protected sealed override Task <HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
bool userIsAuthenticated = UserIsAuthenticated(request);
if (!_handleAnonymous && !userIsAuthenticated)
{
return(SendAsyncBranching(request, cancellationToken));
}
else
{
var context = new AuthenticatorSendContext()
{
Message = request,
AuthenticatedUser = userIsAuthenticated ? GetTicket(request).Principal : null,
AuthenticationProperties = userIsAuthenticated ? GetTicket(request).Properties : null
};
return(SendAsyncAuthenticator(context, cancellationToken));
}
}
protected override Task <HttpResponseMessage> SendAsyncAuthenticator(AuthenticatorSendContext context, CancellationToken cancellationToken)
{
var upnClaim = context.AuthenticatedUser.Claims.FirstOrDefault(c => c.Type == Options.DomainUpnClaimName);
string domainUserPrincipalName = upnClaim?.Value;
if (String.IsNullOrEmpty(domainUserPrincipalName))
{
throw new AuthenticatorException(Errors.Code.DomainUpnClaimMissing, "The domain identity claim is missing.");
}
WindowsIdentity domainIdentity = IdentityService.LogonUser(domainUserPrincipalName);
if (domainIdentity is null)
{
throw new AuthenticatorException(Errors.Code.DomainLogonFailed, "The domain identity could not be logged on to the domain.");
}
context.Message.Properties.Add("S4uIdentity", domainIdentity);
context.AuthenticatorProvidedUser = domainUserPrincipalName;
return(base.SendAsyncAuthenticator(context, cancellationToken));
}
public async Task Apply(AuthenticatorSendContext context, CancellationToken cancellationToken)
{
var user = context.AuthenticatedUser;
ExpressionGlobals globals = null;
if (_needsGlobals)
{
globals = new ExpressionGlobals();
globals.c = user.Claims.ToDictionary(c => c.Type, c => c.Value);
}
foreach (var applicator in _applicators)
{
string value = null;
if (applicator.UseBasicClaim)
{
value = user.Claims.FirstOrDefault(c => c.Type == applicator.Definition.ClaimName)?.Value;
if (String.IsNullOrEmpty(value) && applicator.Definition.Required)
{
_logger.LogError($"Failed to resolve required claim '{applicator.Definition.ClaimName}' on user '{user.Identity.Name}' for header '{applicator.Definition.HeaderName}'.");
throw new AuthenticatorException(Errors.Code.Unknown, "Missing required claims for authentication.");
}
}
else
{
bool computed = false;
try
{
value = await applicator.ExpressionRunner(globals, cancellationToken);
computed = true;
}
catch (TaskCanceledException)
{
throw;
}
catch (Exception e)
{
_logger.LogError(e, $"Failed to run expression on user '{user.Identity.Name}' for header '{applicator.Definition.HeaderName}'.");
}
if (String.IsNullOrEmpty(value) && applicator.Definition.Required)
{
if (computed)
{
throw new AuthenticatorException(Errors.Code.Unknown, "No value was computed for a required header for authentication.");
}
else
{
throw new AuthenticatorException(Errors.Code.Unknown, "Failed to compute required header for authentication.");
}
}
}
if (value == null)
{
if (context.Message.Headers.Contains(applicator.Definition.HeaderName))
{
context.Message.Headers.Remove(applicator.Definition.HeaderName);
}
}
else
{
context.Message.Headers.Add(applicator.Definition.HeaderName, value);
}
}
}
protected override async Task <HttpResponseMessage> SendAsyncAuthenticator(AuthenticatorSendContext context, CancellationToken cancellationToken)
{
await Authenticator.Apply(context, cancellationToken);
return(await base.SendAsyncAuthenticator(context, cancellationToken));
}
protected virtual Task <HttpResponseMessage> SendAsyncAuthenticator(AuthenticatorSendContext context, CancellationToken cancellationToken)
{
return(SendAsyncBranching(context.Message, cancellationToken));
}
