// GET: Topics/Details/5
public async Task <IActionResult> Details(string id)
{
var p = await _policyProvider.GetPolicyAsync(MyIdentityData.Policy_NotBanned + "afds");
var a = p.Requirements;
if (id == null)
{
return(NotFound());
}
var topic = await _context.Topics
.Include(t => t.Posts)
.FirstOrDefaultAsync(m => m.Name == id);
if (topic == null)
{
return(NotFound());
}
if (topic.Posts == null)
{
topic.Posts = new List <Post>();
}
return(View(topic));
}
private async Task <bool> ValidateAuthorizationPolicyAsync(string authorizationPolicyName, string routeId, IConfigErrorReporter errorReporter)
{
if (string.IsNullOrEmpty(authorizationPolicyName))
{
return(true);
}
if (string.Equals(AuthorizationConstants.Default, authorizationPolicyName, StringComparison.OrdinalIgnoreCase))
{
return(true);
}
try
{
var policy = await _authorizationPolicyProvider.GetPolicyAsync(authorizationPolicyName);
if (policy == null)
{
errorReporter.ReportError(ConfigErrors.ParsedRouteRuleInvalidAuthorizationPolicy, routeId, $"Authorization policy '{authorizationPolicyName}' not found.");
return(false);
}
}
catch (Exception ex)
{
errorReporter.ReportError(ConfigErrors.ParsedRouteRuleInvalidAuthorizationPolicy, routeId, $"Unable to retrieve the authorization policy '{authorizationPolicyName}'", ex);
return(false);
}
return(true);
}
public async Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
if (!policyName.Contains(_dynamicOptions.Seperator))
{
return(await _fallbackProvider.GetPolicyAsync(policyName));
}
var parts = policyName.Split(_dynamicOptions.Seperator);
if (parts.Length <= 1)
{
throw new InvalidOperationException("Not any param is specified");
}
var paramList = parts.SubSet(1, parts.Length - 1);
if (!_dynamicOptions.Providers.ContainsKey(parts[0]))
{
throw new InvalidOperationException($"No provider for policy '{parts[0]}'");
}
var builder = new AuthorizationPolicyBuilder();
_dynamicOptions.Providers[parts[0]](paramList, builder);
if (builder.AuthenticationSchemes?.Any() != true)
{
builder.AuthenticationSchemes = _dynamicOptions.DefaultSchemes;
}
return(builder.Build());
}
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
// Don not call filter for ReExecute requests (such as status code pages) and skips all paths marked as AllowAnonymous attribute
if (context.HttpContext.Features.Get <IStatusCodeReExecuteFeature>() != null || context.Filters.Any(x => x is IAllowAnonymousFilter))
{
return;
}
var policy = await _policyProvider.GetPolicyAsync(AnonymousUserForStoreAuthorizationRequirement.PolicyName);
var policyEvaluator = context.HttpContext.RequestServices.GetRequiredService <IPolicyEvaluator>();
var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context.HttpContext);
var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context.HttpContext, context);
// For all the results except Succeeded we need to return <see cref="ChallengeResult"/>
if (!authorizeResult.Succeeded)
{
// Here we need only ChallengeResult to redirect to Login instead of ForbiddenResult that standard AuthorizeFilter returns in that case (authenticated and non authorized user)
// https://github.com/aspnet/AspNetCore/blob/v2.2.3/src/Mvc/Mvc.Core/src/Authorization/AuthorizeFilter.cs#L210
// https://github.com/aspnet/AspNetCore/blob/v2.2.3/src/Security/Authorization/Policy/src/PolicyEvaluator.cs#L91
context.Result = new ChallengeResult(policy.AuthenticationSchemes.ToArray());
}
}
private async ValueTask ValidateAuthorizationPolicyAsync(IList <Exception> errors, string authorizationPolicyName, string routeId)
{
if (string.IsNullOrEmpty(authorizationPolicyName))
{
return;
}
if (string.Equals(AuthorizationConstants.Default, authorizationPolicyName, StringComparison.OrdinalIgnoreCase))
{
return;
}
try
{
var policy = await _authorizationPolicyProvider.GetPolicyAsync(authorizationPolicyName);
if (policy == null)
{
errors.Add(new ArgumentException($"Authorization policy '{authorizationPolicyName}' not found for route '{routeId}'."));
}
}
catch (Exception ex)
{
errors.Add(new ArgumentException($"Unable to retrieve the authorization policy '{authorizationPolicyName}' for route '{routeId}'.", ex));
}
}
private static async Task <bool> AuthorizeWithPolicyAsync(
IDirectiveContext context,
AuthorizeDirective directive,
ClaimsPrincipal principal)
{
IServiceProvider services = context.Service <IServiceProvider>();
