protected void SignIn(string username, int userId, string role)
{
AuthenticationExtensions.SignIn(
username, userId, new List <string> {
role
}, this.Request);
this.SetAuthentication();
}
public void ConfigureServices(IServiceCollection services)
{
services.AddOptions();
services.AddHttpContextAccessor();
var authenticationExtensions = new AuthenticationExtensions(Configuration);
authenticationExtensions.ConfigureAuthenticationServices(services);
services.ConfigureApplicationServices(Configuration, WebHostEnvironment);
services.ConfigureLoggingServices(Configuration);
}
private static void CreateSettingsBox(Ui ui, DashboardModel model)
{
var completed = model.HasSettings;
var id = ui.NextId("settings").ToString();
var message = completed
? "You have successfully initialized your configuration settings."
: "Create a configuration to manage your cluster's features and security.";
var icon = completed ? FontAwesomeIcons.CheckCircle : FontAwesomeIcons.PlusCircle;
var color = completed ? NamedColors.Grey : NamedColors.Green;
var buttonState = completed ? " disabled" : "";
ui.BeginDiv("card");
{
ui.BeginDiv("content");
{
ui.Div("Configure Cluster Settings", new { @class = "header" });
ui.Div(message, new { @class = "description" });
}
ui.EndDiv();
ui.BeginDiv($"ui bottom attached button{buttonState}", id: id)
.Icon(icon, color).Literal("Create Settings")
.EndDiv();
}
ui.EndDiv();
if (ui.OnClick())
{
if (!SqliteConfigurationHelper.IsEmptyConfiguration("settings.db"))
{
return;
}
var configSeed = ConfigurationLoader.FromEmbeddedJsonFile("seed.json");
if (configSeed == null)
{
return;
}
SqliteConfigurationHelper.MigrateToLatest("settings.db", SaveConfigurationOptions.Default, configSeed);
var configRoot = ui.Context.UiServices.GetRequiredService <IConfigurationRoot>();
configRoot.Reload();
var options = ui.Context.UiServices.GetRequiredService <ISaveOptions <SecurityOptions> >();
if (AuthenticationExtensions.MaybeSelfCreateMissingKeys(options.Value.Tokens))
{
options.TrySave("HQ:Security", () => { });
}
ui.Invalidate();
}
}
protected void SignOut()
{
AuthenticationExtensions.SignOut(this.Request);
}
public static IMvcCoreBuilder AddSuperUserTokenController <TKey>(this IMvcCoreBuilder mvcBuilder, Func <IServiceProvider, DateTimeOffset> timestamps,
Action <ClaimOptions> configureClaimsAction = null,
Action <TokenOptions> configureTokensAction = null,
Action <SuperUserOptions> configureSuperUserAction = null)
where TKey : IEquatable <TKey>
{
if (configureClaimsAction != null)
{
mvcBuilder.Services.Configure(configureClaimsAction);
}
if (configureTokensAction != null)
{
mvcBuilder.Services.Configure(configureTokensAction);
}
if (configureSuperUserAction != null)
{
mvcBuilder.Services.Configure(configureSuperUserAction);
}
var claims = new ClaimOptions();
configureClaimsAction?.Invoke(claims);
var tokens = new TokenOptions();
configureTokensAction?.Invoke(tokens);
var superUser = new SuperUserOptions();
configureSuperUserAction?.Invoke(superUser);
var credentials = new
{
SigningKeyString = tokens.SigningKey,
EncryptingKeyString = tokens.EncryptingKey
}.QuackLike <ITokenCredentials>();
AuthenticationExtensions.MaybeSetSecurityKeys(credentials);
var scheme = superUser.Scheme ?? tokens.Scheme;
mvcBuilder.Services.AddAuthentication().AddJwtBearer(scheme, o =>
{
if (tokens.Encrypt)
{
o.TokenValidationParameters = new TokenValidationParameters
{
TokenDecryptionKeyResolver = (token, securityToken, kid, parameters) => new[] { credentials.EncryptingKey.Key },
ValidateIssuerSigningKey = false,
ValidIssuer = tokens.Issuer,
