feat/active directory feature with integration gateway

rashed99mm · rashed99mm · commit 30e0ca9f0b2d · 2026-05-20T12:32:15.000+03:00
diff --git a/backend/src/CCE.Api.External/appsettings.Development.json b/backend/src/CCE.Api.External/appsettings.Development.json
@@ -77,6 +77,10 @@
     "CommunicationGateway": {
       "BaseUrl": "http://localhost:3001",
       "TimeoutSeconds": 30
+    },
+    "AdminAuthGateway": {
+      "BaseUrl": "http://localhost:3001",
+      "TimeoutSeconds": 30
     }
   }
 }
diff --git a/backend/src/CCE.Api.External/appsettings.Production.json b/backend/src/CCE.Api.External/appsettings.Production.json
@@ -77,6 +77,10 @@
     "CommunicationGateway": {
       "BaseUrl": "https://cce-mocks.bonto.run",
       "TimeoutSeconds": 30
+    },
+    "AdminAuthGateway": {
+      "BaseUrl": "https://cce-mocks.bonto.run",
+      "TimeoutSeconds": 30
     }
   }
 }
diff --git a/backend/src/CCE.Api.Internal/Endpoints/AdminAuthEndpoints.cs b/backend/src/CCE.Api.Internal/Endpoints/AdminAuthEndpoints.cs
@@ -0,0 +1,35 @@
+using CCE.Api.Common.Extensions;
+using CCE.Application.Identity.Auth.AdLogin;
+using MediatR;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+
+namespace CCE.Api.Internal.Endpoints;
+
+public static class AdminAuthEndpoints
+{
+    public static IEndpointRouteBuilder MapAdminAuthEndpoints(this IEndpointRouteBuilder app)
+    {
+        var auth = app.MapGroup("/api/auth").WithTags("Auth");
+
+        auth.MapPost("/ad-login", async (
+            AdLoginRequest body,
+            HttpContext ctx,
+            IMediator mediator,
+            CancellationToken ct) =>
+        {
+            var result = await mediator.Send(new AdLoginCommand(
+                body.Username,
+                body.Password,
+                ctx.Connection.RemoteIpAddress?.ToString(),
+                ctx.Request.Headers.UserAgent.ToString()), ct).ConfigureAwait(false);
+
+            return result.ToHttpResult();
+        })
+        .AllowAnonymous()
+        .WithName("InternalAdLogin");
+
+        return app;
+    }
+}
diff --git a/backend/src/CCE.Api.Internal/Program.cs b/backend/src/CCE.Api.Internal/Program.cs
@@ -59,8 +59,9 @@
 
 app.UseCceOpenApi(apiTag: "internal");
 
