private static void ConfigureAuthorizationPolicies(SillycoreAuthorizationOptions authorizationOptions,
AuthorizationOptions options)
{
foreach (var authorizationPolicy in authorizationOptions.Policies)
{
options.AddPolicy(authorizationPolicy.Name, builder =>
{
builder.RequireClaim("scope", authorizationPolicy.RequiredScopes);
});
}
}
public static void AddPolicy(AuthorizationOptions options)
{
options.AddPolicy(Name, policy =>
{
policy.RequireScopeAndRoles(
new ScopeAndRoles {
Scope = Constants.ControlApi.ResourceAndScope.Tenant, Roles = new [] { Constants.ControlApi.Role.TenantAdmin }
}
);
});
}
public static void AddODPAccessTokenPolicy(this AuthorizationOptions options)
{
options.AddPolicy(ODPAuthenticationDefaults.AccessTokenPolicy, policy =>
{
policy.AddAuthenticationSchemes(ODPAuthenticationDefaults.AuthenticationScheme);
policy.RequireAuthenticatedUser();
policy.RequireAssertion(context =>
context.User.HasClaim(c => c.Type == ODPAuthenticationDefaults.AccessTokenClaim) ||
context.User.HasClaim(c => c.Type == ODPAuthenticationDefaults.IdTokenClaim));
});
}
static public void Load(AuthorizationOptions options)
{
options.AddPolicy("ReadAttendance", p =>
{
p.AddAuthenticationSchemes("Bearer");
p.RequireAuthenticatedUser();
p.RequireRole("Employee");
p.Requirements.Add(new ReadAttendanceRequirement());
}
);
}
public static AuthorizationOptions AddCreyAuthorization(this AuthorizationOptions authorizationOptions, IConfiguration configuration, string[] additionalSchemes)
{
var schemes = CreyAuthorizationDefaults.DefaultAuthenticationSchemes.Concat(additionalSchemes).ToArray();
authorizationOptions.AddPolicy(CreyAuthorizationDefaults.CreyUser, policyBuilder =>
{
policyBuilder
.AddAuthenticationSchemes(schemes)
.RequireAuthenticatedUser();
});
authorizationOptions.AddPolicy(CreyAuthorizationDefaults.AlwaysFail, policyBuilder =>
{
policyBuilder
.AddAuthenticationSchemes(schemes)
.RequireAssertion(x => false);
});
return(authorizationOptions);
}
private static void BuildPolicies(AuthorizationOptions options)
{
options.AddPolicy("PlayingPolicy", policy =>
{
policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme);
policy.RequireAuthenticatedUser();
policy.Requirements.Add(new ScopesRequirement(new[] { "scope2" }));
policy.Requirements.Add(new RolesRequirement(new[] { "Read" }));
policy.Requirements.Add(new ClientsRequirement(new[] { "interactive" }));
});
}
private static void AddPolicy(AuthorizationOptions options, string scope)
{
options.AddPolicy(scope, policy =>
{
policy.RequireAssertion(context => {
return(context.User.HasClaim(claim => {
return claim.Type == _scopeClaimType && claim.Value.Contains(scope);
}));
});
});
}
public static void AddPolicies(AuthorizationOptions options)
{
// Use of different schemas
options.AddPolicy(MultipleSchemas, policyBuilder =>
{
policyBuilder.AddAuthenticationSchemes("bearer", "extra");
policyBuilder.RequireAuthenticatedUser();
policyBuilder.RequireRole("Operator"); // From bearer scheme
policyBuilder.RequireClaim("Supervisor"); // From extra scheme
});
}
public static AuthorizationOptions AddCloudscribeLoggingDefaultPolicy(this AuthorizationOptions options)
{
options.AddPolicy(
"SystemLogPolicy",
authBuilder =>
{
authBuilder.RequireRole("ServerAdmins");
});
return(options);
}
public static AuthorizationOptions AddCloudscribeCoreSimpleContentIntegrationDefaultPolicies(this AuthorizationOptions options)
{
options.AddPolicy(
"BlogEditPolicy",
authBuilder =>
