public async Task Filter_SkipsAntiforgeryVerification_WhenOverridden()
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
antiforgery
.Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>()))
.Returns(Task.FromResult(0))
.Verifiable();
var filter = new ValidateAntiforgeryTokenAuthorizationFilter(antiforgery.Object, NullLoggerFactory.Instance);
var actionContext = new ActionContext(new DefaultHttpContext(), new RouteData(), new ActionDescriptor());
actionContext.HttpContext.Request.Method = "POST";
var context = new AuthorizationContext(actionContext, new IFilterMetadata[]
{
filter,
new IgnoreAntiforgeryTokenAttribute(),
});
// Act
await filter.OnAuthorizationAsync(context);
// Assert
antiforgery.Verify(a => a.ValidateRequestAsync(It.IsAny<HttpContext>()), Times.Never());
}
/// <inheritdoc />
public Task OnAuthorizationAsync(AuthorizationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var accessControlRequestMethod =
context.HttpContext.Request.Headers[CorsConstants.AccessControlRequestMethod];
if (string.Equals(
context.HttpContext.Request.Method,
CorsConstants.PreflightHttpMethod,
StringComparison.Ordinal) &&
!StringValues.IsNullOrEmpty(accessControlRequestMethod))
{
// Short circuit if the request is preflight as that should not result in action execution.
context.Result = new HttpStatusCodeResult(StatusCodes.Status200OK);
}
// Let the action be executed.
return Task.FromResult(true);
}
public override void OnAuthorization(AuthorizationContext context)
{
if (context.ActionDescriptor.DisplayName == "FiltersWebSite.ProductsController.GetPrice")
{
context.HttpContext.Response.Headers.Append("filters",
"Global Authorization Filter - OnAuthorization");
}
}
public Task OnAuthorizationAsync(AuthorizationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
return _antiforgery.ValidateRequestAsync(context.HttpContext);
}
protected virtual bool ShouldValidate(AuthorizationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
return true;
}
public override async Task OnAuthorizationAsync(Microsoft.AspNet.Mvc.Filters.AuthorizationContext context)
{
if (!context.Filters.Any(item => item is IAllowAnonymousFilter))
{
if (!context.Filters.Any(item => item is IAsyncAuthorizationFilter && item.GetType() != this.GetType()))
{
await base.OnAuthorizationAsync(context);
}
//to do:权限判断
}
}
public override void OnAuthorization(AuthorizationContext context)
{
if (!HasAllowAnonymous(context))
{
var user = context.HttpContext.User;
var userIsAnonymous =
user == null ||
user.Identity == null ||
!user.Identity.IsAuthenticated;
if (userIsAnonymous)
{
base.Fail(context);
}
}
}
public static void AfterOnAuthorization(
this DiagnosticSource diagnosticSource,
AuthorizationContext authorizationContext,
IAuthorizationFilter filter)
{
if (diagnosticSource.IsEnabled("Microsoft.AspNet.Mvc.AfterOnAuthorization"))
{
diagnosticSource.Write(
"Microsoft.AspNet.Mvc.AfterOnAuthorization",
new
{
actionDescriptor = authorizationContext.ActionDescriptor,
authorizationContext = authorizationContext,
filter = filter
});
}
}
protected override bool ShouldValidate(AuthorizationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var method = context.HttpContext.Request.Method;
if (string.Equals("GET", method, StringComparison.OrdinalIgnoreCase) ||
string.Equals("HEAD", method, StringComparison.OrdinalIgnoreCase) ||
string.Equals("TRACE", method, StringComparison.OrdinalIgnoreCase) ||
string.Equals("OPTIONS", method, StringComparison.OrdinalIgnoreCase))
{
return false;
}
// Anything else requires a token.
