public static async Task <IActionResult> DfmServeStaticsFunction(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = StaticsRoute)] HttpRequest req,
string p1,
string p2,
string p3,
ExecutionContext context,
ILogger log
)
{
return(await req.HandleErrors(log, async() => {
// Checking nonce, if it was set as an env variable.
// Don't care about return value of this method here.
Auth.IsNonceSetAndValid(req.Headers);
// Two bugs away. Making sure none of these segments ever contain any path separators and/or relative paths
string path = Path.Join(Path.GetFileName(p1), Path.GetFileName(p2), Path.GetFileName(p3));
string root = Path.Join(context.FunctionAppDirectory, "DfmStatics");
var contentType = FileMap.FirstOrDefault((kv => path.StartsWith(kv[0])));
if (contentType != null)
{
string fullPath = Path.Join(root, path);
if (!File.Exists(fullPath))
{
return new NotFoundResult();
}
return new FileStreamResult(File.OpenRead(fullPath), contentType[1])
{
LastModified = File.GetLastWriteTimeUtc(fullPath)
};
}
// Adding anti-forgery token
using (var generator = RandomNumberGenerator.Create())
{
var bytes = new byte[64];
generator.GetBytes(bytes);
string token = Convert.ToBase64String(bytes);
req.HttpContext.Response.Cookies
.Append(Globals.XsrfTokenCookieAndHeaderName, token, new CookieOptions {
HttpOnly = false
});
}
// Returning index.html by default, to support client routing
return await ReturnIndexHtml(context, log, root, p1);
}));
}
public static Task <IActionResult> DfmGetEasyAuthConfigFunction(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "a/p/i/easyauth-config")] HttpRequest req,
ILogger log
)
{
return(req.HandleErrors(log, async() => {
// Checking nonce, if it was set as an env variable.
// Don't care about return value of this method here.
Auth.IsNonceSetAndValid(req.Headers);
string siteName = Environment.GetEnvironmentVariable(EnvVariableNames.WEBSITE_SITE_NAME);
string clientId = Environment.GetEnvironmentVariable(EnvVariableNames.WEBSITE_AUTH_CLIENT_ID);
// When deployed to Azure, this tool should always be protected by EasyAuth
if (!string.IsNullOrEmpty(siteName) && string.IsNullOrEmpty(clientId) && !DfmEndpoint.Settings.DisableAuthentication)
{
log.LogError($"You need to configure EasyAuth for your '{siteName}' instance. This tool should never be exposed to the world without authentication.");
return new UnauthorizedResult();
}
string unauthenticatedAction = Environment.GetEnvironmentVariable(EnvVariableNames.WEBSITE_AUTH_UNAUTHENTICATED_ACTION);
if (unauthenticatedAction == Auth.UnauthenticatedActionRedirectToLoginPage)
{
// Assuming it is the server-directed login flow to be used
// and returning just the user name (to speed up login process)
var userNameClaim = req.HttpContext.User?.FindFirst(DfmEndpoint.Settings.UserNameClaimName);
return new { userName = userNameClaim?.Value }.ToJsonContentResult();
}
// Trying to get tenantId from WEBSITE_AUTH_OPENID_ISSUER environment variable
string tenantId = "common";
string openIdIssuer = Environment.GetEnvironmentVariable(EnvVariableNames.WEBSITE_AUTH_OPENID_ISSUER);
if (!string.IsNullOrEmpty(openIdIssuer))
{
var match = GuidRegex.Match(openIdIssuer);
if (match.Success)
{
tenantId = match.Groups[1].Value;
}
}
return new { clientId, authority = "https://login.microsoftonline.com/" + tenantId }.ToJsonContentResult();
}));
}
