// ==========================================================================
// Squidex Headless CMS
// ==========================================================================
// Copyright (c) Squidex UG (haftungsbeschränkt)
// All rights reserved. Licensed under the MIT license.
// ==========================================================================
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Filters;
using Squidex.Domain.Apps.Entities;
using Squidex.Domain.Apps.Entities.Apps;
using Squidex.Infrastructure.Security;
using Squidex.Shared;
using Squidex.Shared.Identity;
using Squidex.Shared.Users;
namespace Squidex.Pipeline
{
/// <summary>
/// Action filter that resolves the app named in the "app" route value, decides whether the
/// current principal may work with it, and publishes it to the request as <see cref="IAppFeature"/>.
/// </summary>
/// <remarks>
/// When the route carries no app name the filter is a no-op and simply continues the pipeline.
/// Otherwise an unknown app, or a caller without any app permissions, yields a
/// <see cref="NotFoundResult"/> (not a 403), so the response does not distinguish between a
/// missing app and an app the caller is not allowed to see.
/// </remarks>
public sealed class AppResolver : IAsyncActionFilter
{
    private readonly IAppProvider appProvider;

    /// <summary>
    /// Creates the filter.
    /// </summary>
    /// <param name="appProvider">Provider used to look up apps by name.</param>
    public AppResolver(IAppProvider appProvider)
    {
        this.appProvider = appProvider;
    }

    /// <summary>
    /// Request feature carrying the app resolved by <see cref="AppResolver"/>.
    /// </summary>
    public class AppFeature : IAppFeature
    {
        /// <summary>
        /// Creates the feature for the given app.
        /// </summary>
        /// <param name="app">The resolved app entity.</param>
        public AppFeature(IAppEntity app)
        {
            App = app;
        }

        /// <summary>
        /// The resolved app entity.
        /// </summary>
        public IAppEntity App { get; }
    }

    /// <summary>
    /// Resolves the app from the route, enforces that the caller has some access to it and
    /// copies the caller's role permissions onto the first identity as permission claims.
    /// </summary>
    /// <param name="context">The action context; the "app" route value is read from it.</param>
    /// <param name="next">Continuation into the rest of the action pipeline.</param>
    /// <returns>A task that completes when the pipeline has run or a result has been short-circuited.</returns>
    public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
    {
        var principal = context.HttpContext.User;
        var appName = context.RouteData.Values["app"]?.ToString();

        // Routes without an app name are not app-scoped: nothing to resolve or enforce.
        if (string.IsNullOrWhiteSpace(appName))
        {
            await next();
            return;
        }

        var app = await appProvider.GetAppAsync(appName);

        if (app == null)
        {
            context.Result = new NotFoundResult();
            return;
        }

        // Contributor membership wins over the client role; both are resolved against the app's roles.
        var rolePermissions =
            FindByOpenIdSubject(app, principal) ??
            FindByOpenIdClient(app, principal);

        var hasRolePermissions = rolePermissions != null && rolePermissions.Count > 0;

        if (!hasRolePermissions)
        {
            // Neither contributor nor client: the caller needs the app-wide permission from its
            // own claims, unless the action is explicitly marked as anonymous.
            var ownPermissions = principal.Permissions();

            if (!ownPermissions.Includes(Permissions.ForApp(Permissions.App, appName)) && !AllowAnonymous(context))
            {
                context.Result = new NotFoundResult();
                return;
            }
        }

        if (rolePermissions != null)
        {
            // Claims are attached to the first identity only, which is what the rest of the
            // pipeline reads permissions from.
            var targetIdentity = principal.Identities.First();

            foreach (var permission in rolePermissions)
            {
                var claim = new Claim(SquidexClaimTypes.Permissions, permission.Id);

                targetIdentity.AddClaim(claim);
            }
        }

        context.HttpContext.Features.Set<IAppFeature>(new AppFeature(app));

        await next();
    }

    /// <summary>
    /// True when the action carries an <see cref="AllowAnonymousFilter"/>.
    /// </summary>
    private static bool AllowAnonymous(ActionExecutingContext context) =>
        context.ActionDescriptor.FilterDescriptors.Any(x => x.Filter is AllowAnonymousFilter);

    /// <summary>
    /// Permissions of the role assigned to the OpenID client of the principal, or null when the
    /// principal has no client id, the client is unknown to the app, or its role does not exist.
    /// </summary>
    private static PermissionSet FindByOpenIdClient(IAppEntity app, ClaimsPrincipal user)
    {
        var clientId = user.GetClientId();

        if (clientId == null)
        {
            return null;
        }

        if (!app.Clients.TryGetValue(clientId, out var client))
        {
            return null;
        }

        return app.Roles.TryGetValue(client.Role, out var role) ? role.Permissions : null;
    }

    /// <summary>
    /// Permissions of the role the principal holds as an app contributor, or null when the
    /// principal has no OpenID subject, is not a contributor, or its role does not exist.
    /// </summary>
    private static PermissionSet FindByOpenIdSubject(IAppEntity app, ClaimsPrincipal user)
    {
        var subjectId = user.OpenIdSubject();

        if (subjectId == null)
        {
            return null;
        }

        if (!app.Contributors.TryGetValue(subjectId, out var roleName))
        {
            return null;
        }

        return app.Roles.TryGetValue(roleName, out var role) ? role.Permissions : null;
    }
}
}