public async Task GetDeviceAndModuleOnBehalfOfAsync([FromRoute] string actorDeviceId, [FromRoute] string actorModuleId, [FromBody] IdentityOnBehalfOfRequest request)
{
actorDeviceId = WebUtility.UrlDecode(Preconditions.CheckNonWhiteSpace(actorDeviceId, nameof(actorDeviceId)));
actorModuleId = WebUtility.UrlDecode(Preconditions.CheckNonWhiteSpace(actorModuleId, nameof(actorModuleId)));
Preconditions.CheckNonWhiteSpace(request.AuthChain, nameof(request.AuthChain));
if (actorModuleId != Constants.EdgeHubModuleId)
{
// Only child EdgeHubs are allowed to act OnBehalfOf of devices/modules.
var result = new EdgeHubScopeResultError(HttpStatusCode.Unauthorized, Events.UnauthorizedActor(actorDeviceId, actorModuleId));
await this.SendResponse(result.Status, JsonConvert.SerializeObject(result));
}
IHttpRequestAuthenticator authenticator = await this.authenticatorGetter;
HttpAuthResult authResult = await authenticator.AuthenticateAsync(actorDeviceId, Option.Some(actorModuleId), Option.Some(request.AuthChain), this.HttpContext);
if (authResult.Authenticated)
{
EdgeHubScopeResult reqResult = await this.HandleGetDeviceAndModuleOnBehalfOfAsync(actorDeviceId, actorModuleId, request);
await this.SendResponse(reqResult.Status, JsonConvert.SerializeObject(reqResult));
}
else
{
var result = new EdgeHubScopeResultError(HttpStatusCode.Unauthorized, authResult.ErrorMessage);
await this.SendResponse(result.Status, JsonConvert.SerializeObject(result));
}
}
async Task <bool> AuthenticateAsync(string deviceId, Option <string> moduleId, Option <string> authChain)
{
IHttpRequestAuthenticator authenticator = await this.authenticatorGetter;
HttpAuthResult authResult = await authenticator.AuthenticateAsync(deviceId, moduleId, authChain, this.HttpContext);
if (authResult.Authenticated)
{
Events.Authenticated(deviceId, moduleId.GetOrElse(string.Empty));
return(true);
}
Events.AuthenticateFail(deviceId, moduleId.GetOrElse(string.Empty));
return(false);
}
async Task <MethodResult> InvokeMethodAsync(DirectMethodRequest directMethodRequest)
{
Events.ReceivedMethodCall(directMethodRequest);
IEdgeHub edgeHub = await this.edgeHubGetter;
MethodResult methodResult;
string currentEdgeDeviceId = edgeHub.GetEdgeDeviceId();
if (this.TryGetActorId(out string actorDeviceId, out string actorModuleId))
{
string actorId = $"{actorDeviceId}/{actorModuleId}";
if (actorDeviceId == currentEdgeDeviceId)
{
IHttpRequestAuthenticator authenticator = await this.authenticatorGetter;
HttpAuthResult authResult = await authenticator.AuthenticateAsync(actorDeviceId, Option.Some(actorModuleId), this.HttpContext);
if (authResult.Authenticated)
{
using (Metrics.TimeDirectMethod(actorDeviceId, directMethodRequest.Id))
{
DirectMethodResponse directMethodResponse = await edgeHub.InvokeMethodAsync(actorId, directMethodRequest);
Events.ReceivedMethodCallResponse(directMethodRequest, actorId);
methodResult = GetMethodResult(directMethodResponse);
}
}
else
{
methodResult = new MethodErrorResult(HttpStatusCode.Unauthorized, authResult.ErrorMessage);
}
}
else
{
methodResult = new MethodErrorResult(HttpStatusCode.Unauthorized, "Only modules on the same device can invoke DirectMethods");
}
}
else
{
methodResult = new MethodErrorResult(HttpStatusCode.BadRequest, $"Invalid header value for {Constants.ServiceApiIdHeaderKey}");
}
return(methodResult);
}
public async Task GetDevicesAndModulesInTargetDeviceScopeAsync([FromRoute] string actorDeviceId, [FromRoute] string actorModuleId, [FromBody] NestedScopeRequest request)
{
actorDeviceId = WebUtility.UrlDecode(Preconditions.CheckNonWhiteSpace(actorDeviceId, nameof(actorDeviceId)));
actorModuleId = WebUtility.UrlDecode(Preconditions.CheckNonWhiteSpace(actorModuleId, nameof(actorModuleId)));
Preconditions.CheckNonWhiteSpace(request.AuthChain, nameof(request.AuthChain));
if (actorModuleId != Constants.EdgeHubModuleId)
{
// Only child EdgeHubs are allowed to act OnBehalfOf of devices/modules.
var result = new EdgeHubScopeResultError(HttpStatusCode.Unauthorized, Events.UnauthorizedActor(actorDeviceId, actorModuleId));
await this.SendResponse(result.Status, JsonConvert.SerializeObject(result));
}
string authChain = request.AuthChain;
string[] ids = AuthChainHelpers.GetAuthChainIds(authChain);
if (ids.Length == 1)
{
// A child EdgeHub can use its module credentials to calls upstream
// OnBehalfOf its device identity, so the auth-chain would just have
// one element denoting the target device scope but no actor.
// However, the auth stack requires an actor to be specified for OnBehalfOf
// connections, so we manually add the actor to the auth-chain for this
// special case.
authChain = $"{ids[0]}/{Constants.EdgeHubModuleId};{ids[0]}";
}
IHttpRequestAuthenticator authenticator = await this.authenticatorGetter;
HttpAuthResult authResult = await authenticator.AuthenticateAsync(actorDeviceId, Option.Some(actorModuleId), Option.Some(authChain), this.HttpContext);
if (authResult.Authenticated)
{
EdgeHubScopeResult reqResult = await this.HandleDevicesAndModulesInTargetDeviceScopeAsync(actorDeviceId, actorModuleId, request);
await this.SendResponse(reqResult.Status, JsonConvert.SerializeObject(reqResult));
}
else
{
var result = new EdgeHubScopeResultError(HttpStatusCode.Unauthorized, authResult.ErrorMessage);
await this.SendResponse(result.Status, JsonConvert.SerializeObject(result));
}
}
public async Task GetDevicesAndModulesInTargetDeviceScopeAsync([FromRoute] string actorDeviceId, [FromRoute] string actorModuleId, [FromBody] NestedScopeRequest request)
{
actorDeviceId = WebUtility.UrlDecode(Preconditions.CheckNonWhiteSpace(actorDeviceId, nameof(actorDeviceId)));
actorModuleId = WebUtility.UrlDecode(Preconditions.CheckNonWhiteSpace(actorModuleId, nameof(actorModuleId)));
IHttpRequestAuthenticator authenticator = await this.authenticatorGetter;
HttpAuthResult authResult = await authenticator.AuthenticateAsync(actorDeviceId, Option.Some(actorModuleId), this.HttpContext);
if (authResult.Authenticated)
{
EdgeHubScopeResult reqResult = await this.HandleDevicesAndModulesInTargetDeviceScopeAsync(actorDeviceId, actorModuleId, request);
await this.SendResponse(reqResult.Status, JsonConvert.SerializeObject(reqResult));
}
else
{
var result = new EdgeHubScopeResultError(HttpStatusCode.Unauthorized, authResult.ErrorMessage);
await this.SendResponse(result.Status, JsonConvert.SerializeObject(result));
}
}
