Merge pull request #288 from microsoft/dev

reworked adapter authorization +resetdemo
microsoft · Oct 19, 2021 · 94b58dd · 94b58dd
2 parents f4f3871 + 533546c
commit 94b58dd
Show file tree

Hide file tree

Showing 95 changed files with 2,098 additions and 1,267 deletions.
diff --git a/deploy/bicep/main.bicep b/deploy/bicep/main.bicep
@@ -159,6 +159,4 @@ output configServiceImport object = {
   'Endpoint:Orchestrator:AuthCode': orchestrator.outputs.key
   'Encryption:KeyStorage': storage_wj.outputs.connectionString
   'Audit:ConnectionString': storage_wj.outputs.connectionString
-  'Adapter:Session:Storage:ConnectoinString': storage_wj.outputs.connectionString
-  'Adapter:Token:Storage:ConnectionString': storage_wj.outputs.connectionString
 }
diff --git a/openapi/openapi.json b/openapi/openapi.json
@@ -1069,16 +1069,15 @@
         "operationId": "GetDeploymentScope",
         "parameters": [
           {
-            "name": "deploymentScopeId",
+            "name": "organizationId",
             "in": "path",
             "required": true,
             "schema": {
-              "type": "string",
-              "nullable": true
+              "type": "string"
             }
           },
           {
-            "name": "organizationId",
+            "name": "deploymentScopeId",
             "in": "path",
             "required": true,
             "schema": {
@@ -1133,16 +1132,15 @@
         "operationId": "UpdateDeploymentScope",
         "parameters": [
           {
-            "name": "deploymentScopeId",
+            "name": "organizationId",
             "in": "path",
             "required": true,
             "schema": {
-              "type": "string",
-              "nullable": true
+              "type": "string"
             }
           },
           {
-            "name": "organizationId",
+            "name": "deploymentScopeId",
             "in": "path",
             "required": true,
             "schema": {
@@ -1206,16 +1204,15 @@
         "operationId": "DeleteDeploymentScope",
         "parameters": [
           {
-            "name": "deploymentScopeId",
+            "name": "organizationId",
             "in": "path",
             "required": true,
             "schema": {
-              "type": "string",
-              "nullable": true
+              "type": "string"
             }
           },
           {
-            "name": "organizationId",
+            "name": "deploymentScopeId",
             "in": "path",
             "required": true,
             "schema": {
@@ -1263,13 +1260,13 @@
         }
       }
     },
-    "/orgs/{organizationId}/scopes/{deploymentScopeId}/authorize": {
-      "put": {
+    "/orgs/{organizationId}/scopes/{deploymentScopeId}/authorize/initialize": {
+      "get": {
         "tags": [
-          "DeploymentScopes"
+          "DeploymentScopesAuthorization"
         ],
-        "summary": "Authorize an existing Deployment Scope.",
-        "operationId": "AuthorizeDeploymentScope",
+        "summary": "Initialize a new authorization session for a deployment scope.",
+        "operationId": "InitializeAuthorization",
         "parameters": [
           {
             "name": "organizationId",
@@ -1288,33 +1285,9 @@
             }
           }
         ],
-        "requestBody": {
-          "content": {
-            "application/json-patch+json": {
-              "schema": {
-                "$ref": "#/components/schemas/DeploymentScope"
-              }
-            },
-            "application/json": {
-              "schema": {
-                "$ref": "#/components/schemas/DeploymentScope"
-              }
-            },
-            "text/json": {
-              "schema": {
-                "$ref": "#/components/schemas/DeploymentScope"
-              }
-            },
-            "application/*+json": {
-              "schema": {
-                "$ref": "#/components/schemas/DeploymentScope"
-              }
-            }
-          }
-        },
         "responses": {
           "200": {
-            "description": "The DeploymentScope was updated.",
+            "description": "Returns the DeploymentScope that was initialized for an authorization session",
             "content": {
               "application/json": {
                 "schema": {
@@ -1333,16 +1306,6 @@
               }
             }
           },
-          "404": {
-            "description": "A DeploymentScope with the id provided was not found.",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/ErrorResult"
-                }
-              }
-            }
-          },
           "401": {
             "description": "Unauthorized"
           },

