// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
//services.AddEntityFramework()
// .AddSqlServer()
// .AddDbContext<ApplicationDbContext>(options =>
// {
// options.UseSqlServer(Configuration["Data:Default"]);
// });
// Add framework services.
services.AddMvc(options =>
{
var builder = new AuthorizationPolicyBuilder();
builder.AddAuthenticationSchemes("Bearer");
builder.AddRequirements(new BearerAuthorizationRequirement());
var policy = builder.Build();
options.Filters.Add(new BearerFilter(policy));
options.Filters.Add(new GlobalExceptionFilter());
});
services.AddInstance <IConfigurationRoot>(Configuration);
}
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
if (policyName.StartsWith(Constants.PERMISSION_POLICY_NAME, StringComparison.OrdinalIgnoreCase))
{
var policy = new AuthorizationPolicyBuilder();
policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme);
policy.RequireAuthenticatedUser();
//policy.RequireAssertion(ctx => IsAuthorized(ctx, GetPermission(policyName)));
return(Task.FromResult(policy.Build()));
}
return(Task.FromResult <AuthorizationPolicy>(null));
}
public AuthorizationPolicy GetGlobalAuthorizationPolicy()
{
AuthorizationPolicyBuilder authorizationPolicyBuilder = new AuthorizationPolicyBuilder();
authorizationPolicyBuilder.RequireAssertion(context =>
{
AuthorizationFilterContext authorizationFilterContext = context.Resource as AuthorizationFilterContext;
return(!authorizationFilterContext.HttpContext.Request.Path.StartsWithSegments(new PathString("/backend")) || context.User.HasClaim(PlatformusClaimTypes.Permission, Permissions.BrowseBackend));
}
);
authorizationPolicyBuilder.AddAuthenticationSchemes(BackendCookieAuthenticationDefaults.AuthenticationScheme);
return(authorizationPolicyBuilder.Build());
}
private static void AddDefaultPolicy(this IServiceCollection services, string[] schemes)
{
var authenticatedPolicyBuilder = new AuthorizationPolicyBuilder();
if (schemes.Any())
{
authenticatedPolicyBuilder = authenticatedPolicyBuilder.AddAuthenticationSchemes(schemes);
authenticatedPolicyBuilder = authenticatedPolicyBuilder.RequireAuthenticatedUser();
}
else
{
authenticatedPolicyBuilder = authenticatedPolicyBuilder.RequireAssertion(_ => true);
}
services.AddAuthorization(o => o.DefaultPolicy = authenticatedPolicyBuilder.Build());
}
private static void AddPolicies(AuthorizationOptions options, IList <IProviderSchemes> schemes)
{
var allRoles = new[]
{
AppRoles.CitizenRole, AppRoles.JudgeRole, AppRoles.RepresentativeRole, AppRoles.CaseAdminRole,
AppRoles.VhOfficerRole, AppRoles.JudicialOfficeHolderRole
};
var rolePolicies = new Dictionary <string, string[]>
{
[AppRoles.JudgeRole] = new[] { AppRoles.JudgeRole },
[AppRoles.VhOfficerRole] = new[] { AppRoles.VhOfficerRole },
["Judicial"] = new[] { AppRoles.JudgeRole, AppRoles.JudicialOfficeHolderRole },
["Individual"] = new[] { AppRoles.CitizenRole, AppRoles.RepresentativeRole },
[AppRoles.RepresentativeRole] = new[] { AppRoles.RepresentativeRole },
[AppRoles.CitizenRole] = new[] { AppRoles.CitizenRole }
};
options.AddPolicy("Callback", new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes("Callback")
.Build());
foreach (var scheme in schemes.SelectMany(s => s.GetProviderSchemes()))
{
options.AddPolicy(scheme, new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.RequireRole(allRoles)
.AddAuthenticationSchemes(scheme)
.Build());
}
foreach (var policy in rolePolicies)
{
var policyBuilder = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.RequireRole(policy.Value);
// TODO: These didnt use to include the EventHubSchemes but should they have?
