public void IdentityBasicOperatorTest()
{
// rule DTO
var car = new CarDTO
{
Make = "Ford",
Year = 2010,
Model = "Expedition",
AskingPrice = 10000.0000m,
SellingPrice = 9000.0000m
};
// programatic mix in of claims rule and rule against the DTO user
var carRule1 = new Rule("Year", "2010", "GreaterThanOrEqual");
var claimRule = new Rule("@User", "S-1-5-21-2493390151-660934664-2262481224-513", "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid");
var re = new IdentityRuleEngine();
// Compile the rules as a seperate step
Expression<Func<CarDTO, IClaimsPrincipal, bool>> carRule1Expression = re.GetExpression<CarDTO>(carRule1);
Expression<Func<CarDTO, IClaimsPrincipal, bool>> claimRuleExpression = re.GetExpression<CarDTO>(claimRule);
Expression<Func<CarDTO, IClaimsPrincipal, bool>> compositeRule = carRule1Expression.Or(claimRuleExpression);
// invoke the rules as a third step
IClaimsPrincipal id = new ClaimsPrincipal(System.Threading.Thread.CurrentPrincipal);
Assert.AreEqual(true,compositeRule.Compile()(car,id));
}
public static bool CheckAccess(ClaimsPrincipal principal, string action, params string[] resources)
{
var context = CreateAuthorizationContext(
principal,
action,
resources);
return CheckAccess(context);
}
private static void MockUserPrincipal(HttpContextBase httpContext, string userName)
{
var claimsIdentity = new ClaimsIdentity(AuthenticationTypes.Federation, ClaimTypes.Name, ClaimTypes.Role);
claimsIdentity.Claims.Add(new Claim(ClaimTypes.Name, userName));
var claimsPrincipal = new ClaimsPrincipal(new[] { claimsIdentity });
httpContext.User = (IPrincipal)claimsPrincipal;
FormsAuthentication.SetAuthCookie(userName, true);
}
protected void _login_Authenticate(object sender, AuthenticateEventArgs e)
{
FormsAuthentication.SetAuthCookie(_login.UserName, false);
var claims = new List<Claim>();
claims.Add(new Claim(System.IdentityModel.Claims.ClaimTypes.Name, _login.UserName));
List<ClaimsIdentity> identity = new List<ClaimsIdentity>();
identity.Add(new ClaimsIdentity(claims,"UserName"));
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentityCollection(identity));
var querystring = Request.QueryString.ToString();
HttpContext.Current.Response.Redirect("/mysts.ashx?"+ querystring);
}
/// <summary>
/// Checks the authorization policy.
/// </summary>
/// <param name="resource">The resource.</param>
/// <param name="action">The action.</param>
/// <param name="principal">The principal.</param>
/// <returns>true when authorized, otherwise false</returns>
public static bool CheckAccess(string resource, string action, ClaimsPrincipal principal)
{
Contract.Requires(!String.IsNullOrEmpty(resource));
Contract.Requires(!String.IsNullOrEmpty(action));
Contract.Requires(principal != null);
var context = new AuthorizationContext(principal, resource, action);
return AuthorizationManager.CheckAccess(context);
}
private bool CheckOwnership(int id, ClaimsPrincipal principal)
{
var oldConsultant = _repository.GetAll().FirstOrDefault(c => c.ID == id);
if (oldConsultant == null)
{
return true;
}
// check if client is allowed to update consultant
// only the record creator can update
return oldConsultant.Owner.Equals(principal.Identity.Name);
}
public void TestCreateToReadyMultiplePotentialOwners()
{
IdentityId initiatorId = new IdentityId();
IdentityId potentialOwnerOne = new IdentityId();
IdentityId potentialOwnerTwo = new IdentityId();
IdentityId businessAdminId = new IdentityId();
IPrincipal initiator = new ClaimsPrincipal(initiatorId.GetIdentity());
_mapStorage[potentialOwnerOne.Id] = new Account(potentialOwnerOne, "s-1-2-3-4-5", "auth", AccountType.User);
_mapStorage[potentialOwnerTwo.Id] = new Account(potentialOwnerTwo, "s-1-2-3-4-5", "auth", AccountType.User);
_mapStorage[businessAdminId.Id] = new Account(businessAdminId, "s-55-2-3-4-5", "auth", AccountType.User);
ILoggingService loggingService = SetupLoggerMock(new List<TaskHistoryEvent> {
new TaskHistoryEvent{
Event = "Create",
OldStatus = TaskStatus.None,
NewStatus = TaskStatus.Created,
OldPriority = Priority.Normal,
NewPriority = Priority.Normal,
Comment = "",
TimeStamp = DateTime.UtcNow,
UserId = initiator.Identity.GetMappedId()}
});
Thread.CurrentPrincipal = initiator;
Task task = new Task(new TaskId(), TaskStatus.Created, string.Empty,
string.Empty, Priority.Normal, false,
DateTime.UtcNow, initiator.Identity,
null, null, null)
{
LoggingService = loggingService
};
Assert.AreEqual(TaskStatus.Created, task.Status);
task.PotentialOwners.Add(potentialOwnerOne.GetIdentity());
task.PotentialOwners.Add(potentialOwnerTwo.GetIdentity());
task.BusinessAdministrators.Add(businessAdminId.GetIdentity());
Assert.IsNotNull(task);
Assert.AreEqual(TaskStatus.Created, task.Status);
IPrincipal businessAdmin = new ClaimsPrincipal(businessAdminId.GetIdentity());
Thread.CurrentPrincipal = businessAdmin;
task.Activate();
Assert.AreEqual(TaskStatus.Ready, task.Status);
Assert.IsNull(task.ActualOwner);
