Merge pull request #71 from Virtual-Finland-Development/VFD-264-vahvennetaan-tuotannon-palvelujen-kayttooikeudet

lsipii · web-flow · commit 86aabca48115 · 2023-08-31T07:09:54.000+03:00
Protect the users API endpoint with web ACL
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/Productizer/ProductizerController.cs b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/Productizer/ProductizerController.cs
@@ -13,6 +13,7 @@ namespace VirtualFinland.UserAPI.Activities.Productizer;
 
 [ApiController]
 [Authorize]
+[Authorize(Policy = "RequestFromDataspace")]
 [ProducesResponseType(StatusCodes.Status401Unauthorized)]
 [Produces("application/json")]
 public class ProductizerController : ControllerBase
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/User/UserController.cs b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Activities/User/UserController.cs
@@ -11,6 +11,7 @@ namespace VirtualFinland.UserAPI.Activities.User;
 
 [ApiController]
 [Authorize]
+[Authorize(Policy = "RequestFromAccessFinland")]
 [ProducesResponseType(StatusCodes.Status401Unauthorized)]
 [Produces("application/json")]
 public class UserController : ApiControllerBase
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Helpers/Constants.cs b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Helpers/Constants.cs
@@ -11,6 +11,8 @@ public static class Web
     public static class Security
     {
         public static string ResolvePolicyFromTokenIssuer => "ResolvePolicyFromTokenIssuer";
+        public static string RequestFromAccessFinland => "RequestFromAccessFinland";
+        public static string RequestFromDataspace => "RequestFromDataspace";
     }
 
     public static class Headers
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Program.cs b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Program.cs
@@ -14,6 +14,8 @@
 using VirtualFinland.UserAPI.Middleware;
 using VirtualFinland.UserAPI.Helpers.Extensions;
 using VirtualFinland.UserAPI.Security.Extensions;
+using VirtualFinland.UserAPI.Security.AccessRequirements;
+using VirtualFinland.UserAPI.Security.Configurations;
 
 Log.Logger = new LoggerConfiguration()
     .WriteTo.Console()
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/AccessRequirements/RequestAccessConfig.cs b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/AccessRequirements/RequestAccessConfig.cs
@@ -0,0 +1,9 @@
+
+namespace VirtualFinland.UserAPI.Security.AccessRequirements;
+
+public sealed class RequestAccessConfig
+{
+    public string HeaderName { get; init; } = default!;
+    public List<string> AccessKeys { get; init; } = default!;
+    public bool IsEnabled { get; init; } = default!;
+}
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/AccessRequirements/RequestAccessRequirement.cs b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/AccessRequirements/RequestAccessRequirement.cs
@@ -0,0 +1,41 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.Options;
+
+namespace VirtualFinland.UserAPI.Security.AccessRequirements;
+
+public class RequestAccessRequirement : AuthorizationHandler<RequestAccessRequirement>, IAuthorizationRequirement
+{
+    private readonly RequestAccessConfig _config;
+    public RequestAccessRequirement(RequestAccessConfig config)
+    {
+        _config = config;
+    }
+
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RequestAccessRequirement requirement)
+    {
+        if (!_config.IsEnabled)
+            context.Succeed(requirement);
+
+        if (context.Resource is DefaultHttpContext httpContext &&
+            httpContext.Request.Headers.TryGetValue(_config.HeaderName, out var apiKeyHeader))
+        {
+            string apiKey = apiKeyHeader.ToString();
+            if (IsValidApiKey(apiKey))
+            {
+                context.Succeed(requirement);
+            }
+        }
+        return Task.CompletedTask;
+    }
+
+    private bool IsValidApiKey(string apiKey)
+    {
+        foreach (var accessKey in _config.AccessKeys)
+        {
+            if (accessKey == "") continue;
+            if (apiKey == accessKey)
+                return true;
+        }
+        return false;
+    }
+}
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/ApplicationSecurity.cs b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/ApplicationSecurity.cs
@@ -28,13 +28,10 @@ public JwtTokenResult ParseJwtToken(string token)
 
         // Resolve the security feature by token issuer (must be enabled) // @TODO: ensure the security feature is loaded before this
         var tokenIssuer = parsedToken.Issuer;
-        var securityFeature = _features.Find(o => o.Issuer == tokenIssuer);
-        if (securityFeature == null) throw new NotAuthorizedException("The given token issuer is not valid");
+        var securityFeature = _features.Find(o => o.Issuer == tokenIssuer) ?? throw new NotAuthorizedException("The given token issuer is not valid");
 
