public void PostConfigure(string name, JwtBearerOptions options)
{
MonitorApiKeyConfiguration configSnapshot = _apiKeyConfig.CurrentValue;
if (configSnapshot.ValidationErrors.Any())
{
options.SecurityTokenValidators.Add(new RejectAllSecurityValidator());
return;
}
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters
{
// Signing Settings
RequireSignedTokens = true,
ValidAlgorithms = JwtAlgorithmChecker.GetAllowedJwsAlgorithmList(),
// Issuer Settings
ValidateIssuer = false,
ValidateIssuerSigningKey = true,
IssuerSigningKeys = new SecurityKey[] { configSnapshot.PublicKey },
TryAllIssuerSigningKeys = true,
// Audience Settings
ValidateAudience = true,
ValidAudiences = new string[] { AuthConstants.ApiKeyJwtAudience },
// Other Settings
ValidateActor = false,
ValidateLifetime = false,
};
options.TokenValidationParameters = tokenValidationParameters;
}
private void CheckMonitorApiKeyOptions(MonitorApiKeyConfiguration options)
{
// ValidationErrors will be null if API key authentication is not enabled.
if (null != options.ValidationErrors && options.ValidationErrors.Any())
{
_logger.ApiKeyValidationFailures(options.ValidationErrors);
}
else
{
_logger.ApiKeyAuthenticationOptionsValidated();
}
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AuthorizedUserRequirement requirement)
{
if (context.User.Identity.AuthenticationType == AuthConstants.FederationAuthType)
{
// If we get a FederationAuthType (Bearer from a Jwt Token) we need to check that the user has the specified subject claim.
MonitorApiKeyConfiguration configSnapshot = _apiKeyConfig.CurrentValue;
if (context.User.HasClaim(ClaimTypes.NameIdentifier, configSnapshot.Subject))
{
context.Succeed(requirement);
}
}
else if ((context.User.Identity.AuthenticationType == AuthConstants.NtlmSchema) ||
(context.User.Identity.AuthenticationType == AuthConstants.KerberosSchema) ||
(context.User.Identity.AuthenticationType == AuthConstants.NegotiateSchema))
{
// Only supported on Windows
if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
return(Task.CompletedTask);
}
//Negotiate, Kerberos, or NTLM.
//CONSIDER In the future, we may want to have configuration around a dotnet-monitor group sid instead.
//We cannot check the user against BUILTIN\Administrators group membership, since the browser user
//has a deny claim on Administrator group.
//Validate that the user that logged in matches the user that is running dotnet-monitor
//Do not allow at all if running as Administrator.
WindowsIdentity currentUser = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(currentUser);
if (principal.IsInRole(WindowsBuiltInRole.Administrator))
{
return(Task.CompletedTask);
}
Claim currentUserClaim = currentUser.Claims.FirstOrDefault(claim => string.Equals(claim.Type, ClaimTypes.PrimarySid));
if ((currentUserClaim != null) && context.User.HasClaim(currentUserClaim.Type, currentUserClaim.Value))
{
context.Succeed(requirement);
}
}
return(Task.CompletedTask);
}
private void OnMonitorApiKeyOptionsChanged(MonitorApiKeyConfiguration options)
{
CheckMonitorApiKeyOptions(options);
}
private void OnReload(MonitorApiKeyConfiguration options)
{
Interlocked.Exchange(ref _reloadToken, new ConfigurationReloadToken()).OnReload();
}
