Issue #8 : add grpc authentication and scope authorization

Merge PR #62 : Issue #7 implement local api key admin cli
Verified with dotnet build src\\MxGateway.sln and dotnet test src\\MxGateway.sln.
2026-04-26 17:01:59 -04:00 · 2026-04-26 17:02:09 -04:00 · 2026-04-26 16:56:52 -04:00 · 2026-04-26 16:56:12 -04:00
29 changed files with 1499 additions and 25 deletions
@@ -612,6 +612,15 @@ hashes the presented secret, and compares the stored and presented hashes with
 results distinguish malformed credentials, missing keys, revoked keys, missing
 pepper configuration, and hash mismatch for internal authorization handling.
 `GatewayGrpcAuthorizationInterceptor` enforces this authentication model for
 public gRPC calls. Missing, malformed, revoked, unknown, or mismatched keys fail
 with `Unauthenticated`. Authenticated calls missing the scope required by the
 RPC fail with `PermissionDenied`. The interceptor applies to unary calls and
 server-streaming calls and stores the authenticated `ApiKeyIdentity` in
 `IGatewayRequestIdentityAccessor` for the duration of the request handler.
 `Authentication:Mode` set to `Disabled` bypasses API-key verification for local
 development only.
 Recommended scopes:
 - `session:open`
@@ -631,6 +640,23 @@ gRPC admin API. It should initialize the auth database, create keys, list keys
 without secrets, revoke keys, rotate keys, and print raw secrets only once at
 creation.
 `MxGateway.Server` exposes local API-key administration as an `apikey`
 subcommand before the web host starts:
 ```bash
 MxGateway.Server apikey init-db --sqlite-path C:\ProgramData\MxGateway\gateway-auth.db
 MxGateway.Server apikey create-key --key-id operator01 --display-name Operator --scopes session:open,events:read
 MxGateway.Server apikey list-keys --json
 MxGateway.Server apikey revoke-key --key-id operator01
 MxGateway.Server apikey rotate-key --key-id operator01 --json
 ```
 The subcommands accept `--sqlite-path`, `--pepper`, and `--json`. `--pepper`
 sets the local `MxGateway:ApiKeyPepper` configuration value for the command
 process; deployments should normally provide the pepper through the configured
 secret source. `create-key` and `rotate-key` print the full raw API key exactly
 once. `list-keys` never prints raw secrets or `secret_hash` values.
 SQLite auth storage should use startup migrations with a `schema_version` table.
 Migrations should run inside transactions and fail startup if the database
 schema is newer than the running binary understands.
@@ -660,6 +686,20 @@ Commands requiring authorization:
 - worker shutdown diagnostics,
 - metadata queries if they expose sensitive plant structure.
 Current gRPC scope mapping:
 - `OpenSession` requires `session:open`.
 - `CloseSession` requires `session:close`.
 - `StreamEvents` and `DrainEvents` require `events:read`.
 - read-style MXAccess commands such as `Register`, `AddItem`, `Advise`, and
  `Ping` require `invoke:read`.
 - `Write` and `Write2` require `invoke:write`.
 - `WriteSecured`, `WriteSecured2`, and `AuthenticateUser` require
  `invoke:secure`.
 - metadata commands such as `ArchestrAUserToId`, `GetSessionState`, and
  `GetWorkerInfo` require `metadata:read`.
 - `ShutdownWorker` requires `admin`.
 ### Worker IPC
 Named pipes should be local only. Pipe ACLs should restrict access to:
@@ -802,6 +842,9 @@ workers and fake transports.
 Focused tests:
 - session state transitions,
 - gRPC API-key authentication for unary and streaming calls,
 - gRPC scope mapping for sessions, invokes, events, metadata, and admin
  commands,
 - worker startup failures,
 - protocol version mismatch,
 - malformed frame handling,
@@ -566,9 +566,13 @@ Because each client owns one worker, a crash or leak affects only that session.
 External gateway:
 - use TLS for remote gRPC if crossing machine boundaries,
- authenticate clients with Windows auth, mTLS, or a deployment-specific token,
+- authenticate v1 gRPC clients with `authorization: Bearer
- authorize access to commands that can write, authenticate users, or alter
+  mxgw_<key-id>_<secret>` API-key metadata,
-  runtime state.
+- reject missing or invalid API keys with gRPC `Unauthenticated`,
 - reject valid keys that lack the required session, invoke, event, metadata, or
  admin scope with gRPC `PermissionDenied`,
 - authorize access to commands that can write, authenticate users, expose
  metadata, stream events, or alter runtime state.
 Internal worker IPC:
@@ -3,6 +3,7 @@ using MxGateway.Server.Configuration;
 using MxGateway.Server.Diagnostics;
 using MxGateway.Server.Metrics;
 using MxGateway.Server.Security.Authentication;
 using MxGateway.Server.Security.Authorization;
 using MxGateway.Server.Workers;
 namespace MxGateway.Server;
@@ -26,6 +27,7 @@ public static class GatewayApplication
        builder.Services.AddGatewayConfiguration();
        builder.Services.AddSqliteAuthStore();
        builder.Services.AddGatewayGrpcAuthorization();
        builder.Services.AddHealthChecks();
        builder.Services.AddSingleton<GatewayMetrics>();
        builder.Services.AddWorkerProcessLauncher();
@@ -5,6 +5,7 @@
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Grpc.AspNetCore" Version="2.76.0" />
    <PackageReference Include="Microsoft.Data.Sqlite" Version="10.0.7" />
  </ItemGroup>
@@ -1,7 +1,43 @@
 using MxGateway.Server;
 using MxGateway.Server.Configuration;
 using MxGateway.Server.Security.Authentication;
-var app = GatewayApplication.Build(args);
+ApiKeyAdminParseResult apiKeyAdminCommand = ApiKeyAdminCommandLineParser.Parse(args);
 if (apiKeyAdminCommand.IsApiKeyCommand)
 {
    if (apiKeyAdminCommand.Command is null)
    {
        await Console.Error.WriteLineAsync(apiKeyAdminCommand.Error);
        return 2;
    }
    WebApplicationBuilder builder = GatewayApplication.CreateBuilder([]);
    ApplyApiKeyAdminOverrides(builder.Configuration, apiKeyAdminCommand.Command);
    await using WebApplication cliApp = builder.Build();
    await using AsyncServiceScope scope = cliApp.Services.CreateAsyncScope();
    ApiKeyAdminCliRunner runner = scope.ServiceProvider.GetRequiredService<ApiKeyAdminCliRunner>();
    return await runner.RunAsync(apiKeyAdminCommand.Command, Console.Out, CancellationToken.None);
 }
 WebApplication app = GatewayApplication.Build(args);
 app.Run();
 return 0;
 static void ApplyApiKeyAdminOverrides(IConfiguration configuration, ApiKeyAdminCommand command)
 {
    if (!string.IsNullOrWhiteSpace(command.SqlitePath))
    {
        configuration[$"{GatewayOptions.SectionName}:Authentication:SqlitePath"] = command.SqlitePath;
    }
    if (!string.IsNullOrWhiteSpace(command.Pepper))
    {
        configuration["MxGateway:ApiKeyPepper"] = command.Pepper;
    }
 }
 public partial class Program;
@@ -0,0 +1,180 @@
 using System.Text.Json;
 namespace MxGateway.Server.Security.Authentication;
 public sealed class ApiKeyAdminCliRunner(
    IAuthStoreMigrator migrator,
    IApiKeyAdminStore adminStore,
    IApiKeyAuditStore auditStore,
    IApiKeySecretHasher hasher)
 {
    private static readonly JsonSerializerOptions JsonOptions = new()
    {
        WriteIndented = true
    };
    public async Task<int> RunAsync(
        ApiKeyAdminCommand command,
        TextWriter output,
        CancellationToken cancellationToken)
    {
        ApiKeyAdminOutput result = command.Kind switch
        {
            ApiKeyAdminCommandKind.InitDb => await InitDbAsync(cancellationToken).ConfigureAwait(false),
            ApiKeyAdminCommandKind.CreateKey => await CreateKeyAsync(command, cancellationToken).ConfigureAwait(false),
            ApiKeyAdminCommandKind.ListKeys => await ListKeysAsync(cancellationToken).ConfigureAwait(false),
            ApiKeyAdminCommandKind.RevokeKey => await RevokeKeyAsync(command, cancellationToken).ConfigureAwait(false),
            ApiKeyAdminCommandKind.RotateKey => await RotateKeyAsync(command, cancellationToken).ConfigureAwait(false),
            _ => throw new InvalidOperationException($"Unsupported API key command '{command.Kind}'.")
