first commit

Author: derisen

3-Authorization-II/2-call-api-b2c/API/TodoListAPI.Tests/ConfigurationTests.cs

@@ -1,6 +1,5 @@
 using System;
 using Xunit;
-using System.Text.RegularExpressions;
 using Microsoft.Extensions.Configuration;
 
 namespace TodoListAPI.Tests
@@ -20,23 +19,27 @@ public static IConfiguration InitConfiguration()
  public void ShouldNotContainClientId()
  {
  var myConfiguration = ConfigurationTests.InitConfiguration();
- string clientId = myConfiguration.GetSection("AzureAdB2C")["ClientId"];
+ var clientId = myConfiguration.GetSection("AzureAd")["ClientId"];
 
- string pattern = @"(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}";
- var regex = new Regex(pattern);
- Assert.Matches(regex, clientId);
+ Assert.True(Guid.TryParse(clientId, out var theGuid));
  }
 
  [Fact]
- public void ShouldNotContainDomain()
+ public void ShouldNotContainTenantId()
  {
  var myConfiguration = ConfigurationTests.InitConfiguration();
- string domain = myConfiguration.GetSection("AzureAdB2C")["Domain"];
+ var tenantId = myConfiguration.GetSection("AzureAd")["TenantId"];
+
+ Assert.True(Guid.TryParse(tenantId, out var theGuid));
+ }
 
- string pattern = @"(^http[s]?:\/\/|[a-z]*\.[a-z]{3}\.[a-z]{2})|([a-z]*\.[a-z]{3}$)";
- var regex = new Regex(pattern);
+ [Fact]
+ public void ShouldNotContainDomain()
+ {
+ var myConfiguration = ConfigurationTests.InitConfiguration();
+ var domain = $"https://{myConfiguration.GetSection("AzureAd")["Domain"]}";
 
- Assert.Matches(regex, domain);
+ Assert.True(Uri.TryCreate(domain, UriKind.Absolute, out var uri));
  }
  }
 }

3-Authorization-II/2-call-api-b2c/API/TodoListAPI.Tests/TodoListAPI.Tests.csproj

@@ -1,11 +1,17 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
  <PropertyGroup>
- <TargetFramework>netcoreapp3.1</TargetFramework>
+ <TargetFramework>net6.0</TargetFramework>
 
  <IsPackable>false</IsPackable>
  </PropertyGroup>
 
+ <ItemGroup>
+ <Content Include="..\TodoListAPI\appsettings.json" Link="appsettings.json">
+ <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+ </Content>
+ </ItemGroup>
+
  <ItemGroup>
  <PackageReference Include="Microsoft.Extensions.Configuration" Version="3.1.17" />
  <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="3.1.17" />
@@ -21,10 +27,4 @@
  </PackageReference>
  </ItemGroup>
 
- <ItemGroup>
- <None Update="appsettings.json">
- <CopyToOutputDirectory>Always</CopyToOutputDirectory>
- </None>
- </ItemGroup>
-
 </Project>

3-Authorization-II/2-call-api-b2c/API/TodoListAPI.Tests/appsettings.json

@@ -3,29 +3,29 @@ Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 16
 VisualStudioVersion = 16.0.31005.135
 MinimumVisualStudioVersion = 10.0.40219.1
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TodoListAPI.Tests", "TodoListAPI.Tests\TodoListAPI.Tests.csproj", "{ED40B596-FC4A-4BBF-948B-68D0BAE70299}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TodoListAPI", "TodoListAPI\TodoListAPI.csproj", "{3E0BC18D-E25D-4E0E-9F6C-712C30350DF8}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TodoListAPI", "TodoListAPI\TodoListAPI.csproj", "{C82EE059-1ABB-4B5A-9907-770EF562F946}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TodoListAPI.Tests", "TodoListAPI.Tests\TodoListAPI.Tests.csproj", "{FD40F6A5-7735-4AA5-ACA8-ADE3FBE65378}"
 EndProject
 Global
 GlobalSection(SolutionConfigurationPlatforms) = preSolution
 Debug|Any CPU = Debug|Any CPU
 Release|Any CPU = Release|Any CPU
 EndGlobalSection
 GlobalSection(ProjectConfigurationPlatforms) = postSolution
-{ED40B596-FC4A-4BBF-948B-68D0BAE70299}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-{ED40B596-FC4A-4BBF-948B-68D0BAE70299}.Debug|Any CPU.Build.0 = Debug|Any CPU
-{ED40B596-FC4A-4BBF-948B-68D0BAE70299}.Release|Any CPU.ActiveCfg = Release|Any CPU
-{ED40B596-FC4A-4BBF-948B-68D0BAE70299}.Release|Any CPU.Build.0 = Release|Any CPU
-{C82EE059-1ABB-4B5A-9907-770EF562F946}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-{C82EE059-1ABB-4B5A-9907-770EF562F946}.Debug|Any CPU.Build.0 = Debug|Any CPU
-{C82EE059-1ABB-4B5A-9907-770EF562F946}.Release|Any CPU.ActiveCfg = Release|Any CPU
-{C82EE059-1ABB-4B5A-9907-770EF562F946}.Release|Any CPU.Build.0 = Release|Any CPU
+{3E0BC18D-E25D-4E0E-9F6C-712C30350DF8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{3E0BC18D-E25D-4E0E-9F6C-712C30350DF8}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{3E0BC18D-E25D-4E0E-9F6C-712C30350DF8}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{3E0BC18D-E25D-4E0E-9F6C-712C30350DF8}.Release|Any CPU.Build.0 = Release|Any CPU
+{FD40F6A5-7735-4AA5-ACA8-ADE3FBE65378}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{FD40F6A5-7735-4AA5-ACA8-ADE3FBE65378}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{FD40F6A5-7735-4AA5-ACA8-ADE3FBE65378}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{FD40F6A5-7735-4AA5-ACA8-ADE3FBE65378}.Release|Any CPU.Build.0 = Release|Any CPU
 EndGlobalSection
 GlobalSection(SolutionProperties) = preSolution
 HideSolutionNode = FALSE
 EndGlobalSection
 GlobalSection(ExtensibilityGlobals) = postSolution
-SolutionGuid = {10F069FB-DCC7-48B6-9575-4B6C47FFD4C8}
+SolutionGuid = {44AB506D-AF3A-4AE5-90E9-CFECC92533A6}
 EndGlobalSection
 EndGlobal

