fix #4580 - add logout everywhere support using SecurityStamp
This commit is contained in:
sbwalker
@ -1,6 +1,5 @@
|
||||
using System.Linq;
|
||||
using System.Security.Claims;
|
||||
using Oqtane.Models;
|
||||
using Oqtane.Shared;
|
||||
|
||||
namespace Oqtane.Extensions
|
||||
@ -41,9 +40,9 @@ namespace Oqtane.Extensions
|
||||
|
||||
public static string SiteKey(this ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
if (claimsPrincipal.HasClaim(item => item.Type == "sitekey"))
|
||||
if (claimsPrincipal.HasClaim(item => item.Type == Constants.SiteKeyClaimType))
|
||||
{
|
||||
return claimsPrincipal.Claims.FirstOrDefault(item => item.Type == "sitekey").Value;
|
||||
return claimsPrincipal.Claims.FirstOrDefault(item => item.Type == Constants.SiteKeyClaimType).Value;
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -71,6 +70,18 @@ namespace Oqtane.Extensions
|
||||
return -1;
|
||||
}
|
||||
|
||||
public static string SecurityStamp(this ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
if (claimsPrincipal.HasClaim(item => item.Type == Constants.SecurityStampClaimType))
|
||||
{
|
||||
return claimsPrincipal.Claims.FirstOrDefault(item => item.Type == Constants.SecurityStampClaimType).Value;
|
||||
}
|
||||
else
|
||||
{
|
||||
return "";
|
||||
}
|
||||
}
|
||||
|
||||
public static bool IsOnlyInRole(this ClaimsPrincipal claimsPrincipal, string role)
|
||||
{
|
||||
var identity = claimsPrincipal.Identities.FirstOrDefault(item => item.AuthenticationType == Constants.AuthenticationScheme);
|
||||
|
||||
@ -231,6 +231,7 @@ namespace Oqtane.Managers
|
||||
{
|
||||
identityuser.PasswordHash = _identityUserManager.PasswordHasher.HashPassword(identityuser, user.Password);
|
||||
await _identityUserManager.UpdateAsync(identityuser);
|
||||
await _identityUserManager.UpdateSecurityStampAsync(identityuser); // will force user to sign in again
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -241,7 +242,8 @@ namespace Oqtane.Managers
|
||||
|
||||
if (user.Email != identityuser.Email)
|
||||
{
|
||||
await _identityUserManager.SetEmailAsync(identityuser, user.Email);
|
||||
identityuser.Email = user.Email;
|
||||
await _identityUserManager.UpdateAsync(identityuser); // security stamp not updated
|
||||
|
||||
// if email address changed and it is not confirmed, verification is required for new email address
|
||||
if (!user.EmailConfirmed)
|
||||
|
||||
@ -10,6 +10,7 @@ using System;
|
||||
using Oqtane.Infrastructure;
|
||||
using Oqtane.Extensions;
|
||||
using Oqtane.Managers;
|
||||
using System.Security.Claims;
|
||||
|
||||
namespace Oqtane.Providers
|
||||
{
|
||||
@ -41,6 +42,8 @@ namespace Oqtane.Providers
|
||||
else
|
||||
{
|
||||
return true;
|
||||
//var principalStamp = authState.User.FindFirstValue(options.Value.ClaimsIdentity.SecurityStampClaimType);
|
||||
//return principalStamp == user.SecurityStamp;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using Microsoft.AspNetCore.Identity;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
using Microsoft.Extensions.Caching.Memory;
|
||||
using Oqtane.Infrastructure;
|
||||
@ -14,13 +15,15 @@ namespace Oqtane.Repository
|
||||
private readonly IDbContextFactory<TenantDBContext> _dbContextFactory;
|
||||
private readonly IRoleRepository _roles;
|
||||
private readonly ITenantManager _tenantManager;
|
||||
private readonly UserManager<IdentityUser> _identityUserManager;
|
||||
private readonly IMemoryCache _cache;
|
||||
|
||||
public UserRoleRepository(IDbContextFactory<TenantDBContext> dbContextFactory, IRoleRepository roles, ITenantManager tenantManager, IMemoryCache cache)
|
||||
public UserRoleRepository(IDbContextFactory<TenantDBContext> dbContextFactory, IRoleRepository roles, ITenantManager tenantManager, UserManager<IdentityUser> identityUserManager, IMemoryCache cache)
|
||||
{
|
||||
_dbContextFactory = dbContextFactory;
|
||||
_roles = roles;
