public async Task ShouldAllowAdminImpersonateOthers()
{
const string userName = "******";
var claims = new[]
{
new Claim(ClaimTypes.Name, userName),
new Claim(ClaimTypes.Role, UserRoles.Admin)
};
var jwtAuthManager = _serviceProvider.GetRequiredService <IJwtAuthManager>();
var jwtResult = jwtAuthManager.GenerateTokens(userName, claims, DateTime.Now.AddMinutes(-1));
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(JwtBearerDefaults.AuthenticationScheme, jwtResult.AccessToken);
var request = new ImpersonationRequest {
UserName = "******"
};
var response = await _httpClient.PostAsync("api/account/impersonation",
new StringContent(JsonSerializer.Serialize(request), Encoding.UTF8, MediaTypeNames.Application.Json));
var responseContent = await response.Content.ReadAsStringAsync();
var result = JsonSerializer.Deserialize <LoginResult>(responseContent);
Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
Assert.AreEqual(request.UserName, result.UserName);
Assert.AreEqual(userName, result.OriginalUserName);
Assert.AreEqual(UserRoles.BasicUser, result.Role);
Assert.IsFalse(string.IsNullOrWhiteSpace(result.AccessToken));
Assert.IsFalse(string.IsNullOrWhiteSpace(result.RefreshToken));
var(principal, jwtSecurityToken) = jwtAuthManager.DecodeJwtToken(result.AccessToken);
Assert.AreEqual(request.UserName, principal.Identity.Name);
Assert.AreEqual(UserRoles.BasicUser, principal.FindFirst(ClaimTypes.Role).Value);
Assert.AreEqual(userName, principal.FindFirst("OriginalUserName").Value);
Assert.IsNotNull(jwtSecurityToken);
}
/// <inheritdoc />
public async Task <Uri> GetImpersonationUrlAsync(ImpersonationRequest request)
{
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
var body = new
{
protocol = request.Protocol,
impersonator_id = request.ImpersonatorId,
client_id = request.ClientId,
response_type = request.ResponseType,
state = request.State
};
var response = await connection.SendAsync <string>(
HttpMethod.Post,
BuildUri($"users/{request.ImpersonateId}/impersonate"),
body,
BuildHeaders(request.Token)
).ConfigureAwait(false);
return(new Uri(response));
}
public async Task ShouldReturnBadRequestIfStopImpersonationWhenNotImpersonating()
{
const string userName = "******";
var claims = new[]
{
new Claim(ClaimTypes.Name, userName),
new Claim(ClaimTypes.Role, UserRoles.BasicUser)
};
var jwtAuthManager = _serviceProvider.GetRequiredService <IJwtAuthManager>();
var jwtResult = jwtAuthManager.GenerateTokens(userName, claims, DateTime.Now.AddMinutes(-1));
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(JwtBearerDefaults.AuthenticationScheme, jwtResult.AccessToken);
var request = new ImpersonationRequest {
UserName = "******"
};
var response = await _httpClient.PostAsync("api/account/stop-impersonation",
new StringContent(JsonSerializer.Serialize(request), Encoding.UTF8, MediaTypeNames.Application.Json));
Assert.AreEqual(HttpStatusCode.BadRequest, response.StatusCode);
}
/// <summary>
/// Generates a link that can be used once to log in as a specific user.
/// </summary>
/// <param name="request">The <see cref="ImpersonationRequest"/> containing the details of the user to impersonate.</param>
/// <returns>A <see cref="Uri"/> which can be used to sign in as the specified user.</returns>
public async Task <Uri> GetImpersonationUrlAsync(ImpersonationRequest request)
{
string url = await Connection.PostAsync <string>("users/{impersonate_id}/impersonate",
new
{
protocol = request.Protocol,
impersonator_id = request.ImpersonatorId,
client_id = request.ClientId,
response_type = request.ResponseType,
state = request.State
}, null, null,
new Dictionary <string, string>
{
{ "impersonate_id", request.ImpersonateId }
},
new Dictionary <string, object>
{
{ "Authorization", $"Bearer {request.Token}" }
}, null).ConfigureAwait(false);
return(new Uri(url));
}
public async Task <ActionResult <LoginResult> > Impersonate([FromBody] ImpersonationRequest request)
{
var email = User.Identity.Name;
_logger.LogInformation($"User [{email}] is trying to impersonate [{request.Email}].");
var impersonatedRole = await _userService.GetUserRoleAsync(request.Email);
if (string.IsNullOrWhiteSpace(impersonatedRole))
{
_logger.LogInformation($"User [{email}] failed to impersonate [{request.Email}] due to the target user not found.");
return(BadRequest($"The target user [{request.Email}] is not found."));
}
if (impersonatedRole == Policies.Admin)
{
_logger.LogInformation($"User [{email}] is not allowed to impersonate another Admin.");
return(BadRequest("This action is not supported."));
}
var claims = new[]
{
new Claim(ClaimTypes.Name, request.Email),
new Claim(ClaimTypes.Role, impersonatedRole),
new Claim("OriginalEmail", email)
};
var jwtResult = await _jwtAuthManager.GenerateTokensAsync(request.Email, claims, DateTime.Now);
_logger.LogInformation($"User [{request.Email}] is impersonating [{request.Email}] in the system.");
return(new LoginResult
{
Email = request.Email,
Role = impersonatedRole,
OriginalEmail = email,
AccessToken = jwtResult.AccessToken,
RefreshToken = jwtResult.RefreshToken.TokenString
});
}
public ActionResult Impersonate([FromBody] ImpersonationRequest request)
{
var userName = User.Identity.Name;
_logger.LogInformation($"User [{userName}] is trying to impersonate [{request.UserName}].");
var impersonatedRole = _userService.GetUserRole(request.UserName);
if (string.IsNullOrWhiteSpace(impersonatedRole))
{
_logger.LogInformation($"User [{userName}] failed to impersonate [{request.UserName}] due to the target user not found.");
return(BadRequest($"The target user [{request.UserName}] is not found."));
}
if (impersonatedRole == UserRoles.Admin)
{
_logger.LogInformation($"User [{userName}] is not allowed to impersonate another Admin.");
return(BadRequest("This action is not supported."));
}
var claims = new[]
{
new Claim(ClaimTypes.Name, request.UserName),
new Claim(ClaimTypes.Role, impersonatedRole),
new Claim("OriginalUserName", userName)
};
var jwtResult = _jwtAuthManager.GenerateTokens(request.UserName, claims, DateTime.Now);
_logger.LogInformation($"User [{request.UserName}] is impersonating [{request.UserName}] in the system.");
return(Ok(new LoginResult
{
UserName = request.UserName,
Role = impersonatedRole,
OriginalUserName = userName,
AccessToken = jwtResult.AccessToken,
RefreshToken = jwtResult.RefreshToken.TokenString
}));
}
public Task <Uri> GetImpersonationUrlAsync(ImpersonationRequest request)
{
return(_inner.GetImpersonationUrlAsync(request));
}
public Task <Uri> GetImpersonationUrlAsync(ImpersonationRequest request, CancellationToken cancellationToken = default)
{
return(_inner.GetImpersonationUrlAsync(request, cancellationToken));
}
