Access control: add access token admin methods, update role checks

Author: webprofusion-chrisc

src/Certify.Client/CertifyApiClient.cs

@@ -751,7 +751,7 @@ public async Task<List<SecurityPrinciple>> GetAccessSecurityPrinciples(AuthConte
 
         public async Task<Certify.Models.Config.ActionResult> CheckApiTokenHasAccess(AccessToken token, AccessCheck check, AuthContext authContext = null)
         {
-            var result = await PostAsync("access/checkapitoken", new AccessTokenCheck { Check = check, Token = token }, authContext);
+            var result = await PostAsync("access/apitoken/check", new AccessTokenCheck { Check = check, Token = token }, authContext);
             return JsonConvert.DeserializeObject<ActionResult>(await result.Content.ReadAsStringAsync());
         }
 

src/Certify.Core/Management/Access/AccessControl.cs

@@ -55,7 +55,7 @@ public async Task<bool> IsInitialized()
             }
         }
 
-        public async Task<List<Role>> GetRoles()
+        public async Task<List<Role>> GetRoles(string contextUserId)
         {
             return await _store.GetItems<Role>(nameof(Role));
         }
@@ -453,24 +453,52 @@ public string HashPassword(string password, string saltString = null)
             return hashed;
         }
 
-        public async Task AddRole(Role r)
+        public async Task<bool> AddRole(string contextUserId, Role r)
         {
+            if (!await IsPrincipleInRole(contextUserId, contextUserId, StandardRoles.Administrator.Id))
+            {
+                await AuditWarning("User {contextUserId} attempted to add an role action without being in required role.", contextUserId);
+                return false;
+            }
+
             await _store.Add(nameof(Role), r);
+            return true;
         }
 
-        public async Task AddAssignedRole(AssignedRole r)
+        public async Task<bool> AddAssignedRole(string contextUserId, AssignedRole r)
         {
+            if (!await IsPrincipleInRole(contextUserId, contextUserId, StandardRoles.Administrator.Id))
+            {
+                await AuditWarning("User {contextUserId} attempted to add an assigned role without being in required role.", contextUserId);
+                return false;
+            }
+
             await _store.Add(nameof(AssignedRole), r);
+            return true;
         }
 
-        public async Task AddAssignedAccessToken(AssignedAccessToken t)
+        public async Task<bool> AddAssignedAccessToken(string contextUserId, AssignedAccessToken t)
         {
+            if (!await IsPrincipleInRole(contextUserId, contextUserId, StandardRoles.Administrator.Id))
+            {
+                await AuditWarning("User {contextUserId} attempted to add an assigned access token without being in required role.", contextUserId);
+                return false;
+            }
+
             await _store.Add(nameof(AssignedAccessToken), t);
+            return true;
         }
 
-        public async Task AddResourceAction(ResourceAction action)
+        public async Task<bool> AddResourceAction(string contextUserId, ResourceAction action)
         {
+            if (!await IsPrincipleInRole(contextUserId, contextUserId, StandardRoles.Administrator.Id))
+            {
+                await AuditWarning("User {contextUserId} attempted to add a resource action without being in required role.", contextUserId);
+                return false;
+            }
+
             await _store.Add(nameof(ResourceAction), action);
+            return true;
         }
 
         public async Task<List<AssignedRole>> GetAssignedRoles(string contextUserId, string id)
@@ -491,7 +519,6 @@ public async Task<RoleStatus> GetSecurityPrincipleRoleStatus(string contextUserI
             if (id != contextUserId && !await IsPrincipleInRole(contextUserId, contextUserId, StandardRoles.Administrator.Id))
             {
                 await AuditWarning("User {contextUserId} attempted to read role status role for [{id}] without being in required role.", contextUserId, id);
-
             }
 
             var allAssignedRoles = await _store.GetItems<AssignedRole>(nameof(AssignedRole));
@@ -570,6 +597,30 @@ await GetSecurityPrincipleByUsername(contextUserId, passwordCheck.Username) :
             }
         }
 
+        public async Task<List<AccessToken>> GetAccessTokens(string contextUserId)
+        {
+            if (!await IsPrincipleInRole(contextUserId, contextUserId, StandardRoles.Administrator.Id))
+            {
+                await AuditWarning("User {contextUserId} attempted to list access tokens without being in required role.", contextUserId);
+                return [];
+            }
+
+            return await _store.GetItems<AccessToken>(nameof(AccessToken));
+        }
+
+        public async Task<bool> AddAccessToken(string contextUserId, AccessToken a)
+        {
+            if (!await IsPrincipleInRole(contextUserId, contextUserId, StandardRoles.Administrator.Id))
+            {
+                await AuditWarning("User {contextUserId} attempted to add an access token without being in required role.", contextUserId);
+                return false;
+            }
+
+            await _store.Add(nameof(AccessToken), a);
+
+            return true;
+        }
+
         public string GetSHA256Hash(string val)
         {
             using (var sha256Hash = SHA256.Create())

