tgstation-server 6.12.0
The /tg/station 13 server suite
Loading...
Searching...
No Matches
AuthenticationContextFactory.cs
Go to the documentation of this file.
1using System;
2using System.Globalization;
3using System.Linq;
4using System.Security.Claims;
5using System.Threading;
6using System.Threading.Tasks;
7
8using Microsoft.AspNetCore.Authentication.JwtBearer;
9using Microsoft.EntityFrameworkCore;
10using Microsoft.Extensions.Logging;
11using Microsoft.Extensions.Options;
12using Microsoft.IdentityModel.JsonWebTokens;
13using Microsoft.IdentityModel.Tokens;
14
15using Tgstation.Server.Api;
16using Tgstation.Server.Host.Configuration;
17using Tgstation.Server.Host.Database;
18using Tgstation.Server.Host.Models;
19using Tgstation.Server.Host.Utils;
20
21namespace Tgstation.Server.Host.Security
22{
24 sealed class AuthenticationContextFactory : ITokenValidator, IDisposable
25 {
29 public IAuthenticationContext CurrentAuthenticationContext => currentAuthenticationContext;
30
34 readonly IDatabaseContext databaseContext;
35
39 readonly IIdentityCache identityCache;
40
44 readonly ILogger<AuthenticationContextFactory> logger;
45
49 readonly SwarmConfiguration swarmConfiguration;
50
54 readonly AuthenticationContext currentAuthenticationContext;
55
59 readonly ApiHeaders? apiHeaders;
60
64 int initialized;
65
74 public AuthenticationContextFactory(
75 IDatabaseContext databaseContext,
76 IIdentityCache identityCache,
77 IApiHeadersProvider apiHeadersProvider,
78 IOptions<SwarmConfiguration> swarmConfigurationOptions,
79 ILogger<AuthenticationContextFactory> logger)
80 {
81 this.databaseContext = databaseContext ?? throw new ArgumentNullException(nameof(databaseContext));
82 this.identityCache = identityCache ?? throw new ArgumentNullException(nameof(identityCache));
83 ArgumentNullException.ThrowIfNull(apiHeadersProvider);
84
85 apiHeaders = apiHeadersProvider.ApiHeaders;
86 swarmConfiguration = swarmConfigurationOptions?.Value ?? throw new ArgumentNullException(nameof(swarmConfigurationOptions));
87 this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
88
89 currentAuthenticationContext = new AuthenticationContext();
90 }
91
93 public void Dispose() => currentAuthenticationContext.Dispose();
94
96 #pragma warning disable CA1506 // TODO: Decomplexify
97 public async Task ValidateToken(TokenValidatedContext tokenValidatedContext, CancellationToken cancellationToken)
98 #pragma warning restore CA1506
99 {
100 ArgumentNullException.ThrowIfNull(tokenValidatedContext);
101
102 if (tokenValidatedContext.SecurityToken is not JsonWebToken jwt)
103 throw new ArgumentException($"Expected {nameof(tokenValidatedContext)} to contain a {nameof(JsonWebToken)}!", nameof(tokenValidatedContext));
104
105 if (Interlocked.Exchange(ref initialized, 1) != 0)
106 throw new InvalidOperationException("Authentication context has already been loaded");
107
108 var principal = new ClaimsPrincipal(new ClaimsIdentity(jwt.Claims));
109
110 var userIdClaim = principal.FindFirst(JwtRegisteredClaimNames.Sub);
111 if (userIdClaim == default)
112 throw new InvalidOperationException($"Missing '{JwtRegisteredClaimNames.Sub}' claim!");
113
114 long userId;
115 try
116 {
117 userId = Int64.Parse(userIdClaim.Value, CultureInfo.InvariantCulture);
118 }
119 catch (Exception e)
120 {
121 throw new InvalidOperationException("Failed to parse user ID!", e);
122 }
123
124 DateTimeOffset ParseTime(string key)
125 {
126 var claim = principal.FindFirst(key);
127 if (claim == default)
128 throw new InvalidOperationException($"Missing '{key}' claim!");
129
130 try
131 {
132 return new DateTimeOffset(
133 EpochTime.DateTime(
134 Int64.Parse(claim.Value, CultureInfo.InvariantCulture)));
135 }
136 catch (Exception ex)
137 {
138 throw new InvalidOperationException($"Failed to parse '{key}'!", ex);
139 }
140 }
141
142 var notBefore = ParseTime(JwtRegisteredClaimNames.Nbf);
143 var expires = ParseTime(JwtRegisteredClaimNames.Exp);
144
145 var user = await databaseContext
146 .Users
147 .AsQueryable()
148 .Where(x => x.Id == userId)
149 .Include(x => x.CreatedBy)
150 .Include(x => x.PermissionSet)
151 .Include(x => x.Group)
152 .ThenInclude(x => x!.PermissionSet)
153 .Include(x => x.OAuthConnections)
154 .FirstOrDefaultAsync(cancellationToken);
155 if (user == default)
156 {
157 tokenValidatedContext.Fail($"Unable to find user with ID {userId}!");
158 return;
159 }
160
161 ISystemIdentity? systemIdentity;
162 if (user.SystemIdentifier != null)
163 systemIdentity = identityCache.LoadCachedIdentity(user);
164 else
165 {
166 if (user.LastPasswordUpdate.HasValue && user.LastPasswordUpdate >= notBefore)
167 {
168 tokenValidatedContext.Fail($"Rejecting token for user {userId} created before last modification: {user.LastPasswordUpdate.Value}");
169 return;
170 }
171
172 systemIdentity = null;
173 }
174
175 var userPermissionSet = user.PermissionSet ?? user.Group!.PermissionSet;
176 try
177 {
178 InstancePermissionSet? instancePermissionSet = null;
179 var instanceId = apiHeaders?.InstanceId;
180 if (instanceId.HasValue)
181 {
182 instancePermissionSet = await databaseContext.InstancePermissionSets
183 .AsQueryable()
184 .Where(x => x.PermissionSetId == userPermissionSet!.Id && x.InstanceId == instanceId && x.Instance!.SwarmIdentifer == swarmConfiguration.Identifier)
185 .Include(x => x.Instance)
186 .FirstOrDefaultAsync(cancellationToken);
187
188 if (instancePermissionSet == null)
189 logger.LogDebug("User {userId} does not have permissions on instance {instanceId}!", userId, instanceId.Value);
190 }
191
192 currentAuthenticationContext.Initialize(
193 user,
194 expires,
195 jwt.EncodedSignature, // signature is enough to uniquely identify the session as it is composite of all the inputs
196 instancePermissionSet,
197 systemIdentity);
198 }
199 catch
200 {
201 systemIdentity?.Dispose();
202 throw;
203 }
204 }
205 }
206}
Tgstation.Server.Api.ApiHeaders
Represents the header that must be present for every server request.