IAuthorizationService authorizeService =
services.GetService <IAuthorizationService>();
IAuthorizationPolicyProvider policyProvider =
services.GetService <IAuthorizationPolicyProvider>();
if (authorizeService == null || policyProvider == null)
{
return(string.IsNullOrWhiteSpace(directive.Policy));
}
AuthorizationPolicy policy = null;
if (directive.Roles.Count == 0 &&
string.IsNullOrWhiteSpace(directive.Policy))
{
policy = await policyProvider.GetDefaultPolicyAsync()
.ConfigureAwait(false);
if (policy == null)
{
context.Result = QueryError.CreateFieldError(
"The default authorization policy does not exist.",
context.FieldSelection);
}
}
else if (!string.IsNullOrWhiteSpace(directive.Policy))
{
policy = await policyProvider.GetPolicyAsync(directive.Policy)
.ConfigureAwait(false);
if (policy == null)
{
context.Result = QueryError.CreateFieldError(
$"The `{directive.Policy}` authorization policy " +
"does not exist.",
context.FieldSelection);
}
}
if (context.Result == null && policy != null)
{
AuthorizationResult result =
await authorizeService.AuthorizeAsync(principal, policy)
.ConfigureAwait(false);
return(result.Succeeded);
}
return(false);
}
public async Task InvokeAsync(HttpContext context)
{
if (context is null)
{
throw new ArgumentNullException(nameof(context));
}
var(useDefaultPolicy, policyName) = options is null
? (true, null)
: (options.UseDefault, options.PolicyName);
var policy = await(useDefaultPolicy
? policyProvider.GetDefaultPolicyAsync()
: policyProvider.GetPolicyAsync(policyName));
// Policy evaluator has transient lifetime so it fetched from request services instead of injecting in constructor
var policyEvaluator = context.RequestServices.GetRequiredService <IPolicyEvaluator>();
var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context);
var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, resource : null);
if (authorizeResult.Challenged)
{
if (policy.AuthenticationSchemes.Any())
{
foreach (var scheme in policy.AuthenticationSchemes)
{
await context.ChallengeAsync(scheme);
}
}
else
{
await context.ChallengeAsync();
}
return;
}
else if (authorizeResult.Forbidden)
{
if (policy.AuthenticationSchemes.Any())
{
foreach (var scheme in policy.AuthenticationSchemes)
{
await context.ForbidAsync(scheme);
}
}
else
{
await context.ForbidAsync();
}
return;
}
await(next?.Invoke(context) ?? Task.CompletedTask);
}
public void Apply(Operation operation, OperationFilterContext context)
{
//everything requires the public scope
var requiredRootPolicies = new[] { _appName, ApiConstants.PublicScope };
var apiDescription = context.ApiDescription;
var requiredScopes = apiDescription
.ActionAttributes()
.Union(apiDescription.ControllerAttributes())
.OfType <AuthorizeAttribute>() //Get all auth attributes from the action and controller
.Where(a => a.Policy != null) //There has to be a policy set
.Select(a => _provider.GetPolicyAsync(a.Policy).Result) //Lookup the policy
.SelectMany(p =>
p.Requirements //flatten the requirements
)
.Union(
//combine that with the global requirements
apiDescription.ActionDescriptor.FilterDescriptors
.Select(f => f.Filter)
.OfType <AuthorizeFilter>()
.Where(f => f.Policy?.Requirements != null)
.SelectMany(f =>
f.Policy?.Requirements
)
).OfType <ClaimsAuthorizationRequirement>() // we only care about scope claims
.Where(c => c.ClaimType == "Scope")
.SelectMany(c => c.AllowedValues)
.Union(requiredRootPolicies)
.Distinct()
.ToList();
operation.Responses.Add("400", new Response {
Description = "Bad Request", Examples = ValidationErrorObject
});
if (!requiredScopes.Any())
{
return;
}
operation.Responses.Add("401", new Response {
Description = "Unauthorized"
});
operation.Responses.Add("403", new Response {
Description = "Forbidden"
});
operation.Security = new List <IDictionary <string, IEnumerable <string> > >
{
new Dictionary <string, IEnumerable <string> >
{
{ "oidc", requiredScopes }
}
};
}
private async ValueTask ValidateAuthorizationPolicyAsync(IList <Exception> errors, string?authorizationPolicyName, string routeId)
{
if (string.IsNullOrEmpty(authorizationPolicyName))
{
return;
}
if (string.Equals(AuthorizationConstants.Default, authorizationPolicyName, StringComparison.OrdinalIgnoreCase))
{
var policy = await _authorizationPolicyProvider.GetPolicyAsync(authorizationPolicyName);
