/// <summary>
/// Override method to handle custom role based authorization.
/// </summary>
/// <param name="policyName"></param>
/// <returns></returns>
public async override Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
AuthorizationPolicyBuilder builder = new AuthorizationPolicyBuilder();
builder.RequireAuthenticatedUser();
switch (policyName)
{
case Constants.AdminAccess:
builder.RequireRole(Role.Admin.ToString());
break;
case Constants.AddEditDeleteAccess:
builder.RequireRole(Role.AddEditDelete.ToString(), Role.Admin.ToString());
break;
case Constants.AddEditAccess:
builder.RequireRole(Role.AddEdit.ToString(), Role.AddEditDelete.ToString(), Role.Admin.ToString());
break;
default:
builder.RequireRole(Domain.Global.RoleList);
break;
}
return(await Task.FromResult(builder.Build()));
}
private void BuildAuthorizationPolicy(AuthorizationPolicyBuilder builder, AuthorizationPolicy policy)
{
if (policy.Roles?.Length > 0)
{
builder.RequireRole(policy.Roles);
}
}
/// <summary>
/// Meant to be used during the Authentication configuration to assign proper policies to the proper constants
/// </summary>
/// <param name="policyName">here the constant of this class is meant to be passed as a parameter</param>
/// <returns>The <see cref="AuthorizationPolicy"/> meant for the provided constant.</returns>
/// When adding a new policy, it should be defined here, and then referenced in the services.AddAuthorization is startup like so:
/// "options.AddPolicy(Policies.NEWPOLICY, Policies.GetAuthorizationPolicy(Policies.NEWPOLICY));"
public static AuthorizationPolicy GetAuthorizationPolicy(string policyName)
{
AuthorizationPolicyBuilder builder = new AuthorizationPolicyBuilder();
switch (policyName)
{
case MEMBERS:
return(builder.RequireRole(RoleEnum.Member.GetName()).Build());
case ADMINS:
return(builder.RequireRole(RoleEnum.Admin.GetName()).Build());
case RESTRICTED:
return(builder.RequireRole(RoleEnum.SuperAdmin.GetName()).Build());
}
throw new ArgumentException("Must recive one of the constants of this class as a policyName");
}
public static void RequireUserRole(
this AuthorizationPolicyBuilder policyBuilder,
params UserRole[] userRoles)
{
var roles = userRoles.Select(role => role.ToString());
policyBuilder.RequireRole(roles);
}
public override async Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policy = await base.GetPolicyAsync(policyName);
var tenant = await _tenantProvider.CurrentTenantId();
if (policy == null || await _iamProvider.NeedsUpdate(policyName, tenant, _iamProviderCache))
{
var iamRoles = await _iamProvider.GetRequiredRoles(policyName, tenant, _iamProviderCache);
var iamClaim = await _iamProvider.GetRequiredClaim(policyName, tenant, _iamProviderCache);
var isResourceIdAccessRequired = await _iamProvider.IsResourceIdAccessRequired(policyName, tenant, _iamProviderCache);
var builder = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser();
if (iamRoles != null)
{
var _iamRoles = !string.IsNullOrEmpty(iamClaim) ? new List <string>(iamRoles).Union(new List <string>()
{
iamClaim
}) : iamRoles;
if (iamRoles.Count > 0)
{
builder.RequireRole(_iamRoles.Select(x => x.ToMultiTenantRoleName(tenant)));
}
}
else if (!string.IsNullOrEmpty(iamClaim))
{
builder.RequireRole(iamClaim.ToMultiTenantRoleName(tenant));
}
if (isResourceIdAccessRequired)
{
builder.AddRequirements(new ResourceIdRequirement(policyName));
}
policy = builder
.Build();
}
return(policy);
}
private static void BuildPolicy(AuthorizationPolicyInfo policy, AuthorizationOptions config)
{
var builder = new AuthorizationPolicyBuilder();
policy.AuthenticationSchemes?.ForEach(builder.AuthenticationSchemes.Add);
if (policy.Requirements != null && policy.Requirements.Any())
{
foreach (var policyRequirement in policy.Requirements)
{
switch (policyRequirement.RequirementType)
{
case AuthorizationRequirementType.ClaimsAuthorizationRequirement:
var claimsInfo = JObject.Parse(policyRequirement.Requirement)
.ToObject <ClaimsInfo>();
builder.RequireClaim(claimsInfo.ClaimType, claimsInfo.RequiredValues);
break;
case AuthorizationRequirementType.RolesAuthorizationRequirement:
builder.RequireRole(JObject.Parse(policyRequirement.Requirement)
.ToObject <string[]>());
break;
case AuthorizationRequirementType.NameAuthorizationRequirement:
builder.RequireUserName(policyRequirement.Requirement);
break;
case AuthorizationRequirementType.OperationAuthorizationRequirement:
builder.AddRequirements(
new OperationAuthorizationRequirement()
{
Name = policyRequirement.Requirement
});
break;
case AuthorizationRequirementType.DenyAnonymousAuthorizationRequirement:
builder.RequireAuthenticatedUser();
break;
case AuthorizationRequirementType.DenyAuthorizationRequirement:
builder.AddRequirements(new DenyAuthorizationRequirement());
break;
case AuthorizationRequirementType.CustomAuthorizationRequirement:
builder.AddRequirements(Activator.CreateInstance(Type.GetType(policyRequirement.Type),
JObject.Parse(policyRequirement.Requirement).ToObject <object[]>()) as IAuthorizationRequirement);
break;
// TODO implement the assertion requirement.
