OpenIddict implementation, role section, override scope and role key

Eits-Ian · Eits-Ian · commit a23ffc1580e2 · 2021-02-07T18:09:06.000Z
"ScopeKey": "oi_scp" to enable OpenIddict
"RequiredRole": [ "User" ]
diff --git a/src/Ocelot/Authorization/IRolesAuthorizer.cs b/src/Ocelot/Authorization/IRolesAuthorizer.cs
@@ -0,0 +1,11 @@
+﻿using System.Collections.Generic;
+using System.Security.Claims;
+using Ocelot.Responses;
+
+namespace Ocelot.Authorization
+{
+    public interface IRolesAuthorizer
+    {
+        Response<bool> Authorize(ClaimsPrincipal claimsPrincipal, List<string> routeRequiredRole, string roleKey);
+    }
+}
diff --git a/src/Ocelot/Authorization/IScopesAuthorizer.cs b/src/Ocelot/Authorization/IScopesAuthorizer.cs
@@ -7,6 +7,6 @@ namespace Ocelot.Authorization
 
     public interface IScopesAuthorizer
     {
-        Response<bool> Authorize(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes);
+        Response<bool> Authorize(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes, string scopeKey);
     }
 }
diff --git a/src/Ocelot/Authorization/Middleware/AuthorizationMiddleware.cs b/src/Ocelot/Authorization/Middleware/AuthorizationMiddleware.cs
@@ -13,18 +13,22 @@ public class AuthorizationMiddleware : OcelotMiddleware
         private readonly RequestDelegate _next;
         private readonly IClaimsAuthorizer _claimsAuthorizer;
         private readonly IScopesAuthorizer _scopesAuthorizer;
+        private readonly IRolesAuthorizer _rolesAuthorizer;
 
         public AuthorizationMiddleware(RequestDelegate next,
             IClaimsAuthorizer claimsAuthorizer,
             IScopesAuthorizer scopesAuthorizer,
+            IRolesAuthorizer rolesAuthorizer, 
             IOcelotLoggerFactory loggerFactory)
             : base(loggerFactory.CreateLogger<AuthorizationMiddleware>())
         {
             _next = next;
             _claimsAuthorizer = claimsAuthorizer;
             _scopesAuthorizer = scopesAuthorizer;
         }
-
+        // Note roles is a duplicate of scopes - should refactor based on type
+        // Note scopes and roles are processed as OR
+        // todo create logic to process policies that we use in the API
         public async Task Invoke(HttpContext httpContext)
         {
             var downstreamRoute = httpContext.Items.DownstreamRoute();
@@ -33,7 +37,7 @@ public async Task Invoke(HttpContext httpContext)
             {
                 Logger.LogInformation("route is authenticated scopes must be checked");
 
-                var authorized = _scopesAuthorizer.Authorize(httpContext.User, downstreamRoute.AuthenticationOptions.AllowedScopes);
+                var authorized = _scopesAuthorizer.Authorize(httpContext.User, downstreamRoute.AuthenticationOptions.AllowedScopes, downstreamRoute.AuthenticationOptions.ScopeKey);
 
                 if (authorized.IsError)
                 {
@@ -56,6 +60,33 @@ public async Task Invoke(HttpContext httpContext)
                 }
             }
 
