public IActionResult ChangeName([Bind(Prefix = "Name")] UserNameModel model)
{
if (!ModelState.IsValid)
{
return(CorrectErrors(BuildUserProfileModel(model), "name"));
}
var user = _userAccountService.GetByID(User.GetId());
_userAccountService.RemoveClaims(user.ID,
new UserClaimCollection(user.Claims.Where(claim => claim.Type == "given_name" ||
claim.Type == "family_name" ||
claim.Type == "name")));
var claims = new UserClaimCollection();
claims.Add("given_name", model.GivenName);
claims.Add("family_name", model.FamilyName);
claims.Add("name", string.Join(" ",
new string[] { model.GivenName, model.FamilyName }
.Where(name => !string.IsNullOrWhiteSpace(name))));
_userAccountService.AddClaims(user.ID, claims);
return(RedirectToAction("Edit", new { changed = true }));
}
public void UpdateClaims(int accountId, UserClaimCollection additions = null, UserClaimCollection deletions = null)
{
_logger.LogInformation(GetLogMessage($"called for accountId: {accountId}"));
if ((additions == null || !additions.Any()) &&
(deletions == null || !deletions.Any()))
{
_logger.LogInformation(GetLogMessage("no additions or deletions -- exiting"));
return;
}
var account = GetById(accountId);
if (account == null)
{
throw new ArgumentException("Invalid AccountID");
}
foreach (var addition in additions ?? UserClaimCollection.Empty)
{
AddClaim(account, addition);
}
foreach (var deletion in deletions ?? UserClaimCollection.Empty)
{
RemoveClaim(account, deletion.Type, deletion.Value);
}
Update(account);
}
/// <summary>
/// Valida definitivamente l'accesso da parte di un dato utente. Se ritorna vero, l'utente
/// può accedere al servizio; se ritorna falso, l'utente non può accedere ed eventuali
/// indicazioni del motivo devono essere riportate nel risultato di questa chiamata.
/// </summary>
/// <param name="actionContext">Il contesto HTTP da validare.</param>
/// <param name="userClaims">I claim restituiti dal servizio che gestisce l'identità.</param>
/// <returns>
/// Autorizzazione positiva se l'utente è stato autorizzato, negativa altrimenti. Il campo
/// <see cref="AuthorizationResult{TPayload}.Payload"/> deve essere valorizzato con il
/// principal legato all'utente, se l'autorizzazione ha avuto successo.
/// </returns>
public async Task<AuthorizationResult<IPrincipal>> ValidateRequestAsync(HttpActionContext actionContext, UserClaimCollection userClaims)
{
try
{
var idnUserKey = SecUserKey.FromString(userClaims["sub"].Single());
if (!AllowedApps.Contains(idnUserKey.AppName))
{
return new AuthorizationResult<IPrincipal>
{
Authorized = false,
AuthorizationDeniedReason = $"Application '{idnUserKey.AppName}' has not been allowed"
};
}
var user = await SecurityRepository.GetUserByLoginAsync(idnUserKey.AppName, idnUserKey.UserLogin);
var authorizationResult = await ValidateRequestAsync(actionContext, userClaims, user);
if (authorizationResult.Authorized)
{
authorizationResult.Payload = new IdnPrincipal(user);
}
return authorizationResult;
}
catch (SecAppNotFoundException aex)
{
Log.Warn(aex.Message);
return new AuthorizationResult<IPrincipal>
{
Authorized = false,
AuthorizationDeniedReason = aex.Message
};
}
catch (SecUserNotFoundException uex)
{
Log.Warn(uex.Message);
return new AuthorizationResult<IPrincipal>
{
Authorized = false,
AuthorizationDeniedReason = uex.Message
};
}
catch (Exception ex)
{
Log.Error(ex.Message);
return new AuthorizationResult<IPrincipal>
{
Authorized = false,
AuthorizationDeniedReason = ex.Message,
AuthorizationDeniedException = ex
};
}
}
/// <summary>
/// Imposta le mappature necessarie alla libreria Caravan.WebApi.
