public async Task When_JwsPayload_Cannot_Be_Extracted_Then_NotAuthorized_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
var ticket = new TicketLineParameter
{
Scopes = new List <string>
{
"read",
"create",
"update"
}
};
var authorizationPolicies = new List <Policy>
{
new Policy
{
Scopes = new List <string>
{
"read",
"create",
"update"
},
Claims = new List <Claim>
{
new Claim
{
Type = "name"
},
new Claim
{
Type = "email"
}
}
}
};
var claimTokenParameters = new ClaimTokenParameter
{
Format = "http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken",
Token = "token"
};
_jwtTokenParserStub.Setup(j => j.UnSign(It.IsAny <string>(), It.IsAny <string>()))
.Returns(Task.FromResult((JwsPayload)null));
// ACT
var result = await _basicAuthorizationPolicy.Execute("openid", new ResourceSet
{
Id = "resourceid",
AuthPolicies = authorizationPolicies
}, ticket, claimTokenParameters);
// ASSERT
Assert.False(result.IsValid);
var error = result.AuthorizationPoliciesResult.First();
Assert.True(error.Type == AuthorizationPolicyResultEnum.NeedInfo);
}
public static GetTokenViaTicketIdParameter ToTokenIdGrantTypeParameter(this TokenRequest request)
{
return(new()
{
ClaimToken = new ClaimTokenParameter
{
Token = request.claim_token,
Format = request.claim_token_format
},
ClientId = request.client_id,
ClientAssertion = request.client_assertion,
ClientAssertionType = request.client_assertion_type,
ClientSecret = request.client_secret,
Pct = request.pct,
Rpt = request.rpt,
Ticket = request.ticket
});
}
public async Task When_There_Is_No_Access_Token_Passed_Then_NeedInfo_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
var ticket = new TicketLineParameter
{
Scopes = new List <string>
{
"read",
"create",
"update"
}
};
var authorizationPolicies = new List <Policy>
{
new Policy
{
Scopes = new List <string>
{
"read",
"create",
"update"
},
Claims = new List <Claim>
{
new Claim
{
Type = "name"
},
new Claim
{
Type = "email"
}
}
}
};
var claimTokenParameter = new ClaimTokenParameter
{
Format = "bad_format",
Token = "token"
};
// ACT
var result = await _basicAuthorizationPolicy.Execute("openid", new ResourceSet
{
Id = "resourceid",
AuthPolicies = authorizationPolicies
}, ticket, claimTokenParameter);
// ASSERT
Assert.False(result.IsValid);
var error = result.AuthorizationPoliciesResult.First();
Assert.True(error.Type == AuthorizationPolicyResultEnum.NeedInfo);
var errorDetails = error.ErrorDetails as Dictionary <string, object>;
Assert.NotNull(errorDetails);
Assert.True(errorDetails.ContainsKey(Constants.ErrorDetailNames.RequestingPartyClaims));
var requestingPartyClaims = errorDetails[Constants.ErrorDetailNames.RequestingPartyClaims] as Dictionary <string, object>;
Assert.NotNull(requestingPartyClaims);
Assert.True(requestingPartyClaims.ContainsKey(Constants.ErrorDetailNames.RequiredClaims));
Assert.True(requestingPartyClaims.ContainsKey(Constants.ErrorDetailNames.RedirectUser));
var requiredClaims = requestingPartyClaims[Constants.ErrorDetailNames.RequiredClaims] as List <Dictionary <string, string> >;
Assert.NotNull(requiredClaims);
Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimName && kv.Value == "name")));
Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimFriendlyName && kv.Value == "name")));
Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimName && kv.Value == "email")));
Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimFriendlyName && kv.Value == "email")));
}
public async Task <GrantedToken> Execute(GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
{
// 1. Check parameters.
if (parameter == null)
{
throw new ArgumentNullException(nameof(parameter));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new ArgumentNullException(nameof(parameter.Ticket));
}
// 2. Try to authenticate the client.
var instruction = CreateAuthenticateInstruction(parameter, authenticationHeaderValue, certificate);
var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName);
var client = authResult.Client;
if (client == null)
{
throw new BaseUmaException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
}
if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.uma_ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidGrant, string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.uma_ticket));
}
// 3. Retrieve the ticket.
