public void Create_From_Claims_Identity()
{
var sessionId = Guid.NewGuid().ToString();
var claimsIdentity = new ClaimsIdentity(new[]
{
//This is the id that 'identity' uses to check for the user id
new Claim(ClaimTypes.NameIdentifier, "1234", ClaimValueTypes.Integer32, TestIssuer, TestIssuer),
//This is the id that 'identity' uses to check for the username
new Claim(ClaimTypes.Name, "testing", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(ClaimTypes.GivenName, "hello world", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(Constants.Security.StartContentNodeIdClaimType, "-1", ClaimValueTypes.Integer32, TestIssuer, TestIssuer),
new Claim(Constants.Security.StartMediaNodeIdClaimType, "5543", ClaimValueTypes.Integer32, TestIssuer, TestIssuer),
new Claim(Constants.Security.AllowedApplicationsClaimType, "content", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(Constants.Security.AllowedApplicationsClaimType, "media", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(ClaimTypes.Locality, "en-us", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(Constants.Security.SessionIdClaimType, sessionId, Constants.Security.SessionIdClaimType, TestIssuer, TestIssuer),
new Claim(ClaimsIdentity.DefaultRoleClaimType, "admin", ClaimValueTypes.String, TestIssuer, TestIssuer),
});
var backofficeIdentity = UmbracoBackOfficeIdentity.FromClaimsIdentity(claimsIdentity);
Assert.AreEqual("1234", backofficeIdentity.Id);
Assert.AreEqual(sessionId, backofficeIdentity.SessionId);
Assert.AreEqual("testing", backofficeIdentity.Username);
Assert.AreEqual("hello world", backofficeIdentity.RealName);
Assert.AreEqual(-1, backofficeIdentity.StartContentNode);
Assert.AreEqual(5543, backofficeIdentity.StartMediaNode);
Assert.IsTrue(new[] { "content", "media" }.SequenceEqual(backofficeIdentity.AllowedApplications));
Assert.AreEqual("en-us", backofficeIdentity.Culture);
Assert.IsTrue(new[] { "admin" }.SequenceEqual(backofficeIdentity.Roles));
Assert.AreEqual(10, backofficeIdentity.Claims.Count());
}
public void Initialize()
{
_controller = new DummyController();
var userData = @"{
'Id' : '6C50D4C1-B608-4EFA-B488-C95DBC6F9BA6',
'Roles' : [ 'Editor' ],
'SessionTimeout' : 60,
'RealName' : 'Dummy User',
'StartContentNode' : '',
'StartMediaNode' : '',
'AllowedApplications' : [ 'Content', 'Media' ]
}";
var ticket = new FormsAuthenticationTicket(1, "DummyUser", DateTime.Now.AddHours(-1), DateTime.Now.AddHours(1), false, userData);
var identity = new UmbracoBackOfficeIdentity(ticket);
var user = Substitute.For <IPrincipal>();
user.Identity.Returns(identity);
var httpContext = Substitute.For <HttpContextBase>();
httpContext.User.Returns(user);
var routeData = new RouteData();
var context = new RequestContext(httpContext, routeData);
var controllerContext = new ControllerContext(context, _controller);
_controller.ControllerContext = controllerContext;
}
public void Create_With_Claims_And_User_Data()
{
var sessionId = Guid.NewGuid().ToString();
var userData = new UserData(sessionId)
{
AllowedApplications = new[] { "content", "media" },
Culture = "en-us",
Id = 1234,
RealName = "hello world",
Roles = new[] { "admin" },
StartContentNode = -1,
StartMediaNode = 654,
Username = "******"
};
var claimsIdentity = new ClaimsIdentity(new[]
{
new Claim("TestClaim1", "test", ClaimValueTypes.Integer32, TestIssuer, TestIssuer),
new Claim("TestClaim1", "test", ClaimValueTypes.Integer32, TestIssuer, TestIssuer)
});
var backofficeIdentity = new UmbracoBackOfficeIdentity(claimsIdentity, userData);
Assert.AreEqual(13, backofficeIdentity.Claims.Count());
}
/// <summary>
/// Create a ClaimsIdentity from a user
/// </summary>
/// <param name="manager"/><param name="user"/><param name="authenticationType"/>
/// <returns/>
public override async Task <ClaimsIdentity> CreateAsync(UserManager <T, int> manager, T user, string authenticationType)
{
var baseIdentity = await base.CreateAsync(manager, user, authenticationType);
