UDT-010: Infraestructura de Auditoría y Trazabilidad — Closes #6 #14
@@ -2,6 +2,7 @@ using System.IdentityModel.Tokens.Jwt;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using SIGCM2.Application.Abstractions.Persistence;
|
||||
using SIGCM2.Application.Audit;
|
||||
using SIGCM2.Application.Common;
|
||||
|
||||
namespace SIGCM2.Api.Authorization;
|
||||
@@ -12,21 +13,25 @@ namespace SIGCM2.Api.Authorization;
|
||||
/// and IUsuarioRepository, resolves effective permissions via PermisoResolver,
|
||||
/// and succeeds if at least one required permission matches (OR semantics).
|
||||
/// No caching — always authoritative from DB (UDT-006 D1, UDT-009 D3).
|
||||
/// UDT-010: emits SecurityEvent 'permission.denied' on rejection.
|
||||
/// </summary>
|
||||
public sealed class PermissionAuthorizationHandler
|
||||
: AuthorizationHandler<RequirePermissionAttribute>
|
||||
{
|
||||
private readonly IRolPermisoRepository _rolPermisoRepo;
|
||||
private readonly IUsuarioRepository _usuarioRepo;
|
||||
private readonly ISecurityEventLogger _security;
|
||||
private readonly ILogger<PermissionAuthorizationHandler> _logger;
|
||||
|
||||
public PermissionAuthorizationHandler(
|
||||
IRolPermisoRepository rolPermisoRepo,
|
||||
IUsuarioRepository usuarioRepo,
|
||||
ISecurityEventLogger security,
|
||||
ILogger<PermissionAuthorizationHandler> logger)
|
||||
{
|
||||
_rolPermisoRepo = rolPermisoRepo;
|
||||
_usuarioRepo = usuarioRepo;
|
||||
_security = security;
|
||||
_logger = logger;
|
||||
}
|
||||
|
||||
@@ -83,8 +88,17 @@ public sealed class PermissionAuthorizationHandler
|
||||
}
|
||||
|
||||
// 8. Stash required permission for ForbiddenProblemDetailsHandler
|
||||
var requiredPermission = requirement.PermissionCodes[0];
|
||||
if (context.Resource is HttpContext httpContext)
|
||||
httpContext.Items["RequiredPermission"] = requirement.PermissionCodes[0];
|
||||
httpContext.Items["RequiredPermission"] = requiredPermission;
|
||||
|
||||
// 9. Emit SecurityEvent for the denial
|
||||
var endpoint = (context.Resource as HttpContext)?.Request?.Path.Value;
|
||||
var method = (context.Resource as HttpContext)?.Request?.Method;
|
||||
await _security.LogAsync("permission.denied", "failure",
|
||||
actorUserId: userId,
|
||||
failureReason: $"missing_permission:{requiredPermission}",
|
||||
metadata: new { permissionRequired = requiredPermission, endpoint, method });
|
||||
|
||||
context.Fail(new AuthorizationFailureReason(this,
|
||||
$"missing_permission:{string.Join('|', requirement.PermissionCodes)}"));
|
||||
|
||||
@@ -2,6 +2,7 @@ using Microsoft.Extensions.Logging;
|
||||
using SIGCM2.Application.Abstractions;
|
||||
using SIGCM2.Application.Abstractions.Persistence;
|
||||
using SIGCM2.Application.Abstractions.Security;
|
||||
using SIGCM2.Application.Audit;
|
||||
using SIGCM2.Application.Common;
|
||||
using SIGCM2.Domain.Entities;
|
||||
using SIGCM2.Domain.Exceptions;
|
||||
@@ -19,6 +20,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
|
||||
private readonly IClientContext _clientContext;
|
||||
private readonly AuthOptions _authOptions;
|
||||
private readonly IRolPermisoRepository _rolPermisoRepository;
|
||||
private readonly ISecurityEventLogger _security;
|
||||
private readonly ILogger<LoginCommandHandler> _logger;
|
||||
|
||||
public LoginCommandHandler(
|
||||
@@ -30,6 +32,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
|
||||
IClientContext clientContext,
|
||||
AuthOptions authOptions,
|
||||
IRolPermisoRepository rolPermisoRepository,
|
||||
ISecurityEventLogger security,
|
||||
ILogger<LoginCommandHandler> logger)
|
||||
{
|
||||
_repository = repository;
|
||||
@@ -40,6 +43,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
|
||||
_clientContext = clientContext;
|
||||
_authOptions = authOptions;
|
||||
_rolPermisoRepository = rolPermisoRepository;
|
||||
_security = security;
|
||||
_logger = logger;
|
||||
}
|
||||
|
||||
@@ -47,12 +51,30 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
|
||||
{
|
||||
var usuario = await _repository.GetByUsernameAsync(command.Username);
|
||||
|
||||
// Deliberately vague — never reveal which check failed
|
||||
if (usuario is null || !usuario.Activo)
|
||||
// Deliberately vague to the client — never reveal which check failed.
