public static bool HasOwnUpdatePermission(this Role role, Rbac rbac, Utilizer utilizer) { if (rbac.Action.Slug != Rbac.GetSegment(Rbac.CrudActions.Update).Slug) { return(false); } if (rbac.Resource == "users" && utilizer.Type == Utilizer.UtilizerType.User) { if (rbac.Object == utilizer.Id) { return(true); } } if (rbac.Resource == "applications" && utilizer.Type == Utilizer.UtilizerType.Application) { if (rbac.Object == utilizer.Id) { return(true); } } return(false); }
public virtual TModel Create(Utilizer utilizer, string membershipId, TModel model) { // Check membership var membership = this.membershipService.Get(membershipId); if (membership == null) { throw ErtisAuthException.MembershipNotFound(membershipId); } else { model.MembershipId = membershipId; } // Model validation if (!this.ValidateModel(model, out var errors)) { throw ErtisAuthException.ValidationError(errors); } // Check existing if (this.IsAlreadyExist(model, membershipId)) { throw this.GetAlreadyExistError(model); } // Insert to database var dto = Mapper.Current.Map <TModel, TDto>(model); var insertedDto = this.repository.Insert(dto); var inserted = Mapper.Current.Map <TDto, TModel>(insertedDto); this.OnCreated?.Invoke(this, new CreateResourceEventArgs <TModel>(utilizer, inserted)); return(inserted); }
public virtual bool?BulkDelete(Utilizer utilizer, string membershipId, string[] ids) { var isAllDeleted = true; var isAllFailed = true; foreach (var id in ids) { var current = this.Get(membershipId, id); if (current != null) { var isDeleted = this.repository.Delete(id); if (isDeleted) { this.OnDeleted?.Invoke(this, new DeleteResourceEventArgs <TModel>(utilizer, current)); } isAllDeleted &= isDeleted; isAllFailed &= !isDeleted; } } if (isAllDeleted) { return(true); } else if (isAllFailed) { return(false); } else { return(null); } }
public static bool?HasPermission(this Utilizer utilizer, Rbac rbac) { bool isPermittedFilter(string permission) { if (Ubac.TryParse(permission, out var userUbac)) { bool isResourcePermitted = userUbac.Resource.IsAll() || userUbac.Resource.Equals(rbac.Resource, StringComparison.CurrentCultureIgnoreCase); bool isActionPermitted = userUbac.Action.IsAll() || userUbac.Action.Equals(rbac.Action, StringComparison.CurrentCultureIgnoreCase); bool isObjectPermitted = userUbac.Object.IsAll() || userUbac.Object.Equals(rbac.Object); bool isPermitted = isResourcePermitted && isActionPermitted && isObjectPermitted; if (isPermitted) { return(true); } } return(false); } var matchedPermissions = utilizer.Permissions?.Where(isPermittedFilter) ?? new string[] {}; var matchedForbiddens = utilizer.Forbidden?.Where(isPermittedFilter) ?? new string[] {}; var permissions = matchedPermissions as string[] ?? matchedPermissions.ToArray(); var forbiddens = matchedForbiddens as string[] ?? matchedForbiddens.ToArray(); if (!permissions.Any() && !forbiddens.Any()) { return(null); } return(!forbiddens.Any() && permissions.Any()); }
private async Task InitializeAsync() { var memberships = await this.membershipService.GetAsync(0, null, false, null, null); if (memberships?.Items != null) { foreach (var membership in memberships.Items) { var utilizer = new Utilizer { Role = Rbac.ReservedRoles.Administrator, Type = Utilizer.UtilizerType.System, MembershipId = membership.Id }; var role = await this.GetByNameAsync(Rbac.ReservedRoles.Administrator, membership.Id); if (role == null) { await this.CreateAsync(utilizer, membership.Id, new Role { Name = Rbac.ReservedRoles.Administrator, Description = "Administrator", MembershipId = membership.Id, Permissions = RoleHelper.AssertAdminPermissionsForReservedResources() }); } } } }
