/// <summary>
/// Generates a JSON Web Token Token (JwtToken) for a given user and role. Based on the method with the same name from https://github.com/jatarga/WebApiJwt/blob/master/Controllers/AccountController.cs
/// </summary>
/// <param name="user">Which <see cref="GirafUser"/> to generate the token for</param>
/// <returns>
/// JWT Token as a string
/// </returns>
private async Task <string> GenerateJwtToken(GirafUser user, string impersonatedBy)
{
var claims = new List <Claim>
{
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
new Claim(ClaimTypes.NameIdentifier, user.Id),
new Claim("departmentId", user.DepartmentKey?.ToString() ?? ""),
};
claims.AddRange(await GetRoleClaims(user));
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration.Value.JwtKey));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var expires = DateTime.Now.AddDays(Convert.ToDouble(_configuration.Value.JwtExpireDays));
var token = new JwtSecurityToken(
_configuration.Value.JwtIssuer,
_configuration.Value.JwtIssuer,
claims,
expires: expires,
signingCredentials: creds
);
return(new JwtSecurityTokenHandler().WriteToken(token));
}
/// <summary>
/// Checks if the user has some form of ownership of the pictogram.
/// </summary>
/// <param name="picto">The Pictogram in need of checking.</param>
/// <param name="usr">The user in question.</param>
/// <returns>A bool indicating whether the user owns the pictogram or not.</returns>
private async Task <bool> CheckOwnership(Pictogram picto, GirafUser usr)
{
var ownsPictogram = false;
switch (picto.AccessLevel)
{
case AccessLevel.PUBLIC:
ownsPictogram = true;
break;
case AccessLevel.PROTECTED:
ownsPictogram = await _giraf.CheckProtectedOwnership(picto, usr);
break;
case AccessLevel.PRIVATE:
ownsPictogram = await _giraf.CheckPrivateOwnership(picto, usr);
break;
}
if (!ownsPictogram)
{
return(false);
}
return(true);
}
/// <summary>
/// Checks that a user gots the rights to register a specific role to a specific department
/// Citizen can never register, department and guardian can only register guardians and citizens in same dep
/// Super user can register all roles
/// </summary>
public async Task <bool> HasRegisterUserAccess(GirafUser authUser, GirafRoles roleToAdd, long departmentKey)
{
if (authUser == null)
{
return(false);
}
var authUserRole = await _roleManager.findUserRole(_userManager, authUser);
if (authUserRole == GirafRoles.Citizen)
{
return(false);
}
if (authUserRole == GirafRoles.Guardian || authUserRole == GirafRoles.Department)
{
if (!(roleToAdd == GirafRoles.Guardian || roleToAdd == GirafRoles.Citizen) &&
departmentKey == authUser.DepartmentKey)
{
return(false);
}
}
// only super users can add Department role in fact a super user can do anything so just return true
return(true);
}
/// <summary>
/// Gets roles s.t we can get role from payload
/// </summary>
/// <param name="user"><see cref="GirafUser"/> to get claims for</param>
/// <returns>The role claims for the given user</returns>
private async Task <List <Claim> > GetRoleClaims(GirafUser user)
{
var roleclaims = new List <Claim>();
var userRoles = await _giraf._userManager.GetRolesAsync(user);
roleclaims.AddRange(userRoles.Select(userRole => new Claim(ClaimTypes.Role, userRole)));
return(roleclaims);
}
/// <summary>
/// Method for checking whether the authenticated user is allowed to view information related to given department.
