/// <summary>
/// Resolves the app named by the <c>app</c> route value, enriches the caller's identity with the
/// role and permission claims found for it, and short-circuits the action when the app is unknown
/// or the caller is not allowed to reach it. Requests without an <c>app</c> route value are passed
/// through with an app-less request context.
/// </summary>
/// <param name="context">The executing action. Its <c>HttpContext.User</c> is mutated in place and
/// <c>Result</c> is set when the request is rejected.</param>
/// <param name="next">The remainder of the pipeline; only invoked when the request is allowed through.</param>
public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
{
    var httpContext = context.HttpContext;
    var principal = httpContext.User;
    var appName = context.RouteData.Values["app"]?.ToString();

    // No app in the route: nothing to resolve, run the action with an empty app context.
    if (string.IsNullOrWhiteSpace(appName))
    {
        SetContext(httpContext, null!);
        await next();
        return;
    }

    var isFrontend = principal.IsInClient(DefaultClients.Frontend);
    var app = await appProvider.GetAppAsync(appName, !isFrontend);

    if (app == null)
    {
        Warn("Cannot find app with the given name.", "404", appName);
        context.Result = new NotFoundResult();
        return;
    }

    // Lookup order matters: subject first, then OpenId client, then the app's anonymous client.
    // Only the two client-based lookups yield a clientId.
    string? clientId = null;

    var (role, permissions) = FindByOpenIdSubject(app, principal, isFrontend);

    if (permissions == null)
    {
        (clientId, role, permissions) = FindByOpenIdClient(app, principal, isFrontend);
    }

    if (permissions == null)
    {
        (clientId, role, permissions) = FindAnonymousClient(app, isFrontend);
    }

    if (permissions != null)
    {
        // Claims are attached to the primary identity before the permission check below runs.
        var identity = principal.Identities.First();

        if (!string.IsNullOrWhiteSpace(role))
        {
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        }

        foreach (var permission in permissions)
        {
            identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission.Id));
        }

        // A client id claim is only synthesised for callers that did not present a token.
        if (principal.Token() == null && clientId != null)
        {
            identity.AddClaim(new Claim(OpenIdClaims.ClientId, clientId));
        }
    }

    var requestContext = SetContext(httpContext, app);

    if (!AllowAnonymous(context) && !HasPermission(appName, requestContext))
    {
        var hasAuthenticationType = !string.IsNullOrWhiteSpace(principal.Identity?.AuthenticationType);

        if (!hasAuthenticationType)
        {
            // Unauthenticated callers are told to authenticate.
            context.Result = new UnauthorizedResult();
        }
        else
        {
            // Authenticated callers without permission get 404 so the app's existence is not disclosed.
            Warn("Authenticated user has no permission to access the app.", app.Id.ToString(), appName);
            context.Result = new NotFoundResult();
        }

        return;
    }

    httpContext.Features.Set<IAppFeature>(new AppFeature(app));

    // NOTE(review): Headers.Add throws if "X-AppId" is already present on the response; the indexer
    // form would overwrite instead — confirm no earlier component sets it.
    httpContext.Response.Headers.Add("X-AppId", app.Id.ToString());

    await next();

    // Emits a structured warning when a semantic log is registered; silently does nothing otherwise.
    void Warn(string message, string appId, string name)
    {
        var log = httpContext.RequestServices?.GetService<ISemanticLog>();

        log?.LogWarning(w => w
            .WriteProperty("message", message)
            .WriteProperty("appId", appId)
            .WriteProperty("appName", name));
    }
}
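/// <summary>
/// Resolves the app named by the <c>app</c> route value, enriches the caller's identity with the
/// role and permission claims found for it, and short-circuits the action when the app is unknown
/// or the caller is not allowed to reach it. Requests without an <c>app</c> route value are passed
/// through with an app-less request context.
/// </summary>
/// <param name="context">The executing action. Its <c>HttpContext.User</c> is mutated in place and
/// <c>Result</c> is set when the request is rejected.</param>
/// <param name="next">The remainder of the pipeline; only invoked when the request is allowed through.</param>
public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
{
    var user = context.HttpContext.User;
    var appName = context.RouteData.Values["app"]?.ToString();

    if (!string.IsNullOrWhiteSpace(appName))
    {
        var isFrontend = user.IsInClient(DefaultClients.Frontend);
        var app = await appProvider.GetAppAsync(appName, !isFrontend);

        if (app == null)
        {
            context.Result = new NotFoundResult();
            return;
        }

        // Lookup order matters: subject first, then OpenId client, then the app's anonymous client.
        var (role, permissions) = FindByOpenIdSubject(app, user, isFrontend);

        if (permissions == null)
        {
            (role, permissions) = FindByOpenIdClient(app, user, isFrontend);
        }

        if (permissions == null)
        {
            (role, permissions) = FindAnonymousClient(app, isFrontend);
        }

        if (permissions != null)
        {
            // Claims are attached to the primary identity before the permission check below runs.
            var identity = user.Identities.First();

            if (!string.IsNullOrWhiteSpace(role))
            {
                identity.AddClaim(new Claim(ClaimTypes.Role, role));
            }

            foreach (var permission in permissions)
            {
                identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission.Id));
            }
        }

        var requestContext = SetContext(context.HttpContext, app);

        if (!AllowAnonymous(context) && !HasPermission(appName, requestContext))
        {
            // Identity can be null for a principal without identities (no claims were added in that
            // case either); treat it like a missing authentication type instead of throwing.
            if (string.IsNullOrWhiteSpace(user.Identity?.AuthenticationType))
            {
                // Unauthenticated callers are told to authenticate.
                context.Result = new UnauthorizedResult();
            }
            else
            {
                // Authenticated callers without permission get 404 so the app's existence is not disclosed.
                context.Result = new NotFoundResult();
            }

            return;
        }

        context.HttpContext.Features.Set<IAppFeature>(new AppFeature(app.NamedId()));

        // NOTE(review): Headers.Add throws if "X-AppId" is already present on the response; the indexer
        // form would overwrite instead — confirm no earlier component sets it.
        context.HttpContext.Response.Headers.Add("X-AppId", app.Id.ToString());
    }
    else
    {
        // No app in the route: nothing to resolve, run the action with an empty app context.
        SetContext(context.HttpContext, null!);
    }

    await next();
}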
/// <summary>
/// A request whose <c>app</c> route value is missing or blank must be rejected with 404 before the
/// action runs and without consulting the app provider.
/// </summary>
/// <param name="app">The route value under test (null or whitespace variants supplied by the theory).</param>
// NOTE(review): the filter versions visible in this file pass an empty app name through to next()
// rather than returning 404 — confirm which implementation this test targets.
public async Task Should_return_not_found_if_app_name_is_null(string? app)
{
    SetupUser();

    actionExecutingContext.RouteData.Values["app"] = app;

    await sut.OnActionExecutionAsync(actionExecutingContext, next);

    // The filter must short-circuit: pipeline not continued, 404 produced, no app lookup attempted.
    Assert.False(isNextCalled);
    Assert.IsType<NotFoundResult>(actionExecutingContext.Result);

    A.CallTo(() => appProvider.GetAppAsync(A<string>._, false, httpContext.RequestAborted))
        .MustNotHaveHappened();
}
/// <summary>
/// When the app provider has no app for the requested name, the filter must answer 404 and must not
/// continue the pipeline.
/// </summary>
public async Task Should_return_not_found_if_app_not_found()
{
    SetupUser();

    IAppEntity? missingApp = null;

    A.CallTo(() => appProvider.GetAppAsync(appName, false))
        .Returns(Task.FromResult(missingApp));

    await sut.OnActionExecutionAsync(actionExecutingContext, next);

    Assert.False(isNextCalled);
    Assert.IsType<NotFoundResult>(actionExecutingContext.Result);
}