public bool ValidateJwtAuthentication(ServiceRoute route, Dictionary <string, object> model, ref ServiceResult <object> result) { bool isSuccess = true; var author = HttpContext.Request.Headers["Authorization"]; if (author.Count > 0) { isSuccess = _authorizationServerProvider.ValidateClientAuthentication(author).Result; if (!isSuccess) { result = new ServiceResult <object> { IsSucceed = false, StatusCode = (int)ServiceStatusCode.AuthorizationFailed, Message = "Invalid authentication credentials" }; } else { var keyValue = model.FirstOrDefault(); if (!(keyValue.Value is IConvertible) || !typeof(IConvertible).GetTypeInfo().IsAssignableFrom(keyValue.Value.GetType())) { dynamic instance = keyValue.Value; instance.Payload = _authorizationServerProvider.GetPayloadString(author); model.Remove(keyValue.Key); model.Add(keyValue.Key, instance); } } } else { result = new ServiceResult <object> { IsSucceed = false, StatusCode = (int)ServiceStatusCode.RequestError, Message = "Request error" }; isSuccess = false; } return(isSuccess); }
public void OnAuthorization(AuthorizationFilterContext filterContext) { if (filterContext.Route.ServiceDescriptor.EnableAuthorization()) { if (filterContext.Route.ServiceDescriptor.AuthType() == AuthorizationType.JWT.ToString()) { var author = filterContext.Context.Request.Headers["Authorization"]; if (author.Count > 0) { var isSuccess = _authorizationServerProvider.ValidateClientAuthentication(author).Result; if (!isSuccess) { filterContext.Result = new HttpResultMessage <object> { IsSucceed = false, StatusCode = (int)ServiceStatusCode.AuthorizationFailed, Message = "Invalid authentication credentials" }; } else { var payload = _authorizationServerProvider.GetPayloadString(author); RpcContext.GetContext().SetAttachment("payload", payload); } } } } }
private async Task OnTokenRequest(IHttpContext context) { context.SetHandled(); var validationContext = context.GetValidationContext(); await _authorizationServerProvider.ValidateClientAuthentication(validationContext) .ConfigureAwait(false); if (!validationContext.IsValidated) { context.Rejected(validationContext.ErrorPayload); return; } var expiryDate = DateTime.SpecifyKind( DateTime.FromBinary(_authorizationServerProvider.GetExpirationDate()), DateTimeKind.Utc); var token = new BearerToken { Token = validationContext.GetToken(SecretKey, expiryDate), TokenType = "bearer", ExpirationDate = _authorizationServerProvider.GetExpirationDate(), Username = validationContext.IdentityName, }; var dictToken = Json.Deserialize <Dictionary <string, object> >(Json.Serialize(token)); OnSuccessTransformation?.Invoke(dictToken); await context .SendDataAsync(dictToken) .ConfigureAwait(false); }
public async Task OnAuthorization(AuthorizationFilterContext filterContext) { if (filterContext.Route != null && filterContext.Route.ServiceDescriptor.EnableAuthorization()) { if (filterContext.Route.ServiceDescriptor.AuthType() == AuthorizationType.JWT.ToString()) { var author = filterContext.Context.Request.Headers["Authorization"]; if (author.Count > 0) { var isSuccess = await _authorizationServerProvider.ValidateClientAuthentication(author); if (!isSuccess) { filterContext.Result = new HttpResultMessage <object> { IsSucceed = false, StatusCode = (int)ServiceStatusCode.AuthorizationFailed, Message = "Invalid authentication credentials" }; } else { var payload = _authorizationServerProvider.GetPayloadString(author); RpcContext.GetContext().SetAttachment("payload", payload); } } } } var gatewayAppConfig = AppConfig.Options.ApiGetWay; if (String.Compare(filterContext.Path.ToLower(), gatewayAppConfig.TokenEndpointPath, true) == 0) { filterContext.Context.Items.Add("path", gatewayAppConfig.AuthorizationRoutePath); } }
/// <summary> /// Initializes a new instance of the <see cref="BearerTokenModule"/> class. /// </summary> /// <param name="authorizationServerProvider">The authorization server provider.</param> /// <param name="routes">The routes.</param> /// <param name="secretKey">The secret key.</param> /// <param name="endpoint">The endpoint.