feat(security): AutoLoginAuthenticationHandler for dev login bypass
This commit is contained in:
Joseph Doherty
@@ -0,0 +1,56 @@
|
||||
using System.Security.Claims;
|
||||
using System.Text.Encodings.Web;
|
||||
using Microsoft.AspNetCore.Authentication;
|
||||
using Microsoft.AspNetCore.Authentication.Cookies;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.Extensions.Options;
|
||||
using ZB.MOM.WW.Auth.AspNetCore; // ZbClaimTypes — same source AuthEndpoints mints claims from.
|
||||
|
||||
namespace ZB.MOM.WW.OtOpcUa.Security.Auth;
|
||||
|
||||
/// <summary>
|
||||
/// Auth handler used ONLY when <see cref="AuthDisableLoginOptions.DisableLogin"/> is true.
|
||||
/// Registered under the cookie scheme name, it authenticates EVERY request as the configured
|
||||
/// dev user with all <see cref="DevAuthRoles.All"/> roles — no credential check, no cookie.
|
||||
/// The minted principal mirrors the shape the real login (AuthEndpoints) produces.
|
||||
/// </summary>
|
||||
public sealed class AutoLoginAuthenticationHandler
|
||||
: AuthenticationHandler<AuthenticationSchemeOptions>
|
||||
{
|
||||
private readonly AuthDisableLoginOptions _opts;
|
||||
|
||||
/// <summary>Initializes the handler with the scheme plumbing and the disable-login options.</summary>
|
||||
/// <param name="options">The per-scheme authentication options monitor.</param>
|
||||
/// <param name="logger">The logger factory the base handler uses.</param>
|
||||
/// <param name="encoder">The URL encoder the base handler uses.</param>
|
||||
/// <param name="disableLoginOptions">The disable-login dev flag and configured username.</param>
|
||||
public AutoLoginAuthenticationHandler(
|
||||
IOptionsMonitor<AuthenticationSchemeOptions> options,
|
||||
ILoggerFactory logger,
|
||||
UrlEncoder encoder,
|
||||
IOptions<AuthDisableLoginOptions> disableLoginOptions)
|
||||
: base(options, logger, encoder)
|
||||
=> _opts = disableLoginOptions.Value;
|
||||
|
||||
/// <inheritdoc />
|
||||
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
|
||||
{
|
||||
var user = string.IsNullOrWhiteSpace(_opts.User) ? "multi-role-test" : _opts.User;
|
||||
|
||||
var claims = new List<Claim>
|
||||
{
|
||||
// ZbClaimTypes.Name = ClaimTypes.Name — populates Identity.Name canonically.
|
||||
new(ZbClaimTypes.Name, user),
|
||||
new(ZbClaimTypes.Username, user),
|
||||
new(ZbClaimTypes.DisplayName, user),
|
||||
};
|
||||
foreach (var role in DevAuthRoles.All)
|
||||
// ZbClaimTypes.Role = ClaimTypes.Role — framework [Authorize(Roles=...)] + IsInRole work.
|
||||
claims.Add(new Claim(ZbClaimTypes.Role, role));
|
||||
|
||||
var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
|
||||
var principal = new ClaimsPrincipal(identity);
|
||||
var ticket = new AuthenticationTicket(principal, Scheme.Name);
|
||||
return Task.FromResult(AuthenticateResult.Success(ticket));
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,64 @@
|
||||
using System.Text.Encodings.Web;
|
||||
using Microsoft.AspNetCore.Authentication;
|
||||
using Microsoft.AspNetCore.Authentication.Cookies;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.Extensions.Logging.Abstractions;
|
||||
using Microsoft.Extensions.Options;
|
||||
using Shouldly;
|
||||
using Xunit;
|
||||
using ZB.MOM.WW.OtOpcUa.Security.Auth;
|
||||
|
||||
namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
|
||||
|
||||
public class AutoLoginAuthenticationHandlerTests
|
||||
{
|
||||
private static async Task<AuthenticateResult> AuthenticateAsync(string user = "multi-role-test")
|
||||
{
|
||||
var schemeOpts = new StubOptionsMonitor<AuthenticationSchemeOptions>(new AuthenticationSchemeOptions());
|
||||
var disableOpts = Options.Create(new AuthDisableLoginOptions { DisableLogin = true, User = user });
|
||||
|
||||
var handler = new AutoLoginAuthenticationHandler(
|
||||
schemeOpts, NullLoggerFactory.Instance, UrlEncoder.Default, disableOpts);
|
||||
await handler.InitializeAsync(
|
||||
new AuthenticationScheme(
|
||||
CookieAuthenticationDefaults.AuthenticationScheme, null, typeof(AutoLoginAuthenticationHandler)),
|
||||
new DefaultHttpContext());
|
||||
return await handler.AuthenticateAsync();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Authenticates_as_configured_user_with_all_roles()
|
||||
{
|
||||
var result = await AuthenticateAsync();
|
||||
|
||||
result.Succeeded.ShouldBeTrue();
|
||||
result.Principal!.Identity!.IsAuthenticated.ShouldBeTrue();
|
||||
result.Principal.Identity.Name.ShouldBe("multi-role-test");
|
||||
foreach (var role in DevAuthRoles.All)
|
||||
result.Principal.IsInRole(role).ShouldBeTrue();
|
||||
// Satisfies the FleetAdmin (Administrator) + DriverOperator (Operator|Administrator) policies.
|
||||
result.Principal.IsInRole("Administrator").ShouldBeTrue();
|
||||
result.Principal.IsInRole("Operator").ShouldBeTrue();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Honours_configured_username()
|
||||
{
|
||||
var result = await AuthenticateAsync("custom-dev");
|
||||
result.Principal!.Identity!.Name.ShouldBe("custom-dev");
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Minimal <see cref="IOptionsMonitor{TOptions}"/> stub returning a fixed value for any
|
||||
/// name. The test project does not reference Moq, so the scheme-options monitor the base
|
||||
/// <see cref="AuthenticationHandler{TOptions}"/> needs is hand-rolled here.
|
||||
/// </summary>
|
||||
private sealed class StubOptionsMonitor<T>(T value) : IOptionsMonitor<T>
|
||||
{
|
||||
public T CurrentValue { get; } = value;
|
||||
|
||||
public T Get(string? name) => CurrentValue;
|
||||
|
||||
public IDisposable? OnChange(Action<T, string?> listener) => null;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user