         // Resolve user id
-        var userId = securityFeature.ResolveTokenUserId(parsedToken);
-        if (userId == null) throw new NotAuthorizedException("The given token claim is not valid");
-
+        var userId = securityFeature.ResolveTokenUserId(parsedToken) ?? throw new NotAuthorizedException("The given token claim is not valid");
         return new JwtTokenResult { UserId = userId, Issuer = securityFeature.Issuer };
     }
 }
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Configurations/TestBedConsentProviderConfig.cs b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Configurations/TestBedConsentProviderConfig.cs
@@ -27,9 +27,9 @@ public class TestBedConsentProviderConfig : IConsentProviderConfig
 
     public TestBedConsentProviderConfig(IConfiguration configuration)
     {
-        _jwksJsonUrl = configuration["Security:Testbed:ConsentJwksJsonUrl"];
-        Issuer = configuration["Security:Testbed:ConsentIssuer"];
-        ConsentVerifyUrl = configuration["Security:Testbed:ConsentVerifyUrl"];
+        _jwksJsonUrl = configuration["Security:Authorization:Testbed:ConsentJwksJsonUrl"];
+        Issuer = configuration["Security:Authorization:Testbed:ConsentIssuer"];
+        ConsentVerifyUrl = configuration["Security:Authorization:Testbed:ConsentVerifyUrl"];
     }
 
     public async void LoadPublicKeys()
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Extensions/ConsentServiceProviderExtensions.cs b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Extensions/ConsentServiceProviderExtensions.cs
@@ -15,7 +15,7 @@ public static IServiceCollection RegisterConsentServiceProviders(this IServiceCo
         var testBedConsentProviderConfig = new TestBedConsentProviderConfig(configuration);
         services.AddSingleton<IConsentProviderConfig>(testBedConsentProviderConfig);
 
-        if (configuration.GetValue<bool>("Security:Testbed:IsEnabled"))
+        if (configuration.GetValue<bool>("Security:Authorization:Testbed:IsEnabled"))
         {
             testBedConsentProviderConfig.LoadPublicKeys();
         }
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Extensions/SecurityFeatureServiceExtensions.cs b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/Security/Extensions/SecurityFeatureServiceExtensions.cs
@@ -2,6 +2,7 @@
 using Microsoft.Net.Http.Headers;
 using VirtualFinland.UserAPI.Exceptions;
 using VirtualFinland.UserAPI.Helpers;
+using VirtualFinland.UserAPI.Security.AccessRequirements;
 using VirtualFinland.UserAPI.Security.Features;
 using VirtualFinland.UserAPI.Security.Models;
 
@@ -19,19 +20,15 @@ public static IServiceCollection RegisterSecurityFeatures(this IServiceCollectio
     {
         var features = new List<ISecurityFeature>();
 
-        var securityConfigurations = configuration.GetSection("Security").Get<Dictionary<string, SecurityFeatureOptions>>();
+        var securityConfigurations = configuration.GetSection("Security:Authorization").Get<Dictionary<string, SecurityFeatureOptions>>();
         var enabledSecurityFeatureNames = securityConfigurations.Where(x => x.Value.IsEnabled).Select(x => x.Key).ToArray();
         if (!enabledSecurityFeatureNames.Any()) throw new ArgumentException("No security features enabled");
 
-        // Map security feature name to correct class
+        // Dynamically map security feature name to correct class
         foreach (var securityFeatureName in enabledSecurityFeatureNames)
         {
-            var securityFeatureType = Type.GetType($"VirtualFinland.UserAPI.Security.Features.{securityFeatureName}SecurityFeature");
-            if (securityFeatureType is null) throw new ArgumentException($"Security feature {securityFeatureName} not found");
-
-            var securityFeature = Activator.CreateInstance(securityFeatureType, securityConfigurations[securityFeatureName]) as ISecurityFeature;
-            if (securityFeature is null) throw new ArgumentException($"Security feature {securityFeatureName} not found");
-
+            var securityFeatureType = Type.GetType($"VirtualFinland.UserAPI.Security.Features.{securityFeatureName}SecurityFeature") ?? throw new ArgumentException($"Security feature {securityFeatureName} not found");
+            var securityFeature = Activator.CreateInstance(securityFeatureType, securityConfigurations[securityFeatureName]) as ISecurityFeature ?? throw new ArgumentException($"Security feature {securityFeatureName} not found");
             features.Add(securityFeature);
         }
 
