Custom allow list options for IP based 2fa selection

ministryofjustice · Jun 9, 2024 · 58b8544 · 58b8544
1 parent 599ee30
commit 58b8544
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 6 deletions.
diff --git a/src/Infrastructure/DependencyInjection.cs b/src/Infrastructure/DependencyInjection.cs
@@ -164,13 +164,21 @@ private static IServiceCollection AddAuthenticationService(
         IConfiguration configuration
     )
     {
+
+        services.Configure<AllowlistOptions>(configuration.GetSection(nameof(AllowlistOptions)));
+
         services
             .AddIdentityCore<ApplicationUser>()
             .AddRoles<ApplicationRole>()
             .AddEntityFrameworkStores<ApplicationDbContext>()
-            .AddSignInManager()
+            //.AddSignInManager()
             .AddClaimsPrincipalFactory<ApplicationUserClaimsPrincipalFactory>()
             .AddDefaultTokenProviders();
+
+       services.AddScoped<SignInManager<ApplicationUser>, CustomSigninManager<ApplicationUser>>();
+       services.AddScoped<ISecurityStampValidator, SecurityStampValidator<ApplicationUser>>();
+
+
         services.Configure<IdentityOptions>(options =>
         {
             var identitySettings = configuration

diff --git a/src/Infrastructure/Services/Identity/AllowlistOptions.cs b/src/Infrastructure/Services/Identity/AllowlistOptions.cs
@@ -0,0 +1,6 @@
+namespace Cfo.Cats.Infrastructure.Services.Identity;
+
+public class AllowlistOptions
+{
+    public List<string> AllowedIPs { get; set; } = new();
+}
diff --git a/src/Infrastructure/Services/Identity/CustomSigninManager.cs b/src/Infrastructure/Services/Identity/CustomSigninManager.cs
@@ -0,0 +1,33 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+
+namespace Cfo.Cats.Infrastructure.Services.Identity;
+
+public class CustomSigninManager<TUser>(UserManager<TUser> userManager, IHttpContextAccessor contextAccessor, IUserClaimsPrincipalFactory<TUser> claimsFactory, IOptions<IdentityOptions> optionsAccessor, ILogger<SignInManager<TUser>> logger, IAuthenticationSchemeProvider schemes, IUserConfirmation<TUser> confirmation, IHttpContextAccessor httpContextAccessor, IOptions<AllowlistOptions> allowlistOptions)
+    : SignInManager<TUser>(userManager, contextAccessor, claimsFactory, optionsAccessor, logger, schemes, confirmation)
+    where TUser : class
+{
+    public override async Task<SignInResult> PasswordSignInAsync(string userName, string password, bool isPersistent, bool lockoutOnFailure)
+    {
+        var user = await UserManager.FindByNameAsync(userName);
+
+        if (user == null)
+        {
+            return SignInResult.Failed;
+        }
+
+        var ipAddress = httpContextAccessor.HttpContext!.Connection.RemoteIpAddress?.ToString();
+        if (string.IsNullOrWhiteSpace(ipAddress) == false && allowlistOptions.Value.AllowedIPs.Contains(ipAddress))
+        {
+            var result = await CheckPasswordSignInAsync(user, password, lockoutOnFailure);
+            if (result.Succeeded)
+            {
+                await SignInAsync(user, isPersistent);
+            }
+            return result;
+        }
+        return await base.PasswordSignInAsync(userName, password, isPersistent, lockoutOnFailure);
+    }
+
+
+}
diff --git a/src/Server.UI/appsettings.Development.json b/src/Server.UI/appsettings.Development.json
@@ -1,7 +1,8 @@
 {
-/*  "DatabaseSettings": {
-    "DbProvider": "sqlite",
-    "ConnectionString": "Data Source=./cats.db;"
-  },*/
-  "DetailedErrors": true
+  "DetailedErrors": true,
+  "AllowlistOptions": {
+    "AllowedIPs": [
+      "::1"
+    ]
+  }
 }
diff --git a/src/Server.UI/appsettings.json b/src/Server.UI/appsettings.json
@@ -49,5 +49,10 @@
     "ApiKey": "",
     "SmsTemplate": "",
     "EmailTemplate": ""
+  },
+  "AllowlistOptions": {
+    "AllowedIPs": [
+
+    ]
   }
 }