        };
        await WriteOutputAsync(command, result, output).ConfigureAwait(false);
        return 0;
    }
    private async Task<ApiKeyAdminOutput> InitDbAsync(CancellationToken cancellationToken)
    {
        await migrator.MigrateAsync(cancellationToken).ConfigureAwait(false);
        await AppendAuditAsync(null, "init-db", null, cancellationToken).ConfigureAwait(false);
        return new ApiKeyAdminOutput("init-db", "initialized", null, []);
    }
    private async Task<ApiKeyAdminOutput> CreateKeyAsync(
        ApiKeyAdminCommand command,
        CancellationToken cancellationToken)
    {
        await migrator.MigrateAsync(cancellationToken).ConfigureAwait(false);
        string keyId = Required(command.KeyId);
        string secret = ApiKeySecretGenerator.Generate();
        string apiKey = FormatApiKey(keyId, secret);
        await adminStore.CreateAsync(
                new ApiKeyCreateRequest(
                    KeyId: keyId,
                    KeyPrefix: $"mxgw_{keyId}",
                    SecretHash: hasher.HashSecret(secret),
                    DisplayName: Required(command.DisplayName),
                    Scopes: command.Scopes,
                    CreatedUtc: DateTimeOffset.UtcNow),
                cancellationToken)
            .ConfigureAwait(false);
        await AppendAuditAsync(keyId, "create-key", null, cancellationToken).ConfigureAwait(false);
        return new ApiKeyAdminOutput("create-key", "created", apiKey, []);
    }
    private async Task<ApiKeyAdminOutput> ListKeysAsync(CancellationToken cancellationToken)
    {
        await migrator.MigrateAsync(cancellationToken).ConfigureAwait(false);
        IReadOnlyList<ApiKeyRecord> keys = await adminStore.ListAsync(cancellationToken).ConfigureAwait(false);
        await AppendAuditAsync(null, "list-keys", null, cancellationToken).ConfigureAwait(false);
        return new ApiKeyAdminOutput(
            "list-keys",
            "ok",
            null,
            keys.Select(ToListedKey).ToArray());
    }
    private async Task<ApiKeyAdminOutput> RevokeKeyAsync(
        ApiKeyAdminCommand command,
        CancellationToken cancellationToken)
    {
        await migrator.MigrateAsync(cancellationToken).ConfigureAwait(false);
        string keyId = Required(command.KeyId);
        bool revoked = await adminStore.RevokeAsync(keyId, DateTimeOffset.UtcNow, cancellationToken)
            .ConfigureAwait(false);
        await AppendAuditAsync(keyId, "revoke-key", revoked ? "revoked" : "not-found-or-already-revoked", cancellationToken)
            .ConfigureAwait(false);
        return new ApiKeyAdminOutput("revoke-key", revoked ? "revoked" : "not-found-or-already-revoked", null, []);
    }
    private async Task<ApiKeyAdminOutput> RotateKeyAsync(
        ApiKeyAdminCommand command,
        CancellationToken cancellationToken)
    {
        await migrator.MigrateAsync(cancellationToken).ConfigureAwait(false);
        string keyId = Required(command.KeyId);
        string secret = ApiKeySecretGenerator.Generate();
        string apiKey = FormatApiKey(keyId, secret);
        bool rotated = await adminStore.RotateAsync(keyId, hasher.HashSecret(secret), DateTimeOffset.UtcNow, cancellationToken)
            .ConfigureAwait(false);
        await AppendAuditAsync(keyId, "rotate-key", rotated ? "rotated" : "not-found", cancellationToken)
            .ConfigureAwait(false);
        return new ApiKeyAdminOutput("rotate-key", rotated ? "rotated" : "not-found", rotated ? apiKey : null, []);
    }
    private static async Task WriteOutputAsync(
        ApiKeyAdminCommand command,
        ApiKeyAdminOutput result,
        TextWriter output)
    {
        if (command.Json)
        {
            await output.WriteLineAsync(JsonSerializer.Serialize(result, JsonOptions)).ConfigureAwait(false);
            return;
        }
        await output.WriteLineAsync($"{result.Command}: {result.Status}").ConfigureAwait(false);
        if (result.ApiKey is not null)
        {
            await output.WriteLineAsync($"API key: {result.ApiKey}").ConfigureAwait(false);
        }
        foreach (ApiKeyAdminListedKey key in result.Keys)
        {
            string revoked = key.RevokedUtc is null ? "active" : "revoked";
            await output.WriteLineAsync($"{key.KeyId}\t{key.DisplayName}\t{revoked}\t{string.Join(',', key.Scopes)}")
                .ConfigureAwait(false);
        }
    }
    private async Task AppendAuditAsync(
        string? keyId,
        string eventType,
        string? details,
        CancellationToken cancellationToken)
    {
        await auditStore.AppendAsync(
                new ApiKeyAuditEntry(
                    KeyId: keyId,
                    EventType: eventType,
                    RemoteAddress: null,
                    Details: details),
                cancellationToken)
            .ConfigureAwait(false);
    }
    private static ApiKeyAdminListedKey ToListedKey(ApiKeyRecord key)
    {
        return new ApiKeyAdminListedKey(
            KeyId: key.KeyId,
            KeyPrefix: key.KeyPrefix,
            DisplayName: key.DisplayName,
            Scopes: key.Scopes,
            CreatedUtc: key.CreatedUtc,
            LastUsedUtc: key.LastUsedUtc,
            RevokedUtc: key.RevokedUtc);
    }
    private static string FormatApiKey(string keyId, string secret)
    {
        return $"mxgw_{keyId}_{secret}";
    }
    private static string Required(string? value)
    {
        return value ?? throw new InvalidOperationException("Required command value was not provided.");
    }
 }
@@ -0,0 +1,10 @@
 namespace MxGateway.Server.Security.Authentication;
 public sealed record ApiKeyAdminCommand(
    ApiKeyAdminCommandKind Kind,
    bool Json,
    string? SqlitePath,
    string? Pepper,
    string? KeyId,
    string? DisplayName,
    IReadOnlySet<string> Scopes);
@@ -0,0 +1,10 @@
 namespace MxGateway.Server.Security.Authentication;
 public enum ApiKeyAdminCommandKind
 {
    InitDb,
    CreateKey,
    ListKeys,
    RevokeKey,
    RotateKey
 }
@@ -0,0 +1,159 @@
 namespace MxGateway.Server.Security.Authentication;
 public static class ApiKeyAdminCommandLineParser
 {
    public static ApiKeyAdminParseResult Parse(IReadOnlyList<string> args)
    {
        if (args.Count == 0 || !string.Equals(args[0], "apikey", StringComparison.OrdinalIgnoreCase))
        {
            return ApiKeyAdminParseResult.NotApiKeyCommand();
        }
        if (args.Count < 2)
        {
            return ApiKeyAdminParseResult.Fail("Missing apikey subcommand.");
        }
        if (!TryParseKind(args[1], out ApiKeyAdminCommandKind kind))
        {
            return ApiKeyAdminParseResult.Fail($"Unknown apikey subcommand '{args[1]}'.");
        }
        Dictionary<string, string?> options = new(StringComparer.OrdinalIgnoreCase);
        bool json = false;
        for (int index = 2; index < args.Count; index++)
        {
            string arg = args[index];
            if (string.Equals(arg, "--json", StringComparison.OrdinalIgnoreCase))
            {
                json = true;
                continue;
            }
            if (!arg.StartsWith("--", StringComparison.Ordinal))
            {
                return ApiKeyAdminParseResult.Fail($"Unexpected argument '{arg}'.");
            }
            string name = arg[2..];
            string? value;
            int equalsIndex = name.IndexOf('=', StringComparison.Ordinal);
            if (equalsIndex >= 0)
            {
                value = name[(equalsIndex + 1)..];
