Change configuration structure

mocsharp · mocsharp · commit efe5bd80618b · 2022-12-01T13:59:39.000-08:00
Signed-off-by: Victor Chang &lt;vicchang@nvidia.com&gt;
diff --git a/src/Authentication/Configurations/AuthenticationOptions.cs b/src/Authentication/Configurations/AuthenticationOptions.cs
@@ -44,7 +44,7 @@ public bool BypassAuth(ILogger logger)
             {
                 throw new InvalidOperationException("OpenId configuration is invalid.");
             }
-            if (OpenId.Claims is null || OpenId.Claims.RequiredUserClaims!.IsNullOrEmpty() || OpenId.Claims.RequiredAdminClaims!.IsNullOrEmpty())
+            if (OpenId.Claims is null || OpenId.Claims.UserClaims!.IsNullOrEmpty() || OpenId.Claims.AdminClaims!.IsNullOrEmpty())
             {
                 throw new InvalidOperationException("No claims defined for OpenId.");
             }
diff --git a/src/Authentication/Configurations/ClaimMappings.cs b/src/Authentication/Configurations/ClaimMappings.cs
@@ -18,21 +18,24 @@
 
 namespace Monai.Deploy.Security.Authentication.Configurations
 {
-    public class Claims
+    public class ClaimMappings
     {
-        [ConfigurationKeyName("RequiredUserClaims")]
-        public List<Claim>? RequiredUserClaims { get; set; }
+        [ConfigurationKeyName("UserClaims")]
+        public List<ClaimMapping>? UserClaims { get; set; }
 
-        [ConfigurationKeyName("RequiredAdminClaims")]
-        public List<Claim>? RequiredAdminClaims { get; set; }
+        [ConfigurationKeyName("AdminClaims")]
+        public List<ClaimMapping>? AdminClaims { get; set; }
     }
 
-    public class Claim
+    public class ClaimMapping
     {
-        [ConfigurationKeyName("user_roles")]
-        public string? UserRoles { get; set; }
+        [ConfigurationKeyName("claim")]
+        public string Claim { get; set; } = string.Empty;
+
+        [ConfigurationKeyName("role")]
+        public string Role { get; set; } = string.Empty;
 
         [ConfigurationKeyName("endpoints")]
-        public List<string>? Endpoints { get; set; }
+        public List<string>? Endpoints { get; set; } = default;
     }
 }
diff --git a/src/Authentication/Configurations/OpenIdOptions.cs b/src/Authentication/Configurations/OpenIdOptions.cs
@@ -29,8 +29,8 @@ public class OpenIdOptions
         [ConfigurationKeyName("ClientId")]
         public string? ClientId { get; set; }
 
-        [ConfigurationKeyName("Claims")]
-        public Claims? Claims { get; set; }
+        [ConfigurationKeyName("ClaimMappings")]
+        public ClaimMappings? Claims { get; set; }
 
         [ConfigurationKeyName("Audiences")]
         public IList<string>? Audiences { get; set; }
diff --git a/src/Authentication/Extensions/AuthKeys.cs b/src/Authentication/Extensions/AuthKeys.cs
@@ -25,6 +25,5 @@ public static class AuthKeys
 
         // Configuration Keys
         public const string OpenId = "OpenId";
-        public const string UserRoles = "user_roles";
     }
 }
diff --git a/src/Authentication/Extensions/HttpContextExtension.cs b/src/Authentication/Extensions/HttpContextExtension.cs
@@ -27,22 +27,22 @@ public static class HttpContextExtension
         /// <param name="httpcontext"></param>
         /// <param name="requiredClaims"></param>
         /// <returns></returns>
-        public static List<string> GetValidEndpoints(this HttpContext httpcontext, List<Configurations.Claim> adminClaims, List<Configurations.Claim> userClaims)
+        public static List<string> GetValidEndpoints(this HttpContext httpcontext, List<Configurations.ClaimMapping> adminClaims, List<Configurations.ClaimMapping> userClaims)
         {
             Guard.Against.Null(adminClaims);
             Guard.Against.Null(userClaims);
 
             foreach (var claim in adminClaims!)
             {
-                if (httpcontext.User.HasClaim(AuthKeys.UserRoles, claim.UserRoles!))
+                if (httpcontext.User.HasClaim(claim.Claim, claim.Role))
                 {
                     return new List<string> { "all" };
                 }
             }
 