if (policy != null)
{
errors.Add(new ArgumentException($"The application has registered an authorization policy named '{authorizationPolicyName}' that conflicts with the reserved authorization policy name used on this route. The registered policy name needs to be changed for this route to function."));
}
return;
}
if (string.Equals(AuthorizationConstants.Anonymous, authorizationPolicyName, StringComparison.OrdinalIgnoreCase))
{
var policy = await _authorizationPolicyProvider.GetPolicyAsync(authorizationPolicyName);
if (policy != null)
{
errors.Add(new ArgumentException($"The application has registered an authorization policy named '{authorizationPolicyName}' that conflicts with the reserved authorization policy name used on this route. The registered policy name needs to be changed for this route to function."));
}
return;
}
try
{
var policy = await _authorizationPolicyProvider.GetPolicyAsync(authorizationPolicyName);
if (policy == null)
{
errors.Add(new ArgumentException($"Authorization policy '{authorizationPolicyName}' not found for route '{routeId}'."));
}
}
catch (Exception ex)
{
errors.Add(new ArgumentException($"Unable to retrieve the authorization policy '{authorizationPolicyName}' for route '{routeId}'.", ex));
}
}
/// <summary>
/// Combines the <see cref="AuthorizationPolicy"/> provided by the specified
/// <paramref name="policyProvider"/>.
/// </summary>
/// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param>
/// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param>
/// <returns>
/// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
/// authorization policies provided by the specified <paramref name="policyProvider"/>.
/// </returns>
public static async Task <AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
var policyBuilder = new AuthorizationPolicyBuilder();
var any = false;
foreach (var authorizeAttribute in authorizeData.OfType <AuthorizeAttribute>())
{
any = true;
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(authorizeAttribute.Policy))
{
var policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy);
if (policy == null)
{
throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeAttribute.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = authorizeAttribute.Roles?.Split(',');
if (rolesSplit != null && rolesSplit.Any())
{
var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireRole(trimmedRolesSplit);
useDefaultPolicy = false;
}
var authTypesSplit = authorizeAttribute.ActiveAuthenticationSchemes?.Split(',');
if (authTypesSplit != null && authTypesSplit.Any())
{
foreach (var authType in authTypesSplit)
{
if (!string.IsNullOrWhiteSpace(authType))
{
policyBuilder.AuthenticationSchemes.Add(authType.Trim());
}
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
}
}
return(any ? policyBuilder.Build() : null);
}
public async Task Invoke(HttpContext context, IProxyApplicationService applicationService, IPolicyEvaluator policyEvaluator)
{
var activeApplication = applicationService.GetActiveApplication();
var mode = context.Request.PathBase == ProxyMetaEndpoints.PathBase ? PathAuthOptions.AuthMode.Web :
activeApplication.GetPathMode(context.Request.Path);
if (!mode.HasValue)
{
context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
context.SetErrorDetail(Errors.Code.UnconfiguredPath, "Path has no authentication method configured.");
return;
}
if (mode == PathAuthOptions.AuthMode.None)
{
await _next(context);
return;
}
var policyName = mode == PathAuthOptions.AuthMode.Web ?
ProxyAuthComponents.GetWebPolicyName(activeApplication) :
ProxyAuthComponents.GetApiPolicyName(activeApplication);
var policy = await _policyProvider.GetPolicyAsync(policyName);
var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context);
var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, null);
var telemetry = context.Features.Get <RequestTelemetry>();
if (telemetry != null && authenticateResult.Succeeded)
{
telemetry.Context.User.Id = context.User.Identity.Name;
}
if (authorizeResult.Challenged)
{
await context.ChallengeAsync(policy.AuthenticationSchemes.First());
}
else if (authorizeResult.Forbidden)
{
await context.ForbidAsync(policy.AuthenticationSchemes.First());
}
else
{
await _next(context);
}
}
/// <summary>
/// Checks if a user meets a specific authorization policy.
