Update the administration website to manage federation entities

Author: habarthierry-hue

src/IdServer/SimpleIdServer.IdServer.Domains/TranslatableConverter.cs

@@ -68,6 +68,8 @@ public override void Write(Utf8JsonWriter writer, T value, JsonSerializerOptions
                 writer.WriteNumber(prop.Item2, (double)obj);
             else if (propertyType == typeof(DateTime))
                 writer.WriteString(prop.Item2, (DateTime)obj);
+            else if (propertyType == typeof(DateTime?) && obj != null)
+                writer.WriteString(prop.Item2, (DateTime)obj);
             else if (TryGetEnumType(propertyType, out Type resultType))
                 writer.WriteString(prop.Item2, Enum.GetName(resultType, obj));
             else if (propertyType.GetInterfaces().Any(i => i.IsGenericType && i.GetGenericTypeDefinition() == typeof(IEnumerable<>)))

src/IdServer/SimpleIdServer.IdServer.Federation/Apis/FederationEntity/AddTrustedAnchorRequest.cs

@@ -0,0 +1,11 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using Newtonsoft.Json;
+
+namespace SimpleIdServer.IdServer.Federation.Apis.FederationEntity;
+
+public class AddTrustedAnchorRequest
+{
+    [JsonProperty("url")]
+    public string Url { get; set; } = null!;
+}

src/IdServer/SimpleIdServer.IdServer.Federation/Apis/FederationEntity/FederationEntitiesController.cs

