diff --git a/src/Authentication/Configurations/AuthenticationOptions.cs b/src/Authentication/Configurations/AuthenticationOptions.cs index 6aee72c..32fba93 100644 --- a/src/Authentication/Configurations/AuthenticationOptions.cs +++ b/src/Authentication/Configurations/AuthenticationOptions.cs @@ -24,10 +24,10 @@ namespace Monai.Deploy.Security.Authentication.Configurations { public class AuthenticationOptions { - [ConfigurationKeyName("BypassAuthentication")] + [ConfigurationKeyName("bypassAuthentication")] public bool? BypassAuthentication { get; set; } - [ConfigurationKeyName("OpenId")] + [ConfigurationKeyName("openId")] public OpenIdOptions? OpenId { get; set; } public bool BypassAuth(ILogger logger) @@ -42,26 +42,58 @@ public bool BypassAuth(ILogger logger) if (OpenId is null) { - throw new InvalidOperationException("OpenId configuration is invalid."); + throw new InvalidOperationException("openId configuration is invalid."); } - if (OpenId.Claims is null || OpenId.Claims.RequiredUserClaims!.IsNullOrEmpty() || OpenId.Claims.RequiredAdminClaims!.IsNullOrEmpty()) + if (string.IsNullOrWhiteSpace(OpenId.ClientId)) { - throw new InvalidOperationException("No claims defined for OpenId."); + throw new InvalidOperationException("No clientId defined for OpenId."); } - if (string.IsNullOrWhiteSpace(OpenId.ClientId)) + if (string.IsNullOrWhiteSpace(OpenId.RealmKey)) { - throw new InvalidOperationException("No ClientId defined for OpenId."); + throw new InvalidOperationException("No realmKey defined for OpenId."); } - if (string.IsNullOrWhiteSpace(OpenId.ServerRealmKey)) + if (string.IsNullOrWhiteSpace(OpenId.Realm)) { - throw new InvalidOperationException("No ServerRealmKey defined for OpenId."); + throw new InvalidOperationException("No realm defined for OpenId."); } - if (string.IsNullOrWhiteSpace(OpenId.ServerRealm)) + if (OpenId.Claims is null || OpenId.Claims.UserClaims!.IsNullOrEmpty() || OpenId.Claims.AdminClaims!.IsNullOrEmpty()) { - throw new InvalidOperationException("No ServerRealm defined for OpenId."); + throw new InvalidOperationException("No claimMappings defined for OpenId."); } + ValidateClaims(OpenId.Claims.UserClaims!, true); + ValidateClaims(OpenId.Claims.AdminClaims!, false); + return false; } + + private void ValidateClaims(List claims, bool validateEndpoints) + { + foreach (var claim in claims) + { + if (string.IsNullOrWhiteSpace(claim.ClaimType)) + { + throw new InvalidOperationException("Value for claimType is invalid."); + } + + if (claim.ClaimValues.IsNullOrEmpty()) + { + throw new InvalidOperationException("Value for claimType is invalid."); + } + + foreach (var claimValue in claim.ClaimValues) + { + if (string.IsNullOrWhiteSpace(claimValue)) + { + throw new InvalidOperationException($"Invalid claimValue for {claim.ClaimType}."); + } + } + + if (validateEndpoints && claim.Endpoints.IsNullOrEmpty()) + { + throw new InvalidOperationException("Value for claimType is invalid."); + } + } + } } } diff --git a/src/Authentication/Configurations/Claims.cs b/src/Authentication/Configurations/ClaimMappings.cs similarity index 57% rename from src/Authentication/Configurations/Claims.cs rename to src/Authentication/Configurations/ClaimMappings.cs index 057ec06..9e4b94b 100644 --- a/src/Authentication/Configurations/Claims.cs +++ b/src/Authentication/Configurations/ClaimMappings.cs @@ -18,21 +18,24 @@ namespace Monai.Deploy.Security.Authentication.Configurations { - public class Claims + public class ClaimMappings { - [ConfigurationKeyName("RequiredUserClaims")] - public List? RequiredUserClaims { get; set; } + [ConfigurationKeyName("userClaims")] + public List? UserClaims { get; set; } - [ConfigurationKeyName("RequiredAdminClaims")] - public List? RequiredAdminClaims { get; set; } + [ConfigurationKeyName("adminClaims")] + public List? AdminClaims { get; set; } } - public class Claim + public class ClaimMapping { - [ConfigurationKeyName("user_roles")] - public