Пример #1
0
        private async Task <Utilizer> CheckAuthorizationAsync(HttpContext httpContext)
        {
            var token = httpContext.Request.GetTokenFromHeader(out var tokenType);

            if (string.IsNullOrEmpty(token))
            {
                throw ErtisAuthException.AuthorizationHeaderMissing();
            }

            if (string.IsNullOrEmpty(tokenType))
            {
                throw ErtisAuthException.UnsupportedTokenType();
            }

            switch (tokenType)
            {
            case "Bearer":
            {
                var verifyTokenResult = await this.tokenService.VerifyBearerTokenAsync(token, false);

                if (!verifyTokenResult.IsValidated)
                {
                    throw ErtisAuthException.InvalidToken();
                }

                var user = verifyTokenResult.User;
                if (!string.IsNullOrEmpty(user.Role))
                {
                    var role = await this.roleService.GetByNameAsync(user.Role, user.MembershipId);

                    if (role != null)
                    {
                        this.VerifyRolePermissions(role, user.Id, httpContext);
                    }
                }

                return(user);
            }

            case "Basic":
            {
                var validationResult = await this.tokenService.VerifyBasicTokenAsync(token);

                if (!validationResult.IsValidated)
                {
                    throw ErtisAuthException.InvalidToken();
                }

                var application = validationResult.Application;
                if (!string.IsNullOrEmpty(application.Role))
                {
                    var role = await this.roleService.GetByNameAsync(application.Role, application.MembershipId);

                    if (role != null)
                    {
                        this.VerifyRolePermissions(role, application.Id, httpContext);
                    }
                }

                return(application);
            }

            default:
                throw ErtisAuthException.UnsupportedTokenType();
            }
        }
Пример #2
0
        private async Task <Utilizer> CheckAuthorizationAsync()
        {
            var token = this.Request.GetTokenFromHeader(out var tokenType);

            if (string.IsNullOrEmpty(token))
            {
                throw ErtisAuthException.AuthorizationHeaderMissing();
            }

            if (string.IsNullOrEmpty(tokenType))
            {
                throw ErtisAuthException.UnsupportedTokenType();
            }

            TokenTypeExtensions.TryParseTokenType(tokenType, out var _tokenType);
            switch (_tokenType)
            {
            case SupportedTokenTypes.None:
                throw ErtisAuthException.UnsupportedTokenType();

            case SupportedTokenTypes.Basic:
                var basicToken             = new BasicToken(token);
                var applicationId          = token.Split(':')[0];
                var getApplicationResponse = await this.applicationService.GetApplicationAsync(applicationId, basicToken);

                if (getApplicationResponse.IsSuccess)
                {
                    var rbacDefinition       = this.Context.GetRbacDefinition(getApplicationResponse.Data.Id);
                    var rbac                 = $"{rbacDefinition.Resource}.{rbacDefinition.Action}";
                    var isPermittedForAction = await this.roleService.CheckPermissionAsync(rbac, basicToken);

                    if (!isPermittedForAction)
                    {
                        throw ErtisAuthException.AccessDenied($"Token owner role is not permitted for this resource/action ({rbac})");
                    }

                    return(new Utilizer
                    {
                        Id = getApplicationResponse.Data.Id,
                        Username = getApplicationResponse.Data.Name,
                        Type = tokenType == "Basic" ? Utilizer.UtilizerType.Application : Utilizer.UtilizerType.User,
                        Role = getApplicationResponse.Data.Role,
                        Token = token,
                        TokenType = _tokenType
                    });
                }
                else
                {
                    var errorMessage = getApplicationResponse.Message;
                    if (ResponseHelper.TryParseError(getApplicationResponse.Message, out var error))
                    {
                        errorMessage = error.Message;
                    }

                    throw ErtisAuthException.Unauthorized(errorMessage);
                }

            case SupportedTokenTypes.Bearer:
                var bearerToken = BearerToken.CreateTemp(token);
                var meResponse  = await this.authenticationService.WhoAmIAsync(bearerToken);

