/// <summary> /// Attempts to authorize the client issuing the request. /// </summary> /// <param name="actionContext"> /// The action context. /// </param> public void AuthorizeUser(HttpActionContext actionContext) { Log.Verbose("SimpleWebTokenAuthAttribute.OnAuthorization"); // Attempt to get credentials from the the client certificate. SecurityCredentials credentials = this.GetCredentialsFromAuthorizationHeader(actionContext); bool isAuthorized = false; if (credentials != null) { AuthPayload payload = Security.Authenticate(credentials); if (payload != null) { if (Security.Authorize(payload, this.Roles)) { isAuthorized = true; Log.Verbose("User is authorized"); } else { Log.Warn("Unauthorized user"); } } } if (!isAuthorized) { actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized); } }
/// <summary> /// The authorize. /// </summary> /// <param name="payload"> /// The payload. /// </param> /// <param name="roles"> /// The roles. /// </param> /// <returns> /// The <see cref="bool"/>. /// </returns> internal static bool Authorize(AuthPayload payload, string[] roles) { if (payload != null) { CustomIdentity identity = payload.CustomIdentity; ISecurityProvider securityProvider = authorizers[identity.SecurityProviderName]; bool isAuthorized = securityProvider.IsAuthorized(payload, roles); if (isAuthorized) { string userName = identity.Name; string providerName = identity.SecurityProviderName; Thread.CurrentPrincipal = new CustomPrincipal(identity, roles); Log.Verbose("User Id {0} is authorized", identity.UserId); return(true); } else { Log.Verbose("Anauthorized user"); return(false); } } else { return(false); } }
/// <summary> /// The is authorized. /// </summary> /// <param name="payload"> /// The payload. /// </param> /// <param name="roles"> /// The roles. /// </param> /// <returns> /// The <see cref="bool"/>. /// </returns> public bool IsAuthorized(AuthPayload payload, string[] roles) { bool result = false; if (roles.Length > 0) { // Create dictionary from the specified roles. Dictionary <string, string> authParameters = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase); foreach (string role in roles) { string[] segments = role.Split(':'); if (segments.Length == 2) { authParameters[segments[0]] = segments[1]; } } // Ensure the auth parameters match. if (authParameters.ContainsKey(Resource) == true && authParameters.ContainsKey(Action) == true) { string tokenResource = payload.CredentialAuthorizationParameters[Resource]; string tokenAction = payload.CredentialAuthorizationParameters[Action]; if (authParameters[Resource].Equals(tokenResource, StringComparison.OrdinalIgnoreCase) == true && authParameters[Action].Equals(tokenAction, StringComparison.OrdinalIgnoreCase) == true) { result = true; } } } return(result); }
/// <summary> /// The authenticate. /// </summary> /// <param name="credentials"> /// The credentials. /// </param> /// <param name="flags">A general purpose flags set</param> /// <returns> /// The <see cref="AuthPayload"/>. /// </returns> public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null) { AuthPayload result = null; if (SimpleWebTokenValidator.Validate(credentials.Token, ResourceNamespace, String.Format(ResourceTemplate, credentials.Name), TrustedSigningKey) == true) { result = new AuthPayload(new CustomIdentity(credentials.Token, credentials.Name, credentials.SecurityProviderName)); } return(result); }
/// <summary> /// The authenticate. /// </summary> /// <param name="credentials"> /// The credentials. /// </param> /// <param name="flags">A general purpose flags set </param> /// <returns> /// The <see cref="AuthPayload"/>. /// </returns> public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null) { AuthPayload result = null; // If the client certificate thumbprint is one of the registered thumbprints, create a CustomIdentity object for it. if (registeredThumbprints.ContainsKey(credentials.Token)) { result = new AuthPayload(new CustomIdentity(credentials.Token, credentials.Name, credentials.SecurityProviderName)); } return(result); }
/// <summary> /// Attempts to authorize the user for the request. /// </summary> /// <param name="actionContext"> /// The action context. /// </param> public virtual void AuthorizeUser(HttpActionContext actionContext) { Log.Verbose("ApiAuthAttribute.OnAuthorization"); string reason = string.Empty; // Attempt to get credentials from the HTTP authentication header. This could support application auth. or debug scenarios SecurityCredentials credentials = this.GetCredentialsFromAuthorizationHeader(actionContext); // If we did not have credentials specifed in the HTTP Authentication header if (credentials == null) { // Attempt to get credentials from the Bing authentication header. credentials = this.GetCredentialsFromBingHeader(actionContext); } bool isAuthorized = false; if (credentials != null) { AuthPayload payload = Security.Authenticate(credentials, this.Flags); if (payload != null) { if (Security.Authorize(payload, this.Roles)) { isAuthorized = true; Log.Verbose("User is authorized"); } else { Log.Warn("Unauthorized user"); } } } if (!isAuthorized) { if (this.AllowAnonymous) { var roles = new[] { "reader" }; Security.SetAnonymous(roles); } else { actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized) { ReasonPhrase = reason }; } } }
