From a321d4d1b86233a7af9e97dc3a80411ec90519a6 Mon Sep 17 00:00:00 2001
From: Shannon <sdeminick@gmail.com>
Date: Thu, 2 Apr 2015 14:46:53 +1100
Subject: [PATCH] Allows the ability to use external logins to login to
 authorize upgrades, this means being able to add reserved paths at startup
 dynamically which is now built in as part of the
 AuthenticationOptionsExtensions for registering external logins for the back
 office.

---
 .../Umbraco/Views/AuthorizeUpgrade.cshtml     | 10 ++-
 .../umbraco/Views/Default.cshtml              |  2 +-
 .../Editors/BackOfficeController.cs           | 83 ++++++++++++-------
 .../HtmlHelperBackOfficeExtensions.cs         |  9 +-
 ...henticationDescriptionOptionsExtensions.cs | 31 -------
 .../AuthenticationOptionsExtensions.cs        | 67 +++++++++++++++
 src/Umbraco.Web/Umbraco.Web.csproj            |  2 +-
 src/Umbraco.Web/UmbracoModule.cs              | 45 +++++++++-
 8 files changed, 177 insertions(+), 72 deletions(-)
 delete mode 100644 src/Umbraco.Web/Security/Identity/AuthenticationDescriptionOptionsExtensions.cs
 create mode 100644 src/Umbraco.Web/Security/Identity/AuthenticationOptionsExtensions.cs

diff --git a/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml b/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml
index ac0b453bdb..dcad153fce 100644
--- a/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml
+++ b/src/Umbraco.Web.UI/Umbraco/Views/AuthorizeUpgrade.cshtml
@@ -51,7 +51,15 @@
 
     <umb-notifications></umb-notifications>
 
-    @Html.BareMinimumServerVariables(Url, (string)ViewBag.UmbracoPath)
+    @{
+        var externalLoginUrl = Url.Action("ExternalLogin", "BackOffice", new
+        {
+            area = ViewBag.UmbracoPath, 
+            //Custom redirect URL since we don't want to just redirect to the back office since this is for authing upgrades
+            redirectUrl = Url.Action("AuthorizeUpgrade", "BackOffice")
+        });
+    }
+    @Html.BareMinimumServerVariables(Url, externalLoginUrl)
 
     @Html.AngularExternalLoginInfoValues((IEnumerable<string>)ViewBag.ExternalSignInError)
 
diff --git a/src/Umbraco.Web.UI/umbraco/Views/Default.cshtml b/src/Umbraco.Web.UI/umbraco/Views/Default.cshtml
index a0c6bd225e..63a8688301 100644
--- a/src/Umbraco.Web.UI/umbraco/Views/Default.cshtml
+++ b/src/Umbraco.Web.UI/umbraco/Views/Default.cshtml
@@ -66,7 +66,7 @@
 
     <umb-notifications></umb-notifications>
 
-    @Html.BareMinimumServerVariables(Url, (string)ViewBag.UmbracoPath)
+    @Html.BareMinimumServerVariables(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath }))
 
     @Html.AngularExternalLoginInfoValues((IEnumerable<string>)ViewBag.ExternalSignInError)
     
diff --git a/src/Umbraco.Web/Editors/BackOfficeController.cs b/src/Umbraco.Web/Editors/BackOfficeController.cs
index fe60eb647e..0313dd868f 100644
--- a/src/Umbraco.Web/Editors/BackOfficeController.cs
+++ b/src/Umbraco.Web/Editors/BackOfficeController.cs
@@ -63,27 +63,9 @@ namespace Umbraco.Web.Editors
         /// <returns></returns>
         public async Task<ActionResult> Default()
         {
-            ViewBag.UmbracoPath = GlobalSettings.UmbracoMvcArea;
-
-            //check if there's errors in the TempData, assign to view bag and render the view
-            if (TempData["ExternalSignInError"] != null)
-            {
-                ViewBag.ExternalSignInError = TempData["ExternalSignInError"];
-                return View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml");
-            }
-
-            //First check if there's external login info, if there's not proceed as normal
-            var loginInfo = await OwinContext.Authentication.GetExternalLoginInfoAsync(
-                Core.Constants.Security.BackOfficeExternalAuthenticationType);
-
-            if (loginInfo == null)
-            {
-                return View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml");
-            }
-
-            //we're just logging in with an external source, not linking accounts
-            return await ExternalSignInAsync(loginInfo);
-
+            return await RenderDefaultOrProcessExternalLoginAsync(
+                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml"),
+                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml"));
         }
 
