public void CanCombineAuthorizeAttributes()
{
// Arrange
var attributes = new AuthorizeAttribute[] {
new AuthorizeAttribute(),
new AuthorizeAttribute("1") { ActiveAuthenticationSchemes = "dupe" },
new AuthorizeAttribute("2") { ActiveAuthenticationSchemes = "dupe" },
new AuthorizeAttribute { Roles = "r1,r2", ActiveAuthenticationSchemes = "roles" },
};
var options = new AuthorizationOptions();
options.AddPolicy("1", policy => policy.RequireClaim("1"));
options.AddPolicy("2", policy => policy.RequireClaim("2"));
// Act
var combined = AuthorizationPolicy.Combine(options, attributes);
// Assert
Assert.Equal(2, combined.ActiveAuthenticationSchemes.Count());
Assert.True(combined.ActiveAuthenticationSchemes.Contains("dupe"));
Assert.True(combined.ActiveAuthenticationSchemes.Contains("roles"));
Assert.Equal(4, combined.Requirements.Count());
Assert.True(combined.Requirements.Any(r => r is DenyAnonymousAuthorizationRequirement));
Assert.Equal(2, combined.Requirements.OfType<ClaimsAuthorizationRequirement>().Count());
Assert.Equal(1, combined.Requirements.OfType<RolesAuthorizationRequirement>().Count());
}
public static void Authorization(AuthorizationOptions options)
{
options.AddPolicy(CookieMonsterSecurity.OnlyGoodMonstersPolicy, policy =>
{
policy.AuthenticationSchemes.Add(CookieMonsterAuthenticationSchema);
// Custom requirement
policy.AddRequirements(new IsGoodMonsterRequirement());
});
}
public static void Configuration(AuthorizationOptions options)
{
options.AddPolicy(Admin, policy =>
{
policy.RequireClaim("ManageUsers", "Allowed");
policy.RequireClaim("ManageTenants", "Allowed");
});
options.AddPolicy(Tenant, policy =>
{
policy.RequireClaim("ManageTenants", "Allowed");
});
}
public static AuthorizationPolicy Combine(AuthorizationOptions options, IEnumerable<IAuthorizeData> attributes)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
if (attributes == null)
{
throw new ArgumentNullException(nameof(attributes));
}
var policyBuilder = new AuthorizationPolicyBuilder();
var any = false;
foreach (var authorizeAttribute in attributes.OfType<AuthorizeAttribute>())
{
any = true;
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(authorizeAttribute.Policy))
{
var policy = options.GetPolicy(authorizeAttribute.Policy);
if (policy == null)
{
throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeAttribute.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = authorizeAttribute.Roles?.Split(',');
if (rolesSplit != null && rolesSplit.Any())
{
policyBuilder.RequireRole(rolesSplit);
useDefaultPolicy = false;
}
var authTypesSplit = authorizeAttribute.ActiveAuthenticationSchemes?.Split(',');
if (authTypesSplit != null && authTypesSplit.Any())
{
foreach (var authType in authTypesSplit)
{
policyBuilder.AuthenticationSchemes.Add(authType);
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(options.DefaultPolicy);
}
}
return any ? policyBuilder.Build() : null;
}
public async Task Invoke_EmptyClaimsShouldRejectAnonymousUser()
{
// Arrange
var authorizationOptions = new AuthorizationOptions();
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
var authorizationContext = GetAuthorizationContext(services =>
services.AddAuthorization(),
anonymous: true);
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.NotNull(authorizationContext.Result);
}
public DefaultAuthorizationService(IOptions<AuthorizationOptions> options, IEnumerable<IAuthorizationHandler> handlers, ILogger<DefaultAuthorizationService> logger)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
if (handlers == null)
{
throw new ArgumentNullException(nameof(handlers));
}
if (logger == null)
{
throw new ArgumentNullException(nameof(logger));
}
_handlers = handlers.ToArray();
_options = options.Value;
_logger = logger;
}
public void CanReplaceDefaultPolicy()
{
// Arrange
var attributes = new AuthorizeAttribute[] {
new AuthorizeAttribute(),
new AuthorizeAttribute("2") { ActiveAuthenticationSchemes = "dupe" }
};
var options = new AuthorizationOptions();
options.DefaultPolicy = new AuthorizationPolicyBuilder("default").RequireClaim("default").Build();
options.AddPolicy("2", policy => policy.RequireClaim("2"));
// Act
var combined = AuthorizationPolicy.Combine(options, attributes);
// Assert
Assert.Equal(2, combined.AuthenticationSchemes.Count());
Assert.True(combined.AuthenticationSchemes.Contains("dupe"));
Assert.True(combined.AuthenticationSchemes.Contains("default"));
Assert.Equal(2, combined.Requirements.Count());
Assert.False(combined.Requirements.Any(r => r is DenyAnonymousAuthorizationRequirement));
Assert.Equal(2, combined.Requirements.OfType<ClaimsAuthorizationRequirement>().Count());
}
public DefaultAuthorizationService(IOptions<AuthorizationOptions> options, IEnumerable<IAuthorizationHandler> handlers)
{
_handlers = handlers.ToArray();
_options = options.Options;
}
public AuthorizationApplicationModelProvider(IOptions<AuthorizationOptions> authorizationOptionsAccessor)
{
_authorizationOptions = authorizationOptionsAccessor.Value;
}
public DefaultAuthorizationService(IOptions <AuthorizationOptions> options, IEnumerable <IAuthorizationHandler> handlers)
{
_handlers = handlers.ToArray();
_options = options.Value;
}