogger<EndpointAuthorizationMiddleware> logger, List<Configurations.ClaimMapping> adminClaims, List<Configurations.ClaimMapping> userClaims)
+        public static List<string> GetValidEndpoints(this HttpContext httpContext, ILogger<EndpointAuthorizationMiddleware> logger, List<Configurations.ClaimMapping> adminClaims, List<Configurations.ClaimMapping> userClaims)
         {
             Guard.Against.Null(adminClaims);
             Guard.Against.Null(userClaims);
 
+            foreach (var claim in httpContext.User.Claims)
+            {
+                logger.UserClaimFound(claim.Type, claim.Value);
+
+            }
+
             foreach (var claim in adminClaims!)
             {
-                if (httpcontext.User.HasClaim(claim.Claim, claim.Role))
+                foreach (var role in claim.Roles)
                 {
-                    logger.UserClaimFound(claim.Claim, claim.Role);
-                    return new List<string> { "all" };
+                    logger.CheckingUserClaim(claim.Claim, role);
+                    if (httpContext.User.HasClaim(claim.Claim, role))
+                    {
+                        return new List<string> { "*" };
+                    }
                 }
             }
 
+            var endpoints = new List<string>();
             foreach (var claim in userClaims!)
             {
-                if (httpcontext.User.HasClaim(claim.Claim, claim.Role))
+                foreach (var role in claim.Roles)
                 {
-                    logger.UserClaimFound(claim.Claim, claim.Role);
-                    return claim.Endpoints!;
+                    logger.CheckingUserClaim(claim.Claim, role);
+                    if (httpContext.User.HasClaim(claim.Claim, role))
+                    {
+                        endpoints.AddRange(claim.Endpoints!);
+                    }
                 }
             }
 
-            return new List<string>();
+            return endpoints.Distinct().ToList();
         }
     }
 }
diff --git a/src/Authentication/Logging.cs b/src/Authentication/Logging.cs
@@ -29,7 +29,10 @@ public static partial class Log
         [LoggerMessage(EventId = 500002, Level = LogLevel.Debug, Message = "User '{user}' access denied due to limited permissions: '{permissions}'.")]
         public static partial void UserAccessDenied(this ILogger logger, string? user, string? permissions);
 
-        [LoggerMessage(EventId = 500003, Level = LogLevel.Debug, Message = "User claim {claim}={value}.")]
+        [LoggerMessage(EventId = 500003, Level = LogLevel.Trace, Message = "User claim {claim}={value}.")]
         public static partial void UserClaimFound(this ILogger logger, string? claim, string? value);
+
+        [LoggerMessage(EventId = 500004, Level = LogLevel.Trace, Message = "Checking user claim {claim}={value}.")]
+        public static partial void CheckingUserClaim(this ILogger logger, string? claim, string? value);
     }
 }
diff --git a/src/Authentication/Middleware/EndpointAuthorizationMiddleware.cs b/src/Authentication/Middleware/EndpointAuthorizationMiddleware.cs
@@ -57,7 +57,7 @@ public async Task InvokeAsync(HttpContext httpContext)
                 {
                     _logger.UserAccessingController(httpContext.User.Identity.Name, controller);
                     var validEndpoints = httpContext.GetValidEndpoints(_logger, _options.Value.OpenId!.Claims!.AdminClaims!, _options.Value.OpenId!.Claims!.UserClaims!);
-                    var result = validEndpoints.Any(e => e.Equals(controller, StringComparison.InvariantCultureIgnoreCase)) || validEndpoints.Contains("all");