+            if (!IsOptionsHttpMethod(httpContext) && IsAuthenticatedRoute(downstreamRoute))
+            {
+                Logger.LogInformation("route and scope is authenticated role must be checked");
+
+                var authorizedRole = _rolesAuthorizer.Authorize(httpContext.User, downstreamRoute.AuthenticationOptions.RequiredRole, downstreamRoute.AuthenticationOptions.RoleKey);
+
+                if (authorizedRole.IsError)
+                {
+                    Logger.LogWarning("error authorizing user roles");
+
+                    httpContext.Items.UpsertErrors(authorizedRole.Errors);
+                    return;
+                }
+
+                if (IsAuthorized(authorizedRole))
+                {
+                    Logger.LogInformation("user has the required role and is authorized calling next authorization checks");
+                }
+                else
+                {
+                    Logger.LogWarning("user does not have the required role and is not authorized setting pipeline error");
+
+                    httpContext.Items.SetError(new UnauthorizedError(
+                        $"{httpContext.User.Identity.Name} unable to access {downstreamRoute.UpstreamPathTemplate.OriginalValue}"));
+                }
+            }
+
             if (!IsOptionsHttpMethod(httpContext) && IsAuthorizedRoute(downstreamRoute))
             {
                 Logger.LogInformation("route is authorized");
diff --git a/src/Ocelot/Authorization/RolesAuthorizer.cs b/src/Ocelot/Authorization/RolesAuthorizer.cs
@@ -0,0 +1,47 @@
+﻿using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using Ocelot.Infrastructure.Claims.Parser;
+using Ocelot.Responses;
+
+namespace Ocelot.Authorization
+{
+    public class RolesAuthorizer : IRolesAuthorizer
+    {
+        private readonly IClaimsParser _claimsParser;
+
+        public RolesAuthorizer(IClaimsParser claimsParser)
+        {
+            _claimsParser = claimsParser;
+        }
+
+        public Response<bool> Authorize(ClaimsPrincipal claimsPrincipal, List<string> routeRequiredRole, string roleKey)
+        {
+            if (routeRequiredRole == null || routeRequiredRole.Count == 0)
+            {
+                return new OkResponse<bool>(true);
+            }
+
+            roleKey ??= "role";
+
+            var values = _claimsParser.GetValuesByClaimType(claimsPrincipal.Claims, roleKey);
+
+            if (values.IsError)
+            {
+                return new ErrorResponse<bool>(values.Errors);
+            }
+
+            var userRoles = values.Data;
+
+            var matchedRoles = routeRequiredRole.Intersect(userRoles).ToList(); // Note this is an OR
+
+            if (matchedRoles.Count == 0)
+            {
+                return new ErrorResponse<bool>(
+                    new ScopeNotAuthorizedError($"no one user role: '{string.Join(",", userRoles)}' match with some allowed role: '{string.Join(",", routeRequiredRole)}'"));
+            }
+
+            return new OkResponse<bool>(true);
+        }
+    }
+}
diff --git a/src/Ocelot/Authorization/ScopesAuthorizer.cs b/src/Ocelot/Authorization/ScopesAuthorizer.cs
@@ -10,21 +10,21 @@ namespace Ocelot.Authorization
     public class ScopesAuthorizer : IScopesAuthorizer
     {
         private readonly IClaimsParser _claimsParser;
-        private readonly string _scope = "scope";
 
         public ScopesAuthorizer(IClaimsParser claimsParser)
         {
             _claimsParser = claimsParser;
         }
 
-        public Response<bool> Authorize(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes)
+        public Response<bool> Authorize(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes, string scopeKey)
         {
             if (routeAllowedScopes == null || routeAllowedScopes.Count == 0)
             {
                 return new OkResponse<bool>(true);
             }
 
-            var values = _claimsParser.GetValuesByClaimType(claimsPrincipal.Claims, _scope);
+            scopeKey ??= "scope";
+            var values = _claimsParser.GetValuesByClaimType(claimsPrincipal.Claims, scopeKey);
 
             if (values.IsError)
             {
diff --git a/src/Ocelot/Configuration/AuthenticationOptions.cs b/src/Ocelot/Configuration/AuthenticationOptions.cs
@@ -4,13 +4,21 @@ namespace Ocelot.Configuration
 {
     public class AuthenticationOptions
     {
-        public AuthenticationOptions(List<string> allowedScopes, string authenticationProviderKey)
+        public AuthenticationOptions(List<string> allowedScopes, List<string> requiredRole, string authenticationProviderKey, string scopeKey, string roleKey, string policyName)
         {
+            PolicyName = policyName;
             AllowedScopes = allowedScopes;
+            RequiredRole = requiredRole;
             AuthenticationProviderKey = authenticationProviderKey;
+            ScopeKey = scopeKey;
+            RoleKey = roleKey;
         }
 
         public List<string> AllowedScopes { get; private set; }
         public string AuthenticationProviderKey { get; private set; }
+        public List<string> RequiredRole { get; private set; }
+        public string ScopeKey { get; private set; }
+        public string RoleKey { get; private set; }
+        public string PolicyName { get; private set; }
     }
-}
+}
diff --git a/src/Ocelot/Configuration/Builder/AuthenticationOptionsBuilder.cs b/src/Ocelot/Configuration/Builder/AuthenticationOptionsBuilder.cs
@@ -5,12 +5,23 @@ namespace Ocelot.Configuration.Builder
     public class AuthenticationOptionsBuilder
     {
         private List<string> _allowedScopes = new List<string>();
+        private List<string> _requiredRole = new List<string>();
         private string _authenticationProviderKey;
+        private string _roleKey;
+        private string _scopeKey;
+        private string _policyName;
+
 
         public AuthenticationOptionsBuilder WithAllowedScopes(List<string> allowedScopes)
         {
             _allowedScopes = allowedScopes;
             return this;
+        }
+
+        public AuthenticationOptionsBuilder WithRequiredRole(List<string> requiredRole)
+        {
+            _requiredRole = requiredRole;
+            return this;
         }
 
         public AuthenticationOptionsBuilder WithAuthenticationProviderKey(string authenticationProviderKey)
@@ -19,9 +30,25 @@ public AuthenticationOptionsBuilder WithAuthenticationProviderKey(string authent
             return this;
         }
 
