Umbraco-CMS/src/Umbraco.Core/Extensions/ClaimsIdentityExtensions.cs

// Copyright (c) Umbraco.
// See LICENSE for more details.

using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using Umbraco.Cms.Core;

namespace Umbraco.Extensions
{
    public static class ClaimsIdentityExtensions
    {
        public static T GetUserId<T>(this IIdentity identity)
        {
            var strId = identity.GetUserId();
            var converted = strId.TryConvertTo<T>();
            return converted.ResultOr(default);
        }

        /// <summary>
        /// Returns the user id from the <see cref="IIdentity"/> of either the claim type <see cref="ClaimTypes.NameIdentifier"/> or "sub"
        /// </summary>
        /// <param name="identity"></param>
        /// <returns>
        /// The string value of the user id if found otherwise null
        /// </returns>
        public static string GetUserId(this IIdentity identity)
        {
            if (identity == null) throw new ArgumentNullException(nameof(identity));

            string userId = null;
            if (identity is ClaimsIdentity claimsIdentity)
            {
                userId = claimsIdentity.FindFirstValue(ClaimTypes.NameIdentifier)
                         ?? claimsIdentity.FindFirstValue("sub");
            }

            return userId;
        }

        /// <summary>
        /// Returns the user name from the <see cref="IIdentity"/> of either the claim type <see cref="ClaimTypes.Name"/> or "preferred_username"
        /// </summary>
        /// <param name="identity"></param>
        /// <returns>
        /// The string value of the user name if found otherwise null
        /// </returns>
        public static string GetUserName(this IIdentity identity)
        {
            if (identity == null) throw new ArgumentNullException(nameof(identity));

            string username = null;
            if (identity is ClaimsIdentity claimsIdentity)
            {
                username = claimsIdentity.FindFirstValue(ClaimTypes.Name)
                           ?? claimsIdentity.FindFirstValue("preferred_username");
            }

            return username;
        }

        public static string GetEmail(this IIdentity identity)
        {
            if (identity == null) throw new ArgumentNullException(nameof(identity));

            string email = null;
            if (identity is ClaimsIdentity claimsIdentity)
            {
                email = claimsIdentity.FindFirstValue(ClaimTypes.Email);
            }

            return email;
        }

        /// <summary>
        /// Returns the first claim value found in the <see cref="ClaimsIdentity"/> for the given claimType
        /// </summary>
        /// <param name="identity"></param>
        /// <param name="claimType"></param>
        /// <returns>
        /// The string value of the claim if found otherwise null
        /// </returns>
        public static string FindFirstValue(this ClaimsIdentity identity, string claimType)
        {
            if (identity == null) throw new ArgumentNullException(nameof(identity));

            return identity.FindFirst(claimType)?.Value;
        }

        /// <summary>
        /// Returns the required claim types for a back office identity
        /// </summary>
        /// <remarks>
        /// This does not include the role claim type or allowed apps type since that is a collection and in theory could be empty
        /// </remarks>
        public static IEnumerable<string> RequiredBackOfficeClaimTypes => new[]
        {
            ClaimTypes.NameIdentifier, //id
            ClaimTypes.Name,  //username
            ClaimTypes.GivenName,
            // Constants.Security.StartContentNodeIdClaimType, These seem to be able to be null...
            // Constants.Security.StartMediaNodeIdClaimType,
            ClaimTypes.Locality,
            Constants.Security.SecurityStampClaimType
        };

        /// <summary>
        /// Verify that a ClaimsIdentity has all the required claim types
        /// </summary>
        /// <param name="identity"></param>
        /// <param name="verifiedIdentity">Verified identity wrapped in a ClaimsIdentity with BackOfficeAuthentication type</param>
        /// <returns>True if ClaimsIdentity</returns>
        public static bool VerifyBackOfficeIdentity(this ClaimsIdentity identity, out ClaimsIdentity verifiedIdentity)
        {
            if (identity is null)
            {
                verifiedIdentity = null;
                return false;
            }

            // Validate that all required claims exist
            foreach (var claimType in RequiredBackOfficeClaimTypes)
            {
                if (identity.HasClaim(x => x.Type == claimType) == false ||
                    identity.HasClaim(x => x.Type == claimType && x.Value.IsNullOrWhiteSpace()))
                {
                    verifiedIdentity = null;
                    return false;
                }
            }

            verifiedIdentity =  identity.AuthenticationType == Constants.Security.BackOfficeAuthenticationType ? identity : new ClaimsIdentity(identity.Claims, Constants.Security.BackOfficeAuthenticationType);
            return true;
        }