src/Certify.Core/Management/Access/IAccessControl.cs

@@ -16,7 +16,7 @@ public interface IAccessControl
         /// Get the list of standard roles built-in to the system
         /// </summary>
         /// <returns></returns>
-        Task<List<Role>> GetRoles();
+        Task<List<Role>> GetRoles(string contextUserId);
         Task<bool> IsSecurityPrincipleAuthorised(string contextUserId, AccessCheck check);
         Task<Models.Config.ActionResult> IsAccessTokenAuthorised(string contextUserId, AccessToken accessToken, AccessCheck check);
         Task<bool> IsPrincipleInRole(string contextUserId, string id, string roleId);
@@ -27,9 +27,12 @@ public interface IAccessControl
         Task<bool> UpdateSecurityPrinciplePassword(string contextUserId, SecurityPrinciplePasswordUpdate passwordUpdate);
         Task<SecurityPrincipleCheckResponse> CheckSecurityPrinciplePassword(string contextUserId, SecurityPrinciplePasswordCheck passwordCheck);
 
-        Task AddRole(Role role);
-        Task AddAssignedRole(AssignedRole assignedRole);
-        Task AddResourceAction(ResourceAction action);
+        Task<bool> AddRole(string contextUserId, Role role);
+        Task<bool> AddAssignedRole(string contextUserId, AssignedRole assignedRole);
+        Task<bool> AddResourceAction(string contextUserId, ResourceAction action);
+
+        Task<List<AccessToken>> GetAccessTokens(string contextUserId);
+        Task<bool> AddAccessToken(string contextUserId, AccessToken token);
         Task<bool> IsInitialized();
     }
 }

src/Certify.Core/Management/CertifyManager/CertifyManager.Maintenance.cs

@@ -90,7 +90,7 @@ private static async Task BootstrapAdminUserAndRoles(IAccessControl access)
             foreach (var r in assignedRoles)
             {
                 // add roles and policy assignments to store
-                await access.AddAssignedRole(r);
+                await access.AddAssignedRole(adminSp.Id, r);
             }
         }
 
@@ -103,11 +103,13 @@ private static async Task UpdateStandardRoles(IAccessControl access)
         {
             // setup roles with policies
 
+            var adminSvcPrinciple = "admin_01";
+
             var actions = Policies.GetStandardResourceActions();
 
             foreach (var action in actions)
             {
-                await access.AddResourceAction(action);
+                await access.AddResourceAction(adminSvcPrinciple, action);
             }
 
             // setup policies with actions
@@ -126,7 +128,7 @@ private static async Task UpdateStandardRoles(IAccessControl access)
             foreach (var r in roles)
             {
                 // add roles and policy assignments to store
-                await access.AddRole(r);
+                await access.AddRole(adminSvcPrinciple, r);
             }
         }
 

src/Certify.Models/Hub/AccessControl.cs

@@ -109,6 +109,7 @@ public class AccessToken : ConfigurationStoreItem
         public string TokenType { get; set; } = default!;
         public string Secret { get; set; } = default!;
         public string ClientId { get; set; } = default!;
+
         public DateTimeOffset? DateCreated { get; set; }
         public DateTimeOffset? DateExpiry { get; set; }
         public DateTimeOffset? DateRevoked { get; set; }

src/Certify.Server/Certify.Server.Api.Public.Client/Certify.API.Public.cs

@@ -428,6 +428,178 @@ public virtual async System.Threading.Tasks.Task<RoleStatus> GetSecurityPrincipl
             }
         }
 
