From 2b63c74af93d263e6879abb947b0db80a1cf57b4 Mon Sep 17 00:00:00 2001
From: Matasx <matasx@seznam.cz>
Date: Sun, 8 Dec 2024 15:10:43 +0100
Subject: [PATCH] #563 Allow to use multiple authentication methods (#575)

---
 .../GenHTTP.Modules.Authentication.csproj     |  10 +-
 .../Multi/MultiAuthenticationConcern.cs       |  83 +++++++
 .../MultiAuthenticationConcernBuilder.cs      |  88 ++++++++
 Modules/Authentication/MultiAuthentication.cs |  16 ++
 .../MultiAuthenticationTests.cs               | 202 ++++++++++++++++++
 5 files changed, 394 insertions(+), 5 deletions(-)
 create mode 100644 Modules/Authentication/Multi/MultiAuthenticationConcern.cs
 create mode 100644 Modules/Authentication/Multi/MultiAuthenticationConcernBuilder.cs
 create mode 100644 Modules/Authentication/MultiAuthentication.cs
 create mode 100644 Testing/Acceptance/Modules/Authentication/MultiAuthenticationTests.cs

diff --git a/Modules/Authentication/GenHTTP.Modules.Authentication.csproj b/Modules/Authentication/GenHTTP.Modules.Authentication.csproj
index 172a01b4..f8d018b7 100644
--- a/Modules/Authentication/GenHTTP.Modules.Authentication.csproj
+++ b/Modules/Authentication/GenHTTP.Modules.Authentication.csproj
@@ -14,7 +14,7 @@
         <Version>9.3.0</Version>
 
         <Authors>Andreas Nägeli</Authors>
-        <Company/>
+        <Company />
 
         <PackageLicenseFile>LICENSE</PackageLicenseFile>
         <PackageProjectUrl>https://genhttp.org/</PackageProjectUrl>
@@ -35,20 +35,20 @@
 
     <ItemGroup>
 
-        <None Include="..\..\LICENSE" Pack="true" PackagePath="\"/>
-        <None Include="..\..\Resources\icon.png" Pack="true" PackagePath="\"/>
+        <None Include="..\..\LICENSE" Pack="true" PackagePath="\" />
+        <None Include="..\..\Resources\icon.png" Pack="true" PackagePath="\" />
 
     </ItemGroup>
 
     <ItemGroup>
 
-        <ProjectReference Include="..\..\API\GenHTTP.Api.csproj"/>
+        <ProjectReference Include="..\..\API\GenHTTP.Api.csproj" />
 
         <ProjectReference Include="..\Reflection\GenHTTP.Modules.Reflection.csproj" />
         
         <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.2.1" />
 
-        <PackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="All"/>
+        <PackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="All" />
 
