Merge pull request #63 from mo-esmp/feature/dashboard-auth

Implementing dashboard authorization filter.

Author: mo-esmp

.gitignore

@@ -349,3 +349,5 @@ MigrationBackup/
 # Ionide (cross platform F# VS Code tools) working folder
 .ionide/
 nuget.exe
+
+.vshistory/

README.md

@@ -58,45 +58,45 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
 }
 ```
 
-## Authorization: configuration
+## Options
+Options can be found in the [UIOptions](src/Serilog.Ui.Web/Extensions/UiOptions.cs) class.
+`internal` properties can generally be set via extension methods, see [SerilogUiOptionBuilderExtensions](src/Serilog.Ui.Web/Extensions/SerilogUiOptionBuilderExtensions.cs)
+
+### Authorization
 
-By default serilog-ui allows access to the log page only for local requests. In order to give appropriate rights for production use, you need to configure authorization. You can secure the log page by allowing specific users or roles to view logs:
+By default serilog-ui allows access to the log page only for local requests. In order to give appropriate rights for production use, you need to configure authorization. You can add your own implementations of the `IUiAuthorizationFilter` interface, whose Authorize method is used to allow or prohibit a request. The first step is to provide your own implementation.:
 
 ```csharp
-public void ConfigureServices(IServiceCollection services)
+public void Configure(IApplicationBuilder appBuilder)
 {
-    services.AddSerilogUi(options => options
-        .EnableAuthorization(authOptions =>
+    appBuilder.UseSerilogUi(options =>
+    {
+        options.Authorization.AuthenticationType = AuthenticationType.Jwt;
+        options.Authorization.Filters = new[]
         {
-            authOption.AuthenticationType = AuthenticationType.Jwt; // or AuthenticationType.Cookie
-            authOptions.Usernames = new[] { "User1", "User2" };
-            authOptions.Roles = new[] { "AdminRole" };
-        })
-        .UseSqlServer(Configuration.GetConnectionString("DefaultConnection"), "LogTableName"));
+            new CustomAuthorizeFilter()
+        };
+    });
     // ...
 }
 ```
-Only `User1` and `User2` or users with `AdminRole` role can view logs.
 
 If you set `AuthenticationType` to `Jwt`, you can set a jwt token and an `Authorization` header will be added to the request and for `Cookie` just login into you website and no extra step is required.
 
-To disable anonymous access for local requests, (e.g. for testing authentication locally) set `AlwaysAllowLocalRequests` to `false`.
-
-To disable authorization on production, set `Enabled` to false.
+Here is an example of how you can implement your own authentication and authorization:
 
 ``` csharp
-services.AddSerilogUi(options => options
-    .EnableAuthorization(authOption =>
+public class CustomAuthorizeFilter : IUiAuthorizationFilter
+{
+    public bool Authorize(DashboardContext context)
     {
-        authOption.AlwaysAllowLocalRequests = false; // disable anonymous access on local
-        authOption.Enabled = false; // disable authorization access check on production
-    })
-    .UseSqlServer(Configuration.GetConnectionString("DefaultConnection"), "Logs"));
-```
+        var httpContext = context.GetHttpContext();
 
-## Options
-Options can be found in the [UIOptions](src/Serilog.Ui.Web/Extensions/UiOptions.cs) class.
-`internal` properties can generally be set via extension methods, see [SerilogUiOptionBuilderExtensions](src/Serilog.Ui.Web/Extensions/SerilogUiOptionBuilderExtensions.cs)
+        // Allow all authenticated users to see the Dashboard (potentially dangerous).
+        return httpContext.User.Identity?.IsAuthenticated ?? false;
+    }
+}
+```
 
 ### Log page URL
 

samples/SampleWebApp/Authentication/SerilogUiCustomAuthFilter.cs

@@ -0,0 +1,12 @@
+using Microsoft.AspNetCore.Http;
+using Serilog.Ui.Web.Authorization;
+
+namespace SampleWebApp.Authentication;
+
+public class SerilogUiCustomAuthFilter : IUiAuthorizationFilter
+{
+    public bool Authorize(HttpContext httpContext)
+    {
+        return httpContext.User.Identity is { IsAuthenticated: true };
+    }
+}