//case AuthorizationRequirementType.ClaimsAuthorizationRequirement:
// builder.RequireAssertion(handler => {handler.})
// break;
}
}
}
config.AddPolicy(policy.Name, builder.Build());
}
public static IServiceCollection AddAuthorization(this IServiceCollection services,
AuthorizationExtensionConfig config)
{
return(services
.AddSingleton <IAuthorizationHandler, UserSystemAuthorizationHandler>()
.AddSingleton <IAuthorizationHandler, AdministratorSystemAuthorizationHandler>()
.AddSingleton <IAuthorizationHandler, SystemAuthorizationHandler>()
.AddAuthorization(options =>
{
var policyBuilder = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.RequireClaim(JwtClaimTypes.Scope, config.ApiResourceName)
.AddAuthenticationSchemes(AuthenticationExtension.JwtBearerAuthenticationScheme);
var userPolicy = policyBuilder
.RequireRole(DefaultRoleEnumeration.User.DisplayName)
.Build();
var userSystemPolicy = policyBuilder
.AddRequirements(new UserSystemRequirement())
.Build();
var administratorPolicy = policyBuilder
.RequireRole(DefaultRoleEnumeration.Administrator.DisplayName)
.Build();
var administratorSystemPolicy = policyBuilder
.AddRequirements(new AdministratorSystemRequirement())
.Build();
var systemPolicy = policyBuilder
.AddRequirements(new SystemRequirement())
.Build();
options.DefaultPolicy = userPolicy;
options.AddPolicy(JwtBearerUserPolicyName, userPolicy);
options.AddPolicy(JwtBearerUserSystemPolicyName, userSystemPolicy);
options.AddPolicy(JwtBearerAdministratorPolicyName, administratorPolicy);
options.AddPolicy(JwtBearerAdministratorSystemPolicyName, administratorSystemPolicy);
options.AddPolicy(JwtBearerSystemPolicyName, systemPolicy);
foreach (var policy in config.Policies)
{
options.AddPolicy(policy.Name, policy.Policy);
}
}));
}
public static void AddPolicies(this IServiceCollection service, PolicyContext policies)
{
foreach (var namedPolicy in policies.GetPolicySets())
{
var policySet = namedPolicy.Value;
var policyBuilder = new AuthorizationPolicyBuilder();
policyBuilder.RequireAuthenticatedUser();
var noOneHasAccessToPolicy = policySet == null;
if (noOneHasAccessToPolicy)
{
policyBuilder.RequireAssertion((context) => false); //If no one has access to the policy then always make a false assertion;
}
else
{
var allowableRulesAndUsers = policySet.GetAllowableRolesAndUsersCombined();
if (allowableRulesAndUsers.Any())
{
policyBuilder.RequireRole(policySet.GetAllowableRolesAndUsersCombined());
}
if (policySet.DenyRoles != null)
{
policyBuilder.RequireAssertion(context =>
policySet.GetAllowableRolesAndUsersCombined().Any(allowedRole => context.User.IsInRole(allowedRole)) ||
!policySet.DenyRoles.Any(deniedRole => context.User.IsInRole(deniedRole)));
}
if (policySet.DenyUsers != null)
{
policyBuilder.RequireAssertion(context =>
policySet.GetAllowableRolesAndUsersCombined().Any(allowedRole => context.User.IsInRole(allowedRole)) ||
!policySet.DenyUsers.Any(deniedUser => context.User.IsInRole(deniedUser)));
}
if (policySet.AllowClaim != null)
{
policyBuilder.RequireClaim(policySet.AllowClaim.Type, policySet.AllowClaim.Values);
}
if (policySet.AllowClaims != null)
{
policySet.AllowClaims.ForEach(claim => policyBuilder.RequireClaim(claim.Type, claim.Values));
}
}
var policy = policyBuilder.Build();
service.AddAuthorization(options => options.AddPolicy(namedPolicy.Key, policy));
}
}
public static AuthorizationPolicy ToAuthPolicy(this AuthorizationPolicyInfo info)
{
var policy = new AuthorizationPolicyBuilder();
var hasAnyRequirements = false;
if (info.AllowedRoles.Count > 0)
{
policy.RequireRole(info.AllowedRoles);
hasAnyRequirements = true;
}
if (info.AuthenticationSchemes.Count > 0)
{
policy.AuthenticationSchemes = info.AuthenticationSchemes;
}
