auth improvements related to multi-tenancy

2021-05-19 08:46:02 -04:00
parent 943adec3a0
commit 09537ab0e4
23 changed files with 235 additions and 134 deletions
--- a/Oqtane.Server/Controllers/UserController.cs
+++ b/Oqtane.Server/Controllers/UserController.cs
@ -358,7 +358,7 @@ namespace Oqtane.Controllers
        [Authorize]
        public async Task Logout([FromBody] User user)
        {
-            await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
+            await HttpContext.SignOutAsync(Constants.AuthenticationScheme);
            _logger.Log(LogLevel.Information, this, LogFunction.Security, "User Logout {Username}", (user != null) ? user.Username : "");
        }

--- a/Oqtane.Server/Pages/Login.cshtml.cs
+++ b/Oqtane.Server/Pages/Login.cshtml.cs
@ -1,4 +1,4 @@
-using System.Threading.Tasks;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
@ -21,20 +21,23 @@ namespace Oqtane.Pages

        public async Task<IActionResult> OnPostAsync(string username, string password, bool remember, string returnurl)
        {
-            bool validuser = false;
-            IdentityUser identityuser = await _identityUserManager.FindByNameAsync(username);
-            if (identityuser != null)
+            if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
            {
-                var result = await _identitySignInManager.CheckPasswordSignInAsync(identityuser, password, false);
-                if (result.Succeeded)
+                bool validuser = false;
+                IdentityUser identityuser = await _identityUserManager.FindByNameAsync(username);
+                if (identityuser != null)
                {
-                    validuser = true;
+                    var result = await _identitySignInManager.CheckPasswordSignInAsync(identityuser, password, false);
+                    if (result.Succeeded)
+                    {
+                        validuser = true;
+                    }
                }
-            }

-            if (validuser)
-            {
-                await _identitySignInManager.SignInAsync(identityuser, remember);
+                if (validuser)
+                {
+                    await _identitySignInManager.SignInAsync(identityuser, remember);
+                }
            }

            if (returnurl == null)
@ -49,4 +52,4 @@ namespace Oqtane.Pages
            return LocalRedirect(Url.Content("~" + returnurl));
        }
    }
-}
+}
--- a/Oqtane.Server/Pages/Logout.cshtml.cs
+++ b/Oqtane.Server/Pages/Logout.cshtml.cs
@ -1,9 +1,9 @@
-using System.Threading.Tasks;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
+using Oqtane.Shared;

 namespace Oqtane.Pages
 {
@ -12,7 +12,10 @@ namespace Oqtane.Pages
    {
        public async Task<IActionResult> OnPostAsync(string returnurl)
        {
-            await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
+            if (HttpContext.User.Identity.IsAuthenticated)
+            {
+                await HttpContext.SignOutAsync(Constants.AuthenticationScheme);
+            }

            if (returnurl == null)
            {
@ -26,4 +29,4 @@ namespace Oqtane.Pages
            return LocalRedirect(Url.Content("~" + returnurl));
        }
    }
-}
+}
--- a/Oqtane.Server/Pages/_Host.cshtml.cs
+++ b/Oqtane.Server/Pages/_Host.cshtml.cs
@ -48,21 +48,24 @@ namespace Oqtane.Pages
            }

