[automated] Merge branch 'production' => 'main' (#4398)
premun authored Jan 31, 2025
2 parents 9cda6b9 + a943257 commit 0e82034
Showing 3 changed files with 19 additions and 7 deletions.
Expand Up @@ -190,7 +190,7 @@ public static async Task<bool> IsAuthenticated(this HttpContext context)
}

var authService = context.RequestServices.GetRequiredService<IAuthorizationService>();
AuthorizationResult result = await authService.AuthorizeAsync(success.Ticket!.Principal, AuthenticationConfiguration.MsftAuthorizationPolicyName);
AuthorizationResult result = await authService.AuthorizeAsync(success.Ticket!.Principal, AuthenticationConfiguration.WebAuthorizationPolicyName);
if (!result.Succeeded)
{
context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
Expand Up @@ -9,15 +9,16 @@ namespace ProductConstructionService.Api.Configuration;

internal static class AuthenticationConfiguration
{
public const string EntraAuthorizationPolicyName = "Entra";
public const string MsftAuthorizationPolicyName = "msft";
public const string EntraAuthorizationSchemeName = "Entra";
public const string ApiAuthorizationPolicyName = "MsftApi";
public const string WebAuthorizationPolicyName = "MsftWeb";
public const string AdminAuthorizationPolicyName = "RequireAdminAccess";

public const string AccountSignInRoute = "/Account/SignIn";

public static readonly string[] AuthenticationSchemes =
[
EntraAuthorizationPolicyName,
EntraAuthorizationSchemeName,
OpenIdConnectDefaults.AuthenticationScheme,
];

Expand Down Expand Up @@ -54,7 +55,7 @@ public static void ConfigureAuthServices(this IServiceCollection services, IConf
var openIdAuth = services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme);

openIdAuth
.AddMicrosoftIdentityWebApi(entraAuthConfig, EntraAuthorizationPolicyName);
.AddMicrosoftIdentityWebApi(entraAuthConfig, EntraAuthorizationSchemeName);

openIdAuth
.AddMicrosoftIdentityWebApp(options =>
Expand Down Expand Up @@ -88,12 +89,21 @@ public static void ConfigureAuthServices(this IServiceCollection services, IConf

services
.AddAuthorizationBuilder()
.AddPolicy(MsftAuthorizationPolicyName, policy =>
.AddDefaultPolicy(WebAuthorizationPolicyName, policy =>
{
policy.AddAuthenticationSchemes(AuthenticationSchemes);
policy.RequireAuthenticatedUser();
policy.RequireRole(userRole);
})
.AddPolicy(ApiAuthorizationPolicyName, policy =>
{
// Cookie scheme for BarViz, Entra JWT for Darc and other clients
// The order matters here as the last scheme's Forbid() handler is used for processing authentication failures
// Since cookie scheme returns 200 with the auth exception in the body, Entra should be used instead as it 401s
policy.AddAuthenticationSchemes([CookieAuthenticationDefaults.AuthenticationScheme, EntraAuthorizationSchemeName]);
policy.RequireAuthenticatedUser();
policy.RequireRole(userRole);
})
.AddPolicy(AdminAuthorizationPolicyName, policy =>
{
policy.AddAuthenticationSchemes(AuthenticationSchemes);
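Review bot: The new `AddPolicy(ApiAuthorizationPolicyName, …)` block lets API controllers authenticate with the BarViz session cookie, which makes every state-changing controller action reachable by cross-site request forgery unless antiforgery validation or a `SameSite=Strict` cookie is in place; neither is visible in this hunk, and the cookie options come from `AddMicrosoftIdentityWebApp` elsewhere in the method. I would record that assumption next to the scheme list: `// Cookie auth on API controllers is CSRF-relevant: state-changing actions rely on antiforgery validation or SameSite=Strict being configured on the cookie — verify`. The ordering comment (last scheme's Forbid() handler wins, cookie returns 200 with the exception in the body) describes behaviour configured outside this hunk, so it should point to where the cookie events are set up rather than ask the next maintainer to trust it. ConfigureAuthServices starts and ends outside the hunk.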
Expand Up @@ -248,7 +248,7 @@ internal static async Task ConfigurePcs(
builder.Services.AddRazorPages(
options =>
{
options.Conventions.AuthorizeFolder("/", AuthenticationConfiguration.MsftAuthorizationPolicyName);
options.Conventions.AuthorizeFolder("/", AuthenticationConfiguration.WebAuthorizationPolicyName);
options.Conventions.AllowAnonymousToPage("/Error");
})
.AddGitHubWebHooks()
Expand Down Expand Up @@ -297,6 +297,8 @@ public static void ConfigureApi(this IApplicationBuilder app, bool isDevelopment
app.UseEndpoints(e =>
{
var controllers = e.MapControllers();
controllers.RequireAuthorization(AuthenticationConfiguration.ApiAuthorizationPolicyName);

if (isDevelopment)
{
controllers.AllowAnonymous();
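Review bot: The blanket `controllers.RequireAuthorization(AuthenticationConfiguration.ApiAuthorizationPolicyName)` is silently neutralised in Development, because the `controllers.AllowAnonymous()` that follows under `if (isDevelopment)` adds metadata the authorization middleware honours over any requirement, so the new policy is never exercised in that configuration. That interplay deserves a comment in place, e.g. `// Applies to every mapped controller; in Development the AllowAnonymous() below overrides it, so the policy is only enforced in deployed environments`. It also covers only endpoints produced by `MapControllers()`; anything mapped elsewhere in ConfigureApi (the rest of the method is outside the hunk) is not protected by this line and would need its own requirement or a fallback policy. Controllers carrying `[AllowAnonymous]` (webhook receivers, for instance) keep it, which is presumably intended but worth confirming.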
