Example #1
0
 public static void AddFlexAuthentication(this OpenApiDocument document, IServiceIdentity serviceIdentity)
 {
     document.Components.SecuritySchemes.Add("openid", new OpenApiSecurityScheme
     {
         // swagger-ui doesn't support native OpenIdConnect yet
         Type        = OpenApiSecuritySchemeType.OAuth2,
         Description = "Portal Authentication",
         Flows       = new OpenApiOAuthFlows
         {
             AuthorizationCode = new OpenApiOAuthFlow
             {
                 AuthorizationUrl = serviceIdentity.IdentityProvider + "/oauth2/v2.0/authorize",
                 TokenUrl         = serviceIdentity.IdentityProvider + "/oauth2/v2.0/token",
                 Scopes           = new Dictionary <string, string>
                 {
                     { "openid", "OpenID Connect" },
                     { "profile", "User Profile" },
                     { "email", "E-Mail" }
                 }
             }
         }
     });
     document.Security.Add(new OpenApiSecurityRequirement
     {
         { "openid", Array.Empty <string>() }
     });
 }
Example #2
0
        public async Task NotifyAsync(EventMessage message)
        {
            try
            {
                _ = message ?? throw new ArgumentNullException(nameof(message));

                State.MessageCount++;
                State.ByteCount           += message.Message.LongLength;
                State.LastMessageTimestamp = DateTime.UtcNow;

                if (!string.IsNullOrEmpty(State.Metadata.NotifyAddress))
                {
                    if (sink == null && !EventSinkFactory.IsInitialized)
                    {
                        IServiceIdentity identity  = GrainFactory.GetGrain <IServiceIdentity>("PiraeusIdentity");
                        byte[]           certBytes = await identity.GetCertificateAsync();

                        List <KeyValuePair <string, string> > kvps = await identity.GetClaimsAsync();

                        X509Certificate2 certificate = certBytes == null ? null : new X509Certificate2(certBytes);
                        List <Claim>     claims      = GetClaims(kvps);

                        sink             = EventSinkFactory.Create(State.Metadata, claims, certificate);
                        sink.OnResponse += Sink_OnResponse;
                    }

                    await sink.SendAsync(message);
                }
                else if (State.MessageLeases.Count > 0)
                {
                    foreach (var observer in State.MessageLeases.Values)
                    {
                        observer.Notify(message);
                    }
                }
                else
                {
                    if (State.Metadata.DurableMessaging && State.Metadata.TTL.HasValue)
                    {
                        await QueueDurableMessageAsync(message);
                    }
                    else
                    {
                        await QueueInMemoryMessageAsync(message);
                    }
                }

                await NotifyMetricsAsync();
            }
            catch (Exception ex)
            {
                await logger?.LogErrorAsync(ex, "Subscription notify.");
                await NotifyErrorAsync(ex);

                throw;
            }
        }
Example #3
0
        private bool InitializeDSTSObjects()
        {
            //initialize objects first and then update member variables under lock to reduce lock duration
            string claimsAuth = this.configStore.ReadUnencryptedString(SecuritySection, ClaimsAuthEnabledKey);

            if (Boolean.TryParse(claimsAuth, out this.claimsAuthEnabled) &&
                this.claimsAuthEnabled &&
                this.configStore.GetSections(this.configSection).Count > 0)
            {
                var settings = new DSTSSettings(configSection);
                settings.LoadSettings(this.configStore);
                IServerHomeDsts serverHomeDsts = new ServerHomeDsts(new Uri(settings.DSTSRealm), settings.DSTSDnsName);

                IServiceIdentity serviceIdentity = new ServiceIdentity(settings.ServiceDnsName, settings.ServiceName);
                var configuration = new DatacenterServiceConfiguration(serverHomeDsts, serviceIdentity);
                WebSecurityTokenAuthenticator tokenAuthenticator = new WebSecurityTokenAuthenticator(configuration);

                ServerAuthenticationProvider authenticationProvider = new ServerAuthenticationProvider(configuration);
                if (!this.reloadLock.TryEnterWriteLock(DSTSObjectManager.LockTimeout))
                {
                    TokenValidationServiceFactory.TraceSource.WriteWarning(
                        DSTSObjectManager.TraceType,
                        "Failed to obtain write lock on InitializeDSTSObjects");
                    return(false);
                }
                bool retval = false;
                try
                {
                    this.settings               = settings;
                    this.serverHomeDsts         = serverHomeDsts;
                    this.serviceIdentity        = serviceIdentity;
                    this.tokenAuthenticator     = tokenAuthenticator;
                    this.authenticationProvider = authenticationProvider;

                    retval = true;
                    TokenValidationServiceFactory.TraceSource.WriteInfo(
                        DSTSObjectManager.TraceType,
                        "DSTSSettings and DSTSObjects initialized for ServiceName {0}",
                        this.settings.ServiceName);
                }
                finally
                {
                    this.reloadLock.ExitWriteLock();
                }
                return(retval);
            }
            else
            {
                TokenValidationServiceFactory.TraceSource.WriteWarning(
                    DSTSObjectManager.TraceType,
                    "TVS is in disabled mode because section {0} key {1} has value {2}",
                    SecuritySection,
                    ClaimsAuthEnabledKey,
                    claimsAuth);
                return(true);
            }
        }
Example #4
0
 public static void AddFlexAuthentication(this SwaggerUi3Settings settings, IServiceIdentity serviceIdentity)
 {
     settings.OAuth2Client = new OAuth2ClientSettings
     {
         AppName      = serviceIdentity.ClientId,
         ClientId     = serviceIdentity.ClientId,
         ClientSecret = string.Empty,
         UsePkceWithAuthorizationCodeGrant = true
     };
 }
Example #5
0
        private async Task SetCertificateAsync()
        {
            IServiceIdentity identity = GraphManager.GetServiceIdentity("PiraeusIdentity");

