public BaleaTagHelper(
IHttpContextAccessor httpContextAccessor,
IRuntimeAuthorizationServerStore store,
IPermissionEvaluator permissionEvaluator)
{
this.httpContextAccessor = httpContextAccessor ?? throw new ArgumentNullException(nameof(httpContextAccessor));
this.store = store ?? throw new ArgumentNullException(nameof(store));
this.permissionEvaluator = permissionEvaluator ?? throw new ArgumentNullException(nameof(permissionEvaluator));
}
public BaleaPolicyEvaluator(
IAuthorizationService authorization,
IRuntimeAuthorizationServerStore store,
BaleaOptions options)
: base(authorization)
{
_store = store;
_options = options;
}
public BaleaPolicyEvaluator(
IAuthorizationService authorization,
IRuntimeAuthorizationServerStore store,
BaleaOptions options,
ILogger <BaleaPolicyEvaluator> logger)
{
_authorization = authorization;
_store = store;
_options = options;
_logger = logger;
}
public AbacAuthorizationHandler(
AbacAuthorizationContextFactory abacAuthorizationContextFactory,
IRuntimeAuthorizationServerStore runtimeAuthorizationServerStore,
ILogger <AbacAuthorizationHandler> logger)
{
Ensure.Argument.NotNull(abacAuthorizationContextFactory, nameof(abacAuthorizationContextFactory));
Ensure.Argument.NotNull(runtimeAuthorizationServerStore, nameof(runtimeAuthorizationServerStore));
Ensure.Argument.NotNull(logger, nameof(logger));
_abacAuthorizationContextFactory = abacAuthorizationContextFactory;
_runtimeAuthorizationServerStore = runtimeAuthorizationServerStore;
_logger = logger;
}
public async Task InvokeAsync(HttpContext context, IRuntimeAuthorizationServerStore store, BaleaOptions options)
{
var endpoint = context.GetEndpoint();
if (context.User.Identity.IsAuthenticated && endpoint.Metadata.GetMetadata <IAuthorizeData>() != null)
{
if (context.Items.ContainsKey(AuthorizationMiddlewareInvokedKey))
{
ThrowMissingAuthMiddlewareException();
}
var authorization = await store
.FindAuthorizationAsync(context.User);
if (!context.Response.HasStarted && options.UnauthorizedFallback != null && !authorization.Roles.Any())
{
await options.UnauthorizedFallback(context);
return;
}
var roleClaims = authorization.Roles
.Where(role => role.Enabled)
.Select(role => new Claim(options.DefaultClaimTypeMap.RoleClaimType, role.Name));
var permissionClaims = authorization.Roles
.SelectMany(role => role.GetPermissions())
.Distinct()
.Select(permission => new Claim(options.DefaultClaimTypeMap.PermissionClaimType, permission));
var identity = new ClaimsIdentity(
authenticationType: nameof(BaleaMiddleware),
nameType: options.DefaultClaimTypeMap.NameClaimType,
roleType: options.DefaultClaimTypeMap.RoleClaimType);
identity.AddClaims(roleClaims);
identity.AddClaims(permissionClaims);
if (authorization.Delegation != null)
{
identity.AddClaim(new Claim(BaleaClaims.DelegatedBy, authorization.Delegation.Who));
identity.AddClaim(new Claim(BaleaClaims.DelegatedFrom, authorization.Delegation.From.ToString()));
identity.AddClaim(new Claim(BaleaClaims.DelegatedTo, authorization.Delegation.To.ToString()));
}
context.User.AddIdentity(identity);
}
await _next(context);
}
