public static bool IsCountryAdministratorInCountry([NotNullWhen(true)] this ClaimsPrincipal?me, int?countryId) => me.IsGlobalAdministrator() || (me.IsCountryAdministrator() && countryId.HasValue && countryId.Value == me.CountryId());
public static bool MayUploadSkpDrawing(this ClaimsPrincipal?me) => me.GetBool(AppClaimTypes.MayUploadSkpDrawing);
public static bool IsAuthenticated([NotNullWhen(true)] this ClaimsPrincipal?me) => me.Any(AppClaimTypes.ObjectId);
public static int PersonId(this ClaimsPrincipal?me) => me.GetInt32(AppClaimTypes.PersonId);
public static bool IsDemo(this ClaimsPrincipal?me) => me.GetBool(AppClaimTypes.Demo);
internal abstract void BeforeInvokeController(ManagedConnection connection, ClaimsPrincipal?user);
public static string?ObjectId(this ClaimsPrincipal?me) => me?.GetString(AppClaimTypes.ObjectId);
public (CheckersAction?action, bool hasAction) GetRecommendedAction(CheckersState state, ClaimsPrincipal?user) => Rules.GetAutomaticAction(state);
private OperationContext CreateContext(ContentEntity content, ISchemaEntity contextSchema, ClaimsPrincipal? currentUser)
{
var serviceProvider =
new ServiceCollection()
.AddSingleton(contentRepository)
.AddSingleton(contentWorkflow)
.BuildServiceProvider();
return new OperationContext(serviceProvider)
{
Actor = actor,
App = Mocks.App(appId),
ContentProvider = () => content,
ContentId = content.Id,
Schema = contextSchema,
User = currentUser
};
}
public Task <(int Count, string Message, Module?Entity)> SaveAsync(ClaimsPrincipal?principal, Module entity) =>
public Task <IEnumerable <Module> > GetAllAsync(ClaimsPrincipal?principal) => GetAllAsync(principal, ModuleOwnershipRef.None);
public Task <Module?> FindByIdAsync(ClaimsPrincipal?principal, int id) => FindByIdAsync(principal, id, ModuleOwnershipRef.None);
private static async Task <bool> IsGroupOrDataAdministrator(ModulesDbContext dbContext, ClaimsPrincipal?principal, ModuleOwnershipRef ownerRef)
{
if (principal.IsGlobalAdministrator())
{
return(true);
}
if (principal.IsCountryAdministrator())
{
if (await dbContext.Groups.AnyAsync(g => g.Id == ownerRef.GroupId && g.CountryId == principal.CountryId()))
{
return(true);
}
}
return(await dbContext.GroupMembers.AsNoTracking()
.AnyAsync(gm => gm.GroupId == ownerRef.GroupId && gm.PersonId == principal.PersonId() && (gm.IsDataAdministrator || gm.IsGroupAdministrator)));
}
public static bool IsAnyAdministrator([NotNullWhen(true)] this ClaimsPrincipal?me) => me is not null && (me.IsGlobalAdministrator() || me.IsCountryAdministrator());
private static bool TryGetAuthenticatedPrincipal(
IDirectiveContext context,
out ClaimsPrincipal?principal)
public BaseRepository(CustomerManagementDbContext db,
IUserPrincipalAccessor userPrincipalAccessor)
{
_db = db;
_user = userPrincipalAccessor.User;
}
/// <summary> /// Verifies the principal's security stamp, returns the matching user if successful /// </summary> /// <param name="principal">The principal to verify.</param> /// <returns>The verified user or null if verification fails.</returns> protected override Task <TUser?> VerifySecurityStamp(ClaimsPrincipal?principal) => SignInManager.ValidateTwoFactorSecurityStampAsync(principal);
/// <summary>
/// Invoked to process incoming authentication messages.
/// </summary>
/// <returns></returns>
protected override async Task <HandleRequestResult> HandleRemoteAuthenticateAsync()
{
WsFederationMessage? wsFederationMessage = null;
AuthenticationProperties?properties = null;
// assumption: if the ContentType is "application/x-www-form-urlencoded" it should be safe to read as it is small.
if (HttpMethods.IsPost(Request.Method) &&
!string.IsNullOrEmpty(Request.ContentType)
// May have media/type; charset=utf-8, allow partial match.
&& Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase) &&
Request.Body.CanRead)
{
var form = await Request.ReadFormAsync(Context.RequestAborted);
// ToArray handles the StringValues.IsNullOrEmpty case. We assume non-empty Value does not contain null elements.
