kocoded/oqtane.framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

auth improvements related to multi-tenancy

Browse Source
This commit is contained in:
Shaun Walker 2021-05-19 08:46:02 -04:00
parent 943adec3a0
commit 09537ab0e4
23 changed files with 235 additions and 134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Oqtane.Client/Modules/Admin/Login/Index.razor
View File

@ -9,7 +9,13 @@
{ {
<ModuleMessage Message="@_message" Type="@_type" /> <ModuleMessage Message="@_message" Type="@_type" />
} }
<AuthorizeView> <AuthorizeView Roles="@RoleNames.Registered">
<Authorizing>
<text>...</text>
</Authorizing>
<Authorized>
<ModuleMessage Message="@Localizer["You Are Already Signed In"]" Type="MessageType.Info" />
</Authorized>
<NotAuthorized> <NotAuthorized>
<form @ref="login" class="@(validated ? "was-validated" : "needs-validation")" novalidate> <form @ref="login" class="@(validated ? "was-validated" : "needs-validation")" novalidate>
<div class="container Oqtane-Modules-Admin-Login" @onkeypress="@(e => KeyPressed(e))"> <div class="container Oqtane-Modules-Admin-Login" @onkeypress="@(e => KeyPressed(e))">
@ -112,11 +118,10 @@
if (user.IsAuthenticated) if (user.IsAuthenticated)
{ {
await logger.LogInformation("Login Successful For Username {Username}", _username); await logger.LogInformation("Login Successful For Username {Username}", _username);
// complete the login on the server so that the cookies are set correctly on SignalR // complete the login on the server so that the cookies are set correctly
string antiforgerytoken = await interop.GetElementByName("__RequestVerificationToken"); string antiforgerytoken = await interop.GetElementByName("__RequestVerificationToken");
var fields = new { __RequestVerificationToken = antiforgerytoken, username = _username, password = _password, remember = _remember, returnurl = _returnUrl }; var fields = new { __RequestVerificationToken = antiforgerytoken, username = _username, password = _password, remember = _remember, returnurl = _returnUrl };
string url = "/pages/login/"; string url = Utilities.TenantUrl(PageState.Alias, "/pages/login/");
if (!string.IsNullOrEmpty(PageState.Alias.Path)) url = "/" + PageState.Alias.Path + url;
await interop.SubmitForm(url, fields); await interop.SubmitForm(url, fields);
} }
else else

2
Oqtane.Client/Modules/Admin/Register/Index.razor
View File

@ -6,7 +6,7 @@
@if (PageState.Site.AllowRegistration) @if (PageState.Site.AllowRegistration)
{ {
<AuthorizeView> <AuthorizeView Roles="@RoleNames.Registered">
<Authorizing> <Authorizing>
<text>...</text> <text>...</text>
</Authorizing> </Authorizing>

5
Oqtane.Client/Modules/Admin/Sites/Add.razor
View File

@ -304,12 +304,12 @@ else
if (connectionString != "") if (connectionString != "")
{ {
config.TenantName = _tenantName;
config.DatabaseType = database.DBType; config.DatabaseType = database.DBType;
config.ConnectionString = connectionString; config.ConnectionString = connectionString;
config.HostPassword = _hostpassword;
config.HostEmail = user.Email; config.HostEmail = user.Email;
config.HostPassword = _hostpassword;
config.HostName = user.DisplayName; config.HostName = user.DisplayName;
config.TenantName = _tenantName;
config.IsNewTenant = true; config.IsNewTenant = true;
} }
else else
@ -333,6 +333,7 @@ else
if (tenant != null) if (tenant != null)
{ {
config.TenantName = tenant.Name; config.TenantName = tenant.Name;
config.DatabaseType = tenant.DBType;
config.ConnectionString = tenant.DBConnectionString; config.ConnectionString = tenant.DBConnectionString;
config.IsNewTenant = false; config.IsNewTenant = false;
} }

