Hub joining: implement additional joining token for authenticated/non authenticated

webprofusion-chrisc · webprofusion-chrisc · commit 3fdbcecd192d · 2025-03-28T18:05:59.000+08:00
diff --git a/src/Certify.Client/ManagementServerClient.cs b/src/Certify.Client/ManagementServerClient.cs
@@ -28,13 +28,17 @@ public class ManagementServerClient : IManagementServerClient
         private string _hubUri = "";
 
         private ManagedInstanceInfo _instanceInfo;
-        private ClientSecret _clientSecret;
+        private string _joiningToken = default;
 
-        public ManagementServerClient(string hubUri, ClientSecret clientSecret, ManagedInstanceInfo instanceInfo)
+        public ManagementServerClient(string hubUri, ManagedInstanceInfo instanceInfo)
         {
             _hubUri = $"{hubUri}";
             _instanceInfo = instanceInfo;
-            _clientSecret = clientSecret;
+        }
+
+        public void SetJoiningToken(string joiningToken)
+        {
+            _joiningToken = joiningToken;
         }
 
         private void Log(string msg)
@@ -76,6 +80,7 @@ public async Task ConnectAsync()
                 };
 
                 opts.UseStatefulReconnect = true;
+                opts.AccessTokenProvider = () => Task.FromResult(_joiningToken ?? "");
 
             })
             .WithAutomaticReconnect()
@@ -91,6 +96,7 @@ public async Task ConnectAsync()
 
             _connection.Closed += async (error) =>
             {
+                // if we are disconnected, wait a random amount of time and try to reconnect
                 await Task.Delay(new Random().Next(0, 5) * 1000);
                 await _connection.StartAsync();
             };
diff --git a/src/Certify.Core/Certify.Core.csproj b/src/Certify.Core/Certify.Core.csproj
@@ -44,6 +44,7 @@
         <NoWarn>1701;1702;CA1068</NoWarn>
     </PropertyGroup>
     <ItemGroup>
+        <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.7.0" />
         <PackageReference Include="Polly" Version="8.5.2" />
         <PackageReference Include="Serilog.Extensions.Logging" Version="9.0.1" />
         <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
diff --git a/src/Certify.Core/Management/CertifyManager/CertifyManager.ManagementHub.cs b/src/Certify.Core/Management/CertifyManager/CertifyManager.ManagementHub.cs
@@ -1,4 +1,4 @@
-using System;
+﻿using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Text.Json;
@@ -11,6 +11,7 @@
 using Certify.Models.Hub;
 using Certify.Shared;
 using Certify.Shared.Core.Utils;
+using Microsoft.IdentityModel.JsonWebTokens;
 
 namespace Certify.Management
 {
@@ -21,6 +22,7 @@ public partial class CertifyManager
         private bool _isHubConnectionErrorLogged = false;
         private ClientSecret _mgmtHubJoiningSecret;
         private const string _mgmtHubJoiningCredId = "_ManagementHubJoiningKey";
+        private string _mgmtHubJoiningToken = default!;
 
         public async Task<ActionResult> CheckManagementHubConnectionStatus()
         {
@@ -40,6 +42,8 @@ public async Task<ActionResult> JoinManagementHub(string url, ClientSecret clien
 
             if (check.IsSuccess)
             {
+                _mgmtHubJoiningToken = check.Result.JoiningToken;
+
                 _serverConfig = SharedUtils.ServiceConfigManager.GetAppServiceConfig();
                 var hubEndpoint = check.Result.HubEndpoint;
 
@@ -119,32 +123,84 @@ public void SetDirectManagementClient(IManagementServerClient client)
             _managementServerClient = client;
         }
 