#pragma warning disable CS8620 // Argument cannot be used for parameter due to differences in the nullability of reference types.
wsFederationMessage = new WsFederationMessage(form.Select(pair => new KeyValuePair <string, string[]>(pair.Key, pair.Value.ToArray())));
#pragma warning restore CS8620 // Argument cannot be used for parameter due to differences in the nullability of reference types.
}
if (wsFederationMessage == null || !wsFederationMessage.IsSignInMessage)
{
if (Options.SkipUnrecognizedRequests)
{
// Not for us?
return(HandleRequestResult.SkipHandler());
}
return(HandleRequestResults.NoMessage);
}
try
{
// Retrieve our cached redirect uri
var state = wsFederationMessage.Wctx;
// WsFed allows for uninitiated logins, state may be missing. See AllowUnsolicitedLogins.
properties = Options.StateDataFormat.Unprotect(state);
if (properties == null)
{
if (!Options.AllowUnsolicitedLogins)
{
return(HandleRequestResults.UnsolicitedLoginsNotAllowed);
}
}
else
{
// Extract the user state from properties and reset.
properties.Items.TryGetValue(WsFederationDefaults.UserstatePropertiesKey, out var userState);
wsFederationMessage.Wctx = userState;
}
var messageReceivedContext = new MessageReceivedContext(Context, Scheme, Options, properties)
{
ProtocolMessage = wsFederationMessage
};
await Events.MessageReceived(messageReceivedContext);
if (messageReceivedContext.Result != null)
{
return(messageReceivedContext.Result);
}
wsFederationMessage = messageReceivedContext.ProtocolMessage;
properties = messageReceivedContext.Properties !; // Provides a new instance if not set.
// If state did flow from the challenge then validate it. See AllowUnsolicitedLogins above.
if (properties.Items.TryGetValue(CorrelationProperty, out string?correlationId) &&
!ValidateCorrelationId(properties))
{
return(HandleRequestResult.Fail("Correlation failed.", properties));
}
if (wsFederationMessage.Wresult == null)
{
Logger.SignInWithoutWResult();
return(HandleRequestResult.Fail(Resources.SignInMessageWresultIsMissing, properties));
}
var token = wsFederationMessage.GetToken();
if (string.IsNullOrEmpty(token))
{
Logger.SignInWithoutToken();
return(HandleRequestResult.Fail(Resources.SignInMessageTokenIsMissing, properties));
}
var securityTokenReceivedContext = new SecurityTokenReceivedContext(Context, Scheme, Options, properties)
{
ProtocolMessage = wsFederationMessage
};
await Events.SecurityTokenReceived(securityTokenReceivedContext);
if (securityTokenReceivedContext.Result != null)
{
return(securityTokenReceivedContext.Result);
}
wsFederationMessage = securityTokenReceivedContext.ProtocolMessage;
properties = messageReceivedContext.Properties !;
if (_configuration == null)
{
_configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);
}
// Copy and augment to avoid cross request race conditions for updated configurations.
var tvp = Options.TokenValidationParameters.Clone();
var issuers = new[] { _configuration.Issuer };
tvp.ValidIssuers = (tvp.ValidIssuers == null ? issuers : tvp.ValidIssuers.Concat(issuers));
tvp.IssuerSigningKeys = (tvp.IssuerSigningKeys == null ? _configuration.SigningKeys : tvp.IssuerSigningKeys.Concat(_configuration.SigningKeys));
ClaimsPrincipal?principal = null;
SecurityToken? parsedToken = null;
foreach (var validator in Options.SecurityTokenHandlers)
{
if (validator.CanReadToken(token))
{
principal = validator.ValidateToken(token, tvp, out parsedToken);
break;
}
}
if (principal == null)
{
throw new SecurityTokenException(Resources.Exception_NoTokenValidatorFound);
}
if (Options.UseTokenLifetime && parsedToken != null)
{
// Override any session persistence to match the token lifetime.
var issued = parsedToken.ValidFrom;
if (issued != DateTime.MinValue)
{
properties.IssuedUtc = issued.ToUniversalTime();
}
var expires = parsedToken.ValidTo;
if (expires != DateTime.MinValue)
{
properties.ExpiresUtc = expires.ToUniversalTime();
}
properties.AllowRefresh = false;
}
var securityTokenValidatedContext = new SecurityTokenValidatedContext(Context, Scheme, Options, principal, properties)
{
ProtocolMessage = wsFederationMessage,
SecurityToken = parsedToken,
};
await Events.SecurityTokenValidated(securityTokenValidatedContext);
if (securityTokenValidatedContext.Result != null)
{
return(securityTokenValidatedContext.Result);
}
// Flow possible changes
principal = securityTokenValidatedContext.Principal !;
properties = securityTokenValidatedContext.Properties;
return(HandleRequestResult.Success(new AuthenticationTicket(principal, properties, Scheme.Name)));
}
catch (Exception exception)
{
Logger.ExceptionProcessingMessage(exception);
// Refresh the configuration for exceptions that may be caused by key rollovers. The user can also request a refresh in the notification.
