HttpResponseMessage WriteAuthorizationChallenge(RavenBaseApiController controller, int statusCode, string error, string errorDescription)
{
var msg = controller.GetEmptyMessage();
var systemConfiguration = controller.SystemConfiguration;
if (string.IsNullOrEmpty(systemConfiguration.OAuthTokenServer) == false)
{
if (systemConfiguration.UseDefaultOAuthTokenServer == false)
{
controller.AddHeader("OAuth-Source", systemConfiguration.OAuthTokenServer, msg);
}
else
{
controller.AddHeader("OAuth-Source", new UriBuilder(systemConfiguration.OAuthTokenServer)
{
Scheme = controller.InnerRequest.RequestUri.Scheme,
Host = controller.InnerRequest.RequestUri.Host,
Port = controller.InnerRequest.RequestUri.Port,
}.Uri.ToString(), msg);
}
}
msg.StatusCode = (HttpStatusCode)statusCode;
msg.Headers.Add("WWW-Authenticate", string.Format("Bearer realm=\"Raven\", error=\"{0}\",error_description=\"{1}\"", error, errorDescription));
msg.Headers.Add("Access-Control-Expose-Headers", "WWW-Authenticate, OAuth-Source");
return(msg);
}
private bool TryCreateUser(RavenBaseApiController controller, string databaseName, out Func <HttpResponseMessage> onRejectingRequest)
{
var invalidUser = (controller.User == null || controller.User.Identity.IsAuthenticated == false);
if (invalidUser)
{
onRejectingRequest = () =>
{
var msg = ProvideDebugAuthInfo(controller, new
{
Reason = "User is null or not authenticated"
});
controller.AddHeader("Raven-Required-Auth", "Windows", msg);
if (string.IsNullOrEmpty(controller.SystemConfiguration.OAuthTokenServer) == false)
{
controller.AddHeader("OAuth-Source", controller.SystemConfiguration.OAuthTokenServer, msg);
}
msg.StatusCode = HttpStatusCode.Unauthorized;
return(msg);
};
return(false);
}
var dbUsersIsAllowedAccessTo = requiredUsers
.Where(data => controller.User.Identity.Name.Equals(data.Name, StringComparison.InvariantCultureIgnoreCase))
.SelectMany(source => source.Databases)
.Concat(requiredGroups.Where(data => controller.User.IsInRole(data.Name)).SelectMany(x => x.Databases))
.ToList();
var fsUsersIsAllowedAccessTo = requiredUsers
.Where(data => controller.User.Identity.Name.Equals(data.Name, StringComparison.InvariantCultureIgnoreCase))
.SelectMany(source => source.FileSystems)
.Concat(requiredGroups.Where(data => controller.User.IsInRole(data.Name)).SelectMany(x => x.FileSystems))
.ToList();
var user = UpdateUserPrincipal(controller, dbUsersIsAllowedAccessTo, fsUsersIsAllowedAccessTo);
onRejectingRequest = () =>
{
var msg = ProvideDebugAuthInfo(controller, new
{
user.Identity.Name,
user.AdminDatabases,
user.ReadOnlyDatabases,
user.ReadWriteDatabases,
user.ReadOnlyFileSystems,
user.ReadWriteFileSystems,
DatabaseName = databaseName
});
msg.StatusCode = HttpStatusCode.Forbidden;
throw new HttpResponseException(msg);
};
return(true);
}
// Cross-Origin Resource Sharing (CORS) is documented here: http://www.w3.org/TR/cors/
public void AddAccessControlHeaders(RavenBaseApiController controller, HttpResponseMessage msg)
{
var accessControlAllowOrigin = landlord.SystemConfiguration.AccessControlAllowOrigin;
if (accessControlAllowOrigin.Count == 0)
{
return;
}
var originHeader = controller.GetHeader("Origin");
if (originHeader == null || originHeader.Contains(controller.InnerRequest.Headers.Host))
{
return; // no need
}
bool originAllowed = accessControlAllowOrigin.Contains("*") ||
accessControlAllowOrigin.Contains(originHeader);
if (originAllowed)
{
controller.AddHeader("Access-Control-Allow-Origin", originHeader, msg);
}
if (controller.InnerRequest.Method.Method != "OPTIONS")
{
return;
}
controller.AddHeader("Access-Control-Allow-Credentials", "true", msg);
controller.AddHeader("Access-Control-Max-Age", landlord.SystemConfiguration.AccessControlMaxAge, msg);
controller.AddHeader("Access-Control-Allow-Methods", landlord.SystemConfiguration.AccessControlAllowMethods, msg);
if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlRequestHeaders))
{
// allow whatever headers are being requested
var hdr = controller.GetHeader("Access-Control-Request-Headers"); // typically: "x-requested-with"
if (hdr != null)
{
controller.AddHeader("Access-Control-Allow-Headers", hdr, msg);
}
}
else
{
controller.AddHeader("Access-Control-Request-Headers", landlord.SystemConfiguration.AccessControlRequestHeaders, msg);
}
}
// Cross-Origin Resource Sharing (CORS) is documented here: http://www.w3.org/TR/cors/
public void AddAccessControlHeaders(RavenBaseApiController controller, HttpResponseMessage msg)
{
var accessControlAllowOrigin = landlord.SystemConfiguration.AccessControlAllowOrigin;
if (accessControlAllowOrigin.Count == 0)
return;
var originHeader = controller.GetHeader("Origin");