/// </summary>
public async Task <bool> HasReadDepartmentAccess(GirafUser authUser, long?departmentKey)
{
var authUserRole = await _roleManager.findUserRole(_userManager, authUser);
if (authUserRole == GirafRoles.SuperUser)
{
return(true);
}
return(authUser.DepartmentKey == departmentKey);
}
private static void AddPictogramsToUser(GirafUser user, params Pictogram[] pictograms)
{
System.Console.WriteLine("Adding pictograms to " + user.UserName);
foreach (var pict in pictograms)
{
if (pict.AccessLevel != AccessLevel.PRIVATE)
{
throw new InvalidOperationException($"You may only add private pictograms to users." +
" Pictogram id: {pict.Id}, AccessLevel: {pict.AccessLevel}.");
}
new UserResource(user, pict);
}
}
private void AddGuardiansToCitizens(GirafUser user)
{
var roleGuardianId = _giraf._context.Roles.Where(r => r.Name == GirafRole.Guardian)
.Select(c => c.Id).FirstOrDefault();
var userIds = _giraf._context.UserRoles.Where(u => u.RoleId == roleGuardianId)
.Select(r => r.UserId).Distinct();
var guardians = _giraf._context.Users.Where(u => userIds.Any(ui => ui == u.Id) &&
u.DepartmentKey == user.DepartmentKey).ToList();
foreach (var guardian in guardians)
{
user.AddGuardian(guardian);
}
}
private void AddCitizensToGuardian(GirafUser user)
{
// Add a relation to all the newly created guardians citizens
var roleGuardianId = _giraf._context.Roles.Where(r => r.Name == GirafRole.Citizen)
.Select(c => c.Id).FirstOrDefault();
var userIds = _giraf._context.UserRoles.Where(u => u.RoleId == roleGuardianId)
.Select(r => r.UserId).Distinct();
var citizens = _giraf._context.Users.Where(u => userIds.Any(ui => ui == u.Id) &&
u.DepartmentKey == user.DepartmentKey).ToList();
foreach (var citizen in citizens)
{
user.AddCitizen(citizen);
}
}
/// <summary>
/// Check that a user has access to read the template of a given user
/// </summary>
public async Task <bool> HasTemplateAccess(GirafUser authUser)
{
if (authUser == null)
{
return(false);
}
var authUserRole = await _roleManager.findUserRole(_userManager, authUser);
if (authUserRole == GirafRoles.Citizen)
{
return(false);
}
return(true);
}
public async Task <bool> HasTemplateAccess(GirafUser authUser, long?departmentKey)
{
if (departmentKey == null)
{
return(false);
}
var authUserRole = await _roleManager.findUserRole(_userManager, authUser);
if (authUserRole == GirafRoles.SuperUser)
{
return(true);
}
return(HasTemplateAccess(authUser).Result&& authUser?.DepartmentKey == departmentKey);
}
/// <summary>
/// Creates a list of roles a given user is part of
/// </summary>
/// <param name="roleManager">Reference to the roleManager</param>
/// <param name="userManager">Reference to the userManager</param>
/// <param name="user">The user in question</param>
/// <returns>
/// Instance of GirafRole enum
/// </returns>
public static async Task <GirafRoles> findUserRole(
this RoleManager <GirafRole> roleManager,
UserManager <GirafUser> userManager,
GirafUser user)
{
GirafRoles userRole = new GirafRoles();
foreach (var role in roleManager.Roles)
{
if (await userManager.IsInRoleAsync(user, role.Name))
{
userRole = (GirafRoles)Enum.Parse(typeof(GirafRoles), role.Name);
}
}
return(userRole);
}
public Task <bool> CheckPrivateOwnership(Pictogram pictogram, GirafUser user)
{
if (user == null)
{
return(Task.FromResult(false));
}
var ownsResource = _context.UserResources
.Any(ur => ur.Pictogram == pictogram && ur.Other == user);
if (ownsResource)
{
return(Task.FromResult(true));
}
return(Task.FromResult(false));
}
public Task <bool> CheckProtectedOwnership(Pictogram pictogram, GirafUser user)
{
if (user == null)
{
return(Task.FromResult(false));
}
var ownsResource = _context.DepartmentResources
.Any(dr => dr.PictogramKey == pictogram.Id &&
dr.OtherKey == user.DepartmentKey);
if (ownsResource)
{
return(Task.FromResult(true));
}
return(Task.FromResult(false));
}
/// <summary>
/// Checks if the user owns the given <paramref name="pictogram"/>.
/// </summary>
/// <param name="pictogram">The pictogram to check the ownership for.</param>
/// <param name="user"></param>
/// <returns>True if the user is authorized to see the resource and false if not.</returns>
public async Task <bool> CheckPrivateOwnership(Pictogram pictogram, GirafUser user)
{
if (pictogram.AccessLevel != AccessLevel.PRIVATE)
{
return(false);
}
//The pictogram was not public, check if the user owns it.
if (user == null)
{
return(false);
}
var ownedByUser = await _context.UserResources
.Where(ur => ur.PictogramKey == pictogram.Id && ur.OtherKey == user.Id)
.AnyAsync();
return(ownedByUser);
}
/// <summary>
/// Initializes a new instance of the <see cref="T:GirafRest.Models.DTOs.GirafUserDTO"/> class.
