public override async Task <GatekeeperProxySettingsReply> SaveGatekeeperProxySettings(GatekeeperProxySettingsRequest request, ServerCallContext context) { Guid appId = new Guid(request.AppId); ProxyAppSettings settings = await _authDbContext .ProxyAppSettings .SingleAsync(s => s.AuthAppId == appId); if (request.InternalHostname != settings.InternalHostname) { settings.InternalHostname = request.InternalHostname; } if (request.PublicHostname != settings.PublicHostname) { settings.PublicHostname = request.PublicHostname; BackgroundJob.Enqueue <IRequestAcmeCertificateJob>(job => job.Request("", request.PublicHostname)); } if (request.PublicEndpoints.Count == 0) { settings.EndpointsWithoutAuth = null; } else { settings.EndpointsWithoutAuth = request.PublicEndpoints.ToList(); } await _authDbContext.SaveChangesAsync(); await _memoryPopulator.PopulateFromDatabase(); return(new GatekeeperProxySettingsReply { }); }
public async Task <bool> IsAuthorizedAsync(Guid sessionId, MemorySingletonProxyConfigProvider.Route route) { ProxyAppSettings proxyAppSetting = await _authDbContext.ProxyAppSettings .AsNoTracking() .Where( p => p.AuthApp.UserGroups.Any( u => u.Members.Any( m => m.Sessions.Any( s => s.Id == sessionId && s.ExpiredTime == null && m.IsDisabled == false ) ) ) ) .SingleOrDefaultAsync(p => p.Id == route.ProxySettingId); if (proxyAppSetting == null) { return(false); } return(true); }
public string GetToken(AppUser user, ProxyAppSettings setting, Guid sessionId) { string token = _jwtFactory.Build() .Subject(user.Id.ToString()) .Id(sessionId) .Audience(setting.InternalHostname) .IssuedAt(DateTime.UtcNow) .Encode(); return(token); }
public override async Task <SsoTokenReply> GetCurrentSessionToken(SsoTokenRequest request, ServerCallContext context) { Guid cookieId = _sessionManager.GetCurrentSessionId(context.GetHttpContext().User); ProxyAppSettings setting = await _authDbContext.ProxyAppSettings .SingleAsync(s => s.Id == new Guid(request.ProxyId)); AppUser user = await _userManager.GetUserAsync(context.GetHttpContext().User); string ssoToken = _authenticationManager.GetToken(user, setting, cookieId); return(new SsoTokenReply { TargetUrl = "https://" + setting.PublicHostname + "/gatekeeper-proxy-sso", SsoToken = ssoToken, }); }
public override async Task <AddNewAppReply> AddNewApp(AddNewAppRequest request, ServerCallContext context) { AuthApp app = new AuthApp { Name = request.Name, Url = request.Url, Description = request.Description, }; _authDbContext.Add(app); switch (request.HostingType) { case HostingType.NonWeb: app.HostingType = AuthApp.HostingTypeEnum.NON_WEB; break; case HostingType.WebGatekeeperProxy: app.HostingType = AuthApp.HostingTypeEnum.WEB_GATEKEEPER_PROXY; break; case HostingType.WebGeneric: app.HostingType = AuthApp.HostingTypeEnum.WEB_GENERIC; break; default: throw new NotImplementedException("Auth mode is not implemented"); } switch (request.DirectoryChoice) { case AddNewAppRequest.Types.DirectoryChoice.NoneDirectory: app.DirectoryMethod = AuthApp.DirectoryMethodEnum.NONE; break; case AddNewAppRequest.Types.DirectoryChoice.LdapDirectory: app.DirectoryMethod = AuthApp.DirectoryMethodEnum.LDAP; break; case AddNewAppRequest.Types.DirectoryChoice.ScimDirectory: app.DirectoryMethod = AuthApp.DirectoryMethodEnum.SCIM; break; } switch (request.AuthChoice) { case AddNewAppRequest.Types.AuthChoice.LdapAuth: app.AuthMethod = AuthApp.AuthMethodEnum.LDAP; break; case AddNewAppRequest.Types.AuthChoice.OidcAuth: app.AuthMethod = AuthApp.AuthMethodEnum.OIDC; break; } if (app.AuthMethod == AuthApp.AuthMethodEnum.LDAP || app.DirectoryMethod == AuthApp.DirectoryMethodEnum.LDAP) { string assembledBaseDn = "dc=" + app.Id; string bindUserPassword = _ldapSettingsDataProtector.Protect(_secureRandom.GetRandomString(16)); string bindUser = "******" + assembledBaseDn; LdapAppSettings ldapAppSettings = new LdapAppSettings { AuthApp = app, UseForAuthentication = (app.AuthMethod == AuthApp.AuthMethodEnum.LDAP), UseForIdentity = (app.DirectoryMethod == AuthApp.DirectoryMethodEnum.LDAP), BaseDn = assembledBaseDn, BindUser = bindUser, BindUserPassword = bindUserPassword, }; _authDbContext.Add(ldapAppSettings); app.LdapAppSettings = ldapAppSettings; } if (app.HostingType == AuthApp.HostingTypeEnum.WEB_GATEKEEPER_PROXY) { ProxyAppSettings proxyAppSettings = new ProxyAppSettings { AuthApp = app, InternalHostname = request.ProxySetting.InternalHostname, PublicHostname = request.ProxySetting.PublicHostname, }; _authDbContext.Add(proxyAppSettings); app.ProxyAppSettings = proxyAppSettings; _configurationProvider.TryGet("tls.acme.support", out string isAcmeSupported); if (isAcmeSupported == "true") { // FIXME: Passing an empty email is a hack here. The email is already passed in InstallService. Could be refactored. BackgroundJob.Enqueue <IRequestAcmeCertificateJob>(job => job.Request("", request.ProxySetting.PublicHostname)); } } if (app.AuthMethod == AuthApp.AuthMethodEnum.OIDC) { OIDCAppSettings oidcAppSettings = new OIDCAppSettings { RedirectUrl = request.OidcSetting.RedirectUri, AuthApp = app, ClientId = Guid.NewGuid().ToString(), ClientSecret = _secureRandom.GetRandomString(32), Audience = "FIX_ME", }; _authDbContext.Add(oidcAppSettings); app.OidcAppSettings = oidcAppSettings; } if (app.DirectoryMethod == AuthApp.DirectoryMethodEnum.SCIM) { SCIMAppSettings scimAppSettings = new SCIMAppSettings { AuthApp = app, Endpoint = request.ScimSetting.Endpoint, Credentials = request.ScimSetting.Credentials, }; _authDbContext.Add(scimAppSettings); app.ScimAppSettings = scimAppSettings; } foreach (string groupId in request.GroupIds) { Guid groupIdGuid = new Guid(groupId); UserGroup group = await _authDbContext.UserGroup .Include(g => g.AuthApps) .SingleAsync(g => g.Id == groupIdGuid); group.AuthApps.Add(app); } await _authDbContext.SaveChangesAsync(); // fixme: this should be done outside a service await _memoryPopulator.PopulateFromDatabase(); return(new AddNewAppReply { Success = true, }); }