27
Oqtane.Client/Providers/IdentityAuthenticationStateProvider.cs
View File

@ -1,29 +1,27 @@
using System; using System;
using System.Net;
using System.Net.Http; using System.Net.Http;
using System.Net.Http.Json; using System.Net.Http.Json;
using System.Security.Claims; using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks; using System.Threading.Tasks;
using Microsoft.AspNetCore.Components; using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Authorization; using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection;
using Oqtane.Models; using Oqtane.Models;
using Oqtane.Services; using Oqtane.Security;
using Oqtane.Shared; using Oqtane.Shared;
namespace Oqtane.Providers namespace Oqtane.Providers
{ {
public class IdentityAuthenticationStateProvider : AuthenticationStateProvider public class IdentityAuthenticationStateProvider : AuthenticationStateProvider
{ {
private readonly NavigationManager _navigationManager;
private readonly SiteState _siteState;
private readonly IServiceProvider _serviceProvider; private readonly IServiceProvider _serviceProvider;
private readonly NavigationManager _navigationManager;
public IdentityAuthenticationStateProvider(NavigationManager navigationManager, SiteState siteState, IServiceProvider serviceProvider) public IdentityAuthenticationStateProvider(IServiceProvider serviceProvider, NavigationManager navigationManager)
{ {
_navigationManager = navigationManager;
_siteState = siteState;
_serviceProvider = serviceProvider; _serviceProvider = serviceProvider;
_navigationManager = navigationManager;
} }
public override async Task<AuthenticationState> GetAuthenticationStateAsync() public override async Task<AuthenticationState> GetAuthenticationStateAsync()
@ -32,17 +30,14 @@ namespace Oqtane.Providers
// get HttpClient lazily from IServiceProvider as you cannot use standard dependency injection due to the AuthenticationStateProvider being initialized prior to NavigationManager(https://github.com/aspnet/AspNetCore/issues/11867 ) // get HttpClient lazily from IServiceProvider as you cannot use standard dependency injection due to the AuthenticationStateProvider being initialized prior to NavigationManager(https://github.com/aspnet/AspNetCore/issues/11867 )
var http = _serviceProvider.GetRequiredService<HttpClient>(); var http = _serviceProvider.GetRequiredService<HttpClient>();
string apiurl = "/api/User/authenticate"; // get alias as SiteState has not been initialized ( cannot use AliasService as it is not yet registered )
User user = await http.GetFromJsonAsync<User>(apiurl); var path = new Uri(_navigationManager.Uri).LocalPath.Substring(1);
var alias = await http.GetFromJsonAsync<Alias>($"/api/Alias/name/?path={WebUtility.UrlEncode(path)}&sync={DateTime.UtcNow.ToString("yyyyMMddHHmmssfff")}");
// get user
User user = await http.GetFromJsonAsync<User>(Utilities.TenantUrl(alias, "/api/User/authenticate"));
if (user.IsAuthenticated) if (user.IsAuthenticated)
{ {
identity = new ClaimsIdentity("Identity.Application"); identity = UserSecurity.CreateClaimsIdentity(alias, user);
identity.AddClaim(new Claim(ClaimTypes.Name, user.Username));
identity.AddClaim(new Claim(ClaimTypes.PrimarySid, user.UserId.ToString()));
foreach (string role in user.Roles.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
{
identity.AddClaim(new Claim(ClaimTypes.Role, role));
}
} }
return new AuthenticationState(new ClaimsPrincipal(identity)); return new AuthenticationState(new ClaimsPrincipal(identity));

15
Oqtane.Client/Services/AliasService.cs
View File

@ -19,36 +19,37 @@ namespace Oqtane.Services
_siteState = siteState; _siteState = siteState;
} }
private string Apiurl => CreateApiUrl("Alias", _siteState.Alias); private string ApiUrl => CreateApiUrl("Alias", _siteState.Alias);
public async Task<List<Alias>> GetAliasesAsync() public async Task<List<Alias>> GetAliasesAsync()
{ {
List<Alias> aliases = await GetJsonAsync<List<Alias>>(Apiurl); List<Alias> aliases = await GetJsonAsync<List<Alias>>(ApiUrl);
return aliases.OrderBy(item => item.Name).ToList(); return aliases.OrderBy(item => item.Name).ToList();
} }
public async Task<Alias> GetAliasAsync(int aliasId) public async Task<Alias> GetAliasAsync(int aliasId)
{ {
return await GetJsonAsync<Alias>($"{Apiurl}/{aliasId}"); return await GetJsonAsync<Alias>($"{ApiUrl}/{aliasId}");
} }
public async Task<Alias> GetAliasAsync(string path, DateTime lastSyncDate) public async Task<Alias> GetAliasAsync(string path, DateTime lastSyncDate)
{ {
return await GetJsonAsync<Alias>($"{Apiurl}/name/?path={WebUtility.UrlEncode(path)}&sync={lastSyncDate.ToString("yyyyMMddHHmmssfff")}"); // tenant agnostic as SiteState does not exist
return await GetJsonAsync<Alias>($"{CreateApiUrl("Alias", null)}/name/?path={WebUtility.UrlEncode(path)}&sync={lastSyncDate.ToString("yyyyMMddHHmmssfff")}");
} }
public async Task<Alias> AddAliasAsync(Alias alias) public async Task<Alias> AddAliasAsync(Alias alias)
{ {
return await PostJsonAsync<Alias>(Apiurl, alias); return await PostJsonAsync<Alias>(ApiUrl, alias);
} }
public async Task<Alias> UpdateAliasAsync(Alias alias) public async Task<Alias> UpdateAliasAsync(Alias alias)
{ {
return await PutJsonAsync<Alias>($"{Apiurl}/{alias.AliasId}", alias); return await PutJsonAsync<Alias>($"{ApiUrl}/{alias.AliasId}", alias);
} }
public async Task DeleteAliasAsync(int aliasId) public async Task DeleteAliasAsync(int aliasId)
{ {
await DeleteAsync($"{Apiurl}/{aliasId}"); await DeleteAsync($"{ApiUrl}/{aliasId}");
} }
} }
} }

