public async override Task <AuthenticationState> GetAuthenticationStateAsync()
{
try
{
if (this.memoryStorage.AuthenticationData == null)
{
string authDataUrl = this.Options.ProviderOptions.AuthenticationDataUrl + "/.auth/me";
AuthenticationData data = await this.HttpClient.GetFromJsonAsync <AuthenticationData>(authDataUrl);
this.memoryStorage.SetAuthenticationData(data);
}
ClientPrincipal principal = this.memoryStorage.AuthenticationData.ClientPrincipal;
if (principal == null)
{
return(new AuthenticationState(new ClaimsPrincipal()));
}
principal.UserRoles = principal.UserRoles.Except(new string[] { "anonymous" }, StringComparer.CurrentCultureIgnoreCase);
var identity = new ClaimsIdentity(principal.IdentityProvider);
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, principal.UserId));
identity.AddClaim(new Claim(ClaimTypes.Name, principal.UserDetails));
identity.AddClaims(principal.UserRoles.Select(r => new Claim(ClaimTypes.Role, r)));
return(new AuthenticationState(new ClaimsPrincipal(identity)));
}
catch
{
this.memoryStorage.SetAuthenticationData(null);
return(new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity())));
}
}
public static ClaimsPrincipal Parse(HttpRequest req)
{
var principal = new ClientPrincipal();
if (req.Headers.TryGetValue("x-ms-client-principal", out var header))
{
var data = header[0];
var decoded = Convert.FromBase64String(data);
var json = Encoding.ASCII.GetString(decoded);
principal = JsonSerializer.Deserialize <ClientPrincipal>(json, new JsonSerializerOptions {
PropertyNameCaseInsensitive = true
});
}
principal.UserRoles = principal.UserRoles?.Except(new string[] { "anonymous" }, StringComparer.CurrentCultureIgnoreCase);
if (!principal.UserRoles?.Any() ?? true)
{
return(new ClaimsPrincipal(new ClaimsIdentity()));
}
var identity = new ClaimsIdentity(principal.IdentityProvider);
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, principal.UserId));
identity.AddClaim(new Claim(ClaimTypes.Name, principal.UserDetails));
identity.AddClaims(principal.UserRoles.Select(r => new Claim(ClaimTypes.Role, r)));
return(new ClaimsPrincipal(identity));
}
private void ManagerAuthenticator(ClientConnection connection)
{
Logger.Finest("Authenticating against the owner node");
var ss = _client.GetSerializationService();
string uuid = null;
string ownerUuid = null;
if (_principal != null)
{
uuid = _principal.GetUuid();
ownerUuid = _principal.GetOwnerUuid();
}
ClientMessage request;
if (_credentials is UsernamePasswordCredentials)
{
var usernamePasswordCr = (UsernamePasswordCredentials)_credentials;
request = ClientAuthenticationCodec.EncodeRequest(usernamePasswordCr.GetUsername(),
usernamePasswordCr.GetPassword(), uuid, ownerUuid, true, ClientTypes.Csharp,
_client.GetSerializationService().GetVersion(), VersionUtil.GetDllVersion());
}
else
{
var data = ss.ToData(_credentials);
request = ClientAuthenticationCustomCodec.EncodeRequest(data, uuid, ownerUuid, false, ClientTypes.Csharp,
_client.GetSerializationService().GetVersion(), VersionUtil.GetDllVersion());
}
IClientMessage response;
try
{
var invocationService = (ClientInvocationService)_client.GetInvocationService();
response = ThreadUtil.GetResult(invocationService.InvokeOnConnection(request, connection));
}
catch (Exception e)
{
throw ExceptionUtil.Rethrow(e);
}
var result = ClientAuthenticationCodec.DecodeResponse(response);
if (result.address == null)
{
throw new HazelcastException("Could not resolve address for owner node.");
}
var member = new Member(result.address, result.ownerUuid);
_principal = new ClientPrincipal(result.uuid, result.ownerUuid);
connection.Member = member;
connection.SetOwner();
connection.ConnectedServerVersionStr = result.serverHazelcastVersion;
}
public bool CanUserAccessList(ClientPrincipal principal, string listId)
{
var list = _cloudTable.ExecuteQuery(new TableQuery <TodoListEntity>().Where(TableQuery.GenerateFilterCondition("RowKey", QueryComparisons.Equal, listId))).FirstOrDefault();
if (list == null)
{
throw new Exception("Could not find list");
}
return(list.PartitionKey == principal.UserId);
}
public bool CanUserAccessList(ClientPrincipal principal, string listId, ShareRole requiredRole = ShareRole.View)
{
var list = GetEntitiesForRowKey(listId).FirstOrDefault();
if (list == null)
{
throw new Exception("Could not find list");
}
