108 return databaseContext
110 .Where(
x =>
ids.Contains(
x.Id!.Value))
111 .ToDictionaryAsync(user => user.Id!.Value, cancellationToken);
132 .Where(
x =>
userIds.Contains(
x.User!.Id!.Value))
133 .ToListAsync(cancellationToken);
135 return list.ToLookup(
137 x =>
new GraphQL.Types.OAuth.OAuthConnection
139 ExternalUserId = x.ExternalUserId!,
140 Provider = x.Provider,
162 .Where(
x =>
userIds.Contains(
x.User!.Id!.Value))
163 .ToListAsync(cancellationToken);
165 return list.ToLookup(
167 x =>
new GraphQL.Types.OAuth.OidcConnection
169 ExternalUserId = x.ExternalUserId!,
170 SchemeKey = x.SchemeKey!,
354#pragma warning disable CA1506
359#pragma warning restore CA1506
362 async authorizationService =>
371 .CountAsync(cancellationToken);
392 Logger.LogTrace(
ex,
"System identities not implemented!");
427#pragma warning disable CA1502
428#pragma warning disable CA1506
430#pragma warning restore CA1502
431#pragma warning restore CA1506
438 if (
model.OidcConnections !=
null ||
model.OAuthConnections !=
null)
452 else if (
model.Enabled.HasValue
453 ||
model.Group !=
null
454 ||
model.Name !=
null
455 ||
model.PermissionSet !=
null)
460 async authorizationService =>
464 if (!
model.Id.HasValue ||
model.OAuthConnections?.Any(
x =>
x ==
null) ==
true)
467 if (
model.Group !=
null &&
model.PermissionSet !=
null)
473 .Include(
x =>
x.CreatedBy)
474 .Include(
x =>
x.OAuthConnections)
475 .Include(
x =>
x.OidcConnections)
476 .Include(
x =>
x.Group!)
477 .ThenInclude(
x =>
x.PermissionSet)
478 .Include(
x =>
x.PermissionSet)
479 .FirstOrDefaultAsync(cancellationToken);
494 Logger.LogDebug(
"System user ID {userId}'s PasswordHash is polluted, updating database.",
originalUser.Id);
503 if (
model.Password !=
null)
518 if (
model.OAuthConnections !=
null
520 || !
model.OAuthConnections.All(
x =>
originalUser.OAuthConnections.Any(
y =>
y.Provider ==
x.Provider &&
y.ExternalUserId ==
x.ExternalUserId))))
535 originalUser.OAuthConnections.Add(
new Models.OAuthConnection
537 Provider = updatedConnection.Provider,
538 ExternalUserId = updatedConnection.ExternalUserId,
542 if (
model.OidcConnections !=
null
544 || !
model.OidcConnections.All(
x =>
originalUser.OidcConnections.Any(
y =>
y.SchemeKey ==
x.SchemeKey &&
y.ExternalUserId ==
x.ExternalUserId))))
558 originalUser.OidcConnections.Add(
new Models.OidcConnection
560 SchemeKey = updatedConnection.SchemeKey,
561 ExternalUserId = updatedConnection.ExternalUserId,
565 if (
model.Group !=
null)
572 .Where(
x =>
x.Id ==
model.Group.Id)
573 .Include(
x =>
x.PermissionSet)
574 .FirstOrDefaultAsync(cancellationToken);
582 Logger.LogInformation(
"Deleting permission set {permissionSetId}...",
originalUser.PermissionSet.Id);
587 else if (
model.PermissionSet !=
null)
594 Logger.LogTrace(
"Creating new permission set...");
611 if (
model.Enabled.HasValue)
642 where TResult :
class
657 .
