public void Init()
{
_sm = new StaffMemberIndicator(SeedGuidFactory.Get("1"));
_ti = new TenancyIndicator(SeedGuidFactory.Get("1"));
_cii = new ClientInstanceIndicator(SeedGuidFactory.Get("1"));
_secKey = new StubSecurityKeyFactory("SecretKeySecretKeySecretKeySecretKeySecretKeySecretKeySecretKeySecretKey").SecurityKey;
}
public ValidatedJWTokenTestForgery(StaffMemberIndicator user, IEnumerable <SecurityAction> securityActions,
TenancyIndicator tenancy, ClientInstanceIndicator clientInstance, DateTime requestTime, bool hasExpiration)
{
var sskf = new StubSecurityKeyFactory("SecretKeySecretKeySecretKeySecretKeySecretKeySecretKeySecretKeySecretKey");
ACC = new AuthenticatedClientClaims {
Tenancy = tenancy,
User = user,
Client = clientInstance,
};
ACC.SecurityActions.UnionWith(securityActions);
RawTokenData = new JWToken(clientInstance, user, securityActions, tenancy, requestTime, hasExpiration,
sskf.SigningCredentials).SignedToken;
}
private void CreateToken(ClientInstanceIndicator client, StaffMemberIndicator user, IEnumerable <SecurityAction> securityActions,
TenancyIndicator tenancy, DateTime requestTime, bool hasExpiration, SigningCredentials creds)
{
var claims = new List <Claim> {
new Claim(JwtRegisteredClaimNames.Jti, Id.ToString()),
new Claim(UserIdKey, user.GuidID.ToString()),
new Claim(TenancyIdKey, tenancy.GuidID.ToString()),
new Claim(ClientIdKey, client.GuidID.ToString()),
new Claim(GrantsDocumentKey, JsonConvert.SerializeObject(securityActions.Select(x => x.ToString()).ToList())),
};
var expiry = hasExpiration
? requestTime.ToUniversalTime().AddMinutes(AccessTokenExpirationMinutes)
: (DateTime?)null;
var tok = new JwtSecurityToken(Issuer, Audience, claims, null, expiry, creds);
SignedToken = new JwtSecurityTokenHandler().WriteToken(tok);
}
public virtual async Task <SessionSvcStartSessionResult> StartSession(string candidateUsername, string candidatePassword
, ClientInstance clientInstance)
{
var clientInstanceIndicator = new ClientInstanceIndicator(_sp.ClientInstanceId);
if (clientInstance != null)
{
clientInstance.InstanceId = clientInstanceIndicator;
}
var startReq = new SessionSvcStartSessionRequest {
CandidateUsername = candidateUsername,
CandidatePassword = candidatePassword,
ClientInstanceId = clientInstanceIndicator,
OauthClientId = _clientId,
ClientInstance = clientInstance
};
// NOTE(DA) This section of the code has given me more grief than would be expected.
//
// Our gRPC server only uses SSL. We have one port open and it expects all incoming
// traffic to be SSL. This means our client has to speak SSL to the server.
//
// Somewhat annoyingly (though we'll grudgingly admit the safety benefits), gRPC is
// very opinionated in its use of SSL. There is only one way to get it to use SSL --
// supply a bearer credential -- which is exactly what we don't have, we're trying to
// get one with this call! (Chicken and egg problem).
//
// We resort to forgery to trick gRPC into using SSL. We keep this forged channel
// separate and use it only for authentication purposes, throwing it out after we use
// it here.
//
// We were originally keeping the channel around to avoid recreating it, but it's used
// pretty infrequently, which means (1) we don't care about performance and (2) it was
// sitting idle too long, and NAT rules were killing it off. Don't try it, we did it
// and it didn't work.
//
// Future: currently, we don't support "session multiplexing" -- users of this
// component (AppClient) start a single session, and expect it to stay open for the
// life of the client. We need session multiplexing for service-service communication
// where we have numerous security contexts existing side-by-side. We need to do some
// thinking on how to design an interface that facilitates both use cases without making
// either needlessly complicated. One option would be to force the client to suply a
// credential at call time, implementing an optional ApplicationClient-maintained
// "credential registry" or "session registry" that the client could use to retrieve
// the token at call-time, if desired.
var loginChannel = new Channel($"{_sp.AppSvcHostname}:{_sp.AppSvcPort}",
AccessToken.NullToken.ToChannelCredentials());
var ss = new SessionSvc.SessionSvcClient(loginChannel);
var sessionResponse = await ss.TryStartSessionAsync(startReq, new CallOptions(null, DateTime.UtcNow.AddSeconds(30)));
if (sessionResponse.Result == SessionSvcStartSessionResult.Success)
{
SS = new SessionService(sessionResponse.SessionContext);
StartServicesChannelRefresh(sessionResponse.SessionContext);
}
await loginChannel.ShutdownAsync();
return(sessionResponse.Result);
}
public JWToken(ClientInstanceIndicator client, StaffMemberIndicator user, IEnumerable <SecurityAction> securityActions,
TenancyIndicator tenancy, DateTime requestTime, bool hasExpiration, SigningCredentials creds)
{
Id = Guid.NewGuid();
CreateToken(client, user, securityActions, tenancy, requestTime, hasExpiration, creds);
}
