Add test cases

Signed-off-by: Victor Chang <vicchang@nvidia.com>

Author: mocsharp

src/Authentication/Configurations/AuthenticationOptions.cs

@@ -44,10 +44,6 @@ public bool BypassAuth(ILogger logger)
             {
                 throw new InvalidOperationException("openId configuration is invalid.");
             }
-            if (OpenId.Claims is null || OpenId.Claims.UserClaims!.IsNullOrEmpty() || OpenId.Claims.AdminClaims!.IsNullOrEmpty())
-            {
-                throw new InvalidOperationException("No claimMappings defined for OpenId.");
-            }
             if (string.IsNullOrWhiteSpace(OpenId.ClientId))
             {
                 throw new InvalidOperationException("No clientId defined for OpenId.");
@@ -60,8 +56,44 @@ public bool BypassAuth(ILogger logger)
             {
                 throw new InvalidOperationException("No realm defined for OpenId.");
             }
+            if (OpenId.Claims is null || OpenId.Claims.UserClaims!.IsNullOrEmpty() || OpenId.Claims.AdminClaims!.IsNullOrEmpty())
+            {
+                throw new InvalidOperationException("No claimMappings defined for OpenId.");
+            }
+
+            ValidateClaims(OpenId.Claims.UserClaims!, true);
+            ValidateClaims(OpenId.Claims.AdminClaims!, false);
 
             return false;
         }
+
+        private void ValidateClaims(List<ClaimMapping> claims, bool validateEndpoints)
+        {
+            foreach (var claim in claims)
+            {
+                if (string.IsNullOrWhiteSpace(claim.ClaimType))
+                {
+                    throw new InvalidOperationException("Value for claimType is invalid.");
+                }
+
+                if (claim.ClaimValues.IsNullOrEmpty())
+                {
+                    throw new InvalidOperationException("Value for claimType is invalid.");
+                }
+
+                foreach (var claimValue in claim.ClaimValues)
+                {
+                    if (string.IsNullOrWhiteSpace(claimValue))
+                    {
+                        throw new InvalidOperationException($"Invalid claimValue for {claim.ClaimType}.");
+                    }
+                }
+
+                if (validateEndpoints && claim.Endpoints.IsNullOrEmpty())
+                {
+                    throw new InvalidOperationException("Value for claimType is invalid.");
+                }
+            }
+        }
     }
 }

src/Authentication/Configurations/OpenIdOptions.cs

@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 
+using System.Security.Claims;
 using Microsoft.Extensions.Configuration;
 
 namespace Monai.Deploy.Security.Authentication.Configurations
@@ -36,6 +37,9 @@ public class OpenIdOptions
         public IList<string>? Audiences { get; set; }
 
         [ConfigurationKeyName("roleClaimType")]
-        public string RoleClaimType { get; set; } = "roles";
+        public string RoleClaimType { get; set; } = ClaimTypes.Role;
+
+        [ConfigurationKeyName("clearDefaultRoleMappigns")]
+        public bool ClearDefaultRoleMappigns { get; set; } = true;
     }
 }

src/Authentication/Extensions/MonaiAuthenticationExtensions.cs

@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 
+using System.IdentityModel.Tokens.Jwt;
 using System.Text;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
@@ -48,29 +49,36 @@ public static IServiceCollection AddMonaiAuthentication(
                 return services;
             }
 
-            services.AddAuthentication(options =>
+            if (configurations.Value.OpenId?.ClearDefaultRoleMappigns ?? false)
             {
-                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
-                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
-            })
-            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, AuthKeys.OpenId, options =>
-            {
-                options.Authority = configurations.Value.OpenId!.Realm;
-                options.Audience = configurations.Value.OpenId!.Realm;
-                options.RequireHttpsMetadata = false;
+                JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("role");
+                JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("roles");
+            }
 
-                options.TokenValidationParameters = new TokenValidationParameters
+            services
+                .AddAuthentication(options =>
                 {
-                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configurations.Value.OpenId!.RealmKey!)),
-                    RoleClaimType = configurations.Value.OpenId.RoleClaimType,
-                    ValidIssuer = configurations.Value.OpenId.Realm,
-                    ValidAudiences = configurations.Value.OpenId.Audiences,
-                    ValidateIssuerSigningKey = true,
-                    ValidateIssuer = true,
-                    ValidateLifetime = true,
-                    ValidateAudience = true,
-                };
-            });
+                    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
+                    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+                })
+                .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, AuthKeys.OpenId, options =>
+                {
+                    options.Authority = configurations.Value.OpenId!.Realm;
+                    options.Audience = configurations.Value.OpenId!.Realm;
+                    options.RequireHttpsMetadata = false;
+
+                    options.TokenValidationParameters = new TokenValidationParameters
+                    {
+                        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configurations.Value.OpenId!.RealmKey!)),
+                        RoleClaimType = configurations.Value.OpenId.RoleClaimType,
+                        ValidIssuer = configurations.Value.OpenId.Realm,
+                        ValidAudiences = configurations.Value.OpenId.Audiences,
+                        ValidateIssuerSigningKey = true,
+                        ValidateIssuer = true,
+                        ValidateLifetime = true,
+                        ValidateAudience = true,
+                    };
+                });
 
