public async Task OnAuthorizationAsync(AuthorizationFilterContext context) { if (context == null) { throw new ArgumentNullException(nameof(context) + "is null"); } if (context.ActionDescriptor.EndpointMetadata.Any(p => p is IAllowAnonymous)) { return; } if (!context.ActionDescriptor.EndpointMetadata.Any(p => p is AuthorizeAttribute)) { return; } IPolicyEvaluator policyEvaluator = context.HttpContext.RequestServices.GetRequiredService <IPolicyEvaluator>(); AuthenticateResult authenticateResult = await policyEvaluator.AuthenticateAsync(this.policy, context.HttpContext); PolicyAuthorizationResult authorizeResult = await policyEvaluator.AuthorizeAsync(this.policy, authenticateResult, context.HttpContext, context); if (authorizeResult.Challenged) { context.Result = new NavyblueUnAuthorizeResult("Authorization Failed"); } else if (authorizeResult.Forbidden) { context.Result = new ForbidResult(this.policy.AuthenticationSchemes.ToArray()); } }
public async Task <bool> AuthorizeAsync(HttpContext httpContext, AuthorizationContext authorizationContext) { AuthorizationPolicy policy = authorizationContext?.Policy; if (policy == null) { // authorization not required return(true); } AuthenticateResult authenticationResult = await policyEvaluator.AuthenticateAsync(policy, httpContext); PolicyAuthorizationResult authorizationResult = await policyEvaluator.AuthorizeAsync(policy, authenticationResult, httpContext, null); if (authorizationResult.Challenged) { await httpContext.ChallengeAsync(); return(false); } else if (authorizationResult.Forbidden) { await httpContext.ForbidAsync(); return(false); } return(true); }
public async Task HandleAsync( RequestDelegate requestDelegate, HttpContext httpContext, AuthorizationPolicy authorizationPolicy, PolicyAuthorizationResult policyAuthorizationResult) { // if the authorization was forbidden, let's use custom logic to handle that. if (policyAuthorizationResult.Forbidden && policyAuthorizationResult.AuthorizationFailure != null) { // as an example, let's return 404 if specific requirement has failed if (policyAuthorizationResult.AuthorizationFailure.FailedRequirements.Any(requirement => requirement is SampleRequirement)) { httpContext.Response.StatusCode = (int)HttpStatusCode.NotFound; await httpContext.Response.WriteAsync(Startup.CustomForbiddenMessage); // return right away as the default implementation would overwrite the status code return; } else if (policyAuthorizationResult.AuthorizationFailure.FailedRequirements.Any(requirement => requirement is SampleWithCustomMessageRequirement)) { // if other requirements failed, let's just use a custom message // but we have to use OnStarting callback because the default handlers will want to modify i.e. status code of the response // and modifications of the response are not allowed once the writing has started var message = Startup.CustomForbiddenMessage; httpContext.Response.OnStarting(() => httpContext.Response.BodyWriter.WriteAsync(Encoding.UTF8.GetBytes(message)).AsTask()); } } await _handler.HandleAsync(requestDelegate, httpContext, authorizationPolicy, policyAuthorizationResult); }
/// <summary> /// Evaluates the authorization requirement and processes the authorization result. /// </summary> /// <param name="next"> /// The next middleware in the application pipeline. Implementations may not invoke this if the authorization did not succeed. /// </param> /// <param name="context">The <see cref="T:Microsoft.AspNetCore.Http.HttpContext" />.</param> /// <param name="policy">The <see cref="T:Microsoft.AspNetCore.Authorization.AuthorizationPolicy" /> for the resource.</param> /// <param name="authorizeResult">The result of authorization.</param> public Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult) { throw new NotImplementedException(); }
