public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policy = new AuthorizationPolicyBuilder();
string[] subStringPolicy = policyName.Split(new Char[] { '.' });
AttributeType attributeType = (AttributeType)Enum.Parse(typeof(AttributeType), subStringPolicy[0]);
switch (attributeType)
{
case AttributeType.Module:
var moduleType = (RightModule)Enum.Parse(typeof(RightModule), subStringPolicy[1]);
policy.AddRequirements(new ModuleRequirement(moduleType));
return(Task.FromResult(policy.Build()));
case AttributeType.Permission:
var modulerType = (RightModule)Enum.Parse(typeof(RightModule), subStringPolicy[1]);
var objectType = (RightObject)Enum.Parse(typeof(RightObject), subStringPolicy[2]);
var operatorType = (RightOperator)Enum.Parse(typeof(RightOperator), subStringPolicy[3]);
policy.AddRequirements(new PermissionRequirement(modulerType, objectType, operatorType));
return(Task.FromResult(policy.Build()));
default:
return(defaultAuthorizationPolicyProvider.GetPolicyAsync(policyName));
}
}
public override Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policy = new AuthorizationPolicyBuilder();
//AuthRole用。
bool isAllowRolePlefix = policyName.StartsWith(AllowRoleAttribute.POLICY_PREFIX, StringComparison.OrdinalIgnoreCase);
bool isDenyRolePlefix = policyName.StartsWith(DenyRoleAttribute.POLICY_PREFIX, StringComparison.OrdinalIgnoreCase);
if (isAllowRolePlefix || isDenyRolePlefix)
{
var policyList = GetPolicyList <AuthFlag>(policyName);
policy.AddRequirements(new AuthRoleRequirement(isAllowRolePlefix, policyList));
}
//Division用。
bool isAllowDivisionPlefix = policyName.StartsWith(AllowDivisionAttribute.POLICY_PREFIX, StringComparison.OrdinalIgnoreCase);
bool isDenyDivisionPlefix = policyName.StartsWith(DenyDivisionAttribute.POLICY_PREFIX, StringComparison.OrdinalIgnoreCase);
if (isAllowDivisionPlefix || isDenyDivisionPlefix)
{
var policyList = GetPolicyList <DivisionCode>(policyName);
policy.AddRequirements(new AuthDivisionRequirement(isAllowDivisionPlefix, policyList));
}
//カスタムの承認があればそれを使う。
if (policy.Requirements.Any())
{
return(Task.FromResult(policy.Build()));
}
else
{
return(base.GetPolicyAsync(policyName)); //それ以外はデフォルト。
}
}
/// <summary>
/// Get policy async
/// </summary>
/// <param name="policyName">Policy name</param>
/// <returns>Authorization policy</returns>
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
if (policyName.StartsWith(PolicyPrefix, StringComparison.OrdinalIgnoreCase))
{
var policy = new AuthorizationPolicyBuilder();
if (policyName == PermissionRequirement.PermissionPolicies.Permission)
{
policy.AddRequirements(new PermissionRequirement());
}
else if (policyName == PermissionRequirement.PermissionPolicies.PermissionUri)
{
policy.AddRequirements(new PermissionRequirement()
{
IsModelUri = true
});
}
else if (policyName.StartsWith(PermissionRequirement.PermissionPolicies.PermissionLinked))
{
var path = policyName.Substring(PermissionRequirement.PermissionPolicies.PermissionLinked.Length);
policy.AddRequirements(new PermissionRequirement()
{
LinkedPath = path
});
}
return(Task.FromResult(policy.Build()));
}
// If the policy name doesn't match the format expected by this policy provider,
// try the fallback provider. If no fallback provider is used, this would return
// Task.FromResult<AuthorizationPolicy>(null) instead.
