public void When_Passing_Null_Parameter_Then_Exception_Is_Thrown() { // ARRANGE InitializeFakeObjects(); // ACT & ASSERT Assert.ThrowsAsync <ArgumentNullException>(() => _jwtTokenParser.UnSign(null)); Assert.ThrowsAsync <ArgumentNullException>(() => _jwtTokenParser.UnSign(string.Empty)); }
public async Task <ResourceValidationResult> Execute(string openidProvider, ResourceSet resource, TicketLineParameter ticketLineParameter, ClaimTokenParameter claimTokenParameter) { if (string.IsNullOrWhiteSpace(openidProvider)) { throw new ArgumentNullException(nameof(openidProvider)); } if (resource == null) { throw new ArgumentNullException(nameof(resource)); } if (ticketLineParameter == null) { throw new ArgumentNullException(nameof(ticketLineParameter)); } JwsPayload jwsPayload = null; string subject = null; if (claimTokenParameter != null && claimTokenParameter.Format == Constants.IdTokenType) { var idToken = claimTokenParameter.Token; jwsPayload = await _jwtTokenParser.UnSign(idToken, openidProvider).ConfigureAwait(false); var subjectClaim = jwsPayload.FirstOrDefault(c => c.Key == SimpleIdServer.Core.Jwt.Constants.StandardResourceOwnerClaimNames.Subject); if (!subjectClaim.Equals(default(KeyValuePair <string, object>)) && subjectClaim.Value != null) { subject = subjectClaim.Value.ToString(); } } var validationsResult = new List <AuthorizationPolicyResult>(); var policies = resource.AuthPolicies; if (policies != null && policies.Any()) { foreach (var policy in policies) { if (ticketLineParameter.Scopes.Any(s => !policy.Scopes.Contains(s))) { validationsResult.Add(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized, Policy = policy, ErrorDetails = "the scope is not valid" }); continue; } var clientAuthorizationResult = CheckClients(policy, ticketLineParameter); if (clientAuthorizationResult != null && clientAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized) { validationsResult.Add(clientAuthorizationResult); continue; } var validationResult = CheckClaims(openidProvider, policy, jwsPayload); validationsResult.Add(validationResult); } } var vr = validationsResult.FirstOrDefault(v => v.Type == AuthorizationPolicyResultEnum.Authorized); if (vr != null) { return(new ResourceValidationResult { IsValid = true }); } if (!resource.AcceptPendingRequest) { return(new ResourceValidationResult { IsValid = false, AuthorizationPoliciesResult = validationsResult }); } if (!string.IsNullOrWhiteSpace(subject)) { var pendingRequestLst = await _pendingRequestRepository.Get(resource.Id, subject).ConfigureAwait(false); var pendingRequest = pendingRequestLst.FirstOrDefault(p => ticketLineParameter.Scopes.Count() == p.Scopes.Count() && ticketLineParameter.Scopes.All(s => p.Scopes.Contains(s))); if (pendingRequest == null) { await _pendingRequestRepository.Add(new PendingRequest { Id = Guid.NewGuid().ToString(), CreateDateTime = DateTime.UtcNow, ResourceId = resource.Id, IsConfirmed = false, RequesterSubject = subject, Scopes = ticketLineParameter.Scopes }).ConfigureAwait(false); return(new ResourceValidationResult { IsValid = false, AuthorizationPoliciesResult = new[] { new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.RequestSubmitted, ErrorDetails = "a request has been submitted" } } }); } } return(new ResourceValidationResult { IsValid = false, AuthorizationPoliciesResult = new[] { new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.RequestNotConfirmed, ErrorDetails = "the request is not confirmed by the resource owner" } } }); }
private async Task <AuthorizationPolicyResult> CheckClaims( PolicyRule authorizationPolicy, List <ClaimTokenParameter> claimTokenParameters) { if (authorizationPolicy.Claims == null || !authorizationPolicy.Claims.Any()) { return(null); } if (claimTokenParameters == null || !claimTokenParameters.Any(c => c.Format == IdTokenType)) { return(GetNeedInfoResult(authorizationPolicy.Claims)); } var idToken = claimTokenParameters.First(c => c.Format == IdTokenType); var jwsPayload = await _jwtTokenParser.UnSign(idToken.Token); if (jwsPayload == null) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); } foreach (var claim in authorizationPolicy.Claims) { var payload = jwsPayload .FirstOrDefault(j => j.Key == claim.Type); if (payload.Equals(default(KeyValuePair <string, object>))) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); } if (claim.Type == SimpleIdentityServer.Core.Jwt.Constants.StandardResourceOwnerClaimNames.Role) { IEnumerable <string> roles = null; if (payload.Value is string) { roles = payload.Value.ToString().Split(','); } else { var arr = payload.Value as object[]; var jArr = payload.Value as JArray; if (arr != null) { roles = arr.Select(c => c.ToString()); } if (jArr != null) { roles = jArr.Select(c => c.ToString()); } } if (roles == null || !roles.Any(v => claim.Value == v)) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); } } else { if (payload.Value.ToString() != claim.Value) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); } } } return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.Authorized }); }