API: implement client id/secret access check for all endpoints

Author: webprofusion-chrisc

src/Certify.Server/Certify.Server.Hub.Api/Controllers/internal/ApiControllerBase.cs

@@ -42,6 +42,12 @@ internal async Task<bool> IsAuthorized(ICertifyInternalApiClient internalApiClie
                 return false;
             }
 
+            /// if check does not specify security principle use the current user
+            if (check.SecurityPrincipleId == null)
+            {
+                check.SecurityPrincipleId = CurrentAuthContext.UserId;
+            }
+
             return await internalApiClient.CheckSecurityPrincipleHasAccess(check, CurrentAuthContext);
         }
 
@@ -56,6 +62,47 @@ internal async Task<bool> IsAuthorized(ICertifyInternalApiClient internalApiClie
         {
             return await internalApiClient.CheckApiTokenHasAccess(token, check, CurrentAuthContext);
         }
+
+        internal async Task<Models.Config.ActionResult> CheckRequestAuthorized(ICertifyInternalApiClient internalApiClient, AccessCheck check)
+        {
+            // check for authorization bearer token first
+
+            var currenAuthContextCheckOK = await IsAuthorized(internalApiClient, check);
+
+            if (currenAuthContextCheckOK)
+            {
+                return new Models.Config.ActionResult("Authorized by bearer token", true);
+            }
+
+            // check for access token in request headers
+            var accessToken = GetAccessTokenFromRequest();
+
+            if (accessToken == null)
+            {
+                return new Models.Config.ActionResult("X-Client-ID or X-Client-Secret HTTP header missing in request", false);
+            }
+
+            return await IsAccessTokenAuthorized(internalApiClient, accessToken, check);
+        }
+
+        internal AccessToken? GetAccessTokenFromRequest()
+        {
+            var clientId = Request.Headers["X-Client-ID"];
+            var secret = Request.Headers["X-Client-Secret"];
+
+            if (string.IsNullOrWhiteSpace(clientId) || string.IsNullOrWhiteSpace(secret))
+            {
+                return null;
+            }
+            else
+            {
+                return new AccessToken
+                {
+                    ClientId = clientId,
+                    Secret = secret
+                };
+            }
+        }
         /// <summary>
         /// Get the corresponding auth context to pass to the backend service
         /// </summary>

src/Certify.Server/Certify.Server.Hub.Api/Controllers/v1/CertificateController.cs

@@ -1,6 +1,5 @@
-using System.Net;
+using System.Net;
 using System.Text;
-using System.Text.Unicode;
 using Certify.Client;
 using Certify.Models.Hub;
 using Certify.Models.Reporting;
@@ -53,48 +52,11 @@ public CertificateController(ILogger<CertificateController> logger, ICertifyInte
         [ProducesResponseType(typeof(FileContentResult), 200)]
         public async Task<IActionResult> Download(string instanceId, string managedCertId, string format)
         {
-            var accessPermitted = false;
+            var accessCheck = await CheckRequestAuthorized(_client, new AccessCheck(default!, ResourceTypes.Certificate, StandardResourceActions.CertificateDownload));
 
-            if (CurrentAuthContext != null)
+            if (!accessCheck.IsSuccess)
             {
-                // auth based on JWT identity
-                var authCheckOK = await IsAuthorized(_client, new AccessCheck(CurrentAuthContext.UserId, ResourceTypes.Certificate, StandardResourceActions.CertificateDownload));
-                if (!authCheckOK)
-                {
-                    return Problem(detail: "Identity not authorized for this action", statusCode: (int)HttpStatusCode.Unauthorized);
-                }
-                else
-                {
-                    accessPermitted = true;
-                }
-            }
-            else
-            {
-                // auth based on client id and client secret
-                // check token and access control before allowing download
-                var clientId = Request.Headers["X-Client-ID"];
-                var secret = Request.Headers["X-Client-Secret"];
-
-                if (string.IsNullOrWhiteSpace(clientId) || string.IsNullOrWhiteSpace(secret))
-                {
-                    return Problem(detail: "X-Client-ID or X-Client-Secret HTTP header missing in request", statusCode: (int)HttpStatusCode.Unauthorized);
-                }
-
-                var accessPermittedResult = await IsAccessTokenAuthorized(_client, new AccessToken { ClientId = clientId, Secret = secret }, new AccessCheck(default!, ResourceTypes.Certificate, StandardResourceActions.CertificateDownload));
-
-                if (accessPermittedResult.IsSuccess)
-                {
-                    accessPermitted = true;
-                }
-                else
-                {
-                    return Problem(detail: accessPermittedResult.Message, statusCode: (int)HttpStatusCode.Unauthorized);
-                }
-            }
-
-            if (!accessPermitted)
-            {
-                return Unauthorized();
+                return Problem(detail: accessCheck.Message, statusCode: (int)HttpStatusCode.Unauthorized);
             }
 
