Feature to secure grains with authentication

[jan-johansson-mr]

Hi,

Orleans have kind of a support for securing grains via use of RequestContext, and filters, that enables to piggy back out-of-band data in the calls between the client and grains. I've been sketching on some infrastructure for Orleans to present a familiar feel to how security is used with ASP.NET Core.

There are some caveats for the proposal, and I'd love your feedback. See at the end of this text.

First off, to enable security with the client side, we have the following pattern

using var host = new HostBuilder()
	.UseOrleansClient(builder =>
	{
		builder.AddAuthentication();
		builder.UseLocalhostClustering();
	})
	.UseConsoleLifetime()
	.Build();

The extension function AddAuthentication adds necessary plumbing with RequestContext and OutgoingGrainCallFilter.

Then, on the host side, there is this pattern

var builder = Host
	.CreateDefaultBuilder(arguments)
	.UseConsoleLifetime();

builder.UseOrleans(siloBuilder =>
{
	siloBuilder.AddAuthentication(options =>
	{
		options.AddPolicy("write", policy =>
		{
			policy.AddClaimTypeRequirement("sub");  // "sub" claim type required
			policy.AddClaimTypeValuesRequirement("access", "write");  // "access" claim type required with "write" permission for "write" policy
		});
		options.AddPolicy("read", policy =>
		{
			policy.AddClaimTypeRequirement("sub");
			policy.AddClaimTypeValuesRequirement("access", "read", "write");  // "access" claim type required with "read" or "write" permission for "read" policy
		});
	});
	siloBuilder.UseLocalhostClustering();
	siloBuilder.AddMemoryGrainStorage("memory");
	siloBuilder.ConfigureServices(services =>
	{
		services.AddScoped<IClaimsTransformation, ClaimsTestTransformation>();
	});
});

Where AddAuthentication adds the nescessary plumbing with RequestContext and IncomingGrainCallFilter.

Notice the services.AddScoped<IClaimsTransformation, ClaimsTestTransformation>() line, that adds the optional plugin of a claims transformer. The transformer can be usefull if there is a need to take the payload from RequestContext and transform to fullblown authentication context with the Silo.

The grain interface is decorated with a SecurityContextAttribute, to help filter out grains that are using the security feature, like this

[SecurityContext]
public interface ITestGrain : IGrainWithGuidKey
{
	Task DoWork();
}

The Silo host grain is then secured by the look and feel of the old good Authentication attribute, like this

internal class TestGrain : ITestGrain
{
	[Authorize("write")]
	public Task DoWork()
	{
		return Task.CompletedTask;
	}
}

Where the policy is plugged in from the policy statements at the silo builder section.

I've minimized the payload with the sketchy implementation, to only flow through three types

• sub (from OAuth where sub identifies some user by unique identity)
• name (as name is a standard attribute with claims identity)
• role (as role is a standard attribute with claims identity)

Here is the code that gets the values needed to populate RequestContext before putting the values on the wire

static IEnumerable<(string type, string value)> GetTypeValueClaims(ClaimsIdentity claimsIdentity)
{
	var nameClaim = claimsIdentity.FindFirst(claimsIdentity.NameClaimType);

	if (nameClaim is not null)
	{
		yield return (ClaimTypes.Name, nameClaim.Value);
	}

	var roleClaim = claimsIdentity.FindFirst(claimsIdentity.RoleClaimType);

	if (roleClaim is not null)
	{
		yield return (ClaimTypes.Role, roleClaim.Value);
	}

	var subjectClaim = claimsIdentity.FindFirst(claim => claim.Type == "sub");

	if (subjectClaim is not null)
	{
		yield return (subjectClaim.Type, subjectClaim.Value);
	}
}

And then vice versa the code that picks the values up

static IEnumerable<Claim> RetrieveClaims()
{
	if (RequestContext.Get(ClaimTypes.Name) is string name)
	{
		yield return new Claim(ClaimTypes.Name, name);
	}

	if (RequestContext.Get(ClaimTypes.Role) is string role)
	{
		yield return new Claim(ClaimTypes.Role, role);
	}

	if (RequestContext.Get(SubjectClaim) is string subject)
	{
		yield return new Claim(SubjectClaim, subject);
	}
}

There is a type introduced, named ISecurityContext, that flows with the client and host, containing an IPrincipal, the same pattern as used by ASP.NET Core with Http context and User property to flow the principal.

The ISecurityContext is available with dependency injection, and opens up the following with the grain

private readonly ISecurityContext _securityContext;

public TestGrain(ISecurityContext securityContext)
{
	_securityContext = securityContext;
}

[Authorize("write")]
public Task DoWork()
{
	if (_securityContext.Principal?.IsInRole("admin") ?? false)
	{
		Console.WriteLine("User is an admin");
	}

	Console.WriteLine($"name: {_securityContext.Principal?.Identity?.Name ?? "<no name>"}");

	return Task.CompletedTask;
}

The sketchy solution works really well in my testbed. However, there are some stuff that I'm not quite sure about yet

• Should Authorize attribute from ASP.NET be used? This requires a dependency to ASP.NET core packages into Orleans. Another solution is to mimic what ASP.NET offers, with the attribute, to cut this dependecy
• Should there be a façade to IClaimsTransfomer, so again, one can have the option of plugging in the transformer, but not have the dependency to ASP.NET Core

One tenet on this sketchy solution is to minimize RequestContext payload as much as possible, to avoid crunching too much, hence only flow a minimum set of data (possibly only "sub") and leave it to the transformer to do the heavy lifting once the grain has received the call.

Another tenet is to use ClaimsPrincipal, to have an already established framwork powering this solution.

Yeah, that's it, thanks!