public async Task When_JwsPayload_Cannot_Be_Extracted_Then_NotAuthorized_Is_Returned() { // ARRANGE InitializeFakeObjects(); var ticket = new TicketLineParameter { Scopes = new List <string> { "read", "create", "update" } }; var authorizationPolicies = new List <Policy> { new Policy { Scopes = new List <string> { "read", "create", "update" }, Claims = new List <Claim> { new Claim { Type = "name" }, new Claim { Type = "email" } } } }; var claimTokenParameters = new ClaimTokenParameter { Format = "http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken", Token = "token" }; _jwtTokenParserStub.Setup(j => j.UnSign(It.IsAny <string>(), It.IsAny <string>())) .Returns(Task.FromResult((JwsPayload)null)); // ACT var result = await _basicAuthorizationPolicy.Execute("openid", new ResourceSet { Id = "resourceid", AuthPolicies = authorizationPolicies }, ticket, claimTokenParameters); // ASSERT Assert.False(result.IsValid); var error = result.AuthorizationPoliciesResult.First(); Assert.True(error.Type == AuthorizationPolicyResultEnum.NeedInfo); }
public static GetTokenViaTicketIdParameter ToTokenIdGrantTypeParameter(this TokenRequest request) { return(new() { ClaimToken = new ClaimTokenParameter { Token = request.claim_token, Format = request.claim_token_format }, ClientId = request.client_id, ClientAssertion = request.client_assertion, ClientAssertionType = request.client_assertion_type, ClientSecret = request.client_secret, Pct = request.pct, Rpt = request.rpt, Ticket = request.ticket }); }
public async Task When_There_Is_No_Access_Token_Passed_Then_NeedInfo_Is_Returned() { // ARRANGE InitializeFakeObjects(); var ticket = new TicketLineParameter { Scopes = new List <string> { "read", "create", "update" } }; var authorizationPolicies = new List <Policy> { new Policy { Scopes = new List <string> { "read", "create", "update" }, Claims = new List <Claim> { new Claim { Type = "name" }, new Claim { Type = "email" } } } }; var claimTokenParameter = new ClaimTokenParameter { Format = "bad_format", Token = "token" }; // ACT var result = await _basicAuthorizationPolicy.Execute("openid", new ResourceSet { Id = "resourceid", AuthPolicies = authorizationPolicies }, ticket, claimTokenParameter); // ASSERT Assert.False(result.IsValid); var error = result.AuthorizationPoliciesResult.First(); Assert.True(error.Type == AuthorizationPolicyResultEnum.NeedInfo); var errorDetails = error.ErrorDetails as Dictionary <string, object>; Assert.NotNull(errorDetails); Assert.True(errorDetails.ContainsKey(Constants.ErrorDetailNames.RequestingPartyClaims)); var requestingPartyClaims = errorDetails[Constants.ErrorDetailNames.RequestingPartyClaims] as Dictionary <string, object>; Assert.NotNull(requestingPartyClaims); Assert.True(requestingPartyClaims.ContainsKey(Constants.ErrorDetailNames.RequiredClaims)); Assert.True(requestingPartyClaims.ContainsKey(Constants.ErrorDetailNames.RedirectUser)); var requiredClaims = requestingPartyClaims[Constants.ErrorDetailNames.RequiredClaims] as List <Dictionary <string, string> >; Assert.NotNull(requiredClaims); Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimName && kv.Value == "name"))); Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimFriendlyName && kv.Value == "name"))); Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimName && kv.Value == "email"))); Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimFriendlyName && kv.Value == "email"))); }
public async Task <GrantedToken> Execute(GetTokenViaTicketIdParameter parameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName) { // 1. Check parameters. if (parameter == null) { throw new ArgumentNullException(nameof(parameter)); } if (string.IsNullOrWhiteSpace(parameter.Ticket)) { throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId)); } if (string.IsNullOrWhiteSpace(parameter.Ticket)) { throw new ArgumentNullException(nameof(parameter.Ticket)); } // 2. Try to authenticate the client. var instruction = CreateAuthenticateInstruction(parameter, authenticationHeaderValue, certificate); var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName); var client = authResult.Client; if (client == null) { throw new BaseUmaException(ErrorCodes.InvalidClient, authResult.ErrorMessage); } if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.uma_ticket)) { throw new BaseUmaException(ErrorCodes.InvalidGrant, string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.uma_ticket)); } // 3. Retrieve the ticket. var json = JsonConvert.SerializeObject(parameter); _umaServerEventSource.StartGettingAuthorization(json); var ticket = await _ticketStore.GetAsync(parameter.Ticket); if (ticket == null) { throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket)); } // 4. Check the ticket. if (ticket.ExpirationDateTime < DateTime.UtcNow) { throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired); } _umaServerEventSource.CheckAuthorizationPolicy(json); var claimTokenParameter = new ClaimTokenParameter { Token = parameter.ClaimToken, Format = parameter.ClaimTokenFormat }; // 4. Check the authorization. var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(ticket, client.ClientId, claimTokenParameter); if (authorizationResult.Type != AuthorizationPolicyResultEnum.Authorized) { _umaServerEventSource.RequestIsNotAuthorized(json); throw new BaseUmaException(ErrorCodes.InvalidGrant, ErrorDescriptions.TheAuthorizationPolicyIsNotSatisfied); } // 5. Generate a granted token. var grantedToken = await GenerateTokenAsync(client, ticket.Lines, "openid", issuerName); await _tokenStore.AddToken(grantedToken); await _ticketStore.RemoveAsync(ticket.Id); return(grantedToken); }
public async Task <AuthorizationPolicyResult> IsAuthorized( Ticket validTicket, Client client, ClaimTokenParameter claimTokenParameter, CancellationToken cancellationToken) { if (validTicket.Lines.Length == 0) { throw new ArgumentException(nameof(validTicket.Lines)); } var handler = new JwtSecurityTokenHandler(); var validationParameters = await client.CreateValidationParameters(_jwksStore, cancellationToken : cancellationToken).ConfigureAwait(false); var requester = handler.ValidateToken(claimTokenParameter.Token, validationParameters, out _); var resourceIds = validTicket.Lines.Select(l => l.ResourceSetId).ToArray(); var resources = await _resourceSetRepository.Get(cancellationToken, resourceIds).ConfigureAwait(false); if (resources.Length == 0 || resources.Length != resourceIds.Length) { return(new AuthorizationPolicyResult(AuthorizationPolicyResultKind.NotAuthorized, requester)); } AuthorizationPolicyResult?validationResult = null; foreach (var ticketLine in validTicket.Lines) { var ticketLineParameter = new TicketLineParameter( client.ClientId, ticketLine.Scopes, validTicket.IsAuthorizedByRo); var resource = resources.First(r => r.Id == ticketLine.ResourceSetId); validationResult = await Validate( ticketLineParameter, resource, claimTokenParameter.Format, requester, cancellationToken) .ConfigureAwait(false); switch (validationResult.Result) { case AuthorizationPolicyResultKind.RequestSubmitted: await _eventPublisher.Publish( new AuthorizationRequestSubmitted( Id.Create(), validTicket.Id, client.ClientId, requester.Claims.Select(claim => new ClaimData { Type = claim.Type, Value = claim.Value }), DateTimeOffset.UtcNow)) .ConfigureAwait(false); return(validationResult); case AuthorizationPolicyResultKind.Authorized: break; case AuthorizationPolicyResultKind.NotAuthorized: case AuthorizationPolicyResultKind.NeedInfo: default: { await _eventPublisher.Publish( new AuthorizationPolicyNotAuthorized( Id.Create(), validTicket.Id, DateTimeOffset.UtcNow)) .ConfigureAwait(false); return(validationResult); } } } return(validationResult !); }
