Implement optional service windows auth

Author: webprofusion-chrisc

src/Certify.Server/Certify.Server.Core/Certify.Server.Core/Certify.Server.Core.csproj

@@ -9,6 +9,7 @@
     </PropertyGroup>
     <ItemGroup>
         <PackageReference Include="Microsoft.AspNet.SignalR.Client" Version="2.4.3" />
+        <PackageReference Include="Microsoft.AspNet.WebApi.Core" Version="5.3.0" />
         <PackageReference Include="Microsoft.Bcl.AsyncInterfaces" Version="9.0.3" />
         <PackageReference Include="Microsoft.Extensions.Hosting.WindowsServices" Version="9.0.3" />
         <PackageReference Include="Polly" Version="8.5.2" />

src/Certify.Server/Certify.Server.Core/Certify.Server.Core/Controllers/ControllerBase.cs

@@ -1,33 +1,71 @@
 using System.Diagnostics;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
 
 namespace Certify.Service.Controllers
 {
-    public class CustomAuthCheckAttribute : AuthorizeAttribute
+    public class ServiceAuthSchemeOptions : AuthenticationSchemeOptions { }
+    public class ServiceAuthSchemeHandler : AuthenticationHandler<ServiceAuthSchemeOptions>
     {
-        /* protected override bool IsAuthorized(HttpActionContext actionContext)
-         {
- #if DEBUG_NO_AUTH
-     return true;
- #endif
-             var user = actionContext.RequestContext.Principal as System.Security.Principal.WindowsPrincipal;
-             if (user.IsInRole(WindowsBuiltInRole.Administrator))
-             {
-                 return true;
-             }
+        public ServiceAuthSchemeHandler(
+            IOptionsMonitor<ServiceAuthSchemeOptions> options,
+            ILoggerFactory logger,
+            UrlEncoder encoder) : base(options, logger, encoder)
+        {
+        }
+
+        protected async override Task<AuthenticateResult> HandleAuthenticateAsync()
+        {
+            // provide and an artificial default identify when this auth scheme is used (for non-window auth)
+            var claims = new[] { new Claim(ClaimTypes.Name, "service_user") };
+            var principal = new ClaimsPrincipal(new ClaimsIdentity(claims));
+            var ticket = new AuthenticationTicket(principal, this.Scheme.Name);
+            return AuthenticateResult.Success(ticket);
+        }
+    }
+
+    public class ClaimsTransformer : IClaimsTransformation
+    {
+        private bool _requireWindowsAuth;
+        public ClaimsTransformer(bool requireWindowsAuth = true)
+        {
+            _requireWindowsAuth = requireWindowsAuth;
+        }
+        public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
+        {
+            var ci = (ClaimsIdentity)principal.Identity;
 
-             if (user.IsInRole(WindowsBuiltInRole.PowerUser))
-             {
-                 return true;
-             }
+            if (_requireWindowsAuth)
+            {
+                // on windows, add group claims for the user
 
-             return false;
-         }*/
+                var isAdmin = ci.Claims
+                    .Where(x => x.Type == ClaimTypes.GroupSid || x.Type == ClaimTypes.PrimaryGroupSid)
+                    .Any(x => x.Value == "S-1-5-32-544"); //Administrator group
+
+                if (isAdmin)
+                {
+                    var roleClaim = new Claim(ClaimTypes.Role, "service_admin");
+                    ci.AddClaim(roleClaim);
+                }
+            }
+            else
+            {
+                // auto enable role for the current identity
+                var roleClaim = new Claim(ClaimTypes.Role, "service_admin");
+                ci.AddClaim(roleClaim);
+            }
+
+            return Task.FromResult(principal);
+        }
     }
 
     [ApiController]
-    //   [CustomAuthCheck]
+    [Authorize(Policy = "CertifyServiceAuth")]
     public class ControllerBase : Controller
     {
         internal void DebugLog(string msg = null,

src/Certify.Server/Certify.Server.Core/Certify.Server.Core/Program.cs

@@ -4,7 +4,8 @@
 
 builder.Services.AddWindowsService();
 builder.Services.AddHostedService<WindowsBackgroundService>();
-builder.Configuration.AddJsonFile("appsettings-core.json", optional: false, reloadOnChange: true);
+builder.Configuration.AddJsonFile("appsettings-core.json", optional: true, reloadOnChange: true);
+builder.Configuration.AddJsonFile("appsettings-core.Development.json", optional: true, reloadOnChange: true);
 
 builder.AddServiceDefaults();
 

src/Certify.Server/Certify.Server.Core/Certify.Server.Core/Properties/launchSettings.json

@@ -15,9 +15,21 @@
       "launchBrowser": false,
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development",
-        "ASPNETCORE_URLS": "http://127.0.0.2:9695",
+        "ASPNETCORE_URLS": "http://127.0.0.2:9696",
         "CERTIFY_MANAGEMENT_HUB": "https://localhost:44361/api/internal/managementhub",
-        "CERTIFY_ENABLE_MANAGEMENT_HUB": "true"
+        "CERTIFY_ENABLE_MANAGEMENT_HUB": "true",
+        "CERTIFY_SERVICE_AUTH_MODE": "none"
+      }
+    },
+    "Certify.Server.Core (windows auth)": {
+      "commandName": "Project",
+      "launchBrowser": false,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development",
+        "ASPNETCORE_URLS": "http://127.0.0.2:9696",
+        "CERTIFY_MANAGEMENT_HUB": "https://localhost:44361/api/internal/managementhub",
+        "CERTIFY_ENABLE_MANAGEMENT_HUB": "true",
+        "CERTIFY_SERVICE_AUTH_MODE": "windows"
       }
     },
     "IIS Express": {

src/Certify.Server/Certify.Server.Core/Certify.Server.Core/Startup.cs

@@ -1,5 +1,10 @@
-using Certify.Management;
+using System.Runtime.InteropServices;
+using System.Security.Claims;
+using Certify.Management;
 using Certify.Models;
+using Certify.Service.Controllers;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Negotiate;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.ResponseCompression;
 using Microsoft.AspNetCore.SignalR;
@@ -49,6 +54,57 @@ public void ConfigureServices(IServiceCollection services)
                                   });
             });
 
