94 lines
2.7 KiB
C#
94 lines
2.7 KiB
C#
// Copyright Epic Games, Inc. All Rights Reserved.
|
|
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.ComponentModel.DataAnnotations;
|
|
using System.Linq;
|
|
using System.Security.Claims;
|
|
using System.Text.Encodings.Web;
|
|
using System.Threading.Tasks;
|
|
using Microsoft.AspNetCore.Authentication;
|
|
using Microsoft.Extensions.Logging;
|
|
using Microsoft.Extensions.Options;
|
|
using Microsoft.Extensions.Primitives;
|
|
using Microsoft.Net.Http.Headers;
|
|
|
|
namespace Jupiter
|
|
{
|
|
class ServiceAccountAuthOptions : AuthenticationSchemeOptions
|
|
{
|
|
public class ServiceAccounts
|
|
{
|
|
[Required] public string Token { get; set; } = null!;
|
|
|
|
public List<string> Claims { get; set; } = new List<string>();
|
|
}
|
|
|
|
public List<ServiceAccounts> Accounts { get; set; } = new List<ServiceAccounts>();
|
|
}
|
|
|
|
class ServiceAccountAuthHandler : AuthenticationHandler<ServiceAccountAuthOptions>
|
|
{
|
|
private readonly IOptionsMonitor<ServiceAccountAuthOptions> _options;
|
|
public const string AuthenticationScheme = "ServiceAccount";
|
|
public const string Prefix = "ServiceAccount";
|
|
|
|
public ServiceAccountAuthHandler(IOptionsMonitor<ServiceAccountAuthOptions> options,
|
|
ILoggerFactory logger, UrlEncoder encoder)
|
|
: base(options, logger, encoder)
|
|
{
|
|
_options = options;
|
|
}
|
|
|
|
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
|
|
{
|
|
if (!Context.Request.Headers.TryGetValue(HeaderNames.Authorization, out StringValues headerValue))
|
|
{
|
|
return AuthenticateResult.NoResult();
|
|
}
|
|
|
|
if (headerValue.Count < 1)
|
|
{
|
|
return AuthenticateResult.NoResult();
|
|
}
|
|
|
|
string? header = headerValue[0];
|
|
if (string.IsNullOrEmpty(header))
|
|
{
|
|
return AuthenticateResult.NoResult();
|
|
}
|
|
|
|
if (!header.StartsWith(Prefix, StringComparison.Ordinal))
|
|
{
|
|
return AuthenticateResult.NoResult();
|
|
}
|
|
|
|
await Task.CompletedTask;
|
|
|
|
string token = header.Replace(Prefix, "", StringComparison.Ordinal).Trim();
|
|
ServiceAccountAuthOptions.ServiceAccounts? serviceAccount = _options.CurrentValue.Accounts.FirstOrDefault(account => account.Token == token);
|
|
if (serviceAccount == null)
|
|
{
|
|
return AuthenticateResult.Fail($"Service account for token {token} not found");
|
|
}
|
|
|
|
List<Claim> claims = new List<Claim>
|
|
{
|
|
new Claim(ClaimTypes.Name, AuthenticationScheme)
|
|
};
|
|
claims.Add(new Claim("sub", serviceAccount.Token));
|
|
foreach (string claim in serviceAccount.Claims)
|
|
{
|
|
string[] tokens = claim.Split(":", 2);
|
|
claims.Add(new Claim(tokens[0], tokens[1]));
|
|
}
|
|
|
|
ClaimsIdentity identity = new ClaimsIdentity(claims, Scheme.Name);
|
|
ClaimsPrincipal principal = new ClaimsPrincipal(identity);
|
|
AuthenticationTicket ticket = new AuthenticationTicket(principal, Scheme.Name);
|
|
|
|
return AuthenticateResult.Success(ticket);
|
|
}
|
|
}
|
|
}
|