|
public AddIdentity ( |
||
| identity | the |
|
| return | void | |
public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
{
var id = new ClaimsIdentity("ClaimsAuthenticationManager");
id.AddClaim(new Claim(ClaimTypes.Role, "RoleFromClaimsAuthManager", null, "ClaimsAuthenticationManagerMock"));
incomingPrincipal.AddIdentity(id);
return incomingPrincipal;
}
/// <summary>
/// Add an additional ClaimsIdentity to the ClaimsPrincipal in the "server.User" environment key
/// </summary>
/// <param name="identity"></param>
public void AddUserIdentity(IIdentity identity)
{
if (identity == null)
{
throw new ArgumentNullException("identity");
}
var newClaimsPrincipal = new ClaimsPrincipal(identity);
IPrincipal existingPrincipal = _context.Request.User;
if (existingPrincipal != null)
{
var existingClaimsPrincipal = existingPrincipal as ClaimsPrincipal;
if (existingClaimsPrincipal == null)
{
IIdentity existingIdentity = existingPrincipal.Identity;
if (existingIdentity.IsAuthenticated)
{
newClaimsPrincipal.AddIdentity(existingIdentity as ClaimsIdentity ?? new ClaimsIdentity(existingIdentity));
}
}
else
{
foreach (var existingClaimsIdentity in existingClaimsPrincipal.Identities)
{
if (existingClaimsIdentity.IsAuthenticated)
{
newClaimsPrincipal.AddIdentity(existingClaimsIdentity);
}
}
}
}
_context.Request.User = newClaimsPrincipal;
}
public async Task handler_should_throw_exception_with_existing_device()
{
var command = new CreateDevice
{
Id = "device1",
Enabled = true,
Password = "******"
};
var userName = "******";
var httpContext = new DefaultHttpContext();
var user = new System.Security.Claims.ClaimsPrincipal();
user.AddIdentity(new System.Security.Claims.ClaimsIdentity(new List <Claim> {
new Claim(ClaimTypes.Name, userName)
}));
httpContext.User = user;
_httpContextAccessor.HttpContext.Returns(httpContext);
var account = new Account()
{
Id = Guid.NewGuid()
};
_accountRepository.GetByUserName(userName).Returns(account);
_deviceRepository.Get(command.Id).Returns(new Device());
Should.Throw <DeviceAlreadyExistsException>(() => _handler.Handle(command, new System.Threading.CancellationToken()));
}
public ActionResult GetAccessToken(string code)
{
var query = new Dictionary<string, string>();
query.Add("client_id", Constants.GITHUB_CLIENT_ID);
query.Add("client_secret", Constants.GITHUB_CLIENT_SEC);
query.Add("code", code);
query.Add("state", Constants.GITHUB_OAUTH_STATE);
// send request
JObject resp = Utility.MakeJsonHttpRequest(Constants.GITHUB_AK_URL, query);
string accessToken = (string)resp["access_token"];
// call sts and return
// build cliam
var claim = new ClaimsPrincipal();
var id = new ClaimsIdentity();
id.AddClaim(new Claim(Constants.CLAIM_TYPE_GITHUB_AK, accessToken));
claim.AddIdentity(id);
// send claim
var sigingCredentials = new X509SigningCredentials(Utility.GetCertificate(Constants.CERTIFICATE_NAME));
var config = new SecurityTokenServiceConfiguration(Constants.ISSUER_NAME, sigingCredentials);
var sts = new CustomSecurityTokenService(config);
var requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(Request.Url);
var responesMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, claim, sts);
var formData = responesMessage.WriteFormPost();
return new ContentResult() { Content = formData, ContentType = "text/html" };
}
public async Task Invoke(HttpContext context)
{
var headers = context.Request.Headers;
var claimsPrincipal = new System.Security.Claims.ClaimsPrincipal();
if (!headers.ContainsKey("x-api-key"))
{
context.User = claimsPrincipal;
context.Response.StatusCode = 400;
}
else
{
if (headers["x-api-key"] == apiKey.key)
{
var claim = new Claim(ClaimTypes.Role, "User");
var identity = new ClaimsIdentity();
identity.AddClaim(claim);
claimsPrincipal.AddIdentity(identity);
context.User = claimsPrincipal;
await _next(context);
return;
}
else if (headers["x-api-key"] == apiKey.adminKey)
{
var claim = new Claim(ClaimTypes.Role, "Admin");
var identity = new ClaimsIdentity();
identity.AddClaim(claim);
claimsPrincipal.AddIdentity(identity);
context.User = claimsPrincipal;
await _next(context);
