/// <summary>
/// Attempts to authorize the client issuing the request.
/// </summary>
/// <param name="actionContext">
/// The action context.
/// </param>
public void AuthorizeUser(HttpActionContext actionContext)
{
Log.Verbose("SimpleWebTokenAuthAttribute.OnAuthorization");
// Attempt to get credentials from the the client certificate.
SecurityCredentials credentials = this.GetCredentialsFromAuthorizationHeader(actionContext);
bool isAuthorized = false;
if (credentials != null)
{
AuthPayload payload = Security.Authenticate(credentials);
if (payload != null)
{
if (Security.Authorize(payload, this.Roles))
{
isAuthorized = true;
Log.Verbose("User is authorized");
}
else
{
Log.Warn("Unauthorized user");
}
}
}
if (!isAuthorized)
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
}
/// <summary>
/// The authorize.
/// </summary>
/// <param name="payload">
/// The payload.
/// </param>
/// <param name="roles">
/// The roles.
/// </param>
/// <returns>
/// The <see cref="bool"/>.
/// </returns>
internal static bool Authorize(AuthPayload payload, string[] roles)
{
if (payload != null)
{
CustomIdentity identity = payload.CustomIdentity;
ISecurityProvider securityProvider = authorizers[identity.SecurityProviderName];
bool isAuthorized = securityProvider.IsAuthorized(payload, roles);
if (isAuthorized)
{
string userName = identity.Name;
string providerName = identity.SecurityProviderName;
Thread.CurrentPrincipal =
new CustomPrincipal(identity, roles);
Log.Verbose("User Id {0} is authorized", identity.UserId);
return(true);
}
else
{
Log.Verbose("Anauthorized user");
return(false);
}
}
else
{
return(false);
}
}
/// <summary>
/// The is authorized.
/// </summary>
/// <param name="payload">
/// The payload.
/// </param>
/// <param name="roles">
/// The roles.
/// </param>
/// <returns>
/// The <see cref="bool"/>.
/// </returns>
public bool IsAuthorized(AuthPayload payload, string[] roles)
{
bool result = false;
if (roles.Length > 0)
{
// Create dictionary from the specified roles.
Dictionary <string, string> authParameters = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase);
foreach (string role in roles)
{
string[] segments = role.Split(':');
if (segments.Length == 2)
{
authParameters[segments[0]] = segments[1];
}
}
// Ensure the auth parameters match.
if (authParameters.ContainsKey(Resource) == true &&
authParameters.ContainsKey(Action) == true)
{
string tokenResource = payload.CredentialAuthorizationParameters[Resource];
string tokenAction = payload.CredentialAuthorizationParameters[Action];
if (authParameters[Resource].Equals(tokenResource, StringComparison.OrdinalIgnoreCase) == true &&
authParameters[Action].Equals(tokenAction, StringComparison.OrdinalIgnoreCase) == true)
{
result = true;
}
}
}
return(result);
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The credentials.
/// </param>
/// <param name="flags">A general purpose flags set</param>
/// <returns>
/// The <see cref="AuthPayload"/>.
/// </returns>
public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
AuthPayload result = null;
if (SimpleWebTokenValidator.Validate(credentials.Token, ResourceNamespace, String.Format(ResourceTemplate, credentials.Name),
TrustedSigningKey) == true)
{
result = new AuthPayload(new CustomIdentity(credentials.Token, credentials.Name, credentials.SecurityProviderName));
}
return(result);
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The credentials.
/// </param>
/// <param name="flags">A general purpose flags set </param>
/// <returns>
/// The <see cref="AuthPayload"/>.
/// </returns>
public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
AuthPayload result = null;
// If the client certificate thumbprint is one of the registered thumbprints, create a CustomIdentity object for it.
if (registeredThumbprints.ContainsKey(credentials.Token))
{
result = new AuthPayload(new CustomIdentity(credentials.Token, credentials.Name, credentials.SecurityProviderName));
}
return(result);
}
/// <summary>
/// Attempts to authorize the user for the request.
/// </summary>
/// <param name="actionContext">
/// The action context.
/// </param>
public virtual void AuthorizeUser(HttpActionContext actionContext)
{
Log.Verbose("ApiAuthAttribute.OnAuthorization");
string reason = string.Empty;
// Attempt to get credentials from the HTTP authentication header. This could support application auth. or debug scenarios
SecurityCredentials credentials = this.GetCredentialsFromAuthorizationHeader(actionContext);
// If we did not have credentials specifed in the HTTP Authentication header
if (credentials == null)
{
// Attempt to get credentials from the Bing authentication header.
credentials = this.GetCredentialsFromBingHeader(actionContext);
}
bool isAuthorized = false;
if (credentials != null)
{
AuthPayload payload = Security.Authenticate(credentials, this.Flags);
if (payload != null)
{
if (Security.Authorize(payload, this.Roles))
{
isAuthorized = true;
Log.Verbose("User is authorized");
}
else
{
Log.Warn("Unauthorized user");
}
}
}
if (!isAuthorized)
{
if (this.AllowAnonymous)
{
var roles = new[] { "reader" };
Security.SetAnonymous(roles);
}
else
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
{
ReasonPhrase =
reason
};
}
}
}
/// <summary>
/// The is authorized.
/// </summary>
/// <param name="payload">
/// The payload.