/// </summary>
/// <param name="user">The user to check the policy against.</param>
/// <param name="resource">The resource the policy should be checked with.</param>
/// <param name="policyName">The name of the policy to check against a specific context.</param>
/// <returns>
/// A flag indicating whether authorization has succeeded.
/// This value is <value>true</value> when the user fulfills the policy otherwise <value>false</value>.
/// </returns>
public virtual async Task <AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object?resource, string policyName)
{
if (policyName == null)
{
throw new ArgumentNullException(nameof(policyName));
}
var policy = await _policyProvider.GetPolicyAsync(policyName).ConfigureAwait(false);
if (policy == null)
{
throw new InvalidOperationException($"No policy found: {policyName}.");
}
return(await this.AuthorizeAsync(user, resource, policy).ConfigureAwait(false));
}
public async Task <bool> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName)
{
if (policyName == null)
{
throw new ArgumentNullException(nameof(policyName));
}
var policy = await _policyProvider.GetPolicyAsync(policyName);
if (policy == null)
{
throw new InvalidOperationException($"No policy found: {policyName}.");
}
return(await this.AuthorizeAsync(user, resource, policy));
}
public async Task <AuthorizationContext> GetAuthorizationContextAsync(object implementation, MethodInfo methodInfo)
{
Type[] parameterTypes = methodInfo.GetParameters().Select(x => x.ParameterType).ToArray();
if (parameterTypes.Length == 0)
{
parameterTypes = Type.EmptyTypes;
}
MethodInfo concreteMethod = implementation.GetType().GetMethod(methodInfo.Name, parameterTypes);
AuthorizeAttribute authorizeAttribute = concreteMethod.DeclaringType.GetCustomAttribute <AuthorizeAttribute>();
// overwrite by action attribute
authorizeAttribute = concreteMethod.GetCustomAttribute <AuthorizeAttribute>() ?? authorizeAttribute;
if (authorizeAttribute == null)
{
return(null);
}
if (authorizeAttribute.Roles != null && authorizeAttribute.Policy != null)
{
throw new NotSupportedException("You must specify either Roles or Policy");
}
AuthorizationPolicy policy;
if (authorizeAttribute.Roles != null)
{
var builder = new AuthorizationPolicyBuilder(authorizeAttribute.AuthenticationSchemes.Split(','));
builder.RequireRole(authorizeAttribute.Roles.Split(','));
policy = builder.Build();
}
else if (authorizeAttribute.Policy != null)
{
policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy)
?? throw new ArgumentException($"Policy {authorizeAttribute.Policy} does not exist");
}
else
{
policy = await policyProvider.GetDefaultPolicyAsync();
}
return(new AuthorizationContext
{
Policy = policy
});
}
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var scopes = GoogleScopedAuthorizeAttribute.ParsePolicy(policyName);
if (scopes != null)
{
// A GoogleScoped policy.
var policy = new AuthorizationPolicyBuilder(_scheme);
policy.RequireAuthenticatedUser();
policy.AddRequirements(new GoogleScopedRequirement(_scheme, scopes));
return(Task.FromResult(policy.Build()));
}
else
{
// Not a GoogleScoped policy, use default behaviour.
return(_default.GetPolicyAsync(policyName));
}
}
public async Task OnPageHandlerSelectionAsync(PageHandlerSelectedContext context)
{
if (context.ActionDescriptor.ModelTypeInfo != typeof(Pages.IndexModel))
{
throw new NotSupportedException("This only works for IndexModel.");
}
if (context.HandlerMethod.MethodInfo !=
typeof(Pages.IndexModel).GetMethod(nameof(Pages.IndexModel.OnPostAuthorized)))
{
return;
}
var policy = await policyProvider.GetPolicyAsync("YourAuthPolicyHere");
// Or you may use the default policy if you don't have a specific policy configured.
