public void canCompareScopes(string greater, string lesser)
{
AccessScope greaterScope = AccessScope.parse(greater);
AccessScope lesserScope = AccessScope.parse(lesser);
Assert.True(greaterScope.greaterThan(lesserScope));
}
public Credential?resolve(string tokenStr)
{
// 1. match the token string to a Token
var token = default(Token);
using (var db = serverContext.getDbContext()) {
token = db.tokens.FirstOrDefault(x => x.content == tokenStr);
}
if (token == null)
{
return(null);
}
// 2. check token validity
if (DateTime.Now >= token.expires)
{
// token is expired.
return(null);
}
// 2. match the token to a user
using (var db = serverContext.getDbContext()) {
token = db.tokens.Find(token.id);
db.Entry(token).Reference(x => x.user).Load();
}
// 3. parse token scopes/path
return(new Credential(token, AccessScope.parse(token.scope)));
}
public async Task <(RemoteIdentity, HttpStatusCode)> getAppAuthentication(HttpRequest req, HttpResponse res)
{
var appId = req.RouteValues.As <string>("appId");
// check config for app layers
var appDef = serverContext.config.apps.SingleOrDefault(x => x.name == appId);
if (appDef == null)
{
return(null, HttpStatusCode.NotFound);
}
// load user groups, and aggregate their permissions
var user = serverContext.userManager.loadGroups(currentUser);
var userPermissions = new PermissionResolver(serverContext, user)
.aggregatePermissions();
// check if any permission grants app access
var maybeGrantedScope = default(AccessScope?);
foreach (var permission in userPermissions)
{
var permissionScope = AccessScope.parse(permission.path); // permission: "/Layer" or "/Layer/App"
foreach (var appDefLayer in appDef.layers)
{
var appScope = new AccessScope(appDefLayer, appDef.name); // scope: "/Layer/App"
if (permissionScope.greaterThan(appScope))
{
maybeGrantedScope = appScope; // the granted scope is the one we authorize
}
}
}
if (!maybeGrantedScope.HasValue)
{
return(null, HttpStatusCode.Forbidden);
}
var grantedScope = maybeGrantedScope.Value;
// issue a new token for the app
// TODO: configurable timespan
var token = serverContext.userManager.issueTokenFor(user.id,
serverContext.tokenResolver.issue(grantedScope, TimeSpan.FromDays(7)));
return(new RemoteIdentity(new PublicUser(user), token), HttpStatusCode.Created);
}
public void canParseScopesFromPath(string path)
{
// ensure parsed path matches input path
Assert.Equal(path, AccessScope.parse(path).path);
}