Assert.IsNotNull(task.History);
Assert.AreEqual(2, task.History.Count());
TaskHistoryEvent history = task.History.ElementAt(0);
Assert.IsNotNull(history);
Assert.AreEqual(TaskStatus.None, history.OldStatus);
Assert.AreEqual(TaskStatus.Created, history.NewStatus);
Assert.AreEqual(initiator.Identity.GetMappedId(), history.UserId);
history = task.History.ElementAt(1);
Assert.IsNotNull(history);
}
private static void WriteCookie(AMSAdmin user, string timeOffsetValue)
{
SessionAuthenticationModule sam = (SessionAuthenticationModule)
HttpContext.Current.ApplicationInstance.Modules["SessionAuthenticationModule"];
IClaimsPrincipal principal =
new ClaimsPrincipal(new GenericPrincipal(new GenericIdentity(user.LogonName), null));
principal.Identities[0].Claims.Add(new Claim("TimeOffset", timeOffsetValue));
principal.Identities[0].Claims.Add(new Claim("AMSAdminID", user.UserID));
principal.Identities[0].Claims.Add(new Claim("AMSAdminName", user.Name));
SessionSecurityToken token = sam.CreateSessionSecurityToken(principal, null, DateTime.Now, DateTime.Now.AddMinutes(60), false);
sam.WriteSessionTokenToCookie(token);
}
public override bool CheckAccess(OperationContext operationContext)
{
int index = operationContext.RequestContext.RequestMessage.Headers.FindHeader("Security", WSSecurity10Constants.Namespace);
if (index < 0)
{
return false;
}
var securityHeader = operationContext.RequestContext.RequestMessage.Headers.GetReaderAtHeader(index);
var configuration = new ServiceConfiguration(true);
securityHeader.Read();
if (!configuration.SecurityTokenHandlers.CanReadToken(securityHeader))
return false;
if (configuration.ServiceCertificate != null)
{
SecurityToken xtoken;
using (var xprovider = new X509SecurityTokenProvider(configuration.ServiceCertificate))
{
xtoken = xprovider.GetToken(new TimeSpan(10, 1, 1));
}
var outOfBandTokens = new Collection<SecurityToken>();
outOfBandTokens.Add(xtoken);
configuration.SecurityTokenHandlers[typeof(EncryptedSecurityToken)].Configuration.ServiceTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(new ReadOnlyCollection<SecurityToken>(outOfBandTokens), false);
}
SecurityToken token = configuration.SecurityTokenHandlers.ReadToken(securityHeader);
if (configuration.CertificateValidationMode == X509CertificateValidationMode.None)
{
configuration.CertificateValidator = X509CertificateValidator.None;
}
var claimsCollection = configuration.SecurityTokenHandlers.ValidateToken(token);
IClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(claimsCollection);
SetPrincipal(operationContext, claimsPrincipal);
return true;
}
public void TestCreateState()
{
IdentityId initiatorId = new IdentityId();
IPrincipal initiator = new ClaimsPrincipal(initiatorId.GetIdentity());
Task task = new Task(new TaskId(), TaskStatus.Created, string.Empty,
string.Empty, Priority.Normal, false,
DateTime.UtcNow, initiator.Identity,
null, null, null);
Thread.CurrentPrincipal = initiator;
Assert.IsNotNull(task);
Assert.AreEqual(TaskStatus.Created, task.Status);
Assert.IsNull(task.ActualOwner);
Assert.IsNotNull(task.Initiator);
Assert.AreEqual(initiator.Identity, task.Initiator);
Assert.AreEqual(Priority.Normal, task.Priority);
Assert.AreEqual(TaskStatus.Created, task.Status);
}
public void IdentityTupleBasicOperatorTest()
{
// rule DTO
var car = new CarDTO
{
Make = "Ford",
Year = 2010,
Model = "Expedition",
AskingPrice = 10000.0000m,
SellingPrice = 9000.0000m
};
var salesperson = new SalesPersonDTO
{
State = "PA",
IsManager = true,
MaximumDiscount = 1000.0000m
};
// programatic mix in of claims rule and rule against the DTO for Car and SalesPerson
var carRule1 = new Rule("Year", "2010", "GreaterThanOrEqual","CarDTO");
var claimRule = new Rule("@User", "S-1-5-21-2493390151-660934664-2262481224-513", "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid");
var salePersonRule1 = new Rule("State", "PA", "Equals","SalesPersonDTO");
var salePersonRule2 = new Rule("IsManager", "true", "Equals", "SalesPersonDTO");
var re = new IdentityTupleRuleEngine();
// build Some Expressions
Expression<Func<CarDTO, SalesPersonDTO,IClaimsPrincipal, bool>> carRule1Expression = re.GetExpression<CarDTO,SalesPersonDTO>(carRule1);
Expression<Func<CarDTO, SalesPersonDTO, IClaimsPrincipal, bool>> claimRuleExpression = re.GetExpression<CarDTO, SalesPersonDTO>(claimRule);
Expression<Func<CarDTO, SalesPersonDTO, IClaimsPrincipal, bool>> sp1Expression = re.GetExpression<CarDTO, SalesPersonDTO>(salePersonRule1);
Expression<Func<CarDTO, SalesPersonDTO, IClaimsPrincipal, bool>> sp2Expression = re.GetExpression<CarDTO, SalesPersonDTO>(salePersonRule2);
Expression<Func<CarDTO, SalesPersonDTO, IClaimsPrincipal, bool>> coumpoundExpr =
carRule1Expression.Or(claimRuleExpression).Or(sp1Expression).Or(sp2Expression);
IClaimsPrincipal id = new ClaimsPrincipal(System.Threading.Thread.CurrentPrincipal);
Assert.AreEqual(true, coumpoundExpr.Compile()(car,salesperson,id));