return;
}
else
{
context.Response.StatusCode = 403;
}
}
//var watch = new Stopwatch();
//watch.Start();
//await _next(context);
//context.Response.Headers.Add("X-Processing-Time-Milliseconds",
//new[] { watch.ElapsedMilliseconds.ToString() });
}
public void AddingPreservesNewIdentitiesAndDropsEmpty()
{
var context = new DefaultHttpContext();
var existingPrincipal = new ClaimsPrincipal(new ClaimsIdentity());
var identityNoAuthTypeWithClaim = new ClaimsIdentity();
identityNoAuthTypeWithClaim.AddClaim(new Claim("identityNoAuthTypeWithClaim", "yes"));
existingPrincipal.AddIdentity(identityNoAuthTypeWithClaim);
var identityEmptyWithAuthType = new ClaimsIdentity("empty");
existingPrincipal.AddIdentity(identityEmptyWithAuthType);
context.User = existingPrincipal;
context.User.Identity.IsAuthenticated.ShouldBe(false);
var newPrincipal = new ClaimsPrincipal();
var newEmptyIdentity = new ClaimsIdentity();
var identityTwo = new ClaimsIdentity("yep");
newPrincipal.AddIdentity(newEmptyIdentity);
newPrincipal.AddIdentity(identityTwo);
SecurityHelper.AddUserPrincipal(context, newPrincipal);
// Preserve newPrincipal order
context.User.Identity.IsAuthenticated.ShouldBe(false);
context.User.Identity.Name.ShouldBe(null);
var principal = context.User;
principal.Identities.Count().ShouldBe(4);
principal.Identities.Skip(0).First().ShouldBe(newEmptyIdentity);
principal.Identities.Skip(1).First().ShouldBe(identityTwo);
principal.Identities.Skip(2).First().ShouldBe(identityNoAuthTypeWithClaim);
principal.Identities.Skip(3).First().ShouldBe(identityEmptyWithAuthType);
// This merge should drop newEmptyIdentity since its empty
SecurityHelper.AddUserPrincipal(context, new GenericPrincipal(new GenericIdentity("Test3", "Gamma"), new string[0]));
context.User.Identity.AuthenticationType.ShouldBe("Gamma");
context.User.Identity.Name.ShouldBe("Test3");
principal = context.User;
principal.Identities.Count().ShouldBe(4);
principal.Identities.Skip(0).First().Name.ShouldBe("Test3");
principal.Identities.Skip(1).First().ShouldBe(identityTwo);
principal.Identities.Skip(2).First().ShouldBe(identityNoAuthTypeWithClaim);
principal.Identities.Skip(3).First().ShouldBe(identityEmptyWithAuthType);
}
public static void SetFakeUser(this Controller controller, string userId)
{
SetFakeHttpContextIfNotAlreadySet(controller);
var claimsPrincipal = new ClaimsPrincipal();
claimsPrincipal.AddIdentity(new ClaimsIdentity(new List<Claim> { new Claim(ClaimTypes.NameIdentifier, userId) }));
Mock.Get(controller.HttpContext).SetupGet(httpContext => httpContext.User).Returns(claimsPrincipal);
}
public async Task Invoke(HttpContext context)
{
var claimsPrincipal = new System.Security.Claims.ClaimsPrincipal();
var headers = context.Request.Headers;
if (!headers.ContainsKey("x-api-key"))
{
context.User = claimsPrincipal;
context.Response.StatusCode = 400;
}
else
{
if (headers["x-api-key"] == _apiKey.key)
{
var claim = new Claim(ClaimTypes.Role, "User");
var identity = new ClaimsIdentity();
identity.AddClaim(claim);
claimsPrincipal.AddIdentity(identity);
context.User = claimsPrincipal;
await _next(context);
return;
}
else if (headers["x-api-key"] == _apiKey.adminKey)
{
var claim = new Claim(ClaimTypes.Role, "Admin");
var identity = new ClaimsIdentity();
identity.AddClaim(claim);
claimsPrincipal.AddIdentity(identity);
context.User = claimsPrincipal;
await _next(context);
return;
}
else
{
context.User = claimsPrincipal;
context.Response.StatusCode = 403;
}
}
}
public void AddingPreservesNewIdentitiesAndDropsEmpty()
{
var existingPrincipal = new ClaimsPrincipal(new ClaimsIdentity());
var identityNoAuthTypeWithClaim = new ClaimsIdentity();
identityNoAuthTypeWithClaim.AddClaim(new Claim("identityNoAuthTypeWithClaim", "yes"));
existingPrincipal.AddIdentity(identityNoAuthTypeWithClaim);
var identityEmptyWithAuthType = new ClaimsIdentity("empty");
existingPrincipal.AddIdentity(identityEmptyWithAuthType);
Assert.False(existingPrincipal.Identity.IsAuthenticated);
var newPrincipal = new ClaimsPrincipal();
var newEmptyIdentity = new ClaimsIdentity();
var identityTwo = new ClaimsIdentity("yep");
