Add auth to other instances

Author: jasontaylordev

src/ServiceControl.Audit/App.config

@@ -25,6 +25,24 @@ These settings are only here so that we can debug ServiceControl while developin
 	<!-- options are any comma separated combination of NLog,Seq,Otlp -->
 	<add key="ServiceControl.Audit/LoggingProviders" value="NLog,Seq"/>
 	<add key="ServiceControl.Audit/SeqAddress" value="http://localhost:5341"/>
+
+    <!-- Authentication Settings (JWT with OpenID Connect) -->
+    <!-- Uncomment and configure to enable authentication -->
+    <!-- Leaving 'Authentication.Enabled' commented out defaults authentication to 'false'-->
+    <!-- <add key="ServiceControl/Authentication.Enabled" value="false" />
+    <add key="ServiceControl/Authentication.Authority" value="" />
+    <add key="ServiceControl/Authentication.Audience" value="" /> -->
+    <!-- Optional Authentication Settings (defaults shown) -->
+    <!--<add key="ServiceControl/Authentication.ValidateIssuer" value="true" />
+    <add key="ServiceControl/Authentication.ValidateAudience" value="true" />
+    <add key="ServiceControl/Authentication.ValidateLifetime" value="true" />
+    <add key="ServiceControl/Authentication.ValidateIssuerSigningKey" value="true" />
+    <add key="ServiceControl/Authentication.RequireHttpsMetadata" value="true" />-->
+    <!-- ServicePulse Authentication Settings -->
+    <!-- <add key="ServiceControl/Authentication.ServicePulse.Enabled" value="false" />
+    <add key="ServiceControl/Authentication.ServicePulse.ClientId" value="" />
+    <add key="ServiceControl/Authentication.ServicePulse.Authority" value="" />
+    <add key="ServiceControl/Authentication.ServicePulse.ApiScope" value="" /> -->
   </appSettings>
   <connectionStrings>
     <!-- DEVS - Pick a transport connection string to match chosen transport above -->

src/ServiceControl.Audit/Infrastructure/Hosting/Commands/RunCommand.cs

@@ -3,6 +3,7 @@
     using System.Threading.Tasks;
     using Microsoft.AspNetCore.Builder;
     using NServiceBus;
+    using ServiceControl.Hosting.Auth;
     using Settings;
     using WebApi;
 
@@ -15,6 +16,8 @@ public override async Task Execute(HostArguments args, Settings settings)
             assemblyScanner.ExcludeAssemblies("ServiceControl.Plugin");
 
             var hostBuilder = WebApplication.CreateBuilder();
+
+            hostBuilder.AddServiceControlAuthentication(settings.OpenIdConnectSettings);
             hostBuilder.AddServiceControlAudit((_, __) =>
             {
                 //Do nothing. The transports in NSB 8 are designed to handle broker outages. Audit ingestion will be paused when broker is unavailable.
@@ -24,6 +27,8 @@ public override async Task Execute(HostArguments args, Settings settings)
 
             var app = hostBuilder.Build();
             app.UseServiceControlAudit();
+            app.UseServiceControlAuthentication(authenticationEnabled: settings.OpenIdConnectSettings.Enabled);
+
             await app.RunAsync(settings.RootUrl);
         }
     }

src/ServiceControl.Audit/Infrastructure/Settings/Settings.cs

@@ -17,6 +17,8 @@ public Settings(string transportType = null, string persisterType = null, Loggin
         {
             LoggingSettings = loggingSettings ?? new(SettingsRootNamespace);
 
+            OpenIdConnectSettings = new OpenIdConnectSettings(SettingsRootNamespace, ValidateConfiguration);
+
             // Overwrite the instance name if it is specified in ENVVAR, reg, or config file -- LEGACY SETTING NAME
             InstanceName = SettingsReader.Read(SettingsRootNamespace, "InternalQueueName", InstanceName);
 
@@ -92,6 +94,8 @@ void LoadAuditQueueInformation()
 
         public LoggingSettings LoggingSettings { get; }
 
+        public OpenIdConnectSettings OpenIdConnectSettings { get; }
+
         //HINT: acceptance tests only
         public Func<MessageContext, bool> MessageFilter { get; set; }
 