         /// <summary>
@@ -92,11 +74,13 @@ namespace Umbraco.Web.Editors
         /// </summary>
         /// <returns></returns>      
         [HttpGet]
-        public ActionResult AuthorizeUpgrade()
+        public async Task<ActionResult> AuthorizeUpgrade()
         {
-            ViewBag.UmbracoPath = GlobalSettings.UmbracoMvcArea;
-
-            return View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/AuthorizeUpgrade.cshtml");
+            return await RenderDefaultOrProcessExternalLoginAsync(
+                //The default view to render when there is no external login info or errors
+                () => View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/AuthorizeUpgrade.cshtml"),
+                //The ActionResult to perform if external login is successful
+                () => Redirect("/"));
         }
 
         /// <summary>
@@ -422,11 +406,15 @@ namespace Umbraco.Web.Editors
         }
         
         [HttpPost]
-        public ActionResult ExternalLogin(string provider)
+        public ActionResult ExternalLogin(string provider, string redirectUrl = null)
         {
+            if (redirectUrl == null)
+            {
+                redirectUrl = Url.Action("Default", "BackOffice");
+            }
+
             // Request a redirect to the external login provider
-            return new ChallengeResult(provider,
-                Url.Action("Default", "BackOffice"));
+            return new ChallengeResult(provider, redirectUrl);
         }
 
         [UmbracoAuthorize]
@@ -466,9 +454,42 @@ namespace Umbraco.Web.Editors
             return RedirectToLocal(Url.Action("Default", "BackOffice"));
         }
 
-        private async Task<ActionResult> ExternalSignInAsync(ExternalLoginInfo loginInfo)
+        /// <summary>
+        /// Used by Default and AuthorizeUpgrade to render as per normal if there's no external login info, otherwise
+        /// process the external login info.
+        /// </summary>
+        /// <returns></returns>
+        private async Task<ActionResult> RenderDefaultOrProcessExternalLoginAsync(Func<ActionResult> defaultResponse, Func<ActionResult> externalSignInResponse)
+        {
+            if (defaultResponse == null) throw new ArgumentNullException("defaultResponse");
+            if (externalSignInResponse == null) throw new ArgumentNullException("externalSignInResponse");
+
+            ViewBag.UmbracoPath = GlobalSettings.UmbracoMvcArea;
+
+            //check if there's errors in the TempData, assign to view bag and render the view
+            if (TempData["ExternalSignInError"] != null)
+            {
+                ViewBag.ExternalSignInError = TempData["ExternalSignInError"];
+                return defaultResponse();
+            }
+
+            //First check if there's external login info, if there's not proceed as normal
+            var loginInfo = await OwinContext.Authentication.GetExternalLoginInfoAsync(
+                Core.Constants.Security.BackOfficeExternalAuthenticationType);
+
+            if (loginInfo == null)
+            {
+                return defaultResponse();
+            }
+
+            //we're just logging in with an external source, not linking accounts
+            return await ExternalSignInAsync(loginInfo, externalSignInResponse);
+        }
+
+        private async Task<ActionResult> ExternalSignInAsync(ExternalLoginInfo loginInfo, Func<ActionResult> response)
         {
             if (loginInfo == null) throw new ArgumentNullException("loginInfo");
+            if (response == null) throw new ArgumentNullException("response");
 
             // Sign in the user with this external login provider if the user already has a login
             var user = await UserManager.FindAsync(loginInfo.Login);
@@ -493,8 +514,8 @@ namespace Umbraco.Web.Editors
                     Response.Cookies[Core.Constants.Security.BackOfficeExternalCookieName].Expires = DateTime.MinValue;    
                 }
             }
-            
-            return View(GlobalSettings.Path.EnsureEndsWith('/') + "Views/Default.cshtml");
+
+            return response();
         }
 