Definition ApiHeaders.cs:25
Tgstation.Server.Api.ApiHeaders.InstanceId
long? InstanceId
The instance EntityId.Id being accessed.
Definition ApiHeaders.cs:84
Tgstation.Server.Api.Models.Internal.SwarmServer.Identifier
string? Identifier
The server's identifier.
Definition SwarmServer.cs:26
Tgstation.Server.Host.Configuration.SwarmConfiguration
Configuration for the server swarm system.
Definition SwarmConfiguration.cs:13
Tgstation.Server.Host.Security.AuthenticationContextFactory.CurrentAuthenticationContext
IAuthenticationContext CurrentAuthenticationContext
The IAuthenticationContext the AuthenticationContextFactory created.
Definition AuthenticationContextFactory.cs:29
Tgstation.Server.Host.Security.AuthenticationContextFactory.databaseContext
readonly IDatabaseContext databaseContext
The IDatabaseContext for the AuthenticationContextFactory.
Definition AuthenticationContextFactory.cs:34
Tgstation.Server.Host.Security.AuthenticationContextFactory.logger
readonly ILogger< AuthenticationContextFactory > logger
The ILogger for the AuthenticationContextFactory.
Definition AuthenticationContextFactory.cs:44
Tgstation.Server.Host.Security.AuthenticationContextFactory.initialized
int initialized
1 if currentAuthenticationContext was initialized, 0 otherwise.
Definition AuthenticationContextFactory.cs:64
Tgstation.Server.Host.Security.AuthenticationContextFactory.swarmConfiguration
readonly SwarmConfiguration swarmConfiguration
The SwarmConfiguration for the AuthenticationContextFactory.
Definition AuthenticationContextFactory.cs:49
Tgstation.Server.Host.Security.AuthenticationContextFactory.identityCache
readonly IIdentityCache identityCache
The IIdentityCache for the AuthenticationContextFactory.
Definition AuthenticationContextFactory.cs:39
Tgstation.Server.Host.Security.AuthenticationContextFactory.apiHeaders
readonly? ApiHeaders apiHeaders
The ApiHeaders for the AuthenticationContextFactory.
Definition AuthenticationContextFactory.cs:59
Tgstation.Server.Host.Security.AuthenticationContextFactory.currentAuthenticationContext
readonly AuthenticationContext currentAuthenticationContext
Backing field for CurrentAuthenticationContext.
Definition AuthenticationContextFactory.cs:54
Tgstation.Server.Host.Security.AuthenticationContextFactory.ValidateToken
async Task ValidateToken(TokenValidatedContext tokenValidatedContext, CancellationToken cancellationToken)
Handles tokenValidatedContext .A Task representing the running operation.
Definition AuthenticationContextFactory.cs:97
Tgstation.Server.Host.Security.AuthenticationContextFactory.AuthenticationContextFactory
AuthenticationContextFactory(IDatabaseContext databaseContext, IIdentityCache identityCache, IApiHeadersProvider apiHeadersProvider, IOptions< SwarmConfiguration > swarmConfigurationOptions, ILogger< AuthenticationContextFactory > logger)
Initializes a new instance of the AuthenticationContextFactory class.
Definition AuthenticationContextFactory.cs:74
Tgstation.Server.Host.Security.AuthenticationContext.Initialize
void Initialize(User user, DateTimeOffset sessionExpiry, string sessionId, InstancePermissionSet? instanceUser, ISystemIdentity? systemIdentity)
Initializes the AuthenticationContext.
Definition AuthenticationContext.cs:78
Tgstation.Server.Host.Database.IDatabaseContext.Users
IDatabaseCollection< User > Users
The Users in the IDatabaseContext.
Definition IDatabaseContext.cs:21
Tgstation.Server.Host.Security.IAuthenticationContext
For creating and accessing authentication contexts.
Definition IAuthenticationContext.cs:12
Tgstation.Server.Host.Security.IIdentityCache.LoadCachedIdentity
ISystemIdentity LoadCachedIdentity(User user)
Attempt to load a cached ISystemIdentity.
Tgstation.Server.Host.Security.ISystemIdentity
Represents a user on the current global::System.Runtime.InteropServices.OSPlatform.
Definition ISystemIdentity.cs:11
Tgstation.Server.Host.Utils.IApiHeadersProvider.ApiHeaders
ApiHeaders? ApiHeaders
The created Api.ApiHeaders, if any.
Definition IApiHeadersProvider.cs:13
Generated by doxygen 1.9.8