public static Utilizer GetUtilizer(this ControllerBase controller) { var claimUser = controller.User; var utilizerIdentity = claimUser.Identities.FirstOrDefault(x => x.NameClaimType == "Utilizer"); if (utilizerIdentity != null) { var idClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerIdClaimName); var usernameClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerUsernameClaimName); var typeClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTypeClaimName); var roleClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerRoleClaimName); var tokenClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTokenClaimName); var tokenTypeClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTokenTypeClaimName); TokenTypeExtensions.TryParseTokenType(tokenTypeClaim?.Value, out var tokenType); return(new Utilizer { Id = idClaim?.Value, Username = usernameClaim?.Value, Type = Utilizer.ParseType(typeClaim?.Value), Role = roleClaim?.Value, Token = tokenClaim?.Value, TokenType = tokenType }); } return(new Utilizer()); }
public async ValueTask <Role> UpdateAsync(Utilizer utilizer, string membershipId, Role model) { model.MembershipId = membershipId; var current = await this.GetAsync(membershipId, model.Id); if (current != null) { model.Sys = new SysModel { CreatedAt = model.Sys.CreatedAt, CreatedBy = model.Sys.CreatedBy, ModifiedAt = DateTime.Now, ModifiedBy = utilizer.Username }; } else { model.Sys = new SysModel { CreatedAt = DateTime.Now, CreatedBy = utilizer.Username, ModifiedAt = DateTime.Now, ModifiedBy = utilizer.Username }; } var index = this.MockRepository.FindIndex(x => x.MembershipId == membershipId && x.Id == model.Id); this.MockRepository.RemoveAt(index); this.MockRepository.Insert(index, model); return(model); }
public async Task <dynamic> MigrateAsync(string connectionString, Membership _membership, UserWithPassword _user) { // Validation var databaseInformation = Ertis.MongoDB.Helpers.ConnectionStringHelper.ParseConnectionString(connectionString); var connectionString1 = Ertis.MongoDB.Helpers.ConnectionStringHelper.GenerateConnectionString(this.databaseSettings); var connectionString2 = Ertis.MongoDB.Helpers.ConnectionStringHelper.GenerateConnectionString(databaseInformation); if (connectionString1 != connectionString2) { throw ErtisAuthException.MigrationRejected("Connection string could not validated"); } // 1. Membership var membership = await this.membershipService.CreateAsync(new Membership { Name = _membership.Name, DefaultEncoding = _membership.DefaultEncoding, HashAlgorithm = _membership.HashAlgorithm, ExpiresIn = _membership.ExpiresIn, RefreshTokenExpiresIn = _membership.RefreshTokenExpiresIn, SecretKey = string.IsNullOrEmpty(_membership.SecretKey) ? GenerateRandomSecretKey(32) : _membership.SecretKey }); // Utilizer var utilizer = new Utilizer { Role = Rbac.ReservedRoles.Administrator, Type = Utilizer.UtilizerType.System, MembershipId = membership.Id }; // 2. Role var adminRole = await this.roleService.CreateAsync(utilizer, membership.Id, new Role { Name = Rbac.ReservedRoles.Administrator, Description = "Administrator", MembershipId = membership.Id, Permissions = RoleHelper.AssertAdminPermissionsForReservedResources() }); // 3. User (admin) var adminUser = await this.userService.CreateAsync(utilizer, membership.Id, new UserWithPassword { Username = _user.Username, FirstName = _user.FirstName, LastName = _user.LastName, EmailAddress = _user.EmailAddress, Role = adminRole.Name, MembershipId = membership.Id, PasswordHash = this.cryptographyService.CalculatePasswordHash(membership, _user.PasswordHash) }); return(new { membership, user = adminUser, role = adminRole }); }
public override bool Delete(Utilizer utilizer, string membershipId, string id) { // Is Deletable? if (!this.IsDeletable(id, membershipId, out var _)) { throw ErtisAuthException.UserTypeCanNotBeDelete(); } return(base.Delete(utilizer, membershipId, id)); }
public override async ValueTask <bool> DeleteAsync(Utilizer utilizer, string membershipId, string id) { // Is Deletable? if (!this.IsDeletable(id, membershipId, out var _)) { throw ErtisAuthException.UserTypeCanNotBeDelete(); } return(await base.DeleteAsync(utilizer, membershipId, id)); }
