Merge pull request #5 from eclipse-mnestix/init

hofermo · web-flow · commit cab34810380b · 2025-06-04T09:03:53.000+02:00
refactor: change the header for API-KEY
diff --git a/compose.yml b/compose.yml
@@ -43,6 +43,7 @@ services:
     ports:
       - '5064:5064'
     environment:
+      ServerUrls ServerUrls: 'http://mnestix-proxy:5065/repo/'
       # API key authorization
       CustomerEndpointsSecurity__ApiKey: ${MNESTIX_BACKEND_API_KEY:-verySecureApiKey}
       # Connection to Repository Service:
@@ -103,6 +104,8 @@ services:
     profiles: ['', 'basyx', 'tests']
     depends_on:
       - mongodb
+    ports:
+      - '8081:8081'
     environment:
       # MongoDb configuration for Basyx Repository
       BASYX__BACKEND: MongoDB
diff --git a/mnestix-proxy.Tests/TestMockService/DownstreamService.cs b/mnestix-proxy.Tests/TestMockService/DownstreamService.cs
@@ -28,7 +28,7 @@ private void StartServer()
                                   {
                                       var path = context.Request.Path.Value?.ToLowerInvariant();
 
-                                      if (path != null && path.StartsWith("/test-endpoint"))
+                                      if (path != null && path.StartsWith("/api/test-endpoint"))
                                       {
                                           context.Response.StatusCode = 200;
                                           await context.Response.WriteAsync("Mnestix Api called!");
diff --git a/mnestix-proxy/Authentication/ApiKeyAuthentication/ApiKeyRequirementHandler.cs b/mnestix-proxy/Authentication/ApiKeyAuthentication/ApiKeyRequirementHandler.cs
@@ -53,6 +53,6 @@ private void SucceedRequirementIfApiKeyPresentAndValid(AuthorizationHandlerConte
             _httpContextAccessor.HttpContext?.Request.Method, 
             _httpContextAccessor.HttpContext?.Request.Path);
         context.Fail(new AuthorizationFailureReason(this,
-            "For all methods except 'GET' you need a valid ApiKey in your header."));
+            "For all methods except 'GET' you need a valid X-API-KEY in your header."));
     }
 }
diff --git a/mnestix-proxy/Authentication/ApiKeyAuthentication/AuthorizationMiddlewareResultHandler.cs b/mnestix-proxy/Authentication/ApiKeyAuthentication/AuthorizationMiddlewareResultHandler.cs
@@ -0,0 +1,46 @@
+﻿using Microsoft.AspNetCore.Authorization.Policy;
+using Microsoft.AspNetCore.Authorization;
+
+namespace mnestix_proxy.Authentication.ApiKeyAuthentication
+{
+    public class CustomAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
+    {
+        private readonly AuthorizationMiddlewareResultHandler _defaultHandler = new();
+
+        public async Task HandleAsync(RequestDelegate next, HttpContext context,
+            AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
+        {
+            if (authorizeResult.Forbidden)
+            {
+                context.Response.StatusCode = StatusCodes.Status403Forbidden;
+                context.Response.ContentType = "application/json";
+
+                var message = "Forbidden";
+                if (authorizeResult.AuthorizationFailure?.FailureReasons?.Any() == true)
+                {
+                    message = authorizeResult.AuthorizationFailure.FailureReasons
+                        .Select(r => r.Message)
+                        .FirstOrDefault() ?? message;
+                }
+
+                await context.Response.WriteAsJsonAsync(new { error = message });
+                return;
+            }
+
+            if (authorizeResult.Challenged)
+            {
+                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                context.Response.ContentType = "application/json";
+
+                await context.Response.WriteAsJsonAsync(new
+                {
+                    error = "Unauthorized: You must provide valid authentication credentials."
+                });
+                return;
+            }
+
+            await _defaultHandler.HandleAsync(next, context, policy, authorizeResult);
+        }
+    }
+
+}
diff --git a/mnestix-proxy/Authentication/ApplicationBuilderAuthExtensions.cs b/mnestix-proxy/Authentication/ApplicationBuilderAuthExtensions.cs
@@ -0,0 +1,20 @@
+﻿using Microsoft.Extensions.Configuration;
+
+namespace mnestix_proxy.Authentication
+{
+    public static class ApplicationBuilderAuthExtensions
+    {
+        public static IApplicationBuilder UseMnestixConfiguredAuth(this IApplicationBuilder app, IConfiguration configuration)
+        {
+            var openIdEnabled = configuration.GetSection("OpenId").GetValue("EnableOpenIdAuth", false);
+            var azureAdEnabled = configuration.GetSection("AzureAd").GetValue("EnableAzureAdAuth", false);
+
+            if (openIdEnabled || azureAdEnabled) {
+                app.UseAuthentication();
+                app.UseAuthorization();
+            }
+
+            return app;
+        }
+    }
+}
diff --git a/mnestix-proxy/Authentication/AuthenticationServicesRegistration.cs b/mnestix-proxy/Authentication/AuthenticationServicesRegistration.cs
@@ -1,6 +1,8 @@
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.Identity.Web;
 using Microsoft.IdentityModel.Tokens;
+using mnestix_proxy.Authentication.ApiKeyAuthentication;
 
 namespace mnestix_proxy.Authentication;
 