2
Oqtane.Client/Services/InstallationService.cs
View File

@ -14,7 +14,7 @@ namespace Oqtane.Services
_siteState = siteState; _siteState = siteState;
} }
private string ApiUrl => CreateApiUrl("Installation", _siteState.Alias); private string ApiUrl => CreateApiUrl("Installation", null); // tenant agnostic as SiteState does not exist
public async Task<Installation> IsInstalled() public async Task<Installation> IsInstalled()
{ {

6
Oqtane.Client/Services/ServiceBase.cs
View File

@ -1,4 +1,4 @@
using System; using System;
using System.Net; using System.Net;
using System.Net.Http; using System.Net.Http;
using System.Net.Http.Json; using System.Net.Http.Json;
@ -81,7 +81,6 @@ namespace Oqtane.Services
} }
catch (Exception e) catch (Exception e)
{ {
//TODO replace with logging
Console.WriteLine(e); Console.WriteLine(e);
} }
@ -169,8 +168,6 @@ namespace Oqtane.Services
if (response.IsSuccessStatusCode) return true; if (response.IsSuccessStatusCode) return true;
if (response.StatusCode != HttpStatusCode.NoContent && response.StatusCode != HttpStatusCode.NotFound) if (response.StatusCode != HttpStatusCode.NoContent && response.StatusCode != HttpStatusCode.NotFound)
{ {
//TODO: Log errors here
Console.WriteLine($"Request: {response.RequestMessage.RequestUri}"); Console.WriteLine($"Request: {response.RequestMessage.RequestUri}");
Console.WriteLine($"Response status: {response.StatusCode} {response.ReasonPhrase}"); Console.WriteLine($"Response status: {response.StatusCode} {response.ReasonPhrase}");
} }
@ -182,7 +179,6 @@ namespace Oqtane.Services
{ {
var mediaType = content?.Headers.ContentType?.MediaType; var mediaType = content?.Headers.ContentType?.MediaType;
return mediaType != null && mediaType.Equals("application/json", StringComparison.OrdinalIgnoreCase); return mediaType != null && mediaType.Equals("application/json", StringComparison.OrdinalIgnoreCase);
//TODO Missing content JSON validation
} }
[Obsolete("This method is obsolete. Use CreateApiUrl(Alias alias, string serviceName) instead.", false)] [Obsolete("This method is obsolete. Use CreateApiUrl(Alias alias, string serviceName) instead.", false)]

2
Oqtane.Client/Themes/Controls/Theme/ControlPanel.razor
View File

@ -203,7 +203,7 @@
<LanguageSwitcher /> <LanguageSwitcher />
} }
@if (UserSecurity.IsAuthorized(PageState.User, PermissionNames.Edit, PageState.Page.Permissions) || (PageState.Page.IsPersonalizable && PageState.User != null)) @if (UserSecurity.IsAuthorized(PageState.User, PermissionNames.Edit, PageState.Page.Permissions) || (PageState.Page.IsPersonalizable && PageState.User != null && UserSecurity.IsAuthorized(PageState.User, RoleNames.Registered)))
{ {
if (PageState.EditMode) if (PageState.EditMode)
{ {

2
Oqtane.Client/Themes/Controls/Theme/Login.razor
View File

@ -3,7 +3,7 @@
@inject IStringLocalizer<Login> Localizer @inject IStringLocalizer<Login> Localizer
<span class="app-login"> <span class="app-login">
<AuthorizeView> <AuthorizeView Roles="@RoleNames.Registered">
<Authorizing> <Authorizing>
<text>...</text> <text>...</text>
</Authorizing> </Authorizing>

