public async Task Filter_SkipsAntiforgeryVerification_WhenOverridden() { // Arrange var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict); antiforgery .Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>())) .Returns(Task.FromResult(0)) .Verifiable(); var filter = new ValidateAntiforgeryTokenAuthorizationFilter(antiforgery.Object, NullLoggerFactory.Instance); var actionContext = new ActionContext(new DefaultHttpContext(), new RouteData(), new ActionDescriptor()); actionContext.HttpContext.Request.Method = "POST"; var context = new AuthorizationFilterContext(actionContext, new IFilterMetadata[] { filter, new IgnoreAntiforgeryTokenAttribute(), }); // Act await filter.OnAuthorizationAsync(context); // Assert antiforgery.Verify(a => a.ValidateRequestAsync(It.IsAny<HttpContext>()), Times.Never()); }
public void OnAuthorization(AuthorizationFilterContext context) { if (!HasAllowAnonymous(context)) { object value; if (context.HttpContext.Items.TryGetValue(DefaultRouter.CurrentNodeKey, out value)) { var accessor = context.HttpContext.RequestServices.GetService<IBricsContextAccessor>(); var currentPage = accessor.CurrentPage; if (currentPage?.Acl == null || currentPage.Acl == AccessControl.Anonymous) { return; } if (currentPage.Acl == AccessControl.Authenticated && !context.HttpContext.User.Identity.IsAuthenticated) { context.Result = new NotFoundResult(); } if (currentPage.Acl == AccessControl.Administrators && !context.HttpContext.User.IsInRole(Enum.GetName(typeof(AccessControl), currentPage.Acl))) { context.Result = new NotFoundResult(); } } } }
private AuthorizationHandlerContext CreateAuthorizationHandlerContext(Type controllerType, string action) { var actionContext = new ActionContext(); var mockHttpContext = new Mock <HttpContext>(); mockHttpContext.Setup(c => c.Request) .Returns(Mock.Of <HttpRequest>()); actionContext.HttpContext = mockHttpContext.Object; actionContext.RouteData = new RouteData(); var actionDescriptor = new ControllerActionDescriptor { ControllerTypeInfo = controllerType.GetTypeInfo(), MethodInfo = controllerType.GetMethod(action) }; actionContext.ActionDescriptor = actionDescriptor; var resource = new Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext(actionContext, new List <IFilterMetadata>()); var requirements = new IAuthorizationRequirement[] { new ConventionBasedRequirement() }; var claims = new[] { new Claim(ClaimTypes.Name, _userId), }; var user = new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer")); var context = new AuthorizationHandlerContext(requirements, user, resource); return(context); }
public override Task OnAuthorizationAsync(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context) { // If there is another authorize filter, do nothing if (context.Filters.Any(item => item is IAsyncAuthorizationFilter && item.GetType() == typeof(Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter))) { var timeStemp = context.HttpContext.User.Claims.FirstOrDefault(c => c.Type == "timestemp"); if (timeStemp == null) { context.Result = new UnauthorizedResult(); } else { if (string.IsNullOrWhiteSpace(timeStemp.Value)) { context.Result = new UnauthorizedResult(); } else { var sp = services.BuildServiceProvider(); var userService = sp.GetService <IUserService>(); var checkModified = userService.CheckModified(timeStemp.Value, context.HttpContext.User.Identity.GetUserId()); if (checkModified) { context.Result = new UnauthorizedResult(); } } } return(Task.FromResult(0)); } //Otherwise apply this policy return(Task.FromResult(0)); }
public void OnAuthorization(AuthorizationFilterContext context) { context.Result = new ContentResult() { Content = "You are unauthorized!!", StatusCode = 401 }; }
public bool HasAllowAnonymous(AuthorizationFilterContext context) { if (context == null) { throw new ArgumentException(nameof(context)); } return context.Filters.Any(item => item is IAllowAnonymousFilter); }
public override Task OnAuthorizationAsync(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context) { if (context.HttpContext.User.Claims.ToList()[2].Value == context.HttpContext.Connection.RemoteIpAddress.ToString()) { return(Task.FromResult(AuthorizationResult.Failed())); } // If there is another authorize filter, do nothing return(base.OnAuthorizationAsync(context)); }
protected virtual bool ShouldValidate(AuthorizationFilterContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } return true; }
public void OnAuthorization(AuthorizationFilterContext context) { //var validPrincipal = new ClaimsPrincipal( // new ClaimsIdentity( new[] { // new Claim(ClaimTypes.Name, "Admin"), // new Claim(ClaimTypes.Role, "Administrator"), //})); //context.HttpContext.User = validPrincipal; }
public void OnAuthorization(AuthorizationFilterContext context) { var controllerActionDescriptor = (ControllerActionDescriptor)context.ActionDescriptor; if (controllerActionDescriptor.MethodInfo == typeof(ProductsController).GetMethod(nameof(ProductsController.GetPrice))) { context.HttpContext.Response.Headers.Append("filters", "Global Authorization Filter - OnAuthorization"); } }