diff --git a/openapi/openapi.yaml b/openapi/openapi.yaml
@@ -662,13 +662,12 @@ paths:
       summary: Gets a Deployment Scope.
       operationId: GetDeploymentScope
       parameters:
-        - name: deploymentScopeId
+        - name: organizationId
           in: path
           required: true
           schema:
             type: string
-            nullable: true
-        - name: organizationId
+        - name: deploymentScopeId
           in: path
           required: true
           schema:
@@ -702,13 +701,12 @@ paths:
       summary: Updates an existing Deployment Scope.
       operationId: UpdateDeploymentScope
       parameters:
-        - name: deploymentScopeId
+        - name: organizationId
           in: path
           required: true
           schema:
             type: string
-            nullable: true
-        - name: organizationId
+        - name: deploymentScopeId
           in: path
           required: true
           schema:
@@ -747,13 +745,12 @@ paths:
       summary: Deletes a Deployment Scope.
       operationId: DeleteDeploymentScope
       parameters:
-        - name: deploymentScopeId
+        - name: organizationId
           in: path
           required: true
           schema:
             type: string
-            nullable: true
-        - name: organizationId
+        - name: deploymentScopeId
           in: path
           required: true
           schema:
@@ -781,12 +778,12 @@ paths:
           description: Unauthorized
         '403':
           description: Forbidden
-  '/orgs/{organizationId}/scopes/{deploymentScopeId}/authorize':
-    put:
+  '/orgs/{organizationId}/scopes/{deploymentScopeId}/authorize/initialize':
+    get:
       tags:
-        - DeploymentScopes
-      summary: Authorize an existing Deployment Scope.
-      operationId: AuthorizeDeploymentScope
+        - DeploymentScopesAuthorization
+      summary: Initialize a new authorization session for a deployment scope.
+      operationId: InitializeAuthorization
       parameters:
         - name: organizationId
           in: path
@@ -798,23 +795,9 @@ paths:
           required: true
           schema:
             type: string
-      requestBody:
-        content:
-          application/json-patch+json:
-            schema:
-              $ref: '#/components/schemas/DeploymentScope'
-          application/json:
-            schema:
-              $ref: '#/components/schemas/DeploymentScope'
-          text/json:
-            schema:
-              $ref: '#/components/schemas/DeploymentScope'
-          application/*+json:
-            schema:
-              $ref: '#/components/schemas/DeploymentScope'
       responses:
         '200':
-          description: The DeploymentScope was updated.
+          description: Returns the DeploymentScope that was initialized for an authorization session
           content:
             application/json:
               schema:
@@ -825,12 +808,6 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/ErrorResult'
-        '404':
-          description: A DeploymentScope with the id provided was not found.
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResult'
         '401':
           description: Unauthorized
         '403':

diff --git a/src/GlobalExtensions.cs b/src/GlobalExtensions.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Reflection;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.RegularExpressions;
@@ -10,6 +11,20 @@ namespace TeamCloud
 {
     internal static class GlobalExtensions
     {
+        internal static string ToHexString(this byte[] bytes)
+        {
+            var builder = new StringBuilder(bytes.Length * 2);
+
+            foreach (byte b in bytes)
+                builder.AppendFormat("{0:x2}", b);
+
+            return builder.ToString();
+        }
+
+        internal static bool HasCustomAttribute<T>(this MemberInfo memberInfo, bool inherit)
+            where T: Attribute
+            => memberInfo is null ? throw new ArgumentNullException(nameof(memberInfo)) : memberInfo.GetCustomAttributes(typeof(T), inherit).Any();
+
         internal static void Add(this List<Task> tasks, Func<Task> callback)
         {
             if (tasks is null)