if (originHeader == null || originHeader.Contains(controller.InnerRequest.Headers.Host))
return; // no need
bool originAllowed = accessControlAllowOrigin.Contains("*") ||
accessControlAllowOrigin.Contains(originHeader);
if (originAllowed)
{
controller.AddHeader("Access-Control-Allow-Origin", originHeader, msg);
}
if (controller.InnerRequest.Method.Method != "OPTIONS")
return;
controller.AddHeader("Access-Control-Allow-Credentials", "true", msg);
controller.AddHeader("Access-Control-Max-Age", landlord.SystemConfiguration.AccessControlMaxAge, msg);
controller.AddHeader("Access-Control-Allow-Methods", landlord.SystemConfiguration.AccessControlAllowMethods, msg);
if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlRequestHeaders))
{
// allow whatever headers are being requested
var hdr = controller.GetHeader("Access-Control-Request-Headers"); // typically: "x-requested-with"
if (hdr != null)
controller.AddHeader("Access-Control-Allow-Headers", hdr, msg);
}
else
{
controller.AddHeader("Access-Control-Request-Headers", landlord.SystemConfiguration.AccessControlRequestHeaders, msg);
}
}
HttpResponseMessage WriteAuthorizationChallenge(RavenBaseApiController controller, int statusCode, string error, string errorDescription)
{
var msg = controller.GetEmptyMessage();
var systemConfiguration = controller.SystemConfiguration;
if (string.IsNullOrEmpty(systemConfiguration.OAuthTokenServer) == false)
{
if (systemConfiguration.UseDefaultOAuthTokenServer == false)
{
controller.AddHeader("OAuth-Source", systemConfiguration.OAuthTokenServer, msg);
}
else
{
controller.AddHeader("OAuth-Source", new UriBuilder(systemConfiguration.OAuthTokenServer)
{
Host = controller.InnerRequest.RequestUri.Host,
Port = controller.InnerRequest.RequestUri.Port
}.Uri.ToString(), msg);
}
}
msg.StatusCode = (HttpStatusCode)statusCode;
msg.Headers.Add("WWW-Authenticate", string.Format("Bearer realm=\"Raven\", error=\"{0}\",error_description=\"{1}\"", error, errorDescription));
return msg;
}
// Cross-Origin Resource Sharing (CORS) is documented here: http://www.w3.org/TR/cors/
public void AddAccessControlHeaders(RavenBaseApiController controller, HttpResponseMessage msg)
{
if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlAllowOrigin))
return;
controller.AddHeader("Access-Control-Allow-Credentials", "true", msg);
bool originAllowed = landlord.SystemConfiguration.AccessControlAllowOrigin == "*" ||
landlord.SystemConfiguration.AccessControlAllowOrigin.Split(' ')
.Any(o => o == controller.GetHeader("Origin"));
if (originAllowed)
{
controller.AddHeader("Access-Control-Allow-Origin", controller.GetHeader("Origin"), msg);
}
controller.AddHeader("Access-Control-Max-Age", landlord.SystemConfiguration.AccessControlMaxAge, msg);
controller.AddHeader("Access-Control-Allow-Methods", landlord.SystemConfiguration.AccessControlAllowMethods, msg);
if (string.IsNullOrEmpty(landlord.SystemConfiguration.AccessControlRequestHeaders))
{
// allow whatever headers are being requested
var hdr = controller.GetHeader("Access-Control-Request-Headers"); // typically: "x-requested-with"
if (hdr != null)
controller.AddHeader("Access-Control-Allow-Headers", hdr, msg);
}
else
{
controller.AddHeader("Access-Control-Request-Headers", landlord.SystemConfiguration.AccessControlRequestHeaders, msg);
}
}
private bool TryCreateUser(RavenBaseApiController controller, string databaseName, out Func<HttpResponseMessage> onRejectingRequest)
{
var invalidUser = (controller.User == null || controller.User.Identity.IsAuthenticated == false);
if (invalidUser)
{
onRejectingRequest = () =>
{
var msg = ProvideDebugAuthInfo(controller, new
{
Reason = "User is null or not authenticated"
});
controller.AddHeader("Raven-Required-Auth", "Windows", msg);
if (string.IsNullOrEmpty(controller.SystemConfiguration.OAuthTokenServer) == false)
{
controller.AddHeader("OAuth-Source", controller.SystemConfiguration.OAuthTokenServer, msg);
}
msg.StatusCode = HttpStatusCode.Unauthorized;
return msg;
};
return false;
}
var dbUsersIsAllowedAccessTo = requiredUsers
.Where(data => controller.User.Identity.Name.Equals(data.Name, StringComparison.InvariantCultureIgnoreCase))
.SelectMany(source => source.Databases)
.Concat(requiredGroups.Where(data => controller.User.IsInRole(data.Name)).SelectMany(x => x.Databases))
.ToList();
var user = UpdateUserPrincipal(controller, dbUsersIsAllowedAccessTo);
onRejectingRequest = () =>
{
var msg = ProvideDebugAuthInfo(controller, new
{
user.Identity.Name,
user.AdminDatabases,
user.ReadOnlyDatabases,
user.ReadWriteDatabases,
DatabaseName = databaseName
});
msg.StatusCode = HttpStatusCode.Forbidden;
throw new HttpResponseException(msg);
};
return true;
}