public async Task ValidateAsync(CookieValidatePrincipalContext context)
{
var authChanges = new AuthChanges();
var extraContext = context.HttpContext.RequestServices.GetRequiredService <ExtraAuthorizeDbContext>();
var newClaims = new List <Claim>();
var originalClaims = context.Principal.Claims.ToList();
if (originalClaims.All(x => x.Type != PermissionConstants.PackedPermissionClaimType) ||
authChanges.IsOutOfDateOrMissing(AuthChangesConsts.FeatureCacheKey,
originalClaims.SingleOrDefault(x => x.Type == PermissionConstants.LastPermissionsUpdatedClaimType)?.Value,
extraContext))
{
var rtoPCalcer = new CalcAllowedPermissions(extraContext);
var dataKeyCalc = new CalcDataKey(extraContext);
//Handle the feature permissions
var userId = originalClaims.GetUserIdFromClaims();
newClaims.AddRange(await BuildFeatureClaimsAsync(userId, rtoPCalcer));
newClaims.AddRange(BuildDataClaims(userId, dataKeyCalc));
//Something has changed so we replace the current ClaimsPrincipal with a new one
newClaims.AddRange(RemoveUpdatedClaimsFromOriginalClaims(originalClaims, newClaims)); //Copy over unchanged claims
//Build a new ClaimsPrincipal and use it to replace the current ClaimsPrincipal
var identity = new ClaimsIdentity(newClaims, "Cookie");
var newPrincipal = new ClaimsPrincipal(identity);
context.ReplacePrincipal(newPrincipal);
//THIS IS IMPORTANT: This updates the cookie, otherwise this calc will be done every HTTP request
context.ShouldRenew = true;
}
}
public async Task ValidateAsync(CookieValidatePrincipalContext context)
{
if (context.Principal.Claims.Any(x => x.Type == PermissionConstants.PackedPermissionClaimType))
{
return;
}
//No permissions in the claims, so we need to add it. This is only happen once after the user has logged in
var extraContext = context.HttpContext.RequestServices.GetRequiredService <ExtraAuthorizeDbContext>();
var rtoPCalcer = new CalcAllowedPermissions(extraContext);
var dataKeyCalc = new CalcDataKey(extraContext);
var claims = new List <Claim>();
claims.AddRange(context.Principal.Claims); //Copy over existing claims
var userId = context.Principal.Claims.GetUserIdFromClaims();
//Now calculate the Permissions Claim value and add it
claims.Add(new Claim(PermissionConstants.PackedPermissionClaimType,
await rtoPCalcer.CalcPermissionsForUserAsync(userId)));
//and the same for the DataKey
claims.Add(new Claim(DataAuthConstants.HierarchicalKeyClaimName,
dataKeyCalc.CalcDataKeyForUser(userId)));
//Build a new ClaimsPrincipal and use it to replace the current ClaimsPrincipal
var identity = new ClaimsIdentity(claims, "Cookie");
var newPrincipal = new ClaimsPrincipal(identity);
context.ReplacePrincipal(newPrincipal);
//THIS IS IMPORTANT: This updates the cookie, otherwise this calc will be done every HTTP request
context.ShouldRenew = true;
}
public async Task ValidateAsync(CookieValidatePrincipalContext context)
{
var originalClaims = context.Principal.Claims.ToList();
var protectionProvider = context.HttpContext.RequestServices.GetService <IDataProtectionProvider>();
var impHandler = new ImpersonationHandler(context.HttpContext, protectionProvider, originalClaims);
var newClaims = new List <Claim>();
if (originalClaims.All(x => x.Type != PermissionConstants.PackedPermissionClaimType) ||
impHandler.ImpersonationChange)
{
//There is no PackedPermissionClaimType or there was a change in the impersonation state
var extraContext = context.HttpContext.RequestServices.GetRequiredService <ExtraAuthorizeDbContext>();
var rtoPCalcer = new CalcAllowedPermissions(extraContext);
var dataKeyCalc = new CalcDataKey(extraContext);
var userId = impHandler.GetUserIdForWorkingDataKey();
newClaims.AddRange(await BuildFeatureClaimsAsync(userId, rtoPCalcer));
newClaims.AddRange(BuildDataClaims(userId, dataKeyCalc));
newClaims.AddRange(RemoveUpdatedClaimsFromOriginalClaims(originalClaims, newClaims)); //Copy over unchanged claims
impHandler.AddOrRemoveImpersonationClaim(newClaims);
//Build a new ClaimsPrincipal and use it to replace the current ClaimsPrincipal
var identity = new ClaimsIdentity(newClaims, "Cookie");
var newPrincipal = new ClaimsPrincipal(identity);
context.ReplacePrincipal(newPrincipal);
//THIS IS IMPORTANT: This updates the cookie, otherwise this calc will be done every HTTP request
context.ShouldRenew = true;
}
}
private List <Claim> BuildDataClaims(string userId, CalcDataKey dataKeyCalc)
{
var claims = new List <Claim>
{
new Claim(DataAuthConstants.HierarchicalKeyClaimName, dataKeyCalc.CalcDataKeyForUser(userId))
};
return(claims);
}
protected override async Task <ClaimsIdentity> GenerateClaimsAsync(IdentityUser user)
{
var identity = await base.GenerateClaimsAsync(user);
var userId = identity.Claims.GetUserIdFromClaims();
var rtoPCalcer = new CalcAllowedPermissions(_extraAuthDbContext);
identity.AddClaim(new Claim(PermissionConstants.PackedPermissionClaimType, await rtoPCalcer.CalcPermissionsForUserAsync(userId)));
var dataKeyCalcer = new CalcDataKey(_extraAuthDbContext);
identity.AddClaim(new Claim(DataAuthConstants.HierarchicalKeyClaimName, dataKeyCalcer.CalcDataKeyForUser(userId)));
return(identity);
}
