Merge branch 'main' into VFD-289-aurora-rds-postgresql-serverless-v-2-pystytys

Author: lsipii

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/Productizer/ProductizerController.cs

@@ -13,6 +13,7 @@ namespace VirtualFinland.UserAPI.Activities.Productizer;
 
 [ApiController]
 [Authorize]
+[Authorize(Policy = "RequestFromDataspace")]
 [ProducesResponseType(StatusCodes.Status401Unauthorized)]
 [Produces("application/json")]
 public class ProductizerController : ControllerBase
@@ -83,7 +84,7 @@ public async Task<IActionResult> GetPersonBasicInformation()
 
         var result = await _mediator.Send(new GetPersonBasicInformation.Query(userId));
 
-        if (!ProductizerProfileValidator.IsPersonBasicInformationCreated(result)) return NotFound();
+        if (!ProductizerProfileValidator.IsPersonBasicInformationCreated(result)) throw new NotFoundException("Person not found");
 
         return Ok(result);
     }
@@ -121,7 +122,7 @@ public async Task<IActionResult> GetPersonJobApplicantInformation()
 
         var result = await _mediator.Send(new GetJobApplicantProfile.Query(userId));
 
-        if (!ProductizerProfileValidator.IsJobApplicantProfileCreated(result)) return NotFound();
+        if (!ProductizerProfileValidator.IsJobApplicantProfileCreated(result)) throw new NotFoundException("Job applicant profile not found");
 
         return Ok(result);
     }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/User/UserController.cs

@@ -11,6 +11,7 @@ namespace VirtualFinland.UserAPI.Activities.User;
 
 [ApiController]
 [Authorize]
+[Authorize(Policy = "RequestFromAccessFinland")]
 [ProducesResponseType(StatusCodes.Status401Unauthorized)]
 [Produces("application/json")]
 public class UserController : ApiControllerBase

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Data/UsersDBContext.cs

@@ -8,14 +8,17 @@ namespace VirtualFinland.UserAPI.Data;
 public class UsersDbContext : DbContext
 {
     private readonly bool _isTesting;
+    private readonly IAuditInterceptor _auditInterceptor;
 
-    public UsersDbContext(DbContextOptions options) : base(options)
+    public UsersDbContext(DbContextOptions options, IAuditInterceptor auditInterceptor) : base(options)
     {
+        _auditInterceptor = auditInterceptor;
     }
 
-    public UsersDbContext(DbContextOptions options, bool isTesting) : base(options)
+    public UsersDbContext(DbContextOptions options, IAuditInterceptor auditInterceptor, bool isTesting) : base(options)
     {
         _isTesting = isTesting;
+        _auditInterceptor = auditInterceptor;
     }
 
     public DbSet<ExternalIdentity> ExternalIdentities => Set<ExternalIdentity>();
@@ -32,7 +35,7 @@ public UsersDbContext(DbContextOptions options, bool isTesting) : base(options)
 
     protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
     {
-        optionsBuilder.AddInterceptors(new AuditInterceptor());
+        optionsBuilder.AddInterceptors(_auditInterceptor);
     }
 
     protected override void OnModelCreating(ModelBuilder modelBuilder)

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Helpers/AuditInterceptor.cs

@@ -1,15 +1,27 @@
 using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.ChangeTracking;
 using Microsoft.EntityFrameworkCore.Diagnostics;
 using VirtualFinland.UserAPI.Models.UsersDatabase;
 
 namespace VirtualFinland.UserAPI.Helpers;
 
+public interface IAuditInterceptor : IInterceptor
+{
+}
+
+
 /// <summary>
 ///     Interceptor used to automatically set created and modified property values on classes that inherit from
 ///     <see cref="Auditable" /> abstract class
 /// </summary>
-public class AuditInterceptor : SaveChangesInterceptor
+public class AuditInterceptor : SaveChangesInterceptor, IAuditInterceptor
 {
+    private readonly ILogger<IAuditInterceptor> _logger;
+    public AuditInterceptor(ILogger<IAuditInterceptor> logger) : base()
+    {
+        _logger = logger;
+    }
+
     public override ValueTask<InterceptionResult<int>> SavingChangesAsync(
         DbContextEventData eventData,
         InterceptionResult<int> result,
@@ -18,24 +30,53 @@ public override ValueTask<InterceptionResult<int>> SavingChangesAsync(
         if (eventData.Context is null)
             throw new ArgumentNullException(nameof(eventData), $"{nameof(eventData)} is null");
 
-        var insertedEntries = eventData.Context.ChangeTracker
-            .Entries()
-            .Where(x => x.State == EntityState.Added)
-            .Select(x => x.Entity);
+        foreach (var entry in eventData.Context.ChangeTracker.Entries())
+        {
+            switch (entry.State)
+            {
+                case EntityState.Added:
+                case EntityState.Modified:
+                case EntityState.Deleted:
+                    if (entry.Entity is Auditable)
+                    {
+                        _logger.LogInformation("@{AuditLog}", _CreateAuditLog(entry));
+                    }
+                    break;
+            }
+        }
+
+        return base.SavingChangesAsync(eventData, result, cancellationToken);
+    }
 
