yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3792cafb9f70b92f6f06c6fa980aa039e6316737
Umbraco-CMS/src/Umbraco.Web.Common/Security/MemberManager.cs
Shannon Deminick 3792cafb9f Published members cleanup (#10159) 
* Getting new netcore PublicAccessChecker in place

* Adds full test coverage for PublicAccessChecker

* remove PublicAccessComposer

* adjust namespaces, ensure RoleManager works, separate public access controller, reduce content controller

* Implements the required methods on IMemberManager, removes old migrated code

* Updates routing to be able to re-route, Fixes middleware ordering ensuring endpoints are last, refactors pipeline options, adds public access middleware, ensures public access follows all hops

* adds note

* adds note

* Cleans up ext methods, ensures that members identity is added on both front-end and back ends. updates how UmbracoApplicationBuilder works in that it explicitly starts endpoints at the time of calling.

* Changes name to IUmbracoEndpointBuilder

* adds note

* Fixing tests, fixing error describers so there's 2x one for back office, one for members, fixes TryConvertTo, fixes login redirect

* fixing build

* Updates user manager to correctly validate password hashing and injects the IBackOfficeUserPasswordChecker

* Merges PR

* Fixes up build and notes

* Implements security stamp and email confirmed for members, cleans up a bunch of repo/service level member groups stuff, shares user store code between members and users and fixes the user identity object so we arent' tracking both groups and roles.

* Security stamp for members is now working

* Fixes keepalive, fixes PublicAccessMiddleware to not throw, updates startup code to be more clear and removes magic that registers middleware.

* adds note

* removes unused filter, fixes build

* fixes WebPath and tests

* Looks up entities in one query

* remove usings

* Fix test, remove stylesheet

* Set status code before we write to response to avoid error

* Ensures that users and members are validated when logging in. Shares more code between users and members.

* merge changes

* oops

* Reducing and removing published member cache

* Fixes RepositoryCacheKeys to ensure the keys are normalized

* oops didn't mean to commit this

* Fix casing issues with caching, stop boxing value types for all cache operations, stop re-creating string keys in DefaultRepositoryCachePolicy

