Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,8 @@ public static async Task AssertAuthConfigurationResponse(
string expectedClientId = null,
string expectedAuthority = null,
string expectedAudience = null,
string expectedApiScopes = null)
string expectedApiScopes = null,
bool expectedRoleBasedAuthorizationEnabled = false)
{
Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.OK),
"Authentication configuration endpoint should return 200 OK");
Expand All @@ -120,6 +121,11 @@ public static async Task AssertAuthConfigurationResponse(
"Response should contain 'enabled' property");
Assert.That(enabledProperty.GetBoolean(), Is.EqualTo(expectedEnabled),
$"'enabled' should be {expectedEnabled}");

Assert.That(root.TryGetProperty("role_based_authorization_enabled", out var roleBasedAuthorizationEnabledProperty), Is.True,
"Response should contain 'role_based_authorization_enabled' property");
Assert.That(roleBasedAuthorizationEnabledProperty.GetBoolean(), Is.EqualTo(expectedRoleBasedAuthorizationEnabled),
$"'role_based_authorization_enabled' should be {expectedRoleBasedAuthorizationEnabled}");
}

// Note: API uses snake_case JSON serialization (client_id, api_scopes)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,8 @@ await OpenIdConnectAssertions.AssertAuthConfigurationResponse(
expectedEnabled: true,
expectedClientId: TestClientId,
expectedAudience: TestAudience,
expectedApiScopes: TestApiScopes);
expectedApiScopes: TestApiScopes,
expectedRoleBasedAuthorizationEnabled: true);
}

[Test]
Expand Down
7 changes: 7 additions & 0 deletions src/ServiceControl.Infrastructure/OpenIdConnectSettings.cs
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,13 @@ public OpenIdConnectSettings(SettingsRootNamespace rootNamespace, bool validateC

void Validate(bool requireServicePulseSettings)
{
if (!Enabled && RoleBasedAuthorizationEnabled)
{
var message = "Authentication.RoleBasedAuthorizationEnabled cannot be true when Authentication.Enabled is false. Role-based authorization requires authentication to be enabled.";
logger.LogCritical(message);
throw new Exception(message);
}

if (Enabled)
{
ValidateRequiredSettings(requireServicePulseSettings);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ public void TearDown()
Environment.SetEnvironmentVariable("SERVICECONTROL_AUTHENTICATION_VALIDATELIFETIME", null);
Environment.SetEnvironmentVariable("SERVICECONTROL_AUTHENTICATION_VALIDATEISSUERSIGNINGKEY", null);
Environment.SetEnvironmentVariable("SERVICECONTROL_AUTHENTICATION_REQUIREHTTPSMETADATA", null);
Environment.SetEnvironmentVariable("SERVICECONTROL_AUTHENTICATION_ROLEBASEDAUTHORIZATIONENABLED", null);
Environment.SetEnvironmentVariable("SERVICECONTROL_AUTHENTICATION_SERVICEPULSE_CLIENTID", null);
Environment.SetEnvironmentVariable("SERVICECONTROL_AUTHENTICATION_SERVICEPULSE_APISCOPES", null);
Environment.SetEnvironmentVariable("SERVICECONTROL_AUTHENTICATION_SERVICEPULSE_AUTHORITY", null);
Expand All @@ -49,6 +50,7 @@ public void Should_have_correct_defaults()
Assert.That(settings.ValidateLifetime, Is.True);
Assert.That(settings.ValidateIssuerSigningKey, Is.True);
Assert.That(settings.RequireHttpsMetadata, Is.True);
Assert.That(settings.RoleBasedAuthorizationEnabled, Is.False);
Assert.That(settings.ServicePulseClientId, Is.Null);
Assert.That(settings.ServicePulseApiScopes, Is.Null);
Assert.That(settings.ServicePulseAuthority, Is.Null);
Expand Down Expand Up @@ -265,6 +267,16 @@ public void Should_succeed_without_service_pulse_settings_when_not_required()
}
}

[Test]
public void Should_throw_when_role_based_authorization_enabled_without_authentication_enabled()
{
Environment.SetEnvironmentVariable("SERVICECONTROL_AUTHENTICATION_ROLEBASEDAUTHORIZATIONENABLED", "true");

var ex = Assert.Throws<Exception>(() => new OpenIdConnectSettings(TestNamespace, validateConfiguration: true, requireServicePulseSettings: false));

Assert.That(ex.Message, Does.Contain("RoleBasedAuthorizationEnabled cannot be true when Authentication.Enabled is false"));
}

[Test]
public void Should_not_validate_when_disabled()
{
Expand Down
2 changes: 2 additions & 0 deletions src/ServiceControl/Authentication/AuthenticationController.cs
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ public ActionResult<AuthConfig> Configuration()
var info = new AuthConfig
{
Enabled = settings.OpenIdConnectSettings.Enabled,
RoleBasedAuthorizationEnabled = settings.OpenIdConnectSettings.RoleBasedAuthorizationEnabled,
ClientId = settings.OpenIdConnectSettings.ServicePulseClientId,
Authority = settings.OpenIdConnectSettings.ServicePulseAuthority,
Audience = settings.OpenIdConnectSettings.Audience,
Expand All @@ -34,6 +35,7 @@ public ActionResult<AuthConfig> Configuration()
public class AuthConfig
{
public bool Enabled { get; set; }
public bool RoleBasedAuthorizationEnabled { get; set; }
public string ClientId { get; set; }
public string Authority { get; set; }
public string Audience { get; set; }
Expand Down
Loading