Code Refactoring

Shama-K · Shama-K · commit 5813ff21a0ba · 2020-09-22T13:00:17.000-07:00
diff --git a/5-WebApp-AuthZ/5-2-Groups/Infrastructure/CustomAuthorization.cs b/5-WebApp-AuthZ/5-2-Groups/Infrastructure/CustomAuthorization.cs
@@ -5,8 +5,15 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
+using WebApp_OpenIDConnect_DotNet.Services;
+
 namespace WebApp_OpenIDConnect_DotNet.Infrastructure
 {
+    /// <summary>
+    /// GroupPolicyHandler represents Policy-based authorization.
+    /// GroupPolicyHandler evaluates the GroupPolicyRequirement against AuthorizationHandlerContext 
+    /// to determine if authorization is allowed.
+    /// </summary>
     public class GroupPolicyHandler : AuthorizationHandler<GroupPolicyRequirement>
     {
         private IHttpContextAccessor _httpContextAccessor;
@@ -15,35 +22,29 @@ public GroupPolicyHandler(IHttpContextAccessor httpContextAccessor)
         {
             _httpContextAccessor = httpContextAccessor;
         }
+
+        /// <summary>
+        /// Makes a decision if authorization is allowed based on GroupPolicyRequirement.
+        /// </summary>
+        /// <param name="context"></param>
+        /// <param name="requirement"></param>
+        /// <returns></returns>
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                    GroupPolicyRequirement requirement)
         {
-            // Checks if groups claim exists in claims collection of signed-in User.
-            if (context.User.Claims.Any(x => x.Type == "groups"))
+            // Calls method to check if requirement exists in user claims or session.
+            if (GraphHelper.CheckUsersGroupMembership(context, requirement.GroupName, _httpContextAccessor))
             {
-                if (context.User.Claims.Any(x => x.Type == "groups" && x.Value == requirement.GroupName))
-                {
-                    context.Succeed(requirement);
-                }
-                return Task.CompletedTask;
-            }
-
-            // Checks if Session contains data for groupClaims.
-            // The data will exist for 'Group Overage' claim.
-            else if (_httpContextAccessor.HttpContext.Session.Keys.Contains("groupClaims"))
-            {
-                // Retrieves all the groups saved in Session.
-                var groups = _httpContextAccessor.HttpContext.Session.GetAsByteArray("groupClaims") as List<string>;
-
-                // Checks if required group exists in Session.
-                if (groups?.Count > 0 && groups.Contains(requirement.GroupName))
-                {
-                    context.Succeed(requirement);
-                }
+                context.Succeed(requirement);
             }
             return Task.CompletedTask;
         }
     }
+
+    /// <summary>
+    /// GroupPolicyRequirement contains data parameter that 
+    /// GroupPolicyHandler uses to evaluate against the current user principal or session data.
+    /// </summary>
     public class GroupPolicyRequirement : IAuthorizationRequirement
     {
         public string GroupName { get; }
diff --git a/5-WebApp-AuthZ/5-2-Groups/Services/MicrosoftGraph-Rest/GraphHelper.cs b/5-WebApp-AuthZ/5-2-Groups/Services/MicrosoftGraph-Rest/GraphHelper.cs
@@ -1,4 +1,6 @@
 ﻿using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Graph;
 using System;
@@ -14,86 +16,134 @@ namespace WebApp_OpenIDConnect_DotNet.Services
     public class GraphHelper
     {
         /// <summary>
-        /// This method inspects the claims collection created from the ID or Access token issued to a user and returns the groups that are present in the token . If it detects groups overage,
-        /// the method then makes calls to Microsoft Graph to fetch the group membership of the authenticated user.
+        /// This method inspects the claims collection created from the ID or Access token issued to a user and returns the groups that are present in the token.
+        /// If groups claims are already present in Session then it returns the list of groups by calling GetSessionGroupList method.
+        /// If it detects groups overage, the method then makes calls to ProcessUserGroupsForOverage method.
         /// </summary>
         /// <param name="context">TokenValidatedContext</param>
         public static async Task<List<string>> GetSignedInUsersGroups(TokenValidatedContext context)
         {
             List<string> groupClaims = new List<string>();
 
