TryParseBody() 공개 정적인 메소드

public static TryParseBody ( X509Certificate2 cert, string token, AccessTokenBody &body ) : bool
cert System.Security.Cryptography.X509Certificates.X509Certificate2
token string
body AccessTokenBody
리턴 bool
예제 #1
        /// <summary>
        /// Resolves the caller's principal from the OAuth access token carried by the request.
        /// Only presence and <see cref="AccessToken.TryParseBody"/> acceptance of the token are
        /// checked here: expiry and tenant authorization are not, so a caller that relies on
        /// those must check them itself (compare <c>TryAuthorize</c>).
        /// </summary>
        /// <param name="controller">Request the token is read from; also supplies the signing key via its system configuration.</param>
        /// <param name="hasApiKey">When no token is present, selects the 412 challenge instead of 401.</param>
        /// <returns>
        /// An <see cref="OAuthPrincipal"/> built from the parsed body (the second constructor argument,
        /// a resource name elsewhere in this file, is left null), or <c>null</c> after an authorization
        /// challenge has been written.
        /// </returns>
        public IPrincipal GetUser(RavenBaseApiController controller, bool hasApiKey)
        {
            var accessToken = GetToken(controller);
            if (accessToken == null)
            {
                var status = hasApiKey ? 412 : 401;
                WriteAuthorizationChallenge(controller, status, "invalid_request", "The access token is required");
                return null;
            }

            // Presumably TryParseBody verifies the token against this key before yielding a body - confirm in AccessToken.
            var signingKey = controller.DatabasesLandlord.SystemConfiguration.OAuthTokenKey;
            AccessTokenBody parsedBody;
            var accepted = AccessToken.TryParseBody(signingKey, accessToken, out parsedBody);
            if (!accepted)
            {
                WriteAuthorizationChallenge(controller, 401, "invalid_token", "The access token is invalid");
                return null;
            }

            return new OAuthPrincipal(parsedBody, null);
        }
예제 #2
        /// <summary>
        /// Resolves the caller's principal from the OAuth access token carried by the request.
        /// Only presence and <see cref="AccessToken.TryParseBody"/> acceptance of the token are
        /// checked here: expiry and tenant authorization are not, so a caller that relies on
        /// those must check them itself (compare the <c>Authorize</c> overrides in this file).
        /// </summary>
        /// <param name="ctx">Request the token is read from.</param>
        /// <param name="hasApiKey">When no token is present, selects the 412 challenge instead of 401.</param>
        /// <returns>
        /// An <see cref="OAuthPrincipal"/> built from the parsed body (the second constructor argument,
        /// a tenant id elsewhere in this file, is left null), or <c>null</c> after an authorization
        /// challenge has been written.
        /// </returns>
        public IPrincipal GetUser(IHttpContext ctx, bool hasApiKey)
        {
            var accessToken = GetToken(ctx);
            if (accessToken == null)
            {
                var status = hasApiKey ? 412 : 401;
                WriteAuthorizationChallenge(ctx, status, "invalid_request", "The access token is required");
                return null;
            }

            // Presumably TryParseBody verifies the token against this key before yielding a body - confirm in AccessToken.
            AccessTokenBody parsedBody;
            var accepted = AccessToken.TryParseBody(Settings.OAuthTokenKey, accessToken, out parsedBody);
            if (!accepted)
            {
                WriteAuthorizationChallenge(ctx, 401, "invalid_token", "The access token is invalid");
                return null;
            }

            return new OAuthPrincipal(parsedBody, null);
        }
예제 #3
        /// <summary>
        /// Authorizes the request with its OAuth access token: the token must be present, accepted by
        /// <see cref="AccessToken.TryParseBody"/>, not expired, and authorized for
        /// <c>controller.ResourceName</c> (read/write for non-GET requests). On success the principal is
        /// stored on the controller and in <c>CurrentOperationContext.User</c>.
        /// </summary>
        /// <param name="controller">Request being authorized; also the target of the resulting principal.</param>
        /// <param name="hasApiKey">When no token is present, selects the 412 challenge instead of 401.</param>
        /// <param name="ignoreDbAccess">
        /// Skips only the tenant-scope check; a missing, invalid or expired token is still rejected.
        /// </param>
        /// <param name="msg">An empty message when authorized, otherwise the authorization challenge.</param>
        /// <returns>
        /// <c>true</c> when the request may proceed. Note that when anonymous access is allowed by
        /// <c>Settings.AnonymousUserAccessMode</c> (All, Admin, or Get on a GET request), every token
        /// failure - including a present but invalid or expired token - silently degrades to an anonymous
        /// request with no user set, rather than producing a challenge. How Admin mode is enforced is
        /// not visible in this method.
        /// </returns>
        public bool TryAuthorize(RavenBaseApiController controller, bool hasApiKey, bool ignoreDbAccess, out HttpResponseMessage msg)
        {
            var isGetRequest = IsGetRequest(controller);
            var mode = Settings.AnonymousUserAccessMode;
            // we need to auth even if we don't have to, for bundles that want the user
            var anonymousAllowed = mode == AnonymousUserAccessMode.All
                                   || mode == AnonymousUserAccessMode.Admin
                                   || (mode == AnonymousUserAccessMode.Get && isGetRequest);

            var token = GetToken(controller);
            var writeAccess = !isGetRequest;
            AccessTokenBody tokenBody = null;

            // Each branch records the challenge it would issue; whether it is issued is decided once below.
            int status;
            string error;
            string description;
            var scopeFailure = false;

            if (token == null)
            {
                status = hasApiKey ? 412 : 401;
                error = "invalid_request";
                description = "The access token is required";
            }
            else if (!AccessToken.TryParseBody(Settings.OAuthTokenKey, token, out tokenBody))
            {
                status = 401;
                error = "invalid_token";
                description = "The access token is invalid";
            }
            else if (tokenBody.IsExpired())
            {
                status = 401;
                error = "invalid_token";
                description = "The access token is expired";
            }
            else if (!tokenBody.IsAuthorized(controller.ResourceName, writeAccess))
            {
                status = 403;
                error = "insufficient_scope";
                description = writeAccess
                    ? "Not authorized for read/write access for tenant " + controller.ResourceName
                    : "Not authorized for tenant " + controller.ResourceName;
                scopeFailure = true;
            }
            else
            {
                controller.User = new OAuthPrincipal(tokenBody, controller.ResourceName);
                CurrentOperationContext.User.Value = controller.User;
                msg = controller.GetEmptyMessage();
                return true;
            }

            // ignoreDbAccess only waives the scope failure; anonymous modes waive every failure.
            if (anonymousAllowed || (scopeFailure && ignoreDbAccess))
            {
                msg = controller.GetEmptyMessage();
                return true;
            }

            msg = WriteAuthorizationChallenge(controller, status, error, description);
            return false;
        }
예제 #4
        /// <summary>
        /// Authorizes the request with its OAuth access token: the token must be present, accepted by
        /// <see cref="AccessToken.TryParseBody"/> against <c>Settings.OAuthTokenCertificate</c>, not expired,
        /// and authorized for <c>TenantId</c> (read/write for non-GET requests). On success the principal is
        /// stored on the context and in <c>CurrentOperationContext.User</c>, and the token's user id is
        /// recorded under <c>Constants.RavenAuthenticatedUser</c> in the operation headers.
        /// </summary>
        /// <param name="ctx">Request being authorized; receives the resulting principal.</param>
        /// <returns>
        /// <c>true</c> when the request may proceed. When anonymous access is allowed by
        /// <c>Settings.AnonymousUserAccessMode</c> (All, or Get on a GET request), every token failure -
        /// including a present but invalid or expired token - silently degrades to an anonymous request:
        /// no user is set and no header is recorded, and no challenge is written.
        /// </returns>
        public override bool Authorize(IHttpContext ctx)
        {
            var request = ctx.Request;
            var isGetRequest = IsGetRequest(request.HttpMethod, request.Url.AbsolutePath);
            var mode = Settings.AnonymousUserAccessMode;
            // we need to auth even if we don't have to, for bundles that want the user
            var anonymousAllowed = mode == AnonymousUserAccessMode.All
                                   || (mode == AnonymousUserAccessMode.Get && isGetRequest);

            var token = GetToken(ctx);
            var writeAccess = !isGetRequest;
            AccessTokenBody tokenBody = null;

            // Each branch records the challenge it would issue; whether it is issued is decided once below.
            int status;
            string error;
            string description;

            if (token == null)
            {
                status = 401;
                error = "invalid_request";
                description = "The access token is required";
            }
            else if (!AccessToken.TryParseBody(Settings.OAuthTokenCertificate, token, out tokenBody))
            {
                status = 401;
                error = "invalid_token";
                description = "The access token is invalid";
            }
            else if (tokenBody.IsExpired())
            {
                status = 401;
                error = "invalid_token";
                description = "The access token is expired";
            }
            else if (!tokenBody.IsAuthorized(TenantId, writeAccess))
            {
                status = 403;
                error = "insufficient_scope";
                description = writeAccess
                    ? "Not authorized for read/write access for tenant " + TenantId
                    : "Not authorized for tenant " + TenantId;
            }
            else
            {
                ctx.User = new OAuthPrincipal(tokenBody, TenantId);
                CurrentOperationContext.Headers.Value[Constants.RavenAuthenticatedUser] = tokenBody.UserId;
                CurrentOperationContext.User.Value = ctx.User;
                return true;
            }

            if (anonymousAllowed)
            {
                return true;
            }

            WriteAuthorizationChallenge(ctx, status, error, description);
            return false;
        }
예제 #5
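        /// <summary>
        /// Authorizes the request with its OAuth access token unless its URL is on the
        /// <c>neverSecretUrls</c> list. The token must be present, accepted by
        /// <see cref="AccessToken.TryParseBody"/> against <c>Settings.OAuthTokenCertificate</c>, not expired,
        /// and authorized for <c>TenantId</c>. On success the principal is stored on the context.
        /// </summary>
        /// <param name="ctx">Request being authorized; receives the resulting principal.</param>
        /// <returns>
        /// <c>true</c> when the request may proceed. When anonymous access is allowed by
        /// <c>Settings.AnonymousUserAccessMode</c> (All, or Get on a GET request), every token failure -
        /// including a present but invalid or expired token - silently degrades to an anonymous request
        /// with no user set and no challenge written.
        /// </returns>
        public override bool Authorize(IHttpContext ctx)
        {
            var httpRequest = ctx.Request;

            // Assumes GetRequestUrl() yields a normalized path comparable to the neverSecretUrls entries - confirm.
            var requestUrl = ctx.GetRequestUrl();

            // The allow-list is consulted with an ordinal comparison: a culture-aware comparison can treat
            // ignorable code points and alternate case mappings as equal, so a path that does not literally
            // match an entry could still skip authentication. URL paths are not linguistic text.
            if (neverSecretUrls.Contains(requestUrl, StringComparer.OrdinalIgnoreCase))
            {
                return true;
            }

            var allowUnauthenticatedUsers =             // we need to auth even if we don't have to, for bundles that want the user
                                            Settings.AnonymousUserAccessMode == AnonymousUserAccessMode.All ||
                                            Settings.AnonymousUserAccessMode == AnonymousUserAccessMode.Get &&
                                            IsGetRequest(httpRequest.HttpMethod, httpRequest.Url.AbsolutePath);

            var token = GetToken(ctx);

            if (token == null)
            {
                if (allowUnauthenticatedUsers)
                {
                    return true;
                }
                WriteAuthorizationChallenge(ctx, 401, "invalid_request", "The access token is required");

                return false;
            }

            AccessTokenBody tokenBody;

            // Presumably TryParseBody validates the token against the certificate before yielding a body - confirm in AccessToken.
            if (!AccessToken.TryParseBody(Settings.OAuthTokenCertificate, token, out tokenBody))
            {
                if (allowUnauthenticatedUsers)
                {
                    return true;
                }
                WriteAuthorizationChallenge(ctx, 401, "invalid_token", "The access token is invalid");

                return false;
            }

            if (tokenBody.IsExpired())
            {
                if (allowUnauthenticatedUsers)
                {
                    return true;
                }
                WriteAuthorizationChallenge(ctx, 401, "invalid_token", "The access token is expired");

                return false;
            }

            // Unlike the other Authorize in this file, no read/write distinction is passed to the scope check.
            if (!tokenBody.IsAuthorized(TenantId))
            {
                if (allowUnauthenticatedUsers)
                {
                    return true;
                }

                WriteAuthorizationChallenge(ctx, 403, "insufficient_scope", "Not authorized for tenant " + TenantId);

                return false;
            }

            ctx.User = new OAuthPrincipal(tokenBody);

            return true;
        }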