public Response Authorize(Request request)
{
ApiGatewayArn apiGatewayArn = null;
string principalId = null;
try
{
_logger.LogDebug("Authorizing");
_requestValidationService.ValidateRequest(request, out apiGatewayArn);
TokenValidationParameters jwtConfig = _tokenConfigService.GetJwtConfig();
string token = request.AuthorizationToken?.Replace("Bearer ", "");
ClaimsPrincipal user = _tokenValidationService.ValidateToken(token, jwtConfig);
principalId = _claimsPrincipalService.GetPrincipalId(user);
// this uses the all-or-nothing auth strategy by default:
_policyBuilder.AllowAllMethods();
// however, you could allow/deny specific methods/resources based off the user's claims, for example:
// Claim role = user.Claims.FirstOrDefault(x => x.Type == ClaimTypes.Role);
// HttpVerb verb = role?.Value == "admin" ? HttpVerb.All : HttpVerb.Get;
// _policyBuilder.AllowMethod(verb, "config");
_logger.LogDebug("Authorization succeeded", new { principalId });
}
catch (BaseException ex)
{
_logger.LogDebug(ex.Message, new { ex.InnerException });
_logger.LogDebug("Authorization failed", new { });
// you may choose to throw an unauthorized exception here instead of returning a "deny all" policy
// throw new UnauthorizedException();
_policyBuilder.DenyAllMethods();
}
Response response = _policyBuilder.Build(apiGatewayArn, principalId);
// you can add key-value pairs that can be accessed in API Gateway via $context.authorizer.<key>
// response.Context.Add("key", "value");
return(response);
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, PolicyRequirement requirement)
{
if (context.User != null && _state.LoggedUser == null)
{
var my = await _esquioHttpClient.GetMy();
if (my != null && !String.IsNullOrEmpty(my.ActAs))
{
var loggedUser = new LoggedUserViewModel()
{
UserName = context.User.Identity.Name,
SubjectId = context.User.FindFirst("sub").Value,
ActAs = my.ActAs
};
var policy = _policyBuilder.Build(my);
_state.ClearState();
_state.SetLoggedUser(loggedUser);
_state.SetPolicy(policy);
}
else
{
context.Fail();
return;
}
}
var actAs = ActAs.From(_state.LoggedUser.ActAs);
bool allowed = requirement.Permission switch
{
Policies.Reader => actAs == ActAs.Reader || actAs == ActAs.Contributor || actAs == ActAs.Management,
Policies.Contributor => actAs == ActAs.Contributor || actAs == ActAs.Management,
Policies.Management => actAs == ActAs.Management,
_ => throw new ArgumentNullException("The configured authorization policy is not supported.")
};
if (!allowed)
{
LogAuthorizationFailed(_state.LoggedUser.SubjectId, requirement.Permission);
context.Fail();
}
context.Succeed(requirement);
}
public IPolicy Create() => _builder.Build();