{
//authBuilder.RequireClaim("blogId");
authBuilder.RequireRole("Administrators");
}
);
options.AddPolicy(
"PageEditPolicy",
authBuilder =>
{
authBuilder.RequireRole("Administrators");
});
return(options);
}
public static void ConfigureSystemFuncationalityAuthorization(AuthorizationOptions options)
{
foreach (var item in PermissionConstants.SystemPermissionsSet)
{
options.AddPolicy(
item,
it => it.RequireAssertion(ctx =>
{
return(ctx.User.IsInRole("Administrator") || ctx.User.HasClaim(PermissionConstants.PERMISSION_CLAIM_TYPE, item));
}));
}
}
/// <summary>
/// Add policies to options
/// </summary>
/// <param name="options"></param>
/// <param name="withAuthorization"></param>
/// <param name="useRoleBasedAccess"></param>
public static void AddPolicies(this AuthorizationOptions options,
bool withAuthorization, bool useRoleBasedAccess)
{
if (!withAuthorization)
{
options.AddNoOpPolicies(Policies.All());
return;
}
if (!useRoleBasedAccess)
{
options.AddPolicy(Policies.CanOnboard, policy =>
policy.RequireAuthenticatedUser());
}
else
{
options.AddPolicy(Policies.CanOnboard, policy =>
policy.RequireAuthenticatedUser()
.Require(AdminRights));
}
}
public static void Configure(AuthorizationOptions options)
{
KnownPermissions.Each(p =>
{
options.AddPolicy(p.Key, configure =>
{
configure.Requirements.Add(new RolePolicyRequirement {
Policy = p.Key
});
});
});
}
/// <summary>
/// Gets a <see cref="T:Microsoft.AspNetCore.Authorization.AuthorizationPolicy" /> from the given <paramref name="policyName" />
/// </summary>
/// <param name="policyName">The policy name to retrieve.</param>
/// <returns>The named <see cref="T:Microsoft.AspNetCore.Authorization.AuthorizationPolicy" />.</returns>
public override async Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policyExists = await base.GetPolicyAsync(policyName);
if (policyExists == null)
{
policyExists = new AuthorizationPolicyBuilder().AddRequirements(new OlderThanRequirement(10)).Build();
_options.AddPolicy(policyName, policyExists);
}
return(policyExists);
}
public static AuthorizationOptions AddOpenIdSecurityPolicy(this AuthorizationOptions authenticateOptions, string cookieName)
{
if (authenticateOptions == null)
{
throw new ArgumentNullException(nameof(authenticateOptions));
}
authenticateOptions.AddPolicy("Connected", policy => policy.RequireAssertion((ctx) => {
return(ctx.User.Identity != null && ctx.User.Identity.AuthenticationType == cookieName);
}));
return(authenticateOptions);
}
public static void AddDefaultSCIMAuthorizationPolicy(this AuthorizationOptions opts)
{
opts.AddPolicy("QueryScimResource", p => p.RequireClaim("scope", "query_scim_resource"));
opts.AddPolicy("AddScimResource", p => p.RequireClaim("scope", "add_scim_resource"));
opts.AddPolicy("DeleteScimResource", p => p.RequireClaim("scope", "delete_scim_resource"));
opts.AddPolicy("UpdateScimResource", p => p.RequireClaim("scope", "update_scim_resource"));
opts.AddPolicy("BulkScimResource", p => p.RequireClaim("scope", "bulk_scim_resource"));
opts.AddPolicy("Provison", p => p.RequireClaim("scope", "scim_provision"));
opts.AddPolicy("UserAuthenticated", p => p.RequireAuthenticatedUser());
}
public static void AddInstanceAdminPolicies(this AuthorizationOptions options, IEnvironment environment)
{
options.AddPolicy(AuthPolicyNames.AdminAuthLevel, p =>
{
p.AddInstanceAuthenticationSchemes();
p.AddRequirements(new AuthLevelRequirement(AuthorizationLevel.Admin));
});