-app.MapAuthEndpoints(CCE.Application.Identity.Auth.Common.LocalAuthApi.Internal);
-app.MapIdentityEndpoints();
+        app.MapAuthEndpoints(CCE.Application.Identity.Auth.Common.LocalAuthApi.Internal);
+        app.MapAdminAuthEndpoints();
+        app.MapIdentityEndpoints();
 app.MapExpertEndpoints();
 app.MapAssetEndpoints();
 app.MapResourceEndpoints();
diff --git a/backend/src/CCE.Api.Internal/appsettings.Development.json b/backend/src/CCE.Api.Internal/appsettings.Development.json
@@ -64,6 +64,10 @@
     "CommunicationGateway": {
       "BaseUrl": "http://localhost:3001",
       "TimeoutSeconds": 30
+    },
+    "AdminAuthGateway": {
+      "BaseUrl": "http://localhost:3001",
+      "TimeoutSeconds": 30
     }
   }
 }
diff --git a/backend/src/CCE.Api.Internal/appsettings.Production.json b/backend/src/CCE.Api.Internal/appsettings.Production.json
@@ -64,6 +64,10 @@
     "CommunicationGateway": {
       "BaseUrl": "https://cce-mocks.bonto.run",
       "TimeoutSeconds": 30
+    },
+    "AdminAuthGateway": {
+      "BaseUrl": "https://cce-mocks.bonto.run",
+      "TimeoutSeconds": 30
     }
   }
 }
diff --git a/backend/src/CCE.Application/Identity/Auth/AdLogin/AdLoginCommand.cs b/backend/src/CCE.Application/Identity/Auth/AdLogin/AdLoginCommand.cs
@@ -0,0 +1,12 @@
+using CCE.Application.Common;
+using CCE.Application.Identity.Auth.Common;
+using MediatR;
+
+namespace CCE.Application.Identity.Auth.AdLogin;
+
+public sealed record AdLoginCommand(
+    string Username,
+    string Password,
+    string? Ip,
+    string? UserAgent)
+    : IRequest<Response<AuthTokenDto>>;
diff --git a/backend/src/CCE.Application/Identity/Auth/AdLogin/AdLoginCommandHandler.cs b/backend/src/CCE.Application/Identity/Auth/AdLogin/AdLoginCommandHandler.cs
@@ -0,0 +1,36 @@
+using CCE.Application.Common;
+using CCE.Application.Identity.Auth.Common;
+using CCE.Application.Messages;
+using MediatR;
+
+namespace CCE.Application.Identity.Auth.AdLogin;
+
+internal sealed class AdLoginCommandHandler
+    : IRequestHandler<AdLoginCommand, Response<AuthTokenDto>>
+{
+    private readonly IAuthService _auth;
+    private readonly MessageFactory _msg;
+
+    public AdLoginCommandHandler(IAuthService auth, MessageFactory msg)
+    {
+        _auth = auth;
+        _msg = msg;
+    }
+
+    public async Task<Response<AuthTokenDto>> Handle(AdLoginCommand request, CancellationToken ct)
+    {
+        var dto = await _auth.AdLoginAsync(
+            request.Username,
+            request.Password,
+            request.Ip,
+            request.UserAgent,
+            ct).ConfigureAwait(false);
+
+        if (dto is null)
+        {
+            return _msg.InvalidCredentials<AuthTokenDto>();
+        }
+
+        return _msg.Ok(dto, "AD_LOGIN_SUCCESS");
+    }
+}
diff --git a/backend/src/CCE.Application/Identity/Auth/AdLogin/AdLoginCommandValidator.cs b/backend/src/CCE.Application/Identity/Auth/AdLogin/AdLoginCommandValidator.cs
@@ -0,0 +1,17 @@
+using FluentValidation;
+
+namespace CCE.Application.Identity.Auth.AdLogin;
+
+public sealed class AdLoginCommandValidator : AbstractValidator<AdLoginCommand>
+{
+    public AdLoginCommandValidator()
+    {
+        RuleFor(x => x.Username)
+            .NotEmpty()
+            .WithMessage("Username is required.");
+
+        RuleFor(x => x.Password)
+            .NotEmpty()
+            .WithMessage("Password is required.");
+    }
+}
diff --git a/backend/src/CCE.Application/Identity/Auth/AdLogin/AdLoginRequest.cs b/backend/src/CCE.Application/Identity/Auth/AdLogin/AdLoginRequest.cs
@@ -0,0 +1,5 @@
+namespace CCE.Application.Identity.Auth.AdLogin;
+
+public sealed record AdLoginRequest(
+    string Username,
+    string Password);
diff --git a/backend/src/CCE.Application/Identity/Auth/Common/IAuthService.cs b/backend/src/CCE.Application/Identity/Auth/Common/IAuthService.cs
@@ -17,4 +17,6 @@ public interface IAuthService
     Task ForgotPasswordAsync(string email, CancellationToken ct);
 
     Task<string?> ResetPasswordAsync(string email, string encodedToken, string newPassword, string? ip, CancellationToken ct);
+
+    Task<AuthTokenDto?> AdLoginAsync(string username, string password, string? ip, string? userAgent, CancellationToken ct);
 }
diff --git a/backend/src/CCE.Domain/Identity/User.cs b/backend/src/CCE.Domain/Identity/User.cs
@@ -75,6 +75,31 @@ public static User CreateStubFromEntraId(System.Guid objectId, string email, str
         };
     }
 
