        public static PermissionCheckContext CreatePermissionCheckContext(string permissionIdsValue, string user, params string[] roles)
        {
            // Test/demo factory: no action descriptor, no HttpContext and no requirement are
            // attached; only a user context built from the given user name and role names.
            var userContext  = CreateUserContext(user, roles);
            var checkContext = new PermissionCheckContext(null, null, userContext, null);

            // The ids to check arrive as one (presumably delimited) value;
            // AddCheckPermissionIdsValue is responsible for splitting it.
            checkContext.AddCheckPermissionIdsValue(permissionIdsValue);

            return checkContext;
        }
 public Task<PermissionCheckResult> CheckPermissionAsync(PermissionCheckContext permissionCheckContext)
 {
     // Demo logic: the verdict is driven entirely by the Allowed flag on this instance;
     // the check context is not consulted. Either outcome is tagged with this logic's name.
     var source  = nameof(DemoBasedLogic);
     var verdict = Allowed
         ? PermissionCheckResult.Allowed.WithSource(source)
         : PermissionCheckResult.Forbidden.WithSource(source);

     return verdict.AsTask();
 }
        public Task <bool> ShouldCareAsync(PermissionCheckContext checkContext)
        {
            // Participate only when the registry holds at least one role-based rule for
            // one of the permission ids this check is about.
            var permissionIds = checkContext.NeedCheckPermissionIds.ToArray();
            var ruleRegistry  = checkContext.ControlPointRegistry.RoleBasedRules;

            // NOTE(review): the matched rules are kept on the instance for the later
            // CheckPermissionAsync call. If this logic is registered with a lifetime that
            // outlives one request (e.g. singleton), concurrent requests would overwrite each
            // other's MatchedRules - confirm the DI registration lifetime.
            MatchedRules = ruleRegistry.GetRoleBasedRules(permissionIds);

            var participates = MatchedRules.Count > 0;
            return participates.AsTask();
        }
        private PermissionCheckContext CreatePermissionCheckContext(AuthorizationHandlerContext context,
                                                                    HttpContext httpContext,
                                                                    ActionDescriptor actionDescriptor,
                                                                    IEnumerable <string> permissionIds,
                                                                    PermissionCheckRequirement requirement)
        {
            // Builds the per-request check context from the handler inputs plus the user
            // context held by this handler. The AuthorizationHandlerContext is not used here.
            var checkContext = new PermissionCheckContext(actionDescriptor, httpContext, _currentUserContext, requirement);

            // A null permissionIds is passed through as a null array; AddCheckPermissionIds
            // is expected to cope with that.
            var ids = permissionIds?.ToArray();
            checkContext.AddCheckPermissionIds(ids);

            return checkContext;
        }
        public PermissionCheckResult Check(RoleBasedPermissionRule rule, PermissionCheckContext checkContext)
        {
            //todo: allowed super do any thing!

            // Evaluates one role-based rule against the check context. The guards are ordered
            // and the first applicable one decides, so keep this order when editing.
            //
            // NOTE(security): the first two guards fail OPEN - a missing rule, or a context with
            // no permission ids to check, yields Allowed rather than Forbidden/NotSure. Make sure
            // "not configured" really is meant to grant access.
            if (rule is null)
            {
                return PermissionCheckResult.Allowed.WithMessage("没有定义规则 => 放行");
            }

            var idsToCheck = checkContext.CheckPermissionIds;
            if (idsToCheck is null || idsToCheck.Count == 0)
            {
                return PermissionCheckResult.Allowed.WithMessage("没有指定需要检测的PermissionId => 放行");
            }

            var permissionId = rule.PermissionId;

            // The rule is about a different permission: neither allow nor deny.
            if (!checkContext.MatchPermissionId(permissionId))
            {
                var idList = string.Join(',', idsToCheck);
                return PermissionCheckResult.NotSure
                       .WithMessage($"规则不匹配 => 无法判断: {permissionId} ? [{idList}]")
                       .WithData(permissionId);
            }

            var currentUser = checkContext.CurrentUserContext;

            // Guest rule: satisfied by anyone, authenticated or not.
            if (rule.NeedGuest())
            {
                return PermissionCheckResult.Allowed.WithMessage("访客规则 => 满足").WithData(permissionId);
            }

            // Everything below requires an authenticated user.
            if (!currentUser.IsLogin())
            {
                return PermissionCheckResult.Forbidden.WithMessage("需要登录 => 不满足").WithData(permissionId);
            }

            // Login-only rule: any authenticated user qualifies.
            if (rule.NeedLogin())
            {
                return PermissionCheckResult.Allowed.WithMessage("需要登录 => 满足").WithData(permissionId);
            }

            // Specific users / roles. The user's roles are handed over as one joined string.
            // NOTE(review): if NeedUsersOrRoles matches by substring rather than whole role
            // name, a role that is a prefix of another role would match - confirm.
            var joinedRoles = currentUser.Roles.MyJoin();
            var msg = $"指定用户或角色: ctx:[{currentUser.User}],[{joinedRoles}] + rule:[{rule.AllowedUsers}],[{rule.AllowedRoles}]";

            var satisfied = rule.NeedUsersOrRoles(currentUser.User, joinedRoles);
            var verdict   = satisfied ? PermissionCheckResult.Allowed : PermissionCheckResult.Forbidden;
            var suffix    = satisfied ? " => 满足" : " => 不满足";

            return verdict.WithMessage(msg + suffix).WithData(permissionId);
        }
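        private async Task <PermissionCheckResult> RunCheckAsync(HttpContext httpContext, string endPointId, PermissionCheckRequirement requirement)
        {
            // Resolves the permission ids registered for this endpoint and, if there are any,
            // hands the decision to the permission check service.
            var permissionIds = _controlPointService.GetCurrentEndPointPermissionIds(httpContext, endPointId)?.ToArray();

            //- 非注册的控制点 => Allowed
            //- 注册的控制点,使用投票服务(PermissionCheckVoteService)计算结果
            // NOTE(security): an unregistered control point fails OPEN here - an endpoint that is
            // missing from the registry is reachable without any check. The commented-out NotSure
            // variant below would instead leave the decision to other handlers; confirm which
            // behaviour is intended outside of the demo.
            if (permissionIds == null || permissionIds.Length == 0)
            {
                return PermissionCheckResult.Allowed.WithMessage("非注册的控制点,放行").WithTarget(endPointId);
                //return PermissionCheckResult.NotSure.WithMessage("非注册的控制点,不置可否");
            }

            var userContext  = httpContext.GetCurrentUserContext();

            // GetRequiredService instead of GetService: a registry that is not registered in DI
            // would otherwise surface as a null reference deep inside the check rather than as a
            // clear resolution error at the point the dependency is needed.
            var registry     = httpContext.RequestServices.GetRequiredService <ControlPointRegistry>();
            var checkContext = PermissionCheckContext.Create(registry, userContext, requirement, permissionIds);
            var checkResult  = await _permissionCheckService.CheckAsync(checkContext);

            return checkResult.WithTarget(endPointId);
        }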
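        private static async Task <string> TryGetCurrentOrgId(PermissionCheckContext permissionCheckContext)
        {
            //or read currentOrgId from other context
            var httpContext = permissionCheckContext.HttpContext;

            // A check context can be built without an HttpContext (the demo/test factory passes
            // null); there is then no request to read from.
            if (httpContext == null)
            {
                return null;
            }

            // NOTE(security): orgId is client-supplied (query string or form body). Callers must
            // only use it as a lookup key against a server-side list of scopes the current user
            // is allowed to act in - its mere presence must never count as authorization.
            // StringValues' string conversion joins repeated parameters with ',' so
            // "?orgId=1&orgId=2" yields "1,2", which will not match a single scope id.
            if (httpContext.Request.Query.TryGetValue("orgId", out var currentOrgId))
            {
                return currentOrgId;
            }

            // ReadFormAsync throws InvalidOperationException for requests that carry no form
            // content type (JSON bodies, bodiless GETs, ...); only read the form when present.
            if (httpContext.Request.HasFormContentType)
            {
                var form = await httpContext.Request.ReadFormAsync();

                if (form.TryGetValue("orgId", out currentOrgId))
                {
                    return currentOrgId;
                }
            }

            //or read currentOrgId from other context
            return null;
        }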
        private static PermissionCheckResult CheckRoleBasedRule(this PermissionCheckContext checkContext, RoleBasedRule rule)
        {
            // Evaluates a single RoleBasedRule for this context. Guards are ordered; the first
            // applicable guard decides.
            var permissionId = rule.PermissionId;

            // The rule targets a permission this check is not about: abstain.
            if (!checkContext.MatchPermissionId(permissionId))
            {
                var wanted = string.Join(',', checkContext.NeedCheckPermissionIds);
                return PermissionCheckResult.NotSure
                       .WithMessage($"规则中没有发现匹配的规则: {permissionId} not found in [{wanted}] ")
                       .WithData(permissionId);
            }

            var expression  = rule.ToExpression();
            var currentUser = checkContext.UserContext;
            var joinedRoles = currentUser.Roles.JoinToOneValue();

            var msg = $"userContext:[{currentUser.User}],[{joinedRoles}] ? rule:[{rule.Rule}]";

            // Guest rule: anyone qualifies.
            if (expression.ValidateNeedGuest())
            {
                return PermissionCheckResult.Allowed.WithMessage("访客规则 => 满足 " + msg).WithData(permissionId);
            }

            // Everything below requires an authenticated user.
            if (!currentUser.IsLogin())
            {
                return PermissionCheckResult.Forbidden.WithMessage("需要登录 => 不满足 " + msg).WithData(permissionId);
            }

            // Login-only rule: any authenticated user qualifies.
            if (expression.ValidateNeedLogin())
            {
                return PermissionCheckResult.Allowed.WithMessage("需要登录 => 满足 " + msg).WithData(permissionId);
            }

            // Specific users or roles; the roles are passed as one joined value.
            // NOTE(review): confirm ValidateNeedAnyOfUsersOrRoles matches whole role names and
            // not substrings of the joined string.
            var satisfied = expression.ValidateNeedAnyOfUsersOrRoles(currentUser.User, joinedRoles);

            return satisfied
                ? PermissionCheckResult.Allowed.WithMessage("满足 " + msg).WithData(permissionId)
                : PermissionCheckResult.Forbidden.WithMessage("不满足 " + msg).WithData(permissionId);
        }
 public Task<bool> ShouldCareAsync(PermissionCheckContext permissionCheckContext)
 {
     // Opt in only when the demo permission id is among the ids being checked.
     var cares = permissionCheckContext.MatchPermissionId(DemoConst.PermissionIds.DemoBasedOp);
     return cares.AsTask();
 }
        public Task <PermissionCheckResult> CheckPermissionAsync(PermissionCheckContext permissionCheckContext)
        {
            // Folds the rules captured in MatchedRules into a single verdict for this context.
            // NOTE(review): MatchedRules is instance state populated by ShouldCareAsync; if this
            // logic instance is shared across requests, a concurrent check may observe another
            // request's rules - confirm the DI lifetime is per request.
            var rules   = MatchedRules.ToArray();
            var verdict = permissionCheckContext.CheckRoleBasedRules(rules);

            return verdict.AsTask();
        }
        public Task <PermissionCheckResult> CheckPermissionAsync(ICurrentUserContext userContext, PermissionCheckContext permissionCheckContext)
        {
            // Demo: decide purely from the caller's own claims (userContext.Permissions);
            // the check context itself is not consulted.
            var permissionId = KnownPermissionIds.DemoOp;
            var msg          = "需要授权: " + permissionId;

            var granted = userContext.Permissions.MyContains(permissionId);
            var verdict = granted ? PermissionCheckResult.Allowed : PermissionCheckResult.Forbidden;
            var result  = verdict.WithMessage(msg).WithData(permissionId);

            // Both outcomes are recorded for debugging and logged. The message is built from
            // KnownPermissionIds.DemoOp, not from request data, so nothing client-controlled
            // reaches the log template here.
            _debugHelper.AppendPermissionCheckResults(result);
            _logger.LogInformation(result.Message);

            return Task.FromResult(result);
        }
 public Task <bool> ShouldCareAsync(ICurrentUserContext userContext, PermissionCheckContext permissionCheckContext)
 {
     // Opt in only when the demo permission id is among the ids being checked;
     // the user context does not influence participation.
     var cares = permissionCheckContext.MatchPermissionId(KnownPermissionIds.DemoOp);
     return Task.FromResult(cares);
 }
        public static IList <PermissionCheckResult> CheckRules(this IRoleBasedCheckLogic logic, IEnumerable <RoleBasedPermissionRule> rules, PermissionCheckContext checkContext)
        {
            // Runs every rule through the logic and collects the individual verdicts.
            // A null rule set cannot decide anything, so it yields a single NotSure
            // (rather than an empty list, which Combine might treat differently).
            if (rules is null)
            {
                return new List <PermissionCheckResult> { PermissionCheckResult.NotSure };
            }

            var verdicts = new List <PermissionCheckResult>();
            foreach (var rule in rules)
            {
                verdicts.Add(logic.Check(rule, checkContext));
            }

            return verdicts;
        }
 public static PermissionCheckResult CheckRulesAsOne(this IRoleBasedCheckLogic logic, IEnumerable <RoleBasedPermissionRule> rules, PermissionCheckContext checkContext)
 {
     // Convenience: evaluate all rules, then fold the list of verdicts into one result.
     var verdicts = logic.CheckRules(rules, checkContext);
     return verdicts.Combine();
 }
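        public async Task <PermissionCheckResult> CheckPermissionAsync(ICurrentUserContext userContext, PermissionCheckContext permissionCheckContext)
        {
            // Demo: decide from extra request context (query / form / cookie ...) rather than
            // from claims. The request names an organisation; access is granted only if that
            // organisation is in the caller's server-side scope list.
            if (userContext == null)
            {
                throw new ArgumentNullException(nameof(userContext));
            }
            if (permissionCheckContext == null)
            {
                throw new ArgumentNullException(nameof(permissionCheckContext));
            }

            //todo: read current user's allowed scoped from database or somewhere else
            var scopeOrgIds = new List <string>()
            {
                "123", "789"
            };

            // orgId comes from the request (query string / form), i.e. it is client-controlled.
            // It is only used as a key into the server-side scope list above, so a forged value
            // cannot grant more than the caller's own scopes. MyContains is presumably false for
            // a null/absent id, which makes "no orgId" => Forbidden - verify that helper.
            var currentOrgId = await TryGetCurrentOrgId(permissionCheckContext);

            PermissionCheckResult result;
            if (scopeOrgIds.MyContains(currentOrgId))
            {
                result = PermissionCheckResult.Allowed.WithMessage("当前组织已授权: " + currentOrgId);
            }
            else
            {
                result = PermissionCheckResult.Forbidden.WithMessage("当前组织没有授权: " + currentOrgId);
            }

            _debugHelper.AppendPermissionCheckResults(result);

            // The message embeds client-supplied text. Pass it as a log argument instead of as
            // the ILogger message template so that braces in the input cannot break template
            // parsing or smuggle placeholders into structured logs.
            _logger.LogInformation("{Message}", result.Message);

            return result;
        }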
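        public static PermissionCheckResult CheckRoleBasedRules(this PermissionCheckContext checkContext, params RoleBasedRule[] roleBasedRules)
        {
            // Evaluates each rule against the context and folds the verdicts into one.
            // A null rule array cannot decide anything: abstain (NotSure) instead of throwing
            // from Select. This mirrors the null handling in CheckRules for the
            // RoleBasedPermissionRule variant.
            if (roleBasedRules == null)
            {
                return PermissionCheckResult.NotSure;
            }

            return roleBasedRules.Select(checkContext.CheckRoleBasedRule).Combine();
        }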