public void OnAuthentication(AuthenticationContext filterContext) { var cookies = filterContext.HttpContext.Request.Cookies; IPrincipal principal = null; var cookieContext = cookies[Security.Constants.CookieName]; if (cookieContext != null) { var authService = this.Container.Resolve <IAuthService>(); var user = authService.GetUserFromCookie(cookieContext); if (user != null) { IIdentity identity = new IndentityUser(user.Login); principal = new IdentityPrincipal(identity); } } if (principal == null) { IIdentity user = new AnonymousUser(); principal = new IdentityPrincipal(user); } filterContext.Principal = principal; filterContext.HttpContext.User = principal; Thread.CurrentPrincipal = principal; }
public async Task CertificateSetGetTest() { IWorkContext context = _workContext.WithMethodName(); var identityRepository = new IdentityInMemoryStore() .Set(_workContext, new IdentityPrincipal(new PrincipalId("*****@*****.**"), IdentityPrincipalType.User).With(new ApiKey("API Key1", DateTime.UtcNow.AddYears(1)))) .Set(_workContext, new IdentityPrincipal(new PrincipalId("*****@*****.**"), IdentityPrincipalType.User).With(new ApiKey("API Key2", DateTime.UtcNow.AddYears(1)))); var builder = new ContainerBuilder(); builder.RegisterModule(new IdentityActorAutoFacModule()); builder.RegisterInstance(identityRepository).As <IIdentityStore>(); ILifetimeScope container = builder.Build(); IActorManager manager = new ActorConfigurationBuilder() .AddIdentityModule(container) .Build() .ToActorManager(); using (ILifetimeScope scopeContainer = container.BeginLifetimeScope()) using (manager) { IIdentityActor clientActor1 = await manager.CreateProxyAsync <IIdentityActor>(context, new ActorKey("*****@*****.**")); IdentityPrincipal client1 = await clientActor1.Get(context); client1.Should().NotBeNull(); client1.PrincipalId.Value.Should().Be("*****@*****.**"); client1.ApiKey.Value.Should().Be("API Key1"); IIdentityActor clientActor2 = await manager.CreateProxyAsync <IIdentityActor>(context, new ActorKey("*****@*****.**")); IdentityPrincipal client2 = await clientActor2.Get(context); client2.Should().NotBeNull(); client2.PrincipalId.Value.Should().Be("*****@*****.**"); client2.ApiKey.Value.Should().Be("API Key2"); await clientActor2.Remove(context); (await clientActor2.Get(context)).Should().BeNull(); identityRepository.Get(context, new PrincipalId("*****@*****.**")).Should().BeNull(); await clientActor2.Set(context, new IdentityPrincipal(new PrincipalId("*****@*****.**"), IdentityPrincipalType.User)); (await clientActor2.Get(context)).Should().NotBeNull(); identityRepository.Get(context, new PrincipalId("*****@*****.**")).Should().NotBeNull(); } await Verify.AssertExceptionAsync <ArgumentException>(async() => await manager.DeactivateAllAsync(_workContext)); }
public async Task Invoke(HttpContext httpContext) { RequestContext requestContext = httpContext.Items.Get <RequestContext>(); IWorkContext context = (requestContext.Context ?? WorkContext.Empty).WithTag(_tag); // Does the request has an authorization header string authorizationValue = httpContext.Request.Headers["Authorization"]; if (authorizationValue.IsEmpty()) { await _next(httpContext); return; } // Get authorization parts AuthenticationHeaderValue authorization; if (!AuthenticationHeaderValue.TryParse(authorizationValue, out authorization) || authorization.Scheme != "hmac") { await _next(httpContext); return; } AspMvcEventSource.Log.Verbose(context, $"Authorization {authorization.Parameter}"); string[] signatureParts = authorization.Parameter.Split(':'); if (signatureParts.Length != 2) { httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; return; } // Lookup the credential IdentityPrincipal identity = await _identityRepository.GetAsync(context, new PrincipalId(signatureParts[0])); if (identity == null || identity.ApiKey == null || identity.ApiKey.HasExpired) { httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; return; } // Try get date RequestHeaders requestHeaders = httpContext.Request.GetTypedHeaders(); HmacSignature hmac = new HmacSignature(_hmacConfiguration); Uri url = new Uri(httpContext.Request.GetEncodedUrl()); IEnumerable <KeyValuePair <string, IEnumerable <string> > > headers = httpContext.Request.Headers.Select(x => new KeyValuePair <string, IEnumerable <string> >(x.Key, x.Value)); // Validate HMAC signature if (!hmac.ValidateSignature(context, authorization.Parameter, identity.ApiKey.Value, httpContext.Request.Method, url, headers, requestHeaders.Date)) { httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; return; } // Set identity of the caller httpContext.Items.Set(new HmacIdentity(authorization.Parameter)); // Next await _next(httpContext); }
/// <summary> /// Create JWT token for access to server /// </summary> /// <param name="context">context</param> /// <param name="requestToken"></param> /// <returns></returns> public async Task <string> CreateAutorizationToken(IWorkContext context, string requestToken) { Verify.IsNotNull(nameof(context), context); Verify.IsNotEmpty(nameof(requestToken), requestToken); context = context.WithTag(_tag); var certificateList = new List <X509Certificate2>(); foreach (var item in _configuration.TokenAuthorizationRequestCertificateKeys) { certificateList.Add(await _certificateRepository.GetCertificate(context, item, true)); } JwtTokenParser requestTokenParser = new JwtTokenParserBuilder() .AddCertificates(certificateList) .AddValidIssuers(_configuration.ValidIssuers) .Build(); JwtTokenDetails details = requestTokenParser.Parse(context, requestToken); if (details == null || details.JwtSecurityToken.Payload.Sub.IsEmpty()) { NetEventSource.Log.Verbose(context, "Payload.Sub is empty"); return(null); } IdentityPrincipal identity = await _identityRepository.GetAsync(context, new PrincipalId(details.JwtSecurityToken.Payload.Sub)); // If JWT subject is a valid issuer, then this should be a service principal if (_configuration.ValidIssuers.Any(x => x == details.JwtSecurityToken.Payload.Sub)) { if (identity == null) { identity = new IdentityPrincipal(new PrincipalId(details.JwtSecurityToken.Payload.Sub), IdentityPrincipalType.Service); } else { if (identity.PrincipalType != IdentityPrincipalType.Service) { NetEventSource.Log.Verbose(context, $"Identity {details.JwtSecurityToken.Payload.Sub} is not a service principal"); return(null); } } } else { // Identity principal does not exist if (identity == null) { NetEventSource.Log.Verbose(context, $"Identity {details.JwtSecurityToken.Payload.Sub} does not exist"); return(null); } } DateTime expires = DateTime.UtcNow + _configuration.TokenAuthorization.GoodFor; identity = identity.With(ApiKey.CreateApiKey(expires)); await _identityRepository.SetAsync(context, identity); X509Certificate2 certificate = await _certificateRepository.GetCertificate( context, _configuration.TokenAuthorization.AuthorizationSigningCertificateKey, throwOnNotFound : true); string token = new JwtTokenBuilder() .AddSubject(identity.PrincipalId) .SetAudience(_configuration.TokenAuthorization.Audience) .SetIssuer(_configuration.TokenAuthorization.Issuer) .SetExpires(expires) .SetIssuedAt(DateTime.Now) .SetWebKey(identity.ApiKey.Value) .SetCertificate(certificate) .Build(); return(token); }