public override async Task <GatekeeperProxySettingsReply> SaveGatekeeperProxySettings(GatekeeperProxySettingsRequest request, ServerCallContext context)
{
Guid appId = new Guid(request.AppId);
ProxyAppSettings settings = await _authDbContext
.ProxyAppSettings
.SingleAsync(s => s.AuthAppId == appId);
if (request.InternalHostname != settings.InternalHostname)
{
settings.InternalHostname = request.InternalHostname;
}
if (request.PublicHostname != settings.PublicHostname)
{
settings.PublicHostname = request.PublicHostname;
BackgroundJob.Enqueue <IRequestAcmeCertificateJob>(job => job.Request("", request.PublicHostname));
}
if (request.PublicEndpoints.Count == 0)
{
settings.EndpointsWithoutAuth = null;
}
else
{
settings.EndpointsWithoutAuth = request.PublicEndpoints.ToList();
}
await _authDbContext.SaveChangesAsync();
await _memoryPopulator.PopulateFromDatabase();
return(new GatekeeperProxySettingsReply {
});
}
public async Task <bool> IsAuthorizedAsync(Guid sessionId, MemorySingletonProxyConfigProvider.Route route)
{
ProxyAppSettings proxyAppSetting = await _authDbContext.ProxyAppSettings
.AsNoTracking()
.Where(
p => p.AuthApp.UserGroups.Any(
u => u.Members.Any(
m => m.Sessions.Any(
s =>
s.Id == sessionId &&
s.ExpiredTime == null &&
m.IsDisabled == false
)
)
)
)
.SingleOrDefaultAsync(p => p.Id == route.ProxySettingId);
if (proxyAppSetting == null)
{
return(false);
}
return(true);
}
public string GetToken(AppUser user, ProxyAppSettings setting, Guid sessionId)
{
string token = _jwtFactory.Build()
.Subject(user.Id.ToString())
.Id(sessionId)
.Audience(setting.InternalHostname)
.IssuedAt(DateTime.UtcNow)
.Encode();
return(token);
}
public override async Task <SsoTokenReply> GetCurrentSessionToken(SsoTokenRequest request, ServerCallContext context)
{
Guid cookieId = _sessionManager.GetCurrentSessionId(context.GetHttpContext().User);
ProxyAppSettings setting = await _authDbContext.ProxyAppSettings
.SingleAsync(s => s.Id == new Guid(request.ProxyId));
AppUser user = await _userManager.GetUserAsync(context.GetHttpContext().User);
string ssoToken = _authenticationManager.GetToken(user, setting, cookieId);
return(new SsoTokenReply
{
TargetUrl = "https://" + setting.PublicHostname + "/gatekeeper-proxy-sso",
SsoToken = ssoToken,
});
}
public override async Task <AddNewAppReply> AddNewApp(AddNewAppRequest request, ServerCallContext context)
{
AuthApp app = new AuthApp
{
Name = request.Name,
Url = request.Url,
Description = request.Description,
};
_authDbContext.Add(app);
switch (request.HostingType)
{
case HostingType.NonWeb:
app.HostingType = AuthApp.HostingTypeEnum.NON_WEB;
break;
case HostingType.WebGatekeeperProxy:
app.HostingType = AuthApp.HostingTypeEnum.WEB_GATEKEEPER_PROXY;
break;
case HostingType.WebGeneric:
app.HostingType = AuthApp.HostingTypeEnum.WEB_GENERIC;
break;
default:
throw new NotImplementedException("Auth mode is not implemented");
}
switch (request.DirectoryChoice)
{
case AddNewAppRequest.Types.DirectoryChoice.NoneDirectory:
app.DirectoryMethod = AuthApp.DirectoryMethodEnum.NONE;
break;
case AddNewAppRequest.Types.DirectoryChoice.LdapDirectory:
app.DirectoryMethod = AuthApp.DirectoryMethodEnum.LDAP;
break;
case AddNewAppRequest.Types.DirectoryChoice.ScimDirectory:
app.DirectoryMethod = AuthApp.DirectoryMethodEnum.SCIM;
break;
}
switch (request.AuthChoice)
{
case AddNewAppRequest.Types.AuthChoice.LdapAuth:
app.AuthMethod = AuthApp.AuthMethodEnum.LDAP;
break;
case AddNewAppRequest.Types.AuthChoice.OidcAuth:
app.AuthMethod = AuthApp.AuthMethodEnum.OIDC;
break;
}
if (app.AuthMethod == AuthApp.AuthMethodEnum.LDAP || app.DirectoryMethod == AuthApp.DirectoryMethodEnum.LDAP)
{
string assembledBaseDn = "dc=" + app.Id;
string bindUserPassword = _ldapSettingsDataProtector.Protect(_secureRandom.GetRandomString(16));
string bindUser = "******" + assembledBaseDn;
LdapAppSettings ldapAppSettings = new LdapAppSettings
{
AuthApp = app,
UseForAuthentication = (app.AuthMethod == AuthApp.AuthMethodEnum.LDAP),
UseForIdentity = (app.DirectoryMethod == AuthApp.DirectoryMethodEnum.LDAP),
BaseDn = assembledBaseDn,
BindUser = bindUser,
BindUserPassword = bindUserPassword,
};
_authDbContext.Add(ldapAppSettings);
app.LdapAppSettings = ldapAppSettings;
}
if (app.HostingType == AuthApp.HostingTypeEnum.WEB_GATEKEEPER_PROXY)
{
ProxyAppSettings proxyAppSettings = new ProxyAppSettings
{
AuthApp = app,
InternalHostname = request.ProxySetting.InternalHostname,
PublicHostname = request.ProxySetting.PublicHostname,
};
_authDbContext.Add(proxyAppSettings);
app.ProxyAppSettings = proxyAppSettings;
_configurationProvider.TryGet("tls.acme.support", out string isAcmeSupported);
if (isAcmeSupported == "true")
{
// FIXME: Passing an empty email is a hack here. The email is already passed in InstallService. Could be refactored.
BackgroundJob.Enqueue <IRequestAcmeCertificateJob>(job => job.Request("", request.ProxySetting.PublicHostname));
}
}
if (app.AuthMethod == AuthApp.AuthMethodEnum.OIDC)
{
OIDCAppSettings oidcAppSettings = new OIDCAppSettings
{
RedirectUrl = request.OidcSetting.RedirectUri,
AuthApp = app,
ClientId = Guid.NewGuid().ToString(),
ClientSecret = _secureRandom.GetRandomString(32),
Audience = "FIX_ME",
};
_authDbContext.Add(oidcAppSettings);
app.OidcAppSettings = oidcAppSettings;
}
if (app.DirectoryMethod == AuthApp.DirectoryMethodEnum.SCIM)
{
SCIMAppSettings scimAppSettings = new SCIMAppSettings
{
AuthApp = app,
Endpoint = request.ScimSetting.Endpoint,
Credentials = request.ScimSetting.Credentials,
};
_authDbContext.Add(scimAppSettings);
app.ScimAppSettings = scimAppSettings;
}
foreach (string groupId in request.GroupIds)
{
Guid groupIdGuid = new Guid(groupId);
UserGroup group = await _authDbContext.UserGroup
.Include(g => g.AuthApps)
.SingleAsync(g => g.Id == groupIdGuid);
group.AuthApps.Add(app);
}
await _authDbContext.SaveChangesAsync();
// fixme: this should be done outside a service
await _memoryPopulator.PopulateFromDatabase();
return(new AddNewAppReply
{
Success = true,
});
}