return true;
}
public async Task OnAuthorizationAsync(AuthorizationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (IsClosestAntiforgeryPolicy(context.Filters) && ShouldValidate(context))
{
try
{
await _antiforgery.ValidateRequestAsync(context.HttpContext);
}
catch (AntiforgeryValidationException exception)
{
_logger.AntiforgeryTokenInvalid(exception.Message, exception);
context.Result = new BadRequestResult();
}
}
}
public void OnAuthorization(AuthorizationContext context)
{
if (context.HttpContext.Request.Method == "OPTIONS")
{
return;
}
var authToken = ((FrameRequestHeaders)context.HttpContext.Request.Headers).HeaderAuthorization;
if (Authorize(authToken) == false)
{
context.Result = new HttpStatusCodeResult(403);
return;
}
if (AllowAction(authToken) == false)
{
context.Result = new HttpStatusCodeResult(403);
return;
}
}
public void OnAuthorization(AuthorizationContext context)
{
if (context.HttpContext.Request.Method == "OPTIONS")
{
return;
}
var authToken = ((FrameRequestHeaders)context.HttpContext.Request.Headers).HeaderAuthorization;
if (Authorize(authToken) == false)
{
context.Result = new HttpStatusCodeResult(403);
return;
}
if (AllowAction(authToken) == false)
{
context.Result = new HttpStatusCodeResult(403);
return;
}
}
public async Task Filter_ValidatesAntiforgery_ForAllMethods(string httpMethod)
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
antiforgery
.Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>()))
.Returns(Task.FromResult(0))
.Verifiable();
var filter = new ValidateAntiforgeryTokenAuthorizationFilter(antiforgery.Object, NullLoggerFactory.Instance);
var actionContext = new ActionContext(new DefaultHttpContext(), new RouteData(), new ActionDescriptor());
actionContext.HttpContext.Request.Method = httpMethod;
var context = new AuthorizationContext(actionContext, new[] { filter });
// Act
await filter.OnAuthorizationAsync(context);
// Assert
antiforgery.Verify();
}
public override void OnAuthorization(AuthorizationContext actionContext)
{
bool skipAuthorization =
actionContext.ActionDescriptor.FilterDescriptors.Any(f => f.Filter.GetType() == typeof(AllowAnonymousFilter));
if (!skipAuthorization)
{
if (actionContext.HttpContext.Request.Headers.Any(h => h.Key.Equals("Authorization")))
{
StringValues authHeader = StringValues.Empty;
if (!actionContext.HttpContext.Request.Headers.TryGetValue("Authorization", out authHeader))
throw new ApplicationException("Could not find authroization header");
var creds = ParseAuthHeader(authHeader);
var username = creds[0];
var password = creds[1];
Retry.Do(() =>
{
IUser user;
if (IsValidUser(username, password, out user))
{
var principal = new UserPrincipal(user);
Thread.CurrentPrincipal = principal;
if (actionContext.HttpContext != null)
actionContext.HttpContext.User = principal;
}
}, TimeSpan.FromMilliseconds(200));
}
else
{
actionContext.HttpContext.Response.Headers.Add("WWW-Authenticate", new[] { "Basic" });
actionContext.Result = new HttpUnauthorizedResult();
}
}
base.OnAuthorization(actionContext);
}
/// <summary>
/// 执行权限验证,如果Action上存在AllowAnonymous的Attribute,则不进行验证,
/// 存在Bearer的AuthorizeFilter,则只进行权限验证,
/// 如果二者都不存在,则进行OAuth的验证
/// </summary>
/// <param name="context">验证请求上下文</param>
/// <returns></returns>
public override async Task OnAuthorizationAsync(Microsoft.AspNet.Mvc.Filters.AuthorizationContext context)
{
if (!context.Filters.Any(item => item is IAllowAnonymous))
{
if (!context.Filters.Any(item => item is AuthorizeFilter &&
(item as AuthorizeFilter).Policy.AuthenticationSchemes.Contains("Bearer") &&
item.GetType() != GetType()))
{
await base.OnAuthorizationAsync(context);
}
var result = await FrameworkConfig.IocConfig.Resolve <PermissionService>().Authorize(context);
if (!result)
{
ErrorApiResult content = new ErrorApiResult();
content.Result = false;
content.ErrorMsg = Resource.ResourceManager.GetString("ERROR_NOT_PERMISSION");
content.ErrorCode = InnerErrorCode.NOT_PERMISSION;
await content.ExecuteResultAsync(context, HttpStatusCode.Unauthorized);
}
}
}
/// <summary>
/// Called when authorization is required.
/// </summary>
/// <param name="context">The filter context.</param>
/// <returns>A task representing this function.</returns>
/// <exception cref="System.ArgumentNullException">The <paramref name="context"/> parameter is <c>null</c>.</exception>
public Task OnAuthorizationAsync(AuthorizationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
HttpRequest request = context.HttpContext.Request;
string headerTokenValue = request.Headers[RequestVerificationTokenHttpHeaderName];
// Ajax POSTs using jquery have a header set that defines the token.
// However using unobtrusive ajax the token is still submitted normally in the form.
