public static async Task <IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Anonymous, Route = null)] HttpRequest req,
ILogger log)
{
string errorMessage = string.Empty;
var deviceId = req.Headers["deviceid"].ToString().ToLowerInvariant(); // Device id, either a MAC address or a random string per session
var userName = req.Headers["username"].ToString().ToLowerInvariant(); // Username as registered in choosen authernication service (e.g. AAD userPrincipalName, GitHub username)
var team = req.Headers["teamname"].ToString().ToLowerInvariant(); // Teamname - id or name of the target group or team. Must be group id for AAD, team id for GitHub
var company = req.Headers["companyname"].ToString().ToLowerInvariant(); // Company name or tenant id. Must be tenant id for AAD, company id for GitHub
var authServiceToken = req.Headers["authservicetoken"].ToString(); // Authentication token received from authentication service. Bearer token for AAD or GitHub.
var authService = req.Headers["authservicename"].ToString().ToLowerInvariant(); // Authentication sercvice name. "graph.microsoft.com" for AAD, "github.com" for GitHub
var provider = GraphServiceFactory.GetGraphService(authService);
GraphAuthStatus authStatus = GraphAuthStatus.Unauthorized;
if (provider == null)
{
errorMessage = $"{authService} is not a valid graph service name.";
}
else
{
authStatus = await provider.IsGroupMember(userName, company, team, authServiceToken, log);
}
ObjectResult funcResult = null;
string userId = string.Empty;
if (authStatus == GraphAuthStatus.OK)
{
userId = SignalRGroupUtils.GetFullUserId(authService, company, team, userName, deviceId);
userId = userId.ToLowerInvariant();
ServiceUtils utils = new ServiceUtils(ConfigUtils.GetSignalRConnection());
var hubName = ConfigUtils.GetHubName();
var clientUrl = $"{utils.Endpoint}/client/?hub={hubName}";
var clientToken = utils.GenerateAccessToken(clientUrl,
userId,
TimeSpan.FromMinutes(UInt64.Parse(ConfigUtils.GetAuthTokenLifetimeMinutes())));
string serverTime = ((long)(DateTime.UtcNow - DateTime.UnixEpoch).TotalSeconds).ToString();
string turnServersAuthorization = ConfigUtils.MakeTURNAuthToken(company);
funcResult = new OkObjectResult(new string[] { userId, clientToken, clientUrl, serverTime, turnServersAuthorization });
}
else
{
if (string.IsNullOrEmpty(errorMessage))
{
errorMessage = $"Graph verification failed. Reason: {authStatus}";
}
}
if (!string.IsNullOrEmpty(errorMessage))
{
log.LogError(errorMessage);
}
else
{
log.LogInformation($"Successfully negotiated for {userName} as {userId}");
}
return(string.IsNullOrEmpty(errorMessage)
? (ActionResult)funcResult
: new BadRequestObjectResult(new { message = errorMessage }));
}
public async Task <GraphAuthStatus> IsGroupMember(string userName, string companyOrTenant, string groupOrTeam, string authToken, ILogger log = null)
{
if (string.IsNullOrEmpty(userName) ||
string.IsNullOrEmpty(groupOrTeam) ||
string.IsNullOrEmpty(authToken))
{
log.LogError($"Invalid userName, company or group name");
return(GraphAuthStatus.InvalidName);
}
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authToken);
var tokenStatus = await IsUserAuthToken(_client, userName, companyOrTenant, log);
if (tokenStatus != System.Net.HttpStatusCode.OK)
{
return(GraphServiceFactory.GraphAuthStatusFromHttp(tokenStatus));
}
// If group doesn't matter we only check authentication status in AAD tenant
if (groupOrTeam == "*")
{
return(GraphAuthStatus.OK);
}
GraphAuthStatus resStatus = GraphAuthStatus.UnknownError;
string json = JsonConvert.SerializeObject(new GroupMembershipRequest()
{
groupIds = new string[] { groupOrTeam }
});
using (var content = new StringContent(json, Encoding.UTF8, "application/json"))
{
using (var response = await _client.PostAsync("https://graph.microsoft.com/beta/me/checkMemberGroups", content))
{
if (response.IsSuccessStatusCode)
{
dynamic res = JsonConvert.DeserializeObject(await response.Content.ReadAsStringAsync());
if (res.value.Count > 0)
{
resStatus = GraphAuthStatus.OK;
}
else
{
resStatus = GraphAuthStatus.NotMemberOfTargetGroup;
}
}
else
{
if (log != null)
{
log.LogError($"Team membership check failed: {response.StatusCode} ({await response.Content.ReadAsStringAsync()})");
}
resStatus = GraphServiceFactory.GraphAuthStatusFromHttp(response.StatusCode);
}
}
}
return(resStatus);
}