foreach (var schemeName in schemes.Select(s => s.SchemeName))
{
policyBuilder = policyBuilder.AddAuthenticationSchemes(schemeName);
}
options.AddPolicy(policy.Key, policyBuilder.Build());
}
}
public static void ConfigureJwtToken(IServiceCollection services, IConfiguration configuration)
{
var signingConfigurations = new SigningConfigurations();
services.AddSingleton(signingConfigurations);
var tokenConfigurations = new TokenConfigurations();
new ConfigureFromConfigurationOptions <TokenConfigurations>(
configuration.GetSection("TokenConfigurations"))
.Configure(tokenConfigurations);
services.AddSingleton(tokenConfigurations);
services.AddAuthentication(opt =>
{
opt.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
opt.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(opt =>
{
opt.RequireHttpsMetadata = false;
opt.SaveToken = true;
opt.TokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKey = signingConfigurations.Key,
ValidAudience = tokenConfigurations.Audience,
ValidIssuer = tokenConfigurations.Issuer,
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero
};
});
services.AddAuthorization(opt =>
{
var builder = new AuthorizationPolicyBuilder();
var authPolicy = builder
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser().Build();
opt.AddPolicy("Bearer", authPolicy);
});
}
public override async Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policy = await base.GetPolicyAsync(policyName);
if (policy != null)
{
return(policy);
}
var requirement = new HasScopeRequirement(policyName, configuration["AuthServer:BaseUrl"]);
var builder = new AuthorizationPolicyBuilder()
.AddRequirements(requirement);
if (requirement.Strict)
{
builder.AddAuthenticationSchemes(OAuthValidationDefaults.AuthenticationScheme);
}
return(builder.Build());
}
private static void AddAlternativeRolesPolicy(this IServiceCollection services, string policyName, string[] roles, string[] schemes)
{
var rolePolicyBuilder = new AuthorizationPolicyBuilder();
if (schemes.Any())
{
rolePolicyBuilder = rolePolicyBuilder.AddAuthenticationSchemes(schemes);
rolePolicyBuilder = rolePolicyBuilder.RequireAuthenticatedUser();
rolePolicyBuilder = rolePolicyBuilder.RequireAssertion(ctx =>
ctx?.User?.HasClaim(c =>
string.Equals(c.Type, ClaimTypes.Role, StringComparison.OrdinalIgnoreCase) &&
roles.Any(r => string.Equals(r, c.Value, StringComparison.OrdinalIgnoreCase))) ??
false);
}
else
{
rolePolicyBuilder = rolePolicyBuilder.RequireAssertion(_ => true);
}
services.AddAuthorization(o =>
{
o.AddPolicy(policyName, rolePolicyBuilder.Build());
});
}
private void ConfigureAuthentication(IServiceCollection services)
{
var authenticationBuilder = services.AddAuthentication();
authenticationBuilder.AddCookie(options => options.LoginPath = new PathString("/Account/Login"));
authenticationBuilder.AddOAuthValidation();
var microsoftClientId = this.Configuration["Authentication:Microsoft:ClientId"];
var microsoftClientSecret = this.Configuration["Authentication:Microsoft:ClientSecret"];
if (!string.IsNullOrEmpty(microsoftClientId) && !string.IsNullOrEmpty(microsoftClientSecret))
{
authenticationBuilder.AddMicrosoftAccount(options =>
{
options.ClientId = microsoftClientId;
options.ClientSecret = microsoftClientSecret;
});
}
var facebookAppId = this.Configuration["Authentication:Facebook:AppId"];
var facebookAppSecret = this.Configuration["Authentication:Facebook:AppSecret"];
if (!string.IsNullOrEmpty(facebookAppId) && !string.IsNullOrEmpty(facebookAppSecret))
{
authenticationBuilder.AddFacebook(options =>
{
options.AppId = facebookAppId;
options.AppSecret = facebookAppSecret;
});
}
var googleClientId = this.Configuration["Authentication:Google:ClientId"];
var googleClientSecret = this.Configuration["Authentication:Google:ClientSecret"];
if (!string.IsNullOrEmpty(googleClientId) && !string.IsNullOrEmpty(googleClientSecret))
{
authenticationBuilder.AddGoogle(options =>
{
options.ClientId = googleClientId;
options.ClientSecret = googleClientSecret;
});
}
var twitterConsumerKey = this.Configuration["Authentication:Twitter:ConsumerKey"];
var twitterConsumerSecret = this.Configuration["Authentication:Twitter:ConsumerSecret"];
if (!string.IsNullOrEmpty(twitterConsumerKey) && !string.IsNullOrEmpty(twitterConsumerSecret))
{
authenticationBuilder.AddTwitter(options =>
{
options.ConsumerKey = twitterConsumerKey;
options.ConsumerSecret = twitterConsumerSecret;
});
}
authenticationBuilder.AddScheme <AuthenticationSchemeOptions, MockAuthenticationHandler>("Mock", options => { });
services.AddAuthorization(options =>
{
var policyBuilder = new AuthorizationPolicyBuilder();
policyBuilder.RequireAuthenticatedUser();
// Allow both the application cookies and bearer tokens for auth
policyBuilder.AddAuthenticationSchemes(IdentityConstants.ApplicationScheme, OAuthValidationDefaults.AuthenticationScheme);
// In non-production, allow mock auth as well
if (!this.Environment.IsProduction())
{
policyBuilder.AddAuthenticationSchemes("Mock");
}
options.DefaultPolicy = policyBuilder.Build();
});
}
public static void OpenId(this AuthorizationPolicyBuilder b)
{
b.AddAuthenticationSchemes(IdentityServerConstants.LocalApi.AuthenticationScheme);
b.RequireAuthenticatedUser();
}