Esempio n. 1
0
        /// <summary>
        /// Attempts to authorize the client issuing the request.
        /// </summary>
        /// <param name="actionContext">
        /// The action context.
        /// </param>
        public void AuthorizeUser(HttpActionContext actionContext)
        {
            Log.Verbose("SimpleWebTokenAuthAttribute.OnAuthorization");

            // Attempt to get credentials from the the client certificate.
            SecurityCredentials credentials = this.GetCredentialsFromAuthorizationHeader(actionContext);

            bool isAuthorized = false;

            if (credentials != null)
            {
                AuthPayload payload = Security.Authenticate(credentials);
                if (payload != null)
                {
                    if (Security.Authorize(payload, this.Roles))
                    {
                        isAuthorized = true;
                        Log.Verbose("User is authorized");
                    }
                    else
                    {
                        Log.Warn("Unauthorized user");
                    }
                }
            }

            if (!isAuthorized)
            {
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            }
        }
Esempio n. 2
0
        /// <summary>
        /// The authorize.
        /// </summary>
        /// <param name="payload">
        /// The payload.
        /// </param>
        /// <param name="roles">
        /// The roles.
        /// </param>
        /// <returns>
        /// The <see cref="bool"/>.
        /// </returns>
        internal static bool Authorize(AuthPayload payload, string[] roles)
        {
            if (payload != null)
            {
                CustomIdentity    identity         = payload.CustomIdentity;
                ISecurityProvider securityProvider = authorizers[identity.SecurityProviderName];
                bool isAuthorized = securityProvider.IsAuthorized(payload, roles);

                if (isAuthorized)
                {
                    string userName     = identity.Name;
                    string providerName = identity.SecurityProviderName;

                    Thread.CurrentPrincipal =
                        new CustomPrincipal(identity, roles);

                    Log.Verbose("User Id {0} is authorized", identity.UserId);

                    return(true);
                }
                else
                {
                    Log.Verbose("Anauthorized user");
                    return(false);
                }
            }
            else
            {
                return(false);
            }
        }
Esempio n. 3
0
        /// <summary>
        /// The is authorized.
        /// </summary>
        /// <param name="payload">
        /// The payload.
        /// </param>
        /// <param name="roles">
        /// The roles.
        /// </param>
        /// <returns>
        /// The <see cref="bool"/>.
        /// </returns>
        public bool IsAuthorized(AuthPayload payload, string[] roles)
        {
            bool result = false;

            if (roles.Length > 0)
            {
                // Create dictionary from the specified roles.
                Dictionary <string, string> authParameters = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase);
                foreach (string role in roles)
                {
                    string[] segments = role.Split(':');
                    if (segments.Length == 2)
                    {
                        authParameters[segments[0]] = segments[1];
                    }
                }

                // Ensure the auth parameters match.
                if (authParameters.ContainsKey(Resource) == true &&
                    authParameters.ContainsKey(Action) == true)
                {
                    string tokenResource = payload.CredentialAuthorizationParameters[Resource];
                    string tokenAction   = payload.CredentialAuthorizationParameters[Action];
                    if (authParameters[Resource].Equals(tokenResource, StringComparison.OrdinalIgnoreCase) == true &&
                        authParameters[Action].Equals(tokenAction, StringComparison.OrdinalIgnoreCase) == true)
                    {
                        result = true;
                    }
                }
            }

            return(result);
        }
        /// <summary>
        /// The authenticate.
        /// </summary>
        /// <param name="credentials">
        /// The credentials.
        /// </param>
        /// <param name="flags">A general purpose flags set</param>
        /// <returns>
        /// The <see cref="AuthPayload"/>.
        /// </returns>
        public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
        {
            AuthPayload result = null;

            if (SimpleWebTokenValidator.Validate(credentials.Token, ResourceNamespace, String.Format(ResourceTemplate, credentials.Name),
                                                 TrustedSigningKey) == true)
            {
                result = new AuthPayload(new CustomIdentity(credentials.Token, credentials.Name, credentials.SecurityProviderName));
            }

            return(result);
        }
Esempio n. 5
0
        /// <summary>
        /// The authenticate.
        /// </summary>
        /// <param name="credentials">
        /// The credentials.
        /// </param>
        /// <param name="flags">A general purpose flags set </param>
        /// <returns>
        /// The <see cref="AuthPayload"/>.
        /// </returns>
        public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
        {
            AuthPayload result = null;

