Joseph Doherty
d312dfb139
DisableLogin only swapped the cookie auth scheme (AutoLoginAuthenticationHandler), which covers the interactive UI. The CLI authenticates POST /management, the audit REST endpoints, and the SignalR debug-stream hub with HTTP Basic, and each ran its own hardcoded Basic->LDAP check that ignored DisableLogin. In a login-disabled (e.g. no-LDAP) deployment that locked the CLI out: every call returned 401 AUTH_FAILED. Add ManagementAuthenticator, which centralizes the management/CLI auth flow: when ScadaBridge:Security:Auth:DisableLogin is true it synthesizes the same dev principal as AutoLoginAuthenticationHandler (configured user, all roles, system-wide) and bypasses Basic->LDAP; otherwise the unchanged Basic->LDAP flow runs. Wired into ManagementEndpoints (delegates), AuditEndpoints (delegates), and DebugStreamHub (bypass branch). +6 unit tests; ManagementService.Tests green (140).
133 lines
6.6 KiB
C#
133 lines
6.6 KiB
C#
using System.Text;
|
|
using Microsoft.AspNetCore.Http;
|
|
using Microsoft.Extensions.DependencyInjection;
|
|
using Microsoft.Extensions.Options;
|
|
using ZB.MOM.WW.Auth.Abstractions.Ldap;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
|
|
using ZB.MOM.WW.ScadaBridge.Security;
|
|
using ZB.MOM.WW.ScadaBridge.Security.Auth;
|
|
|
|
namespace ZB.MOM.WW.ScadaBridge.ManagementService;
|
|
|
|
/// <summary>
|
|
/// Shared HTTP-Basic → LDAP authentication for the management/CLI surfaces
|
|
/// (<see cref="ManagementEndpoints"/>, <see cref="AuditEndpoints"/>, and the debug-stream hub).
|
|
/// Centralising the flow here means the dev/test <c>DisableLogin</c> bypass is applied
|
|
/// <em>identically</em> on every CLI-facing surface.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// <para>
|
|
/// <c>ScadaBridge:Security:Auth:DisableLogin</c> swaps the <em>cookie</em> authentication
|
|
/// scheme for <c>AutoLoginAuthenticationHandler</c>, which lets the interactive browser UI
|
|
/// in without credentials. The CLI does not use cookies — it authenticates the
|
|
/// <c>POST /management</c> (and audit REST) surfaces with HTTP Basic, which run their own
|
|
/// manual Basic → LDAP check. That check is independent of the cookie scheme, so without the
|
|
/// bypass below the CLI is locked out of a login-disabled deployment whenever LDAP is not in
|
|
/// use (the bind fails and every call returns <c>401 AUTH_FAILED</c>).
|
|
/// </para>
|
|
/// <para>
|
|
/// The bypass mirrors <c>AutoLoginAuthenticationHandler</c> exactly: the configured dev user
|
|
/// (default <c>multi-role</c>) with ALL <see cref="Roles.All"/> roles, system-wide (empty
|
|
/// <see cref="AuthenticatedUser.PermittedSiteIds"/>). The startup <c>AUTH DISABLED</c> warning
|
|
/// (emitted by <c>AddSecurity</c>) already announces this posture. Dev/test ONLY.
|
|
/// </para>
|
|
/// </remarks>
|
|
public static class ManagementAuthenticator
|
|
{
|
|
/// <summary>Outcome of <see cref="AuthenticateAsync"/>: exactly one of the two fields is set.</summary>
|
|
/// <param name="User">The authenticated principal on success; otherwise <see langword="null"/>.</param>
|
|
/// <param name="Failure">The 401 <see cref="IResult"/> to return on failure; otherwise <see langword="null"/>.</param>
|
|
public readonly record struct AuthOutcome(AuthenticatedUser? User, IResult? Failure);
|
|
|
|
/// <summary>
|
|
/// When <c>ScadaBridge:Security:Auth:DisableLogin</c> is true, returns the synthesized dev
|
|
/// principal (configured user, ALL roles, system-wide) that mirrors the cookie-scheme
|
|
/// <c>AutoLoginAuthenticationHandler</c> — so the Basic-Auth CLI surfaces are reachable in a
|
|
/// login-disabled (e.g. no-LDAP) deployment. Returns <see langword="null"/> when the flag is
|
|
/// off, in which case the caller must fall back to real Basic → LDAP authentication.
|
|
/// Dev/test ONLY.
