Set RoleClaimType override

Signed-off-by: Victor Chang <[email protected]>

Author: mocsharp

src/Authentication/Configurations/AuthenticationOptions.cs

@@ -42,23 +42,23 @@ public bool BypassAuth(ILogger logger)
 
             if (OpenId is null)
             {
-                throw new InvalidOperationException("OpenId configuration is invalid.");
+                throw new InvalidOperationException("openId configuration is invalid.");
             }
             if (OpenId.Claims is null || OpenId.Claims.UserClaims!.IsNullOrEmpty() || OpenId.Claims.AdminClaims!.IsNullOrEmpty())
             {
-                throw new InvalidOperationException("No claims defined for OpenId.");
+                throw new InvalidOperationException("No claimMappings defined for OpenId.");
             }
             if (string.IsNullOrWhiteSpace(OpenId.ClientId))
             {
-                throw new InvalidOperationException("No ClientId defined for OpenId.");
+                throw new InvalidOperationException("No clientId defined for OpenId.");
             }
-            if (string.IsNullOrWhiteSpace(OpenId.ServerRealmKey))
+            if (string.IsNullOrWhiteSpace(OpenId.RealmKey))
             {
-                throw new InvalidOperationException("No ServerRealmKey defined for OpenId.");
+                throw new InvalidOperationException("No realmKey defined for OpenId.");
             }
-            if (string.IsNullOrWhiteSpace(OpenId.ServerRealm))
+            if (string.IsNullOrWhiteSpace(OpenId.Realm))
             {
-                throw new InvalidOperationException("No ServerRealm defined for OpenId.");
+                throw new InvalidOperationException("No realm defined for OpenId.");
             }
 
             return false;

src/Authentication/Configurations/ClaimMappings.cs

@@ -29,11 +29,11 @@ public class ClaimMappings
 
     public class ClaimMapping
     {
-        [ConfigurationKeyName("claim")]
-        public string Claim { get; set; } = string.Empty;
+        [ConfigurationKeyName("claimType")]
+        public string ClaimType { get; set; } = string.Empty;
 
-        [ConfigurationKeyName("roles")]
-        public List<string> Roles { get; set; } = new List<string>();
+        [ConfigurationKeyName("claimValues")]
+        public List<string> ClaimValues { get; set; } = new List<string>();
 
         [ConfigurationKeyName("endpoints")]
         public List<string>? Endpoints { get; set; } = default;

src/Authentication/Configurations/OpenIdOptions.cs

@@ -21,10 +21,10 @@ namespace Monai.Deploy.Security.Authentication.Configurations
     public class OpenIdOptions
     {
         [ConfigurationKeyName("realm")]
-        public string? ServerRealm { get; set; }
+        public string? Realm { get; set; }
 
         [ConfigurationKeyName("realmKey")]
-        public string? ServerRealmKey { get; set; }
+        public string? RealmKey { get; set; }
 
         [ConfigurationKeyName("clientId")]
         public string? ClientId { get; set; }
@@ -34,5 +34,8 @@ public class OpenIdOptions
 
         [ConfigurationKeyName("audiences")]
         public IList<string>? Audiences { get; set; }
+
+        [ConfigurationKeyName("roleClaimType")]
+        public string RoleClaimType { get; set; } = "roles";
     }
 }

src/Authentication/Extensions/HttpContextExtension.cs

@@ -43,10 +43,10 @@ public static List<string> GetValidEndpoints(this HttpContext httpContext, ILogg
 
             foreach (var claim in adminClaims!)
             {
-                foreach (var role in claim.Roles)
+                foreach (var role in claim.ClaimValues)
                 {
-                    logger.CheckingUserClaim(claim.Claim, role);
-                    if (httpContext.User.HasClaim(claim.Claim, role))
+                    logger.CheckingUserClaim(claim.ClaimType, role);
+                    if (httpContext.User.HasClaim(claim.ClaimType, role))
                     {
                         return new List<string> { "*" };
                     }
@@ -56,10 +56,10 @@ public static List<string> GetValidEndpoints(this HttpContext httpContext, ILogg
             var endpoints = new List<string>();
             foreach (var claim in userClaims!)
             {
-                foreach (var role in claim.Roles)
+                foreach (var role in claim.ClaimValues)
                 {
-                    logger.CheckingUserClaim(claim.Claim, role);
-                    if (httpContext.User.HasClaim(claim.Claim, role))
+                    logger.CheckingUserClaim(claim.ClaimType, role);
+                    if (httpContext.User.HasClaim(claim.ClaimType, role))
                     {
                         endpoints.AddRange(claim.Endpoints!);
                     }