string? UserRoles { get; set; } + [ConfigurationKeyName("claimType")] + public string ClaimType { get; set; } = string.Empty; + + [ConfigurationKeyName("claimValues")] + public List ClaimValues { get; set; } = new List(); [ConfigurationKeyName("endpoints")] - public List? Endpoints { get; set; } + public List? Endpoints { get; set; } = default; } } diff --git a/src/Authentication/Configurations/OpenIdOptions.cs b/src/Authentication/Configurations/OpenIdOptions.cs index df77d49..1dcb088 100644 --- a/src/Authentication/Configurations/OpenIdOptions.cs +++ b/src/Authentication/Configurations/OpenIdOptions.cs @@ -14,25 +14,32 @@ * limitations under the License. */ +using System.Security.Claims; using Microsoft.Extensions.Configuration; namespace Monai.Deploy.Security.Authentication.Configurations { public class OpenIdOptions { - [ConfigurationKeyName("ServerRealm")] - public string? ServerRealm { get; set; } + [ConfigurationKeyName("realm")] + public string? Realm { get; set; } - [ConfigurationKeyName("ServerRealmKey")] - public string? ServerRealmKey { get; set; } + [ConfigurationKeyName("realmKey")] + public string? RealmKey { get; set; } - [ConfigurationKeyName("ClientId")] + [ConfigurationKeyName("clientId")] public string? ClientId { get; set; } - [ConfigurationKeyName("Claims")] - public Claims? Claims { get; set; } + [ConfigurationKeyName("claimMappings")] + public ClaimMappings? Claims { get; set; } - [ConfigurationKeyName("Audiences")] + [ConfigurationKeyName("audiences")] public IList? Audiences { get; set; } + + [ConfigurationKeyName("roleClaimType")] + public string RoleClaimType { get; set; } = ClaimTypes.Role; + + [ConfigurationKeyName("clearDefaultRoleMappigns")] + public bool ClearDefaultRoleMappigns { get; set; } = true; } } diff --git a/src/Authentication/Extensions/AuthKeys.cs b/src/Authentication/Extensions/AuthKeys.cs index 799dbdc..65af5df 100644 --- a/src/Authentication/Extensions/AuthKeys.cs +++ b/src/Authentication/Extensions/AuthKeys.cs @@ -25,6 +25,5 @@ public static class AuthKeys // Configuration Keys public const string OpenId = "OpenId"; - public const string UserRoles = "user_roles"; } } diff --git a/src/Authentication/Extensions/HttpContextExtension.cs b/src/Authentication/Extensions/HttpContextExtension.cs index 610bd8e..adc6188 100644 --- a/src/Authentication/Extensions/HttpContextExtension.cs +++ b/src/Authentication/Extensions/HttpContextExtension.cs @@ -16,6 +16,9 @@ using Ardalis.GuardClauses; using Microsoft.AspNetCore.Http; +using Microsoft.Extensions.Logging; +using Monai.Deploy.Security.Authentication.Middleware; +using Monai.Deploy.WorkflowManager.Logging; namespace Monai.Deploy.Security.Authentication.Extensions { @@ -24,32 +27,46 @@ public static class HttpContextExtension /// /// Gets endpoints specified in config for roles in claims. /// - /// + /// /// /// - public static List GetValidEndpoints(this HttpContext httpcontext, List adminClaims, List userClaims) + public static List GetValidEndpoints(this HttpContext httpContext, ILogger logger, List adminClaims, List userClaims) { Guard.Against.Null(adminClaims); Guard.Against.Null(userClaims); + foreach (var claim in httpContext.User.Claims) + { + logger.UserClaimFound(claim.Type, claim.Value); + + } + foreach (var claim in adminClaims!) { - if (httpcontext.User.HasClaim(AuthKeys.UserRoles, claim.UserRoles!)) + foreach (var role in claim.ClaimValues) { - return new List { "all" }; + logger.CheckingUserClaim(claim.ClaimType, role); + if (httpContext.User.HasClaim(claim.ClaimType, role)) + { + return new List { "*" }; + } } } + var endpoints = new List(); foreach (var claim in userClaims!) { - if (httpcontext.User.HasClaim(AuthKeys.UserRoles, claim.UserRoles!)) + foreach (var role in claim.ClaimValues) { - return claim.Endpoints!; + logger.CheckingUserClaim(claim.ClaimType, role); + if (httpContext.User.HasClaim(claim.ClaimType, role)) + { + endpoints.AddRange(claim.Endpoints!); + } } - } - return