public async Task <PolicyAuthorizationResult> AuthorizeAsync( AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource) { if (policy == null) { throw new ArgumentNullException(nameof(policy)); } var result = await _authorization.AuthorizeAsync(context.User, resource, policy); if (result.Succeeded) { _logger.PolicySucceed(); return(PolicyAuthorizationResult.Success()); } // If authentication was successful, return forbidden, otherwise challenge if (authenticationResult.Succeeded) { _logger.PolicyFailToForbid(); return(PolicyAuthorizationResult.Forbid()); } _logger.PolicyFailToChallenge(); return(PolicyAuthorizationResult.Challenge()); }
public override async Task <PolicyAuthorizationResult> AuthorizeAsync( AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource ) { // This call will check 2 places (requirements): // - AnyValidPermissionRequirementHandler // - ActionAuthorizationRequirementHandler OR the default [Authorize] var result = await base.AuthorizeAsync(policy, authenticationResult, context, resource); if (result.Challenged) { context.Items[contextKey] = new UnauthorizedException(GetExceptionMessageFromHttpContext()); return(PolicyAuthorizationResult.Challenge()); } else if (result.Forbidden) { // If user is authenticated but not allowed, send them to a special error page if (context.User.Identity.IsAuthenticated) { context.Items[contextKey] = new ForbiddenException(GetExceptionMessageFromHttpContext()); return(PolicyAuthorizationResult.Forbid()); } } return(result); }
public virtual async Task <PolicyAuthorizationResult> AuthorizeAsync( AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context) { return(await Task.FromResult(PolicyAuthorizationResult.Success())); }
private async Task <bool> AuthorizeAsync(HttpContext context, IPolicyEvaluator policyEvaluator) { bool authorized = false; if (_serverSentEventsOptions.Authorization is null) { authorized = true; } else { if (_authorizationPolicy is null) { _authorizationPolicy = await AuthorizationPolicy.CombineAsync(_policyProvider, new[] { _serverSentEventsOptions.Authorization }); } AuthenticateResult authenticateResult = await policyEvaluator.AuthenticateAsync(_authorizationPolicy, context); PolicyAuthorizationResult authorizeResult = await policyEvaluator.AuthorizeAsync(_authorizationPolicy, authenticateResult, context, null); if (authorizeResult.Challenged) { await ChallengeAsync(context); } else if (authorizeResult.Forbidden) { await ForbidAsync(context); } else { authorized = true; } } return(authorized); }
public async Task <PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, ICasbinAuthorizationContext casbinContext, object?resource) { if (policy == null) { throw new ArgumentNullException(nameof(policy)); } if (casbinContext == null) { throw new ArgumentNullException(nameof(casbinContext)); } var result = await _authorizationService.AuthorizeAsync(context.User, casbinContext, policy); if (result.Succeeded) { return(PolicyAuthorizationResult.Success()); } // If authentication was successful, return forbidden, otherwise challenge return(authenticationResult.Succeeded ? PolicyAuthorizationResult.Forbid() : PolicyAuthorizationResult.Challenge()); }
/// <inheritdoc /> public Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult) { var endpoint = context.GetEndpoint(); var remoteApi = endpoint.Metadata.GetMetadata <BffRemoteApiEndpointMetadata>(); var localApi = endpoint.Metadata.GetMetadata <BffApiAttribute>(); if (remoteApi == null && localApi == null) { return(_handler.HandleAsync(next, context, policy, authorizeResult)); } if (authorizeResult.Challenged) { context.Response.StatusCode = (int)HttpStatusCode.Unauthorized; return(Task.CompletedTask); } if (authorizeResult.Forbidden) { context.Response.StatusCode = (int)HttpStatusCode.Forbidden; return(Task.CompletedTask); } return(_handler.HandleAsync(next, context, policy, authorizeResult)); }
