private void CheckAuth(
INode node,
IProvideMetadata type,
IProvideClaimsPrincipal userContext,
ValidationContext context,
OperationType operationType)
{
if (type == null || !type.RequiresAuthorization())
{
return;
}
var result = type
.Authorize(userContext?.User, context.UserContext, context.Inputs, _evaluator)
.GetAwaiter()
.GetResult();
if (result.Succeeded)
{
return;
}
var errors = string.Join("\n", result.Errors);
context.ReportError(new ValidationError(
context.OriginalQuery,
"authorization",
$"You are not authorized to run this {operationType.ToString().ToLower()}.\n{errors}",
node));
}
private void CheckAuth(
INode node,
IProvideMetadata provider,
IProvideClaimsPrincipal userContext,
ValidationContext context,
OperationType?operationType)
{
if (provider == null || !provider.RequiresAuthorization())
{
return;
}
// TODO: async -> sync transition
var result = _evaluator
.Evaluate(userContext?.User, context.UserContext, context.Inputs, provider.GetPolicies())
.GetAwaiter()
.GetResult();
if (result.Succeeded)
{
return;
}
string errors = string.Join("\n", result.Errors);
context.ReportError(new ValidationError(
context.Document.OriginalQuery,
"authorization",
$"You are not authorized to run this {operationType.ToString().ToLower()}.\n{errors}",
node));
}
private async Task AuthorizeAsync(
INode node,
IProvideMetadata type,
IProvideClaimsPrincipal userContext,
ValidationContext context,
OperationType operationType)
{
if (type == null || !type.RequiresAuthorization())
{
return;
}
if (userContext == null)
{
throw new ArgumentNullException(
nameof(userContext),
$"You must register a user context that implements {nameof(IProvideClaimsPrincipal)}.");
}
var policyNames = type.GetPolicies();
if (policyNames.Count == 0)
{
return;
}
var tasks = new List <Task <AuthorizationResult> >(policyNames.Count);
foreach (var policyName in policyNames)
{
var task = _authorizationService.AuthorizeAsync(userContext?.User, policyName);
tasks.Add(task);
}
await Task.WhenAll(tasks);
foreach (var task in tasks)
{
var result = task.Result;
if (!result.Succeeded)
{
var stringBuilder = new StringBuilder("You are not authorized to run this ");
stringBuilder.Append(operationType.ToString().ToLower());
stringBuilder.AppendLine(".");
if (_options.IncludeErrorDetails)
{
foreach (var failure in result.Failure.FailedRequirements)
{
AppendFailureLine(stringBuilder, failure);
}
}
context.ReportError(
new ValidationError(context.OriginalQuery, "authorization", stringBuilder.ToString(), node));
}
}
}
private void CheckAuth(
INode node,
IProvideMetadata type,
IProvideClaimsPrincipal userContext,
ValidationContext context,
OperationType operationType)
{
if (type == null || !type.RequiresAuthorization())
{
return;
}
var result = type
.Authorize(userContext?.User, context.UserContext, null, _evaluator) //context.Inputs
.GetAwaiter()
.GetResult();
if (result.Succeeded)
{
return;
}
//var errors = string.Join("\n", result.Errors); // contain revealing information so not using
var failedPolicies = new List <string>();
try
{
var authPolicies = type.Metadata.FirstOrDefault(_ => _.Key == "Authorization__Policies");
failedPolicies = authPolicies.Value as List <string>;
}
catch
{
failedPolicies?.Add("Unknown");
}
var failedPolicyReport = string.Join("\n", failedPolicies ?? new List <string>());
var errorMessage = $"You are not authorized to run this {operationType.ToString().ToLower()}." +
$"\nRequired policies: " +
$"\n{failedPolicyReport}";
if (node.GetType() == typeof(Field))
{
errorMessage += $"\nField: {((Field)node).Name}";
}
context.ReportError(new ValidationError(
context.OriginalQuery,
"authorization",
errorMessage, node));
}