+        public AuthenticationOptionsBuilder WithRoleKey(string roleKey)
+        {
+            _roleKey = roleKey;
+            return this;
+        }
+
+        public AuthenticationOptionsBuilder WithScopeKey(string scopeKey)
+        {
+            _scopeKey = scopeKey;
+            return this;
+        }
+        public AuthenticationOptionsBuilder WithPolicyName(string policyName)
+        {
+            _policyName = policyName;
+            return this;
+        }
         public AuthenticationOptions Build()
         {
-            return new AuthenticationOptions(_allowedScopes, _authenticationProviderKey);
+            return new AuthenticationOptions(_allowedScopes, _requiredRole, _authenticationProviderKey, _scopeKey, _roleKey, _policyName);
         }
     }
-}
+}
diff --git a/src/Ocelot/Configuration/Creator/AuthenticationOptionsCreator.cs b/src/Ocelot/Configuration/Creator/AuthenticationOptionsCreator.cs
@@ -6,7 +6,7 @@ public class AuthenticationOptionsCreator : IAuthenticationOptionsCreator
     {
         public AuthenticationOptions Create(FileRoute route)
         {
-            return new AuthenticationOptions(route.AuthenticationOptions.AllowedScopes, route.AuthenticationOptions.AuthenticationProviderKey);
+            return new AuthenticationOptions(route.AuthenticationOptions.AllowedScopes, route.AuthenticationOptions.RequiredRole, route.AuthenticationOptions.AuthenticationProviderKey, route.AuthenticationOptions.ScopeKey, route.AuthenticationOptions.RoleKey, route.AuthenticationOptions.PolicyName);
         }
     }
 }
diff --git a/src/Ocelot/Configuration/File/FileAuthenticationOptions.cs b/src/Ocelot/Configuration/File/FileAuthenticationOptions.cs
@@ -9,18 +9,35 @@ public class FileAuthenticationOptions
         public FileAuthenticationOptions()
         {
             AllowedScopes = new List<string>();
+            RequiredRole = new List<string>();
         }
 
         public string AuthenticationProviderKey { get; set; }
         public List<string> AllowedScopes { get; set; }
+        public List<string> RequiredRole { get; set; }
+        public string ScopeKey { get; set; }
+        public string RoleKey { get; set; }
+        public string PolicyName { get; set; }
 
         public override string ToString()
         {
             var sb = new StringBuilder();
             sb.Append($"{nameof(AuthenticationProviderKey)}:{AuthenticationProviderKey},{nameof(AllowedScopes)}:[");
             sb.AppendJoin(',', AllowedScopes);
             sb.Append("]");
+            sb.Append($",{nameof(RequiredRole)}:[");
+            sb.AppendJoin(',', RequiredRole);
+            sb.Append("]");
+            sb.Append($",{nameof(ScopeKey)}:[");
+            sb.AppendJoin(',', ScopeKey);
+            sb.Append("]");
+            sb.Append($",{nameof(RoleKey)}:[");
+            sb.AppendJoin(',', RoleKey);
+            sb.Append("]");
+            sb.Append($",{nameof(PolicyName)}:[");
+            sb.AppendJoin(',', PolicyName);
+            sb.Append("]");
             return sb.ToString();
         }
     }
-}
+}
diff --git a/test/Ocelot.UnitTests/Authorization/AuthorizationMiddlewareTests.cs b/test/Ocelot.UnitTests/Authorization/AuthorizationMiddlewareTests.cs
@@ -27,17 +27,19 @@ public class AuthorizationMiddlewareTests
         private readonly AuthorizationMiddleware _middleware;
         private RequestDelegate _next;
         private HttpContext _httpContext;
+        private readonly Mock<IRolesAuthorizer> _authRolesService;
 
         public AuthorizationMiddlewareTests()
         {
             _httpContext = new DefaultHttpContext();
             _authService = new Mock<IClaimsAuthorizer>();
             _authScopesService = new Mock<IScopesAuthorizer>();
+            _authRolesService = new Mock<IRolesAuthorizer>();
             _loggerFactory = new Mock<IOcelotLoggerFactory>();
             _logger = new Mock<IOcelotLogger>();
             _loggerFactory.Setup(x => x.CreateLogger<AuthorizationMiddleware>()).Returns(_logger.Object);
             _next = context => Task.CompletedTask;
-            _middleware = new AuthorizationMiddleware(_next, _authService.Object, _authScopesService.Object, _loggerFactory.Object);
+            _middleware = new AuthorizationMiddleware(_next, _authService.Object, _authScopesService.Object,_authRolesService.Object, _loggerFactory.Object);
         }
 