Where(user => user.Id ==
id)
658 .TagWith(
"User by ID"),
661 Queried = projected.Queried.CanonicalName!,
662 Result = projected.Result,
666 if (projected == default)
667 return NotFound<TResult>();
669 string canonicalName = projected.Queried;
670 if (!allowSystemUser && canonicalName == User.CanonicalizeName(User.TgsSystemUserName))
671 return Forbid<TResult>();
673 return new AuthorityResponse<TResult>(projected.Result);
675 cancellationToken)));
716 Security.IAuthorizationService authorizationService,
723 || (
await authorizationService.AuthorizeAsync(
740 GraphQL.Subscriptions.UserSubscriptions.UserUpdatedTopics(
741 user.Require(
x =>
x.Id))
765 .Include(
x =>
x.CreatedBy)
766 .Include(
x =>
x.OAuthConnections)
767 .Include(
x =>
x.OidcConnections)
768 .Include(
x =>
x.Group!)
769 .ThenInclude(
x =>
x.PermissionSet)
770 .Include(
x =>
x.PermissionSet);
783 Models.PermissionSet? permissionSet =
null;
785 if (
model.Group !=
null)
788 .Where(
x =>
x.Id ==
model.Group.Id)
789 .Include(
x =>
x.PermissionSet)
790 .FirstOrDefaultAsync(cancellationToken);
813 CreatedAt = DateTimeOffset.UtcNow,
819 SystemIdentifier =
model.SystemIdentifier,
822 ?.Select(
x =>
new Models.OAuthConnection
824 Provider = x.Provider,
825 ExternalUserId = x.ExternalUserId,
828 ??
new List<Models.OAuthConnection>(),
831 ?.
Select(
x =>
new Models.OidcConnection
833 SchemeKey =
x.SchemeKey,
834 ExternalUserId =
x.ExternalUserId,
837 ??
new List<Models.OidcConnection>(),
851 if (
newPassword.Length < generalConfigurationOptions.Value.MinimumPasswordLength)
855 AdditionalData = $
"Required password length: {generalConfigurationOptions.Value.MinimumPasswordLength}",
Represents initial credentials used by the server.
static readonly string AdminUserName
The name of the default admin user.
Represents a valid OAuth connection.
Represents a valid OIDC connection.
Represents a set of server permissions.
AdministrationRights? AdministrationRights
The Rights.AdministrationRights for the user.
For editing a given user.
Represents an error message returned by the server.
Extension methods for the ValueTask and ValueTask<TResult> classes.
static async ValueTask WhenAll(IEnumerable< ValueTask > tasks)
Fully await a given list of tasks .
Base implementation of IAuthority.
ILogger< AuthorityBase > Logger
Gets the ILogger for the AuthorityBase.
Represents a response from an authority.
A projectable TResult based on an underlying TQueried .
static Projectable< TQueried, TResult > Create(IQueryable< TQueried > query, Func< ProjectedPair< object?, TResult >?, AuthorityResponse< TResult > > resultMapper, CancellationToken cancellationToken)
Create a Projectable<TQueried, TResult>.
DTO for moving database projected objects through the system.
Evaluates a set of IAuthorizationRequirements to be checked before executing a response.
readonly ISessionInvalidationTracker sessionInvalidationTracker
The ISessionInvalidationTracker for the UserAuthority.
readonly ITopicEventSender topicEventSender
The ITopicEventSender for the UserAuthority.
UserAuthority(IDatabaseContext databaseContext, ILogger< UserAuthority > logger, IUsersDataLoader usersDataLoader, IOAuthConnectionsDataLoader oAuthConnectionsDataLoader, IOidcConnectionsDataLoader oidcConnectionsDataLoader, ISystemIdentityFactory systemIdentityFactory, IPermissionsUpdateNotifyee permissionsUpdateNotifyee, ICryptographySuite cryptographySuite, ISessionInvalidationTracker sessionInvalidationTracker, ITopicEventSender topicEventSender, IClaimsPrincipalAccessor claimsPrincipalAccessor, IOptionsSnapshot< GeneralConfiguration > generalConfigurationOptions, IOptionsSnapshot< SecurityConfiguration > securityConfigurationOptions)
Initializes a new instance of the UserAuthority class.