/// </param>
/// <param name="roles">
/// The roles.
/// </param>
/// <returns>
/// The <see cref="bool"/>.
/// </returns>
public bool IsAuthorized(AuthPayload payload, string[] roles)
{
bool result = false;
Dictionary <string, string> parameters =
SimpleWebTokenValidator.ExtractTokenProperties(payload.CustomIdentity.PresentedClientToken);
if (String.Equals(parameters["Audience"],
String.Format(ResourceTemplate, roles[0]), StringComparison.OrdinalIgnoreCase) == true)
{
result = true;
}
return(result);
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The user credentials.
/// </param>
/// <param name="flags">the flags</param>
/// <returns>
/// The auth payload
/// </returns>
internal static AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
AuthPayload result = null;
if (authorizers.ContainsKey(credentials.SecurityProviderName) == true)
{
ISecurityProvider securityProvider = authorizers[credentials.SecurityProviderName];
result = securityProvider.Authenticate(credentials, flags);
}
else
{
Log.Warn("Unregistered security provider was specified: {0}", credentials.SecurityProviderName);
}
return(result);
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The credentials.
/// </param>
/// <param name="flags">A general purpose flags set </param>
/// <returns>
/// The <see cref="AuthPayload"/>.
/// </returns>
public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
bool useExternalIdentity = flags != null && flags.Contains("UseExternalIdentity");
if (credentials == null)
{
// || string.IsNullOrWhiteSpace(credentials.IdentificationCode))
throw new Exception("The LomoSecurityProvider.Authenticate() method was called with invalid Credentials.");
}
var externalIdentityInfo = Authentication.BingSocialAccessorRepository.GetUserAccountInfo(credentials.Token);
if (externalIdentityInfo != null && externalIdentityInfo.UserId != null)
{
User user = null;
if (!useExternalIdentity)
{
user = this.CreateOrGetInternalUser(externalIdentityInfo);
}
Guid userId = default(Guid);
var userName = externalIdentityInfo.Name;
var emailAddress = externalIdentityInfo.UserEmail;
if (user != null)
{
userId = user.Id;
if (string.IsNullOrWhiteSpace(userName) && !string.IsNullOrWhiteSpace(user.Name))
{
userName = user.Name;
}
emailAddress = user.Email;
}
var identity = new CustomIdentity(userId, userName, SecurityProvider, externalIdentityInfo.UserId)
{
EmailAddress = emailAddress
};
var payload = new AuthPayload(identity);
return(payload);
}
return(null);
}
/// <summary>
/// The is authorized.
/// </summary>
/// <param name="payload">
/// The payload.
/// </param>
/// <param name="roles">
/// The roles.
/// </param>
/// <returns>
/// The <see cref="bool"/>.
/// </returns>
public bool IsAuthorized(AuthPayload payload, string[] roles)
{
bool result = false;
foreach (string role in roles)
{
KeyValueConfigurationElement roleElement = AuthorizationConfig.Instance.CertificateMap[role];
if (roleElement != null)
{
string[] thumbprints = roleElement.Value.Split(',');
if (thumbprints.Contains(payload.CustomIdentity.PresentedClientToken, StringComparer.OrdinalIgnoreCase) == true)
{
result = true;
break;
}
}
}
return(result);
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The credentials.
/// </param>
/// <param name="flags">
/// A general purpose flags set
/// </param>
/// <returns>
/// The <see cref="AuthPayload"/>.
/// </returns>
public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
AuthPayload result = null;
if (credentials.Token != null)
{
LomoUserIdSecurityToken token = new LomoUserIdSecurityToken(
credentials.Token,
ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenSigningKey],
ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenPassword],
ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenSalt],
Convert.ToUInt64(ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenClockSkew]));
var identity = new CustomIdentity(new Guid(token.UserId), null, credentials.SecurityProviderName);
result = new AuthPayload(identity);
result.CredentialAuthorizationParameters[Resource] = token.Resource;
result.CredentialAuthorizationParameters[Action] = token.Action;
}
return(result);
}
/// <summary>
/// Attempts to authorize the client issuing the request.
/// </summary>
/// <param name="actionContext">
/// The action context.
/// </param>
public void AuthorizeUser(HttpActionContext actionContext)
{
Log.Verbose("MutualSslAuthAttribute.OnAuthorization");
// Attempt to get credentials from the the client certificate.
SecurityCredentials credentials = this.GetCredentialsFromClientCertificate(actionContext);
bool isAuthorized = false;
if (credentials != null)
{
AuthPayload payload = Security.Authenticate(credentials);
if (payload != null)
{
if (Security.Authorize(payload, this.Roles))
{
isAuthorized = true;
Log.Verbose("User is authorized");
}
else
{
Log.Warn("Unauthorized user");
}
}
else
{
Log.Warn("Unable to build auth payload while authenticating credentials.");
}
}
else
{
Log.Warn("Unable to build credentials from client certificate.");
}
if (!isAuthorized)
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
}
/// <summary>
/// The is authorized.
/// </summary>
/// <param name="payload">
/// The payload.
/// </param>
/// <param name="roles">
/// The roles.
/// </param>
/// <returns>
/// The <see cref="bool"/>.
/// </returns>
public bool IsAuthorized(AuthPayload payload, string[] roles)
{
return(payload != null); // TODO
}