        /// <summary>
        /// Add the required claims to be a BackOffice ClaimsIdentity
        /// </summary>
        /// <param name="identity">this</param>
        /// <param name="userId">The users Id</param>
        /// <param name="username">Username</param>
        /// <param name="realName">Real name</param>
        /// <param name="startContentNodes">Start content nodes</param>
        /// <param name="startMediaNodes">Start media nodes</param>
        /// <param name="culture">The locality of the user</param>
        /// <param name="securityStamp">Security stamp</param>
        /// <param name="allowedApps">Allowed apps</param>
        /// <param name="roles">Roles</param>
        public static void AddRequiredClaims(this ClaimsIdentity identity, string userId, string username,
            string realName, IEnumerable<int> startContentNodes, IEnumerable<int> startMediaNodes, string culture,
            string securityStamp, IEnumerable<string> allowedApps, IEnumerable<string> roles)
        {
            //This is the id that 'identity' uses to check for the user id
            if (identity.HasClaim(x => x.Type == ClaimTypes.NameIdentifier) == false)
            {
                identity.AddClaim(new Claim(
                    ClaimTypes.NameIdentifier,
                    userId,
                    ClaimValueTypes.String,
                    Constants.Security.BackOfficeAuthenticationType,
                    Constants.Security.BackOfficeAuthenticationType,
                    identity));
            }

            if (identity.HasClaim(x => x.Type == ClaimTypes.Name) == false)
            {
                identity.AddClaim(new Claim(
                    ClaimTypes.Name,
                    username,
                    ClaimValueTypes.String,
                    Constants.Security.BackOfficeAuthenticationType,
                    Constants.Security.BackOfficeAuthenticationType,
                    identity));
            }

            if (identity.HasClaim(x => x.Type == ClaimTypes.GivenName) == false)
            {
                identity.AddClaim(new Claim(
                    ClaimTypes.GivenName,
                    realName,
                    ClaimValueTypes.String,
                    Constants.Security.BackOfficeAuthenticationType,
                    Constants.Security.BackOfficeAuthenticationType,
                    identity));
            }

            if (identity.HasClaim(x => x.Type == Constants.Security.StartContentNodeIdClaimType) == false &&
                startContentNodes != null)
            {
                foreach (var startContentNode in startContentNodes)
                {
                    identity.AddClaim(new Claim(
                        Constants.Security.StartContentNodeIdClaimType,
                        startContentNode.ToInvariantString(),
                        ClaimValueTypes.Integer32,
                        Constants.Security.BackOfficeAuthenticationType,
                        Constants.Security.BackOfficeAuthenticationType,
                        identity));
                }
            }

            if (identity.HasClaim(x => x.Type == Constants.Security.StartMediaNodeIdClaimType) == false &&
                startMediaNodes != null)
            {
                foreach (var startMediaNode in startMediaNodes)
                {
                    identity.AddClaim(new Claim(
                        Constants.Security.StartMediaNodeIdClaimType,
                        startMediaNode.ToInvariantString(),
                        ClaimValueTypes.Integer32,
                        Constants.Security.BackOfficeAuthenticationType,
                        Constants.Security.BackOfficeAuthenticationType,
                        identity));
                }
            }

            if (identity.HasClaim(x => x.Type == ClaimTypes.Locality) == false)
            {
                identity.AddClaim(new Claim(
                    ClaimTypes.Locality,
                    culture,
                    ClaimValueTypes.String,
                    Constants.Security.BackOfficeAuthenticationType,
                    Constants.Security.BackOfficeAuthenticationType,
                    identity));
            }

            // The security stamp claim is also required
            if (identity.HasClaim(x => x.Type == Constants.Security.SecurityStampClaimType) == false)
            {
                identity.AddClaim(new Claim(
                    Constants.Security.SecurityStampClaimType,
                    securityStamp,
                    ClaimValueTypes.String,
                    Constants.Security.BackOfficeAuthenticationType,
                    Constants.Security.BackOfficeAuthenticationType,
                    identity));
            }

            // Add each app as a separate claim
            if (identity.HasClaim(x => x.Type == Constants.Security.AllowedApplicationsClaimType) == false &&
                allowedApps != null)
            {
                foreach (var application in allowedApps)
                {
                    identity.AddClaim(new Claim(
                        Constants.Security.AllowedApplicationsClaimType,
                        application,
                        ClaimValueTypes.String,
                        Constants.Security.BackOfficeAuthenticationType,
                        Constants.Security.BackOfficeAuthenticationType,
                        identity));
                }
            }

