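/// <summary>
/// Reads the configured authorization mechanism, checks it against the already-registered
/// <see cref="AuthenticationOptions"/>, and registers <see cref="AuthorizationOptions"/> together with
/// the mechanism-specific options object (SAML2 or ActiveDirectory).
/// </summary>
/// <param name="services">The service collection being configured; the authentication options must already be registered on it.</param>
/// <param name="config">The application configuration that the authorization sections are read from.</param>
/// <returns>The same <paramref name="services"/> instance, for chaining.</returns>
/// <exception cref="ArgumentNullException"><paramref name="services"/> or <paramref name="config"/> is null.</exception>
/// <exception cref="LeafConfigurationException">
/// The authorization mechanism is incompatible with the authentication mechanism, its configuration section is
/// missing or invalid, or the mechanism is not one this method knows how to configure.
/// </exception>
static IServiceCollection ConfigureAuthorizationOptions(this IServiceCollection services, IConfiguration config)
{
    if (services is null)
    {
        throw new ArgumentNullException(nameof(services));
    }
    if (config is null)
    {
        throw new ArgumentNullException(nameof(config));
    }

    // A throwaway provider is the only way to read the authentication options registered earlier in
    // startup. It is disposed when this method returns so the instances it created do not outlive it;
    // the logger is only used inside this scope for the same reason.
    using (var sp = services.BuildServiceProvider())
    {
        var log = sp.GetRequiredService<ILogger<Startup>>();
        var authentication = sp.GetRequiredService<IOptions<AuthenticationOptions>>().Value;
        var authorization = new AuthorizationOptions().WithMechanism(config.GetValue<string>(Config.Authorization.Mechanism));

        services.Configure<AuthorizationOptions>(opts =>
        {
            opts.Mechanism = authorization.Mechanism;
        });

        switch (authorization.Mechanism)
        {
            case AuthorizationMechanism.Unsecured:
                // Unsecured authorization is only meaningful on top of unsecured authentication.
                if (!authentication.IsUnsecured)
                {
                    throw new LeafConfigurationException($"{AuthorizationOptions.Unsecured} authorization mechanism is only supported if {Config.Authentication.Mechanism} is also {AuthenticationOptions.Unsecured}");
                }
                log.LogCritical("UNSECURED authorization detected, Leaf is not secured by authorization!");
                ThrowInvalidUnsecuredEnvironment();
                break;

            case AuthorizationMechanism.Saml2:
                // SAML2 roles/headers are only available when authentication is SAML2 as well.
                if (!authentication.IsSaml2)
                {
                    throw new LeafConfigurationException($"{AuthorizationOptions.Saml2} authorization mechanism is only supported if {Config.Authentication.Mechanism} is also {AuthenticationOptions.Saml2}");
                }
                if (!config.TryBind<SAML2AuthorizationOptions>(Config.Authorization.Saml2, out var saml2))
                {
                    throw new LeafConfigurationException("SAML2 authorization mechanism is missing a complete SAML2 configuration object");
                }
                Config.ThrowIfInvalid(saml2);
                services.Configure<SAML2AuthorizationOptions>(opts =>
                {
                    opts.RolesMapping = saml2.RolesMapping;
                    opts.HeadersMapping = saml2.HeadersMapping;
                });
                break;

            case AuthorizationMechanism.ActiveDirectory:
                // Directory-backed authorization needs an authenticated identity to look up.
                if (authentication.IsUnsecured)
                {
                    throw new LeafConfigurationException("ActiveDirectory authorization mechanism is not compatible with Unsecured authentication");
                }
                if (!config.TryBind<ActiveDirectoryAuthorizationOptions>(Config.Authorization.ActiveDirectory, out var ad))
                {
                    throw new LeafConfigurationException("ActiveDirectory authorization mechanism is missing an ActiveDirectory configuration section");
                }
                Config.ThrowIfInvalid(ad);
                services.Configure<ActiveDirectoryAuthorizationOptions>(opts =>
                {
                    opts.DomainConnection = ad.DomainConnection;
                    opts.RolesMapping = ad.RolesMapping;
                });
                break;

            default:
                // A mechanism this method does not handle must fail startup rather than silently leaving
                // the application with no authorization configuration at all.
                throw new LeafConfigurationException($"Unsupported authorization mechanism: {authorization.Mechanism}");
        }
    }

    return services;
}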