API clients now pulled from database. Full OIDC flow now implemented

Author: nref-dan

src/Database/api/Procedures/Authorisation.GetAccessClients.sql

@@ -15,4 +15,4 @@ select
 	SecretKey,
 	IsAdministratorApp
 from AccessClient
-where (@ClientId = null or ClientId = @ClientId);
+where (@ClientId is null or ClientId = @ClientId);

src/OpenPerpetuum.Api/Authorisation/ApplicationContext.cs

@@ -1,28 +1,27 @@
 using AspNet.Security.OpenIdConnect.Primitives;
 using AspNet.Security.OpenIdConnect.Server;
-using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Caching.Memory;
+using OpenPerpetuum.Api.Configuration;
 using OpenPerpetuum.Core.Authorisation.Models;
-using OpenPerpetuum.Core.Authorisation.Queries;
-using OpenPerpetuum.Core.Foundation.Processing;
 using System;
+using System.Collections.ObjectModel;
 using System.Linq;
-using System.Threading;
 using System.Threading.Tasks;
 
 namespace OpenPerpetuum.Api.Authorisation
 {
 	// Note: This class is *always* a singleton. Don't inject scoped dependencies
 	public sealed class AuthorisationProvider : OpenIdConnectServerProvider
 	{
-		private readonly ApplicationContext dbContext;
+		private readonly IMemoryCache dbContext;
 
-		public AuthorisationProvider(ApplicationContext dbContext)
+		public AuthorisationProvider(IMemoryCache dbContext)
 		{
 			this.dbContext = dbContext;
 		}
 
 		// Implement OnValidateAuthorizationRequest to support interactive flows (code/implicit/hybrid).
-		public override async Task ValidateAuthorizationRequest(ValidateAuthorizationRequestContext context)
+		public override Task ValidateAuthorizationRequest(ValidateAuthorizationRequestContext context)
 		{
 			/* This method must run in a 'time-constant' fashion.
 			 * Even when authorisation has failed at a certain point
@@ -32,17 +31,18 @@ public override async Task ValidateAuthorizationRequest(ValidateAuthorizationReq
 			 * authorisation process, the more of the process you get correct, the longer it will take to return.
 			 * Ideally, the time to return should always stay the same.
 			 */
+			
 			bool isError = false;
 
 			if (!context.Request.IsAuthorizationCodeFlow())
 			{
 				context.Reject(
 					error: OpenIdConnectConstants.Errors.UnsupportedResponseType,
 					description: "Only authorisation code flow is supported by this server");
-				return; // Given that this is a protocol error I'm not too fussed about the early return
+				return Task.FromResult(0); // Given that this is a protocol error I'm not too fussed about the early return
 			}
 
-			AccessClientModel accessClient = await GetApplicationAsync(context.ClientId, context.HttpContext.RequestAborted) ?? AccessClientModel.DefaultValue;
+			AccessClientModel accessClient = GetApplication(context.ClientId) ?? AccessClientModel.DefaultValue;
 
 			if (Equals(accessClient.ClientId, Guid.Empty))
 			{
@@ -68,7 +68,7 @@ public override async Task ValidateAuthorizationRequest(ValidateAuthorizationReq
 			if (!isError)
 				context.Validate();
 
-			return;
+			return Task.FromResult(0);
 		}
 
 		// Implement OnValidateTokenRequest to support flows using the token endpoint
@@ -85,16 +85,19 @@ public override Task ValidateTokenRequest(ValidateTokenRequestContext context)
 			return Task.FromResult(0);
 		}
 
-		private async Task<AccessClientModel> GetApplicationAsync(string identifier, CancellationToken cancellationToken)
+		private AccessClientModel GetApplication(string identifier)
 		{
 			if (string.IsNullOrWhiteSpace(identifier))
 				return null;
 
 			if (!Guid.TryParse(identifier, out Guid clientId))
 				clientId = Guid.Empty;
 
