예제 #1
0
        public async Task InvokeAsync(HttpContext context, IRuntimeAuthorizationServerStore store, BaleaOptions options)
        {
            var endpoint = context.GetEndpoint();

            if (context.User.Identity.IsAuthenticated && endpoint.Metadata.GetMetadata <IAuthorizeData>() != null)
            {
                if (context.Items.ContainsKey(AuthorizationMiddlewareInvokedKey))
                {
                    ThrowMissingAuthMiddlewareException();
                }

                var authorization = await store
                                    .FindAuthorizationAsync(context.User);

                if (!context.Response.HasStarted && options.UnauthorizedFallback != null && !authorization.Roles.Any())
                {
                    await options.UnauthorizedFallback(context);

                    return;
                }

                var roleClaims = authorization.Roles
                                 .Where(role => role.Enabled)
                                 .Select(role => new Claim(options.DefaultClaimTypeMap.RoleClaimType, role.Name));

                var permissionClaims = authorization.Roles
                                       .SelectMany(role => role.GetPermissions())
                                       .Distinct()
                                       .Select(permission => new Claim(options.DefaultClaimTypeMap.PermissionClaimType, permission));

                var identity = new ClaimsIdentity(
                    authenticationType: nameof(BaleaMiddleware),
                    nameType: options.DefaultClaimTypeMap.NameClaimType,
                    roleType: options.DefaultClaimTypeMap.RoleClaimType);

                identity.AddClaims(roleClaims);
                identity.AddClaims(permissionClaims);

                if (authorization.Delegation != null)
                {
                    identity.AddClaim(new Claim(BaleaClaims.DelegatedBy, authorization.Delegation.Who));
                    identity.AddClaim(new Claim(BaleaClaims.DelegatedFrom, authorization.Delegation.From.ToString()));
                    identity.AddClaim(new Claim(BaleaClaims.DelegatedTo, authorization.Delegation.To.ToString()));
                }

                context.User.AddIdentity(identity);
            }

            await _next(context);
        }
예제 #2
0
        private async Task AddBaleaIdentity(ClaimsPrincipal user, HttpContext context)
        {
            var authorization = await _store
                                .FindAuthorizationAsync(user);

            if (!context.Response.HasStarted && _options.UnauthorizedFallback != null && !authorization.Roles.Any())
            {
                await _options.UnauthorizedFallback(context);

                return;
            }

            var roleClaims = authorization.Roles
                             .Where(role => role.Enabled)
                             .Select(role => new Claim(_options.DefaultClaimTypeMap.RoleClaimType, role.Name));

            var permissionClaims = authorization.Roles
                                   .SelectMany(role => role.GetPermissions())
                                   .Distinct()
                                   .Select(permission => new Claim(_options.DefaultClaimTypeMap.PermissionClaimType, permission));

            var identity = new ClaimsIdentity(
                authenticationType: "Balea",
                nameType: _options.DefaultClaimTypeMap.NameClaimType,
                roleType: _options.DefaultClaimTypeMap.RoleClaimType);

            identity.AddClaims(roleClaims);
            identity.AddClaims(permissionClaims);

            if (authorization.Delegation != null)
            {
                identity.AddClaim(new Claim(BaleaClaims.DelegatedBy, authorization.Delegation.Who));
                identity.AddClaim(new Claim(BaleaClaims.DelegatedFrom, authorization.Delegation.From.ToString()));
                identity.AddClaim(new Claim(BaleaClaims.DelegatedTo, authorization.Delegation.To.ToString()));
            }

            user.AddIdentity(identity);
        }
예제 #3
0
        private async Task AddBaleaIdentity(ClaimsPrincipal user, HttpContext context)
        {
            var authorization = await _store
                                .FindAuthorizationAsync(user);

            if (authorization.Roles.Any())
            {
                if (_logger.IsEnabled(LogLevel.Debug))
                {
                    _logger.BaleaRolesFoundForUser(user.GetSubjectId(_options), authorization.Roles.Select(r => r.Name));
                }
            }
            else
            {
                // For Balea, a user without mapping roles is an unauthorized user, because we can not match Balea roles or permissions.
                // If the user has not Balea roles, we try to execute the unauthorized fallback to be consistent with this principle.
                // If there is not an unauthorized fallback defined, the authorizations result may be unexpected.
                if (_logger.IsEnabled(LogLevel.Debug))
                {
                    _logger.NoBaleaRolesForUser(user.GetSubjectId(_options));
                }

                if (!context.Response.HasStarted && _options.UnauthorizedFallback != null)
                {
                    _logger.ExecutingBaleaUnauthorizedFallback();

                    await _options.UnauthorizedFallback(context);
                }
                else
                {
                    _logger.NoBaleaRolesForUserAndNoUnauthorizedFallback();
                }

                return;
            }

            var roleClaims = authorization.Roles
                             .Where(role => role.Enabled)
                             .Select(role => new Claim(_options.DefaultClaimTypeMap.RoleClaimType, role.Name));

            var permissionClaims = authorization.Roles
                                   .SelectMany(role => role.GetPermissions())
                                   .Distinct()
                                   .Select(permission => new Claim(_options.DefaultClaimTypeMap.PermissionClaimType, permission));

            var identity = new ClaimsIdentity(
                authenticationType: "Balea",
                nameType: _options.DefaultClaimTypeMap.NameClaimType,
                roleType: _options.DefaultClaimTypeMap.RoleClaimType);

            identity.AddClaims(roleClaims);
            identity.AddClaims(permissionClaims);

            if (authorization.Delegation != null)
            {
                identity.AddClaim(new Claim(BaleaClaims.DelegatedBy, authorization.Delegation.Who));
                identity.AddClaim(new Claim(BaleaClaims.DelegatedFrom, authorization.Delegation.From.ToString()));
                identity.AddClaim(new Claim(BaleaClaims.DelegatedTo, authorization.Delegation.To.ToString()));
            }

            user.AddIdentity(identity);
        }