-        foreach (var insertedEntry in insertedEntries)
-            if (insertedEntry is Auditable auditableEntity)
-                auditableEntity.Created = DateTime.UtcNow;
+    private AuditLog _CreateAuditLog(EntityEntry entry)
+    {
+        var (primaryKeys, nonPrimaryKeys) = _GetLogMessageColumns(entry);
+        return new AuditLog
+        {
+            TableName = entry.Metadata.DisplayName(),
+            Action = entry.State.ToString(),
+            KeyValues = primaryKeys.Any() ? $"[{string.Join(", ", primaryKeys)}]" : "[]",
+            ChangedColumns = nonPrimaryKeys.Any() ? $"[{string.Join(", ", nonPrimaryKeys)}]" : "[]",
+            EventDate = DateTime.UtcNow
+        };
+    }
 
-        var modifiedEntries = eventData.Context.ChangeTracker
-            .Entries()
-            .Where(x => x.State == EntityState.Modified)
-            .Select(x => x.Entity);
+    private Tuple<List<string>, List<string>> _GetLogMessageColumns(EntityEntry entry)
+    {
+        var primaryKeys = entry.Properties.Where(property => property.Metadata.IsPrimaryKey())
+            .Select(property => $"{property.Metadata.Name} = {property.CurrentValue}");
+        var nonPrimaryKeys = entry.Properties.Where(property => !property.Metadata.IsPrimaryKey() && (entry.State != EntityState.Modified || property.IsModified))
+            .Select(property => property.Metadata.Name);
 
-        foreach (var modifiedEntry in modifiedEntries)
-            if (modifiedEntry is Auditable auditableEntity)
-                auditableEntity.Modified = DateTime.UtcNow;
+        return new Tuple<List<string>, List<string>>(primaryKeys.ToList(), nonPrimaryKeys.ToList());
+    }
 
-        return base.SavingChangesAsync(eventData, result, cancellationToken);
+    public record AuditLog
+    {
+        public string TableName { get; init; } = default!;
+        public string Action { get; init; } = default!;
+        public string KeyValues { get; init; } = default!;
+        public string ChangedColumns { get; init; } = default!;
+        public DateTime EventDate { get; init; } = default!;
     }
 }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Helpers/Constants.cs

@@ -11,6 +11,8 @@ public static class Web
     public static class Security
     {
         public static string ResolvePolicyFromTokenIssuer => "ResolvePolicyFromTokenIssuer";
+        public static string RequestFromAccessFinland => "RequestFromAccessFinland";
+        public static string RequestFromDataspace => "RequestFromDataspace";
     }
 
     public static class Headers

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Middleware/ErrorHandlerMiddleware.cs

@@ -10,11 +10,12 @@ public class ErrorHandlerMiddleware
     private readonly ILogger<ErrorHandlerMiddleware> _logger;
 
     /// <summary>
-    /// RFC7807 Problem Details
+    /// Dataspace error response details
     /// </summary>
-    private class ErrorResponseDetails : Microsoft.AspNetCore.Mvc.ProblemDetails
+    private class ErrorResponseDetails
     {
-        
+        public string Type { get; set; } = string.Empty;
+        public string Message { get; set; } = string.Empty;
     }
 
     public ErrorHandlerMiddleware(RequestDelegate next, ILogger<ErrorHandlerMiddleware> logger)
@@ -30,56 +31,54 @@ public async Task Invoke(HttpContext context)
         }
         catch (Exception error)
         {
-            _logger.LogError(error, "Request processing failure!");
+            if (error is not NotFoundException && error is not NotAuthorizedException)
+            {
+                _logger.LogError(error, "Request processing failure!");
+            }
+
             var response = context.Response;
             response.ContentType = "application/json";
-            Dictionary<string, List<string>> validationErrorDetails = new Dictionary<string, List<string>>();
 
-            switch(error)
+            ErrorResponseDetails errorResponseDetails = new()
+            {
+                Type = "",
+                Message = ""
+            };
+          
+            switch (error)
             {
                 case NotAuthorizedException:
                     // custom application error
                     response.StatusCode = (int)HttpStatusCode.Unauthorized;
+                    errorResponseDetails.Type = "Unauthorized";
+                    errorResponseDetails.Message = error.Message ?? "Not authorized";
                     break;
                 case NotFoundException:
                     // not found error
                     response.StatusCode = (int)HttpStatusCode.NotFound;
+                    errorResponseDetails.Type = "NotFound";
+                    errorResponseDetails.Message = error.Message ?? "Not found";
                     break;
-                case BadRequestException e:
+                case BadRequestException:
                     // bad request error
                     response.StatusCode = (int)HttpStatusCode.BadRequest;
-
-                    e.ValidationErrors?.ForEach( o => validationErrorDetails.Add(o.Field, new List<string>() { o.Message }));
+                    errorResponseDetails.Type = "BadRequest";
+                    errorResponseDetails.Message = error.Message ?? "Bad request";
                     break;
                 default:
                     // unhandled error
                     response.StatusCode = (int)HttpStatusCode.InternalServerError;
+                    errorResponseDetails.Type = "InternalServerError";
+                    errorResponseDetails.Message = error.Message ?? "Internal Server Error";
                     break;
             }
 
