public async Task <bool> IsAccessAllowed(HttpContextBase context, IEndpointOptions target)
{
#pragma warning disable CS0618 // Type or member is obsolete
bool isEnabled = _managementOptions == null ? _options.IsEnabled : _options.IsEnabled(_managementOptions);
#pragma warning restore CS0618 // Type or member is obsolete
// if running on Cloud Foundry, security is enabled, the path starts with /cloudfoundryapplication...
if (Platform.IsCloudFoundry && isEnabled)
{
_logger?.LogTrace("Beginning Cloud Foundry Security Processing");
if (context.Request.HttpMethod == "OPTIONS")
{
return(true);
}
var origin = context.Request.Headers.Get("Origin");
context.Response.Headers.Set("Access-Control-Allow-Origin", origin ?? "*");
// identify the application so we can confirm the user making the request has permission
if (string.IsNullOrEmpty(_options.ApplicationId))
{
await ReturnError(context, new SecurityResult(HttpStatusCode.ServiceUnavailable, _base.APPLICATION_ID_MISSING_MESSAGE)).ConfigureAwait(false);
return(false);
}
// make sure we know where to get user permissions
if (string.IsNullOrEmpty(_options.CloudFoundryApi))
{
await ReturnError(context, new SecurityResult(HttpStatusCode.ServiceUnavailable, _base.CLOUDFOUNDRY_API_MISSING_MESSAGE)).ConfigureAwait(false);
return(false);
}
_logger?.LogTrace("Getting user permissions");
var sr = await GetPermissions(context).ConfigureAwait(false);
if (sr.Code != HttpStatusCode.OK)
{
await ReturnError(context, sr).ConfigureAwait(false);
return(false);
}
_logger?.LogTrace("Applying user permissions to request");
var permissions = sr.Permissions;
if (!target.IsAccessAllowed(permissions))
{
await ReturnError(context, new SecurityResult(HttpStatusCode.Forbidden, _base.ACCESS_DENIED_MESSAGE)).ConfigureAwait(false);
return(false);
}
_logger?.LogTrace("Access granted!");
}
return(true);
}
public async Task Invoke(HttpContext context)
{
_logger.LogDebug("Invoke({0}) contextPath: {1}", context.Request.Path.Value, _mgmtOptions.Path);
#pragma warning disable CS0618 // Type or member is obsolete
bool isEndpointEnabled = _mgmtOptions == null ? _options.IsEnabled : _options.IsEnabled(_mgmtOptions);
#pragma warning restore CS0618 // Type or member is obsolete
bool isEndpointExposed = _mgmtOptions == null ? true : _options.IsExposed(_mgmtOptions);
if (Platform.IsCloudFoundry &&
isEndpointEnabled &&
isEndpointExposed &&
_base.IsCloudFoundryRequest(context.Request.Path))
{
if (string.IsNullOrEmpty(_options.ApplicationId))
{
await ReturnError(context, new SecurityResult(HttpStatusCode.ServiceUnavailable, _base.APPLICATION_ID_MISSING_MESSAGE)).ConfigureAwait(false);
return;
}
if (string.IsNullOrEmpty(_options.CloudFoundryApi))
{
await ReturnError(context, new SecurityResult(HttpStatusCode.ServiceUnavailable, _base.CLOUDFOUNDRY_API_MISSING_MESSAGE)).ConfigureAwait(false);
return;
}
IEndpointOptions target = FindTargetEndpoint(context.Request.Path);
if (target == null)
{
await ReturnError(context, new SecurityResult(HttpStatusCode.ServiceUnavailable, _base.ENDPOINT_NOT_CONFIGURED_MESSAGE)).ConfigureAwait(false);
return;
}
var sr = await GetPermissions(context).ConfigureAwait(false);
if (sr.Code != HttpStatusCode.OK)
{
await ReturnError(context, sr).ConfigureAwait(false);
return;
}
var permissions = sr.Permissions;
if (!target.IsAccessAllowed(permissions))
{
await ReturnError(context, new SecurityResult(HttpStatusCode.Forbidden, _base.ACCESS_DENIED_MESSAGE)).ConfigureAwait(false);
return;
}
}
await _next(context).ConfigureAwait(false);
}
public override async Task Invoke(IOwinContext context)
{
#pragma warning disable CS0612 // Type or member is obsolete
bool isEnabled = _mgmtOptions == null ? _options.IsEnabled : _options.IsEnabled(_mgmtOptions);
#pragma warning restore CS0612 // Type or member is obsolete
// if running on Cloud Foundry, security is enabled, the path starts with /cloudfoundryapplication...
if (Platform.IsCloudFoundry && isEnabled && _base.IsCloudFoundryRequest(context.Request.Path.ToString()))
{
context.Response.Headers.Set("Access-Control-Allow-Credentials", "true");
context.Response.Headers.Set("Access-Control-Allow-Origin", context.Request.Headers.Get("origin"));
context.Response.Headers.Set("Access-Control-Allow-Headers", "Authorization,X-Cf-App-Instance,Content-Type");
// don't run security for a CORS request, do return 204
if (context.Request.Method == "OPTIONS")
{
context.Response.StatusCode = (int)HttpStatusCode.NoContent;
return;
}
_logger?.LogTrace("Beginning Cloud Foundry Security Processing");
// identify the application so we can confirm the user making the request has permission
if (string.IsNullOrEmpty(_options.ApplicationId))
{
await ReturnError(context, new SecurityResult(HttpStatusCode.ServiceUnavailable, _base.APPLICATION_ID_MISSING_MESSAGE));
return;
}
// make sure we know where to get user permissions
if (string.IsNullOrEmpty(_options.CloudFoundryApi))
{
await ReturnError(context, new SecurityResult(HttpStatusCode.ServiceUnavailable, _base.CLOUDFOUNDRY_API_MISSING_MESSAGE));
return;
}
_logger?.LogTrace("Identifying which endpoint the request at {EndpointRequestPath} is for", context.Request.Path);
IEndpointOptions target = FindTargetEndpoint(context.Request.Path);
if (target == null)
{
await ReturnError(context, new SecurityResult(HttpStatusCode.ServiceUnavailable, _base.ENDPOINT_NOT_CONFIGURED_MESSAGE));
return;
}
_logger?.LogTrace("Getting user permissions");
var sr = await GetPermissions(context);
if (sr.Code != HttpStatusCode.OK)
{
await ReturnError(context, sr);
return;
}
_logger?.LogTrace("Applying user permissions to request");
var permissions = sr.Permissions;
if (!target.IsAccessAllowed(permissions))
{
await ReturnError(context, new SecurityResult(HttpStatusCode.Forbidden, _base.ACCESS_DENIED_MESSAGE));
return;
}
_logger?.LogTrace("Access granted!");
}
await Next.Invoke(context);
}
