public async Task <IActionResult> WhoAmI() { string token = this.GetTokenFromHeader(out string tokenTypeStr); if (string.IsNullOrEmpty(token)) { return(this.AuthorizationHeaderMissing()); } if (!TokenTypeExtensions.TryParseTokenType(tokenTypeStr, out var tokenType)) { throw ErtisAuthException.UnsupportedTokenType(); } var user = await this.tokenService.WhoAmIAsync(token, tokenType); if (user != null) { return(this.Ok(user)); } else { return(this.InvalidToken()); } }
public async Task <IActionResult> VerifyToken() { string token = this.GetTokenFromHeader(out string tokenTypeStr); if (string.IsNullOrEmpty(token)) { return(this.AuthorizationHeaderMissing()); } if (!TokenTypeExtensions.TryParseTokenType(tokenTypeStr, out var tokenType)) { throw ErtisAuthException.UnsupportedTokenType(); } var validationResult = await this.tokenService.VerifyTokenAsync(token, tokenType); if (validationResult.IsValidated) { return(this.Ok(validationResult)); } else { return(this.Unauthorized(validationResult)); } }
public static Utilizer GetUtilizer(this ControllerBase controller) { var claimUser = controller.User; var utilizerIdentity = claimUser.Identities.FirstOrDefault(x => x.NameClaimType == "Utilizer"); if (utilizerIdentity != null) { var idClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerIdClaimName); var usernameClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerUsernameClaimName); var typeClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTypeClaimName); var roleClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerRoleClaimName); var tokenClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTokenClaimName); var tokenTypeClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTokenTypeClaimName); TokenTypeExtensions.TryParseTokenType(tokenTypeClaim?.Value, out var tokenType); return(new Utilizer { Id = idClaim?.Value, Username = usernameClaim?.Value, Type = Utilizer.ParseType(typeClaim?.Value), Role = roleClaim?.Value, Token = tokenClaim?.Value, TokenType = tokenType }); } return(new Utilizer()); }
public async Task <IActionResult> WhoAmI() { string token = this.GetTokenFromHeader(out string tokenTypeStr); if (string.IsNullOrEmpty(token)) { return(this.AuthorizationHeaderMissing()); } if (!TokenTypeExtensions.TryParseTokenType(tokenTypeStr, out var tokenType)) { throw ErtisAuthException.UnsupportedTokenType(); } switch (tokenType) { case SupportedTokenTypes.None: throw ErtisAuthException.UnsupportedTokenType(); case SupportedTokenTypes.Basic: var application = await this.tokenService.WhoAmIAsync(new BasicToken(token)); if (application != null) { return(this.Ok(application)); } else { return(this.InvalidToken()); } case SupportedTokenTypes.Bearer: var user = await this.tokenService.WhoAmIAsync(BearerToken.CreateTemp(token)); if (user != null) { return(this.Ok(user)); } else { return(this.InvalidToken()); } default: throw ErtisAuthException.UnsupportedTokenType(); } }
public static Utilizer ConvertToUtilizer(this ClaimsIdentity utilizerIdentity) { var idClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerIdClaimName); var typeClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTypeClaimName); var usernameClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerUsernameClaimName); var roleClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerRoleClaimName); var membershipIdClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.MembershipIdClaimName); var tokenClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTokenClaimName); var tokenTypeClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTokenTypeClaimName); TokenTypeExtensions.TryParseTokenType(tokenTypeClaim?.Value, out var tokenType); return(new Utilizer { Id = idClaim?.Value, Type = Utilizer.ParseType(typeClaim?.Value), Username = usernameClaim?.Value, Role = roleClaim?.Value, MembershipId = membershipIdClaim?.Value, Token = tokenClaim?.Value, TokenType = tokenType }); }