return(this.GetDefaultPolicyAsync());
}
private static void BuildPolicy(AuthorizationPolicyInfo policy, AuthorizationOptions config)
{
var builder = new AuthorizationPolicyBuilder();
policy.AuthenticationSchemes?.ForEach(builder.AuthenticationSchemes.Add);
if (policy.Requirements != null && policy.Requirements.Any())
{
foreach (var policyRequirement in policy.Requirements)
{
switch (policyRequirement.RequirementType)
{
case AuthorizationRequirementType.ClaimsAuthorizationRequirement:
var claimsInfo = JObject.Parse(policyRequirement.Requirement)
.ToObject <ClaimsInfo>();
builder.RequireClaim(claimsInfo.ClaimType, claimsInfo.RequiredValues);
break;
case AuthorizationRequirementType.RolesAuthorizationRequirement:
builder.RequireRole(JObject.Parse(policyRequirement.Requirement)
.ToObject <string[]>());
break;
case AuthorizationRequirementType.NameAuthorizationRequirement:
builder.RequireUserName(policyRequirement.Requirement);
break;
case AuthorizationRequirementType.OperationAuthorizationRequirement:
builder.AddRequirements(
new OperationAuthorizationRequirement()
{
Name = policyRequirement.Requirement
});
break;
case AuthorizationRequirementType.DenyAnonymousAuthorizationRequirement:
builder.RequireAuthenticatedUser();
break;
case AuthorizationRequirementType.DenyAuthorizationRequirement:
builder.AddRequirements(new DenyAuthorizationRequirement());
break;
case AuthorizationRequirementType.CustomAuthorizationRequirement:
builder.AddRequirements(Activator.CreateInstance(Type.GetType(policyRequirement.Type),
JObject.Parse(policyRequirement.Requirement).ToObject <object[]>()) as IAuthorizationRequirement);
break;
// TODO implement the assertion requirement.
//case AuthorizationRequirementType.ClaimsAuthorizationRequirement:
// builder.RequireAssertion(handler => {handler.})
// break;
}
}
}
config.AddPolicy(policy.Name, builder.Build());
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
//services.AddEntityFramework()
// .AddSqlServer()
// .AddDbContext<ApplicationDbContext>(options =>
// {
// options.UseSqlServer(Configuration["Data:Default"]);
// });
// Add framework services.
services.AddMvc(options =>
{
var builder = new AuthorizationPolicyBuilder();
builder.AddAuthenticationSchemes("Bearer");
builder.AddRequirements(new BearerAuthorizationRequirement());
var policy = builder.Build();
options.Filters.Add(new BearerFilter(policy));
options.Filters.Add(new GlobalExceptionFilter());
});
services.AddInstance <IConfigurationRoot>(Configuration);
}
// Policies are looked up by string name, so expect 'parameters' (like age)
// to be embedded in the policy names. This is abstracted away from developers
// by the more strongly-typed attributes derived from AuthorizeAttribute
// (like [MinimumAgeAuthorize] in this sample)
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
if (policyName.StartsWith("adminonly"))
{
var policy = new AuthorizationPolicyBuilder();
var adminOnly = Convert.ToBoolean(policyName.Substring(10));
policy.AddRequirements(new CustomAuthorizationRequirement(adminOnly));
return(Task.FromResult(policy.Build()));
}
else if (policyName.StartsWith("privileges"))
{
var policy = new AuthorizationPolicyBuilder();
var privileges = policyName.Substring(11).Split(",").ToArray();
policy.AddRequirements(new CustomAuthorizationRequirement(privileges));
return(Task.FromResult(policy.Build()));
}
// If the policy name doesn't match the format expected by this policy provider,
// try the fallback provider. If no fallback provider is used, this would return
// Task.FromResult<AuthorizationPolicy>(null) instead.