+        private JsonWebTokenHandler _joiningTokenHandler = new JsonWebTokenHandler();
         private async Task EnsureMgmtHubConnection()
         {
+            // check we have a current non-expired joining token
+            if (!string.IsNullOrWhiteSpace(_mgmtHubJoiningToken))
+            {
+                // check jwt has not expired
+
+                var validation = await _joiningTokenHandler.ValidateTokenAsync(_mgmtHubJoiningToken, new Microsoft.IdentityModel.Tokens.TokenValidationParameters
+                {
+                    ValidateLifetime = true,
+                    ValidateAudience = false,
+                    ValidateIssuer = false,
+                    ValidateIssuerSigningKey = false
+                });
+
+                if (!validation.IsValid)
+                {
+                    // token has expired, will need a new one
+                    _mgmtHubJoiningToken = null;
+                }
+            }
+
             // connect/reconnect to management hub if enabled
             if (_managementServerClient == null || !_managementServerClient.IsConnected())
             {
                 var mgmtHubUri = string.Empty;
+                var api = string.Empty;
+                var endpoint = string.Empty;
+                var defaultEnpoint = "api/internal/managementhub";
 
                 // construct hub api url and status hub api endpoint
                 if (Environment.GetEnvironmentVariable("CERTIFY_MANAGEMENT_HUB") != null)
                 {
-                    var api = Environment.GetEnvironmentVariable("CERTIFY_MANAGEMENT_HUB");
+                    api = Environment.GetEnvironmentVariable("CERTIFY_MANAGEMENT_HUB");
 
-                    if (api.EndsWith("api/internal/managementhub"))
+                    if (api.EndsWith(defaultEnpoint))
                     {
                         mgmtHubUri = api;
+
+                        endpoint = defaultEnpoint;
+                        api = api.Replace(defaultEnpoint, "");
                     }
                     else
                     {
-                        var endpoint = Environment.GetEnvironmentVariable("CERTIFY_MANAGEMENT_HUB_ENDPOINT") ?? "api/internal/managementhub";
+                        endpoint = Environment.GetEnvironmentVariable("CERTIFY_MANAGEMENT_HUB_ENDPOINT") ?? defaultEnpoint;
                         mgmtHubUri = $"{api.Trim('/')}/{endpoint.Trim('/')}";
                     }
                 }
                 else
                 {
-                    mgmtHubUri = $"{_serverConfig.ManagementServerHubAPI.Trim('/')}/{_serverConfig.ManagementServerHubEndpoint.Trim('/')}";
+                    api = _serverConfig.ManagementServerHubAPI.Trim('/');
+                    endpoint = _serverConfig.ManagementServerHubEndpoint.Trim('/');
+                    mgmtHubUri = $"{api}/{endpoint}";
+                }
+
+                if (string.IsNullOrWhiteSpace(_mgmtHubJoiningToken))
+                {
+                    if (_mgmtHubJoiningSecret == null)
+                    {
+                        var secret = await _credentialsManager.GetUnlockedCredential(_mgmtHubJoiningCredId);
+                        if (secret != null)
+                        {
+                            _mgmtHubJoiningSecret = JsonSerializer.Deserialize<ClientSecret>(secret, JsonOptions.DefaultJsonSerializerOptions);
+                        }
+                    }
 
+                    // acquire new token
+                    var check = await CheckManagementHubCredentials(api, _mgmtHubJoiningSecret);
+                    if (check.IsSuccess)
+                    {
+                        _mgmtHubJoiningToken = check.Result.JoiningToken;
+                    }
+                    else
+                    {
+                        _serviceLog.Error($"Failed to acquire new hub joining token using current joining key: {check.Message}");
+                        return;
+                    }
                 }
 
                 if (!string.IsNullOrWhiteSpace(mgmtHubUri))
@@ -192,16 +248,8 @@ private async Task StartManagementHubConnection(string hubUri)
                 _managementServerClient.OnConnectionReconnecting -= _managementServerClient_OnConnectionReconnecting;
             }
 