newPrincipal.AddIdentity(newEmptyIdentity);
newPrincipal.AddIdentity(identityTwo);
var user = SecurityHelper.MergeUserPrincipal(existingPrincipal, newPrincipal);
// Preserve newPrincipal order
Assert.False(user.Identity.IsAuthenticated);
Assert.Null(user.Identity.Name);
Assert.Equal(4, user.Identities.Count());
Assert.Equal(newEmptyIdentity, user.Identities.Skip(0).First());
Assert.Equal(identityTwo, user.Identities.Skip(1).First());
Assert.Equal(identityNoAuthTypeWithClaim, user.Identities.Skip(2).First());
Assert.Equal(identityEmptyWithAuthType, user.Identities.Skip(3).First());
// This merge should drop newEmptyIdentity since its empty
user = SecurityHelper.MergeUserPrincipal(user, new GenericPrincipal(new GenericIdentity("Test3", "Gamma"), new string[0]));
Assert.Equal("Gamma", user.Identity.AuthenticationType);
Assert.Equal("Test3", user.Identity.Name);
Assert.Equal(4, user.Identities.Count());
Assert.Equal("Test3", user.Identities.Skip(0).First().Name);
Assert.Equal(identityTwo, user.Identities.Skip(1).First());
Assert.Equal(identityNoAuthTypeWithClaim, user.Identities.Skip(2).First());
Assert.Equal(identityEmptyWithAuthType, user.Identities.Skip(3).First());
}
public static void SetFakeUserAndUserType(this Controller controller, string userId, UserType userType)
{
SetFakeHttpContextIfNotAlreadySet(controller);
var claimsPrincipal = new ClaimsPrincipal();
claimsPrincipal.AddIdentity(new ClaimsIdentity(new List<Claim>
{
new Claim(ClaimTypes.NameIdentifier, userId),
new Claim(AllReady.Security.ClaimTypes.UserType, Enum.GetName(typeof (UserType), userType))
}));
Mock.Get(controller.HttpContext).SetupGet(httpContext => httpContext.User).Returns(claimsPrincipal);
}
public static ClaimsPrincipal ClaimsPrincipal(string userName = null)
{
var currentIdentity = Thread.CurrentPrincipal.Identity;
var name = userName ?? currentIdentity.Name;
var identity = new ClaimsIdentity();
identity.AddClaim(new Claim("nameidentifier",name));
var principal = new ClaimsPrincipal();
principal.AddIdentity(identity);
return principal;
}
public void OrgAdminsCanEditAllReadyTasks()
{
var claimsPrincipal = new ClaimsPrincipal();
claimsPrincipal.AddIdentity(new ClaimsIdentity(new List<Claim>
{
new Claim(ClaimTypes.NameIdentifier, "1"),
new Claim(AllReady.Security.ClaimTypes.UserType, Enum.GetName(typeof (UserType), UserType.OrgAdmin))
}));
var sut = new DetermineIfATaskIsEditable();
var result = sut.For(claimsPrincipal, null, null);
Assert.True(result);
}
public ClaimsPrincipal ValidateUser(string token)
{
try
{
//Claims don't deserialize :(
//var jwttoken = JsonWebToken.DecodeToObject<JwtToken>(token, configProvider.GetAppSetting("securekey"));
var decodedtoken = JsonWebToken.DecodeToObject(token, _configProvider.GetAppSetting("securekey")) as Dictionary<string, object>;
if (decodedtoken == null)
return null;
var jwttoken = new JwtToken()
{
Audience = (string)decodedtoken["Audience"],
Issuer = (string)decodedtoken["Issuer"],
Expiry = DateTime.Parse(decodedtoken["Expiry"].ToString()),
};
if (decodedtoken.ContainsKey("Claims"))
{
var claims = new List<Claim>();
for (int i = 0; i < ((ArrayList)decodedtoken["Claims"]).Count; i++)
{
var type = ((Dictionary<string, object>)((ArrayList)decodedtoken["Claims"])[i])["Type"].ToString();
var value = ((Dictionary<string, object>)((ArrayList)decodedtoken["Claims"])[i])["Value"].ToString();
claims.Add(new Claim(type, value));
}
jwttoken.Claims = claims;
}
if (jwttoken.Expiry < DateTime.UtcNow)
{
return null;
}
//TODO Tidy on 3.8 Mono release
var claimsPrincipal = new ClaimsPrincipal();
var claimsIdentity = new ClaimsIdentity("Token");
claimsIdentity.AddClaims(jwttoken.Claims);
claimsPrincipal.AddIdentity(claimsIdentity);
return claimsPrincipal;
}
catch (Exception)
{
return null;
}
}
public async Task InteropWithNewCookieContainsIdentity()
{
var user = new ClaimsPrincipal();
var identity = new ClaimsIdentity("scheme");
identity.AddClaim(new Claim(ClaimTypes.Name, "Alice"));
user.AddIdentity(identity);
var dataProtection = DataProtectionProvider.Create(new DirectoryInfo("..\\..\\artifacts"));
