Merge pull request #5490 from cisagov/feature/CSET-3493

User Settings changes for external authentication

Author: itsmostafa

CSETWebApi/CSETWeb_Api/CSETWebCore.Business/AssessmentIO/Import/Importer.cs

@@ -173,7 +173,7 @@ public int RunImportManualPortion(bool overwriteAssessment)
                         refreshContact.Phone = originalContact.Phone;
                         refreshContact.Title = originalContact.Title;
                         //If they have removed this assessment on enterprise and this contact is being re-added, they are demoted to a user role. 
-                        refreshContact.AssessmentRoleId = 1;
+                        refreshContact.AssessmentRoleId = Constants.Constants.UserRoleUser;
 
                         _context.ASSESSMENT_CONTACTS.Add(refreshContact);
                         _context.SaveChanges();

CSETWebApi/CSETWeb_Api/CSETWebCore.Constants/Constants.cs

@@ -15,6 +15,9 @@ public static class Constants
 
         public static string AssesmentUser = "ASSESS_USER";
 
+        public static int UserRoleUser = 1;
+        public static int UserRoleAdmin = 2;
+
         public static string Token_TimezoneOffsetKey = "tzoffset";
         public static string Token_UserId = "userid";
         public static string Token_AccessKey = "acckey";

CSETWebApi/CSETWeb_Api/CSETWebCore.Helpers/TokenManager.cs

@@ -586,7 +586,7 @@ public void AuthorizeAdminRole()
             var myAdminConnections = _context.ASSESSMENT_CONTACTS.Where(
                     ac => ac.UserId == userId
                     && ac.Assessment_Id == assessmentId
-                    && ac.AssessmentRoleId == 2)
+                    && ac.AssessmentRoleId == Constants.Constants.UserRoleAdmin)
                     .ToList();
 
             if (myAdminConnections.Count() == 0)
@@ -608,13 +608,13 @@ public bool AmILastAdminWithUsers(int assessmentId)
 
             var adminConnections = _context.ASSESSMENT_CONTACTS.Where(
                     ac => ac.Assessment_Id == assessmentId
-                    && ac.AssessmentRoleId == 2)
+                    && ac.AssessmentRoleId == Constants.Constants.UserRoleAdmin)
                     .ToList();
 
 
             var userConnections = _context.ASSESSMENT_CONTACTS.Where(
                     ac => ac.Assessment_Id == assessmentId
-                    && ac.AssessmentRoleId == 1)
+                    && ac.AssessmentRoleId == Constants.Constants.UserRoleUser)
                     .ToList();
 
             // Return a boolean indicating whether I am the last Admin and there is more than one User

CSETWebApi/CSETWeb_Api/CSETWebCore.Helpers/UserAuthentication.cs

@@ -277,7 +277,7 @@ public async Task<LoginResponse> AuthenticateStandalone(Login login, ITokenManag
                         FirstName = name,
                         LastName = "",
                         PrimaryEmail = primaryEmailSO,
-                        AssessmentRoleId = 2, // Admin role
+                        AssessmentRoleId = Constants.Constants.UserRoleAdmin, // Admin role
                         Invited = true
                     };
 
@@ -419,9 +419,34 @@ public async Task<LoginResponse> ExchangeToken(ClaimsPrincipal user, string tzOf
             var email = user.FindFirstValue("email") ?? user.FindFirstValue(ClaimTypes.Email)
                 ?? throw new InvalidOperationException("Email claim not found in token.");
 
+           
+
             // Locate the CSET user record via the email claim
-            var dbUser = _context.USERS.FirstOrDefault(x => x.PrimaryEmail == email) 
-                ?? throw new UnauthorizedAccessException($"User email '{email}' is not registered in CSET.");
+            var dbUser = _context.USERS.FirstOrDefault(x => x.PrimaryEmail == email);
+
+
+            // if the user is not yet defined in CSET, create them
+            if (!String.IsNullOrEmpty(email) && dbUser == null)
+            {
+                var givenName = user.FindFirstValue(ClaimTypes.GivenName);
+                var surname = user.FindFirstValue(ClaimTypes.Surname);
+
+                dbUser = new USERS { 
+                    PrimaryEmail = email, 
+                    FirstName = givenName, 
+                    LastName = surname 
+                };
+                _context.USERS.Add(dbUser);
+                _context.SaveChanges();
+
+
+                var dbUserRole = new USER_ROLES { 
+                    RoleId = Constants.Constants.UserRoleUser, 
+                    UserId = dbUser.UserId 
+                };
+                _context.USER_ROLES.Add(dbUserRole);
+                _context.SaveChanges();
+            }
 