-            if (_mgmtHubJoiningSecret == null)
-            {
-                var secret = await _credentialsManager.GetUnlockedCredential(_mgmtHubJoiningCredId);
-                if (secret != null)
-                {
-                    _mgmtHubJoiningSecret = JsonSerializer.Deserialize<ClientSecret>(secret, JsonOptions.DefaultJsonSerializerOptions);
-                }
-            }
-
-            _managementServerClient = new ManagementServerClient(hubUri, _mgmtHubJoiningSecret, instanceInfo);
+            _managementServerClient = new ManagementServerClient(hubUri, instanceInfo);
+            _managementServerClient.SetJoiningToken(_mgmtHubJoiningToken);
 
             try
             {
diff --git a/src/Certify.Models/Hub/HubInfo.cs b/src/Certify.Models/Hub/HubInfo.cs
@@ -7,6 +7,11 @@ public class HubInfo
         public string HubEndpoint { get; set; } = default!;
 
         public string Message { get; set; } = default!;
+
+        /// <summary>
+        /// if set, provides the authenticated caller with a JWT joining token for use in subsequent hub communication
+        /// </summary>
+        public string JoiningToken { get; set; } = default!;
     }
 
     public class HubHealth
diff --git a/src/Certify.Models/Hub/ManagedInstanceInfo.cs b/src/Certify.Models/Hub/ManagedInstanceInfo.cs
@@ -16,6 +16,7 @@ public class ManagedInstanceInfo
         public DateTimeOffset LastReported { get; set; }
 
         public string ConnectionStatus { get; set; } = string.Empty;
+        public bool IsAuthenticated { get; set; }
     }
 
     public class ConnectionStatus
diff --git a/src/Certify.Models/Providers/IManagementServerClient.cs b/src/Certify.Models/Providers/IManagementServerClient.cs
@@ -12,10 +12,12 @@ public interface IManagementServerClient
         event Func<InstanceCommandRequest, Task<InstanceCommandResult>> OnGetCommandResult;
         event Func<ManagedInstanceItems> OnGetInstanceItems;
 
+        void SetJoiningToken(string joiningToken);
+
         Task ConnectAsync();
         Task Disconnect();
         bool IsConnected();
         void SendInstanceInfo(Guid commandId, bool isCommandResponse = true);
         void SendNotificationToManagementHub(string msgCommandType, object updateMsg);
     }
-}
+}
diff --git a/src/Certify.Models/Shared/Json.cs b/src/Certify.Models/Shared/Json.cs
@@ -4,6 +4,8 @@ namespace Certify.Shared
 {
     public class JsonOptions
     {
-        public static JsonSerializerOptions DefaultJsonSerializerOptions = new() { PropertyNameCaseInsensitive = true };
+        private static readonly JsonSerializerOptions _defaultJsonSerializerOptions = new() { PropertyNameCaseInsensitive = true };
+
+        public static JsonSerializerOptions DefaultJsonSerializerOptions => _defaultJsonSerializerOptions;
     }
 }
diff --git a/src/Certify.Server/Certify.Server.Core/Certify.Server.Core/Certify.Server.Core.csproj b/src/Certify.Server/Certify.Server.Core/Certify.Server.Core/Certify.Server.Core.csproj
@@ -9,7 +9,6 @@
     </PropertyGroup>
     <ItemGroup>
         <PackageReference Include="Microsoft.AspNet.SignalR.Client" Version="2.4.3" />
-        <PackageReference Include="Microsoft.AspNet.WebApi.Core" Version="5.3.0" />
         <PackageReference Include="Microsoft.Bcl.AsyncInterfaces" Version="9.0.3" />
         <PackageReference Include="Microsoft.Extensions.Hosting.WindowsServices" Version="9.0.3" />
         <PackageReference Include="Polly" Version="8.5.2" />
diff --git a/src/Certify.Server/Certify.Server.Hub.Api/Controllers/v1/SystemController.cs b/src/Certify.Server/Certify.Server.Hub.Api/Controllers/v1/SystemController.cs
@@ -32,6 +32,7 @@ public SystemController(ILogger<SystemController> logger, ICertifyInternalApiCli
             _logger = logger;
             _client = client;
             _mgmtAPI = mgmtApi;
+
         }
 
         /// <summary>
@@ -117,6 +118,11 @@ public async Task<IActionResult> CheckJoining()
                 hubInfo.HubEndpoint = "api/internal/managementhub";
                 hubInfo.Message = "Joining OK";
 