                name = name[..equalsIndex];
            }
            else
            {
                if (index + 1 >= args.Count || args[index + 1].StartsWith("--", StringComparison.Ordinal))
                {
                    return ApiKeyAdminParseResult.Fail($"Option '--{name}' requires a value.");
                }
                value = args[++index];
            }
            options[name] = value;
        }
        string? keyId = GetOption(options, "key-id");
        string? displayName = GetOption(options, "display-name");
        IReadOnlySet<string> scopes = ParseScopes(GetOption(options, "scopes"));
        string? validationError = Validate(kind, keyId, displayName);
        if (validationError is not null)
        {
            return ApiKeyAdminParseResult.Fail(validationError);
        }
        return ApiKeyAdminParseResult.Success(new ApiKeyAdminCommand(
            Kind: kind,
            Json: json,
            SqlitePath: GetOption(options, "sqlite-path"),
            Pepper: GetOption(options, "pepper"),
            KeyId: keyId,
            DisplayName: displayName,
            Scopes: scopes));
    }
    private static bool TryParseKind(string value, out ApiKeyAdminCommandKind kind)
    {
        switch (value.ToLowerInvariant())
        {
            case "init-db":
                kind = ApiKeyAdminCommandKind.InitDb;
                return true;
            case "create-key":
                kind = ApiKeyAdminCommandKind.CreateKey;
                return true;
            case "list-keys":
                kind = ApiKeyAdminCommandKind.ListKeys;
                return true;
            case "revoke-key":
                kind = ApiKeyAdminCommandKind.RevokeKey;
                return true;
            case "rotate-key":
                kind = ApiKeyAdminCommandKind.RotateKey;
                return true;
            default:
                kind = default;
                return false;
        }
    }
    private static string? Validate(ApiKeyAdminCommandKind kind, string? keyId, string? displayName)
    {
        if (kind is ApiKeyAdminCommandKind.CreateKey or ApiKeyAdminCommandKind.RevokeKey or ApiKeyAdminCommandKind.RotateKey
            && string.IsNullOrWhiteSpace(keyId))
        {
            return $"Subcommand '{KindName(kind)}' requires --key-id.";
        }
        if (!string.IsNullOrWhiteSpace(keyId) && !IsValidKeyId(keyId))
        {
            return "API key id may contain only letters, numbers, periods, and hyphens.";
        }
        if (kind == ApiKeyAdminCommandKind.CreateKey && string.IsNullOrWhiteSpace(displayName))
        {
            return "Subcommand 'create-key' requires --display-name.";
        }
        return null;
    }
    private static string KindName(ApiKeyAdminCommandKind kind)
    {
        return kind switch
        {
            ApiKeyAdminCommandKind.InitDb => "init-db",
            ApiKeyAdminCommandKind.CreateKey => "create-key",
            ApiKeyAdminCommandKind.ListKeys => "list-keys",
            ApiKeyAdminCommandKind.RevokeKey => "revoke-key",
            ApiKeyAdminCommandKind.RotateKey => "rotate-key",
            _ => kind.ToString()
        };
    }
    private static bool IsValidKeyId(string keyId)
    {
        return keyId.All(character =>
            char.IsAsciiLetterOrDigit(character)
            || character is '.' or '-');
    }
    private static string? GetOption(Dictionary<string, string?> options, string name)
    {
        return options.TryGetValue(name, out string? value) ? value : null;
    }
    private static IReadOnlySet<string> ParseScopes(string? scopes)
    {
        return new HashSet<string>(
            (scopes ?? string.Empty)
                .Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries),
            StringComparer.Ordinal);
    }
 }
@@ -0,0 +1,10 @@
 namespace MxGateway.Server.Security.Authentication;
 public sealed record ApiKeyAdminListedKey(
    string KeyId,
    string KeyPrefix,
    string DisplayName,
    IReadOnlySet<string> Scopes,
    DateTimeOffset CreatedUtc,
    DateTimeOffset? LastUsedUtc,
    DateTimeOffset? RevokedUtc);
@@ -0,0 +1,7 @@
 namespace MxGateway.Server.Security.Authentication;
 public sealed record ApiKeyAdminOutput(
    string Command,
    string Status,
    string? ApiKey,
    IReadOnlyList<ApiKeyAdminListedKey> Keys);
@@ -0,0 +1,22 @@
 namespace MxGateway.Server.Security.Authentication;
 public sealed record ApiKeyAdminParseResult(
    bool IsApiKeyCommand,
    ApiKeyAdminCommand? Command,
    string? Error)
 {
    public static ApiKeyAdminParseResult NotApiKeyCommand()
    {
        return new ApiKeyAdminParseResult(false, null, null);
    }
    public static ApiKeyAdminParseResult Success(ApiKeyAdminCommand command)
    {
        return new ApiKeyAdminParseResult(true, command, null);
    }
    public static ApiKeyAdminParseResult Fail(string error)
    {
        return new ApiKeyAdminParseResult(true, null, error);
    }
 }
@@ -0,0 +1,9 @@
 namespace MxGateway.Server.Security.Authentication;
 public sealed record ApiKeyCreateRequest(
    string KeyId,
    string KeyPrefix,
    byte[] SecretHash,
    string DisplayName,
    IReadOnlySet<string> Scopes,
    DateTimeOffset CreatedUtc);
@@ -0,0 +1,26 @@
 using Microsoft.Data.Sqlite;
 namespace MxGateway.Server.Security.Authentication;
 public static class ApiKeyRecordReader
 {
    public static ApiKeyRecord Read(SqliteDataReader reader)
    {
        return new ApiKeyRecord(
            KeyId: reader.GetString(0),
            KeyPrefix: reader.GetString(1),
            SecretHash: (byte[])reader["secret_hash"],
            DisplayName: reader.GetString(3),
            Scopes: ApiKeyScopeSerializer.Deserialize(reader.GetString(4)),
            CreatedUtc: DateTimeOffset.Parse(reader.GetString(5), System.Globalization.CultureInfo.InvariantCulture),
            LastUsedUtc: ReadNullableDateTimeOffset(reader, 6),
            RevokedUtc: ReadNullableDateTimeOffset(reader, 7));
    }
    private static DateTimeOffset? ReadNullableDateTimeOffset(SqliteDataReader reader, int ordinal)
    {
        return reader.IsDBNull(ordinal)
            ? null
            : DateTimeOffset.Parse(reader.GetString(ordinal), System.Globalization.CultureInfo.InvariantCulture);
    }
 }
@@ -0,0 +1,17 @@
 using System.Security.Cryptography;
 namespace MxGateway.Server.Security.Authentication;
 public static class ApiKeySecretGenerator
 {
    public static string Generate()
    {
        Span<byte> bytes = stackalloc byte[32];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes)
            .TrimEnd('=')
            .Replace('+', '-')
            .Replace('/', '_');
    }
 }
@@ -7,9 +7,11 @@ public static class AuthStoreServiceCollectionExtensions
        services.AddSingleton<IApiKeyParser, ApiKeyParser>();
        services.AddSingleton<IApiKeySecretHasher, ApiKeySecretHasher>();
        services.AddSingleton<IApiKeyVerifier, ApiKeyVerifier>();
        services.AddSingleton<ApiKeyAdminCliRunner>();
        services.AddSingleton<AuthSqliteConnectionFactory>();
        services.AddSingleton<IAuthStoreMigrator, SqliteAuthStoreMigrator>();
        services.AddSingleton<IApiKeyStore, SqliteApiKeyStore>();
        services.AddSingleton<IApiKeyAdminStore, SqliteApiKeyAdminStore>();
        services.AddSingleton<IApiKeyAuditStore, SqliteApiKeyAuditStore>();
        services.AddHostedService<AuthStoreMigrationHostedService>();
@@ -0,0 +1,16 @@
 namespace MxGateway.Server.Security.Authentication;
 public interface IApiKeyAdminStore
 {