samples/SampleWebApp/SampleWebApp.csproj

@@ -25,10 +25,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <ProjectReference Include="..\..\src\Serilog.Ui.ElasticSearchProvider\Serilog.Ui.ElasticSearchProvider.csproj" />
-    <ProjectReference Include="..\..\src\Serilog.Ui.MongoDbProvider\Serilog.Ui.MongoDbProvider.csproj" />
     <ProjectReference Include="..\..\src\Serilog.Ui.MsSqlServerProvider\Serilog.Ui.MsSqlServerProvider.csproj" />
-    <ProjectReference Include="..\..\src\Serilog.Ui.PostgreSqlProvider\Serilog.Ui.PostgreSqlProvider.csproj" />
     <ProjectReference Include="..\..\src\Serilog.Ui.Web\Serilog.Ui.Web.csproj" />
   </ItemGroup>
 

samples/SampleWebApp/Startup.cs

@@ -7,6 +7,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.IdentityModel.Tokens;
+using SampleWebApp.Authentication;
 using SampleWebApp.Authentication.Jwt;
 using SampleWebApp.Data;
 using Serilog.Ui.MsSqlServerProvider;
@@ -39,11 +40,6 @@ public void ConfigureServices(IServiceCollection services)
             services.AddRazorPages();
 
             services.AddSerilogUi(options => options
-                .EnableAuthorization(authOption =>
-                {
-                    authOption.AuthenticationType = AuthenticationType.Jwt;
-                    authOption.Usernames = new[] { "[email protected]" };
-                })
                 .UseSqlServer(Configuration.GetConnectionString("DefaultConnection"), "Logs"));
 
             services.AddSwaggerGen();
@@ -60,16 +56,17 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             else
             {
                 app.UseExceptionHandler("/Home/Error");
-                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
+                // The default HSTS value is 30 days. You may want to change this for production
+                // scenarios, see https://aka.ms/aspnetcore-hsts.
                 app.UseHsts();
             }
             app.UseHttpsRedirection();
             app.UseStaticFiles();
 
             app.UseSwagger();
 
-            // Enable middleware to serve swagger-ui (HTML, JS, CSS, etc.),
-            // specifying the Swagger JSON endpoint.
+            // Enable middleware to serve swagger-ui (HTML, JS, CSS, etc.), specifying the Swagger
+            // JSON endpoint.
             app.UseSwaggerUI(c =>
             {
                 c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");
@@ -79,11 +76,16 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
 
             app.UseAuthentication();
             app.UseAuthorization();
-            app.UseSerilogUi(x =>
+            app.UseSerilogUi(options =>
             {
-                x.RoutePrefix = "serilog-ui";
-                x.HomeUrl = "/#Test";
-                x.InjectJavascript("/js/serilog-ui/custom.js");
+                options.RoutePrefix = "serilog-ui";
+                options.HomeUrl = "/#Test";
+                options.InjectJavascript("/js/serilog-ui/custom.js");
+                options.Authorization = new AuthorizationOptions
+                {
+                    AuthenticationType = AuthenticationType.Jwt,
+                    Filters = new[] { new SerilogUiCustomAuthFilter() }
+                };
             });
 
             app.UseEndpoints(endpoints =>

samples/SampleWebApp/appsettings.json

@@ -1,14 +1,14 @@
 {
   "ConnectionStrings": {
-    "DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=aspnet-SampleWebApp-93B544DE-DDCF-47C1-AD8A-BC87C4D6B954;Trusted_Connection=True;MultipleActiveResultSets=true"
+    "DefaultConnection": "Server=(local);Database=aspnet-SampleWebApp-93B544DE-DDCF-47C1-AD8A-BC87C4D6B954;Trusted_Connection=True;MultipleActiveResultSets=true;TrustServerCertificate=True"
   },
 
   "AllowedHosts": "*",
 
   "Jwt": {
     "Audience": "SampleClient",
     "Issuer": "http://localhost:5000",
-    "SecretKey": "Th!$P@ssw0rd",
+    "SecretKey": "Th!$AlongP@ssw0rdForJwt",
     "ExpireDays": "30"
   },
 

src/Serilog.Ui.Web/Authorization/IUiAuthorizationFilter.cs

@@ -0,0 +1,9 @@
+using Microsoft.AspNetCore.Http;
+
+namespace Serilog.Ui.Web.Authorization
+{
+    public interface IUiAuthorizationFilter
+    {
+        bool Authorize(HttpContext httpContext);
+    }
+}

src/Serilog.Ui.Web/Authorization/LocalRequestsOnlyAuthorizationFilter.cs

@@ -0,0 +1,12 @@
+using Microsoft.AspNetCore.Http;
+
+namespace Serilog.Ui.Web.Authorization
+{
+    public class LocalRequestsOnlyAuthorizationFilter : IUiAuthorizationFilter
+    {
+        public bool Authorize(HttpContext httpContext)
+        {
+            return httpContext.Request.IsLocal();
+        }
+    }
+}