public async Task <GetTokenByTicketIdResponse> Execute(GetTokenViaTicketIdParameter parameter, string openidProvider, string issuerName) { // 1. Check parameters. if (parameter == null) { throw new ArgumentNullException(nameof(parameter)); } if (string.IsNullOrWhiteSpace(parameter.Ticket)) { throw new BaseUmaException(ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.TheParameterNeedsToBeSpecified, PostAuthorizationNames.TicketId)); } if (string.IsNullOrWhiteSpace(parameter.Ticket)) { throw new ArgumentNullException(nameof(parameter.Ticket)); } if (string.IsNullOrWhiteSpace(openidProvider)) { throw new ArgumentNullException(nameof(openidProvider)); } // 2. Retrieve the ticket. var json = JsonConvert.SerializeObject(parameter); _umaServerEventSource.StartGettingAuthorization(json); var ticket = await _ticketStore.GetAsync(parameter.Ticket).ConfigureAwait(false); if (ticket == null) { throw new BaseUmaException(ErrorCodes.InvalidTicket, string.Format(ErrorDescriptions.TheTicketDoesntExist, parameter.Ticket)); } // 3. Check the ticket. if (ticket.ExpirationDateTime < DateTime.UtcNow) { throw new BaseUmaException(ErrorCodes.ExpiredTicket, ErrorDescriptions.TheTicketIsExpired); } _umaServerEventSource.CheckAuthorizationPolicy(json); var claimTokenParameter = new ClaimTokenParameter { Token = parameter.ClaimToken, Format = parameter.ClaimTokenFormat }; // 4. Check the authorization. var authorizationResult = await _authorizationPolicyValidator.IsAuthorized(openidProvider, ticket, claimTokenParameter).ConfigureAwait(false); if (!authorizationResult.IsValid) { _umaServerEventSource.RequestIsNotAuthorized(json); return(new GetTokenByTicketIdResponse { IsValid = false, ResourceValidationResult = authorizationResult }); } // 5. Generate a granted token. var grantedToken = await GenerateTokenAsync(ticket.Audiences, ticket.Lines, "openid", issuerName).ConfigureAwait(false); await _tokenStore.AddToken(grantedToken); await _ticketStore.RemoveAsync(ticket.Id); return(new GetTokenByTicketIdResponse { IsValid = true, GrantedToken = grantedToken }); }
public async Task When_There_Is_No_Access_Token_Passed_Then_NeedInfo_Is_Returned() { // ARRANGE const string configurationUrl = "http://localhost/configuration"; InitializeFakeObjects(); var ticket = new TicketLineParameter("client_id") { Scopes = new List <string> { "read", "create", "update" } }; var authorizationPolicy = new Policy { Rules = new List <PolicyRule> { new PolicyRule { ClientIdsAllowed = new List <string> { "client_id" }, Scopes = new List <string> { "read", "create", "update" }, Claims = new List <Claim> { new Claim { Type = "name" }, new Claim { Type = "email" } }, OpenIdProvider = configurationUrl } } }; var claimTokenParameter = new ClaimTokenParameter { Format = "bad_format", Token = "token" }; // ACT var result = await _basicAuthorizationPolicy.Execute(ticket, authorizationPolicy, claimTokenParameter); // ASSERT Assert.True(result.Type == AuthorizationPolicyResultEnum.NeedInfo); var errorDetails = result.ErrorDetails as Dictionary <string, object>; Assert.NotNull(errorDetails); Assert.True(errorDetails.ContainsKey(Constants.ErrorDetailNames.RequestingPartyClaims)); var requestingPartyClaims = errorDetails[Constants.ErrorDetailNames.RequestingPartyClaims] as Dictionary <string, object>; Assert.NotNull(requestingPartyClaims); Assert.True(requestingPartyClaims.ContainsKey(Constants.ErrorDetailNames.RequiredClaims)); Assert.True(requestingPartyClaims.ContainsKey(Constants.ErrorDetailNames.RedirectUser)); var requiredClaims = requestingPartyClaims[Constants.ErrorDetailNames.RequiredClaims] as List <Dictionary <string, string> >; Assert.NotNull(requiredClaims); Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimName && kv.Value == "name"))); Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimFriendlyName && kv.Value == "name"))); Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimName && kv.Value == "email"))); Assert.True(requiredClaims.Any(r => r.Any(kv => kv.Key == Constants.ErrorDetailNames.ClaimFriendlyName && kv.Value == "email"))); }
private async Task <AuthorizationPolicyResult> Validate(TicketLineParameter ticketLineParameter, ResourceSet resource, ClaimTokenParameter claimTokenParameter) { if (resource.Policies == null || !resource.Policies.Any()) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.Authorized }); } foreach (var authorizationPolicy in resource.Policies) { var result = await _basicAuthorizationPolicy.Execute(ticketLineParameter, authorizationPolicy, claimTokenParameter); if (result.Type == AuthorizationPolicyResultEnum.Authorized) { return(result); } } return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); }
