Add Authority Advisory AI and API Lifecycle Configuration
- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings. - Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations. - Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration. - Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options. - Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations. - Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client. - Updated project file to include necessary package references for the new Issuer Directory Client library.
This commit is contained in:
master
@@ -0,0 +1,123 @@
|
||||
using System;
|
||||
using System.Net.Http;
|
||||
using System.Net.Http.Headers;
|
||||
using System.Threading;
|
||||
using System.Threading.Tasks;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.Extensions.Options;
|
||||
|
||||
namespace StellaOps.Auth.Client;
|
||||
|
||||
/// <summary>
|
||||
/// Delegating handler that attaches bearer credentials and tenant headers to outbound requests.
|
||||
/// </summary>
|
||||
internal sealed class StellaOpsBearerTokenHandler : DelegatingHandler
|
||||
{
|
||||
private readonly string clientName;
|
||||
private readonly IOptionsMonitor<StellaOpsApiAuthenticationOptions> apiAuthOptions;
|
||||
private readonly IOptionsMonitor<StellaOpsAuthClientOptions> authClientOptions;
|
||||
private readonly IStellaOpsTokenClient tokenClient;
|
||||
private readonly TimeProvider timeProvider;
|
||||
private readonly ILogger<StellaOpsBearerTokenHandler>? logger;
|
||||
private readonly SemaphoreSlim refreshLock = new(1, 1);
|
||||
|
||||
private StellaOpsTokenResult? cachedToken;
|
||||
|
||||
public StellaOpsBearerTokenHandler(
|
||||
string clientName,
|
||||
IOptionsMonitor<StellaOpsApiAuthenticationOptions> apiAuthOptions,
|
||||
IOptionsMonitor<StellaOpsAuthClientOptions> authClientOptions,
|
||||
IStellaOpsTokenClient tokenClient,
|
||||
TimeProvider? timeProvider,
|
||||
ILogger<StellaOpsBearerTokenHandler>? logger)
|
||||
{
|
||||
this.clientName = clientName ?? throw new ArgumentNullException(nameof(clientName));
|
||||
this.apiAuthOptions = apiAuthOptions ?? throw new ArgumentNullException(nameof(apiAuthOptions));
|
||||
this.authClientOptions = authClientOptions ?? throw new ArgumentNullException(nameof(authClientOptions));
|
||||
this.tokenClient = tokenClient ?? throw new ArgumentNullException(nameof(tokenClient));
|
||||
this.timeProvider = timeProvider ?? TimeProvider.System;
|
||||
this.logger = logger;
|
||||
}
|
||||
|
||||
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
|
||||
{
|
||||
var options = apiAuthOptions.Get(clientName);
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(options.Tenant))
|
||||
{
|
||||
request.Headers.Remove(options.TenantHeader);
|
||||
request.Headers.TryAddWithoutValidation(options.TenantHeader, options.Tenant);
|
||||
}
|
||||
|
||||
var token = await ResolveTokenAsync(options, cancellationToken).ConfigureAwait(false);
|
||||
if (!string.IsNullOrEmpty(token))
|
||||
{
|
||||
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
|
||||
}
|
||||
|
||||
return await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
|
||||
private async Task<string?> ResolveTokenAsync(StellaOpsApiAuthenticationOptions options, CancellationToken cancellationToken)
|
||||
{
|
||||
if (options.Mode == StellaOpsApiAuthMode.PersonalAccessToken)
|
||||
{
|
||||
return options.PersonalAccessToken;
|
||||
}
|
||||
|
||||
var buffer = GetRefreshBuffer(options);
|
||||
var now = timeProvider.GetUtcNow();
|
||||
var token = cachedToken;
|
||||
|
||||
if (token is not null && token.ExpiresAt - buffer > now)
|
||||
{
|
||||
return token.AccessToken;
|
||||
}
|
||||
|
||||
await refreshLock.WaitAsync(cancellationToken).ConfigureAwait(false);
|
||||
try
|
||||
{
|
||||
token = cachedToken;
|
||||
now = timeProvider.GetUtcNow();
|
||||
if (token is not null && token.ExpiresAt - buffer > now)
|
||||
{
|
||||
return token.AccessToken;
|
||||
}
|
||||
|
||||
StellaOpsTokenResult result = options.Mode switch
|
||||
{
|
||||
StellaOpsApiAuthMode.ClientCredentials => await tokenClient.RequestClientCredentialsTokenAsync(
|
||||
options.Scope,
|
||||
null,
|
||||
cancellationToken).ConfigureAwait(false),
|
||||
StellaOpsApiAuthMode.Password => await tokenClient.RequestPasswordTokenAsync(
|
||||
options.Username!,
|
||||
options.Password!,
|
||||
options.Scope,
|
||||
null,
|
||||
cancellationToken).ConfigureAwait(false),
|
||||
_ => throw new InvalidOperationException($"Unsupported authentication mode '{options.Mode}'.")
|
||||
};
|
||||
|
||||
cachedToken = result;
|
||||
logger?.LogDebug("Issued access token for client {ClientName}; expires at {ExpiresAt}.", clientName, result.ExpiresAt);
|
||||
return result.AccessToken;
|
||||
}
|
||||
finally
|
||||
{
|
||||
refreshLock.Release();
|
||||
}
|
||||
}
|
||||
|
||||
private TimeSpan GetRefreshBuffer(StellaOpsApiAuthenticationOptions options)
|
||||
{
|
||||
var authOptions = authClientOptions.CurrentValue;
|
||||
var buffer = options.RefreshBuffer;
|
||||
if (buffer <= TimeSpan.Zero)
|
||||
{
|
||||
return authOptions.ExpirationSkew;
|
||||
}
|
||||
|
||||
return buffer > authOptions.ExpirationSkew ? buffer : authOptions.ExpirationSkew;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user