if (info.RequireAuthenticatedUser)
{
policy.RequireAuthenticatedUser();
hasAnyRequirements = true;
}
if (info.RequiredClaims.Count > 0)
{
foreach (var c in info.RequiredClaims)
{
if (c.AllowedValues.Count > 0)
{
policy.RequireClaim(c.ClaimName, c.AllowedValues);
}
else
{
policy.RequireClaim(c.ClaimName);
}
hasAnyRequirements = true;
}
}
if (!string.IsNullOrWhiteSpace(info.RequiredUserName))
{
policy.RequireUserName(info.RequiredUserName);
hasAnyRequirements = true;
}
if (!hasAnyRequirements)
{
// allow anonymous
Func <AuthorizationHandlerContext, bool> allowAny = (AuthorizationHandlerContext authContext) => true;
policy.RequireAssertion(allowAny);
}
return(policy.Build());
}
public async Task <AuthorizationContext> GetAuthorizationContextAsync(object implementation, MethodInfo methodInfo)
{
Type[] parameterTypes = methodInfo.GetParameters().Select(x => x.ParameterType).ToArray();
if (parameterTypes.Length == 0)
{
parameterTypes = Type.EmptyTypes;
}
MethodInfo concreteMethod = implementation.GetType().GetMethod(methodInfo.Name, parameterTypes);
AuthorizeAttribute authorizeAttribute = concreteMethod.DeclaringType.GetCustomAttribute <AuthorizeAttribute>();
// overwrite by action attribute
authorizeAttribute = concreteMethod.GetCustomAttribute <AuthorizeAttribute>() ?? authorizeAttribute;
if (authorizeAttribute == null)
{
return(null);
}
if (authorizeAttribute.Roles != null && authorizeAttribute.Policy != null)
{
throw new NotSupportedException("You must specify either Roles or Policy");
}
AuthorizationPolicy policy;
if (authorizeAttribute.Roles != null)
{
var builder = new AuthorizationPolicyBuilder(authorizeAttribute.AuthenticationSchemes.Split(','));
builder.RequireRole(authorizeAttribute.Roles.Split(','));
policy = builder.Build();
}
else if (authorizeAttribute.Policy != null)
{
policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy)
?? throw new ArgumentException($"Policy {authorizeAttribute.Policy} does not exist");
}
else
{
policy = await policyProvider.GetDefaultPolicyAsync();
}
return(new AuthorizationContext
{
Policy = policy
});
}
private async Task <AuthorizationPolicy> GetAuthorizationPolicy(IDotvvmRequestContext context)
{
var policyProvider = GetPolicyProvider(context);
var policyBuilder = new AuthorizationPolicyBuilder();
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(Policy))
{
var policy = await policyProvider.GetPolicyAsync(Policy);
if (policy == null)
{
throw new InvalidOperationException($"The policy '{Policy}' could not be found!");
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = Roles?.Split(',');
if (rolesSplit != null && rolesSplit.Any())
{
var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireRole(trimmedRolesSplit);
useDefaultPolicy = false;
}
var authTypesSplit = ActiveAuthenticationSchemes?.Split(',');
if (authTypesSplit != null && authTypesSplit.Any())
{
foreach (var authType in authTypesSplit)
{
if (!string.IsNullOrWhiteSpace(authType))
{
policyBuilder.AuthenticationSchemes.Add(authType.Trim());
}
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
}
return(policyBuilder.Build());
}
protected virtual void ConfigureFilters(FilterCollection filters)
{
Log.Information(GetLogMessage("Configuring Filters"));
var policyBuilder = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
// .AuthenticationSchemes()
.RequireScope(AppSettings.Scope);
if (SupportsAdminRoleAuthentication)
{
policyBuilder.RequireRole(RoleNames.AdminRole);
}
if (this.SupportsAuthentication)
{
filters.Add(new AuthorizeFilter(policyBuilder.Build()));
}
filters.Add(new SecurityHeadersAttribute());
filters.Add(typeof(ModelStateFeatureFilter));
filters.Add(typeof(ValidateModelAttribute));
}
// Choice: policy= | policy= | role= | role = ...