// now we can flow any custom claims that the actual user has currently assigned which could be done in the OnExternalLogin callback
foreach (var claim in user.Claims)
{
baseIdentity.AddClaim(new Claim(claim.ClaimType, claim.ClaimValue));
}
var umbracoIdentity = new UmbracoBackOfficeIdentity(baseIdentity,
user.Id,
user.UserName,
user.Name,
user.CalculatedContentStartNodeIds,
user.CalculatedMediaStartNodeIds,
user.Culture,
//NOTE - there is no session id assigned here, this is just creating the identity, a session id will be generated when the cookie is written
Guid.NewGuid().ToString(),
user.SecurityStamp,
user.AllowedSections,
user.Roles.Select(x => x.RoleId).ToArray());
return(umbracoIdentity);
}
/// <summary>
/// Unprotects the cookie
/// </summary>
/// <param name="protectedText"></param>
/// <returns></returns>
public AuthenticationTicket Unprotect(string protectedText)
{
FormsAuthenticationTicket decrypt;
try
{
decrypt = FormsAuthentication.Decrypt(protectedText);
if (decrypt == null)
{
return(null);
}
}
catch (Exception)
{
return(null);
}
var identity = new UmbracoBackOfficeIdentity(decrypt);
var ticket = new AuthenticationTicket(identity, new AuthenticationProperties
{
ExpiresUtc = decrypt.Expiration.ToUniversalTime(),
IssuedUtc = decrypt.IssueDate.ToUniversalTime(),
IsPersistent = decrypt.IsPersistent,
AllowRefresh = true
});
return(ticket);
}
/// <summary>
/// Unprotects the cookie
/// </summary>
/// <param name="protectedText"></param>
/// <returns></returns>
public AuthenticationTicket Unprotect(string protectedText)
{
AuthenticationTicket decrypt;
try
{
decrypt = _ticketDataFormat.Unprotect(protectedText);
if (decrypt == null)
{
return(null);
}
}
catch (Exception)
{
return(null);
}
UmbracoBackOfficeIdentity identity;
try
{
identity = UmbracoBackOfficeIdentity.FromClaimsIdentity(decrypt.Identity);
}
catch (Exception)
{
//if it cannot be created return null, will be due to serialization errors in user data most likely due to corrupt cookies or cookies
//for previous versions of Umbraco
return(null);
}
//return the ticket with a UmbracoBackOfficeIdentity
var ticket = new AuthenticationTicket(identity, decrypt.Properties);
return(ticket);
}
public void Create_From_Claims_Identity_Missing_Required_Claim()
{
var claimsIdentity = new ClaimsIdentity(new[]
{
new Claim(ClaimTypes.NameIdentifier, "1234", ClaimValueTypes.Integer32, TestIssuer, TestIssuer),
new Claim(ClaimTypes.Name, "testing", ClaimValueTypes.String, TestIssuer, TestIssuer),
});
Assert.Throws <InvalidOperationException>(() => UmbracoBackOfficeIdentity.FromClaimsIdentity(claimsIdentity));
}
public void Clone()
{
var sessionId = Guid.NewGuid().ToString();
var identity = new UmbracoBackOfficeIdentity(
1234, "testing", "hello world", new[] { 654 }, new[] { 654 }, "en-us", sessionId, sessionId, new[] { "content", "media" }, new[] { "admin" });
var cloned = identity.Clone();
Assert.AreEqual(10, cloned.Claims.Count());
}
protected override Task <AuthenticationTicket> AuthenticateCoreAsync()
{
var sessionId = Guid.NewGuid().ToString();
var identity = new UmbracoBackOfficeIdentity(
-1, "admin", "Admin", new [] { -1 }, new[] { -1 }, "en-US", sessionId, sessionId, new[] { "content", "media", "members" }, new[] { "admin" });
return(Task.FromResult(new AuthenticationTicket(identity,
new AuthenticationProperties()
{
ExpiresUtc = DateTime.Now.AddDays(1)
})));
}
public async Task Get_Root_Result_With_Custom_Start_Nodes()
{
//represents the node(s) that the user will receive as their root based on their custom start node
var rootNodes = ModelMocks.SimpleMockedContent(123, 456);
var startup = new TestStartup(
//This will be invoked before the controller is created so we can modify these mocked services,
(testServices) =>
{
MockServicesForAuthorizationSuccess(testServices, 456);
var mockContentService = Mock.Get(testServices.ServiceContext.ContentService);
mockContentService.Setup(x => x.GetByIds(It.IsAny <int[]>())).Returns(new[]
{
rootNodes
});
mockContentService.Setup(x => x.GetChildren(123)).Returns(new[] { ModelMocks.SimpleMockedContent(789, 123) });
