public static IMvcCoreBuilder AddSuperUserTokenController <TKey>(this IMvcCoreBuilder mvcBuilder, Func <IServiceProvider, DateTimeOffset> timestamps,
Action <ClaimOptions> configureClaimsAction = null,
Action <TokenOptions> configureTokensAction = null,
Action <SuperUserOptions> configureSuperUserAction = null)
where TKey : IEquatable <TKey>
{
if (configureClaimsAction != null)
{
mvcBuilder.Services.Configure(configureClaimsAction);
}
if (configureTokensAction != null)
{
mvcBuilder.Services.Configure(configureTokensAction);
}
if (configureSuperUserAction != null)
{
mvcBuilder.Services.Configure(configureSuperUserAction);
}
var claims = new ClaimOptions();
configureClaimsAction?.Invoke(claims);
var tokens = new TokenOptions();
configureTokensAction?.Invoke(tokens);
var superUser = new SuperUserOptions();
configureSuperUserAction?.Invoke(superUser);
var credentials = new
{
SigningKeyString = tokens.SigningKey,
EncryptingKeyString = tokens.EncryptingKey
}.QuackLike <ITokenCredentials>();
AuthenticationExtensions.MaybeSetSecurityKeys(credentials);
var scheme = superUser.Scheme ?? tokens.Scheme;
mvcBuilder.Services.AddAuthentication().AddJwtBearer(scheme, o =>
{
if (tokens.Encrypt)
{
o.TokenValidationParameters = new TokenValidationParameters
{
TokenDecryptionKeyResolver = (token, securityToken, kid, parameters) => new[] { credentials.EncryptingKey.Key },
ValidateIssuerSigningKey = false,
ValidIssuer = tokens.Issuer,
ValidateLifetime = true,
ValidateAudience = true,
ValidAudience = tokens.Audience,
RequireSignedTokens = false,
IssuerSigningKey = credentials.SigningKey.Key,
TokenDecryptionKey = credentials.EncryptingKey.Key,
ClockSkew = TimeSpan.FromSeconds(tokens.ClockSkewSeconds),
RoleClaimType = claims.RoleClaim,
NameClaimType = claims.UserNameClaim
};
}
else
{
o.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
ValidIssuer = tokens.Issuer,
ValidateLifetime = true,
ValidateAudience = true,
ValidAudience = tokens.Audience,
RequireSignedTokens = true,
IssuerSigningKey = credentials.SigningKey.Key,
ClockSkew = TimeSpan.FromSeconds(tokens.ClockSkewSeconds),
RoleClaimType = claims.RoleClaim,
NameClaimType = claims.UserNameClaim
};
}
});
mvcBuilder.Services.TryAddSingleton <IIdentityClaimNameProvider, DefaultIdentityClaimNameProvider>();
mvcBuilder.Services.TryAddSingleton <ITokenFabricator <TKey> >(r => new DefaultTokenFabricator <TKey>(() => timestamps(r), r.GetRequiredService <IOptionsSnapshot <TokenOptions> >()));
mvcBuilder.AddActiveRoute <SuperUserTokenController <TKey>, SuperUserFeature, SuperUserOptions>();
return(mvcBuilder);
}
public static IServiceCollection AddSecurityPolicies(this IServiceCollection services,
Action <SecurityOptions> configureSecurityAction = null,
Action <SuperUserOptions> configureSuperUserAction = null,
ISafeLogger logger = null)
{
Bootstrap.EnsureInitialized();
Bootstrap.ContractResolver.IgnoreTypes.Add(typeof(KestrelConfigurationLoader));
var security = new SecurityOptions(true);
configureSecurityAction?.Invoke(security);
var superUser = new SuperUserOptions();
configureSuperUserAction?.Invoke(superUser);
var credentials = new
{
SigningKeyCredentials = security.Signing,
EncryptingKey = security.Encrypting
}.QuackLike <ITokenCredentials>();
AuthenticationExtensions.MaybeSetSecurityKeys(credentials);
security.Signing = credentials.SigningKey;
security.Encrypting = credentials.EncryptingKey;
if (configureSecurityAction != null)
{
services.Configure <SecurityOptions>(o =>
{
configureSecurityAction.Invoke(o);
o.Signing = security.Signing;
o.Encrypting = security.Encrypting;
});
}
if (configureSuperUserAction != null)
{
services.Configure <SuperUserOptions>(configureSuperUserAction.Invoke);
}
services.ConfigureOptions <ConfigureWebServer>();
services.AddCors(logger, security.Cors);
services.AddAuthentication(logger, security, superUser);
services.AddSuperUser(logger, superUser);
services.AddHttps(logger, security);
// FIXME: may need a better home for default policies for the platform
services.AddDefaultAuthorization(Constants.Security.Policies.AccessOperations, ClaimValues.AccessOperations);
services.AddDefaultAuthorization(Constants.Security.Policies.AccessMeta, ClaimValues.AccessMeta);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageConfiguration, ClaimValues.ManageConfiguration);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageObjects, ClaimValues.ManageObjects);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageSchemas, ClaimValues.ManageSchemas);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageBackgroundTasks, ClaimValues.ManageBackgroundTasks);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageUsers, ClaimValues.ManageUsers);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageRoles, ClaimValues.ManageRoles);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageTenants, ClaimValues.ManageTenants);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageApplications, ClaimValues.ManageApplications);
return(services);
}