             foreach (var claim in userClaims!)
             {
-                if (httpcontext.User.HasClaim(AuthKeys.UserRoles, claim.UserRoles!))
+                if (httpcontext.User.HasClaim(claim.Claim, claim.Role))
                 {
                     return claim.Endpoints!;
                 }
diff --git a/src/Authentication/Middleware/EndpointAuthorizationMiddleware.cs b/src/Authentication/Middleware/EndpointAuthorizationMiddleware.cs
@@ -56,7 +56,7 @@ public async Task InvokeAsync(HttpContext httpcontext)
                 if (httpcontext.GetRouteValue("controller") is string controller)
                 {
                     _logger.UserAccessingController(httpcontext.User.Identity.Name, controller);
-                    var validEndpoints = httpcontext.GetValidEndpoints(_options.Value.OpenId!.Claims!.RequiredAdminClaims!, _options.Value.OpenId!.Claims!.RequiredUserClaims!);
+                    var validEndpoints = httpcontext.GetValidEndpoints(_options.Value.OpenId!.Claims!.AdminClaims!, _options.Value.OpenId!.Claims!.UserClaims!);
                     var result = validEndpoints.Any(e => e.Equals(controller, StringComparison.InvariantCultureIgnoreCase)) || validEndpoints.Contains("all");
 
                     if (result is false)
diff --git a/src/Authentication/Tests/MockJwtTokenHandler.cs b/src/Authentication/Tests/MockJwtTokenHandler.cs
@@ -17,7 +17,6 @@
 using System.IdentityModel.Tokens.Jwt;
 using System.Text;
 using Microsoft.IdentityModel.Tokens;
-using Monai.Deploy.Security.Authentication.Extensions;
 using Claim = System.Security.Claims.Claim;
 
 namespace Monai.Deploy.Security.Authentication.Tests
@@ -30,7 +29,7 @@ public static class MockJwtTokenHandler
             public static SecurityKey SecurityKey { get; }
             public static SigningCredentials SigningCredentials { get; }
 
-            private static readonly JwtSecurityTokenHandler TokenHandler = new JwtSecurityTokenHandler();
+            private static readonly JwtSecurityTokenHandler TokenHandler = new();
 
             static MockJwtTokenHandler()
             {
@@ -40,7 +39,7 @@ static MockJwtTokenHandler()
 