            // If the client certificate thumbprint is one of the registered thumbprints, create a CustomIdentity object for it.
            if (registeredThumbprints.ContainsKey(credentials.Token))
            {
                result = new AuthPayload(new CustomIdentity(credentials.Token, credentials.Name, credentials.SecurityProviderName));
            }

            return(result);
        }
Esempio n. 6
0
        /// <summary>
        /// Attempts to authorize the user for the request.
        /// </summary>
        /// <param name="actionContext">
        /// The action context.
        /// </param>
        public virtual void AuthorizeUser(HttpActionContext actionContext)
        {
            Log.Verbose("ApiAuthAttribute.OnAuthorization");

            string reason = string.Empty;

            // Attempt to get credentials from the HTTP authentication header. This could support application auth. or debug scenarios
            SecurityCredentials credentials = this.GetCredentialsFromAuthorizationHeader(actionContext);

            // If we did not have credentials specifed in the HTTP Authentication header
            if (credentials == null)
            {
                // Attempt to get credentials from the Bing authentication header.
                credentials = this.GetCredentialsFromBingHeader(actionContext);
            }

            bool isAuthorized = false;

            if (credentials != null)
            {
                AuthPayload payload = Security.Authenticate(credentials, this.Flags);
                if (payload != null)
                {
                    if (Security.Authorize(payload, this.Roles))
                    {
                        isAuthorized = true;
                        Log.Verbose("User is authorized");
                    }
                    else
                    {
                        Log.Warn("Unauthorized user");
                    }
                }
            }

            if (!isAuthorized)
            {
                if (this.AllowAnonymous)
                {
                    var roles = new[] { "reader" };
                    Security.SetAnonymous(roles);
                }
                else
                {
                    actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
                    {
                        ReasonPhrase =
                            reason
                    };
                }
            }
        }
        /// <summary>
        /// The is authorized.
        /// </summary>
        /// <param name="payload">
        /// The payload.
        /// </param>
        /// <param name="roles">
        /// The roles.
        /// </param>
        /// <returns>
        /// The <see cref="bool"/>.
        /// </returns>
        public bool IsAuthorized(AuthPayload payload, string[] roles)
        {
            bool result = false;

            Dictionary <string, string> parameters =
                SimpleWebTokenValidator.ExtractTokenProperties(payload.CustomIdentity.PresentedClientToken);

            if (String.Equals(parameters["Audience"],
                              String.Format(ResourceTemplate, roles[0]), StringComparison.OrdinalIgnoreCase) == true)
            {
                result = true;
            }

            return(result);
        }
Esempio n. 8
0
        /// <summary>
        /// The authenticate.
        /// </summary>
        /// <param name="credentials">
        /// The user credentials.
        /// </param>
        /// <param name="flags">the flags</param>
        /// <returns>
        /// The auth payload
        /// </returns>
        internal static AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
        {
            AuthPayload result = null;

            if (authorizers.ContainsKey(credentials.SecurityProviderName) == true)
            {
                ISecurityProvider securityProvider = authorizers[credentials.SecurityProviderName];
                result = securityProvider.Authenticate(credentials, flags);
            }
            else
            {
                Log.Warn("Unregistered security provider was specified: {0}", credentials.SecurityProviderName);
            }

            return(result);
        }
        /// <summary>
        /// The authenticate.
        /// </summary>
        /// <param name="credentials">
        /// The credentials.
        /// </param>
        /// <param name="flags">A general purpose flags set </param>
        /// <returns>
        /// The <see cref="AuthPayload"/>.
        /// </returns>
        public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
        {
            bool useExternalIdentity = flags != null && flags.Contains("UseExternalIdentity");

            if (credentials == null)
            {
                // || string.IsNullOrWhiteSpace(credentials.IdentificationCode))
                throw new Exception("The LomoSecurityProvider.Authenticate() method was called with invalid Credentials.");
            }

            var externalIdentityInfo = Authentication.BingSocialAccessorRepository.GetUserAccountInfo(credentials.Token);

            if (externalIdentityInfo != null && externalIdentityInfo.UserId != null)
            {
                User user = null;
                if (!useExternalIdentity)
                {
                    user = this.CreateOrGetInternalUser(externalIdentityInfo);
                }

