예제 #1
        /// <summary>
        /// Authenticates <paramref name="credentials"/> presented by <paramref name="actorDeviceId"/> on behalf of
        /// the identity named at the head of the credentials' auth-chain, using only what is already cached.
        /// </summary>
        /// <param name="credentials">Credentials carrying an OnBehalfOf auth-chain; the chain is assumed to be present.</param>
        /// <param name="actorDeviceId">Device id of the connecting actor (the child Edge acting on behalf of the target).</param>
        /// <param name="syncServiceIdentity">Forwarded unchanged to the service-identity check for the actor's EdgeHub.</param>
        /// <returns>
        /// <c>(false, false)</c> when no auth-chain is cached for the target, <c>(false, true)</c> when a chain exists
        /// but does not authorize the actor, otherwise whatever the service-identity check for the actor's EdgeHub returns.
        /// </returns>
        /// <exception cref="InvalidOperationException">The credentials' auth-chain yields no target identity.</exception>
        async Task<(bool isAuthenticated, bool serviceIdentityFound)> AuthenticateWithAuthChain(T credentials, string actorDeviceId, bool syncServiceIdentity)
        {
            // The target is the head of the chain the client itself presented; nothing about the
            // request has been verified at this point, so treat it as caller-supplied until
            // ValidateAuthChain below has accepted the (actor, target) pair.
            string target = AuthChainHelpers
                .GetAuthTarget(credentials.AuthChain)
                .Expect(() => new InvalidOperationException("Credentials should always have a valid auth-chain for OnBehalfOf authentication"));

            // Nested Edge: the target must be in our device scope, i.e. we must hold a chain for it.
            Option<string> cachedChain = await this.deviceScopeIdentitiesCache.GetAuthChain(target);
            if (!cachedChain.HasValue)
            {
                Events.NoAuthChain(target);
                return (false, false);
            }

            // Target is known; now decide whether this particular actor may act on its behalf.
            string chain = cachedChain.OrDefault();
            if (!AuthChainHelpers.ValidateAuthChain(actorDeviceId, target, chain))
            {
                Events.UnauthorizedAuthChain(actorDeviceId, target, chain);
                return (false, true);
            }

            // The credentials themselves are checked against the actor's own EdgeHub module identity.
            string actorEdgeHubId = $"{actorDeviceId}/{Constants.EdgeHubModuleId}";
            return await this.AuthenticateWithServiceIdentity(credentials, actorEdgeHubId, syncServiceIdentity);
        }
예제 #2
        /// <summary>
        /// Authenticates <paramref name="credentials"/> presented by <paramref name="actorDeviceId"/> on behalf of
        /// the identity named at the head of the credentials' auth-chain, refreshing that identity from upstream
        /// once when the cache does not know it.
        /// </summary>
        /// <param name="credentials">Credentials carrying an OnBehalfOf auth-chain; the chain is assumed to be present.</param>
        /// <param name="actorDeviceId">Device id of the connecting actor (the child Edge acting on behalf of the target).</param>
        /// <param name="syncServiceIdentity">
        /// Accepted for signature compatibility only: the service-identity check below is always invoked with
        /// <c>false</c>, so this flag is not honored here.
        /// </param>
        /// <returns>
        /// <c>(false, false)</c> when no auth-chain is available for the target even after a refresh,
        /// <c>(false, true)</c> when a chain exists but does not authorize the actor, otherwise whatever the
        /// service-identity check for the actor's EdgeHub returns.
        /// </returns>
        /// <exception cref="InvalidOperationException">The credentials' auth-chain yields no target identity.</exception>
        async Task<(bool isAuthenticated, bool serviceIdentityFound)> AuthenticateWithAuthChain(T credentials, string actorDeviceId, bool syncServiceIdentity)
        {
            // The target is the head of the chain the client itself presented; nothing about the
            // request has been verified at this point, so treat it as caller-supplied until
            // ValidateAuthChain below has accepted the (actor, target) pair.
            string target = AuthChainHelpers
                .GetAuthTarget(credentials.AuthChain)
                .Expect(() => new InvalidOperationException("Credentials should always have a valid auth-chain for OnBehalfOf authentication"));

            // Nested Edge: the target must be in our device scope, i.e. we must hold a chain for it.
            Option<string> chainOption = await this.deviceScopeIdentitiesCache.GetAuthChain(target);
            if (!chainOption.HasValue)
            {
                // Cache miss. The target may have been created upstream after our last sync, so
                // pull it once before concluding it is out of scope.
                // NOTE(review): this upstream refresh is reached before any credential or chain
                // check has passed, with a target id taken from the unauthenticated request —
                // confirm the cache or upstream path bounds how often a single client can trigger it.
                Events.NoAuthChainResyncing(target, actorDeviceId);
                await this.deviceScopeIdentitiesCache.RefreshServiceIdentityOnBehalfOf(target, actorDeviceId);
                chainOption = await this.deviceScopeIdentitiesCache.GetAuthChain(target);
            }

            if (!chainOption.HasValue)
            {
                // Still unknown after the refresh: the target is out of our scope.
                Events.NoAuthChain(target);
                return (false, false);
            }

            // Target is known; now decide whether this particular actor may act on its behalf.
            string chain = chainOption.OrDefault();
            if (!AuthChainHelpers.ValidateAuthChain(actorDeviceId, target, chain))
            {
                Events.UnauthorizedAuthChain(actorDeviceId, target, chain);
                return (false, true);
            }

            // The credentials themselves are checked against the actor's own EdgeHub module identity.
            // A refresh has already happened above on a cache miss, so the check is told not to sync again.
            // NOTE(review): when the chain was served from cache no refresh happened at all, so a stale
            // actor EdgeHub identity is not re-synced on this path either — confirm that is intended.
            string actorEdgeHubId = $"{actorDeviceId}/{Constants.EdgeHubModuleId}";
            return await this.AuthenticateWithServiceIdentity(credentials, actorEdgeHubId, false);
        }