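public Task<Response> Security(DownstreamContext context)
{
    // Purpose: enforce the route's IP block list and allow list against the caller's remote address.
    // Returns OkResponse when no SecurityOptions are configured, when the address is not on the
    // block list and (if an allow list is non-empty) is on the allow list; otherwise an
    // ErrorResponse wrapping an UnauthenticatedError.
    SecurityOptions securityOptions = context.DownstreamReRoute.SecurityOptions;
    if (securityOptions == null)
    {
        return Task.FromResult<Response>(new OkResponse());
    }

    // RemoteIpAddress can be null (e.g. in-memory test hosts), so it is never dereferenced blindly:
    // a null address matches nothing, which still fails closed when an allow list is configured.
    IPAddress clientIp = Normalize(context.HttpContext.Connection.RemoteIpAddress);
    string clientIpText = clientIp?.ToString() ?? string.Empty;

    if (securityOptions.IPBlockedList != null
        && securityOptions.IPBlockedList.Exists(entry => Matches(entry, clientIp, clientIpText)))
    {
        var error = new UnauthenticatedError($" This request rejects access to {clientIpText} IP");
        return Task.FromResult<Response>(new ErrorResponse(error));
    }

    if (securityOptions.IPAllowedList != null
        && securityOptions.IPAllowedList.Count > 0
        && !securityOptions.IPAllowedList.Exists(entry => Matches(entry, clientIp, clientIpText)))
    {
        var error = new UnauthenticatedError($"{clientIpText} does not allow access, the request is invalid");
        return Task.FromResult<Response>(new ErrorResponse(error));
    }

    return Task.FromResult<Response>(new OkResponse());

    // IPv4 clients on dual-stack hosts often arrive as IPv4-mapped IPv6 (::ffff:a.b.c.d); a plain
    // string compare against "a.b.c.d" would then miss a blocked address. Compare the IPv4 form.
    IPAddress Normalize(IPAddress address)
    {
        return address != null && address.IsIPv4MappedToIPv6 ? address.MapToIPv4() : address;
    }

    // A list entry that parses as an address is compared as an address (after the same
    // normalization); anything else falls back to the original exact string comparison.
    bool Matches(string entry, IPAddress address, string addressText)
    {
        if (string.IsNullOrWhiteSpace(entry))
        {
            return false;
        }

        if (address != null && IPAddress.TryParse(entry.Trim(), out IPAddress parsed))
        {
            return Normalize(parsed).Equals(address);
        }

        return string.Equals(entry, addressText, StringComparison.Ordinal);
    }
}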
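public async Task<Response> Security(DownstreamContext context)
{
    // Purpose: reject requests whose bearer token is on the blacklist held in _cache
    // (refreshed by LoadBlacklistToken before the lookup).
    // Returns OkResponse when there is no Authorization header, the header does not carry a
    // Bearer credential, or the token is not blacklisted. Otherwise writes the cached message to
    // the response with status 401 and returns an ErrorResponse wrapping an UnauthenticatedError.
    string authorization = context.HttpContext.Request.Headers["Authorization"];

    // If no authorization header found, nothing to process further
    if (string.IsNullOrEmpty(authorization))
    {
        return new OkResponse();
    }

    // Only a Bearer credential can be blacklisted; other schemes used to be looked up as an
    // empty token, which is never a meaningful key.
    const string bearerPrefix = "Bearer ";
    if (!authorization.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
    {
        return new OkResponse();
    }

    string token = authorization.Substring(bearerPrefix.Length).Trim();
    if (token.Length == 0)
    {
        return new OkResponse();
    }

    this.LoadBlacklistToken();
    if (!_cache.TryGetValue(token, out string warnInfo))
    {
        return new OkResponse();
    }

    // NOTE(review): the policy writes the body itself and also returns an ErrorResponse; confirm
    // the rest of the pipeline does not write a second body for the same error.
    context.HttpContext.Response.StatusCode = 401;
    var bytes = Encoding.UTF8.GetBytes(warnInfo ?? string.Empty);
    await context.HttpContext.Response.Body.WriteAsync(bytes, 0, bytes.Length);

    // The token is a credential: it is kept out of the error text, which may end up in logs.
    var error = new UnauthenticatedError("Token enters the blacklist");
    return new ErrorResponse(error);
}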
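public async Task Invoke(DownstreamContext context)
{
    // Purpose: for routes marked as authenticated, run the route's authentication scheme and
    // continue the pipeline only when the resulting principal is authenticated. OPTIONS requests
    // and routes that are not authenticated pass straight through.
    // Side effects: sets context.HttpContext.User to the principal produced by AuthenticateAsync;
    // on failure sets a pipeline error via SetPipelineError instead of calling _next.
    var request = context.HttpContext.Request;

    // Ordinal comparison instead of ToUpper(): HTTP methods are not culture-sensitive text.
    bool isOptions = string.Equals(request.Method, "OPTIONS", StringComparison.OrdinalIgnoreCase);
    if (isOptions || !IsAuthenticatedRoute(context.DownstreamReRoute))
    {
        Logger.LogInformation($"No authentication needed for {request.Path}");
        await _next.Invoke(context);
        return;
    }

    Logger.LogInformation($"{request.Path} is an authenticated route. {MiddlewareName} checking if client is authenticated");

    var result = await context.HttpContext.AuthenticateAsync(context.DownstreamReRoute.AuthenticationOptions.AuthenticationProviderKey);
    context.HttpContext.User = result?.Principal;

    // A failed authentication can leave no principal or a principal without an identity;
    // both are treated as unauthenticated rather than letting the check throw.
    var identity = context.HttpContext.User?.Identity;
    if (identity != null && identity.IsAuthenticated)
    {
        Logger.LogInformation($"Client has been authenticated for {request.Path}");
        await _next.Invoke(context);
        return;
    }

    var error = new UnauthenticatedError(
        $"Request for authenticated route {request.Path} by {identity?.Name} was unauthenticated");
    Logger.LogWarning($"Client has NOT been authenticated for {request.Path} and pipeline error set. {error}");
    SetPipelineError(context, error);
}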
private void GivenNotPassingSecurityVerification()
{
    // Arrange the mocked policies so that only the first one fails: it returns an ErrorResponse
    // carrying an UnauthenticatedError, every later policy returns an OkResponse.
    bool isFirst = true;
    foreach (Mock<ISecurityPolicy> policy in _securityPolicyList)
    {
        // Declared as Response so the mocked Task has the interface's Task<Response> type.
        Response response;
        if (isFirst)
        {
            Error error = new UnauthenticatedError($"Not passing security verification");
            response = new ErrorResponse(error);
            isFirst = false;
        }
        else
        {
            response = new OkResponse();
        }

        policy.Setup(x => x.Security(_downstreamContext)).Returns(Task.FromResult(response));
    }
}
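public async Task Invoke(DownstreamContext context)
{
    // Purpose: after authentication, check that the calling client is authorised for the upstream
    // route template. Requests already in error, OPTIONS requests and routes that are not
    // authenticated pass straight through; the check is also skipped when
    // _options.ClientAuthorization is off.
    // Side effects: on a failed check sets a pipeline error via SetPipelineError and does not
    // call _next.
    if (context.IsError
        // Ordinal comparison instead of ToUpper(): HTTP methods are not culture-sensitive text.
        || string.Equals(context.HttpContext.Request.Method, "OPTIONS", StringComparison.OrdinalIgnoreCase)
        || !IsAuthenticatedRoute(context.DownstreamReRoute))
    {
        await _next.Invoke(context);
        return;
    }

    if (!_options.ClientAuthorization)
    {
        // Client authorization pipeline is disabled by configuration.
        Logger.LogInformation($"未启用客户端授权管道");
        await _next.Invoke(context);
        return;
    }

    Logger.LogInformation($"{context.HttpContext.Request.Path} 是认证路由. {MiddlewareName} 开始校验授权信息");

    // Resolve the client id from the claim whose type is _options.ClientKey.
    // NOTE(review): when that claim is missing or empty the check runs for the hard-coded id
    // "client_cjy", so such an identity inherits whatever that client is authorised for —
    // confirm this fallback is intended rather than denying the request.
    var clientId = "client_cjy";
    var path = context.DownstreamReRoute.UpstreamPathTemplate.OriginalValue; // upstream route template
    var clientClaim = context.HttpContext.User.Claims.FirstOrDefault(p => p.Type == _options.ClientKey);
    if (!string.IsNullOrEmpty(clientClaim?.Value))
    {
        clientId = clientClaim.Value;
    }

    if (await _ahphAuthenticationProcessor.CheckClientAuthenticationAsync(clientId, path))
    {
        await _next.Invoke(context);
        return;
    }

    // Not authorised: record the error on the pipeline and stop here.
    var error = new UnauthenticatedError($"请求认证路由 {context.HttpContext.Request.Path}客户端未授权");
    Logger.LogWarning($"路由地址 {context.HttpContext.Request.Path} 自定义认证管道校验失败. {error}");
    SetPipelineError(context, error);
}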
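public async Task<Response> Security(DownstreamContext context)
{
    // Purpose: reject requests whose bearer token is on the blacklist held in _cache
    // (refreshed by LoadBlacklistToken before the lookup).
    // Returns OkResponse when there is no Authorization header, the header does not carry a
    // Bearer credential, or the token is not blacklisted. Otherwise writes the cached message to
    // the response with status 401 and returns an ErrorResponse wrapping an UnauthenticatedError.
    if (!context.HttpContext.Request.Headers.TryGetValue("Authorization", out StringValues value))
    {
        return new OkResponse();
    }

    // Strip the scheme by prefix instead of Replace(): Replace was case-sensitive, would remove
    // "Bearer " anywhere in the value, and left surrounding whitespace on the token.
    const string bearerPrefix = "Bearer ";
    string authorization = value.ToString();
    if (!authorization.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
    {
        return new OkResponse();
    }

    string token = authorization.Substring(bearerPrefix.Length).Trim();
    if (token.Length == 0)
    {
        return new OkResponse();
    }

    this.LoadBlacklistToken();
    if (!_cache.TryGetValue(token, out string warnInfo))
    {
        return new OkResponse();
    }

    // NOTE(review): the policy writes the body itself and also returns an ErrorResponse; confirm
    // the rest of the pipeline does not write a second body for the same error.
    context.HttpContext.Response.StatusCode = 401;
    var bytes = Encoding.UTF8.GetBytes(warnInfo ?? string.Empty);
    await context.HttpContext.Response.Body.WriteAsync(bytes, 0, bytes.Length);

    // The token is a credential: it is kept out of the error text, which may end up in logs.
    var error = new UnauthenticatedError("Token enters the blacklist");
    return new ErrorResponse(error);
}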