public override async Task <PolicyAuthorizationResult> AuthorizeAsync(
AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource
)
{
// This call will check 2 places (requirements):
// - AnyValidPermissionRequirementHandler
// - ActionAuthorizationRequirementHandler OR the default [Authorize]
var result = await base.AuthorizeAsync(policy, authenticationResult, context, resource);
if (result.Challenged)
{
context.Items[contextKey] = new UnauthorizedException(GetExceptionMessageFromHttpContext());
return(PolicyAuthorizationResult.Challenge());
}
else if (result.Forbidden)
{
// If user is authenticated but not allowed, send them to a special error page
if (context.User.Identity.IsAuthenticated)
{
context.Items[contextKey] = new ForbiddenException(GetExceptionMessageFromHttpContext());
return(PolicyAuthorizationResult.Forbid());
}
}
return(result);
}
public async Task <PolicyAuthorizationResult> AuthorizeAsync(
AuthorizationPolicy policy,
AuthenticateResult authenticationResult,
HttpContext context,
object resource)
{
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
var result = await _authorization.AuthorizeAsync(context.User, resource, policy);
if (result.Succeeded)
{
_logger.PolicySucceed();
return(PolicyAuthorizationResult.Success());
}
// If authentication was successful, return forbidden, otherwise challenge
if (authenticationResult.Succeeded)
{
_logger.PolicyFailToForbid();
return(PolicyAuthorizationResult.Forbid());
}
_logger.PolicyFailToChallenge();
return(PolicyAuthorizationResult.Challenge());
}
public async Task <PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy,
AuthenticateResult authenticationResult, HttpContext context,
ICasbinAuthorizationContext casbinContext, object?resource)
{
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
if (casbinContext == null)
{
throw new ArgumentNullException(nameof(casbinContext));
}
var result = await _authorizationService.AuthorizeAsync(context.User, casbinContext, policy);
if (result.Succeeded)
{
return(PolicyAuthorizationResult.Success());
}
// If authentication was successful, return forbidden, otherwise challenge
return(authenticationResult.Succeeded
? PolicyAuthorizationResult.Forbid()
: PolicyAuthorizationResult.Challenge());
}
public Task <PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context,
object resource)
{
if (!authenticationResult.Succeeded)
{
return(Task.FromResult(PolicyAuthorizationResult.Forbid()));
}
return(Task.FromResult(PolicyAuthorizationResult.Success()));
}
public async Task NotCallRequestDelegate_If_PolicyAuthorizationResultWasForbidden()
{
var requestDelegate = new Mock <RequestDelegate>();
var httpContext = CreateHttpContext();
var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
var policyAuthorizationResult = PolicyAuthorizationResult.Forbid();
var handler = CreateAuthorizationMiddlewareResultHandler();
await handler.HandleAsync(requestDelegate.Object, httpContext, policy, policyAuthorizationResult);
requestDelegate.Verify(next => next(It.IsAny <HttpContext>()), Times.Never);
}
public async Task ForbidWithoutAuthenticationScheme_If_PolicyAuthorizationResultWasForbidden()
{
var authenticationServiceMock = new Mock <IAuthenticationService>();
var requestDelegate = new Mock <RequestDelegate>();
var httpContext = CreateHttpContext(authenticationServiceMock.Object);
var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
var policyAuthorizationResult = PolicyAuthorizationResult.Forbid();
var handler = CreateAuthorizationMiddlewareResultHandler();
await handler.HandleAsync(requestDelegate.Object, httpContext, policy, policyAuthorizationResult);
authenticationServiceMock.Verify(service => service.ForbidAsync(httpContext, null, null), Times.Once);
}
public void OnAuthorizationAsync_Should_Set_Result_When_Authorization_Is_Forbidden()
{
var policyEvaluator = Substitute.For <IPolicyEvaluator>();
_actionContext.HttpContext.RequestServices = Substitute.For <IServiceProvider>();
_actionContext.HttpContext.RequestServices.GetService(Arg.Any <Type>()).Returns(policyEvaluator);
var authorizeResult = PolicyAuthorizationResult.Forbid();
