-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathProgram.cs
More file actions
124 lines (104 loc) · 4.97 KB
/
Program.cs
File metadata and controls
124 lines (104 loc) · 4.97 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
using Microsoft.AspNetCore.Authorization;
using Serilog;
using WebApiWeatherDemoAuthnAutnzSwaggerUI.Authentication;
using WebApiWeatherDemoAuthnAutnzSwaggerUI.Authorization;
using WebApiWeatherDemoAuthnAutnzSwaggerUI.Endpoints;
var builder = WebApplication.CreateBuilder(args);
// Configure Serilog for structured logging (reads from appsettings.json)
builder.Host.UseSerilog((context, configuration) =>
configuration.ReadFrom.Configuration(context.Configuration));
// Add OpenAPI support for API documentation
builder.Services.AddOpenApi();
// Required for authorization handlers to access HTTP request information
builder.Services.AddHttpContextAccessor();
// Bind configuration options
builder.Services.Configure<IpAuthorizationOptions>(
builder.Configuration.GetSection("Authorization:IpPolicies"));
// Register our custom token validator (reads tokens from appsettings.json)
builder.Services.AddSingleton<IOpaqueTokenValidator, ConfigurationOpaqueTokenValidator>();
// Register custom authentication scheme for opaque bearer tokens
builder.Services.AddAuthentication("OpaqueToken")
.AddScheme<OpaqueTokenAuthenticationOptions, OpaqueTokenAuthenticationHandler>(
"OpaqueToken",
options => { });
// Configure authorization policies
builder.Services.AddAuthorizationBuilder()
// Basic authentication - any valid token (Identity only)
.AddPolicy("BearerTokenPolicy", policy =>
{
policy.AuthenticationSchemes.Add("OpaqueToken");
policy.RequireAuthenticatedUser();
})
// Same-host only - request must come from same machine (IP only, auto-populated)
.AddPolicy("SameHostPolicy", policy =>
{
policy.Requirements.Add(new IpAuthorizationRequirement("SameHost"));
})
// Partner1 - requires specific role + IP whitelist (Identity AND IP)
.AddPolicy("Partner1Policy", policy =>
{
policy.AuthenticationSchemes.Add("OpaqueToken");
policy.RequireAuthenticatedUser();
policy.RequireRole("Partner1");
policy.Requirements.Add(new IpAuthorizationRequirement("Partner1"));
})
// DataReader - requires role only (Identity only, no IP restriction)
.AddPolicy("DataReaderPolicy", policy =>
{
policy.AuthenticationSchemes.Add("OpaqueToken");
policy.RequireAuthenticatedUser();
policy.RequireRole("DataReader");
})
// DataWriter - requires role + IP whitelist (Identity AND IP)
.AddPolicy("DataWriterPolicy", policy =>
{
policy.AuthenticationSchemes.Add("OpaqueToken");
policy.RequireAuthenticatedUser();
policy.RequireRole("DataWriter");
policy.Requirements.Add(new IpAuthorizationRequirement("DataWriter"));
})
// OpenAPI access - flexible based on configuration
.AddPolicy("OpenApiPolicy", policy =>
{
policy.Requirements.Add(new IpAuthorizationRequirement("OpenApi"));
});
// Register custom authorization handlers
builder.Services.AddSingleton<IpAuthorizationHandler>();
builder.Services.AddSingleton<IAuthorizationHandler>(sp => sp.GetRequiredService<IpAuthorizationHandler>());
builder.Services.AddSingleton<IAuthorizationHandler, IpOrIdentityAuthorizationHandler>();
var app = builder.Build();
var logger = app.Services.GetRequiredService<ILogger<Program>>();
logger.LogInformation("-----------------------------");
logger.LogInformation("Starting application in {Environment}", app.Environment.EnvironmentName);
// Log HTTP requests with Serilog
app.UseSerilogRequestLogging();
// Enable Swagger UI in development or if explicitly enabled in config
if (app.Environment.IsDevelopment() || builder.Configuration.GetValue<bool>("OpenApi:Enabled"))
{
var openApiBuilder = app.MapOpenApi();
app.UseSwaggerUI();
// Apply OpenAPI protection
openApiBuilder.RequireAuthorization("OpenApiPolicy");
logger.LogInformation("OpenAPI endpoint protected with OpenApiPolicy");
// Compatibility shim: redirect Swagger UI's default discovery path to OpenAPI endpoint
// Swagger UI expects /swagger/v1/swagger.json but .NET 9 uses /openapi/v1.json
app.MapGet("/swagger/v1/swagger.json", (HttpContext ctx) =>
Results.Redirect($"{ctx.Request.PathBase}/openapi/v1.json"));
}
app.UseHttpsRedirection();
// Enable authentication and authorization middleware (order matters!)
app.UseAuthentication();
app.UseAuthorization();
// Map endpoint groups with different security requirements
app.MapPublicWeatherEndpoints(); // No authentication required
app.MapPrivateWeatherEndpoints(); // Requires valid bearer token
app.MapPrivateClient1WeatherEndpoints(); // Requires Partner1 role + IP whitelist
app.MapSameHostWeatherEndpoints(); // Only accessible from same machine
// Log application lifecycle events
app.Lifetime.ApplicationStarted.Register(() =>
logger.LogInformation("Application started and listening"));
app.Lifetime.ApplicationStopping.Register(() =>
logger.LogInformation("Application stopping"));
app.Lifetime.ApplicationStopped.Register(() =>
logger.LogInformation("Application stopped"));
app.Run();