}
public override bool CheckAccess(OperationContext operationContext)
{
HttpRequestMessageProperty httpRequestMessage;
object httpRequestMessageObject;
if (operationContext.RequestContext.RequestMessage.Properties.TryGetValue(HttpRequestMessageProperty.Name, out httpRequestMessageObject))
{
httpRequestMessage = httpRequestMessageObject as HttpRequestMessageProperty;
if (string.IsNullOrEmpty(httpRequestMessage.Headers["Authorization"]))
{
return false;
}
if (!httpRequestMessage.Headers["Authorization"].StartsWith("Bearer "))
{
return false;
}
string jwt = httpRequestMessage.Headers["Authorization"].Split(' ')[1];
if (string.IsNullOrEmpty(jwt))
{
return false;
}
var key = Convert.FromBase64String(SymmetricKey.Replace("_", "/").Replace("-", "+"));
Dictionary<string, object> json = JWT.JsonWebToken.DecodeToObject(jwt, key, verify: true, checkExpiration: true, audience: AllowedAudience, issuer: AllowedIssuer) as Dictionary<string, object>;
var claims = json.Where(kv => kv.Value != null)
.Select(c => new Claim(c.Key, c.Value.ToString())).ToList();
claims.Add(new Claim(ClaimTypes.Name, GetClaimWithFallback(claims, "name", "sub")));
IClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(new ClaimsIdentity[] { new ClaimsIdentity(claims) });
SetPrincipal(operationContext, claimsPrincipal);
return true;
}
return false;
}
public void IdentityLoadFromFile()
{
// rule DTO
var car = new CarDTO
{
Make = "Ford",
Year = 2010,
Model = "Expedition",
AskingPrice = 10000.0000m,
SellingPrice = 9000.0000m
};
var re = new IdentityRuleEngine();
// Load all rules applied to the user type.
XmlDocument xd = new XmlDocument();
xd.Load(@"C:\development\RuleEngine\TinyTuleEngineUnitTest\IdentityRuleEngineTest\RuleSetBasicIdentity.xml");
re.LoadRulesFromElementList<CarDTO>(xd, "/rules/rule");
Func<CarDTO, IClaimsPrincipal, bool> fordSaleApprover = re.GetRule<CarDTO>("FordSaleApprover").Compile();
IClaimsPrincipal id = new ClaimsPrincipal(System.Threading.Thread.CurrentPrincipal);
Assert.AreEqual(true, fordSaleApprover(car, id));
}
public GridController(UserManager <AppUser> userManager, ApplicationDbContext appDbContext, IHttpContextAccessor httpContextAccessor)
{
_caller = httpContextAccessor.HttpContext.User;
_appDbContext = appDbContext;
}
public static string GetUsername(this ClaimsPrincipal user)
{
return(user.FindFirst(ClaimTypes.Name)?.Value);
}
public static List <string> ClaimRoles(this ClaimsPrincipal claimsPrincipal)
{
return(claimsPrincipal.Claims(ClaimTypes.Role));
}
public string GetUserName(ClaimsPrincipal claims)
{
return GetClaimValue(claims, "user");
}
public static AuthorizationContext CreateAuthorizationContext(ClaimsPrincipal principal, string action, params string[] resources)
{
var actionClaims = new Collection<Claim>
{
new Claim(ActionType, action)
};
var resourceClaims = new Collection<Claim>();
if (resources != null && resources.Length > 0)
{
resources.ToList().ForEach(ar => resourceClaims.Add(new Claim(ResourceType, ar)));
}
return new AuthorizationContext(
principal,
resourceClaims,
actionClaims);
}
public async Task <IActionResult> Login(string username, string password)
{
if (string.IsNullOrEmpty(username))
{
ViewData["LoginResult"] = "Please enter username.";
return(View());
}
if (string.IsNullOrEmpty(password))
{
ViewData["LoginResult"] = "Please enter password.";
return(View());
}
AbstractUserDto checkUser = new UserDto();
checkUser = await _userEntity.SignInUser(username, password);
if (checkUser == null || checkUser.Id <= 0)
{
ViewData["LoginResult"] = "Wrong username/password. Try again.";
return(View());
}
if (checkUser.Username == username &&
checkUser.Password == password &&
checkUser.IsActive == 1)
{
var userIdentity = new ClaimsIdentity("Identity");
userIdentity.Label = "Identity";
userIdentity.AddClaim(new Claim(ClaimTypes.Name, checkUser.Username));
userIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, checkUser.Id.ToString()));
userIdentity.AddClaim(new Claim(ClaimTypes.Country, ""));
userIdentity.AddClaim(new Claim(ClaimTypes.Email, checkUser.Email));
userIdentity.AddClaim(new Claim(ClaimTypes.Spn, checkUser.Image));
userIdentity.AddClaim(new Claim(ClaimTypes.Role, "User"));
if (checkUser.IsAdmin == 1)
{
userIdentity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
}
ClaimsPrincipal principal = new ClaimsPrincipal(userIdentity);
await HttpContext.SignInAsync(principal);
}
else
{
ViewData["LoginResult"] = "We are unable to log you in. Please contact administrators.";
return(View());
}
return(RedirectPermanent("/"));
}
public static List <string> Claims(this ClaimsPrincipal claimsPrincipal, string claimType)
{
var result = claimsPrincipal.FindAll(claimType).Select(x => x.Value).ToList();
return(result);
}
public static int GetUserId(this ClaimsPrincipal user)
{
// NameIdentifier -> represents the NameId property
return(int.Parse(user.FindFirst(ClaimTypes.NameIdentifier)?.Value));
}