policyEvaluator.AuthorizeAsync(Arg.Any <AuthorizationPolicy>(), Arg.Any <AuthenticateResult>(), Arg.Any <HttpContext>(), Arg.Any <object>()).Returns(authorizeResult);
var context = new AuthorizationFilterContext(_actionContext, Substitute.For <IList <IFilterMetadata> >());
_filter.OnAuthorizationAsync(context);
context.Result.Should().BeAssignableTo <ObjectResult>();
context.Result.As <ObjectResult>().StatusCode.Should().Be(StatusCodes.Status403Forbidden);
context.Result.As <ObjectResult>().Value.Should().BeAssignableTo <ApiResponse>();
context.Result.As <ObjectResult>().Value.As <ApiResponse>().Message.Should().Be("Forbidden.");
context.Result.As <ObjectResult>().Value.As <ApiResponse>().Data.As <IEnumerable <string> >().Should().BeEquivalentTo(_authenticationScheme);
}
public async Task ForbidEachAuthenticationScheme_If_PolicyAuthorizationResultWasForbidden()
{
var authenticationServiceMock = new Mock <IAuthenticationService>();
var requestDelegate = new Mock <RequestDelegate>();
var httpContext = CreateHttpContext(authenticationServiceMock.Object);
var firstScheme = Guid.NewGuid().ToString();
var secondScheme = Guid.NewGuid().ToString();
var thirdScheme = Guid.NewGuid().ToString();
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.AddAuthenticationSchemes(firstScheme, secondScheme, thirdScheme)
.Build();
var policyAuthorizationResult = PolicyAuthorizationResult.Forbid();
var handler = CreateAuthorizationMiddlewareResultHandler();
await handler.HandleAsync(requestDelegate.Object, httpContext, policy, policyAuthorizationResult);
authenticationServiceMock.Verify(service => service.ForbidAsync(httpContext, It.IsAny <string>(), null), Times.Exactly(3));
authenticationServiceMock.Verify(service => service.ForbidAsync(httpContext, firstScheme, null), Times.Once);
authenticationServiceMock.Verify(service => service.ForbidAsync(httpContext, secondScheme, null), Times.Once);
authenticationServiceMock.Verify(service => service.ForbidAsync(httpContext, thirdScheme, null), Times.Once);
}
private static async Task <PolicyAuthorizationResult> AuthorizeAsync(
IAuthorizationService service,
AuthorizationPolicy policy,
AuthenticateResult authenticationResult,
HttpContext context,
object resource)
{
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
var result = await service.AuthorizeAsync(context.User, resource, policy);
if (result.Succeeded)
{
return(PolicyAuthorizationResult.Success());
}
return(authenticationResult.Succeeded
? PolicyAuthorizationResult.Forbid()
: PolicyAuthorizationResult.Challenge());
}
public async Task <PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource)
{
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
var result = await _authorization.AuthorizeAsync(context.User, resource, policy);
if (result.Succeeded)
{
return(PolicyAuthorizationResult.Success());
}
//if (result.Failure?.FailedRequirements.Any(x => x is AuthorizationClaimsRequirement) ?? false)
//{
// context.SetErrorDetail(Errors.Code.NoAuthorizationClaims, "Authorization claim is missing from the authenticated token.");
//}
// If authentication was successful, return forbidden, otherwise challenge
return((authenticationResult.Succeeded)
? PolicyAuthorizationResult.Forbid()
: PolicyAuthorizationResult.Challenge());
}
public async Task Invoke_SseRequest_AuthorizationWithSchemes_PolicyAuthorizationResultForbid_CallsForbidAsyncForEveryScheme()
{
Mock <IAuthenticationService> authenticationServiceMock = new Mock <IAuthenticationService>();
ServerSentEventsMiddleware <ServerSentEventsService> serverSentEventsMiddleware = PrepareServerSentEventsMiddleware(new ServerSentEventsAuthorization {
AuthenticationSchemes = "schema1,schema2"
});
HttpContext context = PrepareHttpContext(authenticationServiceMock);
Mock <IPolicyEvaluator> policyEvaluatorMock = PreparePolicyEvaluatorMock(context, policyAuthorizationResult: PolicyAuthorizationResult.Forbid());
await serverSentEventsMiddleware.Invoke(context, policyEvaluatorMock.Object);
authenticationServiceMock.Verify(m => m.ForbidAsync(context, "schema1", null), Times.Once);
authenticationServiceMock.Verify(m => m.ForbidAsync(context, "schema2", null), Times.Once);
}