mockContentService.Setup(x => x.GetChildren(456)).Returns(new[] { ModelMocks.SimpleMockedContent(321, 456) });
});
var djson = await Get_Root_Result(app =>
{
//we are doing a custom authz for this call so need to change the startup process
var identity = new UmbracoBackOfficeIdentity(
new UserData(Guid.NewGuid().ToString())
{
Id = 0,
Roles = new[] { "admin" },
AllowedApplications = new[] { "content", "media", "members" },
Culture = "en-US",
RealName = "Admin",
StartContentNodes = new[] { 456 },
StartMediaNodes = new[] { -1 },
Username = "******",
SessionId = Guid.NewGuid().ToString(),
SecurityStamp = Guid.NewGuid().ToString()
});
var httpConfig = startup.UseTestWebApiConfiguration(app);
app.AuthenticateEverything(new AuthenticateEverythingAuthenticationOptions(identity));
app.UseUmbracoRestApi(startup.ApplicationContext);
app.UseWebApi(httpConfig);
}, RouteConstants.ContentSegment);
Assert.AreEqual(1, djson["_links"]["content"].Count());
Assert.AreEqual($"/umbraco/rest/v1/content/{123.ToGuid()}", djson["_links"]["content"]["href"].Value <string>());
Assert.AreEqual(1, djson["_embedded"]["content"].Count());
Assert.AreEqual(rootNodes.Key, (Guid)djson["_embedded"]["content"].First["id"]);
}
public void Create_With_Claims_And_User_Data()
{
var sessionId = Guid.NewGuid().ToString();
var claimsIdentity = new ClaimsIdentity(new[]
{
new Claim("TestClaim1", "test", ClaimValueTypes.Integer32, TestIssuer, TestIssuer),
new Claim("TestClaim1", "test", ClaimValueTypes.Integer32, TestIssuer, TestIssuer)
});
var identity = new UmbracoBackOfficeIdentity(claimsIdentity,
1234, "testing", "hello world", new[] { 654 }, new[] { 654 }, "en-us", sessionId, sessionId, new[] { "content", "media" }, new[] { "admin" });
Assert.AreEqual(12, identity.Claims.Count());
}
public void Create_With_User_Data()
{
var sessionId = Guid.NewGuid().ToString();
var userData = new UserData(sessionId)
{
AllowedApplications = new[] { "content", "media" },
Culture = "en-us",
Id = 1234,
RealName = "hello world",
Roles = new[] { "admin" },
StartMediaNodes = new [] { 654 },
Username = "******"
};
var identity = new UmbracoBackOfficeIdentity(userData);
Assert.AreEqual(11, identity.Claims.Count());
}
public bool TryFindContent(PublishedRequest contentRequest)
{
// handle all requests beginning /website...
var path = contentRequest.Uri.AbsolutePath;
HttpContextBase wrapper = new HttpContextWrapper(HttpContext.Current);
UmbracoBackOfficeIdentity user = wrapper.GetCurrentIdentity(true);
bool isLoggedIn = user != null;
if (!isLoggedIn)
{
if (path.StartsWith("/" + StandingData.UmbracoRootFolderUrl))
{
contentRequest.Is404 = true;
HttpContext.Current.Response.Redirect(path.Replace("/" + StandingData.UmbracoRootFolderUrl, ""));
}
}
return(true);
}
//protected override ApplicationContext CreateApplicationContext()
//{
// serviceContext = MockHelper.GetMockedServiceContext();
// return new ApplicationContext(
// new DatabaseContext(new Mock<IDatabaseFactory>().Object, Mock.Of<ILogger>(), Mock.Of<ISqlSyntaxProvider>(), "test"),
// serviceContext,
// CacheHelper.CreateDisabledCacheHelper(),
// new ProfilingLogger(Mock.Of<ILogger>(), Mock.Of<IProfiler>())
// );
//}
private UmbracoBackOfficeIdentity CreateIdentity(int userId)
{
var sessionId = Guid.NewGuid().ToString();
var userData = new UserData(sessionId)
{
AllowedApplications = new[] { "content", "media" },
Culture = "en-us",
Id = userId,
RealName = "hello world",
Roles = new[] { "admin" },
StartContentNodes = new[] { -1 },
StartMediaNodes = new [] { 654 },
Username = "******"
};
var identity = new UmbracoBackOfficeIdentity(userData);
return(identity);
}
/// <summary>
/// Create a ClaimsIdentity from a user
/// </summary>
/// <param name="manager"/><param name="user"/><param name="authenticationType"/>
/// <returns/>
public override async Task <ClaimsIdentity> CreateAsync(UserManager <T, int> manager, T user, string authenticationType)
{
