Joseph Doherty
8fe7f46df6
Spike outcome: the shared ILdapAuthService (ZB.MOM.WW.Auth.Abstractions, an external
NuGet package) exposes ONLY AuthenticateAsync(username, password, ct) — no passwordless
service-account group-search. A live LDAP group re-query for an active session therefore
requires a new lib method and is OUT OF SCOPE (cannot modify the external package).
Implemented the always-achievable layers (cookie-only; no embedded JWT for cookie principals):
- /auth/login now stores the user's raw LDAP groups (one zb:group claim each) plus a
zb:lastrolerefresh anchor (login time, UTC), seeding the LastActivity idle anchor too.
- SessionClaimBuilder: single shared DRY claim-builder used by BOTH /auth/login AND the
refresh path, so the two claim shapes cannot drift (canonical identity/role/scope claims
with nameType/roleType pinned, plus the M2.19 group + refresh-anchor additions).
- CookieSessionValidator (TimeProvider-injected, unit-testable) + a thin
CookieAuthenticationEvents.OnValidatePrincipal adapter:
* idle-timeout: a session past IdleTimeoutMinutes (default 30) is RejectPrincipal+SignOut;
consistent with the cookie ExpireTimeSpan+SlidingExpiration window (same value).
* role refresh WITHOUT LDAP: when older than RoleRefreshThresholdMinutes (new option,
default 15) the DB-backed RoleMapper re-runs on the STORED groups, claims are rebuilt
via the shared builder, the anchor advances, principal is replaced + cookie renewed.
Revoked DB mappings drop the user's roles mid-session.
* fail-soft: any refresh error KEEPS the existing principal (no sign-out, never throws)
— mirrors the documented "LDAP failure: active sessions continue with current roles".
- Documented residual limitation in Component-Security.md: central role-mapping/scope
changes apply within ~15 min without LDAP; live directory group-membership changes are
picked up only at next login (needs a passwordless group-search on the external
ZB.MOM.WW.Auth.Ldap lib — tracked follow-up).
Tests (Security.Tests, all green): CookieSessionValidatorTests + SessionClaimBuilderParityTests
— idle reject/keep, LDAP-free remap-from-stored-groups, revoked-roles loss, sub-threshold
no-refresh, refresh-throws-keeps-session, and login/refresh claim-parity.
232 lines
11 KiB
C#
232 lines
11 KiB
C#
using System.Security.Claims;
|
|
using Microsoft.Extensions.Logging;
|
|
using Microsoft.Extensions.Options;
|
|
using ZB.MOM.WW.Auth.Abstractions.Roles;
|
|
|
|
namespace ZB.MOM.WW.ScadaBridge.Security;
|
|
|
|
/// <summary>
|
|
/// The outcome of a single cookie <c>OnValidatePrincipal</c> evaluation. The thin
|
|
/// <c>OnValidatePrincipal</c> lambda translates this into the matching
|
|
/// <c>CookieValidatePrincipalContext</c> calls (<c>RejectPrincipal</c> /
|
|
/// <c>ReplacePrincipal</c> + <c>ShouldRenew</c>); the decision itself is computed by
|
|
/// <see cref="CookieSessionValidator"/> so it is unit-testable in isolation.
|
|
/// </summary>
|
|
/// <param name="Action">What the caller must do with the principal.</param>
|
|
/// <param name="Principal">The replacement principal when <paramref name="Action"/> is <see cref="SessionValidationAction.Replace"/>; otherwise <c>null</c>.</param>
|
|
public readonly record struct SessionValidationResult(
|
|
SessionValidationAction Action,
|
|
ClaimsPrincipal? Principal)
|
|
{
|
|
/// <summary>Keep the existing principal unchanged.</summary>
|
|
public static SessionValidationResult Keep { get; } = new(SessionValidationAction.Keep, null);
|
|
|
|
/// <summary>Reject the principal (idle-timed-out) — the caller signs the user out.</summary>
|
|
public static SessionValidationResult Reject { get; } = new(SessionValidationAction.Reject, null);
|
|
|
|
/// <summary>Replace the principal with a refreshed one and renew the cookie.</summary>
|
|
/// <param name="principal">The rebuilt principal.</param>
|
|
/// <returns>A replace result carrying <paramref name="principal"/>.</returns>
|
|
public static SessionValidationResult Replace(ClaimsPrincipal principal) =>
|
|
new(SessionValidationAction.Replace, principal);
|
|
}
|
|
|
|
/// <summary>The action a cookie session validation requires of the caller.</summary>
|
|
public enum SessionValidationAction
|
|
{
|
|
/// <summary>Leave the principal as-is (no idle timeout, no refresh due, or a refresh error we swallow).</summary>
|
|
Keep,
|
|
|
|
/// <summary>The session is idle-timed-out; reject + sign out.</summary>
|
|
Reject,
|
|
|
|
/// <summary>The role mapping was refreshed; replace the principal and renew the cookie.</summary>
|
|
Replace,
|
|
}
|
|
|
|
/// <summary>
|
|
/// M2.19 (#15): the unit-testable core of the cookie <c>OnValidatePrincipal</c> event.