public override async Task <User> UpdateAsync(Utilizer utilizer, string membershipId, User model) { var currentUser = await this.GetUserWithPasswordAsync(model.Id, membershipId); var passwordHash = currentUser.PasswordHash; if (model is UserWithPassword userWithPassword && !string.IsNullOrEmpty(userWithPassword.PasswordHash) && userWithPassword.PasswordHash != passwordHash) { passwordHash = userWithPassword.PasswordHash; } return(await base.UpdateAsync(utilizer, membershipId, new UserWithPassword(model) { PasswordHash = passwordHash })); }
public virtual async Task <bool> DeleteAsync(Utilizer utilizer, string membershipId, string id) { var current = await this.GetAsync(membershipId, id); if (current != null) { this.OnDeleted?.Invoke(this, new DeleteResourceEventArgs <TModel>(utilizer, current)); return(await this.repository.DeleteAsync(id)); } else { return(false); } }
public virtual bool Delete(Utilizer utilizer, string membershipId, string id) { var current = this.Get(membershipId, id); if (current != null) { this.OnDeleted?.Invoke(this, new DeleteResourceEventArgs <TModel>(utilizer, current)); return(this.repository.Delete(id)); } else { return(false); } }
public async ValueTask <Role> CreateAsync(Utilizer utilizer, string membershipId, Role model) { model.MembershipId = membershipId; model.Sys = new SysModel { CreatedAt = DateTime.Now, CreatedBy = utilizer.Username }; await Task.CompletedTask; this.MockRepository.Add(model); return(model); }
public virtual async ValueTask <TModel> UpdateAsync(Utilizer utilizer, string membershipId, TModel model) { // Check membership var membership = await this.membershipService.GetAsync(membershipId); if (membership == null) { throw ErtisAuthException.MembershipNotFound(membershipId); } else { model.MembershipId = membershipId; } // Overwrite var current = await this.GetAsync(membershipId, model.Id); if (current == null) { throw this.GetNotFoundError(model.Id); } this.Overwrite(model, current); // Touch model model = await this.TouchAsync(model, CrudOperation.Update); // Model validation if (!this.ValidateModel(model, out var errors)) { throw ErtisAuthException.ValidationError(errors); } // Check existing if (await this.IsAlreadyExistAsync(model, membershipId, current)) { throw this.GetAlreadyExistError(model); } model.MembershipId = membershipId; var dto = Mapper.Current.Map <TModel, TDto>(model); var updatedDto = await this.repository.UpdateAsync(dto); var updated = Mapper.Current.Map <TDto, TModel>(updatedDto); this.OnUpdated?.Invoke(this, new UpdateResourceEventArgs <TModel>(utilizer, current, updated)); return(updated); }
public async ValueTask <bool> DeleteAsync(Utilizer utilizer, string membershipId, string id) { var index = this.MockRepository.FindIndex(x => x.MembershipId == membershipId && x.Id == id); if (index >= 0) { await Task.CompletedTask; this.MockRepository.RemoveAt(index); return(true); } else { return(false); } }
public async Task SetPasswordAsync(Utilizer utilizer, string membershipId, string resetToken, string usernameOrEmailAddress, string password) { if (string.IsNullOrEmpty(usernameOrEmailAddress)) { throw ErtisAuthException.ValidationError(new [] { "Username or email required!" }); } var membership = await this.membershipService.GetAsync(membershipId); if (membership == null) { throw ErtisAuthException.MembershipNotFound(membershipId); } var user = await this.GetUserWithPasswordAsync(usernameOrEmailAddress, usernameOrEmailAddress, membershipId); if (user == null) { throw ErtisAuthException.UserNotFound(usernameOrEmailAddress, "username or email_address"); } if (utilizer.Role == Rbac.ReservedRoles.Administrator || utilizer.Id == user.Id) { if (this.jwtService.TryDecodeToken(resetToken, out var securityToken)) { var expireTime = securityToken.ValidTo.ToLocalTime(); if (DateTime.Now > expireTime) { // Token was expired! throw ErtisAuthException.TokenWasExpired(); } await this.ChangePasswordAsync(utilizer, membershipId, user.Id, password); } else { // Reset token could not decoded! throw ErtisAuthException.InvalidToken(); } } else { throw ErtisAuthException.AccessDenied("Unauthorized access"); } }