+                    var result = validEndpoints.Any(e => e.Equals(controller, StringComparison.InvariantCultureIgnoreCase)) || validEndpoints.Contains("*");
 
                     if (result is false)
                     {
diff --git a/src/Authentication/Tests/test.auth.json b/src/Authentication/Tests/test.auth.json
@@ -1,28 +1,28 @@
 ﻿{
   "MonaiDeployAuthentication": {
-    "BypassAuthentication": false,
-    "OpenId": {
-      "ServerRealm": "TEST-REALM",
-      "ServerRealmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",
-      "Audiences": [ "monai-app" ],
-      "ClientId": "monai-app-test",
-      "ClaimMappings": {
-        "UserClaims": [
+    "bypassAuthentication": false,
+    "openId": {
+      "realm": "TEST-REALM",
+      "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",
+      "audiences": [ "monai-app" ],
+      "clientId": "monai-app-test",
+      "claimMappings": {
+        "userClaims": [
           {
             "claim": "user_roles",
-            "role": "role-with-test",
+            "roles": [ "role-with-test" ],
             "endpoints": [ "test" ]
           },
           {
             "claim": "user_roles",
-            "roles": "role-without-test",
+            "roles": [ "role-without-test" ],
             "endpoints": [ "no-test" ]
           }
         ],
-        "AdminClaims": [
+        "adminClaims": [
           {
             "claim": "user_roles",
-            "role": "monai-role-admin"
+            "roles": [ "monai-role-admin" ]
           }
         ]
       }
diff --git a/src/Authentication/example.json b/src/Authentication/example.json
@@ -10,18 +10,19 @@
         "UserClaims": [
           {
             "claim": "user_roles",
-            "role": "monai-deploy-user",
+            "roles": [ "monai-deploy-user" ],
             "endpoints": [ "test" ]
           },
           {
-            "user_roles": "pacs-admins",
+            "user_roles": "user_roles",
+            "roles": [ "pacs-admins" ],
             "endpoints": [ "config" ]
           }
         ],
         "AdminClaims": [
           {
             "claim": "user_roles",
-            "role": "monai-role-admin"
+            "role": [ "monai-role-admin" ]
           }
         ]
       }

Original file line number	Diff line number	Diff line change
`@@ -24,10 +24,10 @@ namespace Monai.Deploy.Security.Authentication.Configurations`
`24`	`24`	`{`
`25`	`25`	`public class AuthenticationOptions`
`26`	`26`	`{`
`27`		`- [ConfigurationKeyName("BypassAuthentication")]`
	`27`	`+ [ConfigurationKeyName("bypassAuthentication")]`
`28`	`28`	`public bool? BypassAuthentication { get; set; }`
`29`	`29`
`30`		`- [ConfigurationKeyName("OpenId")]`
	`30`	`+ [ConfigurationKeyName("openId")]`
`31`	`31`	`public OpenIdOptions? OpenId { get; set; }`
`32`	`32`
`33`	`33`	`public bool BypassAuth(ILogger logger)`
Original file line number	Diff line number	Diff line change
`@@ -20,10 +20,10 @@ namespace Monai.Deploy.Security.Authentication.Configurations`
`20`	`20`	`{`
`21`	`21`	`public class ClaimMappings`
`22`	`22`	`{`
`23`		`- [ConfigurationKeyName("UserClaims")]`
	`23`	`+ [ConfigurationKeyName("userClaims")]`
`24`	`24`	`public List<ClaimMapping>? UserClaims { get; set; }`
`25`	`25`
`26`		`- [ConfigurationKeyName("AdminClaims")]`
	`26`	`+ [ConfigurationKeyName("adminClaims")]`
`27`	`27`	`public List<ClaimMapping>? AdminClaims { get; set; }`
`28`	`28`	`}`
`29`	`29`
`@@ -32,8 +32,8 @@ public class ClaimMapping`
`32`	`32`	`[ConfigurationKeyName("claim")]`
`33`	`33`	`public string Claim { get; set; } = string.Empty;`
`34`	`34`
`35`		`- [ConfigurationKeyName("role")]`
`36`		`- public string Role { get; set; } = string.Empty;`