</param> public BearerTokenModule( IAuthorizationServerProvider authorizationServerProvider, IEnumerable <string> routes = null, SymmetricSecurityKey secretKey = null, string endpoint = "/token") { // TODO: Make secretKey parameter mandatory and and an overload that takes in a string for a secretKey SecretKey = secretKey ?? new SymmetricSecurityKey(Encoding.UTF8.GetBytes("0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9eyJjbGF")); AddHandler(endpoint, HttpVerbs.Post, async(context, ct) => { var validationContext = context.GetValidationContext(); await authorizationServerProvider.ValidateClientAuthentication(validationContext); if (validationContext.IsValidated) { var expiryDate = DateTime.SpecifyKind(DateTime.FromBinary(authorizationServerProvider.GetExpirationDate()), DateTimeKind.Utc); await context.JsonResponseAsync(new BearerToken { Token = validationContext.GetToken(SecretKey, expiryDate), TokenType = "bearer", ExpirationDate = authorizationServerProvider.GetExpirationDate(), Username = validationContext.IdentityName, }); } else { context.Rejected(); } return(true); }); AddHandler(ModuleMap.AnyPath, HttpVerbs.Any, (context, ct) => { if (routes != null) { var match = Match(routes, context); if (!match) { return(Task.FromResult(false)); } } // decode token to see if it's valid if (context.GetSecurityToken(SecretKey) != null) { return(Task.FromResult(false)); } context.Rejected(); return(Task.FromResult(true)); }); }
public async Task <(bool, ServiceResult <object>)> ValidateJwtAuthentication(ServiceRoute route, Dictionary <string, object> model) { var result = ServiceResult <object> .Create(false, null); bool isSuccess = true; var author = HttpContext.Request.Headers["Authorization"]; if (author.Count > 0) { isSuccess = await _authorizationServerProvider.ValidateClientAuthentication(author); if (!isSuccess) { result = new ServiceResult <object> { IsSucceed = false, StatusCode = Surging.Core.CPlatform.Exceptions.StatusCode.UnAuthentication, Message = "Invalid authentication credentials" }; } else { var payload = _authorizationServerProvider.GetPayloadString(author); RpcContext.GetContext().SetAttachment("payload", payload); if (model.Count > 0) { var keyValue = model.FirstOrDefault(); if (!(keyValue.Value is IConvertible) || !typeof(IConvertible).GetTypeInfo().IsAssignableFrom(keyValue.Value.GetType())) { dynamic instance = keyValue.Value; instance.Payload = payload; model.Remove(keyValue.Key); model.Add(keyValue.Key, instance); } } } } else { result = new ServiceResult <object> { IsSucceed = false, StatusCode = Surging.Core.CPlatform.Exceptions.StatusCode.RequestError, Message = "Request error" }; isSuccess = false; } return(isSuccess, result); }
/// <summary> /// 从容器中实例化对象,并调用对应方法 /// </summary> /// <param name="method"></param> /// <param name="implementationMethod"></param> /// <returns>通过容器实例化ServiceEntity实体进行实例化,并调用相应的方法</returns> private ServiceEntity Create(MethodInfo method, MethodBase implementationMethod) { var serviceId = _serviceIdGenerator.GenerateServiceId(method); var serviceDescriptor = new ServiceDescriptor { Id = serviceId }; return(new ServiceEntity { Descriptor = serviceDescriptor, Func = async parameters => { // 从Microsoft.Extensions.DependencyInjection获取当前范围 var serviceScopeFactory = _serviceProvider.GetRequiredService <IServiceScopeFactory>(); if (parameters.Any(p => p.Key.Equals("token"))) { if (!_authorization.ValidateClientAuthentication(parameters.First(l => l.Key.Equals("token")).Value.ToString())) { return Task.FromResult("{\"error\":\"failure token\"}"); } } using (var scope = serviceScopeFactory.CreateScope()) { var par = implementationMethod.GetParameters() .Select(parameterInfo => _typeConvertibleService.Convert(parameters[parameterInfo.Name], parameterInfo.ParameterType)) .ToArray(); var invoke = implementationMethod.Invoke(scope.ServiceProvider.GetRequiredService(method.DeclaringType), par); var fullName = invoke.GetType().FullName; if (fullName != null && fullName.Contains(typeof(Task).FullName ?? throw new InvalidOperationException())) { return Task.FromResult(((dynamic)invoke).Result); } return Task.FromResult(invoke); } } });
public bool ValidateJwtAuthentication(ServiceRoute route, Dictionary <string, object> model, ref ServiceResult <object> result) { bool isSuccess = true; var author = HttpContext.Request.Headers["Authorization"].ToString(); if (author.StartsWith("Bearer ")) { author = author.Substring(7); } if (!string.IsNullOrEmpty(author)) { isSuccess = _authorizationServerProvider.ValidateClientAuthentication(author).Result; if (!isSuccess) { result = new ServiceResult <object> { IsSucceed = false, StatusCode = (int)MessageStatusCode.UnAuthentication, Message = "不合法的身份凭证" }; } else { var keyValue = model.FirstOrDefault(); if (!(keyValue.Value is IConvertible) || !typeof(IConvertible).GetTypeInfo().IsAssignableFrom(keyValue.Value.GetType())) { var payload = _authorizationServerProvider.GetPayLoad(author); RpcContext.GetContext().SetAttachment("payload", payload); } } } else { result = new ServiceResult <object> { IsSucceed = false, StatusCode = (int)MessageStatusCode.UnAuthentication, Message = "请先登录系统" }; isSuccess = false; } return(isSuccess); }