|
||||
// Internally, SecurityEvent captures the precise FailureReason for ops.
|
||||
if (usuario is null)
|
||||
{
|
||||
await _security.LogAsync("login", "failure",
|
||||
actorUserId: null, attemptedUsername: command.Username,
|
||||
failureReason: "user_not_found");
|
||||
throw new InvalidCredentialsException();
|
||||
}
|
||||
if (!usuario.Activo)
|
||||
{
|
||||
await _security.LogAsync("login", "failure",
|
||||
actorUserId: usuario.Id, attemptedUsername: command.Username,
|
||||
failureReason: "user_inactive");
|
||||
throw new InvalidCredentialsException();
|
||||
}
|
||||
|
||||
if (!_hasher.Verify(command.Password, usuario.PasswordHash))
|
||||
{
|
||||
await _security.LogAsync("login", "failure",
|
||||
actorUserId: usuario.Id, attemptedUsername: command.Username,
|
||||
failureReason: "invalid_password");
|
||||
throw new InvalidCredentialsException();
|
||||
}
|
||||
|
||||
var accessToken = _jwtService.GenerateAccessToken(usuario);
|
||||
|
||||
@@ -83,6 +105,8 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
|
||||
var effective = PermisoResolver.Resolve(rolPermisos, overrides);
|
||||
var permisos = effective.OrderBy(p => p, StringComparer.Ordinal).ToArray();
|
||||
|
||||
await _security.LogAsync("login", "success", actorUserId: usuario.Id);
|
||||
|
||||
return new LoginResponseDto(
|
||||
AccessToken: accessToken,
|
||||
RefreshToken: rawRefresh, // raw to client — never stored
|
||||
|
||||
@@ -1,15 +1,18 @@
|
||||
using SIGCM2.Application.Abstractions;
|
||||
using SIGCM2.Application.Abstractions.Persistence;
|
||||
using SIGCM2.Application.Audit;
|
||||
|
||||
namespace SIGCM2.Application.Auth.Logout;
|
||||
|
||||
public sealed class LogoutCommandHandler : ICommandHandler<LogoutCommand, LogoutResponseDto>
|
||||
{
|
||||
private readonly IRefreshTokenRepository _refreshRepo;
|
||||
private readonly ISecurityEventLogger _security;
|
||||
|
||||
public LogoutCommandHandler(IRefreshTokenRepository refreshRepo)
|
||||
public LogoutCommandHandler(IRefreshTokenRepository refreshRepo, ISecurityEventLogger security)
|
||||
{
|
||||
_refreshRepo = refreshRepo;
|
||||
_security = security;
|
||||
}
|
||||
|
||||
public async Task<LogoutResponseDto> Handle(LogoutCommand command)
|
||||
@@ -17,6 +20,7 @@ public sealed class LogoutCommandHandler : ICommandHandler<LogoutCommand, Logout
|
||||
// Revoke all active tokens for the user across all families.
|
||||
// Idempotent: 0 rows affected is not an error.
