Security stamp implementation for members (#10140)

* Getting new netcore PublicAccessChecker in place * Adds full test coverage for PublicAccessChecker * remove PublicAccessComposer * adjust namespaces, ensure RoleManager works, separate public access controller, reduce content controller * Implements the required methods on IMemberManager, removes old migrated code * Updates routing to be able to re-route, Fixes middleware ordering ensuring endpoints are last, refactors pipeline options, adds public access middleware, ensures public access follows all hops * adds note * adds note * Cleans up ext methods, ensures that members identity is added on both front-end and back ends. updates how UmbracoApplicationBuilder works in that it explicitly starts endpoints at the time of calling. * Changes name to IUmbracoEndpointBuilder * adds note * Fixing tests, fixing error describers so there's 2x one for back office, one for members, fixes TryConvertTo, fixes login redirect * fixing build * Updates user manager to correctly validate password hashing and injects the IBackOfficeUserPasswordChecker * Merges PR * Fixes up build and notes * Implements security stamp and email confirmed for members, cleans up a bunch of repo/service level member groups stuff, shares user store code between members and users and fixes the user identity object so we arent' tracking both groups and roles. * Security stamp for members is now working * Fixes keepalive, fixes PublicAccessMiddleware to not throw, updates startup code to be more clear and removes magic that registers middleware. * adds note * removes unused filter, fixes build * fixes WebPath and tests * Looks up entities in one query * remove usings * Fix test, remove stylesheet * Set status code before we write to response to avoid error * Ensures that users and members are validated when logging in. Shares more code between users and members. * merge changes * oops * Fixes RepositoryCacheKeys to ensure the keys are normalized * oops didn't mean to commit this * Fix casing issues with caching, stop boxing value types for all cache operations, stop re-creating string keys in DefaultRepositoryCachePolicy * oops didn't mean to comit this * bah, far out this keeps getting recommitted. sorry Co-authored-by: Bjarke Berg <mail@bergmania.dk>
2021-04-20 17:13:40 +10:00
parent de28fbb0a4
commit 6c660d5721
26 changed files with 670 additions and 709 deletions
--- a/src/Umbraco.Web.Common/DependencyInjection/UmbracoBuilder.MembersIdentity.cs
+++ b/src/Umbraco.Web.Common/DependencyInjection/UmbracoBuilder.MembersIdentity.cs
@@ -49,6 +49,8 @@ namespace Umbraco.Extensions

            services.AddScoped<IPasswordHasher<MemberIdentityUser>, MemberPasswordHasher>();

+            services.ConfigureOptions<ConfigureSecurityStampOptions>();
+
            services.ConfigureApplicationCookie(x =>
            {
                // TODO: We may want/need to configure these further
--- a/src/Umbraco.Web.Common/Security/ConfigureSecurityStampOptions.cs
+++ b/src/Umbraco.Web.Common/Security/ConfigureSecurityStampOptions.cs
@@ -0,0 +1,39 @@
+using System;
+using System.Linq;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Options;
+using Umbraco.Extensions;
+
+namespace Umbraco.Cms.Web.Common.Security
+{
+    public class ConfigureSecurityStampOptions : IConfigureOptions<SecurityStampValidatorOptions>
+    {
+        public void Configure(SecurityStampValidatorOptions options)
+            => ConfigureOptions(options);
+
+        /// <summary>
+        /// Configures security stamp options and ensures any custom claims
+        /// set on the identity are persisted to the new identity when it's refreshed.
+        /// </summary>
+        /// <param name="options"></param>
+        public static void ConfigureOptions(SecurityStampValidatorOptions options)
+        {
+            options.ValidationInterval = TimeSpan.FromMinutes(30);
+
+            // When refreshing the principal, ensure custom claims that
+            // might have been set with an external identity continue
+            // to flow through to this new one.
+            options.OnRefreshingPrincipal = refreshingPrincipal =>
+            {
+                ClaimsIdentity newIdentity = refreshingPrincipal.NewPrincipal.Identities.First();
+                ClaimsIdentity currentIdentity = refreshingPrincipal.CurrentPrincipal.Identities.First();
+
+                newIdentity.MergeClaimsFromCookieIdentity(currentIdentity);
+
+                return Task.CompletedTask;
+            };
+        }
+    }
+}