var dataProtector = dataProtection.CreateProtector(
"Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware", // full name of the ASP.NET Core type
CookieAuthenticationDefaults.AuthenticationType, "v2");
var builder = new WebHostBuilder()
.Configure(app =>
{
app.UseCookieAuthentication(new AspNetCore.Builder.CookieAuthenticationOptions
{
DataProtectionProvider = dataProtection
});
app.Run(context => context.Authentication.SignInAsync("Cookies", user));
})
.ConfigureServices(services => services.AddAuthentication());
var newServer = new AspNetCore.TestHost.TestServer(builder);
var cookie = await SendAndGetCookie(newServer, "http://example.com/login");
var server = TestServer.Create(app =>
{
app.Properties["host.AppName"] = "Microsoft.Owin.Security.Tests";
app.UseCookieAuthentication(new Owin.Security.Cookies.CookieAuthenticationOptions
{
TicketDataFormat = new AspNetTicketDataFormat(new DataProtectorShim(dataProtector)),
CookieName = AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.CookiePrefix
+ AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme,
});
app.Run(async context =>
{
var result = await context.Authentication.AuthenticateAsync("Cookies");
Describe(context.Response, result);
});
});
var transaction2 = await SendAsync(server, "http://example.com/me/Cookies", cookie);
Assert.Equal("Alice", FindClaimValue(transaction2, ClaimTypes.Name));
}
/// <summary>
/// Add an additional ClaimsIdentity to the ClaimsPrincipal
/// </summary>
/// <param name="identity"></param>
public static void AddUserIdentity([NotNull] HttpContext context, [NotNull] IIdentity identity)
{
var newClaimsPrincipal = new ClaimsPrincipal(identity);
ClaimsPrincipal existingPrincipal = context.User;
if (existingPrincipal != null)
{
foreach (var existingClaimsIdentity in existingPrincipal.Identities)
{
if (existingClaimsIdentity.IsAuthenticated)
{
newClaimsPrincipal.AddIdentity(existingClaimsIdentity);
}
}
}
context.User = newClaimsPrincipal;
}
public void AllReadyTaskThatHasInstanceOfEventAndEventHasInstanceOfCampaignAndCampaignHasInstanceOfOrganizerAndOrganizerIdEqualsUserIdIsEditable()
{
const string userId = "1";
var claimsPrincipal = new ClaimsPrincipal();
claimsPrincipal.AddIdentity(new ClaimsIdentity(new List<Claim>
{
new Claim(ClaimTypes.NameIdentifier, "1"),
new Claim(AllReady.Security.ClaimTypes.UserType, Enum.GetName(typeof (UserType), UserType.BasicUser))
}));
var allReadyTask = new AllReadyTask { Event = new Event { Campaign = new Campaign { Organizer = new ApplicationUser { Id = userId }}}};
var sut = new DetermineIfATaskIsEditable();
var result = sut.For(claimsPrincipal, allReadyTask, null);
Assert.True(result);
}
public void Ctor_IPrincipal()
{
var baseId = new ClaimsIdentity(
new List<Claim> { new Claim("claim_type", "claim_value") },
"");
var basePrincipal = new ClaimsPrincipal();
basePrincipal.AddIdentity(baseId);
var cp = new ClaimsPrincipal(basePrincipal);
Assert.NotNull(cp.Identities);
Assert.Equal(1, cp.Identities.Count());
Assert.Same(baseId, cp.Identities.First());
Assert.Same(baseId, cp.Identity);
Assert.NotNull(cp.Claims);
Assert.Equal(1, cp.Claims.Count());
Assert.True(cp.Claims.Any(claim => claim.Type == "claim_type" && claim.Value == "claim_value"), "#7");
}
public async Task handler_should_create_device_with_correct_data()
{
var command = new CreateDevice
{
Id = "device1",
Enabled = true,
Password = "******"
};
var userName = "******";
var httpContext = new DefaultHttpContext();
var user = new System.Security.Claims.ClaimsPrincipal();
user.AddIdentity(new System.Security.Claims.ClaimsIdentity(new List <Claim> {
new Claim(ClaimTypes.Name, userName)
}));
httpContext.User = user;
_httpContextAccessor.HttpContext.Returns(httpContext);
var account = new Account()
{
Id = Guid.NewGuid()
};
_accountRepository.GetByUserName(userName).Returns(account);
_deviceRepository.Get(command.Id).Returns((Device)null);
await _handler.Handle(command, new System.Threading.CancellationToken());
await _deviceRepository.Received().Create(Arg.Is <Device>(d =>
d.Id == command.Id &&
d.Enabled == command.Enabled));
