public override void Handle(FlowEvent @event, FlowContext context)
{
if (@event.Equals(FlowEvent.LoginCompleted))
{
var externalUserUuid = GetUserExternalUuid();
var cvrNumber = _parser.MatchCvrNumber();
if (externalUserUuid.IsNone)
{
_logger.Warning("No external UUID passed from STS Adgangsstyring");
context.TransitionTo(_stateFactory.CreateErrorState(), _ => _.HandleUnknownError());
}
else if (cvrNumber.IsNone)
{
_logger.Warning("CVR number not provided from STS Adgangsstyring");
context.TransitionTo(_stateFactory.CreateErrorState(), _ => _.HandleUnknownError());
}
else if (CurrentUserHasKitosPrivilege())
{
_logger.Debug("User with UUID {uuid} and CVR {cvr} did have privilege", externalUserUuid.Value, cvrNumber.Value);
context.TransitionTo(_stateFactory.CreatePrivilegeVerifiedState(externalUserUuid.Value, cvrNumber.Value), _ => _.HandleUserPrivilegeVerified());
}
else
{
var privileges = GetPrivilegesString();
_logger.Information("Missing privilege for user with UUID {uuid} and CVR {cvr}. Failed with XML privileges {xmlPrivilegesBase64}", externalUserUuid.Value, cvrNumber.Value, privileges);
context.TransitionTo(_stateFactory.CreateErrorState(), _ => _.HandleUserPrivilegeInvalid());
}
}
}
public override void Handle(FlowEvent @event, FlowContext context)
{
_logger.Information("SSO entered {errorStateName} with error: {errorEvent}", nameof(ErrorState), @event);
switch (@event)
{
case FlowEvent.UserPrivilegeInvalid:
ErrorCode = SsoErrorCode.MissingPrivilege;
break;
case FlowEvent.NoOrganizationAndRole:
ErrorCode = SsoErrorCode.NoOrganizationAndRole;
break;
case FlowEvent.UnableToResolveUserInStsOrganization:
ErrorCode = SsoErrorCode.UserNotFoundInSTS;
break;
case FlowEvent.UnableToLocateUser:
ErrorCode = SsoErrorCode.UnableToCreateUserWithUnknownOrganization;
break;
default:
ErrorCode = SsoErrorCode.Unknown;
break;
}
}
public override void Handle(FlowEvent @event, FlowContext context)
{
switch (@event)
{
case FlowEvent.UnableToLocateUser:
var organizationByCvrResult = _organizationRepository.GetByCvr(_stsBrugerInfo.MunicipalityCvr);
if (organizationByCvrResult.HasValue)
{
var organization = organizationByCvrResult.Value;
var user = CreateAutoProvisonedUser();
_organizationRoleService.MakeUser(user, organization);
context.TransitionTo(_ssoStateFactory.CreateUserLoggedIn(user),
_ => _.HandleUserAutoProvisioned());
}
else
{
context.TransitionTo(_ssoStateFactory.CreateErrorState(),
_ => _.HandleUnableToLocateUser());
}
break;
default:
throw new ArgumentOutOfRangeException(nameof(@event), @event, null);
}
}
public override void Handle(FlowEvent @event, FlowContext context)
{
if (@event.Equals(FlowEvent.UserHasNoRoleInOrganization))
{
_organizationRoleService.MakeUser(_user, _ssoOrganization);
context.TransitionTo(_ssoStateFactory.CreateUserLoggedIn(_user), _ => _.HandleRoleAssigned());
}
}
public override void Handle(FlowEvent @event, FlowContext context)
{
if (@event.Equals(FlowEvent.UserFirstTimeSsoVisit))
{
AssociateUserWithExternalIdentity();
HandleUserWithSsoIdentity(context);
}
else if (@event.Equals(FlowEvent.ExistingSsoUserWithoutRoles))
{
HandleUserWithSsoIdentity(context);
}
}
public override void Handle(FlowEvent @event, FlowContext context)
{
if (@event.Equals(FlowEvent.UserPrivilegeVerified))
{
var userResult = _ssoUserIdentityRepository.GetByExternalUuid(_userUuid);
if (userResult.HasValue) // User has used the same SSO identity before and exists
{
var user = userResult.Value.User;
if (user.CanAuthenticate())
{
context.TransitionTo(_ssoStateFactory.CreateUserLoggedIn(user),
_ => _.HandleUserSeenBefore());
}
else
{
var stsBrugerInfo = _stsBrugerInfoService.GetStsBrugerInfo(_userUuid, _cvrNumber);
if (!stsBrugerInfo.HasValue)
{
context.TransitionTo(_ssoStateFactory.CreateErrorState(), _ => _.HandleUnableToResolveUserInStsOrganisation());
