/// <summary> /// Utilizes OneAuthZ authorization SDK to validate user access. /// Direct inspection of the JWT token is required since Azure function host /// does not supply the subject (ObjectId) of the caller. /// </summary> /// <param name="req"></param> /// <param name="resource"></param> /// <param name="action"></param> /// <returns></returns> public async Task <bool> CheckAccessAysnc( HttpRequest req, string resource, string action) { StringValues headerValue; req.Headers.TryGetValue(Constants.authorizationHeader, out headerValue); var principle = await ValidateToken(headerValue.FirstOrDefault()).ConfigureAwait(false); var objectId = GetObjectId(principle); var subjectInfo = new SubjectInfo(); subjectInfo.AddAttribute(Constants.objectIdKey, objectId); var resourceInfo = new ResourceInfo(resource); var actionInfo = new ActionInfo(action); var request = new CheckAccessRequest( subjectInfo, resourceInfo, actionInfo, null, options.MiddlewareOptions.GetMemberGroups); return((await client.CheckAccessAsync(request).ConfigureAwait(false)).IsAccessGranted); }
public async Task <AccessResponse> CheckAccess(CheckAccessRequest accessRequest) { try { var validationResult = await _accessRequestValidator.ValidateAsync(accessRequest); if (!validationResult.IsValid) { var response = ValidationResponseHelper.GetResponse(validationResult); return(new AccessResponse { Status = response.Status, Message = response.Message }); } var result = await _securityContext.CheckAccess(accessRequest.UserId, accessRequest.AccessRightNames); return(new AccessResponse { Status = ActionStatus.Success, AccessRightNames = result }); } catch (SecurityDbException e) { return(new AccessResponse { Status = ActionStatus.Warning, Message = PrettyExceptionHelper.GetMessage(e) }); } catch (Exception e) { Console.WriteLine(e); return(new AccessResponse { Status = ActionStatus.Error, Message = "Something went wrong!" }); } }
private async Task <bool> ImpersonationCheckAccess() { if (this.expenseDemoOptions.Mode == Mode.Local) { return(true); } var objectId = GetObjectId(this.httpContext.User); var impersonationSubjectInfo = new SubjectInfo(); impersonationSubjectInfo.AddAttribute(ObjectIdKey, objectId); impersonationSubjectInfo.AddAttribute(UserPrincipalNameKey, this.httpContext.User.Identity.Name); var impersonationResourceInfo = new ResourceInfo(ImpersonationResourceId); var impersonationActionInfo = new ActionInfo(ImpersonationActionId); var impersonationResultRequest = new CheckAccessRequest(impersonationSubjectInfo, impersonationResourceInfo, impersonationActionInfo, null, this.authorizationClientOptions.MiddlewareOptions.GetMemberGroups); var impersonationResult = await this.policyDecisionPoint.CheckAccess(impersonationResultRequest).ConfigureAwait(false); return(impersonationResult); }
/// <summary> /// /// </summary> /// <param name="accessRequest"></param> /// <returns>AccessResponse</returns> public AccessResponse UserRightsCheckUserRights(CheckAccessRequest accessRequest) { // verify the required parameter 'accessRequest' is set if (accessRequest == null) { throw new ApiException(400, "Missing required parameter 'accessRequest' when calling UserRightsCheckUserRights"); } var path = "/api/security/rights/check"; path = path.Replace("{format}", "json"); var queryParams = new Dictionary <String, String>(); var headerParams = new Dictionary <String, String>(); var formParams = new Dictionary <String, String>(); var fileParams = new Dictionary <String, FileParameter>(); String postBody = null; postBody = ApiClient.Serialize(accessRequest); // http body (model) parameter // authentication setting, if any String[] authSettings = new String[] { }; // make the HTTP request IRestResponse response = (IRestResponse)ApiClient.CallApi(path, Method.PUT, queryParams, postBody, headerParams, formParams, fileParams, authSettings); if (((int)response.StatusCode) >= 400) { throw new ApiException((int)response.StatusCode, "Error calling UserRightsCheckUserRights: " + response.Content, response.Content); } else if (((int)response.StatusCode) == 0) { throw new ApiException((int)response.StatusCode, "Error calling UserRightsCheckUserRights: " + response.ErrorMessage, response.ErrorMessage); } return((AccessResponse)ApiClient.Deserialize(response.Content, typeof(AccessResponse), response.Headers)); }
/// <summary> /// Validate access using OneAuthZ /// </summary> /// <param name="claimsIdentity">Identity</param> /// <returns></returns> internal static async Task <RemoteAuthorizationDecision> ValidateAccess(string resourceInfo, string actionInfo, ClaimsIdentity claimsIdentity) { using (AuthorizationClient authorizationClient = AuthHelper.GetAuthorizationClient()) { // Request Parameters var oSubjectInfo = new SubjectInfo(); // Add App/User Principal oid [Subject of an Access Check Determination] oSubjectInfo.AddAttribute("ObjectId", new Guid(claimsIdentity.Claims.First(x => x.Type == AuthHelper.ObjectIdentityType).Value)); // Root resources var oResourceInfo = new ResourceInfo(resourceInfo); // NOTE: We are using Action as a reference key for a Role (RBAC tagging) var oActionInfo = new ActionInfo(actionInfo); // Request Object CheckAccessRequest oReq = new CheckAccessRequest(oSubjectInfo, oResourceInfo, oActionInfo, null, false, false); var authResponse = await authorizationClient.CheckAccessAsync(oReq).ConfigureAwait(false); return(authResponse); } }
public async Task <IActionResult> CheckUserRights([FromBody] CheckAccessRequest accessRequest) { var result = _securityService.CheckAccess(accessRequest); return(Ok(await result)); }
public async Task <bool> CheckAccess(CheckAccessRequest request) { return((await this.authorizationClient.CheckAccessAsync(request).ConfigureAwait(false)).IsAccessGranted); }
public Task <bool> CheckAccess(CheckAccessRequest request) { return(Task.FromResult(this.authorizationClient.CheckAccess(request).IsAccessGranted)); }