+                var _config = HttpContext.RequestServices.GetRequiredService<IConfiguration>();
+                var jwtService = new Hub.Api.Services.JwtService(_config);
+
+                hubInfo.JoiningToken = jwtService.GenerateSecurityToken($"clientId:{clientId}");
+
                 return new OkObjectResult(hubInfo);
             }
             else
diff --git a/src/Certify.Server/Certify.Server.Hub.Api/Services/JwtService.cs b/src/Certify.Server/Certify.Server.Hub.Api/Services/JwtService.cs
@@ -1,4 +1,4 @@
-﻿using System.Security.Claims;
+using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Text;
 using Microsoft.IdentityModel.JsonWebTokens;
@@ -26,7 +26,7 @@ public JwtService(IConfiguration config)
         {
             _secret = config.GetSection("JwtSettings").GetSection("secret").Value ?? "";
             _issuer = config.GetSection("JwtSettings").GetSection("issuer").Value ?? "";
-            _expDate = config.GetSection("JwtSettings").GetSection("expirationInDays").Value ?? DateTimeOffset.Now.AddDays(1).ToString();
+            _expDate = config.GetSection("JwtSettings").GetSection("expirationInDays").Value ?? "1";
         }
 
         /// <summary>
@@ -61,7 +61,7 @@ public string GenerateSecurityToken(string identifier, double? expiryMinutes)
                     new Claim(ClaimTypes.Sid, identifier)
                 }),
                 Issuer = _issuer,
-                Expires = expiryMinutes != null ? DateTime.UtcNow.AddHours((double)expiryMinutes) : DateTime.UtcNow.AddDays(double.Parse(_expDate)), //token expiry could be role specific - e.g. 1 yr vs 1 month
+                Expires = expiryMinutes != null ? DateTime.UtcNow.AddMinutes((double)expiryMinutes) : DateTime.UtcNow.AddDays(double.Parse(_expDate)), //token expiry could be role specific - e.g. 1 yr vs 1 month
                 SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
             };
 
diff --git a/src/Certify.Server/Certify.Server.Hub.Api/SignalR/ManagementHub/InstanceManagementHub.cs b/src/Certify.Server/Certify.Server.Hub.Api/SignalR/ManagementHub/InstanceManagementHub.cs
@@ -1,4 +1,5 @@
-﻿using Certify.Management;
+﻿using System.Security.Claims;
+using Certify.Management;
 using Certify.Models.Hub;
 using Certify.Models.Reporting;
 using Certify.Shared;
@@ -19,19 +20,21 @@ public class InstanceManagementHub : Hub<IInstanceManagementHub>, IInstanceManag
         private ILogger<InstanceManagementHub> _logger;
         private IHubContext<UserInterfaceStatusHub> _uiStatusHub;
         private ICertifyManager? _certifyManager;
-        private readonly string _localInstanceId;
+        private IConfiguration _config;
+        private readonly string _localInstanceId = default!;
         private bool _hasLocalInstance => _certifyManager != null;
 
         /// <summary>
         /// Set up instance management hub
         /// </summary>
         /// <param name="stateProvider"></param>
         /// <param name="logger"></param>
-        public InstanceManagementHub(IInstanceManagementStateProvider stateProvider, ILogger<InstanceManagementHub> logger, IHubContext<UserInterfaceStatusHub> uiStatusHub, ICertifyManager? certifyManager = null)
+        public InstanceManagementHub(IInstanceManagementStateProvider stateProvider, ILogger<InstanceManagementHub> logger, IHubContext<UserInterfaceStatusHub> uiStatusHub, IConfiguration config, ICertifyManager? certifyManager = null)
         {
             _stateProvider = stateProvider;
             _logger = logger;
             _uiStatusHub = uiStatusHub;
+            _config = config;
             _certifyManager = certifyManager;
 
             // If we have a local certify manager, register it as a special local instance
@@ -41,29 +44,57 @@ public InstanceManagementHub(IInstanceManagementStateProvider stateProvider, ILo
                 // Create a unique local instance connection id
                 _localInstanceId = _certifyManager!.GetManagedInstanceInfo().InstanceId;
             }
+
+            _config = config;
         }
 