+            // 
+            groupClaims = GetSessionGroupList(context.HttpContext.Session);
+            if (groupClaims?.Count>0)
+            {
+                return groupClaims;
+            }
+            // Checks if the incoming token contained a 'Group Overage' claim.
+            else if (HasOverageOccurred(context.Principal))
+            {
+                groupClaims= await ProcessUserGroupsForOverage(context);
+            }
+            return groupClaims;
+        }
+
+        /// <summary>
+        /// Retrieves all the groups saved in Session.
+        /// </summary>
+        /// <param name="_httpContextSession"></param>
+        /// <returns></returns>
+        private static List<string> GetSessionGroupList(ISession _httpContextSession)
+        {
+            // Checks if Session contains data for groupClaims.
+            // The data will exist for 'Group Overage' claim.
+            if (_httpContextSession.Keys.Contains("groupClaims"))
+            {
+                return _httpContextSession.GetAsByteArray("groupClaims") as List<string>;
+            }
+            return null;
+        }
+
+        /// <summary>
+        /// Checks if 'Group Overage' claim exists for signed-in user.
+        /// </summary>
+        /// <param name="identity"></param>
+        /// <returns></returns>
+        private static bool HasOverageOccurred(ClaimsPrincipal identity)
+        {
+            return identity.Claims.Any(x => x.Type == "hasgroups" || (x.Type == "_claim_names" && x.Value == "{\"groups\":\"src1\"}"));
+        }
+
+
+        /// <summary>
+        /// This method is called for Groups overage scenario.
+        /// The method makes calls to Microsoft Graph to fetch the group membership of the authenticated user.
+        /// </summary>
+        /// <param name="context"></param>
+        /// <returns></returns>
+        static async Task<List<string>> ProcessUserGroupsForOverage(TokenValidatedContext context)
+        {
+            List<string> groupClaims = new List<string>();
             try
             {
-                // Checks if the incoming token contained a 'Group Overage' claim.
-                if (context.Principal.Claims.Any(x => x.Type == "hasgroups" || (x.Type == "_claim_names" && x.Value == "{\"groups\":\"src1\"}")))
+               
+                // Before instatntiating GraphServiceClient, the app should have granted admin consent for 'GroupMember.Read.All' permission.
+                var graphClient = context.HttpContext.RequestServices.GetService<GraphServiceClient>();
+
+                if (graphClient == null)
                 {
-                    // Before instatntiating GraphServiceClient, the app should have granted admin consent for 'GroupMember.Read.All' permission.
-                    var graphClient = context.HttpContext.RequestServices.GetService<GraphServiceClient>();
+                    Console.WriteLine("No service for type 'Microsoft.Graph.GraphServiceClient' has been registered in the Startup.");
+                }
 
-                    if (graphClient == null)
+                // Checks if the SecurityToken is not null.
+                // For the Web App, SecurityToken contains value of the ID Token.
+                else if (context.SecurityToken != null)
+                {
+                    // Checks if 'JwtSecurityTokenUsedToCallWebAPI' key already exists.
+                    // This key is required to acquire Access Token for Graph Service Client.
+                    if (!context.HttpContext.Items.ContainsKey("JwtSecurityTokenUsedToCallWebAPI"))
                     {
-                        Console.WriteLine("No service for type 'Microsoft.Graph.GraphServiceClient' has been registered in the Startup.");
+                        // For Web App, access token is retrieved using account identifier. But at this point account identifier is null.
+                        // So, SecurityToken is saved in 'JwtSecurityTokenUsedToCallWebAPI' key.
+                        // The key is then used to get the Access Token on-behalf of user.
+                        context.HttpContext.Items.Add("JwtSecurityTokenUsedToCallWebAPI", context.SecurityToken as JwtSecurityToken);
                     }
 
-                    // Checks if the SecurityToken is not null.
-                    // For the Web App, SecurityToken contains value of the ID Token.
-                    else if (context.SecurityToken != null)
-                    {
-                        // Checks if 'JwtSecurityTokenUsedToCallWebAPI' key already exists.
-                        // This key is required to acquire Access Token for Graph Service Client.
-                        if (!context.HttpContext.Items.ContainsKey("JwtSecurityTokenUsedToCallWebAPI"))
-                        {
-                            // For Web App, access token is retrieved using account identifier. But at this point account identifier is null.
-                            // So, SecurityToken is saved in 'JwtSecurityTokenUsedToCallWebAPI' key.
-                            // The key is then used to get the Access Token on-behalf of user.
-                            context.HttpContext.Items.Add("JwtSecurityTokenUsedToCallWebAPI", context.SecurityToken as JwtSecurityToken);
-                        }
+                    // The properties that we want to retrieve from MemberOf endpoint.
+                    string select = "id,displayName,onPremisesNetBiosName,onPremisesDomainName,onPremisesSamAccountNameonPremisesSecurityIdentifier";
 
-                        // The properties that we want to retrieve from MemberOf endpoint.
-                        string select = "id,displayName,onPremisesNetBiosName,onPremisesDomainName,onPremisesSamAccountNameonPremisesSecurityIdentifier";
+                    IUserMemberOfCollectionWithReferencesPage memberPage = new UserMemberOfCollectionWithReferencesPage();
+                    try
+                    {
+                        //Request to get groups and directory roles that the user is a direct member of.
+                        memberPage = await graphClient.Me.MemberOf.Request().Select(select).GetAsync().ConfigureAwait(false);
+                    }
+                    catch (Exception graphEx)
+                    {
+                        var exMsg = graphEx.InnerException != null ? graphEx.InnerException.Message : graphEx.Message;
+                        Console.WriteLine("Call to Microsoft Graph failed: " + exMsg);
+                    }
 