// var policy = policyProvider.GetDefaultPolicyAsync();
await AuthoorizeAsync(context, policy);
}
/// <summary>
/// Combines the <see cref="AuthorizationPolicy"/> provided by the specified
/// <paramref name="policyProvider"/>.
/// </summary>
/// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param>
/// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param>
/// <returns>
/// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
/// authorization policies provided by the specified <paramref name="policyProvider"/>.
/// </returns>
public static async Task <AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
var policyBuilder = new AuthorizationPolicyBuilder();
var any = false;
foreach (var authorizeDatum in authorizeData)
{
any = true;
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy))
{
var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy);
if (policy == null)
{
//throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy));
throw new InvalidOperationException(nameof(authorizeDatum.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = authorizeDatum.Roles?.Split(',');
if (rolesSplit != null && rolesSplit.Any())
{
var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireRole(trimmedRolesSplit);
useDefaultPolicy = false;
}
if (authorizeDatum is IPermissionAuthorizeData permissionAuthorizeDatum)
{
var groupsSplit = permissionAuthorizeDatum.Groups?.Split(',');
if (groupsSplit != null && groupsSplit.Any())
{
var trimmedGroupsSplit = groupsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireClaim(TubumuClaimTypes.Group, trimmedGroupsSplit);
//policyBuilder.AddRequirements(new GroupsAuthorizationRequirement(trimmedGroupsSplit));
useDefaultPolicy = false;
}
var permissionsSplit = permissionAuthorizeDatum.Permissions?.Split(',');
if (permissionsSplit != null && permissionsSplit.Any())
{
var trimmedPermissionsSplit = permissionsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireClaim(TubumuClaimTypes.Permission, trimmedPermissionsSplit);
//policyBuilder.AddRequirements(new PermissionsAuthorizationRequirement(trimmedPermissionsSplit));
useDefaultPolicy = false;
}
}
var authTypesSplit = authorizeDatum.AuthenticationSchemes?.Split(',');
if (authTypesSplit != null && authTypesSplit.Any())
{
foreach (var authType in authTypesSplit)
{
if (!string.IsNullOrWhiteSpace(authType))
{
policyBuilder.AuthenticationSchemes.Add(authType.Trim());
}
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
}
}
return(any ? policyBuilder.Build() : null);
}
/// <summary>
/// Combines the <see cref="AuthorizationPolicy"/> provided by the specified
/// <paramref name="policyProvider"/>.
/// </summary>
/// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param>
/// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param>
/// <returns>
/// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
/// authorization policies provided by the specified <paramref name="policyProvider"/>.
/// </returns>
public static async Task <AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
var policyBuilder = new AuthorizationPolicyBuilder();
var any = false;
foreach (var authorizeAttribute in authorizeData)
{
any = true;
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(authorizeAttribute.Policy))
{
var policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy);
if (policy == null)
{
throw new InvalidOperationException(ResourceHelper.FormatException_AuthorizationPolicyNotFound(authorizeAttribute.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
if (!string.IsNullOrWhiteSpace(authorizeAttribute.Roles))
{
policyBuilder.RequireRole(SplitAndTrim(authorizeAttribute.Roles));
useDefaultPolicy = false;
}
if (!string.IsNullOrWhiteSpace(authorizeAttribute.ActiveAuthenticationSchemes))
{
policyBuilder.AddAuthenticationSchemes(SplitAndTrim(authorizeAttribute.ActiveAuthenticationSchemes));
useDefaultPolicy = false;
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
}
}
if (any)
{
if (policyBuilder.AuthenticationSchemes.Count > 0)
{
if (policyBuilder.Requirements.Count == 0)
{
policyBuilder.RequireAuthenticatedUser();
}
}
return(policyBuilder.Build());
}
return(null);
}
/// <summary>
/// Combines the <see cref="AuthorizationPolicy"/> provided by the specified
/// <paramref name="policyProvider"/>.
/// </summary>
/// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param>
/// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param>
/// <returns>
/// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
/// authorization policies provided by the specified <paramref name="policyProvider"/>.