    Task CreateAsync(ApiKeyCreateRequest request, CancellationToken cancellationToken);
    Task<IReadOnlyList<ApiKeyRecord>> ListAsync(CancellationToken cancellationToken);
    Task<bool> RevokeAsync(string keyId, DateTimeOffset revokedUtc, CancellationToken cancellationToken);
    Task<bool> RotateAsync(
        string keyId,
        byte[] secretHash,
        DateTimeOffset rotatedUtc,
        CancellationToken cancellationToken);
 }
@@ -0,0 +1,116 @@
 using Microsoft.Data.Sqlite;
 namespace MxGateway.Server.Security.Authentication;
 public sealed class SqliteApiKeyAdminStore(AuthSqliteConnectionFactory connectionFactory) : IApiKeyAdminStore
 {
    public async Task CreateAsync(ApiKeyCreateRequest request, CancellationToken cancellationToken)
    {
        await using SqliteConnection connection = connectionFactory.CreateConnection();
        await connection.OpenAsync(cancellationToken).ConfigureAwait(false);
        await using SqliteCommand command = connection.CreateCommand();
        command.CommandText = """
            INSERT INTO api_keys (
                key_id,
                key_prefix,
                secret_hash,
                display_name,
                scopes,
                created_utc,
                last_used_utc,
                revoked_utc)
            VALUES (
                $key_id,
                $key_prefix,
                $secret_hash,
                $display_name,
                $scopes,
                $created_utc,
                NULL,
                NULL);
            """;
        AddCreateParameters(command, request);
        await command.ExecuteNonQueryAsync(cancellationToken).ConfigureAwait(false);
    }
    public async Task<IReadOnlyList<ApiKeyRecord>> ListAsync(CancellationToken cancellationToken)
    {
        await using SqliteConnection connection = connectionFactory.CreateConnection();
        await connection.OpenAsync(cancellationToken).ConfigureAwait(false);
        await using SqliteCommand command = connection.CreateCommand();
        command.CommandText = """
            SELECT key_id, key_prefix, secret_hash, display_name, scopes, created_utc, last_used_utc, revoked_utc
            FROM api_keys
            ORDER BY key_id;
            """;
        List<ApiKeyRecord> records = [];
        await using SqliteDataReader reader = await command.ExecuteReaderAsync(cancellationToken)
            .ConfigureAwait(false);
        while (await reader.ReadAsync(cancellationToken).ConfigureAwait(false))
        {
            records.Add(ApiKeyRecordReader.Read(reader));
        }
        return records;
    }
    public async Task<bool> RevokeAsync(string keyId, DateTimeOffset revokedUtc, CancellationToken cancellationToken)
    {
        await using SqliteConnection connection = connectionFactory.CreateConnection();
        await connection.OpenAsync(cancellationToken).ConfigureAwait(false);
        await using SqliteCommand command = connection.CreateCommand();
        command.CommandText = """
            UPDATE api_keys
            SET revoked_utc = $revoked_utc
            WHERE key_id = $key_id AND revoked_utc IS NULL;
            """;
        command.Parameters.AddWithValue("$key_id", keyId);
        command.Parameters.AddWithValue("$revoked_utc", revokedUtc.ToString("O"));
        int rows = await command.ExecuteNonQueryAsync(cancellationToken).ConfigureAwait(false);
        return rows > 0;
    }
    public async Task<bool> RotateAsync(
        string keyId,
        byte[] secretHash,
        DateTimeOffset rotatedUtc,
        CancellationToken cancellationToken)
    {
        await using SqliteConnection connection = connectionFactory.CreateConnection();
        await connection.OpenAsync(cancellationToken).ConfigureAwait(false);
        await using SqliteCommand command = connection.CreateCommand();
        command.CommandText = """
            UPDATE api_keys
            SET secret_hash = $secret_hash,
                last_used_utc = NULL,
                revoked_utc = NULL
            WHERE key_id = $key_id;
            """;
        command.Parameters.AddWithValue("$key_id", keyId);
        command.Parameters.Add("$secret_hash", SqliteType.Blob).Value = secretHash;
        int rows = await command.ExecuteNonQueryAsync(cancellationToken).ConfigureAwait(false);
        return rows > 0;
    }
    private static void AddCreateParameters(SqliteCommand command, ApiKeyCreateRequest request)
    {
        command.Parameters.AddWithValue("$key_id", request.KeyId);
        command.Parameters.AddWithValue("$key_prefix", request.KeyPrefix);
        command.Parameters.Add("$secret_hash", SqliteType.Blob).Value = request.SecretHash;
        command.Parameters.AddWithValue("$display_name", request.DisplayName);
        command.Parameters.AddWithValue("$scopes", ApiKeyScopeSerializer.Serialize(request.Scopes));
        command.Parameters.AddWithValue("$created_utc", request.CreatedUtc.ToString("O"));
    }
 }
@@ -61,26 +61,6 @@ public sealed class SqliteApiKeyStore(AuthSqliteConnectionFactory connectionFact
            return null;
        }
-        return ReadApiKeyRecord(reader);
+        return ApiKeyRecordReader.Read(reader);
    }
    private static ApiKeyRecord ReadApiKeyRecord(SqliteDataReader reader)
    {
        return new ApiKeyRecord(
            KeyId: reader.GetString(0),
            KeyPrefix: reader.GetString(1),
            SecretHash: (byte[])reader["secret_hash"],
            DisplayName: reader.GetString(3),
            Scopes: ApiKeyScopeSerializer.Deserialize(reader.GetString(4)),
            CreatedUtc: DateTimeOffset.Parse(reader.GetString(5), System.Globalization.CultureInfo.InvariantCulture),
            LastUsedUtc: ReadNullableDateTimeOffset(reader, 6),
            RevokedUtc: ReadNullableDateTimeOffset(reader, 7));
    }
    private static DateTimeOffset? ReadNullableDateTimeOffset(SqliteDataReader reader, int ordinal)
    {
        return reader.IsDBNull(ordinal)
            ? null
            : DateTimeOffset.Parse(reader.GetString(ordinal), System.Globalization.CultureInfo.InvariantCulture);
    }
 }
@@ -0,0 +1,74 @@
 using Grpc.Core;
 using Grpc.Core.Interceptors;
 using Microsoft.Extensions.Options;
 using MxGateway.Server.Configuration;
 using MxGateway.Server.Security.Authentication;
 namespace MxGateway.Server.Security.Authorization;
 public sealed class GatewayGrpcAuthorizationInterceptor(
    IApiKeyVerifier apiKeyVerifier,
    GatewayGrpcScopeResolver scopeResolver,
    IGatewayRequestIdentityAccessor identityAccessor,
    IOptions<GatewayOptions> options) : Interceptor
 {
    public override async Task<TResponse> UnaryServerHandler<TRequest, TResponse>(
        TRequest request,
        ServerCallContext context,
        UnaryServerMethod<TRequest, TResponse> continuation)
    {
        ApiKeyIdentity? identity = await AuthenticateAndAuthorizeAsync(request, context).ConfigureAwait(false);
        IDisposable? identityScope = identity is null ? null : identityAccessor.Push(identity);
        using (identityScope)
        {
            return await continuation(request, context).ConfigureAwait(false);
        }
    }
    public override async Task ServerStreamingServerHandler<TRequest, TResponse>(
        TRequest request,
        IServerStreamWriter<TResponse> responseStream,
        ServerCallContext context,
        ServerStreamingServerMethod<TRequest, TResponse> continuation)
    {
        ApiKeyIdentity? identity = await AuthenticateAndAuthorizeAsync(request, context).ConfigureAwait(false);
