RE1-T116 PR#351 fixes

ucswift · ucswift · commit ffb5e50d14e5 · 2026-04-30T11:57:16.000-07:00
diff --git a/Providers/Resgrid.Providers.Claims/ResgridClaimTypes.cs b/Providers/Resgrid.Providers.Claims/ResgridClaimTypes.cs
@@ -24,6 +24,13 @@ public static class Data
 			public const string TimeZone = "TimeZone";
 			public const string DisplayName = "DisplayName";
 			public const string UserId = "UserId";
+
+			/// <summary>
+			/// Claim added to service-account tokens (client_credentials, system API keys)
+			/// so downstream controllers can identify them as non-user principals that bypass
+			/// per-user authorization checks and support cross-department operation.
+			/// </summary>
+			public const string ServiceAccount = "ServiceAccount";
 		}
 
 		public static class Resources
diff --git a/Web/Resgrid.Web.Services/Controllers/v4/ConnectController.cs b/Web/Resgrid.Web.Services/Controllers/v4/ConnectController.cs
@@ -255,44 +255,54 @@ public async Task<IActionResult> Token()
 				}
 
 				// First, check system-level credentials (timing-safe comparison)
-				if (Config.SecurityConfig.SystemLoginCredentials.ContainsKey(request.ClientId) &&
-					FixedTimeSecretEquals(Config.SecurityConfig.SystemLoginCredentials[request.ClientId], request.ClientSecret))
-				{
-					audit.Successful = true;
-					await _systemAuditsService.SaveSystemAuditAsync(audit);
+			if (Config.SecurityConfig.SystemLoginCredentials.ContainsKey(request.ClientId) &&
+				FixedTimeSecretEquals(Config.SecurityConfig.SystemLoginCredentials[request.ClientId], request.ClientSecret))
+			{
+				audit.Successful = true;
+				await _systemAuditsService.SaveSystemAuditAsync(audit);
 
-					// Create a system-level service principal with all claims
-					var identity = new ClaimsIdentity(
-						OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
-						Claims.Name,
-						Claims.Role);
+				// Create a system-level service principal with all claims
+				var identity = new ClaimsIdentity(
+					OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
+					Claims.Name,
+					Claims.Role);
 
-					identity.AddClaim(new Claim(Claims.Subject, $"system_{request.ClientId}")
-						.SetDestinations(Destinations.AccessToken, Destinations.IdentityToken));
-					identity.AddClaim(new Claim(Claims.Name, request.ClientId)
-						.SetDestinations(Destinations.AccessToken, Destinations.IdentityToken));
+				identity.AddClaim(new Claim(Claims.Subject, $"system_{request.ClientId}")
+					.SetDestinations(Destinations.AccessToken, Destinations.IdentityToken));
+				identity.AddClaim(new Claim(Claims.Name, $"System Account ({request.ClientId})")
+					.SetDestinations(Destinations.AccessToken, Destinations.IdentityToken));
+				identity.AddClaim(new Claim(ClaimTypes.PrimarySid, $"system_{request.ClientId}")
+					.SetDestinations(Destinations.AccessToken));
+				identity.AddClaim(new Claim(ClaimTypes.PrimaryGroupSid, "0")
+					.SetDestinations(Destinations.AccessToken));
+				identity.AddClaim(new Claim(ClaimTypes.GivenName, "SMTP Relay System")
+					.SetDestinations(Destinations.AccessToken, Destinations.IdentityToken));
+				identity.AddClaim(new Claim(ResgridClaimTypes.Data.DisplayName, "SMTP Relay System")
+					.SetDestinations(Destinations.AccessToken, Destinations.IdentityToken));
+				identity.AddClaim(new Claim(ResgridClaimTypes.Data.ServiceAccount, "true")
+					.SetDestinations(Destinations.AccessToken, Destinations.IdentityToken));
 
-					// Add all resource claims for full access
-					AddAllResourceClaims(identity);
+				// Add all resource claims for full access
+				AddAllResourceClaims(identity);
 
-					var principal = new ClaimsPrincipal(identity);
+				var principal = new ClaimsPrincipal(identity);
 
-					principal.SetScopes(new[]
-					{
-						Scopes.OpenId,
-						Scopes.Email,
-						Scopes.Profile
-					}.Intersect(request.GetScopes()));
+				principal.SetScopes(new[]
+				{
+					Scopes.OpenId,
+					Scopes.Email,
+					Scopes.Profile
+				}.Intersect(request.GetScopes()));
 
