feat: E2E Authentication (#1877)

* Use JWT Auth against API Frontend

* Fix unit test

* back end auth and adding workgroups to bearer token

* adding auth extension

* Authentication

* Update auth

* Update Config stuff

* sonar qube issues

* remove jwt override and update tsconfig

* re add missing session object

* Adding Access Token Headers

* adding role objects

* fix web tests

* Add user info tfvar to env varibles

* fix headers

* Role Manager

* Sonar Cloud issues

* data attributes and test fix

* add attribute to all functions

* permissions bypass

* register permissions middleware

* Sonar qube

* update docker compose

* update tf config

* add unit tests

* Addressing Copilot Comments

Author: MWClayson-NHS

Directory.Packages.props

@@ -27,9 +27,11 @@
     <PackageVersion Include="Microsoft.Extensions.Azure" Version="1.12.0" />
     <PackageVersion Include="Microsoft.Extensions.Options.DataAnnotations" Version="9.0.6" />
     <PackageVersion Include="Microsoft.Identity.Client" Version="4.74.0" />
-    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="8.12.1" />
+    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.17.0" />
+    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="8.17.0" />
     <PackageVersion Include="Hl7.Fhir.R4" Version="5.11.4" />
-    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.12.1" />
+    <PackageVersion Include="System.Configuration.ConfigurationManager" Version="10.0.5" />
+    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.17.0" />
     <PackageVersion Include="Microsoft.Extensions.Hosting" Version="9.0.6" />
     <PackageVersion Include="System.Linq.Dynamic.Core" Version="1.7.1" />
     <PackageVersion Include="ParquetSharp" Version="17.0.0-beta1" />

application/CohortManager/compose.core.yaml

@@ -247,6 +247,9 @@ services:
       - ExceptionManagementDataServiceURL=http://exception-management-data-service:7911/api/ExceptionManagementDataService/
       - GPPracticeDataServiceURL=http://gppractice-data-service:7999/api/GPPracticeDataService/
       - AcceptableLatencyThresholdMs=500
+      - BypassAuthentication=true
+      - AuthClientId=MockClientId-123
+      - UserInfoUrl=http://wiremock:8080/userinfo
 
   # Screening Validation Service
   static-validation:

application/CohortManager/src/Functions/DemographicServices/DemographicDurableFunction/DemographicDurableFunction.csproj

@@ -16,7 +16,6 @@
     <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" />
     <PackageReference Include="Contrib.Grpc.Core.M1" />
     <PackageReference Include="Microsoft.Extensions.Diagnostics.HealthChecks" />
-        <PackageReference Include="Contrib.Grpc.Core.M1" />
     <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" />
   </ItemGroup>
   <ItemGroup>

application/CohortManager/src/Functions/Functions.sln

@@ -155,6 +155,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MappingUtilitiesTests", "..
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "HttpClientFunctionTests", "..\..\..\..\tests\UnitTests\SharedTests\HttpClientFunctionTests\HttpClientFunctionTests.csproj", "{0D98B37C-3F9D-46D0-B1D6-EBF2BE14A5B3}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AuthenticationTests", "..\..\..\..\tests\UnitTests\SharedTests\AuthenticationTests\AuthenticationTests.csproj", "{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}"
+EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "HttpParserTests", "..\..\..\..\tests\UnitTests\SharedTests\HttpParserTests\HttpParserTests.csproj", "{E85D4E82-FBE0-42F1-8513-D5B2F515ADCD}"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "FileNameParserTests", "..\..\..\..\tests\UnitTests\SharedTests\FileNameParserTests\FileNameParserTests.csproj", "{5B21A7B3-0B5C-4036-BB86-6C4629EE2983}"
@@ -1005,6 +1007,18 @@ Global
 		{0D98B37C-3F9D-46D0-B1D6-EBF2BE14A5B3}.Release|x64.Build.0 = Release|Any CPU
 		{0D98B37C-3F9D-46D0-B1D6-EBF2BE14A5B3}.Release|x86.ActiveCfg = Release|Any CPU
 		{0D98B37C-3F9D-46D0-B1D6-EBF2BE14A5B3}.Release|x86.Build.0 = Release|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Debug|x64.Build.0 = Debug|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Debug|x86.Build.0 = Debug|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Release|Any CPU.Build.0 = Release|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Release|x64.ActiveCfg = Release|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Release|x64.Build.0 = Release|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Release|x86.ActiveCfg = Release|Any CPU
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55}.Release|x86.Build.0 = Release|Any CPU
 		{E85D4E82-FBE0-42F1-8513-D5B2F515ADCD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{E85D4E82-FBE0-42F1-8513-D5B2F515ADCD}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{E85D4E82-FBE0-42F1-8513-D5B2F515ADCD}.Debug|x64.ActiveCfg = Debug|Any CPU
@@ -1587,6 +1601,7 @@ Global
 		{5F23FBB7-8794-4F38-8F93-244643F8523B} = {A1000001-0001-0001-0001-000000000005}
 		{4AB81A2E-7D29-4401-B865-FCA1C133544F} = {A1000001-0001-0001-0001-000000000005}
 		{0D98B37C-3F9D-46D0-B1D6-EBF2BE14A5B3} = {A1000001-0001-0001-0001-000000000005}
+		{9B8A2D7E-2DB2-4B97-A90C-68EA513A6C55} = {A1000001-0001-0001-0001-000000000005}
 		{E85D4E82-FBE0-42F1-8513-D5B2F515ADCD} = {A1000001-0001-0001-0001-000000000005}
 		{5B21A7B3-0B5C-4036-BB86-6C4629EE2983} = {A1000001-0001-0001-0001-000000000005}
 		{2423447D-FAF7-4356-BBE1-8B0A9F5DD86E} = {A1000001-0001-0001-0001-000000000005}

application/CohortManager/src/Functions/Shared/Common/Authentication/AuthHelper.cs