RequirementsGated< AuthorityResponse< GraphQL.Types.OAuth.OidcConnection[]> > OidcConnections(long userId, CancellationToken cancellationToken)
Gets the GraphQL.Types.OAuth.OidcConnections for the User with a given userId .A RequirementsGated<TR...
readonly IPermissionsUpdateNotifyee permissionsUpdateNotifyee
The IPermissionsUpdateNotifyee for the UserAuthority.
static ? AuthorityResponse< UpdatedUser > CheckValidName(UserUpdateRequest model, bool newUser)
Check if a given model has a valid UserName.Name specified.
AuthorityResponse< UpdatedUser >? TrySetPassword(User dbUser, string newPassword, bool newUser)
Attempt to change the password of a given dbUser .
static Task< Dictionary< long, User > > GetUsers(IReadOnlyList< long > ids, IDatabaseContext databaseContext, CancellationToken cancellationToken)
Implements the usersDataLoader.
readonly IClaimsPrincipalAccessor claimsPrincipalAccessor
The IClaimsPrincipalAccessor for the UserAuthority.
async ValueTask< AuthorityResponse< User > > GetIdImpl(long id, bool includeJoins, bool allowSystemUser, CancellationToken cancellationToken)
Implementation of retrieving a User by ID.
RequirementsGated< AuthorityResponse< User > > Read(CancellationToken cancellationToken)
Gets the currently authenticated user.A RequirementsGated<TResult> User AuthorityResponse<TResult>.
readonly ISystemIdentityFactory systemIdentityFactory
The ISystemIdentityFactory for the UserAuthority.
RequirementsGated< AuthorityResponse< User > > GetId(long id, bool includeJoins, bool allowSystemUser, CancellationToken cancellationToken)
Gets the User with a given id .A RequirementsGated<TResult> User AuthorityResponse<TResult>.
readonly IOptionsSnapshot< GeneralConfiguration > generalConfigurationOptions
The IOptionsSnapshot<TOptions> of GeneralConfiguration for the UserAuthority.
RequirementsGated< IQueryable< User > > Queryable(bool includeJoins)
Gets all registered Users.A RequirementsGated<TResult> IQueryable<T> of Users.
IQueryable< User > Queryable(bool includeJoins, bool allowSystemUser)
Gets all registered Users.
async ValueTask< User > CreateNewUserFromModel(Api.Models.Internal.UserApiBase model, CancellationToken cancellationToken)
Creates a new User from a given model .
RequirementsGated< Projectable< User, TResult > > GetId< TResult >(long id, bool allowSystemUser, CancellationToken cancellationToken)
Gets the User with a given id .A RequirementsGated<TResult> Projectable<TQueried, TResult> User for T...
RequirementsGated< AuthorityResponse< GraphQL.Types.OAuth.OAuthConnection[]> > OAuthConnections(long userId, CancellationToken cancellationToken)
Gets the GraphQL.Types.OAuth.OAuthConnections for the User with a given userId .A RequirementsGated<T...
static async ValueTask< ILookup< long, GraphQL.Types.OAuth.OAuthConnection > > GetOAuthConnections(IReadOnlyList< long > userIds, IDatabaseContext databaseContext, CancellationToken cancellationToken)
Implements the oAuthConnectionsDataLoader.
static async ValueTask< ILookup< long, GraphQL.Types.OAuth.OidcConnection > > GetOidcConnections(IReadOnlyList< long > userIds, IDatabaseContext databaseContext, CancellationToken cancellationToken)
Implements the oidcConnectionsDataLoader.