             public static string GenerateJwtToken(string role)
             {
-                var claims = new[] { new Claim(AuthKeys.UserRoles, role) };
+                var claims = new[] { new Claim("user_roles", role) };
                 return TokenHandler.WriteToken(new JwtSecurityToken(Issuer, "monai-app", claims, null, DateTime.UtcNow.AddMinutes(20), SigningCredentials));
             }
         }
diff --git a/src/Authentication/Tests/test.auth.json b/src/Authentication/Tests/test.auth.json
@@ -6,19 +6,24 @@
       "ServerRealmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",
       "Audiences": [ "monai-app" ],
       "ClientId": "monai-app-test",
-      "Claims": {
-        "RequiredUserClaims": [
+      "ClaimMappings": {
+        "UserClaims": [
           {
-            "user_roles": "role-with-test",
+            "claim": "user_roles",
+            "role": "role-with-test",
             "endpoints": [ "test" ]
           },
           {
-            "user_roles": "role-without-test",
+            "claim": "user_roles",
+            "roles": "role-without-test",
             "endpoints": [ "no-test" ]
           }
         ],
-        "RequiredAdminClaims": [
-          { "user_roles": "monai-role-admin" }
+        "AdminClaims": [
+          {
+            "claim": "user_roles",
+            "role": "monai-role-admin"
+          }
         ]
       }
     }
diff --git a/src/Authentication/example.json b/src/Authentication/example.json
@@ -6,19 +6,23 @@
       "ServerRealmKey": "EncryptionKey",
       "ClientId": "monai-app",
       "Audiences": [ "monai-deploy" ],
-      "Claims": {
-        "RequiredUserClaims": [
+      "ClaimMappings": {
+        "UserClaims": [
           {
-            "user_roles": "monai-deploy-users",
-            "endpoints": [ "payloads", "workflows", "workflowinstances", "tasks" ]
+            "claim": "user_roles",
+            "role": "monai-deploy-user",
+            "endpoints": [ "test" ]
           },
           {
             "user_roles": "pacs-admins",
             "endpoints": [ "config" ]
           }
         ],
-        "RequiredAdminClaims": [
-          { "user_roles": "monai-role-admin" }
+        "AdminClaims": [
+          {
+            "claim": "user_roles",
+            "role": "monai-role-admin"
+          }
         ]
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ public bool BypassAuth(ILogger logger)`
`44`	`44`	`{`
`45`	`45`	`throw new InvalidOperationException("OpenId configuration is invalid.");`
`46`	`46`	`}`
`47`		`- if (OpenId.Claims is null \|\| OpenId.Claims.RequiredUserClaims!.IsNullOrEmpty() \|\| OpenId.Claims.RequiredAdminClaims!.IsNullOrEmpty())`
	`47`	`+ if (OpenId.Claims is null \|\| OpenId.Claims.UserClaims!.IsNullOrEmpty() \|\| OpenId.Claims.AdminClaims!.IsNullOrEmpty())`
`48`	`48`	`{`
`49`	`49`	`throw new InvalidOperationException("No claims defined for OpenId.");`
`50`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,21 +18,24 @@`
`18`	`18`
`19`	`19`	`namespace Monai.Deploy.Security.Authentication.Configurations`
`20`	`20`	`{`
`21`		`- public class Claims`
	`21`	`+ public class ClaimMappings`
`22`	`22`	`{`
`23`		`- [ConfigurationKeyName("RequiredUserClaims")]`
`24`		`- public List<Claim>? RequiredUserClaims { get; set; }`
	`23`	`+ [ConfigurationKeyName("UserClaims")]`
	`24`	`+ public List<ClaimMapping>? UserClaims { get; set; }`
`25`	`25`
`26`		`- [ConfigurationKeyName("RequiredAdminClaims")]`
`27`		`- public List<Claim>? RequiredAdminClaims { get; set; }`
	`26`	`+ [ConfigurationKeyName("AdminClaims")]`
	`27`	`+ public List<ClaimMapping>? AdminClaims { get; set; }`
`28`	`28`	`}`
`29`	`29`
`30`		`- public class Claim`
	`30`	`+ public class ClaimMapping`
`31`	`31`	`{`
`32`		`- [ConfigurationKeyName("user_roles")]`
`33`		`- public string? UserRoles { get; set; }`
	`32`	`+ [ConfigurationKeyName("claim")]`
	`33`	`+ public string Claim { get; set; } = string.Empty;`
	`34`	`+`
	`35`	`+ [ConfigurationKeyName("role")]`
	`36`	`+ public string Role { get; set; } = string.Empty;`
`34`	`37`
`35`	`38`	`[ConfigurationKeyName("endpoints")]`
`36`		`- public List<string>? Endpoints { get; set; }`
	`39`	`+ public List<string>? Endpoints { get; set; } = default;`
`37`	`40`	`}`
`38`	`41`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,5 @@ public static class AuthKeys`
`25`	`25`
`26`	`26`	`// Configuration Keys`
`27`	`27`	`public const string OpenId = "OpenId";`
`28`		`- public const string UserRoles = "user_roles";`
`29`	`28`	`}`
`30`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,22 +27,22 @@ public static class HttpContextExtension`
`27`	`27`	`/// <param name="httpcontext"></param>`
`28`	`28`	`/// <param name="requiredClaims"></param>`
`29`	`29`	`/// <returns></returns>`
`30`		`- public static List<string> GetValidEndpoints(this HttpContext httpcontext, List<Configurations.Claim> adminClaims, List<Configurations.Claim> userClaims)`
