Merge Hotfixes from 2.3 (#883)

CGI-FR · Jul 1, 2022 · 8d9b86c · 8d9b86c
1 parent 34bbc42
commit 8d9b86c
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 5 deletions.
diff --git a/src/AzureIoTHub.Portal/Server/ConfigHandler.cs b/src/AzureIoTHub.Portal/Server/ConfigHandler.cs
@@ -15,12 +15,19 @@ public abstract class ConfigHandler
         internal const string DPSConnectionStringKey = "IoTDPS:ConnectionString";
         internal const string DPSServiceEndpointKey = "IoTDPS:ServiceEndpoint";
         internal const string DPSIDScopeKey = "IoTDPS:IDScope";
+        internal const string UseSecurityHeadersKey = "UseSecurityHeaders";
 
         internal const string OIDCScopeKey = "OIDC:Scope";
         internal const string OIDCAuthorityKey = "OIDC:Authority";
         internal const string OIDCMetadataUrlKey = "OIDC:MetadataUrl";
         internal const string OIDCClientIdKey = "OIDC:ClientId";
         internal const string OIDCApiClientIdKey = "OIDC:ApiClientId";
+        internal const string OIDCValidateIssuerKey = "OIDC:ValidateIssuer";
+        internal const string OIDCValidateAudienceKey = "OIDC:ValidateAudience";
+        internal const string OIDCValidateLifetimeKey = "OIDC:ValidateLifetime";
+        internal const string OIDCValidateIssuerSigningKeyKey = "OIDC:ValidateIssuerSigningKey";
+        internal const string OIDCValidateActorKey = "OIDC:ValidateActor";
+        internal const string OIDCValidateTokenReplayKey = "OIDC:ValidateTokenReplay";
 
         internal const string IsLoRaFeatureEnabledKey = "LoRaFeature:Enabled";
 
@@ -57,6 +64,8 @@ internal static ConfigHandler Create(IWebHostEnvironment env, IConfiguration con
 
         internal abstract string StorageAccountConnectionString { get; }
 
+        internal abstract bool UseSecurityHeaders { get; }
+
         internal abstract string OIDCScope { get; }
 
         internal abstract string OIDCApiClientId { get; }
@@ -67,6 +76,18 @@ internal static ConfigHandler Create(IWebHostEnvironment env, IConfiguration con
 
         internal abstract string OIDCAuthority { get; }
 
+        internal abstract bool OIDCValidateIssuer { get; }
+
+        internal abstract bool OIDCValidateAudience { get; }
+
+        internal abstract bool OIDCValidateLifetime { get; }
+
+        internal abstract bool OIDCValidateIssuerSigningKey { get; }
+
+        internal abstract bool OIDCValidateActor { get; }
+
+        internal abstract bool OIDCValidateTokenReplay { get; }
+
         internal abstract bool IsLoRaEnabled { get; }
 
         internal abstract string StorageAccountBlobContainerName { get; }

diff --git a/src/AzureIoTHub.Portal/Server/DevelopmentConfigHandler.cs b/src/AzureIoTHub.Portal/Server/DevelopmentConfigHandler.cs
@@ -30,6 +30,8 @@ internal DevelopmentConfigHandler(IConfiguration config)
 
         internal override string StorageAccountConnectionString => this.config[StorageAccountConnectionStringKey];
 
+        internal override bool UseSecurityHeaders => this.config.GetValue(UseSecurityHeadersKey, true);
+
         internal override string OIDCScope => this.config[OIDCScopeKey];
 
         internal override string OIDCAuthority => this.config[OIDCAuthorityKey];
@@ -40,6 +42,18 @@ internal DevelopmentConfigHandler(IConfiguration config)
 
         internal override string OIDCApiClientId => this.config[OIDCApiClientIdKey];
 
+        internal override bool OIDCValidateIssuer => this.config.GetValue(OIDCValidateIssuerKey, true);
+
+        internal override bool OIDCValidateAudience => this.config.GetValue(OIDCValidateAudienceKey, true);
+
+        internal override bool OIDCValidateLifetime => this.config.GetValue(OIDCValidateLifetimeKey, true);
+
+        internal override bool OIDCValidateIssuerSigningKey => this.config.GetValue(OIDCValidateIssuerSigningKeyKey, true);
+
+        internal override bool OIDCValidateActor => this.config.GetValue(OIDCValidateActorKey, false);
+
+        internal override bool OIDCValidateTokenReplay => this.config.GetValue(OIDCValidateTokenReplayKey, false);
+
         internal override bool IsLoRaEnabled => bool.Parse(this.config[IsLoRaFeatureEnabledKey] ?? "true");
 