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
if (policyName.StartsWith(POLICY_PREFIX, StringComparison.OrdinalIgnoreCase))
{
var policyNames = policyName.Substring(POLICY_PREFIX.Length);
var startIndex = policyNames.IndexOf(":");
if (startIndex == -1 || startIndex == policyNames.Length)
{
throw new ArgumentException($"invalid syntax, must contains a ':' before tokens. The correct format is {Format}");
}
// skip the ":" , and turn it into the following list
// [[policy,policyName],[policy,policName],...[role,roleName],...,]
var list = policyNames.Substring(startIndex + 1)
.Split("|")
.Select(p => p.Split("=").Select(e => e.Trim().Trim('\'')).ToArray())
;
// build policy for roleNames
var rolesPolicyBuilder = new AuthorizationPolicyBuilder();
var roleNames = list.Where(arr => arr[0].ToLower() == TOKEN_ROLE)
.Select(arr => arr[1])
.ToArray();
var rolePolicy = rolesPolicyBuilder.RequireRole(roleNames).Build();
// get policies with all related names
var polices1 = list.Where(arr => arr[0].ToLower() == TOKEN_POLICY);
var polices = polices1
.Select(arr => arr[1])
.Select(name => this._authZOpts.GetPolicy(name)) // if the policy with the name doesn exit => null
.Where(p => p != null) // filter null policy
.Append(rolePolicy)
.ToList();
var pb = new AuthorizationPolicyBuilder();
pb.AddRequirements(new LogicalOrRequirement(polices));
return(Task.FromResult(pb.Build()));
}
return(FallbackPolicyProvider.GetPolicyAsync(policyName));
}
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContextPool <AppDbContext>(
options => options.UseSqlServer(_config.GetConnectionString("ApplicationDbContext")));
services.AddDbContextPool <AppDbContext>(
options => options.UseSqlServer(_config.GetConnectionString("toDoListDBConnection")));
services.AddDbContextPool <AGesContext>(
options => options.UseSqlServer(_config.GetConnectionString("aGesConnection")));
services.AddIdentity <ApplicationUser, IdentityRole>(options =>
{
options.Password.RequiredLength = 10;
options.Password.RequiredUniqueChars = 3;
options.Password.RequireNonAlphanumeric = false;
options.SignIn.RequireConfirmedEmail = true;
options.Lockout.MaxFailedAccessAttempts = 3;
options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromHours(1);
}).AddEntityFrameworkStores <AppDbContext>()
.AddDefaultTokenProviders();
services.AddAntiforgery(options => options.HeaderName = "RequestVerificationToken");
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
services.AddDistributedMemoryCache();
services.AddSession(so =>
{
so.IdleTimeout = TimeSpan.FromMinutes(60);
});
services.AddMvc(options =>
{
options.Filters.Add(new AuthorizeFilter(policy));
options.EnableEndpointRouting = false;
}).AddXmlSerializerFormatters();
services.ConfigureApplicationCookie(options =>
{
options.AccessDeniedPath = new PathString("/Administration/AccessDenied");
});
services.AddAuthorization(options =>
{
//options.AddPolicy("DeleteRolePolicy", policy => policy.RequireClaim("Delete Role", "true")
// .RequireRole("Administrator")
// .RequireRole("Super Admin")
//);
//options.AddPolicy("EditRolePolicy", policy => policy.RequireClaim("Edit Role", "true")
// .RequireRole("Administrator")
// .RequireRole("Super Admin"));
//options.AddPolicy("EditRolePolicy", policy => policy.RequireAssertion(context =>
// context.User.IsInRole("Administrator") &&
// context.User.HasClaim(claim => claim.Type == "Edit Role" && claim.Value == "true") ||
// context.User.IsInRole("Super Admin")
// ));
options.AddPolicy("DeleteRolePolicy", policy => policy.RequireAssertion(context =>
context.User.IsInRole("Administrator") &&
context.User.HasClaim(claim => claim.Type == "Delete Role" && claim.Value == "true") ||
context.User.IsInRole("Super Admin")
));
options.AddPolicy("EditRolePolicy", policy => policy.AddRequirements(new ManageAdminRolesAndClaimsRequirement()));
options.AddPolicy("AdminRolePolicy", policy => policy.RequireRole("Administrator"));
options.AddPolicy("SuperAdminRolePolicy", policy => policy.RequireRole("Super Admin"));
options.AddPolicy("ManagerRights",
policy => policy.RequireAssertion(context =>
context.User.IsInRole("Administrator") ||