@@ -55,11 +57,7 @@ public static void AddAuthenticationServices(this IServiceCollection services, I
             services.AddMicrosoftIdentityWebApiAuthentication(configuration);
         }
         else {
-            services.AddAuthentication(options =>
-            {
-                options.DefaultAuthenticateScheme = null;
-                options.DefaultChallengeScheme = null;
-            });
+            services.AddSingleton<IAuthorizationMiddlewareResultHandler, CustomAuthorizationMiddlewareResultHandler>();
         }
     }
 }
diff --git a/mnestix-proxy/Program.cs b/mnestix-proxy/Program.cs
@@ -49,8 +49,9 @@ public static void Main(string[] args)
             // pipeline settings
             var app = builder.Build();
 
-            app.UseAuthentication();
-            app.UseAuthorization();
+            app.UseMnestixConfiguredAuth(builder.Configuration);
+
+            app.UseCors("allowAnything");
 
             app.MapReverseProxy(proxyPipeline =>
             {
diff --git a/mnestix-proxy/appsettings.json b/mnestix-proxy/appsettings.json
@@ -9,7 +9,7 @@
     "ApiKey": "9FB8BCDFAEE81367A1668E16BDC37"
   },
   "AzureAd": {
-    "EnableAzureAdAuth": "true",
+    "EnableAzureAdAuth": "false",
     "Instance": "https://login.microsoftonline.com/",
     "ClientId": "ffade4c2-76c8-44fd-9258-743d9cfc2289",
     "CallbackPath": "",
@@ -22,8 +22,8 @@
   },
   // if both OpenId and AzureAd are enabled OpenId will be used
   "OpenId": {
-    "EnableOpenIdAuth": "true",
-    "Issuer": "http://localhost:8080/realms/BaSyx",
+    "EnableOpenIdAuth": "false",
+    "Issuer": "http://localhost:8080/realms/Menstix",
     "ClientID": "mnestixApi-demo",
     "RequireHttpsMetadata": "false"
   },
@@ -39,16 +39,7 @@
         "AuthorizationPolicy": "customApiKeyToModifyValuesPolicy",
         "Match": {
           "Path": "api/{**catch-all}"
-        },
-        "Transforms": [
-          {
-            "PathPattern": "/{**catch-all}"
-          },
-          {
-            "ResponseHeader": "Access-Control-Allow-Origin",
-            "Set": "*"
-          }
-        ]
+        }
       },
       "EnvironmentRoute": {
         "ClusterId": "aasRepoCluster",

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ private void StartServer()`
`28`	`28`	`{`
`29`	`29`	`var path = context.Request.Path.Value?.ToLowerInvariant();`
`30`	`30`
`31`		`- if (path != null && path.StartsWith("/test-endpoint"))`
	`31`	`+ if (path != null && path.StartsWith("/api/test-endpoint"))`
`32`	`32`	`{`
`33`	`33`	`context.Response.StatusCode = 200;`
`34`	`34`	`await context.Response.WriteAsync("Mnestix Api called!");`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,6 @@ private void SucceedRequirementIfApiKeyPresentAndValid(AuthorizationHandlerConte`
`53`	`53`	`_httpContextAccessor.HttpContext?.Request.Method,`
`54`	`54`	`_httpContextAccessor.HttpContext?.Request.Path);`
`55`	`55`	`context.Fail(new AuthorizationFailureReason(this,`
`56`		`- "For all methods except 'GET' you need a valid ApiKey in your header."));`
	`56`	`+ "For all methods except 'GET' you need a valid X-API-KEY in your header."));`
`57`	`57`	`}`
`58`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,8 @@`
`1`	`1`	`using Microsoft.AspNetCore.Authentication.JwtBearer;`
	`2`	`+using Microsoft.AspNetCore.Authorization;`
`2`	`3`	`using Microsoft.Identity.Web;`
`3`	`4`	`using Microsoft.IdentityModel.Tokens;`
	`5`	`+using mnestix_proxy.Authentication.ApiKeyAuthentication;`
`4`	`6`
`5`	`7`	`namespace mnestix_proxy.Authentication;`
`6`	`8`
`@@ -55,11 +57,7 @@ public static void AddAuthenticationServices(this IServiceCollection services, I`
`55`	`57`	`services.AddMicrosoftIdentityWebApiAuthentication(configuration);`
`56`	`58`	`}`
`57`	`59`	`else {`
`58`		`- services.AddAuthentication(options =>`
`59`		`- {`
`60`		`- options.DefaultAuthenticateScheme = null;`
`61`		`- options.DefaultChallengeScheme = null;`
`62`		`- });`
	`60`	`+ services.AddSingleton<IAuthorizationMiddlewareResultHandler, CustomAuthorizationMiddlewareResultHandler>();`
`63`	`61`	`}`
`64`	`62`	`}`
`65`	`63`	`}`