var json = JsonConvert.SerializeObject(parameter);
_umaServerEventSource.StartGettingAuthorization(json);
var ticket = await _ticketStore.GetAsync(parameter.Ticket);
if (ticket == null)
{
throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
}
// 4. Check the ticket.
if (ticket.ExpirationDateTime < DateTime.UtcNow)
{
throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
}
_umaServerEventSource.CheckAuthorizationPolicy(json);
var claimTokenParameter = new ClaimTokenParameter
{
Token = parameter.ClaimToken,
Format = parameter.ClaimTokenFormat
};
// 4. Check the authorization.
var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(ticket, client.ClientId, claimTokenParameter);
if (authorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
_umaServerEventSource.RequestIsNotAuthorized(json);
throw new BaseUmaException(ErrorCodes.InvalidGrant, ErrorDescriptions.TheAuthorizationPolicyIsNotSatisfied);
}
// 5. Generate a granted token.
var grantedToken = await GenerateTokenAsync(client, ticket.Lines, "openid", issuerName);
await _tokenStore.AddToken(grantedToken);
await _ticketStore.RemoveAsync(ticket.Id);
return(grantedToken);
}
public async Task <AuthorizationPolicyResult> IsAuthorized(
Ticket validTicket,
Client client,
ClaimTokenParameter claimTokenParameter,
CancellationToken cancellationToken)
{
if (validTicket.Lines.Length == 0)
{
throw new ArgumentException(nameof(validTicket.Lines));
}
var handler = new JwtSecurityTokenHandler();
var validationParameters = await client.CreateValidationParameters(_jwksStore, cancellationToken : cancellationToken).ConfigureAwait(false);
var requester = handler.ValidateToken(claimTokenParameter.Token, validationParameters, out _);
var resourceIds = validTicket.Lines.Select(l => l.ResourceSetId).ToArray();
var resources = await _resourceSetRepository.Get(cancellationToken, resourceIds).ConfigureAwait(false);
if (resources.Length == 0 || resources.Length != resourceIds.Length)
{
return(new AuthorizationPolicyResult(AuthorizationPolicyResultKind.NotAuthorized, requester));
}
AuthorizationPolicyResult?validationResult = null;
foreach (var ticketLine in validTicket.Lines)
{
var ticketLineParameter = new TicketLineParameter(
client.ClientId,
ticketLine.Scopes,
validTicket.IsAuthorizedByRo);
var resource = resources.First(r => r.Id == ticketLine.ResourceSetId);
validationResult = await Validate(
ticketLineParameter,
resource,
claimTokenParameter.Format,
requester,
cancellationToken)
.ConfigureAwait(false);
switch (validationResult.Result)
{
case AuthorizationPolicyResultKind.RequestSubmitted:
await _eventPublisher.Publish(
new AuthorizationRequestSubmitted(
Id.Create(),
validTicket.Id,
client.ClientId,
requester.Claims.Select(claim => new ClaimData {
Type = claim.Type, Value = claim.Value
}),
DateTimeOffset.UtcNow))
.ConfigureAwait(false);
return(validationResult);
case AuthorizationPolicyResultKind.Authorized:
break;
case AuthorizationPolicyResultKind.NotAuthorized:
case AuthorizationPolicyResultKind.NeedInfo:
default:
{
await _eventPublisher.Publish(
new AuthorizationPolicyNotAuthorized(
Id.Create(),
validTicket.Id,
DateTimeOffset.UtcNow))
.ConfigureAwait(false);
return(validationResult);
}
}
}
return(validationResult !);
}
public async Task <GetTokenByTicketIdResponse> Execute(GetTokenViaTicketIdParameter parameter, string openidProvider, string issuerName)
{
// 1. Check parameters.
if (parameter == null)
{
throw new ArgumentNullException(nameof(parameter));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
}
if (string.IsNullOrWhiteSpace(parameter.Ticket))
{
throw new ArgumentNullException(nameof(parameter.Ticket));
}
if (string.IsNullOrWhiteSpace(openidProvider))
{
throw new ArgumentNullException(nameof(openidProvider));
}
// 2. Retrieve the ticket.
var json = JsonConvert.SerializeObject(parameter);
_umaServerEventSource.StartGettingAuthorization(json);
var ticket = await _ticketStore.GetAsync(parameter.Ticket).ConfigureAwait(false);
if (ticket == null)
{
throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
}
// 3. Check the ticket.
