chore: gateway

Author: ychung-mot

gateway/strdata-dev.yaml

@@ -1,9 +1,9 @@
 services:
 - name: strdata
-  host: strdss-dev-backend.b0471a-dev.svc
+  host: dev.strdata.gov.bc.ca
   tags: [ns.strdata]
-  port: 8080
-  protocol: http
+  port: 443
+  protocol: https
   retries: 0
   routes:
   - name: strdata

helm/main/values-dev.yaml

@@ -20,6 +20,8 @@ global:
     'BCEID_CACHE_LIFESPAN': '600'
     'GEOCODER_URL': 'https://geocodertst.api.gov.bc.ca'
     'ADDRESS_SCORE': '90'
+    'APS_AUTHORITY': 'https://dev.loginproxy.gov.bc.ca/auth/realms/apigw'
+    'APS_GW_JWT_JWKS_URL': 'https://aps-jwks-upstream-jwt.api.gov.bc.ca/certs'
 
 nameOverride: strdss-dev
 fullnameOverride: strdss-dev

helm/main/values-prod.yaml

@@ -20,6 +20,8 @@ global:
     'BCEID_CACHE_LIFESPAN': '600'
     'GEOCODER_URL': 'https://geocoder.api.gov.bc.ca'
     'ADDRESS_SCORE': '90'
+    'APS_AUTHORITY': 'https://loginproxy.gov.bc.ca/auth/realms/apigw'
+    'APS_GW_JWT_JWKS_URL': 'https://aps-jwks-upstream-jwt.api.gov.bc.ca/certs'
 
 nameOverride: strdss-prod
 fullnameOverride: strdss-prod

helm/main/values-test.yaml

@@ -20,7 +20,9 @@ global:
     'BCEID_CACHE_LIFESPAN': '600'
     'GEOCODER_URL': 'https://geocodertst.api.gov.bc.ca'
     'ADDRESS_SCORE': '90'
-    
+    'APS_AUTHORITY': 'https://test.loginproxy.gov.bc.ca/auth/realms/apigw'
+    'APS_GW_JWT_JWKS_URL': 'https://aps-jwks-upstream-jwt.api.gov.bc.ca/certs'
+
 nameOverride: strdss-test
 fullnameOverride: strdss-test
 

helm/main/values-uat.yaml

@@ -20,7 +20,9 @@ global:
     'BCEID_CACHE_LIFESPAN': '600'
     'GEOCODER_URL': 'https://geocodertst.api.gov.bc.ca'
     'ADDRESS_SCORE': '90'
-    
+    'APS_AUTHORITY': 'https://test.loginproxy.gov.bc.ca/auth/realms/apigw'
+    'APS_GW_JWT_JWKS_URL': 'https://aps-jwks-upstream-jwt.api.gov.bc.ca/certs'
+
 nameOverride: strdss-uat
 fullnameOverride: strdss-uat
 