            // if culture not specified and framework is installed 
-            if (HttpContext.Request.Cookies[CookieRequestCultureProvider.DefaultCookieName] == null && !string.IsNullOrEmpty(_configuration.GetConnectionString("DefaultConnection")))
+            if (!string.IsNullOrEmpty(_configuration.GetConnectionString("DefaultConnection")))
            {
                var alias = _tenantManager.GetAlias();
                if (alias != null)
                {
-                    // set default language for site if the culture is not supported
-                    var languages = _languages.GetLanguages(alias.SiteId);
-                    if (languages.Any() && languages.All(l => l.Code != CultureInfo.CurrentUICulture.Name))
+                    if (HttpContext.Request.Cookies[CookieRequestCultureProvider.DefaultCookieName] == null)
                    {
-                        var defaultLanguage = languages.Where(l => l.IsDefault).SingleOrDefault() ?? languages.First();
-                        SetLocalizationCookie(defaultLanguage.Code);
-                    }
-                    else
-                    {
-                        SetLocalizationCookie(_localizationManager.GetDefaultCulture());
+                        // set default language for site if the culture is not supported
+                        var languages = _languages.GetLanguages(alias.SiteId);
+                        if (languages.Any() && languages.All(l => l.Code != CultureInfo.CurrentUICulture.Name))
+                        {
+                            var defaultLanguage = languages.Where(l => l.IsDefault).SingleOrDefault() ?? languages.First();
+                            SetLocalizationCookie(defaultLanguage.Code);
+                        }
+                        else
+                        {
+                            SetLocalizationCookie(_localizationManager.GetDefaultCulture());
+                        }
                    }
                }
            }
--- a/Oqtane.Server/Security/ClaimsPrincipalFactory.cs
+++ b/Oqtane.Server/Security/ClaimsPrincipalFactory.cs
@ -1,25 +1,23 @@
-using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Options;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using Oqtane.Models;
-using Oqtane.Shared;
 using System.Collections.Generic;
 using System.Linq;
 using Oqtane.Repository;
+using Oqtane.Infrastructure;

 namespace Oqtane.Security
 {
    public class ClaimsPrincipalFactory<TUser> : UserClaimsPrincipalFactory<TUser> where TUser : IdentityUser
    {
-        private readonly IdentityOptions _options;
-        private readonly ITenantResolver _tenants;
+        private readonly ITenantManager _tenants;
        private readonly IUserRepository _users;
        private readonly IUserRoleRepository _userRoles;

-        public ClaimsPrincipalFactory(UserManager<TUser> userManager, IOptions<IdentityOptions> optionsAccessor, ITenantResolver tenants, IUserRepository users, IUserRoleRepository userroles) : base(userManager, optionsAccessor)
+        public ClaimsPrincipalFactory(UserManager<TUser> userManager, IOptions<IdentityOptions> optionsAccessor, ITenantManager tenants, IUserRepository users, IUserRoleRepository userroles) : base(userManager, optionsAccessor)
        {
-            _options = optionsAccessor.Value;
            _tenants = tenants;
            _users = users; 
            _userRoles = userroles;
@ -27,33 +25,20 @@ namespace Oqtane.Security

        protected override async Task<ClaimsIdentity> GenerateClaimsAsync(TUser identityuser)
        {
-            var id = await base.GenerateClaimsAsync(identityuser);
+            var identity = await base.GenerateClaimsAsync(identityuser);

            User user = _users.GetUser(identityuser.UserName);
            if (user != null)
            {
-                id.AddClaim(new Claim(ClaimTypes.PrimarySid, user.UserId.ToString()));
                Alias alias = _tenants.GetAlias();
-                List<UserRole> userroles = _userRoles.GetUserRoles(user.UserId, alias.SiteId).ToList();
-                foreach (UserRole userrole in userroles)
+                if (alias != null)
                {
-                    id.AddClaim(new Claim(_options.ClaimsIdentity.RoleClaimType, userrole.Role.Name));
-                    // host users are members of every site
-                    if (userrole.Role.Name == RoleNames.Host)
-                    {
-                        if (userroles.Where(item => item.Role.Name == RoleNames.Registered).FirstOrDefault() == null)
-                        {
-                            id.AddClaim(new Claim(_options.ClaimsIdentity.RoleClaimType, RoleNames.Registered));
-                        }
-                        if (userroles.Where(item => item.Role.Name == RoleNames.Admin).FirstOrDefault() == null)
-                        {
-                            id.AddClaim(new Claim(_options.ClaimsIdentity.RoleClaimType, RoleNames.Admin));
-                        }
-                    }
+                    List<UserRole> userroles = _userRoles.GetUserRoles(user.UserId, alias.SiteId).ToList();
+                    identity = UserSecurity.CreateClaimsIdentity(alias, user, userroles);
                }
            }