3
Oqtane.Client/Themes/Controls/Theme/LoginBase.cs
View File

@ -39,8 +39,7 @@ namespace Oqtane.Themes.Controls
var interop = new Interop(jsRuntime); var interop = new Interop(jsRuntime);
string antiforgerytoken = await interop.GetElementByName("__RequestVerificationToken"); string antiforgerytoken = await interop.GetElementByName("__RequestVerificationToken");
var fields = new { __RequestVerificationToken = antiforgerytoken, returnurl = !authorizedtoviewpage ? PageState.Alias.Path : PageState.Alias.Path + "/" + PageState.Page.Path }; var fields = new { __RequestVerificationToken = antiforgerytoken, returnurl = !authorizedtoviewpage ? PageState.Alias.Path : PageState.Alias.Path + "/" + PageState.Page.Path };
string url = "/pages/logout/"; string url = Utilities.TenantUrl(PageState.Alias, "/pages/logout/");
if (!string.IsNullOrEmpty(PageState.Alias.Path)) url = "/" + PageState.Alias.Path + url;
await interop.SubmitForm(url, fields); await interop.SubmitForm(url, fields);
} }
else else

2
Oqtane.Client/Themes/Controls/Theme/UserProfile.razor
View File

@ -5,7 +5,7 @@
@inject NavigationManager NavigationManager @inject NavigationManager NavigationManager
<span class="app-profile"> <span class="app-profile">
<AuthorizeView> <AuthorizeView Roles="@RoleNames.Registered">
<Authorizing> <Authorizing>
<text>...</text> <text>...</text>
</Authorizing> </Authorizing>

8
Oqtane.Client/UI/SiteRouter.razor
View File

@ -12,6 +12,7 @@
@inject IUserService UserService @inject IUserService UserService
@inject IModuleService ModuleService @inject IModuleService ModuleService
@inject ILogService LogService @inject ILogService LogService
@inject IJSRuntime JSRuntime
@implements IHandleAfterRender @implements IHandleAfterRender
@DynamicComponent @DynamicComponent
@ -330,15 +331,13 @@
await Refresh(); await Refresh();
} }
Task IHandleAfterRender.OnAfterRenderAsync() async Task IHandleAfterRender.OnAfterRenderAsync()
{ {
if (!_navigationInterceptionEnabled) if (!_navigationInterceptionEnabled)
{ {
_navigationInterceptionEnabled = true; _navigationInterceptionEnabled = true;
return NavigationInterception.EnableNavigationInterceptionAsync(); await NavigationInterception.EnableNavigationInterceptionAsync();
} }
return Task.CompletedTask;
} }
private Dictionary<string, string> ParseQueryString(string query) private Dictionary<string, string> ParseQueryString(string query)
@ -556,4 +555,5 @@
=> RuntimeInformation.IsOSPlatform(OSPlatform.Create("BROWSER")) => RuntimeInformation.IsOSPlatform(OSPlatform.Create("BROWSER"))
? Oqtane.Shared.Runtime.WebAssembly ? Oqtane.Shared.Runtime.WebAssembly
: Oqtane.Shared.Runtime.Server; : Oqtane.Shared.Runtime.Server;
} }

2
Oqtane.Server/Controllers/UserController.cs
View File

@ -358,7 +358,7 @@ namespace Oqtane.Controllers
[Authorize] [Authorize]
public async Task Logout([FromBody] User user) public async Task Logout([FromBody] User user)
{ {
await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme); await HttpContext.SignOutAsync(Constants.AuthenticationScheme);
_logger.Log(LogLevel.Information, this, LogFunction.Security, "User Logout {Username}", (user != null) ? user.Username : ""); _logger.Log(LogLevel.Information, this, LogFunction.Security, "User Logout {Username}", (user != null) ? user.Username : "");
} }

5
Oqtane.Server/Pages/Login.cshtml.cs
View File

@ -1,4 +1,4 @@
using System.Threading.Tasks; using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity; using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
@ -20,6 +20,8 @@ namespace Oqtane.Pages
} }
public async Task<IActionResult> OnPostAsync(string username, string password, bool remember, string returnurl) public async Task<IActionResult> OnPostAsync(string username, string password, bool remember, string returnurl)
{
if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
{ {
bool validuser = false; bool validuser = false;
IdentityUser identityuser = await _identityUserManager.FindByNameAsync(username); IdentityUser identityuser = await _identityUserManager.FindByNameAsync(username);
@ -36,6 +38,7 @@ namespace Oqtane.Pages
{ {
await _identitySignInManager.SignInAsync(identityuser, remember); await _identitySignInManager.SignInAsync(identityuser, remember);
} }
}
if (returnurl == null) if (returnurl == null)
{ {