         <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.2.1" />
         
diff --git a/Modules/Authentication/Multi/MultiAuthenticationConcern.cs b/Modules/Authentication/Multi/MultiAuthenticationConcern.cs
new file mode 100644
index 00000000..af1682d5
--- /dev/null
+++ b/Modules/Authentication/Multi/MultiAuthenticationConcern.cs
@@ -0,0 +1,83 @@
+using GenHTTP.Api.Content;
+using GenHTTP.Api.Protocol;
+
+namespace GenHTTP.Modules.Authentication.Multi;
+
+public sealed class MultiAuthenticationConcern : IConcern
+{
+    #region Get-/Setters
+
+    public IHandler Content { get; }
+
+    private readonly IConcern[] _delegatingConcerns;
+
+    #endregion
+
+    #region Initialization
+
+    public MultiAuthenticationConcern(IHandler content, IConcern[] delegatingConcerns)
+    {
+        Content = content;
+        _delegatingConcerns = delegatingConcerns;
+    }
+
+    #endregion
+
+    #region Functionality
+
+    public async ValueTask<IResponse?> HandleAsync(IRequest request)
+    {
+        ResponseOrException? lastResponse = null;
+        foreach (var concern in _delegatingConcerns)
+        {
+            lastResponse?.Dispose();
+
+            try
+            {
+                lastResponse = new(await concern.HandleAsync(request));
+            }
+            catch (ProviderException e)
+            {
+                lastResponse = new(Exception: e);
+            }
+
+            if (lastResponse.Status != ResponseStatus.Unauthorized)
+            {
+                return lastResponse.Get();
+            }
+        }
+
+        return lastResponse?.Get() ??
+                     request.Respond()
+                            .Status(ResponseStatus.Unauthorized)
+                            .Build();
+    }
+
+    public ValueTask PrepareAsync() => Content.PrepareAsync();
+
+    #endregion
+
+    #region Helper structure
+
+    private sealed record ResponseOrException(IResponse? Response = null, ProviderException? Exception = null) : IDisposable
+    { 
+        public IResponse? Get()
+        {
+            if (Exception != null)
+            {
+                throw Exception;
+            }
+
+            return Response;
+        }
+
+        public void Dispose()
+        {
+            Response?.Dispose();
+        }
+
+        public ResponseStatus? Status => Exception?.Status ?? Response?.Status.KnownStatus;
+    }
+
+    #endregion
+}
diff --git a/Modules/Authentication/Multi/MultiAuthenticationConcernBuilder.cs b/Modules/Authentication/Multi/MultiAuthenticationConcernBuilder.cs
new file mode 100644
index 00000000..8eaaac08
--- /dev/null
+++ b/Modules/Authentication/Multi/MultiAuthenticationConcernBuilder.cs
@@ -0,0 +1,88 @@
+using GenHTTP.Api.Content;
+using GenHTTP.Api.Infrastructure;
+using GenHTTP.Modules.Authentication.ApiKey;
+using GenHTTP.Modules.Authentication.Basic;
+using GenHTTP.Modules.Authentication.Bearer;
+using GenHTTP.Modules.Authentication.ClientCertificate;
+
+namespace GenHTTP.Modules.Authentication.Multi;
+
+/// <summary>
+/// Builder for creating a multi-concern authentication handler.
+/// </summary>
+public sealed class MultiAuthenticationConcernBuilder : IConcernBuilder
+{
+    #region Fields
+
+    private readonly List<IConcernBuilder> _delegatingConcernsBuilders = [];
+
+    #endregion
+
+    #region Private add functionality
+
+    private MultiAuthenticationConcernBuilder AddIfNotNull(IConcernBuilder concernBuilder)
+    {
+        if (concernBuilder == null) return this;
+
+        _delegatingConcernsBuilders.Add(concernBuilder);
+        return this;
+    }
+
+    #endregion
+
+    #region Functionality
+
+    /// <summary>
+    /// Add nested API concern builder to this multi concern.
+    /// </summary>
+    /// <param name="apiKeyBuilder">Nested API key concern builder</param>
+    public MultiAuthenticationConcernBuilder Add(ApiKeyConcernBuilder apiKeyBuilder)
+        => AddIfNotNull(apiKeyBuilder);
+
+    /// <summary>
+    /// Add nested API concern builder to this multi concern.
+    /// </summary>
+    /// <param name="basicBuilder">Nested Basic concern builder</param>
+    public MultiAuthenticationConcernBuilder Add(BasicAuthenticationConcernBuilder basicBuilder)
+        => AddIfNotNull(basicBuilder);
+
+    /// <summary>
+    /// Add nested API concern builder to this multi concern.
+    /// </summary>
+    /// <param name="basicKnownUsersBuilder">Nested Basic Known Users concern builder</param>
+    public MultiAuthenticationConcernBuilder Add(BasicAuthenticationKnownUsersBuilder basicKnownUsersBuilder)