public PolicyTagHelper(IAuthorizationService authService, IHttpContextAccessor httpContextAccessor)
{
_authService = authService;
_principal = httpContextAccessor.HttpContext.User;
}
public bool UserIsLoggedIn(ClaimsPrincipal user)
{
return(true);
}
public static string GetStoreId(this ClaimsPrincipal principal)
{
return(principal.Claims.Where(c => c.Type == Claims.OwnStore).Select(c => c.Value).FirstOrDefault());
}
public static string GetSubjectClaim(this ClaimsPrincipal claimsPrincipal) => claimsPrincipal.Claims.SingleOrDefault(c => c.Type == "sub")?.Value;
public int GetUserID(ClaimsPrincipal user)
{
var userID = UserManager.GetUserId(user);
return(int.Parse(userID));
}
public bool IsAdmin(ClaimsPrincipal claims)
{
return GetClaimValue(claims, "is_admin") == "true";
}
public async Task <UserSM> GetUserAsync(ClaimsPrincipal principal)
{
var applicationUser = await _userManager.GetUserAsync(principal);
return(Mapper.Map <UserSM>(applicationUser));
}
public Task SignInAsync(HttpContext context, string scheme, ClaimsPrincipal principal, AuthenticationProperties properties)
{
throw new System.NotImplementedException();
}
public Task <AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName) => Task.FromResult(AuthorizationResult.Failed());
/// <summary>
/// Searches the 'Authorization' header for a 'Bearer' token.
/// </summary>
/// <returns></returns>
protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
{
string token = null;
try
{
// Give application opportunity to find from a different location, adjust, or reject token
var messageReceivedContext = new MessageReceivedContext(Context, Scheme, Options);
// event can set the token
await Events.MessageReceived(messageReceivedContext);
if (messageReceivedContext.Result != null)
{
return(messageReceivedContext.Result);
}
// If application retrieved token from somewhere else, use that.
token = messageReceivedContext.Token;
if (string.IsNullOrEmpty(token))
{
string authorization = Request.Headers["Authorization"];
// If no authorization header found, nothing to process further
if (string.IsNullOrEmpty(authorization))
{
return(AuthenticateResult.NoResult());
}
if (authorization.StartsWith("FakeBearer ", StringComparison.OrdinalIgnoreCase))
{
token = authorization.Substring("FakeBearer ".Length).Trim();
}
// If no token found, no further work possible
if (string.IsNullOrEmpty(token))
{
return(AuthenticateResult.NoResult());
}
}
var tokenFromBase64 = Convert.FromBase64String(token);
Dictionary <string, dynamic> tokenDecoded = JsonConvert.DeserializeObject <Dictionary <string, dynamic> >(Encoding.UTF8.GetString(tokenFromBase64));
ClaimsIdentity id = new ClaimsIdentity("Identity.Application", "name", "role");
foreach (var td in tokenDecoded)
{
if (td.Key == "sub")
{
id.AddClaim(new Claim("sub", td.Value.ToString()));
if (!tokenDecoded.Any(c => c.Key == "name"))
{
id.AddClaim(new Claim("name", td.Value.ToString()));
}
}
else
{
if (td.Value is string)
{
id.AddClaim(new Claim(td.Key, td.Value));
}
else if (td.Value is IEnumerable)
{
foreach (string subValue in td.Value)
{
id.AddClaim(new Claim(td.Key, subValue));
}
}
else
{
throw new Exception("Unknown type");
}
}
}
ClaimsPrincipal principal = new ClaimsPrincipal(id);
var tokenValidatedContext = new TokenValidatedContext(Context, Scheme, Options)
{
Principal = principal
};
await Events.TokenValidated(tokenValidatedContext);
if (tokenValidatedContext.Result != null)
{
return(tokenValidatedContext.Result);
}
if (Options.SaveToken)
{
tokenValidatedContext.Properties.StoreTokens(new[]
{
new AuthenticationToken {
Name = "access_token", Value = token
}
});
}
tokenValidatedContext.Success();
return(tokenValidatedContext.Result);
}
catch (Exception ex)
{
var authenticationFailedContext = new AuthenticationFailedContext(Context, Scheme, Options)
{
Exception = ex
};
await Events.AuthenticationFailed(authenticationFailedContext);
if (authenticationFailedContext.Result != null)
{
return(authenticationFailedContext.Result);
}
throw;
}
}
public Task <AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable <IAuthorizationRequirement> requirements) => Task.FromResult(AuthorizationResult.Failed());
public virtual string CreateSessionToken(ClaimsPrincipal principal)
{
var handler = Configuration.SessionToken.SecurityTokenHandler;
var descriptor = new SecurityTokenDescriptor
{
AppliesToAddress = Configuration.SessionToken.Audience.AbsoluteUri,
TokenIssuerName = Configuration.SessionToken.IssuerName,
SigningCredentials = new HmacSigningCredentials(Configuration.SessionToken.SigningKey),
Subject = principal.Identities.First()
};
var token = handler.CreateToken(descriptor);
return handler.WriteToken(token);
}
public void TestSuspendedToReversedActualOwner()
{
IdentityId actualId = new IdentityId();
ILoggingService loggingService = SetupLoggerMock(new List<TaskHistoryEvent>());
Task task = new Task(
new TaskId(), TaskStatus.Reserved, string.Empty,
