From abf11c2d62dd0296bffeeb900cb0bb4b7b30f5f5 Mon Sep 17 00:00:00 2001
From: Bjarke Berg
Date: Fri, 12 Mar 2021 21:50:47 +0100
Subject: [PATCH] Fixed issue with BackOfficeIdentity. Previews did not work, because we did not check for multiple identities on the priciple, after the move the pure ClaimsIdentity
---
 .../Extensions/ClaimsIdentityExtensions.cs | 8 +++-
 .../Security/ClaimsPrincipalExtensions.cs | 46 ++++++++++++++-----
 2 files changed, 41 insertions(+), 13 deletions(-)
diff --git a/src/Umbraco.Core/Extensions/ClaimsIdentityExtensions.cs b/src/Umbraco.Core/Extensions/ClaimsIdentityExtensions.cs
index 7569b64cb7..57c69ee9aa 100644
--- a/src/Umbraco.Core/Extensions/ClaimsIdentityExtensions.cs
+++ b/src/Umbraco.Core/Extensions/ClaimsIdentityExtensions.cs
@@ -101,6 +101,12 @@ namespace Umbraco.Extensions
 /// True if ClaimsIdentity
 public static bool VerifyBackOfficeIdentity(this ClaimsIdentity identity, out ClaimsIdentity verifiedIdentity)
 {
+ if (identity is null)
+ {
+ verifiedIdentity = null;
+ return false;
+ }
+
 // Validate that all required claims exist
 foreach (var claimType in RequiredBackOfficeClaimTypes)
 {
@@ -112,7 +118,7 @@ namespace Umbraco.Extensions
 }
 }
- verifiedIdentity = new ClaimsIdentity(identity.Claims, Constants.Security.BackOfficeAuthenticationType);
+ verifiedIdentity = identity.AuthenticationType == Constants.Security.BackOfficeAuthenticationType ? identity : new ClaimsIdentity(identity.Claims, Constants.Security.BackOfficeAuthenticationType);
 return true;
 }
diff --git a/src/Umbraco.Core/Security/ClaimsPrincipalExtensions.cs b/src/Umbraco.Core/Security/ClaimsPrincipalExtensions.cs
index ce0e0eb774..1ee5699868 100644
--- a/src/Umbraco.Core/Security/ClaimsPrincipalExtensions.cs
+++ b/src/Umbraco.Core/Security/ClaimsPrincipalExtensions.cs
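Review bot: The null guard added at the top of VerifyBackOfficeIdentity changes the method's contract, but the doc comment visible above the signature still describes only the true case. The preview branch added to ClaimsPrincipalExtensions.cs in this commit calls the extension on a `FirstOrDefault` result that can be null, so that call is safe only because of this guard. I would record the behaviour in the XML doc, for example `/// Returns false and sets verifiedIdentity to null when identity is null.` The method body continues outside the hunk.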
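Review bot: On the changed assignment, `verifiedIdentity` is now the caller's own instance whenever the authentication type already matches, where the removed line always built a fresh `ClaimsIdentity`. Any code that later adds or removes claims on the verified identity will now also change the identity attached to the principal, so the aliasing should be stated in the doc comment. The other arm of the ternary still stamps the back-office authentication type onto any identity that carries the required claims, and a `ClaimsIdentity` constructed with a non-empty authentication type reports `IsAuthenticated` as true. A comment such as `// Checks required claims only; callers must establish IsAuthenticated first.` would keep the method from being read as an authentication check.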
@@ -7,31 +7,53 @@ using System.Linq;
 using System.Security.Claims;
 using System.Security.Principal;
 using Umbraco.Cms.Core;
-using Umbraco.Cms.Core.Security;
 namespace Umbraco.Extensions
 {
 public static class ClaimsPrincipalExtensions
 {
+
+ public static bool IsBackOfficeAuthenticationType(this ClaimsIdentity claimsIdentity)
+ {
+ if (claimsIdentity is null)
+ {
+ return false;
+ }
+
+ return claimsIdentity.IsAuthenticated && claimsIdentity.AuthenticationType == Constants.Security.BackOfficeAuthenticationType;
+ }
 ///
 /// This will return the current back office identity if the IPrincipal is the correct type and authenticated.
 ///
- ///
+ ///
 ///
- public static ClaimsIdentity GetUmbracoIdentity(this IPrincipal user)
+ public static ClaimsIdentity GetUmbracoIdentity(this IPrincipal principal)
 {
- // Check if the identity is a ClaimsIdentity, and that's it's authenticated and has all required claims.
- if (user.Identity is ClaimsIdentity claimsIdentity
- && claimsIdentity.IsAuthenticated
- && claimsIdentity.VerifyBackOfficeIdentity(out ClaimsIdentity umbracoIdentity))
+ //If it's already a UmbracoBackOfficeIdentity
+ if (principal.Identity is ClaimsIdentity claimsIdentity
+ && claimsIdentity.IsBackOfficeAuthenticationType()
+ && claimsIdentity.VerifyBackOfficeIdentity(out var backOfficeIdentity))
 {
- if (claimsIdentity.AuthenticationType == Constants.Security.BackOfficeAuthenticationType)
- {
- return claimsIdentity;
- }
- return umbracoIdentity;
+ return backOfficeIdentity;
 }
+ //Check if there's more than one identity assigned and see if it's a UmbracoBackOfficeIdentity and use that
+ // We can have assigned more identities if it is a preview request.
+ if (principal is ClaimsPrincipal claimsPrincipal )
+ {
+ claimsIdentity = claimsPrincipal.Identities.FirstOrDefault(x=>x.IsBackOfficeAuthenticationType());
+ if (claimsIdentity.VerifyBackOfficeIdentity(out backOfficeIdentity))
+ {
+ return backOfficeIdentity;
+ }
+ }
+
+ //Otherwise convert to a UmbracoBackOfficeIdentity if it's auth'd
+ if (principal.Identity is ClaimsIdentity claimsIdentity2
+ && claimsIdentity2.VerifyBackOfficeIdentity(out backOfficeIdentity))
+ {
+ return backOfficeIdentity;
+ }
 return null;
 }
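Review bot: The final fallback in GetUmbracoIdentity no longer checks `IsAuthenticated`, although its comment says "if it's auth'd" and the removed code required it before calling VerifyBackOfficeIdentity. That method wraps the claims in a new `ClaimsIdentity` carrying the back-office authentication type, which .NET reports as authenticated. An unauthenticated identity that happens to carry the required claims would therefore come back as an authenticated back-office identity; whether such a principal can reach this code is not visible from the hunk. I would restore the guard by adding `&& claimsIdentity2.IsAuthenticated` ahead of the verify call. In the preview branch the `FirstOrDefault` result can be null and is handled only by the null guard inside VerifyBackOfficeIdentity, so an explicit `claimsIdentity != null &&` would make that branch independent of it.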