public PrivilegeChecker(IPrivilegeProvider privilegeProvider)
{
_privilegeProvider = privilegeProvider;
}
public async Task Invoke(HttpContext httpContext, IPrivilegeProvider privilegeProvider, ILogger <LoadUserPrivilegesMiddleware> logger)
{
if (httpContext.User.Identity.IsAuthenticated)
{
var companyId = (string)httpContext.GetRouteValue(ApiRoutes.CompanyParameter);
var user = await privilegeProvider.LoadCurrentUserAsync(companyId);
// User has no account in Atlas
if (user == null)
{
logger.LogWarning($"No account found for the current user: {httpContext.User.Identity.Name}");
var error = new ProblemDetails
{
Title = "You do not have the necessary permissions for this resource.",
Type = "https://atlas.ldc.com/security-error",
Status = StatusCodes.Status403Forbidden,
Detail = "No account found for the current user.",
Instance = httpContext.Request.Path
};
httpContext.Response.ContentType = "application/problem+json";
httpContext.Response.StatusCode = StatusCodes.Status403Forbidden;
await httpContext.Response.WriteAsync(JsonConvert.SerializeObject(error, Formatting.Indented, new JsonSerializerSettings
{
ContractResolver = new Newtonsoft.Json.Serialization.CamelCasePropertyNamesContractResolver()
}));
return;
}
var userPrivileges = privilegeProvider.GetCurrentUserPrivilegesAsync(null);
// User is not configured for the given company
if (!string.IsNullOrWhiteSpace(companyId) && !userPrivileges.Any(p => p.CompanyId == companyId))
{
logger.LogWarning($"User {user.SamAccountName} is not allowed to access this company: {companyId}");
var error = new ProblemDetails
{
Title = "You do not have the necessary permissions for this resource.",
Type = "https://atlas.ldc.com/security-error",
Status = StatusCodes.Status403Forbidden,
Detail = $"User {user.SamAccountName} is not allowed to access this company: {companyId}.",
Instance = httpContext.Request.Path
};
httpContext.Response.ContentType = "application/problem+json";
httpContext.Response.StatusCode = StatusCodes.Status403Forbidden;
await httpContext.Response.WriteAsync(JsonConvert.SerializeObject(error, Formatting.Indented, new JsonSerializerSettings
{
ContractResolver = new Newtonsoft.Json.Serialization.CamelCasePropertyNamesContractResolver()
}));
return;
}
ClaimsIdentity identity = new ClaimsIdentity("AtlasPolicyProviderMiddleware", ClaimTypes.WindowsAccountName, null);
identity.AddClaim(new Claim(ClaimConstants.AtlasId, user.UserId.ToString(CultureInfo.InvariantCulture), ClaimValueTypes.Integer64, ClaimConstants.AtlasIssuer));
identity.AddClaim(new Claim(ClaimTypes.Upn, user.UserPrincipalName, ClaimValueTypes.UpnName, ClaimConstants.AtlasIssuer));
identity.AddClaim(new Claim(ClaimTypes.WindowsAccountName, user.SamAccountName, ClaimValueTypes.String, ClaimConstants.AtlasIssuer));
if (user.Email != null)
{
identity.AddClaim(new Claim(ClaimTypes.Email, user.Email, ClaimValueTypes.Email));
}
if (user.Permissions.Any(p => p.CompanyId == companyId && p.ProfileName == AtlasProfiles.Administrator))
{
identity.AddClaim(new Claim(ClaimConstants.IsAdministrator, bool.TrueString, ClaimValueTypes.Boolean, ClaimConstants.AtlasIssuer));
}
httpContext.User.AddIdentity(identity);
}
await _next(httpContext);
}