+			if (!dbContext.TryGetValue(CacheKeys.AccessClients, out ReadOnlyCollection<AccessClientModel> applications) || applications == null || applications.Count == 0)
+				return AccessClientModel.DefaultValue;
+
 			// Retrieve the application details corresponding to the requested client_id.
-			return await dbContext.Applications.Where(application => application.ClientId == clientId).SingleOrDefaultAsync(cancellationToken);
+			return applications.SingleOrDefault(ap => ap.ClientId == clientId) ?? AccessClientModel.DefaultValue;
 		}
 	}
 }

src/OpenPerpetuum.Api/Authorisation/AuthorisationProvider.cs

@@ -0,0 +1,7 @@
+namespace OpenPerpetuum.Api.Configuration
+{
+	public static class CacheKeys
+	{
+		public const string AccessClients = "AccessClients";
+	}
+}

src/OpenPerpetuum.Api/Configuration/CacheKeys.cs

@@ -1,39 +1,40 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Security.Claims;
-using System.Threading;
-using System.Threading.Tasks;
-using AspNet.Security.OpenIdConnect.Extensions;
+using AspNet.Security.OpenIdConnect.Extensions;
 using AspNet.Security.OpenIdConnect.Primitives;
 using AspNet.Security.OpenIdConnect.Server;
 using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.DependencyInjection;
-using OpenPerpetuum.Api.Authorisation;
+using OpenPerpetuum.Api.Configuration;
 using OpenPerpetuum.Api.DependencyInstallers;
 using OpenPerpetuum.Api.Models.Authorisation;
 using OpenPerpetuum.Core.Authorisation.Models;
 using OpenPerpetuum.Core.Authorisation.Queries;
 using OpenPerpetuum.Core.Foundation.Processing;
 using OpenPerpetuum.Core.Foundation.Security;
+using System;
+using System.Collections.Generic;
+using System.Collections.ObjectModel;
+using System.Linq;
+using System.Security.Claims;
+using System.Threading;
+using System.Threading.Tasks;
 
 namespace OpenPerpetuum.Api.Controllers
 {
 	public class AuthorisationController : ApiControllerBase
 	{
-		private readonly ApplicationContext dbContext;
+		private readonly IMemoryCache cache;
 
-		public AuthorisationController(ICoreContext coreContext, ApplicationContext context) : base(coreContext)
+		public AuthorisationController(ICoreContext coreContext, IMemoryCache cache) : base(coreContext)
 		{
-			dbContext = context;
+			this.cache = cache;
 		}
 
 		[Authorize, HttpGet("~/connect/authorise")]
-		public async Task<IActionResult> Authorise(CancellationToken cancellationToken)
+		public IActionResult Authorise(CancellationToken cancellationToken)
 		{
 			// Extract the auth request from the context
 			var response = HttpContext.GetOpenIdConnectResponse();
@@ -54,7 +55,7 @@ public async Task<IActionResult> Authorise(CancellationToken cancellationToken)
 					ErrorDescription = "Internal error"
 				});
 
-			AccessClientModel accessClient = await GetApplicationAsync(request.ClientId, cancellationToken) ?? AccessClientModel.DefaultValue;
+			AccessClientModel accessClient = GetApplication(request.ClientId) ?? AccessClientModel.DefaultValue;
 
 			if (accessClient.ClientId == Guid.Empty)
 				return View("Error", new ErrorViewModel
@@ -68,7 +69,7 @@ public async Task<IActionResult> Authorise(CancellationToken cancellationToken)
 
 		[Authorize, FormValueRequired("submit.Accept")]
 		[HttpPost("~/connect/authorise"), ValidateAntiForgeryToken]
-		public async Task<IActionResult> Accept(CancellationToken cancellationToken)
+		public IActionResult Accept(CancellationToken cancellationToken)
 		{
 			var response = HttpContext.GetOpenIdConnectResponse();
 			if (response != null)
@@ -104,7 +105,7 @@ public async Task<IActionResult> Accept(CancellationToken cancellationToken)
 					OpenIdConnectConstants.Destinations.AccessToken,
 					OpenIdConnectConstants.Destinations.IdentityToken));
 
