feat: Implementa autenticação baseada em API-KEY

tglima · tglima · commit 951532cfca47 · 2023-11-27T16:27:08.000-03:00
diff --git a/Controllers/HealthCheckController.cs b/Controllers/HealthCheckController.cs
@@ -1,10 +1,6 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text.Json.Nodes;
-using System.ComponentModel;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
-using System.Text.Json.Serialization;
+using System.Text.Json.Nodes;
 using WebApi.Helpers;
 
 
@@ -14,6 +10,7 @@ namespace webapi.Controllers
     [Route("/")]
     public class HealthCheckController : ControllerBase
     {
+        [AllowAnonymous]
         [HttpGet("health-check")]
         public IActionResult Check()
         {
diff --git a/Helpers/SwaggerAllowAnonymousOperationFilter.cs b/Helpers/SwaggerAllowAnonymousOperationFilter.cs
@@ -0,0 +1,35 @@
+using Microsoft.AspNetCore.Authorization;
+using Swashbuckle.AspNetCore.SwaggerGen;
+using Microsoft.OpenApi.Models;
+
+namespace WebApi.Helpers
+{
+    public class SwaggerAllowAnonymousOperationFilter : IOperationFilter
+    {
+        public void Apply(OpenApiOperation operation, OperationFilterContext context)
+        {
+            var noAuthRequired = context.ApiDescription.CustomAttributes().Any(attr => attr.GetType() == typeof(AllowAnonymousAttribute));
+
+            if (noAuthRequired) return;
+
+            operation.Security = new List<OpenApiSecurityRequirement>
+            {
+                new OpenApiSecurityRequirement
+                {
+                    {
+                        new OpenApiSecurityScheme
+                        {
+                            Reference = new OpenApiReference
+                            {
+                                Type = ReferenceType.SecurityScheme,
+                                Id = Constant.API_KEY
+                            },
+                            In = ParameterLocation.Header
+                        },
+                        new List<string>()
+                    }
+                }
+            };
+        }
+    }
+}
diff --git a/Middlewares/ApiKeyMiddleware.cs b/Middlewares/ApiKeyMiddleware.cs
@@ -0,0 +1,77 @@
+using Microsoft.AspNetCore.Authorization;
+using WebApi.Models.API;
+using WebApi.Models.DTO;
+using WebApi.Helpers;
+using WebApi.Services;
+
+namespace WebApi.Middlewares
+{
+
+    public static class ApiKeyValidationMiddlewareExtensions
+    {
+        public static IApplicationBuilder UseApiKeyValidationMiddleware(this IApplicationBuilder builder)
+        {
+            return builder.UseMiddleware<ApiKeyValidationMiddleware>();
+        }
+    }
+
+    public class ApiKeyValidationMiddleware
+    {
+        private readonly RequestDelegate _next;
+
+        public ApiKeyValidationMiddleware(RequestDelegate next)
+        {
+            _next = next;
+        }
+
+        public async Task InvokeAsync(HttpContext context, LogService logService)
+        {
+
+            var respFail = new DefRespFail(Constant.MsgStatus401)
+            {
+                CodeEvent = logService.LogDTO.CodeEvent,
+            };
+
+            var returnDTO = new ReturnDTO
+            {
+                NmMethod = "ValidateApiKey",
+                StatusCode = StatusCodeApi.UNNAUTHORIZED,
+                Returnbject = respFail
+            };
+
+
+            if (context.GetEndpoint()?.Metadata.GetMetadata<IAllowAnonymous>() == null)
+            {
+
+                if (!context.Request.Headers.TryGetValue(Constant.API_KEY, out var extractedApiKey))
+                {
+                    returnDTO.Info.Add("Api Key was not provided");
+                    context.Response.StatusCode = 401;
+                    logService.LogDTO.Methods.Add(returnDTO);
+                    context.Response.ContentType = "application/json";
+                    await context.Response.WriteAsJsonAsync(respFail);
+                    return;
+                }
+
+                var apiKeyFromEnv = Environment.GetEnvironmentVariable("API_KEY");
+                apiKeyFromEnv = string.IsNullOrEmpty(apiKeyFromEnv) ? string.Empty : apiKeyFromEnv;
+                string[] listApiKeyValid = apiKeyFromEnv.Split(';');
+
+                if (!Array.Exists(listApiKeyValid, e => e.Equals(extractedApiKey)))
+                {
+                    returnDTO.Info.Add("Unauthorized client");
+                    context.Response.StatusCode = 401;
+                    logService.LogDTO.Methods.Add(returnDTO);
+                    context.Response.ContentType = "application/json";
+                    await context.Response.WriteAsJsonAsync(respFail);
+                    return;
+                }
+
+                logService.LogDTO.ApiKey = extractedApiKey;
+            }
+
+            await _next(context);
+
+        }
+    }
+}
diff --git a/Program.cs b/Program.cs
@@ -4,6 +4,7 @@
 using Microsoft.OpenApi.Models;
 using Swashbuckle.AspNetCore.SwaggerUI;
 using WebApi.Helpers;
+using WebApi.Middlewares;
 using WebApi.Services;
 
 var nuVersion = AppHelper.GetNuVersion();
@@ -32,40 +33,24 @@
 builder.Services.AddSwaggerGen(o =>
 {
 
-
     o.EnableAnnotations();
     o.SwaggerDoc(nuVersion, new OpenApiInfo { Title = nmApplication, Version = nuVersion });
-    o.AddSecurityDefinition("API-KEY", new OpenApiSecurityScheme
+    o.AddSecurityDefinition(Constant.API_KEY, new OpenApiSecurityScheme
     {
         In = ParameterLocation.Header,
         Description = "Chave de acesso individual disponibilizado para acessar a API",
-        Name = "API-KEY",
+        Name = Constant.API_KEY,
         Type = SecuritySchemeType.ApiKey,
         Scheme = "ApiKeyScheme"
     });
 
-    o.AddSecurityRequirement(new OpenApiSecurityRequirement
-    {
-        {
-            new OpenApiSecurityScheme
-            {
-                Reference = new OpenApiReference
-                {
-                    Type = ReferenceType.SecurityScheme,
-                    Id = "ApiKey"
-                },
-                In = ParameterLocation.Header
-            },
-            new List<string>()
-        }
-    });
+    o.OperationFilter<SwaggerAllowAnonymousOperationFilter>();
 
     o.CustomSchemaIds(x => x.GetCustomAttributes(false).OfType<DisplayNameAttribute>().FirstOrDefault()?.DisplayName ?? x.Name);
 
     var xmlPath = Path.Combine(AppContext.BaseDirectory, $"{Assembly.GetExecutingAssembly().GetName().Name}.xml");
     o.IncludeXmlComments(xmlPath);
 
-
 });
 
 #endregion
@@ -111,4 +96,6 @@
 
 app.MapControllers();
 
+app.UseApiKeyValidationMiddleware();
+
 app.Run();