public override Task OnAuthorizationAsync(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context) { // If there is another authorize filter, do nothing if (context.Filters.Any(item => item is IAsyncAuthorizationFilter && item != this)) { return(Task.FromResult(0)); } //Otherwise apply this policy return(base.OnAuthorizationAsync(context)); }
/// <summary> /// Called early in the filter pipeline to confirm request is authorized. Confirms requests are received over /// HTTPS. Takes no action for HTTPS requests. Otherwise if it was a GET request, sets /// <see cref="AuthorizationFilterContext.Result"/> to a result which will redirect the client to the HTTPS /// version of the request URI. Otherwise, sets <see cref="AuthorizationFilterContext.Result"/> to a result /// which will set the status code to <c>403</c> (Forbidden). /// </summary> /// <inheritdoc /> public virtual void OnAuthorization(AuthorizationFilterContext filterContext) { if (filterContext == null) { throw new ArgumentNullException(nameof(filterContext)); } if (!filterContext.HttpContext.Request.IsHttps) { HandleNonHttpsRequest(filterContext); } }
public async Task OnAuthorizationAsync(AuthorizationFilterContext context) { // Allow Anonymous skips all authorization if (context.Filters.Any(item => item is IAllowAnonymousFilter)) { return; } try { //TODO: Avoid using try/catch, use conditional checking await _authorizationHelper.AuthorizeAsync(context.ActionDescriptor.GetMethodInfo()); } catch (AbpAuthorizationException ex) { Logger.Warn(ex.ToString(), ex); _eventBus.Trigger(this, new AbpHandledExceptionData(ex)); if (ActionResultHelper.IsObjectResult(context.ActionDescriptor.GetMethodInfo().ReturnType)) { context.Result = new ObjectResult(new AjaxResponse(_errorInfoBuilder.BuildForException(ex), true)) { StatusCode = context.HttpContext.User.Identity.IsAuthenticated ? (int) System.Net.HttpStatusCode.Forbidden : (int) System.Net.HttpStatusCode.Unauthorized }; } else { context.Result = new ChallengeResult(); } } catch (Exception ex) { Logger.Error(ex.ToString(), ex); _eventBus.Trigger(this, new AbpHandledExceptionData(ex)); if (ActionResultHelper.IsObjectResult(context.ActionDescriptor.GetMethodInfo().ReturnType)) { context.Result = new ObjectResult(new AjaxResponse(_errorInfoBuilder.BuildForException(ex))) { StatusCode = (int) System.Net.HttpStatusCode.InternalServerError }; } else { //TODO: How to return Error page? context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.InternalServerError); } } }
/// <inheritdoc /> public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var effectivePolicy = Policy ?? await AuthorizationPolicy.CombineAsync(PolicyProvider, AuthorizeData); if (effectivePolicy == null) { return; } // Build a ClaimsPrincipal with the Policy's required authentication types if (effectivePolicy.AuthenticationSchemes != null && effectivePolicy.AuthenticationSchemes.Any()) { ClaimsPrincipal newPrincipal = null; foreach (var scheme in effectivePolicy.AuthenticationSchemes) { var result = await context.HttpContext.Authentication.AuthenticateAsync(scheme); if (result != null) { newPrincipal = SecurityHelper.MergeUserPrincipal(newPrincipal, result); } } // If all schemes failed authentication, provide a default identity anyways if (newPrincipal == null) { newPrincipal = new ClaimsPrincipal(new ClaimsIdentity()); } context.HttpContext.User = newPrincipal; } // Allow Anonymous skips all authorization if (context.Filters.Any(item => item is IAllowAnonymousFilter)) { return; } var httpContext = context.HttpContext; var authService = httpContext.RequestServices.GetRequiredService<IAuthorizationService>(); // Note: Default Anonymous User is new ClaimsPrincipal(new ClaimsIdentity()) if (!await authService.AuthorizeAsync(httpContext.User, context, effectivePolicy)) { context.Result = new ChallengeResult(effectivePolicy.AuthenticationSchemes.ToArray()); } }
public void OnAuthorization(AuthorizationFilterContext context) { if (!HasAllowAnonymous(context)) { var user = context.HttpContext.User; var userIsAnonymous = user == null || user.Identity == null || !user.Identity.IsAuthenticated; if (userIsAnonymous) { context.Result = new UnauthorizedResult(); } } }
public async Task OnAuthorizationAsync(AuthorizationFilterContext context) { var authorizeAttributes = ReflectionHelper.GetAttributesOfMemberAndDeclaringType<AbpMvcAuthorizeAttribute>( context.ActionDescriptor.GetMethodInfo() ); if (!authorizeAttributes.Any()) { return; } using (var authorizationAttributeHelper = _iocResolver.ResolveAsDisposable<IAuthorizeAttributeHelper>()) { await authorizationAttributeHelper.Object.AuthorizeAsync(authorizeAttributes); } }
public static void BeforeOnAuthorization( this DiagnosticSource diagnosticSource, AuthorizationFilterContext authorizationContext, IAuthorizationFilter filter) { if (diagnosticSource.IsEnabled("Microsoft.AspNetCore.Mvc.BeforeOnAuthorization")) { diagnosticSource.Write( "Microsoft.AspNetCore.Mvc.BeforeOnAuthorization", new { actionDescriptor = authorizationContext.ActionDescriptor, authorizationContext = authorizationContext, filter = filter }); } }