return(list.PartitionKey == principal.UserId || _todoListMemberService.CanUserAccessList(listId, principal.UserId, requiredRole));
}
public ClientPrincipal GetClientPrincipalFromRequest(HttpRequest req)
{
var principle = new ClientPrincipal
{
IdentityProvider = "ThopDevsSuperSecretAuth",
UserId = "ThopDev",
UserDetails = "ThopDev"
};
_userService.InsertIfNotExists(principle);
return(principle);
}
public static string GetClientPrincipal(HttpRequest req)
{
var principal = new ClientPrincipal();
if (req.Headers.TryGetValue("x-ms-client-principal", out var header))
{
var data = header[0];
var decoded = Convert.FromBase64String(data);
var json = Encoding.ASCII.GetString(decoded);
principal = JsonConvert.DeserializeObject <ClientPrincipal>(json);
}
return(principal.UserDetails);
}
public override async Task <AuthenticationState> GetAuthenticationStateAsync()
{
ClientPrincipal principal = _testMode ? await GetTestUserPrincipal() : await GetUserPrincipal();
var identity = new ClaimsIdentity(principal.IdentityProvider);
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, principal.UserId));
identity.AddClaim(new Claim(ClaimTypes.Name, principal.UserDetails));
identity.AddClaims(principal.UserRoles.Select(r => new Claim(ClaimTypes.Role, r)));
var user = new ClaimsPrincipal(identity);
return(new AuthenticationState(user));
}
public void TestAnonymousUserIsNotAuthorized()
{
var clientPrincipal = new ClientPrincipal
{
IdentityProvider = "google",
UserId = "foo",
UserDetails = "foo bar",
UserRoles = new List <string> {
"anonymous",
}
};
var isAuthorized = StaticWebAppsAuth.IsAuthorized(clientPrincipal, "foo");
Assert.False(isAuthorized);
}
public void TestNotAuthorizedToAccessResourceNotOwnedByTheAuthenticatedUser()
{
var clientPrincipal = new ClientPrincipal
{
IdentityProvider = "google",
UserId = "bar",
UserDetails = "foo bar",
UserRoles = new List <string>
{
"anonymous",
"user",
}
};
var isAuthorized = StaticWebAppsAuth.IsAuthorized(clientPrincipal, "foo");
Assert.False(isAuthorized);
}
private static async Task <ClientPrincipal> ParseAsync(HttpRequest request)
{
var principal = new ClientPrincipal();
if (request.Headers.TryGetValue("x-ms-client-principal", out var header))
{
var data = header[0];
var decoded = Convert.FromBase64String(data);
var json = Encoding.ASCII.GetString(decoded);
principal = JsonConvert.DeserializeObject <ClientPrincipal>(json);
}
principal.UserRoles = principal.UserRoles?.Except(new string[] { "anonymous" }, StringComparer.CurrentCultureIgnoreCase);
return(await Task.FromResult(principal));
}
public static ClaimsPrincipal Parse(HttpRequest req, ApiKey[] apiKeys)
{
var principal = new ClientPrincipal();
Microsoft.Extensions.Primitives.StringValues header;
if (req.Headers.TryGetValue(ClientPrincipalHeader, out header) || req.Headers.TryGetValue(ClientPrincipalHeader.ToUpperInvariant(), out header))
{
var data = header[0];
var decoded = Convert.FromBase64String(data);
var json = Encoding.ASCII.GetString(decoded);
principal = JsonSerializer.Deserialize <ClientPrincipal>(json, new JsonSerializerOptions {
PropertyNameCaseInsensitive = true
});
}
else if (TryGetApiKey(req, out var apiKeyValue))
{
var apiKey = apiKeys.FirstOrDefault(k => string.Equals(k.Key, apiKeyValue));
if (apiKey != null)
{
principal.IdentityProvider = "API Key";
principal.UserDetails = apiKey.Name;
principal.UserId = apiKey.UserId;
principal.UserRoles = apiKey.Roles;
}
}
principal !.UserRoles = principal.UserRoles?.Except(new string[] { "anonymous" }, StringComparer.OrdinalIgnoreCase) ?? Array.Empty <string>();
if (!principal.UserRoles?.Any() ?? true)
{
return(new ClaimsPrincipal());
}
var identity = new ClaimsIdentity(principal.IdentityProvider);
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, principal.UserId));
identity.AddClaim(new Claim(ClaimTypes.Name, principal.UserDetails));
identity.AddClaims(principal.UserRoles !.Select(r => new Claim(ClaimTypes.Role, r)));
return(new ClaimsPrincipal(identity));
}
public static ClaimsPrincipal ParseClaims(string json)
{
AuthenticationData data = JsonSerializer.Deserialize <AuthenticationData>(json);
ClientPrincipal principal = data.ClientPrincipal;
principal.UserRoles = principal.UserRoles.Except(new string[] { "anonymous" }, StringComparer.CurrentCultureIgnoreCase);
if (!principal.UserRoles.Any())
{
return(new ClaimsPrincipal());
}
var identity = new ClaimsIdentity(principal.IdentityProvider);