if (ticket.ExpirationDateTime < DateTime.UtcNow)
{
throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
}
_umaServerEventSource.CheckAuthorizationPolicy(json);
var claimTokenParameter = new ClaimTokenParameter
{
Token = parameter.ClaimToken,
Format = parameter.ClaimTokenFormat
};
// 4. Check the authorization.
var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(openidProvider, ticket, claimTokenParameter).ConfigureAwait(false);
if (!authorizationResult.IsValid)
{
_umaServerEventSource.RequestIsNotAuthorized(json);
return(new GetTokenByTicketIdResponse
{
IsValid = false,
ResourceValidationResult = authorizationResult
});
}
// 5. Generate a granted token.
var grantedToken = await GenerateTokenAsync(ticket.Audiences, ticket.Lines, "openid", issuerName).ConfigureAwait(false);
await _tokenStore.AddToken(grantedToken);
await _ticketStore.RemoveAsync(ticket.Id);
return(new GetTokenByTicketIdResponse
{
IsValid = true,
GrantedToken = grantedToken
});
}
public async Task When_There_Is_No_Access_Token_Passed_Then_NeedInfo_Is_Returned()
{
// ARRANGE
const string configurationUrl = "http://localhost/configuration";
InitializeFakeObjects();
var ticket = new TicketLineParameter("client_id")
{
Scopes = new List <string>
{
"read",
"create",
"update"
}
};
var authorizationPolicy = new Policy
{
Rules = new List <PolicyRule>
{
new PolicyRule
{
ClientIdsAllowed = new List <string>
{
"client_id"
},
Scopes = new List <string>
{
"read",
"create",
"update"
},
Claims = new List <Claim>
{
new Claim
{
Type = "name"
},
new Claim
{
Type = "email"
}
},
OpenIdProvider = configurationUrl
}
}
};
var claimTokenParameter = new ClaimTokenParameter
{
Format = "bad_format",
Token = "token"
};
// ACT
var result = await _basicAuthorizationPolicy.Execute(ticket, authorizationPolicy, claimTokenParameter);
// ASSERT
Assert.True(result.Type == AuthorizationPolicyResultEnum.NeedInfo);
var errorDetails = result.ErrorDetails as Dictionary <string, object>;
Assert.NotNull(errorDetails);
Assert.True(errorDetails.ContainsKey(Constants.ErrorDetailNames.RequestingPartyClaims));
var requestingPartyClaims = errorDetails[Constants.ErrorDetailNames.RequestingPartyClaims] as Dictionary <string, object>;
Assert.NotNull(requestingPartyClaims);
Assert.True(requestingPartyClaims.ContainsKey(Constants.ErrorDetailNames.RequiredClaims));
Assert.True(requestingPartyClaims.ContainsKey(Constants.ErrorDetailNames.RedirectUser));
var requiredClaims = requestingPartyClaims[Constants.ErrorDetailNames.RequiredClaims] as List <Dictionary <string, string> >;
Assert.NotNull(requiredClaims);
Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimName && kv.Value == "name")));
Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimFriendlyName && kv.Value == "name")));
Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimName && kv.Value == "email")));
Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimFriendlyName && kv.Value == "email")));
}
private async Task <AuthorizationPolicyResult> Validate(TicketLineParameter ticketLineParameter, ResourceSet resource, ClaimTokenParameter claimTokenParameter)
{
if (resource.Policies == null || !resource.Policies.Any())
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.Authorized
});
}
foreach (var authorizationPolicy in resource.Policies)
{
var result = await _basicAuthorizationPolicy.Execute(ticketLineParameter, authorizationPolicy, claimTokenParameter);
if (result.Type == AuthorizationPolicyResultEnum.Authorized)
{
return(result);
}
}
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
public async Task <ResourceValidationResult> IsAuthorized(string openidProvider, Ticket validTicket, ClaimTokenParameter claimTokenParameter)
{
if (string.IsNullOrWhiteSpace(openidProvider))
{
throw new ArgumentNullException(nameof(openidProvider));
}
if (validTicket == null)
{
throw new ArgumentNullException(nameof(validTicket));
}
if (validTicket.Lines == null || !validTicket.Lines.Any())
{