private async Task <Utilizer> CheckAuthorizationAsync() { var token = this.Request.GetTokenFromHeader(out var tokenType); if (string.IsNullOrEmpty(token)) { throw ErtisAuthException.AuthorizationHeaderMissing(); } if (string.IsNullOrEmpty(tokenType)) { throw ErtisAuthException.UnsupportedTokenType(); } TokenTypeExtensions.TryParseTokenType(tokenType, out var _tokenType); switch (_tokenType) { case SupportedTokenTypes.None: throw ErtisAuthException.UnsupportedTokenType(); case SupportedTokenTypes.Basic: var basicToken = new BasicToken(token); var applicationId = token.Split(':')[0]; var getApplicationResponse = await this.applicationService.GetApplicationAsync(applicationId, basicToken); if (getApplicationResponse.IsSuccess) { var rbacDefinition = this.Context.GetRbacDefinition(getApplicationResponse.Data.Id); var rbac = $"{rbacDefinition.Resource}.{rbacDefinition.Action}"; var isPermittedForAction = await this.roleService.CheckPermissionAsync(rbac, basicToken); if (!isPermittedForAction) { throw ErtisAuthException.AccessDenied($"Token owner role is not permitted for this resource/action ({rbac})"); } return(new Utilizer { Id = getApplicationResponse.Data.Id, Username = getApplicationResponse.Data.Name, Type = tokenType == "Basic" ? Utilizer.UtilizerType.Application : Utilizer.UtilizerType.User, Role = getApplicationResponse.Data.Role, Token = token, TokenType = _tokenType }); } else { var errorMessage = getApplicationResponse.Message; if (ResponseHelper.TryParseError(getApplicationResponse.Message, out var error)) { errorMessage = error.Message; } throw ErtisAuthException.Unauthorized(errorMessage); } case SupportedTokenTypes.Bearer: var bearerToken = BearerToken.CreateTemp(token); var meResponse = await this.authenticationService.WhoAmIAsync(bearerToken); if (meResponse.IsSuccess) { var rbacDefinition = this.Context.GetRbacDefinition(meResponse.Data.Id); var rbac = $"{rbacDefinition.Resource}.{rbacDefinition.Action}"; var isPermittedForAction = await this.roleService.CheckPermissionAsync(rbac, bearerToken); if (!isPermittedForAction) { throw ErtisAuthException.AccessDenied($"Token owner role is not permitted for this resource/action ({rbac})"); } return(new Utilizer { Id = meResponse.Data.Id, Username = meResponse.Data.Username, Type = tokenType == "Basic" ? Utilizer.UtilizerType.Application : Utilizer.UtilizerType.User, Role = meResponse.Data.Role, Token = token, TokenType = _tokenType }); } else { var errorMessage = meResponse.Message; if (ResponseHelper.TryParseError(meResponse.Message, out var error)) { errorMessage = error.Message; } throw ErtisAuthException.Unauthorized(errorMessage); } default: throw ErtisAuthException.UnsupportedTokenType(); } }
private async Task <Utilizer> CheckAuthorizationAsync() { var token = this.Context.Request.GetTokenFromHeader(out var tokenType); if (string.IsNullOrEmpty(token)) { throw ErtisAuthException.AuthorizationHeaderMissing(); } if (string.IsNullOrEmpty(tokenType)) { throw ErtisAuthException.UnsupportedTokenType(); } TokenTypeExtensions.TryParseTokenType(tokenType, out var _tokenType); switch (_tokenType) { case SupportedTokenTypes.None: throw ErtisAuthException.UnsupportedTokenType(); case SupportedTokenTypes.Basic: var validationResult = await this.tokenService.VerifyBasicTokenAsync(token, false); if (!validationResult.IsValidated) { throw ErtisAuthException.InvalidToken(); } var application = validationResult.Application; Utilizer applicationUtilizer = application; if (!string.IsNullOrEmpty(application.Role)) { var role = await this.roleService.GetByNameAsync(application.Role, application.MembershipId); if (role != null) { var rbac = this.Context.GetRbacDefinition(application.Id); if (!this.accessControlService.HasPermission(role, rbac, applicationUtilizer)) { throw ErtisAuthException.AccessDenied("Your authorization role is unauthorized for this action"); } } } applicationUtilizer.Token = token; applicationUtilizer.TokenType = _tokenType; return(applicationUtilizer); case SupportedTokenTypes.Bearer: var verifyTokenResult = await this.tokenService.VerifyBearerTokenAsync(token, false); if (!verifyTokenResult.IsValidated) { throw ErtisAuthException.InvalidToken(); } var user = verifyTokenResult.User; Utilizer userUtilizer = user; if (!string.IsNullOrEmpty(user.Role)) { var role = await this.roleService.GetByNameAsync(user.Role, user.MembershipId); if (role != null) { var rbac = this.Context.GetRbacDefinition(user.Id); if (!this.accessControlService.HasPermission(role, rbac, userUtilizer)) { throw ErtisAuthException.AccessDenied("Your authorization role is unauthorized for this action"); } } } userUtilizer.Token = token; userUtilizer.TokenType = _tokenType; return(userUtilizer); default: throw ErtisAuthException.UnsupportedTokenType(); } }