public string[] GetAuthInfo()
{
IServiceProvider provider = HttpContext.RequestServices;
IModuleHandler moduleHandler = provider.GetRequiredService <IModuleHandler>();
IFunctionAuthorization functionAuthorization = provider.GetService <IFunctionAuthorization>();
ModuleInfo[] moduleInfos = moduleHandler.ModuleInfos;
//先查找出所有有权限的模块
List <ModuleInfo> authModules = new List <ModuleInfo>();
foreach (ModuleInfo moduleInfo in moduleInfos)
{
bool hasAuth = moduleInfo.DependOnFunctions.All(m => functionAuthorization.Authorize(m, User).IsOk);
if (moduleInfo.DependOnFunctions.Length == 0 || hasAuth)
{
authModules.Add(moduleInfo);
}
}
List <string> codes = new List <string>();
foreach (ModuleInfo moduleInfo in authModules)
{
string fullCode = moduleInfo.FullCode;
//模块下边有功能,或者拥有子模块
if (moduleInfo.DependOnFunctions.Length > 0 ||
authModules.Any(m => m.FullCode.Length > fullCode.Length && m.FullCode.Contains(fullCode) && m.DependOnFunctions.Length > 0))
{
codes.AddIfNotExist(fullCode);
}
}
return(codes.ToArray());
}
/// <summary>
/// 重写以实现功能权限的核心验证逻辑
/// </summary>
/// <param name="context">权限过滤器上下文</param>
/// <param name="function">要验证的功能</param>
/// <returns>权限验证结果</returns>
protected virtual AuthorizationResult AuthorizeCore(AuthorizationFilterContext context, IFunction function)
{
IPrincipal user = context.HttpContext.User;
IServiceProvider provider = context.HttpContext.RequestServices;
IFunctionAuthorization authorization = provider.GetService<IFunctionAuthorization>();
AuthorizationResult result = authorization.Authorize(function, user);
return result;
}
/// <summary>
/// 检测当前用户是否拥有指定URL的功能权限
/// </summary>
public static bool CheckFunctionAuth(this ControllerBase controller, string url)
{
IFunction function = controller.GetFunction(url);
if (function == null)
{
return(false);
}
IFunctionAuthorization authorization = controller.HttpContext.RequestServices.GetService <IFunctionAuthorization>();
return(authorization.Authorize(function, controller.User).IsOk);
}
/// <summary>
/// 检测当前用户是否有指定功能的功能权限
/// </summary>
public static bool CheckFunctionAuth(this ControllerBase controller, string actionName, string controllerName, string areaName = null)
{
IServiceProvider provider = controller.HttpContext.RequestServices;
IFunctionHandler functionHandler = provider.GetService <IFunctionHandler>();
IFunction function = functionHandler?.GetFunction(areaName, controllerName, actionName);
if (function == null)
{
return(false);
}
IFunctionAuthorization authorization = provider.GetService <IFunctionAuthorization>();
return(authorization.Authorize(function, controller.User).IsOk);
}
public void OnActionExecuting(ActionExecutingContext context)
{
IServiceProvider provider = context.HttpContext.RequestServices;
IFunction function = context.GetExecuteFunction();
if (function == null)
{
return;
}
ScopedDictionary dict = provider.GetService <ScopedDictionary>();
dict.Function = function;
// 数据权限有效角色,即有当前功能权限的角色
IFunctionAuthorization functionAuthorization = provider.GetService <IFunctionAuthorization>();
ClaimsPrincipal principal = context.HttpContext.User;
string[] roleName = functionAuthorization.GetOkRoles(function, principal);
dict.DataAuthValidRoleNames = roleName;
IAuditingConfiguration configuration = provider.GetRequiredService <IAuditingConfiguration>();
if (!AuditingHelper.ShouldSaveAudit(configuration, principal, function, context.ActionDescriptor.GetMethodInfo()))
{
return;
}
AuditOperationEntry operation = new AuditOperationEntry
{
FunctionName = function.Name,
ClientIpAddress = context.HttpContext.GetClientIp(),
UserAgent = context.HttpContext.Request.Headers["User-Agent"].FirstOrDefault(),
CreatedTime = DateTime.Now
};
if (principal.Identity.IsAuthenticated && principal.Identity is ClaimsIdentity identity)
{
operation.UserId = identity.GetUserId();
operation.UserName = identity.GetUserName();
operation.NickName = identity.GetNickName();
}
dict.AuditOperation = operation;
}
/// <summary>
/// 验证是否拥有指定模块的权限
/// </summary>
/// <param name="module">要验证的模块</param>
/// <param name="empty">返回模块是否为空模块,即是否分配有功能</param>