-			var application = await GetApplicationAsync(request.ClientId, cancellationToken);
+			var application = GetApplication(request.ClientId);
 			if (application == null)
 			{
 				return View("Error", new OpenIdConnectResponse
@@ -229,16 +230,19 @@ await HttpContext.SignInAsync(
 			return Redirect(viewModel.ReturnUrl);
 		}
 
-		protected virtual async Task<AccessClientModel> GetApplicationAsync(string identifier, CancellationToken cancellationToken)
+		private AccessClientModel GetApplication(string identifier)
 		{
 			if (string.IsNullOrWhiteSpace(identifier))
 				return null;
 
 			if (!Guid.TryParse(identifier, out Guid clientId))
 				clientId = Guid.Empty;
 
+			if (!cache.TryGetValue(CacheKeys.AccessClients, out ReadOnlyCollection<AccessClientModel> applications) || applications == null || applications.Count == 0)
+				return AccessClientModel.DefaultValue;
+
 			// Retrieve the application details corresponding to the requested client_id.
-			return await dbContext.Applications.Where(application => application.ClientId == clientId).SingleOrDefaultAsync(cancellationToken);
+			return applications.SingleOrDefault(ap => ap.ClientId == clientId) ?? AccessClientModel.DefaultValue;
 		}
 	}
 }

src/OpenPerpetuum.Api/Controllers/AuthorisationController.cs

@@ -11,6 +11,7 @@
 using Microsoft.AspNetCore.Mvc.ViewFeatures.Internal;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Caching.Distributed;
+using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
@@ -20,15 +21,19 @@
 using OpenPerpetuum.Api.Configuration;
 using OpenPerpetuum.Api.DependencyInstallers;
 using OpenPerpetuum.Core.Authorisation.Models;
+using OpenPerpetuum.Core.Authorisation.Queries;
 using OpenPerpetuum.Core.DataServices;
 using OpenPerpetuum.Core.Extensions;
+using OpenPerpetuum.Core.Foundation.Processing;
 using SimpleInjector;
 using SimpleInjector.Integration.AspNetCore.Mvc;
 using SimpleInjector.Lifestyles;
 using System;
 using System.Collections.Generic;
+using System.Collections.ObjectModel;
 using System.Linq;
 using System.Net;
+using System.Threading;
 using System.Threading.Tasks;
 
 namespace OpenPerpetuum.Api
@@ -55,15 +60,11 @@ public void ConfigureServices(IServiceCollection services)
             services.AddOptions();
 			services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
 
-			services
-				.AddEntityFrameworkInMemoryDatabase()
-				.AddDbContext<ApplicationContext>(options => options.UseInMemoryDatabase(nameof(ApplicationContext)));
-
             var openIdConnectConfig = Configuration.GetSection("OpenIdConnect").Get<OpenIdConnectConfiguration>();
 
 			services.Configure<OpenIdConnectConfiguration>(options => Configuration.GetSection("OpenIdConnect").Bind(options));
 			services.Configure<DataProviderConfiguration>(options => Configuration.GetSection("DataProviders").Bind(options));
-
+			
 			services.AddAuthentication(sharedOptions =>
 			{
 				sharedOptions.DefaultScheme = "ServerCookie";
@@ -136,14 +137,15 @@ public void ConfigureServices(IServiceCollection services)
 #endif
             }).SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
 
+			services.AddMemoryCache();
 			services.AddDistributedMemoryCache();
 
             services.EnableSimpleInjectorCrossWiring(container);
             services.UseSimpleInjectorAspNetRequestScoping(container);
         }
 
