public AdalOboTokenProvider(OAuthConfig oAuthConfig, ILogger logger, IContainerResolve container, IApplicationContext applicationContext)
{
Logger = logger;
Container = container;
this.oAuthConfig = oAuthConfig;
_applicationContext = applicationContext;
}
public async Task Invoke(HttpContext context)
{
if (context.User.Identity.IsAuthenticated && context.User.Identity.AuthenticationType.Equals(_options.OpenIdSettings.Values[TokenKeys.AuthenticationTypeKey], StringComparison.InvariantCultureIgnoreCase))
{
if (context.User is AppPrincipal principal)
{
context.Request?.Headers?.Add("activityid", principal?.ActivityID.ToString() ?? Guid.NewGuid().ToString());
if (null != principal?.Profile?.CurrentCulture)
{
context.Request?.Headers?.Add("culture", principal.Profile.CurrentCulture.TwoLetterISOLanguageName);
}
}
IContainerResolve container = (IContainerResolve)context.RequestServices.GetService(typeof(IContainerResolve));
// Not thread safe => can call activity source factory more than one but factory implementation is thread safe => so few calls on the start of the service is a possibility.
if (!hasAlreadyTriedToResolve)
{
hasAlreadyTriedToResolve = true;
_activitySource = container.Resolve <IActivitySourceFactory>()?.GetArc4u();
}
using (var activity = _activitySource?.StartActivity("Inject bearer token in header", ActivityKind.Producer))
{
ITokenProvider provider = container.Resolve <ITokenProvider>(_options.OpenIdSettings.Values[TokenKeys.ProviderIdKey]);
var tokenInfo = await provider.GetTokenAsync(_options.OpenIdSettings, context.User.Identity);
var authorization = new AuthenticationHeaderValue("Bearer", tokenInfo.AccessToken).ToString();
context.Request.Headers.Remove("Authorization");
context.Request.Headers.Add("Authorization", authorization);
}
}
await _next.Invoke(context);
}
public ClaimsPrincipalMiddleware(RequestDelegate next, IContainerResolve container, ClaimsPrincipalMiddlewareOption option)
{
_next = next ?? throw new ArgumentNullException(nameof(next));
if (null == container)
{
throw new ArgumentNullException(nameof(container));
}
if (null == option)
{
throw new ArgumentNullException(nameof(option));
}
var logger = container.Resolve <ILogger <ClaimsPrincipalMiddleware> >();
if (!container.TryResolve <CacheContext>(out _cacheContext))
{
logger.Technical().Information("No cache context is available.").Log();
}
_option = option;
_activitySource = container.Resolve <IActivitySourceFactory>()?.GetArc4u();
}
private IApplicationContext GetCallContext(out object parameters, out IContainerResolve containerResolve)
{
containerResolve = GetResolver();
// first priority to the scope one!
if (null != _accessor?.HttpContext?.RequestServices)
{
var ctx = containerResolve.Resolve <IApplicationContext>();
parameters = ctx;
// As this is global for an handler, this can be saved at the level of the class.
// We do this here only when using an accessor => the IContainerResolve is only available in the context of a call not
// when the JwtHttpHandler is built.
if (null == _settings && !String.IsNullOrWhiteSpace(_settingsName))
{
if (!containerResolve.TryResolve(_settingsName, out _settings))
{
_logger.Technical().Debug($"No settings for {_settingsName} is found.").Log();
}
}
return(ctx);
}
parameters = _parameters;
return(_applicationContext);
}
public UsernamePasswordTokenProvider(ISecureCache secureCache, INetworkInformation networkStatus, ILogger logger, IContainerResolve container)
{
this.secureCache = secureCache;
this.networkStatus = networkStatus;
Container = container;
Logger = logger;
}
public DefaultChannelPublisher(IOptionsMonitor <PubSubDefinition> definitions, IContainerResolve serviceProvider, ILogger <DefaultChannelPublisher> logger, IApplicationContext applicationContext, IActivitySourceFactory activitySourceFactory)
{
_definitions = definitions;
_serviceProvider = serviceProvider;
_logger = logger;
_applicationContext = applicationContext;
_activitySource = activitySourceFactory?.GetArc4u();
}
public AppPrincipalFactory(INetworkInformation networkInformation, ISecureCache claimsCache, ICacheKeyGenerator cacheKeyGenerator, IContainerResolve container, IApplicationContext applicationContext)
{
NetworkInformation = networkInformation;
ClaimsCache = claimsCache;
CacheKeyGenerator = cacheKeyGenerator;
Container = container;
ApplicationContext = applicationContext;
}
public ClaimsBearerTokenExtractor(IContainerResolve container, ILogger logger)
{
_container = container;
_jsonSerializer = new DataContractJsonSerializer(typeof(IEnumerable <ClaimDto>));
_logger = logger;
}
public ClaimsProxy(IContainerResolve container, IAppSettings appSettings, Config config, IHttpClientFactory httpClientFactory)
{
_container = container;
_httpClientFactory = httpClientFactory;
_applicationName = config?.ApplicationName ?? "Unknow";
// read information to call the backend service from configuration.