server/StrDss.Api/Authentication/ApsJwtBearerEvents.cs

@@ -0,0 +1,121 @@
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.IdentityModel.Tokens;
+using StrDss.Common;
+using StrDss.Model;
+using StrDss.Service;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Cryptography;
+
+namespace StrDss.Api.Authentication
+{
+    public class ApsJwtBearerEvents : JwtBearerEvents
+    {
+        private ICurrentUser _currentUser;
+        private IUserService _userService;
+        private IRoleService _roleService;
+        private readonly ILogger<StrDssLogger> _logger;
+        private readonly IMemoryCacheService _memoryCache;
+
+        public ApsJwtBearerEvents(ICurrentUser currentUser, IUserService userService, IRoleService roleService, ILogger<StrDssLogger> logger, IMemoryCacheService memoryCache) : base()
+        {
+            _currentUser = currentUser;
+            _userService = userService;
+            _roleService = roleService;
+            _logger = logger;
+            _memoryCache = memoryCache;
+        }
+
+        public override async Task TokenValidated(TokenValidatedContext context)
+        {
+            _currentUser.LoadApsSession(context!.Principal!);
+
+            var (user, permissions) = await _userService.GetUserByGuidAsync(_currentUser.UserGuid);
+
+            if (user == null)
+            {
+                var errorMessage = $"{_currentUser.DisplayName} is not registered.";
+                context.Response.StatusCode = 401;
+                context.Fail($"Unauthorized: {errorMessage}");
+                return;
+            }
+
+            _currentUser.Id = user.UserIdentityId;
+            _currentUser.IsActive = user.IsEnabled;
+            _currentUser.AccessRequestStatus = user.AccessRequestStatusCd;
+            _currentUser.AccessRequestRequired = _currentUser.AccessRequestStatus == AccessRequestStatuses.Denied;
+            _currentUser.OrganizationType = user.RepresentedByOrganization?.OrganizationType ?? "";
+            _currentUser.OrganizationId = user.RepresentedByOrganizationId ?? 0;
+            _currentUser.OrganizationName = user.RepresentedByOrganization?.OrganizationNm ?? "";
+            _currentUser.TermsAcceptanceDtm = user.TermsAcceptanceDtm;
+
+            if (user.IsEnabled)
+            {
+                _currentUser.Permissions = permissions;
+
+                foreach (var permission in permissions)
+                {
+                    _currentUser.AddClaim(context!.Principal!, StrDssClaimTypes.Permission, permission);
+                }
+            }
+
+            if (!context.Request.Headers.TryGetValue("GW-JWT", out var jwtToken))
+            {
+                _logger.LogWarning($"{_currentUser.UserName}: GW-JWT is missing");
+                context.Response.StatusCode = 401;
+                context.Fail("Unauthorized");
+                return;
+            }
+
+            var publicKey = await _memoryCache.GetPublicKeyAsync(false);
+            var gwJwt = jwtToken.ToString();
+
+            if (gwJwt.IsEmpty())
+            {
+                _logger.LogWarning($"{_currentUser.UserName}: GW-JWT is empty");
+                context.Response.StatusCode = 401;
+                context.Fail("Unauthorized");
+                return;
+            }
+
+            if (!ValidateJwtToken(gwJwt, publicKey))
+            {
+                publicKey = await _memoryCache.GetPublicKeyAsync(true);
+
+                if (!ValidateJwtToken(gwJwt, publicKey))
+                {
+                    _logger.LogWarning($"{_currentUser.UserName}: GW-JWT is invalid");
+                    context.Response.StatusCode = 401;
+                    context.Fail("Unauthorized");
+                    return;
+                }
+            }
+        }
+
+        private static bool ValidateJwtToken(string jwtToken, JsonWebKey publicKey)
+        {
+            var validationParameters = new TokenValidationParameters
+            {
+                ValidateIssuer = false,
+                ValidateAudience = false,
+                IssuerSigningKey = new RsaSecurityKey(new RSAParameters
+                {
+                    Modulus = Base64UrlEncoder.DecodeBytes(publicKey.N),
+                    Exponent = Base64UrlEncoder.DecodeBytes(publicKey.E)
+                }),
+                ValidateLifetime = true,
+            };
+
+            var handler = new JwtSecurityTokenHandler();
+            try
+            {
+                SecurityToken validatedToken;
+                handler.ValidateToken(jwtToken, validationParameters, out validatedToken);
+                return true;
+            }
+            catch (SecurityTokenException)
+            {
+                return false;
+            }
+        }
+    }
+}

server/StrDss.Api/Program.cs

@@ -96,6 +96,8 @@
 builder.Services.AddHttpClients(builder.Configuration);
 builder.Services.AddBceidSoapClient(builder.Configuration);
 
+builder.Services.AddMemoryCache();
+
 var mappingConfig = new MapperConfiguration(cfg =>
 {
     cfg.AddProfile(new EntityToModelProfile());
@@ -108,8 +110,9 @@
 builder.Services.AddSingleton(mapper);
 
 builder.Services.AddScoped<KcJwtBearerEvents>();
+builder.Services.AddScoped<ApsJwtBearerEvents>();
 
-//var strDssAuthScheme = "str_dss";
+var apsAuthScheme = "aps";
 