new List(); + return endpoints.Distinct().ToList(); } } } diff --git a/src/Authentication/Extensions/MonaiAuthenticationExtensions.cs b/src/Authentication/Extensions/MonaiAuthenticationExtensions.cs index fa6fdf3..7a9d25e 100644 --- a/src/Authentication/Extensions/MonaiAuthenticationExtensions.cs +++ b/src/Authentication/Extensions/MonaiAuthenticationExtensions.cs @@ -14,10 +14,10 @@ * limitations under the License. */ +using System.IdentityModel.Tokens.Jwt; using System.Text; using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authentication.JwtBearer; -using Microsoft.AspNetCore.Authorization; using Microsoft.Extensions.Configuration; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; @@ -49,53 +49,39 @@ public static IServiceCollection AddMonaiAuthentication( return services; } - services.AddAuthentication(options => + if (configurations.Value.OpenId?.ClearDefaultRoleMappigns ?? false) { - options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; - options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; - }) - .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, AuthKeys.OpenId, options => - { - options.Authority = configurations.Value.OpenId!.ServerRealm; - options.Audience = configurations.Value.OpenId!.ServerRealm; - options.RequireHttpsMetadata = false; + JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("role"); + JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("roles"); + } - options.TokenValidationParameters = new TokenValidationParameters + services + .AddAuthentication(options => { - IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configurations.Value.OpenId!.ServerRealmKey!)), - ValidIssuer = configurations.Value.OpenId.ServerRealm, - ValidAudiences = configurations.Value.OpenId.Audiences, - ValidateIssuerSigningKey = true, - ValidateIssuer = true, - ValidateLifetime = true, - ValidateAudience = true, - }; - }); - - services.AddAuthorization(options => - { - if (configurations.Value.OpenId!.Claims!.RequiredAdminClaims!.Any()) + options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; + options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; + }) + .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, AuthKeys.OpenId, options => { - AddPolicy(options, configurations.Value.OpenId!.Claims!.RequiredAdminClaims!, AuthKeys.AdminPolicyName); - } + options.Authority = configurations.Value.OpenId!.Realm; + options.Audience = configurations.Value.OpenId!.Realm; + options.RequireHttpsMetadata = false; - if (configurations.Value.OpenId!.Claims!.RequiredUserClaims!.Any()) - { - AddPolicy(options, configurations.Value.OpenId!.Claims!.RequiredUserClaims!, AuthKeys.UserPolicyName); - } - }); + options.TokenValidationParameters = new TokenValidationParameters + { + IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configurations.Value.OpenId!.RealmKey!)), + RoleClaimType = configurations.Value.OpenId.RoleClaimType, + ValidIssuer = configurations.Value.OpenId.Realm, + ValidAudiences = configurations.Value.OpenId.Audiences, + ValidateIssuerSigningKey = true, + ValidateIssuer = true, + ValidateLifetime = true, + ValidateAudience = true, + }; + }); + services.AddAuthorization(); return services; } - - private static void AddPolicy(AuthorizationOptions options, List claims, string policyName) - { - foreach (var dict in claims) - { - options.AddPolicy(policyName, policy => policy - .RequireAuthenticatedUser() - .RequireClaim("user_roles", dict.UserRoles!)); - } - } } } diff --git a/src/Authentication/Logging.cs b/src/Authentication/Logging.cs index ab0f411..2766669 100644 --- a/src/Authentication/Logging.cs +++ b/src/Authentication/Logging.cs @@ -20,7 +20,19 @@ namespace Monai.Deploy.WorkflowManager.Logging { public static partial class Log { - [LoggerMessage(EventId = 500000, Level = LogLevel.Information, Message = "BYpass authentication.")] + [LoggerMessage(EventId = 500000, Level = LogLevel.Information, Message = "Bypass authentication.")] public static partial void BypassAuthentication(this ILogger logger); + + [LoggerMessage(EventId = 500001, Level = LogLevel.Debug, Message = "User '{user}' attempting to access controller '{controller}'.")] + public static partial void UserAccessingController(this ILogger logger, string? user, string controller); + + [LoggerMessage(EventId = 500002, Level = LogLevel.Debug, Message = "User '{user}' access denied due to limited permissions: '{permissions}'.")] + public static partial void UserAccessDenied(this ILogger logger, string? user, string? permissions); + + [LoggerMessage(EventId = 500003, Level = LogLevel.Trace, Message = "User claim {claim}={value}.")] + public static partial void UserClaimFound(this ILogger logger, string? claim, string? value); + + [LoggerMessage(EventId = 500004, Level = LogLevel.Trace, Message = "Checking user claim {claim}={value}.")] + public static partial void CheckingUserClaim(this ILogger logger, string? claim, string? value); } } diff --git a/src/Authentication/Middleware/EndpointAuthorizationMiddleware.cs b/src/Authentication/Middleware/EndpointAuthorizationMiddleware.cs index b9f2de7..9b2fc1e 100644 --- a/src/Authentication/Middleware/EndpointAuthorizationMiddleware.cs +++ b/src/Authentication/Middleware/EndpointAuthorizationMiddleware.cs @@ -21,6 +21,7 @@ using Microsoft.Extensions.Options; using Monai.Deploy.Security.Authentication.Configurations; using Monai.Deploy.Security.Authentication.Extensions; +using Monai.Deploy.WorkflowManager.Logging; namespace Monai.Deploy.Security.Authentication.Middleware { @@ -40,37 +41,39 @@ public EndpointAuthorizationMiddleware(RequestDelegate next, IOptions e.Equals(controller, StringComparison.InvariantCultureIgnoreCase)) || validEndpoints.Contains("all"); + _logger.UserAccessingController(httpContext.User.Identity.Name, controller); + var validEndpoints = httpContext.GetValidEndpoints(_logger, _options.Value.OpenId!.Claims!.AdminClaims!, _options.Value.OpenId!.Claims!.UserClaims!); + var result = validEndpoints.Any(e => e.Equals(controller, StringComparison.InvariantCultureIgnoreCase)) || validEndpoints.Contains("*"); if (result is false) { - httpcontext.Response.StatusCode = (int)HttpStatusCode.Forbidden; + _logger.UserAccessDenied(httpContext.User.Identity.Name, string.Join(',', validEndpoints)); + httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; - await httpcontext.Response.CompleteAsync().ConfigureAwait(false); + await httpContext.Response.CompleteAsync().ConfigureAwait(false); return; } } - await _next(httpcontext).ConfigureAwait(false); + await _next(httpContext).ConfigureAwait(false); } else { - httpcontext.Response.StatusCode = (int)HttpStatusCode.Unauthorized; + httpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized; } } } diff --git a/src/Authentication/Tests/EndpointAuthorizationMiddlewareTest.cs b/src/Authentication/Tests/EndpointAuthorizationMiddlewareTest.cs index 518ddd4..9668f20 100644 --- a/src/Authentication/Tests/EndpointAuthorizationMiddlewareTest.cs +++ b/src/Authentication/Tests/EndpointAuthorizationMiddlewareTest.cs @@ -28,6 +28,14 @@ public partial class EndpointAuthorizationMiddlewareTest [Theory] [InlineData("test.noauth.json")] [InlineData("test.emptyopenid.json")] + [InlineData("test.auth-noclaims.json")] + [InlineData("test.auth-noclientid.json")] + [InlineData("test.auth-norealm.json")] + [InlineData("test.auth-norealmkey.json")] + [InlineData("test.auth-noclaimtype.json")] + [InlineData("test.auth-noclaimvalues.json")] + [InlineData("test.auth-whitespaceclaimvalues.json")] + [InlineData("test.auth-noendpoints.json")] public async Task GivenConfigurationFilesIsBad_ExpectExceptionToBeThrown(string configFile) { await Assert.ThrowsAsync(async () => @@ -109,6 +117,23 @@ public async Task GivenConfigurationFileWithOpenIdConfigured_WhenUserIsAuthentic