        IDisposable? identityScope = identity is null ? null : identityAccessor.Push(identity);
        using (identityScope)
        {
            await continuation(request, responseStream, context).ConfigureAwait(false);
        }
    }
    private async Task<ApiKeyIdentity?> AuthenticateAndAuthorizeAsync<TRequest>(
        TRequest request,
        ServerCallContext context)
        where TRequest : class
    {
        if (options.Value.Authentication.Mode == AuthenticationMode.Disabled)
        {
            return null;
        }
        string? authorizationHeader = context.RequestHeaders.GetValue("authorization");
        ApiKeyVerificationResult verificationResult = await apiKeyVerifier
            .VerifyAsync(authorizationHeader, context.CancellationToken)
            .ConfigureAwait(false);
        if (!verificationResult.Succeeded || verificationResult.Identity is null)
        {
            throw new RpcException(new Status(
                StatusCode.Unauthenticated,
                "Missing or invalid API key."));
        }
        string requiredScope = scopeResolver.ResolveRequiredScope(request);
        if (!verificationResult.Identity.Scopes.Contains(requiredScope))
        {
            throw new RpcException(new Status(
                StatusCode.PermissionDenied,
                $"API key is missing required scope '{requiredScope}'."));
        }
        return verificationResult.Identity;
    }
 }
@@ -0,0 +1,40 @@
 using MxGateway.Contracts.Proto;
 namespace MxGateway.Server.Security.Authorization;
 public sealed class GatewayGrpcScopeResolver
 {
    public string ResolveRequiredScope(object request)
    {
        return request switch
        {
            OpenSessionRequest => GatewayScopes.SessionOpen,
            CloseSessionRequest => GatewayScopes.SessionClose,
            StreamEventsRequest => GatewayScopes.EventsRead,
            MxCommandRequest commandRequest => ResolveCommandScope(commandRequest.Command?.Kind ?? MxCommandKind.Unspecified),
            _ => GatewayScopes.Admin
        };
    }
    private static string ResolveCommandScope(MxCommandKind kind)
    {
        return kind switch
        {
            MxCommandKind.Write or
            MxCommandKind.Write2 => GatewayScopes.InvokeWrite,
            MxCommandKind.WriteSecured or
            MxCommandKind.WriteSecured2 or
            MxCommandKind.AuthenticateUser => GatewayScopes.InvokeSecure,
            MxCommandKind.ArchestraUserToId or
            MxCommandKind.GetSessionState or
            MxCommandKind.GetWorkerInfo => GatewayScopes.MetadataRead,
            MxCommandKind.DrainEvents => GatewayScopes.EventsRead,
            MxCommandKind.ShutdownWorker => GatewayScopes.Admin,
            _ => GatewayScopes.InvokeRead
        };
    }
 }
@@ -0,0 +1,38 @@
 using MxGateway.Server.Security.Authentication;
 namespace MxGateway.Server.Security.Authorization;
 public sealed class GatewayRequestIdentityAccessor : IGatewayRequestIdentityAccessor
 {
    private readonly AsyncLocal<ApiKeyIdentity?> currentIdentity = new();
    public ApiKeyIdentity? Current => currentIdentity.Value;
    public IDisposable Push(ApiKeyIdentity identity)
    {
        ArgumentNullException.ThrowIfNull(identity);
        ApiKeyIdentity? previousIdentity = currentIdentity.Value;
        currentIdentity.Value = identity;
        return new IdentityScope(this, previousIdentity);
    }
    private sealed class IdentityScope(
        GatewayRequestIdentityAccessor accessor,
        ApiKeyIdentity? previousIdentity) : IDisposable
    {
        private bool disposed;
        public void Dispose()
        {
            if (disposed)
            {
                return;
            }
            accessor.currentIdentity.Value = previousIdentity;
            disposed = true;
        }
    }
 }
@@ -0,0 +1,13 @@
 namespace MxGateway.Server.Security.Authorization;
 public static class GatewayScopes
 {
    public const string SessionOpen = "session:open";
    public const string SessionClose = "session:close";
    public const string InvokeRead = "invoke:read";
    public const string InvokeWrite = "invoke:write";
    public const string InvokeSecure = "invoke:secure";
    public const string EventsRead = "events:read";
    public const string MetadataRead = "metadata:read";
    public const string Admin = "admin";
 }
@@ -0,0 +1,16 @@
 using Grpc.Core.Interceptors;
 namespace MxGateway.Server.Security.Authorization;
 public static class GrpcAuthorizationServiceCollectionExtensions
 {
    public static IServiceCollection AddGatewayGrpcAuthorization(this IServiceCollection services)
    {
        services.AddSingleton<GatewayGrpcScopeResolver>();
        services.AddSingleton<IGatewayRequestIdentityAccessor, GatewayRequestIdentityAccessor>();
        services.AddSingleton<GatewayGrpcAuthorizationInterceptor>();
        services.AddGrpc(options => options.Interceptors.Add<GatewayGrpcAuthorizationInterceptor>());
        return services;
    }
 }
@@ -0,0 +1,10 @@
 using MxGateway.Server.Security.Authentication;
 namespace MxGateway.Server.Security.Authorization;
 public interface IGatewayRequestIdentityAccessor
 {
    ApiKeyIdentity? Current { get; }
    IDisposable Push(ApiKeyIdentity identity);
 }
@@ -0,0 +1,242 @@
 using System.Text.Json;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using MxGateway.Server.Configuration;
 using MxGateway.Server.Security.Authentication;
 namespace MxGateway.Tests.Security.Authentication;
 public sealed class ApiKeyAdminCliRunnerTests
 {
    [Fact]
    public async Task CreateKeyAsync_CreatesAuthenticatingKeyAndAudits()
    {
        await using ServiceProvider services = BuildServices(CreateTempDatabasePath());
        ApiKeyAdminCliRunner runner = services.GetRequiredService<ApiKeyAdminCliRunner>();
        StringWriter output = new();
        await runner.RunAsync(
            new ApiKeyAdminCommand(
                Kind: ApiKeyAdminCommandKind.CreateKey,
                Json: true,
                SqlitePath: null,
                Pepper: null,
                KeyId: "operator01",
                DisplayName: "Operator",
                Scopes: new HashSet<string>(StringComparer.Ordinal) { "session:open", "events:read" }),
            output,
            CancellationToken.None);
        string apiKey = ReadApiKey(output.ToString());
        IApiKeyVerifier verifier = services.GetRequiredService<IApiKeyVerifier>();
        ApiKeyVerificationResult verification = await verifier.VerifyAsync($"Bearer {apiKey}", CancellationToken.None);
        Assert.True(verification.Succeeded);
        Assert.NotNull(verification.Identity);
        Assert.Equal("operator01", verification.Identity.KeyId);
        Assert.Contains("session:open", verification.Identity.Scopes);
        IReadOnlyList<ApiKeyAuditRecord> auditRecords = await services
            .GetRequiredService<IApiKeyAuditStore>()
            .ListRecentAsync(10, CancellationToken.None);
        Assert.Contains(auditRecords, record => record.EventType == "create-key" && record.KeyId == "operator01");
    }
    [Fact]
    public async Task ListKeysAsync_DoesNotPrintRawSecret()
    {
        await using ServiceProvider services = BuildServices(CreateTempDatabasePath());
        ApiKeyAdminCliRunner runner = services.GetRequiredService<ApiKeyAdminCliRunner>();
        string apiKey = await CreateKeyAsync(runner, "operator01");
        StringWriter listOutput = new();
        await runner.RunAsync(
            new ApiKeyAdminCommand(
                Kind: ApiKeyAdminCommandKind.ListKeys,
                Json: true,
