public void WithMultipleApp1ApplicationPermissions_ShouldStillGetClaim()
{
var permissionRepository = new Mock <IPermissionRepository>();
permissionRepository.Setup(x => x.GetByUserProfileLoginId(12345))
.Returns(new List <Permission>
{
new Permission {
ApplicationName = "app1", Name = "app1", Type = "application", CanCreate = true, CanView = true, CanModify = true, CanDelete = true
},
new Permission {
ApplicationName = "app1", Name = "app1", Type = "application", CanCreate = false, CanView = false, CanModify = false, CanDelete = false
},
new Permission {
ApplicationName = "app1", Name = "app1", Type = "field", CanCreate = true, CanView = true, CanModify = true, CanDelete = true
}
});
var claimsProvider = new ClaimsProvider(permissionRepository.Object, new Mock <IAppFunctionForQueryRepository>().Object);
var claims = claimsProvider.GetClaims(12345).ToList();
claims.Count.ShouldBe(1);
var app1App1Claim = claims.GetClaim("app1", "app1");
app1App1Claim.ShouldNotBe(null);
app1App1Claim.CanGet().ShouldBe(true);
app1App1Claim.CanPost().ShouldBe(true);
app1App1Claim.CanPut().ShouldBe(true);
app1App1Claim.CanDelete().ShouldBe(true);
}
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.Resources,
request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16)));
}
claims.Add(new Claim(JwtClaimTypes.Name, request.Subject.GetDisplayName()));
var issuer = Context.HttpContext.GetIdentityServerIssuerUri();
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
CreationTime = Clock.UtcNow.UtcDateTime,
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.ValidatedRequest.Client.ClientId,
AccessTokenType = request.ValidatedRequest.AccessTokenType
};
foreach (var api in request.Resources.ApiResources)
{
if (!string.IsNullOrWhiteSpace(api.Name))
{
token.Audiences.Add(api.Name);
}
}
return(token);
}
public async Task <JsonWebToken> Handle(RefreshAccessToken request,
CancellationToken cancellationToken)
{
var token = request.Token;
var refreshToken = await RefreshTokenRepository.GetAsync(token);
if (refreshToken == null)
{
throw new IdentityException(Codes.RefreshTokenNotFound,
"Refresh accessToken was not found.");
}
if (refreshToken.Revoked)
{
throw new IdentityException(Codes.RefreshTokenAlreadyRevoked,
$"Refresh accessToken: '{refreshToken.Id}' was revoked.");
}
var user = await GetUserOrThrowAsync(refreshToken.UserId);
var claims = await ClaimsProvider.GetAsync(user.Id);
var jwt = JwtService.CreateToken(user.Id.ToString("N"), user.Role, claims);
jwt.RefreshToken = refreshToken.Token;
var @event = new AccessTokenRefreshedIntegrationEvent(user.Id);
BusPublisher.Publish(@event);
return(jwt);
}
public void WithNoPermissions_ShouldNotGetClaims()
{
var permissionRepository = new Mock <IPermissionRepository>();
permissionRepository.Setup(x => x.GetByUserProfileLoginId(12345))
.Returns(new List <Permission>());
var claimsProvider = new ClaimsProvider(permissionRepository.Object, new Mock <IAppFunctionForQueryRepository>().Object);
var claims = claimsProvider.GetClaims(12345).ToList();
claims.Count.ShouldBe(0);
}
public void WithApplicationAndFieldPermissions_ApplicationPermissionShouldOverrideFieldPermissionsInClaims()
{
var permissionRepository = new Mock <IPermissionRepository>();
permissionRepository.Setup(x => x.GetByUserProfileLoginId(12345))
.Returns(new List <Permission>
{
new Permission {
ApplicationName = "app1", Name = "app1", Type = "application", CanCreate = true, CanView = true, CanModify = true, CanDelete = true, AppFunctionId = 1, AppFunctionParentId = 0
},
new Permission {
ApplicationName = "app1", Name = "Res1", Type = "field", CanCreate = false, CanView = false, CanModify = false, CanDelete = false, AppFunctionId = 2
}
});
//Note that the app has fields for which the user does not have any permissions. To test "filling in the missing fields" logic.
