microsoft · MattMcL4475 · Oct 4, 2023 · Oct 4, 2023 · Oct 4, 2023 · Oct 5, 2023
diff --git a/src/TesApi.Web/Extensions/ServiceCollectionExtensions.cs b/src/TesApi.Web/Extensions/ServiceCollectionExtensions.cs
@@ -0,0 +1,82 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System.Linq;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Mvc.Authorization;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Tokens;
+using Newtonsoft.Json.Converters;
+using Newtonsoft.Json.Serialization;
+using TesApi.Web.Options;
+
+namespace TesApi.Web.Extensions
+{
+    public static class ServiceCollectionExtensions
+    {
+        public static IServiceCollection ConfigureAuthenticationAndControllers(this IServiceCollection services, IConfiguration configuration)
+        {
+            var authenticationOptions = new AuthenticationOptions();
+            configuration.GetSection(AuthenticationOptions.SectionName).Bind(authenticationOptions);
+            var isAuthConfigured = authenticationOptions?.Providers?.Any() == true;
+
+            if (isAuthConfigured)
+            {
+                var authBuilder = services.AddAuthentication(options =>
+                {
+                    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
+                    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
+                });
+
+                foreach (var provider in authenticationOptions.Providers)
+                {
+                    authBuilder
+                        .AddJwtBearer(provider.Name, options =>
+                        {
+                            options.Authority = provider.Authority;
+                            options.Audience = provider.ClientId; // ClientId and Audience are synonymous
+                        })
+                        .AddOpenIdConnect(options =>
+                        {
+                            options.Authority = provider.Authority; // $"https://login.microsoftonline.com/{provider.TenantId}/v2.0";
+                            options.MetadataAddress = $"{options.Authority.TrimStart('/')}/.well-known/openid-configuration";
+                            options.ClientId = provider.ClientId; // Same as audience
+                            options.ResponseType = OpenIdConnectResponseType.Code;
+                            options.SaveTokens = false; // TODO in the future can use this to make authorized calls to Azure Storage
+                            options.TokenValidationParameters = new TokenValidationParameters
+                            {
+                                ValidateIssuer = true,
+                                ValidIssuer = provider.Authority,
+                                ValidateAudience = true,
+                                ValidAudience = provider.ClientId
+                            };
+                        });
+                }
+
+                services.AddAuthorization();
+            }
+
+            services.AddControllers(options =>
+            {
+                options.Filters.Add<Controllers.OperationCancelledExceptionFilter>();
+
+                if (isAuthConfigured)
+                {
+                    // Adds authorization to all controllers and operations
+                    // TODO might want to expose ServiceInfo with the Authority and MetadataAddress and Audience
+                    options.Filters.Add(new AuthorizeFilter());
+                }
+            })
+            .AddNewtonsoftJson(opts =>
+            {
+                opts.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
+                opts.SerializerSettings.Converters.Add(new StringEnumConverter(new CamelCaseNamingStrategy()));
+            });
+
+            return services;
+        }
+    }
+}
diff --git a/src/TesApi.Web/Options/AuthenticationOptions.cs b/src/TesApi.Web/Options/AuthenticationOptions.cs
@@ -0,0 +1,11 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+namespace TesApi.Web.Options
+{
+    public class AuthenticationOptions
+    {
+        public const string SectionName = "Authentication";
+        public AuthenticationProviderOptions[] Providers { get; set; }
+    }
+}
diff --git a/src/TesApi.Web/Options/AuthenticationProviderOptions.cs b/src/TesApi.Web/Options/AuthenticationProviderOptions.cs
@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+namespace TesApi.Web.Options
+{
+    public class AuthenticationProviderOptions
+    {
+        public string Name { get; set; }
+        public string Authority { get; set; }
+        public string ClientId { get; set; }
+    }
+}
diff --git a/src/TesApi.Web/Startup.cs b/src/TesApi.Web/Startup.cs
@@ -3,24 +3,24 @@
 
 using System;
 using System.IO;
+using System.Linq;
 using System.Reflection;
 using Azure.Core;
 using Azure.Identity;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
-using Microsoft.Extensions.Caching.Memory;
+using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
-using Newtonsoft.Json.Converters;
-using Newtonsoft.Json.Serialization;
 using Tes.ApiClients;
 using Tes.ApiClients.Options;
 using Tes.Models;
 using Tes.Repository;
 using TesApi.Filters;
+using TesApi.Web.Extensions;
 using TesApi.Web.Management;
 using TesApi.Web.Management.Batch;
 using TesApi.Web.Management.Configuration;
@@ -75,6 +75,7 @@ public void ConfigureServices(IServiceCollection services)
                     .Configure<BatchSchedulingOptions>(configuration.GetSection(BatchSchedulingOptions.SectionName))
                     .Configure<StorageOptions>(configuration.GetSection(StorageOptions.SectionName))
                     .Configure<MarthaOptions>(configuration.GetSection(MarthaOptions.SectionName))
+                    .ConfigureAuthenticationAndControllers(configuration)
 
