Query tracks and update tracks with least privileges.

Author: Revsgaard

src/FoxIDs.Control/Controllers/Tracks/TTrackController.cs

@@ -16,7 +16,7 @@
 
 namespace FoxIDs.Controllers
 {
-    [TenantScopeAuthorize]
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.AnyTrack)]
     public class TTrackController : ApiController
     {
         private readonly FoxIDsControlSettings settings;
@@ -53,6 +53,7 @@ public TTrackController(FoxIDsControlSettings settings, TelemetryScopedLogger lo
             {
                 if (!ModelState.TryValidateRequiredParameter(name, nameof(name))) return BadRequest(ModelState);
                 name = name?.ToLower();
+                HttpContext.TenantScopeGrantAccessToTrackName(name);
 
                 var mTrack = await tenantDataRepository.GetTrackByNameAsync(new Track.IdKey { TenantName = RouteBinding.TenantName, TrackName = name});
                 return Ok(mapper.Map<Api.Track>(mTrack));
@@ -81,6 +82,7 @@ public TTrackController(FoxIDsControlSettings settings, TelemetryScopedLogger lo
             {
                 if (!await ModelState.TryValidateObjectAsync(track)) return BadRequest(ModelState);
                 track.Name = await GetTrackNameAsync(track.Name);
+                HttpContext.TenantScopeGrantAccessToTrackName(track.Name);
 
                 if (track.Name == Constants.Routes.ControlSiteName || track.Name == Constants.Routes.HealthController)
                 {
@@ -131,6 +133,7 @@ public TTrackController(FoxIDsControlSettings settings, TelemetryScopedLogger lo
             {
                 if (!await ModelState.TryValidateObjectAsync(track)) return BadRequest(ModelState);
                 track.Name = await GetTrackNameAsync(track.Name);
+                HttpContext.TenantScopeGrantAccessToTrackName(track.Name);
 
                 var trackIdKey = new Track.IdKey { TenantName = RouteBinding.TenantName, TrackName = track.Name };
                 var mTrack = await tenantDataRepository.GetTrackByNameAsync(trackIdKey);
@@ -180,6 +183,7 @@ public async Task<IActionResult> DeleteTrack(string name)
             {
                 if (!ModelState.TryValidateRequiredParameter(name, nameof(name))) return BadRequest(ModelState);
                 name = name?.ToLower();
+                HttpContext.TenantScopeGrantAccessToTrackName(name);
 
                 var trackIdKey = new Track.IdKey { TenantName = RouteBinding.TenantName, TrackName = name };
                 var mTrack = await tenantDataRepository.GetTrackByNameAsync(trackIdKey);

src/FoxIDs.Control/Controllers/Tracks/TTrackResourceSettingController.cs

@@ -6,7 +6,6 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using System.Threading.Tasks;
-using System.Net;
 using FoxIDs.Logic;
 using FoxIDs.Infrastructure.Security;
 

src/FoxIDs.Control/Controllers/Tracks/TTracksController.cs

@@ -14,7 +14,7 @@
 
 namespace FoxIDs.Controllers
 {
-    [TenantScopeAuthorize]
+    [TenantScopeAuthorize(Constants.ControlApi.Segment.AnyTrack)]
     public class TTracksController : ApiController
     {
         private const string dataType = Constants.Models.DataType.Track;
@@ -41,11 +41,7 @@ public TTracksController(TelemetryScopedLogger logger, IMapper mapper, ITenantDa
         {
             try
             {
-                var idKey = new Track.IdKey { TenantName = RouteBinding.TenantName, TrackName = RouteBinding.TrackName };
-                (var mTracks, var nextPaginationToken) = filterName.IsNullOrWhiteSpace() ? 
-                    await tenantDataRepository.GetListAsync<Track>(idKey, whereQuery: p => p.DataType.Equals(dataType), paginationToken: paginationToken) : 
-                    await tenantDataRepository.GetListAsync<Track>(idKey, whereQuery: p => p.DataType.Equals(dataType) && 
-                        (p.Name.Contains(filterName, StringComparison.CurrentCultureIgnoreCase) || p.DisplayName.Contains(filterName, StringComparison.CurrentCultureIgnoreCase)), paginationToken: paginationToken);
+                (var mTracks, var nextPaginationToken) = await GetFilterTrackInternalAsync(filterName, paginationToken);
 
