 /// <summary>
 /// Creates a checker that answers privilege questions through the supplied provider.
 /// </summary>
 /// <param name="privilegeProvider">Provider the checker delegates privilege lookups to.</param>
 public PrivilegeChecker(IPrivilegeProvider privilegeProvider) => _privilegeProvider = privilegeProvider;
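        /// <summary>
        /// Loads the current user's Atlas account and privileges and, when the user is known and
        /// allowed for the company named in the route, attaches an Atlas <see cref="ClaimsIdentity"/>
        /// to <see cref="HttpContext.User"/> before invoking the next middleware.
        /// </summary>
        /// <param name="httpContext">The current request context.</param>
        /// <param name="privilegeProvider">Source of the current user's account and privileges.</param>
        /// <param name="logger">Logger used for denied-access warnings.</param>
        /// <remarks>
        /// Unauthenticated requests pass through untouched. An authenticated caller with no Atlas
        /// account, or one not configured for the requested company, gets a 403
        /// <c>application/problem+json</c> response and the pipeline is short-circuited.
        /// </remarks>
        public async Task Invoke(HttpContext httpContext, IPrivilegeProvider privilegeProvider, ILogger<LoadUserPrivilegesMiddleware> logger)
        {
            // Identity is null when no authentication handler produced one; treat that as unauthenticated
            // instead of throwing a NullReferenceException.
            if (httpContext.User.Identity?.IsAuthenticated == true)
            {
                // Route-supplied value; may be null when the route has no company segment. It is echoed
                // into the log and the 403 detail below, so it is untrusted text, not a validated id.
                var companyId = (string)httpContext.GetRouteValue(ApiRoutes.CompanyParameter);

                var user = await privilegeProvider.LoadCurrentUserAsync(companyId);

                // User has no account in Atlas
                if (user == null)
                {
                    logger.LogWarning($"No account found for the current user: {httpContext.User.Identity.Name}");

                    await WriteForbiddenAsync("No account found for the current user.");
                    return;
                }

                // NOTE(review): despite the Async suffix this call is not awaited and is queried with LINQ
                // directly, and it is given null rather than companyId — confirm the provider's return type
                // and whether the unfiltered lookup is intended here.
                var userPrivileges = privilegeProvider.GetCurrentUserPrivilegesAsync(null);

                // User is not configured for the given company
                if (!string.IsNullOrWhiteSpace(companyId) && !userPrivileges.Any(p => p.CompanyId == companyId))
                {
                    logger.LogWarning($"User {user.SamAccountName} is not allowed to access this company: {companyId}");

                    await WriteForbiddenAsync($"User {user.SamAccountName} is not allowed to access this company: {companyId}.");
                    return;
                }

                // Atlas-specific claims live on their own identity so the caller's primary identity is untouched.
                ClaimsIdentity identity = new ClaimsIdentity("AtlasPolicyProviderMiddleware", ClaimTypes.WindowsAccountName, null);
                identity.AddClaim(new Claim(ClaimConstants.AtlasId, user.UserId.ToString(CultureInfo.InvariantCulture), ClaimValueTypes.Integer64, ClaimConstants.AtlasIssuer));
                identity.AddClaim(new Claim(ClaimTypes.Upn, user.UserPrincipalName, ClaimValueTypes.UpnName, ClaimConstants.AtlasIssuer));
                identity.AddClaim(new Claim(ClaimTypes.WindowsAccountName, user.SamAccountName, ClaimValueTypes.String, ClaimConstants.AtlasIssuer));
                if (user.Email != null)
                {
                    // NOTE(review): unlike the other claims this one carries no Atlas issuer — confirm whether
                    // downstream checks rely on the issuer.
                    identity.AddClaim(new Claim(ClaimTypes.Email, user.Email, ClaimValueTypes.Email));
                }

                // NOTE(review): the company check above uses userPrivileges while the administrator flag
                // is derived from user.Permissions — confirm the two are the same data.
                if (user.Permissions.Any(p => p.CompanyId == companyId && p.ProfileName == AtlasProfiles.Administrator))
                {
                    identity.AddClaim(new Claim(ClaimConstants.IsAdministrator, bool.TrueString, ClaimValueTypes.Boolean, ClaimConstants.AtlasIssuer));
                }

                httpContext.User.AddIdentity(identity);
            }

            await _next(httpContext);

            // Writes the shared 403 problem-details body for both denial paths; the caller returns afterwards
            // so the rest of the pipeline never runs for a denied request.
            async Task WriteForbiddenAsync(string detail)
            {
                var error = new ProblemDetails
                {
                    Title    = "You do not have the necessary permissions for this resource.",
                    Type     = "https://atlas.ldc.com/security-error",
                    Status   = StatusCodes.Status403Forbidden,
                    Detail   = detail,
                    Instance = httpContext.Request.Path
                };

                httpContext.Response.ContentType = "application/problem+json";
                httpContext.Response.StatusCode  = StatusCodes.Status403Forbidden;

                await httpContext.Response.WriteAsync(JsonConvert.SerializeObject(error, Formatting.Indented, new JsonSerializerSettings
                {
                    ContractResolver = new Newtonsoft.Json.Serialization.CamelCasePropertyNamesContractResolver()
                }));
            }
        }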