string.Empty, Priority.Normal, false,
DateTime.UtcNow, new IdentityId().GetIdentity(),
DateTime.UtcNow, null, actualId.GetIdentity())
{
LoggingService = loggingService
};
IPrincipal actualOwner = new ClaimsPrincipal(actualId.GetIdentity());
Thread.CurrentPrincipal = actualOwner;
task.Suspend();
Assert.AreEqual(TaskStatus.Suspended, task.Status);
Assert.AreEqual(actualId.GetIdentity(), task.ActualOwner);
task.Resume();
Assert.AreEqual(TaskStatus.Reserved, task.Status);
Assert.AreEqual(actualId.GetIdentity(), task.ActualOwner);
Assert.IsNotNull(task.History);
Assert.AreEqual(2, task.History.Count());
TaskHistoryEvent history = task.History.ElementAt(0);
Assert.IsNotNull(history);
Assert.AreEqual(TaskStatus.Reserved, history.OldStatus);
Assert.AreEqual(TaskStatus.Suspended, history.NewStatus);
Assert.AreEqual(actualId, history.UserId);
history = task.History.ElementAt(1);
Assert.IsNotNull(history);
Assert.AreEqual(TaskStatus.Suspended, history.OldStatus);
Assert.AreEqual(TaskStatus.Reserved, history.NewStatus);
Assert.AreEqual(actualId, history.UserId);
}
private readonly ClaimsPrincipal _claimsPrincipal; public GlobalRouting(ClaimsPrincipal claimsPrincipal)
{
_claimsPrincipal = claimsPrincipal;
}
/// <summary>
/// Check if the user is a member if the group
/// </summary>
/// <param name="user"></param>
/// <param name="group"></param>
/// <returns></returns>
public static bool IsInGroup(this ClaimsPrincipal user, string group)
{
return(user.HasClaim(c => c.Type == ClaimTypes.GroupSid && c.Value.Equals(group, StringComparison.OrdinalIgnoreCase)));
}
/// <summary>
/// Creates a ClaimsPrincipal from the specified user data, sets the current HTTP context and thread principal
/// and writes a session cookie from the resulting SessionSecurityToken using the specified parameters.
/// </summary>
/// <param name="user">The user data that will be used to create the claims for the ClaimsPrincipal.
/// Array values are converted to multiple claims with the same key.</param>
/// <param name="context">An application defined context string.</param>
/// <param name="domain">The domain used for the session cookie.</param>
/// <param name="path">The virtual path used for the session cookie.</param>
/// <param name="requireSsl">Indicates if the session cookie should only be used with SSL.</param>
/// <param name="httpOnly">Indicates whether the session cookie should be hidden from client script.</param>
/// <param name="cookieName">Indicates the name of the session cookie.</param>
/// <param name="sessionCookieLifetime">The lifetime for the sesion cookie. A null value indicates no expiration.</param>
/// <param name="persistent">Indicates if the user agent should persist the session cookie. </param>
public virtual void CreateSessionCookie(
IEnumerable<KeyValuePair<string, object>> user,
string context = null,
string domain = null,
string path = null,
bool requireSsl = false,
bool httpOnly = true,
string cookieName = null,
TimeSpan? sessionCookieLifetime = null,
bool persistent = false)
{
if (!string.IsNullOrEmpty(domain))
{
this.CookieHandler.Domain = domain;
}
if (!string.IsNullOrEmpty(path))
{
this.CookieHandler.Path = path;
}
if (!string.IsNullOrEmpty(cookieName))
{
this.CookieHandler.Name = cookieName;
}
this.CookieHandler.RequireSsl = requireSsl;
this.CookieHandler.HideFromClientScript = httpOnly;
var claims = new List<Claim>
{
new Claim(ClaimTypes.Name, user.First(a => a.Key == "name").Value.ToString()),
new Claim(
ClaimTypes.NameIdentifier,
user.First(a => a.Key == "user_id").Value.ToString()),
new Claim(
"http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider",
user.First(a => a.Key == "connection").Value.ToString())
};
foreach (var attribute in user)
{
var claimType = attribute.Key;
if (attribute.Value != null && attribute.Value.GetType().IsArray)
{
// Attribute contains an array of values (e.g.: "group" => [ "sales", "producers" ])
foreach (var subattribute in attribute.Value as IEnumerable)
{
claims.Add(new Claim(claimType, subattribute.ToString()));
}
}
else
{
claims.Add(
new Claim(claimType, attribute.Value != null ? attribute.Value.ToString() : string.Empty));
}
}
var principal = new ClaimsPrincipal(new ClaimsIdentity[] { new ClaimsIdentity(claims, "Auth0") });
this.OnBeforeCreateCookie(new BeforeCreateCookieEventArgs { Principal = principal });
var session = this.CreateSessionSecurityToken(
principal,
context,
DateTime.UtcNow,
sessionCookieLifetime.HasValue
? DateTime.UtcNow.Add(sessionCookieLifetime.Value)
: DateTime.MaxValue.ToUniversalTime(),
persistent);
this.AuthenticateSessionSecurityToken(session, true);
}
public static string GetUsername(this ClaimsPrincipal user)
{
// Name -> represents the unique name property
return(user.FindFirst(ClaimTypes.Name)?.Value);
}
public UserApp(ClaimsPrincipal principal)
: base(principal)
{
}
/// <summary>
/// Checks the authorization policy. Will throw a SecurityException when check fails.