/// <summary> /// Invokes the authorization filters for the controller action. /// </summary> /// <returns>Whether the user is authenticated or not.</returns> internal static async Task <bool> InvokeAuthorizationFiltersForRequest(this ControllerContext controllerContext, ActionContext actionContext) { ControllerActionDescriptor actionDescriptor = controllerContext.ActionDescriptor; var metadataCollection = new EndpointMetadataCollection(actionDescriptor.EndpointMetadata.Union(new[] { actionDescriptor })); IReadOnlyList <IAuthorizeData> authorizeData = metadataCollection.GetOrderedMetadata <IAuthorizeData>(); IAuthorizationPolicyProvider policyProvider = controllerContext.HttpContext.RequestServices .GetRequiredService <IAuthorizationPolicyProvider>(); AuthorizationPolicy?policy = await AuthorizationPolicy.CombineAsync(policyProvider, authorizeData); if (policy is not null) { IPolicyEvaluator policyEvaluator = controllerContext.HttpContext.RequestServices.GetRequiredService <IPolicyEvaluator>(); AuthenticateResult authenticateResult = await policyEvaluator.AuthenticateAsync(policy, controllerContext.HttpContext); if (!authenticateResult.Succeeded) { return(false); } // TODO this is super hacky, but we rely on the FeatureAuthorizeHandler can still handle endpoints // (The way before .NET 5). The .NET 5 way would need to use han http context, for the "inner" request // with the nested controller var resource = new Endpoint(null, metadataCollection, null); PolicyAuthorizationResult authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, controllerContext.HttpContext, resource); if (!authorizeResult.Succeeded) { return(false); } } IList <FilterDescriptor> filters = actionDescriptor.FilterDescriptors; var filterGrouping = new FilterGrouping(filters, controllerContext.HttpContext.RequestServices); // because the continuation gets built from the inside out we need to reverse the filter list // so that least specific filters (Global) get run first and the most specific filters (Action) get run last. var authorizationFilters = filterGrouping.AuthorizationFilters.Reverse().ToList(); var asyncAuthorizationFilters = filterGrouping.AsyncAuthorizationFilters.Reverse().ToList(); if (authorizationFilters.Count == 0 && asyncAuthorizationFilters.Count == 0) { return(true); } // if the authorization filter returns a result, it means it failed to authorize var authorizationFilterContext = new AuthorizationFilterContext(actionContext, filters.Select(x => x.Filter).ToArray()); return(await ExecuteAuthorizationFiltersAsync(authorizationFilterContext, authorizationFilters, asyncAuthorizationFilters)); }
public Task <PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource) { if (!authenticationResult.Succeeded) { return(Task.FromResult(PolicyAuthorizationResult.Challenge())); } return(_defaultEvaluator.AuthorizeAsync(policy, authenticationResult, context, resource)); }
public Task <PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy _, AuthenticateResult authenticationResult, HttpContext context, object resource) { var authorizeResult = authenticationResult.Succeeded ? PolicyAuthorizationResult.Success() : PolicyAuthorizationResult.Challenge(); return(Task.FromResult(authorizeResult)); }
public Task <PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource) { if (!authenticationResult.Succeeded) { return(Task.FromResult(PolicyAuthorizationResult.Forbid())); } return(Task.FromResult(PolicyAuthorizationResult.Success())); }
public async Task NotCallRequestDelegate_If_PolicyAuthorizationResultWasForbidden() { var requestDelegate = new Mock <RequestDelegate>(); var httpContext = CreateHttpContext(); var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build(); var policyAuthorizationResult = PolicyAuthorizationResult.Forbid(); var handler = CreateAuthorizationMiddlewareResultHandler(); await handler.HandleAsync(requestDelegate.Object, httpContext, policy, policyAuthorizationResult); requestDelegate.Verify(next => next(It.IsAny <HttpContext>()), Times.Never); }
