
Authentication cannot be restricted since $User & $ClaimsPrinciple $Null #208

Status: Closed
itfranck opened this issue Jun 5, 2018 · 4 comments
Labels: enhancement (New feature or request), enterprise
Milestone: 2.0.0

itfranck (Contributor) commented Jun 5, 2018

The $ClaimsPrinciple is null when loading the dashboard.
That means any user signing in through the same provider as me can view the dashboard.

I would think that the $ClaimsPrinciple (and $User) needs to be available first thing so we can validate claims before displaying anything.

Maybe this could be a -ClaimsValidationScript parameter on New-UDDashboard, so you can prevent anyone unauthorized from even seeing a glimpse of the background color chosen, or just by having the variables available in the main Content scriptblock.

Problem summary
Using a provider to restrict the dashboard still allows everyone who has an account with the provider to log in to the dashboard. Since $ClaimsPrinciple/$User are not available in the main Content scriptblock, anybody with an account at the provider can enter the dashboard.

Proposed modification
$ClaimsPrinciple (particularly) and $User should be available in the dashboard's main Content scriptblock. Alternatively, a -AuthenticationValidationScript parameter for Start-UDDashboard, with access to these variables and executed before the content is even accessed, would allow us to validate the user's claims principal.

My Configuration when I encountered the error

  • Latest version (1.6.1)
  • Deployed on IIS
  • Using authentication with Microsoft Provider
itfranck (Contributor, Author) commented Jun 5, 2018

By using the -Endpoint block of the UDPage and then using the -Pages parameter of New-UDDashboard instead of -Content, I am able to make this work.

It would still be optimal if the validation script could occur before even the Content scriptblock, so we wouldn't be forced to use the Endpoint block (which does more stuff and is therefore slower to display anything).

Here's a working sample for anyone having the same question as me and looking for a resolution.

$PageMain = New-UDPage -Url "/home" -Endpoint {
    # Pull the e-mail address claim from the signed-in principal and normalise its case
    $UID = "$(($ClaimsPrinciple.claims | where type -like '*emailaddress' ).Value.ToLower())"
    $AllowedUsers = @('Myuser@MyDomain.com')

    # Deny anyone whose e-mail is not on the allow-list.
    # -notcontains compares case-insensitively; the .NET .Contains() method does not,
    # so it would never match the lower-cased $UID against a mixed-case entry.
    if ($AllowedUsers -notcontains $UID) {
        #$Response.Redirect('https://login.microsoftonline.com/logout.srf')  # Not working due to CORS
        throw 'Unauthorized'
    }
    New-UDCard -Title "Page" -Id "PageCard" -Text "$UID"
}

timd19 commented Jun 6, 2018

Agreed, having a more granular way of restricting access to the dashboard to specific users would be useful. Also, the ability to restrict access to specific pages. Example: Group A has access to pages 1-3, whereas Group B has access to pages 1, 4, 5, etc.

@adamdriscoll adamdriscoll added this to the 2.0.0 milestone Jul 19, 2018
@adamdriscoll adamdriscoll added enhancement New feature or request enterprise labels Jul 19, 2018
acr-varonis commented

@adamdriscoll is it a bug that on pages that use -Content, $User is $null?

adamdriscoll (Member) commented

This has been implemented in 2.0. You will be able to define authorization policies and assign them to endpoints and pages. If a user meets the criteria you specify, they will be able to see the page and/or use the endpoints. The pages that aren't authorized won't show up in the menu, and you won't be able to navigate to them by typing in the URL.

You'll be able to do the following for both static (Content) and dynamic (Endpoint) pages.

$AuthenticationMethod = New-UDAuthenticationMethod -Endpoint {
    param([PSCredential]$Credential)

    # Authentication: only the user name "Adam" is accepted
    if ($Credential.UserName -eq "Adam") {
        New-UDAuthenticationResult -UserName "Adam" -Success
    } else {
        New-UDAuthenticationResult -ErrorMessage "You're not Adam!!"
    }
}

# Authorization policies need to return true or false
$AuthorizationPolicy = New-UDAuthorizationPolicy -Name "Policy" -Endpoint {
    param($User)

    $User.HasClaim("My Claim", "My Value")
}

$AuthorizationPolicy2 = New-UDAuthorizationPolicy -Name "Policy2" -Endpoint {
    param($User)

    $true
}

# Policies are registered on the login page and referenced by name from pages/endpoints
$LoginPage = New-UDLoginPage -AuthenticationMethod $AuthenticationMethod -AuthorizationPolicy @($AuthorizationPolicy, $AuthorizationPolicy2)

$dashboard = New-UDDashboard -Title "Test" -LoginPage $LoginPage -Pages @(
    # Static (Content) page, visible to anyone who satisfies "Policy2" (always true here)
    New-UDPage -Name "Home" -Content {
        New-UDHeading -Text "Home" -Id "Home"
    } -AuthorizationPolicy "Policy2"

    # This page and its endpoint require "Policy" (the claim check)
    New-UDPage -Name "Settings" -Content {
        New-UDHeading -Text "Settings" -Id "Settings"

        New-UDElement -Tag "div" -Id "myEndpoint" -Endpoint {
            "Test"
        }
    } -AuthorizationPolicy "Policy"
)
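An added example, not from this issue or the Universal Dashboard project, of a 2.0-style policy in the shape shown in the comment above that enforces the e-mail allow-list itfranck's Endpoint workaround hard-codes, and that fails closed when the principal is $null (the situation this issue reports). It assumes $User is a System.Security.Claims.ClaimsPrincipal, that the policy scriptblock cannot see script-scope variables (so every value is inline), that $AuthenticationMethod is the one defined in the sample above, and the allow-listed address is a constructed placeholder.

```powershell
# Added example (not from this issue or the Universal Dashboard project).
# Assumes the 2.0 policy API shown above: $User is a System.Security.Claims.ClaimsPrincipal
# and the scriptblock runs without access to script-scope variables, so everything is inline.

$AllowListPolicy = New-UDAuthorizationPolicy -Name 'AllowList' -Endpoint {
    param($User)

    # Standard .NET ClaimTypes.Email URI, the same claim the '*emailaddress' wildcard above matched
    $emailClaimType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

    # Constructed allow-list (placeholder address)
    $allowedUsers = @('myuser@example.com')

    # Fail closed: a missing principal is exactly the $null case this issue reports,
    # and it must deny rather than fall through to the page content.
    if ($null -eq $User) { return $false }

    # A missing or empty e-mail claim is also a denial, not an exception
    $claim = $User.FindFirst($emailClaimType)
    if ($null -eq $claim -or [string]::IsNullOrWhiteSpace($claim.Value)) { return $false }

    # -contains compares case-insensitively, unlike the .NET .Contains() method;
    # the policy must evaluate to exactly $true or $false
    [bool]($allowedUsers -contains $claim.Value.Trim())
}

# Register the policy on the login page; $AuthenticationMethod is the one from the sample above
$LoginPage = New-UDLoginPage -AuthenticationMethod $AuthenticationMethod -AuthorizationPolicy @($AllowListPolicy)

# A static (Content) page is now gated by the policy, so nothing renders for non-listed users
$Dashboard = New-UDDashboard -Title 'Restricted' -LoginPage $LoginPage -Pages @(
    New-UDPage -Name 'Home' -Content {
        New-UDHeading -Text 'Only allow-listed users see this' -Id 'Home'
    } -AuthorizationPolicy 'AllowList'
)
```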