_url = appSettings.Values.ContainsKey("arc4u_ClaimsProxyUri") ? appSettings.Values["arc4u_ClaimsProxyUri"] : null;
_jsonSerializer = new DataContractJsonSerializer(typeof(IEnumerable <ClaimDto>));
}
/// <summary>
///
/// </summary>
/// <param name="containerResolve"></param>
/// <param name="settingsName"></param>
/// <param name="platformParameter"></param>
public OAuth2Interceptor(IContainerResolve containerResolve, string settingsName, object platformParameter) : this(containerResolve)
{
_container = containerResolve ?? throw new ArgumentNullException(nameof(containerResolve));
_settings = containerResolve.Resolve <IKeyValueSettings>(settingsName);
// can be null.
_platformParameter = platformParameter;
}
public QueueListenerHostedService(IContainerResolve provider,
IMessageHandlerTypes messageHandlers,
IUniqueness unique,
IQueueStreamManager queueStreamManager,
ILogger <QueueListenerHostedService> logger)
{
_provider = provider;
_messageHandlers = messageHandlers;
_queueParameters = unique.GetQueues();
_logger = logger;
_queueStreamManager = queueStreamManager;
}
/// <summary>
/// Create a JwtHttpHandler. Use services.AddHttpHandler to add one and <see cref="ConfigurePrimaryHttpMessageHandler"/> if you need to
/// customize the HttpHandler.
/// </summary>
/// <param name="settings">The settings needed for the <see cref="ITokenProvider"/>.</param>
/// <param name="handler">The handler, can be a <see cref="DelegatingHandler"/></param>
public JwtHttpHandler(IContainerResolve container, IKeyValueSettings settings, IPlatformParameters parameters = null)
{
_container = container ?? throw new ArgumentNullException(nameof(container));
_logger = container.Resolve <ILogger <JwtHttpHandler> >();
_settings = settings ?? throw new ArgumentNullException(nameof(settings));
_parameters = parameters;
_settingsName = null;
container.TryResolve <IApplicationContext>(out _applicationContext);
}
public BaseDistributeCache(IContainerResolve container)
{
if (null == container)
{
throw new ArgumentNullException(nameof(container));
}
_container = container;
if (container.TryResolve <IActivitySourceFactory>(out var activitySourceFactory))
{
_activitySource = activitySourceFactory.GetArc4u();
}
}
public QueueProcessorListener(CancellationToken stoppingToken,
QueueParameters queueParameters,
IQueueStreamManager queueStreamManager,
IMessageHandlerTypes messageHandlers,
IContainerResolve provider)
{
_stoppingToken = stoppingToken;
_queueParameters = queueParameters;
_queueStreamManager = queueStreamManager;
_logger = provider.Resolve <ILogger <QueueProcessorListener> >();
_messageHandlers = messageHandlers;
_provider = provider;
_hasThreadFinishToProcess = new AutoResetEvent(false);
}
public DefaultQueueMessageSender(IOptionsMonitor <QueueDefinition> definitions,
IContainerResolve serviceProvider,
IQueueStreamManager queueStreamManager,
IApplicationContext applicationContext,
ILogger <DefaultQueueMessageSender> logger,
IActivitySourceFactory activitySourceFactory)
{
_definitions = definitions;
_serviceProvider = serviceProvider;
_logger = logger;
_applicationContext = applicationContext;
_queueStreamManager = queueStreamManager;
_activitySource = activitySourceFactory.GetArc4u();
}
// on the backend, we have to retrieve the user context based on his scoped context when we do a request to another
// service if this was done in the context of a user (via rest api or gRPC service).
