
Commit b1055a1

committed
permissions bypass
1 parent c5641d0 commit b1055a1

3 files changed

Lines changed: 29 additions & 9 deletions


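--- a/application/CohortManager/src/Functions/Shared/Common/Authentication/CIS2AuthMiddleware.cs
+++ b/application/CohortManager/src/Functions/Shared/Common/Authentication/CIS2AuthMiddleware.cs
@@ -1,10 +1,12 @@
 namespace Common;
 
 using System.Net;
+using System.Runtime.CompilerServices;
 using Microsoft.Azure.Functions.Worker;
 using Microsoft.Azure.Functions.Worker.Http;
 using Microsoft.Azure.Functions.Worker.Middleware;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 
 public class Cis2AuthMiddleware : IFunctionsWorkerMiddleware
 {
@@ -13,19 +15,22 @@ public class Cis2AuthMiddleware : IFunctionsWorkerMiddleware
     private readonly ICreateResponse _createResponse;
     private readonly IAuthenticationService _authService;
     private readonly ICis2UserService _cis2UserService;
+    private readonly AuthConfig _authConfig;
 
-    public Cis2AuthMiddleware(ILogger<Cis2AuthMiddleware> logger, ICreateResponse createResponse, IAuthenticationService authService, ICis2UserService cis2UserService)
+    public Cis2AuthMiddleware(ILogger<Cis2AuthMiddleware> logger, ICreateResponse createResponse, IAuthenticationService authService, ICis2UserService cis2UserService, IOptions<AuthConfig> authConfig)
     {
         _logger = logger;
         _createResponse = createResponse;
         _authService = authService;
         _cis2UserService = cis2UserService;
+        _authConfig = authConfig.Value;
     }
 
     public async Task Invoke(FunctionContext context, FunctionExecutionDelegate next)
     {
-        if(!context.RequiresAuthentication())
+        if(_authConfig.ByPassAuthentication || !context.RequiresAuthentication())
         {
+            _logger.LogInformation("Authentication is bypassed or not required for this endpoint, skipping authentication.");
             await next(context);
             return;
         }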
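Review bot: `using System.Runtime.CompilerServices;` (new line 4) is not used by anything in the hunk; unless the rest of the file needs it, drop it. The new `_authConfig.ByPassAuthentication` short-circuit is a kill switch for authentication, so it should be hard to miss in telemetry and hard to enable by accident: log the bypass branch at Warning rather than Information, e.g. `_logger.LogWarning("Authentication bypass is enabled by configuration; skipping authentication.");`, and consider validating AuthConfig at startup so the flag is only honoured in a development environment. The flag replaces `RequireAuthentication` in AuthConfig, so any existing `RequireAuthentication` setting in configuration is now silently ignored by options binding. When the bypass is taken the `Cis2User` context item is presumably never populated (the code that sets it is outside the hunk), so consumers of `context.Items["Cis2User"]` should be checked for null handling. Invoke's body continues past the end of the hunk.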

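--- a/application/CohortManager/src/Functions/Shared/Common/Authentication/Config/AuthConfig.cs
+++ b/application/CohortManager/src/Functions/Shared/Common/Authentication/Config/AuthConfig.cs
@@ -10,7 +10,7 @@ public class AuthConfig
     public required string AuthClientId { get; init; }
     [Required, Url]
     public required string UserInfoUrl { get; init; }
-    public bool RequireAuthentication { get; init; } = true;
+    public bool ByPassAuthentication { get; init; } = false;
 
 }
 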
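--- a/application/CohortManager/src/Functions/Shared/Common/Authentication/PermissionsMiddleware.cs
+++ b/application/CohortManager/src/Functions/Shared/Common/Authentication/PermissionsMiddleware.cs
@@ -1,36 +1,52 @@
 namespace Common;
 
-
 using Microsoft.Azure.Functions.Worker;
 using Microsoft.Azure.Functions.Worker.Http;
 using Microsoft.Azure.Functions.Worker.Middleware;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 
 public class PermissionsMiddleware : IFunctionsWorkerMiddleware
 {
     private readonly ICreateResponse _createResponse;
     private readonly IRoleManager _roleManager;
     private readonly ILogger<PermissionsMiddleware> _logger;
+    private readonly AuthConfig _authConfig;
 
-    public PermissionsMiddleware(ICreateResponse createResponse, IRoleManager roleManager, ILogger<PermissionsMiddleware> logger)
+    public PermissionsMiddleware(ICreateResponse createResponse, IRoleManager roleManager, ILogger<PermissionsMiddleware> logger, IOptions<AuthConfig> authConfig)
     {
         _createResponse = createResponse;
         _roleManager = roleManager;
         _logger = logger;
+        _authConfig = authConfig.Value;
     }
 
     public async Task Invoke(FunctionContext context, FunctionExecutionDelegate next)
     {
+        if(_authConfig.ByPassAuthentication)
+        {
+            _logger.LogInformation("Authentication is bypassed, skipping permissions check.");
+            await next(context);
+            return;
+        }
+
         if (!context.RequiresAuthentication())
         {
+            _logger.LogInformation("No authentication required for this endpoint, skipping permissions check.");
+            await next(context);
+            return;
+        }
+        var requiredRoles = context.GetRequiredRoles();
+
+        if(requiredRoles.Length == 0)
+        {
+            _logger.LogInformation("No specific roles required for this endpoint, skipping permissions check.");
             await next(context);
             return;
         }
 
         var req = await context.GetHttpRequestDataAsync();
         var user = (Cis2User)context.Items["Cis2User"]!;
-        var requiredRoles = context.GetRequiredRoles();
-
         if (requiredRoles.Length == 0 || requiredRoles.Any(role => _roleManager.ValidateRole(user, role)))
         {
             await next(context);
@@ -43,8 +59,7 @@ public async Task Invoke(FunctionContext context, FunctionExecutionDelegate next
 
     private async Task HandleUnauthorizedAsync(FunctionContext context, HttpRequestData request, string logMessage, string responseMessage)
     {
-        var logger = context.GetLogger<PermissionsMiddleware>();
-        logger.LogWarning("Authorization Error: {LogMessage}", logMessage);
+        _logger.LogWarning("Permissions Error: {LogMessage}", logMessage);
         var response = await _createResponse.CreateHttpResponseWithBodyAsync(System.Net.HttpStatusCode.Forbidden, request, responseMessage);
         context.GetInvocationResult().Value = response;
     }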
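Review bot: The `requiredRoles.Length == 0 ||` clause on the role check (old line 34, new line 50) is now dead, because the new early return at new line 41 already handles the empty-roles case before this point; simplify it to `if (requiredRoles.Any(role => _roleManager.ValidateRole(user, role)))`. The new `ByPassAuthentication` guard at the top of Invoke disables every role check in one step, the same kill switch as in Cis2AuthMiddleware, so it deserves a Warning-level log line rather than Information so that a production deployment running without permission checks shows up in telemetry. The `(Cis2User)context.Items["Cis2User"]!` cast still assumes the authentication middleware ran; with the bypass in place that holds only because both middlewares read the same flag, which is worth a short comment at the cast. Invoke's body continues outside the first hunk.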