|
||||
_tenantManager = tenantManager;
|
||||
_identityUserManager = identityUserManager;
|
||||
_cache = cache;
|
||||
}
|
||||
|
||||
@ -69,10 +72,8 @@ namespace Oqtane.Repository
|
||||
DeleteUserRoles(userRole.UserId);
|
||||
}
|
||||
|
||||
var alias = _tenantManager.GetAlias();
|
||||
_cache.Remove($"user:{userRole.UserId}:{alias.SiteKey}");
|
||||
_cache.Remove($"userroles:{userRole.UserId}:{alias.SiteKey}");
|
||||
|
||||
UpdateSecurityStamp(userRole.UserId);
|
||||
|
||||
return userRole;
|
||||
}
|
||||
|
||||
@ -82,9 +83,7 @@ namespace Oqtane.Repository
|
||||
db.Entry(userRole).State = EntityState.Modified;
|
||||
db.SaveChanges();
|
||||
|
||||
var alias = _tenantManager.GetAlias();
|
||||
_cache.Remove($"user:{userRole.UserId}:{alias.SiteKey}");
|
||||
_cache.Remove($"userroles:{userRole.UserId}:{alias.SiteKey}");
|
||||
UpdateSecurityStamp(userRole.UserId);
|
||||
|
||||
return userRole;
|
||||
}
|
||||
@ -144,9 +143,7 @@ namespace Oqtane.Repository
|
||||
db.UserRole.Remove(userRole);
|
||||
db.SaveChanges();
|
||||
|
||||
var alias = _tenantManager.GetAlias();
|
||||
_cache.Remove($"user:{userRole.UserId}:{alias.SiteKey}");
|
||||
_cache.Remove($"userroles:{userRole.UserId}:{alias.SiteKey}");
|
||||
UpdateSecurityStamp(userRole.UserId);
|
||||
}
|
||||
|
||||
public void DeleteUserRoles(int userId)
|
||||
@ -158,9 +155,30 @@ namespace Oqtane.Repository
|
||||
}
|
||||
db.SaveChanges();
|
||||
|
||||
UpdateSecurityStamp(userId);
|
||||
}
|
||||
|
||||
private void UpdateSecurityStamp(int userId)
|
||||
{
|
||||
// update user security stamp
|
||||
using var db = _dbContextFactory.CreateDbContext();
|
||||
var user = db.User.Find(userId);
|
||||
if (user != null)
|
||||
{
|
||||
var identityuser = _identityUserManager.FindByNameAsync(user.Username).GetAwaiter().GetResult();
|
||||
if (identityuser != null)
|
||||
{
|
||||
_identityUserManager.UpdateSecurityStampAsync(identityuser);
|
||||
}
|
||||
}
|
||||
|
||||
// refresh cache
|
||||
var alias = _tenantManager.GetAlias();
|
||||
_cache.Remove($"user:{userId}:{alias.SiteKey}");
|
||||
_cache.Remove($"userroles:{userId}:{alias.SiteKey}");
|
||||
if (alias != null)
|
||||
{
|
||||
_cache.Remove($"user:{userId}:{alias.SiteKey}");
|
||||
_cache.Remove($"userroles:{userId}:{alias.SiteKey}");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -13,14 +13,17 @@ namespace Oqtane.Security
|
||||
public class ClaimsPrincipalFactory<TUser> : UserClaimsPrincipalFactory<TUser> where TUser : IdentityUser
|
||||
{
|
||||
private readonly ITenantManager _tenants;
|
||||
// cannot utilize IUserManager due to circular references - which is fine as this method is only called on login
|
||||
private readonly IUserRepository _users;
|
||||
private readonly IUserRoleRepository _userRoles;
|
||||
private readonly UserManager<TUser> _userManager;
|
||||
|
||||
public ClaimsPrincipalFactory(UserManager<TUser> userManager, IOptions<IdentityOptions> optionsAccessor, ITenantManager tenants, IUserRepository users, IUserRoleRepository userroles) : base(userManager, optionsAccessor)
|
||||
{
|
||||
_tenants = tenants;
|
||||
_users = users;
|
||||
_userRoles = userroles;
|
||||
_userManager = userManager;
|
||||
}
|
||||
|
||||
protected override async Task<ClaimsIdentity> GenerateClaimsAsync(TUser identityuser)
|
||||
@ -33,6 +36,7 @@ namespace Oqtane.Security
|
||||
Alias alias = _tenants.GetAlias();
|
||||
if (alias != null)
|
||||
{
|
||||
user.SecurityStamp = await _userManager.GetSecurityStampAsync(identityuser);
|
||||
List<UserRole> userroles = _userRoles.GetUserRoles(user.UserId, alias.SiteId).ToList();
|
||||
identity = UserSecurity.CreateClaimsIdentity(alias, user, userroles);
|
||||
}
|
||||
|
||||
@ -3,12 +3,11 @@ using System.Security.Claims;
|
||||
using System.Threading.Tasks;
|
||||
using Microsoft.AspNetCore.Authentication.Cookies;
|
||||
using Oqtane.Infrastructure;
|
||||
