private async Task <Utilizer> CheckAuthorizationAsync(HttpContext httpContext) { var token = httpContext.Request.GetTokenFromHeader(out var tokenType); if (string.IsNullOrEmpty(token)) { throw ErtisAuthException.AuthorizationHeaderMissing(); } if (string.IsNullOrEmpty(tokenType)) { throw ErtisAuthException.UnsupportedTokenType(); } switch (tokenType) { case "Bearer": { var verifyTokenResult = await this.tokenService.VerifyBearerTokenAsync(token, false); if (!verifyTokenResult.IsValidated) { throw ErtisAuthException.InvalidToken(); } var user = verifyTokenResult.User; if (!string.IsNullOrEmpty(user.Role)) { var role = await this.roleService.GetByNameAsync(user.Role, user.MembershipId); if (role != null) { this.VerifyRolePermissions(role, user.Id, httpContext); } } return(user); } case "Basic": { var validationResult = await this.tokenService.VerifyBasicTokenAsync(token); if (!validationResult.IsValidated) { throw ErtisAuthException.InvalidToken(); } var application = validationResult.Application; if (!string.IsNullOrEmpty(application.Role)) { var role = await this.roleService.GetByNameAsync(application.Role, application.MembershipId); if (role != null) { this.VerifyRolePermissions(role, application.Id, httpContext); } } return(application); } default: throw ErtisAuthException.UnsupportedTokenType(); } }
private async Task <Utilizer> CheckAuthorizationAsync() { var token = this.Request.GetTokenFromHeader(out var tokenType); if (string.IsNullOrEmpty(token)) { throw ErtisAuthException.AuthorizationHeaderMissing(); } if (string.IsNullOrEmpty(tokenType)) { throw ErtisAuthException.UnsupportedTokenType(); } TokenTypeExtensions.TryParseTokenType(tokenType, out var _tokenType); switch (_tokenType) { case SupportedTokenTypes.None: throw ErtisAuthException.UnsupportedTokenType(); case SupportedTokenTypes.Basic: var basicToken = new BasicToken(token); var applicationId = token.Split(':')[0]; var getApplicationResponse = await this.applicationService.GetApplicationAsync(applicationId, basicToken); if (getApplicationResponse.IsSuccess) { var rbacDefinition = this.Context.GetRbacDefinition(getApplicationResponse.Data.Id); var rbac = $"{rbacDefinition.Resource}.{rbacDefinition.Action}"; var isPermittedForAction = await this.roleService.CheckPermissionAsync(rbac, basicToken); if (!isPermittedForAction) { throw ErtisAuthException.AccessDenied($"Token owner role is not permitted for this resource/action ({rbac})"); } return(new Utilizer { Id = getApplicationResponse.Data.Id, Username = getApplicationResponse.Data.Name, Type = tokenType == "Basic" ? Utilizer.UtilizerType.Application : Utilizer.UtilizerType.User, Role = getApplicationResponse.Data.Role, Token = token, TokenType = _tokenType }); } else { var errorMessage = getApplicationResponse.Message; if (ResponseHelper.TryParseError(getApplicationResponse.Message, out var error)) { errorMessage = error.Message; } throw ErtisAuthException.Unauthorized(errorMessage); } case SupportedTokenTypes.Bearer: var bearerToken = BearerToken.CreateTemp(token); var meResponse = await this.authenticationService.WhoAmIAsync(bearerToken); if (meResponse.IsSuccess) { var rbacDefinition = this.Context.GetRbacDefinition(meResponse.Data.Id); var rbac = $"{rbacDefinition.Resource}.{rbacDefinition.Action}"; var isPermittedForAction = await this.roleService.CheckPermissionAsync(rbac, bearerToken); if (!isPermittedForAction) { throw ErtisAuthException.AccessDenied($"Token owner role is not permitted for this resource/action ({rbac})"); } return(new Utilizer { Id = meResponse.Data.Id, Username = meResponse.Data.Username, Type = tokenType == "Basic" ? Utilizer.UtilizerType.Application : Utilizer.UtilizerType.User, Role = meResponse.Data.Role, Token = token, TokenType = _tokenType }); } else { var errorMessage = meResponse.Message; if (ResponseHelper.TryParseError(meResponse.Message, out var error)) { errorMessage = error.Message; } throw ErtisAuthException.Unauthorized(errorMessage); } default: throw ErtisAuthException.UnsupportedTokenType(); } }
public static BadRequestObjectResult AuthorizationHeaderMissing(this ControllerBase controller) { return(controller.BadRequest(ErtisAuthException.AuthorizationHeaderMissing().Error)); }
private async Task <Utilizer> CheckAuthorizationAsync() { var token = this.Context.Request.GetTokenFromHeader(out var tokenType); if (string.IsNullOrEmpty(token)) { throw ErtisAuthException.AuthorizationHeaderMissing(); } if (string.IsNullOrEmpty(tokenType)) { throw ErtisAuthException.UnsupportedTokenType(); } TokenTypeExtensions.TryParseTokenType(tokenType, out var _tokenType); switch (_tokenType) { case SupportedTokenTypes.None: throw ErtisAuthException.UnsupportedTokenType(); case SupportedTokenTypes.Basic: var validationResult = await this.tokenService.VerifyBasicTokenAsync(token, false); if (!validationResult.IsValidated) { throw ErtisAuthException.InvalidToken(); } var application = validationResult.Application; Utilizer applicationUtilizer = application; if (!string.IsNullOrEmpty(application.Role)) { var role = await this.roleService.GetByNameAsync(application.Role, application.MembershipId); if (role != null) { var rbac = this.Context.GetRbacDefinition(application.Id); if (!this.accessControlService.HasPermission(role, rbac, applicationUtilizer)) { throw ErtisAuthException.AccessDenied("Your authorization role is unauthorized for this action"); } } } applicationUtilizer.Token = token; applicationUtilizer.TokenType = _tokenType; return(applicationUtilizer); case SupportedTokenTypes.Bearer: var verifyTokenResult = await this.tokenService.VerifyBearerTokenAsync(token, false); if (!verifyTokenResult.IsValidated) { throw ErtisAuthException.InvalidToken(); } var user = verifyTokenResult.User; Utilizer userUtilizer = user; if (!string.IsNullOrEmpty(user.Role)) { var role = await this.roleService.GetByNameAsync(user.Role, user.MembershipId); if (role != null) { var rbac = this.Context.GetRbacDefinition(user.Id); if (!this.accessControlService.HasPermission(role, rbac, userUtilizer)) { throw ErtisAuthException.AccessDenied("Your authorization role is unauthorized for this action"); } } } userUtilizer.Token = token; userUtilizer.TokenType = _tokenType; return(userUtilizer); default: throw ErtisAuthException.UnsupportedTokenType(); } }