/// </summary>
/// <param name="user">User.</param>
/// <param name="userRole">User role.</param>
/// <param name="addGuardianRelation">If set to <c>true</c> add guardian relation.</param>
public GirafUserDTO(GirafUser user, GirafRoles userRole)
{
//Add all trivial values
Id = user.Id;
Username = user.UserName;
ScreenName = user.DisplayName;
RoleName = userRole.ToString();
Role = userRole;
//Check if a user is in a department, add null as key if not.
if (user.Department == null && user.DepartmentKey == -1)
{
Department = null;
}
else
{
Department = user.DepartmentKey;
}
}
/// <summary>
/// Given the authenticated user and the id on another user this methods check if the authenticated user
/// has the access to edit the provided user's userinformation.
/// Does not currently support parents.
/// </summary>
public async Task <bool> HasEditOrReadUserAccess(GirafUser authUser, GirafUser userToEdit)
{
if (authUser == null || userToEdit == null)
{
return(false);
}
var authUserRole = await _roleManager.findUserRole(_userManager, authUser);
var userRole = await _roleManager.findUserRole(_userManager, userToEdit);
if (authUser.Id == userToEdit.Id)
{
return(true);
}
if (userRole == GirafRoles.SuperUser)
{
return(false);
}
switch (authUserRole)
{
case GirafRoles.Citizen:
return(false);
case GirafRoles.Guardian:
if (authUser.DepartmentKey != userToEdit.DepartmentKey || userRole != GirafRoles.Citizen)
{
return(false);
}
break;
case GirafRoles.Department:
if (authUser.DepartmentKey != userToEdit.DepartmentKey)
{
return(false);
}
break;
}
return(true);
}
/// <summary>
/// Checks if the current user's department owns the given resource.
/// </summary>
/// <param name="resource">The resource to check ownership for.</param>
/// <param name="user"></param>
/// <returns>True if the user's department owns the pictogram, false if not.</returns>
public async Task <bool> CheckProtectedOwnership(Pictogram resource, GirafUser user)
{
if (resource.AccessLevel != AccessLevel.PROTECTED)
{
return(false);
}
if (user == null)
{
return(false);
}
//The pictogram was not owned by user, check if his department owns it.
var ownedByDepartment = await _context.DepartmentResources
.Where(dr => dr.PictogramKey == resource.Id && dr.OtherKey == user.Department.Key)
.AnyAsync();
return(ownedByDepartment);
}
public async Task <Response <DepartmentDTO> > Post([FromBody] DepartmentDTO depDTO)
{
try
{
if (depDTO?.Name == null)
{
return(new ErrorResponse <DepartmentDTO>(ErrorCode.MissingProperties,
"Deparment name has to be specified!"));
}
var authenticatedUser = await _giraf.LoadBasicUserDataAsync(HttpContext.User);
if (authenticatedUser == null)
{
return(new ErrorResponse <DepartmentDTO>(ErrorCode.UserNotFound));
}
var userRole = await _roleManager.findUserRole(_giraf._userManager, authenticatedUser);
if (userRole != GirafRoles.SuperUser)
{
return(new ErrorResponse <DepartmentDTO>(ErrorCode.NotAuthorized));
}
//Add the department to the database.
