Access: fix scoped assigned role references, optionally always apply upgrades

Author: webprofusion-chrisc

src/Certify.Core/Management/Access/AccessControl.cs

@@ -251,6 +251,7 @@ public async Task<bool> IsSecurityPrincipleAuthorised(string contextUserId, Acce
             // TODO: cache results for performance based on last update of access control config, which will be largely static
 
             // get all assigned roles (all users)
+            // assigned roles are assigned to a security principle (user) and include a specified role plus any restrictions on resource types or identifiers
             var allAssignedRoles = await _store.GetItems<AssignedRole>(nameof(AssignedRole));
 
             // get all defined roles
@@ -262,10 +263,10 @@ public async Task<bool> IsSecurityPrincipleAuthorised(string contextUserId, Acce
             // get the assigned roles for this specific security principle
             var spAssignedRoles = allAssignedRoles.Where(a => a.SecurityPrincipleId == check.SecurityPrincipleId);
 
-            // if scoped assigned role ID specified (access token check etc), reduce scope of assigned roles to check
+            // if scoped AssignedRole.ID (not just the roleID) specified (access token check etc), reduce scope of assigned roles to check
             if (check.ScopedAssignedRoles?.Any() == true)
             {
-                spAssignedRoles = spAssignedRoles.Where(a => check.ScopedAssignedRoles.Contains(a.RoleId));
+                spAssignedRoles = spAssignedRoles.Where(a => check.ScopedAssignedRoles.Contains(a.Id));
             }
 
             // get all role definitions included in the principles assigned roles 
@@ -407,7 +408,7 @@ public async Task<bool> UpdateSecurityPrinciplePassword(string contextUserId, Se
 
             var updated = false;
 
-            var principle = await GetSecurityPrinciple(contextUserId, passwordUpdate.SecurityPrincipleId);
+            var principle = await GetSecurityPrinciple(contextUserId, passwordUpdate.SecurityPrincipleId, includePassword: true);
 
             if (IsPasswordValid(passwordUpdate.Password, principle.Password))
             {

src/Certify.Core/Management/CertifyManager/CertifyManager.Maintenance.cs

@@ -1,11 +1,10 @@
-using System;
+using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
-using Certify.Core.Management.Access;
 using Certify.Models;
 using Certify.Models.Config;
 using Certify.Models.Hub;
@@ -25,7 +24,7 @@ private async Task UpgradeSettings()
             var systemVersion = Util.GetAppVersion().ToString();
             var previousVersion = CoreAppSettings.Current.CurrentServiceVersion;
 
-            if (CoreAppSettings.Current.CurrentServiceVersion != systemVersion)
+            if (CoreAppSettings.Current.CurrentServiceVersion != systemVersion || Environment.GetEnvironmentVariable("CERTIFY_UPGRADE_SETTINGS") == "true")
             {
                 _tc?.TrackEvent("ServiceUpgrade", new Dictionary<string, string> {
                     { "previousVersion", previousVersion },
@@ -48,90 +47,11 @@ private async Task UpgradeSettings()
 
                 if (CoreAppSettings.Current.IsManagementHubService)
                 {
-                    if (await accessControl.IsInitialized() == false)
-                    {
-                        await BootstrapAdminUserAndRoles(accessControl);
-                    }
-                    else
-                    {
-                        await UpdateStandardRoles(accessControl);
-                    }
+                    await AccessControlConfig.ConfigureStandardUsersAndRoles(accessControl);
                 }
             }
         }
 
-        private static async Task BootstrapAdminUserAndRoles(IAccessControl access)
-        {
-            // setup roles with policies
-            await UpdateStandardRoles(access);
-
-            var adminSp = new SecurityPrinciple
-            {
-                Id = "admin_01",
-                Description = "Primary default admin",
-                PrincipleType = SecurityPrincipleType.User,
-                Username = Environment.GetEnvironmentVariable("CERTIFY_ADMIN_DEFAULTUSERNAME") ?? "admin",
-                Password = Environment.GetEnvironmentVariable("CERTIFY_ADMIN_DEFAULTPWD") ?? "changeme!",
-                Provider = StandardIdentityProviders.INTERNAL
-            };
-
-            await access.AddSecurityPrinciple(adminSp.Id, adminSp, bypassIntegrityCheck: true);
-
-            // assign security principles to roles
-            var assignedRoles = new List<AssignedRole> {
-                 // administrator
-                 new AssignedRole{
-                     Id= Guid.NewGuid().ToString(),
-                     RoleId=StandardRoles.Administrator.Id,
-                     SecurityPrincipleId=adminSp.Id
-                 }
-            };
-
-            foreach (var r in assignedRoles)
-            {
-                // add roles and policy assignments to store
-                await access.AddAssignedRole(adminSp.Id, r, bypassIntegrityCheck: true);
-            }
-        }
-
-        /// <summary>
-        /// Add/update standard system roles, policies and resource actions
-        /// </summary>
-        /// <param name="access"></param>
-        /// <returns></returns>
-        private static async Task UpdateStandardRoles(IAccessControl access)
-        {
-            // setup roles with policies
-
-            var adminSvcPrinciple = "admin_01";
-
-            var actions = Policies.GetStandardResourceActions();
-
-            foreach (var action in actions)
-            {
-                await access.AddResourceAction(adminSvcPrinciple, action, bypassIntegrityCheck: true);
-            }
-
-            // setup policies with actions
-
-            var policies = Policies.GetStandardPolicies();
-
-            // add policies to store
-            foreach (var r in policies)
-            {
-                _ = await access.AddResourcePolicy(adminSvcPrinciple, r, bypassIntegrityCheck: true);
-            }
-
-            // setup roles with policies
-            var roles = Policies.GetStandardRoles();
-
-            foreach (var r in roles)
-            {
-                // add roles and policy assignments to store
-                await access.AddRole(adminSvcPrinciple, r, bypassIntegrityCheck: true);
-            }
-        }
-
         /// <summary>
         /// When called, perform daily cache cleanup, cert cleanup, diagnostics and maintenance
         /// </summary>