            byte[] certBytes = await identity.GetCertificateAsync();

            if (certBytes != null)
            {
                certificate = new X509Certificate2(certBytes);
            }
        }
Example #6
0
        public async Task AddServiceIdentityCertificateAsync(string key, string path, string password)
        {
            IServiceIdentity identity = GetServiceIdentity(key);
            X509Certificate2 cert     = new X509Certificate2(path, password);

            if (cert != null)
            {
                byte[] certBytes = cert.Export(X509ContentType.Pfx, password);
                await identity.AddCertificateAsync(certBytes);
            }
        }
Example #7
0
        public async Task AddServiceIdentityCertificateAsync(string key, string store, string location,
                                                             string thumbprint, string password)
        {
            IServiceIdentity identity = GetServiceIdentity(key);
            X509Certificate2 cert     = GetLocalCertificate(store, location, thumbprint);

            if (cert != null)
            {
                byte[] certBytes = cert.Export(X509ContentType.Pfx, password);
                await identity.AddCertificateAsync(certBytes);
            }
        }
Example #8
0
        public static void AddFlexAuthentication(this IServiceCollection services, IServiceIdentity serviceIdentity)
        {
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Add("sub", ClaimTypes.NameIdentifier);
            JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear();

            services.AddAuthentication(config =>
            {
                config.DefaultScheme          = CookieAuthenticationDefaults.AuthenticationScheme;
                config.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
                config.DefaultSignInScheme    = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddCookie(options =>
            {
                options.Events = new CookieAuthenticationEvents
                {
                    OnRedirectToLogin = context =>
                    {
                        context.Response.Headers["Location"] = context.RedirectUri;
                        context.Response.StatusCode          = StatusCodes.Status401Unauthorized;
                        return(Task.CompletedTask);
                    }
                };
            })
            .AddOpenIdConnect(options =>
            {
                options.ClientId     = serviceIdentity.ClientId;
                options.Authority    = serviceIdentity.IdentityProvider + "/v2.0";
                options.ResponseType = "id_token";
                options.SaveTokens   = true;
                options.GetClaimsFromUserInfoEndpoint = true;
            })
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters()
                {
                    ValidateIssuer   = false,
                    ValidateAudience = false,
                };
            });

            //services.AddTransient<IPostConfigureOptions<OpenIdConnectOptions>, OpenIdConnectPostConfiguration>();

            services.AddAuthorization(options =>
            {
                options.AddPolicy(KnownPolicies.Flexer, new AuthorizationPolicyBuilder(OpenIdConnectDefaults.AuthenticationScheme)
                                  .RequireAssertion(context => context.User.HasClaim(x => x.Value == "Flexer"))
                                  .RequireAuthenticatedUser()
                                  .Build());
            });
        }
Example #9
0
        private async Task SetClaimsAsync()
        {
            tokenExpiration = DateTime.UtcNow.AddDays(1.0);
            IServiceIdentity identity = GraphManager.GetServiceIdentity("PiraeusIdentity");
            List <KeyValuePair <string, string> > kvps = await identity.GetClaimsAsync();

            if (kvps != null)
            {
                List <Claim> list = new List <Claim>();
                foreach (var kvp in kvps)
                {
                    list.Add(new Claim(kvp.Key, kvp.Value));
                }

                claims = list;
            }
        }
Example #10
0
        public async Task NotifyAsync(EventMessage message)
        {
            Exception error = null;

            State.MessageCount++;
            State.ByteCount           += message.Message.LongLength;
            State.LastMessageTimestamp = DateTime.UtcNow;

            try
            {
                if (!string.IsNullOrEmpty(State.Metadata.NotifyAddress))
                {
                    if (sink == null)
                    {
                        if (!EventSinkFactory.IsInitialized)
                        {
                            IServiceIdentity identity  = GrainFactory.GetGrain <IServiceIdentity>("PiraeusIdentity");
                            byte[]           certBytes = await identity.GetCertificateAsync();

                            List <KeyValuePair <string, string> > kvps = await identity.GetClaimsAsync();

                            X509Certificate2 certificate = certBytes == null ? null : new X509Certificate2(certBytes);
                            List <Claim>     claims      = GetClaims(kvps);

                            sink = EventSinkFactory.Create(State.Metadata, claims, certificate);
                        }
                        else
                        {
                            sink = EventSinkFactory.Create(State.Metadata);
                        }
                    }

                    await sink.SendAsync(message);
                }
                else if (State.MessageLeases.Count > 0)
                {
                    //send to actively connected subsystem
                    foreach (var observer in State.MessageLeases.Values)
                    {
                        observer.Notify(message);
                    }
                }
                else
                {
                    if (State.Metadata.DurableMessaging && State.Metadata.TTL.HasValue) //durable message queue
                    {
                        await QueueDurableMessageAsync(message);
                    }
                    else //in-memory message queue
                    {
                        await QueueInMemoryMessageAsync(message);
                    }
                }
            }
            catch (Exception ex)
            {
                Trace.TraceWarning("Subscription publish failed to complete.");
                Trace.TraceError("Subscription publish error {0}", ex.Message);
                error = ex;
                //GetLogger().Log(2, Orleans.Runtime.Severity.Error, "Subscription notification exception {0}", new object[] { State.Metadata.SubscriptionUriString }, ex);
            }

            await NotifyMetricsAsync();

            if (error != null)
            {
                await NotifyErrorAsync(error);
            }
        }
Example #11
0
 public async Task AddServiceIdentityClaimsAsync(string key, List <KeyValuePair <string, string> > claims)
 {
     IServiceIdentity identity = GetServiceIdentity(key);
     await identity.AddClaimsAsync(claims);
 }