/// </summary>
public CaravanWebApiMapperConfig()
{
CreateMap<LogEntryBulkDTO, LogEntry>();
CreateMap<SecApp, LinkedSecApp>();
CreateMap<IEnumerable<Tuple<string, string>>, UserClaimCollection>()
.ConvertUsing(tuples =>
{
var uc = new UserClaimCollection();
foreach (var t in tuples)
{
uc.Add(t.Item1, t.Item2);
}
return uc;
});
}
public ClaimsIdentity FindByUserId(string userId)
{
var claims = new ClaimsIdentity();
var list = UserClaimCollection.GetUserClaimERList(userId);
foreach (var item in list)
{
claims.AddClaim(new IdentityClaim
{
Id = item.Id,
UserId = item.UserId,
ClaimType = item.ClaimType,
ClaimValue = item.ClaimValue
});
}
return(claims);
}
public IActionResult Save(UserProfileModel profile)
{
Guid userGuid;
if (!Guid.TryParse(profile.UserId, out userGuid))
{
return(HttpBadRequest("Failed to parse userId."));
}
if (ModelState.IsValid)
{
var user = _userAccountService.GetByID(userGuid);
_userAccountService.RemoveClaims(userGuid,
new UserClaimCollection(user.Claims.Where(claim => claim.Type == "given_name" ||
claim.Type == "family_name" ||
claim.Type == "name" ||
claim.Type == "fsw:organization" ||
claim.Type == "fsw:department")));
var claims = new UserClaimCollection();
claims.Add("given_name", profile.GivenName);
claims.Add("family_name", profile.FamilyName);
claims.Add("name", string.Join(" ",
new string[] { profile.GivenName, profile.FamilyName }
.Where(name => !string.IsNullOrWhiteSpace(name))));
if (!string.IsNullOrWhiteSpace(profile.Organization))
{
claims.Add("fsw:organization", profile.Organization);
}
if (!string.IsNullOrWhiteSpace(profile.Department))
{
claims.Add("fsw:department", profile.Department);
}
_userAccountService.AddClaims(userGuid, claims);
return(RedirectToAction("Edit", new { userId = profile.UserId, changed = true }));
}
return(View("Edit", profile));
}
public ActionResult Index(RegisterInputModel model)
{
if (ModelState.IsValid)
{
try
{
model.Email = model.Email.ToLowerInvariant().Trim();
var account = this._userAccountService.CreateAccount(model.Username, model.Password, model.Email);
ViewData["RequireAccountVerification"] = this._userAccountService.Configuration.RequireAccountVerification;
UserClaimCollection claims = new UserClaimCollection
{
new UserClaim("given_name", model.GivenName),
new UserClaim("family_name", model.FamilyName),
new UserClaim("name", string.Join(" ",
new string[] { model.GivenName, model.FamilyName }
.Where(name => !string.IsNullOrWhiteSpace(name))
))
};
if (model.Email.EndsWith("@foodservicewarehouse.com") || model.Email.EndsWith("@fsw.com"))
{
claims.Add(new UserClaim("fsw:organization", "FSW"));
}
else
{
string emailDomain = model.Email.Split('@')[1];
claims.Add(new UserClaim("fsw:organization", emailDomain));
}
_userAccountService.AddClaims(account.ID, claims);
return(View("Success", model));
}
catch (ValidationException ex)
{
ModelState.AddModelError("", ex.Message);
}
}
return(View(model));
}
private void AddClaims(Guid accountId, CreateAccountInputModel model)
{
model.Email = model.Email.ToLowerInvariant().Trim();
UserClaimCollection claims = new UserClaimCollection
{
new UserClaim("given_name", model.GivenName),
new UserClaim("family_name", model.FamilyName),
new UserClaim("name", string.Join(" ",
new string[] { model.GivenName, model.FamilyName }
.Where(name => !string.IsNullOrWhiteSpace(name))
))
};
if (model.IsAuthCentralAdmin)
{
claims.Add(new UserClaim("fsw:authcentral:admin", "true"));
}
if (!string.IsNullOrWhiteSpace(model.Organization))
{
claims.Add(new UserClaim("fsw:organization", model.Organization));
}
else if (model.Email.EndsWith("@foodservicewarehouse.com") || model.Email.EndsWith("@fsw.com"))
{
claims.Add(new UserClaim("fsw:organization", "FSW"));
}
else
{
string emailDomain = model.Email.Split('@')[1];
claims.Add(new UserClaim("fsw:organization", emailDomain));
}
if (!string.IsNullOrWhiteSpace(model.Department))
{
claims.Add(new UserClaim("fsw:department", model.Department));
}
_userAccountService.AddClaims(accountId, claims);
}
public Task RemoveClaimAsync(User user, Claim claim)
{
return(Task.Run(() => { UserClaimCollection.DeleteByTypeAndValue(user, claim.Type, claim.Value); }));
}
/// <summary> /// Valida definitivamente l'accesso da parte di un dato utente. Se ritorna vero, l'utente /// può accedere al servizio; se ritorna falso, l'utente non può accedere ed eventuali indicazioni /// </summary> /// <param name="actionContext">La richiesta HTTP da validare.</param> /// <param name="userClaims">I claim restituiti dal servizio che gestisce l'identità.</param> /// <param name="user">L'utente caricato da Caravan.</param> /// <returns>Vero se l'utente è stato autorizzato, falso altrimenti.</returns> protected virtual Task<AuthorizationResult<IPrincipal>> ValidateRequestAsync(HttpActionContext actionContext, UserClaimCollection userClaims, SecUser user) => Task.FromResult(AuthorizationResult<IPrincipal>.Success);
public void RemoveClaims(int accountId, UserClaimCollection claims)
{
_logger.LogInformation(GetLogMessage($"called for accountId: {accountId}"));
UpdateClaims(accountId, null, claims);
}