	`35`	`+ [ConfigurationKeyName("roles")]`
	`36`	`+ public List<string> Roles { get; set; } = new List<string>();`
`37`	`37`
`38`	`38`	`[ConfigurationKeyName("endpoints")]`
`39`	`39`	`public List<string>? Endpoints { get; set; } = default;`
Original file line number	Diff line number	Diff line change
`@@ -20,19 +20,19 @@ namespace Monai.Deploy.Security.Authentication.Configurations`
`20`	`20`	`{`
`21`	`21`	`public class OpenIdOptions`
`22`	`22`	`{`
`23`		`- [ConfigurationKeyName("ServerRealm")]`
	`23`	`+ [ConfigurationKeyName("realm")]`
`24`	`24`	`public string? ServerRealm { get; set; }`
`25`	`25`
`26`		`- [ConfigurationKeyName("ServerRealmKey")]`
	`26`	`+ [ConfigurationKeyName("realmKey")]`
`27`	`27`	`public string? ServerRealmKey { get; set; }`
`28`	`28`
`29`		`- [ConfigurationKeyName("ClientId")]`
	`29`	`+ [ConfigurationKeyName("clientId")]`
`30`	`30`	`public string? ClientId { get; set; }`
`31`	`31`
`32`		`- [ConfigurationKeyName("ClaimMappings")]`
	`32`	`+ [ConfigurationKeyName("claimMappings")]`
`33`	`33`	`public ClaimMappings? Claims { get; set; }`
`34`	`34`
`35`		`- [ConfigurationKeyName("Audiences")]`
	`35`	`+ [ConfigurationKeyName("audiences")]`
`36`	`36`	`public IList<string>? Audiences { get; set; }`
`37`	`37`	`}`
`38`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,33 +27,46 @@ public static class HttpContextExtension`
`27`	`27`	`/// <summary>`
`28`	`28`	`/// Gets endpoints specified in config for roles in claims.`
`29`	`29`	`/// </summary>`
`30`		`- /// <param name="httpcontext"></param>`
	`30`	`+ /// <param name="httpContext"></param>`
`31`	`31`	`/// <param name="requiredClaims"></param>`
`32`	`32`	`/// <returns></returns>`
`33`		`- public static List<string> GetValidEndpoints(this HttpContext httpcontext, ILogger<EndpointAuthorizationMiddleware> logger, List<Configurations.ClaimMapping> adminClaims, List<Configurations.ClaimMapping> userClaims)`
	`33`	`+ public static List<string> GetValidEndpoints(this HttpContext httpContext, ILogger<EndpointAuthorizationMiddleware> logger, List<Configurations.ClaimMapping> adminClaims, List<Configurations.ClaimMapping> userClaims)`
`34`	`34`	`{`
`35`	`35`	`Guard.Against.Null(adminClaims);`
`36`	`36`	`Guard.Against.Null(userClaims);`
`37`	`37`
	`38`	`+ foreach (var claim in httpContext.User.Claims)`
	`39`	`+ {`
	`40`	`+ logger.UserClaimFound(claim.Type, claim.Value);`
	`41`	`+`
	`42`	`+ }`
	`43`	`+`
`38`	`44`	`foreach (var claim in adminClaims!)`
`39`	`45`	`{`
`40`		`- if (httpcontext.User.HasClaim(claim.Claim, claim.Role))`
	`46`	`+ foreach (var role in claim.Roles)`
`41`	`47`	`{`
`42`		`- logger.UserClaimFound(claim.Claim, claim.Role);`
`43`		`- return new List<string> { "all" };`
	`48`	`+ logger.CheckingUserClaim(claim.Claim, role);`
	`49`	`+ if (httpContext.User.HasClaim(claim.Claim, role))`
	`50`	`+ {`
	`51`	`+ return new List<string> { "*" };`
	`52`	`+ }`
`44`	`53`	`}`
`45`	`54`	`}`
`46`	`55`
	`56`	`+ var endpoints = new List<string>();`
`47`	`57`	`foreach (var claim in userClaims!)`
`48`	`58`	`{`
`49`		`- if (httpcontext.User.HasClaim(claim.Claim, claim.Role))`
	`59`	`+ foreach (var role in claim.Roles)`
`50`	`60`	`{`
`51`		`- logger.UserClaimFound(claim.Claim, claim.Role);`
`52`		`- return claim.Endpoints!;`
	`61`	`+ logger.CheckingUserClaim(claim.Claim, role);`
	`62`	`+ if (httpContext.User.HasClaim(claim.Claim, role))`
	`63`	`+ {`
	`64`	`+ endpoints.AddRange(claim.Endpoints!);`
	`65`	`+ }`
`53`	`66`	`}`
`54`	`67`	`}`
`55`	`68`
`56`		`- return new List<string>();`
	`69`	`+ return endpoints.Distinct().ToList();`
`57`	`70`	`}`
`58`	`71`	`}`
