public bool IsAuthorized(Operation operation, IRequest req, IAuthSession session)
{
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
if (operation.RequiresAuthentication && !session.IsAuthenticated)
{
return(false);
}
if (!operation.RequiredRoles.IsEmpty() && !operation.RequiredRoles.All(session.HasRole))
{
return(false);
}
if (!operation.RequiredPermissions.IsEmpty() && !operation.RequiredPermissions.All(session.HasPermission))
{
return(false);
}
if (!operation.RequiresAnyRole.IsEmpty() && !operation.RequiresAnyRole.Any(session.HasRole))
{
return(false);
}
if (!operation.RequiresAnyPermission.IsEmpty() && !operation.RequiresAnyPermission.Any(session.HasPermission))
{
return(false);
}
return(true);
}
//For pass-through requests not handled by ServiceStack
public async Task SignInAuthenticatedSessions(NetCoreRequest req)
{
if (!AutoSignInSessionsMatching(req))
{
return;
}
var session = req.GetSession();
if (session.IsAuthenticated)
{
var claims = session.ConvertSessionToClaims(
issuer: Issuer,
roleClaimType: RoleClaimType,
permissionClaimType: PermissionClaimType);
if (HostContext.HasValidAuthSecret(req))
{
claims.Add(new Claim(RoleClaimType, RoleNames.Admin, Issuer));
}
var principal = CreateClaimsPrincipal != null
? CreateClaimsPrincipal(claims, session, req)
: new ClaimsPrincipal(new ClaimsIdentity(claims, AuthenticationType));
req.HttpContext.User = principal;
}
}
public void Authenticate(IRequest req, IResponse res, object requestDto)
{
if (HostContext.HasValidAuthSecret(req))
{
return;
}
//ExecuteBasic(req, res, requestDto); //first check if session is authenticated
//if (res.IsClosed) return; //AuthenticateAttribute already closed the request (ie auth failed)
ValidateUser(req);
}
protected async Task <object> AuthenticateAsync(IServiceBase authService, IAuthSession session, string userName, string password, string referrerUrl, CancellationToken token = default)
{
session = await ResetSessionBeforeLoginAsync(authService, session, userName, token).ConfigAwait();
bool success = false;
var authFeature = HostContext.AppHost.AssertPlugin <AuthFeature>();
if (HostContext.HasValidAuthSecret(authService.Request))
{
if (userName == authFeature.AuthSecretSession.UserName)
{
session = authFeature.AuthSecretSession;
success = true;
}
}
if (!success)
{
success = await TryAuthenticateAsync(authService, userName, password, token).ConfigAwait();
}
if (success)
{
session.IsAuthenticated = true;
if (session.UserAuthName == null)
{
session.UserAuthName = userName;
}
var response = await OnAuthenticatedAsync(authService, session, null, null, token).ConfigAwait();
if (response != null)
{
return(response);
}
return(new AuthenticateResponse
{
UserId = session.UserAuthId,
UserName = userName,
SessionId = session.Id,
DisplayName = session.DisplayName
?? session.UserName
?? $"{session.FirstName} {session.LastName}".Trim(),
ReferrerUrl = referrerUrl
});
}
throw HttpError.Unauthorized(ErrorMessages.InvalidUsernameOrPassword.Localize(authService.Request));
}
public async Task <bool> IsAuthorizedAsync(Operation operation, IRequest req, IAuthSession session)
{
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
if (operation.RequiresAuthentication && !session.IsAuthenticated)
{
return(false);
}
var authRepo = HostContext.AppHost.GetAuthRepositoryAsync(req);
#if NET472 || NETCORE
await using (authRepo as IAsyncDisposable)
#else
using (authRepo as IDisposable)
#endif
{
var allRoles = await session.GetRolesAsync(authRepo).ConfigAwait();
if (!operation.RequiredRoles.IsEmpty() && !operation.RequiredRoles.All(allRoles.Contains))
{
return(false);
}
var allPerms = await session.GetPermissionsAsync(authRepo).ConfigAwait();