3-Authorization-II/2-call-api-b2c/API/TodoListAPI.sln

@@ -1,14 +1,14 @@
-using System;
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.Linq;
+using System.Security.Claims;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.EntityFrameworkCore;
-using TodoListAPI.Models;
-using System.Security.Claims;
+using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Resource;
+using TodoListAPI.Models;
 
 namespace TodoListAPI.Controllers
 {
@@ -17,70 +17,98 @@ namespace TodoListAPI.Controllers
  [ApiController]
  public class TodoListController : ControllerBase
  {
- // The Web API will only accept tokens 1) for users, and 
- // 2) having the demo.read scope for this API
- static readonly string[] scopeRequiredByApi = new string[] { "demo.read" };
+ private readonly TodoContext _TodoListContext;
+ private readonly IHttpContextAccessor _contextAccessor;
+ private ClaimsPrincipal _currentPrincipal;
 
- private readonly TodoContext _context;
+ /// <summary>
+ /// We store the object id of the user/app derived from the presented Access token
+ /// </summary>
+ private string _currentPrincipalId = string.Empty;
 
- public TodoListController(TodoContext context)
+ public TodoListController(TodoContext context, IHttpContextAccessor contextAccessor)
  {
- _context = context;
+ _TodoListContext = context;
+ _contextAccessor = contextAccessor;
+
+ // We seek the details of the user/app represented by the access token presented to this API, This can be empty unless authN succeeded
+ // If a user signed-in, the value will be the unique identifier of the user.
+ _currentPrincipal = GetCurrentClaimsPrincipal();
+
+ if (!IsAppOnlyToken() && _currentPrincipal != null)
+ {
+ _currentPrincipalId = _currentPrincipal.GetObjectId();
+ PopulateDefaultToDos(_currentPrincipalId);
+ }
+ }
+
+ // GET: api/todolist/getAll
+ [HttpGet]
+ [Route("getAll")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Read")]
+ public async Task<ActionResult<IEnumerable<TodoItem>>> GetAll()
+ {
+ return await _TodoListContext.TodoItems.ToListAsync();
  }
 
  // GET: api/TodoItems
  [HttpGet]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Read")]
  public async Task<ActionResult<IEnumerable<TodoItem>>> GetTodoItems()
  {
- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
- string owner = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
- return await _context.TodoItems.Where(item => item.Owner == owner).ToListAsync();
+ /// <summary>
+ /// The 'oid' (object id) is the only claim that should be used to uniquely identify
+ /// a user in an Azure AD tenant. The token might have one or more of the following claim,
+ /// that might seem like a unique identifier, but is not and should not be used as such:
+ ///
+ /// - upn (user principal name): might be unique amongst the active set of users in a tenant
+ /// but tend to get reassigned to new employees as employees leave the organization and others
+ /// take their place or might change to reflect a personal change like marriage.
+ ///
+ /// - email: might be unique amongst the active set of users in a tenant but tend to get reassigned
+ /// to new employees as employees leave the organization and others take their place.
+ /// </summary>
+ return await _TodoListContext.TodoItems.Where(x => x.Owner == _currentPrincipalId).ToListAsync();
  }
 
  // GET: api/TodoItems/5
  [HttpGet("{id}")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Read")]
  public async Task<ActionResult<TodoItem>> GetTodoItem(int id)
  {
- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
- 
- var todoItem = await _context.TodoItems.FindAsync(id);
-
- if (todoItem == null)
- {
- return NotFound();
- }
-
- return todoItem;
+ return await _TodoListContext.TodoItems.FirstOrDefaultAsync(t => t.Id == id && t.Owner == _currentPrincipalId);
  }
 
