Merge branch 'master' into publish

Author: agile.zhou

CHANGELOG.md

@@ -1,7 +1,10 @@
 # Change log
 ------------------------------
-[Unreleased]
-* Introduced dynamic role management with CRUD APIs and UI allowing custom permission assignments.
+[1.11.2]
+* Fixbug #228
+
+[1.11.1]
+* Role base access control
 
 [1.10.0]
 * Use publish timeline virtual id to compare the version between client. To enable this feature the client should use version >=1.8.0 .

src/AgileConfig.Server.Apisite/AgileConfig.Server.Apisite.csproj

@@ -3,11 +3,11 @@
 	<PropertyGroup>
 		<TargetFramework>net10.0</TargetFramework>
 		<AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>
-		<AssemblyVersion>1.11.2</AssemblyVersion>
-		<Version>1.11.2</Version>
-		<PackageVersion>1.11.2</PackageVersion>
+		<AssemblyVersion>1.11.3</AssemblyVersion>
+		<Version>1.11.3</Version>
+		<PackageVersion>1.11.3</PackageVersion>
 		<DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
-		<FileVersion>1.11.2</FileVersion>
+		<FileVersion>1.11.3</FileVersion>
 		<Authors>kklldog</Authors>
 		<Company>kklldog</Company>
 	</PropertyGroup>

src/AgileConfig.Server.Apisite/Controllers/api/ConfigController.cs

@@ -1,17 +1,18 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
-using AgileConfig.Server.Apisite.Controllers.api.Models;
+using AgileConfig.Server.Apisite.Controllers.api.Models;
 using AgileConfig.Server.Apisite.Filters;
 using AgileConfig.Server.Apisite.Metrics;
 using AgileConfig.Server.Apisite.Models;
 using AgileConfig.Server.Apisite.Models.Mapping;
+using AgileConfig.Server.Common;
 using AgileConfig.Server.Data.Entity;
 using AgileConfig.Server.IService;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Caching.Memory;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
 
 // For more information on enabling Web API for empty projects, visit https://go.microsoft.com/fwlink/?LinkID=397860
 
@@ -54,6 +55,14 @@ public async Task<ActionResult<List<ApiConfigVM>>> GetAppConfig(string appId, [F
     {
         ArgumentException.ThrowIfNullOrEmpty(appId);
 
+        var idInHeader = Encrypt.UnboxBasicAuth(HttpContext.Request).Item1;
+
+        if (appId != idInHeader)
+        {
+            await Response.WriteAsync("The AppId does not match the ID in Basic Authentication.");
+            return BadRequest();
+        }
+
         var app = await _appService.GetAsync(appId);
         if (!app.Enabled) return NotFound();
 

src/AgileConfig.Server.Common/AgileConfig.Server.Common.csproj

@@ -6,8 +6,6 @@
 
   <ItemGroup>
 	<FrameworkReference Include="Microsoft.AspNetCore.App" />
-	<PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.0" />
-    <PackageReference Include="Microsoft.Extensions.Logging" Version="10.0.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
   </ItemGroup>
 

src/AgileConfig.Server.Common/Encrypt.cs

@@ -1,7 +1,9 @@
 using System;
+using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
 using System.Threading;
+using Microsoft.AspNetCore.Http;
 
 namespace AgileConfig.Server.Common;
 
@@ -15,4 +17,43 @@ public static string Md5(string txt)
         var hashBytes = Md5Instance.Value.ComputeHash(inputBytes);
         return Convert.ToHexString(hashBytes);
     }
+
+    public static (string, string) UnboxBasicAuth(HttpRequest httpRequest)
+    {
+        var authorization = httpRequest.Headers["Authorization"];
+        if (string.IsNullOrEmpty(authorization)) return ("", "");
+        var authStr = authorization.First();
+        // Remove the "Basic " prefix.
+        if (!authStr.StartsWith("Basic "))
+        {
+            return ("", "");
+            ;
+        }
+
+        authStr = authStr.Substring(6, authStr.Length - 6);
+        byte[] base64Decode = null;
+        try
+        {
+            base64Decode = Convert.FromBase64String(authStr);
+        }
+        catch
+        {
+            return ("", "");
+        }
+
+        var base64Str = Encoding.UTF8.GetString(base64Decode);
+
+        if (string.IsNullOrEmpty(base64Str)) return ("", "");
+
+        var appId = "";
+        var sec = "";
+
+
+        var baseAuthArr = base64Str.Split(':');
+
+        if (baseAuthArr.Length > 0) appId = baseAuthArr[0];
+        if (baseAuthArr.Length > 1) sec = baseAuthArr[1];
+
+        return (appId, sec);
+    }
 }

src/AgileConfig.Server.Service/AppBasicAuthService.cs

@@ -2,6 +2,7 @@
 using System.Linq;
 using System.Text;
 using System.Threading.Tasks;
+using AgileConfig.Server.Common;
 using AgileConfig.Server.IService;
 using Microsoft.AspNetCore.Http;
 
