Exemplo n.º 1
0
        public async Task <GrantedToken> Execute(GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
        {
            // 1. Check parameters.
            if (parameter == null)
            {
                throw new ArgumentNullException(nameof(parameter));
            }

            if (string.IsNullOrWhiteSpace(parameter.Ticket))
            {
                throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
            }

            if (string.IsNullOrWhiteSpace(parameter.Ticket))
            {
                throw new ArgumentNullException(nameof(parameter.Ticket));
            }

            // 2. Try to authenticate the client.
            var instruction = CreateAuthenticateInstruction(parameter, authenticationHeaderValue, certificate);
            var authResult  = await _authenticateClient.AuthenticateAsync(instruction, issuerName);

            var client = authResult.Client;

            if (client == null)
            {
                throw new BaseUmaException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
            }

            if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.uma_ticket))
            {
                throw new BaseUmaException(ErrorCodes.InvalidGrant, string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.uma_ticket));
            }

            // 3. Retrieve the ticket.
            var json = JsonConvert.SerializeObject(parameter);

            _umaServerEventSource.StartGettingAuthorization(json);
            var ticket = await _ticketStore.GetAsync(parameter.Ticket);

            if (ticket == null)
            {
                throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
            }

            // 4. Check the ticket.
            if (ticket.ExpirationDateTime < DateTime.UtcNow)
            {
                throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
            }

            _umaServerEventSource.CheckAuthorizationPolicy(json);
            var claimTokenParameter = new ClaimTokenParameter
            {
                Token  = parameter.ClaimToken,
                Format = parameter.ClaimTokenFormat
            };

            // 4. Check the authorization.
            var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(ticket, client.ClientId, claimTokenParameter);

            if (authorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
            {
                _umaServerEventSource.RequestIsNotAuthorized(json);
                throw new BaseUmaException(ErrorCodes.InvalidGrant, ErrorDescriptions.TheAuthorizationPolicyIsNotSatisfied);
            }

            // 5. Generate a granted token.
            var grantedToken = await GenerateTokenAsync(client, ticket.Lines, "openid", issuerName);

            await _tokenStore.AddToken(grantedToken);

            await _ticketStore.RemoveAsync(ticket.Id);

            return(grantedToken);
        }
Exemplo n.º 2
0
        public async Task <IEnumerable <AuthorizationResponse> > Execute(IEnumerable <GetAuthorizationActionParameter> parameters, string clientId)
        {
            var result      = new List <AuthorizationResponse>();
            var rptLifeTime = await _configurationService.GetRptLifeTime();

            // 1. Check parameters.
            if (parameters == null)
            {
                throw new ArgumentNullException(nameof(parameters));
            }

            if (string.IsNullOrWhiteSpace(clientId))
            {
                throw new ArgumentNullException(nameof(clientId));
            }

            // 2. Retrieve the tickets.
            _umaServerEventSource.StartGettingAuthorization(JsonConvert.SerializeObject(parameters));
            var tickets = await _ticketRepository.Get(parameters.Select(p => p.TicketId));

            var rptLst = new List <Rpt>();

            // 3. Check parameters.
            foreach (var parameter in parameters)
            {
                var json = JsonConvert.SerializeObject(parameter);
                if (string.IsNullOrWhiteSpace(parameter.TicketId))
                {
                    throw new BaseUmaException(ErrorCodes.InvalidRequestCode,
                                               string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
                }

                var ticket = tickets.FirstOrDefault(t => t.Id == parameter.TicketId);
                if (ticket == null)
                {
                    throw new BaseUmaException(ErrorCodes.InvalidTicket,
                                               string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.TicketId));
                }

                if (ticket.ClientId != clientId)
                {
                    throw new BaseUmaException(ErrorCodes.InvalidTicket, ErrorDescriptions.TheTicketIssuerIsDifferentFromTheClient);
                }

                if (ticket.ExpirationDateTime < DateTime.UtcNow)
                {
                    throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
                }

                _umaServerEventSource.CheckAuthorizationPolicy(json);
                var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(ticket, clientId, parameter.ClaimTokenParameters);

                if (authorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
                {
                    _umaServerEventSource.RequestIsNotAuthorized(json);
                    result.Add(new AuthorizationResponse
                    {
                        AuthorizationPolicyResult = authorizationResult.Type,
                        ErrorDetails = authorizationResult.ErrorDetails
                    });
                    continue;
                }

                var rpt = new Rpt
                {
                    Value              = Guid.NewGuid().ToString(),
                    TicketId           = ticket.Id,
                    ResourceSetId      = ticket.ResourceSetId,
                    CreateDateTime     = DateTime.UtcNow,
                    ExpirationDateTime = DateTime.UtcNow.AddSeconds(rptLifeTime)
                };
                rptLst.Add(rpt);
                result.Add(new AuthorizationResponse
                {
                    AuthorizationPolicyResult = AuthorizationPolicyResultEnum.Authorized,
                    Rpt = rpt.Value
                });
                _umaServerEventSource.RequestIsAuthorized(json);
            }

            // 4. Persist the RPTs.
            if (rptLst.Any())
            {
                await _repositoryExceptionHelper.HandleException(
                    ErrorDescriptions.TheRptCannotBeInserted,
                    () => _rptRepository.Insert(rptLst));
            }

            return(result);
        }
        public async Task <GetTokenByTicketIdResponse> Execute(GetTokenViaTicketIdParameter parameter, string openidProvider, string issuerName)
        {
            // 1. Check parameters.
            if (parameter == null)
            {
                throw new ArgumentNullException(nameof(parameter));
            }

            if (string.IsNullOrWhiteSpace(parameter.Ticket))
            {
                throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId));
            }

            if (string.IsNullOrWhiteSpace(parameter.Ticket))
            {
                throw new ArgumentNullException(nameof(parameter.Ticket));
            }

            if (string.IsNullOrWhiteSpace(openidProvider))
            {
                throw new ArgumentNullException(nameof(openidProvider));
            }

            // 2. Retrieve the ticket.
            var json = JsonConvert.SerializeObject(parameter);

            _umaServerEventSource.StartGettingAuthorization(json);
            var ticket = await _ticketStore.GetAsync(parameter.Ticket).ConfigureAwait(false);

            if (ticket == null)
            {
                throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket));
            }

            // 3. Check the ticket.
            if (ticket.ExpirationDateTime < DateTime.UtcNow)
            {
                throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired);
            }

            _umaServerEventSource.CheckAuthorizationPolicy(json);
            var claimTokenParameter = new ClaimTokenParameter
            {
                Token  = parameter.ClaimToken,
                Format = parameter.ClaimTokenFormat
            };

            // 4. Check the authorization.
            var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(openidProvider, ticket, claimTokenParameter).ConfigureAwait(false);

            if (!authorizationResult.IsValid)
            {
                _umaServerEventSource.RequestIsNotAuthorized(json);
                return(new GetTokenByTicketIdResponse
                {
                    IsValid = false,
                    ResourceValidationResult = authorizationResult
                });
            }

            // 5. Generate a granted token.
            var grantedToken = await GenerateTokenAsync(ticket.Audiences, ticket.Lines, "openid", issuerName).ConfigureAwait(false);

            await _tokenStore.AddToken(grantedToken);

            await _ticketStore.RemoveAsync(ticket.Id);

            return(new GetTokenByTicketIdResponse
            {
                IsValid = true,
                GrantedToken = grantedToken
            });
        }