feat(security): AutoLoginAuthenticationHandler — all-roles system-wide dev auto-login
This commit is contained in:
Joseph Doherty
@@ -3,8 +3,8 @@
|
|||||||
"designDoc": "docs/plans/2026-06-16-disable-login-design.md",
|
"designDoc": "docs/plans/2026-06-16-disable-login-design.md",
|
||||||
"branch": "feature/disable-login",
|
"branch": "feature/disable-login",
|
||||||
"tasks": [
|
"tasks": [
|
||||||
{"id": 62, "ref": "DL-1", "subject": "AuthDisableLoginOptions + Roles.All", "class": "small", "status": "pending"},
|
{"id": 62, "ref": "DL-1", "subject": "AuthDisableLoginOptions + Roles.All", "class": "small", "status": "completed", "commits": ["72691e5"]},
|
||||||
{"id": 63, "ref": "DL-2", "subject": "AutoLoginAuthenticationHandler + tests", "class": "high-risk", "status": "pending", "blockedBy": [62]},
|
{"id": 63, "ref": "DL-2", "subject": "AutoLoginAuthenticationHandler + tests", "class": "high-risk", "status": "completed", "blockedBy": [62]},
|
||||||
{"id": 64, "ref": "DL-3", "subject": "Wire flag into AddSecurity + Host + startup warning", "class": "standard", "status": "pending", "blockedBy": [62, 63]},
|
{"id": 64, "ref": "DL-3", "subject": "Wire flag into AddSecurity + Host + startup warning", "class": "standard", "status": "pending", "blockedBy": [62, 63]},
|
||||||
{"id": 65, "ref": "DL-4", "subject": "Docs + dev config note", "class": "trivial", "status": "pending", "blockedBy": [64]}
|
{"id": 65, "ref": "DL-4", "subject": "Docs + dev config note", "class": "trivial", "status": "pending", "blockedBy": [64]}
|
||||||
],
|
],
|
||||||
|
|||||||
@@ -0,0 +1,60 @@
|
|||||||
|
using System.Security.Claims;
|
||||||
|
using System.Text.Encodings.Web;
|
||||||
|
using Microsoft.AspNetCore.Authentication;
|
||||||
|
using Microsoft.AspNetCore.Authentication.Cookies;
|
||||||
|
using Microsoft.Extensions.Logging;
|
||||||
|
using Microsoft.Extensions.Options;
|
||||||
|
|
||||||
|
namespace ZB.MOM.WW.ScadaBridge.Security.Auth;
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Auth handler used ONLY when <see cref="AuthDisableLoginOptions.DisableLogin"/> is true.
|
||||||
|
/// Registered under the cookie scheme name, it authenticates EVERY request as the configured
|
||||||
|
/// dev user with all <see cref="Roles.All"/> roles, system-wide — no credential check, no cookie.
|
||||||
|
/// The minted principal mirrors a real login (it reuses <see cref="SessionClaimBuilder"/>).
|
||||||
|
/// Dev/test ONLY.
|
||||||
|
/// </summary>
|
||||||
|
public sealed class AutoLoginAuthenticationHandler
|
||||||
|
: AuthenticationHandler<AuthenticationSchemeOptions>, IAuthenticationSignInHandler
|
||||||
|
{
|
||||||
|
private readonly AuthDisableLoginOptions _opts;
|
||||||
|
private readonly TimeProvider _clock;
|
||||||
|
|
||||||
|
/// <summary>Initializes the handler with the scheme plumbing, the disable-login options, and the clock.</summary>
|
||||||
|
public AutoLoginAuthenticationHandler(
|
||||||
|
IOptionsMonitor<AuthenticationSchemeOptions> options,
|
||||||
|
ILoggerFactory logger,
|
||||||
|
UrlEncoder encoder,
|
||||||
|
IOptions<AuthDisableLoginOptions> disableLoginOptions,
|
||||||
|
TimeProvider clock)
|
||||||
|
: base(options, logger, encoder)
|
||||||
|
{
|
||||||
|
_opts = disableLoginOptions.Value;
|
||||||
|
_clock = clock;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>No-op: auto-login writes no cookie, so an explicit sign-in has nothing to persist.</summary>
|
||||||
|
public Task SignInAsync(ClaimsPrincipal user, AuthenticationProperties? properties) => Task.CompletedTask;
|
||||||
|
|
||||||
|
/// <summary>No-op: there is no auth cookie to clear; the next request re-authenticates via this handler.</summary>
|
||||||
|
public Task SignOutAsync(AuthenticationProperties? properties) => Task.CompletedTask;
|
||||||
|
|
||||||
|
/// <inheritdoc />
|
||||||
|
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
|
||||||
|
{
|
||||||
|
var user = string.IsNullOrWhiteSpace(_opts.User) ? "multi-role" : _opts.User;
|
||||||
|
|
||||||
|
// All roles, system-wide (no site-scope claims). Reuse the canonical builder so the
|
||||||
|
// principal is shape-identical to a real all-roles system-wide login.
