public static AuthorizationPolicy Combine(AuthorizationOptions options, IEnumerable<IAuthorizeData> attributes)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
if (attributes == null)
{
throw new ArgumentNullException(nameof(attributes));
}
var policyBuilder = new AuthorizationPolicyBuilder();
var any = false;
foreach (var authorizeAttribute in attributes.OfType<AuthorizeAttribute>())
{
any = true;
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(authorizeAttribute.Policy))
{
var policy = options.GetPolicy(authorizeAttribute.Policy);
if (policy == null)
{
throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeAttribute.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = authorizeAttribute.Roles?.Split(',');
if (rolesSplit != null && rolesSplit.Any())
{
var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireRole(trimmedRolesSplit);
useDefaultPolicy = false;
}
var authTypesSplit = authorizeAttribute.ActiveAuthenticationSchemes?.Split(',');
if (authTypesSplit != null && authTypesSplit.Any())
{
foreach (var authType in authTypesSplit)
{
if (!string.IsNullOrWhiteSpace(authType))
{
policyBuilder.AuthenticationSchemes.Add(authType.Trim());
}
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(options.DefaultPolicy);
}
}
return any ? policyBuilder.Build() : null;
}
public void ConfigureAuthorizationPolicies(Microsoft.AspNetCore.Authorization.AuthorizationOptions options)
{
AuthorizationPolicies.options = options;
#region Stores
ReadStores();
#endregion
}
public async Task CanCombineAuthorizeAttributes()
{
// Arrange
var attributes = new AuthorizeAttribute[] {
new AuthorizeAttribute(),
new AuthorizeAttribute("1") { ActiveAuthenticationSchemes = "dupe" },
new AuthorizeAttribute("2") { ActiveAuthenticationSchemes = "dupe" },
new AuthorizeAttribute { Roles = "r1,r2", ActiveAuthenticationSchemes = "roles" },
};
var options = new AuthorizationOptions();
options.AddPolicy("1", policy => policy.RequireClaim("1"));
options.AddPolicy("2", policy => policy.RequireClaim("2"));
var provider = new DefaultAuthorizationPolicyProvider(Options.Create(options));
// Act
var combined = await AuthorizationPolicy.CombineAsync(provider, attributes);
// Assert
Assert.Equal(2, combined.AuthenticationSchemes.Count());
Assert.True(combined.AuthenticationSchemes.Contains("dupe"));
Assert.True(combined.AuthenticationSchemes.Contains("roles"));
Assert.Equal(4, combined.Requirements.Count());
Assert.True(combined.Requirements.Any(r => r is DenyAnonymousAuthorizationRequirement));
Assert.Equal(2, combined.Requirements.OfType<ClaimsAuthorizationRequirement>().Count());
Assert.Equal(1, combined.Requirements.OfType<RolesAuthorizationRequirement>().Count());
}
public void ConfigureAutrorization(AuthorizationOptions options)
{
options.AddPolicy(UserManagement, policyBuilder =>
{
policyBuilder.RequireClaim("ManageUsers");
});
}
public static void RegisterAuthorizations(AuthorizationOptions options)
{
options.AddPolicy("Administrator", p =>
{
p.RequireAuthenticatedUser();
p.RequireClaim(DAG.Security.Safe.Owin.ClaimTypes.Email);
});
}
public DefaultAuthorizationPolicyProvider(IOptions<AuthorizationOptions> options)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
_options = options.Value;
}
public static void AddTestAuthorization(
Microsoft.AspNetCore.Authorization.AuthorizationOptions options)
{
options.AddPolicy(Constants.Policies.Internal,
builder => { builder.RequireClaim("scope", "test"); });
options.AddPolicy(Constants.Policies.Application,
builder => { builder.RequireClaim("scope", "test"); });
options.AddPolicy(Constants.Policies.User,
builder => { builder.RequireClaim("scope", "test"); });
options.AddPolicy(Constants.Policies.InternalOrApplication,
builder => { builder.RequireClaim("scope", "test"); });
}
public void CombineMustTrimRoles()
{
// Arrange
var attributes = new AuthorizeAttribute[] {
new AuthorizeAttribute() { Roles = "r1 , r2" }
};
var options = new AuthorizationOptions();
// Act
var combined = AuthorizationPolicy.Combine(options, attributes);
// Assert
Assert.True(combined.Requirements.Any(r => r is RolesAuthorizationRequirement));
var rolesAuthorizationRequirement = combined.Requirements.OfType<RolesAuthorizationRequirement>().First();
Assert.Equal(2, rolesAuthorizationRequirement.AllowedRoles.Count());
Assert.True(rolesAuthorizationRequirement.AllowedRoles.Any(r => r.Equals("r1")));
Assert.True(rolesAuthorizationRequirement.AllowedRoles.Any(r => r.Equals("r2")));