public async Task <ResourceValidationResult> IsAuthorized(string openidProvider, Ticket validTicket, ClaimTokenParameter claimTokenParameter) { if (string.IsNullOrWhiteSpace(openidProvider)) { throw new ArgumentNullException(nameof(openidProvider)); } if (validTicket == null) { throw new ArgumentNullException(nameof(validTicket)); } if (validTicket.Lines == null || !validTicket.Lines.Any()) { throw new ArgumentNullException(nameof(validTicket.Lines)); } var resourceIds = validTicket.Lines.Select(l => l.ResourceSetId); var resources = await _resourceSetRepository.Get(resourceIds); if (resources == null || !resources.Any() || resources.Count() != resourceIds.Count()) { throw new BaseUmaException(ErrorCodes.InternalError, ErrorDescriptions.SomeResourcesDontExist); } ResourceValidationResult validationResult = null; foreach (var ticketLine in validTicket.Lines) { var ticketLineParameter = new TicketLineParameter(ticketLine.Scopes); if (validTicket.Audiences != null && validTicket.Audiences.Any()) { ticketLineParameter.ClientId = validTicket.Audiences.First(); } var resource = resources.First(r => r.Id == ticketLine.ResourceSetId); validationResult = await Validate(openidProvider, ticketLineParameter, resource, claimTokenParameter).ConfigureAwait(false); if (!validationResult.IsValid) { _umaServerEventSource.AuthorizationPoliciesFailed(validTicket.Id); return(validationResult); } } return(validationResult); }
private Task <ResourceValidationResult> Validate(string openidProvider, TicketLineParameter ticketLineParameter, ResourceSet resource, ClaimTokenParameter claimTokenParameter) { return(_basicAuthorizationPolicy.Execute(openidProvider, resource, ticketLineParameter, claimTokenParameter)); }
private async Task <AuthorizationPolicyResult> ExecuteAuthorizationPolicyRule(TicketLineParameter ticketLineParameter, PolicyRule authorizationPolicy, ClaimTokenParameter claimTokenParameter) { // 1. Check can access to the scope if (ticketLineParameter.Scopes.Any(s => !authorizationPolicy.Scopes.Contains(s))) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); } // 2. Check clients are correct var clientAuthorizationResult = CheckClients(authorizationPolicy, ticketLineParameter); if (clientAuthorizationResult != null && clientAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized) { return(clientAuthorizationResult); } // 3. Check claims are correct var claimAuthorizationResult = await CheckClaims(authorizationPolicy, claimTokenParameter).ConfigureAwait(false); if (claimAuthorizationResult != null && claimAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized) { return(claimAuthorizationResult); } // 4. Check the resource owner consent is needed if (authorizationPolicy.IsResourceOwnerConsentNeeded && !ticketLineParameter.IsAuthorizedByRo) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.RequestSubmitted }); } return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.Authorized }); }
public async Task <AuthorizationPolicyResult> Execute(TicketLineParameter ticketLineParameter, Policy authorizationPolicy, ClaimTokenParameter claimTokenParameter) { if (ticketLineParameter == null) { throw new ArgumentNullException(nameof(ticketLineParameter)); } if (authorizationPolicy == null) { throw new ArgumentNullException(nameof(authorizationPolicy)); } if (authorizationPolicy.Rules == null || !authorizationPolicy.Rules.Any()) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.Authorized }); } AuthorizationPolicyResult result = null; foreach (var rule in authorizationPolicy.Rules) { result = await ExecuteAuthorizationPolicyRule(ticketLineParameter, rule, claimTokenParameter); if (result.Type == AuthorizationPolicyResultEnum.Authorized) { return(result); } } return(result); }