|
||||
await _refreshRepo.RevokeAllActiveForUserAsync(command.UsuarioId, DateTime.UtcNow);
|
||||
await _security.LogAsync("logout", "success", actorUserId: command.UsuarioId);
|
||||
return new LogoutResponseDto(true, "Sesión cerrada correctamente");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
using SIGCM2.Application.Abstractions;
|
||||
using SIGCM2.Application.Abstractions.Persistence;
|
||||
using SIGCM2.Application.Abstractions.Security;
|
||||
using SIGCM2.Application.Audit;
|
||||
using SIGCM2.Domain.Entities;
|
||||
using SIGCM2.Domain.Exceptions;
|
||||
using SIGCM2.Domain.Security;
|
||||
@@ -15,6 +16,7 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
|
||||
private readonly IRefreshTokenGenerator _refreshGenerator;
|
||||
private readonly IClientContext _clientCtx;
|
||||
private readonly AuthOptions _authOptions;
|
||||
private readonly ISecurityEventLogger _security;
|
||||
|
||||
public RefreshCommandHandler(
|
||||
IRefreshTokenRepository refreshRepo,
|
||||
@@ -22,7 +24,8 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
|
||||
IJwtService jwt,
|
||||
IRefreshTokenGenerator refreshGenerator,
|
||||
IClientContext clientCtx,
|
||||
AuthOptions authOptions)
|
||||
AuthOptions authOptions,
|
||||
ISecurityEventLogger security)
|
||||
{
|
||||
_refreshRepo = refreshRepo;
|
||||
_usuarioRepo = usuarioRepo;
|
||||
@@ -30,6 +33,7 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
|
||||
_refreshGenerator = refreshGenerator;
|
||||
_clientCtx = clientCtx;
|
||||
_authOptions = authOptions;
|
||||
_security = security;
|
||||
}
|
||||
|
||||
public async Task<RefreshResponseDto> Handle(RefreshCommand command)
|
||||
@@ -62,23 +66,44 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
|
||||
if (stored.IsRevoked)
|
||||
{
|
||||
await _refreshRepo.RevokeFamilyAsync(stored.FamilyId, now);
|
||||
await _security.LogAsync("refresh.reuse_detected", "failure",
|
||||
actorUserId: stored.UsuarioId,
|
||||
failureReason: "token_reused",
|
||||
metadata: new { familyId = stored.FamilyId });
|
||||
throw new TokenReuseDetectedException();
|
||||
}
|
||||
|
||||
// 5. Absolute expiration check
|
||||
if (stored.IsExpired(now))
|
||||
{
|
||||
await _security.LogAsync("refresh.issue", "failure",
|
||||
actorUserId: stored.UsuarioId, failureReason: "token_expired");
|
||||
throw new InvalidRefreshTokenException();
|
||||
}
|
||||
|
||||
// 6. UsuarioId must match access token's sub claim
|
||||
if (stored.UsuarioId != accessUserId)
|
||||
{
|
||||
await _security.LogAsync("refresh.issue", "failure",
|
||||
actorUserId: stored.UsuarioId, failureReason: "sub_mismatch");
|
||||
throw new InvalidRefreshTokenException();
|
||||
}
|
||||
|
||||
// 7. Load current user (so access token has up-to-date claims)
|
||||
var usuario = await _usuarioRepo.GetByIdAsync(stored.UsuarioId)
|
||||
?? throw new InvalidRefreshTokenException();
|
||||
var usuario = await _usuarioRepo.GetByIdAsync(stored.UsuarioId);
|
||||
if (usuario is null)
|
||||
{
|
||||
await _security.LogAsync("refresh.issue", "failure",
|
||||
actorUserId: stored.UsuarioId, failureReason: "user_not_found");
|
||||
throw new InvalidRefreshTokenException();
|
||||
}
|
||||
|
||||
if (!usuario.Activo)
|
||||
{
|
||||
await _security.LogAsync("refresh.issue", "failure",
|
||||
actorUserId: usuario.Id, failureReason: "user_inactive");
|
||||
throw new InvalidRefreshTokenException();
|
||||
}
|
||||
|
||||
// 8. Rotate: create new token, persist, then revoke old
|
||||
var newRaw = _refreshGenerator.Generate();
|
||||
@@ -90,6 +115,9 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
|
||||
|
||||
// 9. Issue new access token
|
||||
var newAccess = _jwt.GenerateAccessToken(usuario);
|
||||
|
||||
await _security.LogAsync("refresh.issue", "success", actorUserId: usuario.Id);
|
||||
|
||||
return new RefreshResponseDto(newAccess, newRaw, _authOptions.AccessTokenMinutes * 60);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,7 @@ using Microsoft.Extensions.Logging.Abstractions;
|
||||
using NSubstitute;
|
||||
using SIGCM2.Api.Authorization;
|
||||
using SIGCM2.Application.Abstractions.Persistence;
|
||||
using SIGCM2.Application.Audit;
|
||||
using SIGCM2.Domain.Entities;
|
||||
|
||||
namespace SIGCM2.Api.Tests.Authorization;
|
||||
@@ -18,6 +19,7 @@ public sealed class PermissionAuthorizationHandlerTests
|
||||
{
|
||||
private readonly IRolPermisoRepository _rolPermisoRepo = Substitute.For<IRolPermisoRepository>();