/// <returns></returns>
private bool CheckFuncAuth(Module module, out bool empty)
{
IServiceProvider services = HttpContext.RequestServices;
IFunctionAuthorization authorization = services.GetRequiredService <IFunctionAuthorization>();
Function[] functions = _securityManager.ModuleFunctions.Where(m => m.ModuleId == module.Id).Select(m => m.Function).ToArray();
empty = functions.Length == 0;
if (empty)
{
return(true);
}
foreach (Function function in functions)
{
if (!authorization.Authorize(function, User).IsOk)
{
return(false);
}
}
return(true);
}
/// <inheritdoc />
public override void OnActionExecuting(ActionExecutingContext context)
{
IServiceProvider provider = context.HttpContext.RequestServices;
IFunction function = context.GetExecuteFunction();
if (function == null)
{
return;
}
ScopedDictionary dict = provider.GetService <ScopedDictionary>();
dict.Function = function;
// 数据权限有效角色,即有当前功能权限的角色
IFunctionAuthorization functionAuthorization = provider.GetService <IFunctionAuthorization>();
string[] roleName = functionAuthorization.GetOkRoles(function, context.HttpContext.User);
dict.DataAuthValidRoleNames = roleName;
if (!function.AuditOperationEnabled)
{
return;
}
AuditOperationEntry operation = new AuditOperationEntry
{
FunctionName = function.Name,
Ip = context.HttpContext.GetClientIp(),
UserAgent = context.HttpContext.Request.Headers["User-Agent"].FirstOrDefault(),
CreatedTime = DateTime.Now
};
if (context.HttpContext.User.Identity.IsAuthenticated && context.HttpContext.User.Identity is ClaimsIdentity identity)
{
operation.UserId = identity.GetUserId();
operation.UserName = identity.GetUserName();
operation.NickName = identity.GetNickName();
}
dict.AuditOperation = operation;
}
/// <summary>
/// 初始化一个<see cref="FunctionAuthorizationHandler"/>类型的新实例
/// </summary>
public FunctionAuthorizationHandler(IFunctionAuthorization functionAuthorization, IHttpContextAccessor httpContextAccessor)
{
_functionAuthorization = functionAuthorization;
_httpContextAccessor = httpContextAccessor;
}
/// <summary>
/// 初始化一个<see cref="FunctionAuthorizationHandler"/>类型的新实例
/// </summary>
public FunctionAuthorizationHandler(IFunctionAuthorization functionAuthorization, IHttpContextAccessor httpContextAccessor, IServiceProvider provider)
{
_functionAuthorization = functionAuthorization;
_httpContextAccessor = httpContextAccessor;
_provider = provider;
}
//public List<string> GetAuthInfo()
public async Task <IActionResult> GetAuthInfo()
{
try
{
// 出于性能考虑,将EF导航查询更改为关联查询
var cache = ServiceProvider.GetService <IDistributedCache>();
var key = $"{User.Identity.Name}.AuthInfo";
DistributedCacheEntryOptions options = new DistributedCacheEntryOptions();
options.SetSlidingExpiration(TimeSpan.FromMinutes(120));
var authInfo = await cache.GetAsync <List <string> >(key,
async() =>
{
IFunctionAuthorization authorization = ServiceProvider.GetService <IFunctionAuthorization>();
List <AuthItem> list = new List <AuthItem>();
Module[] modules = await _securityManager.Modules.ToArrayAsync();
foreach (Module module in modules)
{
if (CheckFuncAuth(module, authorization, out bool empty))
{
list.Add(new AuthItem {
Code = GetModuleTreeCode(module, modules), HasFunc = !empty
});
}
}
//var moduleFunctions = await (from module in _securityManager.Modules
// join moduleFunction in _securityManager.ModuleFunctions
// on module.Id equals moduleFunction.ModuleId
// join function in _securityManager.Functions
// on moduleFunction.FunctionId equals function.Id into f
// select new { Module = module, Functions = f }).ToListAsync();
//var modules = moduleFunctions.Select(m => m.Module).ToArray();
foreach (var item in modules)
{
if (CheckFuncAuth(item, authorization, out bool empty))
{
list.Add(new AuthItem {
Code = GetModuleTreeCode(item, modules), HasFunc = !empty
});
}
}
List <string> codes = new List <string>();
foreach (AuthItem item in list)
{
if (item.HasFunc)
{
codes.Add(item.Code);
}
else if (list.Any(m => m.Code.Length > item.Code.Length && m.Code.Contains(item.Code) && m.HasFunc))
{
codes.Add(item.Code);
}
}
return(codes);
},
options);
return(Json(authInfo));
}
