public Response <bool> Authorise(ClaimsPrincipal claimsPrincipal, List <string> routeAllowedScopes)
{
if (routeAllowedScopes == null || routeAllowedScopes.Count == 0)
{
return(new OkResponse <bool>(true));
}
var values = _claimsParser.GetValuesByClaimType(claimsPrincipal.Claims, _scope);
if (values.IsError)
{
return(new ErrorResponse <bool>(values.Errors));
}
var userScopes = values.Data;
var matchesScopes = routeAllowedScopes.Intersect(userScopes).ToList();
if (matchesScopes.Count == 0)
{
return(new ErrorResponse <bool>(
new ScopeNotAuthorisedError($"no one user scope: '{string.Join(",", userScopes)}' match with some allowed scope: '{string.Join(",", routeAllowedScopes)}'")));
}
return(new OkResponse <bool>(true));
}
public bool Authorise(HttpContext httpContext)
{
if (!_loaded && _permissionRepository.Permissions.Count == 0)
{
_permissionRepository.Get();
}
_loaded = true;
var permission = _permissionRepository.Permissions
.FirstOrDefault(it => string.Equals(it.Path, httpContext.Request.Path, StringComparison.CurrentCultureIgnoreCase) && it.Method == httpContext.Request.Method);
if (permission == null)
{
return(true);
}
var values = _claimsParser.GetValuesByClaimType(httpContext.User.Claims, _scope);
var matchesScopes = permission.Scope.Intersect(values).ToList();
if (matchesScopes.Count == 0)
{
return(false);
}
return(true);
}
public Response <bool> Authorise(ClaimsPrincipal claimsPrincipal, Dictionary <string, string> routeClaimsRequirement)
{
foreach (var required in routeClaimsRequirement)
{
var values = _claimsParser.GetValuesByClaimType(claimsPrincipal.Claims, required.Key);
if (values.IsError)
{
return(new ErrorResponse <bool>(values.Errors));
}
if (values.Data != null)
{
var authorised = values.Data.Contains(required.Value);
if (!authorised)
{
return(new ErrorResponse <bool>(new List <Error>
{
new ClaimValueNotAuthorisedError(
$"claim value: {values.Data} is not the same as required value: {required.Value} for type: {required.Key}")
}));
}
}
else
{
return(new ErrorResponse <bool>(new List <Error>
{
new UserDoesNotHaveClaimError($"user does not have claim {required.Key}")
}));
}
}
return(new OkResponse <bool>(true));
}
public Response <bool> Authorise(
ClaimsPrincipal claimsPrincipal,
Dictionary <string, string> routeClaimsRequirement,
List <PlaceholderNameAndValue> urlPathPlaceholderNameAndValues
)
{
foreach (var required in routeClaimsRequirement)
{
var values = _claimsParser.GetValuesByClaimType(claimsPrincipal.Claims, required.Key);
if (values.IsError)
{
return(new ErrorResponse <bool>(values.Errors));
}
if (values.Data != null)
{
// dynamic claim
var match = Regex.Match(required.Value, @"^{(?<variable>.+)}$");
if (match.Success)
{
var variableName = match.Captures[0].Value;
var matchingPlaceholders = urlPathPlaceholderNameAndValues.Where(p => p.Name.Equals(variableName)).Take(2).ToArray();
if (matchingPlaceholders.Length == 1)
{
// match
var actualValue = matchingPlaceholders[0].Value;
var authorised = values.Data.Contains(actualValue);
if (!authorised)
{
return(new ErrorResponse <bool>(new ClaimValueNotAuthorisedError(
$"dynamic claim value for {variableName} of {string.Join(", ", values.Data)} is not the same as required value: {actualValue}")));
}
}
else
{
// config error
if (matchingPlaceholders.Length == 0)
{
return(new ErrorResponse <bool>(new ClaimValueNotAuthorisedError(
$"config error: requires variable claim value: {variableName} placeholders does not contain that variable: {string.Join(", ", urlPathPlaceholderNameAndValues.Select(p => p.Name))}")));
}
else
{
return(new ErrorResponse <bool>(new ClaimValueNotAuthorisedError(
$"config error: requires variable claim value: {required.Value} but placeholders are ambiguous: {string.Join(", ", urlPathPlaceholderNameAndValues.Where(p => p.Name.Equals(variableName)).Select(p => p.Value))}")));
}
}
}
else
{
// static claim
var authorised = values.Data.Contains(required.Value);
if (!authorised)
{
return(new ErrorResponse <bool>(new ClaimValueNotAuthorisedError(
$"claim value: {string.Join(", ", values.Data)} is not the same as required value: {required.Value} for type: {required.Key}")));
}
}
}
else
{
return(new ErrorResponse <bool>(new UserDoesNotHaveClaimError($"user does not have claim {required.Key}")));
}
}
return(new OkResponse <bool>(true));
}