public async Task ChallangeWithoutAuthenticationScheme_If_PolicyAuthorizationResultWasChallenged() { var authenticationServiceMock = new Mock <IAuthenticationService>(); var requestDelegate = new Mock <RequestDelegate>(); var httpContext = CreateHttpContext(authenticationServiceMock.Object); var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build(); var policyAuthorizationResult = PolicyAuthorizationResult.Challenge(); var handler = CreateAuthorizationMiddlewareResultHandler(); await handler.HandleAsync(requestDelegate.Object, httpContext, policy, policyAuthorizationResult); authenticationServiceMock.Verify(service => service.ChallengeAsync(httpContext, null, null), Times.Once); }
public async Task HandleAsync( RequestDelegate requestDelegate, HttpContext httpContext, AuthorizationPolicy authorizationPolicy, PolicyAuthorizationResult policyAuthorizationResult) { if (!policyAuthorizationResult.Succeeded) { httpContext.Response.StatusCode = 401; httpContext.Response.ContentType = "application/json"; await httpContext.Response.WriteAsync(unauthorizedResponseJson); return; } await new AuthorizationMiddlewareResultHandler().HandleAsync(requestDelegate, httpContext, authorizationPolicy, policyAuthorizationResult); }
public void OnAuthorizationAsync_Should_Not_Set_Result_When_Authorization_Succeeds() { var policyEvaluator = Substitute.For <IPolicyEvaluator>(); _actionContext.HttpContext.RequestServices = Substitute.For <IServiceProvider>(); _actionContext.HttpContext.RequestServices.GetService(Arg.Any <Type>()).Returns(policyEvaluator); var authorizeResult = PolicyAuthorizationResult.Success(); policyEvaluator.AuthorizeAsync(Arg.Any <AuthorizationPolicy>(), Arg.Any <AuthenticateResult>(), Arg.Any <HttpContext>(), Arg.Any <object>()).Returns(authorizeResult); var context = new AuthorizationFilterContext(_actionContext, Substitute.For <IList <IFilterMetadata> >()); _filter.OnAuthorizationAsync(context); context.Result.Should().BeNull(); }
public async Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult) { if (authorizeResult.Forbidden && authorizeResult.AuthorizationFailure != null) { if (authorizeResult.AuthorizationFailure.FailedRequirements.Any(req => req is ExpiredPaymentRequirement)) { var user = await _userManager.GetUserAsync(context.User); user.IsBlocked = true; await _userManager.UpdateAsync(user); await _signInManager.SignOutAsync(); } } await _handler.HandleAsync(next, context, policy, authorizeResult); }
public async Task HandleAsync( RequestDelegate requestDelegate, HttpContext httpContext, AuthorizationPolicy authorizationPolicy, PolicyAuthorizationResult policyAuthorizationResult) { // if the authorization was forbidden and the resource had specific requirements, // provide a custom response. if (Show404ForForbiddenResult(policyAuthorizationResult)) { // Return a 404 to make it appear as if the resource does not exist. httpContext.Response.StatusCode = (int)HttpStatusCode.NotFound; return; } // Fallback to the default implementation. await DefaultHandler.HandleAsync(requestDelegate, httpContext, authorizationPolicy, policyAuthorizationResult); }
public async Task <PolicyAuthorizationResult> TryAuthenticate(MethodInfo methodInfo) { if (!methodInfo.GetAuthorizeData().Any()) { return(PolicyAuthorizationResult.Success()); } if (UserValidUntil >= DateTime.Now) { return(PolicyAuthorizationResult.Success()); } var hubContextType = typeof(ClientContextDispatcher <>).MakeGenericType(HARRRType); var harrrContext = (IClientContextDispatcher)ServiceProvider.GetRequiredService(hubContextType); var res = await harrrContext.Challenge(Id); var authentication = new SignalARRRAuthentication(ServiceProvider); return(await authentication.Authorize(this, res, methodInfo)); }
