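/// <summary>
/// Builds the permission this attribute demands: an unrestricted permission when
/// <c>Unrestricted</c> is set, otherwise one bound to the current principal's identity
/// and the role value it must hold.
/// </summary>
/// <returns>
/// A <see cref="PrincipalPermission"/> with <see cref="PermissionState.Unrestricted"/> when
/// <c>Unrestricted</c> is true; otherwise a <see cref="PrincipalPermission"/> for the current
/// identity name and the resolved role value. Only reached through the deny branch if
/// <c>ThrowJwtException</c> unexpectedly returns.
/// </returns>
/// <remarks>
/// The logical role named by <c>Role</c> is mapped to the role value the principal must actually
/// carry by reading an environment variable of that name. A missing or empty mapping is reported
/// as "insufficient_scope" rather than granting access. A missing thread principal, a principal
/// without an identity, or one not in the mapped role is denied the same way (fail closed) — the
/// previous version dereferenced a null principal and surfaced a NullReferenceException instead.
/// All rejections go through <c>CloudFoundryWcfTokenValidator.ThrowJwtException</c>, which is
/// expected to throw; the trailing <c>return null</c> only satisfies the compiler.
/// </remarks>
public override IPermission CreatePermission()
{
    if (Unrestricted)
    {
        return new PrincipalPermission(PermissionState.Unrestricted);
    }

    // Role -> required role value mapping lives in the environment (variable named after Role).
    string requiredRole = Environment.GetEnvironmentVariable(Role);
    if (string.IsNullOrEmpty(requiredRole))
    {
        CloudFoundryWcfTokenValidator.ThrowJwtException("Configuration for not provided for Role: " + Role, "insufficient_scope");
    }

    // No principal (or no identity) on the thread means the request was never authenticated:
    // deny instead of dereferencing null.
    IPrincipal principal = Thread.CurrentPrincipal;
    bool inRole = principal != null && principal.Identity != null && principal.IsInRole(requiredRole);
    if (!inRole)
    {
        Console.Out.WriteLine("Access denied user is not in Role: " + Role);
        CloudFoundryWcfTokenValidator.ThrowJwtException("Access denied user is not in Role: " + Role, "insufficient_scope");
        return null;
    }

    return new PrincipalPermission(principal.Identity.Name, requiredRole, _authenticated);
}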
/// <summary>
/// Returns the <see cref="TokenValidationParameters"/> used to validate incoming JWTs, building
/// them from this options instance when no explicit set was supplied.
/// </summary>
/// <returns>
/// The configured <c>TokenValidationParameters</c> if one was set; otherwise a freshly built set
/// wired to this instance's key resolver and validator.
/// </returns>
/// <remarks>
/// When <c>TokenValidationParameters</c> is already set it is returned untouched. Otherwise the
/// key resolver and the validator are created on first use and kept on this instance, while the
/// parameter set itself is rebuilt on every call (only the two collaborators are cached).
/// Audience and issuer checks are delegated to the validator, signing-key lookup to the resolver;
/// the <c>ValidateAudience</c>/<c>ValidateIssuer</c>/<c>ValidateLifetime</c> flags are copied
/// through as-is. <c>ValidateCertificates</c> is handed to the key resolver — presumably it
/// governs TLS certificate validation on the token-key endpoint fetch; confirm against
/// <c>CloudFoundryTokenKeyResolver</c> before relying on it.
/// </remarks>
internal TokenValidationParameters GetTokenValidationParameters()
{
    if (TokenValidationParameters != null)
    {
        return TokenValidationParameters;
    }

    if (TokenKeyResolver == null)
    {
        // The token-key endpoint is resolved relative to the authorization server base URL.
        string tokenKeyUrl = new Uri(new Uri(AuthorizationUrl), CloudFoundryDefaults.JwtTokenUri).AbsoluteUri;
        TokenKeyResolver = new Steeltoe.Security.Authentication.CloudFoundry.CloudFoundryTokenKeyResolver(tokenKeyUrl, null, ValidateCertificates);
    }

    if (TokenValidator == null)
    {
        TokenValidator = new CloudFoundryWcfTokenValidator(this, LoggerFactory?.CreateLogger<CloudFoundryWcfTokenValidator>());
    }

    return new TokenValidationParameters
    {
        ValidateAudience = ValidateAudience,
        AudienceValidator = TokenValidator.ValidateAudience,
        ValidateIssuer = ValidateIssuer,
        IssuerValidator = TokenValidator.ValidateIssuer,
        ValidateLifetime = ValidateLifetime,
        IssuerSigningKeyResolver = TokenKeyResolver.ResolveSigningKey,
    };
}
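/// <summary>
/// Demands that the current request's principal carries a "scope" claim whose value equals
/// <c>Scope</c>.
/// </summary>
/// <remarks>
/// The principal is read from <c>HttpContext.Current</c>. When there is no current context, no
/// user on it, the user is not a <see cref="ClaimsPrincipal"/>, or it lacks the required scope
/// claim, the request is rejected with "insufficient_scope" through
/// <c>CloudFoundryWcfTokenValidator.ThrowJwtException</c> (fail closed). Previously a missing
/// context surfaced as a NullReferenceException rather than a denial. The claim match is an
/// exact value comparison performed by <see cref="ClaimsPrincipal.HasClaim(string, string)"/>.
/// </remarks>
public void Demand()
{
    // Null-safe: a null HttpContext (e.g. not hosted under ASP.NET) yields a null principal and is denied.
    ClaimsPrincipal principal = HttpContext.Current?.User as ClaimsPrincipal;
    if (principal == null || !principal.HasClaim("scope", Scope))
    {
        Console.Out.WriteLine("Access denied token is not in Scope: " + Scope);
        CloudFoundryWcfTokenValidator.ThrowJwtException("Access denied token does not have Scope: " + Scope, "insufficient_scope");
    }
}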
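/// <summary>
/// Extracts the bearer token from the request's Authorization header and validates it into a
/// principal.
/// </summary>
/// <param name="headers">The request headers; only the "Authorization" header is read.</param>
/// <returns>
/// The <see cref="ClaimsPrincipal"/> produced by <c>_options.TokenValidator.ValidateToken</c>.
/// </returns>
/// <remarks>
/// Rejections — missing SSO configuration (<c>_options.AuthorizationUrl</c> null or empty),
/// missing header, a scheme other than "Bearer", or an absent/blank token — all go through
/// <c>CloudFoundryWcfTokenValidator.ThrowJwtException</c>, which is expected to throw; the
/// <see cref="NotImplementedException"/> after the last rejection only satisfies the compiler.
/// The token is split out of the header before validation runs, so an exception raised by the
/// validator itself now propagates with its own reason instead of being caught as
/// IndexOutOfRangeException and reported as "No Token" (the previous catch also covered the
/// validation call). The scheme check remains a case-insensitive prefix match on "Bearer".
/// <c>_options.TokenValidator</c> is assumed to be initialised by the time this is called —
/// confirm with the caller.
/// </remarks>
internal ClaimsPrincipal GetPrincipalFromRequestHeaders(WebHeaderCollection headers)
{
    // Fail closed if SSO configuration is missing.
    if (_options?.AuthorizationUrl == null || _options?.AuthorizationUrl?.Length == 0)
    {
        CloudFoundryWcfTokenValidator.ThrowJwtException("SSO Configuration is missing", null);
    }

    string authorization = headers["Authorization"];
    if (string.IsNullOrEmpty(authorization))
    {
        CloudFoundryWcfTokenValidator.ThrowJwtException("No Authorization header", null);
    }

    if (!authorization.StartsWith("Bearer", StringComparison.InvariantCultureIgnoreCase))
    {
        CloudFoundryWcfTokenValidator.ThrowJwtException("Wrong Token Format", null);
    }

    // "Bearer <token>": the token is the second space-separated field. An absent or blank token
    // is rejected here rather than handed to the validator.
    string[] parts = authorization.Split(' ');
    if (parts.Length < 2 || string.IsNullOrWhiteSpace(parts[1]))
    {
        CloudFoundryWcfTokenValidator.ThrowJwtException("No Token", null);
        throw new NotImplementedException("Unable to locate a Principal in the request header");
    }

    // Validation runs outside any catch so validator failures surface with their own reason.
    return _options.TokenValidator.ValidateToken(parts[1]);
}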