// if the header is present then use it, else fall back to processing the form like normal.
if (headerTokenValue != null)
{
string antiForgeryCookieValue = request.Cookies[this.antiForgeryCookieName];
this.antiforgery.ValidateTokens(context.HttpContext, new AntiforgeryTokenSet(headerTokenValue, antiForgeryCookieValue));
return Task.FromResult<object>(null);
}
else
{
return this.antiforgery.ValidateRequestAsync(context.HttpContext);
}
}
public override void OnAuthorization(AuthorizationContext context)
{
throw new InvalidProgramException("Authorization Filter Threw");
}
#pragma warning disable 1998
public override async Task OnAuthorizationAsync(AuthorizationContext context)
{
}
private AuthorizationContext GetAuthorizationContext(
FilterDescriptor[] filterDescriptors,
RequestHeaders headers = null,
bool isPreflight = false)
{
// HttpContext
var httpContext = new DefaultHttpContext();
if (headers != null)
{
httpContext.Request.Headers.Add(CorsConstants.AccessControlRequestHeaders, headers.Headers.Split(','));
httpContext.Request.Headers.Add(CorsConstants.AccessControlRequestMethod, new[] { headers.Method });
httpContext.Request.Headers.Add(CorsConstants.AccessControlExposeHeaders, headers.ExposedHeaders.Split(','));
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { headers.Origin });
}
var services = new ServiceCollection();
services.AddInstance<ILoggerFactory>(NullLoggerFactory.Instance);
httpContext.RequestServices = services.BuildServiceProvider();
var method = isPreflight ? CorsConstants.PreflightHttpMethod : "GET";
httpContext.Request.Method = method;
// AuthorizationContext
var actionContext = new ActionContext(
httpContext: httpContext,
routeData: new RouteData(),
actionDescriptor: new ActionDescriptor() { FilterDescriptors = filterDescriptors });
var authorizationContext = new AuthorizationContext(
actionContext,
filterDescriptors.Select(filter => filter.Filter).ToList()
);
return authorizationContext;
}
public void OnAuthorization(AuthorizationContext context)
{
Apply(context.HttpContext);
}
public override void OnAuthorization(AuthorizationContext context)
{
context.HttpContext.Response.Headers.Append("filters", "On Controller Authorization Filter - OnAuthorization");
}
public virtual Task OnAuthorizationAsync([NotNull] AuthorizationContext context)
{
OnAuthorization(context);
return(TaskCache.CompletedTask);
}
public virtual void OnAuthorization([NotNull] AuthorizationContext context)
{
}
protected virtual bool HasAllowAnonymous([NotNull] AuthorizationContext context)
{
return(context.Filters.Any(item => item is IAllowAnonymous));
}
protected virtual void Fail([NotNull] AuthorizationContext context)
{
context.Result = new HttpUnauthorizedResult();
}
private AuthorizationContext GetAuthorizationContext(Action <ServiceCollection> registerServices, bool anonymous = false)
{
var basicPrincipal = new ClaimsPrincipal(
new ClaimsIdentity(
new Claim[] {
new Claim("Permission", "CanViewPage"),
new Claim(ClaimTypes.Role, "Administrator"),
new Claim(ClaimTypes.Role, "User"),
new Claim(ClaimTypes.NameIdentifier, "John")
},
"Basic"));
var validUser = basicPrincipal;
var bearerIdentity = new ClaimsIdentity(
new Claim[] {
new Claim("Permission", "CupBearer"),
new Claim(ClaimTypes.Role, "Token"),
new Claim(ClaimTypes.NameIdentifier, "John Bear")
},
"Bearer");
var bearerPrincipal = new ClaimsPrincipal(bearerIdentity);
validUser.AddIdentity(bearerIdentity);
// ServiceProvider
var serviceCollection = new ServiceCollection();
if (registerServices != null)
{
serviceCollection.AddOptions();
serviceCollection.AddLogging();
registerServices(serviceCollection);
}
var serviceProvider = serviceCollection.BuildServiceProvider();
// HttpContext
var httpContext = new Mock <HttpContext>();
var auth = new Mock <AuthenticationManager>();
httpContext.Setup(o => o.Authentication).Returns(auth.Object);
httpContext.SetupProperty(c => c.User);
if (!anonymous)
{
httpContext.Object.User = validUser;
}
httpContext.SetupGet(c => c.RequestServices).Returns(serviceProvider);
auth.Setup(c => c.AuthenticateAsync("Bearer")).ReturnsAsync(bearerPrincipal);
auth.Setup(c => c.AuthenticateAsync("Basic")).ReturnsAsync(basicPrincipal);
auth.Setup(c => c.AuthenticateAsync("Fails")).ReturnsAsync(null);
// AuthorizationContext
var actionContext = new ActionContext(
httpContext: httpContext.Object,
routeData: new RouteData(),
actionDescriptor: new ActionDescriptor());
var authorizationContext = new AuthorizationContext(
actionContext,
Enumerable.Empty <IFilterMetadata>().ToList()
);
return(authorizationContext);
}
public void OnAuthorization(AuthorizationContext context)
{
Assert.NotNull(context.ModelState.MaxAllowedErrors);
Assert.Equal(_expectedMaxAllowedErrors, context.ModelState.MaxAllowedErrors);
}
public virtual void OnAuthorization(AuthorizationContext context)
{
}