/// </returns>
public static async Task <AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
// Avoid allocating enumerator if the data is known to be empty
var skipEnumeratingData = false;
if (authorizeData is IList <IAuthorizeData> dataList)
{
skipEnumeratingData = dataList.Count == 0;
}
AuthorizationPolicyBuilder policyBuilder = null;
if (!skipEnumeratingData)
{
foreach (var authorizeDatum in authorizeData)
{
if (policyBuilder == null)
{
policyBuilder = new AuthorizationPolicyBuilder();
}
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy))
{
var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy);
if (policy == null)
{
throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = authorizeDatum.Roles?.Split(',');
if (rolesSplit != null && rolesSplit.Any())
{
var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireRole(trimmedRolesSplit);
useDefaultPolicy = false;
}
var authTypesSplit = authorizeDatum.AuthenticationSchemes?.Split(',');
if (authTypesSplit != null && authTypesSplit.Any())
{
foreach (var authType in authTypesSplit)
{
if (!string.IsNullOrWhiteSpace(authType))
{
policyBuilder.AuthenticationSchemes.Add(authType.Trim());
}
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
}
}
}
var requiredPolicy = await policyProvider.GetRequiredPolicyAsync();
if (requiredPolicy != null)
{
if (policyBuilder == null)
{
policyBuilder = new AuthorizationPolicyBuilder();
}
policyBuilder.Combine(requiredPolicy);
}
return(policyBuilder?.Build());
}
/// <summary>
/// Combines the <see cref="AuthorizationPolicy"/> provided by the specified
/// <paramref name="policyProvider"/>.
/// </summary>
/// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param>
/// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param>
/// <param name="policies">A collection of <see cref="AuthorizationPolicy"/> policies to combine.</param>
/// <returns>
/// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
/// authorization policies provided by the specified <paramref name="policyProvider"/>.
/// </returns>
public static async Task <AuthorizationPolicy?> CombineAsync(IAuthorizationPolicyProvider policyProvider,
IEnumerable <IAuthorizeData> authorizeData,
IEnumerable <AuthorizationPolicy> policies)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
var anyPolicies = policies.Any();
// Avoid allocating enumerator if the data is known to be empty
var skipEnumeratingData = false;
if (authorizeData is IList <IAuthorizeData> dataList)
{
skipEnumeratingData = dataList.Count == 0;
}
AuthorizationPolicyBuilder?policyBuilder = null;
if (!skipEnumeratingData)
{
foreach (var authorizeDatum in authorizeData)
{
if (policyBuilder == null)
{
policyBuilder = new AuthorizationPolicyBuilder();
}
var useDefaultPolicy = !(anyPolicies);
if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy))
{
var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy).ConfigureAwait(false);
if (policy == null)
{
throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = authorizeDatum.Roles?.Split(',');
if (rolesSplit?.Length > 0)
{
var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireRole(trimmedRolesSplit);
useDefaultPolicy = false;
}
var authTypesSplit = authorizeDatum.AuthenticationSchemes?.Split(',');
if (authTypesSplit?.Length > 0)
{
foreach (var authType in authTypesSplit)
{
if (!string.IsNullOrWhiteSpace(authType))
{
policyBuilder.AuthenticationSchemes.Add(authType.Trim());
}
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync().ConfigureAwait(false));
}
}
}
if (anyPolicies)
{
policyBuilder ??= new();
foreach (var policy in policies)
{
policyBuilder.Combine(policy);
}
}
// If we have no policy by now, use the fallback policy if we have one
if (policyBuilder == null)
{
var fallbackPolicy = await policyProvider.GetFallbackPolicyAsync().ConfigureAwait(false);
if (fallbackPolicy != null)
{
return(fallbackPolicy);
}
}
return(policyBuilder?.Build());
}
/// <summary>
/// Combines the <see cref="AuthorizationPolicy"/> provided by the specified
/// <paramref name="policyProvider"/>.
/// </summary>
/// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param>
/// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param>
/// <returns>
/// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
/// authorization policies provided by the specified <paramref name="policyProvider"/>.
