/// <summary>
/// Check the authorization for a <see cref="IPrincipal"/> for an <see cref="Activity"/>.
/// </summary>
/// <param name="activity"></param>
/// <param name="principal"></param>
/// <param name="defaultAuthorization"></param>
/// <returns></returns>
public static AuthorizationReason IsAuthorized(this IPrincipal principal, Activity activity, bool defaultAuthorization)
{
var reason = new AuthorizationReason
{
Resource = activity.Resource,
Action = activity.Action,
Principal = principal,
NoDecision = true,
IsAuthorized = defaultAuthorization,
};
// Authentication takes precedence over everything
if (principal.Identity.IsAuthenticated == false && activity.AllowUnauthenticated.HasValue)
{
reason.NoDecision = false;
reason.Reason = "IsAuthenticated: false";
// Determined by the allowUnauthenticated
reason.IsAuthorized = activity.AllowUnauthenticated.Value;
}
// Check the denies first, must take precedence over the allows
else if (principal.HasPermission(activity.Deny, reason))
{
// Have an explicit deny.
reason.NoDecision = false;
reason.IsAuthorized = false;
}
else if (principal.HasPermission(activity.Allow, reason))
{
// Have an explity allow.
reason.NoDecision = false;
reason.IsAuthorized = true;
}
else if (activity.Default.HasValue)
{
// Default authorization on the activity.
reason.NoDecision = false;
reason.Reason = "Default: " + activity.Default.Value;
reason.IsAuthorized = activity.Default.Value;
}
return(reason);
}
/// <copydoc cref="IActivityAuthorizer.IsAuthorizedAsync" />
public async Task <AuthorizationReason> IsAuthorizedAsync(string resource, string action, IPrincipal principal, IDictionary <string, object> values = null, CancellationToken cancellationToken = default(CancellationToken))
{
var scope = await scopeProvider.AuthorizationScopeAsync(cancellationToken).ConfigureAwait(false);
if (scope == null)
{
Logger.Warn("No data returned from scope provider");
scope = new AuthorizationScope {
Name = "Default"
};
}
var activities = scope.Activities.ToDictionary();
// Get the state for this request
var defaultAuthorization = scope.DefaultAuthorization ?? DefaultAuthorization;
var defaultActivity = scope.DefaultActivity ?? DefaultActivity;
var defaultAllowUnauthenticated = scope.AllowUnauthenticated ?? DefaultAllowUnauthenticated;
// Set up the reason
var reason = new AuthorizationReason
{
Resource = resource,
Action = action,
Principal = principal,
// We will always make a decision at this level
NoDecision = false,
IsAuthorized = defaultAuthorization
};
// Do a short-circuit check for the unauthenticated state, will be overridden if there is a matching activity
if (!defaultAllowUnauthenticated && !principal.Identity.IsAuthenticated)
{
reason.IsAuthorized = false;
reason.Reason = "IsAuthenticated: false";
}
// Check the activities
foreach (var activity in activities.FindActivities(resource, action, defaultActivity))
{
var rs = principal.IsAuthorized(activity, defaultAuthorization);
if (rs.NoDecision)
{
// Try the next one
continue;
}
// Ok, we have a decision
reason.IsAuthorized = rs.IsAuthorized;
reason.Identity = rs.Identity;
if (reason.Resource != rs.Resource || reason.Action != rs.Action)
{
// Decided based on some other activity, so say what that was
reason.PrincipalReason = rs;
}
else
{
// Preserve the reason information
reason.Reason = rs.Reason;
}
// We are done as we have a decision
break;
}
if (!reason.IsAuthorized)
{
Logger.InfoFormat("Failed authorization: User '{0}', Resource: '{1}', Action: '{2}'", principal == null ? "<Unknown>" : principal.Identity.Name, resource, action);
}
return(reason);
}
public static bool?IsAuthorized(this ClaimsIdentity identity, Activity activity, AuthorizationReason reason)
{
// Authentication takes precedence over everything
if (identity.IsAuthenticated == false && activity.AllowUnauthenticated.HasValue)
{
reason.NoDecision = false;
reason.Reason = "IsAuthenticated: false";
// Determined by the allowUnauthenticated
reason.IsAuthorized = activity.AllowUnauthenticated.Value;
reason.Identity = identity;
return(reason.IsAuthorized);
}
// Check the denies first, must take precedence over the allows
if (identity.HasPermission(activity.Deny, reason))
{
// Have an explicit deny.
reason.NoDecision = false;
reason.IsAuthorized = false;
reason.Identity = identity;
return(reason.IsAuthorized);
}
if (identity.HasPermission(activity.Allow, reason))
{
// Have an explity allow.
reason.NoDecision = false;
reason.IsAuthorized = true;
reason.Identity = identity;
return(reason.IsAuthorized);
}
return(null);
}
/// <summary>
/// Check whether the principal has the specified <see cref="Permission"/>
/// </summary>
/// <param name="identity"></param>
/// <param name="permission"></param>
/// <param name="reason"></param>
/// <returns></returns>
public static bool HasPermission(this ClaimsIdentity identity, Permission permission, AuthorizationReason reason)
{
// Check user over roles
var user = permission.HasUser(identity);
if (!string.IsNullOrEmpty(user))
{
reason.Reason = "User: "******"Role: " + role;
return(true);
}
var claim = permission.HasClaim(identity);
if (!string.IsNullOrEmpty(claim))
{
// Record the claim that passes
reason.Reason = "Claim: " + claim;
return(true);
}
return(false);
}
/// <summary>
/// Check whether the principal has the specified <see cref="Permission"/>
/// </summary>
/// <param name="principal"></param>
/// <param name="permission"></param>
/// <param name="reason"></param>
/// <returns></returns>
public static bool HasPermission(this IPrincipal principal, Permission permission, AuthorizationReason reason)
{
if (!(principal is ClaimsPrincipal claimsPrincipal))
{
return(false);
}
// Check user over roles
foreach (var identity in claimsPrincipal.Identities)
{
var user = permission.HasUser(identity);
if (!string.IsNullOrEmpty(user))
{
reason.Reason = "User: "******"Role: " + role;
reason.Identity = identity;
return(true);
}
}
foreach (var identity in claimsPrincipal.Identities)
{
var claim = permission.HasClaim(identity);
if (!string.IsNullOrEmpty(claim))
{
// Record the claim that passes
reason.Reason = "Claim: " + claim;
reason.Identity = identity;
return(true);
}
}
return(false);
}