options.AddPolicy(AuthPolicyNames.LinuxConsumptionRestriction, p =>
{
p.AddInstanceAuthenticationSchemes();
if (environment.IsOnLinuxConsumption)
{
p.AddRequirements(new AuthLevelRequirement(AuthorizationLevel.Admin));
}
else
{
p.AddRequirements(new AuthLevelRequirement(AuthorizationLevel.Anonymous));
}
});
}
internal static void ConfigureOptions(AuthorizationOptions options)
{
options.AddPolicy("AdminPolicy", policy => policy.RequireRole("Admin"));
options.AddPolicy("EmailVerifiedPolicy",
policy => policy.Requirements.Add(new EmailVerifiedRequirement(true)));
options.AddPolicy("FemalePolicy", policy => policy.RequireClaim(JwtClaimTypes.Gender, "Female"));
options.AddPolicy("ManagerPolicy", policy => policy.RequireRole("Manager"));
options.AddPolicy("FemaleAdminPolicy", policy =>
{
policy.Requirements.Add(new RoleIsPresentRequirement("Admin"));
policy.Requirements.Add(new GenderRequirement("Female"));
}
);
options.AddPolicy("FemaleManagerPolicy", policy =>
{
policy.RequireAssertion(context =>
{
return(context.User.HasClaim(claim => claim.Type == JwtClaimTypes.Gender &&
claim.Value == "Female"));
});
}
);
}
public static AuthorizationOptions SetupAuthorizationPolicies(this AuthorizationOptions options)
{
//https://docs.asp.net/en/latest/security/authorization/policies.html
options.AddCloudscribeLoggingDefaultPolicy();
options.AddCloudscribeCoreDefaultPolicies();
options.AddCloudscribeCoreSimpleContentIntegrationDefaultPolicies();
options.AddPolicy(
"FileManagerPolicy",
authBuilder =>
{
authBuilder.RequireRole("Administrators", "Content Administrators");
});
options.AddPolicy(
"FileManagerDeletePolicy",
authBuilder =>
{
authBuilder.RequireRole("Administrators", "Content Administrators");
});
options.AddPolicy(
"FileUploadPolicy",
authBuilder =>
{
authBuilder.RequireRole("Administrators", "Content Administrators");
});
// add other policies here
return(options);
}
public static AuthorizationOptions AddBTCPayPolicies(this AuthorizationOptions options)
{
options.AddPolicy(CanModifyStoreSettings.Key);
options.AddPolicy(CanListStoreSettings.Key);
options.AddPolicy(CanCreateInvoice.Key);
options.AddPolicy(CanGetRates.Key);
options.AddPolicy(CanModifyServerSettings.Key);
options.AddPolicy(CanModifyServerSettings.Key);
options.AddPolicy(CanModifyProfile.Key);
return(options);
}
public static AuthorizationOptions AddCloudscribeCoreDefaultPolicies(this AuthorizationOptions options)
{
options.AddPolicy(
"ServerAdminPolicy",
authBuilder =>
{
authBuilder.RequireRole("ServerAdmins");
});
options.AddPolicy(
"CoreDataPolicy",
authBuilder =>
{
authBuilder.RequireRole("ServerAdmins");
});
options.AddPolicy(
"AdminPolicy",
authBuilder =>
{
authBuilder.RequireRole("ServerAdmins", "Administrators");
});
options.AddPolicy(
"UserManagementPolicy",
authBuilder =>
{
authBuilder.RequireRole("ServerAdmins", "Administrators");
});
options.AddPolicy(
"RoleAdminPolicy",
authBuilder =>
{
authBuilder.RequireRole("Role Administrators", "Administrators");
});
return(options);
}
public static AuthorizationOptions AddAzurePolicy(this AuthorizationOptions authorizationOptions, Action <AzureAuth> configureOptions)
{
var azureAuth = new AzureAuth();
configureOptions(azureAuth);
foreach (var role in azureAuth.Roles)
{
authorizationOptions.AddPolicy(role.Name, builder => builder.RequireClaim(role.Claim.Type, role.Claim.Values));
}
return(authorizationOptions);
}
/// <summary>
/// Add Policy validated claims with SystemUserId Crm (<see cref="CrmPolicies"/>).