                SqlitePath: null,
                Pepper: null,
                KeyId: null,
                DisplayName: null,
                Scopes: new HashSet<string>(StringComparer.Ordinal)),
            listOutput,
            CancellationToken.None);
        string listJson = listOutput.ToString();
        Assert.Contains("operator01", listJson, StringComparison.Ordinal);
        Assert.DoesNotContain(apiKey, listJson, StringComparison.Ordinal);
        Assert.DoesNotContain(ApiKeySecret(apiKey), listJson, StringComparison.Ordinal);
        Assert.DoesNotContain("secret_hash", listJson, StringComparison.OrdinalIgnoreCase);
    }
    [Fact]
    public async Task RevokeKeyAsync_RevokedKeyFailsVerificationAndAudits()
    {
        await using ServiceProvider services = BuildServices(CreateTempDatabasePath());
        ApiKeyAdminCliRunner runner = services.GetRequiredService<ApiKeyAdminCliRunner>();
        string apiKey = await CreateKeyAsync(runner, "operator01");
        await runner.RunAsync(
            new ApiKeyAdminCommand(
                Kind: ApiKeyAdminCommandKind.RevokeKey,
                Json: true,
                SqlitePath: null,
                Pepper: null,
                KeyId: "operator01",
                DisplayName: null,
                Scopes: new HashSet<string>(StringComparer.Ordinal)),
            TextWriter.Null,
            CancellationToken.None);
        ApiKeyVerificationResult verification = await services
            .GetRequiredService<IApiKeyVerifier>()
            .VerifyAsync($"Bearer {apiKey}", CancellationToken.None);
        Assert.False(verification.Succeeded);
        Assert.Equal(ApiKeyVerificationFailure.KeyRevoked, verification.Failure);
        IReadOnlyList<ApiKeyAuditRecord> auditRecords = await services
            .GetRequiredService<IApiKeyAuditStore>()
            .ListRecentAsync(10, CancellationToken.None);
        Assert.Contains(auditRecords, record => record.EventType == "revoke-key" && record.KeyId == "operator01");
    }
    [Fact]
    public async Task RotateKeyAsync_PrintsNewSecretOnceAndInvalidatesOldSecret()
    {
        await using ServiceProvider services = BuildServices(CreateTempDatabasePath());
        ApiKeyAdminCliRunner runner = services.GetRequiredService<ApiKeyAdminCliRunner>();
        string oldApiKey = await CreateKeyAsync(runner, "operator01");
        StringWriter rotateOutput = new();
        await runner.RunAsync(
            new ApiKeyAdminCommand(
                Kind: ApiKeyAdminCommandKind.RotateKey,
                Json: true,
                SqlitePath: null,
                Pepper: null,
                KeyId: "operator01",
                DisplayName: null,
                Scopes: new HashSet<string>(StringComparer.Ordinal)),
            rotateOutput,
            CancellationToken.None);
        string rotateJson = rotateOutput.ToString();
        string newApiKey = ReadApiKey(rotateJson);
        Assert.NotEqual(oldApiKey, newApiKey);
        Assert.Equal(1, CountOccurrences(rotateJson, newApiKey));
        IApiKeyVerifier verifier = services.GetRequiredService<IApiKeyVerifier>();
        ApiKeyVerificationResult oldVerification = await verifier.VerifyAsync($"Bearer {oldApiKey}", CancellationToken.None);
        ApiKeyVerificationResult newVerification = await verifier.VerifyAsync($"Bearer {newApiKey}", CancellationToken.None);
        Assert.False(oldVerification.Succeeded);
        Assert.Equal(ApiKeyVerificationFailure.SecretMismatch, oldVerification.Failure);
        Assert.True(newVerification.Succeeded);
    }
    [Fact]
    public async Task CreateKeyAsync_PrintsRawSecretExactlyOnce()
    {
        await using ServiceProvider services = BuildServices(CreateTempDatabasePath());
        ApiKeyAdminCliRunner runner = services.GetRequiredService<ApiKeyAdminCliRunner>();
        StringWriter output = new();
        await runner.RunAsync(
            new ApiKeyAdminCommand(
                Kind: ApiKeyAdminCommandKind.CreateKey,
                Json: true,
                SqlitePath: null,
                Pepper: null,
                KeyId: "operator01",
                DisplayName: "Operator",
                Scopes: new HashSet<string>(StringComparer.Ordinal)),
            output,
            CancellationToken.None);
        string json = output.ToString();
        string apiKey = ReadApiKey(json);
        Assert.Equal(1, CountOccurrences(json, apiKey));
        Assert.Equal(1, CountOccurrences(json, ApiKeySecret(apiKey)));
    }
    private static async Task<string> CreateKeyAsync(ApiKeyAdminCliRunner runner, string keyId)
    {
        StringWriter output = new();
        await runner.RunAsync(
            new ApiKeyAdminCommand(
                Kind: ApiKeyAdminCommandKind.CreateKey,
                Json: true,
                SqlitePath: null,
                Pepper: null,
                KeyId: keyId,
                DisplayName: "Operator",
                Scopes: new HashSet<string>(StringComparer.Ordinal) { "session:open" }),
            output,
            CancellationToken.None);
        return ReadApiKey(output.ToString());
    }
    private static ServiceProvider BuildServices(string databasePath)
    {
        IConfigurationRoot configuration = new ConfigurationBuilder()
            .AddInMemoryCollection(
                new Dictionary<string, string?>
                {
                    ["MxGateway:Authentication:SqlitePath"] = databasePath,
                    ["MxGateway:ApiKeyPepper"] = "test-pepper"
                })
            .Build();
        ServiceCollection services = new();
        services.AddSingleton<IConfiguration>(configuration);
        services.AddGatewayConfiguration();
        services.AddSqliteAuthStore();
        return services.BuildServiceProvider(validateScopes: true);
    }
    private static string CreateTempDatabasePath()
    {
        string directory = Path.Combine(Path.GetTempPath(), "mxgateway-auth-cli-tests", Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(directory);
        return Path.Combine(directory, "gateway-auth.db");
    }
    private static string ReadApiKey(string json)
    {
        using JsonDocument document = JsonDocument.Parse(json);
        return document.RootElement.GetProperty("ApiKey").GetString()
            ?? throw new InvalidOperationException("API key was not present in command output.");
    }
    private static string ApiKeySecret(string apiKey)
    {
        string[] parts = apiKey.Split('_', 3);
        return parts[2];
    }
    private static int CountOccurrences(string value, string pattern)
    {
        int count = 0;
        int index = 0;
        while ((index = value.IndexOf(pattern, index, StringComparison.Ordinal)) >= 0)
        {
            count++;
            index += pattern.Length;
        }
        return count;
    }
 }
@@ -0,0 +1,70 @@
 using MxGateway.Server.Security.Authentication;
 namespace MxGateway.Tests.Security.Authentication;
 public sealed class ApiKeyAdminCommandLineParserTests
 {
    [Fact]
    public void Parse_NonApiKeyCommand_ReturnsNotApiKeyCommand()
    {
        ApiKeyAdminParseResult result = ApiKeyAdminCommandLineParser.Parse(["--urls=http://localhost:5000"]);
        Assert.False(result.IsApiKeyCommand);
        Assert.Null(result.Command);
    }
    [Fact]
    public void Parse_CreateKeyCommand_ReturnsOptions()
    {
        ApiKeyAdminParseResult result = ApiKeyAdminCommandLineParser.Parse(
            [
                "apikey",
                "create-key",