// When we do a call from a service account, in this case the user is fixed and not scoped => so the creation of the user in this
// case can be a singleton because we do an impersonation!
/// <summary>
/// This is a ctor to use only in a backend scenario => where <see cref="IPlatformParameters"/> it is not used!
/// No inner handler is defined because this will be done via the AddHttpClient method in a service!
/// </summary>
/// <param name="container">The scoped container</param>
/// <param name="resolvingName">The name used to resolve the settings</param>
public JwtHttpHandler(IContainerResolve container, ILogger <JwtHttpHandler> logger, string resolvingName)
{
_container = container ?? throw new ArgumentNullException(nameof(container));
_logger = logger;
if (!container.TryResolve(resolvingName, out _settings))
{
_logger.Technical().Debug($"No settings for {resolvingName} is found.").Log();
}
container.TryResolve <IApplicationContext>(out _applicationContext);
_parameters = _applicationContext;
_settingsName = null;
}
// On a frontend usage of the handler the application (user) context is always global => we don't have 2 users logged on the same application!
// So the Handler is using the IContainerResolve which is not scoped and the IApplicationContext is also not scoped because everything is in fact registered as a Singleton.
// So there is no issue to create even everything in the constructor.
/// <summary>
/// Create a JwtHttpHandler with settings <see cref="IKeyValueSettings"/> resolved based on the name "OAuth" and the <see cref="HttpMessageHandler"/> of type <see cref="HttpClientHandler"/>.
/// </summary>
public JwtHttpHandler(IContainerResolve container, IPlatformParameters parameters = null, bool skipValidateAuthenticationType = false)
{
_container = container ?? throw new ArgumentNullException(nameof(container));
_logger = container.Resolve <ILogger <JwtHttpHandler> >();
if (!container.TryResolve("OAuth", out _settings))
{
_logger.Technical().System("No settings for OAuth is found.").Log();
}
_parameters = parameters;
_settingsName = null;
container.TryResolve <IApplicationContext>(out _applicationContext);
}
/// <summary>
/// Create a JwtHttpHandler. Use services.AddHttpHandler to add one and <see cref="ConfigurePrimaryHttpMessageHandler"/> if you need to
/// customize the HttpHandler.
/// </summary>
/// <param name="resolvingName">The name used to resolve the instance of the <see cref="IKeyValueSettings"/> implementation.</param>
public JwtHttpHandler(IContainerResolve container, string resolvingName, IPlatformParameters parameters = null)
{
_container = container ?? throw new ArgumentNullException(nameof(container));
_logger = container.Resolve <ILogger <JwtHttpHandler> >();
if (!container.TryResolve(resolvingName, out _settings))
{
_logger.Technical().System($"No settings for {resolvingName} is found.").Log();
}
_parameters = parameters;
_settingsName = null;
container.TryResolve <IApplicationContext>(out _applicationContext);
}
public Cache(ILogger logger, IContainerResolve container, string identifier)
{
Logger = logger;
if (!container.TryResolve(out TokenCache))
{
Logger.Technical().From <Cache>().Error("No implementation for an ITokenCache exists! Check your dependencies.").Log();
Logger.Technical().From <Cache>().System($"Token cache is skipped for the user identifier: {identifier}.").Log();
}
_identifier = identifier;
// Attach the events.
BeforeAccess += BeforeAccessNotification;
AfterAccess += AfterAccessNotification;
}
public MessagesScope(IContainerResolve container, ILogger logger, string iocResolveName)
{
Logger = logger;
// Create the unit of work list of messages.
