public override Task <bool> CheckAccessAsync(ResourceAuthorizationContext context) { //The IdentityServer admin must add the relevant application claim to the user allow the user to access the application if (!context.Principal.HasClaim("application", Properties.Settings.Default.ClientId)) { return(Nok()); } switch (context.Resource.First().Value) { #region A resouce roughly translates to a table in your database //This determines if the user has access to the resource. //If the user has access, the action parameter will determine //whether the action being performed is authorised or not. //Again, it's up to you to decided what acions are defined //for which resource. #endregion case "SubUser": return(DefaultActionAuthorize(context)); case "SuperUserEndOfShift": return(DefaultActionAuthorize(context)); case "TempModel": return(DefaultActionAuthorize(context)); default: return(Nok()); } }
public override Task <bool> CheckAccessAsync(ResourceAuthorizationContext ctx) { var resource = ctx.Resource.First().Value; if (resource == UhomeResources.VideoClip) { return(CheckAccessVideoClipAsync(ctx)); } if (resource == UhomeResources.Case) { return(CheckAccessCaseAsync(ctx)); } if (resource == UhomeResources.User) { return(CheckAccessUserAsync(ctx)); } if (resource == UhomeResources.DownloadItem) { return(CheckAccessDownloadItemAsync(ctx)); } if (resource == UhomeResources.Event) { return(CheckAccessEventAsync(ctx)); } return(Nok()); }
public override Task <bool> CheckAccessAsync(ResourceAuthorizationContext context) { //TRACE EVERYTHING. We will have to clean out logs every week, month or something. Logger.Trace("\n\nClaimsAuthorizationManager\n_______________________\n"); Logger.Trace("\nAction:"); Logger.Trace(" " + context.Action.First().Value); Logger.Trace("\nResources:"); foreach (var resource in context.Resource) { Logger.Trace(" " + resource.Value); } Logger.Trace("\nClaims:"); foreach (var claim in context.Principal.Claims) { Logger.Trace(" " + claim.Value); } Logger.Trace(" " + context.Action.First().Value); //Handle Authorization. So it dont need to be in a big switch, we need to figure out how we want to this. //I just want authoriation seperated from business logic, and unit tests can be made on the authorizationManager. var action = context.Action.First().Value; return(Ok()); }
private Task <bool> CheckRolesAccessAsync(ResourceAuthorizationContext context) { var principal = context.Principal; var resourceName = Resources.Roles; if (principal.Identity.IsAuthenticated) { var actionName = GetActionName(context); if (HasResourceAndAction(principal, resourceName, actionName)) { // No se puede eliminar el Rol 1 if (actionName == Resources.RolesActions.Eliminar) { if (GetResourceId(context) == "1") { return(Nok()); } } return(Ok()); } } return(Nok()); }
private Task <bool> CheckRealmAssetAccessAsync(ResourceAuthorizationContext context, Realm realm, string path) { var action = context.Action.First().Value; switch (action) { case GunchoResources.AssetActions.Create: case GunchoResources.AssetActions.Import: //XXX return(Nok()); case GunchoResources.AssetActions.Delete: case GunchoResources.AssetActions.Edit: return(Eval(HasRealmAccessLevel(context, realm, RealmAccessLevel.EditSource))); case GunchoResources.AssetActions.Share: return(Eval(HasRealmAccessLevel(context, realm, RealmAccessLevel.EditAccess))); case GunchoResources.AssetActions.List: case GunchoResources.AssetActions.View: case GunchoResources.AssetActions.ViewHistory: return(Eval(HasRealmAccessLevel(context, realm, RealmAccessLevel.ViewSource))); } return(Nok()); }
private Task <bool> CheckUsuariosAccessAsync(ResourceAuthorizationContext context) { var principal = context.Principal; var resourceName = Resources.Usuarios; if (principal.Identity.IsAuthenticated) { var actionName = GetActionName(context); if (HasResourceAndAction(principal, resourceName, actionName)) { // No se puede editar o eliminar a si mismo if (actionName == Resources.UsuariosActions.Editar || actionName == Resources.UsuariosActions.Eliminar) { var userId = principal.FindFirst("user_sid").Value; if (GetResourceId(context) == userId) { return(Nok()); } } return(Ok()); } } return(Nok()); }