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
-        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
+        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IApplicationLifetime applicationLifetime)
         {
             // Event log is only support on Windows systems
             if (Environment.OSVersion.Platform == PlatformID.Win32NT)
@@ -171,23 +173,6 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerF
                 }
             });
 
-			using (AsyncScopedLifestyle.BeginScope(container))
-			{
-				var dbContext = container.GetRequiredService<ApplicationContext>();
-				dbContext.AddRange(new[]
-				{
-					AccessClientModel.DefaultValue,
-					new AccessClientModel
-					{
-						AdministratorContactAddress = "admin@email",
-						AdministratorName = "Development",
-						ClientId = Guid.Parse("8d24b83a-f04b-483d-8eb7-efd98ac91a9d"),
-						FriendlyName = "Development Postman Test",
-						RedirectUri = "https://www.getpostman.com/oauth2/callback"
-					}
-				});
-				dbContext.SaveChanges();
-			}
 			bool isDevMode = false, isHsts = false, isHttps = false;
 
             if (env.IsDevelopment())
@@ -209,6 +194,10 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerF
 			app.UseAuthentication();
 			app.UseStaticFiles();
 			app.UseMvc();
+			CancellationTokenSource tokenSource = new CancellationTokenSource();
+			Task.Run(() => RunPeriodically(() => PopulateApplications(container.GetRequiredService<IMemoryCache>(), container.GetRequiredService<IQueryProcessor>()), TimeSpan.FromMinutes(3), tokenSource.Token));
+
+			applicationLifetime.ApplicationStopping.Register(() => tokenSource.Cancel());
 
 			UriParser.Register(new GenericUriParser(GenericUriParserOptions.GenericAuthority), "pack", -1); // Don't fail with Azure packed claims
 
@@ -239,16 +228,21 @@ private void InitialiseContainer(IApplicationBuilder app, ILoggerFactory loggerF
 			container.RegisterPerpetuumApiTypes();
 		}
 
-        // This should stop the API from returning 302 redirects (attempts to present you a login page) for 401 Unauthorised
-        private static Func<RedirectContext<CookieAuthenticationOptions>, Task> ReplaceRedirector(HttpStatusCode statusCode, Func<RedirectContext<CookieAuthenticationOptions>, Task> existingRedirector) =>
-            context =>
-            {
-                if (context.Request.Path.StartsWithSegments("/api"))
-                {
-                    context.Response.StatusCode = (int)statusCode;
-                    return Task.CompletedTask;
-                }
-                return existingRedirector(context);
-            };
-    }
+		private async Task RunPeriodically(Action action, TimeSpan interval, CancellationToken token)
+		{
+			while(true)
+			{
+				action();
+				await Task.Delay(interval, token);
+			}
+		}
+
+		private void PopulateApplications(IMemoryCache dbContext, IQueryProcessor queryProcessor)
+		{
+			dbContext.Remove(CacheKeys.AccessClients);
+
+			ReadOnlyCollection<AccessClientModel> applications = queryProcessor.Process(new API_GetPermittedClientQuery { ClientId = null }) ?? new List<AccessClientModel>().AsReadOnly();
+			dbContext.Set(CacheKeys.AccessClients, applications);
+		}
+	}
 }

src/OpenPerpetuum.Api/Startup.cs

@@ -1,5 +1,6 @@
 using OpenPerpetuum.Core.DataServices.Database;
 using System;
+using System.Collections.Generic;
 using System.Collections.ObjectModel;
 
 namespace OpenPerpetuum.Core.Authorisation.DatabaseResults
@@ -53,7 +54,7 @@ public string Secret
 
 	internal class AccessClientsResult : DatabaseResult
 	{
-		public ReadOnlyCollection<AccessClientData> Clients => ((ResultSet<AccessClientData>)Results[0])?.Data;
+		public ReadOnlyCollection<AccessClientData> Clients => ((ResultSet<AccessClientData>)Results[0])?.Data ?? new List<AccessClientData>().AsReadOnly();
 
 		public AccessClientsResult()
 		{