public async Task OnAuthorization(AuthorizationFilterContext filterContext)
{
var gatewayAppConfig = AppConfig.Options.ApiGetWay;
if (filterContext.Route != null && filterContext.Route.ServiceDescriptor.DisableNetwork())
{
filterContext.Result = new HttpResultMessage <object> {
IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.RequestError, Message = "Request error"
}
}
;
else
{
if (filterContext.Route != null && filterContext.Route.ServiceDescriptor.EnableAuthorization())
{
if (filterContext.Route.ServiceDescriptor.AuthType() == AuthorizationType.JWT.ToString())
{
var author = filterContext.Context.Request.Headers["Authorization"];
if (author.Count > 0)
{
var isSuccess = await _authorizationServerProvider.ValidateClientAuthentication(author);
if (!isSuccess)
{
filterContext.Result = new HttpResultMessage <object> {
IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.UnAuthentication, Message = "Invalid authentication credentials"
};
}
else
{
var payload = _authorizationServerProvider.GetPayload(author);
RpcContext.GetContext().SetAttachment("payload", payload);
}
}
else
{
filterContext.Result = new HttpResultMessage <object> {
IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.UnAuthentication, Message = "Invalid authentication credentials"
}
};
}
}
}
if (String.Compare(filterContext.Path.ToLower(), gatewayAppConfig.TokenEndpointPath, true) == 0)
{
filterContext.Context.Items.Add("path", gatewayAppConfig.AuthorizationRoutePath);
}
}
}
public async Task <(bool, ServiceResult <object>)> ValidateJwtAuthentication(ServiceRoute route, Dictionary <string, object> model)
{
var result = ServiceResult <object> .Create(false, null);
bool isSuccess = true;
var author = HttpContext.Request.Headers["Authorization"];
if (author.Count > 0)
{
isSuccess = await _authorizationServerProvider.ValidateClientAuthentication(author);
if (!isSuccess)
{
result = new ServiceResult <object> {
IsSucceed = false, StatusCode = Surging.Core.CPlatform.Exceptions.StatusCode.UnAuthentication, Message = "Invalid authentication credentials"
};
}
else
{
var payload = _authorizationServerProvider.GetPayload(author);
RpcContext.GetContext().SetAttachment("payload", payload);
if (model.Count > 0)
{
var keyValue = model.FirstOrDefault();
if (!(keyValue.Value is IConvertible) || !typeof(IConvertible).GetTypeInfo().IsAssignableFrom(keyValue.Value.GetType()))
{
dynamic instance = keyValue.Value;
instance.Payload = payload;
model.Remove(keyValue.Key);
model.Add(keyValue.Key, instance);
}
}
}
}
else
{
result = new ServiceResult <object> {
IsSucceed = false, StatusCode = Surging.Core.CPlatform.Exceptions.StatusCode.RequestError, Message = "Request error"
};
isSuccess = false;
}
return(isSuccess, result);
}
public async Task OnAuthorization(AuthorizationFilterContext filterContext)
{
var gatewayAppConfig = AppConfig.Options.ApiGetWay;
if (filterContext.Route != null && filterContext.Route.ServiceDescriptor.DisableNetwork())
{
var actionName = filterContext.Route.ServiceDescriptor.GroupName().IsNullOrEmpty()
? filterContext.Route.ServiceDescriptor.RoutePath
: filterContext.Route.ServiceDescriptor.GroupName();
filterContext.Result = new HttpResultMessage <object>
{
IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.UnAuthorized,
Message = $"{actionName}禁止被外网访问"
};
}
else
{
var token = filterContext.Context.Request.Headers["Authorization"];
if (filterContext.Route != null)
{
if (filterContext.Route.ServiceDescriptor.AuthType() == AuthorizationType.JWT.ToString())
{
if (token.Any() && token.Count >= 1)
{
var validateResult = _authorizationServerProvider.ValidateClientAuthentication(token);
