backend autorisatie

Klantinteractie-Servicesysteem · Jan 9, 2025 · 2a748b4 · 2a748b4
1 parent be78da5
commit 2a748b4
Showing 1 changed file with 37 additions and 9 deletions.
diff --git a/Kiss.Bff/Extern/Vacs/VacsProxyConfig.cs b/Kiss.Bff/Extern/Vacs/VacsProxyConfig.cs
@@ -1,22 +1,38 @@
 using System.Net.Http.Headers;
+using Microsoft.AspNetCore.Authorization;
 using Yarp.ReverseProxy.Transforms;
 
 namespace Kiss.Bff.Vacs
 {
     public static class VacsExtensions
     {
         public static IServiceCollection AddVacsProxy(this IServiceCollection services, string destination, string token, string objectTypeUrl, string typeVersion)
-            => services.AddSingleton(new VacsProxyConfig(destination, token, objectTypeUrl, typeVersion))
-            .AddSingleton<IKissProxyRoute>(s => s.GetRequiredService<VacsProxyConfig>());
+        {
+            return services.AddSingleton<IKissProxyRoute>(s =>
+            {
+                var authorizationService = s.GetRequiredService<IAuthorizationService>();
+                var policyProvider = s.GetRequiredService<IAuthorizationPolicyProvider>();
+
+                return new VacsProxyConfig(destination, token, objectTypeUrl, typeVersion, authorizationService, policyProvider);
+            });
+        }
     }
 
     public class VacsProxyConfig : IKissProxyRoute
     {
-        public VacsProxyConfig(string destination, string token, string objectTypeUrl, string typeVersion)
+        private readonly IAuthorizationService _authorizationService;
+        private readonly IAuthorizationPolicyProvider _policyProvider;
+        private readonly string _token;
+
+        public VacsProxyConfig(string destination, string token, string objectTypeUrl, string typeVersion,
+            IAuthorizationService authorizationService,
+            IAuthorizationPolicyProvider policyProvider)
         {
             Destination = destination;
             ObjectTypeUrl = objectTypeUrl;
             TypeVersion = typeVersion ?? "1";
+            _authorizationService = authorizationService;
+            _policyProvider = policyProvider;
             _token = token;
         }
 
@@ -26,21 +42,33 @@ public VacsProxyConfig(string destination, string token, string objectTypeUrl, s
         public string ObjectTypeUrl { get; }
         public string TypeVersion { get; }
 
-        private readonly string _token;
-
-        public ValueTask ApplyRequestTransform(RequestTransformContext context)
+        public async ValueTask ApplyRequestTransform(RequestTransformContext context)
         {
-            ApplyHeaders(context.ProxyRequest.Headers, context.HttpContext.User);
+            var policy = await _policyProvider.GetPolicyAsync(Policies.RedactiePolicy);
+            if (policy == null)
+            {
+                context.HttpContext.Response.StatusCode = StatusCodes.Status403Forbidden;
+                return;
+            }
+
+            var authResult = await _authorizationService.AuthorizeAsync(context.HttpContext.User, null, policy);
+            if (!authResult.Succeeded)
+            {
+                context.HttpContext.Response.StatusCode = StatusCodes.Status403Forbidden;
+                return;
+            }
+
+            ApplyHeaders(context.ProxyRequest.Headers);
+
             var request = context.HttpContext.Request;
             var isObjectsEndpoint = request.Path.Value?.AsSpan().TrimEnd('/').EndsWith("objects") ?? false;
             if (request.Method == HttpMethods.Get && isObjectsEndpoint)
             {
                 context.Query.Collection["type"] = new(ObjectTypeUrl);
             }
-            return new();
         }
 
-        public void ApplyHeaders(HttpRequestHeaders headers, System.Security.Claims.ClaimsPrincipal user)
+        public void ApplyHeaders(HttpRequestHeaders headers)
         {
             headers.Authorization = new AuthenticationHeaderValue("Token", _token);
             headers.Add("Content-Crs", "EPSG:4326");