await _accountDeviceRepository.Received().Create(Arg.Is <AccountDevice>(ad =>
ad.DeviceId == command.Id &&
ad.AccountId == account.Id));
await _hiveMqCredentialsService.Received().AddCredentials(command.Id, command.Password);
}
public async Task handler_should_return_device_with_correct_data()
{
var command = new GetDevice
{
Id = "device1",
};
var userName = "******";
var httpContext = new DefaultHttpContext();
var user = new System.Security.Claims.ClaimsPrincipal();
user.AddIdentity(new System.Security.Claims.ClaimsIdentity(new List <Claim> {
new Claim(ClaimTypes.Name, userName)
}));
httpContext.User = user;
_httpContextAccessor.HttpContext.Returns(httpContext);
var account = new Account()
{
Id = Guid.NewGuid()
};
_accountRepository.GetByUserName(userName).Returns(account);
var device = new Device {
Id = command.Id
};
var accountDevice = new AccountDevice {
AccountId = account.Id, DeviceId = device.Id
};
_accountDeviceRepository.Get((account.Id, device.Id)).Returns(accountDevice);
_deviceRepository.Get(command.Id).Returns(device);
var deviceDto = await _handler.Handle(command, new System.Threading.CancellationToken());
deviceDto.Id.ShouldBe(device.Id);
}
/// <inheritdoc />
public virtual async Task OnAuthorizationAsync([NotNull] AuthorizationContext context)
{
// Build a ClaimsPrincipal with the Policy's required authentication types
if (Policy.ActiveAuthenticationSchemes != null && Policy.ActiveAuthenticationSchemes.Any())
{
var newPrincipal = new ClaimsPrincipal();
foreach (var scheme in Policy.ActiveAuthenticationSchemes)
{
var result = (await context.HttpContext.Authentication.AuthenticateAsync(scheme))?.Principal;
if (result != null)
{
newPrincipal.AddIdentities(result.Identities);
}
}
// If all schemes failed authentication, provide a default identity anyways
if (newPrincipal.Identity == null)
{
newPrincipal.AddIdentity(new ClaimsIdentity());
}
context.HttpContext.User = newPrincipal;
}
// Allow Anonymous skips all authorization
if (context.Filters.Any(item => item is IAllowAnonymous))
{
return;
}
var httpContext = context.HttpContext;
var authService = httpContext.RequestServices.GetRequiredService<IAuthorizationService>();
// Note: Default Anonymous User is new ClaimsPrincipal(new ClaimsIdentity())
if (httpContext.User == null ||
!httpContext.User.Identities.Any(i => i.IsAuthenticated) ||
!await authService.AuthorizeAsync(httpContext.User, context, Policy))
{
context.Result = new ChallengeResult(Policy.ActiveAuthenticationSchemes.ToArray());
}
}
public void InteropSerializerCanReadNewTicket()
{
var user = new ClaimsPrincipal();
var identity = new ClaimsIdentity("scheme");
identity.AddClaim(new Claim("Test", "Value"));
user.AddIdentity(identity);
var expires = DateTime.Today;
var issued = new DateTime(1979, 11, 11);
var properties = new Http.Authentication.AuthenticationProperties();
properties.IsPersistent = true;
properties.RedirectUri = "/redirect";
properties.Items["key"] = "value";
properties.ExpiresUtc = expires;
properties.IssuedUtc = issued;
var newTicket = new AuthenticationTicket(user, properties, "scheme");
var newSerializer = new TicketSerializer();
var bytes = newSerializer.Serialize(newTicket);
var interopSerializer = new AspNetTicketSerializer();
var interopTicket = interopSerializer.Deserialize(bytes);
Assert.NotNull(interopTicket);
var newIdentity = interopTicket.Identity;
Assert.NotNull(newIdentity);
Assert.Equal("scheme", newIdentity.AuthenticationType);
Assert.True(newIdentity.HasClaim(c => c.Type == "Test" && c.Value == "Value"));
Assert.NotNull(interopTicket.Properties);
Assert.True(interopTicket.Properties.IsPersistent);
Assert.Equal("/redirect", interopTicket.Properties.RedirectUri);
Assert.Equal("value", interopTicket.Properties.Dictionary["key"]);
Assert.Equal(expires, interopTicket.Properties.ExpiresUtc);
Assert.Equal(issued, interopTicket.Properties.IssuedUtc);
}
public void Should_Override_User_In_Owin_Environment()
{
//Given
var fakeTokenValidator = A.Fake<ITokenValidator>();
var secureuser = new ClaimsPrincipal();
var claimsIdentity = new ClaimsIdentity("Token");
