Add azure-deploy workflow

Author: abergs

.github/workflows/azure-deploy.yml

@@ -0,0 +1,64 @@
+name: Deploy to Azure
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - 'Demo/**'
+      - 'Src/**'
+      - '.github/workflows/azure-deploy.yml'
+
+env:
+  # Setting these variables allows .NET CLI to use rich color codes in console output
+  TERM: xterm
+  DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: true
+  # Skip boilerplate output
+  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
+  DOTNET_NOLOGO: true
+  DOTNET_CLI_TELEMETRY_OPTOUT: true
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install .NET
+        uses: actions/setup-dotnet@3951f0dfe7a07e2313ec93c75700083e2005cbab # v4.3.0
+        with:
+          dotnet-version: "8.0.x"
+
+      - name: Run restore
+        run: dotnet restore Demo/Demo.csproj
+
+      - name: Run build
+        run: >
+          dotnet build Demo/Demo.csproj
+          --no-restore
+          --configuration Release
+
+      - name: Run tests
+        run: >
+          dotnet test Tests/Fido2.Tests/Fido2.Tests.csproj
+          --configuration Release
+          --logger "trx;LogFileName=test-results.trx"
+
+      - name: Publish application
+        run: >
+          dotnet publish Demo/Demo.csproj
+          --no-restore
+          --no-build
+          --configuration Release
+          --output ./publish
+
+      - name: Deploy to Azure Web App
+        uses: azure/webapps-deploy@v3
+        with:
+          package: ./publish
+          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}

