From ed9c5b97310fc733cd6d46b5eddff389c134e039 Mon Sep 17 00:00:00 2001 From: Charles d'Avernas Date: Mon, 14 Oct 2024 14:56:16 +0200 Subject: [PATCH] fix(Runner): Moved the IOAuth2TokenManager and its implementation from the Infrastructure project to the runner's fix(Runner): Fixed the OAuth2TokenManager to not validate access token issuer name fix(Api): Added environment variable based configuration of the API's JwT issuer, its signing key and its name validation Signed-off-by: Charles d'Avernas --- .../AuthenticationPolicyOptions.cs | 19 +++++++++++++++++++ .../JwtBearerAuthenticationOptions.cs | 5 +++++ .../Synapse.Api.Application.csproj | 2 +- .../Synapse.Api.Client.Core.csproj | 2 +- .../Synapse.Api.Client.Http.csproj | 2 +- .../Synapse.Api.Http/Synapse.Api.Http.csproj | 2 +- src/api/Synapse.Api.Server/Program.cs | 2 +- .../Synapse.Api.Server.csproj | 2 +- src/cli/Synapse.Cli/Synapse.Cli.csproj | 2 +- ...re.Infrastructure.Containers.Docker.csproj | 2 +- ...nfrastructure.Containers.Kubernetes.csproj | 2 +- .../Synapse.Core.Infrastructure.csproj | 2 +- src/core/Synapse.Core/Synapse.Core.csproj | 2 +- src/core/Synapse.Core/SynapseDefaults.cs | 18 +++++++++++++++--- .../Synapse.Correlator.csproj | 2 +- .../Synapse.Operator/Synapse.Operator.csproj | 2 +- .../Interfaces/IOAuth2TokenManager.cs | 2 +- .../Services/OAuth2TokenManager.cs | 6 ++---- .../Synapse.Runner/Synapse.Runner.csproj | 2 +- .../Synapse.Runtime.Abstractions.csproj | 2 +- .../Synapse.Runtime.Docker.csproj | 2 +- .../Synapse.Runtime.Kubernetes.csproj | 2 +- .../Synapse.Runtime.Native.csproj | 2 +- 23 files changed, 60 insertions(+), 26 deletions(-) rename src/{core/Synapse.Core.Infrastructure => runner/Synapse.Runner}/Services/Interfaces/IOAuth2TokenManager.cs (96%) rename src/{core/Synapse.Core.Infrastructure => runner/Synapse.Runner}/Services/OAuth2TokenManager.cs (98%) 
diff --git a/src/api/Synapse.Api.Application/Configuration/AuthenticationPolicyOptions.cs b/src/api/Synapse.Api.Application/Configuration/AuthenticationPolicyOptions.cs
index 882e46165..67ac4f9bb 100644
--- a/src/api/Synapse.Api.Application/Configuration/AuthenticationPolicyOptions.cs
+++ b/src/api/Synapse.Api.Application/Configuration/AuthenticationPolicyOptions.cs
@@ -45,6 +45,25 @@ public AuthenticationPolicyOptions()
 this.Jwt ??= new();
 this.Jwt.Audience = env;
 }
+ env = Environment.GetEnvironmentVariable(SynapseDefaults.EnvironmentVariables.Api.Authentication.Jwt.SigningKey);
+ if (!string.IsNullOrWhiteSpace(env))
+ {
+ this.Jwt ??= new();
+ this.Jwt.SigningKey = env;
+ }
+ env = Environment.GetEnvironmentVariable(SynapseDefaults.EnvironmentVariables.Api.Authentication.Jwt.Issuer);
+ if (!string.IsNullOrWhiteSpace(env))
+ {
+ this.Jwt ??= new();
+ this.Jwt.Issuer = env;
+ }
+ env = Environment.GetEnvironmentVariable(SynapseDefaults.EnvironmentVariables.Api.Authentication.Jwt.ValidateIssuer);
+ if (!string.IsNullOrWhiteSpace(env))
+ {
+ if (!bool.TryParse(env, out var validateIssuer)) throw new Exception($"Failed to parse the specified value '{env}' into a boolean");
+ this.Jwt ??= new();
+ this.Jwt.ValidateIssuer = validateIssuer;
+ }
 env = Environment.GetEnvironmentVariable(SynapseDefaults.EnvironmentVariables.Api.Authentication.Oidc.Authority);
 if (!string.IsNullOrWhiteSpace(env))
 {
diff --git a/src/api/Synapse.Api.Application/Configuration/JwtBearerAuthenticationOptions.cs b/src/api/Synapse.Api.Application/Configuration/JwtBearerAuthenticationOptions.cs
index fe9ca9c9f..07ac3b5b6 100644
--- a/src/api/Synapse.Api.Application/Configuration/JwtBearerAuthenticationOptions.cs
+++ b/src/api/Synapse.Api.Application/Configuration/JwtBearerAuthenticationOptions.cs
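Review bot: The parse failure on the `VALIDATE_ISSUER` variable throws a bare `Exception` whose message does not say which variable was malformed, so an operator who writes `fasle` gets a startup crash with nothing to search for; a specific type carrying the variable name costs one line: `if (!bool.TryParse(env, out var validateIssuer)) throw new FormatException($"Failed to parse the value '{env}' of the environment variable '{SynapseDefaults.EnvironmentVariables.Api.Authentication.Jwt.ValidateIssuer}' into a boolean");`. It is worth remembering that this variable is a kill-switch: once it is `false`, any token whose signature verifies under the configured key is accepted regardless of its `iss` claim, so it should stay a documented exception rather than something deployment manifests copy around. The `SigningKey` read above stores the raw string as the shared secret and leaves the conversion to `GetSigningKey()` (seen in Program.cs, not in this hunk), which is fine as long as that method rejects an empty or too-short key. The constructor holding these reads starts before and ends after the hunk.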
@@ -42,6 +42,11 @@ public class JwtBearerAuthenticationOptions
 ///
 public virtual string? Issuer { get; set; }
+ ///
+ /// Gets/sets a boolean indicating whether or not to validate the issuer of JWT tokens
+ ///
+ public virtual bool ValidateIssuer { get; set; } = true;
+ /// /// Gets the configured issuer signing key ///
diff --git a/src/api/Synapse.Api.Application/Synapse.Api.Application.csproj b/src/api/Synapse.Api.Application/Synapse.Api.Application.csproj
index 44250cc39..8306de75f 100644
--- a/src/api/Synapse.Api.Application/Synapse.Api.Application.csproj
+++ b/src/api/Synapse.Api.Application/Synapse.Api.Application.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/api/Synapse.Api.Client.Core/Synapse.Api.Client.Core.csproj b/src/api/Synapse.Api.Client.Core/Synapse.Api.Client.Core.csproj
index ce5b69ae6..700f1d557 100644
--- a/src/api/Synapse.Api.Client.Core/Synapse.Api.Client.Core.csproj
+++ b/src/api/Synapse.Api.Client.Core/Synapse.Api.Client.Core.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/api/Synapse.Api.Client.Http/Synapse.Api.Client.Http.csproj b/src/api/Synapse.Api.Client.Http/Synapse.Api.Client.Http.csproj
index ad092f464..2671ffc8c 100644
--- a/src/api/Synapse.Api.Client.Http/Synapse.Api.Client.Http.csproj
+++ b/src/api/Synapse.Api.Client.Http/Synapse.Api.Client.Http.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/api/Synapse.Api.Http/Synapse.Api.Http.csproj b/src/api/Synapse.Api.Http/Synapse.Api.Http.csproj
index 265777fe2..f81bf9047 100644
--- a/src/api/Synapse.Api.Http/Synapse.Api.Http.csproj
+++ b/src/api/Synapse.Api.Http/Synapse.Api.Http.csproj
@@ -8,7 +8,7 @@
 Library True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
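Review bot: The summary on the new `ValidateIssuer` property says what the flag is but not what turning it off gives up or what `true` requires, which is exactly what a deployer needs before touching it. Suggested wording: `/// Gets/sets a boolean indicating whether or not to validate the issuer ('iss' claim) of JWT tokens. Defaults to true, in which case <see cref="Issuer"/> must be configured (or be discoverable from the configured authority) or every token is rejected; set to false only when the issuer cannot be pinned, since any issuer whose token verifies under the accepted key is then trusted.` The "discoverable from the configured authority" clause is my reading of how the bearer handler is wired in Program.cs rather than something this hunk shows — confirm before keeping it. A pointer to the `VALIDATE_ISSUER` environment variable that populates this property would also save a round-trip to `SynapseDefaults`.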
diff --git a/src/api/Synapse.Api.Server/Program.cs b/src/api/Synapse.Api.Server/Program.cs
index 39612b88d..1fd3ae6ce 100644
--- a/src/api/Synapse.Api.Server/Program.cs
+++ b/src/api/Synapse.Api.Server/Program.cs
@@ -75,7 +75,7 @@
 ValidAudience = applicationOptions.Authentication.Jwt.Audience,
 ValidateAudience = !string.IsNullOrWhiteSpace(applicationOptions.Authentication.Jwt.Audience),
 ValidIssuer = applicationOptions.Authentication.Jwt.Issuer,
- ValidateIssuer = !string.IsNullOrWhiteSpace(applicationOptions.Authentication.Jwt.Issuer),
+ ValidateIssuer = applicationOptions.Authentication.Jwt.ValidateIssuer,
 IssuerSigningKey = applicationOptions.Authentication.Jwt.GetSigningKey()
 };
 });
diff --git a/src/api/Synapse.Api.Server/Synapse.Api.Server.csproj b/src/api/Synapse.Api.Server/Synapse.Api.Server.csproj
index 2f9270ca0..92583633a 100644
--- a/src/api/Synapse.Api.Server/Synapse.Api.Server.csproj
+++ b/src/api/Synapse.Api.Server/Synapse.Api.Server.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/cli/Synapse.Cli/Synapse.Cli.csproj b/src/cli/Synapse.Cli/Synapse.Cli.csproj
index 2498ef361..8c7caedbc 100644
--- a/src/cli/Synapse.Cli/Synapse.Cli.csproj
+++ b/src/cli/Synapse.Cli/Synapse.Cli.csproj
@@ -8,7 +8,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/core/Synapse.Core.Infrastructure.Containers.Docker/Synapse.Core.Infrastructure.Containers.Docker.csproj b/src/core/Synapse.Core.Infrastructure.Containers.Docker/Synapse.Core.Infrastructure.Containers.Docker.csproj
index 088ce0ae0..c96400e94 100644
--- a/src/core/Synapse.Core.Infrastructure.Containers.Docker/Synapse.Core.Infrastructure.Containers.Docker.csproj
+++ b/src/core/Synapse.Core.Infrastructure.Containers.Docker/Synapse.Core.Infrastructure.Containers.Docker.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
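Review bot: `ValidateIssuer` becomes an explicit option here, but the line two above it still derives `ValidateAudience` from whether `Audience` happens to be set, so the two checks now fail in opposite directions: an unset issuer rejects every token (fail closed, but only visible as 401s at request time), while an unset audience silently accepts tokens minted for any other client of the same issuer. Either give the audience the same explicit treatment or, at minimum, fail fast at startup when issuer validation is on with nothing to validate against, e.g. `if (applicationOptions.Authentication.Jwt.ValidateIssuer && string.IsNullOrWhiteSpace(applicationOptions.Authentication.Jwt.Issuer)) throw new InvalidOperationException("JWT issuer validation is enabled but no issuer is configured");` — relax that guard if the issuer is meant to come from the authority's discovery metadata, which this hunk does not show. The configuration lambda that holds this initializer starts and ends outside the hunk.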
diff --git a/src/core/Synapse.Core.Infrastructure.Containers.Kubernetes/Synapse.Core.Infrastructure.Containers.Kubernetes.csproj b/src/core/Synapse.Core.Infrastructure.Containers.Kubernetes/Synapse.Core.Infrastructure.Containers.Kubernetes.csproj
index 2e38e722c..5ee026c87 100644
--- a/src/core/Synapse.Core.Infrastructure.Containers.Kubernetes/Synapse.Core.Infrastructure.Containers.Kubernetes.csproj
+++ b/src/core/Synapse.Core.Infrastructure.Containers.Kubernetes/Synapse.Core.Infrastructure.Containers.Kubernetes.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/core/Synapse.Core.Infrastructure/Synapse.Core.Infrastructure.csproj b/src/core/Synapse.Core.Infrastructure/Synapse.Core.Infrastructure.csproj
index 48737cd95..143e7a7b5 100644
--- a/src/core/Synapse.Core.Infrastructure/Synapse.Core.Infrastructure.csproj
+++ b/src/core/Synapse.Core.Infrastructure/Synapse.Core.Infrastructure.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/core/Synapse.Core/Synapse.Core.csproj b/src/core/Synapse.Core/Synapse.Core.csproj
index 66f5f6f02..fb1f01a7c 100644
--- a/src/core/Synapse.Core/Synapse.Core.csproj
+++ b/src/core/Synapse.Core/Synapse.Core.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/core/Synapse.Core/SynapseDefaults.cs b/src/core/Synapse.Core/SynapseDefaults.cs
index 4e6e81045..f40ad3bd9 100644
--- a/src/core/Synapse.Core/SynapseDefaults.cs
+++ b/src/core/Synapse.Core/SynapseDefaults.cs
@@ -440,18 +440,30 @@ public static class Jwt
 {
 ///
- /// Gets the prefix for all JWT Bearer related environment variables
+ /// Gets the prefix for all JWT related environment variables
 ///
 public const string Prefix = Authentication.Prefix + "JWT_";
 ///
- /// Gets the name of the environment variables used to specify the JWT Bearer authority to use
+ /// Gets the name of the environment variables used to specify the JWT authority to use
 ///
 public const string Authority = Prefix + "AUTHORITY";
 ///
- /// Gets the name of the environment variables used to specify the JWT Bearer audience
+ /// Gets the name of the environment variables used to specify the JWT audience
 ///
 public const string Audience = Prefix + "AUDIENCE";
+ ///
+ /// Gets the name of the environment variables used to configure the key used to verify the signature of JWT tokens
+ ///
+ public const string SigningKey = Prefix + "SIGNING_KEY";
+ ///
+ /// Gets the name of the environment variables used to configure the expected issuer of JWT tokens
+ ///
+ public const string Issuer = Prefix + "ISSUER";
+ ///
+ /// Gets the name of the environment variables used to configure whether or not to validate the issuer of JWT tokens
+ ///
+ public const string ValidateIssuer = Prefix + "VALIDATE_ISSUER";
 }
diff --git a/src/correlator/Synapse.Correlator/Synapse.Correlator.csproj b/src/correlator/Synapse.Correlator/Synapse.Correlator.csproj
index f6b5b7f4f..6fdb0a7b8 100644
--- a/src/correlator/Synapse.Correlator/Synapse.Correlator.csproj
+++ b/src/correlator/Synapse.Correlator/Synapse.Correlator.csproj
@@ -8,7 +8,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/operator/Synapse.Operator/Synapse.Operator.csproj b/src/operator/Synapse.Operator/Synapse.Operator.csproj
index 6bd2ff3f2..ca66e494c 100644
--- a/src/operator/Synapse.Operator/Synapse.Operator.csproj
+++ b/src/operator/Synapse.Operator/Synapse.Operator.csproj
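Review bot: The three new constants document which variable exists but not what value it takes, which matters most for `VALIDATE_ISSUER` (its consumer in AuthenticationPolicyOptions parses it with `bool.TryParse` and throws on anything else) and for `SIGNING_KEY` (it is a secret, not a setting). Suggested summaries: for `ValidateIssuer`, `/// Gets the name of the environment variable used to configure whether or not to validate the issuer of JWT tokens. Accepts 'true' or 'false' (case-insensitive); defaults to true when unset.`; for `SigningKey`, `/// Gets the name of the environment variable used to configure the key used to verify the signature of JWT tokens. This value is a secret: source it from a secret store or mounted secret rather than an inline value in deployment manifests.` The plural "environment variables" on each new summary refers to a single variable name; the pre-existing summaries above carry the same wording, so either fix all of them in this pass or leave them for consistency.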
@@ -8,7 +8,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/core/Synapse.Core.Infrastructure/Services/Interfaces/IOAuth2TokenManager.cs b/src/runner/Synapse.Runner/Services/Interfaces/IOAuth2TokenManager.cs
similarity index 96%
rename from src/core/Synapse.Core.Infrastructure/Services/Interfaces/IOAuth2TokenManager.cs
rename to src/runner/Synapse.Runner/Services/Interfaces/IOAuth2TokenManager.cs
index d80ab41db..a37cee687 100644
--- a/src/core/Synapse.Core.Infrastructure/Services/Interfaces/IOAuth2TokenManager.cs
+++ b/src/runner/Synapse.Runner/Services/Interfaces/IOAuth2TokenManager.cs
@@ -13,7 +13,7 @@
 using ServerlessWorkflow.Sdk.Models.Authentication;
-namespace Synapse.Core.Infrastructure.Services;
+namespace Synapse.Runner.Services;
 ///
 /// Defines the fundamentals of a service used to manage s
diff --git a/src/core/Synapse.Core.Infrastructure/Services/OAuth2TokenManager.cs b/src/runner/Synapse.Runner/Services/OAuth2TokenManager.cs
similarity index 98%
rename from src/core/Synapse.Core.Infrastructure/Services/OAuth2TokenManager.cs
rename to src/runner/Synapse.Runner/Services/OAuth2TokenManager.cs
index 534210008..81a1a6044 100644
--- a/src/core/Synapse.Core.Infrastructure/Services/OAuth2TokenManager.cs
+++ b/src/runner/Synapse.Runner/Services/OAuth2TokenManager.cs
@@ -12,18 +12,15 @@
 // limitations under the License.
 using IdentityModel.Client;
-using Microsoft.Extensions.Logging;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Tokens;
-using Neuroglia.Serialization;
-using ServerlessWorkflow.Sdk;
 using ServerlessWorkflow.Sdk.Models.Authentication;
 using System.Collections.Concurrent;
 using System.Net.Mime;
 using System.Security.Claims;
 using System.Text;
-namespace Synapse.Core.Infrastructure.Services;
+namespace Synapse.Runner.Services;
 ///
 /// Represents the default implementation of the interface
@@ -69,6 +66,7 @@ public virtual async Task GetTokenAsync(OAuth2AuthenticationSchemeD
 Address = configuration.Authority!.OriginalString,
 Policy = new()
 {
+ ValidateIssuerName = false,
 RequireHttps = false
 }
 };
diff --git a/src/runner/Synapse.Runner/Synapse.Runner.csproj b/src/runner/Synapse.Runner/Synapse.Runner.csproj
index eea3fb617..1dd203dd5 100644
--- a/src/runner/Synapse.Runner/Synapse.Runner.csproj
+++ b/src/runner/Synapse.Runner/Synapse.Runner.csproj
@@ -8,7 +8,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/runtime/Synapse.Runtime.Abstractions/Synapse.Runtime.Abstractions.csproj b/src/runtime/Synapse.Runtime.Abstractions/Synapse.Runtime.Abstractions.csproj
index 2209a85a3..3bd37b912 100644
--- a/src/runtime/Synapse.Runtime.Abstractions/Synapse.Runtime.Abstractions.csproj
+++ b/src/runtime/Synapse.Runtime.Abstractions/Synapse.Runtime.Abstractions.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/runtime/Synapse.Runtime.Docker/Synapse.Runtime.Docker.csproj b/src/runtime/Synapse.Runtime.Docker/Synapse.Runtime.Docker.csproj
index cd6260e94..26b419b93 100644
--- a/src/runtime/Synapse.Runtime.Docker/Synapse.Runtime.Docker.csproj
+++ b/src/runtime/Synapse.Runtime.Docker/Synapse.Runtime.Docker.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
diff --git a/src/runtime/Synapse.Runtime.Kubernetes/Synapse.Runtime.Kubernetes.csproj b/src/runtime/Synapse.Runtime.Kubernetes/Synapse.Runtime.Kubernetes.csproj
index 82fb2cfc4..47adfd0ba 100644
--- a/src/runtime/Synapse.Runtime.Kubernetes/Synapse.Runtime.Kubernetes.csproj
+++ b/src/runtime/Synapse.Runtime.Kubernetes/Synapse.Runtime.Kubernetes.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors
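Review bot: `ValidateIssuerName = false` is hard-coded for every OAuth2 scheme the runner resolves, next to the pre-existing `RequireHttps = false`, so the discovery document fetched from `configuration.Authority` is accepted even when its advertised `issuer` does not match the authority and even over plain HTTP, and nothing records that this happened (the same commit drops the `Microsoft.Extensions.Logging` using from this file). The commit message describes this as the access-token issuer name, but the object being built is the `DiscoveryPolicy` of the metadata request, i.e. the issuer claimed by the discovery document; if the motivation is an authority URL that differs from the public issuer (reverse proxy, in-cluster address), that is a per-authority exception and should be opt-in from the scheme definition — e.g. a `validateIssuerName` flag on `OAuth2AuthenticationSchemeDefinition` defaulting to true, consumed as `ValidateIssuerName = configuration.ValidateIssuerName ?? true` if the SDK type does not already expose one — rather than a blanket default, or at the very least carry a comment stating why the check is off. Endpoint validation presumably still defaults to on and keeps the token endpoint under the authority base address — confirm, because after this change it is the only property tying the fetched metadata to the configured authority. `GetTokenAsync` starts before and ends after this hunk.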
diff --git a/src/runtime/Synapse.Runtime.Native/Synapse.Runtime.Native.csproj b/src/runtime/Synapse.Runtime.Native/Synapse.Runtime.Native.csproj
index 803c2782c..26b905a1f 100644
--- a/src/runtime/Synapse.Runtime.Native/Synapse.Runtime.Native.csproj
+++ b/src/runtime/Synapse.Runtime.Native/Synapse.Runtime.Native.csproj
@@ -7,7 +7,7 @@
 en True 1.0.0
- alpha3.1
+ alpha3.2
 $(VersionPrefix) $(VersionPrefix) The Synapse Authors