claimsIdentity.AddClaim(new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "DumbUser"));
secureuser.AddIdentity(claimsIdentity);
A.CallTo(() => fakeTokenValidator.ValidateUser(A<string>.Ignored))
.Returns(secureuser);
var owinhttps = GetStatelessAuth(GetNextFunc(), tokenValidator: fakeTokenValidator);
//TODO Tidy on 3.8 Mono release
var overriddenUser = new ClaimsPrincipal();
var overriddenIdentity = new ClaimsIdentity("Token");
overriddenIdentity.AddClaim(new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Administrator"));
overriddenUser.AddIdentity(overriddenIdentity);
var environment = new Dictionary<string, object>
{
{ "owin.RequestHeaders", new Dictionary<string, string[]>() { { "Authorization", new[] { "mysecuretoken" } } } },
{ "owin.RequestPath", "/" },
{ "owin.RequestMethod", "GET" },
{ ServerUser, overriddenUser }
};
//When
var task = owinhttps.Invoke(environment);
//Then
var user = environment[ServerUser] as ClaimsPrincipal;
//TODO Tidy on 3.8 Mono release
Assert.True(user.HasClaim(x => x.Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" && x.Value == "DumbUser"));
}
private AuthorizationContext GetAuthorizationContext(Action<ServiceCollection> registerServices, bool anonymous = false)
{
var validUser = new ClaimsPrincipal(
new ClaimsIdentity(
new Claim[] {
new Claim("Permission", "CanViewPage"),
new Claim(ClaimTypes.Role, "Administrator"),
new Claim(ClaimTypes.Role, "User"),
new Claim(ClaimTypes.NameIdentifier, "John")},
"Basic"));
validUser.AddIdentity(
new ClaimsIdentity(
new Claim[] {
new Claim("Permission", "CupBearer"),
new Claim(ClaimTypes.Role, "Token"),
new Claim(ClaimTypes.NameIdentifier, "John Bear")},
"Bearer"));
// ServiceProvider
var serviceCollection = new ServiceCollection();
if (registerServices != null)
{
registerServices(serviceCollection);
}
var serviceProvider = serviceCollection.BuildServiceProvider();
// HttpContext
var httpContext = new Mock<HttpContext>();
httpContext.SetupProperty(c => c.User);
if (!anonymous)
{
httpContext.Object.User = validUser;
}
httpContext.SetupGet(c => c.RequestServices).Returns(serviceProvider);
// AuthorizationContext
var actionContext = new ActionContext(
httpContext: httpContext.Object,
routeData: new RouteData(),
actionDescriptor: null
);
var authorizationContext = new AuthorizationContext(
actionContext,
Enumerable.Empty<IFilter>().ToList()
);
return authorizationContext;
}
public async Task InteropWithNewCookieContainsIdentity()
{
var user = new ClaimsPrincipal();
var identity = new ClaimsIdentity("scheme");
identity.AddClaim(new Claim(ClaimTypes.Name, "Alice"));
user.AddIdentity(identity);
var dataProtection = new DataProtection.DataProtectionProvider(new DirectoryInfo("..\\..\\artifacts"));
var newServer = TestHost.TestServer.Create(app =>
{
app.UseCookieAuthentication(options => options.DataProtectionProvider = dataProtection);
app.Run(context => context.Authentication.SignInAsync("Cookies", user));
}, services => services.AddAuthentication());
var cookie = await SendAndGetCookie(newServer, "http://example.com/login");
var server = TestServer.Create(app =>
{
app.Properties["host.AppName"] = "Microsoft.Owin.Security.Tests";
app.UseCookieAuthentication(new CookieAuthenticationOptions(), dataProtection);
app.Run(async context =>
{
var result = await context.Authentication.AuthenticateAsync("Cookies");
Describe(context.Response, result);
});
});
var transaction2 = await SendAsync(server, "http://example.com/me/Cookies", cookie);
Assert.Equal("Alice", FindClaimValue(transaction2, ClaimTypes.Name));
}
public void IPrincipalCtorClaimsPrincipalWithMultipleIdentitiesWorks ()
{
var baseId1 = new ClaimsIdentity ("baseId1");
var baseId2 = new GenericIdentity ("generic_name", "baseId2");
var baseId3 = WindowsIdentity.GetAnonymous ();
var basePrincipal = new ClaimsPrincipal (baseId1);
basePrincipal.AddIdentity (baseId2);
basePrincipal.AddIdentity (baseId3);
var p = new ClaimsPrincipal (basePrincipal);
Assert.IsNotNull (p.Identities, "#1");
Assert.AreEqual (3, p.Identities.Count (), "#2");
Assert.IsNotNull (p.Claims, "#3");
