2026-04-13 21:36:02 -03:00
|
|
|
using System.Security.Cryptography;
|
|
|
|
|
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
2026-04-14 13:28:36 -03:00
|
|
|
using Microsoft.AspNetCore.Http;
|
2026-04-13 21:36:02 -03:00
|
|
|
using Microsoft.Extensions.Configuration;
|
|
|
|
|
using Microsoft.Extensions.DependencyInjection;
|
|
|
|
|
using Microsoft.Extensions.Options;
|
|
|
|
|
using Microsoft.IdentityModel.Tokens;
|
|
|
|
|
using SIGCM2.Application.Abstractions;
|
|
|
|
|
using SIGCM2.Application.Abstractions.Persistence;
|
|
|
|
|
using SIGCM2.Application.Abstractions.Security;
|
2026-04-16 13:28:37 -03:00
|
|
|
using SIGCM2.Application.Audit;
|
2026-04-14 13:28:36 -03:00
|
|
|
using SIGCM2.Application.Auth;
|
|
|
|
|
using SIGCM2.Infrastructure.Http;
|
2026-04-13 21:36:02 -03:00
|
|
|
using SIGCM2.Infrastructure.Messaging;
|
|
|
|
|
using SIGCM2.Infrastructure.Persistence;
|
|
|
|
|
using SIGCM2.Infrastructure.Security;
|
|
|
|
|
|
|
|
|
|
namespace SIGCM2.Infrastructure;
|
|
|
|
|
|
|
|
|
|
public static class DependencyInjection
|
|
|
|
|
{
|
|
|
|
|
public static IServiceCollection AddInfrastructure(
|
|
|
|
|
this IServiceCollection services,
|
|
|
|
|
IConfiguration configuration)
|
|
|
|
|
{
|
|
|
|
|
// Database
|
|
|
|
|
var connectionString = configuration.GetConnectionString("SqlServer")
|
|
|
|
|
?? throw new InvalidOperationException("Missing ConnectionStrings:SqlServer");
|
|
|
|
|
services.AddSingleton(new SqlConnectionFactory(connectionString));
|
|
|
|
|
services.AddScoped<IUsuarioRepository, UsuarioRepository>();
|
2026-04-14 13:28:36 -03:00
|
|
|
services.AddScoped<IRefreshTokenRepository, RefreshTokenRepository>();
|
2026-04-15 12:50:24 -03:00
|
|
|
services.AddScoped<IRolRepository, RolRepository>();
|
2026-04-15 15:39:25 -03:00
|
|
|
services.AddScoped<IPermisoRepository, PermisoRepository>();
|
|
|
|
|
services.AddScoped<IRolPermisoRepository, RolPermisoRepository>();
|
2026-04-13 21:36:02 -03:00
|
|
|
|
|
|
|
|
// JWT Options — bound lazily via IOptions so tests can override via ConfigureWebHost
|
|
|
|
|
services.Configure<JwtOptions>(configuration.GetSection("Jwt"));
|
|
|
|
|
// Also expose as JwtOptions directly for convenience (resolves via IOptions<JwtOptions>)
|
|
|
|
|
services.AddSingleton<JwtOptions>(sp => sp.GetRequiredService<IOptions<JwtOptions>>().Value);
|
|
|
|
|
|
2026-04-14 13:28:36 -03:00
|
|
|
// AuthOptions (Application layer) — populated from the same Jwt config section
|
|
|
|
|
services.AddSingleton<AuthOptions>(sp =>
|
|
|
|
|
{
|
|
|
|
|
var opts = sp.GetRequiredService<JwtOptions>();
|
|
|
|
|
return new AuthOptions
|
|
|
|
|
{
|
|
|
|
|
AccessTokenMinutes = opts.AccessTokenMinutes,
|
|
|
|
|
RefreshTokenDays = opts.RefreshTokenDays,
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
|
2026-04-13 21:36:02 -03:00
|
|
|
// RSA key pair — loaded lazily as singletons from the fully-resolved JwtOptions
|
|
|
|
|
services.AddSingleton<RSA>(sp =>
|
|
|
|
|
{
|
|
|
|
|
var opts = sp.GetRequiredService<JwtOptions>();
|
|
|
|
|
return RsaKeyLoader.LoadPrivateKey(opts);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
services.AddSingleton<RsaSecurityKey>(sp =>
|
|
|
|
|
{
|
|
|
|
|
var opts = sp.GetRequiredService<JwtOptions>();
|
|
|
|
|
return new RsaSecurityKey(RsaKeyLoader.LoadPublicKey(opts));
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
services.AddScoped<IJwtService>(sp =>
|
|
|
|
|
new JwtService(sp.GetRequiredService<RSA>(), sp.GetRequiredService<JwtOptions>()));
|
|
|
|
|
services.AddScoped<IPasswordHasher, BcryptPasswordHasher>();
|
2026-04-14 13:28:36 -03:00
|
|
|
services.AddSingleton<IRefreshTokenGenerator, RefreshTokenGenerator>();
|
|
|
|
|
services.AddHttpContextAccessor();
|
|
|
|
|
services.AddScoped<IClientContext, ClientContext>();
|
2026-04-13 21:36:02 -03:00
|
|
|
|
2026-04-16 13:28:37 -03:00
|
|
|
// UDT-010: Audit options (SanitizedKeys blacklist) — overridable via appsettings "Audit".