9
Oqtane.Server/Pages/Logout.cshtml.cs
View File

@ -1,9 +1,9 @@
using System.Threading.Tasks; using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages; using Microsoft.AspNetCore.Mvc.RazorPages;
using Oqtane.Shared;
namespace Oqtane.Pages namespace Oqtane.Pages
{ {
@ -12,7 +12,10 @@ namespace Oqtane.Pages
{ {
public async Task<IActionResult> OnPostAsync(string returnurl) public async Task<IActionResult> OnPostAsync(string returnurl)
{ {
await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme); if (HttpContext.User.Identity.IsAuthenticated)
{
await HttpContext.SignOutAsync(Constants.AuthenticationScheme);
}
if (returnurl == null) if (returnurl == null)
{ {

5
Oqtane.Server/Pages/_Host.cshtml.cs
View File

@ -48,10 +48,12 @@ namespace Oqtane.Pages
} }
// if culture not specified and framework is installed // if culture not specified and framework is installed
if (HttpContext.Request.Cookies[CookieRequestCultureProvider.DefaultCookieName] == null && !string.IsNullOrEmpty(_configuration.GetConnectionString("DefaultConnection"))) if (!string.IsNullOrEmpty(_configuration.GetConnectionString("DefaultConnection")))
{ {
var alias = _tenantManager.GetAlias(); var alias = _tenantManager.GetAlias();
if (alias != null) if (alias != null)
{
if (HttpContext.Request.Cookies[CookieRequestCultureProvider.DefaultCookieName] == null)
{ {
// set default language for site if the culture is not supported // set default language for site if the culture is not supported
var languages = _languages.GetLanguages(alias.SiteId); var languages = _languages.GetLanguages(alias.SiteId);
@ -67,6 +69,7 @@ namespace Oqtane.Pages
} }
} }
} }
}
private void ProcessHostResources(Assembly assembly) private void ProcessHostResources(Assembly assembly)
{ {

33
Oqtane.Server/Security/ClaimsPrincipalFactory.cs
View File

@ -1,25 +1,23 @@
using Microsoft.AspNetCore.Identity; using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options; using Microsoft.Extensions.Options;
using System.Security.Claims; using System.Security.Claims;
using System.Threading.Tasks; using System.Threading.Tasks;
using Oqtane.Models; using Oqtane.Models;
using Oqtane.Shared;
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using Oqtane.Repository; using Oqtane.Repository;
using Oqtane.Infrastructure;
namespace Oqtane.Security namespace Oqtane.Security
{ {
public class ClaimsPrincipalFactory<TUser> : UserClaimsPrincipalFactory<TUser> where TUser : IdentityUser public class ClaimsPrincipalFactory<TUser> : UserClaimsPrincipalFactory<TUser> where TUser : IdentityUser
{ {
private readonly IdentityOptions _options; private readonly ITenantManager _tenants;
private readonly ITenantResolver _tenants;
private readonly IUserRepository _users; private readonly IUserRepository _users;
private readonly IUserRoleRepository _userRoles; private readonly IUserRoleRepository _userRoles;
public ClaimsPrincipalFactory(UserManager<TUser> userManager, IOptions<IdentityOptions> optionsAccessor, ITenantResolver tenants, IUserRepository users, IUserRoleRepository userroles) : base(userManager, optionsAccessor) public ClaimsPrincipalFactory(UserManager<TUser> userManager, IOptions<IdentityOptions> optionsAccessor, ITenantManager tenants, IUserRepository users, IUserRoleRepository userroles) : base(userManager, optionsAccessor)
{ {
_options = optionsAccessor.Value;
_tenants = tenants; _tenants = tenants;
_users = users; _users = users;
_userRoles = userroles; _userRoles = userroles;
@ -27,33 +25,20 @@ namespace Oqtane.Security
protected override async Task<ClaimsIdentity> GenerateClaimsAsync(TUser identityuser) protected override async Task<ClaimsIdentity> GenerateClaimsAsync(TUser identityuser)
{ {
var id = await base.GenerateClaimsAsync(identityuser); var identity = await base.GenerateClaimsAsync(identityuser);
User user = _users.GetUser(identityuser.UserName); User user = _users.GetUser(identityuser.UserName);
if (user != null) if (user != null)
{ {
id.AddClaim(new Claim(ClaimTypes.PrimarySid, user.UserId.ToString()));
Alias alias = _tenants.GetAlias(); Alias alias = _tenants.GetAlias();
if (alias != null)
{
List<UserRole> userroles = _userRoles.GetUserRoles(user.UserId, alias.SiteId).ToList(); List<UserRole> userroles = _userRoles.GetUserRoles(user.UserId, alias.SiteId).ToList();
foreach (UserRole userrole in userroles) identity = UserSecurity.CreateClaimsIdentity(alias, user, userroles);
{
id.AddClaim(new Claim(_options.ClaimsIdentity.RoleClaimType, userrole.Role.Name));
// host users are members of every site
if (userrole.Role.Name == RoleNames.Host)
{
if (userroles.Where(item => item.Role.Name == RoleNames.Registered).FirstOrDefault() == null)
{
id.AddClaim(new Claim(_options.ClaimsIdentity.RoleClaimType, RoleNames.Registered));
}
if (userroles.Where(item => item.Role.Name == RoleNames.Admin).FirstOrDefault() == null)
{
id.AddClaim(new Claim(_options.ClaimsIdentity.RoleClaimType, RoleNames.Admin));
}
}
} }
} }
return id; return identity;
} }
} }