                "--key-id",
                "operator01",
                "--display-name",
                "Operator",
                "--scopes",
                "session:open,events:read",
                "--sqlite-path",
                "auth.db",
                "--pepper",
                "pepper",
                "--json"
            ]);
        Assert.True(result.IsApiKeyCommand);
        Assert.Null(result.Error);
        Assert.NotNull(result.Command);
        Assert.Equal(ApiKeyAdminCommandKind.CreateKey, result.Command.Kind);
        Assert.True(result.Command.Json);
        Assert.Equal("operator01", result.Command.KeyId);
        Assert.Equal("Operator", result.Command.DisplayName);
        Assert.Equal("auth.db", result.Command.SqlitePath);
        Assert.Equal("pepper", result.Command.Pepper);
        Assert.Contains("session:open", result.Command.Scopes);
        Assert.Contains("events:read", result.Command.Scopes);
    }
    [Fact]
    public void Parse_CreateKeyWithoutDisplayName_ReturnsError()
    {
        ApiKeyAdminParseResult result = ApiKeyAdminCommandLineParser.Parse(
            ["apikey", "create-key", "--key-id", "operator01"]);
        Assert.True(result.IsApiKeyCommand);
        Assert.Null(result.Command);
        Assert.Contains("--display-name", result.Error, StringComparison.Ordinal);
    }
    [Fact]
    public void Parse_KeyIdWithUnderscore_ReturnsError()
    {
        ApiKeyAdminParseResult result = ApiKeyAdminCommandLineParser.Parse(
            ["apikey", "revoke-key", "--key-id", "operator_01"]);
        Assert.True(result.IsApiKeyCommand);
        Assert.Null(result.Command);
        Assert.Contains("letters, numbers, periods, and hyphens", result.Error, StringComparison.Ordinal);
    }
 }
@@ -0,0 +1,267 @@
 using Grpc.Core;
 using Microsoft.Extensions.Options;
 using MxGateway.Contracts.Proto;
 using MxGateway.Server.Configuration;
 using MxGateway.Server.Security.Authentication;
 using MxGateway.Server.Security.Authorization;
 namespace MxGateway.Tests.Security.Authorization;
 public sealed class GatewayGrpcAuthorizationInterceptorTests
 {
    [Fact]
    public async Task UnaryServerHandler_MissingApiKey_ReturnsUnauthenticated()
    {
        GatewayGrpcAuthorizationInterceptor interceptor = CreateInterceptor(
            new FakeApiKeyVerifier(ApiKeyVerificationResult.Fail(
                ApiKeyVerificationFailure.MissingOrMalformedCredentials)),
            new GatewayRequestIdentityAccessor());
        RpcException exception = await Assert.ThrowsAsync<RpcException>(
            () => interceptor.UnaryServerHandler(
                new OpenSessionRequest(),
                new TestServerCallContext([]),
                (_, _) => Task.FromResult(new OpenSessionReply())));
        Assert.Equal(StatusCode.Unauthenticated, exception.StatusCode);
        Assert.DoesNotContain("secret", exception.Status.Detail, StringComparison.OrdinalIgnoreCase);
    }
    [Fact]
    public async Task UnaryServerHandler_InvalidApiKey_DoesNotExposeRawCredentialInStatus()
    {
        GatewayGrpcAuthorizationInterceptor interceptor = CreateInterceptor(
            new FakeApiKeyVerifier(ApiKeyVerificationResult.Fail(ApiKeyVerificationFailure.SecretMismatch)),
            new GatewayRequestIdentityAccessor());
        RpcException exception = await Assert.ThrowsAsync<RpcException>(
            () => interceptor.UnaryServerHandler(
                new OpenSessionRequest(),
                ContextWithAuthorization("Bearer mxgw_operator01_super-secret"),
                (_, _) => Task.FromResult(new OpenSessionReply())));
        Assert.Equal(StatusCode.Unauthenticated, exception.StatusCode);
        Assert.DoesNotContain("super-secret", exception.Status.Detail, StringComparison.Ordinal);
    }
    [Fact]
    public async Task UnaryServerHandler_ValidApiKeyMissingScope_ReturnsPermissionDenied()
    {
        GatewayGrpcAuthorizationInterceptor interceptor = CreateInterceptor(
            new FakeApiKeyVerifier(SuccessWithScopes(GatewayScopes.EventsRead)),
            new GatewayRequestIdentityAccessor());
        RpcException exception = await Assert.ThrowsAsync<RpcException>(
            () => interceptor.UnaryServerHandler(
                new OpenSessionRequest(),
                ContextWithAuthorization("Bearer mxgw_operator01_secret"),
                (_, _) => Task.FromResult(new OpenSessionReply())));
        Assert.Equal(StatusCode.PermissionDenied, exception.StatusCode);
        Assert.Contains(GatewayScopes.SessionOpen, exception.Status.Detail, StringComparison.Ordinal);
    }
    [Fact]
    public async Task UnaryServerHandler_ValidApiKeyWithScope_SetsRequestIdentity()
    {
        GatewayRequestIdentityAccessor identityAccessor = new();
        ApiKeyIdentity? identitySeenByHandler = null;
        GatewayGrpcAuthorizationInterceptor interceptor = CreateInterceptor(
            new FakeApiKeyVerifier(SuccessWithScopes(GatewayScopes.SessionOpen)),
            identityAccessor);
        OpenSessionReply reply = await interceptor.UnaryServerHandler(
            new OpenSessionRequest(),
            ContextWithAuthorization("Bearer mxgw_operator01_secret"),
            (_, _) =>
            {
                identitySeenByHandler = identityAccessor.Current;
                return Task.FromResult(new OpenSessionReply { SessionId = "session-1" });
            });
        Assert.Equal("session-1", reply.SessionId);
        Assert.NotNull(identitySeenByHandler);
        Assert.Equal("operator01", identitySeenByHandler.KeyId);
        Assert.Null(identityAccessor.Current);
    }
    [Fact]
    public async Task ServerStreamingServerHandler_ValidApiKeyMissingScope_ReturnsPermissionDenied()
    {
        GatewayGrpcAuthorizationInterceptor interceptor = CreateInterceptor(
            new FakeApiKeyVerifier(SuccessWithScopes(GatewayScopes.SessionOpen)),
            new GatewayRequestIdentityAccessor());
        RpcException exception = await Assert.ThrowsAsync<RpcException>(
            () => interceptor.ServerStreamingServerHandler(
                new StreamEventsRequest(),
                new TestServerStreamWriter<MxEvent>(),
                ContextWithAuthorization("Bearer mxgw_operator01_secret"),
                (_, _, _) => Task.CompletedTask));
        Assert.Equal(StatusCode.PermissionDenied, exception.StatusCode);
        Assert.Contains(GatewayScopes.EventsRead, exception.Status.Detail, StringComparison.Ordinal);
    }
    [Fact]
    public async Task ServerStreamingServerHandler_ValidApiKeyWithScope_AllowsStream()
    {
        GatewayRequestIdentityAccessor identityAccessor = new();
        GatewayGrpcAuthorizationInterceptor interceptor = CreateInterceptor(
            new FakeApiKeyVerifier(SuccessWithScopes(GatewayScopes.EventsRead)),
            identityAccessor);
        TestServerStreamWriter<MxEvent> streamWriter = new();
        await interceptor.ServerStreamingServerHandler(
            new StreamEventsRequest(),
            streamWriter,
            ContextWithAuthorization("Bearer mxgw_operator01_secret"),
            async (_, writer, _) =>
            {
                Assert.Equal("operator01", identityAccessor.Current?.KeyId);
                await writer.WriteAsync(new MxEvent { SessionId = "session-1" });
            });
        MxEvent eventMessage = Assert.Single(streamWriter.Messages);
        Assert.Equal("session-1", eventMessage.SessionId);
        Assert.Null(identityAccessor.Current);
    }
    [Fact]
    public async Task UnaryServerHandler_AuthenticationDisabled_SkipsApiKeyVerification()