return(FallbackPolicyProvider.GetPolicyAsync(policyName));
}
public static AuthorizationPolicyBuilder AddCustomAgeRequirement(
this AuthorizationPolicyBuilder builder, int age)
{
//age是外界传进来的
builder.AddRequirements(new CustomAgeRequirement(age));
return(builder);
}
// Policies are looked up by string name, so expect 'parameters' (like age)
// to be embedded in the policy names. This is abstracted away from developers
// by the more strongly-typed attributes derived from AuthorizeAttribute
// (like [MinimumAgeAuthorize] in this sample)
public async Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
// First try to get the policy from the existing policies
var policy = await FallbackPolicyProvider.GetPolicyAsync(policyName);
if (policy != null)
{
return(policy);
}
// Then check if it´s a dynamic generated policy
if (policyName.StartsWith(PolicyPrefix, StringComparison.OrdinalIgnoreCase)
&&
int.TryParse(policyName.Substring(PolicyPrefix.Length), out var age))
{
// Generate the policy
var policyBuilder = new AuthorizationPolicyBuilder();
policyBuilder.AddRequirements(new MinimumAgeRequirement(age));
policy = policyBuilder.Build();
// Add the policy to the known policies (cache)
_options.Value.AddPolicy(policyName, policy);
return(policy);
}
// If the policy name doesn't match the format expected by this policy provider,
// this would return null instead.
return(null);
}
//This method will be called by the asp.net core pipeline only when Authorize Attribute has Policy Property set
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
try
{
//All custom policies created by us will have " : " as delimiter to identify policy name and values
//Any delimiter or character can be choosen, and it is upto user choice
var policy = policyName.Split(":").FirstOrDefault(); //Name for policy and values are set in A2AuthorizePermission Attribute
var attributeValue = policyName.Split(":").LastOrDefault();
if (policy != null)
{
//Dynamically building the AuthorizationPolicy and adding the respective requirement based on the policy names which we define in Authroize Attribute.
var policyBuilder = new AuthorizationPolicyBuilder();
if (policy == "CustomAuthPermissionPolicy")
{
//Authorize Hanlders are created based on Authroize Requirement type.
//Adding the object of A2AuthorizePermissionRequirement will invoke the A2AuthorizePermissionHandler
policyBuilder.AddRequirements(new A2AuthorizePermissionRequirement(attributeValue));
return(Task.FromResult(policyBuilder.Build()));
}
}
return(FallbackPolicyProvider.GetPolicyAsync(policyName));
}
catch (Exception)
{
return(FallbackPolicyProvider.GetPolicyAsync(policyName));
}
}
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var defaultValue = _fallbackPolicyProvider.GetPolicyAsync(policyName);
if (!policyName.StartsWith(AuthorizeRoleAttribute.PolicyName, StringComparison.OrdinalIgnoreCase))
{
return(defaultValue);
}
var policyTokens = policyName.Split(AuthorizeRoleAttribute.PolicyDelimiter,
StringSplitOptions.RemoveEmptyEntries);
if (policyTokens.Length != 2)
{
return(defaultValue);
}
var policy = new AuthorizationPolicyBuilder("Bearer");
var roles = policyTokens[1]
.Split(AuthorizeRoleAttribute.RoleDelimiter, StringSplitOptions.RemoveEmptyEntries)
.Select(Enum.Parse <ApolloRoles>)
.ToArray();
policy.AddRequirements(new RolesRequirement(roles));
return(Task.FromResult(policy.Build()));
}
public AuthorizationPolicy ConstructAuthorizationPolicy(ControllerActionDescriptor context)
{
if (_authorizationDataProvider == null)
{
throw new ArgumentNullException(nameof(_authorizationDataProvider));
}
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (_authorizationPolicyProvider == null)
{
throw new ArgumentNullException(nameof(_authorizationPolicyProvider));
}
var authorizeData = _authorizationDataProvider.GetAuthorizeData(context);
AuthorizationPolicy newPolicy;