private async Task FireOnCreatedEvent(string membershipId, Utilizer utilizer, DynamicObject inserted) { if (this._eventService != null) { await this._eventService.FireEventAsync(this, new ErtisAuthEvent { Document = inserted.ToDynamic(), Prior = null, EventTime = DateTime.Now, EventType = ErtisAuthEventType.UserCreated, MembershipId = membershipId, UtilizerId = utilizer.Id }); } this.OnCreated?.Invoke(this, new CreateResourceEventArgs <DynamicObject>(utilizer, inserted)); }
public async Task <ResetPasswordToken> ResetPasswordAsync(Utilizer utilizer, string membershipId, string usernameOrEmailAddress) { if (string.IsNullOrEmpty(usernameOrEmailAddress)) { throw ErtisAuthException.ValidationError(new [] { "Username or email required!" }); } var membership = await this.membershipService.GetAsync(membershipId); if (membership == null) { throw ErtisAuthException.MembershipNotFound(membershipId); } var user = await this.GetUserWithPasswordAsync(usernameOrEmailAddress, usernameOrEmailAddress, membershipId); if (user == null) { throw ErtisAuthException.UserNotFound(usernameOrEmailAddress, "username or email_address"); } if (utilizer.Role == Rbac.ReservedRoles.Administrator || utilizer.Id == user.Id) { var tokenClaims = new TokenClaims(Guid.NewGuid().ToString(), user, membership); tokenClaims.AddClaim("token_type", "reset_token"); var resetToken = this.jwtService.GenerateToken(tokenClaims, HashAlgorithms.SHA2_256, Encoding.UTF8); var resetPasswordToken = new ResetPasswordToken(resetToken, TimeSpan.FromHours(1)); await this.eventService.FireEventAsync(this, new ErtisAuthEvent { EventType = ErtisAuthEventType.UserPasswordReset, UtilizerId = user.Id, Document = resetPasswordToken, MembershipId = membershipId }); return(resetPasswordToken); } else { throw ErtisAuthException.AccessDenied("Unauthorized access"); } }
public override Application Create(Utilizer utilizer, string membershipId, Application model) { var membership = this.membershipService.Get(membershipId); if (membership == null) { throw ErtisAuthException.MembershipNotFound(membershipId); } var application = base.Create(utilizer, membershipId, model); if (application != null) { application.Secret = $"{application.Id}:{membership.SecretKey}"; application = this.Update(utilizer, membershipId, application); } return(application); }
public async Task <User> ChangePasswordAsync(Utilizer utilizer, string membershipId, string userId, string newPassword) { if (string.IsNullOrEmpty(newPassword)) { throw ErtisAuthException.ValidationError(new [] { "Password can not be null or empty!" }); } var membership = await this.membershipService.GetAsync(membershipId); if (membership == null) { throw ErtisAuthException.MembershipNotFound(membershipId); } var user = await this.GetAsync(membershipId, userId); if (user == null) { throw ErtisAuthException.UserNotFound(userId, "_id"); } var userWithPassword = Mapper.Current.Map <User, UserWithPassword>(user); var passwordHash = this.cryptographyService.CalculatePasswordHash(membership, newPassword); userWithPassword.PasswordHash = passwordHash; var updatedUser = await this.UpdateAsync(utilizer, membershipId, userWithPassword); await this.eventService.FireEventAsync(this, new ErtisAuthEvent { EventType = ErtisAuthEventType.UserPasswordChanged, UtilizerId = user.Id, Document = updatedUser, Prior = userWithPassword, MembershipId = membershipId }); return(updatedUser); }