ValidateLifetime = true,
ValidateAudience = true,
ValidAudience = tokens.Audience,
RequireSignedTokens = false,
IssuerSigningKey = credentials.SigningKey.Key,
TokenDecryptionKey = credentials.EncryptingKey.Key,
ClockSkew = TimeSpan.FromSeconds(tokens.ClockSkewSeconds),
RoleClaimType = claims.RoleClaim,
NameClaimType = claims.UserNameClaim
};
}
else
{
o.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
ValidIssuer = tokens.Issuer,
ValidateLifetime = true,
ValidateAudience = true,
ValidAudience = tokens.Audience,
RequireSignedTokens = true,
IssuerSigningKey = credentials.SigningKey.Key,
ClockSkew = TimeSpan.FromSeconds(tokens.ClockSkewSeconds),
RoleClaimType = claims.RoleClaim,
NameClaimType = claims.UserNameClaim
};
}
});
mvcBuilder.Services.TryAddSingleton <IIdentityClaimNameProvider, DefaultIdentityClaimNameProvider>();
mvcBuilder.Services.TryAddSingleton <ITokenFabricator <TKey> >(r => new DefaultTokenFabricator <TKey>(() => timestamps(r), r.GetRequiredService <IOptionsSnapshot <TokenOptions> >()));
mvcBuilder.AddActiveRoute <SuperUserTokenController <TKey>, SuperUserFeature, SuperUserOptions>();
return(mvcBuilder);
}
public static IServiceCollection AddSecurityPolicies(this IServiceCollection services,
Action <SecurityOptions> configureSecurityAction = null,
Action <SuperUserOptions> configureSuperUserAction = null,
ISafeLogger logger = null)
{
Bootstrap.EnsureInitialized();
Bootstrap.ContractResolver.IgnoreTypes.Add(typeof(KestrelConfigurationLoader));
var security = new SecurityOptions(true);
configureSecurityAction?.Invoke(security);
var superUser = new SuperUserOptions();
configureSuperUserAction?.Invoke(superUser);
var credentials = new
{
SigningKeyCredentials = security.Signing,
EncryptingKey = security.Encrypting
}.QuackLike <ITokenCredentials>();
AuthenticationExtensions.MaybeSetSecurityKeys(credentials);
security.Signing = credentials.SigningKey;
security.Encrypting = credentials.EncryptingKey;
if (configureSecurityAction != null)
{
services.Configure <SecurityOptions>(o =>
{
configureSecurityAction.Invoke(o);
o.Signing = security.Signing;
o.Encrypting = security.Encrypting;
});
}
if (configureSuperUserAction != null)
{
services.Configure <SuperUserOptions>(configureSuperUserAction.Invoke);
}
services.ConfigureOptions <ConfigureWebServer>();
services.AddCors(logger, security.Cors);
services.AddAuthentication(logger, security, superUser);
services.AddSuperUser(logger, superUser);
services.AddHttps(logger, security);
// FIXME: may need a better home for default policies for the platform
services.AddDefaultAuthorization(Constants.Security.Policies.AccessOperations, ClaimValues.AccessOperations);
services.AddDefaultAuthorization(Constants.Security.Policies.AccessMeta, ClaimValues.AccessMeta);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageConfiguration, ClaimValues.ManageConfiguration);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageObjects, ClaimValues.ManageObjects);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageSchemas, ClaimValues.ManageSchemas);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageBackgroundTasks, ClaimValues.ManageBackgroundTasks);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageUsers, ClaimValues.ManageUsers);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageRoles, ClaimValues.ManageRoles);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageTenants, ClaimValues.ManageTenants);
services.AddDefaultAuthorization(Constants.Security.Policies.ManageApplications, ClaimValues.ManageApplications);
return(services);
}