64
Oqtane.Server/Security/PrincipalValidator.cs Normal file
View File

@ -0,0 +1,64 @@
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Oqtane.Infrastructure;
using Oqtane.Repository;
using Oqtane.Models;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;
namespace Oqtane.Security
{
public static class PrincipalValidator
{
public static Task ValidateAsync(CookieValidatePrincipalContext context)
{
if (context != null && context.Principal.Identity.IsAuthenticated)
{
// check if framework is installed
var config = context.HttpContext.RequestServices.GetService(typeof(IConfiguration)) as IConfiguration;
if (!string.IsNullOrEmpty(config.GetConnectionString("DefaultConnection")))
{
var tenantManager = context.HttpContext.RequestServices.GetService(typeof(ITenantManager)) as ITenantManager;
var alias = tenantManager.GetAlias();
if (alias != null)
{
// verify principal was authenticated for current tenant
if (context.Principal.Claims.First(item => item.Type == ClaimTypes.GroupSid)?.Value != alias.AliasId.ToString())
{
// tenant agnostic requests must be ignored
string path = context.Request.Path.ToString().ToLower();
if (path.StartsWith("/_blazor") || path.StartsWith("/api/installation/") || path.StartsWith("/api/alias/name/"))
{
return Task.CompletedTask;
}
// refresh principal
var userRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRepository)) as IUserRepository;
var userRoleRepository = context.HttpContext.RequestServices.GetService(typeof(IUserRoleRepository)) as IUserRoleRepository;
User user = userRepository.GetUser(context.Principal.Identity.Name);
if (user != null)
{
List<UserRole> userroles = userRoleRepository.GetUserRoles(user.UserId, alias.SiteId).ToList();
var identity = UserSecurity.CreateClaimsIdentity(alias, user, userroles);
context.ReplacePrincipal(new ClaimsPrincipal(identity));
context.ShouldRenew = true;
}
else
{
context.RejectPrincipal();
}
}
}
else
{
context.RejectPrincipal();
}
}
}
return Task.CompletedTask;
}
}
}

