private void CheckAuth( INode node, IProvideMetadata type, IProvideClaimsPrincipal userContext, ValidationContext context, OperationType operationType) { if (type == null || !type.RequiresAuthorization()) { return; } var result = type .Authorize(userContext?.User, context.UserContext, context.Inputs, _evaluator) .GetAwaiter() .GetResult(); if (result.Succeeded) { return; } var errors = string.Join("\n", result.Errors); context.ReportError(new ValidationError( context.OriginalQuery, "authorization", $"You are not authorized to run this {operationType.ToString().ToLower()}.\n{errors}", node)); }
private void CheckAuth( INode node, IProvideMetadata provider, IProvideClaimsPrincipal userContext, ValidationContext context, OperationType?operationType) { if (provider == null || !provider.RequiresAuthorization()) { return; } // TODO: async -> sync transition var result = _evaluator .Evaluate(userContext?.User, context.UserContext, context.Inputs, provider.GetPolicies()) .GetAwaiter() .GetResult(); if (result.Succeeded) { return; } string errors = string.Join("\n", result.Errors); context.ReportError(new ValidationError( context.Document.OriginalQuery, "authorization", $"You are not authorized to run this {operationType.ToString().ToLower()}.\n{errors}", node)); }
private async Task AuthorizeAsync( INode node, IProvideMetadata type, IProvideClaimsPrincipal userContext, ValidationContext context, OperationType operationType) { if (type == null || !type.RequiresAuthorization()) { return; } if (userContext == null) { throw new ArgumentNullException( nameof(userContext), $"You must register a user context that implements {nameof(IProvideClaimsPrincipal)}."); } var policyNames = type.GetPolicies(); if (policyNames.Count == 0) { return; } var tasks = new List <Task <AuthorizationResult> >(policyNames.Count); foreach (var policyName in policyNames) { var task = _authorizationService.AuthorizeAsync(userContext?.User, policyName); tasks.Add(task); } await Task.WhenAll(tasks); foreach (var task in tasks) { var result = task.Result; if (!result.Succeeded) { var stringBuilder = new StringBuilder("You are not authorized to run this "); stringBuilder.Append(operationType.ToString().ToLower()); stringBuilder.AppendLine("."); if (_options.IncludeErrorDetails) { foreach (var failure in result.Failure.FailedRequirements) { AppendFailureLine(stringBuilder, failure); } } context.ReportError( new ValidationError(context.OriginalQuery, "authorization", stringBuilder.ToString(), node)); } } }
private void CheckAuth( INode node, IProvideMetadata type, IProvideClaimsPrincipal userContext, ValidationContext context, OperationType operationType) { if (type == null || !type.RequiresAuthorization()) { return; } var result = type .Authorize(userContext?.User, context.UserContext, null, _evaluator) //context.Inputs .GetAwaiter() .GetResult(); if (result.Succeeded) { return; } //var errors = string.Join("\n", result.Errors); // contain revealing information so not using var failedPolicies = new List <string>(); try { var authPolicies = type.Metadata.FirstOrDefault(_ => _.Key == "Authorization__Policies"); failedPolicies = authPolicies.Value as List <string>; } catch { failedPolicies?.Add("Unknown"); } var failedPolicyReport = string.Join("\n", failedPolicies ?? new List <string>()); var errorMessage = $"You are not authorized to run this {operationType.ToString().ToLower()}." + $"\nRequired policies: " + $"\n{failedPolicyReport}"; if (node.GetType() == typeof(Field)) { errorMessage += $"\nField: {((Field)node).Name}"; } context.ReportError(new ValidationError( context.OriginalQuery, "authorization", errorMessage, node)); }