Assert.AreEqual (1, p.Claims.Count (), "#4");
// The Identity property favours WindowsIdentity
Assert.AreEqual (baseId3, p.Identity, "#5");
Assert.IsTrue (p.Claims.Any (claim => claim.Type == ClaimsIdentity.DefaultNameClaimType && claim.Value == "generic_name"), "#6");
Assert.AreEqual (baseId2.Claims.First (), p.Claims.First (), "#7");
}
public void IPrincipalCtorClaimsPrincipalWorks ()
{
var baseId = new ClaimsIdentity (
new List<Claim> { new Claim ("claim_type", "claim_value") },
"");
var basePrincipal = new ClaimsPrincipal ();
basePrincipal.AddIdentity (baseId);
var p = new ClaimsPrincipal (basePrincipal);
Assert.IsNotNull (p.Identities, "#1");
Assert.AreEqual (1, p.Identities.Count (), "#2");
Assert.AreEqual (baseId, p.Identities.First (), "#3");
Assert.AreEqual (baseId, p.Identity, "#4");
Assert.IsNotNull (p.Claims, "$5");
Assert.AreEqual (1, p.Claims.Count (), "#6");
Assert.IsTrue (p.Claims.Any (claim => claim.Type == "claim_type" && claim.Value == "claim_value"), "#7");
}
/// <summary>
/// Clones a principal by filtering its identities.
/// </summary>
/// <param name="principal">The <see cref="ClaimsPrincipal"/> instance to filter.</param>
/// <param name="filter">
/// The delegate filtering the claims: return <c>true</c>
/// to accept the claim, <c>false</c> to remove it.
/// </param>
public static ClaimsPrincipal Clone(this ClaimsPrincipal principal, Func<Claim, bool> filter) {
if (principal == null) {
throw new ArgumentNullException(nameof(principal));
}
if (filter == null) {
throw new ArgumentNullException(nameof(filter));
}
var clone = new ClaimsPrincipal();
foreach (var identity in principal.Identities) {
clone.AddIdentity(identity.Clone(filter));
}
return clone;
}
/// <summary>
/// Begins handling the current user, whether to create the user in the database.
/// </summary>
/// <param name="context">The owin context</param>
/// <returns>An awaitable task</returns>
public async override Task Invoke(IOwinContext context)
{
try
{
if (context.IsOptionsRequest())
{
await Next.Invoke(context);
return;
}
logger.Debug("Method: Invoke, BEGIN");
logger.Trace("Request is preflight request?: {0}", context.IsOptionsRequest());
var identity = context.Authentication.User.Identity;
var username = identity.Name.Substring(identity.Name.LastIndexOf(@"\", StringComparison.OrdinalIgnoreCase) + 1);
logger.Trace("Trying to retrieve user {0} from the database", username);
var user = await userDatabaseRepository.Get(username);
var error = false;
var roles = new List<Role>();
if (!user.HasValue)
{
logger.Trace("User {0} does not exist in database", username);
logger.Trace("Retrieve \"User\" role from database");
var role = (await roleRepository.GetAll())
.FirstOrDefault(r => r.Name.Equals("User", StringComparison.OrdinalIgnoreCase));
roles.Add(role);
Debug.Assert(role != null, "Must have a predefined role: \"User\"");
logger.Trace("Retrieve user information from Active Directory");
var adUser = await userActiveDirectoryRepository.Get(username);
error = await adUser.Match(async u =>
{
logger.Trace("User info retrieved from Active Directory!");
u.Roles = roles;
logger.Trace("Creating user {0} in the database", username);
var onCreated = new Func<User, Task<bool>>(createdUser =>
{
return Task.FromResult(true);
});
var created = await userDatabaseRepository.Create(u, onCreated);
if (!created.HasValue)
{
// Error, couldn't create user in DB
logger.Error("Could not create user {0} in the database!", username);
return true;
}
logger.Trace("Created user {0} in the database!", username);
user = created;
return false;
},
() =>
{
// Error user, does not exist in AD
logger.Error("No user information for {0} in Active Directory!", username);
return Task.FromResult(true);
});
}
if (error)
{
logger.Trace("Returning with error 500. Reason given earlier");
context.Response.StatusCode = (int)HttpStatusCode.InternalServerError;
return;
}
// Set principal roles
var actualUser = user.ValueOrFailure();
logger.Trace("Extracting user {1} with ID {0}...", actualUser.ID, username);
//// Note: .NET Framework 1.1 and onwards IsInRole is case-insensitive!