var baseIdentity = await base.CreateAsync(manager, user, authenticationType);
var umbracoIdentity = new UmbracoBackOfficeIdentity(baseIdentity,
user.Id,
user.UserName,
user.Name,
user.CalculatedContentStartNodeIds,
user.CalculatedMediaStartNodeIds,
user.Culture,
//NOTE - there is no session id assigned here, this is just creating the identity, a session id will be generated when the cookie is written
Guid.NewGuid().ToString(),
user.SecurityStamp,
user.AllowedSections,
user.Roles.Select(x => x.RoleId).ToArray());
return(umbracoIdentity);
}
protected override Task <AuthenticationTicket> AuthenticateCoreAsync()
{
var identity = new UmbracoBackOfficeIdentity(
new UserData(Guid.NewGuid().ToString())
{
Id = 0,
Roles = new[] { "admin" },
AllowedApplications = new[] { "content", "media", "members" },
Culture = "en-US",
RealName = "Admin",
Username = "******"
});
return(Task.FromResult(new AuthenticationTicket(identity,
new AuthenticationProperties()
{
ExpiresUtc = DateTime.Now.AddDays(1)
})));
}
public AuthenticateEverythingAuthenticationOptions()
: base("AuthenticateEverything")
{
AuthenticationMode = AuthenticationMode.Active;
var identity = new UmbracoBackOfficeIdentity(
new UserData(Guid.NewGuid().ToString())
{
Id = 0,
Roles = new[] { "admin" },
AllowedApplications = new[] { "content", "media", "members" },
Culture = "en-US",
RealName = "Admin",
StartContentNodes = new[] { -1 },
StartMediaNodes = new[] { -1 },
Username = "******"
});
UmbracoBackOfficeIdentity = identity;
}
public void Create_From_Claims_Identity_Required_Claim_Null()
{
var sessionId = Guid.NewGuid().ToString();
var claimsIdentity = new ClaimsIdentity(new[]
{
//null or empty
new Claim(ClaimTypes.NameIdentifier, "", ClaimValueTypes.Integer32, TestIssuer, TestIssuer),
new Claim(ClaimTypes.Name, "testing", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(ClaimTypes.GivenName, "hello world", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(Constants.Security.StartContentNodeIdClaimType, "-1", ClaimValueTypes.Integer32, TestIssuer, TestIssuer),
new Claim(Constants.Security.StartMediaNodeIdClaimType, "5543", ClaimValueTypes.Integer32, TestIssuer, TestIssuer),
new Claim(Constants.Security.AllowedApplicationsClaimType, "content", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(Constants.Security.AllowedApplicationsClaimType, "media", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(ClaimTypes.Locality, "en-us", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(Constants.Security.SessionIdClaimType, sessionId, Constants.Security.SessionIdClaimType, TestIssuer, TestIssuer),
new Claim(ClaimsIdentity.DefaultRoleClaimType, "admin", ClaimValueTypes.String, TestIssuer, TestIssuer),
});
Assert.Throws <InvalidOperationException>(() => UmbracoBackOfficeIdentity.FromClaimsIdentity(claimsIdentity));
}
public void Create_With_Forms_Ticket()
{
var sessionId = Guid.NewGuid().ToString();
var userData = new UserData(sessionId)
{
AllowedApplications = new[] { "content", "media" },
Culture = "en-us",
Id = 1234,
RealName = "hello world",
Roles = new[] { "admin" },
StartMediaNodes = new [] { 654 },
Username = "******"
};
var ticket = new FormsAuthenticationTicket(1, userData.Username, DateTime.Now, DateTime.Now.AddDays(1), true,
JsonConvert.SerializeObject(userData));
var identity = new UmbracoBackOfficeIdentity(ticket);
Assert.AreEqual(12, identity.Claims.Count());
}
/// <summary>
/// Unprotects the cookie
/// </summary>
/// <param name="protectedText"></param>
/// <returns></returns>
public AuthenticationTicket Unprotect(string protectedText)
{
FormsAuthenticationTicket decrypt;
try
{
decrypt = FormsAuthentication.Decrypt(protectedText);
if (decrypt == null)
{
return(null);
}
}
catch (Exception)
{
return(null);
}
UmbracoBackOfficeIdentity identity;
try
{
identity = new UmbracoBackOfficeIdentity(decrypt);
}
catch (Exception)
{
//if it cannot be created return null, will be due to serialization errors in user data most likely due to corrupt cookies or cookies
//for previous versions of Umbraco
