tsai
/
squidex
mirror of https://github.com/Squidex/squidex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Headless CMS and Content Managment Hub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5183 Commits
10 Branches
150 Tags
122 MiB
 
 
 
 
 
Tree: 5990416301
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5990416301'
${ noResults }
squidex/backend/src/Squidex.Web/Pipeline/AppResolver.cs

201 lines
6.9 KiB
Raw Blame History

// ==========================================================================
// Squidex Headless CMS
// ==========================================================================
// Copyright (c) Squidex UG (haftungsbeschraenkt)
// All rights reserved. Licensed under the MIT license.
// ==========================================================================
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Squidex.Domain.Apps.Entities;
using Squidex.Domain.Apps.Entities.Apps;
using Squidex.Infrastructure.Security;
using Squidex.Shared;
using Squidex.Shared.Identity;
namespace Squidex.Web.Pipeline
{
public sealed class AppResolver : IAsyncActionFilter
{
private readonly IAppProvider appProvider;
public AppResolver(IAppProvider appProvider)
{
this.appProvider = appProvider;
}
public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
{
var user = context.HttpContext.User;
var appName = context.RouteData.Values["app"]?.ToString();
if (!string.IsNullOrWhiteSpace(appName))
{
var isFrontend = user.IsInClient(DefaultClients.Frontend);
var app = await appProvider.GetAppAsync(appName, !isFrontend, context.HttpContext.RequestAborted);
if (app == null)
{
var log = context.HttpContext.RequestServices?.GetService<ILogger<AppResolver>>();
log?.LogWarning("Cannot find app with the given name {name}.", appName);
context.Result = new NotFoundResult();
return;
}
string? clientId = null;
var (role, permissions) = FindByOpenIdSubject(app, user, isFrontend);
if (permissions == null)
{
(clientId, role, permissions) = FindByOpenIdClient(app, user, isFrontend);
}
if (permissions == null)
{
(clientId, role, permissions) = FindAnonymousClient(app, isFrontend);
}
if (permissions != null)
{
var identity = user.Identities.First();
if (!string.IsNullOrWhiteSpace(role))
{
identity.AddClaim(new Claim(ClaimTypes.Role, role));
}
foreach (var permission in permissions)
{
identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission.Id));
}
if (user.Token() == null && clientId != null)
{
identity.AddClaim(new Claim(OpenIdClaims.ClientId, clientId));
}
}
var requestContext = SetContext(context.HttpContext, app);
if (!AllowAnonymous(context) && !HasPermission(appName, requestContext))
{
if (string.IsNullOrWhiteSpace(user.Identity?.AuthenticationType))
{
context.Result = new UnauthorizedResult();
}
else
{
var log = context.HttpContext.RequestServices?.GetService<ILogger<AppResolver>>();
log?.LogWarning("Authenticated user has no permission to access the app {name} with ID {id}.",
app.Id,
app.Name);
context.Result = new NotFoundResult();
}
return;
}
context.HttpContext.Features.Set<IAppFeature>(new AppFeature(app));
context.HttpContext.Response.Headers.Add("X-AppId", app.Id.ToString());
}
else
{
SetContext(context.HttpContext, null!);
}
await next();
}
private static Context SetContext(HttpContext httpContext, IAppEntity app)
{
var requestContext =
new Context(httpContext.User, app).Clone(builder =>
{
foreach (var (key, value) in httpContext.Request.Headers)
{
if (key.StartsWith("X-", StringComparison.OrdinalIgnoreCase))
{
builder.SetHeader(key, value.ToString());
}
}
});
httpContext.Features.Set(requestContext);
return requestContext;
}
private static bool HasPermission(string appName, Context requestContext)
{
return requestContext.UserPermissions.Includes(Permissions.ForApp(Permissions.App, appName));
}
private static bool AllowAnonymous(ActionExecutingContext context)
{
return context.ActionDescriptor.EndpointMetadata.Any(x => x is AllowAnonymousAttribute);
}
private static (string?, string?, PermissionSet?) FindByOpenIdClient(IAppEntity app, ClaimsPrincipal user, bool isFrontend)
{
var (appName, clientId) = user.GetClient();
if (app.Name != appName || clientId == null)
{
return default;
}
if (app.Clients.TryGetValue(clientId, out var client) && app.Roles.TryGet(app.Name, client.Role, isFrontend, out var role))
{
return (clientId, client.Role, role.Permissions);
}
return default;
}
private static (string?, string?, PermissionSet?) FindAnonymousClient(IAppEntity app, bool isFrontend)
{
var client = app.Clients.FirstOrDefault(x => x.Value.AllowAnonymous);
if (client.Value == null)
{
return default;
}
if (app.Roles.TryGet(app.Name, client.Value.Role, isFrontend, out var role))
{
return (client.Key, client.Value.Role, role.Permissions);
}
return default;
}
private static (string?, PermissionSet?) FindByOpenIdSubject(IAppEntity app, ClaimsPrincipal user, bool isFrontend)
{
var subjectId = user.OpenIdSubject();
if (subjectId == null)
{
return default;
}
if (app.Contributors.TryGetValue(subjectId, out var roleName) && app.Roles.TryGet(app.Name, roleName, isFrontend, out var role))
{
return (roleName, role.Permissions);
}
return default;
}
}
}