@@ -51,6 +48,12 @@ public static IServiceCollection RegisterSecurityFeatures(this IServiceCollectio
         services.AddAuthorization(options =>
         {
             foreach (var securityFeature in features) securityFeature.BuildAuthorization(options);
+
+            // Add special policies
+            options.AddPolicy(Constants.Security.RequestFromAccessFinland, policy =>
+                policy.Requirements.Add(new RequestAccessRequirement(configuration.GetSection("Security:Access:AccessFinland").Get<RequestAccessConfig>())));
+            options.AddPolicy(Constants.Security.RequestFromDataspace, policy =>
+                policy.Requirements.Add(new RequestAccessRequirement(configuration.GetSection("Security:Access:Dataspace").Get<RequestAccessConfig>())));
         });
 
         authenticationBuilder.AddPolicyScheme(Constants.Security.ResolvePolicyFromTokenIssuer, Constants.Security.ResolvePolicyFromTokenIssuer,
@@ -68,7 +71,7 @@ private static string GetSecurityPolicySchemeName(IHeaderDictionary headers, IEn
         var authorizationHeader = headers[HeaderNames.Authorization].FirstOrDefault();
 
         if (string.IsNullOrEmpty(authorizationHeader) || !authorizationHeader.StartsWith("Bearer "))
-            throw new NotAuthorizedException("Invalid token provided");
+            throw new NotAuthorizedException("No token provided");
 
         var token = authorizationHeader["Bearer ".Length..].Trim();
 
@@ -78,11 +81,7 @@ private static string GetSecurityPolicySchemeName(IHeaderDictionary headers, IEn
 
         var issuer = jwtHandler.ReadJwtToken(token).Issuer;
 