         private async Task SignInAsync(BackOfficeIdentityUser user, bool isPersistent)
diff --git a/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs b/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs
index dbb79443d9..e43cd21a0e 100644
--- a/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs
+++ b/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs
@@ -19,13 +19,16 @@ namespace Umbraco.Web
         /// </summary>
         /// <param name="html"></param>
         /// <param name="uri"></param>
-        /// <param name="umbracoPath"></param>
+        /// <param name="externalLoginsUrl">
+        /// The post url used to sign in with external logins - this can change depending on for what service the external login is service.
+        /// Example: normal back office login or authenticating upgrade login
+        /// </param>
         /// <returns></returns>
         /// <remarks>
         /// These are the bare minimal server variables that are required for the application to start without being authenticated,
         /// we will load the rest of the server vars after the user is authenticated.
         /// </remarks>
-        public static IHtmlString BareMinimumServerVariables(this HtmlHelper html, UrlHelper uri, string umbracoPath)
+        public static IHtmlString BareMinimumServerVariables(this HtmlHelper html, UrlHelper uri, string externalLoginsUrl)
         {
             var str = @"<script type=""text/javascript"">
                 var Umbraco = {};
@@ -34,7 +37,7 @@ namespace Umbraco.Web
                     ""umbracoUrls"": {
                         ""authenticationApiBaseUrl"": """ + uri.GetUmbracoApiServiceBaseUrl<AuthenticationController>(controller => controller.PostLogin(null)) + @""",
                         ""serverVarsJs"": """ + uri.GetUrlWithCacheBust("ServerVariables", "BackOffice") + @""",
-                        ""externalLoginsUrl"": """ + uri.Action("ExternalLogin", "BackOffice", new {area = umbracoPath}) + @"""
+                        ""externalLoginsUrl"": """ + externalLoginsUrl + @"""
                     },
                     ""application"": {
                         ""applicationPath"": """ + html.ViewContext.HttpContext.Request.ApplicationPath + @"""
diff --git a/src/Umbraco.Web/Security/Identity/AuthenticationDescriptionOptionsExtensions.cs b/src/Umbraco.Web/Security/Identity/AuthenticationDescriptionOptionsExtensions.cs
deleted file mode 100644
index 47ad1b4310..0000000000
--- a/src/Umbraco.Web/Security/Identity/AuthenticationDescriptionOptionsExtensions.cs
+++ /dev/null
@@ -1,31 +0,0 @@
-using Microsoft.Owin.Security;
-using Umbraco.Core;
-
-namespace Umbraco.Web.Security.Identity
-{
-    public static class AuthenticationDescriptionOptionsExtensions
-    {
-        /// <summary>
-        /// Configures the properties of the authentication description instance for use with Umbraco back office
-        /// </summary>
-        /// <param name="options"></param>
-        /// <param name="style"></param>
-        /// <param name="icon"></param>
-        public static void ForUmbracoBackOffice(this AuthenticationOptions options, string style, string icon)
-        {
-            Mandate.ParameterNotNullOrEmpty(options.AuthenticationType, "options.AuthenticationType");
-
-            //Ensure the prefix is set
-            if (options.AuthenticationType.StartsWith(Constants.Security.BackOfficeExternalAuthenticationTypePrefix) == false)
-            {
-                options.AuthenticationType = Constants.Security.BackOfficeExternalAuthenticationTypePrefix + options.AuthenticationType;    
-            }
-
-            options.Description.Properties["SocialStyle"] = style;
-            options.Description.Properties["SocialIcon"] = icon;
-
-            //flag for use in back office
-            options.Description.Properties["UmbracoBackOffice"] = true;
-        }
-    }
-}
\ No newline at end of file
diff --git a/src/Umbraco.Web/Security/Identity/AuthenticationOptionsExtensions.cs b/src/Umbraco.Web/Security/Identity/AuthenticationOptionsExtensions.cs
new file mode 100644
index 0000000000..43b995bb06
--- /dev/null
+++ b/src/Umbraco.Web/Security/Identity/AuthenticationOptionsExtensions.cs
@@ -0,0 +1,67 @@
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Umbraco.Core;
+using Umbraco.Core.Logging;
+
+namespace Umbraco.Web.Security.Identity
+{
+    public static class AuthenticationOptionsExtensions
+    {
+        /// <summary>
+        /// Configures the properties of the authentication description instance for use with Umbraco back office
+        /// </summary>
+        /// <param name="options"></param>
+        /// <param name="style"></param>
+        /// <param name="icon"></param>
+        /// <param name="callbackPath">
+        /// This is important if the identity provider is to be able to authenticate when upgrading Umbraco. We will try to extract this from
+        /// any options passed in via reflection since none of the default OWIN providers inherit from a base class but so far all of them have a consistent
+        /// name for the 'CallbackPath' property which is of type PathString. So we'll try to extract it if it's not found or supplied.
+        /// 
+        /// If a value is extracted or supplied, this will be added to an internal list which the UmbracoModule will use to allow the request to pass
+        /// through without redirecting to the installer.
+        /// </param>
+        public static void ForUmbracoBackOffice(this AuthenticationOptions options, string style, string icon, string callbackPath = null)
+        {
+            Mandate.ParameterNotNullOrEmpty(options.AuthenticationType, "options.AuthenticationType");
+
+            //Ensure the prefix is set
+            if (options.AuthenticationType.StartsWith(Constants.Security.BackOfficeExternalAuthenticationTypePrefix) == false)
+            {
+                options.AuthenticationType = Constants.Security.BackOfficeExternalAuthenticationTypePrefix + options.AuthenticationType;    
+            }
+
+            options.Description.Properties["SocialStyle"] = style;
+            options.Description.Properties["SocialIcon"] = icon;
+
+            //flag for use in back office
+            options.Description.Properties["UmbracoBackOffice"] = true;
+
+            if (callbackPath.IsNullOrWhiteSpace())
+            {
+                try
+                {
+                    //try to get it with reflection
+                    var prop = options.GetType().GetProperty("CallbackPath");
+                    if (prop != null && TypeHelper.IsTypeAssignableFrom<PathString>(prop.PropertyType))
+                    {
+                        //get the value
+                        var path = (PathString) prop.GetValue(options);
+                        if (path.HasValue)
+                        {
+                            UmbracoModule.ReservedPaths.TryAdd(path.ToString());
+                        }
+                    }
+                }
+                catch (System.Exception ex)
+                {
+                    LogHelper.Error(typeof (AuthenticationOptionsExtensions), "Could not read AuthenticationOptions properties", ex);
+                }
+            }
+            else
+            {
+                UmbracoModule.ReservedPaths.TryAdd(callbackPath);
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index d0e5493474..ffaec48edd 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -558,7 +558,7 @@
     <Compile Include="Scheduling\ILatchedBackgroundTask.cs" />
     <Compile Include="Scheduling\RecurringTaskBase.cs" />
     <Compile Include="Security\Identity\AppBuilderExtensions.cs" />
-    <Compile Include="Security\Identity\AuthenticationDescriptionOptionsExtensions.cs" />
+    <Compile Include="Security\Identity\AuthenticationOptionsExtensions.cs" />
     <Compile Include="Security\Identity\AuthenticationManagerExtensions.cs" />
     <Compile Include="Security\Identity\BackOfficeCookieManager.cs" />
     <Compile Include="Security\Identity\FormsAuthenticationSecureDataFormat.cs" />
diff --git a/src/Umbraco.Web/UmbracoModule.cs b/src/Umbraco.Web/UmbracoModule.cs
index 772573d164..1142775be6 100644
--- a/src/Umbraco.Web/UmbracoModule.cs
+++ b/src/Umbraco.Web/UmbracoModule.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Collections;
+using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -31,8 +32,7 @@ namespace Umbraco.Web
 	//  Request.RawUrl is still there
 	// response.Redirect does?! always remap to /vdir?!
 