throw new ArgumentNullException(nameof(validTicket.Lines));
}
var resourceIds = validTicket.Lines.Select(l => l.ResourceSetId);
var resources = await _resourceSetRepository.Get(resourceIds);
if (resources == null || !resources.Any() || resources.Count() != resourceIds.Count())
{
throw new BaseUmaException(ErrorCodes.InternalError, ErrorDescriptions.SomeResourcesDontExist);
}
ResourceValidationResult validationResult = null;
foreach (var ticketLine in validTicket.Lines)
{
var ticketLineParameter = new TicketLineParameter(ticketLine.Scopes);
if (validTicket.Audiences != null && validTicket.Audiences.Any())
{
ticketLineParameter.ClientId = validTicket.Audiences.First();
}
var resource = resources.First(r => r.Id == ticketLine.ResourceSetId);
validationResult = await Validate(openidProvider, ticketLineParameter, resource, claimTokenParameter).ConfigureAwait(false);
if (!validationResult.IsValid)
{
_umaServerEventSource.AuthorizationPoliciesFailed(validTicket.Id);
return(validationResult);
}
}
return(validationResult);
}
private Task <ResourceValidationResult> Validate(string openidProvider, TicketLineParameter ticketLineParameter, ResourceSet resource, ClaimTokenParameter claimTokenParameter)
{
return(_basicAuthorizationPolicy.Execute(openidProvider, resource, ticketLineParameter, claimTokenParameter));
}
private async Task <AuthorizationPolicyResult> ExecuteAuthorizationPolicyRule(TicketLineParameter ticketLineParameter, PolicyRule authorizationPolicy, ClaimTokenParameter claimTokenParameter)
{
// 1. Check can access to the scope
if (ticketLineParameter.Scopes.Any(s => !authorizationPolicy.Scopes.Contains(s)))
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
// 2. Check clients are correct
var clientAuthorizationResult = CheckClients(authorizationPolicy, ticketLineParameter);
if (clientAuthorizationResult != null &&
clientAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
return(clientAuthorizationResult);
}
// 3. Check claims are correct
var claimAuthorizationResult = await CheckClaims(authorizationPolicy, claimTokenParameter).ConfigureAwait(false);
if (claimAuthorizationResult != null && claimAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
return(claimAuthorizationResult);
}
// 4. Check the resource owner consent is needed
if (authorizationPolicy.IsResourceOwnerConsentNeeded && !ticketLineParameter.IsAuthorizedByRo)
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.RequestSubmitted
});
}
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.Authorized
});
}
public async Task <AuthorizationPolicyResult> Execute(TicketLineParameter ticketLineParameter, Policy authorizationPolicy, ClaimTokenParameter claimTokenParameter)
{
if (ticketLineParameter == null)
{
throw new ArgumentNullException(nameof(ticketLineParameter));
}
if (authorizationPolicy == null)
{
throw new ArgumentNullException(nameof(authorizationPolicy));
}
if (authorizationPolicy.Rules == null ||
!authorizationPolicy.Rules.Any())
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.Authorized
});
}
AuthorizationPolicyResult result = null;
foreach (var rule in authorizationPolicy.Rules)
{
result = await ExecuteAuthorizationPolicyRule(ticketLineParameter, rule, claimTokenParameter);
if (result.Type == AuthorizationPolicyResultEnum.Authorized)
{
return(result);
}
}
return(result);
}
private async Task <AuthorizationPolicyResult> CheckClaims(PolicyRule authorizationPolicy, ClaimTokenParameter claimTokenParameter)
{
if (authorizationPolicy.Claims == null ||
!authorizationPolicy.Claims.Any())
{
return(null);
}
if (claimTokenParameter == null || claimTokenParameter.Format != Constants.IdTokenType)
{
return(GetNeedInfoResult(authorizationPolicy.Claims, authorizationPolicy.OpenIdProvider));
}
var idToken = claimTokenParameter.Token;
var jwsPayload = await _jwtTokenParser.UnSign(idToken, authorizationPolicy).ConfigureAwait(false);
if (jwsPayload == null)
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