if (Options.RefreshOnIssuerKeyNotFound && exception is SecurityTokenSignatureKeyNotFoundException)
{
Options.ConfigurationManager.RequestRefresh();
}
var authenticationFailedContext = new AuthenticationFailedContext(Context, Scheme, Options)
{
ProtocolMessage = wsFederationMessage,
Exception = exception
};
await Events.AuthenticationFailed(authenticationFailedContext);
if (authenticationFailedContext.Result != null)
{
return(authenticationFailedContext.Result);
}
return(HandleRequestResult.Fail(exception, properties));
}
}
public static ClaimsPrincipal MergeUserPrincipal(ClaimsPrincipal?existingPrincipal, ClaimsPrincipal?additionalPrincipal)
{
var newPrincipal = new ClaimsPrincipal();
// New principal identities go first
if (additionalPrincipal != null)
{
newPrincipal.AddIdentities(additionalPrincipal.Identities);
}
// Then add any existing non empty or authenticated identities
if (existingPrincipal != null)
{
newPrincipal.AddIdentities(existingPrincipal.Identities.Where(i => i.IsAuthenticated || i.Claims.Any()));
}
return(newPrincipal);
}
public BaseRepository(CustomDbContext db,
IUserPrincipalAccessor userPrincipalAccessor)
{
_db = db;
_user = userPrincipalAccessor?.User;
}
public static int UserId(this ClaimsPrincipal?me) => me.GetInt32(AppClaimTypes.UserId);
//TODO: 做好详细的历史纪录,各个阶段都要打log。一有风吹草动,就立马删除SignInToken
/// <returns>新的AccessToken</returns>
public async Task <string> RefreshAccessTokenAsync(RefreshContext context, string lastUser)
where User : User, new()
where TUserClaim : UserClaim, new()
where TRole : Role, new()
where TRoleOfUser : RoleOfUser, new()
{
ThrowIf.NotValid(context);
//解决并发涌入
using IDistributedLock distributedLock = await _lockManager.NoWaitLockAsync(
nameof (RefreshAccessTokenAsync) + context.DeviceId,
_options.RefreshIntervalTimeSpan).ConfigureAwait(false);
if (!distributedLock.IsAcquired)
{
throw new AuthorizationException(ErrorCode.AuthorizationTooFrequent, $"Context:{SerializeUtil.ToJson(context)}");
}
//AccessToken, Claims 验证
ClaimsPrincipal?claimsPrincipal = null;
try
{
claimsPrincipal = ValidateTokenWithoutLifeCheck(context);
}
catch (Exception ex)
{
throw new AuthorizationException(ErrorCode.AuthorizationInvalideAccessToken, $"Context: {SerializeUtil.ToJson(context)}", ex);
}
//TODO: 这里缺DeviceId验证. 放在了StartupUtil.cs中
if (claimsPrincipal == null)
{
//TODO: Black concern SigninToken by RefreshToken
throw new AuthorizationException(ErrorCode.AuthorizationInvalideAccessToken, $"Context: {SerializeUtil.ToJson(context)}");
}
if (claimsPrincipal.GetDeviceId() != context.DeviceId)
{
throw new AuthorizationException(ErrorCode.AuthorizationInvalideDeviceId, $"Context: {SerializeUtil.ToJson(context)}");
}
string?userGuid = claimsPrincipal.GetUserGuid();
if (string.IsNullOrEmpty(userGuid))
{
throw new AuthorizationException(ErrorCode.AuthorizationInvalideUserGuid, $"Context: {SerializeUtil.ToJson(context)}");
}
//SignInToken 验证
User? user;
SignInToken?signInToken;
//TransactionContext transactionContext = await _transaction.BeginTransactionAsync<SignInToken>().ConfigureAwait(false);
try
{
signInToken = await _signInTokenBiz.GetAsync(
claimsPrincipal.GetSignInTokenGuid(),
context.RefreshToken,
context.DeviceId,
userGuid,
).ConfigureAwait(false);
if (signInToken == null || signInToken.Blacked)
{
//await _database.RollbackAsync(transactionContext).ConfigureAwait(false);
throw new AuthorizationException(ErrorCode.AuthorizationNoTokenInStore, $"Refresh token error. signInToken not saved in db. ");
}
//验证SignInToken过期问题
if (signInToken.ExpireAt < DateTimeOffset.UtcNow)
{