-        var feature = features.SingleOrDefault(securityFeature => securityFeature.Issuer == issuer);
-
-        if (feature is null)
-            throw new NotAuthorizedException("Invalid token provided");
-
+        var feature = features.SingleOrDefault(securityFeature => securityFeature.Issuer == issuer) ?? throw new NotAuthorizedException("Invalid token provider");
         return feature.GetSecurityPolicySchemeName();
     }
 }
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/appsettings.dev.json b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/appsettings.dev.json
@@ -22,16 +22,18 @@
     ]
   },
   "Security": {
-    "SuomiFi": {
-      "AuthorizationJwksJsonUrl": "https://virtual-finland-development-auth-files.s3.eu-north-1.amazonaws.com/dev/.well-known/jwks.json",
-      "Issuer": "virtual-finland/authentication-gw/suomifi",
-      "IsEnabled": true
-    },
-    "Testbed": {
-      "IsEnabled": true
-    },
-    "Sinuna": {
-      "IsEnabled": true
+    "Authorization": {
+      "SuomiFi": {
+        "AuthorizationJwksJsonUrl": "https://virtual-finland-development-auth-files.s3.eu-north-1.amazonaws.com/dev/.well-known/jwks.json",
+        "Issuer": "virtual-finland/authentication-gw/suomifi",
+        "IsEnabled": true
+      },
+      "Testbed": {
+        "IsEnabled": true
+      },
+      "Sinuna": {
+        "IsEnabled": true
+      }
     }
   }
 }
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/appsettings.json b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/appsettings.json
@@ -7,24 +7,43 @@
   },
   "AllowedHosts": "*",
   "Security": {
-    "Testbed": {
-      "Domain": "login.testbed.fi",
-      "Issuer": "https://login.testbed.fi",
-      "Audience": "https://login.testbed.fi",
-      "OpenIDConfigurationURL": "https://login.testbed.fi/.well-known/openid-configuration",
-      "ConsentJwksJsonUrl": "https://consent.testbed.fi/.well-known/jwks.json",
-      "ConsentIssuer": "https://consent.testbed.fi",
-      "ConsentVerifyUrl": "https://consent.testbed.fi/Consent/Verify",
-      "IsEnabled": false
+    "Access": {
+      "AccessFinland": {
+        "HeaderName": "x-api-key",
+        "AccessKeys": [
+          "secret"
+        ],
+        "IsEnabled": true
+      },
+      "Dataspace": {
+        "HeaderName": "user-agent",
+        "AccessKeys": [
+          "Access Finland - MVP Application",
+          "Virtual Finland - Testbed API"
+        ],
+        "IsEnabled": true
+      }
     },
-    "Sinuna": {
-      "OpenIDConfigurationURL": "https://login.iam.qa.sinuna.fi/oxauth/.well-known/openid-configuration",
-      "IsEnabled": false
-    },
-    "SuomiFi": {
-      "AuthorizationJwksJsonUrl": "http://localhost:4078/auth/saml2/suomifi/.well-known/jwks.json",
-      "Issuer": "virtual-finland/authentication-gw/suomifi",
-      "IsEnabled": false
+    "Authorization": {
+      "Testbed": {
+        "Domain": "login.testbed.fi",
+        "Issuer": "https://login.testbed.fi",
+        "Audience": "https://login.testbed.fi",
+        "OpenIDConfigurationURL": "https://login.testbed.fi/.well-known/openid-configuration",
+        "ConsentJwksJsonUrl": "https://consent.testbed.fi/.well-known/jwks.json",
+        "ConsentIssuer": "https://consent.testbed.fi",
+        "ConsentVerifyUrl": "https://consent.testbed.fi/Consent/Verify",
+        "IsEnabled": false
+      },
+      "Sinuna": {
+        "OpenIDConfigurationURL": "https://login.iam.qa.sinuna.fi/oxauth/.well-known/openid-configuration",
+        "IsEnabled": false
+      },
+      "SuomiFi": {
+        "AuthorizationJwksJsonUrl": "http://localhost:4078/auth/saml2/suomifi/.well-known/jwks.json",
+        "Issuer": "virtual-finland/authentication-gw/suomifi",
+        "IsEnabled": false
+      }
     }
   },
   "ConnectionStrings": {
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/appsettings.local.json b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/appsettings.local.json
@@ -19,14 +19,16 @@
   },
   "CodesetApiBaseUrl": "http://localhost:3166/resources",
   "Security": {
-    "Testbed": {
-      "IsEnabled": true
-    },
-    "Sinuna": {
-      "IsEnabled": true
-    },
-    "SuomiFi": {
-      "IsEnabled": true
+    "Authorization": {
+      "Testbed": {
+        "IsEnabled": true
+      },
+      "Sinuna": {
+        "IsEnabled": true
+      },
+      "SuomiFi": {
+        "IsEnabled": true
+      }
     }
   }
 }
diff --git a/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/appsettings.staging.json b/VirtualFinland.UserAPI/src/VirtualFinland.UsersAPI/appsettings.staging.json
@@ -22,12 +22,14 @@
     ]
   },
   "Security": {
-    "SuomiFi": {
-      "AuthorizationJwksJsonUrl": "https://virtual-finland-development-auth-files.s3.eu-north-1.amazonaws.com/staging/.well-known/jwks.json",
-      "Issuer": "virtual-finland/authentication-gw/suomifi"
-    },
-    "Sinuna": {
-      "IsEnabled": true
+    "Authorization": {
+      "SuomiFi": {
+        "AuthorizationJwksJsonUrl": "https://virtual-finland-development-auth-files.s3.eu-north-1.amazonaws.com/staging/.well-known/jwks.json",
+        "Issuer": "virtual-finland/authentication-gw/suomifi"
+      },
+      "Sinuna": {
+        "IsEnabled": true
+      }
     }
   }
 }
diff --git a/VirtualFinland.UsersAPI.Deployment/Common/Models/StackSetup.cs b/VirtualFinland.UsersAPI.Deployment/Common/Models/StackSetup.cs
@@ -8,4 +8,7 @@ public record StackSetup
     public bool IsProductionEnvironment;
     public string Environment = default!;
     public string ProjectName = default!;
+    public string Organization = default!;
+    public string Region = default!;
+    public string GetInfrastructureStackName() => $"{Organization}/infrastructure/{Environment}";
 }
diff --git a/VirtualFinland.UsersAPI.Deployment/Features/DatabaseMigratorLambda.cs b/VirtualFinland.UsersAPI.Deployment/Features/DatabaseMigratorLambda.cs
@@ -87,8 +87,6 @@ public DatabaseMigratorLambda(Config config, StackSetup stackSetup, VpcSetup vpc
         };
 