MessagesToPublish.Create();
// Search for the instance used to send commands and publish events on start of the
// scope. So if we have a resolving issue, we know it immediately (and not after the work is done.
if (!container.TryResolve <IEndpointConfiguration>(iocResolveName, out var endpointConfig))
{
logger.Technical().From <MessagesScope>().Warning($"Unable to resolve the IEndpointConfiguration with the name '{iocResolveName}'").Log();
return;
}
if (null == endpointConfig.Instance)
{
logger.Technical().From <MessagesScope>().Warning($"Instance is null for the IEndpointConfiguration with the name '{iocResolveName}'").Log();
return;
}
_instance = endpointConfig.Instance;
}
public async Task Invoke(HttpContext context)
{
// Get the scoped instance of the container!
IContainerResolve container = (IContainerResolve)context.RequestServices.GetService(typeof(IContainerResolve));
var logger = container.Resolve <ILogger <ClaimsPrincipalMiddleware> >();
try
{
// if we have some part of the site not in MVC (like swagger) and we need to force
// authentication. We can add the start of the path to check and in this case we force a login!
if (null != context.User && !context.User.Identity.IsAuthenticated)
{
if (_option.OpenIdOptions.ForceAuthenticationForPaths.Any(r =>
{
return(r.Last().Equals('*') ?
context.Request.Path.Value.StartsWith(r.Remove(r.Length - 1), StringComparison.InvariantCultureIgnoreCase)
:
context.Request.Path.Value.Equals(r, StringComparison.InvariantCultureIgnoreCase));
}))
{
logger.Technical().System("Force an OpenId connection.").Log();
var cleanUri = new Uri(new Uri(context.Request.GetEncodedUrl()).GetLeftPart(UriPartial.Path));
if (Uri.TryCreate(_option.RedirectAuthority, UriKind.Absolute, out var authority))
{
cleanUri = new Uri(authority, cleanUri.AbsolutePath);
}
var properties = new AuthenticationProperties()
{
RedirectUri = cleanUri.ToString()
};
await context.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme, properties);
return;
}
}
if (null != context.User && context.User.Identity.IsAuthenticated)
{
logger.Technical().System("Create the principal.").Log();
// Add Telemetry.
using (var activity = _activitySource?.StartActivity("Create Arc4u Principal", ActivityKind.Producer))
{
// As the extension point can use some ITokenProvider based on the user.
// A dummy Principal is created based on the context identity!
// Must be registered as Scoped!
if (container.TryResolve <IApplicationContext>(out var applicationContext))
{
applicationContext.SetPrincipal(new AppPrincipal(new Authorization(), context.User.Identity, "S-1-0-0"));
}
// Load Claims from an external source if necessary!
if (_option.ClaimsFillerOptions.LoadClaimsFromClaimsFillerProvider)
{
await LoadExtraClaimsAsync(context, container, logger);
}
// Build an AppPrincipal.
AppPrincipal principal = null;
var profileFiller = container.Resolve <IClaimProfileFiller>();
var authorizationFiller = container.Resolve <IClaimAuthorizationFiller>();
var authorization = authorizationFiller.GetAuthorization(context.User.Identity);
var profile = profileFiller.GetProfile(context.User.Identity);
principal = new AppPrincipal(authorization, context.User.Identity, profile.Sid)
{
Profile = profile
};
// Check if we have an ActivityID.
var activityIdHeader = context.Request?.Headers?.FirstOrDefault(h => h.Key.Equals("activityid", StringComparison.InvariantCultureIgnoreCase));
if (null == activityIdHeader || !activityIdHeader.HasValue || String.IsNullOrWhiteSpace(activityIdHeader.Value.Key) || StringValues.Empty == activityIdHeader.Value || activityIdHeader.Value.Value.Count == 0)
{
principal.ActivityID = Guid.NewGuid();
}
else
{
Guid activityId = Guid.Empty;
if (Guid.TryParse(activityIdHeader.Value.Value[0], out activityId) && activityId != Guid.Empty)
{
logger.Technical().Information($"Set the activity to the principal based on the caller information: {activityId}.").Log();
}
else
{
logger.Technical().Information($"The activity id given by the caller is not a valid Guid. A new one has been assigned.").Log();
activityId = Guid.NewGuid();
}
principal.ActivityID = activityId;
}
activity?.AddTag(LoggingConstants.ActivityId, principal.ActivityID);
// Check for a culture.