         internal override string StorageAccountBlobContainerName => this.config[StorageAccountBlobContainerNameKey];

diff --git a/src/AzureIoTHub.Portal/Server/ProductionConfigHandler.cs b/src/AzureIoTHub.Portal/Server/ProductionConfigHandler.cs
@@ -30,6 +30,8 @@ internal ProductionConfigHandler(IConfiguration config)
 
         internal override string StorageAccountConnectionString => this.config.GetConnectionString(StorageAccountConnectionStringKey);
 
+        internal override bool UseSecurityHeaders => this.config.GetValue(UseSecurityHeadersKey, true);
+
         internal override string OIDCScope => this.config[OIDCScopeKey];
 
         internal override string OIDCAuthority => this.config[OIDCAuthorityKey];
@@ -40,6 +42,18 @@ internal ProductionConfigHandler(IConfiguration config)
 
         internal override string OIDCApiClientId => this.config[OIDCApiClientIdKey];
 
+        internal override bool OIDCValidateIssuer => this.config.GetValue(OIDCValidateIssuerKey, true);
+
+        internal override bool OIDCValidateAudience => this.config.GetValue(OIDCValidateAudienceKey, true);
+
+        internal override bool OIDCValidateLifetime => this.config.GetValue(OIDCValidateLifetimeKey, true);
+
+        internal override bool OIDCValidateIssuerSigningKey => this.config.GetValue(OIDCValidateIssuerSigningKeyKey, true);
+
+        internal override bool OIDCValidateActor => this.config.GetValue(OIDCValidateActorKey, false);
+
+        internal override bool OIDCValidateTokenReplay => this.config.GetValue(OIDCValidateTokenReplayKey, false);
+
         internal override bool IsLoRaEnabled => bool.Parse(this.config[IsLoRaFeatureEnabledKey] ?? "true");
 
         internal override string StorageAccountBlobContainerName => this.config[StorageAccountBlobContainerNameKey];

diff --git a/src/AzureIoTHub.Portal/Server/Startup.cs b/src/AzureIoTHub.Portal/Server/Startup.cs
@@ -87,10 +87,12 @@ public void ConfigureServices(IServiceCollection services)
                     opts.MetadataAddress = configuration.OIDCMetadataUrl;
                     opts.Audience = configuration.OIDCApiClientId;
 
-                    opts.TokenValidationParameters.ValidateIssuer = true;
-                    opts.TokenValidationParameters.ValidateAudience = true;
-                    opts.TokenValidationParameters.ValidateLifetime = true;
-                    opts.TokenValidationParameters.ValidateIssuerSigningKey = true;
+                    opts.TokenValidationParameters.ValidateIssuer = configuration.OIDCValidateIssuer;
+                    opts.TokenValidationParameters.ValidateAudience = configuration.OIDCValidateAudience;
+                    opts.TokenValidationParameters.ValidateLifetime = configuration.OIDCValidateLifetime;
+                    opts.TokenValidationParameters.ValidateIssuerSigningKey = configuration.OIDCValidateIssuerSigningKey;
+                    opts.TokenValidationParameters.ValidateActor = configuration.OIDCValidateActor;
+                    opts.TokenValidationParameters.ValidateTokenReplay = configuration.OIDCValidateTokenReplay;
                 });
 
             _ = services.AddSingleton(configuration);
@@ -275,11 +277,24 @@ public async void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             ArgumentNullException.ThrowIfNull(env, nameof(env));
             ArgumentNullException.ThrowIfNull(app, nameof(app));
 
+            var configuration = app.ApplicationServices.GetService<ConfigHandler>();
+
             // Use problem details
             _ = app.UseProblemDetails();
             app.UseIfElse(IsApiRequest, UseApiExceptionMiddleware, UseUIExceptionMiddleware);
 
-            _ = app.UseSecurityHeaders();
+            if (configuration.UseSecurityHeaders)
+            {
+                _ = app.UseSecurityHeaders(opts =>
+                {
+                    _ = opts.AddContentSecurityPolicy(csp =>
+                    {
+                        _ = csp.AddFrameAncestors()
+                            .Self()
+                            .From(configuration.OIDCMetadataUrl);
+                    });
+                });
+            }
 
             if (env.IsDevelopment())
             {