/// <summary>
/// Utilizes OneAuthZ authorization SDK to validate user access.
/// Direct inspection of the JWT token is required since Azure function host
/// does not supply the subject (ObjectId) of the caller.
/// </summary>
/// <param name="req"></param>
/// <param name="resource"></param>
/// <param name="action"></param>
/// <returns></returns>
public async Task <bool> CheckAccessAysnc(
HttpRequest req,
string resource,
string action)
{
StringValues headerValue;
req.Headers.TryGetValue(Constants.authorizationHeader, out headerValue);
var principle = await ValidateToken(headerValue.FirstOrDefault()).ConfigureAwait(false);
var objectId = GetObjectId(principle);
var subjectInfo = new SubjectInfo();
subjectInfo.AddAttribute(Constants.objectIdKey, objectId);
var resourceInfo = new ResourceInfo(resource);
var actionInfo = new ActionInfo(action);
var request = new CheckAccessRequest(
subjectInfo,
resourceInfo,
actionInfo,
null,
options.MiddlewareOptions.GetMemberGroups);
return((await client.CheckAccessAsync(request).ConfigureAwait(false)).IsAccessGranted);
}
public async Task <AccessResponse> CheckAccess(CheckAccessRequest accessRequest)
{
try
{
var validationResult = await _accessRequestValidator.ValidateAsync(accessRequest);
if (!validationResult.IsValid)
{
var response = ValidationResponseHelper.GetResponse(validationResult);
return(new AccessResponse
{
Status = response.Status,
Message = response.Message
});
}
var result = await _securityContext.CheckAccess(accessRequest.UserId, accessRequest.AccessRightNames);
return(new AccessResponse
{
Status = ActionStatus.Success,
AccessRightNames = result
});
}
catch (SecurityDbException e)
{
return(new AccessResponse
{
Status = ActionStatus.Warning,
Message = PrettyExceptionHelper.GetMessage(e)
});
}
catch (Exception e)
{
Console.WriteLine(e);
return(new AccessResponse
{
Status = ActionStatus.Error,
Message = "Something went wrong!"
});
}
}
private async Task <bool> ImpersonationCheckAccess()
{
if (this.expenseDemoOptions.Mode == Mode.Local)
{
return(true);
}
var objectId = GetObjectId(this.httpContext.User);
var impersonationSubjectInfo = new SubjectInfo();
impersonationSubjectInfo.AddAttribute(ObjectIdKey, objectId);
impersonationSubjectInfo.AddAttribute(UserPrincipalNameKey, this.httpContext.User.Identity.Name);
var impersonationResourceInfo = new ResourceInfo(ImpersonationResourceId);
var impersonationActionInfo = new ActionInfo(ImpersonationActionId);
var impersonationResultRequest = new CheckAccessRequest(impersonationSubjectInfo, impersonationResourceInfo, impersonationActionInfo, null, this.authorizationClientOptions.MiddlewareOptions.GetMemberGroups);
var impersonationResult = await this.policyDecisionPoint.CheckAccess(impersonationResultRequest).ConfigureAwait(false);
return(impersonationResult);
}
/// <summary>
///
/// </summary>
/// <param name="accessRequest"></param>
/// <returns>AccessResponse</returns>
public AccessResponse UserRightsCheckUserRights(CheckAccessRequest accessRequest)
{
// verify the required parameter 'accessRequest' is set
if (accessRequest == null)
{
throw new ApiException(400, "Missing required parameter 'accessRequest' when calling UserRightsCheckUserRights");
}
var path = "/api/security/rights/check";
path = path.Replace("{format}", "json");
var queryParams = new Dictionary <String, String>();
var headerParams = new Dictionary <String, String>();
var formParams = new Dictionary <String, String>();
var fileParams = new Dictionary <String, FileParameter>();
String postBody = null;
postBody = ApiClient.Serialize(accessRequest); // http body (model) parameter
// authentication setting, if any
String[] authSettings = new String[] { };
// make the HTTP request
IRestResponse response = (IRestResponse)ApiClient.CallApi(path, Method.PUT, queryParams, postBody, headerParams, formParams, fileParams, authSettings);
if (((int)response.StatusCode) >= 400)
{
throw new ApiException((int)response.StatusCode, "Error calling UserRightsCheckUserRights: " + response.Content, response.Content);
}
else if (((int)response.StatusCode) == 0)
{
throw new ApiException((int)response.StatusCode, "Error calling UserRightsCheckUserRights: " + response.ErrorMessage, response.ErrorMessage);
}
return((AccessResponse)ApiClient.Deserialize(response.Content, typeof(AccessResponse), response.Headers));
}
/// <summary>
/// Validate access using OneAuthZ
/// </summary>
/// <param name="claimsIdentity">Identity</param>
/// <returns></returns>
internal static async Task <RemoteAuthorizationDecision> ValidateAccess(string resourceInfo, string actionInfo, ClaimsIdentity claimsIdentity)
{
using (AuthorizationClient authorizationClient = AuthHelper.GetAuthorizationClient())
{
// Request Parameters
var oSubjectInfo = new SubjectInfo();
// Add App/User Principal oid [Subject of an Access Check Determination]
oSubjectInfo.AddAttribute("ObjectId", new Guid(claimsIdentity.Claims.First(x => x.Type == AuthHelper.ObjectIdentityType).Value));
// Root resources
var oResourceInfo = new ResourceInfo(resourceInfo);
// NOTE: We are using Action as a reference key for a Role (RBAC tagging)
var oActionInfo = new ActionInfo(actionInfo);
// Request Object
CheckAccessRequest oReq = new CheckAccessRequest(oSubjectInfo, oResourceInfo, oActionInfo, null, false, false);
var authResponse = await authorizationClient.CheckAccessAsync(oReq).ConfigureAwait(false);
return(authResponse);
}
}
public async Task <IActionResult> CheckUserRights([FromBody] CheckAccessRequest accessRequest)
{
var result = _securityService.CheckAccess(accessRequest);
return(Ok(await result));
}
public async Task <bool> CheckAccess(CheckAccessRequest request)
{
return((await this.authorizationClient.CheckAccessAsync(request).ConfigureAwait(false)).IsAccessGranted);
}
public Task <bool> CheckAccess(CheckAccessRequest request)
{
return(Task.FromResult(this.authorizationClient.CheckAccess(request).IsAccessGranted));
}