 
             // Build response object

CSETWebApi/CSETWeb_Api/CSETWebCore.Model/Auth/AuthSettings.cs

@@ -12,6 +12,10 @@ public class AuthSettings
         public OidcSettings OIDC { get; set; }
     }
 
+    /// <summary>
+    /// Represents the configuration settings required for integrating an application 
+    /// with an OpenID Connect (OIDC) identity provider. 
+    /// </summary>
     public class OidcSettings
     {
         /// <summary>
@@ -30,18 +34,41 @@ public class OidcSettings
         /// </summary>
         public string PostLogoutRedirectUri { get; set; } = string.Empty;
 
+
+        /// <summary>
+        /// The base URL of the OIDC identity provider (the realm/tenant issuer URL). 
+        /// The app will use this to discover provider endpoints via 
+        /// {issuer}/.well-known/openid-configuration.
+        /// </summary>
+        public string Issuer { get; set; } = string.Empty;
+
+        /// <summary>
+        /// The base URL used by the application to interact with the OIDC identity provider. 
+        /// It serves as the starting point for discovering metadata and endpoints (e.g., authorization, 
+        /// token, and user information endpoints) via the OIDC discovery document. 
+        /// Typically, this matches the Issuer value but is explicitly included for configuration purposes.
+        /// </summary>
+        public string Authority { get; set; } = string.Empty;
+
+        /// <summary>
+        /// Identifies the client ID of the application registered with the OIDC provider. 
+        /// This value must match the "aud" (audience) claim in the token to validate it.
+        /// </summary>
+        public string Audience { get; set; } = string.Empty;
+
+
         /// <summary>
         /// Space-separated list of OAuth 2.0 scopes to request. 
         /// openid is required; profile and email are standard optional scopes.
         /// </summary>
         public string Scope { get; set; } = string.Empty;
 
         /// <summary>
-        ///The base URL of the OIDC identity provider (the realm/tenant issuer URL). 
-        ///The app will use this to discover provider endpoints via 
-        ///{issuer}/.well-known/openid-configuration.
+        /// Specifies the claim name in the token that should be used to 
+        /// identify the username.  Defaults to "preferred_username" if not specified.
         /// </summary>
-        public string Issuer { get; set; } = string.Empty;
+        public string ClaimUsernameProperty { get; set; } = string.Empty;
+
 
         /// <summary>
         /// When true, enforces that all endpoint URLs in the discovery document 
@@ -57,22 +84,11 @@ public class OidcSettings
         /// </summary>
         public bool RequireHttps { get; set; } = true;
 
+
         /// <summary>
         /// When true, logs verbose OIDC debug output to the browser console. 
         /// Useful during development and troubleshooting. Should be false in production.
         /// </summary>
         public bool ShowDebugInformation { get; set; } = false;
-
-        /// <summary>
-        /// Identifies the client ID of the application registered with the OIDC provider. 
-        /// This value must match the "aud" (audience) claim in the token to validate it.
-        /// </summary>
-        public string Audience { get; set; } = string.Empty;
-
-        /// <summary>
-        /// Specifies the claim name in the token that should be used to 
-        /// identify the username.  Defaults to "preferred_username" if not specified.
-        /// </summary>
-        public string ClaimUsernameProperty { get; set; } = string.Empty;
     }
 }

CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Startup.cs

@@ -70,6 +70,7 @@
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.OpenApi.Models;
 using Newtonsoft.Json;
+using NLog;
 using System;
 using System.IO;
 using System.Linq;
@@ -143,24 +144,24 @@ public void ConfigureServices(IServiceCollection services)
             // Configure OIDC authentication if configured to do so
             var authSettings = Configuration.GetSection("Auth").Get<AuthSettings>();
 