|
||||
private readonly IUsuarioRepository _usuarioRepo = Substitute.For<IUsuarioRepository>();
|
||||
private readonly ISecurityEventLogger _security = Substitute.For<ISecurityEventLogger>();
|
||||
private readonly PermissionAuthorizationHandler _handler;
|
||||
|
||||
public PermissionAuthorizationHandlerTests()
|
||||
@@ -29,6 +31,7 @@ public sealed class PermissionAuthorizationHandlerTests
|
||||
_handler = new PermissionAuthorizationHandler(
|
||||
_rolPermisoRepo,
|
||||
_usuarioRepo,
|
||||
_security,
|
||||
NullLogger<PermissionAuthorizationHandler>.Instance);
|
||||
}
|
||||
|
||||
|
||||
@@ -3,6 +3,7 @@ using NSubstitute;
|
||||
using SIGCM2.Application.Abstractions;
|
||||
using SIGCM2.Application.Abstractions.Persistence;
|
||||
using SIGCM2.Application.Abstractions.Security;
|
||||
using SIGCM2.Application.Audit;
|
||||
using SIGCM2.Application.Auth;
|
||||
using SIGCM2.Application.Auth.Login;
|
||||
using SIGCM2.Domain.Entities;
|
||||
@@ -20,6 +21,7 @@ public class LoginCommandHandlerTests
|
||||
private readonly IRefreshTokenGenerator _refreshGenerator = Substitute.For<IRefreshTokenGenerator>();
|
||||
private readonly IClientContext _clientCtx = Substitute.For<IClientContext>();
|
||||
private readonly IRolPermisoRepository _rolPermisoRepo = Substitute.For<IRolPermisoRepository>();
|
||||
private readonly ISecurityEventLogger _security = Substitute.For<ISecurityEventLogger>();
|
||||
private readonly ILogger<LoginCommandHandler> _logger = Substitute.For<ILogger<LoginCommandHandler>>();
|
||||
private readonly AuthOptions _authOptions = new() { AccessTokenMinutes = 60, RefreshTokenDays = 7 };
|
||||
private readonly LoginCommandHandler _handler;
|
||||
@@ -42,7 +44,7 @@ public class LoginCommandHandlerTests
|
||||
_handler = new LoginCommandHandler(
|
||||
_repository, _hasher, _jwtService,
|
||||
_refreshRepo, _refreshGenerator, _clientCtx, _authOptions,
|
||||
_rolPermisoRepo, _logger);
|
||||
_rolPermisoRepo, _security, _logger);
|
||||
}
|
||||
|
||||
// Scenario: valid credentials → returns token response with usuario populated
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
using NSubstitute;
|
||||
using SIGCM2.Application.Abstractions.Persistence;
|
||||
using SIGCM2.Application.Audit;
|
||||
using SIGCM2.Application.Auth.Logout;
|
||||
|
||||
namespace SIGCM2.Application.Tests.Auth.Logout;
|
||||
@@ -7,11 +8,12 @@ namespace SIGCM2.Application.Tests.Auth.Logout;
|
||||
public class LogoutCommandHandlerTests
|
||||
{
|
||||
private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
|
||||
private readonly ISecurityEventLogger _security = Substitute.For<ISecurityEventLogger>();
|
||||
private readonly LogoutCommandHandler _handler;
|
||||
|
||||
public LogoutCommandHandlerTests()
|
||||
{
|
||||
_handler = new LogoutCommandHandler(_refreshRepo);
|
||||
_handler = new LogoutCommandHandler(_refreshRepo, _security);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
|
||||
@@ -4,6 +4,7 @@ using NSubstitute.ExceptionExtensions;
|
||||
using SIGCM2.Application.Abstractions;
|
||||
using SIGCM2.Application.Abstractions.Persistence;
|
||||
using SIGCM2.Application.Abstractions.Security;
|
||||
using SIGCM2.Application.Audit;
|
||||
using SIGCM2.Application.Auth;
|
||||
using SIGCM2.Application.Auth.Refresh;
|
||||
using SIGCM2.Domain.Entities;
|
||||
@@ -19,6 +20,7 @@ public class RefreshCommandHandlerTests
|
||||
private readonly IJwtService _jwtService = Substitute.For<IJwtService>();
|
||||
private readonly IRefreshTokenGenerator _generator = Substitute.For<IRefreshTokenGenerator>();
|
||||
private readonly IClientContext _clientCtx = Substitute.For<IClientContext>();
|
||||
private readonly ISecurityEventLogger _security = Substitute.For<ISecurityEventLogger>();
|
||||
private readonly AuthOptions _authOptions = new() { AccessTokenMinutes = 60, RefreshTokenDays = 7 };
|
||||
private readonly RefreshCommandHandler _handler;
|
||||
|
||||
@@ -34,7 +36,7 @@ public class RefreshCommandHandlerTests
|
||||
_generator.Generate().Returns("new_raw_token_value_xyz");
|
||||
|
||||
_handler = new RefreshCommandHandler(
|
||||
_refreshRepo, _usuarioRepo, _jwtService, _generator, _clientCtx, _authOptions);
|
||||
_refreshRepo, _usuarioRepo, _jwtService, _generator, _clientCtx, _authOptions, _security);
|
||||
}
|
||||
|
||||
// Helper: build an active stored RefreshToken with a matching principal
|
||||
|
||||
Reference in New Issue
Block a user