            // Claims are added by the ClaimsIdentityFactory because our UserStore supports roles, however this identity might
            // not be made with that factory if it was created with a different ticket so perform the check
            if (identity.HasClaim(x => x.Type == ClaimsIdentity.DefaultRoleClaimType) == false && roles != null)
            {
                // Manually add them
                foreach (var roleName in roles)
                {
                    identity.AddClaim(new Claim(
                        identity.RoleClaimType,
                        roleName,
                        ClaimValueTypes.String,
                        Constants.Security.BackOfficeAuthenticationType,
                        Constants.Security.BackOfficeAuthenticationType,
                        identity));
                }
            }
        }

        /// <summary>
        /// Get the start content nodes from a ClaimsIdentity
        /// </summary>
        /// <param name="identity"></param>
        /// <returns>Array of start content nodes</returns>
        public static int[] GetStartContentNodes(this ClaimsIdentity identity) =>
            identity.FindAll(x => x.Type == Constants.Security.StartContentNodeIdClaimType)
                .Select(node => int.TryParse(node.Value, NumberStyles.Integer, CultureInfo.InvariantCulture, out var i) ? i : default)
                .Where(x => x != default).ToArray();

        /// <summary>
        /// Get the start media nodes from a ClaimsIdentity
        /// </summary>
        /// <param name="identity"></param>
        /// <returns>Array of start media nodes</returns>
        public static int[] GetStartMediaNodes(this ClaimsIdentity identity) =>
            identity.FindAll(x => x.Type == Constants.Security.StartMediaNodeIdClaimType)
                .Select(node => int.TryParse(node.Value, NumberStyles.Integer, CultureInfo.InvariantCulture, out var i) ? i : default)
                .Where(x => x != default).ToArray();

        /// <summary>
        /// Get the allowed applications from a ClaimsIdentity
        /// </summary>
        /// <param name="identity"></param>
        /// <returns></returns>
        public static string[] GetAllowedApplications(this ClaimsIdentity identity) => identity
            .FindAll(x => x.Type == Constants.Security.AllowedApplicationsClaimType).Select(app => app.Value).ToArray();

        /// <summary>
        /// Get the user ID from a ClaimsIdentity
        /// </summary>
        /// <param name="identity"></param>
        /// <returns>User ID as integer</returns>
        public static int GetId(this ClaimsIdentity identity) => int.Parse(identity.FindFirstValue(ClaimTypes.NameIdentifier), CultureInfo.InvariantCulture);

        /// <summary>
        /// Get the real name belonging to the user from a ClaimsIdentity
        /// </summary>
        /// <param name="identity"></param>
        /// <returns>Real name of the user</returns>
        public static string GetRealName(this ClaimsIdentity identity) => identity.FindFirstValue(ClaimTypes.GivenName);

        /// <summary>
        /// Get the username of the user from a ClaimsIdentity
        /// </summary>
        /// <param name="identity"></param>
        /// <returns>Username of the user</returns>
        public static string GetUsername(this ClaimsIdentity identity) => identity.FindFirstValue(ClaimTypes.Name);

        /// <summary>
        /// Get the culture string from a ClaimsIdentity
        /// </summary>
        /// <param name="identity"></param>
        /// <returns>Culture string</returns>
        public static string GetCultureString(this ClaimsIdentity identity) => identity.FindFirstValue(ClaimTypes.Locality);

        /// <summary>
        /// Get the security stamp from a ClaimsIdentity
        /// </summary>
        /// <param name="identity"></param>
        /// <returns>Security stamp</returns>
        public static string GetSecurityStamp(this ClaimsIdentity identity) => identity.FindFirstValue(Constants.Security.SecurityStampClaimType);

        /// <summary>
        /// Get the roles assigned to a user from a ClaimsIdentity
        /// </summary>
        /// <param name="identity"></param>
        /// <returns>Array of roles</returns>
        public static string[] GetRoles(this ClaimsIdentity identity) => identity
            .FindAll(x => x.Type == ClaimsIdentity.DefaultRoleClaimType).Select(role => role.Value).ToArray();


        /// <summary>
        /// Adds or updates and existing claim.
        /// </summary>
        public static void AddOrUpdateClaim(this ClaimsIdentity identity, Claim claim)
        {
            if (identity == null)
            {
                throw new ArgumentNullException(nameof(identity));
            }

            Claim existingClaim = identity.Claims.FirstOrDefault(x => x.Type == claim.Type);
            identity.TryRemoveClaim(existingClaim);

            identity.AddClaim(claim);
        }
    }
}