Esempio n. 1
0
 /// <summary>
 /// Add a performance log.
 /// </summary>
 /// <param name="function"></param>
 public void AddPerfLog(string function)
 {
     _PerfProvider?.Add(function);
 }
Esempio n. 2
0
        /// <summary>
        /// Handle the authorization policy for page.
        /// </summary>
        /// <param name="context"></param>
        /// <param name="requirement"></param>
        /// <param name="page"></param>
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       OperationAuthorizationRequirement requirement,
                                                       Page page)
        {
            bool   isSignedIn = (context?.User == null) ? false : (_AppContext?.SignInManager?.IsSignedIn(context.User) ?? false);
            string userName   = (context?.User == null) ? null : _AppContext?.UserManager?.GetUserName(context.User);

            // Special case...
            if (requirement?.Name == null)
            {
                _Log?.LogCritical("Access denied to page \"{0}\": Null requirement.", page?.Title);
                context.Fail();
            }
            else if (requirement.Name != AuthorizationRequirement.Read &&
                     requirement.Name != AuthorizationRequirement.Add &&
                     requirement.Name != AuthorizationRequirement.Update)
            {
                _Log?.LogWarning("{0} access denied to page \"{1}\": Invalid requirement.", requirement.Name, page?.Title);
                context.Fail();
            }
            else if (page == null)
            {
                _Log?.LogInformation("{0} access granted to null page.", requirement.Name);
                context.Succeed(requirement);
            }
            else if (_AppContext == null)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Invalid application context.", requirement.Name, page?.Title);
                context.Fail();
            }
            else if (_AppContext.SignInManager == null)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Invalid SignIn manager.", requirement.Name, page?.Title);
                context.Fail();
            }
            else if (context.User == null)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Invalid User data.", requirement.Name, page?.Title);
                context.Fail();
            }
            // Check inputs...
            else if (page.RequestSite == null)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Invalid page.", requirement.Name, page?.Title);
                context.Fail();
            }
            // Check inconsistency...
            else if (page.SiteId != page.RequestSite.Id)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Site inconsistency.", requirement.Name, page?.Title);
                context.Fail();
            }
            else if (page.RequestSite.Private == true &&
                     page.Private == false)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Privacy inconsistency.", requirement.Name, page?.Title);
                context.Fail();
            }
            // Check user inconsistency...
            else if (isSignedIn == true && _AppContext.User == null)
            {
                // Signed user in the http context, but no user in the application context.
                _Log?.LogCritical("{0} access denied to page \"{1}\": User inconsistency (http but not in app).", requirement.Name, page?.Title);
                context.Fail();
            }
            else if (isSignedIn == false && _AppContext.User != null)
            {
                // No Signed user in the http context, but user in the application context.
                _Log?.LogCritical("{0} access denied to page \"{1}\": User inconsistency (not in http but in app).", requirement.Name, page?.Title);
                context.Fail();
            }
            else if ((isSignedIn == true && _AppContext.User != null) &&
                     (userName == null || userName != _AppContext.User.UserName))
            {
                // Different user signed in http context and in application context.
                _Log?.LogCritical($"{requirement.Name} access denied to page \"{page.Title}\": \"{userName}\" not matching to context user \"{_AppContext.User.UserName}\".");
                context.Fail();
            }
            else if (_AppContext.User != null && _AppContext.User.SiteId != page.SiteId)
            {
                // Invalid user site...
                _Log?.LogCritical($"{requirement.Name} access denied to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" not allowed on this site.");
                context.Fail();
            }
            // Check access right...
            else if (_AppContext.User == null)
            {
                // Read published and public page is granted to anonymous...
                if (requirement.Name == AuthorizationRequirement.Read &&
                    page.Private == false &&
                    page.State == State.Valided)
                {
                    _Log?.LogInformation("{0} access granted to page \"{1}\": Published public page allowed to anonymous.", requirement.Name, page?.Title);
                    context.Succeed(requirement);
                }
                else
                {
                    _Log?.LogWarning("{0} access denied to page \"{page.Title}\": Anonymous user.", requirement.Name, page?.Title);
                    context.Fail();
                }
            }
            // If the page is private, check user groups:
            //  For read: user need to have at least one group of the page.
