private async Task <Tuple <bool, Organization> > RequiresTwoFactorAsync(User user, string grantType) { if (grantType == "client_credentials") { // Do not require MFA for api key logins return(new Tuple <bool, Organization>(false, null)); } var individualRequired = _userManager.SupportsUserTwoFactor && await _userManager.GetTwoFactorEnabledAsync(user) && (await _userManager.GetValidTwoFactorProvidersAsync(user)).Count > 0; Organization firstEnabledOrg = null; var orgs = (await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id)) .ToList(); if (orgs.Any()) { var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync(); var twoFactorOrgs = orgs.Where(o => OrgUsing2fa(orgAbilities, o.Id)); if (twoFactorOrgs.Any()) { var userOrgs = await _organizationRepository.GetManyByUserIdAsync(user.Id); firstEnabledOrg = userOrgs.FirstOrDefault( o => orgs.Any(om => om.Id == o.Id) && o.TwoFactorIsEnabled()); } } return(new Tuple <bool, Organization>(individualRequired || firstEnabledOrg != null, firstEnabledOrg)); }
public async Task LogUserEventAsync(Guid userId, EventType type, DateTime?date = null) { var events = new List <IEvent> { new EventMessage(_currentContext) { UserId = userId, ActingUserId = userId, Type = type, Date = date.GetValueOrDefault(DateTime.UtcNow) } }; var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync(); var orgs = await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, userId); var orgEvents = orgs.Where(o => CanUseEvents(orgAbilities, o.Id)) .Select(o => new EventMessage(_currentContext) { OrganizationId = o.Id, UserId = userId, ActingUserId = userId, Type = type, Date = DateTime.UtcNow }); var providerAbilities = await _applicationCacheService.GetProviderAbilitiesAsync(); var providers = await _currentContext.ProviderMembershipAsync(_providerUserRepository, userId); var providerEvents = providers.Where(o => CanUseProviderEvents(providerAbilities, o.Id)) .Select(p => new EventMessage(_currentContext) { ProviderId = p.Id, UserId = userId, ActingUserId = userId, Type = type, Date = DateTime.UtcNow }); if (orgEvents.Any() || providerEvents.Any()) { events.AddRange(orgEvents); events.AddRange(providerEvents); await _eventWriteService.CreateManyAsync(events); } else { await _eventWriteService.CreateAsync(events.First()); } }
public async Task GetProfileDataAsync(ProfileDataRequestContext context) { var existingClaims = context.Subject.Claims; var newClaims = new List <Claim>(); var user = await _userService.GetUserByPrincipalAsync(context.Subject); if (user != null) { var isPremium = await _licensingService.ValidateUserPremiumAsync(user); var orgs = await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id); var providers = await _currentContext.ProviderMembershipAsync(_providerUserRepository, user.Id); foreach (var claim in CoreHelpers.BuildIdentityClaims(user, orgs, providers, isPremium)) { var upperValue = claim.Value.ToUpperInvariant(); var isBool = upperValue == "TRUE" || upperValue == "FALSE"; newClaims.Add(isBool ? new Claim(claim.Key, claim.Value, ClaimValueTypes.Boolean) : new Claim(claim.Key, claim.Value) ); } } // filter out any of the new claims var existingClaimsToKeep = existingClaims .Where(c => !c.Type.StartsWith("org") && (newClaims.Count == 0 || !newClaims.Any(nc => nc.Type == c.Type))) .ToList(); newClaims.AddRange(existingClaimsToKeep); if (newClaims.Any()) { context.IssuedClaims.AddRange(newClaims); } }
