 /// <summary>
 /// Reads the home-realm (identity provider) hint from the request's acr_values.
 /// </summary>
 /// <param name="request">The validated authorize request to inspect.</param>
 /// <returns>The value following the home-realm prefix, or <c>null</c> when the request carries none.</returns>
 public static string GetIdP(this ValidatedAuthorizeRequest request)
     => request.GetPrefixedAcrValue(Constants.KnownAcrValues.HomeRealm);
 /// <summary>
 /// Reads the tenant hint from the request's acr_values.
 /// </summary>
 /// <param name="request">The validated authorize request to inspect.</param>
 /// <returns>The value following the tenant prefix, or <c>null</c> when the request carries none.</returns>
 public static string GetTenant(this ValidatedAuthorizeRequest request)
     => request.GetPrefixedAcrValue(Constants.KnownAcrValues.Tenant);
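        /// <summary>
        /// Handles the custom <c>impersonate:{userId}</c> and <c>unimpersonate:{userId}</c> acr_values
        /// before delegating to the base interaction logic.
        /// </summary>
        /// <remarks>
        /// The acr_values arrive on the (client-supplied) authorize request, so the checks in this
        /// method are the only thing gating a user switch. Impersonation is honoured only for the
        /// "toolbox" and "dwnorth" clients, and only when the signed-in caller is a
        /// "Data Warehouse Administrator", or holds "systemsettings_Account Management" and belongs to
        /// the target's tenant (matched via the target's first "tenant*" role or the caller's
        /// "ods_tenant_id" claim). On success the caller is signed out and signed in as the target, with
        /// the caller's identity preserved in the "impersonating", "orig_user_id", "orig_username",
        /// "orig_email" and "orig_role" claims. Un-impersonation only restores the user whose id equals
        /// the stored "orig_user_id" claim. In every case the base implementation produces the result.
        /// </remarks>
        /// <param name="request">The validated authorize request; its <c>Subject</c> is the current caller.</param>
        /// <param name="consent">Optional consent response forwarded unchanged to the base implementation.</param>
        /// <returns>The base implementation's <see cref="InteractionResponse"/>; this override never short-circuits.</returns>
        public override async Task<InteractionResponse> ProcessInteractionAsync(ValidatedAuthorizeRequest request, ConsentResponse consent = null)
        {
            var impersonateId   = request.GetPrefixedAcrValue("impersonate:");
            var unimpersonateId = request.GetPrefixedAcrValue("unimpersonate:");

            // Only these first-party clients may drive impersonation through acr_values.
            var impersonationClients = new[] { "toolbox", "dwnorth" };

            if (impersonateId != null && impersonationClients.Contains(request.Client?.ClientId))
            {
                var principal = request.Subject;

                // Without an authenticated caller there is nobody whose roles could authorise the switch.
                if (principal?.Identity?.Name == null)
                {
                    return await base.ProcessInteractionAsync(request, consent);
                }

                var currentUser = await _userManager.FindByNameAsync(principal.Identity.Name);
                if (currentUser == null)
                {
                    return await base.ProcessInteractionAsync(request, consent);
                }

                var roles = await _userManager.GetRolesAsync(currentUser);

                var isAccountManager = roles.Contains("systemsettings_Account Management");
                var isDwAdmin        = roles.Contains("Data Warehouse Administrator");
                var impersonatedUser = await _userManager.FindByIdAsync(impersonateId);

                if (impersonatedUser == null)
                {
                    return await base.ProcessInteractionAsync(request, consent);
                }

                // FirstOrDefault rather than First: a target with no "tenant*" role must simply yield no
                // tenant match (the null check below) instead of throwing InvalidOperationException.
                var targetRoles = await _userManager.GetRolesAsync(impersonatedUser);
                var tenantRole  = targetRoles?.FirstOrDefault(x => x.StartsWith("tenant", System.StringComparison.Ordinal));

                var tenantMatches = false;
                if (tenantRole != null)
                {
                    // assumes tenant roles are named "tenant{id}" — TODO confirm against role seeding
                    var tenantId = tenantRole.Replace("tenant", "");
                    tenantMatches = principal.IsInRole(tenantRole) || principal.HasClaim("ods_tenant_id", tenantId);
                }

                if ((isAccountManager && tenantMatches) || isDwAdmin)
                {
                    // presumably these return the caller's own values when not already impersonating;
                    // Claim throws on a null value, so verify the extension methods never return null.
                    var origUsername = principal.GetOriginalUsername();
                    var origUserId   = principal.GetOriginalUserId();
                    var origEmail    = principal.GetOriginalEmail();

                    var newPrincipal = await _signInManager.CreateUserPrincipalAsync(impersonatedUser);
                    var identity     = (ClaimsIdentity)newPrincipal.Identity;

                    // Carry the caller's identity on the new session so the "unimpersonate:" branch can
                    // verify who is allowed back, and so downstream code can tell the session is impersonated.
                    identity.AddClaims(new[]
                    {
                        new Claim("impersonating", "true"),
                        new Claim("orig_user_id", origUserId),
                        new Claim("orig_username", origUsername),
                        new Claim("orig_email", origEmail)
                    });
                    identity.AddClaims(roles.Select(r => new Claim("orig_role", r)));

                    // NOTE(review): an audit log entry (caller id, target id, client id) would be
                    // valuable here, since this is a privileged identity switch.
                    await _signInManager.SignOutAsync();
                    await _signInManager.Context.SignInAsync(IdentityConstants.ApplicationScheme, newPrincipal, new AuthenticationProperties());
                }
            }
            else if (unimpersonateId != null)
            {
                var principal = request.Subject;

                // Only the user recorded at impersonation time may be restored, and only if it still exists.
                if (principal?.GetOriginalUserId() == unimpersonateId)
                {
                    var currentUser = await _userManager.FindByIdAsync(unimpersonateId);
                    if (currentUser != null)
                    {
                        await _signInManager.SignOutAsync();
                        await _signInManager.SignInAsync(currentUser, null);
                    }
                }
            }

            return await base.ProcessInteractionAsync(request, consent);
        }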