/// <summary>
/// Decides whether <paramref name="actorDeviceId"/>/<paramref name="actorModuleId"/> may act
/// OnBehalfOf <paramref name="targetId"/>. Only an EdgeHub module is accepted as an actor, and
/// the decision is made against the auth chain this hub already holds for the target in
/// <paramref name="identitiesCache"/> — nothing the actor sends is used as the source of truth.
/// </summary>
/// <param name="identitiesCache">Device-scope identity cache holding the trusted auth chains.</param>
/// <param name="actorDeviceId">Device id of the caller claiming to be a child EdgeHub.</param>
/// <param name="actorModuleId">Module id of the caller; must equal <c>Constants.EdgeHubModuleId</c>.</param>
/// <param name="targetId">Identity the actor wants to act for.</param>
/// <returns><c>true</c> if authorized; <c>false</c> on any failure (each failure is logged via <c>Events</c>).</returns>
async Task<bool> AuthorizeActorAsync(IDeviceScopeIdentitiesCache identitiesCache, string actorDeviceId, string actorModuleId, string targetId)
{
    // Only child EdgeHubs are allowed to act OnBehalfOf devices/modules; reject any other
    // actor module before touching the identity cache.
    bool actorIsEdgeHub = string.Equals(actorModuleId, Constants.EdgeHubModuleId, StringComparison.Ordinal);
    if (!actorIsEdgeHub)
    {
        Events.AuthFail_BadActor(actorDeviceId, actorModuleId, targetId);
        return false;
    }

    // The actor claims the target is in its scope. If that is true this hub should already
    // have an auth chain cached for the target; that cached chain is the trusted view.
    Option<string> cachedChain = await identitiesCache.GetAuthChain(targetId);

    return cachedChain.Match(
        chain =>
        {
            // The actor must appear in the target's chain in the position the helper requires.
            if (AuthChainHelpers.ValidateAuthChain(actorDeviceId, targetId, chain))
            {
                return true;
            }

            Events.AuthFail_InvalidAuthChain(actorDeviceId, targetId, chain);
            return false;
        },
        () =>
        {
            // No cached chain: the target is not a known descendant of this hub, so deny.
            Events.AuthFail_NoAuthChain(targetId);
            return false;
        });
}
/// <summary>
/// Validates that <paramref name="authChain"/> authorizes <paramref name="actorDeviceId"/> to act
/// for <paramref name="targetId"/>, delegating to <c>AuthChainHelpers.ValidateAuthChain</c> and
/// logging the chain when it is rejected.
/// </summary>
/// <param name="actorDeviceId">Device id of the actor being checked.</param>
/// <param name="targetId">Identity the actor wants to act for.</param>
/// <param name="authChain">Auth chain to validate (logged verbatim on failure).</param>
/// <returns>The helper's verdict; <c>false</c> also emits <c>Events.InvalidAuthChain</c>.</returns>
internal bool ValidateAuthChain(string actorDeviceId, string targetId, string authChain)
{
    // Thin wrapper over the pure helper whose only extra behavior is the failure log.
    bool isValid = AuthChainHelpers.ValidateAuthChain(actorDeviceId, targetId, authChain);
    if (!isValid)
    {
        Events.InvalidAuthChain(targetId, authChain);
    }

    return isValid;
}
/// <summary>
/// Exercises <c>AuthChainHelpers.ValidateAuthChain</c> with one accepted chain and three
/// rejected ones (wrong actor, wrong target, malformed input).
/// </summary>
public void ValidateChainTest()
{
    // Every case uses the same actor/target pair; only the chain under test varies.
    const string actor = "edge1";
    const string target = "leaf1";
    bool Validate(string chain) => AuthChainHelpers.ValidateAuthChain(actor, target, chain);

    // Accepted: the target heads the chain and the actor is its immediate parent.
    Assert.True(Validate("leaf1;edge1;edgeRoot"));

    // Rejected: a different edge is the target's parent, so the actor is not authorized.
    Assert.False(Validate("leaf1;edge2;edgeRoot"));