private Task <bool> DefaultActionAuthorize(ResourceAuthorizationContext context) { #region Below is a sample of what actions are. //You can create actions to suit the requirements of your app //such as "delete", "update", "create" etc #endregion switch (context.Action.First().Value) { case "read": return(Eval(context.Principal.HasClaim(ClaimTypes.Role, "reader"))); case "edit": return(Eval(context.Principal.HasClaim(ClaimTypes.Role, "editor"))); case "create": return(Eval(context.Principal.HasClaim(ClaimTypes.Role, "creator"))); case "delete": return(Eval(context.Principal.HasClaim(ClaimTypes.Role, "remover"))); case "Transactions": return(Eval(context.Principal.HasClaim(ClaimTypes.Role, "transactions"))); //not added yet case "PrintOut": return(Eval(context.Principal.HasClaim(ClaimTypes.Role, "printout"))); //not added yet default: return(Nok()); } }
public void AnonymousCannotEditEvent() { var ctx1 = new ResourceAuthorizationContext(Anonymous, UhomeResources.EventActions.Edit, UhomeResources.Event); Assert.IsFalse(subject.CheckAccessAsync(ctx1).Result); }
public void AnonymousCannotListUser() { var ctx = new ResourceAuthorizationContext(Anonymous, UhomeResources.Actions.List, UhomeResources.User); Assert.IsFalse(subject.CheckAccessAsync(ctx).Result); }
public Task <bool> CheckAccessVideoClipAsync(ResourceAuthorizationContext ctx) { var user = ctx.Principal.Identity; if (!user.IsAuthenticated) { return(Nok()); } var action = ctx.Action.First().Value; if (action == UhomeResources.VideoClipActions.View) { return(Ok()); } if (action == UhomeResources.VideoClipActions.Edit) { if (ctx.Principal.IsInRole("Admin")) { return(Ok()); } } return(Nok()); }
public override Task <bool> CheckAccessAsync(ResourceAuthorizationContext context) { var permissions = db.Permission.Where(p => true).ToList(); List <string> clients = new List <string>() { "c-01", "c-02", "c-04" }; //this should not be hard code but get from database var sources = context.Resource; var claims = context.Principal; var aa = context.Action; if (permissions.Any(p => sources.Any(r => r.Value == p.ResourceName) && claims.HasClaim("client_role", p.RoleName))) { return(Ok()); } if (permissions.Any(p => context.Action.Any(a => a.Value == p.ActionName) && claims.HasClaim("client_role", p.RoleName))) { return(Ok()); } if (permissions.Any(p => context.Action.Any(a => a.Value == p.ActionName) && clients.Contains(context.Principal.Claims.First(c => c.Type == "client_id").Value))) { return(Ok()); } return(Nok()); }
public async Task Invoke(IDictionary <string, object> env) { var context = new OwinContext(env); var resourceContext = context.ResolveDependency <ResourceContext>(); var options = context.ResolveDependency <MultiTenantBlobStorageOptions>(); resourceContext.Route = await context.ResolveDependency <IRequestTenantResolver>().GetRouteAsync(context.Request); resourceContext.Action = string.Format("{0}_{1}{2}", resourceContext.Route.Path.IsMissing() ? (resourceContext.Route.Resource.IsMissing() ? Constants.Actions.TenantPrefix : Constants.Actions.ContainerPrefix) : Constants.Actions.BlobPrefix, context.Request.Method.ToLower(), context.Request.Query["comp"].IsPresent() ? "_" + context.Request.Query["comp"] : ""); var requestHandler = context.ResolveDependency <IRequestHandlerService>(); var authService = context.ResolveDependency <IAuthenticationService>(); resourceContext.User = context.Authentication.User = await authService.AuthenticateRequestAsync(context.Request, options) ?? new ClaimsPrincipal(); ResourceAuthorizationContext resourceAuthContext = null; if (await authService.SkipAuthorizationManagerAsync(context, resourceContext) || await context.CheckAccessAsync(resourceAuthContext = resourceContext.GetResourceAuthorizationContext())) { await requestHandler.HandleAsync(context, resourceContext); } else { HandleUnauthorizedRequest(context, resourceAuthContext); } // context.Response.Body.Flush(); }
public void AuthenticatedStaffCanViewAssignedCase() { var staff = User("StaffUser", new string[] { "Staff" }); var applicationUser1 = new ApplicationUser(); applicationUser1.UserName = staff.Identity.Name; db.Users.Add(applicationUser1); var applicationUser2 = new ApplicationUser(); applicationUser2.UserName = "******"; db.Users.Add(applicationUser2); var @case = CreateCase(); @case.ApplicationUserId = applicationUser2.Id; db.Cases.Add(@case); @case.CaseAssignment = new CaseAssignment(); @case.CaseAssignment.ApplicationUserId = applicationUser1.Id; @case.CaseAssignment.AssignmentDate = System.DateTime.Now; @case.UpdatedAt = System.DateTime.Now; db.SaveChanges(); var ctx = new ResourceAuthorizationContext(staff, UhomeResources.Actions.View, UhomeResources.Case, @case.ID.ToString()); Assert.IsTrue(subject.CheckAccessAsync(ctx).Result); }