|
|
|
|
|
services.Configure<AuditOptions>(configuration.GetSection(AuditOptions.SectionName));
|
feat(api): audit context middleware + scoped impl (UDT-010 B4)
Wires the request-scoped audit context per design #D-2:
Middleware pipeline in Program.cs:
app.UseCors()
app.UseMiddleware<CorrelationIdMiddleware>() // PRE-AUTH
app.UseAuthentication()
app.UseMiddleware<AuditActorMiddleware>() // POST-AUTH
app.UseAuthorization()
app.MapControllers()
SIGCM2.Api/Middleware/CorrelationIdMiddleware.cs:
- Preserves client-sent X-Correlation-Id header when a valid GUID, otherwise
generates Guid.NewGuid(). Stores in HttpContext.Items (audit:correlationId).
- Captures Ip (Connection.RemoteIpAddress) + UserAgent header into Items.
- Echoes the correlation id back via response header (OnStarting + immediate
set — immediate set makes unit testing against DefaultHttpContext reliable).
SIGCM2.Api/Middleware/AuditActorMiddleware.cs:
- Reads JWT 'sub' claim from authenticated HttpContext.User, parses to int,
stores as audit:actorUserId. Anonymous / non-numeric sub leaves it unset.
SIGCM2.Infrastructure/Audit/AuditContext.cs (IAuditContext scoped impl):
- Reads Items entries via IHttpContextAccessor. Returns null / Guid.Empty
when no HttpContext is available (jobs, tests without middleware).
- ActorRoleId intentionally null for now — rol code → id resolution is
deferred; the logger may resolve it at persist time in a later batch.
DI registration (Infrastructure/DependencyInjection.cs):
- services.AddScoped<IAuditContext, AuditContext>()
Tests (Strict TDD):
- CorrelationIdMiddlewareTests (6): generates/preserves/handles-malformed
correlation id, sets response header, captures ip/ua, calls next.
- AuditActorMiddlewareTests (5): authenticated/anonymous/no-sub/non-numeric/
calls-next.
- AuditContextTests (7): reads from Items, null-http-context defaults,
ActorRoleId currently null.
Suite: 355/355 Application.Tests + 141/141 Api.Tests = 496/496 passing.
Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-AUD-3/9, design#D-2, tasks#B4}
2026-04-16 13:32:13 -03:00
|
|
|
services.AddScoped<IAuditContext, SIGCM2.Infrastructure.Audit.AuditContext>();
|
2026-04-16 13:28:37 -03:00
|
|
|
|
2026-04-13 21:36:02 -03:00
|
|
|
// Dispatcher
|
|
|
|
|
services.AddScoped<IDispatcher, Dispatcher>();
|
|
|
|
|
|
|
|
|
|
// JWT Bearer authentication
|
|
|
|
|
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
|
|
|
|
|
.AddJwtBearer();
|
|
|
|
|
|
2026-04-15 11:03:15 -03:00
|
|
|
// Post-configure JWT Bearer — wire RSA public key + validation params from resolved options.
|
|
|
|
|
// MapInboundClaims=false: preserve JWT claim names as-is ("sub", "rol", etc.).
|
|
|
|
|
// Without this, the middleware maps "sub" → ClaimTypes.NameIdentifier and breaks User.FindFirst("sub").
|
2026-04-13 21:36:02 -03:00
|
|
|
services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
|
|
|
|
|
.PostConfigure<RsaSecurityKey, JwtOptions>((jwtBearerOpts, rsaKey, jwtOpts) =>
|
|
|
|
|
{
|
2026-04-15 11:03:15 -03:00
|
|
|
jwtBearerOpts.MapInboundClaims = false;
|
2026-04-13 21:36:02 -03:00
|
|
|
jwtBearerOpts.TokenValidationParameters = new TokenValidationParameters
|
|
|
|
|
{
|
|
|
|
|
ValidateIssuerSigningKey = true,
|
|
|
|
|
IssuerSigningKey = rsaKey,
|
|
|
|
|
ValidateIssuer = true,
|
|
|
|
|
ValidIssuer = jwtOpts.Issuer,
|
|
|
|
|
ValidateAudience = true,
|
|
|
|
|
ValidAudience = jwtOpts.Audience,
|
|
|
|
|
ValidateLifetime = true,
|
2026-04-15 10:47:48 -03:00
|
|
|
ClockSkew = TimeSpan.Zero,
|
2026-04-15 11:03:15 -03:00
|
|
|
RoleClaimType = "rol",
|
|
|
|
|
NameClaimType = "name"
|
2026-04-13 21:36:02 -03:00
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
return services;
|
|
|
|
|
}
|
|
|
|
|
}
|