/*
* dbMango
*
* Copyright 2025 Deutsche Bank AG
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
using System.Diagnostics.CodeAnalysis;
// ReSharper disable AutoPropertyCanBeMadeGetOnly.Global
namespace Rms.Service.Bootstrap.Security;
/// <summary>
/// Settings for OIDC (OpenID Connect) based authentication.
/// </summary>
[SuppressMessage("ReSharper", "AutoPropertyCanBeMadeGetOnly.Global")]
public class OidcSettings
{
    /// <summary>
    /// Client ID (application ID) registered with the identity provider.
    /// </summary>
    public string ClientId { get; set; } = "";

    /// <summary>
    /// Additional client IDs to accept when validating JWTs.
    /// Only applies when the user access token is passed through the request headers,
    /// i.e. when this service is used as an API server.
    /// </summary>
    public string[] ValidClientIds { get; set; } = Array.Empty<string>();

    /// <summary>
    /// Application secret (client secret). Sensitive: keep it out of source control and
    /// supply it through an encrypted configuration source or a secret store.
    /// </summary>
    public string Secret { get; set; } = "";

    /// <summary>
    /// Well-known OAuth configuration URL (discovery document).
    /// If <see cref="ConfigCacheFile"/> is supplied, the loaded configuration is cached there.
    /// </summary>
    public string ConfigUrl { get; set; } = "";

    /// <summary>
    /// If the configuration cannot be loaded from <see cref="ConfigUrl"/>, it is loaded
    /// from this file instead (if it exists).
    /// </summary>
    public string? ConfigCacheFile { get; set; }

    /// <summary>
    /// Forces a different protocol on the redirection URL. Useful when running in a Docker
    /// container under a service mesh where SSL termination happens on the egress gateway.
    /// </summary>
    public string? ForceRedirectUrlProtocol { get; set; }

    /// <summary>
    /// Forces a different port on the redirection URL. Useful when running in a Docker
    /// container under a service mesh where SSL termination happens on the egress gateway.
    /// The default of 0 presumably means "keep the original port" — confirm against the
    /// code that builds the redirect URL.
    /// </summary>
    public int ForceRedirectUrlPort { get; set; }
}
/// <summary>
/// LDAP / Active Directory settings.
/// </summary>
public class LdapSettings
{
    /// <summary>
    /// AD server URL in the form ldaps://xxx.com.
    /// </summary>
    public string Url { get; set; } = "";

    /// <summary>
    /// User name for the directory connection (presumably the bind account — confirm
    /// against the LDAP client code).
    /// </summary>
    public string Username { get; set; } = "";

    /// <summary>
    /// Password for the directory connection. Sensitive: keep it out of source control
    /// and supply it through an encrypted configuration source or a secret store.
    /// </summary>
    public string Password { get; set; } = "";

    /// <summary>
    /// Directory entry point (presumably the search base DN — confirm against the LDAP client code).
    /// </summary>
    public string EntryPoint { get; set; } = "";

    /// <summary>
    /// Mapping between application roles and directory groups. The direction of the
    /// mapping is not visible here; confirm against the consumer.
    /// </summary>
    // NOTE(review): the generic type arguments of this Dictionary are not visible in this
    // listing (likely lost in extraction) — restore them from the original source.
    public Dictionary RoleGroupMapping { get; set; } = new();
}
/// <summary>
/// Security related settings.
/// </summary>
[SuppressMessage("ReSharper", "CollectionNeverUpdated.Global")]
public class SecuritySettings
{
    /// <summary>
    /// X.509 server (own) certificate file name.
    /// If empty, no certificate is used for the server (HTTP server in a service mesh).
    /// </summary>
    public string CertificateFileName { get; set; } = "";

    /// <summary>
    /// X.509 server (own) certificate password.
    /// If empty, no certificate is used for the server (HTTP server in a service mesh).
    /// Sensitive: supply through an encrypted configuration source or a secret store.
    /// </summary>
    public string CertificatePassword { get; set; } = "";

    /// <summary>
    /// Predefined role definitions. These can be loaded from dbEntitlements.
    /// </summary>
    // NOTE(review): the generic type arguments of this Dictionary are not visible in this
    // listing (likely lost in extraction) — restore them from the original source.
    public Dictionary Roles { get; set; } = new();

    /// <summary>
    /// Secret used to issue JWT tokens.
    /// This value must be either stored encrypted or generated at startup; never keep a
    /// plaintext value in configuration files.
    /// </summary>
    public string Secret { get; set; } = "";

    /// <summary>
    /// An inactive user is logged off after this time span. Defaults to 15 minutes.
    /// </summary>
    public TimeSpan LogoffIdlePeriod { get; set; } = TimeSpan.FromMinutes(15);

    /// <summary>
    /// Configuration for OIDC.
    /// </summary>
    public OidcSettings Oidc { get; set; } = new();

    /// <summary>
    /// When certificate-based authentication is in use, an issuer with this subject
    /// must be present in the certificate chain.
    /// </summary>
    // NOTE(review): the generic type argument of this HashSet is not visible in this
    // listing (likely lost in extraction) — restore it from the original source.
    public HashSet CASubjectToAccept { get; set; } = new();

    /// <summary>
    /// Client certificate CNs that are granted access. Presumably consulted only for
    /// certificates whose chain was accepted via <see cref="CASubjectToAccept"/> — confirm
    /// in the authentication handler.
    /// </summary>
    // NOTE(review): the generic type argument of this HashSet is not visible in this
    // listing (likely lost in extraction) — restore it from the original source.
    public HashSet ClientCertWhiteList { get; set; } = new();

    /// <summary>
    /// LDAP settings.
    /// </summary>
    public LdapSettings Ldap { get; set; } = new();
}