Diplomarbeit-Absolventenverein/oqtane.framework
10
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

factor out auth constants, remove TAlias is Alias is not an extensible type, improve SiteOptions cache clearing, improve principal validation, localization improvements

Browse Source
This commit is contained in:
Shaun Walker
2022-03-26 17:30:06 -04:00
parent 79f427e10a
commit b92a888583
22 changed files with 113 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
Oqtane.Server/Security/PrincipalValidator.cs
View File

@ -6,6 +6,8 @@ using Oqtane.Infrastructure;
using Oqtane.Repository;
using Oqtane.Models;
using System.Collections.Generic;
using Oqtane.Extensions;
using Oqtane.Shared;
namespace Oqtane.Security
{
@ -13,51 +15,49 @@ namespace Oqtane.Security
{
public static Task ValidateAsync(CookieValidatePrincipalContext context)
{
if (context != null && context.Principal.Identity.IsAuthenticated)
if (context != null && context.Principal.Identity.IsAuthenticated && context.Principal.Identity.Name != null)
{
// check if framework is installed
var config = context.HttpContext.RequestServices.GetService(typeof(IConfigManager)) as IConfigManager;
if (config.IsInstalled())
{
var tenantManager = context.HttpContext.RequestServices.GetService(typeof(ITenantManager)) as ITenantManager;
var alias = tenantManager.GetAlias();
// get current site
var alias = context.HttpContext.GetAlias();
if (alias != null)
{
// verify principal was authenticated for current tenant
// check if principal matches current site
if (context.Principal.Claims.FirstOrDefault(item => item.Type == ClaimTypes.GroupSid)?.Value != alias.SiteKey)
{
// tenant agnostic requests must be ignored
string path = context.Request.Path.ToString().ToLower();
if (path.StartsWith("/_blazor") || path.StartsWith("/api/installation/"))
{
return Task.CompletedTask;
}
// refresh principal
// principal does not match site
var userRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRepository)) as IUserRepository;
var userRoleRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRoleRepository)) as IUserRoleRepository;
var _logger = context.HttpContext.RequestServices.GetService(typeof(ILogManager)) as ILogManager;
string path = context.Request.Path.ToString().ToLower();
if (context.Principal.Identity.Name != null)
User user = userRepository.GetUser(context.Principal.Identity.Name);
if (user != null)
{
User user = userRepository.GetUser(context.Principal.Identity.Name);
if (user != null)
// replace principal with roles for current site
List<UserRole> userroles = userRoleRepository.GetUserRoles(user.UserId, alias.SiteId).ToList();
var identity = UserSecurity.CreateClaimsIdentity(alias, user, userroles);
context.ReplacePrincipal(new ClaimsPrincipal(identity));
context.ShouldRenew = true;
if (!path.StartsWith("/api/")) // reduce log verbosity
{
List<UserRole> userroles = userRoleRepository.GetUserRoles(user.UserId, alias.SiteId).ToList();
var identity = UserSecurity.CreateClaimsIdentity(alias, user, userroles);
context.ReplacePrincipal(new ClaimsPrincipal(identity));
context.ShouldRenew = true;
_logger.Log(alias.SiteId, LogLevel.Information, "LoginValidation", Enums.LogFunction.Security, "Permissions Updated For User {Username} Accessing Resource {Url}", context.Principal.Identity.Name, path);
}
else
}
else
{
// user has no roles for site - remove principal
context.RejectPrincipal();
if (!path.StartsWith("/api/")) // reduce log verbosity
{
context.RejectPrincipal();
_logger.Log(alias.SiteId, LogLevel.Information, "LoginValidation", Enums.LogFunction.Security, "Permissions Removed For User {Username} Accessing Resource {Url}", context.Principal.Identity.Name, path);
}
}
}
}
else
{
context.RejectPrincipal();
}
}
}
return Task.CompletedTask;