+        => AddIfNotNull(basicKnownUsersBuilder);
+
+    /// <summary>
+    /// Add nested API concern builder to this multi concern.
+    /// </summary>
+    /// <param name="bearerBuilder">Nested Bearer concern builder</param>
+    public MultiAuthenticationConcernBuilder Add(BearerAuthenticationConcernBuilder bearerBuilder)
+        => AddIfNotNull(bearerBuilder);
+
+    /// <summary>
+    /// Add nested API concern builder to this multi concern.
+    /// </summary>
+    /// <param name="clientCertificateBuilder">Nested Client Certificate concern builder</param>
+    public MultiAuthenticationConcernBuilder Add(ClientCertificateAuthenticationBuilder clientCertificateBuilder)
+        => AddIfNotNull(clientCertificateBuilder);
+
+    /// <summary>
+    /// Construct the multi concern.
+    /// </summary>
+    /// <param name="content"></param>
+    /// <returns></returns>
+    public IConcern Build(IHandler content)
+    {
+        var delegatingConcerns = _delegatingConcernsBuilders.Select(x => x.Build(content)).ToArray();
+        if (delegatingConcerns.Length == 0) throw new BuilderMissingPropertyException("Concerns");
+
+        return new MultiAuthenticationConcern(
+            content,
+            delegatingConcerns
+            );
+    }
+
+    #endregion
+
+}
diff --git a/Modules/Authentication/MultiAuthentication.cs b/Modules/Authentication/MultiAuthentication.cs
new file mode 100644
index 00000000..007ffe63
--- /dev/null
+++ b/Modules/Authentication/MultiAuthentication.cs
@@ -0,0 +1,16 @@
+using GenHTTP.Modules.Authentication.Multi;
+
+namespace GenHTTP.Modules.Authentication;
+
+public static class MultiAuthentication
+{
+    #region Builder
+
+    /// <summary>
+    /// Creates a authentication handler that will use
+    /// underlying handlers to authenticate the request.
+    /// </summary>
+    public static MultiAuthenticationConcernBuilder Create() => new();
+
+    #endregion
+}
diff --git a/Testing/Acceptance/Modules/Authentication/MultiAuthenticationTests.cs b/Testing/Acceptance/Modules/Authentication/MultiAuthenticationTests.cs
new file mode 100644
index 00000000..7e05f2fc
--- /dev/null
+++ b/Testing/Acceptance/Modules/Authentication/MultiAuthenticationTests.cs
@@ -0,0 +1,202 @@
+using GenHTTP.Api.Content;
+using GenHTTP.Api.Content.Authentication;
+using GenHTTP.Api.Infrastructure;
+using GenHTTP.Api.Protocol;
+using GenHTTP.Modules.Authentication;
+using GenHTTP.Modules.Authentication.Multi;
+using GenHTTP.Modules.Functional;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+using System.Net;
+using System.Net.Http.Headers;
+using System.Text;
+
+namespace GenHTTP.Testing.Acceptance.Modules.Authentication;
+
+[TestClass]
+public sealed class MultiAuthenticationTests
+{
+    #region Supporting data structures
+
+    private const string ValidBearerToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
+
+    private class MockHandler : IHandler
+    {
+        public ValueTask<IResponse?> HandleAsync(IRequest request)
+        {
+            throw new NotImplementedException();
+        }
+
+        public ValueTask PrepareAsync()
+        {
+            throw new NotImplementedException();
+        }
+    }
+
+    #endregion
+
+    [TestMethod]
+    public void TestConcernFullBuild()
+    {
+        var builder = MultiAuthentication
+            .Create()
+            .Add(BearerAuthentication.Create())
+            .Add(ApiKeyAuthentication.Create().Authenticator((_, _) => ValueTask.FromResult<IUser?>(null)))
+            .Add(BasicAuthentication.Create())
+            .Add(BasicAuthentication.Create((_, _) => ValueTask.FromResult<IUser?>(null)))
+            .Add(ClientCertificateAuthentication.Create())
+            ;
+
+        var concern = builder.Build(new MockHandler());
+
+        Assert.IsInstanceOfType<MultiAuthenticationConcern>(concern);
+    }
+
+    [TestMethod]
+    [MultiEngineTest]
+    public async Task TestSingleBearerPass(TestEngine engine)
+    {
+        var builder = MultiAuthentication
+            .Create()
+            .Add(BearerAuthentication.Create().AllowExpired())
+            ;
+
+        using var response = await Execute(builder, engine,
+            request => request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", ValidBearerToken));
+
+        await response.AssertStatusAsync(HttpStatusCode.OK);
+
+        Assert.AreEqual("Secured", await response.GetContentAsync());
+    }
+
+    [TestMethod]
+    [MultiEngineTest]