@@ -0,0 +1,125 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+using SimpleIdServer.IdServer.Api;
+using SimpleIdServer.IdServer.Exceptions;
+using SimpleIdServer.IdServer.Helpers;
+using SimpleIdServer.IdServer.Jwt;
+using SimpleIdServer.IdServer.Stores;
+using SimpleIdServer.OpenidFederation.Clients;
+using SimpleIdServer.OpenidFederation.Stores;
+using System.Net;
+using System.Text.Json;
+
+namespace SimpleIdServer.IdServer.Federation.Apis.FederationEntity;
+
+public class FederationEntitiesController : BaseController
+{
+    private readonly IFederationEntityStore _federationEntityStore;
+    private readonly ITransactionBuilder _transactionBuilder;
+    private readonly ILogger<FederationEntitiesController> _logger;
+    private readonly IdServer.Helpers.IHttpClientFactory _httpClientFactory;
+
+    public FederationEntitiesController(
+        IFederationEntityStore federationEntityStore,
+        ITransactionBuilder transactionBuilder,
+        ILogger<FederationEntitiesController> logger,
+        IdServer.Helpers.IHttpClientFactory httpClientFactory,
+        ITokenRepository tokenRepository, 
+        IJwtBuilder jwtBuilder) : base(tokenRepository, jwtBuilder)
+    {
+        _federationEntityStore = federationEntityStore;
+        _transactionBuilder = transactionBuilder;
+        _logger = logger;
+        _httpClientFactory = httpClientFactory;
+    }
+
+    [HttpPost]
+    public async Task<IActionResult> AddTrustAnchor([FromRoute] string prefix, [FromBody] AddTrustedAnchorRequest request, CancellationToken cancellationToken)
+    {
+        prefix = prefix ?? Constants.DefaultRealm;
+        try
+        {
+            await CheckAccessToken(prefix, IdServerFederationConstants.StandardScopes.FederationEntities.Name);
+            if (request == null) throw new OAuthException(ErrorCodes.INVALID_REQUEST, IdServer.Resources.Global.InvalidIncomingRequest);
+            if (string.IsNullOrWhiteSpace(request.Url)) throw new OAuthException(ErrorCodes.INVALID_REQUEST, string.Format(IdServer.Resources.Global.MissingParameter, "url"));
+            var federationEntity = await _federationEntityStore.GetByUrl(prefix, request.Url, cancellationToken);
+            if (federationEntity != null) throw new OAuthException(ErrorCodes.INVALID_REQUEST, Resources.Global.FederationEntityAlreadyExists);
+            using(var resolver = TrustChainResolver.New(_httpClientFactory.GetHttpClient()))
+            {
+                using (var transaction = _transactionBuilder.Build())
+                {
+                    var openidFederation = await resolver.ResolveOpenidFederation(request.Url, cancellationToken);
+                    if (openidFederation == null) throw new OAuthException(ErrorCodes.INVALID_REQUEST, Resources.Global.OpenidFederationCannotBeResolved);
+                    federationEntity = new SimpleIdServer.OpenidFederation.Domains.FederationEntity
+                    {
+                        Id = Guid.NewGuid().ToString(),
+                        IsSubordinate = false,
+                        Realm = prefix,
+                        Sub = request.Url,
+                        CreateDateTime = DateTime.UtcNow
+                    };
+                    _federationEntityStore.Add(federationEntity);
+                    await transaction.Commit(cancellationToken);
+                    return new ContentResult
+                    {
+                        Content = JsonSerializer.Serialize(federationEntity),
+                        ContentType = "application/json",
+                        StatusCode = (int)HttpStatusCode.Created
+                    };
+                }
+            }
+        }
+        catch(InvalidOperationException ex)
+        {
+            _logger.LogError(ex.ToString());
+            return BuildError(ex);
+        }
+        catch (OAuthException ex)
+        {
+            _logger.LogError(ex.ToString());
+            return BuildError(ex);
+        }
+    }
+
+    [HttpDelete]
+    public async Task<IActionResult> Delete([FromRoute] string prefix, string id, CancellationToken cancellationToken)
+    {
+        prefix = prefix ?? Constants.DefaultRealm;
+        try
+        {
+            using (var transaction = _transactionBuilder.Build())
+            {
+                await CheckAccessToken(prefix, IdServerFederationConstants.StandardScopes.FederationEntities.Name);
+                var federationEntity = await _federationEntityStore.Get(id, cancellationToken);
+                if (federationEntity == null) throw new OAuthException(HttpStatusCode.NotFound, ErrorCodes.INVALID_REQUEST, Resources.Global.FederationEntityUnknown);
+                _federationEntityStore.Remove(federationEntity);
+                await transaction.Commit(cancellationToken);
+                return NoContent();
+            }
+        }
+        catch (OAuthException ex)
+        {
+            _logger.LogError(ex.ToString());
+            return BuildError(ex);
+        }
+    }
+
+    [HttpPost]
+    public async Task<IActionResult> SearchFederationEntities([FromRoute] string prefix, [FromBody] SearchRequest request, CancellationToken cancellationToken)
+    {
+        prefix = prefix ?? Constants.DefaultRealm;
+        try
+        {
+            await CheckAccessToken(prefix, IdServerFederationConstants.StandardScopes.FederationEntities.Name);
+            var result = await _federationEntityStore.Search(prefix, request, cancellationToken);
+            return new OkObjectResult(result);
+        }
+        catch (OAuthException ex)
+        {
+            _logger.LogError(ex.ToString());
+            return BuildError(ex);
+        }
+    }
+}

src/IdServer/SimpleIdServer.IdServer.Federation/IdServerFederationConstants.cs

@@ -0,0 +1,28 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using SimpleIdServer.IdServer.Domains;
+using static SimpleIdServer.IdServer.Constants;
+
+namespace SimpleIdServer.IdServer.Federation;
+
+public static class IdServerFederationConstants
+{
+    public static class StandardScopes
+    {
+        public static Scope FederationEntities = new Scope
+        {
+            Id = Guid.NewGuid().ToString(),
+            Type = ScopeTypes.APIRESOURCE,
+            Name = "federation_entities",
+            Realms = new List<Domains.Realm>
+            {
+                StandardRealms.Master
+            },
+            Protocol = ScopeProtocols.OAUTH,
+            IsExposedInConfigurationEdp = true,
+            CreateDateTime = DateTime.UtcNow,
+            UpdateDateTime = DateTime.UtcNow
+        };
+    }
+}