         /// <summary>
         /// Handle connection event from an instance using SignalR
         /// </summary>
         /// <returns></returns>
-        public override Task OnConnectedAsync()
+        public async override Task OnConnectedAsync()
         {
             _logger?.LogInformation("InstanceManagementHub: Remote instance connected to instance management hub..");
 
+            // validate jwt passed by joining instance
+            var isAuthenticated = false;
+
+            try
+            {
+                var accessToken = Context.GetHttpContext().Request.Headers[key: "Authorization"];
+
+                var joiningJwt = accessToken.ToString().Replace("Bearer ", "");
+                var jwtService = new Hub.Api.Services.JwtService(_config);
+                var claimsIdentity = await jwtService.ClaimsIdentityFromTokenAsync(joiningJwt, true);
+                var userId = claimsIdentity.FindFirst(ClaimTypes.Sid)?.Value;
+                isAuthenticated = true;
+
+            }
+            catch (Exception)
+            {
+                // could not validate jwt
+
+                return;
+            }
+
             // begin tracking connection 
-            _stateProvider.UpdateInstanceConnectionInfo(Context.ConnectionId, new ManagedInstanceInfo { InstanceId = string.Empty, ConnectionStatus = ConnectionStatus.Connected, LastReported = DateTimeOffset.Now });
+            _stateProvider.UpdateInstanceConnectionInfo(Context.ConnectionId, new ManagedInstanceInfo
+            {
+                InstanceId = string.Empty,
+                ConnectionStatus = ConnectionStatus.Connected,
+                LastReported = DateTimeOffset.Now,
+                IsAuthenticated = isAuthenticated
+            }
+            );
 
-            // at this stage we don't know which instance this is, we need to issue a command for it to identify itself before it can participate
+            // at this stage we don't know which instance id this is, we need to issue a command for it to identify itself before it can participate
             var request = new InstanceCommandRequest
             {
                 CommandId = Guid.NewGuid(),
                 CommandType = ManagementHubCommands.GetInstanceInfo
             };
 
             IssueCommandViaSignalR(request);
-
-            return base.OnConnectedAsync();
         }
 
         private void IssueCommandViaSignalR(InstanceCommandRequest cmd)
diff --git a/src/Certify.Server/Certify.Server.HubService/Services/DirectManagementServerClient.cs b/src/Certify.Server/Certify.Server.HubService/Services/DirectManagementServerClient.cs
@@ -37,7 +37,7 @@ public class DirectManagementServerClient : Client.IManagementServerClient
         private ICertifyManager _certifyManager;
         private IInstanceManagementHub _managementHub;
         private ManagedInstanceInfo _instanceInfo;
-
+        private string _joiningToken = default!;
         /// <summary>
         /// Initializes a new instance of the <see cref="DirectManagementServerClient"/> class.
         /// </summary>
@@ -95,5 +95,10 @@ public void SendNotificationToManagementHub(string msgCommandType, object update
             result.ObjectValue = updateMsg;
             _managementHub.ReceiveCommandResult(result);
         }
+
+        public void SetJoiningToken(string joiningToken)
+        {
+            _joiningToken = joiningToken;
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ public class ManagedInstanceInfo`
`16`	`16`	`public DateTimeOffset LastReported { get; set; }`
`17`	`17`
`18`	`18`	`public string ConnectionStatus { get; set; } = string.Empty;`
	`19`	`+ public bool IsAuthenticated { get; set; }`
`19`	`20`	`}`
`20`	`21`
`21`	`22`	`public class ConnectionStatus`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,8 @@ namespace Certify.Shared`
`4`	`4`	`{`
`5`	`5`	`public class JsonOptions`
`6`	`6`	`{`
`7`		`- public static JsonSerializerOptions DefaultJsonSerializerOptions = new() { PropertyNameCaseInsensitive = true };`
	`7`	`+ private static readonly JsonSerializerOptions _defaultJsonSerializerOptions = new() { PropertyNameCaseInsensitive = true };`
	`8`	`+`
	`9`	`+ public static JsonSerializerOptions DefaultJsonSerializerOptions => _defaultJsonSerializerOptions;`
`8`	`10`	`}`
`9`	`11`	`}`