if (filterContext.Route.ServiceDescriptor.EnableAuthorization() &&
validateResult != ValidateResult.Success)
{
if (validateResult == ValidateResult.TokenFormatError)
{
filterContext.Result = new HttpResultMessage <object>
{
IsSucceed = false,
StatusCode = CPlatform.Exceptions.StatusCode.UnAuthentication,
Message = "token格式不正确"
};
return;
}
if (validateResult == ValidateResult.SignatureError)
{
filterContext.Result = new HttpResultMessage <object>
{
IsSucceed = false,
StatusCode = CPlatform.Exceptions.StatusCode.UnAuthentication,
Message = "token凭证不合法,请重新登录"
};
return;
}
if (validateResult == ValidateResult.TokenExpired)
{
filterContext.Result = new HttpResultMessage <object>
{
IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.TokenExpired,
Message = "登录超时,请重新登录"
};
return;
}
}
var payload = _authorizationServerProvider.GetPayload(token);
var claimsIdentity = new ClaimsIdentity();
foreach (var item in payload)
{
claimsIdentity.AddClaim(new Claim(item.Key, item.Value.ToString()));
}
if (!gatewayAppConfig.AuthorizationRoutePath.IsNullOrEmpty() &&
filterContext.Route.ServiceDescriptor.EnableAuthorization())
{
var rpcParams = new Dictionary <string, object>()
{
{ "serviceId", filterContext.Route.ServiceDescriptor.Id }
};
var authorizationRoutePath =
await _serviceRouteProvider.GetRouteByPathOrRegexPath(
gatewayAppConfig.AuthorizationRoutePath, HttpMethod.POST.ToString());
if (authorizationRoutePath == null)
{
filterContext.Result = new HttpResultMessage <object>
{
IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.RequestError,
Message = "没有找到实现接口鉴权的WebApi的路由信息"
};
return;
}
foreach (var kv in payload)
{
RpcContext.GetContext().SetAttachment(kv.Key, kv.Value);
}
var checkPermissionResult =
await _serviceProxyProvider.Invoke <IDictionary <string, object> >(rpcParams,
gatewayAppConfig.AuthorizationRoutePath, HttpMethod.POST,
gatewayAppConfig.AuthorizationServiceKey);
if (checkPermissionResult == null || !checkPermissionResult.ContainsKey("isPermission"))
{
filterContext.Result = new HttpResultMessage <object>
{
IsSucceed = false, StatusCode = StatusCode.UnAuthorized,
Message = $"接口鉴权返回数据格式错误,鉴权接口返回数据格式必须为字典,且必须包含IsPermission的key"
};
return;
}
var isPermission = Convert.ToBoolean(checkPermissionResult["isPermission"]);
if (!isPermission)
{
var actionName = filterContext.Route.ServiceDescriptor.GroupName().IsNullOrEmpty()
? filterContext.Route.ServiceDescriptor.RoutePath
: filterContext.Route.ServiceDescriptor.GroupName();
filterContext.Result = new HttpResultMessage <object>
{
IsSucceed = false, StatusCode = StatusCode.UnAuthorized,
Message = $"没有请求{actionName}的权限"
};
return;
}
foreach (var kv in checkPermissionResult)
{
if (kv.Key == "isPermission")
{
continue;
}
if (kv.Value == null)
{
continue;
}
claimsIdentity.AddClaim(new Claim(kv.Key, kv.Value.ToString()));
}
}
filterContext.Context.User = new ClaimsPrincipal(claimsIdentity);
}
else
{
if (filterContext.Route.ServiceDescriptor.EnableAuthorization())
{
filterContext.Result = new HttpResultMessage <object>
{
IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.UnAuthentication,
Message = $"请先登录系统"
};
return;
}
else
{
filterContext.Context.User = null;
}
}
}
else
{
if (filterContext.Route.ServiceDescriptor.EnableAuthorization())
{
filterContext.Result = new HttpResultMessage <object>
{
IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.UnAuthentication,
Message = $"暂不支持{filterContext.Route.ServiceDescriptor.AuthType()}类型的身份认证方式"
};
}
}
}
}
if (string.Compare(filterContext.Path.ToLower(), gatewayAppConfig.TokenEndpointPath, true) == 0)
{
filterContext.Context.Items.Add("path", gatewayAppConfig.AuthenticationRoutePath);
}
}