/// <summary>
/// Check all session is in any supplied roles otherwise a 401 HttpError is thrown
/// </summary>
/// <param name="request"></param>
/// <param name="requiredRoles"></param>
public static void AssertRequiredRoles(IRequest request, params string[] requiredRoles)
{
if (requiredRoles.IsEmpty())
{
return;
}
var req = request.TryResolve <IHttpRequest>();
if (HostContext.HasValidAuthSecret(req))
{
return;
}
var session = req.GetSession();
if (session != null && requiredRoles.Any(session.HasRole))
{
return;
}
session.UpdateFromUserAuthRepo(req);
if (session != null && requiredRoles.Any(session.HasRole))
{
return;
}
var statusCode = session != null && session.IsAuthenticated
? (int)HttpStatusCode.Forbidden
: (int)HttpStatusCode.Unauthorized;
throw new HttpError(statusCode, "Invalid Role");
}
/// <summary>
/// Check all session is in all supplied roles otherwise a 401 HttpError is thrown
/// </summary>
public static void AssertRequiredRoles(IRequest req, IAuthRepository authRepo, params string[] requiredRoles)
{
if (requiredRoles.IsEmpty() || HostContext.HasValidAuthSecret(req))
{
return;
}
var session = req.GetSession();
if (session != null)
{
if (session.HasRole(RoleNames.Admin, authRepo))
{
return;
}
if (requiredRoles.All(x => session.HasRole(x, authRepo)))
{
return;
}
session.UpdateFromUserAuthRepo(req);
}
if (session != null && requiredRoles.All(x => session.HasRole(x, authRepo)))
{
return;
}
var statusCode = session != null && session.IsAuthenticated
? (int)HttpStatusCode.Forbidden
: (int)HttpStatusCode.Unauthorized;
throw new HttpError(statusCode, ErrorMessages.InvalidRole.Localize(req));
}
public static bool HasRequiredRoles(IRequest req, string[] requiredRoles)
{
if (requiredRoles.IsEmpty())
{
return(true);
}
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
var session = req.GetSession();
if (session != null)
{
if (session.HasRole(RoleNames.Admin))
{
return(true);
}
if (requiredRoles.All(session.HasRole))
{
return(true);
}
}
session.UpdateFromUserAuthRepo(req);
if (session != null && requiredRoles.All(session.HasRole))
{
return(true);
}
return(false);
}
public override async Task ExecuteAsync(IRequest req, IResponse res, object requestDto)
{
if (HostContext.HasValidAuthSecret(req))
{
return;
}
await base.ExecuteAsync(req, res, requestDto);
if (res.IsClosed)
{
return;
}
var session = req.GetSession();
var authRepo = HostContext.AppHost.GetAuthRepository(req);
using (authRepo as IDisposable)
{
if (session != null && session.HasRole("Admin", authRepo) ||
(this.HasWebSudo(req, session as IWebSudoAuthSession) ||
this.DoHtmlRedirectIfConfigured(req, res)))
{
return;
}
}
res.StatusCode = 402;
res.StatusDescription = "Web Sudo Required";
res.EndRequest();
}
public override async Task ExecuteAsync(IRequest req, IResponse res, object requestDto)
{
if (HostContext.HasValidAuthSecret(req))
{
return;
}
await base.ExecuteAsync(req, res, requestDto).ConfigAwait(); //first check if session is authenticated
if (res.IsClosed)
{
return; //AuthenticateAttribute already closed the request (ie auth failed)
}
var session = await req.AssertAuthenticatedSessionAsync().ConfigAwait();
var authRepo = HostContext.AppHost.GetAuthRepositoryAsync(req);
await using (authRepo as IAsyncDisposable)
{
if (await session.HasAnyRolesAsync(RequiredRoles, authRepo, req).ConfigAwait())
{
return;
}
}
await HandleShortCircuitedErrors(req, res, requestDto,
HttpStatusCode.Forbidden, ErrorMessages.InvalidRole.Localize(req)).ConfigAwait();
}
public static void AssertRequiredRoles(IRequest req, params string[] requiredRoles)
{
if (requiredRoles.IsEmpty())
{
return;
}
if (HostContext.HasValidAuthSecret(req))
{
return;
}
var session = req.AssertAuthenticatedSession();
var authRepo = HostContext.AppHost.GetAuthRepository(req);
using (authRepo as IDisposable)
{
if (session.HasAnyRoles(requiredRoles, authRepo, req))
{
return;
}
}
throw new HttpError(HttpStatusCode.Forbidden, ErrorMessages.InvalidRole.Localize(req));
}