|
|
/// Enforces the idle timeout and refreshes the session's role/scope claims from the
|
|
/// STORED LDAP group claims via the DB-backed <see cref="RoleMapper"/> — <b>without any
|
|
/// LDAP call</b> — picking up central role-mapping (and scope-rule) changes mid-session.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// <para>
|
|
/// <b>Idle timeout</b> (default <see cref="SecurityOptions.IdleTimeoutMinutes"/> = 30):
|
|
/// computed from the <see cref="JwtTokenService.LastActivityClaimType"/> anchor. This is
|
|
/// the explicit, deterministic counterpart to the cookie middleware's
|
|
/// <c>ExpireTimeSpan</c> + <c>SlidingExpiration</c> window — both use the SAME idle
|
|
/// timeout value, so the explicit check never contradicts the cookie window. A
|
|
/// not-timed-out session has its last-activity anchor advanced to "now" (genuine
|
|
/// request = activity), mirroring the sliding renew.
|
|
/// </para>
|
|
/// <para>
|
|
/// <b>Role refresh</b> (default <see cref="SecurityOptions.RoleRefreshThresholdMinutes"/>
|
|
/// = 15): when the elapsed time since <see cref="JwtTokenService.LastRoleRefreshClaimType"/>
|
|
/// exceeds the threshold, the stored groups are re-mapped and the principal is rebuilt via
|
|
/// <see cref="SessionClaimBuilder"/> (identical shape to <c>/auth/login</c>). If the DB
|
|
/// mapping revoked the user's roles, the rebuilt principal reflects the loss.
|
|
/// </para>
|
|
/// <para>
|
|
/// <b>Failure policy</b>: a refresh error (e.g. the mapper throws because the DB is
|
|
/// unreachable) NEVER signs the user out and NEVER throws out of validation — it returns
|
|
/// <see cref="SessionValidationResult.Keep"/>, mirroring the documented "LDAP failure:
|
|
/// active sessions continue with current roles" stance. Only the explicit idle-timeout
|
|
/// path rejects.
|
|
/// </para>
|
|
/// </remarks>
|
|
public sealed class CookieSessionValidator
|
|
{
|
|
private readonly IGroupRoleMapper<string> _roleMapper;
|
|
private readonly SecurityOptions _options;
|
|
private readonly TimeProvider _timeProvider;
|
|
private readonly ILogger<CookieSessionValidator> _logger;
|
|
|
|
/// <summary>Initializes the validator.</summary>
|
|
/// <param name="roleMapper">The DB-backed group→role mapping seam (no LDAP) used for the mid-session refresh.</param>
|
|
/// <param name="options">Security options carrying the idle and role-refresh thresholds.</param>
|
|
/// <param name="timeProvider">Clock source; injected so tests can advance time deterministically.</param>
|
|
/// <param name="logger">Logger instance.</param>
|
|
public CookieSessionValidator(
|
|
IGroupRoleMapper<string> roleMapper,
|
|
IOptions<SecurityOptions> options,
|
|
TimeProvider timeProvider,
|
|
ILogger<CookieSessionValidator> logger)
|
|
{
|
|
_roleMapper = roleMapper ?? throw new ArgumentNullException(nameof(roleMapper));
|
|
_options = (options ?? throw new ArgumentNullException(nameof(options))).Value;
|
|
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
|
|
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
|
|
}
|
|
|
|
/// <summary>
|
|
/// Evaluates a cookie principal: enforces the idle timeout, then refreshes the
|
|
/// role/scope claims from the stored LDAP groups when the role-refresh interval has
|
|
/// elapsed. Never throws.
|
|
/// </summary>
|
|
/// <param name="principal">The current cookie principal under validation.</param>
|
|
/// <param name="ct">Cancellation token (the request-aborted token in the pipeline).</param>
|
|
/// <returns>The action the caller must take and any replacement principal.</returns>
|
|
public async Task<SessionValidationResult> ValidateAsync(ClaimsPrincipal? principal, CancellationToken ct = default)
|
|
{
|
|
// An unauthenticated / null principal is left to the rest of the pipeline.
|
|
if (principal?.Identity is not { IsAuthenticated: true })
|
|
{
|
|
return SessionValidationResult.Keep;
|
|
}
|
|
|
|
var now = _timeProvider.GetUtcNow();
|
|
|
|
// 1) Idle-timeout enforcement — the only path that rejects. A missing/unparsable
|
|
// last-activity anchor is treated as timed-out (fail-closed): a session we
|
|
// cannot age must not be kept alive forever.
|
|
if (IsIdleTimedOut(principal, now))
|
|
{
|
|
_logger.LogInformation(
|
|
"Cookie session for {Username} rejected: past the {IdleTimeout}-minute idle timeout.",
|
|
principal.FindFirst(JwtTokenService.UsernameClaimType)?.Value ?? "(unknown)",
|
|
_options.IdleTimeoutMinutes);
|
|
return SessionValidationResult.Reject;
|
|
}
|
|
|
|
// 2) Role-mapping refresh — best-effort. Any failure keeps the existing session.