            //  For other requirement: user need to have all groups of the page.
            else if (page.Private == true &&
                     requirement.Name == AuthorizationRequirement.Read &&
                     _AppContext.User.MemberOf(page) == false)
            {
                _Log?.LogWarning($"{requirement.Name} access denied to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" not in allowed groups.");
                context.Fail();
            }
            else if (page.Private == true &&
                     requirement.Name != AuthorizationRequirement.Read &&
                     _AppContext.User.MemberOfAll(page) == false)
            {
                _Log?.LogWarning($"{requirement.Name} access denied to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" not in all allowed groups.");
                context.Fail();
            }
            // Administrator and publicator have all rights...
            else if (_AppContext.User.HasRole(ClaimValueRole.Administrator) == true ||
                     _AppContext.User.HasRole(ClaimValueRole.Publicator) == true)
            {
                _Log?.LogInformation($"{requirement.Name} access granted to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" as {ClaimValueRole.Administrator}\\{ClaimValueRole.Publicator}.");
                context.Succeed(requirement);
            }
            // Contributeur and reader can only read published page...
            else if (_AppContext.User.HasRole(ClaimValueRole.Contributor) == true ||
                     _AppContext.User.HasRole(ClaimValueRole.Reader) == true)
            {
                if (requirement.Name == AuthorizationRequirement.Read &&
                    page.State == State.Valided)
                {
                    _Log?.LogInformation($"{requirement.Name} access granted to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" can read published page as {ClaimValueRole.Contributor}\\{ClaimValueRole.Reader}.");
                    context.Succeed(requirement);
                }
                else
                {
                    _Log?.LogWarning($"{requirement.Name} access denied to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" as {ClaimValueRole.Contributor} or {ClaimValueRole.Reader} not allowed.");
                    context.Fail();
                }
            }
            // User without roles...
            else if (requirement.Name == AuthorizationRequirement.Read &&
                     page.State == State.Valided)
            {
                _Log?.LogInformation($"{requirement.Name} access granted to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" can read published page without role.");
                context.Succeed(requirement);
            }
            else
            {
                _Log?.LogWarning($"{requirement.Name} access denied to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" not allowed.");
                context.Fail();
            }
            // Trace performance...
            _PerfProvider?.Add("PageAuthorizationHandler::Handle");
            // Return...
            return(Task.CompletedTask);
        }
Esempio n. 3
0
        /// <summary>
        /// Handle the authorization policy for site.
        /// </summary>
        /// <param name="context"></param>
        /// <param name="requirement"></param>
        /// <param name="site"></param>
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       OperationAuthorizationRequirement requirement,
                                                       Site site)
        {
            bool   isSignedIn = (context?.User == null) ? false : (_AppContext?.SignInManager?.IsSignedIn(context.User) ?? false);
            string userName   = (context?.User == null) ? null : _AppContext?.UserManager?.GetUserName(context.User);

            // Special case...
            if (requirement?.Name == null)
            {
                _Log?.LogCritical($"Access denied to site \"{site?.Title}\": Null requirement.");
                context.Fail();
            }
            else if (requirement.Name.StartsWith(AuthorizationRequirement.Read) == false)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site?.Title}\": Invalid requirement.");
                context.Fail();
            }
            else if (site == null)
            {
                _Log?.LogInformation($"{requirement.Name} access granted to null site.");
                context.Succeed(requirement);
            }
            else if (_AppContext == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": Invalid application context.");
                context.Fail();
            }
            else if (_AppContext.SignInManager == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": Invalid SignIn manager.");
                context.Fail();
            }
            else if (_AppContext.UserManager == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": Invalid User manager.");
                context.Fail();
            }
            else if (context.User == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": Invalid User data.");
                context.Fail();
            }
            // Check user inconsistency...
            else if (isSignedIn == true && _AppContext.User == null)
            {
                // Signed user in the http context, but no user in the application context.
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": User inconsistency (http but not in app).");
                context.Fail();
            }
            else if (isSignedIn == false && _AppContext.User != null)
            {
                // No Signed user in the http context, but user in the application context.
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": User inconsistency (not in http but in app).");
                context.Fail();
            }
            else if ((isSignedIn == true && _AppContext.User != null) &&
                     (userName == null || userName != _AppContext.User.UserName))
            {
                // Different user signed in http context and in application context.
