Added security to other Web API apps

JMayrbaeurl · Jan 3, 2022 · 4a8e6b0 · 4a8e6b0
1 parent f65bcab
commit 4a8e6b0
Show file tree

Hide file tree

Showing 13 changed files with 115 additions and 60 deletions.
diff --git a/README.md b/README.md
@@ -41,6 +41,13 @@ The REST API operation `PostAASXPackage`of the AASX File Server Interface has so
 If a valid download link (URL) to an AASX package file is provided in the parameter `fileName` and the parameter `file` is null, than the 
 server will download the file directly to the storage. 
 
+### Configuration
+- Azure Blob storage configuration: Use `AASX_FILESERVICE_BLOBSTORAGEURL` in Application Settings to configure the url of the target
+storage. E.g. `https://aasxstoragejm.blob.core.windows.net/`. By default a container titled `aasxfiles` will be used to store the aasx
+packages. This can be changed by specifying another value in the Application settings for `AASX_FILESERVICE_CONTAINERNAME`. 
+- Security: Beside the generic security setup (Azure AD App registration) the role `Storage Blob Data Contributor` has to be assigned 
+to the AASX File server. E.g. by leveraging its Managed Identity of the App service.
+
 ## AAS Discovery server
 TBD
 

diff --git a/src/aas-api-webapp-aasxfile/AAS WebApp AASX File Server.csproj b/src/aas-api-webapp-aasxfile/AAS WebApp AASX File Server.csproj
@@ -11,6 +11,7 @@
 
 	<ItemGroup>
 		<PackageReference Include="Microsoft.Extensions.Azure" Version="1.1.1" />
+		<PackageReference Include="Microsoft.Identity.Web" Version="1.*" />
 		<PackageReference Include="Swashbuckle.AspNetCore" Version="5.5.1" />
 		<PackageReference Include="Swashbuckle.AspNetCore.SwaggerGen" Version="5.5.1" />
 		<PackageReference Include="Swashbuckle.AspNetCore.SwaggerUI" Version="5.5.1" />

diff --git a/src/aas-api-webapp-aasxfile/Controllers/AASXFileServerInterfaceApi.cs b/src/aas-api-webapp-aasxfile/Controllers/AASXFileServerInterfaceApi.cs
@@ -27,6 +27,7 @@ namespace AAS.API.WebApp.Controllers
     /// <summary>
     /// 
     /// </summary>
+    [Authorize]
     [ApiController]
     public class AASXFileServerInterfaceApiController : ControllerBase
     {
@@ -46,7 +47,7 @@ public AASXFileServerInterfaceApiController(ILogger<AASXFileServerInterfaceApiCo
         /// <param name="packageId">The Package Id (BASE64-URL-encoded)</param>
         /// <response code="204">Deleted successfully</response>
         [HttpDelete]
-        [Route("/packages/{packageId}")]
+        [Route("api/v1/packages/{packageId}")]
         [ValidateModelState]
         [SwaggerOperation("DeleteAASXByPackageId")]
         public virtual IActionResult DeleteAASXByPackageId([FromRoute][Required]string packageId)
@@ -70,7 +71,7 @@ public virtual IActionResult DeleteAASXByPackageId([FromRoute][Required]string p
         /// <param name="packageId">The package Id (BASE64-URL-encoded)</param>
         /// <response code="200">Requested AASX package</response>
         [HttpGet]
-        [Route("/packages/{packageId}")]
+        [Route("api/v1/packages/{packageId}")]
         [ValidateModelState]
         [SwaggerOperation("GetAASXByPackageId")]
         [SwaggerResponse(statusCode: 200, type: typeof(byte[]), description: "Requested AASX package")]
@@ -104,7 +105,7 @@ public virtual IActionResult GetAASXByPackageId([FromRoute][Required]string pack
         /// <param name="aasId">The Asset Administration Shell’s unique id (BASE64-URL-encoded)</param>
         /// <response code="200">Requested package list</response>
         [HttpGet]
-        [Route("/packages")]
+        [Route("api/v1/packages")]
         [ValidateModelState]
         [SwaggerOperation("GetAllAASXPackageIds")]
         [SwaggerResponse(statusCode: 200, type: typeof(List<PackageDescription>), description: "Requested package list")]
@@ -128,7 +129,7 @@ public virtual IActionResult GetAllAASXPackageIds([FromQuery]string aasId)
         /// <param name="aasxPackage"></param>
         /// <response code="201">AASX package stored successfully</response>
         [HttpPost]
-        [Route("/packages")]
+        [Route("api/v1/packages")]
         [ValidateModelState]
         [SwaggerOperation("PostAASXPackage")]
         [SwaggerResponse(statusCode: 201, type: typeof(PackageDescription), description: "AASX package stored successfully")]
@@ -153,7 +154,7 @@ public virtual IActionResult PostAASXPackage([FromBody] PackagesBody aasxPackage
         /// <param name="packageId">The Package Id (BASE64-URL-encoded)</param>
         /// <response code="204">AASX package updated successfully</response>
         [HttpPut]
-        [Route("/packages/{packageId}")]
+        [Route("api/v1/packages/{packageId}")]
         [ValidateModelState]
         [SwaggerOperation("PutAASXByPackageId")]
         [SwaggerResponse(statusCode: 204, type: typeof(PackageDescription), description: "AASX package updated successfully")]

