private async ValueTask <bool> CheckStreamAccessAsync(ValueTask <string> pending, ClaimsPrincipal cp,
Operation operation, PolicyInformation policy, EvaluationContext result)
{
var streamId = await pending.ConfigureAwait(false);
return(await CheckStreamAccess(cp, operation, policy, result, streamId).ConfigureAwait(false));
}
public ValueTask <bool> Evaluate(ClaimsPrincipal cp, Operation operation, PolicyInformation policy,
EvaluationContext context)
{
var matches = new List <Claim>(_claims.Count);
foreach (var claim in _claims)
{
if (cp.FindFirst(x =>
string.Equals(x.Type, claim.Type, StringComparison.Ordinal) &&
string.Equals(x.Value, claim.Value, StringComparison.Ordinal)) is Claim matched)
{
matches.Add(matched);
if (_mode != MultipleMatchMode.All)
{
break;
}
}
}
var matchFound = false;
switch (_mode)
{
case MultipleMatchMode.All:
if (matches.Count == _claims.Count)
{
context.Add(new AssertionMatch(policy, Information, matches));
matchFound = true;
}
break;
case MultipleMatchMode.Any:
if (matches.Count > 0)
{
context.Add(new AssertionMatch(policy, Information, matches));
matchFound = true;
}
break;
case MultipleMatchMode.None:
if (matches.Count == 0)
{
context.Add(new AssertionMatch(policy, Information, matches));
matchFound = true;
}
break;
default:
throw new ArgumentOutOfRangeException();
}
return(new ValueTask <bool>(matchFound));
}
public ValueTask <bool> Evaluate(ClaimsPrincipal cp, Operation operation, PolicyInformation policy,
EvaluationContext context)
{
var streamId = FindStreamId(operation.Parameters.Span, context.CancellationToken);
if (streamId.IsCompleted)
{
return(CheckStreamAccess(cp, operation, policy, context, streamId.Result));
}
return(CheckStreamAccessAsync(streamId, cp, operation, policy, context));
}
public ValueTask <bool> Evaluate(ClaimsPrincipal cp, Operation operation, PolicyInformation policy,
EvaluationContext context)
{
if (cp.FindFirst(_claimType) is Claim matchedClaim &&
operation.Parameters.Span.Contains(new Parameter(_parameterName, matchedClaim.Value)))
{
context.Add(new AssertionMatch(policy, Information, matchedClaim));
return(new ValueTask <bool>(true));
}
return(new ValueTask <bool>(false));
}
public ValueTask <bool> Evaluate(ClaimsPrincipal cp, Operation operation, PolicyInformation policy,
EvaluationContext context)
{
if (operation == Operations.Subscriptions.ProcessMessages ||
operation == Operations.Subscriptions.ReplayParked)
{
var stream = FindStreamId(operation.Parameters.Span);
return(_streamAssertion.Evaluate(cp,
StreamRead.WithParameter(Operations.Streams.Parameters.StreamId(stream)), policy, context));
}
return(new ValueTask <bool>(false));
}
public ValueTask <bool> Evaluate(ClaimsPrincipal cp, Operation operation, PolicyInformation policy,
EvaluationContext context)
{
// ReSharper disable once PatternAlwaysOfType
if (cp.FindFirst(x =>
string.Equals(x.Type, _claim.Type, StringComparison.Ordinal) &&
string.Equals(x.Value, _claim.Value, StringComparison.Ordinal)) is Claim matched)
{
context.Add(new AssertionMatch(policy, Information, matched));
return(new ValueTask <bool>(true));
}
return(new ValueTask <bool>(false));
}
public ValueTask <bool> Evaluate(ClaimsPrincipal cp, Operation operation, PolicyInformation policy,
EvaluationContext context)
{
if (!cp.Claims.Any() ||
cp.Claims.Any(x => string.Equals(x.Type, ClaimTypes.Anonymous, StringComparison.Ordinal)))
{