                Guid userId       = default(Guid);
                var  userName     = externalIdentityInfo.Name;
                var  emailAddress = externalIdentityInfo.UserEmail;
                if (user != null)
                {
                    userId = user.Id;
                    if (string.IsNullOrWhiteSpace(userName) && !string.IsNullOrWhiteSpace(user.Name))
                    {
                        userName = user.Name;
                    }

                    emailAddress = user.Email;
                }

                var identity = new CustomIdentity(userId, userName, SecurityProvider, externalIdentityInfo.UserId)
                {
                    EmailAddress = emailAddress
                };

                var payload = new AuthPayload(identity);
                return(payload);
            }

            return(null);
        }
Esempio n. 10
0
        /// <summary>
        /// The is authorized.
        /// </summary>
        /// <param name="payload">
        /// The payload.
        /// </param>
        /// <param name="roles">
        /// The roles.
        /// </param>
        /// <returns>
        /// The <see cref="bool"/>.
        /// </returns>
        public bool IsAuthorized(AuthPayload payload, string[] roles)
        {
            bool result = false;

            foreach (string role in roles)
            {
                KeyValueConfigurationElement roleElement = AuthorizationConfig.Instance.CertificateMap[role];
                if (roleElement != null)
                {
                    string[] thumbprints = roleElement.Value.Split(',');
                    if (thumbprints.Contains(payload.CustomIdentity.PresentedClientToken, StringComparer.OrdinalIgnoreCase) == true)
                    {
                        result = true;
                        break;
                    }
                }
            }

            return(result);
        }
Esempio n. 11
0
        /// <summary>
        /// The authenticate.
        /// </summary>
        /// <param name="credentials">
        /// The credentials.
        /// </param>
        /// <param name="flags">
        /// A general purpose flags set
        /// </param>
        /// <returns>
        /// The <see cref="AuthPayload"/>.
        /// </returns>
        public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
        {
            AuthPayload result = null;

            if (credentials.Token != null)
            {
                LomoUserIdSecurityToken token = new LomoUserIdSecurityToken(
                    credentials.Token,
                    ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenSigningKey],
                    ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenPassword],
                    ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenSalt],
                    Convert.ToUInt64(ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenClockSkew]));

                var identity = new CustomIdentity(new Guid(token.UserId), null, credentials.SecurityProviderName);
                result = new AuthPayload(identity);
                result.CredentialAuthorizationParameters[Resource] = token.Resource;
                result.CredentialAuthorizationParameters[Action]   = token.Action;
            }

            return(result);
        }
        /// <summary>
        /// Attempts to authorize the client issuing the request.
        /// </summary>
        /// <param name="actionContext">
        /// The action context.
        /// </param>
        public void AuthorizeUser(HttpActionContext actionContext)
        {
            Log.Verbose("MutualSslAuthAttribute.OnAuthorization");

            // Attempt to get credentials from the the client certificate.
            SecurityCredentials credentials = this.GetCredentialsFromClientCertificate(actionContext);

            bool isAuthorized = false;

            if (credentials != null)
            {
                AuthPayload payload = Security.Authenticate(credentials);
                if (payload != null)
                {
                    if (Security.Authorize(payload, this.Roles))
                    {
                        isAuthorized = true;
                        Log.Verbose("User is authorized");
                    }
                    else
                    {
                        Log.Warn("Unauthorized user");
                    }
                }
                else
                {
                    Log.Warn("Unable to build auth payload while authenticating credentials.");
                }
            }
            else
            {
                Log.Warn("Unable to build credentials from client certificate.");
            }

            if (!isAuthorized)
            {
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            }
        }
 /// <summary>
 /// The is authorized.
 /// </summary>
 /// <param name="payload">
 /// The payload.
 /// </param>
 /// <param name="roles">
 /// The roles.
 /// </param>
 /// <returns>
 /// The <see cref="bool"/>.
 /// </returns>
 public bool IsAuthorized(AuthPayload payload, string[] roles)
 {
     return(payload != null); // TODO
 }