             // default to PFX output
@@ -143,7 +105,15 @@ public async Task<IActionResult> Download(string instanceId, string managedCertI
                     Response.Headers.Append("ETag", managedCert.CertificateThumbprintHash.ToLowerInvariant());
                 }
 
-                return new FileContentResult(exportResult.Result, "application/x-pkcs12") { FileDownloadName = "certificate.pfx" };
+                if (format == "pfx")
+                {
+                    return new FileContentResult(exportResult.Result, "application/x-pkcs12") { FileDownloadName = "certificate.pfx" };
+                }
+                else
+                {
+                    // for PEM formats, return as text/plain
+                    return new FileContentResult(exportResult.Result, "text/plain") { FileDownloadName = $"{format}.pem" };
+                }
             }
             else
             {

src/Certify.Server/Certify.Server.Hub.Api/Controllers/v1/SystemController.cs

@@ -105,15 +105,16 @@ public async Task<IActionResult> CheckJoining(bool? register = false)
 
             // auth based on client id and client secret
             // check token and access control before allowing download
-            var clientId = Request.Headers["X-Client-ID"];
-            var secret = Request.Headers["X-Client-Secret"];
-            var hubAssignedInstanceId = Request.Headers["X-Certify-HubAssignedId"];
 
-            if (string.IsNullOrWhiteSpace(clientId) || string.IsNullOrWhiteSpace(secret))
+            var accessCheck = await CheckRequestAuthorized(_client, new AccessCheck(default!, ResourceTypes.ManagedInstance, StandardResourceActions.ManagementHubInstanceJoin));
+
+            if (!accessCheck.IsSuccess)
             {
-                return Problem(detail: "X-Client-ID or X-Client-Secret HTTP header missing in request", statusCode: (int)HttpStatusCode.Unauthorized);
+                return Problem(detail: accessCheck.Message, statusCode: (int)HttpStatusCode.Unauthorized);
             }
 
+            var hubAssignedInstanceId = Request.Headers["X-Certify-HubAssignedId"];
+
             // if hub assigned instance id is provided we will either check the supplied hub assigned instance id or create a new one
 
             // check if we know this instance, if so, check the supplied hub assigned instance ID
@@ -144,40 +145,32 @@ public async Task<IActionResult> CheckJoining(bool? register = false)
                 return Problem(detail: "X-Certify-HubAssignedId HTTP header missing in request", statusCode: (int)HttpStatusCode.Unauthorized);
             }
 
-            var accessPermittedResult = await IsAccessTokenAuthorized(_client, new AccessToken { ClientId = clientId, Secret = secret }, new AccessCheck(default!, ResourceTypes.ManagedInstance, StandardResourceActions.ManagementHubInstanceJoin));
+            var joiningInfo = new HubJoiningInfo();
 
-            if (accessPermittedResult.IsSuccess)
-            {
-                var joiningInfo = new HubJoiningInfo();
-
-                var versionInfo = await _client.GetAppVersion();
+            var versionInfo = await _client.GetAppVersion();
 
-                joiningInfo.Version = new Models.Hub.VersionInfo
-                {
-                    Version = versionInfo,
-                    Product = "Certify Management Hub",
-                };
+            joiningInfo.Version = new Models.Hub.VersionInfo
+            {
+                Version = versionInfo,
+                Product = "Certify Management Hub",
+            };
 
-                joiningInfo.HubEndpoint = "api/internal/managementhub";
-                joiningInfo.Message = "Joining OK";
+            joiningInfo.HubEndpoint = "api/internal/managementhub";
+            joiningInfo.Message = "Joining OK";
 
-                var _config = HttpContext.RequestServices.GetRequiredService<IConfiguration>();
-                var jwtService = new Hub.Api.Services.JwtService(_config);
+            var _config = HttpContext.RequestServices.GetRequiredService<IConfiguration>();
+            var jwtService = new Hub.Api.Services.JwtService(_config);
 
-                var additionalClaims = new List<Claim>
+            var additionalClaims = new List<Claim>
                 {
                     new Claim("hub-assigned-id", Guid.NewGuid().ToString())
                 };
 