+            // determine whether we require auth via Kerberos/windows auth, can be overridden by env var
+            var windowsAuthRequired = true;
+
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                // windows auth is required by default
+                if (Environment.GetEnvironmentVariable("CERTIFY_SERVICE_AUTH_MODE") == "none")
+                {
+                    windowsAuthRequired = false;
+                }
+                else if (Configuration["Service:AuthMode"] == "none")
+                {
+                    windowsAuthRequired = false;
+                }
+            }
+            else
+            {
+                // on non-windows platforms we don't support windows auth
+                windowsAuthRequired = false;
+            }
+
+            services
+                    .AddAuthentication(NegotiateDefaults.AuthenticationScheme)
+                    .AddScheme<ServiceAuthSchemeOptions, ServiceAuthSchemeHandler>("ServiceAuthScheme", opts => { }) // allow custom service auth when windows auth not used
+                    .AddNegotiate(); //add windows auth/kerberos
+
+            services.AddAuthorization(options =>
+            {
+                // add policy to require admin role claim
+
+                if (windowsAuthRequired)
+                {
+                    // when using windows auth we require the user to be in the admin group which we check via our ClaimsTransformer
+                    options.AddPolicy("CertifyServiceAuth", policy =>
+                    {
+                        policy.AddAuthenticationSchemes(NegotiateDefaults.AuthenticationScheme);
+                        policy.RequireAuthenticatedUser();
+                        policy.RequireClaim(ClaimTypes.Role, new[] { "service_admin" });
+                    });
+                }
+                else
+                {
+                    // when not using windows auth we use our custom service auth scheme
+                    options.AddPolicy("CertifyServiceAuth", policy =>
+                    {
+                        policy.AddAuthenticationSchemes("ServiceAuthScheme");
+                        policy.RequireClaim(ClaimTypes.Role, new[] { "service_admin" });
+                    });
+                }
+            });
+
 #if DEBUG
             services.AddEndpointsApiExplorer();
 
@@ -93,7 +149,7 @@ public void ConfigureServices(IServiceCollection services)
             });
 #endif
 
-            var useHttps = bool.Parse(Configuration["API:Service:UseHttps"]);
+            var useHttps = Configuration["API:Service:UseHttps"] != null ? bool.Parse(Configuration["API:Service:UseHttps"]) : false;
 
             if (useHttps)
             {
@@ -104,6 +160,9 @@ public void ConfigureServices(IServiceCollection services)
                 });
             }
 
+            // add claims transformation service, this is used to optionally check auth requirements
+            services.AddSingleton<IClaimsTransformation, ClaimsTransformer>(c => new ClaimsTransformer(windowsAuthRequired));
+
             // inject instance of certify manager
             var certifyManager = new Management.CertifyManager();
             certifyManager.Init().Wait();
@@ -148,7 +207,7 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             // set status report context provider
             certifyManager.SetStatusReporting(new Service.StatusHubReporting(statusHubContext));
 
-            var useHttps = bool.Parse(Configuration["API:Service:UseHttps"]);
+            var useHttps = Configuration["API:Service:UseHttps"] != null ? bool.Parse(Configuration["API:Service:UseHttps"]) : false;
 
             if (useHttps)
             {
@@ -157,10 +216,12 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
 
             app.UseRouting();
 
-            app.UseCors();
-
+            // enable authentication middleware 
+            app.UseAuthentication();
             app.UseAuthorization();
 
+            app.UseCors();
+
             app.UseEndpoints(endpoints =>
             {
                 endpoints.MapHub<Service.StatusHub>("/api/status");

src/Certify.Server/Certify.Server.Core/Certify.Server.Core/appsettings-core.Development.json

@@ -8,12 +8,14 @@
       "Microsoft.AspNetCore.Http.Connections": "Debug"
     }
   },
-  "API": {
-    "Service": {
-      "HttpPort": 9695,
-      "HttpsPort": 9443,
-      "UseHttps": false,
-      "BindingIP": "any"
+  "Service": {
+    "AuthMode": "windows"
+  },
+  "Kestrel": {
+    "Endpoints": {
+      "SvcHttpEndpoint": {
+        "Url": "http://127.0.0.2:9695"
+      }
     }
   }
 }

src/Certify.Server/Certify.Server.Core/Certify.Server.Core/appsettings-core.json

@@ -8,13 +8,11 @@
       "Microsoft.AspNetCore.Http.Connections": "Debug"
     }
   },
-  "API": {
-    "Service": {
-      "HttpPort": 9696,
-      "HttpsPort": 9443,
-      "UseHttps": false,
-      "BindingIP": "any"
+  "Kestrel": {
+    "Endpoints": {
+      "SvcHttpEndpoint": {
+        "Url": "http://127.0.0.2:9696"
+      }
     }
   }
-  
 }