public async Task <AuthorServiceResult> ValidateJwtAuthentication(ServiceRoute route, string path, Dictionary <string, object> model) { AuthorServiceResult authorServiceResult = new AuthorServiceResult(); // bool isSuccess = true; var author = HttpContext.Request.Headers["Authorization"]; if (author.Count > 0) { var token = AuthenticationCommon.GetAuthToken(author); authorServiceResult.isSuccess = await _authorizationServerProvider.ValidateClientAuthentication(token); if (!authorServiceResult.isSuccess) { authorServiceResult.result = new Surging.Core.ApiGateWay.ServiceResult <object> { IsSucceed = false, StatusCode = (int)ServiceStatusCode.AuthorizationFailed, Message = "Invalid authentication credentials" }; } else { var onAuthorModel = new Dictionary <string, object>(); var payload = _authorizationServerProvider.GetPayloadString(token);; var keyValue = model.FirstOrDefault(); if (!(keyValue.Value is IConvertible) || !typeof(IConvertible).GetTypeInfo().IsAssignableFrom(keyValue.Value.GetType())) { dynamic instance = keyValue.Value; instance.Payload = payload; RpcContext.GetContext().SetAttachment("payload", instance.Payload.ToString()); model.Remove(keyValue.Key); model.Add(keyValue.Key, instance); } //onAuthorModel.Add("input", JsonConvert.SerializeObject(new //{ // Path = path, // Payload = payload //})); //var data = await _serviceProxyProvider.Invoke<bool>(onAuthorModel, "api/user/onauthentication", "User"); //if (!data) //{ // authorServiceResult.isSuccess = false; // authorServiceResult.result = new Surging.Core.ApiGateWay.ServiceResult<object> { IsSucceed = false, StatusCode = (int)ServiceStatusCode.AuthorizationFailed, Message = "没有该操作权限" }; //} //else //{ // var keyValue = model.FirstOrDefault(); // if (!(keyValue.Value is IConvertible) || !typeof(IConvertible).GetTypeInfo().IsAssignableFrom(keyValue.Value.GetType())) // { // dynamic instance = keyValue.Value; // instance.Payload = payload; // RpcContext.GetContext().SetAttachment("payload", instance.Payload.ToString()); // model.Remove(keyValue.Key); // model.Add(keyValue.Key, instance); // } //} } } else { authorServiceResult.result = new Surging.Core.ApiGateWay.ServiceResult <object> { IsSucceed = false, StatusCode = (int)ServiceStatusCode.RequestError, Message = "Request error" }; authorServiceResult.isSuccess = false; } return(authorServiceResult); }
public async Task OnAuthorization(AuthorizationFilterContext filterContext) { var gatewayAppConfig = AppConfig.Options.ApiGetWay; if (filterContext.Route != null && filterContext.Route.ServiceDescriptor.DisableNetwork()) { var actionName = filterContext.Route.ServiceDescriptor.GroupName().IsNullOrEmpty() ? filterContext.Route.ServiceDescriptor.RoutePath : filterContext.Route.ServiceDescriptor.GroupName(); filterContext.Result = new HttpResultMessage <object> { IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.UnAuthorized, Message = $"{actionName}禁止被外网访问" }; } else { var token = filterContext.Context.Request.Headers["Authorization"]; if (filterContext.Route != null) { if (filterContext.Route.ServiceDescriptor.AuthType() == AuthorizationType.JWT.ToString()) { if (token.Any() && token.Count >= 1) { var validateResult = _authorizationServerProvider.ValidateClientAuthentication(token); if (filterContext.Route.ServiceDescriptor.EnableAuthorization() && validateResult != ValidateResult.Success) { if (validateResult == ValidateResult.TokenFormatError) { filterContext.Result = new HttpResultMessage <object> { IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.UnAuthentication, Message = "token格式不正确" }; return; } if (validateResult == ValidateResult.SignatureError) { filterContext.Result = new HttpResultMessage <object> { IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.UnAuthentication, Message = "token凭证不合法,请重新登录" }; return; } if (validateResult == ValidateResult.TokenExpired) { filterContext.Result = new HttpResultMessage <object> { IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.TokenExpired, Message = "登录超时,请重新登录" }; return; } } var payload = _authorizationServerProvider.GetPayload(token); var claimsIdentity = new ClaimsIdentity(); foreach (var item in