public async Task <bool> CanAccessPremium(ITwoFactorProvidersUser user) { var userId = user.GetUserId(); if (!userId.HasValue) { return(false); } if (user.GetPremium()) { return(true); } var orgs = await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, userId.Value); if (!orgs.Any()) { return(false); } var orgAbilities = await _applicationCacheService.GetOrganizationAbilitiesAsync(); return(orgs.Any(o => orgAbilities.ContainsKey(o.Id) && orgAbilities[o.Id].UsersGetPremium && orgAbilities[o.Id].Enabled)); }
public async Task <Client> FindClientByIdAsync(string clientId) { if (!_globalSettings.SelfHosted && clientId.StartsWith("installation.")) { var idParts = clientId.Split('.'); if (idParts.Length > 1 && Guid.TryParse(idParts[1], out Guid id)) { var installation = await _installationRepository.GetByIdAsync(id); if (installation != null) { return(new Client { ClientId = $"installation.{installation.Id}", RequireClientSecret = true, ClientSecrets = { new Secret(installation.Key.Sha256()) }, AllowedScopes = new string[] { "api.push", "api.licensing" }, AllowedGrantTypes = GrantTypes.ClientCredentials, AccessTokenLifetime = 3600 * 24, Enabled = installation.Enabled, Claims = new List <ClientClaim> { new ClientClaim(JwtClaimTypes.Subject, installation.Id.ToString()) } }); } } } else if (_globalSettings.SelfHosted && clientId.StartsWith("internal.") && CoreHelpers.SettingHasValue(_globalSettings.InternalIdentityKey)) { var idParts = clientId.Split('.'); if (idParts.Length > 1) { var id = idParts[1]; if (!string.IsNullOrWhiteSpace(id)) { return(new Client { ClientId = $"internal.{id}", RequireClientSecret = true, ClientSecrets = { new Secret(_globalSettings.InternalIdentityKey.Sha256()) }, AllowedScopes = new string[] { "internal" }, AllowedGrantTypes = GrantTypes.ClientCredentials, AccessTokenLifetime = 3600 * 24, Enabled = true, Claims = new List <ClientClaim> { new ClientClaim(JwtClaimTypes.Subject, id) } }); } } } else if (clientId.StartsWith("organization.")) { var idParts = clientId.Split('.'); if (idParts.Length > 1 && Guid.TryParse(idParts[1], out var id)) { var org = await _organizationRepository.GetByIdAsync(id); if (org != null) { return(new Client { ClientId = $"organization.{org.Id}", RequireClientSecret = true, ClientSecrets = { new Secret(org.ApiKey.Sha256()) }, AllowedScopes = new string[] { "api.organization" }, AllowedGrantTypes = GrantTypes.ClientCredentials, AccessTokenLifetime = 3600 * 1, Enabled = org.Enabled && org.UseApi, Claims = new List <ClientClaim> { new ClientClaim(JwtClaimTypes.Subject, org.Id.ToString()) } }); } } } else if (clientId.StartsWith("user.")) { var idParts = clientId.Split('.'); if (idParts.Length > 1 && Guid.TryParse(idParts[1], out var id)) { var user = await _userRepository.GetByIdAsync(id); if (user != null) { var claims = new Collection <ClientClaim>() { new ClientClaim(JwtClaimTypes.Subject, user.Id.ToString()), new ClientClaim(JwtClaimTypes.AuthenticationMethod, "Application", "external") }; var orgs = await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id); var isPremium = await _licensingService.ValidateUserPremiumAsync(user); foreach (var claim in CoreHelpers.BuildIdentityClaims(user, orgs, isPremium)) { var upperValue = claim.Value.ToUpperInvariant(); var isBool = upperValue == "TRUE" || upperValue == "FALSE"; claims.Add(isBool ? new ClientClaim(claim.Key, claim.Value, ClaimValueTypes.Boolean) : new ClientClaim(claim.Key, claim.Value) ); } return(new Client { ClientId = clientId, RequireClientSecret = true, ClientSecrets = { new Secret(user.ApiKey.Sha256()) }, AllowedScopes = new string[] { "api" }, AllowedGrantTypes = GrantTypes.ClientCredentials, AccessTokenLifetime = 3600 * 1, ClientClaimsPrefix = null, Claims = claims }); } } } return(_staticClientStore.ApiClients.ContainsKey(clientId) ? _staticClientStore.ApiClients[clientId] : null); }