    {
        GatewayRequestIdentityAccessor identityAccessor = new();
        FakeApiKeyVerifier verifier = new(ApiKeyVerificationResult.Fail(
            ApiKeyVerificationFailure.MissingOrMalformedCredentials));
        GatewayGrpcAuthorizationInterceptor interceptor = CreateInterceptor(
            verifier,
            identityAccessor,
            AuthenticationMode.Disabled);
        OpenSessionReply reply = await interceptor.UnaryServerHandler(
            new OpenSessionRequest(),
            new TestServerCallContext([]),
            (_, _) => Task.FromResult(new OpenSessionReply { SessionId = "session-1" }));
        Assert.Equal("session-1", reply.SessionId);
        Assert.False(verifier.WasCalled);
        Assert.Null(identityAccessor.Current);
    }
    private static GatewayGrpcAuthorizationInterceptor CreateInterceptor(
        IApiKeyVerifier apiKeyVerifier,
        IGatewayRequestIdentityAccessor identityAccessor,
        AuthenticationMode authenticationMode = AuthenticationMode.ApiKey)
    {
        return new GatewayGrpcAuthorizationInterceptor(
            apiKeyVerifier,
            new GatewayGrpcScopeResolver(),
            identityAccessor,
            Options.Create(new GatewayOptions
            {
                Authentication = new AuthenticationOptions
                {
                    Mode = authenticationMode
                }
            }));
    }
    private static ApiKeyVerificationResult SuccessWithScopes(params string[] scopes)
    {
        return ApiKeyVerificationResult.Success(new ApiKeyIdentity(
            KeyId: "operator01",
            KeyPrefix: "mxgw_operator01",
            DisplayName: "Operator Key",
            Scopes: new HashSet<string>(scopes, StringComparer.Ordinal)));
    }
    private static TestServerCallContext ContextWithAuthorization(string authorizationHeader)
    {
        return new TestServerCallContext([new Metadata.Entry("authorization", authorizationHeader)]);
    }
    private sealed class FakeApiKeyVerifier(ApiKeyVerificationResult result) : IApiKeyVerifier
    {
        public bool WasCalled { get; private set; }
        public string? LastAuthorizationHeader { get; private set; }
        public Task<ApiKeyVerificationResult> VerifyAsync(
            string? authorizationHeader,
            CancellationToken cancellationToken)
        {
            WasCalled = true;
            LastAuthorizationHeader = authorizationHeader;
            return Task.FromResult(result);
        }
    }
    private sealed class TestServerStreamWriter<T> : IServerStreamWriter<T>
    {
        public List<T> Messages { get; } = [];
        public WriteOptions? WriteOptions { get; set; }
        public Task WriteAsync(T message)
        {
            Messages.Add(message);
            return Task.CompletedTask;
        }
    }
    private sealed class TestServerCallContext(
        Metadata requestHeaders,
        CancellationToken cancellationToken = default) : ServerCallContext
    {
        private readonly Metadata responseTrailers = [];
        private readonly Dictionary<object, object> userState = [];
        private Status status;
        private WriteOptions? writeOptions;
        protected override string MethodCore => "/mxaccess_gateway.v1.MxAccessGateway/Test";
        protected override string HostCore => "localhost";
        protected override string PeerCore => "ipv4:127.0.0.1:5000";
        protected override DateTime DeadlineCore => DateTime.UtcNow.AddMinutes(1);
        protected override Metadata RequestHeadersCore => requestHeaders;
        protected override CancellationToken CancellationTokenCore => cancellationToken;
        protected override Metadata ResponseTrailersCore => responseTrailers;
        protected override Status StatusCore
        {
            get => status;
            set => status = value;
        }
        protected override WriteOptions? WriteOptionsCore
        {
            get => writeOptions;
            set => writeOptions = value;
        }
        protected override AuthContext AuthContextCore { get; } = new(
            string.Empty,
            new Dictionary<string, List<AuthProperty>>(StringComparer.Ordinal));
        protected override IDictionary<object, object> UserStateCore => userState;
        protected override Task WriteResponseHeadersAsyncCore(Metadata responseHeaders)
        {
            return Task.CompletedTask;
        }
        protected override ContextPropagationToken CreatePropagationTokenCore(
            ContextPropagationOptions? options)
        {
            throw new NotSupportedException();
        }
    }
 }
@@ -0,0 +1,54 @@
 using MxGateway.Contracts.Proto;
 using MxGateway.Server.Security.Authorization;
 namespace MxGateway.Tests.Security.Authorization;
 public sealed class GatewayGrpcScopeResolverTests
 {
    [Theory]
    [InlineData(typeof(OpenSessionRequest), GatewayScopes.SessionOpen)]
    [InlineData(typeof(CloseSessionRequest), GatewayScopes.SessionClose)]
    [InlineData(typeof(StreamEventsRequest), GatewayScopes.EventsRead)]
    public void ResolveRequiredScope_KnownRpcRequest_ReturnsExpectedScope(
        Type requestType,
        string expectedScope)
    {
        GatewayGrpcScopeResolver resolver = new();
        object request = Activator.CreateInstance(requestType)!;
        string scope = resolver.ResolveRequiredScope(request);
        Assert.Equal(expectedScope, scope);
    }
    [Theory]
    [InlineData(MxCommandKind.Register, GatewayScopes.InvokeRead)]
    [InlineData(MxCommandKind.AddItem, GatewayScopes.InvokeRead)]
    [InlineData(MxCommandKind.Advise, GatewayScopes.InvokeRead)]
    [InlineData(MxCommandKind.Write, GatewayScopes.InvokeWrite)]
    [InlineData(MxCommandKind.Write2, GatewayScopes.InvokeWrite)]
    [InlineData(MxCommandKind.WriteSecured, GatewayScopes.InvokeSecure)]
    [InlineData(MxCommandKind.WriteSecured2, GatewayScopes.InvokeSecure)]
    [InlineData(MxCommandKind.AuthenticateUser, GatewayScopes.InvokeSecure)]
    [InlineData(MxCommandKind.ArchestraUserToId, GatewayScopes.MetadataRead)]
    [InlineData(MxCommandKind.GetSessionState, GatewayScopes.MetadataRead)]
    [InlineData(MxCommandKind.GetWorkerInfo, GatewayScopes.MetadataRead)]
    [InlineData(MxCommandKind.DrainEvents, GatewayScopes.EventsRead)]
    [InlineData(MxCommandKind.ShutdownWorker, GatewayScopes.Admin)]
    public void ResolveRequiredScope_InvokeCommand_ReturnsExpectedScope(
        MxCommandKind commandKind,
        string expectedScope)
    {
        GatewayGrpcScopeResolver resolver = new();
        string scope = resolver.ResolveRequiredScope(new MxCommandRequest
        {
            Command = new MxCommand
            {
                Kind = commandKind
            }
        });
        Assert.Equal(expectedScope, scope);
    }
 }
Author	SHA1	Message	Date
Joseph Doherty	fad0ac9948	Issue #8 : add grpc authentication and scope authorization	2026-04-26 17:01:59 -04:00
dohertj2	8ce327e6f4	Merge PR #62 : Issue #7 implement local api key admin cli Verified with dotnet build src\\MxGateway.sln and dotnet test src\\MxGateway.sln.	2026-04-26 17:02:09 -04:00
dohertj2	9cb2f1c5cd	Merge PR #61 : Issue #21 implement worker bootstrap and options Verified with dotnet build src\\MxGateway.sln, dotnet test src\\MxGateway.Worker.Tests\\MxGateway.Worker.Tests.csproj -p:Platform=x86, and dotnet test src\\MxGateway.sln --no-build.	2026-04-26 16:56:52 -04:00
Joseph Doherty	da9ffe0e11	Issue #7 : implement local api key admin cli	2026-04-26 16:56:12 -04:00