Assert.Equal(HttpStatusCode.Forbidden, responseMessage.StatusCode); } + [Theory] + [InlineData("role-with-test")] + public async Task GivenConfigurationFileWithOpenIdConfigured_WhenUserProvidesAnExpiredToken_ExpectToDenyRequest(string role) + { + using var host = await new HostBuilder().ConfigureWebHost(SetupWebServer("test.auth.json")).StartAsync().ConfigureAwait(false); + + var server = host.GetTestServer(); + server.BaseAddress = new Uri("https://example.com/"); + + var token = MockJwtTokenHandler.GenerateJwtToken(role, -5); + + var client = server.CreateClient(); + client.DefaultRequestHeaders.Add("Authorization", $"{JwtBearerDefaults.AuthenticationScheme} {token}"); + var responseMessage = await client.GetAsync("api/Test").ConfigureAwait(false); + + Assert.Equal(HttpStatusCode.Unauthorized, responseMessage.StatusCode); + } private static Action SetupWebServer(string configFile) => webBuilder => { diff --git a/src/Authentication/Tests/MockJwtTokenHandler.cs b/src/Authentication/Tests/MockJwtTokenHandler.cs index ece844c..5719ea5 100644 --- a/src/Authentication/Tests/MockJwtTokenHandler.cs +++ b/src/Authentication/Tests/MockJwtTokenHandler.cs @@ -17,7 +17,6 @@ using System.IdentityModel.Tokens.Jwt; using System.Text; using Microsoft.IdentityModel.Tokens; -using Monai.Deploy.Security.Authentication.Extensions; using Claim = System.Security.Claims.Claim; namespace Monai.Deploy.Security.Authentication.Tests @@ -30,7 +29,7 @@ public static class MockJwtTokenHandler public static SecurityKey SecurityKey { get; } public static SigningCredentials SigningCredentials { get; } - private static readonly JwtSecurityTokenHandler TokenHandler = new JwtSecurityTokenHandler(); + private static readonly JwtSecurityTokenHandler TokenHandler = new(); static MockJwtTokenHandler() { @@ -38,10 +37,10 @@ static MockJwtTokenHandler() SigningCredentials = new SigningCredentials(SecurityKey, SecurityAlgorithms.HmacSha256Signature); } - public static string GenerateJwtToken(string role) + public static string GenerateJwtToken(string role, int expiresInMinutes = 5) { - var claims = new[] { new Claim(AuthKeys.UserRoles, role) }; - return TokenHandler.WriteToken(new JwtSecurityToken(Issuer, "monai-app", claims, null, DateTime.UtcNow.AddMinutes(20), SigningCredentials)); + var claims = new[] { new Claim("user_roles", role) }; + return TokenHandler.WriteToken(new JwtSecurityToken(Issuer, "monai-app", claims, null, DateTime.UtcNow.AddMinutes(expiresInMinutes), SigningCredentials)); } } } diff --git a/src/Authentication/Tests/test.auth-noclaims.json b/src/Authentication/Tests/test.auth-noclaims.json new file mode 100644 index 0000000..65c04da --- /dev/null +++ b/src/Authentication/Tests/test.auth-noclaims.json @@ -0,0 +1,12 @@ +{ + "MonaiDeployAuthentication": { + "bypassAuthentication": false, + "openId": { + "realm": "TEST-REALM", + "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde", + "audiences": [ "monai-app" ], + "roleClaimType": "roles", + "clientId": "monai-app-test" + } + } +} \ No newline at end of file diff --git a/src/Authentication/Tests/test.auth-noclaimtype.json b/src/Authentication/Tests/test.auth-noclaimtype.json new file mode 100644 index 0000000..129c67d --- /dev/null +++ b/src/Authentication/Tests/test.auth-noclaimtype.json @@ -0,0 +1,27 @@ +{ + "MonaiDeployAuthentication": { + "bypassAuthentication": false, + "openId": { + "realm": "TEST-REALM", + "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde", + "audiences": [ "monai-app" ], + "roleClaimType": "roles", + "clientId": "monai-app-test", + "claimMappings": { + "userClaims": [ + { + "claimType": "", + "claimValues": [ "role-with-test" ], + "endpoints": [ "test" ] + } + ], + "adminClaims": [ + { + "claimType": "", + "claimValues": [ "monai-role-admin" ] + } + ] + } + } + } +} \ No newline at end of file diff --git a/src/Authentication/Tests/test.auth-noclaimvalues.json b/src/Authentication/Tests/test.auth-noclaimvalues.json new file mode 