payload) { claimsIdentity.AddClaim(new Claim(item.Key, item.Value.ToString())); } if (!gatewayAppConfig.AuthorizationRoutePath.IsNullOrEmpty() && filterContext.Route.ServiceDescriptor.EnableAuthorization()) { var rpcParams = new Dictionary <string, object>() { { "serviceId", filterContext.Route.ServiceDescriptor.Id } }; var authorizationRoutePath = await _serviceRouteProvider.GetRouteByPathOrRegexPath( gatewayAppConfig.AuthorizationRoutePath, HttpMethod.POST.ToString()); if (authorizationRoutePath == null) { filterContext.Result = new HttpResultMessage <object> { IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.RequestError, Message = "没有找到实现接口鉴权的WebApi的路由信息" }; return; } foreach (var kv in payload) { RpcContext.GetContext().SetAttachment(kv.Key, kv.Value); } var checkPermissionResult = await _serviceProxyProvider.Invoke <IDictionary <string, object> >(rpcParams, gatewayAppConfig.AuthorizationRoutePath, HttpMethod.POST, gatewayAppConfig.AuthorizationServiceKey); if (checkPermissionResult == null || !checkPermissionResult.ContainsKey("isPermission")) { filterContext.Result = new HttpResultMessage <object> { IsSucceed = false, StatusCode = StatusCode.UnAuthorized, Message = $"接口鉴权返回数据格式错误,鉴权接口返回数据格式必须为字典,且必须包含IsPermission的key" }; return; } var isPermission = Convert.ToBoolean(checkPermissionResult["isPermission"]); if (!isPermission) { var actionName = filterContext.Route.ServiceDescriptor.GroupName().IsNullOrEmpty() ? filterContext.Route.ServiceDescriptor.RoutePath : filterContext.Route.ServiceDescriptor.GroupName(); filterContext.Result = new HttpResultMessage <object> { IsSucceed = false, StatusCode = StatusCode.UnAuthorized, Message = $"没有请求{actionName}的权限" }; return; } foreach (var kv in checkPermissionResult) { if (kv.Key == "isPermission") { continue; } if (kv.Value == null) { continue; } claimsIdentity.AddClaim(new Claim(kv.Key, kv.Value.ToString())); } } filterContext.Context.User = new ClaimsPrincipal(claimsIdentity); } else { if (filterContext.Route.ServiceDescriptor.EnableAuthorization()) { filterContext.Result = new HttpResultMessage <object> { IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.UnAuthentication, Message = $"请先登录系统" }; return; } else { filterContext.Context.User = null; } } } else { if (filterContext.Route.ServiceDescriptor.EnableAuthorization()) { filterContext.Result = new HttpResultMessage <object> { IsSucceed = false, StatusCode = CPlatform.Exceptions.StatusCode.UnAuthentication, Message = $"暂不支持{filterContext.Route.ServiceDescriptor.AuthType()}类型的身份认证方式" }; } } } } if (string.Compare(filterContext.Path.ToLower(), gatewayAppConfig.TokenEndpointPath, true) == 0) { filterContext.Context.Items.Add("path", gatewayAppConfig.AuthenticationRoutePath); } }
/// <summary> /// Module's Constructor /// </summary> /// <param name="authorizationServerProvider">The AuthorizationServerProvider to use</param> /// <param name="routes">The routes to authorizate</param> /// <param name="secretKey">The secret key to encrypt tokens</param> public BearerTokenModule(IAuthorizationServerProvider authorizationServerProvider, IEnumerable <string> routes = null, string secretKey = "0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9eyJjbGF") { AddHandler("/token", HttpVerbs.Post, (server, context) => { var validationContext = context.GetValidationContext(); authorizationServerProvider.ValidateClientAuthentication(validationContext); if (validationContext.IsValidated) { context.JsonResponse(new BearerToken { Token = validationContext.GetToken(secretKey), TokenType = "bearer", ExpirationDate = authorizationServerProvider.GetExpirationDate(), Username = validationContext.ClientId }); } else { context.Rejected(); } return(true); }); AddHandler(ModuleMap.AnyPath, HttpVerbs.Any, (server, context) => { if (routes != null && routes.Contains(context.RequestPath()) == false) { return(false); } var authHeader = context.RequestHeader(AuthorizationHeader); if (string.IsNullOrWhiteSpace(authHeader) == false && authHeader.StartsWith("Bearer ")) { try { var token = authHeader.Replace("Bearer ", ""); var payload = JWT.JsonWebToken.DecodeToObject(token, secretKey) as IDictionary <string, object>; if (payload == null || payload.Count == 0) { throw new Exception("Invalid token"); } return(false); } catch (JWT.SignatureVerificationException) { server.Log.DebugFormat("Invalid token {0}", authHeader); throw; } catch (Exception ex) { server.Log.Error(ex); } } context.Rejected(); return(true); }); }