private static bool SessionValidForAllRoles(IRequest req, IAuthSession session, ICollection <string> requiredRoles)
{
var singleRequiredRole = requiredRoles.Count == 1 ? requiredRoles.First() : null;
if (singleRequiredRole == RoleNames.AllowAnon)
{
return(true);
}
if (requiredRoles.IsEmpty())
{
return(true);
}
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
AssertAuthenticated(req, requestDto: req.Dto, session: session);
if (session != null && singleRequiredRole == RoleNames.AllowAnyUser && session.IsAuthenticated)
{
return(true);
}
return(false);
}
public override void Execute(IRequest req, IResponse res, object requestDto)
{
if (HostContext.HasValidAuthSecret(req))
{
return;
}
base.Execute(req, res, requestDto); //first check if session is authenticated
if (res.IsClosed)
{
return; //AuthenticateAttribute already closed the request (ie auth failed)
}
var session = req.GetSession();
if (HasAnyRoles(req, session))
{
return;
}
if (DoHtmlRedirectIfConfigured(req, res))
{
return;
}
res.StatusCode = (int)HttpStatusCode.Forbidden;
res.StatusDescription = "Invalid Role";
res.EndRequest();
}
public static bool IsAuthenticated(this IRequest req)
{
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
var session = req.GetSession();
return(session != null && AuthenticateService.AuthProviders.Any(x => session.IsAuthorized(x.Provider)));
}
private static bool SessionValidForAllPermissions(IRequest req, IAuthSession session, ICollection <string> requiredPermissions)
{
if (requiredPermissions.IsEmpty())
{
return(true);
}
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
return(false);
}
public static async Task <bool> AuthenticateAsync(IRequest req, object requestDto = null, IAuthSession session = null, IAuthProvider[] authProviders = null)
{
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
session ??= await(req ?? throw new ArgumentNullException(nameof(req))).GetSessionAsync().ConfigAwait();
authProviders ??= AuthenticateService.GetAuthProviders();
var authValidate = HostContext.GetPlugin <AuthFeature>()?.OnAuthenticateValidate;
var ret = authValidate?.Invoke(req);
if (ret != null)
{
return(false);
}
req.PopulateFromRequestIfHasSessionId(requestDto);
if (!req.Items.ContainsKey(Keywords.HasPreAuthenticated))
{
//Unauthorized or invalid requests will terminate the response and return false
var mockResponse = new BasicRequest().Response;
req.Items[Keywords.HasPreAuthenticated] = true;
foreach (var authWithRequest in authProviders.OfType <IAuthWithRequest>())
{
await authWithRequest.PreAuthenticateAsync(req, mockResponse).ConfigAwait();
if (mockResponse.IsClosed)
{
return(false);
}
}
foreach (var authWithRequest in authProviders.OfType <IAuthWithRequestSync>())
{
authWithRequest.PreAuthenticate(req, mockResponse);
if (mockResponse.IsClosed)
{
return(false);
}
}
}
var sessionIsAuthenticated = session != null && (authProviders.Length > 0
? authProviders.Any(x => session.IsAuthorized(x.Provider))
: session.IsAuthenticated);
return(sessionIsAuthenticated);
}
private static bool SessionValidForAllPermissions(IRequest req, IAuthSession session, ICollection <string> requiredPermissions)
{
if (requiredPermissions.IsEmpty())
{
return(true);
}
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
AssertAuthenticated(req, requestDto: req.Dto, session: session);
return(false);
}
private static async Task <bool> SessionValidForAllPermissionsAsync(IRequest req, IAuthSession session, ICollection <string> requiredPermissions)
{
if (requiredPermissions.IsEmpty())
{
return(true);
}
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
await AssertAuthenticatedAsync(req, requestDto : req.Dto, session : session).ConfigAwait();
return(false);
}
public static bool IsAuthenticated(this IRequest req)
{
//Sync with [Authenticate] impl
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
var authProviders = AuthenticateService.GetAuthProviders();
AuthenticateAttribute.PreAuthenticate(req, authProviders);
var session = req.GetSession();