                     .AddMemoryCache(o => o.ExpirationScanFrequency = TimeSpan.FromHours(12))
                     .AddSingleton<ICache<TesTaskDatabaseItem>, TesRepositoryCache<TesTaskDatabaseItem>>()
@@ -84,14 +85,6 @@ public void ConfigureServices(IServiceCollection services)
                     .AddSingleton<IBatchPoolFactory, BatchPoolFactory>()
                     .AddSingleton(CreateBatchPoolManagerFromConfiguration)
 
-                    .AddControllers(options => options.Filters.Add<Controllers.OperationCancelledExceptionFilter>())
-                        .AddNewtonsoftJson(opts =>
-                        {
-                            opts.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
-                            opts.SerializerSettings.Converters.Add(new StringEnumConverter(new CamelCaseNamingStrategy()));
-                        })
-                    .Services
-
                     .AddSingleton(CreateStorageAccessProviderFromConfiguration)
                     .AddSingleton<IAzureProxy>(sp => ActivatorUtilities.CreateInstance<CachingWithRetriesAzureProxy>(sp, (IAzureProxy)sp.GetRequiredService(typeof(AzureProxy))))
                     .AddSingleton<IRepository<TesTask>>(sp => ActivatorUtilities.CreateInstance<RepositoryRetryHandler<TesTask>>(sp, (IRepository<TesTask>)sp.GetRequiredService(typeof(TesTaskPostgreSqlRepository))))
@@ -264,37 +257,51 @@ BatchAccountResourceInformation CreateBatchAccountResourceInformation(IServicePr
         /// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
         /// </summary>
         /// <param name="app">An Microsoft.AspNetCore.Builder.IApplicationBuilder for the app to configure.</param>
-        public void Configure(IApplicationBuilder app)
-            => app.UseRouting()
-                .UseEndpoints(endpoints =>
-                {
-                    endpoints.MapControllers();
-                })
-
-                .UseHttpsRedirection()
-
-                .UseDefaultFiles()
-                .UseStaticFiles()
-                .UseSwagger(c =>
-                {
-                    c.RouteTemplate = "swagger/{documentName}/openapi.json";
-                })
-                .UseSwaggerUI(c =>
-                {
-                    c.SwaggerEndpoint($"/swagger/{tesVersion}/openapi.json", "Task Execution Service");
-                })
-
-                .IfThenElse(hostingEnvironment.IsDevelopment(),
+        public void Configure(IApplicationBuilder app) => app
+            .UseForwardedHeaders(new ForwardedHeadersOptions
+            {
+                ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
+            })
+            .UseDefaultFiles()
+            .UseStaticFiles()
+            .UseSwagger(c =>
+            {
+                c.RouteTemplate = "swagger/{documentName}/openapi.json";
+            })
+            .UseSwaggerUI(c =>
+            {
+                c.SwaggerEndpoint($"/swagger/{tesVersion}/openapi.json", "Task Execution Service");
+            })
+            .UseRouting()
+            .UseEndpoints(endpoints =>
+            {
+                endpoints.MapControllers();
+            })
+            .IfThenElse(app
+                .ApplicationServices
+                .GetRequiredService<IOptions<Microsoft.AspNetCore.Authentication.AuthenticationOptions>>()
+                ?.Value
+                ?.Schemes
+                ?.Any() == true,
                     s =>
                     {
-                        var r = s.UseDeveloperExceptionPage();
-                        logger.LogInformation("Configuring for Development environment");
+                        app.UseAuthentication();
+                        app.UseAuthorization();
                     },
-                    s =>
-                    {
-                        var r = s.UseHsts();
-                        logger.LogInformation("Configuring for Production environment");
-                    });
+                    s => { })
+            .IfThenElse(hostingEnvironment.IsDevelopment(),
+                s =>
+                {
+                    s.UseDeveloperExceptionPage();
+                    logger.LogInformation("Configuring for Development environment");
+                },
+                s =>
+                {
+                    s.UseHttpsRedirection();
+                    s.UseHsts();
+                    logger.LogInformation("Configuring for Production environment");
+                });
+
     }
 
     internal static class BooleanMethodSelectorExtensions

diff --git a/src/TesApi.Web/TesApi.Web.csproj b/src/TesApi.Web/TesApi.Web.csproj
@@ -17,6 +17,8 @@
     <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.4.0" />
     <PackageReference Include="Azure.Storage.Blobs" Version="12.15.0" />
     <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.21.0" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="7.0.11" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="7.0.11" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="7.0.3" />
     <PackageReference Include="Microsoft.Azure.Management.ApplicationInsights" Version="0.3.0-preview" />
     <PackageReference Include="Microsoft.Azure.Management.Batch" Version="15.0.0" />

diff --git a/src/deploy-tes-on-azure/scripts/helm/templates/service.yaml b/src/deploy-tes-on-azure/scripts/helm/templates/service.yaml
@@ -43,6 +43,7 @@ metadata:
     nginx.ingress.kubernetes.io/auth-type: basic 
     nginx.ingress.kubernetes.io/auth-secret: tes-basic-auth 
     nginx.ingress.kubernetes.io/auth-realm: "Authentication required"
+    nginx.ingress.kubernetes.io/proxy-set-headers: "X-Real-IP $remote_addr, X-Forwarded-For $proxy_add_x_forwarded_for, X-Forwarded-Proto $scheme"
 spec:
   ingressClassName: nginx
   tls: