kocoded/oqtane.framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

auth improvements related to multi-tenancy

Browse Source
This commit is contained in:
Shaun Walker 2021-05-19 08:46:02 -04:00
parent 943adec3a0
commit 09537ab0e4
23 changed files with 235 additions and 134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Oqtane.Client/Modules/Admin/Login/Index.razor
View File

@ -9,7 +9,13 @@
{
<ModuleMessage Message="@_message" Type="@_type" />
}
<AuthorizeView>
<AuthorizeView Roles="@RoleNames.Registered">
<Authorizing>
<text>...</text>
</Authorizing>
<Authorized>
<ModuleMessage Message="@Localizer["You Are Already Signed In"]" Type="MessageType.Info" />
</Authorized>
<NotAuthorized>
<form @ref="login" class="@(validated ? "was-validated" : "needs-validation")" novalidate>
<div class="container Oqtane-Modules-Admin-Login" @onkeypress="@(e => KeyPressed(e))">
@ -112,11 +118,10 @@
if (user.IsAuthenticated)
{
await logger.LogInformation("Login Successful For Username {Username}", _username);
// complete the login on the server so that the cookies are set correctly on SignalR
// complete the login on the server so that the cookies are set correctly
string antiforgerytoken = await interop.GetElementByName("__RequestVerificationToken");
var fields = new { __RequestVerificationToken = antiforgerytoken, username = _username, password = _password, remember = _remember, returnurl = _returnUrl };
string url = "/pages/login/";
if (!string.IsNullOrEmpty(PageState.Alias.Path)) url = "/" + PageState.Alias.Path + url;
string url = Utilities.TenantUrl(PageState.Alias, "/pages/login/");
await interop.SubmitForm(url, fields);
}
else

2
Oqtane.Client/Modules/Admin/Register/Index.razor
View File

@ -6,7 +6,7 @@
@if (PageState.Site.AllowRegistration)
{
<AuthorizeView>
<AuthorizeView Roles="@RoleNames.Registered">
<Authorizing>
<text>...</text>
</Authorizing>

7
Oqtane.Client/Modules/Admin/Sites/Add.razor
View File

@ -301,15 +301,15 @@ else
connectionString = databaseConfigControl.GetConnectionString();
}
var database = _databases.SingleOrDefault(d => d.Name == _databaseName);
if (connectionString != "")
{
config.TenantName = _tenantName;
config.DatabaseType = database.DBType;
config.ConnectionString = connectionString;
config.HostPassword = _hostpassword;
config.HostEmail = user.Email;
config.HostPassword = _hostpassword;
config.HostName = user.DisplayName;
config.TenantName = _tenantName;
config.IsNewTenant = true;
}
else
@ -333,6 +333,7 @@ else
if (tenant != null)
{
config.TenantName = tenant.Name;
config.DatabaseType = tenant.DBType;
config.ConnectionString = tenant.DBConnectionString;
config.IsNewTenant = false;
}

29
Oqtane.Client/Providers/IdentityAuthenticationStateProvider.cs
View File

@ -1,29 +1,27 @@
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Oqtane.Models;
using Oqtane.Services;
using Oqtane.Security;
using Oqtane.Shared;
namespace Oqtane.Providers
{
public class IdentityAuthenticationStateProvider : AuthenticationStateProvider
{
private readonly NavigationManager _navigationManager;
private readonly SiteState _siteState;
private readonly IServiceProvider _serviceProvider;
public IdentityAuthenticationStateProvider(NavigationManager navigationManager, SiteState siteState, IServiceProvider serviceProvider)
private readonly NavigationManager _navigationManager;
public IdentityAuthenticationStateProvider(IServiceProvider serviceProvider, NavigationManager navigationManager)
{
_navigationManager = navigationManager;
_siteState = siteState;
_serviceProvider = serviceProvider;
_navigationManager = navigationManager;
}
public override async Task<AuthenticationState> GetAuthenticationStateAsync()
@ -32,17 +30,14 @@ namespace Oqtane.Providers
// get HttpClient lazily from IServiceProvider as you cannot use standard dependency injection due to the AuthenticationStateProvider being initialized prior to NavigationManager(https://github.com/aspnet/AspNetCore/issues/11867 )
var http = _serviceProvider.GetRequiredService<HttpClient>();
string apiurl = "/api/User/authenticate";
User user = await http.GetFromJsonAsync<User>(apiurl);
// get alias as SiteState has not been initialized ( cannot use AliasService as it is not yet registered )
var path = new Uri(_navigationManager.Uri).LocalPath.Substring(1);
var alias = await http.GetFromJsonAsync<Alias>($"/api/Alias/name/?path={WebUtility.UrlEncode(path)}&sync={DateTime.UtcNow.ToString("yyyyMMddHHmmssfff")}");
// get user
User user = await http.GetFromJsonAsync<User>(Utilities.TenantUrl(alias, "/api/User/authenticate"));
if (user.IsAuthenticated)
{
identity = new ClaimsIdentity("Identity.Application");
identity.AddClaim(new Claim(ClaimTypes.Name, user.Username));
identity.AddClaim(new Claim(ClaimTypes.PrimarySid, user.UserId.ToString()));
foreach (string role in user.Roles.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
{
identity.AddClaim(new Claim(ClaimTypes.Role, role));
}
identity = UserSecurity.CreateClaimsIdentity(alias, user);
}
return new AuthenticationState(new ClaimsPrincipal(identity));

15
Oqtane.Client/Services/AliasService.cs
View File

@ -19,36 +19,37 @@ namespace Oqtane.Services
_siteState = siteState;
}
private string Apiurl => CreateApiUrl("Alias", _siteState.Alias);
private string ApiUrl => CreateApiUrl("Alias", _siteState.Alias);
public async Task<List<Alias>> GetAliasesAsync()
{
List<Alias> aliases = await GetJsonAsync<List<Alias>>(Apiurl);
List<Alias> aliases = await GetJsonAsync<List<Alias>>(ApiUrl);
return aliases.OrderBy(item => item.Name).ToList();
}
public async Task<Alias> GetAliasAsync(int aliasId)
{
return await GetJsonAsync<Alias>($"{Apiurl}/{aliasId}");
return await GetJsonAsync<Alias>($"{ApiUrl}/{aliasId}");
}
public async Task<Alias> GetAliasAsync(string path, DateTime lastSyncDate)
{
return await GetJsonAsync<Alias>($"{Apiurl}/name/?path={WebUtility.UrlEncode(path)}&sync={lastSyncDate.ToString("yyyyMMddHHmmssfff")}");
// tenant agnostic as SiteState does not exist
return await GetJsonAsync<Alias>($"{CreateApiUrl("Alias", null)}/name/?path={WebUtility.UrlEncode(path)}&sync={lastSyncDate.ToString("yyyyMMddHHmmssfff")}");
}
public async Task<Alias> AddAliasAsync(Alias alias)
{
return await PostJsonAsync<Alias>(Apiurl, alias);
return await PostJsonAsync<Alias>(ApiUrl, alias);
}
public async Task<Alias> UpdateAliasAsync(Alias alias)
{
return await PutJsonAsync<Alias>($"{Apiurl}/{alias.AliasId}", alias);
return await PutJsonAsync<Alias>($"{ApiUrl}/{alias.AliasId}", alias);
}
public async Task DeleteAliasAsync(int aliasId)
{
await DeleteAsync($"{Apiurl}/{aliasId}");
await DeleteAsync($"{ApiUrl}/{aliasId}");
}
}
}

2
Oqtane.Client/Services/InstallationService.cs
View File

@ -14,7 +14,7 @@ namespace Oqtane.Services
_siteState = siteState;
}
private string ApiUrl => CreateApiUrl("Installation", _siteState.Alias);
private string ApiUrl => CreateApiUrl("Installation", null); // tenant agnostic as SiteState does not exist
public async Task<Installation> IsInstalled()
{

6
Oqtane.Client/Services/ServiceBase.cs
View File

@ -1,4 +1,4 @@
using System;
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Json;
@ -81,7 +81,6 @@ namespace Oqtane.Services
}
catch (Exception e)
{
//TODO replace with logging
Console.WriteLine(e);
}
@ -169,8 +168,6 @@ namespace Oqtane.Services
if (response.IsSuccessStatusCode) return true;
if (response.StatusCode != HttpStatusCode.NoContent && response.StatusCode != HttpStatusCode.NotFound)
{
//TODO: Log errors here
Console.WriteLine($"Request: {response.RequestMessage.RequestUri}");
Console.WriteLine($"Response status: {response.StatusCode} {response.ReasonPhrase}");
}
@ -182,7 +179,6 @@ namespace Oqtane.Services
{
var mediaType = content?.Headers.ContentType?.MediaType;
return mediaType != null && mediaType.Equals("application/json", StringComparison.OrdinalIgnoreCase);
//TODO Missing content JSON validation
}
[Obsolete("This method is obsolete. Use CreateApiUrl(Alias alias, string serviceName) instead.", false)]

2
Oqtane.Client/Themes/Controls/Theme/ControlPanel.razor
View File

@ -203,7 +203,7 @@
<LanguageSwitcher />
}
@if (UserSecurity.IsAuthorized(PageState.User, PermissionNames.Edit, PageState.Page.Permissions) || (PageState.Page.IsPersonalizable && PageState.User != null))
@if (UserSecurity.IsAuthorized(PageState.User, PermissionNames.Edit, PageState.Page.Permissions) || (PageState.Page.IsPersonalizable && PageState.User != null && UserSecurity.IsAuthorized(PageState.User, RoleNames.Registered)))
{
if (PageState.EditMode)
{

2
Oqtane.Client/Themes/Controls/Theme/Login.razor
View File

@ -3,7 +3,7 @@
@inject IStringLocalizer<Login> Localizer
<span class="app-login">
<AuthorizeView>
<AuthorizeView Roles="@RoleNames.Registered">
<Authorizing>
<text>...</text>
</Authorizing>

3
Oqtane.Client/Themes/Controls/Theme/LoginBase.cs
View File

@ -39,8 +39,7 @@ namespace Oqtane.Themes.Controls
var interop = new Interop(jsRuntime);
string antiforgerytoken = await interop.GetElementByName("__RequestVerificationToken");
var fields = new { __RequestVerificationToken = antiforgerytoken, returnurl = !authorizedtoviewpage ? PageState.Alias.Path : PageState.Alias.Path + "/" + PageState.Page.Path };
string url = "/pages/logout/";
if (!string.IsNullOrEmpty(PageState.Alias.Path)) url = "/" + PageState.Alias.Path + url;
string url = Utilities.TenantUrl(PageState.Alias, "/pages/logout/");
await interop.SubmitForm(url, fields);
}
else

2
Oqtane.Client/Themes/Controls/Theme/UserProfile.razor
View File

@ -5,7 +5,7 @@
@inject NavigationManager NavigationManager
<span class="app-profile">
<AuthorizeView>
<AuthorizeView Roles="@RoleNames.Registered">
<Authorizing>
<text>...</text>
</Authorizing>

10
Oqtane.Client/UI/SiteRouter.razor
View File

@ -12,6 +12,7 @@
@inject IUserService UserService
@inject IModuleService ModuleService
@inject ILogService LogService
@inject IJSRuntime JSRuntime
@implements IHandleAfterRender
@DynamicComponent
@ -107,7 +108,7 @@
SiteState.Alias = alias; // set state for services
lastsyncdate = alias.SyncDate;
// process any sync events
// process any sync events
if (reload != Reload.Site && alias.SyncEvents.Any())
{
// if running on WebAssembly reload the client application if the server application was restarted
@ -330,15 +331,13 @@
await Refresh();
}
Task IHandleAfterRender.OnAfterRenderAsync()
async Task IHandleAfterRender.OnAfterRenderAsync()
{
if (!_navigationInterceptionEnabled)
{
_navigationInterceptionEnabled = true;
return NavigationInterception.EnableNavigationInterceptionAsync();
await NavigationInterception.EnableNavigationInterceptionAsync();
}
return Task.CompletedTask;
}
private Dictionary<string, string> ParseQueryString(string query)
@ -556,4 +555,5 @@
=> RuntimeInformation.IsOSPlatform(OSPlatform.Create("BROWSER"))
? Oqtane.Shared.Runtime.WebAssembly
: Oqtane.Shared.Runtime.Server;
}

2
Oqtane.Server/Controllers/UserController.cs
View File

@ -358,7 +358,7 @@ namespace Oqtane.Controllers
[Authorize]
public async Task Logout([FromBody] User user)
{
await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
await HttpContext.SignOutAsync(Constants.AuthenticationScheme);
_logger.Log(LogLevel.Information, this, LogFunction.Security, "User Logout {Username}", (user != null) ? user.Username : "");
}

27
Oqtane.Server/Pages/Login.cshtml.cs
View File

@ -1,4 +1,4 @@
using System.Threading.Tasks;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
@ -21,20 +21,23 @@ namespace Oqtane.Pages
public async Task<IActionResult> OnPostAsync(string username, string password, bool remember, string returnurl)
{
bool validuser = false;
IdentityUser identityuser = await _identityUserManager.FindByNameAsync(username);
if (identityuser != null)
if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
{
var result = await _identitySignInManager.CheckPasswordSignInAsync(identityuser, password, false);
if (result.Succeeded)
bool validuser = false;
IdentityUser identityuser = await _identityUserManager.FindByNameAsync(username);
if (identityuser != null)
{
validuser = true;
var result = await _identitySignInManager.CheckPasswordSignInAsync(identityuser, password, false);
if (result.Succeeded)
{
validuser = true;
}
}
}
if (validuser)
{
await _identitySignInManager.SignInAsync(identityuser, remember);
if (validuser)
{
await _identitySignInManager.SignInAsync(identityuser, remember);
}
}
if (returnurl == null)
@ -49,4 +52,4 @@ namespace Oqtane.Pages
return LocalRedirect(Url.Content("~" + returnurl));
}
}
}
}

11
Oqtane.Server/Pages/Logout.cshtml.cs
View File

@ -1,9 +1,9 @@
using System.Threading.Tasks;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Oqtane.Shared;
namespace Oqtane.Pages
{
@ -12,7 +12,10 @@ namespace Oqtane.Pages
{
public async Task<IActionResult> OnPostAsync(string returnurl)
{
await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
if (HttpContext.User.Identity.IsAuthenticated)
{
await HttpContext.SignOutAsync(Constants.AuthenticationScheme);
}
if (returnurl == null)
{
@ -26,4 +29,4 @@ namespace Oqtane.Pages
return LocalRedirect(Url.Content("~" + returnurl));
}
}
}
}

23
Oqtane.Server/Pages/_Host.cshtml.cs
View File

@ -48,21 +48,24 @@ namespace Oqtane.Pages
}
// if culture not specified and framework is installed
if (HttpContext.Request.Cookies[CookieRequestCultureProvider.DefaultCookieName] == null && !string.IsNullOrEmpty(_configuration.GetConnectionString("DefaultConnection")))
if (!string.IsNullOrEmpty(_configuration.GetConnectionString("DefaultConnection")))
{
var alias = _tenantManager.GetAlias();
if (alias != null)
{
// set default language for site if the culture is not supported
var languages = _languages.GetLanguages(alias.SiteId);
if (languages.Any() && languages.All(l => l.Code != CultureInfo.CurrentUICulture.Name))
if (HttpContext.Request.Cookies[CookieRequestCultureProvider.DefaultCookieName] == null)
{
var defaultLanguage = languages.Where(l => l.IsDefault).SingleOrDefault() ?? languages.First();
SetLocalizationCookie(defaultLanguage.Code);
}
else
{
SetLocalizationCookie(_localizationManager.GetDefaultCulture());
// set default language for site if the culture is not supported
var languages = _languages.GetLanguages(alias.SiteId);
if (languages.Any() && languages.All(l => l.Code != CultureInfo.CurrentUICulture.Name))
{
var defaultLanguage = languages.Where(l => l.IsDefault).SingleOrDefault() ?? languages.First();
SetLocalizationCookie(defaultLanguage.Code);
}
else
{
SetLocalizationCookie(_localizationManager.GetDefaultCulture());
}
}
}
}

33
Oqtane.Server/Security/ClaimsPrincipalFactory.cs
View File

@ -1,25 +1,23 @@
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using System.Security.Claims;
using System.Threading.Tasks;
using Oqtane.Models;
using Oqtane.Shared;
using System.Collections.Generic;
using System.Linq;
using Oqtane.Repository;
using Oqtane.Infrastructure;
namespace Oqtane.Security
{
public class ClaimsPrincipalFactory<TUser> : UserClaimsPrincipalFactory<TUser> where TUser : IdentityUser
{
private readonly IdentityOptions _options;
private readonly ITenantResolver _tenants;
private readonly ITenantManager _tenants;
private readonly IUserRepository _users;
private readonly IUserRoleRepository _userRoles;
public ClaimsPrincipalFactory(UserManager<TUser> userManager, IOptions<IdentityOptions> optionsAccessor, ITenantResolver tenants, IUserRepository users, IUserRoleRepository userroles) : base(userManager, optionsAccessor)
public ClaimsPrincipalFactory(UserManager<TUser> userManager, IOptions<IdentityOptions> optionsAccessor, ITenantManager tenants, IUserRepository users, IUserRoleRepository userroles) : base(userManager, optionsAccessor)
{
_options = optionsAccessor.Value;
_tenants = tenants;
_users = users;
_userRoles = userroles;
@ -27,33 +25,20 @@ namespace Oqtane.Security
protected override async Task<ClaimsIdentity> GenerateClaimsAsync(TUser identityuser)
{
var id = await base.GenerateClaimsAsync(identityuser);
var identity = await base.GenerateClaimsAsync(identityuser);
User user = _users.GetUser(identityuser.UserName);
if (user != null)
{
id.AddClaim(new Claim(ClaimTypes.PrimarySid, user.UserId.ToString()));
Alias alias = _tenants.GetAlias();
List<UserRole> userroles = _userRoles.GetUserRoles(user.UserId, alias.SiteId).ToList();
foreach (UserRole userrole in userroles)
if (alias != null)
{
id.AddClaim(new Claim(_options.ClaimsIdentity.RoleClaimType, userrole.Role.Name));
// host users are members of every site
if (userrole.Role.Name == RoleNames.Host)
{
if (userroles.Where(item => item.Role.Name == RoleNames.Registered).FirstOrDefault() == null)
{
id.AddClaim(new Claim(_options.ClaimsIdentity.RoleClaimType, RoleNames.Registered));
}
if (userroles.Where(item => item.Role.Name == RoleNames.Admin).FirstOrDefault() == null)
{
id.AddClaim(new Claim(_options.ClaimsIdentity.RoleClaimType, RoleNames.Admin));
}
}
List<UserRole> userroles = _userRoles.GetUserRoles(user.UserId, alias.SiteId).ToList();
identity = UserSecurity.CreateClaimsIdentity(alias, user, userroles);
}
}
return id;
return identity;
}
}

64
Oqtane.Server/Security/PrincipalValidator.cs Normal file
View File

@ -0,0 +1,64 @@
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Oqtane.Infrastructure;
using Oqtane.Repository;
using Oqtane.Models;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;
namespace Oqtane.Security
{
public static class PrincipalValidator
{
public static Task ValidateAsync(CookieValidatePrincipalContext context)
{
if (context != null && context.Principal.Identity.IsAuthenticated)
{
// check if framework is installed
var config = context.HttpContext.RequestServices.GetService(typeof(IConfiguration)) as IConfiguration;
if (!string.IsNullOrEmpty(config.GetConnectionString("DefaultConnection")))
{
var tenantManager = context.HttpContext.RequestServices.GetService(typeof(ITenantManager)) as ITenantManager;
var alias = tenantManager.GetAlias();
if (alias != null)
{
// verify principal was authenticated for current tenant
if (context.Principal.Claims.First(item => item.Type == ClaimTypes.GroupSid)?.Value != alias.AliasId.ToString())
{
// tenant agnostic requests must be ignored
string path = context.Request.Path.ToString().ToLower();
if (path.StartsWith("/_blazor") || path.StartsWith("/api/installation/") || path.StartsWith("/api/alias/name/"))
{
return Task.CompletedTask;
}
// refresh principal
var userRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRepository)) as IUserRepository;
var userRoleRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRoleRepository)) as IUserRoleRepository;
User user = userRepository.GetUser(context.Principal.Identity.Name);
if (user != null)
{
List<UserRole> userroles = userRoleRepository.GetUserRoles(user.UserId, alias.SiteId).ToList();
var identity = UserSecurity.CreateClaimsIdentity(alias, user, userroles);
context.ReplacePrincipal(new ClaimsPrincipal(identity));
context.ShouldRenew = true;
}
else
{
context.RejectPrincipal();
}
}
}
else
{
context.RejectPrincipal();
}
}
}
return Task.CompletedTask;
}
}
}

45
Oqtane.Server/Security/UserPermissions.cs
View File

@ -1,4 +1,4 @@
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http;
using Oqtane.Models;
using System.Linq;
using System.Security.Claims;
@ -17,40 +17,41 @@ namespace Oqtane.Security
_accessor = accessor;
}
public bool IsAuthorized(ClaimsPrincipal user, string entityName, int entityId, string permissionName)
public bool IsAuthorized(ClaimsPrincipal principal, string entityName, int entityId, string permissionName)
{
return IsAuthorized(user, permissionName, _permissions.GetPermissionString(entityName, entityId, permissionName));
return IsAuthorized(principal, permissionName, _permissions.GetPermissionString(entityName, entityId, permissionName));
}
public bool IsAuthorized(ClaimsPrincipal user, string permissionName, string permissions)
public bool IsAuthorized(ClaimsPrincipal principal, string permissionName, string permissions)
{
return UserSecurity.IsAuthorized(GetUser(user), permissionName, permissions);
return UserSecurity.IsAuthorized(GetUser(principal), permissionName, permissions);
}
public User GetUser(ClaimsPrincipal user)
public User GetUser(ClaimsPrincipal principal)
{
User resultUser = new User();
resultUser.Username = "";
resultUser.IsAuthenticated = false;
resultUser.UserId = -1;
resultUser.Roles = "";
User user = new User();
user.IsAuthenticated = false;
user.Username = "";
user.UserId = -1;
user.Roles = "";
if (user == null) return resultUser;
if (principal == null) return user;
resultUser.Username = user.Identity.Name;
resultUser.IsAuthenticated = user.Identity.IsAuthenticated;
var idclaim = user.Claims.FirstOrDefault(item => item.Type == ClaimTypes.PrimarySid);
if (idclaim != null)
user.IsAuthenticated = principal.Identity.IsAuthenticated;
if (user.IsAuthenticated)
{
resultUser.UserId = int.Parse(idclaim.Value);
foreach (var claim in user.Claims.Where(item => item.Type == ClaimTypes.Role))
user.Username = principal.Identity.Name;
if (principal.Claims.Any(item => item.Type == ClaimTypes.PrimarySid))
{
resultUser.Roles += claim.Value + ";";
user.UserId = int.Parse(principal.Claims.First(item => item.Type == ClaimTypes.PrimarySid).Value);
}
if (resultUser.Roles != "") resultUser.Roles = ";" + resultUser.Roles;
foreach (var claim in principal.Claims.Where(item => item.Type == ClaimTypes.Role))
{
user.Roles += claim.Value + ";";
}
if (user.Roles != "") user.Roles = ";" + user.Roles;
}
return resultUser;
return user;
}
public User GetUser()

