public async Task <ResourceValidationResult> IsAuthorized(string openidProvider, Ticket validTicket, ClaimTokenParameter claimTokenParameter)
{
if (string.IsNullOrWhiteSpace(openidProvider))
{
throw new ArgumentNullException(nameof(openidProvider));
}
if (validTicket == null)
{
throw new ArgumentNullException(nameof(validTicket));
}
if (validTicket.Lines == null || !validTicket.Lines.Any())
{
throw new ArgumentNullException(nameof(validTicket.Lines));
}
var resourceIds = validTicket.Lines.Select(l => l.ResourceSetId);
var resources = await _resourceSetRepository.Get(resourceIds);
if (resources == null || !resources.Any() || resources.Count() != resourceIds.Count())
{
throw new BaseUmaException(ErrorCodes.InternalError, ErrorDescriptions.SomeResourcesDontExist);
}
ResourceValidationResult validationResult = null;
foreach (var ticketLine in validTicket.Lines)
{
var ticketLineParameter = new TicketLineParameter(ticketLine.Scopes);
if (validTicket.Audiences != null && validTicket.Audiences.Any())
{
ticketLineParameter.ClientId = validTicket.Audiences.First();
}
var resource = resources.First(r => r.Id == ticketLine.ResourceSetId);
validationResult = await Validate(openidProvider, ticketLineParameter, resource, claimTokenParameter).ConfigureAwait(false);
if (!validationResult.IsValid)
{
_umaServerEventSource.AuthorizationPoliciesFailed(validTicket.Id);
return(validationResult);
}
}
return(validationResult);
}
private AuthorizationPolicyResult CheckClients(Policy authorizationPolicy, TicketLineParameter ticketLineParameter)
{
if (authorizationPolicy.ClientIds == null || !authorizationPolicy.ClientIds.Any())
{
return(null);
}
if (!authorizationPolicy.ClientIds.Contains(ticketLineParameter.ClientId))
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized,
Policy = authorizationPolicy,
ErrorDetails = "the client is not authorized"
});
}
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.Authorized
});
}
public async Task <ResourceValidationResult> Execute(string openidProvider, ResourceSet resource, TicketLineParameter ticketLineParameter, ClaimTokenParameter claimTokenParameter)
{
if (string.IsNullOrWhiteSpace(openidProvider))
{
throw new ArgumentNullException(nameof(openidProvider));
}
if (resource == null)
{
throw new ArgumentNullException(nameof(resource));
}
if (ticketLineParameter == null)
{
throw new ArgumentNullException(nameof(ticketLineParameter));
}
JwsPayload jwsPayload = null;
string subject = null;
if (claimTokenParameter != null && claimTokenParameter.Format == Constants.IdTokenType)
{
var idToken = claimTokenParameter.Token;
jwsPayload = await _jwtTokenParser.UnSign(idToken, openidProvider).ConfigureAwait(false);
var subjectClaim = jwsPayload.FirstOrDefault(c => c.Key == SimpleIdServer.Core.Jwt.Constants.StandardResourceOwnerClaimNames.Subject);
if (!subjectClaim.Equals(default(KeyValuePair <string, object>)) && subjectClaim.Value != null)
{
subject = subjectClaim.Value.ToString();
}
}
var validationsResult = new List <AuthorizationPolicyResult>();
var policies = resource.AuthPolicies;
if (policies != null && policies.Any())
{
foreach (var policy in policies)
{
if (ticketLineParameter.Scopes.Any(s => !policy.Scopes.Contains(s)))
{
validationsResult.Add(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized,
Policy = policy,
ErrorDetails = "the scope is not valid"
});
continue;
}
var clientAuthorizationResult = CheckClients(policy, ticketLineParameter);
if (clientAuthorizationResult != null && clientAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
validationsResult.Add(clientAuthorizationResult);
continue;
}
var validationResult = CheckClaims(openidProvider, policy, jwsPayload);
validationsResult.Add(validationResult);
}
}
var vr = validationsResult.FirstOrDefault(v => v.Type == AuthorizationPolicyResultEnum.Authorized);
if (vr != null)
{
return(new ResourceValidationResult
{
IsValid = true
});
}
if (!resource.AcceptPendingRequest)
{
return(new ResourceValidationResult
{
IsValid = false,
AuthorizationPoliciesResult = validationsResult
});
}
if (!string.IsNullOrWhiteSpace(subject))
{
var pendingRequestLst = await _pendingRequestRepository.Get(resource.Id, subject).ConfigureAwait(false);
var pendingRequest = pendingRequestLst.FirstOrDefault(p => ticketLineParameter.Scopes.Count() == p.Scopes.Count() && ticketLineParameter.Scopes.All(s => p.Scopes.Contains(s)));
if (pendingRequest == null)
{
await _pendingRequestRepository.Add(new PendingRequest
{
Id = Guid.NewGuid().ToString(),
CreateDateTime = DateTime.UtcNow,
ResourceId = resource.Id,
IsConfirmed = false,
RequesterSubject = subject,
Scopes = ticketLineParameter.Scopes
}).ConfigureAwait(false);
return(new ResourceValidationResult
{
IsValid = false,
AuthorizationPoliciesResult = new[]
{
new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.RequestSubmitted,
ErrorDetails = "a request has been submitted"
}
}
});
}
}
return(new ResourceValidationResult
{
IsValid = false,
AuthorizationPoliciesResult = new[]
{
new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.RequestNotConfirmed,
ErrorDetails = "the request is not confirmed by the resource owner"
}
}
});
}
private Task <ResourceValidationResult> Validate(string openidProvider, TicketLineParameter ticketLineParameter, ResourceSet resource, ClaimTokenParameter claimTokenParameter)
{
return(_basicAuthorizationPolicy.Execute(openidProvider, resource, ticketLineParameter, claimTokenParameter));
}