/// <summary>
/// Attempts to authorize the client issuing the request.
/// </summary>
/// <param name="actionContext">
/// The action context.
/// </param>
public void AuthorizeUser(HttpActionContext actionContext)
{
Log.Verbose("SimpleWebTokenAuthAttribute.OnAuthorization");
// Attempt to get credentials from the the client certificate.
SecurityCredentials credentials = this.GetCredentialsFromAuthorizationHeader(actionContext);
bool isAuthorized = false;
if (credentials != null)
{
AuthPayload payload = Security.Authenticate(credentials);
if (payload != null)
{
if (Security.Authorize(payload, this.Roles))
{
isAuthorized = true;
Log.Verbose("User is authorized");
}
else
{
Log.Warn("Unauthorized user");
}
}
}
if (!isAuthorized)
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
}
/// <summary>
/// The get user credentials from bing header.
/// </summary>
/// <param name="actionContext">
/// The action context.
/// </param>
/// <returns>
/// The <see cref="SecurityCredentials"/>.
/// </returns>
private SecurityCredentials GetCredentialsFromBingHeader(HttpActionContext actionContext)
{
SecurityCredentials credentials = null;
IEnumerable <string> headers;
if (actionContext.Request.Headers != null &&
actionContext.Request.Headers.TryGetValues(BingAuhtenticationHeader, out headers))
{
try
{
string token = (from h in headers select h).FirstOrDefault();
if (!string.IsNullOrWhiteSpace(token))
{
credentials = new SecurityCredentials();
credentials.Token = token;
credentials.SecurityProviderName = "lomo";
}
}
catch (Exception e)
{
Log.Error(e, "Error While reading bing header");
throw;
}
}
return(credentials);
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The credentials.
/// </param>
/// <param name="flags">A general purpose flags set</param>
/// <returns>
/// The <see cref="AuthPayload"/>.
/// </returns>
public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
AuthPayload result = null;
if (SimpleWebTokenValidator.Validate(credentials.Token, ResourceNamespace, String.Format(ResourceTemplate, credentials.Name),
TrustedSigningKey) == true)
{
result = new AuthPayload(new CustomIdentity(credentials.Token, credentials.Name, credentials.SecurityProviderName));
}
return(result);
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The credentials.
/// </param>
/// <param name="flags">A general purpose flags set </param>
/// <returns>
/// The <see cref="AuthPayload"/>.
/// </returns>
public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
AuthPayload result = null;
// If the client certificate thumbprint is one of the registered thumbprints, create a CustomIdentity object for it.
if (registeredThumbprints.ContainsKey(credentials.Token))
{
result = new AuthPayload(new CustomIdentity(credentials.Token, credentials.Name, credentials.SecurityProviderName));
}
return(result);
}
/// <summary>
/// Attempts to authorize the user for the request.
/// </summary>
/// <param name="actionContext">
/// The action context.
/// </param>
public virtual void AuthorizeUser(HttpActionContext actionContext)
{
Log.Verbose("ApiAuthAttribute.OnAuthorization");
string reason = string.Empty;
// Attempt to get credentials from the HTTP authentication header. This could support application auth. or debug scenarios
SecurityCredentials credentials = this.GetCredentialsFromAuthorizationHeader(actionContext);
// If we did not have credentials specifed in the HTTP Authentication header
if (credentials == null)
{
// Attempt to get credentials from the Bing authentication header.
credentials = this.GetCredentialsFromBingHeader(actionContext);
}
bool isAuthorized = false;
if (credentials != null)
{
AuthPayload payload = Security.Authenticate(credentials, this.Flags);
if (payload != null)
{
if (Security.Authorize(payload, this.Roles))
{
isAuthorized = true;
Log.Verbose("User is authorized");
}
else
{
Log.Warn("Unauthorized user");
}
}
}
if (!isAuthorized)
{
if (this.AllowAnonymous)
{
var roles = new[] { "reader" };
Security.SetAnonymous(roles);
}
else
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
{
ReasonPhrase =
reason
};
}
}
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The credentials.