if (authorizeData == null)
{
var builder = new AuthorizationPolicyBuilder();
newPolicy = builder.AddRequirements(new DenyAuthorizationRequirement()).Build();
}
else
{
newPolicy = AuthorizationPolicy
.CombineAsync(_authorizationPolicyProvider, authorizeData).Result;
}
return(AuthorizationPolicy.Combine(BaseAuthorizationPolicy, newPolicy));
}
public static AuthorizationPolicyBuilder RequireScope(
this AuthorizationPolicyBuilder authorizationPolicyBuilder,
IEnumerable <string> requiredScopes)
{
authorizationPolicyBuilder.AddRequirements(new ScopeAuthorizationRequirement(requiredScopes));
return(authorizationPolicyBuilder);
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication("DefaultAuth")
.AddScheme <AuthenticationSchemeOptions, CustomeAuthenticationHandler>("DefaultAuth", null);
services.AddAuthorization(config =>
{
var defaultAuthBuilder = new AuthorizationPolicyBuilder();
var defaultAuthPolicy = defaultAuthBuilder
.AddRequirements(new JwtRequirement())
.Build();
config.DefaultPolicy = defaultAuthPolicy;
});
services.AddScoped <IAuthorizationHandler, JwtRequirementHandler>();
services.AddHttpClient()
.AddHttpContextAccessor();
services.AddControllers();
services.AddEntityFrameworkSqlServer()
.AddDbContext <TurnoutDbContext>(config =>
{
config.UseSqlServer(Configuration["database:connection"]);
});
}
public static AuthorizationPolicyBuilder RequireScopes(
this AuthorizationPolicyBuilder authorizationPolicyBuilder,
NonEmptyList <string> requiredScopes)
{
authorizationPolicyBuilder.AddRequirements(new ScopeAuthorizationRequirement(requiredScopes));
return(authorizationPolicyBuilder);
}
/// <summary>
/// Dodaj provjere kao skup AND provjera
/// </summary>
/// <param name="builder">Kreator auth police</param>
/// <param name="checks">Provjere koje se dodaju</param>
/// <returns>Kreator auth police</returns>
public static AuthorizationPolicyBuilder AddAllChecks(this AuthorizationPolicyBuilder builder, params IChecker[] checks)
{
var requirements = checks.Select(c => new CheckingRequirement(c)).ToArray();
builder.AddRequirements(requirements);
return(builder);
}
public static AuthorizationPolicyBuilder RequireKanbananaClaim(
this AuthorizationPolicyBuilder builder,
string claimTypes)
{
builder.AddRequirements(new KanbananaClaim(claimTypes));
return(builder);
}
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
//Whenever authorization fails,We get challenged as a result this
//handler will trigger,so noone should be authenticate
//with api so we will always fail
services.AddAuthentication("DefaultAuth")
.AddScheme <AuthenticationSchemeOptions, CustomAuthenticationHandler>("DefaultAuth", null);
services.AddAuthorization(config =>
{
var defaultAuthBuilder = new AuthorizationPolicyBuilder();
var defaultAuthPolicy = defaultAuthBuilder
.AddRequirements(new JwtRequirement())
.Build();
config.DefaultPolicy = defaultAuthPolicy;
});
services.AddScoped <IAuthorizationHandler, JwtRequirementHandler>();
services.AddControllers();
services.AddHttpClient()
.AddHttpContextAccessor();
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication("DefaultAuth")
.AddScheme <AuthenticationSchemeOptions, CustomAuthenticationHandler>("DefautAuth", null);
services.AddAuthorization(config =>
{
var defaultAuthBuilder = new AuthorizationPolicyBuilder();
var defaultAuthPolicy = defaultAuthBuilder
.AddRequirements(new JwtRequirement())
.Build();
config.DefaultPolicy = defaultAuthPolicy;
});
services.AddScoped <IAuthorizationHandler, JwtRequirementHandler>();
services.AddHttpClient()
.AddHttpContextAccessor();
services.AddControllers();
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new OpenApiInfo {
Title = "Api", Version = "v1"
});
});
}
/// <summary>
/// Policies are looked up by string name, so expect 'parameters' to be encoded (embedded) in the policy names (errr-don't blame me).