* oops didn't mean to comit this

* bah, far out this keeps getting recommitted. sorry

* cannot inject IPublishedMemberCache and cannot have IPublishedMember

* splits out files, fixes build

* fix tests

* removes membership provider classes

* removes membership provider classes

* updates the identity map definition

* reverts commented out lines

* reverts commented out lines

Co-authored-by: Bjarke Berg <mail@bergmania.dk>
2021-04-22 13:21:43 +02:00

240 lines
8.9 KiB
C#
Raw Blame History

using System;
using System.Linq;
using System.Collections.Generic;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Umbraco.Extensions;
using Umbraco.Cms.Core.Configuration.Models;
using Umbraco.Cms.Core.Net;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Core.Services;
using System.Threading.Tasks;
using Umbraco.Cms.Core.PublishedCache;
using Umbraco.Cms.Core.Models.PublishedContent;
namespace Umbraco.Cms.Web.Common.Security
{
public class MemberManager : UmbracoUserManager<MemberIdentityUser, MemberPasswordConfigurationSettings>, IMemberManager
{
private readonly IMemberUserStore _store;
private readonly IPublicAccessService _publicAccessService;
private readonly IHttpContextAccessor _httpContextAccessor;
private MemberIdentityUser _currentMember;
public MemberManager(
IIpResolver ipResolver,
IMemberUserStore store,
IOptions<IdentityOptions> optionsAccessor,
IPasswordHasher<MemberIdentityUser> passwordHasher,
IEnumerable<IUserValidator<MemberIdentityUser>> userValidators,
IEnumerable<IPasswordValidator<MemberIdentityUser>> passwordValidators,
IdentityErrorDescriber errors,
IServiceProvider services,
ILogger<UserManager<MemberIdentityUser>> logger,
IOptions<MemberPasswordConfigurationSettings> passwordConfiguration,
IPublicAccessService publicAccessService,
IHttpContextAccessor httpContextAccessor)
: base(ipResolver, store, optionsAccessor, passwordHasher, userValidators, passwordValidators, errors,
services, logger, passwordConfiguration)
{
_store = store;
_publicAccessService = publicAccessService;
_httpContextAccessor = httpContextAccessor;
}
/// <inheritdoc />
public async Task<bool> IsMemberAuthorizedAsync(IEnumerable<string> allowTypes = null, IEnumerable<string> allowGroups = null, IEnumerable<int> allowMembers = null)
{
if (allowTypes == null)
{
allowTypes = Enumerable.Empty<string>();
}
if (allowGroups == null)
{
allowGroups = Enumerable.Empty<string>();
}
if (allowMembers == null)
{
allowMembers = Enumerable.Empty<int>();
}
// Allow by default
var allowAction = true;
if (IsLoggedIn() == false)
{
// If not logged on, not allowed
allowAction = false;
}
else
{
string username;
MemberIdentityUser currentMember = await GetCurrentMemberAsync();
// If a member could not be resolved from the provider, we are clearly not authorized and can break right here
if (currentMember == null)
{
return false;
}
int memberId = int.Parse(currentMember.Id);
username = currentMember.UserName;
// If types defined, check member is of one of those types
IList<string> allowTypesList = allowTypes as IList<string> ?? allowTypes.ToList();
if (allowTypesList.Any(allowType => allowType != string.Empty))
{
// Allow only if member's type is in list
allowAction = allowTypesList.Select(x => x.ToLowerInvariant()).Contains(currentMember.MemberTypeAlias.ToLowerInvariant());
}
// If specific members defined, check member is of one of those
if (allowAction && allowMembers.Any())
{
// Allow only if member's Id is in the list
allowAction = allowMembers.Contains(memberId);
}
// If groups defined, check member is of one of those groups
IList<string> allowGroupsList = allowGroups as IList<string> ?? allowGroups.ToList();
if (allowAction && allowGroupsList.Any(allowGroup => allowGroup != string.Empty))
{
// Allow only if member is assigned to a group in the list
IList<string> groups = await GetRolesAsync(currentMember);
allowAction = allowGroupsList.Select(s => s.ToLowerInvariant()).Intersect(groups.Select(myGroup => myGroup.ToLowerInvariant())).Any();
}
}
return allowAction;
}
/// <inheritdoc />
public bool IsLoggedIn()
{
HttpContext httpContext = _httpContextAccessor.HttpContext;
return httpContext?.User != null && httpContext.User.Identity.IsAuthenticated;
}
/// <inheritdoc />
public async Task<bool> MemberHasAccessAsync(string path)
{
if (await IsProtectedAsync(path))
{
return await HasAccessAsync(path);
}
return true;
}
/// <inheritdoc />
public async Task<IReadOnlyDictionary<string, bool>> MemberHasAccessAsync(IEnumerable<string> paths)
{
IReadOnlyDictionary<string, bool> protectedPaths = await IsProtectedAsync(paths);
IEnumerable<string> pathsWithProtection = protectedPaths.Where(x => x.Value).Select(x => x.Key);
IReadOnlyDictionary<string, bool> pathsWithAccess = await HasAccessAsync(pathsWithProtection);
var result = new Dictionary<string, bool>();
foreach (var path in paths)
{
pathsWithAccess.TryGetValue(path, out var hasAccess);
// if it's not found it's false anyways
result[path] = !pathsWithProtection.Contains(path) || hasAccess;
}
return result;
}
/// <inheritdoc />
/// <remarks>
/// this is a cached call
/// </remarks>
public Task<bool> IsProtectedAsync(string path) => Task.FromResult(_publicAccessService.IsProtected(path).Success);
/// <inheritdoc />
public Task<IReadOnlyDictionary<string, bool>> IsProtectedAsync(IEnumerable<string> paths)
{
var result = new Dictionary<string, bool>();
foreach (var path in paths)
{
//this is a cached call
result[path] = _publicAccessService.IsProtected(path);
}
return Task.FromResult((IReadOnlyDictionary<string, bool>)result);
}
/// <inheritdoc />
public async Task<MemberIdentityUser> GetCurrentMemberAsync()
{
if (_currentMember == null)
{
if (!IsLoggedIn())
{
return null;
}
_currentMember = await GetUserAsync(_httpContextAccessor.HttpContext.User);
}
return _currentMember;
}
/// <summary>
/// This will check if the member has access to this path
/// </summary>
/// <param name="path"></param>
/// <param name="roleProvider"></param>
/// <returns></returns>
private async Task<bool> HasAccessAsync(string path)
{
MemberIdentityUser currentMember = await GetCurrentMemberAsync();
if (currentMember == null || !currentMember.IsApproved || currentMember.IsLockedOut)
{
return false;
}
return await _publicAccessService.HasAccessAsync(
path,
currentMember.UserName,
async () => await GetRolesAsync(currentMember));
}
private async Task<IReadOnlyDictionary<string, bool>> HasAccessAsync(IEnumerable<string> paths)
{
var result = new Dictionary<string, bool>();
MemberIdentityUser currentMember = await GetCurrentMemberAsync();
if (currentMember == null || !currentMember.IsApproved || currentMember.IsLockedOut)
{
return result;
}
// ensure we only lookup user roles once
IList<string> userRoles = null;
async Task<IList<string>> getUserRolesAsync()
{
if (userRoles != null)
{
return userRoles;
}
userRoles = await GetRolesAsync(currentMember);
return userRoles;
}
foreach (var path in paths)
{
result[path] = await _publicAccessService.HasAccessAsync(
path,
currentMember.UserName,
async () => await getUserRolesAsync());
}
return result;
}
public IPublishedContent AsPublishedMember(MemberIdentityUser user) => _store.GetPublishedMember(user);
}
}
Reference in New Issue View Git Blame Copy Permalink