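        /// <summary>
        /// Applies the route's IP block list and IP allow list to the calling client.
        /// </summary>
        /// <param name="context">Downstream context; the client address is read from
        /// <c>HttpContext.Connection.RemoteIpAddress</c> and the lists from
        /// <c>DownstreamReRoute.SecurityOptions</c>.</param>
        /// <returns>
        /// <see cref="OkResponse"/> when no security options are configured or the client passes both
        /// lists; otherwise an <see cref="ErrorResponse"/> carrying an <see cref="UnauthenticatedError"/>.
        /// </returns>
        public async Task<Response> Security(DownstreamContext context)
        {
            SecurityOptions securityOptions = context.DownstreamReRoute.SecurityOptions;

            if (securityOptions == null)
            {
                return new OkResponse();
            }

            // RemoteIpAddress can be null (no connection info, e.g. under a test host); the previous
            // version dereferenced it unconditionally. The textual form is computed once instead of
            // once per list entry inside the lambda.
            string clientIp = context.HttpContext.Connection.RemoteIpAddress?.ToString();

            // NOTE(review): entries are matched by exact (ordinal) string equality, so an IPv4-mapped
            // IPv6 address ("::ffff:a.b.c.d") will not match a plain "a.b.c.d" entry — confirm whether
            // addresses are normalized before they reach this point.
            if (clientIp != null
                && securityOptions.IPBlockedList != null
                && securityOptions.IPBlockedList.Contains(clientIp))
            {
                var error = new UnauthenticatedError($" This request rejects access to {clientIp} IP");
                return new ErrorResponse(error);
            }

            if (securityOptions.IPAllowedList != null && securityOptions.IPAllowedList.Count > 0)
            {
                // Fail closed: an unknown client address cannot be on the allow list.
                if (clientIp == null || !securityOptions.IPAllowedList.Contains(clientIp))
                {
                    var error = new UnauthenticatedError($"{clientIp} does not allow access, the request is invalid");
                    return new ErrorResponse(error);
                }
            }

            return await Task.FromResult(new OkResponse());
        }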
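        /// <summary>
        /// Rejects requests whose bearer token is on the token blacklist held in <c>_cache</c>.
        /// </summary>
        /// <param name="context">Downstream context; the <c>Authorization</c> request header is inspected.</param>
        /// <returns>
        /// <see cref="OkResponse"/> when there is no bearer token or the token is not blacklisted.
        /// Otherwise the response status is set to 401, the cached warning text is written to the
        /// response body, and an <see cref="ErrorResponse"/> wrapping an
        /// <see cref="UnauthenticatedError"/> is returned.
        /// </returns>
        public async Task<Response> Security(DownstreamContext context)
        {
            string authorization = context.HttpContext.Request.Headers["Authorization"];

            // If no authorization header found, nothing to process further
            if (string.IsNullOrEmpty(authorization))
            {
                return new OkResponse();
            }

            const string bearerPrefix = "Bearer ";

            // Not a bearer token (or an empty one): there is nothing to look up. The previous version
            // went on to query the blacklist with an empty key in that case.
            if (!authorization.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
            {
                return new OkResponse();
            }

            string token = authorization.Substring(bearerPrefix.Length).Trim();
            if (string.IsNullOrEmpty(token))
            {
                return new OkResponse();
            }

            this.LoadBlacklistToken();

            if (!_cache.TryGetValue(token, out string warnInfo))
            {
                return await Task.FromResult(new OkResponse());
            }

            context.HttpContext.Response.StatusCode = 401;
            var bytes = Encoding.UTF8.GetBytes(warnInfo ?? string.Empty);
            await context.HttpContext.Response.Body.WriteAsync(bytes, 0, bytes.Length);

            // The token is a credential; it is deliberately kept out of the error text so it does not
            // end up in logs or in an error response.
            var error = new UnauthenticatedError("Token enters the blacklist");
            return new ErrorResponse(error);
        }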
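        /// <summary>
        /// Authenticates the client on routes that require it, then either continues the pipeline or
        /// records an <see cref="UnauthenticatedError"/> on the context via <c>SetPipelineError</c>.
        /// </summary>
        /// <param name="context">Downstream context for the current request.</param>
        /// <returns>A task that completes when the rest of the pipeline (or the error path) has run.</returns>
        public async Task Invoke(DownstreamContext context)
        {
            // Ordinal comparison: ToUpper() is culture-sensitive ("options" does not upper-case to
            // "OPTIONS" under a Turkish culture), which would turn a CORS preflight into an authenticated
            // route and fail it.
            bool isPreflight = string.Equals(context.HttpContext.Request.Method, "OPTIONS", StringComparison.OrdinalIgnoreCase);

            if (!isPreflight && IsAuthenticatedRoute(context.DownstreamReRoute))
            {
                Logger.LogInformation($"{context.HttpContext.Request.Path} is an authenticated route. {MiddlewareName} checking if client is authenticated");

                var result = await context.HttpContext.AuthenticateAsync(context.DownstreamReRoute.AuthenticationOptions.AuthenticationProviderKey);

                context.HttpContext.User = result.Principal;

                // Fail closed: a missing principal or identity is treated as "not authenticated"
                // rather than throwing a NullReferenceException.
                if (context.HttpContext.User?.Identity?.IsAuthenticated == true)
                {
                    Logger.LogInformation($"Client has been authenticated for {context.HttpContext.Request.Path}");
                    await _next.Invoke(context);
                }
                else
                {
                    var error = new UnauthenticatedError(
                        $"Request for authenticated route {context.HttpContext.Request.Path} by {context.HttpContext.User?.Identity?.Name} was unauthenticated");

                    Logger.LogWarning($"Client has NOT been authenticated for {context.HttpContext.Request.Path} and pipeline error set. {error}");

                    SetPipelineError(context, error);
                }
            }
            else
            {
                Logger.LogInformation($"No authentication needed for {context.HttpContext.Request.Path}");

                await _next.Invoke(context);
            }
        }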
 /// <summary>
 /// Test setup: configures the mocked security policies so that the first policy rejects the
 /// request with an <see cref="UnauthenticatedError"/> and every later policy accepts it.
 /// </summary>
 private void GivenNotPassingSecurityVerification()
 {
     bool isFirst = true;

     foreach (Mock<ISecurityPolicy> policy in _securityPolicyList)
     {
         Response response;

         if (isFirst)
         {
             Error error = new UnauthenticatedError($"Not passing security verification");
             response = new ErrorResponse(error);
             isFirst = false;
         }
         else
         {
             response = new OkResponse();
         }

         policy.Setup(x => x.Security(_downstreamContext)).Returns(Task.FromResult(response));
     }
 }
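 /// <summary>
 /// Client-authorization middleware: on authenticated routes, resolves the client id from the
 /// caller's claims and asks <c>_ahphAuthenticationProcessor</c> whether that client may call the
 /// route's upstream path template. Non-authenticated routes, OPTIONS requests and contexts already
 /// in error are passed straight through.
 /// </summary>
 /// <param name="context">Downstream context for the current request.</param>
 /// <returns>A task that completes when the rest of the pipeline (or the error path) has run.</returns>
 public async Task Invoke(DownstreamContext context)
 {
     // Ordinal comparison: ToUpper() is culture-sensitive ("options" does not upper-case to
     // "OPTIONS" under a Turkish culture), which would push a CORS preflight into the
     // authorization check.
     bool isPreflight = string.Equals(context.HttpContext.Request.Method, "OPTIONS", StringComparison.OrdinalIgnoreCase);

     if (!context.IsError && !isPreflight && IsAuthenticatedRoute(context.DownstreamReRoute))
     {
         if (!_options.ClientAuthorization)
         {
             // Client authorization is switched off for this gateway: let the request through.
             Logger.LogInformation($"未启用客户端授权管道");
             await _next.Invoke(context);
         }
         else
         {
             Logger.LogInformation($"{context.HttpContext.Request.Path} 是认证路由. {MiddlewareName} 开始校验授权信息");

             #region Extract the client id
             // NOTE(review): when the client claim is missing or empty the fixed id "client_cjy" is
             // used, so such a caller is authorized as that client. Confirm this is intended; treating
             // a missing claim as unauthorized would be the fail-closed default.
             var clientId    = "client_cjy";
             var path        = context.DownstreamReRoute.UpstreamPathTemplate.OriginalValue; // route address
             var clientClaim = context.HttpContext.User.Claims.FirstOrDefault(p => p.Type == _options.ClientKey);
             if (!string.IsNullOrEmpty(clientClaim?.Value))
             {
                 // Take the client id from the claims
                 clientId = clientClaim.Value;
             }
             #endregion

             if (await _ahphAuthenticationProcessor.CheckClientAuthenticationAsync(clientId, path))
             {
                 await _next.Invoke(context);
             }
             else
             {
                 // Not authorized: record the error and stop the pipeline here
                 var error = new UnauthenticatedError($"请求认证路由 {context.HttpContext.Request.Path}客户端未授权");
                 Logger.LogWarning($"路由地址 {context.HttpContext.Request.Path} 自定义认证管道校验失败. {error}");
                 SetPipelineError(context, error);
             }
         }
     }
     else
     {
         await _next.Invoke(context);
     }
 }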
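        /// <summary>
        /// Rejects requests whose bearer token is on the token blacklist held in <c>_cache</c>.
        /// </summary>
        /// <param name="context">Downstream context; the <c>Authorization</c> request header is inspected.</param>
        /// <returns>
        /// <see cref="OkResponse"/> when there is no bearer token or the token is not blacklisted.
        /// Otherwise the response status is set to 401, the cached warning text is written to the
        /// response body, and an <see cref="ErrorResponse"/> wrapping an
        /// <see cref="UnauthenticatedError"/> is returned.
        /// </returns>
        public async Task<Response> Security(DownstreamContext context)
        {
            if (!context.HttpContext.Request.Headers.TryGetValue("Authorization", out StringValues value))
            {
                return new OkResponse();
            }

            // Parse the scheme explicitly. Replace("Bearer ", "") removed the prefix anywhere in the
            // value, case-sensitively, and treated a non-bearer header (e.g. "Basic ...") as a token.
            const string bearerPrefix = "Bearer ";
            string authorization = value.ToString();

            if (!authorization.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
            {
                return new OkResponse();
            }

            string token = authorization.Substring(bearerPrefix.Length).Trim();
            if (string.IsNullOrEmpty(token))
            {
                return new OkResponse();
            }

            this.LoadBlacklistToken();

            if (!_cache.TryGetValue(token, out string warnInfo))
            {
                return await Task.FromResult(new OkResponse());
            }

            context.HttpContext.Response.StatusCode = 401;
            var bytes = Encoding.UTF8.GetBytes(warnInfo ?? string.Empty);
            await context.HttpContext.Response.Body.WriteAsync(bytes, 0, bytes.Length);

            // The token is a credential; it is deliberately kept out of the error text so it does not
            // end up in logs or in an error response.
            var error = new UnauthenticatedError("Token enters the blacklist");
            return new ErrorResponse(error);
        }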