`59`	`72`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,10 @@ public static partial class Log`
`29`	`29`	`[LoggerMessage(EventId = 500002, Level = LogLevel.Debug, Message = "User '{user}' access denied due to limited permissions: '{permissions}'.")]`
`30`	`30`	`public static partial void UserAccessDenied(this ILogger logger, string? user, string? permissions);`
`31`	`31`
`32`		`- [LoggerMessage(EventId = 500003, Level = LogLevel.Debug, Message = "User claim {claim}={value}.")]`
	`32`	`+ [LoggerMessage(EventId = 500003, Level = LogLevel.Trace, Message = "User claim {claim}={value}.")]`
`33`	`33`	`public static partial void UserClaimFound(this ILogger logger, string? claim, string? value);`
	`34`	`+`
	`35`	`+ [LoggerMessage(EventId = 500004, Level = LogLevel.Trace, Message = "Checking user claim {claim}={value}.")]`
	`36`	`+ public static partial void CheckingUserClaim(this ILogger logger, string? claim, string? value);`
`34`	`37`	`}`
`35`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ public async Task InvokeAsync(HttpContext httpContext)`
`57`	`57`	`{`
`58`	`58`	`_logger.UserAccessingController(httpContext.User.Identity.Name, controller);`
`59`	`59`	`var validEndpoints = httpContext.GetValidEndpoints(_logger, _options.Value.OpenId!.Claims!.AdminClaims!, _options.Value.OpenId!.Claims!.UserClaims!);`
`60`		`- var result = validEndpoints.Any(e => e.Equals(controller, StringComparison.InvariantCultureIgnoreCase)) \|\| validEndpoints.Contains("all");`
	`60`	`+ var result = validEndpoints.Any(e => e.Equals(controller, StringComparison.InvariantCultureIgnoreCase)) \|\| validEndpoints.Contains("*");`
`61`	`61`
`62`	`62`	`if (result is false)`
`63`	`63`	`{`
Original file line number	Diff line number	Diff line change
`@@ -1,28 +1,28 @@`
`1`	`1`	`{`
`2`	`2`	`"MonaiDeployAuthentication": {`
`3`		`- "BypassAuthentication": false,`
`4`		`- "OpenId": {`
`5`		`- "ServerRealm": "TEST-REALM",`
`6`		`- "ServerRealmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",`
`7`		`- "Audiences": [ "monai-app" ],`
`8`		`- "ClientId": "monai-app-test",`
`9`		`- "ClaimMappings": {`
`10`		`- "UserClaims": [`
	`3`	`+ "bypassAuthentication": false,`
	`4`	`+ "openId": {`
	`5`	`+ "realm": "TEST-REALM",`
	`6`	`+ "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",`
	`7`	`+ "audiences": [ "monai-app" ],`
	`8`	`+ "clientId": "monai-app-test",`
	`9`	`+ "claimMappings": {`
	`10`	`+ "userClaims": [`
`11`	`11`	`{`
`12`	`12`	`"claim": "user_roles",`
`13`		`- "role": "role-with-test",`
	`13`	`+ "roles": [ "role-with-test" ],`
`14`	`14`	`"endpoints": [ "test" ]`
`15`	`15`	`},`
`16`	`16`	`{`
`17`	`17`	`"claim": "user_roles",`
`18`		`- "roles": "role-without-test",`
	`18`	`+ "roles": [ "role-without-test" ],`
`19`	`19`	`"endpoints": [ "no-test" ]`
`20`	`20`	`}`
`21`	`21`	`],`
`22`		`- "AdminClaims": [`
	`22`	`+ "adminClaims": [`
`23`	`23`	`{`
`24`	`24`	`"claim": "user_roles",`
`25`		`- "role": "monai-role-admin"`
	`25`	`+ "roles": [ "monai-role-admin" ]`
`26`	`26`	`}`
`27`	`27`	`]`
`28`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,18 +10,19 @@`
`10`	`10`	`"UserClaims": [`
`11`	`11`	`{`
`12`	`12`	`"claim": "user_roles",`
`13`		`- "role": "monai-deploy-user",`
	`13`	`+ "roles": [ "monai-deploy-user" ],`
`14`	`14`	`"endpoints": [ "test" ]`
`15`	`15`	`},`
`16`	`16`	`{`
`17`		`- "user_roles": "pacs-admins",`
	`17`	`+ "user_roles": "user_roles",`
	`18`	`+ "roles": [ "pacs-admins" ],`
`18`	`19`	`"endpoints": [ "config" ]`
`19`	`20`	`}`
`20`	`21`	`],`
`21`	`22`	`"AdminClaims": [`
`22`	`23`	`{`
`23`	`24`	`"claim": "user_roles",`
`24`		`- "role": "monai-role-admin"`
	`25`	`+ "role": [ "monai-role-admin" ]`
`25`	`26`	`}`
`26`	`27`	`]`
`27`	`28`	`}`