/// <summary> /// The is authorized. /// </summary> /// <param name="payload"> /// The payload. /// </param> /// <param name="roles"> /// The roles. /// </param> /// <returns> /// The <see cref="bool"/>. /// </returns> public bool IsAuthorized(AuthPayload payload, string[] roles) { bool result = false; Dictionary <string, string> parameters = SimpleWebTokenValidator.ExtractTokenProperties(payload.CustomIdentity.PresentedClientToken); if (String.Equals(parameters["Audience"], String.Format(ResourceTemplate, roles[0]), StringComparison.OrdinalIgnoreCase) == true) { result = true; } return(result); }
/// <summary> /// The authenticate. /// </summary> /// <param name="credentials"> /// The user credentials. /// </param> /// <param name="flags">the flags</param> /// <returns> /// The auth payload /// </returns> internal static AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null) { AuthPayload result = null; if (authorizers.ContainsKey(credentials.SecurityProviderName) == true) { ISecurityProvider securityProvider = authorizers[credentials.SecurityProviderName]; result = securityProvider.Authenticate(credentials, flags); } else { Log.Warn("Unregistered security provider was specified: {0}", credentials.SecurityProviderName); } return(result); }
/// <summary> /// The authenticate. /// </summary> /// <param name="credentials"> /// The credentials. /// </param> /// <param name="flags">A general purpose flags set </param> /// <returns> /// The <see cref="AuthPayload"/>. /// </returns> public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null) { bool useExternalIdentity = flags != null && flags.Contains("UseExternalIdentity"); if (credentials == null) { // || string.IsNullOrWhiteSpace(credentials.IdentificationCode)) throw new Exception("The LomoSecurityProvider.Authenticate() method was called with invalid Credentials."); } var externalIdentityInfo = Authentication.BingSocialAccessorRepository.GetUserAccountInfo(credentials.Token); if (externalIdentityInfo != null && externalIdentityInfo.UserId != null) { User user = null; if (!useExternalIdentity) { user = this.CreateOrGetInternalUser(externalIdentityInfo); } Guid userId = default(Guid); var userName = externalIdentityInfo.Name; var emailAddress = externalIdentityInfo.UserEmail; if (user != null) { userId = user.Id; if (string.IsNullOrWhiteSpace(userName) && !string.IsNullOrWhiteSpace(user.Name)) { userName = user.Name; } emailAddress = user.Email; } var identity = new CustomIdentity(userId, userName, SecurityProvider, externalIdentityInfo.UserId) { EmailAddress = emailAddress }; var payload = new AuthPayload(identity); return(payload); } return(null); }
/// <summary> /// The is authorized. /// </summary> /// <param name="payload"> /// The payload. /// </param> /// <param name="roles"> /// The roles. /// </param> /// <returns> /// The <see cref="bool"/>. /// </returns> public bool IsAuthorized(AuthPayload payload, string[] roles) { bool result = false; foreach (string role in roles) { KeyValueConfigurationElement roleElement = AuthorizationConfig.Instance.CertificateMap[role]; if (roleElement != null) { string[] thumbprints = roleElement.Value.Split(','); if (thumbprints.Contains(payload.CustomIdentity.PresentedClientToken, StringComparer.OrdinalIgnoreCase) == true) { result = true; break; } } } return(result); }
/// <summary> /// The authenticate. /// </summary> /// <param name="credentials"> /// The credentials. /// </param> /// <param name="flags"> /// A general purpose flags set /// </param> /// <returns> /// The <see cref="AuthPayload"/>. /// </returns> public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null) { AuthPayload result = null; if (credentials.Token != null) { LomoUserIdSecurityToken token = new LomoUserIdSecurityToken( credentials.Token, ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenSigningKey], ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenPassword], ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenSalt], Convert.ToUInt64(ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenClockSkew])); var identity = new CustomIdentity(new Guid(token.UserId), null, credentials.SecurityProviderName); result = new AuthPayload(identity); result.CredentialAuthorizationParameters[Resource] = token.Resource; result.CredentialAuthorizationParameters[Action] = token.Action; } return(result); }
/// <summary> /// Attempts to authorize the client issuing the request. /// </summary> /// <param name="actionContext"> /// The action context. /// </param> public void AuthorizeUser(HttpActionContext actionContext) { Log.Verbose("MutualSslAuthAttribute.OnAuthorization"); // Attempt to get credentials from the the client certificate. SecurityCredentials credentials = this.GetCredentialsFromClientCertificate(actionContext); bool isAuthorized = false; if (credentials != null) { AuthPayload payload = Security.Authenticate(credentials); if (payload != null) { if (Security.Authorize(payload, this.Roles)) { isAuthorized = true; Log.Verbose("User is authorized"); } else { Log.Warn("Unauthorized user"); } } else { Log.Warn("Unable to build auth payload while authenticating credentials."); } } else { Log.Warn("Unable to build credentials from client certificate."); } if (!isAuthorized) { actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized); } }
/// <summary> /// The is authorized. /// </summary> /// <param name="payload"> /// The payload. /// </param> /// <param name="roles"> /// The roles. /// </param> /// <returns> /// The <see cref="bool"/>. /// </returns> public bool IsAuthorized(AuthPayload payload, string[] roles) { return(payload != null); // TODO }