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, principal.UserId));
identity.AddClaim(new Claim(ClaimTypes.Name, principal.UserDetails));
identity.AddClaims(principal.UserRoles.Select(r => new Claim(ClaimTypes.Role, r)));
return(new ClaimsPrincipal(identity));
}
private void Authenticate(ClientConnection connection, bool isOwnerConnection)
{
if (Logger.IsFinestEnabled())
{
Logger.Finest(string.Format("Authenticating against the {0} node", isOwnerConnection?"owner":"non-owner"));
}
string uuid = null;
string ownerUuid = null;
if (ClientPrincipal != null)
{
uuid = ClientPrincipal.GetUuid();
ownerUuid = ClientPrincipal.GetOwnerUuid();
}
var ss = _client.GetSerializationService();
ClientMessage request;
var credentials = _credentialsFactory.NewCredentials();
LastCredentials = credentials;
if (credentials.GetType() == typeof(UsernamePasswordCredentials))
{
var usernamePasswordCr = (UsernamePasswordCredentials)credentials;
request = ClientAuthenticationCodec.EncodeRequest(usernamePasswordCr.Username, usernamePasswordCr.Password, uuid,
ownerUuid, isOwnerConnection, ClientTypes.Csharp, ss.GetVersion(), VersionUtil.GetDllVersion());
}
else
{
var data = ss.ToData(credentials);
request = ClientAuthenticationCustomCodec.EncodeRequest(data, uuid, ownerUuid, isOwnerConnection,
ClientTypes.Csharp, ss.GetVersion(), VersionUtil.GetDllVersion());
}
IClientMessage response;
try
{
var invocationService = (ClientInvocationService)_client.GetInvocationService();
response = ThreadUtil.GetResult(invocationService.InvokeOnConnection(request, connection), _heartbeatTimeout);
}
catch (Exception e)
{
var ue = ExceptionUtil.Rethrow(e);
Logger.Finest("Member returned an exception during authentication.", ue);
throw ue;
}
var result = ClientAuthenticationCodec.DecodeResponse(response);
if (result.address == null)
{
throw new HazelcastException("Could not resolve address for member.");
}
switch (result.status)
{
case AuthenticationStatus.Authenticated:
if (isOwnerConnection)
{
var member = new Member(result.address, result.ownerUuid);
ClientPrincipal = new ClientPrincipal(result.uuid, result.ownerUuid);
connection.Member = member;
connection.SetOwner();
connection.ConnectedServerVersionStr = result.serverHazelcastVersion;
}
else
{
var member = _client.GetClientClusterService().GetMember(result.address);
if (member == null)
{
throw new HazelcastException(string.Format("Node with address '{0}' was not found in the member list",
result.address));
}
connection.Member = member;
}
break;
case AuthenticationStatus.CredentialsFailed:
throw new AuthenticationException("Invalid credentials! Principal: " + ClientPrincipal);
case AuthenticationStatus.SerializationVersionMismatch:
throw new InvalidOperationException("Server serialization version does not match to client");
default:
throw new AuthenticationException("Authentication status code not supported. status: " + result.status);
}
}
public void InsertIfNotExists(ClientPrincipal clientPrincipal)
{
InsertIfNotExists(_mapper.Map <UserEntity>(clientPrincipal));
}
private void ManagerAuthenticator(ClientConnection connection)
{
Logger.Finest("Authenticating against the owner node");
var ss = _client.GetSerializationService();
string uuid = null;
string ownerUuid = null;
if (_principal != null)
{
uuid = _principal.GetUuid();
ownerUuid = _principal.GetOwnerUuid();
}
ClientMessage request;
if (_credentials is UsernamePasswordCredentials)
{
var usernamePasswordCr = (UsernamePasswordCredentials) _credentials;
request = ClientAuthenticationCodec.EncodeRequest(usernamePasswordCr.GetUsername(),
usernamePasswordCr.GetPassword(), uuid, ownerUuid, true,
ClientTypes.Csharp, _client.GetSerializationService().GetVersion());
}
else
{
var data = ss.ToData(_credentials);
request = ClientAuthenticationCustomCodec.EncodeRequest(data, uuid, ownerUuid, false,
ClientTypes.Csharp, _client.GetSerializationService().GetVersion());
}
connection.Init();
IClientMessage response;
try
{
var invocationService = (ClientInvocationService) _client.GetInvocationService();
response = ThreadUtil.GetResult(invocationService.InvokeOnConnection(request, connection));
}
catch (Exception e)
{
throw ExceptionUtil.Rethrow(e);
}
var result = ClientAuthenticationCodec.DecodeResponse(response);
var member = new Member(result.address, result.ownerUuid);
_principal = new ClientPrincipal(result.uuid, result.ownerUuid);
connection.SetRemoteMember(member);
}