             services.AddAuthorization();
             return services;

src/Authentication/Tests/EndpointAuthorizationMiddlewareTest.cs

@@ -32,6 +32,10 @@ public partial class EndpointAuthorizationMiddlewareTest
         [InlineData("test.auth-noclientid.json")]
         [InlineData("test.auth-norealm.json")]
         [InlineData("test.auth-norealmkey.json")]
+        [InlineData("test.auth-noclaimtype.json")]
+        [InlineData("test.auth-noclaimvalues.json")]
+        [InlineData("test.auth-whitespaceclaimvalues.json")]
+        [InlineData("test.auth-noendpoints.json")]
         public async Task GivenConfigurationFilesIsBad_ExpectExceptionToBeThrown(string configFile)
         {
             await Assert.ThrowsAsync<InvalidOperationException>(async () =>

src/Authentication/Tests/test.auth-noclaimtype.json

@@ -0,0 +1,27 @@
+{
+  "MonaiDeployAuthentication": {
+    "bypassAuthentication": false,
+    "openId": {
+      "realm": "TEST-REALM",
+      "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",
+      "audiences": [ "monai-app" ],
+      "roleClaimType": "roles",
+      "clientId": "monai-app-test",
+      "claimMappings": {
+        "userClaims": [
+          {
+            "claimType": "",
+            "claimValues": [ "role-with-test" ],
+            "endpoints": [ "test" ]
+          }
+        ],
+        "adminClaims": [
+          {
+            "claimType": "",
+            "claimValues": [ "monai-role-admin" ]
+          }
+        ]
+      }
+    }
+  }
+}

src/Authentication/Tests/test.auth-noclaimvalues.json

@@ -0,0 +1,25 @@
+{
+  "MonaiDeployAuthentication": {
+    "bypassAuthentication": false,
+    "openId": {
+      "realm": "TEST-REALM",
+      "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",
+      "audiences": [ "monai-app" ],
+      "roleClaimType": "roles",
+      "clientId": "monai-app-test",
+      "claimMappings": {
+        "userClaims": [
+          {
+            "claimType": "user_roles",
+            "endpoints": [ "test" ]
+          }
+        ],
+        "adminClaims": [
+          {
+            "claimType": "user_roles",
+          }
+        ]
+      }
+    }
+  }
+}

src/Authentication/Tests/test.auth-noendpoints.json

@@ -0,0 +1,26 @@
+{
+  "MonaiDeployAuthentication": {
+    "bypassAuthentication": false,
+    "openId": {
+      "realm": "TEST-REALM",
+      "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",
+      "audiences": [ "monai-app" ],
+      "roleClaimType": "roles",
+      "clientId": "monai-app-test",
+      "claimMappings": {
+        "userClaims": [
+          {
+            "claimType": "user_roles",
+            "claimValues": [ "role-with-test" ]
+          }
+        ],
+        "adminClaims": [
+          {
+            "claimType": "user_roles",
+            "claimValues": [ "monai-role-admin" ]
+          }
+        ]
+      }
+    }
+  }
+}

src/Authentication/Tests/test.auth-whitespaceclaimvalues.json

@@ -0,0 +1,27 @@
+{
+  "MonaiDeployAuthentication": {
+    "bypassAuthentication": false,
+    "openId": {
+      "realm": "TEST-REALM",
+      "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",
+      "audiences": [ "monai-app" ],
+      "roleClaimType": "roles",
+      "clientId": "monai-app-test",
+      "claimMappings": {
+        "userClaims": [
+          {
+            "claimType": "user_roles",
+            "claimValues": [ " " ],
+            "endpoints": [ "test" ]
+          }
+        ],
+        "adminClaims": [
+          {
+            "claimType": "user_roles",
+            "claimValues": [ " " ]
+          }
+        ]
+      }
+    }
+  }
+}