-            return id;
+            return identity;
        }
    }

--- a/Oqtane.Server/Security/PrincipalValidator.cs
+++ b/Oqtane.Server/Security/PrincipalValidator.cs
@ -0,0 +1,64 @@
+using System.Linq;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Oqtane.Infrastructure;
+using Oqtane.Repository;
+using Oqtane.Models;
+using System.Collections.Generic;
+using Microsoft.Extensions.Configuration;
+
+namespace Oqtane.Security
+{
+    public static class PrincipalValidator
+    {
+        public static Task ValidateAsync(CookieValidatePrincipalContext context)
+        {
+            if (context != null && context.Principal.Identity.IsAuthenticated)
+            {
+                // check if framework is installed
+                var config = context.HttpContext.RequestServices.GetService(typeof(IConfiguration)) as IConfiguration;
+                if (!string.IsNullOrEmpty(config.GetConnectionString("DefaultConnection")))
+                {
+                    var tenantManager = context.HttpContext.RequestServices.GetService(typeof(ITenantManager)) as ITenantManager;
+                    var alias = tenantManager.GetAlias();
+                    if (alias != null)
+                    {
+                        // verify principal was authenticated for current tenant
+                        if (context.Principal.Claims.First(item => item.Type == ClaimTypes.GroupSid)?.Value != alias.AliasId.ToString())
+                        {
+                            // tenant agnostic requests must be ignored 
+                            string path = context.Request.Path.ToString().ToLower();
+                            if (path.StartsWith("/_blazor") || path.StartsWith("/api/installation/") || path.StartsWith("/api/alias/name/"))
+                            {
+                                return Task.CompletedTask;
+                            }
+
+                            // refresh principal
+                            var userRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRepository)) as IUserRepository;
+                            var userRoleRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRoleRepository)) as IUserRoleRepository;
+
+                            User user = userRepository.GetUser(context.Principal.Identity.Name);
+                            if (user != null)
+                            {
+                                List<UserRole> userroles = userRoleRepository.GetUserRoles(user.UserId, alias.SiteId).ToList();
+                                var identity = UserSecurity.CreateClaimsIdentity(alias, user, userroles);
+                                context.ReplacePrincipal(new ClaimsPrincipal(identity));
+                                context.ShouldRenew = true;
+                            }
+                            else
+                            {
+                                context.RejectPrincipal();
+                            }
+                        }
+                    }
+                    else
+                    {
+                        context.RejectPrincipal();
+                    }
+                }
+            }
+            return Task.CompletedTask;
+        }
+    }
+}
--- a/Oqtane.Server/Security/UserPermissions.cs
+++ b/Oqtane.Server/Security/UserPermissions.cs
@ -1,4 +1,4 @@
-using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http;
 using Oqtane.Models;
 using System.Linq;
 using System.Security.Claims;
@ -17,40 +17,41 @@ namespace Oqtane.Security
            _accessor = accessor;
        }

-        public bool IsAuthorized(ClaimsPrincipal user, string entityName, int entityId, string permissionName)
+        public bool IsAuthorized(ClaimsPrincipal principal, string entityName, int entityId, string permissionName)
        {
-            return IsAuthorized(user, permissionName, _permissions.GetPermissionString(entityName, entityId, permissionName));
+            return IsAuthorized(principal, permissionName, _permissions.GetPermissionString(entityName, entityId, permissionName));
        }

-        public bool IsAuthorized(ClaimsPrincipal user, string permissionName, string permissions)
+        public bool IsAuthorized(ClaimsPrincipal principal, string permissionName, string permissions)
        {
-            return UserSecurity.IsAuthorized(GetUser(user), permissionName, permissions);
+            return UserSecurity.IsAuthorized(GetUser(principal), permissionName, permissions);
        }

-        public User GetUser(ClaimsPrincipal user)
+        public User GetUser(ClaimsPrincipal principal)
        {
-            User resultUser = new User();
-            resultUser.Username = "";
-            resultUser.IsAuthenticated = false;
-            resultUser.UserId = -1;
-            resultUser.Roles = "";
+            User user = new User();
+            user.IsAuthenticated = false;
+            user.Username = "";
+            user.UserId = -1;
+            user.Roles = "";

-            if (user == null) return resultUser;
+            if (principal == null) return user;