return(null);
}
var ticket = new AuthenticationTicket(identity, new AuthenticationProperties
{
ExpiresUtc = decrypt.Expiration.ToUniversalTime(),
IssuedUtc = decrypt.IssueDate.ToUniversalTime(),
IsPersistent = decrypt.IsPersistent,
AllowRefresh = true
});
return(ticket);
}
/// <summary>
/// Unprotects the cookie
/// </summary>
/// <param name="protectedText"></param>
/// <returns></returns>
public AuthenticationTicket Unprotect(string protectedText)
{
FormsAuthenticationTicket decrypt;
try
{
decrypt = FormsAuthentication.Decrypt(protectedText);
if (decrypt == null)
{
return(null);
}
}
catch (Exception)
{
return(null);
}
try
{
var identity = new UmbracoBackOfficeIdentity(decrypt);
var ticket = new AuthenticationTicket(identity, new AuthenticationProperties
{
ExpiresUtc = decrypt.Expiration.ToUniversalTime(),
IssuedUtc = decrypt.IssueDate.ToUniversalTime(),
IsPersistent = decrypt.IsPersistent,
AllowRefresh = true
});
return(ticket);
}
catch (JsonReaderException)
{
//catch this and return null if the json is invalid
//NOTE: This will happen when running on local host and developing on 7.6 and 7.7+ because 7.7 has a different
// auth ticket format.
return(null);
}
}
/// <summary>
/// Process an individual request.
/// </summary>
/// <param name="context"/>
/// <returns/>
public override async Task Invoke(IOwinContext context)
{
var request = context.Request;
if (request.Uri.IsClientSideRequest() == false)
{
var claimsPrincipal = context.Request.User as ClaimsPrincipal;
var isPreview = request.HasPreviewCookie() &&
claimsPrincipal != null &&
request.Uri != null &&
request.Uri.IsBackOfficeRequest(HttpRuntime.AppDomainAppVirtualPath) == false;
if (isPreview)
{
//If we've gotten this far it means a preview cookie has been set and a front-end umbraco document request is executing.
// In this case, authentication will not have occurred for an Umbraco back office User, however we need to perform the authentication
// for the user here so that the preview capability can be authorized otherwise only the non-preview page will be rendered.
var cookie = request.Cookies[_cookieOptions.CookieName];
if (cookie.IsNullOrWhiteSpace() == false)
{
var unprotected = _cookieOptions.TicketDataFormat.Unprotect(cookie);
if (unprotected != null)
{
//Ok, we've got a real ticket, now we can add this ticket's identity to the current
// Principal, this means we'll have 2 identities assigned to the principal which we can
// use to authorize the preview and allow for a back office User.
claimsPrincipal.AddIdentity(UmbracoBackOfficeIdentity.FromClaimsIdentity(unprotected.Identity));
}
}
}
}
if (Next != null)
{
await Next.Invoke(context);
}
}
public override async Task Invoke(IOwinContext context)
{
IOwinRequest request = context.Request;
if (request.Uri.AbsolutePath.StartsWith(MagicStrings.PreviewRouteBase) && request.Uri.Segments.Length == 6)
{
string[] segments = request.Uri.Segments;
string userId = segments[3].Trim('/');
IUser user = ApplicationContext.Current.Services.UserService.GetUserById(int.Parse(userId));
UserData userData = GetUserData(user);
Utility.ExpireCookie(UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName);
HttpCookie authCookie = CreateAuthCookie(
user.Name,
segments[2].Trim('/'),
JsonConvert.SerializeObject(userData),
UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName,
UmbracoConfig.For.UmbracoSettings().Security.AuthCookieDomain);
HttpContext.Current.Request.Cookies.Add(authCookie);
HttpContext.Current.Items.Add(UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName, authCookie.Value);
var identity = new UmbracoBackOfficeIdentity(userData);
var securityHelper = new SecurityHelper(context);
securityHelper.AddUserIdentity(identity);
}
if (Next != null)
{
await Next.Invoke(context);
}
}
public AuthenticateEverythingAuthenticationOptions(UmbracoBackOfficeIdentity identity)
: base("AuthenticateEverything")
{
AuthenticationMode = AuthenticationMode.Active;
UmbracoBackOfficeIdentity = identity;
}