foreach (var claim in authorizationPolicy.Claims)
{
var payload = jwsPayload
.FirstOrDefault(j => j.Key == claim.Type);
if (payload.Equals(default(KeyValuePair <string, object>)))
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
if (claim.Type == SimpleIdentityServer.Core.Jwt.Constants.StandardResourceOwnerClaimNames.Role)
{
IEnumerable <string> roles = null;
if (payload.Value is string)
{
roles = payload.Value.ToString().Split(',');
}
else
{
var arr = payload.Value as object[];
var jArr = payload.Value as JArray;
if (arr != null)
{
roles = arr.Select(c => c.ToString());
}
if (jArr != null)
{
roles = jArr.Select(c => c.ToString());
}
}
if (roles == null || !roles.Any(v => claim.Value == v))
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
}
else
{
if (payload.Value.ToString() != claim.Value)
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
}
}
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.Authorized
});
}
public async Task When_ResourceOwnerConsent_Is_Required_Then_RequestSubmitted_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
var ticket = new TicketLineParameter
{
Scopes = new List <string>
{
"read"
}
};
var authorizationPolicies = new List <Policy>
{
new Policy
{
Scopes = new List <string>
{
"read"
},
Claims = new List <Claim>
{
new Claim
{
Type = "name",
Value = "name"
}
}
}
};
_jwtTokenParserStub.Setup(j => j.UnSign(It.IsAny <string>(), It.IsAny <string>()))
.Returns(Task.FromResult(new JwsPayload
{
{ "sub", "subject" },
{ "name", "bad_name" }
}));
var claimTokenParameter = new ClaimTokenParameter
{
Format = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken",
Token = "token"
};
_pendingRequestRepositorySub.Setup(v => v.Get(It.IsAny <string>(), It.IsAny <string>())).Returns(() =>
{
IEnumerable <PendingRequest> r = new List <PendingRequest>();
return(Task.FromResult(r));
});
// ACT
var result = await _basicAuthorizationPolicy.Execute("openid", new ResourceSet
{
Id = "resourceid",
AuthPolicies = authorizationPolicies,
AcceptPendingRequest = true
}, ticket, claimTokenParameter);
// ASSERT
Assert.False(result.IsValid);
var error = result.AuthorizationPoliciesResult.First();
Assert.True(error.Type == AuthorizationPolicyResultEnum.RequestSubmitted);
}
public async Task When_Claims_Are_Not_Corred_Then_NotAuthorized_Is_Returned()
{
// ARRANGE
const string configurationUrl = "http://localhost/configuration";
InitializeFakeObjects();
var ticket = new TicketLineParameter("client_id")
{
Scopes = new List <string>
{
"read",
"create",
"update"
}
};
var authorizationPolicy = new Policy
{
Rules = new List <PolicyRule>
{
new PolicyRule
{
ClientIdsAllowed = new List <string>
{
"client_id"
},
Scopes = new List <string>
{
"read",
"create",
"update"
},
Claims = new List <Claim>
{
new Claim
{
Type = "name",
Value = "name"
},
new Claim
{
Type = "email",
Value = "email"
}
},
OpenIdProvider = configurationUrl
}
}
};
var claimTokenParameter = new ClaimTokenParameter
{
Format = "http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken",
Token = "token"
};
_jwtTokenParserStub.Setup(j => j.UnSign(It.IsAny <string>(), It.IsAny <PolicyRule>()))
.Returns(Task.FromResult(new JwsPayload
{
{
"name", "bad_name"
}
}));
// ACT
var result = await _basicAuthorizationPolicy.Execute(ticket, authorizationPolicy, claimTokenParameter);
// ASSERT
Assert.True(result.Type == AuthorizationPolicyResultEnum.NeedInfo);
}
public async Task <ResourceValidationResult> Execute(string openidProvider, ResourceSet resource, TicketLineParameter ticketLineParameter, ClaimTokenParameter claimTokenParameter)
{
if (string.IsNullOrWhiteSpace(openidProvider))
{
throw new ArgumentNullException(nameof(openidProvider));
}
if (resource == null)
{
throw new ArgumentNullException(nameof(resource));
}
if (ticketLineParameter == null)
{
throw new ArgumentNullException(nameof(ticketLineParameter));
}
JwsPayload jwsPayload = null;
string subject = null;
if (claimTokenParameter != null && claimTokenParameter.Format == Constants.IdTokenType)
