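/// <summary>
 /// Create a <see cref="ShortCircuitingAccessControlPolicyAdapter"/>.
 /// </summary>
 /// <param name="firstPolicy">
 /// The policy that will be evaluated first. If this returns Allow, we will return an
 /// Allow result immediately without evaluating the other policies. Note that if this
 /// returns Deny, we will ignore any Explanation, because we will go on to evaluate the
 /// other policies as if the first policy were not present.
 /// </param>
 /// <param name="otherPolicies">
 /// The policies that will be evaluated only if the first policy returns Deny.
 /// </param>
 /// <exception cref="System.ArgumentNullException">
 /// <paramref name="firstPolicy"/> or <paramref name="otherPolicies"/> is <c>null</c>.
 /// </exception>
 /// <remarks>
 /// An Allow from <paramref name="firstPolicy"/> is final: none of the other policies is
 /// consulted for that request. Anything that policy allows is therefore outside the control
 /// of the remaining policies, so it should allow only what is meant to be exempt.
 /// </remarks>
 public ShortCircuitingAccessControlPolicyAdapter(
     IOpenApiAccessControlPolicy firstPolicy,
     IEnumerable<IOpenApiAccessControlPolicy> otherPolicies)
 {
     // Reject a missing policy here, where the caller that supplied it is still on the
     // stack, rather than leaving a null to be found later when the policies are evaluated.
     if (firstPolicy == null)
     {
         throw new System.ArgumentNullException(nameof(firstPolicy));
     }

     if (otherPolicies == null)
     {
         throw new System.ArgumentNullException(nameof(otherPolicies));
     }

     this.firstPolicy = firstPolicy;
     this.otherPolicies = otherPolicies;
 }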
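        /// <summary>
        /// Adds services required to enable role-based OpenApi access control, with the ability
        /// to exempt some operations without the overhead of invoking the service. Requires an
        /// implementation of <see cref="IClaimsService"/> to be registered.
        /// </summary>
        /// <param name="services">The service collection to which to add services.</param>
        /// <param name="exemptionPolicy">
        /// An access control policy that will be evaluated before attempting to contact the Claims
        /// service. If this exemption policy allows the request, then the request will be allowed
        /// through without asking the Claims service to evaluate permission.
        /// </param>
        /// <param name="resourcePrefix">
        /// An optional prefix to add to the URI path when forming the Resource URI that will be
        /// passed when asking the Claims service what permissions each role has for accessing
        /// the resource.
        /// </param>
        /// <param name="allowOnlyIfAll">
        /// Configures the behaviour when multiple <c>roles</c> claims are present, and the Claims
        /// service reports different permissions for the different roles. If false, permission
        /// will be granted as long as at least one role grants access. If true, all roles must
        /// grant access (and at least one <c>roles</c> claim must be present in either case).
        /// </param>
        /// <returns>The modified service collection.</returns>
        /// <exception cref="System.ArgumentNullException">
        /// <paramref name="exemptionPolicy"/> is <c>null</c>.
        /// </exception>
        /// <remarks>
        /// <para>
        /// See <see cref="OpenApiAccessControlPolicy"/> for details on how this works.
        /// </para>
        /// <para>
        /// You will typically use <see cref="ClaimsClientServiceCollectionExtensions.AddClaimsClient(IServiceCollection, Func{IServiceProvider, ClaimsClientOptions})"/>
        /// to configure the <see cref="IClaimsService"/> that this requires.
        /// </para>
        /// <para>
        /// Anything <paramref name="exemptionPolicy"/> allows is never checked against the Claims
        /// service, so the exemption policy is itself an authorization decision: it should allow
        /// only the operations that are meant to be reachable without a role-based check.
        /// </para>
        /// </remarks>
        public static IServiceCollection AddClaimsClientRoleBasedOpenApiAccessControlWithPreemptiveExemptions(
            this IServiceCollection services,
            IOpenApiAccessControlPolicy exemptionPolicy,
            string resourcePrefix = null,
            bool allowOnlyIfAll = false)
        {
            // The policy is only handed on to the registration below, so a null would not be
            // noticed here; reject it while the container is still being configured.
            if (exemptionPolicy == null)
            {
                throw new System.ArgumentNullException(nameof(exemptionPolicy));
            }

            services.AddRoleBasedOpenApiAccessControlWithPreemptiveExemptions(exemptionPolicy, resourcePrefix, allowOnlyIfAll);

            // Supplies the IResourceAccessEvaluator that the role-based registration depends on.
            services.AddSingleton<IResourceAccessEvaluator, OpenApiClientResourceAccessEvaluator>();

            return services;
        }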
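        /// <summary>
        /// Adds services required to enable role-based OpenApi access control, with the ability
        /// to exempt some operations without the overhead of invoking the service. Requires an
        /// implementation of <see cref="IResourceAccessEvaluator"/> to be registered.
        /// </summary>
        /// <param name="services">The service collection to which to add services.</param>
        /// <param name="exemptionPolicy">
        /// An access control policy that will be evaluated before attempting to contact the Claims
        /// service. If this exemption policy allows the request, then the request will be allowed
        /// through without asking the Claims service to evaluate permission.
        /// </param>
        /// <param name="resourcePrefix">
        /// An optional prefix to add to the URI path when forming the Resource URI that will be
        /// passed when asking the Claims service what permissions each role has for accessing
        /// the resource.
        /// </param>
        /// <param name="allowOnlyIfAll">
        /// Configures the behaviour when multiple <c>roles</c> claims are present, and the Claims
        /// service reports different permissions for the different roles. If false, permission
        /// will be granted as long as at least one role grants access. If true, all roles must
        /// grant access (and at least one <c>roles</c> claim must be present in either case).
        /// </param>
        /// <returns>The modified service collection.</returns>
        /// <exception cref="System.ArgumentNullException">
        /// <paramref name="exemptionPolicy"/> is <c>null</c>.
        /// </exception>
        /// <remarks>
        /// <para>
        /// See <see cref="OpenApiAccessControlPolicy"/> for details on how this works.
        /// </para>
        /// <para>
        /// You will typically use this indirectly via the Marain.Claims.Client.OpenApi NuGet package's
        /// AddClaimsClientRoleBasedOpenApiAccessControlWithPreemptiveExemptions method.
        /// </para>
        /// <para>
        /// The policy is registered as a singleton, so the single <paramref name="exemptionPolicy"/>
        /// instance passed here is the one used for every request. Anything it allows is never
        /// checked against the role-based policy, so it should allow only the operations that are
        /// meant to be reachable without a role-based check.
        /// </para>
        /// </remarks>
        public static IServiceCollection AddRoleBasedOpenApiAccessControlWithPreemptiveExemptions(
            this IServiceCollection services,
            IOpenApiAccessControlPolicy exemptionPolicy,
            string resourcePrefix = null,
            bool allowOnlyIfAll = false)
        {
            // The factory below only runs when the policy is first resolved, so without this
            // check a null exemption policy would go unnoticed during registration.
            if (exemptionPolicy == null)
            {
                throw new System.ArgumentNullException(nameof(exemptionPolicy));
            }

            services.AddSingleton<IOpenApiAccessControlPolicy>(sp =>
            {
                IOpenApiAccessControlPolicy roleBasedPolicy = new OpenApiAccessControlPolicy(
                    new RoleBasedResourceAccessSubmissionBuilder(),
                    sp.GetRequiredService<IResourceAccessEvaluator>(),
                    sp.GetRequiredService<ILogger<OpenApiAccessControlPolicy>>(),
                    resourcePrefix,
                    allowOnlyIfAll);

                // Exemption policy first; the role-based policy is the only other policy and
                // so decides every request the exemption policy does not allow.
                return new ShortCircuitingAccessControlPolicyAdapter(
                    exemptionPolicy,
                    new[] { roleBasedPolicy });
            });

            return services;
        }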