Microsoft.Bot.Connector.NetFramework/BotAuthentication.cs
1 using Newtonsoft.Json.Linq;
2 using System;
3 using System.Collections.Generic;
4 using System.Diagnostics;
5 using System.Linq;
6 using System.Net;
7 using System.Net.Http;
8 using System.Security.Claims;
9 using System.Threading;
10 using System.Threading.Tasks;
11 using System.Web;
12 using System.Web.Http.Controllers;
13 using System.Web.Http.Filters;
14 
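namespace Microsoft.Bot.Connector
{
    /// <summary>
    /// Web API action filter that authenticates an incoming Bot Framework request before the action executes.
    /// </summary>
    /// <remarks>
    /// The filter resolves an <see cref="ICredentialProvider"/> (see <see cref="GetCredentialProvider"/>), hands the
    /// request to <see cref="BotAuthenticator"/>, and answers unauthenticated requests with a 401 instead of running
    /// the action. Only after a successful authentication are the service URLs carried by the request's activities
    /// registered as trusted.
    /// </remarks>
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
    public class BotAuthentication : ActionFilterAttribute
    {
        /// <summary>
        /// Microsoft App Id given directly on the attribute. Only used when <see cref="MicrosoftAppPassword"/>
        /// is set as well (see <see cref="GetCredentialProvider"/>).
        /// </summary>
        public string MicrosoftAppId { get; set; }

        /// <summary>
        /// Microsoft App Password given directly on the attribute.
        /// </summary>
        /// <remarks>
        /// A literal value here puts the secret into source and into the compiled assembly. Prefer
        /// <see cref="MicrosoftAppPasswordSettingName"/> so the password is read from configuration instead.
        /// </remarks>
        public string MicrosoftAppPassword { get; set; }

        /// <summary>
        /// Name of the configuration setting holding the App Id. Left null, the settings provider falls back
        /// to its default setting name.
        /// </summary>
        public string MicrosoftAppIdSettingName { get; set; }

        /// <summary>
        /// Name of the configuration setting holding the App Password. Left null, the settings provider falls back
        /// to its default setting name.
        /// </summary>
        public string MicrosoftAppPasswordSettingName { get; set; }

        /// <summary>
        /// When true, emulator-issued tokens are rejected. Defaults to false, i.e. emulator tokens are accepted.
        /// The value is passed unchanged to <see cref="BotAuthenticator"/>.
        /// NOTE(review): confirm that accepting emulator tokens is acceptable for production deployments of this bot.
        /// </summary>
        public bool DisableEmulatorTokens { get; set; }

        /// <summary>
        /// Optional type implementing <see cref="ICredentialProvider"/>; it must have a public parameterless
        /// constructor. When set, it takes precedence over every other credential property on this attribute.
        /// </summary>
        public Type CredentialProviderType { get; set; }

        /// <summary>
        /// OpenID metadata URL handed to <see cref="BotAuthenticator"/>. Defaults to the channel-to-bot document.
        /// Overriding it changes which metadata document (and presumably which signing keys) incoming tokens are
        /// validated against, so it must only ever point at a trusted issuer.
        /// </summary>
        public virtual string OpenIdConfigurationUrl { get; set; } = JwtConfig.ToBotFromChannelOpenIdMetadataUrl;

        /// <summary>
        /// Authenticates the request; on failure sets a 401 response and stops the pipeline, on success trusts the
        /// service URLs of the bound activities and continues with the base filter.
        /// </summary>
        /// <param name="actionContext">The Web API action context for the current request.</param>
        /// <param name="cancellationToken">Token used to cancel the authentication call.</param>
        public override async Task OnActionExecutingAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
        {
            var credentials = GetCredentialProvider();
            var authenticator = new BotAuthenticator(credentials, OpenIdConfigurationUrl, DisableEmulatorTokens);
            var identity = await authenticator.TryAuthenticateAsync(actionContext.Request, cancellationToken);

            if (!identity.Authenticated)
            {
                // Assigning Response short-circuits the action; the base filter is deliberately not invoked.
                actionContext.Response = BotAuthenticator.GenerateUnauthorizedResponse(actionContext.Request);
                return;
            }

            // Service URLs are only trusted once the caller has proven who it is.
            authenticator.TrustServiceUrls(identity, GetActivities(actionContext));
            await base.OnActionExecutingAsync(actionContext, cancellationToken);
        }

        /// <summary>
        /// Collects the activities bound to the action: typed <see cref="Activity"/> arguments first, otherwise any
        /// raw <see cref="JObject"/>/<see cref="JArray"/> arguments converted to activities.
        /// </summary>
        /// <param name="actionContext">The action context whose bound arguments are inspected.</param>
        /// <returns>The activities found; an empty list when none of the arguments match.</returns>
        private IList<Activity> GetActivities(HttpActionContext actionContext)
        {
            var arguments = actionContext.ActionArguments.Values;

            // Preferred path: the action already bound one or more Activity parameters.
            var activities = arguments.OfType<Activity>().ToList();
            if (activities.Count > 0)
            {
                return activities;
            }

            // Fallback: the action accepts raw JSON; deserialize each JObject / JArray argument.
            foreach (var argument in arguments)
            {
                var single = argument as JObject;
                if (single != null)
                {
                    activities.Add(single.ToObject<Activity>());
                    continue;
                }

                var many = argument as JArray;
                if (many != null)
                {
                    activities.AddRange(many.ToObject<Activity[]>());
                }
            }

            return activities;
        }

        /// <summary>
        /// Chooses the credential provider: <see cref="CredentialProviderType"/> first, then the raw
        /// <see cref="MicrosoftAppId"/>/<see cref="MicrosoftAppPassword"/> pair, then the settings-based provider.
        /// </summary>
        /// <returns>The resolved <see cref="ICredentialProvider"/>.</returns>
        /// <exception cref="ArgumentNullException">
        /// <see cref="CredentialProviderType"/> is set but does not produce an <see cref="ICredentialProvider"/>.
        /// </exception>
        private ICredentialProvider GetCredentialProvider()
        {
            if (CredentialProviderType != null)
            {
                // Highest precedence: a caller-supplied type, created through its parameterless constructor.
                // (A type without one makes Activator throw MissingMethodException before we get here.)
                var provider = Activator.CreateInstance(CredentialProviderType) as ICredentialProvider;
                if (provider == null)
                {
                    // Use the (paramName, message) overload: the single-string constructor treats its argument as
                    // the parameter name, which turned the explanation below into a misleading "Parameter name: ..." suffix.
                    throw new ArgumentNullException(
                        nameof(CredentialProviderType),
                        $"The CredentialProviderType {CredentialProviderType.Name} couldn't be instantiated with no params or doesn't implement ICredentialProvider");
                }

                return provider;
            }

            if (MicrosoftAppId != null && MicrosoftAppPassword != null)
            {
                // Raw values embedded in the attribute.
                return new StaticCredentialProvider(MicrosoftAppId, MicrosoftAppPassword);
            }

            // Setting names, or the provider's default names when none were given.
            // NOTE(review): a half-configured pair (only one of MicrosoftAppId / MicrosoftAppPassword set) is silently
            // ignored and falls through to here; consider surfacing that as a configuration error.
            return new SettingsCredentialProvider(MicrosoftAppIdSettingName, MicrosoftAppPasswordSettingName);
        }
    }
}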