100644 index 0000000..b749bef --- /dev/null +++ b/src/Authentication/Tests/test.auth-noclaimvalues.json @@ -0,0 +1,25 @@ +{ + "MonaiDeployAuthentication": { + "bypassAuthentication": false, + "openId": { + "realm": "TEST-REALM", + "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde", + "audiences": [ "monai-app" ], + "roleClaimType": "roles", + "clientId": "monai-app-test", + "claimMappings": { + "userClaims": [ + { + "claimType": "user_roles", + "endpoints": [ "test" ] + } + ], + "adminClaims": [ + { + "claimType": "user_roles", + } + ] + } + } + } +} \ No newline at end of file diff --git a/src/Authentication/Tests/test.auth-noclientid.json b/src/Authentication/Tests/test.auth-noclientid.json new file mode 100644 index 0000000..72903b0 --- /dev/null +++ b/src/Authentication/Tests/test.auth-noclientid.json @@ -0,0 +1,31 @@ +{ + "MonaiDeployAuthentication": { + "bypassAuthentication": false, + "openId": { + "realm": "TEST-REALM", + "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde", + "audiences": [ "monai-app" ], + "roleClaimType": "roles", + "claimMappings": { + "userClaims": [ + { + "claimType": "user_roles", + "claimValues": [ "role-with-test" ], + "endpoints": [ "test" ] + }, + { + "claimType": "user_roles", + "claimValues": [ "role-without-test" ], + "endpoints": [ "no-test" ] + } + ], + "adminClaims": [ + { + "claimType": "user_roles", + "claimValues": [ "monai-role-admin" ] + } + ] + } + } + } +} \ No newline at end of file diff --git a/src/Authentication/Tests/test.auth-noendpoints.json b/src/Authentication/Tests/test.auth-noendpoints.json new file mode 100644 index 0000000..53d0e3c --- /dev/null +++ b/src/Authentication/Tests/test.auth-noendpoints.json @@ -0,0 +1,26 @@ +{ + "MonaiDeployAuthentication": { + "bypassAuthentication": false, + "openId": { + "realm": "TEST-REALM", + "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde", + "audiences": [ "monai-app" ], + "roleClaimType": "roles", + "clientId": "monai-app-test", + "claimMappings": { + "userClaims": [ + { + "claimType": "user_roles", + "claimValues": [ "role-with-test" ] + } + ], + "adminClaims": [ + { + "claimType": "user_roles", + "claimValues": [ "monai-role-admin" ] + } + ] + } + } + } +} \ No newline at end of file diff --git a/src/Authentication/Tests/test.auth-norealm.json b/src/Authentication/Tests/test.auth-norealm.json new file mode 100644 index 0000000..9e4a226 --- /dev/null +++ b/src/Authentication/Tests/test.auth-norealm.json @@ -0,0 +1,31 @@ +{ + "MonaiDeployAuthentication": { + "bypassAuthentication": false, + "openId": { + "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde", + "audiences": [ "monai-app" ], + "roleClaimType": "roles", + "clientId": "monai-app-test", + "claimMappings": { + "userClaims": [ + { + "claimType": "user_roles", + "claimValues": [ "role-with-test" ], + "endpoints": [ "test" ] + }, + { + "claimType": "user_roles", + "claimValues": [ "role-without-test" ], + "endpoints": [ "no-test" ] + } + ], + "adminClaims": [ + { + "claimType": "user_roles", + "claimValues": [ "monai-role-admin" ] + } + ] + } + } + } +} \ No newline at end of file diff --git a/src/Authentication/Tests/test.auth-norealmkey.json b/src/Authentication/Tests/test.auth-norealmkey.json new file mode 100644 index 0000000..5a6e233 --- /dev/null +++ b/src/Authentication/Tests/test.auth-norealmkey.json @@ -0,0 +1,31 @@ +{ + "MonaiDeployAuthentication": { + "bypassAuthentication": false, + "openId": { + "realm": "TEST-REALM", + "audiences": [ "monai-app" ], + "roleClaimType": "roles", + "clientId": "monai-app-test", + "claimMappings": { + "userClaims": [ + { + "claimType": "user_roles", + "claimValues": [ "role-with-test" ], + "endpoints": [ "test" ] + }, + { + "claimType": "user_roles", + "claimValues": [ "role-without-test" ], + "endpoints": [ "no-test" ] + } + ], + "adminClaims": [ + { + "claimType": "user_roles", + "claimValues": [ "monai-role-admin" ] + } + ] + } + } + } +} \ No newline at end of file diff --git a/src/Authentication/Tests/test.auth-whitespaceclaimvalues.json b/src/Authentication/Tests/test.auth-whitespaceclaimvalues.json new file mode 100644 index 0000000..c4187fe --- /dev/null +++ b/src/Authentication/Tests/test.auth-whitespaceclaimvalues.json @@ -0,0 +1,27 @@ +{ + "MonaiDeployAuthentication": { + "bypassAuthentication": false, + "openId": { + "realm": "TEST-REALM", + "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde", + "audiences": [ "monai-app" ], + "roleClaimType": "roles", + "clientId": "monai-app-test", + "claimMappings": { + "userClaims": [ + { + "claimType": "user_roles", + "claimValues": [ " " ], + "endpoints": [ "test" ] + } + ], + "adminClaims": [ + { + "claimType": "user_roles", + "claimValues": [ " " ] + } + ] + } + } + } +} \ No newline at end of file diff --git a/src/Authentication/Tests/test.auth.json b/src/Authentication/Tests/test.auth.json index 3fb1c0b..0c5fa81 100644 --- a/src/Authentication/Tests/test.auth.json +++ b/src/Authentication/Tests/test.auth.json @@ -1,26 +1,32 @@ { "MonaiDeployAuthentication": { - "BypassAuthentication": false, - "OpenId": { - "ServerRealm": "TEST-REALM", - "ServerRealmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde", - "Audiences": [ "monai-app" ], - "ClientId": "monai-app-test", - "Claims": { - "RequiredUserClaims": [ + "bypassAuthentication": false, + "openId": { + "realm": "TEST-REALM", + "realmKey": "l9ZRlbMQBt9k1klUUrlWFuke8WbqnEde", + "audiences": [ "monai-app" ], + "roleClaimType": "roles", + "clientId": "monai-app-test", + "claimMappings": { + "userClaims": [ { - "user_roles": "role-with-test", + "claimType": "user_roles", + "claimValues": [ "role-with-test" ], "endpoints": [ "test" ] }, { - "user_roles": "role-without-test", + "claimType": "user_roles", + "claimValues": [ "role-without-test" ], "endpoints": [ "no-test" ] } ], - "RequiredAdminClaims": [ - { "user_roles": "monai-role-admin" } + "adminClaims": [ + { + "claimType": "user_roles", + "claimValues": [ "monai-role-admin" ] + } ] } } } -} +} \ No newline at end of file diff --git a/src/Authentication/Tests/test.bypassd.json b/src/Authentication/Tests/test.bypassd.json index a1d2b3f..577ca21 100644 --- a/src/Authentication/Tests/test.bypassd.json +++ b/src/Authentication/Tests/test.bypassd.json @@ -2,4 +2,4 @@ "MonaiDeployAuthentication": { "BypassAuthentication": true } -} +} \ No newline at end of file diff --git a/src/Authentication/Tests/test.emptyopenid.json b/src/Authentication/Tests/test.emptyopenid.json index 59817be..2265f8c 100644 --- a/src/Authentication/Tests/test.emptyopenid.json +++ b/src/Authentication/Tests/test.emptyopenid.json @@ -3,4 +3,4 @@ "BypassAuthentication": false, "OpenId": {} } -} +} \ No newline at end of file diff --git a/src/Authentication/Tests/test.noauth.json b/src/Authentication/Tests/test.noauth.json index 0f530c1..8593c62 100644 --- a/src/Authentication/Tests/test.noauth.json +++ b/src/Authentication/Tests/test.noauth.json @@ -1,2 +1,2 @@ { -} +} \ No newline at end of file diff --git a/src/Authentication/example.json b/src/Authentication/example.json index aed3e39..b21ca74 100644 --- a/src/Authentication/example.json +++ b/src/Authentication/example.json @@ -6,19 +6,24 @@ "ServerRealmKey": "EncryptionKey", "ClientId": "monai-app", "Audiences": [ "monai-deploy" ], - "Claims": { - "RequiredUserClaims": [ + "ClaimMappings": { + "UserClaims": [ { - "user_roles": "monai-deploy-users", - "endpoints": [ "payloads", "workflows", "workflowinstances", "tasks" ] + "claimType": "user_roles", + "claimValues": [ "monai-deploy-user" ], + "endpoints": [ "test" ] }, { - "user_roles": "pacs-admins", + "claimType": "user_roles", + "claimValues": [ "pacs-admins" ], "endpoints": [ "config" ] } ], - "RequiredAdminClaims": [ - { "user_roles": "monai-role-admin" } + "AdminClaims": [ + { + "claimType": "user_roles", + "claimValues": [ "monai-role-admin" ] + } ] } }