public async Task InvokeAsync(HttpContext context, IRuntimeAuthorizationServerStore store, BaleaOptions options)
{
var endpoint = context.GetEndpoint();
if (context.User.Identity.IsAuthenticated && endpoint.Metadata.GetMetadata <IAuthorizeData>() != null)
{
if (context.Items.ContainsKey(AuthorizationMiddlewareInvokedKey))
{
ThrowMissingAuthMiddlewareException();
}
var authorization = await store
.FindAuthorizationAsync(context.User);
if (!context.Response.HasStarted && options.UnauthorizedFallback != null && !authorization.Roles.Any())
{
await options.UnauthorizedFallback(context);
return;
}
var roleClaims = authorization.Roles
.Where(role => role.Enabled)
.Select(role => new Claim(options.DefaultClaimTypeMap.RoleClaimType, role.Name));
var permissionClaims = authorization.Roles
.SelectMany(role => role.GetPermissions())
.Distinct()
.Select(permission => new Claim(options.DefaultClaimTypeMap.PermissionClaimType, permission));
var identity = new ClaimsIdentity(
authenticationType: nameof(BaleaMiddleware),
nameType: options.DefaultClaimTypeMap.NameClaimType,
roleType: options.DefaultClaimTypeMap.RoleClaimType);
identity.AddClaims(roleClaims);
identity.AddClaims(permissionClaims);
if (authorization.Delegation != null)
{
identity.AddClaim(new Claim(BaleaClaims.DelegatedBy, authorization.Delegation.Who));
identity.AddClaim(new Claim(BaleaClaims.DelegatedFrom, authorization.Delegation.From.ToString()));
identity.AddClaim(new Claim(BaleaClaims.DelegatedTo, authorization.Delegation.To.ToString()));
}
context.User.AddIdentity(identity);
}
await _next(context);
}
private async Task AddBaleaIdentity(ClaimsPrincipal user, HttpContext context)
{
var authorization = await _store
.FindAuthorizationAsync(user);
if (!context.Response.HasStarted && _options.UnauthorizedFallback != null && !authorization.Roles.Any())
{
await _options.UnauthorizedFallback(context);
return;
}
var roleClaims = authorization.Roles
.Where(role => role.Enabled)
.Select(role => new Claim(_options.DefaultClaimTypeMap.RoleClaimType, role.Name));
var permissionClaims = authorization.Roles
.SelectMany(role => role.GetPermissions())
.Distinct()
.Select(permission => new Claim(_options.DefaultClaimTypeMap.PermissionClaimType, permission));
var identity = new ClaimsIdentity(
authenticationType: "Balea",
nameType: _options.DefaultClaimTypeMap.NameClaimType,
roleType: _options.DefaultClaimTypeMap.RoleClaimType);
identity.AddClaims(roleClaims);
identity.AddClaims(permissionClaims);
if (authorization.Delegation != null)
{
identity.AddClaim(new Claim(BaleaClaims.DelegatedBy, authorization.Delegation.Who));
identity.AddClaim(new Claim(BaleaClaims.DelegatedFrom, authorization.Delegation.From.ToString()));
identity.AddClaim(new Claim(BaleaClaims.DelegatedTo, authorization.Delegation.To.ToString()));
}
user.AddIdentity(identity);
}
private async Task AddBaleaIdentity(ClaimsPrincipal user, HttpContext context)
{
var authorization = await _store
.FindAuthorizationAsync(user);
if (authorization.Roles.Any())
{
if (_logger.IsEnabled(LogLevel.Debug))
{
_logger.BaleaRolesFoundForUser(user.GetSubjectId(_options), authorization.Roles.Select(r => r.Name));
}
}
else
{
// For Balea, a user without mapping roles is an unauthorized user, because we can not match Balea roles or permissions.
// If the user has not Balea roles, we try to execute the unauthorized fallback to be consistent with this principle.
// If there is not an unauthorized fallback defined, the authorizations result may be unexpected.
if (_logger.IsEnabled(LogLevel.Debug))
{
_logger.NoBaleaRolesForUser(user.GetSubjectId(_options));
}
if (!context.Response.HasStarted && _options.UnauthorizedFallback != null)
{
_logger.ExecutingBaleaUnauthorizedFallback();
await _options.UnauthorizedFallback(context);
}
else
{
_logger.NoBaleaRolesForUserAndNoUnauthorizedFallback();
}
return;
}
var roleClaims = authorization.Roles
.Where(role => role.Enabled)
.Select(role => new Claim(_options.DefaultClaimTypeMap.RoleClaimType, role.Name));
var permissionClaims = authorization.Roles
.SelectMany(role => role.GetPermissions())
.Distinct()
.Select(permission => new Claim(_options.DefaultClaimTypeMap.PermissionClaimType, permission));
var identity = new ClaimsIdentity(
authenticationType: "Balea",
nameType: _options.DefaultClaimTypeMap.NameClaimType,
roleType: _options.DefaultClaimTypeMap.RoleClaimType);
identity.AddClaims(roleClaims);
identity.AddClaims(permissionClaims);
if (authorization.Delegation != null)
{
identity.AddClaim(new Claim(BaleaClaims.DelegatedBy, authorization.Delegation.Who));
identity.AddClaim(new Claim(BaleaClaims.DelegatedFrom, authorization.Delegation.From.ToString()));
identity.AddClaim(new Claim(BaleaClaims.DelegatedTo, authorization.Delegation.To.ToString()));
}
user.AddIdentity(identity);
}