src/Certify.Models/Hub/AccessControl.cs

@@ -40,7 +40,7 @@ public class SecurityPrinciple : ConfigurationStoreItem
         public string? AuthKey { get; set; }
 
         public string AvatarUrl { get; set; } = string.Empty;
-        public bool IsBuiltIn { get; set; } = false;
+        public bool IsBuiltIn { get; set; }
     }
 
     /// <summary>
@@ -124,7 +124,7 @@ public class AssignedAccessToken : ConfigurationStoreItem
         public string SecurityPrincipleId { get; set; } = default!;
 
         /// <summary>
-        /// Optional list of Assigned Roles this access token is scoped to
+        /// Optional list of Assigned Roles this access token is scoped to. Note this is not the RoleID but the AssignedRoleID.
         /// </summary>
         public List<string> ScopedAssignedRoles { get; set; } = [];
 

src/Certify.Models/Hub/AccessControlConfig.cs

@@ -482,7 +482,8 @@ public static async Task ConfigureStandardUsersAndRoles(IAccessControl access)
                         }
                     },
                     ScopedAssignedRoles = new List<string> {
-                        StandardRoles.ManagedInstance.Id
+                        // scope assigned role is the id for AssignedRole (not the role id itself)
+                        assignedRoles.First(a=>a.RoleId==StandardRoles.ManagedInstance.Id).Id
                     },
                 };
 

src/Certify.Server/Certify.Server.Core/Certify.Server.Core/Controllers/AccessController.cs

@@ -122,7 +122,12 @@ public async Task<ICollection<AssignedAccessToken>> GetAssignedAccessTokens()
         {
             var accessControl = await _certifyManager.GetCurrentAccessControl();
 
-            token.AccessTokens?.ForEach(a => a.DateCreated = DateTime.UtcNow);
+            token.AccessTokens?.ForEach(a =>
+            {
+                a.DateCreated = DateTime.UtcNow;
+                a.Id = Guid.NewGuid().ToString();
+                a.Secret = Guid.NewGuid().ToString();
+            });
 
             var addResultOk = await accessControl.AddAssignedAccessToken(GetContextUserId(), token);
 

src/Certify.Server/Certify.Server.Core/Certify.Server.Core/Properties/launchSettings.json

@@ -16,9 +16,10 @@
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development",
         "ASPNETCORE_URLS": "http://127.0.0.2:9696",
-        "CERTIFY_MANAGEMENT_HUB": "https://localhost:44361/api/internal/managementhub",
+        //"CERTIFY_MANAGEMENT_HUB": "https://localhost:44361/api/internal/managementhub",
         "CERTIFY_ENABLE_MANAGEMENT_HUB": "true",
-        "CERTIFY_SERVICE_AUTH_MODE": "none"
+        "CERTIFY_SERVICE_AUTH_MODE": "none",
+        "CERTIFY_UPGRADE_SETTINGS": "true"
       }
     },
     "Certify.Server.Core (windows auth)": {
@@ -27,9 +28,10 @@
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development",
         "ASPNETCORE_URLS": "http://127.0.0.2:9696",
-        "CERTIFY_MANAGEMENT_HUB": "https://localhost:44361/api/internal/managementhub",
+        // "CERTIFY_MANAGEMENT_HUB": "https://localhost:44361/api/internal/managementhub",
         "CERTIFY_ENABLE_MANAGEMENT_HUB": "true",
-        "CERTIFY_SERVICE_AUTH_MODE": "windows"
+        "CERTIFY_SERVICE_AUTH_MODE": "windows",
+        "CERTIFY_UPGRADE_SETTINGS": "true"
       }
     },
     "IIS Express": {

src/Certify.Tests/Certify.Core.Tests.Integration/DataStores/AccessControlDataStoreTests.cs