-                        IUserMemberOfCollectionWithReferencesPage memberPage = new UserMemberOfCollectionWithReferencesPage();
-                        try
-                        {
-                            //Request to get groups and directory roles that the user is a direct member of.
-                            memberPage = await graphClient.Me.MemberOf.Request().Select(select).GetAsync().ConfigureAwait(false);
-                        }
-                        catch (Exception graphEx)
-                        {
-                            var exMsg = graphEx.InnerException != null ? graphEx.InnerException.Message : graphEx.Message;
-                            Console.WriteLine("Call to Microsoft Graph failed: " + exMsg);
-                        }
+                    if (memberPage?.Count > 0)
+                    {
+                        // There is a limit to number of groups returned, below method make calls to Microsoft graph to get all the groups.
+                        var allgroups = ProcessIGraphServiceMemberOfCollectionPage(memberPage);
 
-                        if (memberPage?.Count > 0)
+                        if (allgroups?.Count > 0)
                         {
-                            // There is a limit to number of groups returned, below method make calls to Microsoft graph to get all the groups.
-                            var allgroups = ProcessIGraphServiceMemberOfCollectionPage(memberPage);
+                            var identity = (ClaimsIdentity)context.Principal.Identity;
 
-                            if (allgroups?.Count > 0)
+                            if (identity != null)
                             {
-                                var identity = (ClaimsIdentity)context.Principal.Identity;
-
-                                if (identity != null)
+                                // Checks if token is 'ID Token'. 
+                                // ID Token does not contain 'aapid' or 'azp' claims.
+                                // These claims exist for Access Token.
+                                if (!identity.Claims.Any(x => x.Type == "appid" || x.Type == "azp"))
                                 {
-                                    // Checks if token is 'ID Token'. 
-                                    // ID Token does not contain 'aapid' or 'azp' claims.
-                                    // These claims exist for Access Token.
-                                    if (!identity.Claims.Any(x => x.Type == "appid" || x.Type == "azp"))
+                                    // Re-populate the `groups` claim with the complete list of groups fetched from MS Graph
+                                    foreach (Group group in allgroups)
                                     {
-                                        // Re-populate the `groups` claim with the complete list of groups fetched from MS Graph
-                                        foreach (Group group in allgroups)
-                                        {
-                                            // The following code adds group ids to the 'groups' claim. But depending upon your reequirement and the format of the 'groups' claim selected in
-                                            // the app registration, you might want to add other attributes than id to the `groups` claim, examples being;
-
-                                            // For instance if the required format is 'NetBIOSDomain\sAMAccountName' then the code is as commented below:
-                                            // groupClaims.Add(group.OnPremisesNetBiosName+"\\"+group.OnPremisesSamAccountName));
-                                            groupClaims.Add(group.Id);
-                                        }
-
-                                        // Here we add the groups in a session variable that is used in authorization policy handler.
-                                        context.HttpContext.Session.SetAsByteArray("groupClaims", groupClaims);
+                                        // The following code adds group ids to the 'groups' claim. But depending upon your reequirement and the format of the 'groups' claim selected in
+                                        // the app registration, you might want to add other attributes than id to the `groups` claim, examples being;
+
+                                        // For instance if the required format is 'NetBIOSDomain\sAMAccountName' then the code is as commented below:
+                                        // groupClaims.Add(group.OnPremisesNetBiosName+"\\"+group.OnPremisesSamAccountName));
+                                        groupClaims.Add(group.Id);
                                     }
+
+                                    // Here we add the groups in a session variable that is used in authorization policy handler.
+                                    context.HttpContext.Session.SetAsByteArray("groupClaims", groupClaims);
                                 }
                             }
                         }
@@ -164,5 +214,34 @@ private static List<Group> ProcessIGraphServiceMemberOfCollectionPage(IUserMembe
             }
             return allGroups;
         }
+
+        /// <summary>
+        /// Checks if user is member of the required group.
+        /// </summary>
+        /// <param name="context"></param>
+        /// <param name="GroupName"></param>
+        /// <param name="_httpContextAccessor"></param>
+        /// <returns></returns>
+        public static bool CheckUsersGroupMembership(AuthorizationHandlerContext context, string GroupName, IHttpContextAccessor _httpContextAccessor)
+        {
+            bool result = false;
+            // Checks if groups claim exists in claims collection of signed-in User.
+            if(HasOverageOccurred(context.User))
+            {
+                // Calls method GetSessionGroupList to get groups from session.
+                var groups = GetSessionGroupList(_httpContextAccessor.HttpContext.Session);
+
+                // Checks if required group exists in Session.
+                if (groups?.Count > 0 && groups.Contains(GroupName))
+                {
+                    result = true;
+                }
+            }
+            else if (context.User.Claims.Any(x => x.Type == "groups" && x.Value == GroupName))
+            {
+                    result = true;
+            }
+            return result;
+        }
     }
 }