/// </summary>
/// <param name="encodedPolicyName">A colon ':' delimited string of three values [<see cref="RightType>"/>:<see cref="Permission"/>:<see cref="string"/>]</param>
/// <remarks>
/// For Encoding and Decoding see <see cref="PolicyName"/>
/// </remarks>
public Task <AuthorizationPolicy> GetPolicyAsync(string encodedPolicyName)
{
// here's the other end of the magic to decode the string with the requirement details
var requirementDetails = PolicyName.Deserialise(encodedPolicyName);
// If the policy name doesn't match the format expected by this policy provider,
// try the fallback provider. If no fallback provider is used, this would return
// Task.FromResult<AuthorizationPolicy>(null) instead.
if (requirementDetails == null)
{
return(FallbackPolicyProvider.GetPolicyAsync(encodedPolicyName));
}
var policy = new AuthorizationPolicyBuilder();
policy.RequireAuthenticatedUser();
// Set multiple bearer tokens. This pairs with .AddAuthententication to expose
// multiple www-authenticate headers on a 401
//
// see https://stackoverflow.com/questions/49694383/use-multiple-jwt-bearer-authentication
//
policy.AuthenticationSchemes.Add(AuthenticatorDefaults.ExternalAuthenticationSchemeName);
// now we can hand in the requirements from the attribute into the policy which what we really want to do
policy.AddRequirements(
new HasPermissionsOnResourceRequirement(
requirementDetails.Type,
requirementDetails.Access,
requirementDetails.ResourceKey));
return(Task.FromResult(policy.Build()));
}
public static AuthorizationPolicyBuilder requirecustomclaim(
this AuthorizationPolicyBuilder builder,
string claimtype)
{
builder.AddRequirements(new customrequireclaim(claimtype));
return(builder);
}
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var scopePolicyPrefix = _configuration.GetValue <string>("ScopePolicyPrefix");
var permissionPolicyPrefix = _configuration.GetValue <string>("PermissionPolicyPrefix");
if (string.IsNullOrWhiteSpace(scopePolicyPrefix))
{
scopePolicyPrefix = "Scope";
}
if (string.IsNullOrWhiteSpace(permissionPolicyPrefix))
{
permissionPolicyPrefix = "Permission";
}
if (policyName.StartsWith(scopePolicyPrefix, StringComparison.OrdinalIgnoreCase))
{
var policy = new AuthorizationPolicyBuilder();
policy.AddRequirements(new ScopeRequirement(policyName));
return(Task.FromResult(policy.Build()));
}
if (policyName.StartsWith(permissionPolicyPrefix, StringComparison.OrdinalIgnoreCase))
{
var policy = new AuthorizationPolicyBuilder();
policy.AddRequirements(new PermissionRequirement(policyName));
return(Task.FromResult(policy.Build()));
}
return(_defaultAuthorizationPolicyProvider.GetPolicyAsync(policyName));
}
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policy = new AuthorizationPolicyBuilder();
policy.AddRequirements(new PermissionAuthorizationRequirement(_serviceProvider));
return(Task.FromResult(policy.Build()));
}
public static AuthorizationPolicyBuilder RequireCustomClaim(
this AuthorizationPolicyBuilder builder,
string schoolRole)
{
builder.AddRequirements(new SchoolRole(schoolRole));
return(builder);
}
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
if (policyName.StartsWith("Create") ||
policyName.StartsWith("Delete") ||
policyName.StartsWith("Edit") ||
policyName.StartsWith("View"))
{
var policyBuilder = new AuthorizationPolicyBuilder();
policyBuilder.RequireAuthenticatedUser();
policyBuilder.AddRequirements(new PermissionRequirement(policyName));
return(Task.FromResult(policyBuilder.Build()));
}
else if (policyName.StartsWith("delete.") ||
policyName.StartsWith("read.") ||
policyName.StartsWith("worker.") ||
policyName.StartsWith("write."))