+    /// <summary>
+    /// Factory for stub User rows created on first AD login via the integration gateway.
+    /// Profile fields default to empty; operator/admin should prompt for completion.
+    /// </summary>
+    public static User CreateStubFromAd(
+        string email,
+        string? firstName,
+        string? lastName,
+        string? displayName)
+    {
+        return new User
+        {
+            Id = System.Guid.NewGuid(),
+            Email = email,
+            UserName = email,
+            NormalizedEmail = email.ToUpperInvariant(),
+            NormalizedUserName = email.ToUpperInvariant(),
+            EmailConfirmed = true,
+            FirstName = firstName ?? displayName ?? string.Empty,
+            LastName = lastName ?? string.Empty,
+            JobTitle = string.Empty,
+            OrganizationName = string.Empty,
+        };
+    }
+
     public static User RegisterLocal(
         string firstName,
         string lastName,
diff --git a/backend/src/CCE.Infrastructure/DependencyInjection.cs b/backend/src/CCE.Infrastructure/DependencyInjection.cs
@@ -134,6 +134,7 @@ public static IServiceCollection AddInfrastructure(
         // Singleton because all impls are stateless + thread-safe.
         services.Configure<EmailOptions>(configuration.GetSection(EmailOptions.SectionName));
         services.AddExternalApiClient<ICommunicationGatewayClient>("CommunicationGateway");
+        services.AddExternalApiClient<CCE.Integration.AdminAuth.IAdminAuthGatewayClient>("AdminAuthGateway");
         services.AddSingleton<IEmailSender>(sp =>
         {
             var opts = sp.GetRequiredService<IOptions<EmailOptions>>();
diff --git a/backend/src/CCE.Infrastructure/Identity/AdRoleMapper.cs b/backend/src/CCE.Infrastructure/Identity/AdRoleMapper.cs
@@ -0,0 +1,19 @@
+namespace CCE.Infrastructure.Identity;
+
+public static class AdRoleMapper
+{
+    public static string? ToCceRole(string adGroup)
+    {
+        return adGroup switch
+        {
+            "CCE-SuperAdmins" => "cce-super-admin",
+            "CCE-Admins" => "cce-admin",
+            "CCE-ContentManagers" => "cce-content-manager",
+            "CCE-StateRepresentatives" => "cce-state-representative",
+            "CCE-Reviewers" => "cce-reviewer",
+            "CCE-Experts" => "cce-expert",
+            "CCE-Users" => "cce-user",
+            _ => null,
+        };
+    }
+}
diff --git a/backend/src/CCE.Infrastructure/Identity/AuthService.cs b/backend/src/CCE.Infrastructure/Identity/AuthService.cs
@@ -2,6 +2,7 @@
 using CCE.Application.Identity.Auth.Common;
 using CCE.Domain.Common;
 using CCE.Domain.Identity;
+using CCE.Integration.AdminAuth;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Options;
 
@@ -18,6 +19,7 @@ public sealed class AuthService : IAuthService
     private readonly ISystemClock _clock;
     private readonly IOptions<LocalAuthOptions> _options;
     private readonly IPasswordResetEmailSender _emailSender;
+    private readonly IAdminAuthGatewayClient _adGateway;
 
     public AuthService(
         UserManager<User> userManager,
@@ -27,7 +29,8 @@ public AuthService(
         ICceDbContext db,
         ISystemClock clock,
         IOptions<LocalAuthOptions> options,
-        IPasswordResetEmailSender emailSender)
+        IPasswordResetEmailSender emailSender,
+        IAdminAuthGatewayClient adGateway)
     {
         _userManager = userManager;
         _roleManager = roleManager;
@@ -37,6 +40,7 @@ public AuthService(
         _clock = clock;
         _options = options;
         _emailSender = emailSender;
+        _adGateway = adGateway;
     }
 
     public async Task<AuthTokenDto?> LoginAsync(string email, string password, LocalAuthApi api, string? ip, string? userAgent, CancellationToken ct)
@@ -152,6 +156,70 @@ public async Task ForgotPasswordAsync(string email, CancellationToken ct)
         return null;
     }
 
