public void When_Passing_Null_Parameter_Then_Exception_Is_Thrown()
{
// ARRANGE
InitializeFakeObjects();
// ACT & ASSERT
Assert.ThrowsAsync <ArgumentNullException>(() => _jwtTokenParser.UnSign(null));
Assert.ThrowsAsync <ArgumentNullException>(() => _jwtTokenParser.UnSign(string.Empty));
}
public async Task <ResourceValidationResult> Execute(string openidProvider, ResourceSet resource, TicketLineParameter ticketLineParameter, ClaimTokenParameter claimTokenParameter)
{
if (string.IsNullOrWhiteSpace(openidProvider))
{
throw new ArgumentNullException(nameof(openidProvider));
}
if (resource == null)
{
throw new ArgumentNullException(nameof(resource));
}
if (ticketLineParameter == null)
{
throw new ArgumentNullException(nameof(ticketLineParameter));
}
JwsPayload jwsPayload = null;
string subject = null;
if (claimTokenParameter != null && claimTokenParameter.Format == Constants.IdTokenType)
{
var idToken = claimTokenParameter.Token;
jwsPayload = await _jwtTokenParser.UnSign(idToken, openidProvider).ConfigureAwait(false);
var subjectClaim = jwsPayload.FirstOrDefault(c => c.Key == SimpleIdServer.Core.Jwt.Constants.StandardResourceOwnerClaimNames.Subject);
if (!subjectClaim.Equals(default(KeyValuePair <string, object>)) && subjectClaim.Value != null)
{
subject = subjectClaim.Value.ToString();
}
}
var validationsResult = new List <AuthorizationPolicyResult>();
var policies = resource.AuthPolicies;
if (policies != null && policies.Any())
{
foreach (var policy in policies)
{
if (ticketLineParameter.Scopes.Any(s => !policy.Scopes.Contains(s)))
{
validationsResult.Add(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized,
Policy = policy,
ErrorDetails = "the scope is not valid"
});
continue;
}
var clientAuthorizationResult = CheckClients(policy, ticketLineParameter);
if (clientAuthorizationResult != null && clientAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
validationsResult.Add(clientAuthorizationResult);
continue;
}
var validationResult = CheckClaims(openidProvider, policy, jwsPayload);
validationsResult.Add(validationResult);
}
}
var vr = validationsResult.FirstOrDefault(v => v.Type == AuthorizationPolicyResultEnum.Authorized);
if (vr != null)
{
return(new ResourceValidationResult
{
IsValid = true
});
}
if (!resource.AcceptPendingRequest)
{
return(new ResourceValidationResult
{
IsValid = false,
AuthorizationPoliciesResult = validationsResult
});
}
if (!string.IsNullOrWhiteSpace(subject))
{
var pendingRequestLst = await _pendingRequestRepository.Get(resource.Id, subject).ConfigureAwait(false);
var pendingRequest = pendingRequestLst.FirstOrDefault(p => ticketLineParameter.Scopes.Count() == p.Scopes.Count() && ticketLineParameter.Scopes.All(s => p.Scopes.Contains(s)));
if (pendingRequest == null)
{
await _pendingRequestRepository.Add(new PendingRequest
{
Id = Guid.NewGuid().ToString(),
CreateDateTime = DateTime.UtcNow,
ResourceId = resource.Id,
IsConfirmed = false,
RequesterSubject = subject,
Scopes = ticketLineParameter.Scopes
}).ConfigureAwait(false);
return(new ResourceValidationResult
{
IsValid = false,
AuthorizationPoliciesResult = new[]
{
new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.RequestSubmitted,
ErrorDetails = "a request has been submitted"
}
}
});
}
}
return(new ResourceValidationResult
{
IsValid = false,
AuthorizationPoliciesResult = new[]
{
new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.RequestNotConfirmed,
ErrorDetails = "the request is not confirmed by the resource owner"
}
}
});
}
private async Task <AuthorizationPolicyResult> CheckClaims(
PolicyRule authorizationPolicy,
List <ClaimTokenParameter> claimTokenParameters)
{
if (authorizationPolicy.Claims == null ||
!authorizationPolicy.Claims.Any())
{
return(null);
}
if (claimTokenParameters == null ||
!claimTokenParameters.Any(c => c.Format == IdTokenType))
{
return(GetNeedInfoResult(authorizationPolicy.Claims));
}
var idToken = claimTokenParameters.First(c => c.Format == IdTokenType);
var jwsPayload = await _jwtTokenParser.UnSign(idToken.Token);
if (jwsPayload == null)
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
foreach (var claim in authorizationPolicy.Claims)
{
var payload = jwsPayload
.FirstOrDefault(j => j.Key == claim.Type);
if (payload.Equals(default(KeyValuePair <string, object>)))
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
if (claim.Type == SimpleIdentityServer.Core.Jwt.Constants.StandardResourceOwnerClaimNames.Role)
{
IEnumerable <string> roles = null;
if (payload.Value is string)
{
roles = payload.Value.ToString().Split(',');
}
else
{
var arr = payload.Value as object[];
var jArr = payload.Value as JArray;
if (arr != null)
{
roles = arr.Select(c => c.ToString());
}
if (jArr != null)
{
roles = jArr.Select(c => c.ToString());
}
}
if (roles == null || !roles.Any(v => claim.Value == v))
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
}
else
{
if (payload.Value.ToString() != claim.Value)
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
}
}
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.Authorized
});
}