@@ -0,0 +1,43 @@
+namespace Common;
+
+using System.Text.Json;
+using Microsoft.Azure.Functions.Worker;
+
+public static class AuthHelper
+{
+    public static bool TryGetIdTokenFromHeaders(FunctionContext context, out string token)
+    {
+        return TryGetBearerTokenFromHeaders(context, "Authorization", out token);
+    }
+
+    public static bool TryGetAccessTokenFromHeaders(FunctionContext context, out string accessToken)
+    {
+        return TryGetBearerTokenFromHeaders(context, "X-Access-Token", out accessToken);
+    }
+
+    private static bool TryGetBearerTokenFromHeaders(FunctionContext context, string headerName, out string token)
+    {
+        token = null!;
+
+        context.BindingContext.BindingData.TryGetValue("Headers", out var headersObj);
+
+        if(headersObj is not string headersStr)
+        {
+            return false;
+        }
+
+        var headers = JsonSerializer.Deserialize<Dictionary<string, string>>(headersStr);
+        if(headers == null)
+        {
+            return false;
+        }
+
+        if(!headers.TryGetValue(headerName, out var authHeader) || !authHeader.StartsWith("Bearer "))
+        {
+            return false;
+        }
+
+        token = authHeader.Substring("Bearer ".Length).Trim();
+        return true;
+    }
+}

application/CohortManager/src/Functions/Shared/Common/Authentication/AuthenticationAttribute.cs

@@ -0,0 +1,20 @@
+namespace Common;
+
+[AttributeUsage(AttributeTargets.Method)]
+public class AuthenticationAttribute : Attribute
+{
+    public Role[]? Roles { get; }
+    public bool RequiresAuthentication => Roles != null && Roles.Length > 0;
+    public AuthenticationAttribute(Role role)
+    {
+        Roles = new[] { role };
+    }
+    public AuthenticationAttribute(Role[] roles)
+    {
+        Roles = roles;
+    }
+    public AuthenticationAttribute()
+    {
+        Roles = null;
+    }
+}

application/CohortManager/src/Functions/Shared/Common/Authentication/Cis2UserService.cs

@@ -0,0 +1,42 @@
+namespace Common;
+
+using System.Runtime.CompilerServices;
+using System.Text.Json;
+using Hl7.FhirPath.Sprache;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+public class Cis2UserService : ICis2UserService
+{
+    private readonly ILogger<Cis2UserService> _logger;
+    private readonly IHttpClientFunction _httpClient;
+    private readonly AuthConfig _authConfig;
+
+    public Cis2UserService(ILogger<Cis2UserService> logger, IHttpClientFunction httpClient, IOptions<AuthConfig> authConfig)
+    {
+        _logger = logger;
+        _httpClient = httpClient;
+        _authConfig = authConfig.Value;
+    }
+
+    public async Task<Cis2User?> GetUserFromToken(string token)
+    {
+        try{
+            _httpClient.SetBearerToken(token);
+            var response = await _httpClient.SendGetOrThrowAsync(_authConfig.UserInfoUrl);
+            if(response == null)
+            {
+                _logger.LogError("Failed to get user info from token, response is null");
+                return null;
+            }
+            var cis2User = JsonSerializer.Deserialize<Cis2User>(response);
+
+            return cis2User;
+        }
+        catch(Exception ex)
+        {
+            _logger.LogError(ex, "Failed to get user info from token, message: {Message}", ex.Message);
+            return null;
+        }
+    }
+}

application/CohortManager/src/Functions/Shared/Common/Authentication/Config/AuthConfig.cs

@@ -0,0 +1,16 @@
+namespace Common;
+
+using System.ComponentModel.DataAnnotations;
+
+public class AuthConfig
+{
+    [Required, Url]
+    public required string AuthMetaDataUrl { get; init; }
+    [Required]
+    public required string AuthClientId { get; init; }
+    [Required, Url]
+    public required string UserInfoUrl { get; init; }
+    public bool ByPassAuthentication { get; init; } = false;
+
+}
+

application/CohortManager/src/Functions/Shared/Common/Authentication/Config/RoleConfig.cs

@@ -0,0 +1,11 @@
+namespace Common;
+
+using System.ComponentModel.DataAnnotations;
+
+public class RoleConfig
+{
+    [Required]
+    public required string CohortManagerUserWorkgroupId { get; init; }
+    [Required]
+    public required string CohortManagerDummyGpRemovalWorkgroupId { get; init; }
+}

application/CohortManager/src/Functions/Shared/Common/Authentication/IAuthenticationService.cs

@@ -0,0 +1,8 @@
+namespace Common;
+
+using Microsoft.Azure.Functions.Worker.Http;
+
+public interface IAuthenticationService
+{
+    Task<bool> ValidateTokenAsync(string token);
+}