{
var idToken = claimTokenParameter.Token;
jwsPayload = await _jwtTokenParser.UnSign(idToken, openidProvider).ConfigureAwait(false);
var subjectClaim = jwsPayload.FirstOrDefault(c => c.Key == SimpleIdServer.Core.Jwt.Constants.StandardResourceOwnerClaimNames.Subject);
if (!subjectClaim.Equals(default(KeyValuePair <string, object>)) && subjectClaim.Value != null)
{
subject = subjectClaim.Value.ToString();
}
}
var validationsResult = new List <AuthorizationPolicyResult>();
var policies = resource.AuthPolicies;
if (policies != null && policies.Any())
{
foreach (var policy in policies)
{
if (ticketLineParameter.Scopes.Any(s => !policy.Scopes.Contains(s)))
{
validationsResult.Add(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized,
Policy = policy,
ErrorDetails = "the scope is not valid"
});
continue;
}
var clientAuthorizationResult = CheckClients(policy, ticketLineParameter);
if (clientAuthorizationResult != null && clientAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
validationsResult.Add(clientAuthorizationResult);
continue;
}
var validationResult = CheckClaims(openidProvider, policy, jwsPayload);
validationsResult.Add(validationResult);
}
}
var vr = validationsResult.FirstOrDefault(v => v.Type == AuthorizationPolicyResultEnum.Authorized);
if (vr != null)
{
return(new ResourceValidationResult
{
IsValid = true
});
}
if (!resource.AcceptPendingRequest)
{
return(new ResourceValidationResult
{
IsValid = false,
AuthorizationPoliciesResult = validationsResult
});
}
if (!string.IsNullOrWhiteSpace(subject))
{
var pendingRequestLst = await _pendingRequestRepository.Get(resource.Id, subject).ConfigureAwait(false);
var pendingRequest = pendingRequestLst.FirstOrDefault(p => ticketLineParameter.Scopes.Count() == p.Scopes.Count() && ticketLineParameter.Scopes.All(s => p.Scopes.Contains(s)));
if (pendingRequest == null)
{
await _pendingRequestRepository.Add(new PendingRequest
{
Id = Guid.NewGuid().ToString(),
CreateDateTime = DateTime.UtcNow,
ResourceId = resource.Id,
IsConfirmed = false,
RequesterSubject = subject,
Scopes = ticketLineParameter.Scopes
}).ConfigureAwait(false);
return(new ResourceValidationResult
{
IsValid = false,
AuthorizationPoliciesResult = new[]
{
new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.RequestSubmitted,
ErrorDetails = "a request has been submitted"
}
}
});
}
}
return(new ResourceValidationResult
{
IsValid = false,
AuthorizationPoliciesResult = new[]
{
new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.RequestNotConfirmed,
ErrorDetails = "the request is not confirmed by the resource owner"
}
}
});
}
public async Task <AuthorizationPolicyResult> IsAuthorized(Ticket validTicket, string clientId, ClaimTokenParameter claimTokenParameter)
{
if (validTicket == null)
{
throw new ArgumentNullException(nameof(validTicket));
}
if (string.IsNullOrWhiteSpace(clientId))
{
throw new ArgumentNullException(nameof(clientId));
}
if (validTicket.Lines == null || !validTicket.Lines.Any())
{
throw new ArgumentNullException(nameof(validTicket.Lines));
}
var resourceIds = validTicket.Lines.Select(l => l.ResourceSetId);
var resources = await _resourceSetRepository.Get(resourceIds);
if (resources == null || !resources.Any() || resources.Count() != resourceIds.Count())
{
throw new BaseUmaException(ErrorCodes.InternalError, ErrorDescriptions.SomeResourcesDontExist);
}
AuthorizationPolicyResult validationResult = null;
foreach (var ticketLine in validTicket.Lines)
{
var ticketLineParameter = new TicketLineParameter(clientId, ticketLine.Scopes, validTicket.IsAuthorizedByRo);
var resource = resources.First(r => r.Id == ticketLine.ResourceSetId);
validationResult = await Validate(ticketLineParameter, resource, claimTokenParameter);
if (validationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
_umaServerEventSource.AuthorizationPoliciesFailed(validTicket.Id);
return(validationResult);
}
}
return(validationResult);
}