                 var response = new Api.PaginationResponse<Api.Track>
                 {
@@ -68,5 +64,30 @@ await tenantDataRepository.GetListAsync<Track>(idKey, whereQuery: p => p.DataTyp
                 throw;
             }
         }
+
+        private async Task<(IReadOnlyCollection<Track> mTracks, string nextPaginationToken)> GetFilterTrackInternalAsync(string filterName, string paginationToken)
+        {
+            var idKey = new Track.IdKey { TenantName = RouteBinding.TenantName };
+
+            if (HttpContext.GetTenantScopeAccessToAnyTrack())
+            {
+                return filterName.IsNullOrWhiteSpace() ?
+                    await tenantDataRepository.GetListAsync<Track>(idKey, whereQuery: p => p.DataType.Equals(dataType), paginationToken: paginationToken) :
+                    await tenantDataRepository.GetListAsync<Track>(idKey, whereQuery: p => p.DataType.Equals(dataType) &&
+                        (p.Name.Contains(filterName, StringComparison.CurrentCultureIgnoreCase) || p.DisplayName.Contains(filterName, StringComparison.CurrentCultureIgnoreCase)), paginationToken: paginationToken);
+            }
+
+            var accessToTrackNames = HttpContext.GetTenantScopeAccessToTrackNames();
+            if (accessToTrackNames?.Count() > 0)
+            {
+                return filterName.IsNullOrWhiteSpace() ?
+                    await tenantDataRepository.GetListAsync<Track>(idKey, whereQuery: p => p.DataType.Equals(dataType) && accessToTrackNames.Any(at => at == p.Name), paginationToken: paginationToken) :
+                    await tenantDataRepository.GetListAsync<Track>(idKey, whereQuery: p => p.DataType.Equals(dataType) && accessToTrackNames.Any(at => at == p.Name) &&
+                        (p.Name.Contains(filterName, StringComparison.CurrentCultureIgnoreCase) || p.DisplayName.Contains(filterName, StringComparison.CurrentCultureIgnoreCase)), paginationToken: paginationToken);
+
+            }
+
+            return (new List<Track>(), null);
+        }
     }
 }

src/FoxIDs.Control/Extensions/TenantScopeAuthorizeExtension.cs

@@ -0,0 +1,44 @@
+using Microsoft.AspNetCore.Http;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+
+namespace FoxIDs
+{
+    public static class TenantScopeAuthorizeExtension
+    {
+        public static bool GetTenantScopeAccessToAnyTrack(this HttpContext httpContext)
+        {
+            return httpContext.Items.ContainsKey(Constants.ControlApi.AccessToAnyTrackKey);
+        }
+
+        public static IEnumerable<string> GetTenantScopeAccessToTrackNames(this HttpContext httpContext)
+        {
+            if (httpContext.Items.ContainsKey(Constants.ControlApi.AccessToTrackNamesKey))
+            {
+                return httpContext.Items[Constants.ControlApi.AccessToTrackNamesKey] as IEnumerable<string>;
+            }
+            return null;
+        }
+
+        public static void TenantScopeGrantAccessToTrackName(this HttpContext httpContext, string trackName)
+        {
+            if (httpContext.GetTenantScopeAccessToAnyTrack())
+            {
+                return;
+            }
+
+            var accessToTrackNames = httpContext.GetTenantScopeAccessToTrackNames();
+            if (accessToTrackNames?.Count() > 0)
+            {
+                if (accessToTrackNames.Any(at => at == trackName))
+                {
+                    return;
+                }
+
+            }
+
+            throw new UnauthorizedAccessException($"Users scope and role do not grant access to the {trackName} track.");
+        }
+    }
+}

src/FoxIDs.Control/FoxIDs.Control.csproj

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net9.0</TargetFramework>
-		<Version>1.17.4</Version>
+		<Version>1.17.5</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>FoxIDs</Company>