}
else
{
context.TransitionTo(_ssoStateFactory.CreateUserIdentifiedState(user, stsBrugerInfo.Value),
_ => _.HandleExistingSsoUserWithoutRoles());
}
}
}
else // Try to find the user by email
{
var stsBrugerInfo = _stsBrugerInfoService.GetStsBrugerInfo(_userUuid, _cvrNumber);
if (!stsBrugerInfo.HasValue)
{
context.TransitionTo(_ssoStateFactory.CreateErrorState(), _ => _.HandleUnableToResolveUserInStsOrganisation());
}
else
{
var userByKitosEmail = FindUserByEmail(stsBrugerInfo);
if (userByKitosEmail.HasValue)
{
context.TransitionTo(_ssoStateFactory.CreateUserIdentifiedState(userByKitosEmail.Value, stsBrugerInfo.Value),
_ => _.HandleUserFirstTimeSsoVisit());
}
else
{
context.TransitionTo(_ssoStateFactory.CreateFirstTimeUserNotFoundState(stsBrugerInfo.Value),
_ => _.HandleUnableToLocateUser());
}
}
}
}
}
public override void Handle(FlowEvent @event, FlowContext context)
{
if (@event.Equals(FlowEvent.OrganizationNotFound))
{
if (_user.CanAuthenticate())
{
context.TransitionTo(_stateFactory.CreateUserLoggedIn(_user), _ => _.HandleUserHasRoleInOrganization());
}
else
{
context.TransitionTo(_stateFactory.CreateErrorState(), _ => _.HandleNoRoleAndOrganization());
}
}
}
public override void Handle(FlowEvent @event, FlowContext context)
{
if (@event.Equals(FlowEvent.OrganizationFound))
{
var rolesInOrganization = _organizationRoleService.GetRolesInOrganization(_user, _ssoOrganization.Id);
if (rolesInOrganization.Any())
{
context.TransitionTo(_ssoStateFactory.CreateUserLoggedIn(_user), _ => _.HandleUserHasRoleInOrganization());
}
else
{
context.TransitionTo(_ssoStateFactory.CreateAssigningRoleState(_user, _ssoOrganization), _ => _.HandleUserHasNoRoleInOrganization());
}
}
}
public override void Handle(FlowEvent @event, FlowContext context)
{
switch (@event)
{
case FlowEvent.UserSeenBefore:
case FlowEvent.UserHasRoleInOrganization:
case FlowEvent.RoleAssigned:
case FlowEvent.UserAutoProvisioned:
_authenticationState.SetAuthenticatedUser(User, AuthenticationScope.Session);
break;
default:
throw new ArgumentOutOfRangeException(nameof(@event), @event, null);
}
}
private void HandleUserWithSsoIdentity(FlowContext context)
{
//Transition to authorizing state if organization sso binding already exists
var organizationByExternalIdResult = _ssoOrganizationIdentityRepository.GetByExternalUuid(_externalUser.BelongsToOrganizationUuid);
if (organizationByExternalIdResult.HasValue)
{
context.TransitionTo(_ssoStateFactory.CreateAuthorizingUserState(_user, organizationByExternalIdResult.Value.Organization),
_ => _.HandleOrganizationFound());
}
else
{
//If no sso binding exists for the organization, try to create one by finding the org by cvr and adding the sso relation
var organizationByCvrResult = _organizationRepository.GetByCvr(_externalUser.MunicipalityCvr);
if (organizationByCvrResult.HasValue)
{
var organization = organizationByCvrResult.Value;
var addOrganizationIdentityResult = _ssoOrganizationIdentityRepository.AddNew(organization, _externalUser.BelongsToOrganizationUuid);
if (addOrganizationIdentityResult.Failed)
{
//NOTE: This is not a blocker! - concurrency might be to blame but we log the error.. authentication is still allowed to proceed - it just failed to save the relation between org id and external uuid.
_logger.Error(
"Failed to save SSO relation between org uuid {orgUuid} and organization {orgId} for while authenticating user with id {userId}",
_externalUser.BelongsToOrganizationUuid, organization.Id, _user.Id);
}
context.TransitionTo(_ssoStateFactory.CreateAuthorizingUserState(_user, organization),
_ => _.HandleOrganizationFound());
}
else
{
context.TransitionTo(_ssoStateFactory.CreateAuthorizingUserFromUnknownOrgState(_user),
_ => _.HandleOrganizationNotFound());
}
}
}
