private async Task <ClaimsPrincipal> CreatePrincipalFor(SiteMinderAuthenticationToken smAuthToken)
{
var claims = new List <Claim>();
claims.Add(new Claim(ClaimTypes.Role, "role_everyone"));
if (smAuthToken.IsInternal())
{
//EMBC admin
claims.Add(new Claim(ClaimTypes.Role, "role_volunteer"));
claims.Add(new Claim(ClaimTypes.Role, "role_local_authority"));
claims.Add(new Claim(ClaimTypes.Role, "role_provincial_admin"));
claims.Add(new Claim(ClaimTypes.Sid, smAuthToken.smgov_userguid));
claims.Add(new Claim(ClaimTypes.Upn, smAuthToken.sm_universalid));
claims.Add(new Claim(SiteMinderClaimTypes.USER_TYPE, smAuthToken.smgov_usertype));
claims.Add(new Claim(SiteMinderClaimTypes.NAME, smAuthToken.smgov_userdisplayname));
claims.Add(new Claim(EssClaimTypes.USER_ID, smAuthToken.smgov_userguid));
}
else if (smAuthToken.IsExternal())
{
//Volunteer
var volunteer = dataInterface.GetVolunteerByBceidUserId(smAuthToken.sm_universalid);
if (volunteer == null)
{
throw new ApplicationException($"Volunteer not found");
}
if (volunteer.Externaluseridentifier != null && volunteer.Externaluseridentifier != smAuthToken.smgov_userguid)
{
throw new ApplicationException("Volunteer BCeID GUID does not match");
}
if (volunteer.Organization.BCeIDBusinessGuid != null && volunteer.Organization.BCeIDBusinessGuid != smAuthToken.smgov_businessguid)
{
throw new ApplicationException("Volunteer doesn't belong to the correct organization");
}
if (string.IsNullOrEmpty(volunteer.Externaluseridentifier))
{
volunteer.Externaluseridentifier = smAuthToken.smgov_userguid;
await dataInterface.UpdateVolunteerAsync(volunteer);
}
claims.Add(new Claim(ClaimTypes.Role, "role_volunteer"));
if (volunteer.IsAdministrator ?? false)
{
claims.Add(new Claim(ClaimTypes.Role, "role_local_authority"));
}
claims.Add(new Claim(ClaimTypes.Sid, smAuthToken.smgov_userguid));
claims.Add(new Claim(ClaimTypes.Upn, smAuthToken.sm_universalid));
claims.Add(new Claim(SiteMinderClaimTypes.USER_TYPE, smAuthToken.smgov_usertype));
claims.Add(new Claim(SiteMinderClaimTypes.NAME, smAuthToken.smgov_userdisplayname));
claims.Add(new Claim(SiteMinderClaimTypes.BUSINESS_GUID, smAuthToken.smgov_businessguid));
claims.Add(new Claim(EssClaimTypes.USER_ID, volunteer.Id));
claims.Add(new Claim(EssClaimTypes.ORG_ID, volunteer.Organization.Id));
}
return(new ClaimsPrincipal(new ClaimsIdentity(claims, Options.Scheme)));
}
public static void AddToResponse(SiteMinderAuthenticationToken token, HttpResponse res)
{
res.Cookies.Append(SM_TOKEN_NAME, token.ToString().Base64Encode(), new CookieOptions()
{
SameSite = SameSiteMode.Strict,
Expires = DateTimeOffset.Now.AddSeconds(30),
HttpOnly = true
});
}
protected override async Task <AuthenticateResult> HandleAuthenticateAsync()
{
var smAuthToken = SiteMinderAuthenticationToken.CreateFromFwdHeaders(Request);
if (!environment.IsProduction() && smAuthToken.IsAnonymous())
{
smAuthToken = SiteMinderAuthenticationToken.CreateForDev(Request);
Response.Cookies.Delete(SiteMinderAuthenticationToken.SM_TOKEN_NAME);
}
logger.LogDebug($"smAuthToken: {smAuthToken.ToString()}");
var claims = Context.Session.GetString("app.principal");
if (!string.IsNullOrEmpty(claims))
{
var principal = claims.FromJwt();
logger.LogDebug($"Success (session): {principal.Identity.Name}");
return(AuthenticateResult.Success(new AuthenticationTicket(principal, Options.Scheme)));
}
if (smAuthToken.IsAnonymous())
{
logger.LogDebug($"NoResult");
return(AuthenticateResult.NoResult());
}
try
{
var principal = await CreatePrincipalFor(smAuthToken);
Context.Session.SetString("app.principal", principal.ToJwt());
logger.LogDebug($"Success (new): {principal.Identity.Name}");
return(AuthenticateResult.Success(new AuthenticationTicket(principal, Options.Scheme)));
}
catch (ApplicationException e)
{
logger.LogError($"Fail to authenticate user with token '{smAuthToken.ToString()}': {e.Message}");
return(AuthenticateResult.Fail(e.Message));
}
}
