Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 3 additions & 7 deletions src/Gemstone.Security/AccessControl/ResourceAccessType.cs
Original file line number Diff line number Diff line change
Expand Up @@ -94,21 +94,17 @@ public static bool HasAccessTo(this ClaimsPrincipal user, string resourceType, s
{
ThrowIfNotValid(access);

const string AllowClaim = "Gemstone.ResourceAccess.Allow";
const string DenyClaim = "Gemstone.ResourceAccess.Deny";
const string BaseClaim = "Gemstone.ResourceAccess.Default";

if (access == ResourceAccessType.None)
return false;

string claimValue = $"{resourceType} {resourceName} {access}";

bool IsDenied() =>
user.HasClaim(DenyClaim, claimValue);
user.HasClaim(GemstoneClaimTypes.DenyClaim, claimValue);

bool IsAllowed() =>
user.HasClaim(AllowClaim, claimValue) ||
user.HasClaim(BaseClaim, $"{access}");
user.HasClaim(GemstoneClaimTypes.AllowClaim, claimValue) ||
user.HasClaim(GemstoneClaimTypes.BaseClaim, $"{access}");

return !IsDenied() && IsAllowed();
}
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
//******************************************************************************************************
// APIAUthenticationProvider.cs - Gbtc
//
// Copyright © 2026, Grid Protection Alliance. All Rights Reserved.
//
// Licensed to the Grid Protection Alliance (GPA) under one or more contributor license agreements. See
// the NOTICE file distributed with this work for additional information regarding copyright ownership.
// The GPA licenses this file to you under the MIT License (MIT), the "License"; you may not use this
// file except in compliance with the License. You may obtain a copy of the License at:
//
// http://opensource.org/licenses/MIT
//
// Unless agreed to in writing, the subject software distributed under the License is distributed on an
// "AS-IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. Refer to the
// License for the specific language governing permissions and limitations.
//
// Code Modification History:
// ----------------------------------------------------------------------------------------------------
// 07/09/2026 - C. Lackner
// Generated original version of source code.
//
//******************************************************************************************************

using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

namespace Gemstone.Security.AuthenticationProviders;

/// <summary>
/// Options for the <see cref="APIAuthenticationProvider"/> class.
/// </summary>
public class APIAuthenticationProviderOptions
{
/// <summary>
/// Function that validates a Token
/// </summary>
public Func<string, APIToken?>? ValidateToken { get; set; }

}

public class APIToken
{
public string Name { get; set; }
public DateTime Expiration { get; set; }

public Claim[] Claims { get; set; }
}


public class APIAuthenticationProvider
{
private readonly RequestDelegate _next;
private readonly APIAuthenticationProviderOptions Settings;
public APIAuthenticationProvider(RequestDelegate next, APIAuthenticationProviderOptions options)
{
_next = next;
Settings = options;
}
public async Task InvokeAsync(HttpContext context)
{
if (context.Request.Headers.TryGetValue("Authorization", out var authHeader))
{
string bearerToken = authHeader.ToString();

if (bearerToken.StartsWith("Bearer ", System.StringComparison.OrdinalIgnoreCase))
{
string token = bearerToken.Substring("Bearer ".Length).Trim();
APIToken? resolvedToken = Settings.ValidateToken?.Invoke(token);
if (resolvedToken == null || resolvedToken.Expiration < DateTime.UtcNow)
{
await _next(context);
return;
}
ClaimsIdentity identity = new("APIAuthentication");
identity.AddClaim(new(ClaimTypes.Name, resolvedToken.Name));
identity.AddClaims(resolvedToken.Claims);
context.User = new(identity);
await _next(context);
}
}
}
}

Original file line number Diff line number Diff line change
Expand Up @@ -96,21 +96,20 @@ public IEnumerable<string> GetProviderIdentities()

public IEnumerable<Claim> GetAssignedClaims(string providerIdentity, ClaimsPrincipal principal)
{
const string ProviderIdentityClaim = "Gemstone.ProviderIdentity";
const string UserIdentityClaim = "Gemstone.UserIdentity";