                _Log?.LogWarning($"{requirement.Name} access denied to site \"{site.Title}\": \"{userName}\" not matching to context user \"{_AppContext.User.UserName}\".");
                context.Fail();
            }
            else if (_AppContext.User != null && _AppContext.User.SiteId != site.Id)
            {
                // Invalid user site...
                _Log?.LogWarning($"{requirement.Name} access denied to site \"{site.Title}\": \"{context?.User?.Identity?.Name}\" not allowed on this site.");
                context.Fail();
            }
            // Check access right...
            else if (_AppContext.User == null)
            {
                // Read Public site is granted to anonymous...
                if (site.Private == false && requirement.Name == AuthorizationRequirement.Read)
                {
                    _Log?.LogInformation($"{requirement.Name} access granted to site \"{site.Title}\": Public site allowed to anonymous.");
                    context.Succeed(requirement);
                }
                //// Site theme is granted to anonymous user (private and public site)...
                //else if (requirement.Name.StartsWith($"{AuthorizationRequirement.Read}/css/") == true
                //    || requirement.Name.StartsWith($"{AuthorizationRequirement.Read}/images/") == true
                //    || requirement.Name.StartsWith($"{AuthorizationRequirement.Read}/jss/") == true)
                //{
                //    _Log?.LogInformation($"{requirement.Name} access granted to site \"{site.Title}\": Css, images and jss files allowed to anonymous.");
                //    context.Succeed(requirement);
                //}
                // Registration (public site) and login (private and public site) is granted to anonymous user...
                else if (requirement.Name.ToLower() == $"{AuthorizationRequirement.Read}{CRoute.RouteAccountLogin}".ToLower() ||
                         (site.Private == false && requirement.Name.ToLower() == $"{AuthorizationRequirement.Read}{CRoute.RouteAccountRegister}".ToLower()))
                {
                    _Log?.LogInformation($"{requirement.Name} access granted to site \"{site.Title}\": Registration and login page allowed to anonymous.");
                    context.Succeed(requirement);
                }
                else
                {
                    _Log?.LogWarning($"{requirement.Name} access denied to site \"{site.Title}\": Anonymous user.");
                    context.Fail();
                }
            }
            // Read requirement is granted to all registered user...
            else if (requirement.Name == AuthorizationRequirement.Read ||
                     requirement.Name == $"{AuthorizationRequirement.Read}{CRoute.RouteAccountLogin}" ||
                     requirement.Name == $"{AuthorizationRequirement.Read}{CRoute.RouteAccountRegister}")
            {
                _Log?.LogInformation($"{requirement.Name} access granted to site \"{site.Title}\": Read granted to \"{context?.User?.Identity?.Name}\".");
                context.Succeed(requirement);
            }
            // Update requirement is granted to admin member of all groups...
            else if (requirement.Name == AuthorizationRequirement.Update &&
                     _AppContext.User.HasRole(ClaimValueRole.Administrator) == true &&
                     _AppContext.User.MemberOfAllGroup() == true)
            {
                _Log?.LogInformation($"{requirement.Name} access granted to site \"{site.Title}\": \"{context?.User?.Identity?.Name}\" as site {ClaimValueRole.Administrator} of all groups.");
                context.Succeed(requirement);
            }
            // Access denied...
            else
            {
                _Log?.LogWarning($"{requirement.Name} access denied to site \"{site.Title}\": \"{context?.User?.Identity?.Name}\" not allowed.");
                context.Fail();
            }
            // Trace performance...
            _PerfProvider?.Add("SiteAuthorizationHandler::Handle");
            // Return...
            return(Task.CompletedTask);
        }
Esempio n. 4
0
        /// <summary>
        /// Handle the authorization policy for user.