-            resultUser.Username = user.Identity.Name;
-            resultUser.IsAuthenticated = user.Identity.IsAuthenticated;
-            var idclaim = user.Claims.FirstOrDefault(item => item.Type == ClaimTypes.PrimarySid);
-            if (idclaim != null)
+            user.IsAuthenticated = principal.Identity.IsAuthenticated;
+            if (user.IsAuthenticated)
            {
-                resultUser.UserId = int.Parse(idclaim.Value);
-                foreach (var claim in user.Claims.Where(item => item.Type == ClaimTypes.Role))
+                user.Username = principal.Identity.Name;
+                if (principal.Claims.Any(item => item.Type == ClaimTypes.PrimarySid))
                {
-                    resultUser.Roles += claim.Value + ";";
+                    user.UserId = int.Parse(principal.Claims.First(item => item.Type == ClaimTypes.PrimarySid).Value);
                }
-
-                if (resultUser.Roles != "") resultUser.Roles = ";" + resultUser.Roles;
+                foreach (var claim in principal.Claims.Where(item => item.Type == ClaimTypes.Role))
+                {
+                    user.Roles += claim.Value + ";";
+                }
+                if (user.Roles != "") user.Roles = ";" + user.Roles;
            }
-            return resultUser;
+            return user;
        }

        public User GetUser()
--- a/Oqtane.Server/Startup.cs
+++ b/Oqtane.Server/Startup.cs
@ -71,14 +71,15 @@ namespace Oqtane
                {
                    // creating the URI helper needs to wait until the JS Runtime is initialized, so defer it.
                    var navigationManager = s.GetRequiredService<NavigationManager>();
+                    var client = new HttpClient(new HttpClientHandler { UseCookies = false });
+                    client.BaseAddress = new Uri(navigationManager.Uri);
+                    // set the auth cookie to allow HttpClient API calls to be authenticated
                    var httpContextAccessor = s.GetRequiredService<IHttpContextAccessor>();
-                    var authToken = httpContextAccessor.HttpContext.Request.Cookies[".AspNetCore.Identity.Application"];
-                    var client = new HttpClient(new HttpClientHandler {UseCookies = false});
+                    var authToken = httpContextAccessor.HttpContext.Request.Cookies[".AspNetCore." + Constants.AuthenticationScheme];
                    if (authToken != null)
                    {
-                        client.DefaultRequestHeaders.Add("Cookie", ".AspNetCore.Identity.Application=" + authToken);
+                        client.DefaultRequestHeaders.Add("Cookie", ".AspNetCore." + Constants.AuthenticationScheme + "=" + authToken);
                    }
-                    client.BaseAddress = new Uri(navigationManager.Uri);
                    return client;
                });
            }
@ -131,7 +132,8 @@ namespace Oqtane
            services.AddIdentityCore<IdentityUser>(options => { })
                .AddEntityFrameworkStores<TenantDBContext>()
                .AddSignInManager()
-                .AddDefaultTokenProviders();
+                .AddDefaultTokenProviders()
+                .AddClaimsPrincipalFactory<ClaimsPrincipalFactory<IdentityUser>>(); // role claims

            services.Configure<IdentityOptions>(options =>
            {
@ -151,8 +153,8 @@ namespace Oqtane
                options.User.RequireUniqueEmail = false;
            });

-            services.AddAuthentication(IdentityConstants.ApplicationScheme)
-                .AddCookie(IdentityConstants.ApplicationScheme);
+            services.AddAuthentication(Constants.AuthenticationScheme)
+                .AddCookie(Constants.AuthenticationScheme);

            services.ConfigureApplicationCookie(options =>
            {
@ -162,11 +164,9 @@ namespace Oqtane
                    context.Response.StatusCode = 401;
                    return Task.CompletedTask;
                };
+                options.Events.OnValidatePrincipal = PrincipalValidator.ValidateAsync;
            });

-            // register custom claims principal factory for role claims
-            services.AddTransient<IUserClaimsPrincipalFactory<IdentityUser>, ClaimsPrincipalFactory<IdentityUser>>();
-
            // register singleton scoped core services
            services.AddSingleton(Configuration);
            services.AddSingleton<IInstallationManager, InstallationManager>();
@ -249,11 +249,12 @@ namespace Oqtane

            app.UseHttpsRedirection();
            app.UseStaticFiles();
-            app.UseTenantResolution(); // must be declared directly after static files
+            app.UseTenantResolution();
            app.UseBlazorFrameworkFiles();
            app.UseRouting();
            app.UseAuthentication();
            app.UseAuthorization();
+
            if (_useSwagger)
            {
                app.UseSwagger();