src/Authentication/Extensions/MonaiAuthenticationExtensions.cs

@@ -55,14 +55,15 @@ public static IServiceCollection AddMonaiAuthentication(
             })
             .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, AuthKeys.OpenId, options =>
             {
-                options.Authority = configurations.Value.OpenId!.ServerRealm;
-                options.Audience = configurations.Value.OpenId!.ServerRealm;
+                options.Authority = configurations.Value.OpenId!.Realm;
+                options.Audience = configurations.Value.OpenId!.Realm;
                 options.RequireHttpsMetadata = false;
 
                 options.TokenValidationParameters = new TokenValidationParameters
                 {
-                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configurations.Value.OpenId!.ServerRealmKey!)),
-                    ValidIssuer = configurations.Value.OpenId.ServerRealm,
+                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configurations.Value.OpenId!.RealmKey!)),
+                    RoleClaimType = configurations.Value.OpenId.RoleClaimType,
+                    ValidIssuer = configurations.Value.OpenId.Realm,
                     ValidAudiences = configurations.Value.OpenId.Audiences,
                     ValidateIssuerSigningKey = true,
                     ValidateIssuer = true,

src/Authentication/Tests/EndpointAuthorizationMiddlewareTest.cs

@@ -28,6 +28,10 @@ public partial class EndpointAuthorizationMiddlewareTest
         [Theory]
         [InlineData("test.noauth.json")]
         [InlineData("test.emptyopenid.json")]
+        [InlineData("test.auth-noclaims.json")]
+        [InlineData("test.auth-noclientid.json")]
+        [InlineData("test.auth-norealm.json")]
+        [InlineData("test.auth-norealmkey.json")]
         public async Task GivenConfigurationFilesIsBad_ExpectExceptionToBeThrown(string configFile)
         {
             await Assert.ThrowsAsync<InvalidOperationException>(async () =>

src/Authentication/Tests/test.auth-noclaims.json

@@ -0,0 +1,12 @@
+{
+  "MonaiDeployAuthentication": {
+    "bypassAuthentication": false,
+    "openId": {
+      "realm": "TEST-REALM",
+      "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",
+      "audiences": [ "monai-app" ],
+      "roleClaimType": "roles",
+      "clientId": "monai-app-test"
+    }
+  }
+}

src/Authentication/Tests/test.auth-noclientid.json

@@ -0,0 +1,31 @@
+{
+  "MonaiDeployAuthentication": {
+    "bypassAuthentication": false,
+    "openId": {
+      "realm": "TEST-REALM",
+      "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",
+      "audiences": [ "monai-app" ],
+      "roleClaimType": "roles",
+      "claimMappings": {
+        "userClaims": [
+          {
+            "claimType": "user_roles",
+            "claimValues": [ "role-with-test" ],
+            "endpoints": [ "test" ]
+          },
+          {
+            "claimType": "user_roles",
+            "claimValues": [ "role-without-test" ],
+            "endpoints": [ "no-test" ]
+          }
+        ],
+        "adminClaims": [
+          {
+            "claimType": "user_roles",
+            "claimValues": [ "monai-role-admin" ]
+          }
+        ]
+      }
+    }
+  }
+}

src/Authentication/Tests/test.auth-norealm.json

@@ -0,0 +1,31 @@
+{
+  "MonaiDeployAuthentication": {
+    "bypassAuthentication": false,
+    "openId": {
+      "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",
+      "audiences": [ "monai-app" ],
+      "roleClaimType": "roles",
+      "clientId": "monai-app-test",
+      "claimMappings": {
+        "userClaims": [
+          {
+            "claimType": "user_roles",
+            "claimValues": [ "role-with-test" ],
+            "endpoints": [ "test" ]
+          },
+          {
+            "claimType": "user_roles",
+            "claimValues": [ "role-without-test" ],
+            "endpoints": [ "no-test" ]
+          }
+        ],
+        "adminClaims": [
+          {
+            "claimType": "user_roles",
+            "claimValues": [ "monai-role-admin" ]
+          }
+        ]
+      }
+    }
+  }
+}

src/Authentication/Tests/test.auth-norealmkey.json

@@ -0,0 +1,31 @@
+{
+  "MonaiDeployAuthentication": {
+    "bypassAuthentication": false,
+    "openId": {
+      "realm": "TEST-REALM",
+      "audiences": [ "monai-app" ],
+      "roleClaimType": "roles",
+      "clientId": "monai-app-test",
+      "claimMappings": {
+        "userClaims": [
+          {
+            "claimType": "user_roles",
+            "claimValues": [ "role-with-test" ],
+            "endpoints": [ "test" ]
+          },
+          {
+            "claimType": "user_roles",
+            "claimValues": [ "role-without-test" ],
+            "endpoints": [ "no-test" ]
+          }
+        ],
+        "adminClaims": [
+          {
+            "claimType": "user_roles",
+            "claimValues": [ "monai-role-admin" ]
+          }
+        ]
+      }
+    }
+  }
+}