//await _transaction.RollbackAsync(transactionContext).ConfigureAwait(false);
await BlackSignInTokenAsync(signInToken, lastUser).ConfigureAwait(false);
throw new AuthorizationException(ErrorCode.AuthorizationRefreshTokenExpired, $"Refresh Token Expired.");
}
// User 信息变动验证
user = await _identityService.GetUserByUserGuidAsync(userGuid).ConfigureAwait(false);
if (user == null || user.SecurityStamp != claimsPrincipal.GetUserSecurityStamp())
{
//await _transaction.RollbackAsync(transactionContext).ConfigureAwait(false);
await BlackSignInTokenAsync(signInToken, lastUser).ConfigureAwait(false);
throw new AuthorizationException(ErrorCode.AuthorizationUserSecurityStampChanged, $"Refresh token error. User SecurityStamp Changed.");
}
// 更新SignInToken
signInToken.RefreshCount++;
await _signInTokenBiz.UpdateAsync(signInToken, lastUser, transactionContext).ConfigureAwait(false);
await _transaction.CommitAsync(transactionContext).ConfigureAwait(false);
}
catch
{
await _transaction.RollbackAsync(transactionContext).ConfigureAwait(false);
throw;
}
// 发布新的AccessToken
return(await _jwtBuilder.BuildJwtAsync(user, signInToken, claimsPrincipal.GetAudience()).ConfigureAwait(false));
}
public static int CountryId(this ClaimsPrincipal?me) => me.GetInt32(AppClaimTypes.CountryId);
/// <inheritdoc/>
#pragma warning disable CS1998 // Async method lacks 'await' operators and will run synchronously
public async Task <AuthenticationResult> GetAuthenticationResultForUserAsync(IEnumerable <string> scopes, string?tenantId = null, string?userFlow = null, ClaimsPrincipal?user = null, TokenAcquisitionOptions?tokenAcquisitionOptions = null)
{
throw new NotImplementedException();
}
public static bool IsReadOnly(this ClaimsPrincipal?me) => me.GetBool(AppClaimTypes.ReadOnly);
/// <summary> /// Verifies the principal's security stamp, returns the matching user if successful /// </summary> /// <param name="principal">The principal to verify.</param> /// <returns>The verified user or null if verification fails.</returns> protected virtual Task <TUser?> VerifySecurityStamp(ClaimsPrincipal?principal) => SignInManager.ValidateSecurityStampAsync(principal);
public static bool IsLatestTermsOfUseAccepted([NotNullWhen(true)] this ClaimsPrincipal?me) => me.Any(AppClaimTypes.LastTermsOfUseAcceptTime);
private ContentOperation Operation(ContentEntity content, ISchemaEntity operationSchema, ClaimsPrincipal?currentUser)
{
var serviceProvider =
new ServiceCollection()
.AddSingleton(contentRepository)
.AddSingleton(contentWorkflow)
.BuildServiceProvider();
return(new ContentOperation(serviceProvider, () => content)
{
App = Mocks.App(appId),
Command = new CreateContent {
User = currentUser, Actor = actor
},
CommandId = content.Id,
Schema = operationSchema
});
}
public static bool IsCountryAdministrator([NotNullWhen(true)] this ClaimsPrincipal?me) => me.Any(AppClaimTypes.CountryAdministrator);
public async Task <(int Count, string Message, ModuleGableType?Entity)> SaveAsync(ClaimsPrincipal?principal, ModuleGableType entity)
{
if (principal.IsAnyAdministrator())
{
var dbContext = Factory.CreateDbContext();
var existing = await dbContext.ModuleGableTypes.FindAsync(entity.Id);
if (existing is null)
{
dbContext.ModuleGableTypes.Add(entity);
}
else
{
dbContext.Entry(existing).CurrentValues.SetValues(entity);
if (dbContext.Entry(existing).State == EntityState.Unchanged)
{
return((-1).SaveResult(existing));
}
}
var result = await dbContext.SaveChangesAsync();
return(result.SaveResult(existing ?? entity));
}
return(principal.SaveNotAuthorised <ModuleGableType>());
}