IAuthenticationProvider? provider = ProviderLookup(providerIdentity);

if (provider is null)
return [];

string userIdentity = provider.GetIdentity(principal);

IEnumerable<Claim> providerClaims = Setup
.GetProviderClaims(providerIdentity)
.Join(principal.Claims, ToKey, ToKey, (providerClaim, _) => providerClaim.Assigned)
.Prepend(new(UserIdentityClaim, userIdentity))
.Prepend(new(ProviderIdentityClaim, providerIdentity));
IEnumerable<Claim> principalClaims = principal.Claims
.Append(new(GemstoneClaimTypes.AllUsers,string.Empty));

IEnumerable<Claim> providerClaims = Setup.GetProviderClaims(providerIdentity)
.Join(principalClaims, ToKey, ToKey, (providerClaim, _) => providerClaim.Assigned)
.Prepend(new(GemstoneClaimTypes.UserIdentity, userIdentity))
.Prepend(new(GemstoneClaimTypes.ProviderIdentity, providerIdentity));

return providerClaims;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,7 @@ public string GetIdentity(ClaimsPrincipal principal)
.Claims
.Select(claim => claim.Type)
.Distinct()
.Select(type => new ClaimType(type)).Prepend(new ClaimType("Gemstone.AllUsers")).ToArray();
.Select(type => new ClaimType(type)).ToArray();

string? identity = principal
.FindFirst(Options.UserIdClaim ?? "sub")?
Expand Down Expand Up @@ -158,7 +158,7 @@ private static ClaimType[] ClaimTypes
{
get;
set;
} = [new ClaimType("Gemstone.AllUsers")];
} = [new ClaimType(GemstoneClaimTypes.AllUsers), new (GemstoneClaimTypes.UserIdentity)];

// Static Methods

Expand Down
63 changes: 63 additions & 0 deletions src/Gemstone.Security/GemstoneClaimTypes.cs
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
//******************************************************************************************************
// GemstoneClaimTypes.cs - Gbtc
//
// Copyright © 2026, Grid Protection Alliance. All Rights Reserved.
//
// Licensed to the Grid Protection Alliance (GPA) under one or more contributor license agreements. See
// the NOTICE file distributed with this work for additional information regarding copyright ownership.
// The GPA licenses this file to you under the MIT License (MIT), the "License"; you may not use this
// file except in compliance with the License. You may obtain a copy of the License at:
//
// http://opensource.org/licenses/MIT
//
// Unless agreed to in writing, the subject software distributed under the License is distributed on an
// "AS-IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. Refer to the
// License for the specific language governing permissions and limitations.
//
// Code Modification History:
// ----------------------------------------------------------------------------------------------------
// 10/16/2019 - J. Ritchie Carroll
// Generated original version of source code.
//
//******************************************************************************************************

using System.Runtime.CompilerServices;

namespace Gemstone.Security
{
/// <summary>
/// The Claim Types used bu the <see cref="Gemstone.Security"/> namespace
/// </summary>
public static class GemstoneClaimTypes
{
/// <summary>
/// Holds the unique identifier for the User.
/// </summary>
public const string UserIdentity = "Gemstone.UserIdentity";
/// <summary>
/// Holds the unique identifier for the Authentication Provider.
/// </summary>
public const string ProviderIdentity = "Gemstone.ProviderIdentity";

/// <summary>
/// Is used in Matrching Claims to match any user, regardless of claims they have
/// </summary>
public const string AllUsers = "Gemstone.AllUsers";

/// <summary>
/// Allows a user to access a resource.
/// </summary>
public const string AllowClaim = "Gemstone.ResourceAccess.Allow";

/// <summary>
/// Denies a user access to a resource.
/// </summary>
public const string DenyClaim = "Gemstone.ResourceAccess.Deny";

/// <summary>
/// Allows access to the value as the default access level.
/// </summary>
public const string BaseClaim = "Gemstone.ResourceAccess.Default";

}
}