src/ServiceControl.Hosting/Auth/HostApplicationBuilderExtensions.cs

@@ -0,0 +1,41 @@
+namespace ServiceControl.Hosting.Auth
+{
+    using System;
+    using Microsoft.Extensions.DependencyInjection;
+    using Microsoft.Extensions.Hosting;
+    using ServiceControl.Infrastructure;
+
+    public static class HostApplicationBuilderExtensions
+    {
+        public static void AddServiceControlAuthentication(this IHostApplicationBuilder hostBuilder, OpenIdConnectSettings oidcSettings)
+        {
+            if (!oidcSettings.Enabled)
+            {
+                return;
+            }
+
+            hostBuilder.Services.AddAuthentication(options =>
+            {
+                options.DefaultScheme = "Bearer";
+                options.DefaultChallengeScheme = "Bearer";
+            })
+            .AddJwtBearer("Bearer", options =>
+            {
+                options.Authority = oidcSettings.Authority;
+                // Configure token validation parameters
+                options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
+                {
+                    ValidateIssuer = oidcSettings.ValidateIssuer,
+                    ValidateAudience = oidcSettings.ValidateAudience,
+                    ValidateLifetime = oidcSettings.ValidateLifetime,
+                    ValidateIssuerSigningKey = oidcSettings.ValidateIssuerSigningKey,
+                    ValidAudience = oidcSettings.Audience,
+                    ClockSkew = TimeSpan.FromMinutes(5) // Allow 5 minutes clock skew
+                };
+                options.RequireHttpsMetadata = oidcSettings.RequireHttpsMetadata;
+                // Don't map inbound claims to legacy Microsoft claim types
+                options.MapInboundClaims = false;
+            });
+        }
+    }
+}

src/ServiceControl.Hosting/Auth/WebApplicationExtensions.cs

@@ -0,0 +1,21 @@
+namespace ServiceControl.Hosting.Auth
+{
+    using Microsoft.AspNetCore.Builder;
+
+    public static class WebApplicationExtensions
+    {
+        public static void UseServiceControlAuthentication(this WebApplication app, bool authenticationEnabled = false)
+        {
+            if (authenticationEnabled)
+            {
+                app.UseAuthentication();
+                app.UseAuthorization();
+                app.MapControllers().RequireAuthorization();
+            }
+            else
+            {
+                app.MapControllers();
+            }
+        }
+    }
+}

src/ServiceControl.Hosting/ServiceControl.Hosting.csproj

@@ -5,8 +5,18 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" />
     <PackageReference Include="Microsoft.Extensions.Hosting.WindowsServices" />
     <PackageReference Include="NLog.Extensions.Logging" />
   </ItemGroup>
 
+  <ItemGroup>
+    <ProjectReference Include="..\ServiceControl.Infrastructure\ServiceControl.Infrastructure.csproj" />
+  </ItemGroup>
+
 </Project>

