コード例 #1
0
        public void PostConfigure(string name, JwtBearerOptions options)
        {
            MonitorApiKeyConfiguration configSnapshot = _apiKeyConfig.CurrentValue;

            if (configSnapshot.ValidationErrors.Any())
            {
                options.SecurityTokenValidators.Add(new RejectAllSecurityValidator());
                return;
            }

            TokenValidationParameters tokenValidationParameters = new TokenValidationParameters
            {
                // Signing Settings
                RequireSignedTokens = true,
                ValidAlgorithms     = JwtAlgorithmChecker.GetAllowedJwsAlgorithmList(),

                // Issuer Settings
                ValidateIssuer           = false,
                ValidateIssuerSigningKey = true,
                IssuerSigningKeys        = new SecurityKey[] { configSnapshot.PublicKey },
                TryAllIssuerSigningKeys  = true,

                // Audience Settings
                ValidateAudience = true,
                ValidAudiences   = new string[] { AuthConstants.ApiKeyJwtAudience },

                // Other Settings
                ValidateActor    = false,
                ValidateLifetime = false,
            };

            options.TokenValidationParameters = tokenValidationParameters;
        }
コード例 #2
0
 private void CheckMonitorApiKeyOptions(MonitorApiKeyConfiguration options)
 {
     // ValidationErrors will be null if API key authentication is not enabled.
     if (null != options.ValidationErrors && options.ValidationErrors.Any())
     {
         _logger.ApiKeyValidationFailures(options.ValidationErrors);
     }
     else
     {
         _logger.ApiKeyAuthenticationOptionsValidated();
     }
 }
コード例 #3
0
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AuthorizedUserRequirement requirement)
        {
            if (context.User.Identity.AuthenticationType == AuthConstants.FederationAuthType)
            {
                // If we get a FederationAuthType (Bearer from a Jwt Token) we need to check that the user has the specified subject claim.
                MonitorApiKeyConfiguration configSnapshot = _apiKeyConfig.CurrentValue;
                if (context.User.HasClaim(ClaimTypes.NameIdentifier, configSnapshot.Subject))
                {
                    context.Succeed(requirement);
                }
            }
            else if ((context.User.Identity.AuthenticationType == AuthConstants.NtlmSchema) ||
                     (context.User.Identity.AuthenticationType == AuthConstants.KerberosSchema) ||
                     (context.User.Identity.AuthenticationType == AuthConstants.NegotiateSchema))
            {
                // Only supported on Windows
                if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
                {
                    return(Task.CompletedTask);
                }

                //Negotiate, Kerberos, or NTLM.
                //CONSIDER In the future, we may want to have configuration around a dotnet-monitor group sid instead.
                //We cannot check the user against BUILTIN\Administrators group membership, since the browser user
                //has a deny claim on Administrator group.
                //Validate that the user that logged in matches the user that is running dotnet-monitor
                //Do not allow at all if running as Administrator.
                WindowsIdentity  currentUser = WindowsIdentity.GetCurrent();
                WindowsPrincipal principal   = new WindowsPrincipal(currentUser);
                if (principal.IsInRole(WindowsBuiltInRole.Administrator))
                {
                    return(Task.CompletedTask);
                }

                Claim currentUserClaim = currentUser.Claims.FirstOrDefault(claim => string.Equals(claim.Type, ClaimTypes.PrimarySid));
                if ((currentUserClaim != null) && context.User.HasClaim(currentUserClaim.Type, currentUserClaim.Value))
                {
                    context.Succeed(requirement);
                }
            }

            return(Task.CompletedTask);
        }
コード例 #4
0
 private void OnMonitorApiKeyOptionsChanged(MonitorApiKeyConfiguration options)
 {
     CheckMonitorApiKeyOptions(options);
 }
コード例 #5
0
 private void OnReload(MonitorApiKeyConfiguration options)
 {
     Interlocked.Exchange(ref _reloadToken, new ConfigurationReloadToken()).OnReload();
 }