From 8d9b86cda2a94aea62e44c410cd20700ad82abe7 Mon Sep 17 00:00:00 2001
From: Kevin BEAUGRAND <9513635+kbeaugrand@users.noreply.github.com>
Date: Fri, 1 Jul 2022 09:04:27 +0200
Subject: [PATCH] Merge Hotfixes from 2.3 (#883)
---
 .../Server/ConfigHandler.cs | 21 ++++++++++++++++
 .../Server/DevelopmentConfigHandler.cs | 14 +++++++++++
 .../Server/ProductionConfigHandler.cs | 14 +++++++++++
 src/AzureIoTHub.Portal/Server/Startup.cs | 25 +++++++++++++++----
 4 files changed, 69 insertions(+), 5 deletions(-)
diff --git a/src/AzureIoTHub.Portal/Server/ConfigHandler.cs b/src/AzureIoTHub.Portal/Server/ConfigHandler.cs
index c5831c6c6..232c1946a 100644
--- a/src/AzureIoTHub.Portal/Server/ConfigHandler.cs
+++ b/src/AzureIoTHub.Portal/Server/ConfigHandler.cs
@@ -15,12 +15,19 @@ public abstract class ConfigHandler
 internal const string DPSConnectionStringKey = "IoTDPS:ConnectionString";
 internal const string DPSServiceEndpointKey = "IoTDPS:ServiceEndpoint";
 internal const string DPSIDScopeKey = "IoTDPS:IDScope";
+ internal const string UseSecurityHeadersKey = "UseSecurityHeaders";
 internal const string OIDCScopeKey = "OIDC:Scope";
 internal const string OIDCAuthorityKey = "OIDC:Authority";
 internal const string OIDCMetadataUrlKey = "OIDC:MetadataUrl";
 internal const string OIDCClientIdKey = "OIDC:ClientId";
 internal const string OIDCApiClientIdKey = "OIDC:ApiClientId";
+ internal const string OIDCValidateIssuerKey = "OIDC:ValidateIssuer";
+ internal const string OIDCValidateAudienceKey = "OIDC:ValidateAudience";
+ internal const string OIDCValidateLifetimeKey = "OIDC:ValidateLifetime";
+ internal const string OIDCValidateIssuerSigningKeyKey = "OIDC:ValidateIssuerSigningKey";
+ internal const string OIDCValidateActorKey = "OIDC:ValidateActor";
+ internal const string OIDCValidateTokenReplayKey = "OIDC:ValidateTokenReplay";
 internal const string IsLoRaFeatureEnabledKey = "LoRaFeature:Enabled";
@@ -57,6 +64,8 @@ internal static ConfigHandler Create(IWebHostEnvironment env, IConfiguration con
 internal abstract string StorageAccountConnectionString { get; }
+ internal abstract bool UseSecurityHeaders { get; }
+
 internal abstract string OIDCScope { get; }
 internal abstract string OIDCApiClientId { get; }
@@ -67,6 +76,18 @@ internal static ConfigHandler Create(IWebHostEnvironment env, IConfiguration con
 internal abstract string OIDCAuthority { get; }
+ internal abstract bool OIDCValidateIssuer { get; }
+
+ internal abstract bool OIDCValidateAudience { get; }
+
+ internal abstract bool OIDCValidateLifetime { get; }
+
+ internal abstract bool OIDCValidateIssuerSigningKey { get; }
+
+ internal abstract bool OIDCValidateActor { get; }
+
+ internal abstract bool OIDCValidateTokenReplay { get; }
+
 internal abstract bool IsLoRaEnabled { get; }
 internal abstract string StorageAccountBlobContainerName { get; }
diff --git a/src/AzureIoTHub.Portal/Server/DevelopmentConfigHandler.cs b/src/AzureIoTHub.Portal/Server/DevelopmentConfigHandler.cs
index c62dc5ae3..423de0d44 100644
--- a/src/AzureIoTHub.Portal/Server/DevelopmentConfigHandler.cs
+++ b/src/AzureIoTHub.Portal/Server/DevelopmentConfigHandler.cs
@@ -30,6 +30,8 @@ internal DevelopmentConfigHandler(IConfiguration config)
 internal override string StorageAccountConnectionString => this.config[StorageAccountConnectionStringKey];
+ internal override bool UseSecurityHeaders => this.config.GetValue(UseSecurityHeadersKey, true);
+
 internal override string OIDCScope => this.config[OIDCScopeKey];
 internal override string OIDCAuthority => this.config[OIDCAuthorityKey];
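Review bot: The six new abstract OIDCValidate* properties in the `@@ -67,6 +76,18 @@` hunk carry no documentation, yet each one switches off a bearer-token validation check in Startup when set to false, so a reader of this class cannot tell the default or the consequence of flipping it. Suggest an XML summary on each, e.g. on OIDCValidateIssuerSigningKey: `/// <summary>Whether the token signature is verified against the issuer's signing keys. Defaults to true; set to false only for local development, since unsigned tokens are then accepted.</summary>`. The same applies to UseSecurityHeaders in the `@@ -57,6 +64,8 @@` hunk, where the summary should say that false removes the whole security-headers middleware, not only the CSP. The enclosing class ConfigHandler starts and ends outside these hunks.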
@@ -40,6 +42,18 @@ internal DevelopmentConfigHandler(IConfiguration config)
 internal override string OIDCApiClientId => this.config[OIDCApiClientIdKey];
+ internal override bool OIDCValidateIssuer => this.config.GetValue(OIDCValidateIssuerKey, true);
+
+ internal override bool OIDCValidateAudience => this.config.GetValue(OIDCValidateAudienceKey, true);
+
+ internal override bool OIDCValidateLifetime => this.config.GetValue(OIDCValidateLifetimeKey, true);
+
+ internal override bool OIDCValidateIssuerSigningKey => this.config.GetValue(OIDCValidateIssuerSigningKeyKey, true);
+
+ internal override bool OIDCValidateActor => this.config.GetValue(OIDCValidateActorKey, false);
+
+ internal override bool OIDCValidateTokenReplay => this.config.GetValue(OIDCValidateTokenReplayKey, false);
+
 internal override bool IsLoRaEnabled => bool.Parse(this.config[IsLoRaFeatureEnabledKey] ?? "true");
 internal override string StorageAccountBlobContainerName => this.config[StorageAccountBlobContainerNameKey];
diff --git a/src/AzureIoTHub.Portal/Server/ProductionConfigHandler.cs b/src/AzureIoTHub.Portal/Server/ProductionConfigHandler.cs
index 7fb22b4ce..a4d331bdd 100644
--- a/src/AzureIoTHub.Portal/Server/ProductionConfigHandler.cs
+++ b/src/AzureIoTHub.Portal/Server/ProductionConfigHandler.cs
@@ -30,6 +30,8 @@ internal ProductionConfigHandler(IConfiguration config)
 internal override string StorageAccountConnectionString => this.config.GetConnectionString(StorageAccountConnectionStringKey);
+ internal override bool UseSecurityHeaders => this.config.GetValue(UseSecurityHeadersKey, true);
+
 internal override string OIDCScope => this.config[OIDCScopeKey];
 internal override string OIDCAuthority => this.config[OIDCAuthorityKey];
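Review bot: The six OIDCValidate* overrides added here are byte-for-byte identical to the ones added to ProductionConfigHandler.cs in the next file (`@@ -40,6 +42,18 @@`), and the UseSecurityHeaders override is duplicated the same way in both `@@ -30,6 +30,8 @@` hunks; since every one of them is just `this.config.GetValue(key, default)`, the defaults could live once in the ConfigHandler base class as non-abstract properties so the two environments cannot drift apart on a security default. Separately, `GetValue<bool>` throws an InvalidOperationException when the configured string is not a valid boolean, and because these properties are first read inside the AddJwtBearer options callback the failure would presumably surface on the first authenticated request rather than at startup — confirm, and consider reading them once in the constructor so a typo fails fast. The enclosing class starts and ends outside the hunk.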
@@ -40,6 +42,18 @@ internal ProductionConfigHandler(IConfiguration config)
 internal override string OIDCApiClientId => this.config[OIDCApiClientIdKey];
+ internal override bool OIDCValidateIssuer => this.config.GetValue(OIDCValidateIssuerKey, true);
+
+ internal override bool OIDCValidateAudience => this.config.GetValue(OIDCValidateAudienceKey, true);
+
+ internal override bool OIDCValidateLifetime => this.config.GetValue(OIDCValidateLifetimeKey, true);
+
+ internal override bool OIDCValidateIssuerSigningKey => this.config.GetValue(OIDCValidateIssuerSigningKeyKey, true);
+
+ internal override bool OIDCValidateActor => this.config.GetValue(OIDCValidateActorKey, false);
+
+ internal override bool OIDCValidateTokenReplay => this.config.GetValue(OIDCValidateTokenReplayKey, false);
+
 internal override bool IsLoRaEnabled => bool.Parse(this.config[IsLoRaFeatureEnabledKey] ?? "true");
 internal override string StorageAccountBlobContainerName => this.config[StorageAccountBlobContainerNameKey];
diff --git a/src/AzureIoTHub.Portal/Server/Startup.cs b/src/AzureIoTHub.Portal/Server/Startup.cs
index 9de8848ec..2bdbe1229 100644
--- a/src/AzureIoTHub.Portal/Server/Startup.cs
+++ b/src/AzureIoTHub.Portal/Server/Startup.cs
@@ -87,10 +87,12 @@ public void ConfigureServices(IServiceCollection services)
 opts.MetadataAddress = configuration.OIDCMetadataUrl;
 opts.Audience = configuration.OIDCApiClientId;
- opts.TokenValidationParameters.ValidateIssuer = true;
- opts.TokenValidationParameters.ValidateAudience = true;
- opts.TokenValidationParameters.ValidateLifetime = true;
- opts.TokenValidationParameters.ValidateIssuerSigningKey = true;
+ opts.TokenValidationParameters.ValidateIssuer = configuration.OIDCValidateIssuer;
+ opts.TokenValidationParameters.ValidateAudience = configuration.OIDCValidateAudience;
+ opts.TokenValidationParameters.ValidateLifetime = configuration.OIDCValidateLifetime;
+ opts.TokenValidationParameters.ValidateIssuerSigningKey = configuration.OIDCValidateIssuerSigningKey;
+ opts.TokenValidationParameters.ValidateActor = configuration.OIDCValidateActor;
+ opts.TokenValidationParameters.ValidateTokenReplay = configuration.OIDCValidateTokenReplay;
 });
 _ = services.AddSingleton(configuration);
@@ -275,11 +277,24 @@ public async void Configure(IApplicationBuilder app, IWebHostEnvironment env)
 ArgumentNullException.ThrowIfNull(env, nameof(env));
 ArgumentNullException.ThrowIfNull(app, nameof(app));
+ var configuration = app.ApplicationServices.GetService();
+
 // Use problem details
 _ = app.UseProblemDetails();
 app.UseIfElse(IsApiRequest, UseApiExceptionMiddleware, UseUIExceptionMiddleware);
- _ = app.UseSecurityHeaders();
+ if (configuration.UseSecurityHeaders)
+ {
+ _ = app.UseSecurityHeaders(opts =>
+ {
+ _ = opts.AddContentSecurityPolicy(csp =>
+ {
+ _ = csp.AddFrameAncestors()
+ .Self()
+ .From(configuration.OIDCMetadataUrl);
+ });
+ });
+ }
 if (env.IsDevelopment())
 {
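Review bot: After this hunk every core token check — issuer, audience, lifetime and signing key — can be switched off by configuration, and nothing records that it happened: a deployment that sets `OIDC:ValidateIssuerSigningKey` to false would silently accept tokens whose signature was never verified. Suggest at least logging a warning in ConfigureServices when any of the four is false, or rejecting such a configuration when `env.IsProduction()` so the relaxed mode stays a development-only option. Note also that `ValidateTokenReplay` only does anything if `TokenValidationParameters.TokenReplayCache` is assigned, which this hunk does not do; as far as I recall the validator returns early without a cache, so the flag as wired is probably a no-op — confirm before documenting it as a feature. ConfigureServices starts and ends outside the hunk.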
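Review bot: `app.ApplicationServices.GetService()` (the type argument seems to have been lost in rendering) returns null when the service is not registered, and `configuration.UseSecurityHeaders` a few lines later would then throw a NullReferenceException; `app.ApplicationServices.GetRequiredService<ConfigHandler>()` fails with a clear message instead. The `frame-ancestors` source given to `.From(configuration.OIDCMetadataUrl)` is the discovery-document URL including its path, so if the intent is to let the identity provider's pages frame the portal the source should be that provider's origin (e.g. `new Uri(configuration.OIDCMetadataUrl).GetLeftPart(UriPartial.Authority)`), and a null OIDCMetadataUrl should be guarded before it reaches the header builder. Finally, a false `UseSecurityHeaders` drops the whole middleware — every default header, not only the CSP — so a warning log on that branch would help operators notice a weakened deployment. Configure starts and ends outside the hunk.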