+    public async Task TestSingleBearerFail(TestEngine engine)
+    {
+        var builder = MultiAuthentication
+            .Create()
+            .Add(BearerAuthentication.Create().AllowExpired())
+            ;
+
+        using var response = await Execute(builder, engine);
+
+        await response.AssertStatusAsync(HttpStatusCode.Unauthorized);
+    }
+
+    [TestMethod]
+    [MultiEngineTest]
+    public async Task TestSingleBasicPass(TestEngine engine)
+    {
+        var builder = MultiAuthentication
+            .Create()
+            .Add(BasicAuthentication.Create().Add("user", "pass"))
+            ;
+
+        using var response = await Execute(builder, engine,
+            request => request.Headers.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes("user:pass"))));
+
+        await response.AssertStatusAsync(HttpStatusCode.OK);
+
+        Assert.AreEqual("Secured", await response.GetContentAsync());
+    }
+
+    [TestMethod]
+    [MultiEngineTest]
+    public async Task TestSingleBasicFail(TestEngine engine)
+    {
+        var builder = MultiAuthentication
+            .Create()
+            .Add(BasicAuthentication.Create().Add("user", "pass"))
+            ;
+
+        using var response = await Execute(builder, engine,
+            request => request.Headers.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes("user:invalidpass"))));
+
+        await response.AssertStatusAsync(HttpStatusCode.Unauthorized);
+        AssertBasicChallenge(response);
+    }
+
+    [TestMethod]
+    [MultiEngineTest]
+    public async Task TestCombinedFirstPass(TestEngine engine)
+    {
+        var builder = MultiAuthentication
+            .Create()
+            .Add(BearerAuthentication.Create().AllowExpired())
+            .Add(BasicAuthentication.Create().Add("user", "pass"))
+            ;
+
+        using var response = await Execute(builder, engine,
+            request => request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", ValidBearerToken));
+
+        await response.AssertStatusAsync(HttpStatusCode.OK);
+
+        Assert.AreEqual("Secured", await response.GetContentAsync());
+    }
+
+    [TestMethod]
+    [MultiEngineTest]
+    public async Task TestCombinedSecondPass(TestEngine engine)
+    {
+        var builder = MultiAuthentication
+            .Create()
+            .Add(BearerAuthentication.Create().AllowExpired())
+            .Add(BasicAuthentication.Create().Add("user", "pass"))
+            ;
+
+        using var response = await Execute(builder, engine,
+            request => request.Headers.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes("user:pass"))));
+
+        await response.AssertStatusAsync(HttpStatusCode.OK);
+
+        Assert.AreEqual("Secured", await response.GetContentAsync());
+    }
+
+    [TestMethod]
+    [MultiEngineTest]
+    public async Task TestCombinedFail(TestEngine engine)
+    {
+        var builder = MultiAuthentication
+            .Create()
+            .Add(BearerAuthentication.Create().AllowExpired())
+            .Add(BasicAuthentication.Create().Add("user", "pass"))
+            ;
+
+        using var response = await Execute(builder, engine,
+            request => request.Headers.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes("user:invalidpass"))));
+
+        await response.AssertStatusAsync(HttpStatusCode.Unauthorized);
+        AssertBasicChallenge(response);
+    }
+
+    [TestMethod]
+    [MultiEngineTest]
+    public void TestEmpty(TestEngine engine)
+    {
+        var builder = MultiAuthentication.Create();
+
+        Assert.ThrowsException<BuilderMissingPropertyException>(() =>
+        {
+            using var response = Execute(builder, engine).GetAwaiter().GetResult();
+        });
+    }
+
+    private static void AssertBasicChallenge(HttpResponseMessage response)
+    {
+        Assert.IsNotNull(response.Headers.WwwAuthenticate.FirstOrDefault(x => x.Scheme == "Basic" && (x.Parameter?.StartsWith("realm") ?? false)));
+    }
+
+    private static async Task<HttpResponseMessage> Execute(MultiAuthenticationConcernBuilder builder, TestEngine engine, Action<HttpRequestMessage>? authAction = null)
+    {
+        var handler = Inline.Create()
+                            .Get(() => "Secured")
+                            .Add(builder);
+
+        await using var host = await TestHost.RunAsync(handler, engine: engine);
+
+        var request = host.GetRequest();
+
+        authAction?.Invoke(request);
+
+        return await host.GetResponseAsync(request);
+    }
+}