/// <summary>
/// Convert an <see cref="ActivityAuthorizationSection"/> into a <see cref="AuthorizationScope"/>
/// </summary>
/// <param name="authorizationSection"></param>
/// <returns></returns>
public static AuthorizationScope ToAuthorizationScope(this ActivityAuthorizationSection authorizationSection)
{
var scope = new AuthorizationScope();
if (authorizationSection == null)
{
return(scope);
}
var activities = new List <Activity>();
for (var i = 0; i < authorizationSection.Activities.Count; i++)
{
var element = authorizationSection.Activities[i];
activities.Add(element.ToActivity());
}
scope.Name = authorizationSection.Name;
scope.DefaultAuthorization = authorizationSection.Default;
scope.DefaultActivity = authorizationSection.DefaultActivity;
scope.AllowUnauthenticated = authorizationSection.DefaultAllowUnauthenticated;
scope.Activities = activities;
return(scope);
}
/// <copydoc cref="IAuthorizationScopeProvider.AuthorizationScopeAsync" />
/// <remarks>Can potentially return duplicate <see cref="Activity"> if multiple providers supply the same activity</see></remarks>
public async Task <AuthorizationScope> AuthorizationScopeAsync(CancellationToken cancellationToken = default(CancellationToken))
{
var scope = new AuthorizationScope
{
Name = name
};
// Kick them all off
var tasks = providers.Select(provider => provider.AuthorizationScopeAsync(cancellationToken)).ToList();
// Wait to finish
var results = await Task.WhenAll(tasks).ConfigureAwait(false);
// Now aggregate them
var activities = new List <Activity>();
foreach (var result in results)
{
if (result == null)
{
// Ignore if we don't get anything
continue;
}
// Last one wins on the global properties
if (!string.IsNullOrEmpty(result.DefaultActivity))
{
scope.DefaultActivity = result.DefaultActivity;
}
if (result.DefaultAuthorization.HasValue)
{
scope.DefaultAuthorization = result.DefaultAuthorization;
}
if (result.AllowUnauthenticated.HasValue)
{
scope.AllowUnauthenticated = result.AllowUnauthenticated;
}
activities.AddRange(result.Activities);
}
scope.Activities = activities;
return(scope);
}
/// <copydoc cref="IActivityAuthorizer.IsAuthorizedAsync" />
public async Task <AuthorizationReason> IsAuthorizedAsync(string resource, string action, IPrincipal principal, IDictionary <string, object> values = null, CancellationToken cancellationToken = default(CancellationToken))
{
var scope = await scopeProvider.AuthorizationScopeAsync(cancellationToken).ConfigureAwait(false);
if (scope == null)
{
Logger.Warn("No data returned from scope provider");
scope = new AuthorizationScope {
Name = "Default"
};
}
var activities = scope.Activities.ToDictionary();
// Get the state for this request
var defaultAuthorization = scope.DefaultAuthorization ?? DefaultAuthorization;
var defaultActivity = scope.DefaultActivity ?? DefaultActivity;
var defaultAllowUnauthenticated = scope.AllowUnauthenticated ?? DefaultAllowUnauthenticated;
// Set up the reason
var reason = new AuthorizationReason
{
Resource = resource,
Action = action,
Principal = principal,
// We will always make a decision at this level
NoDecision = false,
IsAuthorized = defaultAuthorization
};
// Do a short-circuit check for the unauthenticated state, will be overridden if there is a matching activity
if (!defaultAllowUnauthenticated && !principal.Identity.IsAuthenticated)
{
reason.IsAuthorized = false;
reason.Reason = "IsAuthenticated: false";
}
// Check the activities
foreach (var activity in activities.FindActivities(resource, action, defaultActivity))
{
var rs = principal.IsAuthorized(activity, defaultAuthorization);
if (rs.NoDecision)
{
// Try the next one
continue;
}
// Ok, we have a decision
reason.IsAuthorized = rs.IsAuthorized;
reason.Identity = rs.Identity;
if (reason.Resource != rs.Resource || reason.Action != rs.Action)
{
// Decided based on some other activity, so say what that was
reason.PrincipalReason = rs;
}
else
{
// Preserve the reason information
reason.Reason = rs.Reason;
}
// We are done as we have a decision
break;
}
if (!reason.IsAuthorized)
{
Logger.InfoFormat("Failed authorization: User '{0}', Resource: '{1}', Action: '{2}'", principal == null ? "<Unknown>" : principal.Identity.Name, resource, action);
}
return(reason);
}
public StaticAuthorizationScopeProvider(AuthorizationScope scope)
{
this.scope = scope;
}
public static string ToJson(this AuthorizationScope entity)
{
return(JsonConvert.SerializeObject(entity, AuthorizationsSettings()));
}
/// <summary>
/// Creates a new instance of the <see cref="ConfigurationAuthorizationScopeProvider"/> class.
/// </summary>
/// <param name="sectionName"></param>
public ConfigurationAuthorizationScopeProvider(string sectionName = "activityAuthorization")
{
section = ActivitySection(sectionName);
scope = section.ToAuthorizationScope();
}