public void OnAuthentication(AuthenticationContext filterContext)
{
var cookies = filterContext.HttpContext.Request.Cookies;
IPrincipal principal = null;
var cookieContext = cookies[Security.Constants.CookieName];
if (cookieContext != null)
{
var authService = this.Container.Resolve <IAuthService>();
var user = authService.GetUserFromCookie(cookieContext);
if (user != null)
{
IIdentity identity = new IndentityUser(user.Login);
principal = new IdentityPrincipal(identity);
}
}
if (principal == null)
{
IIdentity user = new AnonymousUser();
principal = new IdentityPrincipal(user);
}
filterContext.Principal = principal;
filterContext.HttpContext.User = principal;
Thread.CurrentPrincipal = principal;
}
public async Task CertificateSetGetTest()
{
IWorkContext context = _workContext.WithMethodName();
var identityRepository = new IdentityInMemoryStore()
.Set(_workContext, new IdentityPrincipal(new PrincipalId("*****@*****.**"), IdentityPrincipalType.User).With(new ApiKey("API Key1", DateTime.UtcNow.AddYears(1))))
.Set(_workContext, new IdentityPrincipal(new PrincipalId("*****@*****.**"), IdentityPrincipalType.User).With(new ApiKey("API Key2", DateTime.UtcNow.AddYears(1))));
var builder = new ContainerBuilder();
builder.RegisterModule(new IdentityActorAutoFacModule());
builder.RegisterInstance(identityRepository).As <IIdentityStore>();
ILifetimeScope container = builder.Build();
IActorManager manager = new ActorConfigurationBuilder()
.AddIdentityModule(container)
.Build()
.ToActorManager();
using (ILifetimeScope scopeContainer = container.BeginLifetimeScope())
using (manager)
{
IIdentityActor clientActor1 = await manager.CreateProxyAsync <IIdentityActor>(context, new ActorKey("*****@*****.**"));
IdentityPrincipal client1 = await clientActor1.Get(context);
client1.Should().NotBeNull();
client1.PrincipalId.Value.Should().Be("*****@*****.**");
client1.ApiKey.Value.Should().Be("API Key1");
IIdentityActor clientActor2 = await manager.CreateProxyAsync <IIdentityActor>(context, new ActorKey("*****@*****.**"));
IdentityPrincipal client2 = await clientActor2.Get(context);
client2.Should().NotBeNull();
client2.PrincipalId.Value.Should().Be("*****@*****.**");
client2.ApiKey.Value.Should().Be("API Key2");
await clientActor2.Remove(context);
(await clientActor2.Get(context)).Should().BeNull();
identityRepository.Get(context, new PrincipalId("*****@*****.**")).Should().BeNull();
await clientActor2.Set(context, new IdentityPrincipal(new PrincipalId("*****@*****.**"), IdentityPrincipalType.User));
(await clientActor2.Get(context)).Should().NotBeNull();
identityRepository.Get(context, new PrincipalId("*****@*****.**")).Should().NotBeNull();
}
await Verify.AssertExceptionAsync <ArgumentException>(async() => await manager.DeactivateAllAsync(_workContext));
}
public async Task Invoke(HttpContext httpContext)
{
RequestContext requestContext = httpContext.Items.Get <RequestContext>();
IWorkContext context = (requestContext.Context ?? WorkContext.Empty).WithTag(_tag);
// Does the request has an authorization header
string authorizationValue = httpContext.Request.Headers["Authorization"];
if (authorizationValue.IsEmpty())
{
await _next(httpContext);
return;
}
// Get authorization parts
AuthenticationHeaderValue authorization;
if (!AuthenticationHeaderValue.TryParse(authorizationValue, out authorization) || authorization.Scheme != "hmac")
{
await _next(httpContext);
return;
}
AspMvcEventSource.Log.Verbose(context, $"Authorization {authorization.Parameter}");
string[] signatureParts = authorization.Parameter.Split(':');
if (signatureParts.Length != 2)
{
httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return;
}
// Lookup the credential
IdentityPrincipal identity = await _identityRepository.GetAsync(context, new PrincipalId(signatureParts[0]));
if (identity == null || identity.ApiKey == null || identity.ApiKey.HasExpired)
{
httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return;
}
// Try get date
RequestHeaders requestHeaders = httpContext.Request.GetTypedHeaders();
HmacSignature hmac = new HmacSignature(_hmacConfiguration);
Uri url = new Uri(httpContext.Request.GetEncodedUrl());
IEnumerable <KeyValuePair <string, IEnumerable <string> > > headers = httpContext.Request.Headers.Select(x => new KeyValuePair <string, IEnumerable <string> >(x.Key, x.Value));
// Validate HMAC signature
if (!hmac.ValidateSignature(context, authorization.Parameter, identity.ApiKey.Value, httpContext.Request.Method, url, headers, requestHeaders.Date))
{
httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return;
}
// Set identity of the caller
httpContext.Items.Set(new HmacIdentity(authorization.Parameter));
// Next
await _next(httpContext);
}
/// <summary>
/// Create JWT token for access to server
/// </summary>
/// <param name="context">context</param>
/// <param name="requestToken"></param>
/// <returns></returns>
public async Task <string> CreateAutorizationToken(IWorkContext context, string requestToken)
{
Verify.IsNotNull(nameof(context), context);
Verify.IsNotEmpty(nameof(requestToken), requestToken);
context = context.WithTag(_tag);
var certificateList = new List <X509Certificate2>();
foreach (var item in _configuration.TokenAuthorizationRequestCertificateKeys)
{
certificateList.Add(await _certificateRepository.GetCertificate(context, item, true));
}
JwtTokenParser requestTokenParser = new JwtTokenParserBuilder()
.AddCertificates(certificateList)
.AddValidIssuers(_configuration.ValidIssuers)
.Build();
JwtTokenDetails details = requestTokenParser.Parse(context, requestToken);
if (details == null || details.JwtSecurityToken.Payload.Sub.IsEmpty())
{
NetEventSource.Log.Verbose(context, "Payload.Sub is empty");
return(null);
}
IdentityPrincipal identity = await _identityRepository.GetAsync(context, new PrincipalId(details.JwtSecurityToken.Payload.Sub));
// If JWT subject is a valid issuer, then this should be a service principal
if (_configuration.ValidIssuers.Any(x => x == details.JwtSecurityToken.Payload.Sub))
{
if (identity == null)
{
identity = new IdentityPrincipal(new PrincipalId(details.JwtSecurityToken.Payload.Sub), IdentityPrincipalType.Service);
}
else
{
if (identity.PrincipalType != IdentityPrincipalType.Service)
{
NetEventSource.Log.Verbose(context, $"Identity {details.JwtSecurityToken.Payload.Sub} is not a service principal");
return(null);
}
}
}
else
{
// Identity principal does not exist
if (identity == null)
{
NetEventSource.Log.Verbose(context, $"Identity {details.JwtSecurityToken.Payload.Sub} does not exist");
return(null);
}
}
DateTime expires = DateTime.UtcNow + _configuration.TokenAuthorization.GoodFor;
identity = identity.With(ApiKey.CreateApiKey(expires));
await _identityRepository.SetAsync(context, identity);
X509Certificate2 certificate = await _certificateRepository.GetCertificate(
context,
_configuration.TokenAuthorization.AuthorizationSigningCertificateKey,
throwOnNotFound : true);
string token = new JwtTokenBuilder()
.AddSubject(identity.PrincipalId)
.SetAudience(_configuration.TokenAuthorization.Audience)
.SetIssuer(_configuration.TokenAuthorization.Issuer)
.SetExpires(expires)
.SetIssuedAt(DateTime.Now)
.SetWebKey(identity.ApiKey.Value)
.SetCertificate(certificate)
.Build();
return(token);
}