{
var policyBuilder = new AuthorizationPolicyBuilder();
policyBuilder.RequireAuthenticatedUser();
policyBuilder.AddRequirements(new ScopeRequirement(policyName));
return(Task.FromResult(policyBuilder.Build()));
}
return(FallbackPolicyProvider.GetPolicyAsync(policyName));
}
public static AuthorizationPolicyBuilder RequireCustomClaim(
this AuthorizationPolicyBuilder builder,
string claimType)
{
builder.AddRequirements(new CustomRequireClaim(claimType));
return(builder);
}
public void ConfigureServices(IServiceCollection services)
{
//having below line make it return 401 instead 500 if the token is expired
//for API, if Authorization fails, then it will challenge you to authenticate. in that case, if we dont' have authenticate registered,
//it will return 500. in this case, we rather fail the authenticate with CustomAuthenticationHandler,
//so it will return 401 which makes more sense
//we can just completely remove below AddAuthentication, in that case if the token is expired or invalid, it will return 500
services.AddAuthentication("DefaultAuth")
.AddScheme <AuthenticationSchemeOptions, CustomeAuthenticationHandler>("DefaultAuth", null);
services.AddAuthorization(config =>
{
var defaultAuthBuilder = new AuthorizationPolicyBuilder();
var defaultAuthPolicy = defaultAuthBuilder
.AddRequirements(new JwtRequirement())
.Build();
config.DefaultPolicy = defaultAuthPolicy;
});
services.AddScoped <IAuthorizationHandler, JwtRequirementHandler>();
services.AddHttpClient()
.AddHttpContextAccessor();
services.AddControllers();
}
public static AuthorizationPolicyBuilder RequireCustomClaim(
this AuthorizationPolicyBuilder builder,
IAuthorizationRequirement customRequirement)
{
builder.AddRequirements(customRequirement);
return(builder);
}
/// <summary>
/// SSO配置
/// </summary>
/// <param name="services"></param>
/// <param name="appConfig"></param>
private static void AddSSOSetup(IServiceCollection services, AppConfig appConfig)
{
services.AddAuthentication(options =>
{
/*设置相关处理的默认方案*/
options.DefaultScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme; //默认方案(包含了以下所有配置,但是可以被以下配置覆盖)
options.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme; //认证方案
options.DefaultChallengeScheme = nameof(ResponseAuthenticationHandler); //401消息处理方案
options.DefaultForbidScheme = nameof(ResponseAuthenticationHandler); //403消息处理方案
})
.AddIdentityServerAuthentication(options =>
{
options.Authority = appConfig.IdentityServer.Url; //授权端点
options.RequireHttpsMetadata = appConfig.IdentityServer.RequireHttps; //需要HTTPS
options.SupportedTokens = SupportedTokens.Jwt; //Token类型
options.ApiName = appConfig.IdentityServer.ApiName; //api资源名称
options.ApiSecret = appConfig.IdentityServer.ApiSecret; //api资源机密串
options.NameClaimType = JwtClaimTypes.Name; //指定映射到用户名的Claim
options.RoleClaimType = JwtClaimTypes.Role; //指定映射到角色的Claim
options.JwtValidationClockSkew = TimeSpan.Zero; //设置Token有效期验证的时间偏移量为0
options.ClaimsIssuer = appConfig.IdentityServer.Issuer; //颁发者
})
.AddScheme <AuthenticationSchemeOptions, ResponseAuthenticationHandler>(nameof(ResponseAuthenticationHandler), o => { });
//设置授权配置
services.AddAuthorization(options =>
{
var policy = new AuthorizationPolicyBuilder();
policy.RequireAuthenticatedUser();
policy.AddRequirements(new PermissionRequirement(ConstantOptions.RoleConstant.AllRoles));
options.DefaultPolicy = policy.Build();
});
}
/// <summary>
/// GetPolicyAsync
/// </summary>
/// <param name="policyName"></param>
/// <returns></returns>
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policy = new AuthorizationPolicyBuilder();
policy.AddRequirements(new AmmAuthorizationRequirement());
return(Task.FromResult(policy.Build()));
}
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme);
policy.AddRequirements(new RbacRequirement(policyName));
return(Task.FromResult(policy.Build()));
}