src/Serilog.Ui.Web/Extensions/ApplicationBuilderExtensions.cs

@@ -1,23 +1,22 @@
 using Microsoft.AspNetCore.Builder;
-using Microsoft.Extensions.DependencyInjection;
 using System;
 
 namespace Serilog.Ui.Web
 {
     /// <summary>
-    ///     Contains extensions for configuring routing on an <see cref="IApplicationBuilder"/>.
+    ///   Contains extensions for configuring routing on an <see cref="IApplicationBuilder"/>.
     /// </summary>
     public static class ApplicationBuilderExtensions
     {
         /// <summary>
-        ///     Adds a <see cref="SerilogUiMiddleware"/> middleware to the specified <see cref="IApplicationBuilder"/>.
+        ///   Adds a <see cref="SerilogUiMiddleware"/> middleware to the specified <see cref="IApplicationBuilder"/>.
         /// </summary>
         /// <param name="applicationBuilder">
-        ///     The <see cref="IApplicationBuilder"/> to add the middleware to.
+        ///   The <see cref="IApplicationBuilder"/> to add the middleware to.
         /// </param>
-        /// <param name="options"> The options to configure SerilogUI dashboard. </param>
-        /// <returns> IApplicationBuilder. </returns>
-        /// <exception cref="ArgumentNullException"> throw if applicationBuilder if null </exception>
+        /// <param name="options">The options to configure Serilog UI dashboard.</param>
+        /// <returns>IApplicationBuilder.</returns>
+        /// <exception cref="ArgumentNullException">throw if applicationBuilder if null</exception>
         public static IApplicationBuilder UseSerilogUi(this IApplicationBuilder applicationBuilder, Action<UiOptions> options = null)
         {
             if (applicationBuilder == null)
@@ -26,12 +25,6 @@ public static IApplicationBuilder UseSerilogUi(this IApplicationBuilder applicat
             var uiOptions = new UiOptions();
             options?.Invoke(uiOptions);
 
-            var scope = applicationBuilder.ApplicationServices.CreateScope();
-            var authOptions = scope.ServiceProvider.GetService<AuthorizationOptions>();
-            uiOptions.AuthType = authOptions.AuthenticationType.ToString();
-
-            scope.Dispose();
-
             return applicationBuilder.UseMiddleware<SerilogUiMiddleware>(uiOptions);
         }
     }

src/Serilog.Ui.Web/Extensions/AuthorizationOptions.cs

@@ -1,41 +1,27 @@
-using System.Collections.Generic;
+using Serilog.Ui.Web.Authorization;
+using System.Collections.Generic;
 
 namespace Serilog.Ui.Web
 {
     /// <summary>
-    ///     The options to be used by SerilogUI to log access authorization.
+    ///   The options to be used by SerilogUI to log access authorization.
     /// </summary>
     public class AuthorizationOptions
     {
         /// <summary>
-        ///     Gets or sets the type of the authentication.
+        ///   Gets or sets the type of the authentication.
         /// </summary>
-        /// <value> The type of the authentication. </value>
-        public AuthenticationType AuthenticationType { get; set; }
+        /// <value>The type of the authentication.</value>
+        public AuthenticationType AuthenticationType { get; set; } = AuthenticationType.Cookie;
 
         /// <summary>
-        ///     Gets or sets the authorized usernames.
+        ///   Gets or sets the authorized usernames.
         /// </summary>
-        /// <value> The usernames. </value>
-        public IEnumerable<string> Usernames { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the authorized roles.
-        /// </summary>
-        /// <value> The roles. </value>
-        public IEnumerable<string> Roles { get; set; }
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether this <see cref="AuthorizationOptions"/> is enabled.
-        /// </summary>
-        /// <value> <c> true </c> if enabled; otherwise, <c> false </c>. </value>
-        public bool Enabled { get; set; } = true;
-
-        /// <summary>
-        ///     Whether to always allow local requests, defaults to <c>true</c>.
-        /// </summary>
-        /// <value> <c> true </c> if enabled; otherwise, <c> false </c>. </value>
-        public bool AlwaysAllowLocalRequests { get; set; } = true;
+        /// <value>The usernames.</value>
+        public IEnumerable<IUiAuthorizationFilter> Filters { get; set; } = new List<IUiAuthorizationFilter>()
+        {
+            new LocalRequestsOnlyAuthorizationFilter()
+        };
     }
 
     public enum AuthenticationType