
Fix anonymous access. (#727)

pull/728/head
Sebastian Stehle 5 years ago
committed by GitHub
parent
commit
b8296aee8f
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 48
      backend/src/Squidex.Web/Pipeline/AppResolver.cs
  2. 1
      backend/tests/Squidex.Web.Tests/Pipeline/AppResolverTests.cs

48
backend/src/Squidex.Web/Pipeline/AppResolver.cs

@ -14,6 +14,7 @@ using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters; using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection;
using Squidex.Domain.Apps.Core.Apps;
using Squidex.Domain.Apps.Entities; using Squidex.Domain.Apps.Entities;
using Squidex.Domain.Apps.Entities.Apps; using Squidex.Domain.Apps.Entities.Apps;
using Squidex.Infrastructure; using Squidex.Infrastructure;
@ -60,16 +61,18 @@ namespace Squidex.Web.Pipeline
return; return;
} }
string? clientId = null;
var (role, permissions) = FindByOpenIdSubject(app, user, isFrontend); var (role, permissions) = FindByOpenIdSubject(app, user, isFrontend);
if (permissions == null) if (permissions == null)
{ {
(role, permissions) = FindByOpenIdClient(app, user, isFrontend); (clientId, role, permissions) = FindByOpenIdClient(app, user, isFrontend);
} }
if (permissions == null) if (permissions == null)
{ {
(role, permissions) = FindAnonymousClient(app, isFrontend); (clientId, role, permissions) = FindAnonymousClient(app, isFrontend);
} }
if (permissions != null) if (permissions != null)
@ -85,6 +88,11 @@ namespace Squidex.Web.Pipeline
{ {
identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission.Id)); identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission.Id));
} }
if (user.Token() == null && clientId != null)
{
identity.AddClaim(new Claim(OpenIdClaims.ClientId, clientId));
}
} }
var requestContext = SetContext(context.HttpContext, app); var requestContext = SetContext(context.HttpContext, app);
@ -150,45 +158,55 @@ namespace Squidex.Web.Pipeline
return context.ActionDescriptor.EndpointMetadata.Any(x => x is AllowAnonymousAttribute); return context.ActionDescriptor.EndpointMetadata.Any(x => x is AllowAnonymousAttribute);
} }
private static (string?, PermissionSet?) FindByOpenIdClient(IAppEntity app, ClaimsPrincipal user, bool isFrontend) private static (string?, string?, PermissionSet?) FindByOpenIdClient(IAppEntity app, ClaimsPrincipal user, bool isFrontend)
{ {
var (appName, clientId) = user.GetClient(); var (appName, clientId) = user.GetClient();
if (app.Name != appName) if (app.Name != appName || clientId == null)
{ {
return (null, null); return default;
} }
if (clientId != null && app.Clients.TryGetValue(clientId, out var client) && app.Roles.TryGet(app.Name, client.Role, isFrontend, out var role)) if (app.Clients.TryGetValue(clientId, out var client) && app.Roles.TryGet(app.Name, client.Role, isFrontend, out var role))
{ {
return (client.Role, role.Permissions); return (clientId, client.Role, role.Permissions);
} }
return (null, null); return default;
} }
private static (string?, PermissionSet?) FindAnonymousClient(IAppEntity app, bool isFrontend) private static (string?, string?, PermissionSet?) FindAnonymousClient(IAppEntity app, bool isFrontend)
{
var client = app.Clients.FirstOrDefault(x => x.Value.AllowAnonymous);
if (client.Value == null)
{ {
var client = app.Clients.Values.FirstOrDefault(x => x.AllowAnonymous); return default;
}
if (client != null && app.Roles.TryGet(app.Name, client.Role, isFrontend, out var role)) if (app.Roles.TryGet(app.Name, client.Value.Role, isFrontend, out var role))
{ {
return (client.Role, role.Permissions); return (client.Key, client.Value.Role, role.Permissions);
} }
return (null, null); return default;
} }
private static (string?, PermissionSet?) FindByOpenIdSubject(IAppEntity app, ClaimsPrincipal user, bool isFrontend) private static (string?, PermissionSet?) FindByOpenIdSubject(IAppEntity app, ClaimsPrincipal user, bool isFrontend)
{ {
var subjectId = user.OpenIdSubject(); var subjectId = user.OpenIdSubject();
if (subjectId != null && app.Contributors.TryGetValue(subjectId, out var roleName) && app.Roles.TryGet(app.Name, roleName, isFrontend, out var role)) if (subjectId == null)
{
return default;
}
if (app.Contributors.TryGetValue(subjectId, out var roleName) && app.Roles.TryGet(app.Name, roleName, isFrontend, out var role))
{ {
return (roleName, role.Permissions); return (roleName, role.Permissions);
} }
return (null, null); return default;
} }
} }
} }
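Review bot: The new return type `(string?, string?, PermissionSet?)` on FindByOpenIdClient and FindAnonymousClient puts two adjacent unnamed `string?` elements next to each other, so a caller that deconstructs them as `(clientId, role, permissions)` would compile just as happily if the method ever returned `(client.Value.Role, client.Key, …)`; naming the elements, `private static (string? ClientId, string? Role, PermissionSet? Permissions) FindAnonymousClient(IAppEntity app, bool isFrontend)`, keeps the existing deconstruction working and makes the order reviewable. A second point in FindAnonymousClient: `app.Clients.FirstOrDefault(x => x.Value.AllowAnonymous)` selects whichever anonymous-enabled client enumerates first, and because its key now becomes the OpenIdClaims.ClientId claim, which client's role an anonymous request is granted depends on the dictionary's enumeration order whenever more than one client allows anonymous access; a comment stating that this is intentional, or a deterministic pick such as ordering by key before FirstOrDefault, would make the choice explicit. The method that adds the claim under `user.Token() == null && clientId != null` starts before the hunk, so what Token() represents is not visible here and the guard is presumed to mean "no explicit client token was presented".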

1
backend/tests/Squidex.Web.Tests/Pipeline/AppResolverTests.cs

@ -196,6 +196,7 @@ namespace Squidex.Web.Pipeline
Assert.Same(app, httpContext.Context().App); Assert.Same(app, httpContext.Context().App);
Assert.True(user.Claims.Count() > 2); Assert.True(user.Claims.Count() > 2);
Assert.True(isNextCalled); Assert.True(isNextCalled);
Assert.Contains(user.Claims, x => x.Type == OpenIdClaims.ClientId && x.Value == "client1");
} }
[Fact] [Fact]
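Review bot: The added assertion pins only the positive case, that an anonymous resolution yields a ClientId claim with value "client1", while the guard it exercises in AppResolver, `user.Token() == null && clientId != null`, has a second branch that the diff does not appear to cover: a principal that already carries a token should not receive an additional ClientId claim. If no other test in this file covers that, a companion `[Fact]` asserting `Assert.Single(user.Claims, x => x.Type == OpenIdClaims.ClientId)` for a token-bearing principal would protect the guard against regressions. The test method's setup is outside the hunk, so whether this principal is built with or without a token is not visible here.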