/// </summary>
/// <param name="resource">The resource.</param>
/// <param name="action">The action.</param>
/// <param name="principal">The principal.</param>
public static void DemandAccess(string resource, string action, ClaimsPrincipal principal)
{
Contract.Requires(!String.IsNullOrEmpty(resource));
Contract.Requires(!String.IsNullOrEmpty(action));
Contract.Requires(principal != null);
if (!CheckAccess(resource, action, principal))
{
throw new SecurityException(string.Format("Demand for action: {0} for resource {1} failed", action, resource));
}
}
public override void Authenticated(ClaimsPrincipal principal)
{
_context.User = principal;
_tcs.TrySetResult(true);
}
public static IPrincipal GetOWinPrincipalUserFromCookiesValue(string cookiesValue, string authType)
{
IPrincipal user = null;
cookiesValue = cookiesValue.Replace('-', '+').Replace('_', '/');
var padding = 3 - ((cookiesValue.Length + 3) % 4);
if (padding != 0)
{
cookiesValue = cookiesValue + new string('=', padding);
}
var bytes = Convert.FromBase64String(cookiesValue);
bytes = System.Web.Security.MachineKey.Unprotect(bytes,
"Microsoft.Owin.Security.Cookies.CookieAuthenticationMiddleware",
authType, "v1");
using (var memory = new MemoryStream(bytes))
{
using (var compression = new GZipStream(memory,
CompressionMode.Decompress))
{
using (var reader = new BinaryReader(compression))
{
reader.ReadInt32();
string authenticationType = reader.ReadString();
reader.ReadString();
reader.ReadString();
int count = reader.ReadInt32();
var claims = new Claim[count];
for (int index = 0; index != count; ++index)
{
string type = reader.ReadString();
type = type == "\0" ? ClaimTypes.Name : type;
string value = reader.ReadString();
string valueType = reader.ReadString();
valueType = valueType == "\0" ?
"http://www.w3.org/2001/XMLSchema#string" :
valueType;
string issuer = reader.ReadString();
issuer = issuer == "\0" ? "LOCAL AUTHORITY" : issuer;
string originalIssuer = reader.ReadString();
originalIssuer = originalIssuer == "\0" ?