src/IdServer/SimpleIdServer.IdServer.Federation/Resources/Global.Designer.cs

@@ -123,6 +123,12 @@
   <data name="ClientRegistrationTypesMustBeSpecified" xml:space="preserve">
     <value>the client_registration_types must be specified by the RP entity statement</value>
   </data>
+  <data name="FederationEntityAlreadyExists" xml:space="preserve">
+    <value>federation entity already exists</value>
+  </data>
+  <data name="FederationEntityUnknown" xml:space="preserve">
+    <value>the federation entity doesn't exist</value>
+  </data>
   <data name="InvalidIssuer" xml:space="preserve">
     <value>the issuer is not valid</value>
   </data>
@@ -138,4 +144,7 @@
   <data name="OnlyFollowingAuthMethodsAreSupported" xml:space="preserve">
     <value>only the following authentication methods {0} are supported</value>
   </data>
+  <data name="OpenidFederationCannotBeResolved" xml:space="preserve">
+    <value>the openid-federation cannot be resolved</value>
+  </data>
 </root>

src/IdServer/SimpleIdServer.IdServer.Federation/Resources/Global.resx

@@ -23,6 +23,15 @@ public static WebApplication UseOpenidFederation(this WebApplication webApplicat
             webApplication.SidMapControllerRoute("federationRegistration",
                 pattern: (usePrefix ? "{prefix}/" : string.Empty) + OpenidFederationConstants.EndPoints.FederationRegistration,
                 defaults: new { controller = "FederationRegistration", action = "Post" });
+            webApplication.SidMapControllerRoute("addFederationEntity",
+                pattern: (usePrefix ? "{prefix}/" : string.Empty) + OpenidFederationConstants.EndPoints.FederationEntities + "/trustanchors",
+                defaults: new { controller = "FederationEntities", action = "AddTrustAnchor" });
+            webApplication.SidMapControllerRoute("searchFederationEntities",
+                pattern: (usePrefix ? "{prefix}/" : string.Empty) + OpenidFederationConstants.EndPoints.FederationEntities + "/.search",
+                defaults: new { controller = "FederationEntities", action = "SearchFederationEntities" });
+            webApplication.SidMapControllerRoute("removeFederationEntity",
+                pattern: (usePrefix ? "{prefix}/" : string.Empty) + OpenidFederationConstants.EndPoints.FederationEntities + "/{id}",
+                defaults: new { controller = "FederationEntities", action = "Delete" });
             if (federationOpts.IsFederationEnabled)
             {
                 webApplication.SidMapControllerRoute("federationFetch",

src/IdServer/SimpleIdServer.IdServer.Federation/WebApplicationExtensions.cs

@@ -3,7 +3,7 @@
 
 using System.Text.Json.Serialization;
 
-namespace SimpleIdServer.IdServer.Stores;
+namespace SimpleIdServer.IdServer.Helpers;
 
 public class SearchRequest
 {

…erver.IdServer/Stores/SearchParameter.cs …Server.IdServer.Helpers/SearchRequest.cssrc/IdServer/SimpleIdServer.IdServer/Stores/SearchParameter.cs renamed to src/IdServer/SimpleIdServer.IdServer.Helpers/SearchRequest.cs src/IdServer/SimpleIdServer.IdServer/Stores/SearchParameter.cs renamed to src/IdServer/SimpleIdServer.IdServer.Helpers/SearchRequest.cs

@@ -1,9 +1,8 @@
 // Copyright (c) SimpleIdServer. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
-using System.Collections.Generic;
 using System.Text.Json.Serialization;
 
-namespace SimpleIdServer.IdServer.Stores;
+namespace SimpleIdServer.IdServer.Helpers;
 
 public class SearchResult<TContent>
 {

…IdServer.IdServer/Stores/SearchResult.cs …dServer.IdServer.Helpers/SearchResult.cssrc/IdServer/SimpleIdServer.IdServer/Stores/SearchResult.cs renamed to src/IdServer/SimpleIdServer.IdServer.Helpers/SearchResult.cs src/IdServer/SimpleIdServer.IdServer/Stores/SearchResult.cs renamed to src/IdServer/SimpleIdServer.IdServer.Helpers/SearchResult.cs