	`30`	`+ public static List<string> GetValidEndpoints(this HttpContext httpcontext, List<Configurations.ClaimMapping> adminClaims, List<Configurations.ClaimMapping> userClaims)`
`31`	`31`	`{`
`32`	`32`	`Guard.Against.Null(adminClaims);`
`33`	`33`	`Guard.Against.Null(userClaims);`
`34`	`34`
`35`	`35`	`foreach (var claim in adminClaims!)`
`36`	`36`	`{`
`37`		`- if (httpcontext.User.HasClaim(AuthKeys.UserRoles, claim.UserRoles!))`
	`37`	`+ if (httpcontext.User.HasClaim(claim.Claim, claim.Role))`
`38`	`38`	`{`
`39`	`39`	`return new List<string> { "all" };`
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`foreach (var claim in userClaims!)`
`44`	`44`	`{`
`45`		`- if (httpcontext.User.HasClaim(AuthKeys.UserRoles, claim.UserRoles!))`
	`45`	`+ if (httpcontext.User.HasClaim(claim.Claim, claim.Role))`
`46`	`46`	`{`
`47`	`47`	`return claim.Endpoints!;`
`48`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ public async Task InvokeAsync(HttpContext httpcontext)`
`56`	`56`	`if (httpcontext.GetRouteValue("controller") is string controller)`
`57`	`57`	`{`
`58`	`58`	`_logger.UserAccessingController(httpcontext.User.Identity.Name, controller);`
`59`		`- var validEndpoints = httpcontext.GetValidEndpoints(_options.Value.OpenId!.Claims!.RequiredAdminClaims!, _options.Value.OpenId!.Claims!.RequiredUserClaims!);`
	`59`	`+ var validEndpoints = httpcontext.GetValidEndpoints(_options.Value.OpenId!.Claims!.AdminClaims!, _options.Value.OpenId!.Claims!.UserClaims!);`
`60`	`60`	`var result = validEndpoints.Any(e => e.Equals(controller, StringComparison.InvariantCultureIgnoreCase)) \|\| validEndpoints.Contains("all");`
`61`	`61`
`62`	`62`	`if (result is false)`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,6 @@`
`17`	`17`	`using System.IdentityModel.Tokens.Jwt;`
`18`	`18`	`using System.Text;`
`19`	`19`	`using Microsoft.IdentityModel.Tokens;`
`20`		`-using Monai.Deploy.Security.Authentication.Extensions;`
`21`	`20`	`using Claim = System.Security.Claims.Claim;`
`22`	`21`
`23`	`22`	`namespace Monai.Deploy.Security.Authentication.Tests`
`@@ -30,7 +29,7 @@ public static class MockJwtTokenHandler`
`30`	`29`	`public static SecurityKey SecurityKey { get; }`
`31`	`30`	`public static SigningCredentials SigningCredentials { get; }`
`32`	`31`
`33`		`- private static readonly JwtSecurityTokenHandler TokenHandler = new JwtSecurityTokenHandler();`
	`32`	`+ private static readonly JwtSecurityTokenHandler TokenHandler = new();`
`34`	`33`
`35`	`34`	`static MockJwtTokenHandler()`
`36`	`35`	`{`
`@@ -40,7 +39,7 @@ static MockJwtTokenHandler()`
`40`	`39`
`41`	`40`	`public static string GenerateJwtToken(string role)`
`42`	`41`	`{`
`43`		`- var claims = new[] { new Claim(AuthKeys.UserRoles, role) };`
	`42`	`+ var claims = new[] { new Claim("user_roles", role) };`
`44`	`43`	`return TokenHandler.WriteToken(new JwtSecurityToken(Issuer, "monai-app", claims, null, DateTime.UtcNow.AddMinutes(20), SigningCredentials));`
`45`	`44`	`}`
`46`	`45`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,19 +6,24 @@`
`6`	`6`	`"ServerRealmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde",`
`7`	`7`	`"Audiences": [ "monai-app" ],`
`8`	`8`	`"ClientId": "monai-app-test",`
`9`		`- "Claims": {`
`10`		`- "RequiredUserClaims": [`
	`9`	`+ "ClaimMappings": {`
	`10`	`+ "UserClaims": [`
`11`	`11`	`{`
`12`		`- "user_roles": "role-with-test",`
	`12`	`+ "claim": "user_roles",`
	`13`	`+ "role": "role-with-test",`
`13`	`14`	`"endpoints": [ "test" ]`
`14`	`15`	`},`
`15`	`16`	`{`
`16`		`- "user_roles": "role-without-test",`
	`17`	`+ "claim": "user_roles",`
	`18`	`+ "roles": "role-without-test",`
`17`	`19`	`"endpoints": [ "no-test" ]`
`18`	`20`	`}`
`19`	`21`	`],`
`20`		`- "RequiredAdminClaims": [`
`21`		`- { "user_roles": "monai-role-admin" }`
	`22`	`+ "AdminClaims": [`
	`23`	`+ {`
	`24`	`+ "claim": "user_roles",`
	`25`	`+ "role": "monai-role-admin"`
	`26`	`+ }`
`22`	`27`	`]`
`23`	`28`	`}`
`24`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,19 +6,23 @@`
`6`	`6`	`"ServerRealmKey": "EncryptionKey",`
`7`	`7`	`"ClientId": "monai-app",`
`8`	`8`	`"Audiences": [ "monai-deploy" ],`
`9`		`- "Claims": {`
`10`		`- "RequiredUserClaims": [`
	`9`	`+ "ClaimMappings": {`
	`10`	`+ "UserClaims": [`
`11`	`11`	`{`
`12`		`- "user_roles": "monai-deploy-users",`
`13`		`- "endpoints": [ "payloads", "workflows", "workflowinstances", "tasks" ]`
	`12`	`+ "claim": "user_roles",`
	`13`	`+ "role": "monai-deploy-user",`
	`14`	`+ "endpoints": [ "test" ]`
`14`	`15`	`},`
`15`	`16`	`{`
`16`	`17`	`"user_roles": "pacs-admins",`
`17`	`18`	`"endpoints": [ "config" ]`
`18`	`19`	`}`
`19`	`20`	`],`
`20`		`- "RequiredAdminClaims": [`
`21`		`- { "user_roles": "monai-role-admin" }`
	`21`	`+ "AdminClaims": [`
	`22`	`+ {`
	`23`	`+ "claim": "user_roles",`
	`24`	`+ "role": "monai-role-admin"`
	`25`	`+ }`
`22`	`26`	`]`
`23`	`27`	`}`
`24`	`28`	`}`