-            ErrorResponseDetails errorResponseDetails = validationErrorDetails?.Count == 0 ? new ErrorResponseDetails()
-            {
-                Type = "https://tools.ietf.org/html/rfc7231",
-                Title = error.Message,
-                Detail = error.Message,
-                Status = response.StatusCode,
-                Instance = response.HttpContext.Request.Path
-            } : new ErrorResponseDetails()
-            {
-                Type = "https://tools.ietf.org/html/rfc7231",
-                Title = error.Message,
-                Detail = error.Message,
-                Status = response.StatusCode,
-                Instance = response.HttpContext.Request.Path,
-                Extensions = { new KeyValuePair<string, object?>( "errors", validationErrorDetails)  }
-            };
-
             var result = JsonSerializer.Serialize(errorResponseDetails,
                 new JsonSerializerOptions
-            {
-                PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
-                WriteIndented = true
-            });
+                {
+                    PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+                    WriteIndented = true
+                });
             await response.WriteAsync(result);
         }
     }

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Program.cs

@@ -14,6 +14,7 @@
 using VirtualFinland.UserAPI.Middleware;
 using VirtualFinland.UserAPI.Helpers.Extensions;
 using VirtualFinland.UserAPI.Security.Extensions;
+using VirtualFinland.UserAPI.Helpers;
 
 Log.Logger = new LoggerConfiguration()
     .WriteTo.Console()
@@ -87,6 +88,7 @@
     : null;
 var dbConnectionString = databaseSecret ?? builder.Configuration.GetConnectionString("DefaultConnection");
 
+builder.Services.AddSingleton<IAuditInterceptor, AuditInterceptor>();
 builder.Services.AddDbContext<UsersDbContext>(options =>
 {
     options.UseNpgsql(dbConnectionString,
@@ -141,8 +143,9 @@
         .AllowAnyHeader());
 }
 
-app.UseMiddleware<ErrorHandlerMiddleware>();
+
 app.UseSerilogRequestLogging();
+app.UseMiddleware<ErrorHandlerMiddleware>();
 app.UseHttpsRedirection();
 app.UseAuthentication();
 app.UseAuthorization();

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/AccessRequirements/RequestAccessConfig.cs

@@ -0,0 +1,9 @@
+
+namespace VirtualFinland.UserAPI.Security.AccessRequirements;
+
+public sealed class RequestAccessConfig
+{
+    public string HeaderName { get; init; } = default!;
+    public List<string> AccessKeys { get; init; } = default!;
+    public bool IsEnabled { get; init; } = default!;
+}

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/AccessRequirements/RequestAccessRequirement.cs

@@ -0,0 +1,41 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.Options;
+
+namespace VirtualFinland.UserAPI.Security.AccessRequirements;
+
+public class RequestAccessRequirement : AuthorizationHandler<RequestAccessRequirement>, IAuthorizationRequirement
+{
+    private readonly RequestAccessConfig _config;
+    public RequestAccessRequirement(RequestAccessConfig config)
+    {
+        _config = config;
+    }
+
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RequestAccessRequirement requirement)
+    {
+        if (!_config.IsEnabled)
+            context.Succeed(requirement);
+
+        if (context.Resource is DefaultHttpContext httpContext &&
+            httpContext.Request.Headers.TryGetValue(_config.HeaderName, out var apiKeyHeader))
+        {
+            string apiKey = apiKeyHeader.ToString();
+            if (IsValidApiKey(apiKey))
+            {
+                context.Succeed(requirement);
+            }
+        }
+        return Task.CompletedTask;
+    }
+
+    private bool IsValidApiKey(string apiKey)
+    {
+        foreach (var accessKey in _config.AccessKeys)
+        {
+            if (accessKey == "") continue;
+            if (apiKey == accessKey)
+                return true;
+        }
+        return false;
+    }
+}

VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/ApplicationSecurity.cs

@@ -28,13 +28,10 @@ public JwtTokenResult ParseJwtToken(string token)
 
         // Resolve the security feature by token issuer (must be enabled) // @TODO: ensure the security feature is loaded before this
         var tokenIssuer = parsedToken.Issuer;
-        var securityFeature = _features.Find(o => o.Issuer == tokenIssuer);
-        if (securityFeature == null) throw new NotAuthorizedException("The given token issuer is not valid");
+        var securityFeature = _features.Find(o => o.Issuer == tokenIssuer) ?? throw new NotAuthorizedException("The given token issuer is not valid");
 
         // Resolve user id
-        var userId = securityFeature.ResolveTokenUserId(parsedToken);
-        if (userId == null) throw new NotAuthorizedException("The given token claim is not valid");
-
+        var userId = securityFeature.ResolveTokenUserId(parsedToken) ?? throw new NotAuthorizedException("The given token claim is not valid");
         return new JwtTokenResult { UserId = userId, Issuer = securityFeature.Issuer };
     }
 }