|
||||||
|
var mapping = new RoleMappingResult(Roles.All, [], IsSystemWideDeployment: true);
|
||||||
|
var principal = SessionClaimBuilder.Build(
|
||||||
|
username: user,
|
||||||
|
displayName: user,
|
||||||
|
groups: [],
|
||||||
|
mapping: mapping,
|
||||||
|
refreshTimestamp: _clock.GetUtcNow());
|
||||||
|
|
||||||
|
var ticket = new AuthenticationTicket(principal, Scheme.Name);
|
||||||
|
return Task.FromResult(AuthenticateResult.Success(ticket));
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,73 @@
|
|||||||
|
using System.Security.Claims;
|
||||||
|
using System.Text.Encodings.Web;
|
||||||
|
using Microsoft.AspNetCore.Authentication;
|
||||||
|
using Microsoft.AspNetCore.Authentication.Cookies;
|
||||||
|
using Microsoft.AspNetCore.Http;
|
||||||
|
using Microsoft.Extensions.Logging.Abstractions;
|
||||||
|
using Microsoft.Extensions.Options;
|
||||||
|
using ZB.MOM.WW.ScadaBridge.Security;
|
||||||
|
using ZB.MOM.WW.ScadaBridge.Security.Auth;
|
||||||
|
using Xunit;
|
||||||
|
|
||||||
|
namespace ZB.MOM.WW.ScadaBridge.Security.Tests;
|
||||||
|
|
||||||
|
public class AutoLoginAuthenticationHandlerTests
|
||||||
|
{
|
||||||
|
/// <summary>
|
||||||
|
/// Minimal <see cref="IOptionsMonitor{T}"/> stub for the scheme options the base
|
||||||
|
/// <see cref="AuthenticationHandler{TOptions}"/> resolves during InitializeAsync. This
|
||||||
|
/// test project deliberately carries no mocking library, so the seam is hand-rolled.
|
||||||
|
/// </summary>
|
||||||
|
private sealed class StubOptionsMonitor : IOptionsMonitor<AuthenticationSchemeOptions>
|
||||||
|
{
|
||||||
|
private readonly AuthenticationSchemeOptions _value = new();
|
||||||
|
public AuthenticationSchemeOptions CurrentValue => _value;
|
||||||
|
public AuthenticationSchemeOptions Get(string? name) => _value;
|
||||||
|
public IDisposable? OnChange(Action<AuthenticationSchemeOptions, string?> listener) => null;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static async Task<AutoLoginAuthenticationHandler> CreateAsync(string user = "multi-role")
|
||||||
|
{
|
||||||
|
var schemeOptions = new StubOptionsMonitor();
|
||||||
|
var opts = Options.Create(new AuthDisableLoginOptions { DisableLogin = true, User = user });
|
||||||
|
|
||||||
|
var handler = new AutoLoginAuthenticationHandler(
|
||||||
|
schemeOptions, NullLoggerFactory.Instance, UrlEncoder.Default, opts, TimeProvider.System);
|
||||||
|
|
||||||
|
await handler.InitializeAsync(
|
||||||
|
new AuthenticationScheme(
|
||||||
|
CookieAuthenticationDefaults.AuthenticationScheme, null, typeof(AutoLoginAuthenticationHandler)),
|
||||||
|
new DefaultHttpContext());
|
||||||
|
return handler;
|
||||||
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public async Task Authenticate_GrantsAllRoles_SystemWide_AsConfiguredUser()
|
||||||
|
{
|
||||||
|
var handler = await CreateAsync("multi-role");
|
||||||
|
var result = await handler.AuthenticateAsync();
|
||||||
|
|
||||||
|
Assert.True(result.Succeeded);
|
||||||
|
var p = result.Principal!;
|
||||||
|
Assert.Equal("multi-role", p.Identity!.Name);
|
||||||
|
foreach (var role in Roles.All)
|
||||||
|
Assert.True(p.IsInRole(role), $"expected role {role}");
|
||||||
|
Assert.Empty(p.FindAll(JwtTokenService.SiteIdClaimType)); // system-wide => no scope claims
|
||||||
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public async Task Authenticate_BlankUser_FallsBackToMultiRole()
|
||||||
|
{
|
||||||
|
var handler = await CreateAsync(" ");
|
||||||
|
var result = await handler.AuthenticateAsync();
|
||||||
|
Assert.Equal("multi-role", result.Principal!.Identity!.Name);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public async Task SignInAndSignOut_AreNoOps_DoNotThrow()
|
||||||
|
{
|
||||||
|
var handler = await CreateAsync();
|
||||||
|
await handler.SignInAsync(new ClaimsPrincipal(), null);
|
||||||
|
await handler.SignOutAsync(null);
|
||||||
|
}
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user