context.User.IsInRole("Super Admin")));
});
// services.AddScoped<IUserRepository, SQLUserRepository>();
//services.AddScoped<ITaskRepository, SQLTaskRepository>();
//services.AddScoped<IToDoListRepository, SQLToDoRepository>();
services.AddScoped <IForgotPassword, SQL_IForgotPassword>();
services.AddScoped <IConConfig, SQL_ConConfig>();
services.AddScoped <IEmpresa, SQL_IEmpresa>();
services.AddScoped <IEmpresaUtilizadores, SQL_IEmpresaUtilizadores>();
services.AddScoped <IEmpresaAGes, SQL_IEmpresaAGes>();
services.AddScoped <ICLab, SQL_ICLab>();
services.AddScoped <IDadosEmpresaViewModel, SQL_IDadosEmpresaViewModel>();
services.AddScoped <IGabineteContabilidade, Sql_IGabineteContabilidade>();
services.AddSingleton <IAuthorizationHandler, SuperAdminHandler>();
services.AddSingleton <IAuthorizationHandler, AdministratorHandler>();
// services.AddSingleton<ICustomDbContextFactory<CustomDbContext>, CustomDbContextFactory<CustomDbContext>>();
}
public static AuthorizationPolicyBuilder RequireRoleWithAdmin(this AuthorizationPolicyBuilder builder, params string[] roles)
{
return(builder.RequireRole(roles.Concat(new string[] { "Admin" })));
}
/// <summary>
/// Combines the <see cref="AuthorizationPolicy"/> provided by the specified
/// <paramref name="policyProvider"/>.
/// </summary>
/// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param>
/// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param>
/// <returns>
/// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
/// authorization policies provided by the specified <paramref name="policyProvider"/>.
/// </returns>
public static async Task <AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
var policyBuilder = new AuthorizationPolicyBuilder();
var any = false;
foreach (var authorizeDatum in authorizeData)
{
any = true;
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy))
{
var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy);
if (policy == null)
{
//throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy));
throw new InvalidOperationException(nameof(authorizeDatum.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = authorizeDatum.Roles?.Split(',');
if (rolesSplit != null && rolesSplit.Any())
{
var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireRole(trimmedRolesSplit);
useDefaultPolicy = false;
}
if (authorizeDatum is IPermissionAuthorizeData permissionAuthorizeDatum)
{
var groupsSplit = permissionAuthorizeDatum.Groups?.Split(',');
if (groupsSplit != null && groupsSplit.Any())
{
var trimmedGroupsSplit = groupsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireClaim(TubumuClaimTypes.Group, trimmedGroupsSplit);
//policyBuilder.AddRequirements(new GroupsAuthorizationRequirement(trimmedGroupsSplit));
useDefaultPolicy = false;
}
var permissionsSplit = permissionAuthorizeDatum.Permissions?.Split(',');
if (permissionsSplit != null && permissionsSplit.Any())
{
var trimmedPermissionsSplit = permissionsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireClaim(TubumuClaimTypes.Permission, trimmedPermissionsSplit);
//policyBuilder.AddRequirements(new PermissionsAuthorizationRequirement(trimmedPermissionsSplit));
useDefaultPolicy = false;
}
}
var authTypesSplit = authorizeDatum.AuthenticationSchemes?.Split(',');
if (authTypesSplit != null && authTypesSplit.Any())
{
foreach (var authType in authTypesSplit)
{
if (!string.IsNullOrWhiteSpace(authType))
{
policyBuilder.AuthenticationSchemes.Add(authType.Trim());
}
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
}
}
return(any ? policyBuilder.Build() : null);
}
public static AuthorizationPolicyBuilder RequireIsOwnerClaim(this AuthorizationPolicyBuilder builder) => builder.RequireRole(AuthConstants.IsOwner, AuthConstants.TrueValue);
public static void Build(AuthorizationPolicyBuilder builder) =>
builder.RequireRole("Consulta.Clientes");
public static void Build(AuthorizationPolicyBuilder builder)
=> builder.RequireRole("Administrator");
public static AuthorizationPolicyBuilder RequireRole <T>(this AuthorizationPolicyBuilder policy, params T[] roles)
{
return(policy.RequireRole(roles.Select(r => r.ToString())));
}