45
Oqtane.Server/Security/UserPermissions.cs
View File

@ -1,4 +1,4 @@
using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Http;
using Oqtane.Models; using Oqtane.Models;
using System.Linq; using System.Linq;
using System.Security.Claims; using System.Security.Claims;
@ -17,40 +17,41 @@ namespace Oqtane.Security
_accessor = accessor; _accessor = accessor;
} }
public bool IsAuthorized(ClaimsPrincipal user, string entityName, int entityId, string permissionName) public bool IsAuthorized(ClaimsPrincipal principal, string entityName, int entityId, string permissionName)
{ {
return IsAuthorized(user, permissionName, _permissions.GetPermissionString(entityName, entityId, permissionName)); return IsAuthorized(principal, permissionName, _permissions.GetPermissionString(entityName, entityId, permissionName));
} }
public bool IsAuthorized(ClaimsPrincipal user, string permissionName, string permissions) public bool IsAuthorized(ClaimsPrincipal principal, string permissionName, string permissions)
{ {
return UserSecurity.IsAuthorized(GetUser(user), permissionName, permissions); return UserSecurity.IsAuthorized(GetUser(principal), permissionName, permissions);
} }
public User GetUser(ClaimsPrincipal user) public User GetUser(ClaimsPrincipal principal)
{ {
User resultUser = new User(); User user = new User();
resultUser.Username = ""; user.IsAuthenticated = false;
resultUser.IsAuthenticated = false; user.Username = "";
resultUser.UserId = -1; user.UserId = -1;
resultUser.Roles = ""; user.Roles = "";
if (user == null) return resultUser; if (principal == null) return user;
resultUser.Username = user.Identity.Name; user.IsAuthenticated = principal.Identity.IsAuthenticated;
resultUser.IsAuthenticated = user.Identity.IsAuthenticated; if (user.IsAuthenticated)
var idclaim = user.Claims.FirstOrDefault(item => item.Type == ClaimTypes.PrimarySid);
if (idclaim != null)
{ {
resultUser.UserId = int.Parse(idclaim.Value); user.Username = principal.Identity.Name;
foreach (var claim in user.Claims.Where(item => item.Type == ClaimTypes.Role)) if (principal.Claims.Any(item => item.Type == ClaimTypes.PrimarySid))
{ {
resultUser.Roles += claim.Value + ";"; user.UserId = int.Parse(principal.Claims.First(item => item.Type == ClaimTypes.PrimarySid).Value);
} }
foreach (var claim in principal.Claims.Where(item => item.Type == ClaimTypes.Role))
if (resultUser.Roles != "") resultUser.Roles = ";" + resultUser.Roles; {
user.Roles += claim.Value + ";";
} }
return resultUser; if (user.Roles != "") user.Roles = ";" + user.Roles;
}
return user;
} }
public User GetUser() public User GetUser()

23
Oqtane.Server/Startup.cs
View File

@ -71,14 +71,15 @@ namespace Oqtane
{ {
// creating the URI helper needs to wait until the JS Runtime is initialized, so defer it. // creating the URI helper needs to wait until the JS Runtime is initialized, so defer it.
var navigationManager = s.GetRequiredService<NavigationManager>(); var navigationManager = s.GetRequiredService<NavigationManager>();
var httpContextAccessor = s.GetRequiredService<IHttpContextAccessor>();
var authToken = httpContextAccessor.HttpContext.Request.Cookies[".AspNetCore.Identity.Application"];
var client = new HttpClient(new HttpClientHandler { UseCookies = false }); var client = new HttpClient(new HttpClientHandler { UseCookies = false });
client.BaseAddress = new Uri(navigationManager.Uri);
// set the auth cookie to allow HttpClient API calls to be authenticated
var httpContextAccessor = s.GetRequiredService<IHttpContextAccessor>();
var authToken = httpContextAccessor.HttpContext.Request.Cookies[".AspNetCore." + Constants.AuthenticationScheme];
if (authToken != null) if (authToken != null)
{ {
client.DefaultRequestHeaders.Add("Cookie", ".AspNetCore.Identity.Application=" + authToken); client.DefaultRequestHeaders.Add("Cookie", ".AspNetCore." + Constants.AuthenticationScheme + "=" + authToken);
} }
client.BaseAddress = new Uri(navigationManager.Uri);
return client; return client;
}); });
} }
@ -131,7 +132,8 @@ namespace Oqtane
services.AddIdentityCore<IdentityUser>(options => { }) services.AddIdentityCore<IdentityUser>(options => { })
.AddEntityFrameworkStores<TenantDBContext>() .AddEntityFrameworkStores<TenantDBContext>()
.AddSignInManager() .AddSignInManager()
.AddDefaultTokenProviders(); .AddDefaultTokenProviders()
.AddClaimsPrincipalFactory<ClaimsPrincipalFactory<IdentityUser>>(); // role claims
services.Configure<IdentityOptions>(options => services.Configure<IdentityOptions>(options =>
{ {
@ -151,8 +153,8 @@ namespace Oqtane
options.User.RequireUniqueEmail = false; options.User.RequireUniqueEmail = false;
}); });
services.AddAuthentication(IdentityConstants.ApplicationScheme) services.AddAuthentication(Constants.AuthenticationScheme)
.AddCookie(IdentityConstants.ApplicationScheme); .AddCookie(Constants.AuthenticationScheme);
services.ConfigureApplicationCookie(options => services.ConfigureApplicationCookie(options =>
{ {
@ -162,11 +164,9 @@ namespace Oqtane
context.Response.StatusCode = 401; context.Response.StatusCode = 401;
return Task.CompletedTask; return Task.CompletedTask;
}; };
options.Events.OnValidatePrincipal = PrincipalValidator.ValidateAsync;
}); });
// register custom claims principal factory for role claims
services.AddTransient<IUserClaimsPrincipalFactory<IdentityUser>, ClaimsPrincipalFactory<IdentityUser>>();
// register singleton scoped core services // register singleton scoped core services
services.AddSingleton(Configuration); services.AddSingleton(Configuration);
services.AddSingleton<IInstallationManager, InstallationManager>(); services.AddSingleton<IInstallationManager, InstallationManager>();
@ -249,11 +249,12 @@ namespace Oqtane
app.UseHttpsRedirection(); app.UseHttpsRedirection();
app.UseStaticFiles(); app.UseStaticFiles();
app.UseTenantResolution(); // must be declared directly after static files app.UseTenantResolution();
app.UseBlazorFrameworkFiles(); app.UseBlazorFrameworkFiles();
app.UseRouting(); app.UseRouting();
app.UseAuthentication(); app.UseAuthentication();
app.UseAuthorization(); app.UseAuthorization();
if (_useSwagger) if (_useSwagger)
{ {
app.UseSwagger(); app.UseSwagger();