diff --git a/src/TeamCloud.API/Auth/AuthExtensions.cs b/src/TeamCloud.API/Auth/AuthExtensions.cs
@@ -9,8 +9,10 @@
 using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
+using TeamCloud.API.Auth.Schemes;
 using TeamCloud.API.Services;
 using TeamCloud.Data;
 using TeamCloud.Model.Data;
@@ -117,6 +119,21 @@ internal static IServiceCollection AddTeamCloudAuthorization(this IServiceCollec
                                            ProjectUserRole.Admin.AuthPolicy(),
                                            UserRolePolicies.ScheduleWritePolicy);
                     });
+
+                    options.AddPolicy(AuthPolicies.AdapterAuthorizationInit, policy =>
+                    {
+                        policy.RequireRole(OrganizationUserRole.Owner.AuthPolicy(),
+                                           OrganizationUserRole.Admin.AuthPolicy());
+                    });
+
+                    options.AddPolicy(AuthPolicies.AdapterAuthorizationFlow, policy =>
+                    {
+                        policy.AddAuthenticationSchemes(AdapterAuthenticationDefaults.AuthenticationScheme);
+
+                        policy.RequireRole(OrganizationUserRole.Owner.AuthPolicy(),
+                                           OrganizationUserRole.Admin.AuthPolicy(),
+                                           OrganizationUserRole.Adapter.AuthPolicy());
+                    });
                 });
 
             return services;
@@ -145,7 +162,7 @@ internal static async Task<IEnumerable<Claim>> ResolveClaimsAsync(this HttpConte
                 return claims;
 
             var userRepository = httpContext.RequestServices
-                .GetRequiredService<IUserRepository>();
+                .GetRequiredService<TeamCloud.Data.IUserRepository>();
 
             var user = await userRepository
                 .GetAsync(organizationId, userId)

diff --git a/src/TeamCloud.API/Auth/AuthPolicies.cs b/src/TeamCloud.API/Auth/AuthPolicies.cs
@@ -22,7 +22,9 @@ public static class AuthPolicies
         public const string ProjectUserWrite = nameof(ProjectUserWrite);
 
         public const string ProjectComponentOwner = nameof(ProjectComponentOwner);
-
         public const string ProjectScheduleOwner = nameof(ProjectScheduleOwner);
+
+        public const string AdapterAuthorizationInit = nameof(AdapterAuthorizationInit);
+        public const string AdapterAuthorizationFlow = nameof(AdapterAuthorizationFlow);
     }
 }
diff --git a/src/TeamCloud.API/Auth/Schemes/AdapterAuthenticationDefaults.cs b/src/TeamCloud.API/Auth/Schemes/AdapterAuthenticationDefaults.cs
@@ -0,0 +1,17 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+
+namespace TeamCloud.API.Auth.Schemes
+{
+    public static class AdapterAuthenticationDefaults
+    {
+        public const string AuthenticationScheme = "Adapter";
+
+        public const string AuthenticationType = "Adapter";
+
+        public const string QueryParam = "ott";
+
+        public const string ClaimType = "ott";
+
+        public static readonly string CookiePrefix = CookieAuthenticationDefaults.CookiePrefix;
+    }
+}
diff --git a/src/TeamCloud.API/Auth/Schemes/AdapterAuthenticationExtensions.cs b/src/TeamCloud.API/Auth/Schemes/AdapterAuthenticationExtensions.cs
@@ -0,0 +1,24 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Options;
+using System;
+using System.Diagnostics;
+
+namespace TeamCloud.API.Auth.Schemes
+{
+    public static class AdapterAuthenticationExtensions
+    {
+        public static AuthenticationBuilder AddAdapterAuthentication(this AuthenticationBuilder authenticationBuilder)
+        {
+            authenticationBuilder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<IPostConfigureOptions<CookieAuthenticationOptions>, PostConfigureCookieAuthenticationOptions>());
+
+            return authenticationBuilder.AddScheme<CookieAuthenticationOptions, AdapterAuthenticationHandler>(AdapterAuthenticationDefaults.AuthenticationScheme, options =>
+            {
+                options.ExpireTimeSpan = TimeSpan.FromMinutes(5);
+                options.SlidingExpiration = true;
+            });
+        }
+    }
+}