private static bool CheckPermission(Role role, Rbac rbac, Utilizer utilizer) { var hasUbacPermission = utilizer.HasPermission(rbac); if (hasUbacPermission != null) { return(hasUbacPermission.Value); } if (role.HasPermission(rbac)) { return(true); } else if (role.HasOwnUpdatePermission(rbac, utilizer)) { return(true); } else { return(false); } }
public static Utilizer GetUtilizer(this ControllerBase controller) { var claimUser = controller.User; var utilizerIdentity = claimUser.Identities.FirstOrDefault(x => x.NameClaimType == "Utilizer"); if (utilizerIdentity != null) { var idClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerIdClaimName); var typeClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTypeClaimName); var roleClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerRoleClaimName); var membershipIdClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.MembershipIdClaimName); return(new Utilizer { Id = idClaim?.Value, Type = Utilizer.ParseType(typeClaim?.Value), Role = roleClaim?.Value, MembershipId = membershipIdClaim?.Value }); } return(new Utilizer()); }
public static Utilizer ConvertToUtilizer(this ClaimsIdentity utilizerIdentity) { var idClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerIdClaimName); var typeClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTypeClaimName); var usernameClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerUsernameClaimName); var roleClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerRoleClaimName); var membershipIdClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.MembershipIdClaimName); var tokenClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTokenClaimName); var tokenTypeClaim = utilizerIdentity.Claims.FirstOrDefault(x => x.Type == Utilizer.UtilizerTokenTypeClaimName); TokenTypeExtensions.TryParseTokenType(tokenTypeClaim?.Value, out var tokenType); return(new Utilizer { Id = idClaim?.Value, Type = Utilizer.ParseType(typeClaim?.Value), Username = usernameClaim?.Value, Role = roleClaim?.Value, MembershipId = membershipIdClaim?.Value, Token = tokenClaim?.Value, TokenType = tokenType }); }
public static Utilizer GetUtilizer(this ControllerBase controller) { var claimUser = controller.User; var utilizerIdentity = claimUser.Identities.FirstOrDefault(x => x.NameClaimType == "Utilizer"); if (utilizerIdentity != null) { var utilizerSampling = utilizerIdentity.ConvertToUtilizer(); // ReSharper disable once ConvertIfStatementToSwitchStatement if (utilizerSampling.Type == Utilizer.UtilizerType.User) { var userService = controller.HttpContext.RequestServices.GetService <IUserService>(); if (userService != null) { var dynamicObject = userService.GetAsync(utilizerSampling.MembershipId, utilizerSampling.Id).ConfigureAwait(false).GetAwaiter().GetResult(); var user = dynamicObject.Deserialize <User>(); Utilizer utilizer = user; return(utilizer); } } else if (utilizerSampling.Type == Utilizer.UtilizerType.Application) { var applicationService = controller.HttpContext.RequestServices.GetService <IApplicationService>(); if (applicationService != null) { Utilizer application = applicationService.Get(utilizerSampling.MembershipId, utilizerSampling.Id); return(application); } } return(utilizerSampling); } return(new Utilizer()); }
public Task <bool?> BulkDeleteAsync(Utilizer utilizer, string membershipId, string[] ids) { throw new NotImplementedException(); }
ValueTask <bool?> IDeletableMembershipBoundedService.BulkDeleteAsync(Utilizer utilizer, string membershipId, string[] ids) { throw new NotImplementedException(); }
public bool?BulkDelete(Utilizer utilizer, string membershipId, string[] ids) { throw new NotImplementedException(); }
public Task <DynamicObject> UpdateAsync(Utilizer utilizer, string membershipId, string userId, DynamicObject model) { throw new NotImplementedException(); }
public Task <bool> CheckPasswordAsync(Utilizer utilizer, string password) { throw new NotImplementedException(); }