var cultureHeader = context.Request?.Headers?.FirstOrDefault(h => h.Key.Equals("culture", StringComparison.InvariantCultureIgnoreCase));
if (null != cultureHeader && cultureHeader.HasValue && StringValues.Empty != activityIdHeader.Value && cultureHeader.Value.Value.Count > 0)
{
try
{
principal.Profile.CurrentCulture = new CultureInfo(cultureHeader.Value.Value[0]);
}
catch (Exception ex)
{
logger.Technical().Exception(ex).Log();
}
}
logger.Technical().System("Set AppPrincipal to the HttpContext.User.").Log();
context.User = principal;
if (null != applicationContext)
{
logger.Technical().System("Set AppPrincipal to the ApplicationContext.").Log();
applicationContext.SetPrincipal(principal);
}
}
}
}
catch (Exception ex)
{
logger.Technical().Exception(ex).Log();
}
await _next(context);
}
/// <summary>
/// This code is similar to the code in AppPrincipalFactory where the claims are stored in a secureCache.
/// The differences are:
/// - The cache used is defined by the CacheContext.Principal.
/// - Only the extra claims fetched are saved because on the server we will only have an identity if a network connectivity exist.
/// => we don't save the full claims identity like in a client where a disconnected scenario is possible!
/// </summary>
/// <param name="context"></param>
private async Task LoadExtraClaimsAsync(HttpContext context, IContainerResolve scope, ILogger <ClaimsPrincipalMiddleware> logger)
{
if (null == _option.ClaimsFillerOptions.Settings)
{
logger.Technical().System("No settings are defined in the ClaimPrincipalContext option definition! No extra claims will be fetched.").Log();
return;
}
if (!scope.TryResolve <ICacheKeyGenerator>(out var keyGenerator))
{
logger.Technical().System("No user based cache key generator exist! Check your dependencies.").Log();
return;
}
if (scope.TryResolve(out IClaimsFiller claimFiller)) // Fill the claims with more information.
{
var identity = context.User.Identity as ClaimsIdentity;
var cacheKey = keyGenerator.GetClaimsKey(identity);
// Something already in the cache? Avoid a expensive backend call.
var cachedClaims = GetClaimsFromCache(cacheKey);
// check expirity.
var cachedExpiredClaim = cachedClaims.FirstOrDefault(c => c.ClaimType.Equals(tokenExpirationClaimType, StringComparison.InvariantCultureIgnoreCase));
long cachedExpiredTicks = 0;
if (null != cachedExpiredClaim && long.TryParse(cachedExpiredClaim.Value, out cachedExpiredTicks))
{
var expDate = DateTimeOffset.FromUnixTimeSeconds(cachedExpiredTicks).UtcDateTime;
if (expDate > DateTime.UtcNow)
{
identity.AddClaims(cachedClaims.Where(c => !ClaimsToExclude.Any(arg => arg.Equals(c.ClaimType)))
.Where(c => !identity.Claims.Any(c1 => c1.Type == c.ClaimType))
.Select(c => new Claim(c.ClaimType, c.Value)));
return;
}
}
// Add Telemetry.
using (var activity = _activitySource?.StartActivity("Fetch extra claims.", ActivityKind.Producer))
{
// Call and check if we have to add claims.
// Clean the claims received.
var claims = (await claimFiller.GetAsync(identity, _option.ClaimsFillerOptions.Settings, null)).Where(c => !ClaimsToExclude.Any(arg => arg.Equals(c.ClaimType))).ToList();
// Load the claims into the identity.
identity.AddClaims(claims.Where(c => !identity.Claims.Any(c1 => c1.Type == c.ClaimType))
.Select(c => new Claim(c.ClaimType, c.Value)));
// Add the expiration of the token.