src/FoxIDs.Control/Infrastructure/Security/BaseAuthorizationRequirement.cs

@@ -6,12 +6,16 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http;
+using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 
 namespace FoxIDs.Infrastructure.Security
 {
     public abstract class BaseAuthorizationRequirement<Tar, Tsc> : AuthorizationHandler<Tar>, IAuthorizationRequirement where Tar : IAuthorizationRequirement where Tsc : BaseScopeAuthorizeAttribute
     {
+        private static Regex accessToTracksRegex = new Regex(@"((?::track\[(?<track>[\w-]+)\])|(?::track\[(?<trackget>[\w-]+)\].read)|(?::track\[(?<trackpost>[\w-]+)\].create)|(?::track\[(?<trackput>[\w-]+)\].update)|(?::track\[(?<trackdelete>[\w-]+)\].delete))$", RegexOptions.Compiled);
+        protected bool supportAccessToTracks = false;
+
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, Tar requirement)
         {
             if (context.User != null && context.Resource is HttpContext httpContext)
@@ -31,10 +35,12 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
                         var userRoles = context.User.Claims.Where(c => string.Equals(c.Type, JwtClaimTypes.Role, StringComparison.OrdinalIgnoreCase)).Select(c => c.Value).ToList();
                         if (userScopes?.Count() > 0 && userRoles?.Count > 0)
                         {
-                            (var acceptedScopes, var acceptedRoles) = GetAcceptedScopesAndRoles(scopeAuthorizeAttribute.Segments, httpContext.GetRouteBinding().TrackName, httpContext.Request?.Method);
+                            var accessToTrackNames = GetAccessToTracks(userScopes, userRoles, httpContext.Request?.Method);
+                            (var acceptedScopes, var acceptedRoles) = GetAcceptedScopesAndRoles(scopeAuthorizeAttribute.Segments, httpContext.GetRouteBinding().TrackName, httpContext.Request?.Method, accessToTrackNames);
 
                             if (userScopes.Where(us => acceptedScopes.Any(s => s.Equals(us, StringComparison.Ordinal))).Any() && userRoles.Where(ur => acceptedRoles.Any(r => r.Equals(ur, StringComparison.Ordinal))).Any())
                             {
+                                AddAccessToTracksRequestItems(httpContext, userScopes.Where(us => acceptedScopes.Any(s => s.Equals(us, StringComparison.Ordinal))), userRoles.Where(ur => acceptedRoles.Any(r => r.Equals(ur, StringComparison.Ordinal))), httpContext.Request?.Method);
                                 context.Succeed(requirement);
                             }
                             else
@@ -60,7 +66,7 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
             return Task.CompletedTask;
         }
 
-        protected abstract (List<string> acceptedScopes, List<string> acceptedRoles) GetAcceptedScopesAndRoles(IEnumerable<string> segments, string trackName, string httpMethod);
+        protected abstract (List<string> acceptedScopes, List<string> acceptedRoles) GetAcceptedScopesAndRoles(IEnumerable<string> segments, string trackName, string httpMethod, IEnumerable<string> accessToTrackNames = null);
 