src/ServiceControl.Infrastructure/OpenIdConnectSettings.cs

@@ -0,0 +1,153 @@
+namespace ServiceControl.Infrastructure;
+
+using System;
+using System.Text.Json.Serialization;
+using Microsoft.Extensions.Logging;
+using ServiceControl.Configuration;
+
+public class OpenIdConnectSettings
+{
+    readonly ILogger logger = LoggerUtil.CreateStaticLogger<OpenIdConnectSettings>();
+
+    public OpenIdConnectSettings(SettingsRootNamespace rootNamespace, bool validateConfiguration)
+    {
+        Enabled = SettingsReader.Read(rootNamespace, "Authentication.Enabled", false);
+
+        if (!Enabled)
+        {
+            return;
+        }
+
+        Authority = SettingsReader.Read<string>(rootNamespace, "Authentication.Authority");
+        Audience = SettingsReader.Read<string>(rootNamespace, "Authentication.Audience");
+        ValidateIssuer = SettingsReader.Read(rootNamespace, "Authentication.ValidateIssuer", true);
+        ValidateAudience = SettingsReader.Read(rootNamespace, "Authentication.ValidateAudience", true);
+        ValidateLifetime = SettingsReader.Read(rootNamespace, "Authentication.ValidateLifetime", true);
+        ValidateIssuerSigningKey = SettingsReader.Read(rootNamespace, "Authentication.ValidateIssuerSigningKey", true);
+        RequireHttpsMetadata = SettingsReader.Read(rootNamespace, "Authentication.RequireHttpsMetadata", true);
+        ServicePulseClientId = SettingsReader.Read<string>(rootNamespace, "Authentication.ServicePulse.ClientId");
+        ServicePulseApiScope = SettingsReader.Read<string>(rootNamespace, "Authentication.ServicePulse.ApiScope");
+        ServicePulseAuthority = SettingsReader.Read<string>(rootNamespace, "Authentication.ServicePulse.Authority");
+
+        if (validateConfiguration)
+        {
+            Validate();
+        }
+    }
+
+    [JsonPropertyName("enabled")]
+    public bool Enabled { get; }
+
+    [JsonPropertyName("authority")]
+    public string Authority { get; }
+
+    [JsonPropertyName("audience")]
+    public string Audience { get; }
+
+    [JsonPropertyName("validateIssuer")]
+    public bool ValidateIssuer { get; }
+
+    [JsonPropertyName("validateAudience")]
+    public bool ValidateAudience { get; }
+
+    [JsonPropertyName("validateLifetime")]
+    public bool ValidateLifetime { get; }
+
+    [JsonPropertyName("validateIssuerSigningKey")]
+    public bool ValidateIssuerSigningKey { get; }
+
+    [JsonPropertyName("requireHttpsMetadata")]
+    public bool RequireHttpsMetadata { get; }
+
+    [JsonPropertyName("servicePulseAuthority")]
+    public string ServicePulseAuthority { get; }
+
+    [JsonPropertyName("servicePulseClientId")]
+    public string ServicePulseClientId { get; }
+
+    [JsonPropertyName("servicePulseApiScope")]
+    public string ServicePulseApiScope { get; }
+
+    void Validate()
+    {
+        if (!Enabled)
+        {
+            return;
+        }
+
+        if (string.IsNullOrWhiteSpace(Authority))
+        {
+            var message = "Authentication.Authority is required when authentication is enabled. Please provide a valid OpenID Connect authority URL (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0)";
+            logger.LogCritical(message);
+            throw new Exception(message);
+        }
+
+        if (!Uri.TryCreate(Authority, UriKind.Absolute, out var authorityUri))
+        {
+            var message = $"Authentication.Authority must be a valid absolute URI. Current value: '{Authority}'";
+            logger.LogCritical(message);
+            throw new Exception(message);
+        }
+
+        if (RequireHttpsMetadata && authorityUri.Scheme != Uri.UriSchemeHttps)
+        {
+            var message = $"Authentication.Authority must use HTTPS when RequireHttpsMetadata is true. Current value: '{Authority}'. Either use HTTPS or set Authentication.RequireHttpsMetadata to false (not recommended for production)";
+            logger.LogCritical(message);
+            throw new Exception(message);
+        }
+
+        if (string.IsNullOrWhiteSpace(Audience))
+        {
+            var message = "Authentication.Audience is required when authentication is enabled. Please provide a valid audience identifier (typically your API identifier or client ID)";
+            logger.LogCritical(message);
+            throw new Exception(message);
+        }
+
+        if (!ValidateIssuer)
+        {
+            logger.LogWarning("Authentication.ValidateIssuer is set to false. This is not recommended for production environments as it may allow tokens from untrusted issuers");
+        }
+
+        if (!ValidateAudience)
+        {
+            logger.LogWarning("Authentication.ValidateAudience is set to false. This is not recommended for production environments as it may allow tokens intended for other applications");
+        }
+
+        if (!ValidateLifetime)
+        {
+            logger.LogWarning("Authentication.ValidateLifetime is set to false. This is not recommended as it may allow expired tokens to be accepted");
+        }
+
+        if (!ValidateIssuerSigningKey)
+        {
+            logger.LogWarning("Authentication.ValidateIssuerSigningKey is set to false. This is a serious security risk and should only be used in development environments");
+        }
+
+        if (string.IsNullOrWhiteSpace(ServicePulseClientId))
+        {
+            throw new Exception("Authentication.ServicePulse.ClientId is required when Authentication.ServicePulse.Enabled is true.");
+        }
+
+        if (string.IsNullOrWhiteSpace(ServicePulseApiScope))
+        {
+            throw new Exception("Authentication.ServicePulse.ApiScope is required when Authentication.ServicePulse.Enabled is true.");
+        }
+
+        if (ServicePulseAuthority != null && !Uri.TryCreate(ServicePulseAuthority, UriKind.Absolute, out _))
+        {
+            throw new Exception("Authentication.ServicePulse.Authority must be a valid absolute URI if provided.");
+        }
+
+        logger.LogInformation("Authentication configuration validated successfully");
+        logger.LogInformation("  Authority: {Authority}", Authority);
+        logger.LogInformation("  Audience: {Audience}", Audience);
+        logger.LogInformation("  ValidateIssuer: {ValidateIssuer}", ValidateIssuer);
+        logger.LogInformation("  ValidateAudience: {ValidateAudience}", ValidateAudience);
+        logger.LogInformation("  ValidateLifetime: {ValidateLifetime}", ValidateLifetime);
+        logger.LogInformation("  ValidateIssuerSigningKey: {ValidateIssuerSigningKey}", ValidateIssuerSigningKey);
+        logger.LogInformation("  RequireHttpsMetadata: {RequireHttpsMetadata}", RequireHttpsMetadata);
+        logger.LogInformation("  ServicePulseClientId: {ServicePulseClientId}", ServicePulseClientId);
+        logger.LogInformation("  ServicePulseAuthority: {ServicePulseAuthority}", ServicePulseAuthority);
+        logger.LogInformation("  ServicePulseApiScope: {ServicePulseApiScope}", ServicePulseApiScope);
+    }
+}

