using Ums.Application.Configuration.Services;
using Ums.Domain.Configuration.AppConfiguration;
using Ums.Domain.Identity;
using Ums.Domain.Identity.Auth;
namespace Ums.Application.Identity.Auth;
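/// <summary>
/// Resolves the authentication method for a tenant.
/// Reads AUTH_USE_EXTERNAL_IDP from the in-memory IConfigurationProvider
/// (zero DB hits per request - the provider loads once and caches in memory).
///
/// - scope == PortalManagement → AuthMethod.Local(), without consulting tenant configuration
/// - missing configuration → Result.Failure("REQUIRED_PARAMETER_NOT_CONFIGURED")
/// - non-boolean configuration value → Result.Failure("INVALID_PARAMETER_VALUE")
/// - false → AuthMethod.Local()
/// - true + tenant not found → Result.Failure("AUTH_002")
/// - true + active IDP → AuthMethod.Idp(provider)
/// - true + no active IDP:
///   - InternalPreview → AuthMethod(Type = IDP, Provider = null)
///   - ExternalApi (any scope other than InternalPreview) → Result.Failure("AUTH_011")
/// </summary>
public sealed class AuthMethodResolverService : IAuthMethodResolver
{
    private readonly IConfigurationProvider _config;
    private readonly ITenantRepository _tenantRepo;

    /// <summary>
    /// Creates a resolver backed by the given configuration provider and tenant repository.
    /// </summary>
    /// <param name="config">In-memory configuration provider used to read AUTH_USE_EXTERNAL_IDP.</param>
    /// <param name="tenantRepo">Repository used to load the tenant and its identity providers.</param>
    /// <exception cref="ArgumentNullException">Thrown when either dependency is <see langword="null"/>.</exception>
    public AuthMethodResolverService(IConfigurationProvider config, ITenantRepository tenantRepo)
    {
        // Fail at construction rather than with a NullReferenceException on the first request.
        ArgumentNullException.ThrowIfNull(config);
        ArgumentNullException.ThrowIfNull(tenantRepo);

        _config = config;
        _tenantRepo = tenantRepo;
    }

    /// <summary>
    /// Determines how a caller must authenticate against the tenant identified by <paramref name="tenantId"/>.
    /// </summary>
    /// <param name="tenantId">Tenant whose AUTH_USE_EXTERNAL_IDP setting and identity providers decide the method.</param>
    /// <param name="scope">
    /// Access scope of the caller. PortalManagement always resolves to local authentication;
    /// InternalPreview tolerates a tenant that has no active identity provider yet.
    /// </param>
    /// <param name="cancellationToken">Propagated to the tenant lookup.</param>
    /// <returns>
    /// A successful result carrying the resolved <see cref="AuthMethod"/>, or a failure whose
    /// message starts with the error code (REQUIRED_PARAMETER_NOT_CONFIGURED, INVALID_PARAMETER_VALUE, AUTH_002, AUTH_011).
    /// </returns>
    public async Task<Result<AuthMethod>> ResolveAsync(
        Guid tenantId,
        AuthAccessScope scope,
        CancellationToken cancellationToken = default)
    {
        // Portal management never goes through an external IDP; the tenant
        // configuration is intentionally not consulted for this scope.
        if (scope == AuthAccessScope.PortalManagement)
        {
            return Result<AuthMethod>.Success(AuthMethod.Local());
        }

        var configured = _config.GetWithPrecedence(AppConfigurationCodes.AuthUseExternalIdp, tenantId);
        if (configured is null)
        {
            return Result<AuthMethod>.Failure(
                $"REQUIRED_PARAMETER_NOT_CONFIGURED: Parameter '{AppConfigurationCodes.AuthUseExternalIdp}' is not configured for tenant '{tenantId}'.");
        }

        // A value that is present but not a valid boolean is reported as a failure rather than
        // treated as "false", so a malformed setting cannot silently downgrade the tenant to local auth.
        if (!bool.TryParse(configured.Props.Value.GetValue(), out var useExternalIdp))
        {
            return Result<AuthMethod>.Failure(
                $"INVALID_PARAMETER_VALUE: Parameter '{AppConfigurationCodes.AuthUseExternalIdp}' must be a boolean value for tenant '{tenantId}'.");
        }

        if (!useExternalIdp)
        {
            return Result<AuthMethod>.Success(AuthMethod.Local());
        }

        // IDP mode — the tenant is loaded from the repository only on this path,
        // to find its active identity provider.
        var tenant = await _tenantRepo.GetByIdAsync(tenantId, cancellationToken);
        if (tenant is null)
        {
            return Result<AuthMethod>.Failure($"AUTH_002: Tenant {tenantId} not found.");
        }

        // If more than one provider is flagged active, the first one in enumeration order wins.
        var activeIdp = tenant.IdentityProviders.FirstOrDefault(p => p.IsActive);
        if (activeIdp is null)
        {
            // Preview callers may proceed with an IDP-typed method that has no provider bound yet;
            // every other scope is refused until an IDP has been configured and activated.
            if (scope == AuthAccessScope.InternalPreview)
            {
                return Result<AuthMethod>.Success(new AuthMethod(AuthMethodType.IDP));
            }

            return Result<AuthMethod>.Failure(
                "AUTH_011: Tenant is configured for external IDP authentication " +
                "but has no active Identity Provider. Configure and activate an IDP first.");
        }

        return Result<AuthMethod>.Success(AuthMethod.Idp(activeIdp));
    }
}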