/// <inheritdoc /> public ulong GetRight(RightsType rightsType) { var isInstance = RightsHelper.IsInstanceRight(rightsType); //forces the null user check var pullThis = User; if (isInstance && InstanceUser == null) { return(0); } var rightsEnum = RightsHelper.RightToType(rightsType); // use the api versions because they're the ones that contain the actual properties var typeToCheck = isInstance ? typeof(InstanceUser) : typeof(User); var nullableType = typeof(Nullable <>); var nullableRightsType = nullableType.MakeGenericType(rightsEnum); var prop = typeToCheck.GetProperties().Where(x => x.PropertyType == nullableRightsType).First(); var right = prop.GetMethod.Invoke(isInstance ? (object)InstanceUser : User, Array.Empty <object>()); if (right == null) { throw new InvalidOperationException("A user right was null!"); } return((ulong)right); }
public void TestAllPowerOfTwo() { var ulongType = typeof(ulong); foreach (var I in Enum.GetValues(typeof(RightsType)).Cast <RightsType>()) { var expectedLog = -1; var rightType = RightsHelper.RightToType(I); foreach (var J in Enum.GetValues(rightType)) { Assert.AreEqual(ulongType, Enum.GetUnderlyingType(rightType)); var asUlong = (ulong)J; var isOne = asUlong == 1; if (!isOne) { Assert.AreEqual(0U, asUlong % 2, String.Format("Enum {0} of {1} is not a power of 2!", Enum.GetName(rightType, asUlong), rightType)); } if (expectedLog > -1) { var log = Math.Log(asUlong, 2); if (log != expectedLog) { Assert.Fail(String.Format("Expected Log2({1}) == {0} to come next for {2}, got {3} instead!", expectedLog, Enum.GetName(rightType, asUlong), rightType, log)); } } ++expectedLog; } } }
/// <inheritdoc /> public async Task InjectClaimsIntoContext(TokenValidatedContext tokenValidatedContext, CancellationToken cancellationToken) { if (tokenValidatedContext == null) { throw new ArgumentNullException(nameof(tokenValidatedContext)); } // Find the user id in the token var userIdClaim = tokenValidatedContext.Principal.FindFirst(JwtRegisteredClaimNames.Sub); if (userIdClaim == default) { throw new InvalidOperationException("Missing required claim!"); } long userId; try { userId = Int64.Parse(userIdClaim.Value, CultureInfo.InvariantCulture); } catch (Exception e) { throw new InvalidOperationException("Failed to parse user ID!", e); } ApiHeaders apiHeaders; try { apiHeaders = new ApiHeaders(tokenValidatedContext.HttpContext.Request.GetTypedHeaders()); } catch (InvalidOperationException) { // we are not responsible for handling header validation issues return; } // This populates the CurrentAuthenticationContext field for use by us and subsequent controllers await authenticationContextFactory.CreateAuthenticationContext(userId, apiHeaders.InstanceId, tokenValidatedContext.SecurityToken.ValidFrom, cancellationToken).ConfigureAwait(false); var authenticationContext = authenticationContextFactory.CurrentAuthenticationContext; var enumerator = Enum.GetValues(typeof(RightsType)); var claims = new List <Claim>(); foreach (RightsType I in enumerator) { // if there's no instance user, do a weird thing and add all the instance roles // we need it so we can get to OnActionExecutionAsync where we can properly decide between BadRequest and Forbid // if user is null that means they got the token with an expired password var rightInt = authenticationContext.User == null || (RightsHelper.IsInstanceRight(I) && authenticationContext.InstanceUser == null) ? ~0U : authenticationContext.GetRight(I); var rightEnum = RightsHelper.RightToType(I); var right = (Enum)Enum.ToObject(rightEnum, rightInt); foreach (Enum J in Enum.GetValues(rightEnum)) { if (right.HasFlag(J)) { claims.Add(new Claim(ClaimTypes.Role, RightsHelper.RoleName(I, J))); } } } tokenValidatedContext.Principal.AddIdentity(new ClaimsIdentity(claims)); }
/// <summary> /// Runs after a <see cref="Token"/> has been validated. Creates the <see cref="IAuthenticationContext"/> for the <see cref="ControllerBase.Request"/> /// </summary> /// <param name="context">The <see cref="TokenValidatedContext"/> for the operation</param> /// <returns>A <see cref="Task"/> representing the running operation</returns> public static async Task OnTokenValidated(TokenValidatedContext context) { var databaseContext = context.HttpContext.RequestServices.GetRequiredService <IDatabaseContext>(); var authenticationContextFactory = context.HttpContext.RequestServices.GetRequiredService <IAuthenticationContextFactory>(); var userIdClaim = context.Principal.FindFirst(JwtRegisteredClaimNames.Sub); if (userIdClaim == default(Claim)) { throw new InvalidOperationException("Missing required claim!"); } long userId; try { userId = Int64.Parse(userIdClaim.Value, CultureInfo.InvariantCulture); } catch (Exception e) { throw new InvalidOperationException("Failed to parse user ID!", e); } ApiHeaders apiHeaders; try { apiHeaders = new ApiHeaders(context.HttpContext.Request.GetTypedHeaders()); } catch { //let OnActionExecutionAsync handle the reponse return; } await authenticationContextFactory.CreateAuthenticationContext(userId, apiHeaders.InstanceId, context.SecurityToken.ValidFrom, context.HttpContext.RequestAborted).ConfigureAwait(false); var authenticationContext = authenticationContextFactory.CurrentAuthenticationContext; var enumerator = Enum.GetValues(typeof(RightsType)); var claims = new List <Claim>(); foreach (RightsType I in enumerator) { //if there's no instance user, do a weird thing and add all the instance roles //we need it so we can get to OnActionExecutionAsync where we can properly decide between BadRequest and Forbid //if user is null that means they got the token with an expired password var rightInt = authenticationContext.User == null || (RightsHelper.IsInstanceRight(I) && authenticationContext.InstanceUser == null) ? ~0U : authenticationContext.GetRight(I); var rightEnum = RightsHelper.RightToType(I); var right = (Enum)Enum.ToObject(rightEnum, rightInt); foreach (Enum J in Enum.GetValues(rightEnum)) { if (right.HasFlag(J)) { claims.Add(new Claim(ClaimTypes.Role, RightsHelper.RoleName(I, J))); } } } context.Principal.AddIdentity(new ClaimsIdentity(claims)); }