+    public async Task<AuthTokenDto?> AdLoginAsync(string username, string password, string? ip, string? userAgent, CancellationToken ct)
+    {
+        var gatewayResponse = await _adGateway.LoginAsync(
+            new AdAuthRequest(username, password), ct).ConfigureAwait(false);
+
+        if (!"success".Equals(gatewayResponse.Status, StringComparison.OrdinalIgnoreCase))
+        {
+            return null;
+        }
+
+        var email = gatewayResponse.Email!;
+        var user = await _userManager.FindByEmailAsync(email).ConfigureAwait(false);
+
+        if (user is null)
+        {
+            user = User.CreateStubFromAd(
+                email,
+                gatewayResponse.FirstName,
+                gatewayResponse.LastName,
+                gatewayResponse.DisplayName);
+
+            var createResult = await _userManager.CreateAsync(user).ConfigureAwait(false);
+            if (!createResult.Succeeded)
+            {
+                return null;
+            }
+        }
+
+        await SyncAdRolesAsync(user, gatewayResponse.Groups).ConfigureAwait(false);
+
+        return await IssueAndBuildDtoAsync(user, LocalAuthApi.Internal, ip, userAgent, null, ct).ConfigureAwait(false);
+    }
+
+    private async Task SyncAdRolesAsync(User user, IReadOnlyList<string>? adGroups)
+    {
+        if (adGroups is null || adGroups.Count == 0)
+        {
+            return;
+        }
+
+        var currentRoles = await _userManager.GetRolesAsync(user).ConfigureAwait(false);
+        var desiredRoles = adGroups
+            .Select(static g => AdRoleMapper.ToCceRole(g))
+            .OfType<string>()
+            .Distinct()
+            .ToList();
+
+        var rolesToAdd = desiredRoles.Except(currentRoles).ToList();
+        var rolesToRemove = currentRoles.Except(desiredRoles).ToList();
+
+        foreach (var role in rolesToAdd)
+        {
+            if (!await _userManager.IsInRoleAsync(user, role!).ConfigureAwait(false))
+            {
+                await _userManager.AddToRoleAsync(user, role!).ConfigureAwait(false);
+            }
+        }
+
+        foreach (var role in rolesToRemove)
+        {
+            await _userManager.RemoveFromRoleAsync(user, role).ConfigureAwait(false);
+        }
+    }
+
     private async Task<AuthTokenDto> IssueAndBuildDtoAsync(User user, LocalAuthApi api, string? ip, string? userAgent, Guid? tokenFamilyId, CancellationToken ct)
     {
         var issued = await _tokenService.IssueAsync(user, api, ct).ConfigureAwait(false);
diff --git a/backend/src/CCE.Integration/AdminAuth/AdAuthRequest.cs b/backend/src/CCE.Integration/AdminAuth/AdAuthRequest.cs
@@ -0,0 +1,5 @@
+namespace CCE.Integration.AdminAuth;
+
+public sealed record AdAuthRequest(
+    string Username,
+    string Password);
diff --git a/backend/src/CCE.Integration/AdminAuth/AdAuthResponse.cs b/backend/src/CCE.Integration/AdminAuth/AdAuthResponse.cs
@@ -0,0 +1,10 @@
+namespace CCE.Integration.AdminAuth;
+
+public sealed record AdAuthResponse(
+    string Status,
+    string? Email = null,
+    string? FirstName = null,
+    string? LastName = null,
+    string? DisplayName = null,
+    IReadOnlyList<string>? Groups = null,
+    string? Error = null);
diff --git a/backend/src/CCE.Integration/AdminAuth/IAdminAuthGatewayClient.cs b/backend/src/CCE.Integration/AdminAuth/IAdminAuthGatewayClient.cs
@@ -0,0 +1,9 @@
+using Refit;
+
+namespace CCE.Integration.AdminAuth;
+
+public interface IAdminAuthGatewayClient
+{
+    [Post("/integrationgateway/auth/ad/login")]
+    Task<AdAuthResponse> LoginAsync([Body] AdAuthRequest request, CancellationToken cancellationToken = default);
+}

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,10 @@`
`77`	`77`	`"CommunicationGateway": {`
`78`	`78`	`"BaseUrl": "http://localhost:3001",`
`79`	`79`	`"TimeoutSeconds": 30`
	`80`	`+ },`
	`81`	`+ "AdminAuthGateway": {`
	`82`	`+ "BaseUrl": "http://localhost:3001",`
	`83`	`+ "TimeoutSeconds": 30`
`80`	`84`	`}`
`81`	`85`	`}`
`82`	`86`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,10 @@`
`64`	`64`	`"CommunicationGateway": {`
`65`	`65`	`"BaseUrl": "http://localhost:3001",`
`66`	`66`	`"TimeoutSeconds": 30`
	`67`	`+ },`
	`68`	`+ "AdminAuthGateway": {`
	`69`	`+ "BaseUrl": "http://localhost:3001",`
	`70`	`+ "TimeoutSeconds": 30`
`67`	`71`	`}`
`68`	`72`	`}`
`69`	`73`	`}`