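/// <summary>
/// Registers the super-user token controller together with the JWT bearer scheme that validates the tokens it issues.
/// Each optional configure action is registered with the options system <em>and</em> applied to a local copy here,
/// because the scheme name and the validation parameters are needed at registration time, not lazily.
/// </summary>
/// <typeparam name="TKey">Key type handed to <c>DefaultTokenFabricator&lt;TKey&gt;</c> and <c>SuperUserTokenController&lt;TKey&gt;</c>.</typeparam>
/// <param name="mvcBuilder">The MVC core builder whose service collection is extended.</param>
/// <param name="timestamps">Supplies the current time to the token fabricator; it is captured and invoked per token, so it must not be null.</param>
/// <param name="configureClaimsAction">Optional claim-name configuration (role and user-name claim types).</param>
/// <param name="configureTokensAction">Optional token configuration: keys, issuer, audience, clock skew, encryption flag.</param>
/// <param name="configureSuperUserAction">Optional super-user configuration; its <c>Scheme</c>, when set, overrides the token scheme name.</param>
/// <returns>The same <paramref name="mvcBuilder"/>, for chaining.</returns>
/// <exception cref="ArgumentNullException"><paramref name="mvcBuilder"/> or <paramref name="timestamps"/> is null.</exception>
public static IMvcCoreBuilder AddSuperUserTokenController<TKey>(this IMvcCoreBuilder mvcBuilder, Func<IServiceProvider, DateTimeOffset> timestamps, Action<ClaimOptions> configureClaimsAction = null, Action<TokenOptions> configureTokensAction = null, Action<SuperUserOptions> configureSuperUserAction = null) where TKey : IEquatable<TKey>
{
    if (mvcBuilder == null)
    {
        throw new ArgumentNullException(nameof(mvcBuilder));
    }
    if (timestamps == null)
    {
        // Fail at registration rather than inside the singleton factory below, where a null delegate
        // would only surface as a NullReferenceException on the first token issued.
        throw new ArgumentNullException(nameof(timestamps));
    }

    if (configureClaimsAction != null)
    {
        mvcBuilder.Services.Configure(configureClaimsAction);
    }
    if (configureTokensAction != null)
    {
        mvcBuilder.Services.Configure(configureTokensAction);
    }
    if (configureSuperUserAction != null)
    {
        mvcBuilder.Services.Configure(configureSuperUserAction);
    }

    // Local copies, evaluated eagerly: the scheme name and validation parameters are read right here.
    var claims = new ClaimOptions();
    configureClaimsAction?.Invoke(claims);
    var tokens = new TokenOptions();
    configureTokensAction?.Invoke(tokens);
    var superUser = new SuperUserOptions();
    configureSuperUserAction?.Invoke(superUser);

    // The raw key strings are duck-typed into ITokenCredentials; MaybeSetSecurityKeys is expected to populate
    // credentials.SigningKey / credentials.EncryptingKey, which are read below (its body is not visible here).
    var credentials = new { SigningKeyString = tokens.SigningKey, EncryptingKeyString = tokens.EncryptingKey }.QuackLike<ITokenCredentials>();
    AuthenticationExtensions.MaybeSetSecurityKeys(credentials);

    var scheme = superUser.Scheme ?? tokens.Scheme;
    mvcBuilder.Services.AddAuthentication().AddJwtBearer(scheme, o =>
    {
        o.TokenValidationParameters = CreateSuperUserTokenValidationParameters(claims, tokens, credentials);
    });

    mvcBuilder.Services.TryAddSingleton<IIdentityClaimNameProvider, DefaultIdentityClaimNameProvider>();
    // The fabricator reads TokenOptions through IOptionsSnapshot, so later option changes are picked up per scope.
    mvcBuilder.Services.TryAddSingleton<ITokenFabricator<TKey>>(r => new DefaultTokenFabricator<TKey>(() => timestamps(r), r.GetRequiredService<IOptionsSnapshot<TokenOptions>>()));
    mvcBuilder.AddActiveRoute<SuperUserTokenController<TKey>, SuperUserFeature, SuperUserOptions>();
    return mvcBuilder;
}

/// <summary>
/// Builds the bearer validation parameters for the super-user scheme. Issuer, audience, lifetime and clock skew
/// are validated in both modes; only the signature requirement and the decryption key differ by <c>tokens.Encrypt</c>.
/// </summary>
/// <param name="claims">Claim-type names mapped onto <c>RoleClaimType</c> / <c>NameClaimType</c>.</param>
/// <param name="tokens">Issuer, audience, clock skew and the encryption flag.</param>
/// <param name="credentials">Carries the signing and encrypting keys.</param>
/// <returns>A fully populated <see cref="TokenValidationParameters"/>.</returns>
private static TokenValidationParameters CreateSuperUserTokenValidationParameters(ClaimOptions claims, TokenOptions tokens, ITokenCredentials credentials)
{
    var parameters = new TokenValidationParameters
    {
        ValidIssuer = tokens.Issuer,
        ValidateLifetime = true,
        ValidateAudience = true,
        ValidAudience = tokens.Audience,
        IssuerSigningKey = credentials.SigningKey.Key,
        ClockSkew = TimeSpan.FromSeconds(tokens.ClockSkewSeconds),
        RoleClaimType = claims.RoleClaim,
        NameClaimType = claims.UserNameClaim,
    };

    if (tokens.Encrypt)
    {
        // NOTE(review): in encrypted mode a signature is not required and the signing key is not validated,
        // so token integrity rests entirely on possession of the decryption key. Confirm that the fabricator
        // signs before encrypting, or that the encrypting key is a symmetric secret held only by issuers;
        // an asymmetric encryption key would not by itself authenticate the issuer.
        parameters.ValidateIssuerSigningKey = false;
        parameters.RequireSignedTokens = false;
        parameters.TokenDecryptionKey = credentials.EncryptingKey.Key;
        parameters.TokenDecryptionKeyResolver = (token, securityToken, kid, validationParameters) => new[] { credentials.EncryptingKey.Key };
    }
    else
    {
        parameters.ValidateIssuerSigningKey = true;
        parameters.RequireSignedTokens = true;
    }

    return parameters;
}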
/// <summary>
/// Wires the platform's security stack: options, CORS, authentication, super-user support, HTTPS and the
/// default authorization policies. Key material in <see cref="SecurityOptions"/> is resolved once here and
/// then pinned onto every <c>IOptions&lt;SecurityOptions&gt;</c> instance so all consumers see the same keys.
/// </summary>
/// <param name="services">The service collection being extended.</param>
/// <param name="configureSecurityAction">Optional <see cref="SecurityOptions"/> configuration.</param>
/// <param name="configureSuperUserAction">Optional <see cref="SuperUserOptions"/> configuration.</param>
/// <param name="logger">Optional logger passed to the sub-registrations.</param>
/// <returns>The same <paramref name="services"/>, for chaining.</returns>
public static IServiceCollection AddSecurityPolicies(this IServiceCollection services, Action<SecurityOptions> configureSecurityAction = null, Action<SuperUserOptions> configureSuperUserAction = null, ISafeLogger logger = null)
{
    // Global, process-wide side effects; performed before anything is registered.
    Bootstrap.EnsureInitialized();
    Bootstrap.ContractResolver.IgnoreTypes.Add(typeof(KestrelConfigurationLoader));

    // Eager local copies so the resolved keys can be read below (the meaning of the `true` argument is not visible here).
    var securityOptions = new SecurityOptions(true);
    configureSecurityAction?.Invoke(securityOptions);
    var superUserOptions = new SuperUserOptions();
    configureSuperUserAction?.Invoke(superUserOptions);

    // NOTE(review): this anonymous shape (SigningKeyCredentials / EncryptingKey) differs from the one used for
    // the super-user token scheme (SigningKeyString / EncryptingKeyString); QuackLike's mapping is not visible
    // here, so confirm both shapes populate SigningKey and EncryptingKey as read below.
    var tokenCredentials = new { SigningKeyCredentials = securityOptions.Signing, EncryptingKey = securityOptions.Encrypting }.QuackLike<ITokenCredentials>();
    AuthenticationExtensions.MaybeSetSecurityKeys(tokenCredentials);
    securityOptions.Signing = tokenCredentials.SigningKey;
    securityOptions.Encrypting = tokenCredentials.EncryptingKey;

    if (configureSecurityAction != null)
    {
        // Re-apply the caller's action, then overwrite the keys with the ones resolved above so the
        // options instance handed to consumers never carries unresolved key material.
        Action<SecurityOptions> pinResolvedKeys = options =>
        {
            configureSecurityAction.Invoke(options);
            options.Signing = securityOptions.Signing;
            options.Encrypting = securityOptions.Encrypting;
        };
        services.Configure<SecurityOptions>(pinResolvedKeys);
    }
    if (configureSuperUserAction != null)
    {
        services.Configure<SuperUserOptions>(configureSuperUserAction.Invoke);
    }

    services.ConfigureOptions<ConfigureWebServer>();
    services.AddCors(logger, securityOptions.Cors);
    services.AddAuthentication(logger, securityOptions, superUserOptions);
    services.AddSuperUser(logger, superUserOptions);
    services.AddHttps(logger, securityOptions);

    // FIXME: may need a better home for default policies for the platform
    // Access policies.
    services.AddDefaultAuthorization(Constants.Security.Policies.AccessOperations, ClaimValues.AccessOperations);
    services.AddDefaultAuthorization(Constants.Security.Policies.AccessMeta, ClaimValues.AccessMeta);
    // Management policies.
    services.AddDefaultAuthorization(Constants.Security.Policies.ManageConfiguration, ClaimValues.ManageConfiguration);
    services.AddDefaultAuthorization(Constants.Security.Policies.ManageObjects, ClaimValues.ManageObjects);
    services.AddDefaultAuthorization(Constants.Security.Policies.ManageSchemas, ClaimValues.ManageSchemas);
    services.AddDefaultAuthorization(Constants.Security.Policies.ManageBackgroundTasks, ClaimValues.ManageBackgroundTasks);
    services.AddDefaultAuthorization(Constants.Security.Policies.ManageUsers, ClaimValues.ManageUsers);
    services.AddDefaultAuthorization(Constants.Security.Policies.ManageRoles, ClaimValues.ManageRoles);
    services.AddDefaultAuthorization(Constants.Security.Policies.ManageTenants, ClaimValues.ManageTenants);
    services.AddDefaultAuthorization(Constants.Security.Policies.ManageApplications, ClaimValues.ManageApplications);

    return services;
}