var expClaim = identity.Claims.FirstOrDefault(c => c.Type.Equals(tokenExpirationClaimType, StringComparison.InvariantCultureIgnoreCase));
if (null != expClaim)
{
claims.Add(new ClaimDto(expClaim.Type, expClaim.Value));
SaveClaimsToCache(claims, cacheKey, logger);
}
}
}
}
public DefaultMessageHandlerTypes(IOptionsMonitor <HandlerDefintion> definitions, ILogger <DefaultMessageHandlerTypes> logger, IContainerResolve serviceProvider)
{
_definitions = definitions;
_logger = logger;
_serviceProvider = serviceProvider;
}
public static IApplicationBuilder UseClientSecretAuthentication(this IApplicationBuilder app, IContainerResolve container, IKeyValueSettings settings, string settingsSectionName)
{
if (null == app)
{
throw new ArgumentNullException(nameof(app));
}
if (null == container)
{
throw new ArgumentNullException(nameof(container));
}
if (null == settings)
{
throw new ArgumentNullException(nameof(settings));
}
var option = new ClientSecretAuthenticationOption(settings);
container.Resolve <IConfiguration>().Bind(settingsSectionName, option);
return(app.UseMiddleware <ClientSecretAuthenticationMiddleware>(container, option));
}
public ClientSecretAuthenticationMiddleware(RequestDelegate next, IContainerResolve container, ClientSecretAuthenticationOption option)
{
_next = next ?? throw new ArgumentNullException(nameof(next));
if (null == container)
{
throw new ArgumentNullException(nameof(container));
}
if (null == option)
{
throw new ArgumentNullException(nameof(option));
}
_logger = container.Resolve <ILogger <ClientSecretAuthenticationMiddleware> >();
_option = option;
if (null == option.Settings)
{
_logger.Technical().Warning("No settings have been provided.").Log();
return;
}
if (option.Settings.Values.ContainsKey(TokenKeys.ProviderIdKey))
{
_hasProvider = container.TryResolve(option.Settings.Values[TokenKeys.ProviderIdKey], out _provider);
}
if (!_hasProvider)
{
_logger.Technical().Warning("No ClientSecret provider found. Skip ClientSecret capability.").Log();
return;
}
_hasCertificate = null != option.Certificate &&
!String.IsNullOrWhiteSpace(option.Certificate.SecretKey) &&
!String.IsNullOrWhiteSpace(option.Certificate.Name);
// check the certificate exists.
if (_hasCertificate)
{
try
{
var certificateInfo = new CertificateInfo
{
Name = option.Certificate.Name
};
if (Enum.TryParse(option.Certificate.FindType, out X509FindType x509FindType))
{
certificateInfo.FindType = x509FindType;
}
if (Enum.TryParse(option.Certificate.Location, out StoreLocation storeLocation_))
{
certificateInfo.Location = storeLocation_;
}
if (Enum.TryParse(option.Certificate.StoreName, out StoreName storeName_))
{
certificateInfo.StoreName = storeName_;
}
_certificate = Certificate.FindCertificate(
certificateInfo.Name,
certificateInfo.FindType,
certificateInfo.Location,
certificateInfo.StoreName);
_logger.Technical().System($"Authentication with certificate secret activated.").Log();
}
catch (KeyNotFoundException)
{
_hasCertificate = false;
_logger.Technical().Error($"No certificate found with {option.Certificate.FindType} = {option.Certificate.Name} in location = {option.Certificate.Location}.").Log();
}
catch (Exception ex)
{
_logger.Technical().Exception(ex).Log();
}
}
else
{
_logger.Technical().System($"No authentication with certificate secret.").Log();
}
_activitySource = container.Resolve <IActivitySourceFactory>()?.GetArc4u();
}
public static IApplicationBuilder UseClientSecretAuthentication(this IApplicationBuilder app, IContainerResolve container, ClientSecretAuthenticationOption option)
{
if (null == app)
{
throw new ArgumentNullException(nameof(app));
}
if (null == container)
{
throw new ArgumentNullException(nameof(container));
}
if (null == option)
{
throw new ArgumentNullException(nameof(option));
}
return(app.UseMiddleware <ClientSecretAuthenticationMiddleware>(container, option));
}
/// <summary>Exposes underlying Container for direct operation.</summary>
/// <summary>Creates new locator as adapter for provided container.</summary>
/// <param name="container">Container to use/adapt.</param>
public DIServiceLocatorAdapter(IContainerResolve container)
{
Container = container;
}
public AdfsTokenProvider(OAuthConfig oAuthConfig, ILogger logger, IContainerResolve container) : base(oAuthConfig, logger, container)
{
}
public HandleMessageBase(IContainerResolve container)
{
_container = container;
}
public SqlCache(ILogger logger, IContainerResolve container) : base(container)
{
Logger = logger;
}