}
public async Task CombineMustTrimRoles()
{
// Arrange
var attributes = new AuthorizeAttribute[] {
new AuthorizeAttribute() { Roles = "r1 , r2" }
};
var options = new AuthorizationOptions();
var provider = new DefaultAuthorizationPolicyProvider(Options.Create(options));
// Act
var combined = await AuthorizationPolicy.CombineAsync(provider, attributes);
// Assert
Assert.True(combined.Requirements.Any(r => r is RolesAuthorizationRequirement));
var rolesAuthorizationRequirement = combined.Requirements.OfType<RolesAuthorizationRequirement>().First();
Assert.Equal(2, rolesAuthorizationRequirement.AllowedRoles.Count());
Assert.True(rolesAuthorizationRequirement.AllowedRoles.Any(r => r.Equals("r1")));
Assert.True(rolesAuthorizationRequirement.AllowedRoles.Any(r => r.Equals("r2")));
}
public void CanReplaceDefaultPolicy()
{
// Arrange
var attributes = new AuthorizeAttribute[] {
new AuthorizeAttribute(),
new AuthorizeAttribute("2") { ActiveAuthenticationSchemes = "dupe" }
};
var options = new AuthorizationOptions();
options.DefaultPolicy = new AuthorizationPolicyBuilder("default").RequireClaim("default").Build();
options.AddPolicy("2", policy => policy.RequireClaim("2"));
// Act
var combined = AuthorizationPolicy.Combine(options, attributes);
// Assert
Assert.Equal(2, combined.AuthenticationSchemes.Count());
Assert.True(combined.AuthenticationSchemes.Contains("dupe"));
Assert.True(combined.AuthenticationSchemes.Contains("default"));
Assert.Equal(2, combined.Requirements.Count());
Assert.False(combined.Requirements.Any(r => r is DenyAnonymousAuthorizationRequirement));
Assert.Equal(2, combined.Requirements.OfType<ClaimsAuthorizationRequirement>().Count());
}
public static void AddPlatformAuthorization(
Microsoft.AspNetCore.Authorization.AuthorizationOptions authorizationOptions)
{
authorizationOptions.AddPolicy(Constants.Policies.Internal, builder =>
{
builder.RequireScope(Constants.Scopes.PlatformInternal);
});
authorizationOptions.AddPolicy(Constants.Policies.User, builder =>
{
builder.RequireScope(Constants.Scopes.PlatformUser);
});
authorizationOptions.AddPolicy(Constants.Policies.Application, builder =>
{
builder.RequireScope(Constants.Scopes.PlatformApplication);
});
authorizationOptions.AddPolicy(Constants.Policies.InternalOrApplication, builder =>
{
builder.RequireScope(Constants.Scopes.PlatformApplication, Constants.Scopes.PlatformInternal);
});
}
public AuthorizationApplicationModelProvider(IOptions<AuthorizationOptions> authorizationOptionsAccessor)
{
_authorizationOptions = authorizationOptionsAccessor.Value;
}
public async Task CombineMustTrimAuthenticationScheme()
{
// Arrange
var attributes = new AuthorizeAttribute[] {
new AuthorizeAttribute() { ActiveAuthenticationSchemes = "a1 , a2" }
};
var options = new AuthorizationOptions();
var provider = new DefaultAuthorizationPolicyProvider(Options.Create(options));
// Act
var combined = await AuthorizationPolicy.CombineAsync(provider, attributes);
// Assert
Assert.Equal(2, combined.AuthenticationSchemes.Count());
Assert.True(combined.AuthenticationSchemes.Any(a => a.Equals("a1")));
Assert.True(combined.AuthenticationSchemes.Any(a => a.Equals("a2")));
}
public void CombineMustTrimAuthenticationScheme()
{
// Arrange
var attributes = new AuthorizeAttribute[] {
new AuthorizeAttribute() { ActiveAuthenticationSchemes = "a1 , a2" }
};
var options = new AuthorizationOptions();
// Act
var combined = AuthorizationPolicy.Combine(options, attributes);
// Assert
Assert.Equal(2, combined.AuthenticationSchemes.Count());
Assert.True(combined.AuthenticationSchemes.Any(a => a.Equals("a1")));
Assert.True(combined.AuthenticationSchemes.Any(a => a.Equals("a2")));
}
/// <summary>
/// Gets all policies.
///
/// IMPORTANT NOTE: Use this method carefully.
/// It relies on reflection to get all policies from a private field of the <paramref name="options"/>.
/// This method may be removed in the future if internals of <see cref="AuthorizationOptions"/> changes.
/// </summary>
/// <param name="options"></param>
/// <returns></returns>
public static List <string> GetPoliciesNames(this AuthorizationOptions options)
{
return(((IDictionary <string, AuthorizationPolicy>)PolicyMapProperty.GetValue(options)).Keys.ToList());
}
private void AuthorizationOptions(AuthorizationOptions options)
{
options.AddPolicy("doctoruser", policy => policy.RequireClaim("doctor", "true"));
}