src/ServiceControl.Monitoring/App.config

@@ -22,6 +22,24 @@ These settings are only here so that we can debug ServiceControl while developin
 	<!-- options are any comma separated combination of NLog,Seq,Otlp -->
 	<add key="Monitoring/LoggingProviders" value="NLog,Seq"/>
 	<add key="Monitoring/SeqAddress" value="http://localhost:5341"/>
+	  
+    <!-- Authentication Settings (JWT with OpenID Connect) -->
+    <!-- Uncomment and configure to enable authentication -->
+    <!-- Leaving 'Authentication.Enabled' commented out defaults authentication to 'false'-->
+    <!-- <add key="ServiceControl/Authentication.Enabled" value="false" />
+    <add key="ServiceControl/Authentication.Authority" value="" />
+    <add key="ServiceControl/Authentication.Audience" value="" /> -->
+    <!-- Optional Authentication Settings (defaults shown) -->
+    <!--<add key="ServiceControl/Authentication.ValidateIssuer" value="true" />
+    <add key="ServiceControl/Authentication.ValidateAudience" value="true" />
+    <add key="ServiceControl/Authentication.ValidateLifetime" value="true" />
+    <add key="ServiceControl/Authentication.ValidateIssuerSigningKey" value="true" />
+    <add key="ServiceControl/Authentication.RequireHttpsMetadata" value="true" />-->
+    <!-- ServicePulse Authentication Settings -->
+    <!-- <add key="ServiceControl/Authentication.ServicePulse.Enabled" value="false" />
+    <add key="ServiceControl/Authentication.ServicePulse.ClientId" value="" />
+    <add key="ServiceControl/Authentication.ServicePulse.Authority" value="" />
+    <add key="ServiceControl/Authentication.ServicePulse.ApiScope" value="" /> -->
   </appSettings>
   <connectionStrings>
     <!-- DEVS - Pick a transport connection string to match chosen transport above -->

src/ServiceControl.Monitoring/Hosting/Commands/RunCommand.cs

@@ -5,6 +5,7 @@ namespace ServiceControl.Monitoring
     using Infrastructure.WebApi;
     using Microsoft.AspNetCore.Builder;
     using NServiceBus;
+    using ServiceControl.Hosting.Auth;
 
     class RunCommand : AbstractCommand
     {
@@ -13,11 +14,14 @@ public override async Task Execute(HostArguments args, Settings settings)
             var endpointConfiguration = new EndpointConfiguration(settings.InstanceName);
 
             var hostBuilder = WebApplication.CreateBuilder();
+            hostBuilder.AddServiceControlAuthentication(settings.OpenIdConnectSettings);
             hostBuilder.AddServiceControlMonitoring((_, __) => Task.CompletedTask, settings, endpointConfiguration);
             hostBuilder.AddServiceControlMonitoringApi();
 
             var app = hostBuilder.Build();
             app.UseServiceControlMonitoring();
+            app.UseServiceControlAuthentication(authenticationEnabled: settings.OpenIdConnectSettings.Enabled);
+
             await app.RunAsync(settings.RootUrl);
         }
     }

src/ServiceControl.Monitoring/Settings.cs

@@ -16,6 +16,8 @@ public Settings(LoggingSettings loggingSettings = null, string transportType = n
         {
             LoggingSettings = loggingSettings ?? new(SettingsRootNamespace);
 
+            OpenIdConnectSettings = new OpenIdConnectSettings(SettingsRootNamespace, false);
+
             // Overwrite the instance name if it is specified in ENVVAR, reg, or config file
             InstanceName = SettingsReader.Read(SettingsRootNamespace, "InstanceName", InstanceName);
 
@@ -49,6 +51,8 @@ public Settings(LoggingSettings loggingSettings = null, string transportType = n
 
         public LoggingSettings LoggingSettings { get; }
 
+        public OpenIdConnectSettings OpenIdConnectSettings { get; }
+
         public string InstanceName { get; init; } = DEFAULT_INSTANCE_NAME;
 
         public string TransportType { get; set; }