Removed use of Identity.Owin extension methods. Replaced security stamp constant

Scott Brady
2020-02-25 18:00:06 +00:00
parent 3294ee8e18
commit 38ea741d78
5 changed files with 17 additions and 15 deletions


@@ -34,6 +34,11 @@
/// The header name that angular uses to pass in the token to validate the cookie
/// </summary>
public const string AngularHeadername = "X-UMB-XSRF-TOKEN";
/// <summary>
/// The claim type for the ASP.NET Identity security stamp
/// </summary>
public const string SecurityStampClaimType = "AspNet.Identity.SecurityStamp";
}
}
}
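Review bot: The doc comment on `SecurityStampClaimType` should state that the value has to stay identical to the claim type ASP.NET Identity uses for its security stamp, because the literal is now a copy rather than a reference to `Microsoft.AspNet.Identity.Constants.DefaultSecurityStampClaimType`. A comment in a later hunk of this commit says the SecurityStampValidator hard-codes that claim type, so an edit to this string would presumably leave the stamp claim unread and stamp-based session invalidation ineffective, with no compile error to flag it. A line such as `/// Must match the claim type hard-coded by ASP.NET Identity's SecurityStampValidator; do not change.` would record that, and a unit test asserting the literal would pin it. The constant also sits beside `AngularHeadername`, while the other claim types on this page are under `Constants.Security`, which may be the more discoverable home. The enclosing class starts outside the hunk.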


@@ -38,7 +38,7 @@ namespace Umbraco.Tests.Security
new Claim(ClaimTypes.Locality, "en-us", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(Constants.Security.SessionIdClaimType, sessionId, Constants.Security.SessionIdClaimType, TestIssuer, TestIssuer),
new Claim(ClaimsIdentity.DefaultRoleClaimType, "admin", ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(Microsoft.AspNet.Identity.Constants.DefaultSecurityStampClaimType, securityStamp, ClaimValueTypes.String, TestIssuer, TestIssuer),
new Claim(Constants.Web.SecurityStampClaimType, securityStamp, ClaimValueTypes.String, TestIssuer, TestIssuer),
});
var backofficeIdentity = UmbracoBackOfficeIdentity.FromClaimsIdentity(claimsIdentity);


@@ -7,7 +7,6 @@ using System.Security.Claims;
using System.Security.Principal;
using System.Threading;
using System.Web;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Newtonsoft.Json;
@@ -231,7 +230,7 @@ namespace Umbraco.Web.Security
var claimsIdentity = http.User.Identity as ClaimsIdentity;
if (claimsIdentity != null)
{
var sessionId = claimsIdentity.FindFirstValue(Constants.Security.SessionIdClaimType);
var sessionId = claimsIdentity.FindFirst(Constants.Security.SessionIdClaimType)?.Value;
Guid guidSession;
if (sessionId.IsNullOrWhiteSpace() == false && Guid.TryParse(sessionId, out guidSession))
{


@@ -1,7 +1,6 @@
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Umbraco.Core;
@@ -57,7 +56,7 @@ namespace Umbraco.Web.Security
if (context?.OwinContext?.Authentication?.User?.Identity != null)
{
var claimsIdentity = context.OwinContext.Authentication.User.Identity as ClaimsIdentity;
var sessionId = claimsIdentity.FindFirstValue(Core.Constants.Security.SessionIdClaimType);
var sessionId = claimsIdentity.FindFirst(Core.Constants.Security.SessionIdClaimType)?.Value;
if (sessionId.IsNullOrWhiteSpace() == false && Guid.TryParse(sessionId, out var guidSession))
{
_userService.ClearLoginSession(guidSession);
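Review bot: `claimsIdentity` is dereferenced without a null check in the new `FindFirst` line: the guard above only proves that `Identity` is non-null, and the `as ClaimsIdentity` cast yields null for any other `IIdentity` implementation, so the call would throw a NullReferenceException before `ClearLoginSession` is reached. The replaced extension-method call would presumably also have thrown on a null identity, but the rewritten line is the natural place to close the gap, e.g. `var sessionId = claimsIdentity?.FindFirst(Core.Constants.Security.SessionIdClaimType)?.Value;`. That keeps the session-clearing path from failing on an unexpected identity type. The enclosing method starts and ends outside the hunk.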


@@ -2,7 +2,6 @@
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNet.Identity;
namespace Umbraco.Core.Security
{
@@ -117,7 +116,7 @@ namespace Umbraco.Core.Security
Constants.Security.StartMediaNodeIdClaimType,
ClaimTypes.Locality,
Constants.Security.SessionIdClaimType,
Microsoft.AspNet.Identity.Constants.DefaultSecurityStampClaimType
Constants.Web.SecurityStampClaimType
};
/// <summary>
@@ -161,8 +160,8 @@ namespace Umbraco.Core.Security
//The security stamp claim is also required... this is because this claim type is hard coded
// by the SecurityStampValidator, see: https://katanaproject.codeplex.com/workitem/444
if (HasClaim(x => x.Type == Microsoft.AspNet.Identity.Constants.DefaultSecurityStampClaimType) == false)
AddClaim(new Claim(Microsoft.AspNet.Identity.Constants.DefaultSecurityStampClaimType, securityStamp, ClaimValueTypes.String, Issuer, Issuer, this));
if (HasClaim(x => x.Type == Constants.Web.SecurityStampClaimType) == false)
AddClaim(new Claim(Constants.Web.SecurityStampClaimType, securityStamp, ClaimValueTypes.String, Issuer, Issuer, this));
//Add each app as a separate claim
if (HasClaim(x => x.Type == Constants.Security.AllowedApplicationsClaimType) == false && allowedApps != null)
@@ -204,17 +203,17 @@ namespace Umbraco.Core.Security
private string[] _allowedApplications;
public string[] AllowedApplications => _allowedApplications ?? (_allowedApplications = FindAll(x => x.Type == Constants.Security.AllowedApplicationsClaimType).Select(app => app.Value).ToArray());
public int Id => int.Parse(this.FindFirstValue(ClaimTypes.NameIdentifier));
public int Id => int.Parse(this.FindFirst(ClaimTypes.NameIdentifier)?.Value);
public string RealName => this.FindFirstValue(ClaimTypes.GivenName);
public string RealName => this.FindFirst(ClaimTypes.GivenName)?.Value;
public string Username => this.GetUserName();
public string Username => this.FindFirst(ClaimTypes.Name)?.Value;
public string Culture => this.FindFirstValue(ClaimTypes.Locality);
public string Culture => this.FindFirst(ClaimTypes.Locality)?.Value;
public string SessionId
{
get => this.FindFirstValue(Constants.Security.SessionIdClaimType);
get => this.FindFirst(Constants.Security.SessionIdClaimType)?.Value;
set
{
var existing = FindFirst(Constants.Security.SessionIdClaimType);
@@ -224,7 +223,7 @@ namespace Umbraco.Core.Security
}
}
public string SecurityStamp => this.FindFirstValue(Microsoft.AspNet.Identity.Constants.DefaultSecurityStampClaimType);
public string SecurityStamp => this.FindFirst(Constants.Web.SecurityStampClaimType)?.Value;
public string[] Roles => this.FindAll(x => x.Type == DefaultRoleClaimType).Select(role => role.Value).ToArray();
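Review bot: In the `Id` getter the `?.` reads as if a missing claim were tolerated, but `int.Parse(this.FindFirst(ClaimTypes.NameIdentifier)?.Value)` hands null to `int.Parse`, which throws ArgumentNullException, and a non-numeric value throws FormatException, both from a property getter and neither naming the claim. The other rewritten getters in this hunk simply return null in that case, so `Id` is the odd one out. If the identity is always built with a NameIdentifier claim (not visible in these hunks), a short comment saying so would do; otherwise, if the project's language version allows throw expressions, fail explicitly with `public int Id => int.TryParse(this.FindFirst(ClaimTypes.NameIdentifier)?.Value, out var id) ? id : throw new InvalidOperationException("Missing or invalid NameIdentifier claim");`. The enclosing class starts and ends outside the hunks shown.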