                if (meResponse.IsSuccess)
                {
                    var rbacDefinition       = this.Context.GetRbacDefinition(meResponse.Data.Id);
                    var rbac                 = $"{rbacDefinition.Resource}.{rbacDefinition.Action}";
                    var isPermittedForAction = await this.roleService.CheckPermissionAsync(rbac, bearerToken);

                    if (!isPermittedForAction)
                    {
                        throw ErtisAuthException.AccessDenied($"Token owner role is not permitted for this resource/action ({rbac})");
                    }

                    return(new Utilizer
                    {
                        Id = meResponse.Data.Id,
                        Username = meResponse.Data.Username,
                        Type = tokenType == "Basic" ? Utilizer.UtilizerType.Application : Utilizer.UtilizerType.User,
                        Role = meResponse.Data.Role,
                        Token = token,
                        TokenType = _tokenType
                    });
                }
                else
                {
                    var errorMessage = meResponse.Message;
                    if (ResponseHelper.TryParseError(meResponse.Message, out var error))
                    {
                        errorMessage = error.Message;
                    }

                    throw ErtisAuthException.Unauthorized(errorMessage);
                }

            default:
                throw ErtisAuthException.UnsupportedTokenType();
            }
        }
Пример #3
0
 public static BadRequestObjectResult AuthorizationHeaderMissing(this ControllerBase controller)
 {
     return(controller.BadRequest(ErtisAuthException.AuthorizationHeaderMissing().Error));
 }
Пример #4
0
        private async Task <Utilizer> CheckAuthorizationAsync()
        {
            var token = this.Context.Request.GetTokenFromHeader(out var tokenType);

            if (string.IsNullOrEmpty(token))
            {
                throw ErtisAuthException.AuthorizationHeaderMissing();
            }

            if (string.IsNullOrEmpty(tokenType))
            {
                throw ErtisAuthException.UnsupportedTokenType();
            }

            TokenTypeExtensions.TryParseTokenType(tokenType, out var _tokenType);
            switch (_tokenType)
            {
            case SupportedTokenTypes.None:
                throw ErtisAuthException.UnsupportedTokenType();

            case SupportedTokenTypes.Basic:
                var validationResult = await this.tokenService.VerifyBasicTokenAsync(token, false);

                if (!validationResult.IsValidated)
                {
                    throw ErtisAuthException.InvalidToken();
                }

                var      application         = validationResult.Application;
                Utilizer applicationUtilizer = application;
                if (!string.IsNullOrEmpty(application.Role))
                {
                    var role = await this.roleService.GetByNameAsync(application.Role, application.MembershipId);

                    if (role != null)
                    {
                        var rbac = this.Context.GetRbacDefinition(application.Id);
                        if (!this.accessControlService.HasPermission(role, rbac, applicationUtilizer))
                        {
                            throw ErtisAuthException.AccessDenied("Your authorization role is unauthorized for this action");
                        }
                    }
                }

                applicationUtilizer.Token     = token;
                applicationUtilizer.TokenType = _tokenType;
                return(applicationUtilizer);

            case SupportedTokenTypes.Bearer:
                var verifyTokenResult = await this.tokenService.VerifyBearerTokenAsync(token, false);

                if (!verifyTokenResult.IsValidated)
                {
                    throw ErtisAuthException.InvalidToken();
                }

                var      user         = verifyTokenResult.User;
                Utilizer userUtilizer = user;
                if (!string.IsNullOrEmpty(user.Role))
                {
                    var role = await this.roleService.GetByNameAsync(user.Role, user.MembershipId);

                    if (role != null)
                    {
                        var rbac = this.Context.GetRbacDefinition(user.Id);
                        if (!this.accessControlService.HasPermission(role, rbac, userUtilizer))
                        {
                            throw ErtisAuthException.AccessDenied("Your authorization role is unauthorized for this action");
                        }
                    }
                }

                userUtilizer.Token     = token;
                userUtilizer.TokenType = _tokenType;
                return(userUtilizer);

            default:
                throw ErtisAuthException.UnsupportedTokenType();
            }
        }