        /// <summary>
        /// POSTs <paramref name="data"/> as a JSON body to <paramref name="url"/> on the shared REST client
        /// and deserializes a 200 OK body into <typeparamref name="T"/>.
        /// </summary>
        /// <param name="url">Resource path assigned to the request before it is sent.</param>
        /// <param name="data">Request model that is serialized into the JSON body.</param>
        /// <returns>The response body deserialized as <typeparamref name="T"/> when the status is 200 OK.</returns>
        /// <exception cref="ApplicationException">
        /// Thrown for any status other than 200 OK. The message is the raw upstream response body, so callers
        /// should treat it as untrusted data rather than surfacing it to end users as-is.
        /// </exception>
        /// <remarks>
        /// The request is a shared field that is cleared and rebuilt on every call; concurrent callers of this
        /// method would race on it. NOTE(review): confirm the owning class is not used from several requests at once.
        /// NOTE(review): the model is serialized with JsonConvert before being handed to AddJsonBody; on RestSharp
        /// versions where AddJsonBody serializes its argument itself, that double-encodes the payload as a JSON
        /// string literal — verify against the RestSharp version in use.
        /// </remarks>
        private async Task <T> Execute <T>(string url, ApplicationSecurityRequestModel data)
        {
            var request = _request;

            // Rebuild the shared request from scratch so parameters of an earlier call cannot leak into this one.
            request.Parameters.Clear();
            request.Resource = url;
            request.Method   = Method.POST;
            request.AddJsonBody(JsonConvert.SerializeObject(data));
            request.AddHeader("Content-type", "application/json");

            var response = await _client.ExecuteAsync(request);

            // Only an exact 200 is accepted; every other status (including other 2xx codes) is reported as a failure.
            if (response.StatusCode != HttpStatusCode.OK)
            {
                throw new ApplicationException(response.Content);
            }

            return JsonConvert.DeserializeObject <T>(response.Content);
        }
        /// <summary>
        /// Queries the ASM application-security endpoint for the permissions matching the given request model.
        /// </summary>
        /// <param name="applicationSecurityRequestModel">Application, person and positions to look up.</param>
        /// <returns>The <c>Data</c> part of the ASM response.</returns>
        /// <remarks>
        /// The endpoint address is built by plain concatenation of the configured URL and endpoint path, so the
        /// configuration values must already agree on the separating slash.
        /// NOTE(review): <c>RaiseApplicationException</c> is presumably throwing; if it ever returns normally,
        /// <c>response.Data</c> is still returned for a failed response — confirm against its implementation.
        /// </remarks>
        public async Task <IEnumerable <ApplicationSecurityResponseModel> > Get(
            ApplicationSecurityRequestModel applicationSecurityRequestModel)
        {
            var asmSettings = _asmApiModel.Value;
            var requestUrl  = asmSettings.Url + asmSettings.Endpoint.ApplicationSecurity;

            var response = await Execute <AsmResponse <ApplicationSecurityResponseModel> >(
                requestUrl, applicationSecurityRequestModel);

            if (response.Succeeded)
            {
                return response.Data;
            }

            // Expected to throw; the trailing return only preserves the original fall-through behaviour.
            RaiseApplicationException(response);
            return response.Data;
        }
 /// <summary>
 /// Controller action that forwards the application-security lookup to the injected ASM service unchanged.
 /// </summary>
 /// <param name="applicationSecurityRequestModel">Request model bound from the incoming call.</param>
 /// <returns>Whatever the ASM service returns for the model.</returns>
 public async Task <IEnumerable <ApplicationSecurityResponseModel> > Get(ApplicationSecurityRequestModel applicationSecurityRequestModel)
 {
     var permissions = await _asmService.Get(applicationSecurityRequestModel);
     return permissions;
 }
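        /// <summary>
        /// Action filter that authorizes the current request against the MIS person/position data and the
        /// ASM application-access permissions before the action runs.
        /// </summary>
        /// <param name="context">
        /// The action context. On any failed check <see cref="ActionExecutingContext.Result"/> is set to
        /// <see cref="UnauthorizedResult"/> (with a 401 status) to short-circuit the pipeline.
        /// </param>
        /// <remarks>
        /// Every denial returns immediately. The previous version kept running after setting the result, so it
        /// still called the MIS and ASM APIs for an already-rejected request and could throw on a malformed
        /// numeric header (turning a 401 into a 500). Header values are client-controlled: the only trusted
        /// identity here is the SSO-validated "UserId" item, and the position header is accepted only when it
        /// matches a position MIS reports for that user.
        /// NOTE(review): these are authorization failures, so 403 Forbidden would be the conventional status;
        /// 401 is kept to preserve the existing contract.
        /// </remarks>
        public void OnActionExecuting(ActionExecutingContext context)
        {
            var appSettings = new AppSettings();

            _configuration.GetSection("AppSettings").Bind(appSettings);

            if (!appSettings.EnableAsmAuthorization)
            {
                return;
            }

            // Sets the 401 result; every caller returns right after so no further upstream calls are made.
            void Deny()
            {
                context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                context.Result = new UnauthorizedResult();
            }

            // User Id is placed in HttpContext.Items once SSO validation succeeded (CustomAuthorization filter).
            // It is the only identity value below that does not come straight from the client.
            var userId = _httpContextAccessor?.HttpContext?.Request.HttpContext.Items["UserId"]?.ToString();

            // Headers every API call must carry for authorization. They are client-supplied and only trusted
            // after the cross-checks below. x-baps-auth-app-id / x-baps-auth-app-secret are reserved for a
            // future application-level check and are not evaluated yet; x-baps-auth-role-id must be present
            // but the effective role is taken from the MIS position, not from the header.
            var personId   = _httpContextAccessor?.HttpContext?.Request.Headers["x-baps-auth-user-id"].ToString();
            var roleId     = _httpContextAccessor?.HttpContext?.Request.Headers["x-baps-auth-role-id"].ToString();
            var positionId = _httpContextAccessor?.HttpContext?.Request.Headers["x-baps-auth-position-id"].ToString();

            if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(personId) || string.IsNullOrEmpty(roleId) ||
                string.IsNullOrEmpty(positionId))
            {
                Deny();
                return;
            }

            // The header user id must equal the SSO-validated one, so a caller cannot act on behalf of another person.
            if (userId != personId)
            {
                Deny();
                return;
            }

            // A non-numeric id is a bad client value, not a server fault: deny instead of letting int.Parse throw.
            if (!int.TryParse(userId, out var userIdValue) || !int.TryParse(positionId, out var positionIdValue))
            {
                Deny();
                return;
            }

            // TODO: Store PersonPosition in a cache, so doesn't need to hit MIS Api for each call
            // NOTE(review): .Result blocks a request thread on async work; converting this filter to
            // IAsyncActionFilter would remove the sync-over-async wait.
            var positions = _misService.GetPersonPosition(userIdValue).Result.ToList();

            // The position claimed in the header must be one MIS actually holds for this person
            // (an empty position list therefore also ends here).
            var selectedPosition = positions.FirstOrDefault(x => x.PositionId == positionIdValue);
            if (selectedPosition == null)
            {
                Deny();
                return;
            }

            // Allow For Non-Protected Access — still requires the valid person/position established above.
            if (AccessType == AccessType.AllowAny)
            {
                return;
            }

            // TODO: Store ASM Access Data in a cache, so doesn't need to hit ASM Api for each call
            var applicationSecurityRequestModel = new ApplicationSecurityRequestModel
            {
                ApplicationId = Guid.Parse(appSettings.ApplicationId),
                PersonId      = userIdValue,
                Positions     = positions.Select(currentPosition => new PositionRequestModel
                {
                    RoleId = currentPosition.RoleId, PositionId = currentPosition.PositionId
                }).ToList()
            };

            var accessPermissions = _asmService.Get(applicationSecurityRequestModel).Result.ToList();

            // Only the permission entry for the validated position counts; anything else the caller
            // may hold is irrelevant to this request.
            var selectedAccessPermission = accessPermissions.FirstOrDefault(x =>
                x.RoleId == selectedPosition.RoleId && x.PositionId == selectedPosition.PositionId);
            if (selectedAccessPermission == null)
            {
                Deny();
                return;
            }

            if (HasAccess(ModuleCode, AccessType, selectedAccessPermission.ApplicationAccess))
            {
                return;
            }

            Deny();
        }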