RequirementsGated< AuthorityResponse< UpdatedUser > > Create(UserCreateRequest createRequest, bool? needZeroLengthPasswordWithOAuthConnections, CancellationToken cancellationToken)
Creates a User.A RequirementsGated<TResult> AuthorityResponse<TResult> for the created UpdatedUser.
static bool BadCreateRequestChecks(UserCreateRequest createRequest, bool? needZeroLengthPasswordWithOAuthConnections, [NotNullWhen(true)] out AuthorityResponse< UpdatedUser >? failResponse)
Checks if a createRequest should return a bad request AuthorityResponse<TResult>.
readonly IOidcConnectionsDataLoader oidcConnectionsDataLoader
The IOidcConnectionsDataLoader for the UserAuthority.
async ValueTask< AuthorityResponse< UpdatedUser > > UpdatedUserResponse(Security.IAuthorizationService authorizationService, User user, HttpSuccessResponse successResponse)
Create the AuthorityResponse<TResult> for an UpdatedUser.
readonly ICryptographySuite cryptographySuite
The ICryptographySuite for the UserAuthority.
ValueTask SendUserUpdatedTopics(User user)
Send topics through the topicEventSender indicating a given user was created or updated.
readonly IOptionsSnapshot< SecurityConfiguration > securityConfigurationOptions
The IOptionsSnapshot<TOptions> of SecurityConfiguration for the UserAuthority.
readonly IUsersDataLoader usersDataLoader
The IUsersDataLoader for the UserAuthority.
RequirementsGated< AuthorityResponse< UpdatedUser > > Update(UserUpdateRequest model, CancellationToken cancellationToken)
Updates a User.A RequirementsGated<TResult> AuthorityResponse<TResult> for the created UpdatedUser.
readonly IOAuthConnectionsDataLoader oAuthConnectionsDataLoader
The IOAuthConnectionsDataLoader for the UserAuthority.
Backend abstract implementation of IDatabaseContext.
DbSet< OAuthConnection > OAuthConnections
The OAuthConnections in the DatabaseContext.
DbSet< PermissionSet > PermissionSets
The PermissionSets in the DatabaseContext.
Task Save(CancellationToken cancellationToken)
Saves changes made to the IDatabaseContext.A Task representing the running operation.
DbSet< User > Users
The Users in the DatabaseContext.
DbSet< OidcConnection > OidcConnections
The OidcConnections in the DatabaseContext.
DbSet< UserGroup > Groups
The UserGroups in the DatabaseContext.
Represents a User that has been updated.
Represents a group of Users.
const string TgsSystemUserName
Username used when creating jobs automatically.
static string CanonicalizeName(string name)
Change a UserName.Name into a CanonicalName.
string? CanonicalName
The uppercase invariant of UserName.Name.
An conditional expression of TRights .
IAuthority for managing Users.
IDatabaseCollection< OidcConnection > OidcConnections
The DbSet<TEntity> for OidcConnections.
IDatabaseCollection< User > Users
The Users in the IDatabaseContext.
IDatabaseCollection< OAuthConnection > OAuthConnections
The DbSet<TEntity> for OAuthConnections.
Interface for accessing the current request's ClaimsPrincipal.
ClaimsPrincipal User
Get the current ClaimsPrincipal.
Contains various cryptographic functions.
Receives notifications about permissions updates.
ValueTask UserDisabled(User user, CancellationToken cancellationToken)
Called when a given User is successfully disabled.
Handles invalidating user sessions.
void UserModifiedInvalidateSessions(User user)
Invalidate all sessions for a given user .
Factory for ISystemIdentitys.
Task< ISystemIdentity?> CreateSystemIdentity(User user, CancellationToken cancellationToken)
Create a ISystemIdentity for a given user .
ErrorCode
Types of Response.ErrorMessageResponses that the API may return.
@ List
User may list files if the Models.Instance allows it.
InstanceManagerRights
Rights for managing Models.Instances.
AdministrationRights
Administration rights for the server.
@ Api
The ApiHeaders.ApiVersionHeader header is missing or invalid.
HttpFailureResponse
Indicates the type of HTTP status code an failing AuthorityResponse should generate.
HttpSuccessResponse
Indicates the type of HTTP status code a successful AuthorityResponse<TResult> should generate.
@ Enabled
The OAuth Gateway is enabled.