|
|
/// </summary>
|
|
/// <param name="context">The current HTTP request context (used to resolve the options).</param>
|
|
/// <returns>The dev principal when login is disabled; otherwise <see langword="null"/>.</returns>
|
|
public static AuthenticatedUser? TryDisableLoginUser(HttpContext context)
|
|
{
|
|
var opts = context.RequestServices.GetService<IOptions<AuthDisableLoginOptions>>()?.Value;
|
|
if (opts is null || !opts.DisableLogin)
|
|
return null;
|
|
|
|
var user = string.IsNullOrWhiteSpace(opts.User) ? "multi-role" : opts.User;
|
|
return new AuthenticatedUser(user, user, Roles.All, Array.Empty<string>());
|
|
}
|
|
|
|
/// <summary>
|
|
/// Authenticates a management/CLI request. Honours the dev/test <c>DisableLogin</c> bypass
|
|
/// first (<see cref="TryDisableLoginUser"/>); otherwise decodes HTTP Basic Auth, binds
|
|
/// against LDAP, and resolves roles. Returns a populated <see cref="AuthenticatedUser"/> on
|
|
/// success, or an <see cref="IResult"/> carrying the 401 response on any failure.
|
|
/// </summary>
|
|
/// <param name="context">The HTTP request to authenticate.</param>
|
|
/// <returns>An <see cref="AuthOutcome"/> carrying either the user or the 401 failure result.</returns>
|
|
public static async Task<AuthOutcome> AuthenticateAsync(HttpContext context)
|
|
{
|
|
// Dev/test bypass: when login is disabled, the CLI surface auto-authenticates as the
|
|
// configured dev user — no credential check — mirroring the interactive cookie handler.
|
|
var bypass = TryDisableLoginUser(context);
|
|
if (bypass is not null)
|
|
return new AuthOutcome(bypass, null);
|
|
|
|
// 1. Decode Basic Auth
|
|
var authHeader = context.Request.Headers.Authorization.ToString();
|
|
if (string.IsNullOrEmpty(authHeader) || !authHeader.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
|
|
{
|
|
return new AuthOutcome(null, Results.Json(
|
|
new { error = "Authorization header required (Basic scheme).", code = "AUTH_FAILED" }, statusCode: 401));
|
|
}
|
|
|
|
string username, password;
|
|
try
|
|
{
|
|
var decoded = Encoding.UTF8.GetString(Convert.FromBase64String(authHeader["Basic ".Length..]));
|
|
var colon = decoded.IndexOf(':');
|
|
if (colon < 0) throw new FormatException();
|
|
username = decoded[..colon];
|
|
password = decoded[(colon + 1)..];
|
|
}
|
|
catch
|
|
{
|
|
return new AuthOutcome(null, Results.Json(
|
|
new { error = "Malformed Basic Auth header.", code = "AUTH_FAILED" }, statusCode: 401));
|
|
}
|
|
|
|
if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password))
|
|
{
|
|
return new AuthOutcome(null, Results.Json(
|
|
new { error = "Username and password are required.", code = "AUTH_FAILED" }, statusCode: 401));
|
|
}
|
|
|
|
// 2. LDAP authentication
|
|
var ldapAuth = context.RequestServices.GetRequiredService<ILdapAuthService>();
|
|
var authResult = await ldapAuth.AuthenticateAsync(username, password, context.RequestAborted);
|
|
if (!authResult.Succeeded)
|
|
{
|
|
return new AuthOutcome(null, Results.Json(
|
|
new { error = LdapAuthFailureMessages.ToMessage(authResult.Failure), code = "AUTH_FAILED" }, statusCode: 401));
|
|
}
|
|
|
|
// 3. Role resolution
|
|
var roleMapper = context.RequestServices.GetRequiredService<RoleMapper>();
|
|
var mappingResult = await roleMapper.MapGroupsToRolesAsync(authResult.Groups, context.RequestAborted);
|
|
|
|
var permittedSiteIds = mappingResult.IsSystemWideDeployment
|
|
? Array.Empty<string>()
|
|
: mappingResult.PermittedSiteIds.ToArray();
|
|
|
|
var resolvedUser = new AuthenticatedUser(
|
|
authResult.Username,
|
|
authResult.DisplayName,
|
|
mappingResult.Roles.ToArray(),
|
|
permittedSiteIds);
|
|
|
|
return new AuthOutcome(resolvedUser, null);
|
|
}
|
|
}
|