//// source: https://msdn.microsoft.com/en-us/library/fs485fwh(v=vs.110).aspx
logger.Trace("Setting authenticated user to principal");
var claimsPrincipal = new ClaimsPrincipal();
var claimsIdentity = new ClaimsIdentity(AuthenticationTypes.Windows);
logger.Trace("Filtering out the claims...");
var claims = context.Authentication.User.Claims.Where(c => !c.Type.Equals(ClaimTypes.Name, StringComparison.OrdinalIgnoreCase));
logger.Trace("Adding filtered claims...");
claimsIdentity.AddClaims(claims);
logger.Trace("Setting claim to username: {0}", actualUser.Username);
claimsIdentity.AddClaim(new Claim(ClaimTypes.Name, actualUser.Username));
foreach (var role in actualUser.Roles)
{
logger.Trace("Adding role \"{0}\" to claims", role.Name);
claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, role.Name));
}
logger.Trace("Adding identity to principal...");
claimsPrincipal.AddIdentity(claimsIdentity);
logger.Trace("Setting context to principal...");
context.Authentication.User = claimsPrincipal;
logger.Trace("Saving user in owin context: ({0}, {1})...", Constants.CURRENT_USER, actualUser.Username);
context.Set(Constants.CURRENT_USER, actualUser);
logger.Trace("Proceeding with the owin middleware pipeline");
await Next.Invoke(context);
logger.Debug("Method: Invoke, END");
}
catch (Exception ex)
{
logger.Error(ex);
throw;
}
}
internal static async Task<AuthorizationCode> FromDbFormat(StoredAuthorizationCode code, IAsyncDocumentSession s, IScopeStore scopeStore)
{
var result = new AuthorizationCode
{
CreationTime = code.CreationTime,
IsOpenId = code.IsOpenId,
RedirectUri = code.RedirectUri,
WasConsentShown = code.WasConsentShown,
Nonce = code.Nonce,
Client = Data.StoredClient.FromDbFormat(await s.LoadAsync<Data.StoredClient>("clients/" + code.Client)),
CodeChallenge = code.CodeChallenge,
CodeChallengeMethod = code.CodeChallengeMethod,
SessionId = code.SessionId,
RequestedScopes = await scopeStore.FindScopesAsync(code.RequestedScopes)
};
var claimsPrinciple = new ClaimsPrincipal();
foreach (var id in code.Subject)
{
claimsPrinciple.AddIdentity(Data.StoredIdentity.FromDbFormat(id));
}
result.Subject = claimsPrinciple;
return result;
}
private static FormsModel ReadData(JsonReader reader)
{
bool isPersistent;
DateTimeOffset expireUtc;
var principal = new ClaimsPrincipal();
reader
.StartObject()
.Property("p", out isPersistent, true)
.Property("e", out expireUtc, DateTimeOffset.MinValue)
.StartArray("i");
while (reader.TokenType != JsonToken.EndArray)
{
string authenticationType;
string nameClaimType;
string roleClaimType;
var claims = new List<Claim>();
reader
.StartObject()
.Property("at", out authenticationType, null)
.Property("nct", out nameClaimType, ClaimsIdentity.DefaultNameClaimType)
.Property("rct", out roleClaimType, ClaimsIdentity.DefaultRoleClaimType)
.StartArray("c");
while (reader.TokenType != JsonToken.EndArray)
{
string claimType;
string claimValue;
reader
.StartObject()
.Property("t", out claimType, nameClaimType)
.Property("v", out claimValue, null)
.EndObject();
claims.Add(new Claim(claimType, claimValue));
}
reader
.EndArray()
.EndObject();
principal.AddIdentity(new ClaimsIdentity(
claims,
authenticationType,
nameClaimType,
roleClaimType));
}
reader
.EndArray()
.EndObject(final: true);
return new FormsModel
{
IsPersistent = isPersistent,
ExpireUtc = expireUtc,
Principal = principal
};
}