|
|
try
|
|
{
|
|
var refreshed = await TryRefreshAsync(principal, now, ct).ConfigureAwait(false);
|
|
if (refreshed is not null)
|
|
{
|
|
return SessionValidationResult.Replace(refreshed);
|
|
}
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
// SECURITY: never broaden access and never sign the user out on a transient
|
|
// refresh fault — keep the existing principal (current roles) and swallow.
|
|
_logger.LogWarning(
|
|
ex,
|
|
"Mid-session role refresh failed for {Username}; keeping existing session and roles.",
|
|
principal.FindFirst(JwtTokenService.UsernameClaimType)?.Value ?? "(unknown)");
|
|
return SessionValidationResult.Keep;
|
|
}
|
|
|
|
return SessionValidationResult.Keep;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Returns true when the session's last-activity anchor is older than
|
|
/// <see cref="SecurityOptions.IdleTimeoutMinutes"/>. A missing/unparsable anchor is
|
|
/// treated as timed-out (fail-closed).
|
|
/// </summary>
|
|
/// <param name="principal">The cookie principal.</param>
|
|
/// <param name="now">The current instant.</param>
|
|
/// <returns><c>true</c> if the session has exceeded the idle window.</returns>
|
|
public bool IsIdleTimedOut(ClaimsPrincipal principal, DateTimeOffset now)
|
|
{
|
|
var claim = principal.FindFirst(JwtTokenService.LastActivityClaimType);
|
|
if (claim is null || !DateTimeOffset.TryParse(claim.Value, out var lastActivity))
|
|
{
|
|
return true;
|
|
}
|
|
|
|
return (now - lastActivity).TotalMinutes > _options.IdleTimeoutMinutes;
|
|
}
|
|
|
|
// Returns a rebuilt principal when a refresh occurred (role-refresh interval elapsed,
|
|
// OR last-activity needs advancing); null when nothing changed. The principal is
|
|
// rebuilt via SessionClaimBuilder so its shape is identical to /auth/login.
|
|
private async Task<ClaimsPrincipal?> TryRefreshAsync(ClaimsPrincipal principal, DateTimeOffset now, CancellationToken ct)
|
|
{
|
|
var roleRefreshDue = IsRoleRefreshDue(principal, now);
|
|
if (!roleRefreshDue)
|
|
{
|
|
// No mapping refresh due. We deliberately do NOT mint a new principal just to
|
|
// advance LastActivity: the cookie middleware's SlidingExpiration already
|
|
// renews the cookie window on activity, so the idle anchor only needs
|
|
// advancing when we are rebuilding the principal anyway (on a role refresh).
|
|
// This keeps the no-op request path allocation-free and avoids a cookie
|
|
// re-issue on every request.
|
|
return null;
|
|
}
|
|
|
|
var username = principal.FindFirst(JwtTokenService.UsernameClaimType)?.Value;
|
|
var displayName = principal.FindFirst(JwtTokenService.DisplayNameClaimType)?.Value;
|
|
if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(displayName))
|
|
{
|
|
// Malformed principal — cannot rebuild faithfully. Keep it (do not reject).
|
|
_logger.LogWarning("Cannot refresh role mapping: principal is missing username/display-name claims.");
|
|
return null;
|
|
}
|
|
|
|
var groups = SessionClaimBuilder.ReadGroups(principal);
|
|
|
|
// Re-run the DB-backed mapping on the STORED groups — NO LDAP call.
|
|
var mapping = await _roleMapper.MapAsync(groups, ct).ConfigureAwait(false);
|
|
var scope = mapping.Scope is RoleMappingResult mapped
|
|
? mapped
|
|
: new RoleMappingResult(mapping.Roles, [], IsSystemWideDeployment: false);
|
|
|
|
// Rebuild identically to /auth/login, advancing BOTH anchors: the role-refresh
|
|
// anchor (we just refreshed) and the idle anchor (this is a genuine request).
|
|
return SessionClaimBuilder.Build(username, displayName, groups, scope, now);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Returns true when the elapsed time since the last role refresh exceeds
|
|
/// <see cref="SecurityOptions.RoleRefreshThresholdMinutes"/>. A missing/unparsable
|
|
/// anchor is treated as due (refresh now and re-stamp the anchor).
|
|
/// </summary>
|
|
/// <param name="principal">The cookie principal.</param>
|
|
/// <param name="now">The current instant.</param>
|
|
/// <returns><c>true</c> if a role-mapping refresh is due.</returns>
|
|
public bool IsRoleRefreshDue(ClaimsPrincipal principal, DateTimeOffset now)
|
|
{
|
|
var claim = principal.FindFirst(JwtTokenService.LastRoleRefreshClaimType);
|
|
if (claim is null || !DateTimeOffset.TryParse(claim.Value, out var lastRefresh))
|
|
{
|
|
return true;
|
|
}
|
|
|
|
return (now - lastRefresh).TotalMinutes > _options.RoleRefreshThresholdMinutes;
|
|
}
|
|
}
|