private async Task <AuthorizationPolicyResult> CheckClaims(PolicyRule authorizationPolicy, ClaimTokenParameter claimTokenParameter) { if (authorizationPolicy.Claims == null || !authorizationPolicy.Claims.Any()) { return(null); } if (claimTokenParameter == null || claimTokenParameter.Format != Constants.IdTokenType) { return(GetNeedInfoResult(authorizationPolicy.Claims, authorizationPolicy.OpenIdProvider)); } var idToken = claimTokenParameter.Token; var jwsPayload = await _jwtTokenParser.UnSign(idToken, authorizationPolicy).ConfigureAwait(false); if (jwsPayload == null) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); } foreach (var claim in authorizationPolicy.Claims) { var payload = jwsPayload .FirstOrDefault(j => j.Key == claim.Type); if (payload.Equals(default(KeyValuePair <string, object>))) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); } if (claim.Type == SimpleIdentityServer.Core.Jwt.Constants.StandardResourceOwnerClaimNames.Role) { IEnumerable <string> roles = null; if (payload.Value is string) { roles = payload.Value.ToString().Split(','); } else { var arr = payload.Value as object[]; var jArr = payload.Value as JArray; if (arr != null) { roles = arr.Select(c => c.ToString()); } if (jArr != null) { roles = jArr.Select(c => c.ToString()); } } if (roles == null || !roles.Any(v => claim.Value == v)) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); } } else { if (payload.Value.ToString() != claim.Value) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); } } } return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.Authorized }); }
public async Task When_ResourceOwnerConsent_Is_Required_Then_RequestSubmitted_Is_Returned() { // ARRANGE InitializeFakeObjects(); var ticket = new TicketLineParameter { Scopes = new List <string> { "read" } }; var authorizationPolicies = new List <Policy> { new Policy { Scopes = new List <string> { "read" }, Claims = new List <Claim> { new Claim { Type = "name", Value = "name" } } } }; _jwtTokenParserStub.Setup(j => j.UnSign(It.IsAny <string>(), It.IsAny <string>())) .Returns(Task.FromResult(new JwsPayload { { "sub", "subject" }, { "name", "bad_name" } })); var claimTokenParameter = new ClaimTokenParameter { Format = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken", Token = "token" }; _pendingRequestRepositorySub.Setup(v => v.Get(It.IsAny <string>(), It.IsAny <string>())).Returns(() => { IEnumerable <PendingRequest> r = new List <PendingRequest>(); return(Task.FromResult(r)); }); // ACT var result = await _basicAuthorizationPolicy.Execute("openid", new ResourceSet { Id = "resourceid", AuthPolicies = authorizationPolicies, AcceptPendingRequest = true }, ticket, claimTokenParameter); // ASSERT Assert.False(result.IsValid); var error = result.AuthorizationPoliciesResult.First(); Assert.True(error.Type == AuthorizationPolicyResultEnum.RequestSubmitted); }
public async Task When_Claims_Are_Not_Corred_Then_NotAuthorized_Is_Returned() { // ARRANGE const string configurationUrl = "http://localhost/configuration"; InitializeFakeObjects(); var ticket = new TicketLineParameter("client_id") { Scopes = new List <string> { "read", "create", "update" } }; var authorizationPolicy = new Policy { Rules = new List <PolicyRule> { new PolicyRule { ClientIdsAllowed = new List <string> { "client_id" }, Scopes = new List <string> { "read", "create", "update" }, Claims = new List <Claim> { new Claim { Type = "name", Value = "name" }, new Claim { Type = "email", Value = "email" } }, OpenIdProvider = configurationUrl } } }; var claimTokenParameter = new ClaimTokenParameter { Format = "http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken", Token = "token" }; _jwtTokenParserStub.Setup(j => j.UnSign(It.IsAny <string>(), It.IsAny <PolicyRule>())) .Returns(Task.FromResult(new JwsPayload { { "name", "bad_name" } })); // ACT var result = await _basicAuthorizationPolicy.Execute(ticket, authorizationPolicy, claimTokenParameter); // ASSERT Assert.True(result.Type == AuthorizationPolicyResultEnum.NeedInfo); }