-					principal.SetAccessTokenLifetime(TimeSpan.FromMinutes(OidcConfig.AccessTokenExpiryMinutes));
+				principal.SetAccessTokenLifetime(TimeSpan.FromMinutes(OidcConfig.AccessTokenExpiryMinutes));
 
-					return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
-				}
+				return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+			}
 
-				// Second, try department-level credentials via department code + shared secret
-				var department = await _departmentsService.GetDepartmentByNameAsync(request.ClientId);
+			// Second, try department-level credentials via department code + shared secret
+			var department = await _departmentsService.GetDepartmentByNameAsync(request.ClientId);
 
-				if (department == null)
+			if (department == null)
 				{
 					await _systemAuditsService.SaveSystemAuditAsync(audit);
 
diff --git a/Web/Resgrid.Web.Services/Controllers/v4/UnitsController.cs b/Web/Resgrid.Web.Services/Controllers/v4/UnitsController.cs
@@ -277,7 +277,7 @@ public async Task<ActionResult<UnitResult>> GetUnitByName(string name, [FromQuer
 				return result;
 			}
 
-			if (!await _authorizationService.CanUserViewUnitViaMatrixAsync(unit.UnitId, UserId, DepartmentId))
+			if (!IsSystemApiKeyRequest && !await _authorizationService.CanUserViewUnitViaMatrixAsync(unit.UnitId, UserId, DepartmentId))
 			{
 				ResponseHelper.PopulateV4ResponseNotFound(result);
 				return result;
diff --git a/Web/Resgrid.Web.Services/Controllers/v4/V4AuthenticatedApiControllerbaseSystemAuth.cs b/Web/Resgrid.Web.Services/Controllers/v4/V4AuthenticatedApiControllerbaseSystemAuth.cs
@@ -1,5 +1,7 @@
-﻿using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc;
 using System.Linq;
+using System.Security.Claims;
+using Resgrid.Providers.Claims;
 using Resgrid.Web.ServicesCore.Helpers;
 
 namespace Resgrid.Web.Services.Controllers.v4
@@ -41,10 +43,12 @@ public class V4AuthenticatedApiControllerbaseSystemAuth : ControllerBase
 		protected string TimeZone => ClaimsAuthorizationHelper.GetTimeZone();
 
 		/// <summary>
-		/// Returns true if the current request was authenticated via the SystemApiKey scheme.
+		/// Returns true if the current request was authenticated via the SystemApiKey scheme
+		/// or carries a service-account marker claim set by the ConnectController client_credentials flow.
 		/// </summary>
 		protected bool IsSystemApiKeyRequest =>
-			HttpContext.User.Identities.Any(i => i.AuthenticationType == "SystemApiKey");
+			HttpContext.User.Identities.Any(i => i.AuthenticationType == "SystemApiKey") ||
+			HttpContext.User.HasClaim(ResgridClaimTypes.Data.ServiceAccount, "true");
 
 		/// <summary>
 		/// Returns the effective department ID for the current request.
diff --git a/Web/Resgrid.Web.Services/Middleware/SystemApiKeyAuthHandler.cs b/Web/Resgrid.Web.Services/Middleware/SystemApiKeyAuthHandler.cs
@@ -65,7 +65,8 @@ protected override Task<AuthenticateResult> HandleAuthenticateAsync()
 				// Data claims
 				new Claim(ResgridClaimTypes.Data.TimeZone, "UTC"),
 				new Claim(ResgridClaimTypes.Data.DisplayName, "SMTP Relay"),
-				new Claim(ResgridClaimTypes.Data.UserId, "smtp_relay_system")
+				new Claim(ResgridClaimTypes.Data.UserId, "smtp_relay_system"),
+				new Claim(ResgridClaimTypes.Data.ServiceAccount, "true")
 			};
 
 			// Add all resource claims for full cross-department access
diff --git a/Web/Resgrid.Web.Services/Resgrid.Web.Services.xml b/Web/Resgrid.Web.Services/Resgrid.Web.Services.xml

Original file line number	Diff line number	Diff line change
`@@ -277,7 +277,7 @@ public async Task<ActionResult<UnitResult>> GetUnitByName(string name, [FromQuer`
`277`	`277`	`return result;`
`278`	`278`	`}`
`279`	`279`
`280`		`- if (!await _authorizationService.CanUserViewUnitViaMatrixAsync(unit.UnitId, UserId, DepartmentId))`
	`280`	`+ if (!IsSystemApiKeyRequest && !await _authorizationService.CanUserViewUnitViaMatrixAsync(unit.UnitId, UserId, DepartmentId))`
`281`	`281`	`{`
`282`	`282`	`ResponseHelper.PopulateV4ResponseNotFound(result);`
`283`	`283`	`return result;`