diff --git a/src/aas-api-webapp-aasxfile/Startup.cs b/src/aas-api-webapp-aasxfile/Startup.cs
@@ -1,12 +1,15 @@
 using AAS.API.WebApp.Filters;
 using Azure.Identity;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Azure;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
+using Microsoft.Identity.Web;
 using Microsoft.OpenApi.Models;
 using Newtonsoft.Json.Converters;
 using Newtonsoft.Json.Serialization;
@@ -37,6 +40,9 @@ public Startup(IWebHostEnvironment env, IConfiguration configuration)
         /// <param name="services"></param>
         public void ConfigureServices(IServiceCollection services)
         {
+            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+                .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));
+
             // Add framework services.
             services
                 .AddMvc(options =>
@@ -100,6 +106,7 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerF
             //TODO: Uncomment this if you need wwwroot folder
             // app.UseStaticFiles();
 
+            app.UseAuthentication();
             app.UseAuthorization();
 
             app.UseSwagger(options =>
@@ -120,7 +127,10 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerF
 
             app.UseEndpoints(endpoints =>
             {
-                endpoints.MapControllers();
+                if (env.IsDevelopment())
+                    endpoints.MapControllers().WithMetadata(new AllowAnonymousAttribute());
+                else
+                    endpoints.MapControllers();
             });
 
             if (env.IsDevelopment())

diff --git a/src/aas-api-webapp-aasxfile/appsettings.json b/src/aas-api-webapp-aasxfile/appsettings.json
@@ -1,4 +1,10 @@
 {
+  "AzureAd": {
+    "Instance": "https://login.microsoftonline.com/",
+    "Domain": "microsoft.onmicrosoft.com",
+    "ClientId": "b285565d-2793-4b48-9deb-73ac063a8ad6",
+    "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47"
+  },
   "Logging": {
     "LogLevel": {
       "Default": "Information",

diff --git a/src/aas-api-webapp-discovery/AAS WebApp Discovery.csproj b/src/aas-api-webapp-discovery/AAS WebApp Discovery.csproj
@@ -10,6 +10,7 @@
 	</PropertyGroup>
 	<ItemGroup>
 		<PackageReference Include="Microsoft.Extensions.Azure" Version="1.1.1" />
+		<PackageReference Include="Microsoft.Identity.Web" Version="1.*" />
 		<PackageReference Include="Swashbuckle.AspNetCore" Version="5.5.1" />
 		<PackageReference Include="Swashbuckle.AspNetCore.SwaggerGen" Version="5.5.1" />
 		<PackageReference Include="Swashbuckle.AspNetCore.SwaggerUI" Version="5.5.1" />

diff --git a/src/aas-api-webapp-discovery/Controllers/AssetAdministrationShellBasicDiscoveryApi.cs b/src/aas-api-webapp-discovery/Controllers/AssetAdministrationShellBasicDiscoveryApi.cs
@@ -19,12 +19,14 @@
 using AAS.API.Discovery;
 using System.Web;
 using Microsoft.Extensions.Logging;
+using Microsoft.AspNetCore.Authorization;
 