+        /// <summary>
+        /// Get list of API access tokens [Generated]
+        /// </summary>
+        /// <returns>OK</returns>
+        /// <exception cref="ApiException">A server side error occurred.</exception>
+        public virtual System.Threading.Tasks.Task<System.Collections.Generic.ICollection<AccessToken>> GetAccessTokensAsync()
+        {
+            return GetAccessTokensAsync(System.Threading.CancellationToken.None);
+        }
+
+        /// <param name="cancellationToken">A cancellation token that can be used by other objects or threads to receive notice of cancellation.</param>
+        /// <summary>
+        /// Get list of API access tokens [Generated]
+        /// </summary>
+        /// <returns>OK</returns>
+        /// <exception cref="ApiException">A server side error occurred.</exception>
+        public virtual async System.Threading.Tasks.Task<System.Collections.Generic.ICollection<AccessToken>> GetAccessTokensAsync(System.Threading.CancellationToken cancellationToken)
+        {
+            var client_ = _httpClient;
+            var disposeClient_ = false;
+            try
+            {
+                using (var request_ = new System.Net.Http.HttpRequestMessage())
+                {
+                    request_.Method = new System.Net.Http.HttpMethod("GET");
+                    request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("text/plain"));
+
+                    var urlBuilder_ = new System.Text.StringBuilder();
+                    if (!string.IsNullOrEmpty(_baseUrl)) urlBuilder_.Append(_baseUrl);
+                    // Operation Path: "internal/v1/access/token"
+                    urlBuilder_.Append("internal/v1/access/token");
+
+                    PrepareRequest(client_, request_, urlBuilder_);
+
+                    var url_ = urlBuilder_.ToString();
+                    request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+                    PrepareRequest(client_, request_, url_);
+
+                    var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+                    var disposeResponse_ = true;
+                    try
+                    {
+                        var headers_ = new System.Collections.Generic.Dictionary<string, System.Collections.Generic.IEnumerable<string>>();
+                        foreach (var item_ in response_.Headers)
+                            headers_[item_.Key] = item_.Value;
+                        if (response_.Content != null && response_.Content.Headers != null)
+                        {
+                            foreach (var item_ in response_.Content.Headers)
+                                headers_[item_.Key] = item_.Value;
+                        }
+
+                        ProcessResponse(client_, response_);
+
+                        var status_ = (int)response_.StatusCode;
+                        if (status_ == 200)
+                        {
+                            var objectResponse_ = await ReadObjectResponseAsync<System.Collections.Generic.ICollection<AccessToken>>(response_, headers_, cancellationToken).ConfigureAwait(false);
+                            if (objectResponse_.Object == null)
+                            {
+                                throw new ApiException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+                            }
+                            return objectResponse_.Object;
+                        }
+                        else
+                        {
+                            var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+                            throw new ApiException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+                        }
+                    }
+                    finally
+                    {
+                        if (disposeResponse_)
+                            response_.Dispose();
+                    }
+                }
+            }
+            finally
+            {
+                if (disposeClient_)
+                    client_.Dispose();
+            }
+        }
+
+        /// <summary>
+        /// Add new access token [Generated]
+        /// </summary>
+        /// <returns>OK</returns>
+        /// <exception cref="ApiException">A server side error occurred.</exception>
+        public virtual System.Threading.Tasks.Task<ActionResult> AddAccessTokenAsync(AccessToken body)
+        {
+            return AddAccessTokenAsync(body, System.Threading.CancellationToken.None);
+        }
+
+        /// <param name="cancellationToken">A cancellation token that can be used by other objects or threads to receive notice of cancellation.</param>
+        /// <summary>
+        /// Add new access token [Generated]
+        /// </summary>
+        /// <returns>OK</returns>
+        /// <exception cref="ApiException">A server side error occurred.</exception>
+        public virtual async System.Threading.Tasks.Task<ActionResult> AddAccessTokenAsync(AccessToken body, System.Threading.CancellationToken cancellationToken)
+        {
+            var client_ = _httpClient;
+            var disposeClient_ = false;
+            try
+            {
+                using (var request_ = new System.Net.Http.HttpRequestMessage())
+                {
+                    var json_ = Newtonsoft.Json.JsonConvert.SerializeObject(body, JsonSerializerSettings);
+                    var content_ = new System.Net.Http.StringContent(json_);
+                    content_.Headers.ContentType = System.Net.Http.Headers.MediaTypeHeaderValue.Parse("application/json");
+                    request_.Content = content_;
+                    request_.Method = new System.Net.Http.HttpMethod("POST");
+                    request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("text/plain"));
+
+                    var urlBuilder_ = new System.Text.StringBuilder();
+                    if (!string.IsNullOrEmpty(_baseUrl)) urlBuilder_.Append(_baseUrl);
+                    // Operation Path: "internal/v1/access/token"
+                    urlBuilder_.Append("internal/v1/access/token");
+
+                    PrepareRequest(client_, request_, urlBuilder_);
+
+                    var url_ = urlBuilder_.ToString();
+                    request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+                    PrepareRequest(client_, request_, url_);
+
+                    var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+                    var disposeResponse_ = true;
+                    try
+                    {
+                        var headers_ = new System.Collections.Generic.Dictionary<string, System.Collections.Generic.IEnumerable<string>>();
+                        foreach (var item_ in response_.Headers)
+                            headers_[item_.Key] = item_.Value;
+                        if (response_.Content != null && response_.Content.Headers != null)
+                        {
+                            foreach (var item_ in response_.Content.Headers)
+                                headers_[item_.Key] = item_.Value;
+                        }
+
+                        ProcessResponse(client_, response_);
+
+                        var status_ = (int)response_.StatusCode;
+                        if (status_ == 200)
+                        {
+                            var objectResponse_ = await ReadObjectResponseAsync<ActionResult>(response_, headers_, cancellationToken).ConfigureAwait(false);
+                            if (objectResponse_.Object == null)
+                            {
+                                throw new ApiException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+                            }
+                            return objectResponse_.Object;
+                        }
+                        else
+                        {
+                            var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+                            throw new ApiException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+                        }
+                    }
+                    finally
+                    {
+                        if (disposeResponse_)
+                            response_.Dispose();
+                    }
+                }
+            }
+            finally
+            {
+                if (disposeClient_)
+                    client_.Dispose();
+            }
+        }
+
         /// <summary>
         /// Get list of available security principles [Generated]
         /// </summary>