        /// </summary>
        /// <param name="context"></param>
        /// <param name="requirement"></param>
        /// <param name="data"></param>
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       OperationAuthorizationRequirement requirement,
                                                       ApplicationUser data)
        {
            bool   isSignedIn = (context?.User == null) ? false : (_AppContext?.SignInManager?.IsSignedIn(context.User) ?? false);
            string userName   = (context?.User == null) ? null : _AppContext?.UserManager?.GetUserName(context.User);

            // Special case...
            if (requirement?.Name == null)
            {
                _Log?.LogCritical($"Access denied to user \"{data?.Email}\": Null requirement.");
                context.Fail();
            }
            else if (requirement.Name != AuthorizationRequirement.Read &&
                     requirement.Name != AuthorizationRequirement.Update)
            {
                _Log?.LogCritical($"Access denied to user \"{data?.Email}\": Invalid requirement.");
                context.Fail();
            }
            else if (data == null)
            {
                _Log?.LogInformation($"{requirement.Name} access granted to null user.");
                context.Succeed(requirement);
            }
            else if (_AppContext == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Invalid application context.");
                context.Fail();
            }
            else if (_AppContext.SignInManager == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Invalid SignIn manager.");
                context.Fail();
            }
            else if (_AppContext.UserManager == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Invalid User manager.");
                context.Fail();
            }
            else if (context.User == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Invalid User data.");
                context.Fail();
            }
            // Check inputs...
            else if (requirement == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Invalid requirement.");
                context.Fail();
            }
            else if (data.UserName == null ||
                     data.RequestSite == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Invalid user.");
                context.Fail();
            }
            // Check inconsistency...
            else if (data.SiteId != data.RequestSite.Id)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Site inconsistency.");
                context.Fail();
            }
            // Check user inconsistency...
            else if (isSignedIn == true && _AppContext.User == null)
            {
                // Signed user in the http context, but no user in the application context.
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": User inconsistency (http but not in app).");
                context.Fail();
            }
            else if (isSignedIn == false && _AppContext.User != null)
            {
                // No Signed user in the http context, but user in the application context.
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": User inconsistency (not in http but in app).");
                context.Fail();
            }
            else if ((isSignedIn == true && _AppContext.User != null) &&
                     (userName == null || userName != _AppContext.User.UserName))
            {
                // Different user signed in http context and in application context.
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\":  \"{userName}\" not matching to context user \"{_AppContext.User.UserName}\".");
                context.Fail();
            }
            else if (_AppContext.User != null && _AppContext.User.SiteId != data.SiteId)
            {
                // Invalid user site...
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" not allowed on this site.");
                context.Fail();
            }
            // Check access right...
            else if (_AppContext.User == null)
            {
                // Anonymous is not granted...
                _Log?.LogWarning($"{requirement.Name} access denied to user \"{data.Email}\": Anonymous user.");
                context.Fail();
            }
            // Check user groups:
            //  For read: user need to have at least one group of the user data.
            //  For other requirement: user need to have all groups of the user data.
            else if (requirement.Name == AuthorizationRequirement.Read &&
                     _AppContext.User.MemberOf(data) == false)
            {
                _Log?.LogWarning($"{requirement.Name} access denied to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" not in allowed groups.");
                context.Fail();
            }
            else if (requirement.Name != AuthorizationRequirement.Read &&
                     _AppContext.User.MemberOfAll(data) == false)
            {
                _Log?.LogWarning($"{requirement.Name} access denied to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" not in all allowed groups.");
                context.Fail();
            }
            // Administrator have all rights...
            else if (_AppContext.User.HasRole(ClaimValueRole.Administrator) == true)
            {
                _Log?.LogInformation($"{requirement.Name} access granted to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" as {ClaimValueRole.Administrator}.");
                context.Succeed(requirement);
            }
            // User have access to their data...
            else if (_AppContext.User.Id == data.Id)
            {
                if (requirement.Name == AuthorizationRequirement.Read ||
                    requirement.Name == AuthorizationRequirement.Add ||
                    requirement.Name == AuthorizationRequirement.Update)
                {
                    _Log?.LogInformation($"{requirement.Name} access granted to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" as owner.");
                    context.Succeed(requirement);
                }
                else
                {
                    _Log?.LogWarning($"{requirement.Name} access denied to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" not allowed.");
                    context.Fail();
                }
            }
            // Other cannot see user details...
            else
            {
                _Log?.LogWarning($"{requirement.Name} access denied to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" not allowed.");
                context.Fail();
            }
            // Trace performance...
            _PerfProvider?.Add("UserAuthorizationHandler::Handle");
            // Return...
            return(Task.CompletedTask);
        }