return(session != null && authProviders.Any(x => session.IsAuthorized(x.Provider)));
}
public override void Execute(IRequest req, IResponse res, object requestDto)
{
if (AuthenticateService.AuthProviders == null)
{
throw new InvalidOperationException(
"The AuthService must be initialized by calling AuthService.Init to use an authenticate attribute");
}
if (HostContext.HasValidAuthSecret(req))
{
return;
}
var matchingOAuthConfigs = AuthenticateService.AuthProviders.Where(x =>
this.Provider.IsNullOrEmpty() ||
x.Provider == this.Provider).ToList();
if (matchingOAuthConfigs.Count == 0)
{
res.WriteError(req, requestDto, "No OAuth Configs found matching {0} provider"
.Fmt(this.Provider ?? "any"));
res.EndRequest();
return;
}
req.PopulateFromRequestIfHasSessionId(requestDto);
//Call before GetSession so Exceptions can bubble
req.Items[Keywords.HasPreAuthenticated] = true;
matchingOAuthConfigs.OfType <IAuthWithRequest>()
.Each(x => x.PreAuthenticate(req, res));
var session = req.GetSession();
if (session == null || !matchingOAuthConfigs.Any(x => session.IsAuthorized(x.Provider)))
{
if (this.DoHtmlRedirectIfConfigured(req, res, true))
{
return;
}
AuthProvider.HandleFailedAuth(matchingOAuthConfigs[0], session, req, res);
}
}
public override async Task ExecuteAsync(IRequest req, IResponse res, object requestDto)
{
if (AuthenticateService.AuthProviders == null)
{
throw new InvalidOperationException(
"The AuthService must be initialized by calling AuthService.Init to use an authenticate attribute");
}
if (HostContext.HasValidAuthSecret(req))
{
return;
}
var authProviders = AuthenticateService.GetAuthProviders(this.Provider);
if (authProviders.Length == 0)
{
await res.WriteError(req, requestDto, $"No registered Auth Providers found matching {this.Provider ?? "any"} provider").ConfigAwait();
res.EndRequest();
return;
}
req.PopulateFromRequestIfHasSessionId(requestDto);
await PreAuthenticateAsync(req, authProviders).ConfigAwait();
if (res.IsClosed)
{
return;
}
var session = req.GetSession();
if (session == null || !authProviders.Any(x => session.IsAuthorized(x.Provider)))
{
if (this.DoHtmlRedirectIfConfigured(req, res, true))
{
return;
}
await AuthProvider.HandleFailedAuth(authProviders[0], session, req, res).ConfigAwait();
}
}
public override async Task ExecuteAsync(IRequest req, IResponse res, object requestDto)
{
if (HostContext.HasValidAuthSecret(req))
{
return;
}
await base.ExecuteAsync(req, res, requestDto).ConfigAwait(); //first check if session is authenticated
if (res.IsClosed)
{
return; //AuthenticateAttribute already closed the request (ie auth failed)
}
var session = await req.GetSessionAsync().ConfigAwait();
var authRepo = HostContext.AppHost.GetAuthRepositoryAsync(req);
#if NET472 || NETSTANDARD2_0
await using (authRepo as IAsyncDisposable)
#else
using (authRepo as IDisposable)
#endif
{
if (session != null && await session.HasRoleAsync(RoleNames.Admin, authRepo).ConfigAwait())
{
return;
}
if (await HasAnyPermissionsAsync(req, session, authRepo).ConfigAwait())
{
return;
}
}
if (DoHtmlRedirectAccessDeniedIfConfigured(req, res))
{
return;
}
res.StatusCode = (int)HttpStatusCode.Forbidden;
res.StatusDescription = ErrorMessages.InvalidPermission.Localize(req);
await HostContext.AppHost.HandleShortCircuitedErrors(req, res, requestDto).ConfigAwait();
}
/// <summary>
/// Check all session is in any supplied roles otherwise a 401 HttpError is thrown
/// </summary>
/// <param name="request"></param>
/// <param name="requiredRoles"></param>
public static void AssertRequiredRoles(IRequest req, params string[] requiredRoles)
{
if (requiredRoles.IsEmpty())
{
return;
}
if (HostContext.HasValidAuthSecret(req))
{
return;
}
var session = req.GetSession();
var authRepo = HostContext.AppHost.GetAuthRepository(req);
using (authRepo as IDisposable)
{
if (session != null && session.HasRole(RoleNames.Admin, authRepo))
{
return;
}
if (session != null && session.UserAuthId != null && requiredRoles.Any(x => session.HasRole(x, authRepo)))
