Update to allow rolesclaim to be set in configuration

#175
microsoft · Nov 8, 2018 · 8911f32 · 8911f32
1 parent 67dfe76
commit 8911f32
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 7 deletions.
diff --git a/src/Microsoft.Health.Fhir.Api/Modules/SecurityModule.cs b/src/Microsoft.Health.Fhir.Api/Modules/SecurityModule.cs
@@ -3,6 +3,7 @@
 // Licensed under the MIT License (MIT). See LICENSE in the repo root for license information.
 // -------------------------------------------------------------------------------------------------
 
+using System.IdentityModel.Tokens.Jwt;
 using EnsureThat;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization;
@@ -33,6 +34,9 @@ public void Load(IServiceCollection services)
 
             services.AddSingleton<IAuthorizationPolicyProvider, AuthorizationPolicyProvider>();
 
+            // Set the token handler to not do auto inbound mapping. (e.g. "roles" -> "http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
+            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
+
             if (_securityConfiguration.Enabled)
             {
                 services.AddAuthentication(options =>

diff --git a/...oft.Health.Fhir.Core.UnitTests/Features/Security/RoleBasedAuthorizationPolicyUnitTests.cs b/...oft.Health.Fhir.Core.UnitTests/Features/Security/RoleBasedAuthorizationPolicyUnitTests.cs
@@ -81,7 +81,7 @@ public static IEnumerable<object[]> GetIncompatibleRoleDataForAction(ResourceAct
 
         private static ClaimsPrincipal GetClaimsPrincipalForRoles(params string[] roles)
         {
-            var claimsId = new ClaimsIdentity(roles.Select(r => new Claim(ClaimTypes.Role, r)));
+            var claimsId = new ClaimsIdentity(roles.Select(r => new Claim("roles", r)));
             return new ClaimsPrincipal(new List<ClaimsIdentity> { claimsId });
         }
 

diff --git a/src/Microsoft.Health.Fhir.Core/Configs/AuthorizationConfiguration.cs b/src/Microsoft.Health.Fhir.Core/Configs/AuthorizationConfiguration.cs
@@ -13,7 +13,7 @@ namespace Microsoft.Health.Fhir.Core.Configs
 {
     public class AuthorizationConfiguration
     {
-        public const string RolesClaim = "roles";
+        public string RolesClaim { get; set; } = "roles";
 
         public bool Enabled { get; set; }
 

diff --git a/...icrosoft.Health.Fhir.Core/Features/Security/Authorization/RoleBasedAuthorizationPolicy.cs b/...icrosoft.Health.Fhir.Core/Features/Security/Authorization/RoleBasedAuthorizationPolicy.cs
@@ -16,11 +16,13 @@ public class RoleBasedAuthorizationPolicy : IAuthorizationPolicy
     {
         private readonly Dictionary<string, Role> _roles;
         private readonly Dictionary<string, IEnumerable<ResourceAction>> _roleNameToResourceActions;
+        private AuthorizationConfiguration _authorizationConfiguration;
 
         public RoleBasedAuthorizationPolicy(AuthorizationConfiguration authorizationConfiguration)
         {
             EnsureArg.IsNotNull(authorizationConfiguration, nameof(authorizationConfiguration));
 
+            _authorizationConfiguration = authorizationConfiguration;
             _roles = authorizationConfiguration.Roles.ToDictionary(r => r.Name, StringComparer.InvariantCultureIgnoreCase);
             _roleNameToResourceActions = _roles.Select(kvp => KeyValuePair.Create(kvp.Key, kvp.Value.ResourcePermissions.Select(rp => rp.Actions).SelectMany(x => x))).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
         }
@@ -41,7 +43,7 @@ public bool HasPermission(ClaimsPrincipal user, ResourceAction action)
         private IEnumerable<ResourceAction> GetRolesAndActions(ClaimsPrincipal user)
         {
             var roles = user.Claims
-                .Where(claim => (claim.Type == ClaimTypes.Role || claim.Type == AuthorizationConfiguration.RolesClaim) && _roles.ContainsKey(claim.Value))
+                .Where(claim => claim.Type == _authorizationConfiguration.RolesClaim && _roles.ContainsKey(claim.Value))
                 .Select(claim => _roles[claim.Value]);
 
             var actions = roles.Select(r => _roleNameToResourceActions[r.Name]).SelectMany(x => x).Distinct();

diff --git a/src/Microsoft.Health.Fhir.Web/DevelopmentIdentityProviderRegistrationExtensions.cs b/src/Microsoft.Health.Fhir.Web/DevelopmentIdentityProviderRegistrationExtensions.cs
@@ -34,6 +34,9 @@ public static IServiceCollection AddDevelopmentIdentityProvider(this IServiceCol
             EnsureArg.IsNotNull(services, nameof(services));
             EnsureArg.IsNotNull(configuration, nameof(configuration));
 
+            var authorizationConfiguration = new AuthorizationConfiguration();
+            configuration.GetSection("FhirServer:Security:Authorization").Bind(authorizationConfiguration);
+
             var developmentIdentityProviderConfiguration = new DevelopmentIdentityProviderConfiguration();
             configuration.GetSection("DevelopmentIdentityProvider").Bind(developmentIdentityProviderConfiguration);
             services.AddSingleton(Options.Create(developmentIdentityProviderConfiguration));
@@ -46,9 +49,9 @@ public static IServiceCollection AddDevelopmentIdentityProvider(this IServiceCol
                     {
                         new ApiResource(
                         DevelopmentIdentityProviderConfiguration.Audience,
-                        claimTypes: new List<string>() { ClaimTypes.Role, ClaimTypes.Name, ClaimTypes.NameIdentifier })
+                        claimTypes: new List<string>() { authorizationConfiguration.RolesClaim, ClaimTypes.Name, ClaimTypes.NameIdentifier })
                         {
-                            UserClaims = { AuthorizationConfiguration.RolesClaim },
+                            UserClaims = { authorizationConfiguration.RolesClaim },
                         },
                     })
                     .AddTestUsers(developmentIdentityProviderConfiguration.Users?.Select(user =>
@@ -58,7 +61,7 @@ public static IServiceCollection AddDevelopmentIdentityProvider(this IServiceCol
                             Password = user.Id,
                             IsActive = true,
                             SubjectId = user.Id,
-                            Claims = user.Roles.Select(r => new Claim(AuthorizationConfiguration.RolesClaim, r)).ToList(),
+                            Claims = user.Roles.Select(r => new Claim(authorizationConfiguration.RolesClaim, r)).ToList(),
                         }).ToList())
                     .AddInMemoryClients(
                         developmentIdentityProviderConfiguration.ClientApplications.Select(
@@ -77,7 +80,7 @@ public static IServiceCollection AddDevelopmentIdentityProvider(this IServiceCol
                                     AllowedScopes = { DevelopmentIdentityProviderConfiguration.Audience },
 
                                     // app roles that the client app may have
-                                    Claims = applicationConfiguration.Roles.Select(r => new Claim(AuthorizationConfiguration.RolesClaim, r)).Concat(new[] { new Claim("appid", applicationConfiguration.Id) }).ToList(),
+                                    Claims = applicationConfiguration.Roles.Select(r => new Claim(authorizationConfiguration.RolesClaim, r)).Concat(new[] { new Claim("appid", applicationConfiguration.Id) }).ToList(),
 
                                     ClientClaimsPrefix = string.Empty,
                                 }));