40
Oqtane.Shared/Security/UserSecurity.cs
View File

@ -1,6 +1,7 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using System.Security.Claims;
using System.Text.Json; using System.Text.Json;
using Oqtane.Models; using Oqtane.Models;
using Oqtane.Shared; using Oqtane.Shared;
@ -114,5 +115,42 @@ namespace Oqtane.Security
} }
return false; return false;
} }
public static ClaimsIdentity CreateClaimsIdentity(Alias alias, User user, List<UserRole> userroles)
{
user.Roles = "";
foreach (UserRole userrole in userroles)
{
user.Roles += userrole.Role.Name + ";";
}
if (user.Roles != "") user.Roles = ";" + user.Roles;
return CreateClaimsIdentity(alias, user);
}
public static ClaimsIdentity CreateClaimsIdentity(Alias alias, User user)
{
ClaimsIdentity identity = new ClaimsIdentity(Constants.AuthenticationScheme);
if (alias != null && user != null && !user.IsDeleted)
{
identity.AddClaim(new Claim(ClaimTypes.Name, user.Username));
identity.AddClaim(new Claim(ClaimTypes.PrimarySid, user.UserId.ToString()));
identity.AddClaim(new Claim(ClaimTypes.GroupSid, alias.AliasId.ToString()));
if (user.Roles.Contains(RoleNames.Host))
{
// host users are site admins by default
identity.AddClaim(new Claim(ClaimTypes.Role, RoleNames.Host));
identity.AddClaim(new Claim(ClaimTypes.Role, RoleNames.Admin));
identity.AddClaim(new Claim(ClaimTypes.Role, RoleNames.Registered));
}
foreach (string role in user.Roles.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
{
if (!identity.Claims.Any(item => item.Type == ClaimTypes.Role && item.Value == role))
{
identity.AddClaim(new Claim(ClaimTypes.Role, role));
}
}
}
return identity;
}
} }
} }

3
Oqtane.Shared/Shared/Constants.cs
View File

@ -1,5 +1,4 @@
using System; using System;
using System.Globalization;
namespace Oqtane.Shared { namespace Oqtane.Shared {
@ -72,5 +71,7 @@ namespace Oqtane.Shared {
public static readonly string SatelliteAssemblyExtension = ".resources.dll"; public static readonly string SatelliteAssemblyExtension = ".resources.dll";
public static readonly string DefaultCulture = "en"; public static readonly string DefaultCulture = "en";
public static readonly string AuthenticationScheme = "Identity.Application";
} }
} }

5
Oqtane.Shared/Shared/Utilities.cs
View File

@ -108,6 +108,11 @@ namespace Oqtane.Shared
return $"{aliasUrl}{Constants.ContentUrl}{fileId}{method}"; return $"{aliasUrl}{Constants.ContentUrl}{fileId}{method}";
} }
public static string TenantUrl(Alias alias, string url)
{
url = (!url.StartsWith("/")) ? "/" + url : url;
return (alias != null && !string.IsNullOrEmpty(alias.Path)) ? "/" + alias.Path + url : url;
}
public static string GetTypeName(string fullyqualifiedtypename) public static string GetTypeName(string fullyqualifiedtypename)
{ {
if (fullyqualifiedtypename.Contains(",")) if (fullyqualifiedtypename.Contains(","))