if (!operation.RequiredPermissions.IsEmpty() && !operation.RequiredPermissions.All(allPerms.Contains))
{
return(false);
}
if (!operation.RequiresAnyRole.IsEmpty() && !operation.RequiresAnyRole.Any(allRoles.Contains))
{
return(false);
}
if (!operation.RequiresAnyPermission.IsEmpty() && !operation.RequiresAnyPermission.Any(allPerms.Contains))
{
return(false);
}
return(true);
}
}
public bool IsAuthorized(Operation operation, IRequest req, IAuthSession session)
{
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
if (operation.RequiresAuthentication && !session.IsAuthenticated)
{
return(false);
}
var authRepo = HostContext.AppHost.GetAuthRepository(req);
using (authRepo as IDisposable)
{
var allRoles = session.GetRoles(authRepo);
if (!operation.RequiredRoles.IsEmpty() && !operation.RequiredRoles.All(allRoles.Contains))
{
return(false);
}
var allPerms = session.GetPermissions(authRepo);
if (!operation.RequiredPermissions.IsEmpty() && !operation.RequiredPermissions.All(allPerms.Contains))
{
return(false);
}
if (!operation.RequiresAnyRole.IsEmpty() && !operation.RequiresAnyRole.Any(allRoles.Contains))
{
return(false);
}
if (!operation.RequiresAnyPermission.IsEmpty() && !operation.RequiresAnyPermission.Any(allPerms.Contains))
{
return(false);
}
return(true);
}
}
public static HashSet <string> GetUserAttributes(this IRequest request)
{
if (request == null)
{
return(TypeConstants <string> .EmptyHashSet);
}
if (request.Items.TryGetValue(Keywords.Attributes, out var oAttrs))
{
return((HashSet <string>)oAttrs);
}
var authSession = request.GetSession();
var attrs = new HashSet <string>();
if (authSession?.IsAuthenticated == true)
{
attrs.Add("auth");
if (HostContext.HasValidAuthSecret(request))
{
attrs.Add(RoleNames.Admin);
}
var roles = authSession.Roles;
var permissions = authSession.Permissions;
if (roles.IsEmpty() && permissions.IsEmpty())
{
var authRepo = HostContext.AppHost.GetAuthRepository(request);
using (authRepo as IDisposable)
{
if (authRepo is IManageRoles manageRoles)
{
manageRoles.GetRolesAndPermissions(authSession.UserAuthId, out var iroles, out var ipermissions);
roles = iroles.ToList();
permissions = ipermissions.ToList();
}
}
}
if (roles != null)
{
foreach (var role in roles)
{
attrs.Add("role:" + role);
}
}
if (permissions != null)
{
foreach (var perm in permissions)
{
attrs.Add("perm:" + perm);
}
}
if (authSession is IAuthSessionExtended extended)
{
if (extended.Scopes != null)
{
foreach (var item in extended.Scopes)
{
attrs.Add("scope:" + item);
}
}
}
var claims = request.GetClaims();
if (claims != null)
{
foreach (var claim in claims)
{
attrs.Add("claim:" + claim);
}
}
}
request.Items[Keywords.Attributes] = attrs;
return(attrs);
}
public static HashSet <string> GetUserAttributes(this IRequest request)
{
if (request == null)
{
return(TypeConstants <string> .EmptyHashSet);
}
if (request.Items.TryGetValue(Keywords.Attributes, out var oAttrs))
{
return((HashSet <string>)oAttrs);
}
var authSession = request.GetSession();
var attrs = new HashSet <string>();
if (authSession?.IsAuthenticated == true)
{
attrs.Add("auth");
if (HostContext.HasValidAuthSecret(request))
{
attrs.Add(RoleNames.Admin);
}
if (authSession.Roles != null)
{
foreach (var role in authSession.Roles)
{
attrs.Add("role:" + role);
}
}
if (authSession.Permissions != null)
{
foreach (var perm in authSession.Permissions)
{
attrs.Add("perm:" + perm);
}
}
if (authSession is IAuthSessionExtended extended)
{
if (extended.Scopes != null)
{
foreach (var item in extended.Scopes)
{
attrs.Add("scope:" + item);
}
}
}
var claims = request.GetClaims();
if (claims != null)
{
foreach (var claim in claims)
{
attrs.Add("claim:" + claim);
}
}
}
request.Items[Keywords.Attributes] = attrs;
return(attrs);
}