         var appArtifactPath = Environment.GetEnvironmentVariable("DB_MIGRATOR_ARTIFACT_PATH") ?? config.Require("dbMigratorArtifactPath");
-        Pulumi.Log.Info($"DatabaseMigrationRunner artifact Path: {appArtifactPath}");
-
         var lambdaFunction = new Function($"{stackSetup.ProjectName}-DatabaseMigrationRunner-{stackSetup.Environment}", new FunctionArgs
         {
             Role = execRole.Arn,
diff --git a/VirtualFinland.UsersAPI.Deployment/Features/LambdaFunctionUrl.cs b/VirtualFinland.UsersAPI.Deployment/Features/LambdaFunctionUrl.cs
diff --git a/VirtualFinland.UsersAPI.Deployment/Features/UsersApiLambdaFunction.cs b/VirtualFinland.UsersAPI.Deployment/Features/UsersApiLambdaFunction.cs
diff --git a/VirtualFinland.UsersAPI.Deployment/Pulumi.mvp-staging.yaml b/VirtualFinland.UsersAPI.Deployment/Pulumi.mvp-staging.yaml
diff --git a/VirtualFinland.UsersAPI.Deployment/Pulumi.yaml b/VirtualFinland.UsersAPI.Deployment/Pulumi.yaml
diff --git a/VirtualFinland.UsersAPI.Deployment/UsersAPIStack.cs b/VirtualFinland.UsersAPI.Deployment/UsersAPIStack.cs

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@ public static class Web`
`11`	`11`	`public static class Security`
`12`	`12`	`{`
`13`	`13`	`public static string ResolvePolicyFromTokenIssuer => "ResolvePolicyFromTokenIssuer";`
	`14`	`+ public static string RequestFromAccessFinland => "RequestFromAccessFinland";`
	`15`	`+ public static string RequestFromDataspace => "RequestFromDataspace";`
`14`	`16`	`}`
`15`	`17`
`16`	`18`	`public static class Headers`
Original file line number	Diff line number	Diff line change
`@@ -28,13 +28,10 @@ public JwtTokenResult ParseJwtToken(string token)`
`28`	`28`
`29`	`29`	`// Resolve the security feature by token issuer (must be enabled) // @TODO: ensure the security feature is loaded before this`
`30`	`30`	`var tokenIssuer = parsedToken.Issuer;`
`31`		`- var securityFeature = _features.Find(o => o.Issuer == tokenIssuer);`
`32`		`- if (securityFeature == null) throw new NotAuthorizedException("The given token issuer is not valid");`
	`31`	`+ var securityFeature = _features.Find(o => o.Issuer == tokenIssuer) ?? throw new NotAuthorizedException("The given token issuer is not valid");`
`33`	`32`
`34`	`33`	`// Resolve user id`
`35`		`- var userId = securityFeature.ResolveTokenUserId(parsedToken);`
`36`		`- if (userId == null) throw new NotAuthorizedException("The given token claim is not valid");`
`37`		`-`
	`34`	`+ var userId = securityFeature.ResolveTokenUserId(parsedToken) ?? throw new NotAuthorizedException("The given token claim is not valid");`
`38`	`35`	`return new JwtTokenResult { UserId = userId, Issuer = securityFeature.Issuer };`
`39`	`36`	`}`
`40`	`37`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,9 +27,9 @@ public class TestBedConsentProviderConfig : IConsentProviderConfig`
`27`	`27`
`28`	`28`	`public TestBedConsentProviderConfig(IConfiguration configuration)`
`29`	`29`	`{`
`30`		`- _jwksJsonUrl = configuration["Security:Testbed:ConsentJwksJsonUrl"];`
`31`		`- Issuer = configuration["Security:Testbed:ConsentIssuer"];`
`32`		`- ConsentVerifyUrl = configuration["Security:Testbed:ConsentVerifyUrl"];`
	`30`	`+ _jwksJsonUrl = configuration["Security:Authorization:Testbed:ConsentJwksJsonUrl"];`
	`31`	`+ Issuer = configuration["Security:Authorization:Testbed:ConsentIssuer"];`
	`32`	`+ ConsentVerifyUrl = configuration["Security:Authorization:Testbed:ConsentVerifyUrl"];`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`public async void LoadPublicKeys()`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ public static IServiceCollection RegisterConsentServiceProviders(this IServiceCo`
`15`	`15`	`var testBedConsentProviderConfig = new TestBedConsentProviderConfig(configuration);`
`16`	`16`	`services.AddSingleton<IConsentProviderConfig>(testBedConsentProviderConfig);`
`17`	`17`
`18`		`- if (configuration.GetValue<bool>("Security:Testbed:IsEnabled"))`
	`18`	`+ if (configuration.GetValue<bool>("Security:Authorization:Testbed:IsEnabled"))`
`19`	`19`	`{`
`20`	`20`	`testBedConsentProviderConfig.LoadPublicKeys();`
`21`	`21`	`}`