/// </param>
/// <param name="flags">A general purpose flags set</param>
/// <returns>
/// The <see cref="AuthPayload"/>.
/// </returns>
public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
bool useExternalIdentity = flags != null && flags.Contains("UseExternalIdentity");
var sb = new StringBuilder();
if (HttpContext.Current != null)
{
// The cookie "bo_referrer" has the publisher info that drove the user sign up to bing offers.
// Add this publisher info to the user's source column in the db for new user
var cookie = HttpContext.Current.Request.Cookies["bor"];
if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
{
sb.Append(cookie.Value);
Log.Info(string.Format("bor cookie is : {0}", cookie.Value));
}
else
{
Log.Info("bor Cookie is null");
}
cookie = HttpContext.Current.Request.Cookies["bof"];
if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
{
sb.Append("#");
sb.Append(cookie.Value);
Log.Info(string.Format("bof cookie is : {0}", cookie.Value));
}
else
{
Log.Info("bof Cookie is null");
}
}
else
{
Log.Info("HttpContext is null");
}
if (!useExternalIdentity)
{
string userSource = sb.Length > 0 ? sb.ToString() : null;
UserLocation userLocation = this.GetUserLocation();
User user = this.usersDal.CreateOrGetUserByMsId(credentials.IdentificationCode, userSource, userLocation: userLocation);
var identity = new CustomIdentity(user.Id, user.Name, "user_debug");
return(new AuthPayload(identity));
}
return(new AuthPayload(new CustomIdentity(default(Guid), null, "user_debug", credentials.IdentificationCode)));
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The user credentials.
/// </param>
/// <param name="flags">the flags</param>
/// <returns>
/// The auth payload
/// </returns>
internal static AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
AuthPayload result = null;
if (authorizers.ContainsKey(credentials.SecurityProviderName) == true)
{
ISecurityProvider securityProvider = authorizers[credentials.SecurityProviderName];
result = securityProvider.Authenticate(credentials, flags);
}
else
{
Log.Warn("Unregistered security provider was specified: {0}", credentials.SecurityProviderName);
}
return(result);
}
/// <summary>
/// The get user credentials from the client certificate.
/// </summary>
/// <param name="actionContext">
/// The action context.
/// </param>
/// <returns>
/// The <see cref="SecurityCredentials"/>.
/// </returns>
private SecurityCredentials GetCredentialsFromClientCertificate(HttpActionContext actionContext)
{
SecurityCredentials credentials = null;
X509Certificate2 certificate = actionContext.Request.GetClientCertificate();
if (certificate != null)
{
credentials = new SecurityCredentials();
credentials.Token = certificate.Thumbprint;
credentials.SecurityProviderName = MutualSslSecurityProvider.Name;
credentials.Name = certificate.Subject;
}
return(credentials);
}
/// <summary>
/// The get user credentials from the authorization header.
/// </summary>
/// <param name="actionContext">
/// The action context.
/// </param>
/// <returns>
/// The <see cref="SecurityCredentials"/>.
/// </returns>
private SecurityCredentials GetCredentialsFromAuthorizationHeader(HttpActionContext actionContext)
{
SecurityCredentials credentials = null;
if (actionContext.Request.Headers != null && actionContext.Request.Headers.Authorization != null)
{
string token = actionContext.Request.Headers.Authorization.Parameter;
credentials = new SecurityCredentials
{
Token = token,
SecurityProviderName = actionContext.Request.Headers.Authorization.Scheme,
Name = Roles[0]
};
}
return(credentials);
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The credentials.
/// </param>
/// <param name="flags">A general purpose flags set </param>
/// <returns>
/// The <see cref="AuthPayload"/>.
