
Commit a943257

oleksandr-didykpremun
authored andcommitted
Merged PR 47213: Fix missing authorization for API endpoints
Resolves https://dev.azure.com/dnceng/internal/_workitems/7374 Adds back authorization for `/api/*` endpoints that was accidentally removed with the BAR token removal in [82d66a](82d66a0#diff-063c785b35bfb14175032f6678838d7b6816789a51a057b9ae063ee42251f553L132-L137) ---- #### AI description (iteration 1) #### PR Classification Bug fix #### PR Summary This pull request addresses missing authorization for API endpoints by updating the authentication and authorization configurations. - `AuthenticationConfiguration.cs`: Added new policies for API and web authorization, updated existing policy names, and adjusted authentication schemes. - `ApiRedirection.cs`: Changed the authorization policy used in the redirection logic. - `PcsStartup.cs`: Updated folder authorization policy and enforced API authorization on controllers. Related work items: #7374
1 parent b8c959a commit a943257


3 files changed

+19
-7
lines changed


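--- a/src/ProductConstructionService/ProductConstructionService.Api/Configuration/ApiRedirection.cs
+++ b/src/ProductConstructionService/ProductConstructionService.Api/Configuration/ApiRedirection.cs
@@ -190,7 +190,7 @@ public static async Task<bool> IsAuthenticated(this HttpContext context)
 }
 
 var authService = context.RequestServices.GetRequiredService<IAuthorizationService>();
-AuthorizationResult result = await authService.AuthorizeAsync(success.Ticket!.Principal, AuthenticationConfiguration.MsftAuthorizationPolicyName);
+AuthorizationResult result = await authService.AuthorizeAsync(success.Ticket!.Principal, AuthenticationConfiguration.WebAuthorizationPolicyName);
 if (!result.Succeeded)
 {
 context.Response.StatusCode = (int)HttpStatusCode.Forbidden;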
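Review bot: The helper is named `IsAuthenticated` but the line changed here evaluates a full authorization policy (the Web policy, which in this commit also requires a role), and the choice of the Web policy over the new Api policy is not explained anywhere in the hunk. A short comment above the `AuthorizeAsync` call, such as `// Web policy (cookie/OIDC schemes): this path serves browser redirects, not API clients`, would record that the scheme set is deliberate rather than a leftover of the rename. `IsAuthenticated` starts and ends outside the hunk, so it is not visible whether its XML doc mentions the role requirement.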

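--- a/src/ProductConstructionService/ProductConstructionService.Api/Configuration/AuthenticationConfiguration.cs
+++ b/src/ProductConstructionService/ProductConstructionService.Api/Configuration/AuthenticationConfiguration.cs
@@ -9,15 +9,16 @@ namespace ProductConstructionService.Api.Configuration;
 
 internal static class AuthenticationConfiguration
 {
-public const string EntraAuthorizationPolicyName = "Entra";
-public const string MsftAuthorizationPolicyName = "msft";
+public const string EntraAuthorizationSchemeName = "Entra";
+public const string ApiAuthorizationPolicyName = "MsftApi";
+public const string WebAuthorizationPolicyName = "MsftWeb";
 public const string AdminAuthorizationPolicyName = "RequireAdminAccess";
 
 public const string AccountSignInRoute = "/Account/SignIn";
 
 public static readonly string[] AuthenticationSchemes =
 [
-EntraAuthorizationPolicyName,
+EntraAuthorizationSchemeName,
 OpenIdConnectDefaults.AuthenticationScheme,
 ];
 
@@ -54,7 +55,7 @@ public static void ConfigureAuthServices(this IServiceCollection services, IConf
 var openIdAuth = services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme);
 
 openIdAuth
-.AddMicrosoftIdentityWebApi(entraAuthConfig, EntraAuthorizationPolicyName);
+.AddMicrosoftIdentityWebApi(entraAuthConfig, EntraAuthorizationSchemeName);
 
 openIdAuth
 .AddMicrosoftIdentityWebApp(options =>
@@ -88,12 +89,21 @@ public static void ConfigureAuthServices(this IServiceCollection services, IConf
 
 services
 .AddAuthorizationBuilder()
-.AddPolicy(MsftAuthorizationPolicyName, policy =>
+.AddDefaultPolicy(WebAuthorizationPolicyName, policy =>
 {
 policy.AddAuthenticationSchemes(AuthenticationSchemes);
 policy.RequireAuthenticatedUser();
 policy.RequireRole(userRole);
 })
+.AddPolicy(ApiAuthorizationPolicyName, policy =>
+{
+// Cookie scheme for BarViz, Entra JWT for Darc and other clients
+// The order matters here as the last scheme's Forbid() handler is used for processing authentication failures
+// Since cookie scheme returns 200 with the auth exception in the body, Entra should be used instead as it 401s
+policy.AddAuthenticationSchemes([CookieAuthenticationDefaults.AuthenticationScheme, EntraAuthorizationSchemeName]);
+policy.RequireAuthenticatedUser();
+policy.RequireRole(userRole);
+})
 .AddPolicy(AdminAuthorizationPolicyName, policy =>
 {
 policy.AddAuthenticationSchemes(AuthenticationSchemes);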
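Review bot: Switching the Web policy to `AddDefaultPolicy(WebAuthorizationPolicyName, …)` has a side effect the hunk does not call out: any `[Authorize]` attribute that names no policy now resolves to this cookie/OIDC-scheme policy, and because ASP.NET Core combines all authorization metadata on an endpoint rather than replacing it, a controller decorated that way would be evaluated against the Web policy as well as the MsftApi policy applied in PcsStartup. If that is intended, a one-line comment on the `AddDefaultPolicy` call such as `// Default policy: used by [Authorize] without a policy name; API controllers get ApiAuthorizationPolicyName at endpoint level` records it. The Web and Api policies differ only in their scheme list while `RequireAuthenticatedUser()` and `RequireRole(userRole)` are repeated in both (and in the Admin policy just below); a local function `void RequireMsftUser(AuthorizationPolicyBuilder policy)` would keep the role requirement in one place so a later change cannot drift between the web and API surfaces. The new comment block explains the scheme ordering well; the sentence about the cookie scheme returning 200 with the exception in the body describes behavior not visible here, so naming where that handler is configured would let a reader verify it. `ConfigureAuthServices` starts before and continues past this hunk.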

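--- a/src/ProductConstructionService/ProductConstructionService.Api/PcsStartup.cs
+++ b/src/ProductConstructionService/ProductConstructionService.Api/PcsStartup.cs
@@ -248,7 +248,7 @@ internal static async Task ConfigurePcs(
 builder.Services.AddRazorPages(
 options =>
 {
-options.Conventions.AuthorizeFolder("/", AuthenticationConfiguration.MsftAuthorizationPolicyName);
+options.Conventions.AuthorizeFolder("/", AuthenticationConfiguration.WebAuthorizationPolicyName);
 options.Conventions.AllowAnonymousToPage("/Error");
 })
 .AddGitHubWebHooks()
@@ -297,6 +297,8 @@ public static void ConfigureApi(this IApplicationBuilder app, bool isDevelopment
 app.UseEndpoints(e =>
 {
 var controllers = e.MapControllers();
+controllers.RequireAuthorization(AuthenticationConfiguration.ApiAuthorizationPolicyName);
+
 if (isDevelopment)
 {
 controllers.AllowAnonymous();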
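Review bot: `controllers.RequireAuthorization(AuthenticationConfiguration.ApiAuthorizationPolicyName)` applies the MsftApi policy to every action that `MapControllers()` discovers, including any that must stay reachable by a caller without a Microsoft identity; the GitHub webhook receiver wired up by `.AddGitHubWebHooks()` in the first hunk is the one to check, if it is served as a controller action and does not already carry `[AllowAnonymous]` — otherwise this commit turns those deliveries into 401s. The `controllers.AllowAnonymous()` two lines further down still wins in development, since `IAllowAnonymous` metadata short-circuits the authorization middleware regardless of the order the two calls were made in, so the new line is inert there; a comment such as `// Development only: AllowAnonymous metadata overrides the policy above, so the API is unauthenticated locally` makes that explicit for the next reader. `ConfigureApi` continues past the end of the hunk, so any further endpoint mappings that should also be covered are not visible here.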