 //Authentication
 builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
@@ -127,12 +130,26 @@
             ValidAlgorithms = new List<string>() { "RS256" },
         };
     })
+    .AddJwtBearer(apsAuthScheme, options =>
+    {
+        options.Authority = builder.Configuration.GetValue<string>("APS_AUTHORITY");
+        options.IncludeErrorDetails = true;
+        options.EventsType = typeof(ApsJwtBearerEvents);
+        options.RequireHttpsMetadata = !builder.Environment.IsDevelopment();
+        options.TokenValidationParameters = new TokenValidationParameters
+        {
+            ValidateIssuerSigningKey = true,
+            ValidateIssuer = false,
+            ValidateAudience = false,
+            ValidAlgorithms = new List<string>() { "RS256" },
+        };
+    })
 ;
 
 builder.Services.AddAuthorization(options =>
 {
     var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
-        JwtBearerDefaults.AuthenticationScheme);
+        JwtBearerDefaults.AuthenticationScheme, apsAuthScheme);
     defaultAuthorizationPolicyBuilder =
         defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
     options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();

server/StrDss.Data/Repositories/UserRepository.cs

@@ -13,6 +13,7 @@ public interface IUserRepository
         Task<PagedDto<UserListtDto>> GetUserListAsync(string status, string search, long? orgranizationId, int pageSize, int pageNumber, string orderBy, string direction);
         Task CreateUserAsync(UserCreateDto dto);
         Task<(UserDto? user, List<string> permissions)> GetUserAndPermissionsByGuidAsync(Guid guid);
+        Task<(UserDto? user, List<string> permissions)> GetUserAndPermissionsByDisplayNameAsync(string displayName);
         Task<UserDto?> GetUserById(long id);
         Task<UserDto?> GetUserByGuid(Guid guid);
         Task UpdateUserAsync(UserDto dto);
@@ -93,6 +94,30 @@ public async Task CreateUserAsync(UserCreateDto dto)
             return (user, permssions);
         }
 
+        public async Task<(UserDto? user, List<string> permissions)> GetUserAndPermissionsByDisplayNameAsync(string displayName)
+        {
+            var query = await _dbSet.AsNoTracking()
+                .Include(x => x.DssUserRoleAssignments)
+                .Include(x => x.RepresentedByOrganization)
+                .FirstOrDefaultAsync(x => x.DisplayNm == displayName);
+
+            if (query == null)
+                return (null, new List<string>());
+
+            var user = _mapper.Map<UserDto>(query);
+
+            var roles = query.DssUserRoleAssignments.Select(x => x.UserRoleCd).ToList();
+
+            var permssions = _dbContext.DssUserRoles
+                .Where(x => roles.Contains(x.UserRoleCd))
+                .SelectMany(x => x.DssUserRolePrivileges)
+                .ToLookup(x => x.UserPrivilegeCd)
+                .Select(x => x.First())
+                .Select(x => x.UserPrivilegeCd)
+                .ToList();
+
+            return (user, permssions);
+        }
         public async Task<UserDto?> GetUserById(long id)
         {
             var entity = await _dbSet.AsNoTracking()
@@ -215,6 +240,8 @@ public async Task CreateApsUserAsync(ApsUserCreateDto dto)
             dto.FamilyNm = dto.DisplayNm;
 
             var userEntity = _mapper.Map<DssUserIdentity>(dto);
+
+            userEntity.UserGuid = Guid.NewGuid();
 
             var roleCds = dto.RoleCds.Distinct();
 

server/StrDss.Hangfire/Program.cs

@@ -106,6 +106,8 @@
 var mapper = mappingConfig.CreateMapper();
 builder.Services.AddSingleton(mapper);
 
+builder.Services.AddMemoryCache();
+
 builder.Services
     .AddHangfire(configuration => configuration
         .SetDataCompatibilityLevel(CompatibilityLevel.Version_170)

server/StrDss.Model/CurrentUser.cs

@@ -26,6 +26,7 @@ public interface ICurrentUser
         public string OrganizationName { get; set; }
         public DateTime? TermsAcceptanceDtm { get; set; }
         void LoadUserSession(ClaimsPrincipal user);
+        void LoadApsSession(ClaimsPrincipal user);
         void AddClaim(ClaimsPrincipal user, string claimType, string value);
     }
 
@@ -87,6 +88,17 @@ public void LoadUserSession(ClaimsPrincipal user)
             FullName = CommonUtils.GetFullName(FirstName, LastName);
         }
 
+        public void LoadApsSession(ClaimsPrincipal user)
+        {
+            if (user == null)
+                return;
+
+            var textInfo = new CultureInfo("en-US", false).TextInfo;
+
+            IdentityProviderNm = StrDssIdProviders.Aps;
+            DisplayName = user.GetCustomClaim(StrDssClaimTypes.ClientId);
+        }
+
         public void AddClaim(ClaimsPrincipal user, string claimType, string value)
         {
             if (user == null || claimType.IsEmpty() || value.IsEmpty() || user.HasClaim(claimType, value)) return;