current.md

@@ -0,0 +1,254 @@
+# Current MDS (Metadata Service) Implementation
+
+## Architecture Overview
+
+The current MDS implementation follows a clean separation of concerns:
+
+- **`IMetadataRepository`** - Handles all complexity (JWT validation, cert chains, HTTP calls, FIDO spec compliance)
+- **`IMetadataService`** - Simple caching wrapper around repositories
+- **Registration API** - Builder pattern for configuration
+
+## Core Interfaces
+
+### IMetadataService
+
+```csharp
+public interface IMetadataService
+{
+    /// <summary>
+    /// Gets the metadata payload entry by a guid asynchronously.
+    /// </summary>
+    /// <param name="aaguid">The Authenticator Attestation GUID.</param>
+    /// <param name="cancellationToken">The <see cref="CancellationToken"/> used to propagate notifications that the operation should be canceled.</param>
+    /// <returns>Returns the entry; Otherwise <c>null</c>.</returns>
+    Task<MetadataBLOBPayloadEntry?> GetEntryAsync(Guid aaguid, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Gets a value indicating whether the internal access token is valid.
+    /// </summary>
+    /// <returns>
+    /// Returns <c>true</c> if access token is valid, or <c>false</c> if the access token is equal to an invalid token value.
+    /// </returns>
+    bool ConformanceTesting();
+}
+```
+
+### IMetadataRepository
+
+```csharp
+public interface IMetadataRepository
+{
+    Task<MetadataBLOBPayload> GetBLOBAsync(CancellationToken cancellationToken = default);
+
+    Task<MetadataStatement?> GetMetadataStatementAsync(MetadataBLOBPayload blob, MetadataBLOBPayloadEntry entry, CancellationToken cancellationToken = default);
+}
+```
+
+## Current Implementations
+
+### Repository Implementations
+
+#### 1. Fido2MetadataServiceRepository
+- **Purpose**: Official FIDO Alliance MDS3 service
+- **Features**: 
+  - JWT validation with certificate chain verification
+  - Downloads from `https://mds3.fidoalliance.org/`
+  - Validates against GlobalSign root certificate
+  - Handles CRL checking for revoked certificates
+- **Usage**: Production metadata from FIDO Alliance
+
+#### 2. ConformanceMetadataRepository  
+- **Purpose**: FIDO conformance testing
+- **Features**:
+  - Downloads from conformance test endpoints
+  - Uses fake root certificate for testing
+  - Supports multiple conformance endpoints
+- **Usage**: Conformance testing scenarios
+
+#### 3. FileSystemMetadataRepository
+- **Purpose**: Local filesystem cache/storage
+- **Features**:
+  - Loads metadata statements from local directory
+  - Creates fake entries with `NOT_FIDO_CERTIFIED` status
+  - No JWT validation (assumes pre-validated files)
+- **Usage**: Local development, caching, testing
+
+### Service Implementation
+
+#### DistributedCacheMetadataService
+- **Purpose**: Caching wrapper for repositories
+- **Features**:
+  - **L1 Cache**: IMemoryCache (1 hour default)
+  - **L2 Cache**: IDistributedCache (8 days default) 
+  - **L3 Source**: IMetadataRepository collection
+  - Graceful error handling with logging
+  - Respects `NextUpdate` field from BLOB payload
+  - Automatic cache invalidation based on timestamps
+
+**Cache Hierarchy:**
+1. Check memory cache
+2. Check distributed cache, refresh if expired
+3. Fetch from repositories
+4. Store in both cache layers
+
+## Current Registration API
+
+### Builder Interfaces
+
+```csharp
+public interface IFido2NetLibBuilder
+{
+    IServiceCollection Services { get; }
+}
+
+public interface IFido2MetadataServiceBuilder  
+{
+    IServiceCollection Services { get; }
+}
+
+public class Fido2NetLibBuilder : IFido2NetLibBuilder, IFido2MetadataServiceBuilder
+{
+    public IServiceCollection Services { get; }
+}
+```
+
+### Registration Methods
+
+```csharp
+public static class Fido2NetLibBuilderExtensions
+{
+    // Core FIDO2 registration
+    public static IFido2NetLibBuilder AddFido2(this IServiceCollection services, IConfiguration configuration);
+    public static IFido2NetLibBuilder AddFido2(this IServiceCollection services, Action<Fido2Configuration> setupAction);
+
+    // Metadata service registration (hardcoded to DistributedCacheMetadataService)
+    public static void AddCachedMetadataService(this IFido2NetLibBuilder builder, Action<IFido2MetadataServiceBuilder> configAction)
+    {
+        builder.Services.AddScoped<IMetadataService, DistributedCacheMetadataService>();
+        configAction(new Fido2NetLibBuilder(builder.Services));
+    }
+
+    // Repository registration methods (called within configAction above)
+    public static IFido2MetadataServiceBuilder AddFileSystemMetadataRepository(this IFido2MetadataServiceBuilder builder, string directoryPath);
+    public static IFido2MetadataServiceBuilder AddConformanceMetadataRepository(this IFido2MetadataServiceBuilder builder, HttpClient client = null, string origin = "");
+    public static IFido2MetadataServiceBuilder AddFidoMetadataRepository(this IFido2MetadataServiceBuilder builder, Action<IHttpClientBuilder> clientBuilder = null);
+}
+```
+
+## Current Usage Patterns
+
+### Default Usage (Demo Project)
+
+```csharp
+builder.Services.AddFido2(options =>
+{
+    options.ServerDomain = builder.Configuration["fido2:serverDomain"];
+    options.ServerName = "FIDO2 Test";
+    options.Origins = builder.Configuration.GetSection("fido2:origins").Get<HashSet<string>>();
+    options.TimestampDriftTolerance = builder.Configuration.GetValue<int>("fido2:timestampDriftTolerance");
+    options.MDSCacheDirPath = builder.Configuration["fido2:MDSCacheDirPath"];
+    options.BackupEligibleCredentialPolicy = builder.Configuration.GetValue<Fido2Configuration.CredentialBackupPolicy>("fido2:backupEligibleCredentialPolicy");
+    options.BackedUpCredentialPolicy = builder.Configuration.GetValue<Fido2Configuration.CredentialBackupPolicy>("fido2:backedUpCredentialPolicy");
+})
+.AddCachedMetadataService(config =>
+{
+    config.AddFidoMetadataRepository(httpClientBuilder =>
+    {
+        //TODO: any specific config you want for accessing the MDS
+    });
+});
+```
+
+### Multiple Repositories
+
+```csharp
+.AddCachedMetadataService(config =>
+{
+    config.AddFidoMetadataRepository();
+    config.AddFileSystemMetadataRepository("/local/cache/path");
+    config.AddConformanceMetadataRepository(httpClient, "https://example.com");
+});
+```
+
+### Service Dependencies
+
+The `DistributedCacheMetadataService` expects these services to be registered:
+- `IEnumerable<IMetadataRepository>` - All registered repositories
+- `IDistributedCache` - For L2 caching
+- `IMemoryCache` - For L1 caching  
+- `ILogger<DistributedCacheMetadataService>` - For logging
+- `ISystemClock` - For cache expiry calculations
+
+## Current Limitations
+
+### 1. Forced Service Implementation
+- `AddCachedMetadataService()` hardcodes `DistributedCacheMetadataService`
+- No way to register custom `IMetadataService` implementations
+- Cannot disable caching entirely
+
+### 2. Repository Registration Pattern
+- Repositories are registered inside service configuration
+- Conceptually backwards - services depend on repos, not vice versa
+- Cannot register repositories without registering a service
+
+### 3. Limited Flexibility
+- Cannot easily implement custom caching strategies
+- No way to compose different caching approaches
+- Testing scenarios require workarounds
+
+## Default Service Registration
+
+When no metadata service is configured, the system falls back to:
+
+```csharp
+// In Fido2NetLibBuilderExtensions.AddServices()
+services.AddSingleton<IMetadataService, NullMetadataService>(); //Default implementation if we choose not to enable MDS
+```
+
+The `NullMetadataService` provides no-op implementations:
+- `GetEntryAsync()` always returns `null`
+- `ConformanceTesting()` always returns `false`
+
+## Configuration Options
+
+### Cache Timing (DistributedCacheMetadataService)
+
+```csharp
+protected readonly TimeSpan _defaultMemoryCacheInterval = TimeSpan.FromHours(1);
+protected readonly TimeSpan _nextUpdateBufferPeriod = TimeSpan.FromHours(25);
+protected readonly TimeSpan _defaultDistributedCacheInterval = TimeSpan.FromDays(8);
+```
+
+### File Cache Location
+
+Controlled by `Fido2Configuration.MDSCacheDirPath` configuration value.
+
+### HTTP Client Configuration  
+
+`AddFidoMetadataRepository()` allows custom HTTP client configuration:
+
+```csharp
+config.AddFidoMetadataRepository(httpClientBuilder =>
+{
+    httpClientBuilder.ConfigureHttpClient(client =>
+    {
+        client.Timeout = TimeSpan.FromSeconds(30);
+    });
+});
+```
+
+## Key Strengths of Current Design
+
+1. **Clean Separation**: Repositories handle complexity, services handle caching
+2. **Extensible Repository Pattern**: Easy to add new metadata sources  
+3. **Layered Caching**: Memory + distributed cache with smart expiry
+4. **Error Resilience**: Graceful fallback between repositories
+5. **FIDO Compliant**: Full JWT validation and certificate verification
+6. **Production Ready**: Handles real-world scenarios (CRL checks, timeouts, etc.)
+
+## Areas for Improvement
+
+1. **Registration API**: Better expose the existing flexibility
+2. **Service Alternatives**: Easy way to use custom caching strategies
+3. **Repository Independence**: Decouple repository registration from service registration
+4. **Testing Support**: Easier ways to disable caching or use mock implementations