public async Task <ResourceValidationResult> Execute(string openidProvider, ResourceSet resource, TicketLineParameter ticketLineParameter, ClaimTokenParameter claimTokenParameter) { if (string.IsNullOrWhiteSpace(openidProvider)) { throw new ArgumentNullException(nameof(openidProvider)); } if (resource == null) { throw new ArgumentNullException(nameof(resource)); } if (ticketLineParameter == null) { throw new ArgumentNullException(nameof(ticketLineParameter)); } JwsPayload jwsPayload = null; string subject = null; if (claimTokenParameter != null && claimTokenParameter.Format == Constants.IdTokenType) { var idToken = claimTokenParameter.Token; jwsPayload = await _jwtTokenParser.UnSign(idToken, openidProvider).ConfigureAwait(false); var subjectClaim = jwsPayload.FirstOrDefault(c => c.Key == SimpleIdServer.Core.Jwt.Constants.StandardResourceOwnerClaimNames.Subject); if (!subjectClaim.Equals(default(KeyValuePair <string, object>)) && subjectClaim.Value != null) { subject = subjectClaim.Value.ToString(); } } var validationsResult = new List <AuthorizationPolicyResult>(); var policies = resource.AuthPolicies; if (policies != null && policies.Any()) { foreach (var policy in policies) { if (ticketLineParameter.Scopes.Any(s => !policy.Scopes.Contains(s))) { validationsResult.Add(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized, Policy = policy, ErrorDetails = "the scope is not valid" }); continue; } var clientAuthorizationResult = CheckClients(policy, ticketLineParameter); if (clientAuthorizationResult != null && clientAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized) { validationsResult.Add(clientAuthorizationResult); continue; } var validationResult = CheckClaims(openidProvider, policy, jwsPayload); validationsResult.Add(validationResult); } } var vr = validationsResult.FirstOrDefault(v => v.Type == AuthorizationPolicyResultEnum.Authorized); if (vr != null) { return(new ResourceValidationResult { IsValid = true }); } if (!resource.AcceptPendingRequest) { return(new ResourceValidationResult { IsValid = false, AuthorizationPoliciesResult = validationsResult }); } if (!string.IsNullOrWhiteSpace(subject)) { var pendingRequestLst = await _pendingRequestRepository.Get(resource.Id, subject).ConfigureAwait(false); var pendingRequest = pendingRequestLst.FirstOrDefault(p => ticketLineParameter.Scopes.Count() == p.Scopes.Count() && ticketLineParameter.Scopes.All(s => p.Scopes.Contains(s))); if (pendingRequest == null) { await _pendingRequestRepository.Add(new PendingRequest { Id = Guid.NewGuid().ToString(), CreateDateTime = DateTime.UtcNow, ResourceId = resource.Id, IsConfirmed = false, RequesterSubject = subject, Scopes = ticketLineParameter.Scopes }).ConfigureAwait(false); return(new ResourceValidationResult { IsValid = false, AuthorizationPoliciesResult = new[] { new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.RequestSubmitted, ErrorDetails = "a request has been submitted" } } }); } } return(new ResourceValidationResult { IsValid = false, AuthorizationPoliciesResult = new[] { new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.RequestNotConfirmed, ErrorDetails = "the request is not confirmed by the resource owner" } } }); }
public async Task <AuthorizationPolicyResult> IsAuthorized(Ticket validTicket, string clientId, ClaimTokenParameter claimTokenParameter) { if (validTicket == null) { throw new ArgumentNullException(nameof(validTicket)); } if (string.IsNullOrWhiteSpace(clientId)) { throw new ArgumentNullException(nameof(clientId)); } if (validTicket.Lines == null || !validTicket.Lines.Any()) { throw new ArgumentNullException(nameof(validTicket.Lines)); } var resourceIds = validTicket.Lines.Select(l => l.ResourceSetId); var resources = await _resourceSetRepository.Get(resourceIds); if (resources == null || !resources.Any() || resources.Count() != resourceIds.Count()) { throw new BaseUmaException(ErrorCodes.InternalError, ErrorDescriptions.SomeResourcesDontExist); } AuthorizationPolicyResult validationResult = null; foreach (var ticketLine in validTicket.Lines) { var ticketLineParameter = new TicketLineParameter(clientId, ticketLine.Scopes, validTicket.IsAuthorizedByRo); var resource = resources.First(r => r.Id == ticketLine.ResourceSetId); validationResult = await Validate(ticketLineParameter, resource, claimTokenParameter); if (validationResult.Type != AuthorizationPolicyResultEnum.Authorized) { _umaServerEventSource.AuthorizationPoliciesFailed(validTicket.Id); return(validationResult); } } return(validationResult); }