@@ -176,7 +176,7 @@ public async Task TestStoreGeneralAccessControl(string storeType)
                 Assert.IsTrue(list.Any(), "Should have security principles in store");
 
                 // get updated sp so that password is hashed for comparison check
-                consumerSp = await access.GetSecurityPrinciple(adminSp.Id, consumerSp.Id);
+                consumerSp = await access.GetSecurityPrinciple(adminSp.Id, consumerSp.Id, includePassword: true);
 
                 Assert.IsTrue(access.IsPasswordValid("oldpassword", consumerSp.Password));
             }

src/Certify.Tests/Certify.Core.Tests.Unit/Tests/AccessControlTests.cs

@@ -414,7 +414,7 @@ public async Task TestUpdateSecurityPrinciplePassword()
             assignedRoles.ForEach(async r => await access.AddAssignedRole(contextUserId, r, bypassIntegrityCheck: true));
 
             // Validate password of SecurityPrinciple object returned by AccessControl.GetSecurityPrinciple() before update
-            var storedSecurityPrinciple = await access.GetSecurityPrinciple(contextUserId, adminSecurityPrinciples[0].Id);
+            var storedSecurityPrinciple = await access.GetSecurityPrinciple(contextUserId, adminSecurityPrinciples[0].Id, includePassword: true);
             var firstPasswordHashed = access.HashPassword(firstPassword, storedSecurityPrinciple.Password.Split('.')[1]);
             Assert.AreEqual(storedSecurityPrinciple.Password, firstPasswordHashed, $"Expected SecurityPrinciple returned by GetSecurityPrinciple() to match Password '{firstPasswordHashed}' of SecurityPrinciple passed into AddSecurityPrinciple()");
 
@@ -424,7 +424,7 @@ public async Task TestUpdateSecurityPrinciplePassword()
             Assert.IsTrue(securityPrincipleUpdated, $"Expected security principle password update for {adminSecurityPrinciples[0].Id} to succeed");
 
             // Validate password of SecurityPrinciple object returned by AccessControl.GetSecurityPrinciple() after update
-            storedSecurityPrinciple = await access.GetSecurityPrinciple(contextUserId, adminSecurityPrinciples[0].Id);
+            storedSecurityPrinciple = await access.GetSecurityPrinciple(contextUserId, adminSecurityPrinciples[0].Id, includePassword: true);
             var newPasswordHashed = access.HashPassword(newPassword, storedSecurityPrinciple.Password.Split('.')[1]);
 
             Assert.AreNotEqual(storedSecurityPrinciple.Password, firstPasswordHashed, $"Expected SecurityPrinciple returned by GetSecurityPrinciple() to not match previous Password '{firstPasswordHashed}' of SecurityPrinciple passed into AddSecurityPrinciple()");
@@ -445,7 +445,7 @@ public async Task TestUpdateSecurityPrinciplePasswordNoRoles()
             Assert.IsFalse(securityPrincipleUpdated, $"Expected security principle password update for {adminSecurityPrinciples[0].Id} to fail without roles");
 
             // Validate password of SecurityPrinciple object returned by AccessControl.GetSecurityPrinciple() after failed update
-            var storedSecurityPrinciple = await access.GetSecurityPrinciple(contextUserId, adminSecurityPrinciples[0].Id);
+            var storedSecurityPrinciple = await access.GetSecurityPrinciple(contextUserId, adminSecurityPrinciples[0].Id, includePassword: true);
             var firstPasswordHashed = access.HashPassword(firstPassword, storedSecurityPrinciple.Password.Split('.')[1]);
 
             Assert.AreEqual(storedSecurityPrinciple.Password, firstPasswordHashed, $"Expected SecurityPrinciple returned by GetSecurityPrinciple() to match Password '{firstPasswordHashed}' of SecurityPrinciple passed into AddSecurityPrinciple()");
@@ -481,7 +481,7 @@ public async Task TestUpdateSecurityPrinciplePasswordBadPassword()
             Assert.IsFalse(securityPrincipleUpdated, $"Expected security principle password update for {adminSecurityPrinciples[0].Id} to fail with wrong password");
 
             // Validate password of SecurityPrinciple object returned by AccessControl.GetSecurityPrinciple() after failed update
-            var storedSecurityPrinciple = await access.GetSecurityPrinciple(contextUserId, adminSecurityPrinciples[0].Id);
+            var storedSecurityPrinciple = await access.GetSecurityPrinciple(contextUserId, adminSecurityPrinciples[0].Id, includePassword: true);
             var firstPasswordHashed = access.HashPassword(firstPassword, storedSecurityPrinciple.Password.Split('.')[1]);
             Assert.AreEqual(storedSecurityPrinciple.Password, firstPasswordHashed, $"Expected SecurityPrinciple returned by GetSecurityPrinciple() to match Password '{firstPasswordHashed}' of SecurityPrinciple passed into AddSecurityPrinciple()");
         }