-                joiningInfo.JoiningToken = jwtService.GenerateSecurityToken($"{clientId}", additionalClaims: additionalClaims);
-                joiningInfo.HubAssignedInstanceId = hubAssignedInstanceId!;
+            joiningInfo.JoiningToken = jwtService.GenerateSecurityToken($"{Request.Headers["X-Client-ID"]}", additionalClaims: additionalClaims);
+            joiningInfo.HubAssignedInstanceId = hubAssignedInstanceId!;
+
+            return new OkObjectResult(joiningInfo);
 
-                return new OkObjectResult(joiningInfo);
-            }
-            else
-            {
-                return Problem(detail: accessPermittedResult.Message, statusCode: (int)HttpStatusCode.Unauthorized);
-            }
         }
     }
 }

src/Certify.Server/Certify.Server.HubService/Program.cs

@@ -1,5 +1,4 @@
-using System.Reflection;
-using System.Runtime.InteropServices;
+using System.Runtime.InteropServices;
 using Certify.Client;
 using Certify.Management;
 using Certify.Models;
@@ -144,11 +143,8 @@
 
 builder.Services.AddEndpointsApiExplorer();
 
-// Register the Swagger generator, defining 1 or more Swagger documents
-// https://docs.microsoft.com/en-us/aspnet/core/tutorials/getting-started-with-swashbuckle?view=aspnetcore-3.1&tabs=visual-studio
 builder.Services.AddSwaggerGen(c =>
 {
-
     // docs UI will be available at /docs
 
     c.SwaggerDoc("v1", new OpenApiInfo
@@ -160,16 +156,6 @@
 
     c.UseAllOfToExtendReferenceSchemas();
 
-    /* c.DocInclusionPredicate((docName, apiDesc) =>
-     {
-         if (!apiDesc.TryGetMethodInfo(out MethodInfo methodInfo))
-         {
-             return false;
-         }
-
-         return methodInfo.DeclaringType.Namespace.StartsWith("Certify.Server.Hub.Api.Controllers");
-     });*/
-
     // use the actual method names as the generated operation id
     c.CustomOperationIds(e =>
         $"{e.ActionDescriptor.RouteValues["action"]}"
@@ -186,7 +172,23 @@
         Type = SecuritySchemeType.Http
     });
 
-    // set security requirement
+    // add custom security definitions for client ID and client secret
+    c.AddSecurityDefinition("X-Client-ID", new OpenApiSecurityScheme
+    {
+        Description = "Client ID header",
+        Name = "X-Client-ID",
+        In = ParameterLocation.Header,
+        Type = SecuritySchemeType.ApiKey
+    });
+    c.AddSecurityDefinition("X-Client-Secret", new OpenApiSecurityScheme
+    {
+        Description = "Client Secret header",
+        Name = "X-Client-Secret",
+        In = ParameterLocation.Header,
+        Type = SecuritySchemeType.ApiKey
+    });
+
+    // Add security requirements: either Bearer OR (X-Client-ID AND X-Client-Secret)
     c.AddSecurityRequirement(new OpenApiSecurityRequirement
     {
         {
@@ -201,8 +203,26 @@
         }
     });
 
+    c.AddSecurityRequirement(new OpenApiSecurityRequirement
+    {
+        {
+            new OpenApiSecurityScheme
+            {
+                Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "X-Client-ID" }
+            },
+            new List<string>()
+        },
+        {
+            new OpenApiSecurityScheme
+            {
+                Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "X-Client-Secret" }
+            },
+            new List<string>()
+        }
+    });
+
     // Set the comments path for the Swagger JSON and UI.
-    var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
+    var xmlFile = $"Certify.Server.Hub.Api.xml";
     var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
     c.IncludeXmlComments(xmlPath);
 

src/Certify.SourceGenerators/PublicAPISourceGenerator.cs

@@ -146,10 +146,14 @@ public partial class {config.PublicAPIController}Controller
                 foreach (var perm in config.RequiredPermissions)
                 {
                     fragment += $@"
-                        if (!await IsAuthorized(_client, ""{perm.ResourceType}"" , ""{perm.Action}""))
-                        {{
-                            return Unauthorized();
-                        }}
+
+                            var accessCheck = await CheckRequestAuthorized(_client, new AccessCheck(default!,  ""{perm.ResourceType}"" ,""{perm.Action}""));
+
+                            if (!accessCheck.IsSuccess)
+                            {{
+                                return Problem(detail: accessCheck.Message, statusCode: (int)System.Net.HttpStatusCode.Unauthorized);
+                            }}
+                      
                     ";
                 }