issuer : originalIssuer;
claims[index] = new Claim(type, value,
valueType, issuer, originalIssuer);
}
var identity = new ClaimsIdentity(claims, authenticationType,
ClaimTypes.Name, ClaimTypes.Role);
user = new ClaimsPrincipal(identity);
}
}
}
return(user);
}
public void UsersServiceMethodGetUserAuthenticationInfoShouldReturnTheAuthenticationInfoWithoutNameAndEmail()
{
// Arrange
var claims = new[]
{
new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "WindowsLiveID") ,
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "user1")
};
IClaimsIdentity identity = new ClaimsIdentity(claims);
IClaimsPrincipal principal = new ClaimsPrincipal(new[] { identity });
var unitOfWorkMock = new Mock<IUnitOfWork>();
var repository = new UsersMemoryRepository();
var service = new UsersService(unitOfWorkMock.Object, repository);
// Act
var result = service.GetUserAuthenticationInfo(principal);
// Assert
Assert.IsNotNull(result);
}
public virtual ClaimsPrincipal Transform(string resource, ClaimsPrincipal incomingPrincipal)
{
if (Configuration.ClaimsAuthenticationManager != null)
{
return Configuration.ClaimsAuthenticationManager.Authenticate(resource, incomingPrincipal) as ClaimsPrincipal;
}
else
{
return incomingPrincipal;
}
}
public void UsersServiceMethodIsRegisteredReturnsTrueForAnExistingUser()
{
// Arrange
var claims = new[]
{
new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "WindowsLiveID") ,
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "user1"),
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "*****@*****.**")
};
IClaimsIdentity identity = new ClaimsIdentity(claims);
IClaimsPrincipal principal = new ClaimsPrincipal(new[] { identity });
var unitOfWorkMock = new Mock<IUnitOfWork>();
var repository = new UsersMemoryRepository();
var service = new UsersService(unitOfWorkMock.Object, repository);
// Act
var result = service.UserIsRegistered(principal);
// Assert
Assert.IsTrue(result);
}
protected virtual ClaimsPrincipal InvokeHandler(SecurityTokenHandlerCollection handlers, string tokenString)
{
SecurityTokenHandler handler = null;
if (handlers.Count == 1)
{
handler = handlers.First();
}
else
{
foreach (var h in handlers)
{
if (((IHttpSecurityTokenHandler)h).CanReadToken(tokenString))
{
handler = h;
break;
}
}
}
if (handler != null)
{
var token = ((IHttpSecurityTokenHandler)handler).ReadToken(tokenString);
var principal = new ClaimsPrincipal(handler.ValidateToken(token));
return principal;
}
throw new InvalidOperationException("No handler found");
}
protected virtual void SetPrincipal(ClaimsPrincipal principal)
{
if (principal.Identity.IsAuthenticated)
{
string name = "unknown";
if (!string.IsNullOrWhiteSpace(principal.Identity.Name))
{
name = principal.Identity.Name;
}
Tracing.Information(Area.HttpAuthentication, "Authentication successful for: " + name);
}
else
{
Tracing.Information(Area.HttpAuthentication, "Setting anonymous principal.");
}
Thread.CurrentPrincipal = principal;
if (HttpContext.Current != null)
{
HttpContext.Current.User = principal;
}
}
public static string RetriveEmailFromPrincipal(this ClaimsPrincipal user)
{
return(user?.Claims?.FirstOrDefault(x => x.Type == ClaimTypes.Email).Value);
}
public static int GetUserId(this ClaimsPrincipal user)
{
var userId = int.Parse(user.FindFirst(ClaimTypes.NameIdentifier)?.Value);
return(userId);
}
public void UsersServiceMethodGFillUserAuthenticationInfoShouldFillTheAuthenticationInfo()
{
// Arrange
var claims = new[]
{
new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "WindowsLiveID") ,
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "user1"),
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "*****@*****.**"),
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "user1"),
};
IClaimsIdentity identity = new ClaimsIdentity(claims);
IClaimsPrincipal principal = new ClaimsPrincipal(new[] { identity });
var user = new User { Name = "user1" };
var unitOfWorkMock = new Mock<IUnitOfWork>();
var repository = new UsersMemoryRepository();
var service = new UsersService(unitOfWorkMock.Object, repository);
// Act
service.FillAuthenticationInfo(user, principal);
// Assert
Assert.IsTrue(user.PartitionKey == "windowsliveid");
Assert.IsTrue(user.RowKey == "user1-windowsliveid");
Assert.IsTrue(user.UniqueIdentifier == "user1");
}
/// <summary>
/// Creates a <see cref="TokenResponseReceivedContext"/>
/// </summary>
public TokenResponseReceivedContext(HttpContext context, AuthenticationScheme scheme, OpenIdConnectOptions options, ClaimsPrincipal user, AuthenticationProperties properties)
: base(context, scheme, options, properties)
=> Principal = user;
private Task<HttpResponseMessage> SendSessionTokenResponse(ClaimsPrincipal principal)
{
var token = _authN.CreateSessionToken(principal);
var tokenResponse = _authN.CreateSessionTokenResponse(token);
return Task<HttpResponseMessage>.Factory.StartNew(() =>
{
var response = new HttpResponseMessage(HttpStatusCode.OK);
response.Content = new StringContent(tokenResponse, Encoding.UTF8, "application/json");
return response;
});
}
public GlobalRouting(ClaimsPrincipal claimsPrincipal)
{
_claimsPrincipal = claimsPrincipal;
}
/// <inheritDoc/>
public virtual LoginFormViewModel Authenticate(LoginFormViewModel input, HttpContextBase context)
{
User user;
UserLoggingReason result = SecurityManager.AuthenticateUser(
this.MembershipProvider,
input.UserName,
input.Password,
input.RememberMe,
out user);
var identity = ClaimsManager.GetCurrentIdentity();
if (user != null && identity != null && identity.OriginalIdentity is SitefinityIdentity)
{
IClaimsPrincipal cp = new ClaimsPrincipal(new[] { new ClaimsIdentity(identity.Claims) });
var wifCredentials = new FederatedServiceCredentials(FederatedAuthentication.ServiceConfiguration);
cp = wifCredentials.ClaimsAuthenticationManager.Authenticate(context.Request.RequestType, cp);
SitefinityClaimsAuthenticationModule.Current.AuthenticatePrincipalWithCurrentToken(cp, input.RememberMe);
}
if (result == UserLoggingReason.Unknown)
{
input.IncorrectCredentials = true;
}
else
{
string redirectUrl;
if (!this.TryResolveUrlFromUrlReferrer(context, out redirectUrl))
{
redirectUrl = this.GetPageUrl(this.LoginRedirectPageId);
}
input.RedirectUrlAfterLogin = redirectUrl;
if (result != UserLoggingReason.Success)
{
SFClaimsAuthenticationManager.ProcessRejectedUser(context, input.RedirectUrlAfterLogin);
}
}
return input;
}
private async Task <bool> ValidateSecurityStampAsync(UserManager <TUser> userManager, ClaimsPrincipal principal)
{
var user = await userManager.GetUserAsync(principal);
if (user == null)
{
return(false);
}
else if (!userManager.SupportsUserSecurityStamp)
{
return(true);
}
else
{
var principalStamp = principal.FindFirstValue(_options.ClaimsIdentity.SecurityStampClaimType);
var userStamp = await userManager.GetSecurityStampAsync(user);
return(principalStamp == userStamp);
}
}
/// <summary>
/// Executed when the authentication should be done.
