Beispiel #1
0
        public async Task <ResourceValidationResult> IsAuthorized(string openidProvider, Ticket validTicket, ClaimTokenParameter claimTokenParameter)
        {
            if (string.IsNullOrWhiteSpace(openidProvider))
            {
                throw new ArgumentNullException(nameof(openidProvider));
            }

            if (validTicket == null)
            {
                throw new ArgumentNullException(nameof(validTicket));
            }

            if (validTicket.Lines == null || !validTicket.Lines.Any())
            {
                throw new ArgumentNullException(nameof(validTicket.Lines));
            }

            var resourceIds = validTicket.Lines.Select(l => l.ResourceSetId);
            var resources   = await _resourceSetRepository.Get(resourceIds);

            if (resources == null || !resources.Any() || resources.Count() != resourceIds.Count())
            {
                throw new BaseUmaException(ErrorCodes.InternalError, ErrorDescriptions.SomeResourcesDontExist);
            }

            ResourceValidationResult validationResult = null;

            foreach (var ticketLine in validTicket.Lines)
            {
                var ticketLineParameter = new TicketLineParameter(ticketLine.Scopes);
                if (validTicket.Audiences != null && validTicket.Audiences.Any())
                {
                    ticketLineParameter.ClientId = validTicket.Audiences.First();
                }

                var resource = resources.First(r => r.Id == ticketLine.ResourceSetId);
                validationResult = await Validate(openidProvider, ticketLineParameter, resource, claimTokenParameter).ConfigureAwait(false);

                if (!validationResult.IsValid)
                {
                    _umaServerEventSource.AuthorizationPoliciesFailed(validTicket.Id);
                    return(validationResult);
                }
            }

            return(validationResult);
        }
Beispiel #2
0
        private AuthorizationPolicyResult CheckClients(Policy authorizationPolicy, TicketLineParameter ticketLineParameter)
        {
            if (authorizationPolicy.ClientIds == null || !authorizationPolicy.ClientIds.Any())
            {
                return(null);
            }

            if (!authorizationPolicy.ClientIds.Contains(ticketLineParameter.ClientId))
            {
                return(new AuthorizationPolicyResult
                {
                    Type = AuthorizationPolicyResultEnum.NotAuthorized,
                    Policy = authorizationPolicy,
                    ErrorDetails = "the client is not authorized"
                });
            }

            return(new AuthorizationPolicyResult
            {
                Type = AuthorizationPolicyResultEnum.Authorized
            });
        }
Beispiel #3
0
        public async Task <ResourceValidationResult> Execute(string openidProvider, ResourceSet resource, TicketLineParameter ticketLineParameter, ClaimTokenParameter claimTokenParameter)
        {
            if (string.IsNullOrWhiteSpace(openidProvider))
            {
                throw new ArgumentNullException(nameof(openidProvider));
            }

            if (resource == null)
            {
                throw new ArgumentNullException(nameof(resource));
            }

            if (ticketLineParameter == null)
            {
                throw new ArgumentNullException(nameof(ticketLineParameter));
            }

            JwsPayload jwsPayload = null;
            string     subject    = null;

            if (claimTokenParameter != null && claimTokenParameter.Format == Constants.IdTokenType)
            {
                var idToken = claimTokenParameter.Token;
                jwsPayload = await _jwtTokenParser.UnSign(idToken, openidProvider).ConfigureAwait(false);

                var subjectClaim = jwsPayload.FirstOrDefault(c => c.Key == SimpleIdServer.Core.Jwt.Constants.StandardResourceOwnerClaimNames.Subject);
                if (!subjectClaim.Equals(default(KeyValuePair <string, object>)) && subjectClaim.Value != null)
                {
                    subject = subjectClaim.Value.ToString();
                }
            }

            var validationsResult = new List <AuthorizationPolicyResult>();
            var policies          = resource.AuthPolicies;

            if (policies != null && policies.Any())
            {
                foreach (var policy in policies)
                {
                    if (ticketLineParameter.Scopes.Any(s => !policy.Scopes.Contains(s)))
                    {
                        validationsResult.Add(new AuthorizationPolicyResult
                        {
                            Type         = AuthorizationPolicyResultEnum.NotAuthorized,
                            Policy       = policy,
                            ErrorDetails = "the scope is not valid"
                        });
                        continue;
                    }

                    var clientAuthorizationResult = CheckClients(policy, ticketLineParameter);
                    if (clientAuthorizationResult != null && clientAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
                    {
                        validationsResult.Add(clientAuthorizationResult);
                        continue;
                    }

                    var validationResult = CheckClaims(openidProvider, policy, jwsPayload);
                    validationsResult.Add(validationResult);
                }
            }


            var vr = validationsResult.FirstOrDefault(v => v.Type == AuthorizationPolicyResultEnum.Authorized);

            if (vr != null)
            {
                return(new ResourceValidationResult
                {
                    IsValid = true
                });
            }

            if (!resource.AcceptPendingRequest)
            {
                return(new ResourceValidationResult
                {
                    IsValid = false,
                    AuthorizationPoliciesResult = validationsResult
                });
            }

            if (!string.IsNullOrWhiteSpace(subject))
            {
                var pendingRequestLst = await _pendingRequestRepository.Get(resource.Id, subject).ConfigureAwait(false);

                var pendingRequest = pendingRequestLst.FirstOrDefault(p => ticketLineParameter.Scopes.Count() == p.Scopes.Count() && ticketLineParameter.Scopes.All(s => p.Scopes.Contains(s)));
                if (pendingRequest == null)
                {
                    await _pendingRequestRepository.Add(new PendingRequest
                    {
                        Id               = Guid.NewGuid().ToString(),
                        CreateDateTime   = DateTime.UtcNow,
                        ResourceId       = resource.Id,
                        IsConfirmed      = false,
                        RequesterSubject = subject,
                        Scopes           = ticketLineParameter.Scopes
                    }).ConfigureAwait(false);

                    return(new ResourceValidationResult
                    {
                        IsValid = false,
                        AuthorizationPoliciesResult = new[]
                        {
                            new AuthorizationPolicyResult
                            {
                                Type = AuthorizationPolicyResultEnum.RequestSubmitted,
                                ErrorDetails = "a request has been submitted"
                            }
                        }
                    });
                }
            }

            return(new ResourceValidationResult
            {
                IsValid = false,
                AuthorizationPoliciesResult = new[]
                {
                    new AuthorizationPolicyResult
                    {
                        Type = AuthorizationPolicyResultEnum.RequestNotConfirmed,
                        ErrorDetails = "the request is not confirmed by the resource owner"
                    }
                }
            });
        }
Beispiel #4
0
 private Task <ResourceValidationResult> Validate(string openidProvider, TicketLineParameter ticketLineParameter, ResourceSet resource, ClaimTokenParameter claimTokenParameter)
 {
     return(_basicAuthorizationPolicy.Execute(openidProvider, resource, ticketLineParameter, claimTokenParameter));
 }