public void WithMultipleApp1ApplicationPermissions_ShouldStillGetClaim() { var permissionRepository = new Mock <IPermissionRepository>(); permissionRepository.Setup(x => x.GetByUserProfileLoginId(12345)) .Returns(new List <Permission> { new Permission { ApplicationName = "app1", Name = "app1", Type = "application", CanCreate = true, CanView = true, CanModify = true, CanDelete = true }, new Permission { ApplicationName = "app1", Name = "app1", Type = "application", CanCreate = false, CanView = false, CanModify = false, CanDelete = false }, new Permission { ApplicationName = "app1", Name = "app1", Type = "field", CanCreate = true, CanView = true, CanModify = true, CanDelete = true } }); var claimsProvider = new ClaimsProvider(permissionRepository.Object, new Mock <IAppFunctionForQueryRepository>().Object); var claims = claimsProvider.GetClaims(12345).ToList(); claims.Count.ShouldBe(1); var app1App1Claim = claims.GetClaim("app1", "app1"); app1App1Claim.ShouldNotBe(null); app1App1Claim.CanGet().ShouldBe(true); app1App1Claim.CanPost().ShouldBe(true); app1App1Claim.CanPut().ShouldBe(true); app1App1Claim.CanDelete().ShouldBe(true); }
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.Resources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16))); } claims.Add(new Claim(JwtClaimTypes.Name, request.Subject.GetDisplayName())); var issuer = Context.HttpContext.GetIdentityServerIssuerUri(); var token = new Token(OidcConstants.TokenTypes.AccessToken) { CreationTime = Clock.UtcNow.UtcDateTime, Issuer = issuer, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, AccessTokenType = request.ValidatedRequest.AccessTokenType }; foreach (var api in request.Resources.ApiResources) { if (!string.IsNullOrWhiteSpace(api.Name)) { token.Audiences.Add(api.Name); } } return(token); }
public async Task <JsonWebToken> Handle(RefreshAccessToken request, CancellationToken cancellationToken) { var token = request.Token; var refreshToken = await RefreshTokenRepository.GetAsync(token); if (refreshToken == null) { throw new IdentityException(Codes.RefreshTokenNotFound, "Refresh accessToken was not found."); } if (refreshToken.Revoked) { throw new IdentityException(Codes.RefreshTokenAlreadyRevoked, $"Refresh accessToken: '{refreshToken.Id}' was revoked."); } var user = await GetUserOrThrowAsync(refreshToken.UserId); var claims = await ClaimsProvider.GetAsync(user.Id); var jwt = JwtService.CreateToken(user.Id.ToString("N"), user.Role, claims); jwt.RefreshToken = refreshToken.Token; var @event = new AccessTokenRefreshedIntegrationEvent(user.Id); BusPublisher.Publish(@event); return(jwt); }
public void WithNoPermissions_ShouldNotGetClaims() { var permissionRepository = new Mock <IPermissionRepository>(); permissionRepository.Setup(x => x.GetByUserProfileLoginId(12345)) .Returns(new List <Permission>()); var claimsProvider = new ClaimsProvider(permissionRepository.Object, new Mock <IAppFunctionForQueryRepository>().Object); var claims = claimsProvider.GetClaims(12345).ToList(); claims.Count.ShouldBe(0); }
public void WithApplicationAndFieldPermissions_ApplicationPermissionShouldOverrideFieldPermissionsInClaims() { var permissionRepository = new Mock <IPermissionRepository>(); permissionRepository.Setup(x => x.GetByUserProfileLoginId(12345)) .Returns(new List <Permission> { new Permission { ApplicationName = "app1", Name = "app1", Type = "application", CanCreate = true, CanView = true, CanModify = true, CanDelete = true, AppFunctionId = 1, AppFunctionParentId = 0 }, new Permission { ApplicationName = "app1", Name = "Res1", Type = "field", CanCreate = false, CanView = false, CanModify = false, CanDelete = false, AppFunctionId = 2 } }); //Note that the app has fields for which the user does not have any permissions. To test "filling in the missing fields" logic. var appFunctionForQueryRepository = new Mock <IAppFunctionForQueryRepository>(); appFunctionForQueryRepository.Setup(x => x.GetAllFieldAppFunctionsForApplicationLevelAppFunctions(new[] { 1 })) .Returns(new List <AppFunctionForQuery> { new AppFunctionForQuery { App = "app1", AppFunctionType = "field", Id = 2, Name = "Res1", ParentId = 1, ParentName = "app1" }, new AppFunctionForQuery { App = "app1", AppFunctionType = "field", Id = 3, Name = "Res2", ParentId = 1, ParentName = "app1" } }); var claimsProvider = new ClaimsProvider(permissionRepository.Object, appFunctionForQueryRepository.Object); var claims = claimsProvider.GetClaims(12345).ToList(); var app1Res1Claim = claims.GetClaim("app1", "res1"); app1Res1Claim.ShouldNotBe(null); app1Res1Claim.CanGet().ShouldBe(true); app1Res1Claim.CanPost().ShouldBe(true); app1Res1Claim.CanPut().ShouldBe(true); app1Res1Claim.CanDelete().ShouldBe(true); var app1Res2Claim = claims.GetClaim("app1", "res2"); app1Res2Claim.ShouldNotBe(null); app1Res2Claim.CanGet().ShouldBe(true); app1Res2Claim.CanPost().ShouldBe(true); app1Res2Claim.CanPut().ShouldBe(true); app1Res2Claim.CanDelete().ShouldBe(true); }