         protected void AddScopeAndRole(List<string> acceptedScopes, List<string> acceptedRoles, string httpMethod, string scope, string role, string segment = "")
         {
@@ -93,5 +99,106 @@ protected void AddScopeAndRole(List<string> acceptedScopes, List<string> accepte
                 }
             }
         }
+
+        private IEnumerable<string> GetAccessToTracks(IEnumerable<string> userScopes, IEnumerable<string> userRoles, string httpMethod)
+        {
+            if (!supportAccessToTracks)
+            {
+                return null;
+            }
+
+            var accessToTrackNames = new List<string>();
+            accessToTrackNames.AddRange(GetAccessToTracks(userScopes, httpMethod));
+            accessToTrackNames.ConcatOnce(GetAccessToTracks(userRoles, httpMethod));
+            return accessToTrackNames;
+        }
+
+        private IEnumerable<string> GetAccessToTracks(IEnumerable<string> userScopesOrRole, string httpMethod)
+        {
+            foreach (var item in userScopesOrRole)
+            {
+                var itemMatch = accessToTracksRegex.Match(item);
+                if (itemMatch.Success)
+                {
+                    if (itemMatch.Groups["track"].Success)
+                    {
+                        yield return itemMatch.Groups["track"].Value;
+                    }
+
+                    if (httpMethod == HttpMethod.Get.Method)
+                    {
+                        if (itemMatch.Groups["trackget"].Success)
+                        {
+                            yield return itemMatch.Groups["trackget"].Value;
+                        }
+                    }
+                    else if (httpMethod == HttpMethod.Post.Method)
+                    {
+                        if (itemMatch.Groups["trackpost"].Success)
+                        {
+                            yield return itemMatch.Groups["trackpost"].Value;
+                        }
+
+                    }
+                    else if (httpMethod == HttpMethod.Put.Method)
+                    {
+                        if (itemMatch.Groups["trackput"].Success)
+                        {
+                            yield return itemMatch.Groups["trackput"].Value;
+                        }
+
+                    }
+                    else if (httpMethod == HttpMethod.Delete.Method)
+                    {
+                        if (itemMatch.Groups["trackdelete"].Success)
+                        {
+                            yield return itemMatch.Groups["trackdelete"].Value;
+                        }
+                    }
+                }
+            }
+        }
+
+        private void AddAccessToTracksRequestItems(HttpContext httpContext, IEnumerable<string> accessUserScopes, IEnumerable<string> accessUserRoles, string httpMethod)
+        {
+            if (!supportAccessToTracks)
+            {
+                return;
+            }
+
+            var scopesGrantAccessToAnyTrack = !accessToTracksRegex.Match(accessUserScopes.First()).Success;
+            var rolesGrantAccessToAnyTrack = !accessToTracksRegex.Match(accessUserRoles.First()).Success;
+
+            if (scopesGrantAccessToAnyTrack && rolesGrantAccessToAnyTrack)
+            {
+                httpContext.Items[Constants.ControlApi.AccessToAnyTrackKey] = true;
+                return;
+            }
+
+            var scopesGrantAccessToTrackNames = GetAccessToTracks(accessUserScopes, httpMethod);
+            var rolesGrantAccessToTrackNames = GetAccessToTracks(accessUserRoles, httpMethod);
+
+            var accessToTracks = GetLimitedGrantedAccessToTracks(scopesGrantAccessToAnyTrack, rolesGrantAccessToAnyTrack, scopesGrantAccessToTrackNames, rolesGrantAccessToTrackNames);
+            if (accessToTracks.Count() > 0)
+            {
+                httpContext.Items[Constants.ControlApi.AccessToTrackNamesKey] = accessToTracks;
+            }
+        }
+
+        private IEnumerable<string> GetLimitedGrantedAccessToTracks(bool scopesGrantAccessToAnyTrack, bool rolesGrantAccessToAnyTrack, IEnumerable<string> scopesGrantAccessToTrackNames, IEnumerable<string> rolesGrantAccessToTrackNames)
+        {
+            if (scopesGrantAccessToAnyTrack)
+            {
+                return rolesGrantAccessToTrackNames;
+            }
+            else if (rolesGrantAccessToAnyTrack)
+            {
+                return scopesGrantAccessToTrackNames;
+            }
+            else
+            {
+                return scopesGrantAccessToTrackNames.Where(us => rolesGrantAccessToTrackNames.Any(s => s.Equals(us, StringComparison.Ordinal)));
+            }
+        }
     }
 }

src/FoxIDs.Control/Infrastructure/Security/MasterAuthorizationRequirement.cs

@@ -1,11 +1,17 @@
-using System.Collections.Generic;
+using System;
+using System.Collections.Generic;
 
 namespace FoxIDs.Infrastructure.Security
 {
     public class MasterAuthorizationRequirement : BaseAuthorizationRequirement<MasterAuthorizationRequirement, MasterScopeAuthorizeAttribute>
     {
-        protected override (List<string> acceptedScopes, List<string> acceptedRoles) GetAcceptedScopesAndRoles(IEnumerable<string> segments, string trackName, string httpMethod)
+        protected override (List<string> acceptedScopes, List<string> acceptedRoles) GetAcceptedScopesAndRoles(IEnumerable<string> segments, string trackName, string httpMethod, IEnumerable<string> accessToTrackNames = null)
         {
+            if (accessToTrackNames != null)
+            {
+                throw new NotSupportedException("Access to track names not supported in master authorization.");
+            }
+
             var acceptedScopes = new List<string>();
             var acceptedRoles = new List<string>();
 
@@ -14,6 +20,11 @@ protected override (List<string> acceptedScopes, List<string> acceptedRoles) Get
 
             foreach (var segment in segments)
             {
+                if (segment == Constants.ControlApi.Segment.Basic || segment == Constants.ControlApi.Segment.AnyTrack)
+                {
+                    throw new NotSupportedException($"Segment {segment}' not supported in master authorization.");
+                }
+
                 var scope = $"{Constants.ControlApi.ResourceAndScope.Master}{segment}";
                 var role = $"{Constants.ControlApi.Access.Tenant}{segment}";
                 AddScopeAndRole(acceptedScopes, acceptedRoles, httpMethod, scope, role, segment);