public void Authenticated_Manager_Cannot_Edit_Track() { var ctx = new ResourceAuthorizationContext(User("test", "Manager"), ChinookResources.TrackActions.Edit, ChinookResources.Track); Assert.IsFalse(subject.CheckAccessAsync(ctx).Result); }
public void AuthenticatedAdminCanEditUser() { var admin = User("AdminUser", new string[] { "Admin" }); var ctx = new ResourceAuthorizationContext(admin, UhomeResources.Actions.Edit, UhomeResources.User); Assert.IsTrue(subject.CheckAccessAsync(ctx).Result); }
public void AuthenticatedNonAdminCannotEditUser() { var user = User("John"); var ctx = new ResourceAuthorizationContext(user, UhomeResources.Actions.Edit, UhomeResources.User); Assert.IsFalse(subject.CheckAccessAsync(ctx).Result); }
public void Authenticated_Admin_Can_Edit_Track() { var ctx = new ResourceAuthorizationContext(User("test", "Admin"), ChinookResources.TrackActions.Edit, ChinookResources.Track); Assert.IsTrue(subject.CheckAccessAsync(ctx).Result); }
public void Authenticated_Can_View_Album() { var ctx = new ResourceAuthorizationContext(User("test"), ChinookResources.AlbumActions.View, ChinookResources.Album); Assert.IsTrue(subject.CheckAccessAsync(ctx).Result); }
public void Anonymous_Cannot_Access_Track() { var ctx = new ResourceAuthorizationContext(Anonymous, ChinookResources.TrackActions.Edit, ChinookResources.Track); Assert.IsFalse(subject.CheckAccessAsync(ctx).Result); }
public void AuthenticatedCanListCase() { var user = User("John"); var ctx = new ResourceAuthorizationContext(user, UhomeResources.Actions.List, UhomeResources.Case); Assert.IsTrue(subject.CheckAccessAsync(ctx).Result); }
public void AuthenticatedManagerCanAdminEditCase() { var manager = User("ManagerUser", new string[] { "Manager" }); var ctx = new ResourceAuthorizationContext(manager, UhomeResources.Actions.AdminEdit, UhomeResources.Case); Assert.IsTrue(subject.CheckAccessAsync(ctx).Result); }
public override Task <bool> CheckAccessAsync(ResourceAuthorizationContext context) { return(this.Eval( this.currentPolicies.ContainsPolicy( context.Resource.First().Value, context.Action.First().Value, context.Principal.Claims.Where(x => x.Type.Equals(ClaimTypes.Role)).Select(x => x.Value).ToList()))); }
private Task <bool> CheckProfileEditAccessAsync(ResourceAuthorizationContext context) { var profileUser = context.Resource.Skip(1).Take(1).Single().Value; var username = context.Principal.Identity.Name; username = username.Substring(username.LastIndexOf(@"\", StringComparison.OrdinalIgnoreCase) + 1); return(Eval(profileUser == username)); }
private Task <bool> AuthorizeContactDetails(ResourceAuthorizationContext context) { switch (context.Action.First().Value) { default: return(Nok()); } }
public void Authenticated_NonAdmin_Cannot_Edit_Album() { var ctx = new ResourceAuthorizationContext(User("test"), ChinookResources.AlbumActions.Edit, ChinookResources.Album); Assert.IsFalse(subject.CheckAccessAsync(ctx).Result); }
public void AuthenticatedCanViewEvent() { var user = User("John"); var ctx = new ResourceAuthorizationContext(user, UhomeResources.EventActions.View, UhomeResources.Event); Assert.IsTrue(subject.CheckAccessAsync(ctx).Result); }
Task <bool> CheckTodoReadAccessAsync(ResourceAuthorizationContext context) { if (!context.Principal.Claims.Any(claim => claim.Type == "scope" && claim.Value == "read")) { return(Nok()); } return(Ok()); }
public void AuthenticatedAdminCanEditEvent() { var roles = new string[] { "Admin" }; var user = User("John", roles); var ctx = new ResourceAuthorizationContext(user, UhomeResources.EventActions.Edit, UhomeResources.Event); Assert.IsTrue(subject.CheckAccessAsync(ctx).Result); }
public void AuthenticatedNonAdminCannotEditEvent() { var roles = new string[] { "Manager", "Staff", "FreeAccount", "SilverAccount", "GoldAccount" }; var user = User("John", roles); var ctx = new ResourceAuthorizationContext(user, UhomeResources.EventActions.Edit, UhomeResources.Event); Assert.IsFalse(subject.CheckAccessAsync(ctx).Result); }
public static Task <bool> CheckAccessAsync(this HttpRequestMessage request, IEnumerable <Claim> actions, IEnumerable <Claim> resources) { var authorizationContext = new ResourceAuthorizationContext( request.GetOwinContext().Authentication.User ?? Principal.Anonymous, actions, resources); return(request.CheckAccessAsync(authorizationContext)); }