/// </summary>
/// <param name="options">Authorization options</param>
/// <returns></returns>
/// <remarks>
/// Usage: [<see cref="AuthorizeAttribute" /> (Policy = <see cref="CrmPolicies.ActiveSystemUser"/>)]
/// </remarks>
public static AuthorizationOptions AddActiveSystemUserPolicy(this AuthorizationOptions options)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
options.AddPolicy(CrmPolicies.ActiveSystemUser,
policy => { policy.AddRequirements(new SystemUserRequirement()); }
);
return(options);
}
public ControllerBase()
{
var options = new AuthorizationOptions();
options.AddPolicy("Users", new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddRequirements(new WindowsLocalUserPolicyRequirement())
.Build());
authorizationService = new AuthorizationService(
new AuthorizationPolicyProvider(options),
new IAuthorizationHandler[] { new PassThroughAuthorizationHandler() });
}
/// <summary>An IServiceCollection extension method that adds a default policies.</summary>
/// <param name="services"> The services to act on. </param>
/// <param name="authorizationOptions"> Options for controlling the authorization. </param>
public static void AddDefaultPolicies(this IServiceCollection services, AuthorizationOptions authorizationOptions)
{
foreach (var policy in new DefaultPolicies().Policies)
{
authorizationOptions.AddPolicy(policy.Name, builder =>
{
foreach (var requirement in policy.Requirements)
{
builder.Requirements.Add(requirement);
}
});
}
}
internal static void Execute(AuthorizationOptions options)
{
options.AddPolicy(PolicyConstants.CanDeleteArticles, policy =>
{
policy.RequireAuthenticatedUser();
policy.RequireRole("Administrators");
});
options.AddPolicy(PolicyConstants.CanCreateComments, policy =>
{
policy.RequireAuthenticatedUser();
});
options.AddPolicy(PolicyConstants.CanWriteArticles, policy =>
{
policy.RequireAuthenticatedUser();
policy.RequireAnyRole("Authors", "Administrators");
});
// Authors can edit their own articles
// Editors can edit anyones articles
}
public static void BuildPolicies(AuthorizationOptions options)
{
options.AddPolicy(PolicyConstants.BasicAccess,
policy =>
{
policy.AuthenticationSchemes.Insert(0, "JwtAuth");
policy.AuthenticationSchemes.Insert(1, "CookieAuth");
policy.RequireAuthenticatedUser();
policy.RequireRole(RolesConstants.BasicUser);
policy.Build();
}
);
}
public static AuthorizationOptions AddUmaWebsiteSecurityPolicy(this AuthorizationOptions authorizationOptions)
{
if (authorizationOptions == null)
{
throw new ArgumentNullException(nameof(authorizationOptions));
}
authorizationOptions.AddPolicy("connected", policy =>
{
policy.AddAuthenticationSchemes(Constants.DEFAULT_COOKIE_NAME);
policy.RequireAuthenticatedUser();
});
return(authorizationOptions);
}
public static void AddAuthorizationPolicies(this AuthorizationOptions options)
{
options.AddPolicy("read", policy =>
{
policy.AddRequirements(new ScopeRequirement(new List <string> {
"app.expensetracker.api.read", "app.expensetracker.api.full"
}, false));
});
options.AddPolicy("write", policy =>
{
policy.AddRequirements(new ScopeRequirement(new List <string> {
"app.expensetracker.api.write", "app.expensetracker.api.full"
}, false));
});
options.AddPolicy("full", policy =>
{
policy.AddRequirements(new ScopeRequirement(new List <string> {
"app.expensetracker.api.full"
}));
});
}
public static AuthorizationOptions CreatePermissions(AuthorizationOptions options)
{
List <string> permissionsList = GetPermissions();
foreach (string permission in permissionsList)
{
options.AddPolicy(permission, policy =>
{
policy.Requirements.Add(new PermissionRequirement(permission));
});
}
return(options);
}