-            if (authSettings.OIDC?.Issuer != null)
+            if (authSettings.OIDC?.Authority != null)
             {
                 authBuilder.AddJwtBearer("OIDC", options =>
                 {
-                    options.Authority = authSettings.OIDC.Issuer;
+                    options.Authority = authSettings.OIDC.Authority;
                     options.Audience = authSettings.OIDC.Audience;
-                    options.RequireHttpsMetadata = !_env.IsDevelopment();
+                    options.RequireHttpsMetadata = authSettings.OIDC.RequireHttps;
 
                     options.Events = new JwtBearerEvents
                     {
                         OnAuthenticationFailed = ctx =>
                         {
-                            Console.WriteLine($"OIDC auth failed: {ctx.Exception}");
+                            LogManager.GetCurrentClassLogger().Error($"OIDC auth failed: {ctx.Exception}");
                             return Task.CompletedTask;
                         },
                         OnTokenValidated = ctx =>
                         {
-                            Console.WriteLine("OIDC token validated successfully");
+                            LogManager.GetCurrentClassLogger().Error("OIDC token validated successfully");
                             return Task.CompletedTask;
                         }
                     };

CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/appsettings.json

@@ -38,19 +38,24 @@
     ]
   },
   "Auth": {
-    "x_____OIDC": {
-      "Note": "rename this section to 'oidc' to enable external authentication",
+    "disabled_OIDC": {
+      "Note": "rename this section key to 'OIDC' to enable external authentication",
+
       "ClientId": "cset-local",
       "RedirectUri": "https://{your-application-host}/callback",
       "PostLogoutRedirectUri": "http://{your-application-host}",
-      "Scope": "openid profile email",
+
       "Issuer": "https://{oidc-provider-host}/realms/{realm}",
+      "Authority": "https://{oidc-provider-host}/realms/{realm}",
+      "Audience": "account",
+
+      "Scope": "openid profile email",
+      "ClaimUsernameProperty": "preferred_username",
+
       "StrictDiscoveryDocumentValidation": false,
       "RequireHttps": false,
-      "ShowDebugInformation": true,
 
-      "Audience": "account",
-      "ClaimUsernameProperty": "preferred_username"
+      "ShowDebugInformation": true
     }
   }
 }

CSETWebApi/CSETWeb_Api/DuplicateAssessments/MockTokenManager.cs

@@ -547,7 +547,7 @@ public void AuthorizeAdminRole()
             var myAdminConnections = _context.ASSESSMENT_CONTACTS.Where(
                     ac => ac.UserId == userId
                     && ac.Assessment_Id == assessmentId
-                    && ac.AssessmentRoleId == 2)
+                    && ac.AssessmentRoleId == Constants.UserRoleAdmin)
                     .ToList();
 
             if (myAdminConnections.Count() == 0)
@@ -569,13 +569,13 @@ public bool AmILastAdminWithUsers(int assessmentId)
 
             var adminConnections = _context.ASSESSMENT_CONTACTS.Where(
                     ac => ac.Assessment_Id == assessmentId
-                    && ac.AssessmentRoleId == 2)
+                    && ac.AssessmentRoleId == Constants.UserRoleAdmin)
                     .ToList();
 
 
             var userConnections = _context.ASSESSMENT_CONTACTS.Where(
                     ac => ac.Assessment_Id == assessmentId
-                    && ac.AssessmentRoleId == 1)
+                    && ac.AssessmentRoleId == Constants.UserRoleAdmin)
                     .ToList();
 
             // Return a boolean indicating whether I am the last Admin and there is more than one User

CSETWebNg/src/app/callback/callback.component.ts

@@ -48,6 +48,9 @@ export class CallbackComponent implements OnInit {
 
 
       const accessToken = this.authExtSvc.oauthService.getAccessToken();
+      const idToken = this.authExtSvc.oauthService.getIdToken();
+      sessionStorage.setItem('oidc-token', accessToken);
+      sessionStorage.setItem('oidc-id-token', idToken);
 
 
       // Send token to your backend

CSETWebNg/src/app/dialogs/change-password/change-password.component.ts

@@ -147,7 +147,7 @@ export class ChangePasswordComponent implements OnInit {
     // if canceling out of a change TEMP password, navigate back to the login
     // but if cancelling out of a NON-TEMP password change, don't do anything.
     if (this.warning && this.message === this.msgChangeTempPw) {
-      this.auth.logout();
+      this.auth.logOut();
     }
   }