@@ -103,7 +103,8 @@ public class IdServerConfiguration
             SimpleIdServer.IdServer.Constants.StandardScopes.CredentialInstances,
             SimpleIdServer.IdServer.Constants.StandardScopes.DeferredCreds,
             UniversityDegreeScope,
-            CtWalletScope
+            CtWalletScope,
+            SimpleIdServer.IdServer.Federation.IdServerFederationConstants.StandardScopes.FederationEntities
         };
 
         public static ICollection<User> Users => new List<User>
@@ -158,7 +159,8 @@ public class IdServerConfiguration
                     SimpleIdServer.IdServer.Constants.StandardScopes.CertificateAuthorities,
                     SimpleIdServer.IdServer.Constants.StandardScopes.Clients,
                     SimpleIdServer.IdServer.Constants.StandardScopes.Realms, 
-                    SimpleIdServer.IdServer.Constants.StandardScopes.Groups).Build(),
+                    SimpleIdServer.IdServer.Constants.StandardScopes.Groups,
+                    SimpleIdServer.IdServer.Federation.IdServerFederationConstants.StandardScopes.FederationEntities).Build(),
             ClientBuilder.BuildTraditionalWebsiteClient("swaggerClient", "password", null, "https://localhost:5001/swagger/oauth2-redirect.html", "https://localhost:5001/(.*)/swagger/oauth2-redirect.html", "http://localhost").AddScope(
                 SimpleIdServer.IdServer.Constants.StandardScopes.Provisioning, 
                 SimpleIdServer.IdServer.Constants.StandardScopes.Users, 
@@ -173,7 +175,8 @@ public class IdServerConfiguration
                 SimpleIdServer.IdServer.Constants.StandardScopes.CertificateAuthorities,
                 SimpleIdServer.IdServer.Constants.StandardScopes.Clients, 
                 SimpleIdServer.IdServer.Constants.StandardScopes.Realms,
-                SimpleIdServer.IdServer.Constants.StandardScopes.Groups).Build(),
+                SimpleIdServer.IdServer.Constants.StandardScopes.Groups,
+                SimpleIdServer.IdServer.Federation.IdServerFederationConstants.StandardScopes.FederationEntities).Build(),
             ClientBuilder.BuildTraditionalWebsiteClient("postman", "password", null, "http://localhost").EnableClientGrantType().AddScope(
                 SimpleIdServer.IdServer.Constants.StandardScopes.Provisioning,
                 SimpleIdServer.IdServer.Constants.StandardScopes.Users,
@@ -188,7 +191,8 @@ public class IdServerConfiguration
                 SimpleIdServer.IdServer.Constants.StandardScopes.CertificateAuthorities,
                 SimpleIdServer.IdServer.Constants.StandardScopes.Clients,
                 SimpleIdServer.IdServer.Constants.StandardScopes.Realms,
-                SimpleIdServer.IdServer.Constants.StandardScopes.Groups).Build(),
+                SimpleIdServer.IdServer.Constants.StandardScopes.Groups,
+                SimpleIdServer.IdServer.Federation.IdServerFederationConstants.StandardScopes.FederationEntities).Build(),
             WsClientBuilder.BuildWsFederationClient("urn:website").SetClientName("NAME").Build(),
             ClientBuilder.BuildUserAgentClient("oauth", "password", null, "https://oauth.tools/callback/code")
                 .AddScope(SimpleIdServer.IdServer.Constants.StandardScopes.OpenIdScope, SimpleIdServer.IdServer.Constants.StandardScopes.Profile)
@@ -272,7 +276,8 @@ public class IdServerConfiguration
                 Id  = Guid.NewGuid().ToString(),
                 IsSubordinate = false,
                 Realm = IdServer.Constants.DefaultRealm,
-                Sub = "http://localhost:7000"
+                Sub = "http://localhost:7000",
+                CreateDateTime = DateTime.UtcNow
             }
         };
     }