 namespace AAS.API.WebApp.Controllers
 { 
     /// <summary>
     /// 
     /// </summary>
+    [Authorize]
     [ApiController]
     public class AssetAdministrationShellBasicDiscoveryApiController : ControllerBase
     {
@@ -49,7 +51,7 @@ public AssetAdministrationShellBasicDiscoveryApiController(ILogger<AssetAdminist
         /// <param name="aasIdentifier">The Asset Administration Shell’s unique id (BASE64-URL-encoded)</param>
         /// <response code="204">Asset identifier key-value-pairs deleted successfully</response>
         [HttpDelete]
-        [Route("/lookup/shells/{aasIdentifier}")]
+        [Route("api/v1/lookup/shells/{aasIdentifier}")]
         [ValidateModelState]
         [SwaggerOperation("DeleteAllAssetLinksById")]
         public virtual IActionResult DeleteAllAssetLinksById([FromRoute][Required]string aasIdentifier)
@@ -71,7 +73,7 @@ public virtual IActionResult DeleteAllAssetLinksById([FromRoute][Required]string
         /// <param name="assetIds">The key-value-pair of an Asset identifier</param>
         /// <response code="200">Requested Asset Administration Shell ids</response>
         [HttpGet]
-        [Route("/lookup/shells")]
+        [Route("api/v1/lookup/shells")]
         [ValidateModelState]
         [SwaggerOperation("GetAllAssetAdministrationShellIdsByAssetLink")]
         [SwaggerResponse(statusCode: 200, type: typeof(List<string>), description: "Requested Asset Administration Shell ids")]
@@ -94,7 +96,7 @@ public virtual IActionResult GetAllAssetAdministrationShellIdsByAssetLink([FromQ
         /// <param name="aasIdentifier">The Asset Administration Shell’s unique id (BASE64-URL-encoded)</param>
         /// <response code="200">Requested Asset identifier key-value-pairs</response>
         [HttpGet]
-        [Route("/lookup/shells/{aasIdentifier}")]
+        [Route("api/v1/lookup/shells/{aasIdentifier}")]
         [ValidateModelState]
         [SwaggerOperation("GetAllAssetLinksById")]
         [SwaggerResponse(statusCode: 200, type: typeof(List<IdentifierKeyValuePair>), description: "Requested Asset identifier key-value-pairs")]
@@ -118,7 +120,7 @@ public virtual IActionResult GetAllAssetLinksById([FromRoute][Required] string a
         /// <param name="aasIdentifier">The Asset Administration Shell’s unique id (BASE64-URL-encoded)</param>
         /// <response code="201">Asset identifier key-value-pairs created successfully</response>
         [HttpPost]
-        [Route("/lookup/shells/{aasIdentifier}")]
+        [Route("api/v1/lookup/shells/{aasIdentifier}")]
         [ValidateModelState]
         [SwaggerOperation("PostAllAssetLinksById")]
         [SwaggerResponse(statusCode: 201, type: typeof(List<IdentifierKeyValuePair>), description: "Asset identifier key-value-pairs created successfully")]

diff --git a/src/aas-api-webapp-discovery/Startup.cs b/src/aas-api-webapp-discovery/Startup.cs
@@ -1,23 +1,19 @@
 using AAS.API.Discovery.Models;
 using AAS.API.Services.ADT;
 using AAS.API.WebApp.Filters;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
-using Microsoft.AspNetCore.HttpsPolicy;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.Extensions.Azure;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
+using Microsoft.Identity.Web;
 using Microsoft.OpenApi.Models;
 using Newtonsoft.Json.Converters;
 using Newtonsoft.Json.Serialization;
 using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Linq;
-using System.Threading.Tasks;
 
 namespace AAS.API.Discovery.Server
 {
@@ -47,6 +43,9 @@ public Startup(IWebHostEnvironment env, IConfiguration configuration)
         /// <param name="services"></param>
         public void ConfigureServices(IServiceCollection services)
         {
+            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+                .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));
+
             // Add framework services.
             services
                 .AddMvc(options =>
@@ -104,6 +103,7 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerF
             //TODO: Uncomment this if you need wwwroot folder
             //app.UseStaticFiles();
 
+            app.UseAuthentication();
             app.UseAuthorization();
 
             app.UseSwagger(options =>
@@ -124,7 +124,10 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerF
 
             app.UseEndpoints(endpoints =>
             {
-                endpoints.MapControllers();
+                if (env.IsDevelopment())
+                    endpoints.MapControllers().WithMetadata(new AllowAnonymousAttribute());
+                else
+                    endpoints.MapControllers();
             });
 
             if (env.IsDevelopment())

diff --git a/src/aas-api-webapp-discovery/appsettings.json b/src/aas-api-webapp-discovery/appsettings.json
@@ -1,4 +1,10 @@
 {
+  "AzureAd": {
+    "Instance": "https://login.microsoftonline.com/",
+    "Domain": "microsoft.onmicrosoft.com",
+    "ClientId": "b285565d-2793-4b48-9deb-73ac063a8ad6",
+    "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47"
+  },
   "Logging": {
     "LogLevel": {
       "Default": "Information",
@@ -7,5 +13,5 @@
     }
   },
   "AllowedHosts": "*",
-  "OPENAPI_JSON_VERSION_2" : false
+  "OPENAPI_JSON_VERSION_2": false
 }
diff --git a/src/aas-api-webapp-repository/AAS WebApp Repository.csproj b/src/aas-api-webapp-repository/AAS WebApp Repository.csproj
@@ -10,6 +10,7 @@
     <RootNamespace>AAS.API.Registry</RootNamespace>
   </PropertyGroup>
   <ItemGroup>
+	<PackageReference Include="Microsoft.Identity.Web" Version="1.*" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="5.5.1" />
     <PackageReference Include="Swashbuckle.AspNetCore.SwaggerGen" Version="5.5.1" />
     <PackageReference Include="Swashbuckle.AspNetCore.SwaggerUI" Version="5.5.1" />