23
Oqtane.Server/Startup.cs
View File

@ -71,14 +71,15 @@ namespace Oqtane
{
// creating the URI helper needs to wait until the JS Runtime is initialized, so defer it.
var navigationManager = s.GetRequiredService<NavigationManager>();
var client = new HttpClient(new HttpClientHandler { UseCookies = false });
client.BaseAddress = new Uri(navigationManager.Uri);
// set the auth cookie to allow HttpClient API calls to be authenticated
var httpContextAccessor = s.GetRequiredService<IHttpContextAccessor>();
var authToken = httpContextAccessor.HttpContext.Request.Cookies[".AspNetCore.Identity.Application"];
var client = new HttpClient(new HttpClientHandler {UseCookies = false});
var authToken = httpContextAccessor.HttpContext.Request.Cookies[".AspNetCore." + Constants.AuthenticationScheme];
if (authToken != null)
{
client.DefaultRequestHeaders.Add("Cookie", ".AspNetCore.Identity.Application=" + authToken);
client.DefaultRequestHeaders.Add("Cookie", ".AspNetCore." + Constants.AuthenticationScheme + "=" + authToken);
}
client.BaseAddress = new Uri(navigationManager.Uri);
return client;
});
}
@ -131,7 +132,8 @@ namespace Oqtane
services.AddIdentityCore<IdentityUser>(options => { })
.AddEntityFrameworkStores<TenantDBContext>()
.AddSignInManager()
.AddDefaultTokenProviders();
.AddDefaultTokenProviders()
.AddClaimsPrincipalFactory<ClaimsPrincipalFactory<IdentityUser>>(); // role claims
services.Configure<IdentityOptions>(options =>
{
@ -151,8 +153,8 @@ namespace Oqtane
options.User.RequireUniqueEmail = false;
});
services.AddAuthentication(IdentityConstants.ApplicationScheme)
.AddCookie(IdentityConstants.ApplicationScheme);
services.AddAuthentication(Constants.AuthenticationScheme)
.AddCookie(Constants.AuthenticationScheme);
services.ConfigureApplicationCookie(options =>
{
@ -162,11 +164,9 @@ namespace Oqtane
context.Response.StatusCode = 401;
return Task.CompletedTask;
};
options.Events.OnValidatePrincipal = PrincipalValidator.ValidateAsync;
});
// register custom claims principal factory for role claims
services.AddTransient<IUserClaimsPrincipalFactory<IdentityUser>, ClaimsPrincipalFactory<IdentityUser>>();
// register singleton scoped core services
services.AddSingleton(Configuration);
services.AddSingleton<IInstallationManager, InstallationManager>();
@ -249,11 +249,12 @@ namespace Oqtane
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseTenantResolution(); // must be declared directly after static files
app.UseTenantResolution();
app.UseBlazorFrameworkFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
if (_useSwagger)
{
app.UseSwagger();

40
Oqtane.Shared/Security/UserSecurity.cs
View File

@ -1,6 +1,7 @@
using System;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using Oqtane.Models;
using Oqtane.Shared;
@ -114,5 +115,42 @@ namespace Oqtane.Security
}
return false;
}
public static ClaimsIdentity CreateClaimsIdentity(Alias alias, User user, List<UserRole> userroles)
{
user.Roles = "";
foreach (UserRole userrole in userroles)
{
user.Roles += userrole.Role.Name + ";";
}
if (user.Roles != "") user.Roles = ";" + user.Roles;
return CreateClaimsIdentity(alias, user);
}
public static ClaimsIdentity CreateClaimsIdentity(Alias alias, User user)
{
ClaimsIdentity identity = new ClaimsIdentity(Constants.AuthenticationScheme);
if (alias != null && user != null && !user.IsDeleted)
{
identity.AddClaim(new Claim(ClaimTypes.Name, user.Username));
identity.AddClaim(new Claim(ClaimTypes.PrimarySid, user.UserId.ToString()));
identity.AddClaim(new Claim(ClaimTypes.GroupSid, alias.AliasId.ToString()));
if (user.Roles.Contains(RoleNames.Host))
{
// host users are site admins by default
identity.AddClaim(new Claim(ClaimTypes.Role, RoleNames.Host));
identity.AddClaim(new Claim(ClaimTypes.Role, RoleNames.Admin));
identity.AddClaim(new Claim(ClaimTypes.Role, RoleNames.Registered));
}
foreach (string role in user.Roles.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
{
if (!identity.Claims.Any(item => item.Type == ClaimTypes.Role && item.Value == role))
{
identity.AddClaim(new Claim(ClaimTypes.Role, role));
}
}
}
return identity;
}
}
}

3
Oqtane.Shared/Shared/Constants.cs
View File

@ -1,5 +1,4 @@
using System;
using System.Globalization;
namespace Oqtane.Shared {
@ -72,5 +71,7 @@ namespace Oqtane.Shared {
public static readonly string SatelliteAssemblyExtension = ".resources.dll";
public static readonly string DefaultCulture = "en";
public static readonly string AuthenticationScheme = "Identity.Application";
}
}

5
Oqtane.Shared/Shared/Utilities.cs
View File

@ -108,6 +108,11 @@ namespace Oqtane.Shared
return $"{aliasUrl}{Constants.ContentUrl}{fileId}{method}";
}
public static string TenantUrl(Alias alias, string url)
{
url = (!url.StartsWith("/")) ? "/" + url : url;
return (alias != null && !string.IsNullOrEmpty(alias.Path)) ? "/" + alias.Path + url : url;
}
public static string GetTypeName(string fullyqualifiedtypename)
{
if (fullyqualifiedtypename.Contains(","))