Fix personal access token published scopes (#29)

SwissLife-OSS · Nov 25, 2021 · 2ab0cd3 · 2ab0cd3
1 parent b05c313
commit 2ab0cd3
Show file tree

Hide file tree

Showing 10 changed files with 45 additions and 14 deletions.
diff --git a/...ntityServer/test/IdentityServer.Store.Mongo.Tests/IdentityServer.Store.Mongo.Tests.csproj b/...ntityServer/test/IdentityServer.Store.Mongo.Tests/IdentityServer.Store.Mongo.Tests.csproj
@@ -8,7 +8,7 @@
   <ItemGroup>
     <PackageReference Include="FluentAssertions" Version="5.10.3" />
     <PackageReference Include="Snapshooter.Xunit" Version="0.5.8" />
-    <PackageReference Include="Squadron.Mongo" Version="0.9.0" />
+    <PackageReference Include="Squadron.Mongo" Version="0.13.0" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>

diff --git a/src/Server/src/Abstractions/Model/PersonalAccessToken.cs b/src/Server/src/Abstractions/Model/PersonalAccessToken.cs
@@ -46,7 +46,7 @@ public bool IsInServerGroup(IdentityServerGroup serverGroup)
         /// <summary>
         /// The scoped that are allowed to be requested with the access token
         /// </summary>
-        public ICollection<string> AllowedScopes { get; set; }
+        public ICollection<Guid> AllowedScopes { get; set; }
 
         /// <summary>
         /// The clients that are allowed to request this access token

diff --git a/src/Server/src/Api.Host/IdOpsSeeder.cs b/src/Server/src/Api.Host/IdOpsSeeder.cs
@@ -64,10 +64,11 @@ public async Task StartAsync(CancellationToken cancellationToken)
                     _environments.Select(e => new Environment { Id = e.EnvId, Name = e.EnvName }),
                     cancellationToken: cancellationToken);
 
+                var colorRandomize = new Random();
                 await _idOpsDbContext.Tenants.InsertManyAsync(
                     _tenants.Select(tenant => new Tenant
                     {
-                        Color = "#14299c",
+                        Color = $"#{colorRandomize.Next(0x1000000):X6}",
                         Description = $"{tenant} tenant",
                         Id = tenant,
                         RoleMappings = _environments
@@ -76,7 +77,15 @@ public async Task StartAsync(CancellationToken cancellationToken)
                                 EnvironmentId = e.EnvId,
                                 ClaimValue = "IdOps.Admin",
                                 Role = "IdOps.Admin"
-                            }).ToArray()
+                            }).ToArray(),
+                        Modules = new List<TenantModule>
+                        {
+                            new()
+                            {
+                                Name = "PersonalAccessTokens",
+                                Settings = new []{ new TenantSetting { Name = "Sources", Value = "Local" } }
+                            }
+                        }
                     }), cancellationToken: cancellationToken);
 
                 await _idOpsDbContext.IdentityServerGroups.InsertOneAsync(
@@ -111,6 +120,28 @@ public async Task StartAsync(CancellationToken cancellationToken)
                         Tenants = _tenants,
                     }, cancellationToken: cancellationToken);
 
+                await _idOpsDbContext.IdentityResources.InsertOneAsync(
+                    new IdentityResource
+                    {
+                        Name = "openid",
+                        DisplayName = "Your user identifier",
+                        UserClaims = new[] {"sub"},
+                        IdentityServerGroupId = _groupId,
+                        Tenants = _tenants,
+                        ShowInDiscoveryDocument = true,
+                        Enabled = true,
+                        Required = true,
+                    }, cancellationToken: cancellationToken);
+
+                await _idOpsDbContext.ApiScopes.InsertManyAsync(
+                    _tenants.Select(tenant => new ApiScope
+                    {
+                        Name = "api.read",
+                        Tenant = tenant,
+                        DisplayName = "Read access",
+                        Enabled = true
+                    }), cancellationToken: cancellationToken);
+
                 await _idOpsDbContext.ClientTemplates.InsertManyAsync(
                     _tenants.Select(tenant => new ClientTemplate
                     {

diff --git a/src/Server/src/Core/Data/PersonalAccessToken/Builder/PersonalAccessTokenBuilder.cs b/src/Server/src/Core/Data/PersonalAccessToken/Builder/PersonalAccessTokenBuilder.cs
@@ -8,7 +8,7 @@ namespace IdOps.Builder
     public class PersonalAccessTokenBuilder
     {
         private readonly List<HashedToken> _tokens = new();
-        private readonly HashSet<string> _allowedScopes = new();
+        private readonly HashSet<Guid> _allowedScopes = new();
         private readonly HashSet<Guid> _allowedApplications = new();
         private readonly List<IdOpsClaimExtension> _claimExtensions = new();
 