/// <inheritdoc/> public override async Task ValidatePrincipal(CookieValidatePrincipalContext context) { var user = await _usersService.GetUser(context.Principal.GetId()); if (user?.IsBlocked != false) { context.RejectPrincipal(); return; } if (!string.Equals(user.DetailsStamp, context.Principal.GetDetailsStamp())) { var newPrincipal = ClaimsProvider.GenerateClaimsPrincipal(user, context.Principal.Identity.AuthenticationType); context.ReplacePrincipal(newPrincipal); context.ShouldRenew = true; return; } await base.ValidatePrincipal(context); }
static void Main(string[] args) { var policy = new TrustFrameworkPolicy("MyPolicyId"); var mandatoryClaimsProvider = new ClaimsProvider { DisplayName = "Trustframework Policy Engine TechnicalProfiles", TechnicalProfiles = { new TechnicalProfile("TpEngine_c3bd4fe2-1775-4013-b91d-35f16d377d13") { DisplayName = "Trustframework Policy Engine Default Technical Profile", Metadata = { ["url"] = "${service:te}" } } } }; Console.WriteLine("Hello World!"); }
public async Task <SignInResult> SignIn(string email, string password) { var user = await _userRepository.GetUser(email); if (user == null) { return(new SignInResult(ErrorCodes.InvalidCredentials)); } if (user.IsBlocked) { return(new SignInResult(ErrorCodes.UserBlocked)); } if (!PasswordHasher.VerifyHashedPassword(user.Password, password)) { return(new SignInResult(ErrorCodes.InvalidCredentials)); } var principal = ClaimsProvider.GenerateClaimsPrincipal(user, "login"); return(new SignInResult(principal)); }
public async Task <ActionResult> Login(LoginModel model, string returnUrl) { AppUser user = await UserManager.FindAsync(model.Name, model.Password); if (user == null) { ModelState.AddModelError("", "Wrong E-mail or Password"); } else { ClaimsIdentity ident = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie); ident.AddClaims(ClaimsProvider.GetClaims(ident)); AuthManager.SignOut(); AuthManager.SignIn(new AuthenticationProperties { IsPersistent = false }, ident); return(Redirect(returnUrl)); } return(View(model)); }
public override async Task <Token> CreateAccessTokenAsync(TokenCreationRequest request) { Logger.LogTrace("Creating access token"); request.Validate(); var claims = new List <Claim>(); claims.AddRange(await ClaimsProvider.GetAccessTokenClaimsAsync( request.Subject, request.ValidatedResources, request.ValidatedRequest)); if (request.ValidatedRequest.Client.IncludeJwtId) { claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex))); } if (request.ValidatedRequest.SessionId.IsPresent()) { claims.Add(new Claim(JwtClaimTypes.SessionId, request.ValidatedRequest.SessionId)); } var issuer = _scopedTenantRequestContext.Context.Issuer; if (string.IsNullOrWhiteSpace(issuer)) { issuer = ContextAccessor.HttpContext.GetIdentityServerIssuerUri(); } var token = new Token(OidcConstants.TokenTypes.AccessToken) { CreationTime = Clock.UtcNow.UtcDateTime, Issuer = issuer, Lifetime = request.ValidatedRequest.AccessTokenLifetime, Claims = claims.Distinct(new ClaimComparer()).ToList(), ClientId = request.ValidatedRequest.Client.ClientId, Description = request.Description, AccessTokenType = request.ValidatedRequest.AccessTokenType, AllowedSigningAlgorithms = request.ValidatedResources.Resources.ApiResources.FindMatchingSigningAlgorithms() }; // add aud based on ApiResources in the validated request foreach (var aud in request.ValidatedResources.Resources.ApiResources.Select(x => x.Name).Distinct()) { token.Audiences.Add(aud); } if (Options.EmitStaticAudienceClaim) { token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash())); } // add cnf if present if (request.ValidatedRequest.Confirmation.IsPresent()) { token.Confirmation = request.ValidatedRequest.Confirmation; } else { if (Options.MutualTls.AlwaysEmitConfirmationClaim) { var clientCertificate = await ContextAccessor.HttpContext.Connection.GetClientCertificateAsync(); if (clientCertificate != null) { token.Confirmation = clientCertificate.CreateThumbprintCnf(); } } } return(token); }
public XNode Visit(ClaimsProvider claimsProvider) { return(new XElement(nameof(ClaimsProvider), new XElement("DisplayName", claimsProvider.DisplayName), VisitCollection("TechnicalProfiles", claimsProvider.TechnicalProfiles, Visit))); }