-	public class 
-        UmbracoModule : IHttpModule
+	public class UmbracoModule : IHttpModule
 	{
 		#region HttpModule event handlers
 
@@ -277,7 +277,7 @@ namespace Umbraco.Web
 		/// <param name="httpContext"></param>
 		/// <param name="uri"></param>
 		/// <returns></returns>
-		static bool EnsureDocumentRequest(HttpContextBase httpContext, Uri uri)
+		bool EnsureDocumentRequest(HttpContextBase httpContext, Uri uri)
 		{
 			var maybeDoc = true;
 			var lpath = uri.AbsolutePath.ToLowerInvariant();
@@ -311,7 +311,7 @@ namespace Umbraco.Web
 			// at that point, either we have no extension, or it is .aspx
 
 			// if the path is reserved then it cannot be a document request
-			if (maybeDoc && GlobalSettings.IsReservedPathOrUrl(lpath, httpContext, RouteTable.Routes))
+            if (maybeDoc && GlobalSettings.IsReservedPathOrUrl(lpath, httpContext, _combinedRouteCollection.Value))
 				maybeDoc = false;
 
 			//NOTE: No need to warn, plus if we do we should log the document, as this message doesn't really tell us anything :)
@@ -612,5 +612,42 @@ namespace Umbraco.Web
                 EndRequest(this, args);
         } 
         #endregion
+
+
+        /// <summary>
+        /// This is used to be passed into the GlobalSettings.IsReservedPathOrUrl and will include some 'fake' routes
+        /// used to determine if a path is reserved.
+        /// </summary>
+        /// <remarks>
+        /// This is basically used to reserve paths dynamically
+        /// </remarks>
+        private readonly Lazy<RouteCollection> _combinedRouteCollection = new Lazy<RouteCollection>(() =>
+        {
+            var allRoutes = new RouteCollection();
+            foreach (var route in RouteTable.Routes)
+            {
+                allRoutes.Add(route);
+            }
+            foreach (var reservedPath in ReservedPaths)
+            {
+                try
+                {
+                    allRoutes.Add("_umbreserved_" + reservedPath.ReplaceNonAlphanumericChars(""),
+                                new Route(reservedPath.TrimStart('/'), new StopRoutingHandler()));
+                }
+                catch (Exception ex)
+                {
+                    LogHelper.Error<UmbracoModule>("Could not add reserved path route", ex);
+                }
+            }
+
+            return allRoutes;
+        }); 
+
+        /// <summary>
+        /// This is used internally to track any registered callback paths for Identity providers. If the request path matches
+        /// any of the registered paths, then the module will let the request keep executing
+        /// </summary>
+        internal static readonly ConcurrentHashSet<string> ReservedPaths = new ConcurrentHashSet<string>();
 	}
 }