public void OnAuthorizationAsync_Should_Set_Result_When_Authorization_Is_Challenged() { var policyEvaluator = Substitute.For <IPolicyEvaluator>(); _actionContext.HttpContext.RequestServices = Substitute.For <IServiceProvider>(); _actionContext.HttpContext.RequestServices.GetService(Arg.Any <Type>()).Returns(policyEvaluator); var authorizeResult = PolicyAuthorizationResult.Challenge(); policyEvaluator.AuthorizeAsync(Arg.Any <AuthorizationPolicy>(), Arg.Any <AuthenticateResult>(), Arg.Any <HttpContext>(), Arg.Any <object>()).Returns(authorizeResult); var context = new AuthorizationFilterContext(_actionContext, Substitute.For <IList <IFilterMetadata> >()); _filter.OnAuthorizationAsync(context); context.Result.Should().BeAssignableTo <ObjectResult>(); context.Result.As <ObjectResult>().StatusCode.Should().Be(StatusCodes.Status401Unauthorized); context.Result.As <ObjectResult>().Value.Should().BeAssignableTo <ApiResponse>(); context.Result.As <ObjectResult>().Value.As <ApiResponse>().Message.Should().Be("Unauthorised."); context.Result.As <ObjectResult>().Value.As <ApiResponse>().Data.Should().BeNull(); }
public void OnAuthorizationAsync_Should_Set_Result_When_Authorization_Is_Forbidden() { var policyEvaluator = Substitute.For <IPolicyEvaluator>(); _actionContext.HttpContext.RequestServices = Substitute.For <IServiceProvider>(); _actionContext.HttpContext.RequestServices.GetService(Arg.Any <Type>()).Returns(policyEvaluator); var authorizeResult = PolicyAuthorizationResult.Forbid(); policyEvaluator.AuthorizeAsync(Arg.Any <AuthorizationPolicy>(), Arg.Any <AuthenticateResult>(), Arg.Any <HttpContext>(), Arg.Any <object>()).Returns(authorizeResult); var context = new AuthorizationFilterContext(_actionContext, Substitute.For <IList <IFilterMetadata> >()); _filter.OnAuthorizationAsync(context); context.Result.Should().BeAssignableTo <ObjectResult>(); context.Result.As <ObjectResult>().StatusCode.Should().Be(StatusCodes.Status403Forbidden); context.Result.As <ObjectResult>().Value.Should().BeAssignableTo <ApiResponse>(); context.Result.As <ObjectResult>().Value.As <ApiResponse>().Message.Should().Be("Forbidden."); context.Result.As <ObjectResult>().Value.As <ApiResponse>().Data.As <IEnumerable <string> >().Should().BeEquivalentTo(_authenticationScheme); }
public async Task ForbidEachAuthenticationScheme_If_PolicyAuthorizationResultWasForbidden() { var authenticationServiceMock = new Mock <IAuthenticationService>(); var requestDelegate = new Mock <RequestDelegate>(); var httpContext = CreateHttpContext(authenticationServiceMock.Object); var firstScheme = Guid.NewGuid().ToString(); var secondScheme = Guid.NewGuid().ToString(); var thirdScheme = Guid.NewGuid().ToString(); var policy = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser() .AddAuthenticationSchemes(firstScheme, secondScheme, thirdScheme) .Build(); var policyAuthorizationResult = PolicyAuthorizationResult.Forbid(); var handler = CreateAuthorizationMiddlewareResultHandler(); await handler.HandleAsync(requestDelegate.Object, httpContext, policy, policyAuthorizationResult); authenticationServiceMock.Verify(service => service.ForbidAsync(httpContext, It.IsAny <string>(), null), Times.Exactly(3)); authenticationServiceMock.Verify(service => service.ForbidAsync(httpContext, firstScheme, null), Times.Once); authenticationServiceMock.Verify(service => service.ForbidAsync(httpContext, secondScheme, null), Times.Once); authenticationServiceMock.Verify(service => service.ForbidAsync(httpContext, thirdScheme, null), Times.Once); }
public async Task HandleAsync(RequestDelegate requestDelegate, HttpContext context, AuthorizationPolicy authorizationPolicy, PolicyAuthorizationResult policyAuthorizationResult) { if (!policyAuthorizationResult.Succeeded) { context.Response.ContentType = "application/json"; if (context.User.Identity.IsAuthenticated) { context.Response.StatusCode = (int)HttpStatusCode.Forbidden; await context.Response.WriteAsync("{ \"code\": \"forbidden\", \"message\": \"You do not have authority to execute this request!\" }"); } else { context.Response.StatusCode = (int)HttpStatusCode.Unauthorized; await context.Response.WriteAsync("{ \"code\": \"invalid_token\", \"message\": \"Invalid token information!\" }"); } return; } await DefaultHandler.HandleAsync(requestDelegate, context, authorizationPolicy, policyAuthorizationResult); }
private static async Task <PolicyAuthorizationResult> AuthorizeAsync( IAuthorizationService service, AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource) { if (policy == null) { throw new ArgumentNullException(nameof(policy)); } var result = await service.AuthorizeAsync(context.User, resource, policy); if (result.Succeeded) { return(PolicyAuthorizationResult.Success()); } return(authenticationResult.Succeeded ? PolicyAuthorizationResult.Forbid() : PolicyAuthorizationResult.Challenge()); }
public async Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult) { if (authorizeResult.Challenged) { context.Response.ContentType = "application/json"; await context.Response.WriteAsync( JsonConvert.SerializeObject(new ApiResponse(HttpStatusCode.Unauthorized).JsonResultModel)); return; } if (authorizeResult.Forbidden) { context.Response.ContentType = "application/json"; await context.Response.WriteAsync( JsonConvert.SerializeObject(new ApiResponse(HttpStatusCode.Forbidden).JsonResultModel)); return; } await next.Invoke(context); }
public async Task <PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource) { if (policy == null) { throw new ArgumentNullException(nameof(policy)); } var result = await _authorization.AuthorizeAsync(context.User, resource, policy); if (result.Succeeded) { return(PolicyAuthorizationResult.Success()); } //if (result.Failure?.FailedRequirements.Any(x => x is AuthorizationClaimsRequirement) ?? false) //{ // context.SetErrorDetail(Errors.Code.NoAuthorizationClaims, "Authorization claim is missing from the authenticated token."); //} // If authentication was successful, return forbidden, otherwise challenge return((authenticationResult.Succeeded) ? PolicyAuthorizationResult.Forbid() : PolicyAuthorizationResult.Challenge()); }
public async Task OnAuthorizationAsync(AuthorizationFilterContext context) { if (context.ActionDescriptor is ControllerActionDescriptor controllerActionDescriptor) { if (controllerActionDescriptor.ControllerTypeInfo.IsGenericType) { var genericType = controllerActionDescriptor.ControllerTypeInfo.GenericTypeArguments[0]; var customNameAttribute = genericType.GetCustomAttribute <MediatRControllerAttribute>(); if (customNameAttribute != null) { var requestPolicies = genericType.GetCustomAttributes <AuthorizeAttribute>(inherit: true); authorizePolicy = await AuthorizationPolicy.CombineAsync(_policyProvider, requestPolicies); if (requestPolicies.Count() == 0) { return; } AuthenticateResult authenticateResult = await _policyEvaluator.AuthenticateAsync(authorizePolicy, context.HttpContext); PolicyAuthorizationResult authorizeResult = await _policyEvaluator.AuthorizeAsync(authorizePolicy, authenticateResult, context.HttpContext, null); if (authorizeResult.Challenged) { await ChallengeAsync(context); } else if (authorizeResult.Forbidden) { await ForbidAsync(context); } } } } }
public async Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult) { if (authorizeResult.Challenged) { if (policy.AuthenticationSchemes.Count > 0) { foreach (var scheme in policy.AuthenticationSchemes) { await context.ChallengeAsync(scheme); } } else { await context.ChallengeAsync(); } return; } if (authorizeResult.Forbidden) { if (policy.AuthenticationSchemes.Count > 0) { foreach (var scheme in policy.AuthenticationSchemes) { await context.ForbidAsync(scheme); } } else { await context.ForbidAsync(); } return; } await next(context); }