         [Fact]
diff --git a/test/Ocelot.UnitTests/Infrastructure/RoleAuthorizerTests.cs b/test/Ocelot.UnitTests/Infrastructure/RoleAuthorizerTests.cs
diff --git a/test/Ocelot.UnitTests/Infrastructure/ScopesAuthorizerTests.cs b/test/Ocelot.UnitTests/Infrastructure/ScopesAuthorizerTests.cs

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,6 @@ namespace Ocelot.Authorization`
`7`	`7`
`8`	`8`	`public interface IScopesAuthorizer`
`9`	`9`	`{`
`10`		`- Response<bool> Authorize(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes);`
	`10`	`+ Response<bool> Authorize(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes, string scopeKey);`
`11`	`11`	`}`
`12`	`12`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,21 +10,21 @@ namespace Ocelot.Authorization`
`10`	`10`	`public class ScopesAuthorizer : IScopesAuthorizer`
`11`	`11`	`{`
`12`	`12`	`private readonly IClaimsParser _claimsParser;`
`13`		`- private readonly string _scope = "scope";`
`14`	`13`
`15`	`14`	`public ScopesAuthorizer(IClaimsParser claimsParser)`
`16`	`15`	`{`
`17`	`16`	`_claimsParser = claimsParser;`
`18`	`17`	`}`
`19`	`18`
`20`		`- public Response<bool> Authorize(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes)`
	`19`	`+ public Response<bool> Authorize(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes, string scopeKey)`
`21`	`20`	`{`
`22`	`21`	`if (routeAllowedScopes == null \|\| routeAllowedScopes.Count == 0)`
`23`	`22`	`{`
`24`	`23`	`return new OkResponse<bool>(true);`
`25`	`24`	`}`
`26`	`25`
`27`		`- var values = _claimsParser.GetValuesByClaimType(claimsPrincipal.Claims, _scope);`
	`26`	`+ scopeKey ??= "scope";`
	`27`	`+ var values = _claimsParser.GetValuesByClaimType(claimsPrincipal.Claims, scopeKey);`
`28`	`28`
`29`	`29`	`if (values.IsError)`
`30`	`30`	`{`
Original file line number	Diff line number	Diff line change
`@@ -4,13 +4,21 @@ namespace Ocelot.Configuration`
`4`	`4`	`{`
`5`	`5`	`public class AuthenticationOptions`
`6`	`6`	`{`
`7`		`- public AuthenticationOptions(List<string> allowedScopes, string authenticationProviderKey)`
	`7`	`+ public AuthenticationOptions(List<string> allowedScopes, List<string> requiredRole, string authenticationProviderKey, string scopeKey, string roleKey, string policyName)`
`8`	`8`	`{`
	`9`	`+ PolicyName = policyName;`
`9`	`10`	`AllowedScopes = allowedScopes;`
	`11`	`+ RequiredRole = requiredRole;`
`10`	`12`	`AuthenticationProviderKey = authenticationProviderKey;`
	`13`	`+ ScopeKey = scopeKey;`
	`14`	`+ RoleKey = roleKey;`
`11`	`15`	`}`
`12`	`16`
`13`	`17`	`public List<string> AllowedScopes { get; private set; }`
`14`	`18`	`public string AuthenticationProviderKey { get; private set; }`
	`19`	`+ public List<string> RequiredRole { get; private set; }`
	`20`	`+ public string ScopeKey { get; private set; }`
	`21`	`+ public string RoleKey { get; private set; }`
	`22`	`+ public string PolicyName { get; private set; }`
`15`	`23`	`}`
`16`		`-}`
	`24`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ public class AuthenticationOptionsCreator : IAuthenticationOptionsCreator`
`6`	`6`	`{`
`7`	`7`	`public AuthenticationOptions Create(FileRoute route)`
`8`	`8`	`{`
`9`		`- return new AuthenticationOptions(route.AuthenticationOptions.AllowedScopes, route.AuthenticationOptions.AuthenticationProviderKey);`
	`9`	`+ return new AuthenticationOptions(route.AuthenticationOptions.AllowedScopes, route.AuthenticationOptions.RequiredRole, route.AuthenticationOptions.AuthenticationProviderKey, route.AuthenticationOptions.ScopeKey, route.AuthenticationOptions.RoleKey, route.AuthenticationOptions.PolicyName);`
`10`	`10`	`}`
`11`	`11`	`}`
`12`	`12`	`}`