    // Rejected: the chain belongs to another leaf, so the target does not head it.
    Assert.False(Validate("leaf2;edge1;edgeRoot"));

    // Rejected: separator-only chain with no identities at all.
    Assert.False(Validate(";"));

    // NOTE(review): no case pins what happens when the actor appears deeper in the chain than
    // the immediate parent (e.g. "leaf1;edge2;edge1") or when the chain is empty/null — whichever
    // way the helper decides, a test should lock it in, since it is the security-relevant edge.
}
/// <summary>
/// Authenticates and authorizes an OnBehalfOf request from a child EdgeHub.
/// The request-supplied <paramref name="authChain"/> is used only to discover the target device
/// id and as input to authentication; the authorization decision is made against the chain this
/// hub has cached for the target, which is what is returned on success.
/// </summary>
/// <param name="actorDeviceId">Device id of the calling (child) EdgeHub.</param>
/// <param name="authChain">Auth chain presented by the caller for the target.</param>
/// <param name="source">Caller context used only for logging a malformed chain.</param>
/// <param name="httpContext">HTTP context handed to the authenticator.</param>
/// <param name="edgeHub">Hub providing the device-scope identity cache.</param>
/// <param name="authenticator">Authenticator used to verify the actor's credentials.</param>
/// <returns>
/// The cached auth chain for the target on success; otherwise a <c>ValidationException</c> carrying
/// 400 for a malformed request chain or 401 for any authentication/authorization failure.
/// </returns>
internal static async Task<Try<string>> AuthorizeOnBehalfOf(
    string actorDeviceId,
    string authChain,
    string source,
    HttpContext httpContext,
    IEdgeHub edgeHub,
    IHttpRequestAuthenticator authenticator)
{
    // Step 1: learn which device the actor wants to act for. This runs before authentication,
    // so an unauthenticated caller can distinguish "malformed chain" (400) from "unauthorized" (401).
    if (!AuthChainHelpers.TryGetTargetDeviceId(authChain, out string targetDeviceId))
    {
        Events.InvalidRequestAuthChain(source, authChain);
        // NOTE(review): the raw, unvalidated chain is echoed into both the log line above and the
        // 400 response body — consider bounding its length before reflecting it.
        var badChain = new ValidationException(
            HttpStatusCode.BadRequest,
            FormatErrorResponseMessage($"Invalid request auth chain {authChain}."));
        return Try<string>.Failure(badChain);
    }

    // Step 2: the actor must authenticate as the EdgeHub module (Constants.EdgeHubModuleId)
    // of actorDeviceId.
    bool authenticated = await AuthenticateAsync(
        actorDeviceId,
        Option.Some(Constants.EdgeHubModuleId),
        Option.Some(authChain),
        httpContext,
        authenticator);
    if (!authenticated)
    {
        return Try<string>.Failure(new ValidationException(HttpStatusCode.Unauthorized));
    }

    // Step 3: authorize against the chain this hub has cached for the target, never against
    // the chain the caller supplied.
    IDeviceScopeIdentitiesCache identitiesCache = edgeHub.GetDeviceScopeIdentitiesCache();
    Option<string> cachedChain = await identitiesCache.GetAuthChain(targetDeviceId);
    if (!cachedChain.HasValue)
    {
        // Unknown target: not a descendant of this hub as far as the cache knows.
        Events.AuthorizationFail_NoAuthChain(targetDeviceId);
        return Try<string>.Failure(new ValidationException(HttpStatusCode.Unauthorized));
    }

    string trustedChain = cachedChain.Expect(() => new InvalidOperationException());
    if (!AuthChainHelpers.ValidateAuthChain(actorDeviceId, targetDeviceId, trustedChain))
    {
        Events.AuthorizationFail_InvalidAuthChain(actorDeviceId, targetDeviceId, trustedChain);
        return Try<string>.Failure(new ValidationException(HttpStatusCode.Unauthorized));
    }

    // Success: hand back the trusted (cached) chain, not the request-supplied one.
    return trustedChain;
}