using Oqtane.Repository;
|
||||
using Oqtane.Models;
|
||||
using System.Collections.Generic;
|
||||
using Oqtane.Extensions;
|
||||
using Oqtane.Shared;
|
||||
using System.IO;
|
||||
using Oqtane.Managers;
|
||||
|
||||
|
||||
namespace Oqtane.Security
|
||||
{
|
||||
@ -24,49 +23,38 @@ namespace Oqtane.Security
|
||||
// check if framework is installed
|
||||
if (config.IsInstalled() && !path.StartsWith("/_")) // ignore Blazor framework requests
|
||||
{
|
||||
// get current site
|
||||
var _logger = context.HttpContext.RequestServices.GetService(typeof(ILogManager)) as ILogManager;
|
||||
|
||||
var alias = context.HttpContext.GetAlias();
|
||||
if (alias != null)
|
||||
{
|
||||
var claims = context.Principal.Claims;
|
||||
var userManager = context.HttpContext.RequestServices.GetService(typeof(IUserManager)) as IUserManager;
|
||||
var user = userManager.GetUser(context.Principal.UserId(), alias.SiteId); // cached
|
||||
|
||||
// check if principal has roles and matches current site
|
||||
if (!claims.Any(item => item.Type == ClaimTypes.Role) || !claims.Any(item => item.Type == "sitekey" && item.Value == alias.SiteKey))
|
||||
// check if user is valid, not deleted, has roles, and security stamp has not changed
|
||||
if (user != null && !user.IsDeleted && user.Roles.Any() && context.Principal.SecurityStamp() == user.SecurityStamp)
|
||||
{
|
||||
var userRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRepository)) as IUserRepository;
|
||||
var userRoleRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRoleRepository)) as IUserRoleRepository;
|
||||
var _logger = context.HttpContext.RequestServices.GetService(typeof(ILogManager)) as ILogManager;
|
||||
|
||||
User user = userRepository.GetUser(context.Principal.Identity.Name);
|
||||
if (user != null)
|
||||
// validate sitekey in case user has changed sites in installation
|
||||
if (context.Principal.SiteKey() != alias.SiteKey || !context.Principal.Roles().Any())
|
||||
{
|
||||
// replace principal with roles for current site
|
||||
List<UserRole> userroles = userRoleRepository.GetUserRoles(user.UserId, alias.SiteId).ToList();
|
||||
if (userroles.Any())
|
||||
{
|
||||
var identity = UserSecurity.CreateClaimsIdentity(alias, user, userroles);
|
||||
context.ReplacePrincipal(new ClaimsPrincipal(identity));
|
||||
context.ShouldRenew = true;
|
||||
Log(_logger, alias, "Permissions Updated For User {Username} Accessing {Url}", context.Principal.Identity.Name, path);
|
||||
}
|
||||
else
|
||||
{
|
||||
// user has no roles - remove principal
|
||||
Log(_logger, alias, "Permissions Removed For User {Username} Accessing {Url}", context.Principal.Identity.Name, path);
|
||||
context.RejectPrincipal();
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
// user does not exist - remove principal
|
||||
Log(_logger, alias, "Permissions Removed For User {Username} Accessing {Url}", context.Principal.Identity.Name, path);
|
||||
context.RejectPrincipal();
|
||||
// refresh principal
|
||||
var identity = UserSecurity.CreateClaimsIdentity(alias, user);
|
||||
context.ReplacePrincipal(new ClaimsPrincipal(identity));
|
||||
context.ShouldRenew = true;
|
||||
Log(_logger, alias, "Permissions Refreshed For User {Username} Accessing {Url}", context.Principal.Identity.Name, path);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
// remove principal (ie. log user out)
|
||||
Log(_logger, alias, "Permissions Removed For User {Username} Accessing {Url}", context.Principal.Identity.Name, path);
|
||||
context.RejectPrincipal();
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
// user is signed in but tenant cannot be determined
|
||||
// user is signed in but site cannot be determined
|
||||
Log(_logger, alias, "Alias Could Not Be Resolved For User {Username} Accessing {Url}", context.Principal.Identity.Name, path);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user