  // PUT: api/TodoItems/5
  // To protect from overposting attacks, please enable the specific properties you want to bind to, for
  // more details see https://aka.ms/RazorPagesCRUD.
  [HttpPut("{id}")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Write")]
  public async Task<IActionResult> PutTodoItem(int id, TodoItem todoItem)
  {
- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
-
- if (id != todoItem.Id)
+ if (id != todoItem.Id || !_TodoListContext.TodoItems.Any(x => x.Id == id))
  {
- return BadRequest();
+ return NotFound();
  }
 
- _context.Entry(todoItem).State = EntityState.Modified;
-
- try
+ if (_TodoListContext.TodoItems.Any(x => x.Id == id && x.Owner == _currentPrincipalId))
  {
- await _context.SaveChangesAsync();
- }
- catch (DbUpdateConcurrencyException)
- {
- if (!TodoItemExists(id))
+ _TodoListContext.Entry(todoItem).State = EntityState.Modified;
+
+ try
  {
- return NotFound();
+ await _TodoListContext.SaveChangesAsync();
  }
- else
+ catch (DbUpdateConcurrencyException)
  {
- throw;
+ if (!_TodoListContext.TodoItems.Any(e => e.Id == id))
+ {
+ return NotFound();
+ }
+ else
+ {
+ throw;
+ }
  }
  }
 
@@ -91,40 +119,83 @@ public async Task<IActionResult> PutTodoItem(int id, TodoItem todoItem)
  // To protect from overposting attacks, please enable the specific properties you want to bind to, for
  // more details see https://aka.ms/RazorPagesCRUD.
  [HttpPost]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Write")]
  public async Task<ActionResult<TodoItem>> PostTodoItem(TodoItem todoItem)
  {
- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
- string owner = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
- todoItem.Owner = owner;
+ todoItem.Owner = _currentPrincipalId;
  todoItem.Status = false;
 
- _context.TodoItems.Add(todoItem);
- await _context.SaveChangesAsync();
+ _TodoListContext.TodoItems.Add(todoItem);
+ await _TodoListContext.SaveChangesAsync();
 
  return CreatedAtAction("GetTodoItem", new { id = todoItem.Id }, todoItem);
  }
 
  // DELETE: api/TodoItems/5
  [HttpDelete("{id}")]
+ [RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes:Write")]
  public async Task<ActionResult<TodoItem>> DeleteTodoItem(int id)
  {
- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+ TodoItem todoItem = await _TodoListContext.TodoItems.FindAsync(id);
 
- var todoItem = await _context.TodoItems.FindAsync(id);
  if (todoItem == null)
  {
  return NotFound();
  }
 
- _context.TodoItems.Remove(todoItem);
- await _context.SaveChangesAsync();
+ if (_TodoListContext.TodoItems.Any(x => x.Id == id && x.Owner == _currentPrincipalId))
+ {
+ _TodoListContext.TodoItems.Remove(todoItem);
+ await _TodoListContext.SaveChangesAsync();
+ }
+
+ return NoContent();
+ }
+
+ private async void PopulateDefaultToDos(string _currentPrincipalId)
+ {
+ //Pre - populate with sample data
+ if (_TodoListContext.TodoItems.Count() == 0 && !string.IsNullOrEmpty(_currentPrincipalId))
+ {
+ _TodoListContext.TodoItems.Add(new TodoItem() { Owner = $"{_currentPrincipalId}", Description = "Pick up groceries", Status = false });
+ _TodoListContext.TodoItems.Add(new TodoItem() { Owner = $"{_currentPrincipalId}", Description = "Finish invoice report", Status = false });
+
+ await _TodoListContext.SaveChangesAsync();
+ }
+ }
+
+ /// <summary>
+ /// returns the current claimsPrincipal (user/Client app) dehydrated from the Access token
+ /// </summary>
+ /// <returns></returns>
+ private ClaimsPrincipal GetCurrentClaimsPrincipal()
+ {
+ // Irrespective of whether a user signs in or not, the AspNet security middleware dehydrates 
+ // the claims in the HttpContext.User.Claims collection
+ if (_contextAccessor.HttpContext != null && _contextAccessor.HttpContext.User != null)
+ {
+ return _contextAccessor.HttpContext.User;
+ }
 
- return todoItem;
+ return null;
  }
 
- private bool TodoItemExists(int id)
+ /// <summary>
+ /// Indicates of the AT presented was for an app-only token or not.
+ /// </summary>
+ /// <returns></returns>
+ private bool IsAppOnlyToken()
  {
- return _context.TodoItems.Any(e => e.Id == id);
+ // Add in the optional 'idtyp' claim to check if the access token is coming from an application or user.
+ //
+ // See: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
+
+ if (GetCurrentClaimsPrincipal() != null)
+ {
+ return GetCurrentClaimsPrincipal().Claims.Any(c => c.Type == "idtyp" && c.Value == "app");
+ }
+
+ return false;
  }
  }
-}
+}