@@ -23,41 +24,7 @@ public AppBasicAuthService(IAppService appService)
     /// <returns>Tuple of Application ID and secret extracted from the header.</returns>
     public (string, string) GetAppIdSecret(HttpRequest httpRequest)
     {
-        var authorization = httpRequest.Headers["Authorization"];
-        if (string.IsNullOrEmpty(authorization)) return ("", "");
-        var authStr = authorization.First();
-        // Remove the "Basic " prefix.
-        if (!authStr.StartsWith("Basic "))
-        {
-            return ("", "");
-            ;
-        }
-
-        authStr = authStr.Substring(6, authStr.Length - 6);
-        byte[] base64Decode = null;
-        try
-        {
-            base64Decode = Convert.FromBase64String(authStr);
-        }
-        catch
-        {
-            return ("", "");
-        }
-
-        var base64Str = Encoding.UTF8.GetString(base64Decode);
-
-        if (string.IsNullOrEmpty(base64Str)) return ("", "");
-
-        var appId = "";
-        var sec = "";
-
-
-        var baseAuthArr = base64Str.Split(':');
-
-        if (baseAuthArr.Length > 0) appId = baseAuthArr[0];
-        if (baseAuthArr.Length > 1) sec = baseAuthArr[1];
-
-        return (appId, sec);
+        return Encrypt.UnboxBasicAuth(httpRequest);
     }
 
     public async Task<bool> ValidAsync(HttpRequest httpRequest)

test/ApiSiteTests/TestApiConfigController.cs

@@ -1,24 +1,25 @@
-using System.Collections.Generic;
-using System.Threading.Tasks;
 using AgileConfig.Server.Apisite.Controllers;
 using AgileConfig.Server.Apisite.Controllers.api.Models;
 using AgileConfig.Server.Apisite.Metrics;
 using AgileConfig.Server.Apisite.Models;
 using AgileConfig.Server.Common.EventBus;
 using AgileConfig.Server.Data.Entity;
 using AgileConfig.Server.IService;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Caching.Memory;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 using Moq;
+using System.Collections.Generic;
+using System.Threading.Tasks;
 
 namespace ApiSiteTests;
 
 [TestClass]
 public class TestApiConfigController
 {
     [TestMethod]
-    public async Task TestGet()
+    public async Task GetAppConfig_WithValidApp_ReturnsConfigs()
     {
         App newApp()
         {
@@ -55,8 +56,6 @@ List<Config> newConfigs()
         }
 
         var configService = new Mock<IConfigService>();
-        //configService.Setup(s => s.GetPublishedConfigsAsync("001"))
-        //    .ReturnsAsync(newConfigs);
         configService.Setup(s => s.GetPublishedConfigsByAppIdWithInheritance(It.IsAny<string>(), It.IsAny<string>()))
             .ReturnsAsync(newConfigs);
 
@@ -65,20 +64,32 @@ List<Config> newConfigs()
         var eventBus = new Mock<ITinyEventBus>();
         var meterService = new Mock<IMeterService>();
 
+        var httpContext = new DefaultHttpContext();
+        httpContext.Request.Headers["Authorization"] = "Basic MDAxOjE=";
+
         var ctrl = new AgileConfig.Server.Apisite.Controllers.api.ConfigController(
             configService.Object,
             appService.Object,
             memoryCache,
             meterService.Object,
             new ConfigController(configService.Object, appService.Object, userSErvice.Object, eventBus.Object)
         );
+        ctrl.ControllerContext = new ControllerContext
+        {
+            HttpContext = httpContext
+        };
+
         var act = await ctrl.GetAppConfig("001", new EnvString { Value = "DEV" });
 
         Assert.IsNotNull(act);
         Assert.IsNotNull(act.Value);
         Assert.IsInstanceOfType(act.Value, typeof(List<ApiConfigVM>));
         Assert.AreEqual(2, act.Value.Count);
+    }
 
+    [TestMethod]
+    public async Task GetAppConfig_WithDisabledApp_ReturnsNotFound()
+    {
         App newApp1()
         {
             return new App
@@ -87,17 +98,29 @@ App newApp1()
             };
         }
 
-        appService = new Mock<IAppService>();
+        var appService = new Mock<IAppService>();
         appService.Setup(s => s.GetAsync(It.IsAny<string>())).ReturnsAsync(newApp1);
+        var configService = new Mock<IConfigService>();
+        IMemoryCache memoryCache = null;
+        var userSErvice = new Mock<IUserService>();
+        var eventBus = new Mock<ITinyEventBus>();
+        var meterService = new Mock<IMeterService>();
+        var httpContext = new DefaultHttpContext();
+        httpContext.Request.Headers["Authorization"] = "Basic MDAxOjE=";
 
-        ctrl = new AgileConfig.Server.Apisite.Controllers.api.ConfigController(
+        var ctrl = new AgileConfig.Server.Apisite.Controllers.api.ConfigController(
             configService.Object,
             appService.Object,
             memoryCache,
             meterService.Object,
             new ConfigController(configService.Object, appService.Object, userSErvice.Object, eventBus.Object)
         );
-        act = await ctrl.GetAppConfig("001", new EnvString { Value = "DEV" });
+        ctrl.ControllerContext = new ControllerContext
+        {
+            HttpContext = httpContext
+        };
+
+        var act = await ctrl.GetAppConfig("001", new EnvString { Value = "DEV" });
 
         Assert.IsNotNull(act);
         Assert.IsNull(act.Value);