Department department = new Department(depDTO);
//Add all members specified by either id or username in the DTO
if (depDTO.Members != null)
{
foreach (var mem in depDTO.Members)
{
var usr = await _giraf._context.Users
.Where(u => u.UserName == mem.UserName || u.Id == mem.UserId)
.FirstOrDefaultAsync();
if (usr == null)
{
return(new ErrorResponse <DepartmentDTO>(ErrorCode.InvalidProperties,
"The member list contained an invalid id: " + mem));
}
department.Members.Add(usr);
usr.Department = department;
}
}
//Add all the resources with the given ids
if (depDTO.Resources != null)
{
foreach (var reso in depDTO.Resources)
{
var res = await _giraf._context.Pictograms
.Where(p => p.Id == reso)
.FirstOrDefaultAsync();
if (res == null)
{
return(new ErrorResponse <DepartmentDTO>(ErrorCode.InvalidProperties,
"The list of resources contained an invalid resource id: " + reso));
}
var dr = new DepartmentResource(department, res);
await _giraf._context.DepartmentResources.AddAsync(dr);
}
}
await _giraf._context.Departments.AddAsync(department);
//Create a new user with the supplied information
var departmentUser = new GirafUser(depDTO.Name, department)
{
IsDepartment = true
};
//department.Members.Add(user);
var identityUser = await _giraf._userManager.CreateAsync(departmentUser, "0000");
if (identityUser.Succeeded == false)
{
return(new ErrorResponse <DepartmentDTO>(ErrorCode.CouldNotCreateDepartmentUser, string.Join("\n", identityUser.Errors)));
}
await _giraf._userManager.AddToRoleAsync(departmentUser, GirafRole.Department);
//Save the changes and return the entity
await _giraf._context.SaveChangesAsync();
var members = DepartmentDTO.FindMembers(department.Members, _roleManager, _giraf);
return(new Response <DepartmentDTO>(new DepartmentDTO(department, members)));
}
catch (System.Exception e)
{
var errorDescription = $"Exception in Post: {e.Message}, {e.InnerException}";
_giraf._logger.LogError(errorDescription);
return(new ErrorResponse <DepartmentDTO>(ErrorCode.Error, errorDescription));
}
}
public GuardianRelation(GirafUser guardian, GirafUser citizen)
{
this.Citizen = citizen;
this.Guardian = guardian;
}
public async Task <bool> HasEditDepartmentAccess(GirafUser authUser, long?departmentKey)
{
var authUserRole = await _roleManager.findUserRole(_userManager, authUser);
return(authUserRole == GirafRoles.SuperUser);
}
public async Task <Response <GirafUserDTO> > Register([FromBody] RegisterDTO model)
{
if (model == null)
{
return(new ErrorResponse <GirafUserDTO>(ErrorCode.MissingProperties));
}
//Check that all the necesarry data has been supplied
if (!ModelState.IsValid)
{
return(new ErrorResponse <GirafUserDTO>(ErrorCode.MissingProperties));
}
if (String.IsNullOrEmpty(model.Username) || String.IsNullOrEmpty(model.Password))
{
return(new ErrorResponse <GirafUserDTO>(ErrorCode.InvalidCredentials));
}
var UserRoleStr = GirafRoleFromEnumToString(model.Role);
if (UserRoleStr == null)
{
return(new ErrorResponse <GirafUserDTO>(ErrorCode.RoleNotFound));
}
// check that authenticated user has the right to add user for the given department
// else all guardians, deps and admin roles can create user that does not belong to a dep
if (model.DepartmentId != null)
{
if (!(await _authentication.HasRegisterUserAccess(await _giraf._userManager.GetUserAsync(HttpContext.User),
model.Role, model.DepartmentId.Value)))
{
return(new ErrorResponse <GirafUserDTO>(ErrorCode.NotAuthorized));
}
}
var doesUserAlreadyExist = (_giraf._context.Users.FirstOrDefault(u => u.UserName == model.Username) != null);
if (doesUserAlreadyExist)
{
return(new ErrorResponse <GirafUserDTO>(ErrorCode.UserAlreadyExists));
}
Department department = await _giraf._context.Departments.Where(dep => dep.Key == model.DepartmentId).FirstOrDefaultAsync();
// Check that the department with the specified id exists
if (department == null && model.DepartmentId != null)
{
return(new ErrorResponse <GirafUserDTO>(ErrorCode.DepartmentNotFound));
}
//Create a new user with the supplied information
var user = new GirafUser(model.Username, department);
if (model.DisplayName == null)
{
user.DisplayName = model.Username;
}
else
{
user.DisplayName = model.DisplayName;
}
var result = await _giraf._userManager.CreateAsync(user, model.Password);
if (result.Succeeded)
{
if (department != null)
{
if (model.Role == GirafRoles.Citizen)
{
AddGuardiansToCitizens(user);
}
else if (model.Role == GirafRoles.Guardian)
{
AddCitizensToGuardian(user);
}
// save changes
await _giraf._context.SaveChangesAsync();
}
await _giraf._userManager.AddToRoleAsync(user, UserRoleStr);
await _signInManager.SignInAsync(user, isPersistent : true);
_giraf._logger.LogInformation("User created a new account with password.");
return(new Response <GirafUserDTO>(new GirafUserDTO(user, model.Role)));
}
return(new ErrorResponse <GirafUserDTO>(ErrorCode.Error));
}