/// </summary>
/// <param name="sender">The sender.</param>
/// <param name="e">The event args.</param>
private void context_AuthenticateRequest(object sender, EventArgs e)
{
// Get the request.
var request = ((HttpApplication)sender).Request;
// The redirect back from the security token service is done using a POST method. Hence
// abort processing of the current request, if it was not sent using POST.
if (request.HttpMethod != "POST")
{
return;
}
// Check whether the request contains sign in data.
if (request.Form["wa"] != WSFederationConstants.Actions.SignIn ||
request.Form["wresult"].IsNullOrEmpty())
{
return;
}
// Otherwise, get the security token which is attached to the request, process it and
// convert it to a principal. First, set up the federatec authentication module.
var fam =
new WSFederationAuthenticationModule
{
ServiceConfiguration =
new ServiceConfiguration
{
AudienceRestriction = { AudienceMode = AudienceUriMode.Never },
CertificateValidationMode =
X509CertificateValidationMode.Custom,
CertificateValidator = new CertificateValidator(c => true),
IssuerNameRegistry = new X509CertificateIssuerNameRegistry()
}
};
// Prepare the decryption by injecting the certificate to the service token resolver.
var certificates =
new List<SecurityToken>
{
new X509SecurityToken(
this.Container.Resolve<ICertificateManager>().GetEncryptingCertificate())
};
var encryptedSecurityTokenHandler =
(from handler in fam.ServiceConfiguration.SecurityTokenHandlers
where handler is EncryptedSecurityTokenHandler
select handler).First() as EncryptedSecurityTokenHandler;
encryptedSecurityTokenHandler.Configuration.ServiceTokenResolver =
SecurityTokenResolver.CreateDefaultSecurityTokenResolver(certificates.AsReadOnly(), false);
// Get the security token from the request.
var securityToken = fam.GetSecurityToken(request);
// Validate the token and convert it to a collection of claims.
var claims = fam.ServiceConfiguration.SecurityTokenHandlers.ValidateToken(securityToken);
// Create a principal from the claims.
IClaimsPrincipal principal = new ClaimsPrincipal(claims);
// Set the current principal.
HttpContext.Current.User = principal;
Thread.CurrentPrincipal = principal;
}
//public FlightProfilesController(ATSEF_DBContext context, UserManager<AppUser> userManager, IHttpContextAccessor httpContextAccessor)
public FlightProfilesController(ATSEF_DBContext context, IHttpContextAccessor httpContextAccessor)
{
_caller = httpContextAccessor.HttpContext.User;
_context = context;
}
private static AuthorizationContext CreateAuthorizationContext(ClaimsPrincipal currentPrincipal, ResourceAction resourceAction)
{
var resourceClaim = new Claim(resourceAction.ResourceType, resourceAction.Resource);
var actionClaim = new Claim(resourceAction.ActionType, resourceAction.Action);
return new AuthorizationContext(
currentPrincipal,
new Collection<Claim> { resourceClaim },
new Collection<Claim> { actionClaim });
}
public static ClaimsPrincipal Create()
{
var anonId = new ClaimsIdentity();
var anonPrincipal = new ClaimsPrincipal(new ClaimsIdentityCollection(new ClaimsIdentity[]{anonId}));
return anonPrincipal;
}
private static void SetPrincipal()
{
var idPclaims = new List<Claim>
{
new Claim(ClaimTypes.Name, "Alice", ClaimValueTypes.String, "IdP"),
new Claim(ClaimTypes.Email, "*****@*****.**", ClaimValueTypes.String, "IdP"),
new Claim(ClaimTypes.Role, "Users", ClaimValueTypes.String, "IdP"),
new Claim(ClaimTypes.Role, "Marketing", ClaimValueTypes.String, "IdP"),
new Claim(ClaimTypes.Role, "Sales", ClaimValueTypes.String, "IdP"),
new Claim("http://www.thinktecture.com/claims/location", "Heidelberg", ClaimValueTypes.String, "IdP")
};
var authZclaims = new List<Claim>
{
new Claim(WSAuthorizationConstants.Action, "AddCustomer", ClaimValueTypes.String, "RSTS"),
new Claim(WSAuthorizationConstants.Action, "ChangeCustomer", ClaimValueTypes.String, "RSTS")
};
var idp = new ClaimsIdentity(idPclaims);
var authZ = new ClaimsIdentity(authZclaims);
var principal = new ClaimsPrincipal(new List<IClaimsIdentity> { idp, authZ });
Thread.CurrentPrincipal = principal;
}