/// </returns>
public static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
var policyBuilder = new AuthorizationPolicyBuilder();
var any = false;
foreach (var authorizeAttribute in authorizeData.OfType<AuthorizeAttribute>())
{
any = true;
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(authorizeAttribute.Policy))
{
var policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy);
if (policy == null)
{
throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeAttribute.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = authorizeAttribute.Roles?.Split(',');
if (rolesSplit != null && rolesSplit.Any())
{
var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireRole(trimmedRolesSplit);
useDefaultPolicy = false;
}
var authTypesSplit = authorizeAttribute.ActiveAuthenticationSchemes?.Split(',');
if (authTypesSplit != null && authTypesSplit.Any())
{
foreach (var authType in authTypesSplit)
{
if (!string.IsNullOrWhiteSpace(authType))
{
policyBuilder.AuthenticationSchemes.Add(authType.Trim());
}
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
}
}
return any ? policyBuilder.Build() : null;
}
public async Task <AuthorizationPolicy> CombineAsync(AuthorizeData authorizeData)
{
// Avoid allocating enumerator if the data is known to be empty
var skip = authorizeData == null;
if (skip)
{ // If we have no policy by now, use the fallback policy if we have one
var fallbackPolicy = await PolicyProvider.GetFallbackPolicyAsync();
if (fallbackPolicy != null)
{
return(fallbackPolicy);
}
}
else
{
AuthorizationPolicyBuilder policyBuilder = new AuthorizationPolicyBuilder();
var useDefaultPolicy = true;
if (authorizeData.DeniedAll)
{
policyBuilder.AddRequirements(new DenyAllAuthorizationRequirement(true));
useDefaultPolicy = false;
}
else
{
if (!authorizeData.AuthenticationSchemes.IsNullOrEmpty())
{
foreach (string scheme in authorizeData.AuthenticationSchemes)
{
policyBuilder.AuthenticationSchemes.Add(scheme.Trim());
}
}
// 假如允许所有角色访问,只需要求登录即可
if (authorizeData.AllowedAllRoles)
{
policyBuilder.RequireAuthenticatedUser();
useDefaultPolicy = false;
}
else
{
if (!authorizeData.Policies.IsNullOrEmpty())
{
foreach (string policyName in authorizeData.Policies)
{
var policy = await PolicyProvider.GetPolicyAsync(policyName);
if (policy == null)
{
throw new InvalidOperationException($"找不到名为: '{policyName}'的策略!");
}
policyBuilder.Combine(policy);
}
useDefaultPolicy = false;
}
if (!authorizeData.AllowedUsers.IsNullOrEmpty() || !authorizeData.AllowedRoles.IsNullOrEmpty())
{
policyBuilder.AddRequirements(new RolesOrUsersAuthorizationRequirement(authorizeData.AllowedUsers, authorizeData.AllowedRoles));
useDefaultPolicy = false;
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await PolicyProvider.GetDefaultPolicyAsync());
}
}
return(policyBuilder?.Build());
}
return(null);
}
private static async Task <bool> AuthorizeWithPolicyAsync(
IDirectiveContext context,
AuthorizeDirective directive,
ClaimsPrincipal principal)
{
IServiceProvider services = context.Service <IServiceProvider>();
IAuthorizationService authorizeService =
services.GetService <IAuthorizationService>();
IAuthorizationPolicyProvider policyProvider =
services.GetService <IAuthorizationPolicyProvider>();
if (authorizeService == null || policyProvider == null)
{
return(string.IsNullOrWhiteSpace(directive.Policy));
}
AuthorizationPolicy policy = null;
if (directive.Roles.Count == 0 &&
string.IsNullOrWhiteSpace(directive.Policy))
{
policy = await policyProvider.GetDefaultPolicyAsync()
.ConfigureAwait(false);
if (policy == null)
{
context.Result = context.Result = ErrorBuilder.New()
.SetMessage(
AuthResources.AuthorizeMiddleware_NoDefaultPolicy)
.SetCode(AuthErrorCodes.NoDefaultPolicy)
.SetPath(context.Path)
.AddLocation(context.FieldSelection)
.Build();
}
}
else if (!string.IsNullOrWhiteSpace(directive.Policy))
{
policy = await policyProvider.GetPolicyAsync(directive.Policy)
.ConfigureAwait(false);
if (policy == null)
{
context.Result = ErrorBuilder.New()
.SetMessage(string.Format(
CultureInfo.InvariantCulture,
AuthResources.AuthorizeMiddleware_PolicyNotFound,
directive.Policy))
.SetCode(AuthErrorCodes.PolicyNotFound)
.SetPath(context.Path)
.AddLocation(context.FieldSelection)
.Build();
}
}
if (context.Result == null && policy != null)
{
AuthorizationResult result =
await authorizeService.AuthorizeAsync(
principal, context, policy)
.ConfigureAwait(false);
return(result.Succeeded);
}
return(false);
}