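        /// <summary>
        /// Builds the <see cref="PrincipalPermission"/> this attribute demands: an unrestricted permission
        /// when <c>Unrestricted</c> is set, otherwise a permission for the current principal in the role
        /// whose value is read from the environment variable named by <c>Role</c>.
        /// </summary>
        /// <returns>The permission to demand; <c>null</c> only if the throwing helper returns.</returns>
        /// <remarks>
        /// Note that <c>Role</c> is the *name of an environment variable*, and the role actually checked
        /// with <see cref="IPrincipal.IsInRole"/> is that variable's value. Every rejection goes through
        /// <see cref="CloudFoundryWcfTokenValidator.ThrowJwtException"/> with <c>insufficient_scope</c>;
        /// the statements after those calls assume the helper always throws.
        /// </remarks>
        public override IPermission CreatePermission()
        {
            if (Unrestricted)
            {
                return(new PrincipalPermission(PermissionState.Unrestricted));
            }

            // Role names an environment variable holding the role/ACL value to match.
            string matchACL = Environment.GetEnvironmentVariable(Role);

            if (string.IsNullOrEmpty(matchACL))
            {
                CloudFoundryWcfTokenValidator.ThrowJwtException("Configuration for not provided for Role: " + Role, "insufficient_scope");
            }

            IPrincipal principal = Thread.CurrentPrincipal;

            // Thread.CurrentPrincipal can be null (it is not populated by default on every host); treat
            // that as "not in role" so the caller gets the insufficient_scope error rather than a
            // NullReferenceException from IsInRole.
            if (principal != null && principal.IsInRole(matchACL))
            {
                return(new PrincipalPermission(principal.Identity.Name, matchACL, _authenticated));
            }
            else
            {
                // The denial is written to stdout in addition to the thrown error.
                Console.Out.WriteLine("Access denied user is not in Role: " + Role);
                CloudFoundryWcfTokenValidator.ThrowJwtException("Access denied user is not in Role: " + Role, "insufficient_scope");
                return(null);
            }
        }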
        /// <summary>
        /// Returns the explicitly configured <c>TokenValidationParameters</c>, or assembles a new set wired
        /// to this instance's key resolver and token validator, creating either one if it was not supplied.
        /// </summary>
        /// <returns>
        /// Parameters for the JWT handler. When none were configured, a fresh instance is built on every
        /// call (the result is not cached back into <c>TokenValidationParameters</c>).
        /// </returns>
        internal TokenValidationParameters GetTokenValidationParameters()
        {
            TokenValidationParameters configured = TokenValidationParameters;

            if (configured != null)
            {
                return(configured);
            }

            if (TokenKeyResolver == null)
            {
                // Signing keys are fetched from the token-key endpoint relative to the authorization URL.
                string tokenKeyUri = new Uri(new Uri(AuthorizationUrl), CloudFoundryDefaults.JwtTokenUri).AbsoluteUri;
                TokenKeyResolver = new Steeltoe.Security.Authentication.CloudFoundry.CloudFoundryTokenKeyResolver(tokenKeyUri, null, ValidateCertificates);
            }

            if (TokenValidator == null)
            {
                TokenValidator = new CloudFoundryWcfTokenValidator(this, LoggerFactory?.CreateLogger<CloudFoundryWcfTokenValidator>());
            }

            // Audience and issuer checks are delegated to the validator; key lookup to the resolver.
            return(new TokenValidationParameters
            {
                ValidateAudience         = ValidateAudience,
                AudienceValidator        = TokenValidator.ValidateAudience,
                ValidateIssuer           = ValidateIssuer,
                IssuerSigningKeyResolver = TokenKeyResolver.ResolveSigningKey,
                ValidateLifetime         = ValidateLifetime,
                IssuerValidator          = TokenValidator.ValidateIssuer,
            });
        }
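        /// <summary>
        /// Enforces that the current request's principal carries a <c>scope</c> claim equal to <c>Scope</c>.
        /// </summary>
        /// <remarks>
        /// Rejections are reported through <see cref="CloudFoundryWcfTokenValidator.ThrowJwtException"/>
        /// with <c>insufficient_scope</c> (and echoed to stdout). A missing request context, a
        /// non-claims principal, or an unconfigured <c>Scope</c> all fail closed the same way.
        /// </remarks>
        public void Demand()
        {
            // HttpContext.Current is null outside the ASP.NET request pipeline; the null-conditional
            // turns that into a denial instead of a NullReferenceException.
            ClaimsPrincipal principal = HttpContext.Current?.User as ClaimsPrincipal;

            // HasClaim throws ArgumentNullException for a null value, so an unset Scope is checked
            // up front and denied rather than surfacing as an unrelated exception.
            if (principal == null || string.IsNullOrEmpty(Scope) || !principal.HasClaim("scope", Scope))
            {
                Console.Out.WriteLine("Access denied token is not in Scope: " + Scope);
                CloudFoundryWcfTokenValidator.ThrowJwtException("Access denied token does not have Scope: " + Scope, "insufficient_scope");
            }
        }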
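        /// <summary>
        /// Extracts the bearer token from the request's <c>Authorization</c> header and returns the
        /// principal produced by validating it.
        /// </summary>
        /// <param name="headers">Request headers; only <c>Authorization</c> is read.</param>
        /// <returns>The principal returned by <c>_options.TokenValidator.ValidateToken</c>.</returns>
        /// <remarks>
        /// Every rejection goes through <see cref="CloudFoundryWcfTokenValidator.ThrowJwtException"/>;
        /// the <see cref="NotImplementedException"/> is only reachable if that helper returns.
        /// Token validation is kept outside any catch block so that an exception raised inside the
        /// validator is never reported to the client as a missing token.
        /// </remarks>
        internal ClaimsPrincipal GetPrincipalFromRequestHeaders(WebHeaderCollection headers)
        {
            // Fail if SSO Config is missing (null options, null or empty AuthorizationUrl)
            if (string.IsNullOrEmpty(_options?.AuthorizationUrl))
            {
                CloudFoundryWcfTokenValidator.ThrowJwtException("SSO Configuration is missing", null);
            }

            string authorization = headers?["Authorization"];

            // check if any auth header is present
            if (string.IsNullOrEmpty(authorization))
            {
                CloudFoundryWcfTokenValidator.ThrowJwtException("No Authorization header", null);
            }

            // check if the auth header has a bearer token format; the scheme name is case-insensitive
            // ASCII, so compare ordinally rather than with culture rules that treat some characters as ignorable
            if (!authorization.StartsWith("Bearer", StringComparison.OrdinalIgnoreCase))
            {
                CloudFoundryWcfTokenValidator.ThrowJwtException("Wrong Token Format", null);
            }

            // get just the token out of the header value; a bare "Bearer" or "Bearer " carries no token,
            // which is checked explicitly instead of relying on an IndexOutOfRangeException
            string[] parts = authorization.Split(' ');

            if (parts.Length < 2 || string.IsNullOrEmpty(parts[1]))
            {
                CloudFoundryWcfTokenValidator.ThrowJwtException("No Token", null);
                throw new NotImplementedException("Unable to locate a Principal in the request header");
            }

            // Return an identity from validated token
            return(_options.TokenValidator.ValidateToken(parts[1]));
        }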