@@ -67,7 +67,7 @@ public PersonalAccessTokenBuilder SetEnvironment(Guid? environmentId)
             return this;
         }
 
-        public PersonalAccessTokenBuilder SetAllowedScopes(IEnumerable<string> allowedScopes)
+        public PersonalAccessTokenBuilder SetAllowedScopes(IEnumerable<Guid> allowedScopes)
         {
             foreach (var allowedClient in allowedScopes)
             {

diff --git a/src/Server/src/Core/Data/PersonalAccessToken/PersonalAccessTokenMessageFactory.cs b/src/Server/src/Core/Data/PersonalAccessToken/PersonalAccessTokenMessageFactory.cs
@@ -27,7 +27,7 @@ public PersonalAccessTokenMessageFactory(IIdentityServerGroupService identitySer
                             new IdOpsHashedToken(x.Id, x.Token, x.ExpiresAt, x.CreatedAt, false))
                         .ToList(),
                     CreatedAt = token.CreatedAt,
-                    AllowedScopes = token.AllowedScopes,
+                    AllowedScopes = context.GetAllowedScopes(token.AllowedScopes),
                     ClaimExtensions = token.ClaimsExtensions
                         .Select(x => new ClaimExtension(x.Type, x.Value))
                         .ToArray(),

diff --git a/src/Server/src/Core/Data/PersonalAccessToken/Requests/CreatePersonalAccessTokenRequest.cs b/src/Server/src/Core/Data/PersonalAccessToken/Requests/CreatePersonalAccessTokenRequest.cs
@@ -29,6 +29,6 @@ public record CreatePersonalAccessTokenRequest(
         string Source,
         string HashAlgorithm,
         IReadOnlyList<Guid> AllowedApplicationIds,
-        IReadOnlyList<string> AllowedScopes,
+        IReadOnlyList<Guid> AllowedScopes,
         IReadOnlyList<ClaimsExtensionRequest> ClaimsExtensions) : ITenantInput;
 }
diff --git a/src/Server/src/Core/Data/PersonalAccessToken/Requests/UpdatePersonalAccessTokenRequest.cs b/src/Server/src/Core/Data/PersonalAccessToken/Requests/UpdatePersonalAccessTokenRequest.cs
@@ -8,7 +8,7 @@ public record UpdatePersonalAccessTokenRequest(
         Guid Id,
         string? UserName,
         string? Source,
-        ICollection<string>? AllowedScopes,
+        ICollection<Guid>? AllowedScopes,
         ICollection<Guid>? AllowedApplicationIds,
         ICollection<IdOpsClaimExtension>? ClaimsExtensions)
     {

diff --git a/src/Server/test/GraphQL.Tests/GraphQL.Tests.csproj b/src/Server/test/GraphQL.Tests/GraphQL.Tests.csproj
@@ -15,7 +15,7 @@
     <PackageReference Include="Moq" Version="4.16.1" />
     <PackageReference Include="Snapshooter.Xunit" Version="0.7.1" />
     <PackageReference Include="xunit" Version="2.4.1" />
-    <PackageReference Include="Squadron.Mongo" Version="0.10.0" />
+    <PackageReference Include="Squadron.Mongo" Version="0.13.0" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>

diff --git a/src/Server/test/GraphQL.Tests/__snapshots__/schema.graphql b/src/Server/test/GraphQL.Tests/__snapshots__/schema.graphql
@@ -421,7 +421,7 @@ type PersonalAccessToken implements IResource {
   environmentId: Uuid!
   tokens: [HashedToken!]!
   createdAt: DateTime!
-  allowedScopes: [String!]!
+  allowedScopes: [Uuid!]!
   allowedApplicationIds: [Uuid!]!
   source: String!
   hashAlgorithm: String!
@@ -782,7 +782,7 @@ input CreatePersonalAccessTokenInput {
   source: String!
   hashAlgorithm: String!
   allowedApplicationIds: [Uuid!]!
-  allowedScopes: [String!]!
+  allowedScopes: [Uuid!]!
   claimsExtensions: [ClaimsExtensionRequestInput!]!
 }
 
@@ -1109,7 +1109,7 @@ input UpdatePersonalAccessTokenInput {
   id: Uuid!
   userName: String
   source: String
-  allowedScopes: [String!]
+  allowedScopes: [Uuid!]
   allowedApplicationIds: [Uuid!]
   claimsExtensions: [IdOpsClaimExtensionInput!]
 }

diff --git a/src/Server/test/Host.Tests/Host.Tests.csproj b/src/Server/test/Host.Tests/Host.Tests.csproj
@@ -10,7 +10,7 @@
     <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="5.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.TestHost" Version="5.0.2" />
 
-    <PackageReference Include="Squadron.Mongo" Version="0.9.0" />
+    <PackageReference Include="Squadron.Mongo" Version="0.13.0" />
     <PackageReference Include="xunit" Version="2.4.1" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>