var appFunctionForQueryRepository = new Mock <IAppFunctionForQueryRepository>();
appFunctionForQueryRepository.Setup(x => x.GetAllFieldAppFunctionsForApplicationLevelAppFunctions(new[] { 1 }))
.Returns(new List <AppFunctionForQuery>
{
new AppFunctionForQuery {
App = "app1", AppFunctionType = "field", Id = 2, Name = "Res1", ParentId = 1, ParentName = "app1"
},
new AppFunctionForQuery {
App = "app1", AppFunctionType = "field", Id = 3, Name = "Res2", ParentId = 1, ParentName = "app1"
}
});
var claimsProvider = new ClaimsProvider(permissionRepository.Object, appFunctionForQueryRepository.Object);
var claims = claimsProvider.GetClaims(12345).ToList();
var app1Res1Claim = claims.GetClaim("app1", "res1");
app1Res1Claim.ShouldNotBe(null);
app1Res1Claim.CanGet().ShouldBe(true);
app1Res1Claim.CanPost().ShouldBe(true);
app1Res1Claim.CanPut().ShouldBe(true);
app1Res1Claim.CanDelete().ShouldBe(true);
var app1Res2Claim = claims.GetClaim("app1", "res2");
app1Res2Claim.ShouldNotBe(null);
app1Res2Claim.CanGet().ShouldBe(true);
app1Res2Claim.CanPost().ShouldBe(true);
app1Res2Claim.CanPut().ShouldBe(true);
app1Res2Claim.CanDelete().ShouldBe(true);
}
/// <inheritdoc/>
public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
{
var user = await _usersService.GetUser(context.Principal.GetId());
if (user?.IsBlocked != false)
{
context.RejectPrincipal();
return;
}
if (!string.Equals(user.DetailsStamp, context.Principal.GetDetailsStamp()))
{
var newPrincipal = ClaimsProvider.GenerateClaimsPrincipal(user, context.Principal.Identity.AuthenticationType);
context.ReplacePrincipal(newPrincipal);
context.ShouldRenew = true;
return;
}
await base.ValidatePrincipal(context);
}
static void Main(string[] args)
{
var policy = new TrustFrameworkPolicy("MyPolicyId");
var mandatoryClaimsProvider = new ClaimsProvider
{
DisplayName = "Trustframework Policy Engine TechnicalProfiles",
TechnicalProfiles =
{
new TechnicalProfile("TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13")
{
DisplayName = "Trustframework Policy Engine Default Technical Profile",
Metadata =
{
["url"] = "${service:te}"
}
}
}
};
Console.WriteLine("Hello World!");
}
public async Task <SignInResult> SignIn(string email, string password)
{
var user = await _userRepository.GetUser(email);
if (user == null)
{
return(new SignInResult(ErrorCodes.InvalidCredentials));
}
if (user.IsBlocked)
{
return(new SignInResult(ErrorCodes.UserBlocked));
}
if (!PasswordHasher.VerifyHashedPassword(user.Password, password))
{
return(new SignInResult(ErrorCodes.InvalidCredentials));
}
var principal = ClaimsProvider.GenerateClaimsPrincipal(user, "login");
return(new SignInResult(principal));
}
public async Task <ActionResult> Login(LoginModel model, string returnUrl)
{
AppUser user = await UserManager.FindAsync(model.Name, model.Password);
if (user == null)
{
ModelState.AddModelError("", "Wrong E-mail or Password");
}
else
{
ClaimsIdentity ident = await UserManager.CreateIdentityAsync(user,
DefaultAuthenticationTypes.ApplicationCookie);
ident.AddClaims(ClaimsProvider.GetClaims(ident));
AuthManager.SignOut();
AuthManager.SignIn(new AuthenticationProperties
{
IsPersistent = false
}, ident);
return(Redirect(returnUrl));
}
return(View(model));
}
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request)
{
Logger.LogTrace("Creating access token");
request.Validate();
var claims = new List <Claim>();
claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync(
request.Subject,
request.ValidatedResources,
request.ValidatedRequest));
if (request.ValidatedRequest.Client.IncludeJwtId)
{
claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)));
}
if (request.ValidatedRequest.SessionId.IsPresent())
{
claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId));
}
var issuer = _scopedTenantRequestContext.Context.Issuer;
if (string.IsNullOrWhiteSpace(issuer))
{
issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri();
}
var token = new Token(OidcConstants.TokenTypes.AccessToken)
{
CreationTime = Clock.UtcNow.UtcDateTime,
Issuer = issuer,
Lifetime = request.ValidatedRequest.AccessTokenLifetime,
Claims = claims.Distinct(new ClaimComparer()).ToList(),
ClientId = request.ValidatedRequest.Client.ClientId,
Description = request.Description,
AccessTokenType = request.ValidatedRequest.AccessTokenType,
AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms()
};
// add aud based on ApiResources in the validated request
foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct())
{
token.Audiences.Add(aud);
}
if (Options.EmitStaticAudienceClaim)
{
token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash()));
}
// add cnf if present
if (request.ValidatedRequest.Confirmation.IsPresent())
{
token.Confirmation = request.ValidatedRequest.Confirmation;
}
else
{
if (Options.MutualTls.AlwaysEmitConfirmationClaim)
{
var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync();
if (clientCertificate != null)
{
token.Confirmation = clientCertificate.CreateThumbprintCnf();
}
}
}
return(token);
}
public XNode Visit(ClaimsProvider claimsProvider)
{
return(new XElement(nameof(ClaimsProvider),
new XElement("DisplayName", claimsProvider.DisplayName),
VisitCollection("TechnicalProfiles", claimsProvider.TechnicalProfiles, Visit)));
}