/// </returns>
public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
bool useExternalIdentity = flags != null && flags.Contains("UseExternalIdentity");
if (credentials == null)
{
// || string.IsNullOrWhiteSpace(credentials.IdentificationCode))
throw new Exception("The LomoSecurityProvider.Authenticate() method was called with invalid Credentials.");
}
var externalIdentityInfo = Authentication.BingSocialAccessorRepository.GetUserAccountInfo(credentials.Token);
if (externalIdentityInfo != null && externalIdentityInfo.UserId != null)
{
User user = null;
if (!useExternalIdentity)
{
user = this.CreateOrGetInternalUser(externalIdentityInfo);
}
Guid userId = default(Guid);
var userName = externalIdentityInfo.Name;
var emailAddress = externalIdentityInfo.UserEmail;
if (user != null)
{
userId = user.Id;
if (string.IsNullOrWhiteSpace(userName) && !string.IsNullOrWhiteSpace(user.Name))
{
userName = user.Name;
}
emailAddress = user.Email;
}
var identity = new CustomIdentity(userId, userName, SecurityProvider, externalIdentityInfo.UserId)
{
EmailAddress = emailAddress
};
var payload = new AuthPayload(identity);
return(payload);
}
return(null);
}
/// <summary>
/// The authenticate.
/// </summary>
/// <param name="credentials">
/// The credentials.
/// </param>
/// <param name="flags">
/// A general purpose flags set
/// </param>
/// <returns>
/// The <see cref="AuthPayload"/>.
/// </returns>
public AuthPayload Authenticate(SecurityCredentials credentials, HashSet <string> flags = null)
{
AuthPayload result = null;
if (credentials.Token != null)
{
LomoUserIdSecurityToken token = new LomoUserIdSecurityToken(
credentials.Token,
ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenSigningKey],
ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenPassword],
ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenSalt],
Convert.ToUInt64(ConfigurationManager.AppSettings[AppSettingsKeys.SecureTokenClockSkew]));
var identity = new CustomIdentity(new Guid(token.UserId), null, credentials.SecurityProviderName);
result = new AuthPayload(identity);
result.CredentialAuthorizationParameters[Resource] = token.Resource;
result.CredentialAuthorizationParameters[Action] = token.Action;
}
return(result);
}
/// <summary>
/// The get user credentials from authorization header.
/// The header name is: Authentication
/// HttpHeader: Authentication bearer XXXXXXXXXXXXXXXXXXX
/// </summary>
/// <param name="actionContext">
/// The action context.
/// </param>
/// <returns>
/// The <see cref="SecurityCredentials"/>.
/// </returns>
private SecurityCredentials GetCredentialsFromAuthorizationHeader(HttpActionContext actionContext)
{
SecurityCredentials credentials = null;
if (actionContext.Request.Headers != null && actionContext.Request.Headers.Authorization != null)
{
string token = actionContext.Request.Headers.Authorization.Parameter;
credentials = new SecurityCredentials();
// this should be an encrypted token.
credentials.Token = token;
// The HTTP authentication header has the form: Authentication: <scheme> token
// We are using the scheme to select the security provider. This might not be a good idea for production
// Once we figure out the scenarios we should support only a Provider for applications
credentials.SecurityProviderName = actionContext.Request.Headers.Authorization.Scheme;
credentials.IdentificationCode = token;
credentials.Name = token; // what do we use for a name?
}
return(credentials);
}
/// <summary>
/// Attempts to authorize the client issuing the request.
/// </summary>
/// <param name="actionContext">
/// The action context.
/// </param>
public void AuthorizeUser(HttpActionContext actionContext)
{
Log.Verbose("MutualSslAuthAttribute.OnAuthorization");
// Attempt to get credentials from the the client certificate.
SecurityCredentials credentials = this.GetCredentialsFromClientCertificate(actionContext);
bool isAuthorized = false;
if (credentials != null)
{
AuthPayload payload = Security.Authenticate(credentials);
if (payload != null)
{
if (Security.Authorize(payload, this.Roles))
{
isAuthorized = true;
Log.Verbose("User is authorized");
}
else
{
Log.Warn("Unauthorized user");
}
}
else
{
Log.Warn("Unable to build auth payload while authenticating credentials.");
}
}
else
{
Log.Warn("Unable to build credentials from client certificate.");
}
if (!isAuthorized)
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
}