{
return;
}
session.UpdateFromUserAuthRepo(req);
if (session != null && session.UserAuthId != null && requiredRoles.Any(x => session.HasRole(x, authRepo)))
{
return;
}
}
var statusCode = session != null && session.IsAuthenticated
? (int)HttpStatusCode.Forbidden
: (int)HttpStatusCode.Unauthorized;
throw new HttpError(statusCode, "Invalid Role");
}
public static bool PreAuthenticatedValidForAllRoles(IRequest req, ICollection <string> requiredRoles)
{
var singleRequiredRole = requiredRoles.Count == 1 ? requiredRoles.First() : null;
if (singleRequiredRole == RoleNames.AllowAnon)
{
return(true);
}
if (requiredRoles.IsEmpty())
{
return(true);
}
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
return(false);
}
public static IServiceStackHandler GetRequestInfoHandler(IHttpRequest request)
{
if (request.QueryString[Keywords.Debug] != Keywords.RequestInfo)
{
return(null);
}
if (HostContext.Config.DebugMode || HostContext.HasValidAuthSecret(request))
{
return(new RequestInfoHandler());
}
var session = request.GetSession();
if (session != null && session.Roles.Contains("admin"))
{
return(new RequestInfoHandler());
}
return(null);
}
public static bool HasRequiredRoles(IRequest req, string[] requiredRoles)
{
if (requiredRoles.IsEmpty())
{
return(true);
}
if (HostContext.HasValidAuthSecret(req))
{
return(true);
}
var session = req.GetSession();
var authRepo = HostContext.AppHost.GetAuthRepository(req);
using (authRepo as IDisposable)
{
if (session != null)
{
if (session.HasRole(RoleNames.Admin, authRepo))
{
return(true);
}
if (requiredRoles.All(x => session.HasRole(x, authRepo)))
{
return(true);
}
session.UpdateFromUserAuthRepo(req);
}
if (session != null && requiredRoles.All(x => session.HasRole(x, authRepo)))
{
return(true);
}
}
return(false);
}
public override async Task ExecuteAsync(IRequest req, IResponse res, object requestDto)
{
if (HostContext.HasValidAuthSecret(req))
{
return;
}
await base.ExecuteAsync(req, res, requestDto); //first check if session is authenticated
if (res.IsClosed)
{
return; //AuthenticateAttribute already closed the request (ie auth failed)
}
var session = req.GetSession();
var authRepo = HostContext.AppHost.GetAuthRepository(req);
using (authRepo as IDisposable)
{
if (session != null && session.HasRole(RoleNames.Admin, authRepo))
{
return;
}
if (HasAnyRoles(req, session, authRepo))
{
return;
}
}
if (DoHtmlRedirectIfConfigured(req, res))
{
return;
}
res.StatusCode = (int)HttpStatusCode.Forbidden;
res.StatusDescription = ErrorMessages.InvalidRole.Localize(req);
await HostContext.AppHost.HandleShortCircuitedErrors(req, res, requestDto);
}
internal static IHttpHandler ReturnRequestInfo(IHttpRequest httpReq)
{
if ((HostContext.DebugMode ||
HostContext.Config.AdminAuthSecret != null) &&
httpReq.QueryString["debug"] == RequestInfoHandler.RestPath)
{
if (HostContext.DebugMode || HostContext.HasValidAuthSecret(httpReq))
{
var reqInfo = RequestInfoHandler.GetRequestInfo(httpReq);
reqInfo.Host = HostContext.Config.DebugHttpListenerHostEnvironment + "_v" + Env.ServiceStackVersion + "_" + HostContext.ServiceName;
reqInfo.PathInfo = httpReq.PathInfo;
reqInfo.GetPathUrl = httpReq.GetPathUrl();
return(new RequestInfoHandler {
RequestInfo = reqInfo
});
}
}
return(null);
}
public override void Execute(IRequest req, IResponse res, object requestDto)
{
if (HostContext.HasValidAuthSecret(req))
{
return;
}
base.Execute(req, res, requestDto); //first check if session is authenticated
if (res.IsClosed)
{
return; //AuthenticateAttribute already closed the request (ie auth failed)
}
var session = req.GetSession();
var authRepo = HostContext.AppHost.GetAuthRepository(req);
using (authRepo as IDisposable)
{
if (session != null && session.HasRole(RoleNames.Admin, authRepo))
{
return;
}
if (HasAnyPermissions(req, session, authRepo))
{
return;
}
}
if (DoHtmlRedirectIfConfigured(req, res))
{
return;
}
res.StatusCode = (int)HttpStatusCode.Forbidden;
res.StatusDescription = "Invalid Permission";
res.EndRequest();
}
