From d1d97884322827e8d0e9778079fea93ea698f3aa Mon Sep 17 00:00:00 2001
From: Norbert Bietsch
Date: Wed, 27 Jan 2021 23:12:01 +0100
Subject: [PATCH] Added authorization key for cron controller
---
 .../Credentials.Development.json | 31 ++++++++++++---
 .../Configuration/Credentials.Production.json | 26 +++++++++++--
 League/Configuration/Credentials.json | 22 +----------
 League/Controllers/Cron.cs | 39 +++++++++++++++----
 League/League.csproj | 4 +-
 5 files changed, 82 insertions(+), 40 deletions(-)
diff --git a/League/Configuration/Credentials.Development.json b/League/Configuration/Credentials.Development.json
index d218b04b..12af2f18 100644
--- a/League/Configuration/Credentials.Development.json
+++ b/League/Configuration/Credentials.Development.json
@@ -1,7 +1,26 @@
 {
- "ConnectionStrings": {
- "TestOrgConnectionString": "Server=(LocalDB)\\MSSQLLocalDB;AttachDbFilename=Path-To-File.mdf;Database=TestOrg;Integrated Security=SSPI;Connection Timeout=50;Pooling=true;MultipleActiveResultSets=true",
- "OtherOrgConnectionString": "Server=(LocalDB)\\MSSQLLocalDB;AttachDbFilename=Path-To-File.mdf;Database=OtherOrg;Integrated Security=SSPI;Connection Timeout=50;Pooling=true;MultipleActiveResultSets=true",
- "AugsburgConnectionString": "Server=(LocalDB)\\MSSQLLocalDB;AttachDbFilename=Path-To-File.mdf;Database=LeagueA_Copy;Integrated Security=SSPI;Connection Timeout=50;Pooling=true;MultipleActiveResultSets=true"
- }
-}
\ No newline at end of file
+ "ConnectionStrings": {
+ "TestOrgConnectionString": "Server=(LocalDB)\\MSSQLLocalDB;AttachDbFilename=Path-To-File.mdf;Database=TestOrg;Integrated Security=SSPI;Connection Timeout=50;Pooling=true;MultipleActiveResultSets=true",
+ "OtherOrgConnectionString": "Server=(LocalDB)\\MSSQLLocalDB;AttachDbFilename=Path-To-File.mdf;Database=OtherOrg;Integrated Security=SSPI;Connection Timeout=50;Pooling=true;MultipleActiveResultSets=true",
+ },
+ "GoogleConfiguration": {
+ "WebApiKey": "**enter-key-here**",
+ "ServiceApiKey": "**enter-key-here**",
+ "AnalyticsTrackingId": "**enter-key-here**"
+ },
+ "SocialLogins": {
+ "Facebook": {
+ "AppId": "**enter-key-here**",
+ "AppSecret": "**enter-key-here**"
+ },
+ "Google": {
+ "ClientId": "**enter-key-here**",
+ "ClientSecret": "**enter-key-here**"
+ },
+ "Microsoft": {
+ "ClientId": "**enter-key-here**",
+ "ClientSecret": "**enter-key-here**"
+ }
+ },
+ "ScheduledTaskKey": "**app-internal-key**"
+}
diff --git a/League/Configuration/Credentials.Production.json b/League/Configuration/Credentials.Production.json
index 4fe840a5..c5f14f65 100644
--- a/League/Configuration/Credentials.Production.json
+++ b/League/Configuration/Credentials.Production.json
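Review bot: The rewritten `ConnectionStrings` object in Credentials.Development.json ends with a trailing comma after the `OtherOrgConnectionString` entry, apparently left behind when the Augsburg entry was removed, so the file is no longer strict JSON. Whether it still loads depends on how the configuration parser is set up, and validators or editors that expect strict JSON will reject it. Drop the comma so that entry ends `...MultipleActiveResultSets=true"` directly before the closing `}`.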
@@ -1,5 +1,25 @@
 {
- "ConnectionStrings": {
- "leagueConnectionString": "Server=127.0.0.1;User Id=user;Password=password;Integrated Security=false;Connection Timeout=15;Pooling=true;MultipleActiveResultSets=true"
- }
+ "ConnectionStrings": {
+ "leagueConnectionString": "Server=127.0.0.1;User Id=user;Password=password;Integrated Security=false;Connection Timeout=15;Pooling=true;MultipleActiveResultSets=true"
+ },
+ "GoogleConfiguration": {
+ "WebApiKey": "**enter-key-here**",
+ "ServiceApiKey": "**enter-key-here**",
+ "AnalyticsTrackingId": "**enter-key-here**"
+ },
+ "SocialLogins": {
+ "Facebook": {
+ "AppId": "**enter-key-here**",
+ "AppSecret": "**enter-key-here**"
+ },
+ "Google": {
+ "ClientId": "**enter-key-here**",
+ "ClientSecret": "**enter-key-here**"
+ },
+ "Microsoft": {
+ "ClientId": "**enter-key-here**",
+ "ClientSecret": "**enter-key-here**"
+ }
+ },
+ "ScheduledTaskKey": "**app-internal-key**"
 }
\ No newline at end of file
diff --git a/League/Configuration/Credentials.json b/League/Configuration/Credentials.json
index b2bbca11..9e26dfee 100644
--- a/League/Configuration/Credentials.json
+++ b/League/Configuration/Credentials.json
@@ -1,21 +1 @@
-{
- "GoogleConfiguration": {
- "WebApiKey": "**enter-key-here**",
- "ServiceApiKey": "**enter-key-here**",
- "AnalyticsTrackingId": "**enter-key-here**"
- },
- "SocialLogins": {
- "Facebook": {
- "AppId": "**enter-key-here**",
- "AppSecret": "**enter-key-here**"
- },
- "Google": {
- "ClientId": "**enter-key-here**",
- "ClientSecret": "**enter-key-here**"
- },
- "Microsoft": {
- "ClientId": "**enter-key-here**",
- "ClientSecret": "**enter-key-here**"
- }
- }
-}
\ No newline at end of file
+{}
\ No newline at end of file
diff --git a/League/Controllers/Cron.cs b/League/Controllers/Cron.cs
index 3a76003e..983186b5 100644
--- a/League/Controllers/Cron.cs
+++ b/League/Controllers/Cron.cs
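Review bot: `"ScheduledTaskKey": "**app-internal-key**"` puts a fixed, publicly readable placeholder into the production template, and the code added in Cron.cs only logs when the value is missing or blank and never checks for the placeholder, so a deployment that leaves it unchanged would accept that literal as a valid key. The same entry is added to Credentials.Development.json. Consider supplying the real key from outside the tracked file (an environment variable or a secret store) and treating the literal placeholder as "not configured" when the application starts.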
@@ -9,6 +9,7 @@ using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Microsoft.Extensions.Caching.Memory; +using Microsoft.Extensions.Configuration; using Microsoft.Extensions.Logging; using TournamentManager.MultiTenancy; @@ -19,7 +20,7 @@ public class Cron : AbstractController { private readonly ITenantContext _tenantContext; private readonly IAuthorizationService _authorizationService; - private readonly Axuno.Tools.DateAndTime.TimeZoneConverter _timeZoneConverter; + private readonly IConfiguration _configuration; private readonly ILogger _logger; private readonly Axuno.BackgroundTask.IBackgroundQueue _queue; private readonly SendEmailTask _sendMailTask; @@ -28,12 +29,12 @@ public class Cron : AbstractController private const int DoNotExecute = 0; // zero would mean a notification on the match day public Cron(TenantStore tenantStore, ITenantContext tenantContext, IAuthorizationService authorizationService, - Axuno.Tools.DateAndTime.TimeZoneConverter timeZoneConverter, Axuno.BackgroundTask.IBackgroundQueue queue, + IConfiguration configuration, Axuno.BackgroundTask.IBackgroundQueue queue, SendEmailTask sendMailTask, IMemoryCache cache, ILogger logger) { _tenantContext = tenantContext; _authorizationService = authorizationService; - _timeZoneConverter = timeZoneConverter; + _configuration = configuration; _queue = queue; _sendMailTask = sendMailTask; _tenantStore = tenantStore; @@ -41,9 +42,11 @@ public Cron(TenantStore tenantStore, ITenantContext tenantContext, IAuthorizatio _logger = logger; } - [HttpGet("/cron/automail/all")] - public async Task RunAll() + [HttpGet("/cron/automail/all/{key}")] + public async Task RunAll(string key) { + if(!IsAuthorized(key)) return StatusCode(Microsoft.AspNetCore.Http.StatusCodes.Status401Unauthorized, "Incorrect authorization key"); + var urlSegments = new List(); foreach (var (_, tenant) in _tenantStore.GetTenants()) { 
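Review bot: The authorization key is taken from the URL path in `[HttpGet("/cron/automail/all/{key}")]`, so it ends up wherever request URLs are recorded: web server and proxy access logs, monitoring, and this controller's own `_logger.LogInformation("Get request for {0} completed.", url)` in `InvokeUrl`, whose `url` now carries `key = GetAuthKey()`. The same applies to the `AutoMail` route in the `@@ -81,9 +84,11 @@` hunk. Consider binding the key from a request header instead, for example `[FromHeader(Name = "X-Scheduled-Task-Key")] string key` (header name constructed for illustration), and setting that header on the `HttpClient` request in `InvokeUrl` rather than adding the key to the route values. `RunAll` continues past the end of this hunk.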
@@ -81,9 +84,11 @@ public async Task RunAll() } - [HttpGet("{organization:MatchingTenant}/cron/automail/{datetime?}")] - public ContentResult AutoMail(string? datetime) + [HttpGet("{organization:MatchingTenant}/cron/automail/{key}/{datetime?}")] + public IActionResult AutoMail(string key, string? datetime) { + if(!IsAuthorized(key)) return StatusCode(Microsoft.AspNetCore.Http.StatusCodes.Status401Unauthorized, "Incorrect authorization key"); + var forceDate = datetime?.EndsWith("!") ?? false; if (datetime == null || !DateTime.TryParse(datetime.TrimEnd('!'), out var cronDateTime)) @@ -192,7 +197,7 @@ private async Task> InvokeUrl(string urlSegmentValue) try { url = Url.Action(nameof(AutoMail), nameof(Cron), - new {organization = urlSegmentValue}, Uri.UriSchemeHttps); + new {organization = urlSegmentValue, key = GetAuthKey() }, Uri.UriSchemeHttps); await httpClient.GetAsync(url); } @@ -205,5 +210,23 @@ private async Task> InvokeUrl(string urlSegmentValue) _logger.LogInformation("Get request for {0} completed.", url); return (true, url); } + + private bool IsAuthorized(string key) + { + if (key == GetAuthKey()) + { + _logger.LogInformation("Scheduled task was authorized"); + return true; + } + _logger.LogInformation("Scheduled task could not be authorized"); + return false; + } + + private string GetAuthKey() + { + var key = _configuration.GetSection("ScheduledTaskKey").Value; + if (string.IsNullOrWhiteSpace(key)) _logger.LogCritical("ScheduledTaskKey is null or whitespace"); + return key; + } } } \ No newline at end of file diff --git a/League/League.csproj b/League/League.csproj index a5da3bf7..cd77b2f2 100644 --- a/League/League.csproj +++ b/League/League.csproj @@ -6,8 +6,8 @@ League ceea2bf6-8147-49b9-be85-26fca01f9ed3 - 4.5.0 - 4.5.0.0 + 4.5.1 + 4.5.1.0 Volleyball-League axuno gGmbH Volleyball-League
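Review bot: `IsAuthorized` in the `@@ -205,5 +210,23 @@` hunk compares the secret with `key == GetAuthKey()`, an ordinary string comparison that is not constant-time, and `GetAuthKey` hands back a blank value after logging instead of refusing it. Compare with `CryptographicOperations.FixedTimeEquals`, reject outright when the configured key is null or whitespace, and log rejections at Warning level so that repeated failures stand out in monitoring. The rewritten method is below; `GetAuthKey` stays as it is.

```csharp
private bool IsAuthorized(string key)
{
    var expected = GetAuthKey();

    // Fail closed: an unset or blank configured key must never authorize a request.
    if (string.IsNullOrWhiteSpace(expected) || string.IsNullOrEmpty(key))
    {
        _logger.LogWarning("Scheduled task could not be authorized");
        return false;
    }

    // Constant-time comparison of the two byte sequences (length differences aside).
    var authorized = System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
        System.Text.Encoding.UTF8.GetBytes(key),
        System.Text.Encoding.UTF8.GetBytes(expected));

    if (authorized)
    {
        _logger.LogInformation("Scheduled task was authorized");
        return true;
    }

    _logger.LogWarning("Scheduled task could not be authorized");
    return false;
}

// … unchanged: GetAuthKey …
```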