Fix build and code structure improvements. New but essential UI functionality. CI improvements. Documentation improvements. AI module improvements.

2025-12-26 21:54:17 +02:00
parent 335ff7da16
commit c2b9cd8d1f
3717 changed files with 264714 additions and 48202 deletions
--- a/src/Router/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs
+++ b/src/Router/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs
@@ -0,0 +1,99 @@
+using System.Text.Json;
+using StellaOps.Router.Common.Models;
+using StellaOps.Router.Gateway;
+
+namespace StellaOps.Gateway.WebService.Authorization;
+
+public sealed class AuthorizationMiddleware
+{
+    private readonly RequestDelegate _next;
+    private readonly IEffectiveClaimsStore _claimsStore;
+    private readonly ILogger<AuthorizationMiddleware> _logger;
+
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+        WriteIndented = false
+    };
+
+    public AuthorizationMiddleware(
+        RequestDelegate next,
+        IEffectiveClaimsStore claimsStore,
+        ILogger<AuthorizationMiddleware> logger)
+    {
+        _next = next;
+        _claimsStore = claimsStore;
+        _logger = logger;
+    }
+
+    public async Task InvokeAsync(HttpContext context)
+    {
+        if (!context.Items.TryGetValue(RouterHttpContextKeys.EndpointDescriptor, out var endpointObj) ||
+            endpointObj is not EndpointDescriptor endpoint)
+        {
+            await _next(context);
+            return;
+        }
+
+        var effectiveClaims = _claimsStore.GetEffectiveClaims(
+            endpoint.ServiceName,
+            endpoint.Method,
+            endpoint.Path);
+
+        if (effectiveClaims.Count == 0)
+        {
+            await _next(context);
+            return;
+        }
+
+        foreach (var required in effectiveClaims)
+        {
+            var userClaims = context.User.Claims;
+            var hasClaim = required.Value == null
+                ? userClaims.Any(c => c.Type == required.Type)
+                : userClaims.Any(c => c.Type == required.Type && c.Value == required.Value);
+
+            if (!hasClaim)
+            {
+                _logger.LogWarning(
+                    "Authorization failed for {Method} {Path}: user lacks claim {ClaimType}={ClaimValue}",
+                    endpoint.Method,
+                    endpoint.Path,
+                    required.Type,
+                    required.Value ?? "(any)");
+
+                await WriteForbiddenAsync(context, endpoint, required);
+                return;
+            }
+        }
+
+        await _next(context);
+    }
+
+    private static Task WriteForbiddenAsync(
+        HttpContext context,
+        EndpointDescriptor endpoint,
+        ClaimRequirement required)
+    {
+        context.Response.StatusCode = StatusCodes.Status403Forbidden;
+        context.Response.ContentType = "application/json; charset=utf-8";
+
+        var payload = new AuthorizationFailureResponse(
+            Error: "forbidden",
+            Message: "Authorization failed: missing required claim",
+            RequiredClaimType: required.Type,
+            RequiredClaimValue: required.Value,
+            Service: endpoint.ServiceName,
+            Version: endpoint.Version);
+
+        return JsonSerializer.SerializeAsync(context.Response.Body, payload, JsonOptions, context.RequestAborted);
+    }
+
+    private sealed record AuthorizationFailureResponse(
+        string Error,
+        string Message,
+        string RequiredClaimType,
+        string? RequiredClaimValue,
+        string Service,
+        string Version);
+}