context.Add(new AssertionMatch(policy, new AssertionInformation("match", "authenticated", Grant.Deny)));
}
else
{
context.Add(new AssertionMatch(policy,
new AssertionInformation("match", "authenticated", Grant.Allow)));
}
return(new ValueTask <bool>(true));
}
public ValueTask <bool> Evaluate(ClaimsPrincipal cp, Operation operation, PolicyInformation policy,
EvaluationContext context)
{
var remaining = _assertions;
while (!remaining.IsEmpty && context.Grant != Grant.Deny)
{
var pending = remaining.Span[0].Evaluate(cp, operation, policy, context);
remaining = remaining.Slice(1);
if (!pending.IsCompleted)
{
return(EvaluateAsync(pending, remaining, cp, operation, policy, context));
}
if (pending.Result)
{
return(new ValueTask <bool>(true));
}
}
return(new ValueTask <bool>(false));
}
private ValueTask <bool> CheckStreamAccess(ClaimsPrincipal cp, Operation operation, PolicyInformation policy,
EvaluationContext context, string streamId)
{
if (streamId == null)
{
context.Add(new AssertionMatch(policy,
new AssertionInformation("streamId", "streamId is null", Grant.Deny)));
return(new ValueTask <bool>(true));
}
if (streamId == "")
{
streamId = SystemStreams.AllStream;
}
if (streamId == SystemStreams.AllStream &&
(operation == Operations.Streams.Delete || operation == Operations.Streams.Write))
{
context.Add(new AssertionMatch(policy,
new AssertionInformation("streamId", $"{operation.Action} denied on $all", Grant.Deny)));
return(new ValueTask <bool>(true));
}
var action = operation.Action;
if (SystemStreams.IsMetastream(streamId))
{
action = operation.Action switch {
"read" => "metadataRead",
"write" => "metadataWrite",
_ => null
};
streamId = SystemStreams.OriginalStreamOf(streamId);
}
return(action switch {
"read" => Check(cp, operation, action, streamId, policy, context),
"write" => Check(cp, operation, action, streamId, policy, context),
"delete" => Check(cp, operation, action, streamId, policy, context),
"metadataWrite" => Check(cp, operation, action, streamId, policy, context),
"metadataRead" => Check(cp, operation, action, streamId, policy, context),
null => InvalidMetadataOperation(operation, policy, context),
_ => throw new ArgumentOutOfRangeException(nameof(operation.Action), action)
});
private async ValueTask <bool> EvaluateAsync(ValueTask <bool> pending, ReadOnlyMemory <IAssertion> remaining,
ClaimsPrincipal cp, Operation operation, PolicyInformation policy, EvaluationContext result)
{
bool evaluated;
while ((evaluated = await pending.ConfigureAwait(false)) && !remaining.IsEmpty)
{
pending = remaining.Span[0].Evaluate(cp, operation, policy, result);
remaining = remaining.Slice(1);
}
if (!evaluated)
{
result.Add(new AssertionMatch(policy, _failedToMatchAllSubAssertions));
}
return(evaluated);
}
public PolicyEvaluator(ReadOnlyPolicy policy)
{
_policy = policy;
_policyInfo = policy.Information;
}
public ValueTask <bool> Evaluate(ClaimsPrincipal cp, Operation operation, PolicyInformation policy,
EvaluationContext context)
{
context.Add(new AssertionMatch(policy, new AssertionInformation("match", "allow anonymous", Grant.Allow)));
return(new ValueTask <bool>(true));
}
public AssertionMatch(PolicyInformation policy, AssertionInformation assertion, IReadOnlyList <Claim> matches)
{
Policy = policy;
Assertion = assertion;
Matches = matches;
}
public AssertionMatch(PolicyInformation policy, AssertionInformation assertion, params Claim[] matches) : this(
policy, assertion, (IReadOnlyList <Claim>)matches)
{
}
