private void ReplacePrincipalWithRoleMappings(object sender, EventArgs e)
{
if (!Request.IsAuthenticated || Context.User is ApiUserPrincipal) return;
var username = Context.User.Identity.Name;
var apiUser = Store.FindByUsername(username);
var isNew = false;
if (apiUser == null)
{
isNew = true;
apiUser = new ApiUser {Username = username};
}
var origRoles = (apiUser.Roles ?? Empty).ToArray();
var missingRoles = RoleNames.All.Except(origRoles);
apiUser.Roles = (origRoles).Union(GetUserRoles(Context.User, missingRoles)).Distinct().ToArray();
if (isNew || !apiUser.Roles.SequenceEqual(origRoles))
{
Store.Add(apiUser, UserUpdateMode.Overwrite);
}
var identity = new GenericIdentity(apiUser.Username, typeof(RoleMappingAuthenticationModule).Name);
Context.User = new GenericPrincipal(identity, apiUser.Roles.ToArray());
}
protected override Task AuthenticateCoreAsync()
{
if (!IsAuthenticated)
{
return completedTask;
}
var apiUser = store.FindByUsername(CurrentUsername);
var isNew = false;
if (apiUser == null)
{
isNew = true;
apiUser = new ApiUser { Username = CurrentUsername };
}
var origRoles = (apiUser.Roles ?? Empty).ToArray();
var missingRoles = RoleNames.All.Except(origRoles);
var implicitGrants = GetMappedUserRoles(Request.User, missingRoles).ToArray();
apiUser.Roles = origRoles.Union(implicitGrants).Distinct().ToArray();
if (isNew || !apiUser.Roles.SequenceEqual(origRoles))
{
store.Add(apiUser, UserUpdateMode.Overwrite);
}
if (apiUser.Roles.Any())
{
Request.User = new SupplementalRolePrincipalWrapper(Request.User, apiUser.Roles);
}
return completedTask;
}
private void AddInternal(ApiUser user, UserUpdateMode mode, bool disableProtectedAccountChecks=false)
{
user.Username = ScrubUsername(user.Username);
if (string.IsNullOrWhiteSpace(user.Key))
{
user.Key = Guid.NewGuid().ToString();
}
using (var session = OpenSession())
{
var userExists = session.Query().Any(u => u.Username == user.Username);
if (mode == UserUpdateMode.NoClobber && userExists)
{
throw new UserOverwriteException();
}
if (userExists && !disableProtectedAccountChecks && IsProtectedAccount(user.Username))
{
throw new UserPermissionException(user.Username + " account cannot be overwritten.");
}
session.Add(user);
}
}
private dynamic DescribeUser(ApiUser user)
{
dynamic d = new ExpandoObject();
d.Username = user.Username;
// if current user is admin
// d.ApiKey = user.ApiKey
return d;
}
public HttpResponseMessage Put(string username, [FromBody]UserAttributes attributes)
{
var user = new ApiUser {Username = username, Key = attributes.Key, Roles = attributes.Roles};
try
{
Store.Add(user, GetUserUpdateMode(attributes));
}
catch (UserOverwriteException)
{
return Request.CreateErrorResponse(HttpStatusCode.Conflict,
"User " + username + " already exists.");
}
catch (UserPermissionException ex)
{
return Request.CreateErrorResponse(HttpStatusCode.Forbidden, ex.Message);
}
return Request.CreateResponse(HttpStatusCode.Created);
}
public void Add(ApiUser user, UserUpdateMode mode)
{
AddInternal(user, mode);
}
public void Add(ApiUser user)
{
Add(user, UserUpdateMode.Overwrite);
}
private bool IsSelf(ApiUser user)
{
if (!IsUserAuthenticated) return false;
return string.Equals(CurrentUserName, user.Username, StringComparison.InvariantCultureIgnoreCase);
}
private ApiUser DescribeUser(ApiUser user)
{
if (IsUserAuthenticated && User.IsInRole(RoleNames.AccountAdministrator) || IsSelf(user))
{
return user;
}
// Hide details that non-admins should not see.
return new ApiUser {Username = user.Username};
}
public ApiUser GetRequiredAuthenticationInfo()
{
var apiUser = Store.FindByUsername(CurrentUserName);
if (apiUser != null) return apiUser;
apiUser = new ApiUser { Username = CurrentUserName, Roles = GetUserRoles(User) };
Store.Add(apiUser, UserUpdateMode.Overwrite);
return apiUser;
}
private bool IsSelf(ApiUser user)
{
return string.Equals(User.Identity.Name, user.Username, StringComparison.InvariantCultureIgnoreCase);
}
public ApiUser GetRequiredAuthenticationInfo()
{
var name = ScrubUsername(User.Identity.Name);
var apiUser = Store.Users.SingleOrDefault(u => u.Username == name);
if (apiUser != null) return apiUser;
using (var session = Store.OpenSession())
{
apiUser = new ApiUser { Username = name, Key = Guid.NewGuid().ToString(), Roles = GetUserRoles(User) };
session.Add(apiUser);
}
return apiUser;
}