public virtual void OnAuthorization(AuthorizationFilterContext context) { var controllerActionDescriptor = (ControllerActionDescriptor)context.ActionDescriptor; if (controllerActionDescriptor.MethodInfo == typeof(ProductsController).GetMethod(nameof(ProductsController.GetPrice))) { context.HttpContext.Response.Headers.Append("filters", "Authorize Filter On Action - OnAuthorization"); } context.HttpContext.User = new ClaimsPrincipal( new ClaimsIdentity( new Claim[] { new Claim("Permission", "CanViewPage"), new Claim(ClaimTypes.Role, "Administrator"), new Claim(ClaimTypes.NameIdentifier, "John")}, "Basic")); }
protected override bool ShouldValidate(AuthorizationFilterContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var method = context.HttpContext.Request.Method; if (string.Equals("GET", method, StringComparison.OrdinalIgnoreCase) || string.Equals("HEAD", method, StringComparison.OrdinalIgnoreCase) || string.Equals("TRACE", method, StringComparison.OrdinalIgnoreCase) || string.Equals("OPTIONS", method, StringComparison.OrdinalIgnoreCase)) { return false; } // Anything else requires a token. return true; }
public void OnAuthorization(AuthorizationFilterContext context) { object value; if (context.HttpContext.Items.TryGetValue(DefaultRouter.CurrentNodeKey, out value)) { var accessor = context.HttpContext.RequestServices.GetService<IBricsContextAccessor>(); var currentPage = accessor.CurrentPage; if (!currentPage.PublishedDate.HasValue) { context.Result = new NotFoundResult(); } if (currentPage.PublishedDate != null && currentPage.PublishedDate.Value > DateTime.Now) { context.Result = new NotFoundResult(); } } }
public async Task OnAuthorizationAsync(AuthorizationFilterContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } if (IsClosestAntiforgeryPolicy(context.Filters) && ShouldValidate(context)) { try { await _antiforgery.ValidateRequestAsync(context.HttpContext); } catch (AntiforgeryValidationException exception) { _logger.AntiforgeryTokenInvalid(exception.Message, exception); context.Result = new BadRequestResult(); } } }
public async Task Filter_ValidatesAntiforgery_ForUnsafeMethod(string httpMethod) { // Arrange var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict); antiforgery .Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>())) .Returns(Task.FromResult(0)) .Verifiable(); var filter = new AutoValidateAntiforgeryTokenAuthorizationFilter(antiforgery.Object, NullLoggerFactory.Instance); var actionContext = new ActionContext(new DefaultHttpContext(), new RouteData(), new ActionDescriptor()); actionContext.HttpContext.Request.Method = httpMethod; var context = new AuthorizationFilterContext(actionContext, new[] { filter }); // Act await filter.OnAuthorizationAsync(context); // Assert antiforgery.Verify(); }
/// <summary> /// Called from <see cref="OnAuthorization"/> if the request is not received over HTTPS. Expectation is /// <see cref="AuthorizationFilterContext.Result"/> will not be <c>null</c> after this method returns. /// </summary> /// <param name="filterContext">The <see cref="AuthorizationFilterContext"/> to update.</param> /// <remarks> /// If it was a GET request, default implementation sets <see cref="AuthorizationFilterContext.Result"/> to a /// result which will redirect the client to the HTTPS version of the request URI. Otherwise, default /// implementation sets <see cref="AuthorizationFilterContext.Result"/> to a result which will set the status /// code to <c>403</c> (Forbidden). /// </remarks> protected virtual void HandleNonHttpsRequest(AuthorizationFilterContext filterContext) { // only redirect for GET requests, otherwise the browser might not propagate the verb and request // body correctly. if (!string.Equals(filterContext.HttpContext.Request.Method, "GET", StringComparison.OrdinalIgnoreCase)) { filterContext.Result = new StatusCodeResult(StatusCodes.Status403Forbidden); } else { var optionsAccessor = filterContext.HttpContext.RequestServices.GetRequiredService<IOptions<MvcOptions>>(); var request = filterContext.HttpContext.Request; var host = request.Host; if (optionsAccessor.Value.SslPort.HasValue && optionsAccessor.Value.SslPort > 0) { // a specific SSL port is specified host = new HostString(host.Host, optionsAccessor.Value.SslPort.Value); } else { // clear the port host = new HostString(host.Host); } var newUrl = string.Concat( "https://", host.ToUriComponent(), request.PathBase.ToUriComponent(), request.Path.ToUriComponent(), request.QueryString.ToUriComponent()); // redirect to HTTPS version of page filterContext.Result = new RedirectResult(newUrl, Permanent); } }
public void OnAuthorization(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context) { var user = context.HttpContext.User; if (!user.Identity.IsAuthenticated) { // it isn't needed to set unauthorized result // as the base class already requires the user to be authenticated // this also makes redirect to a login page work properly // context.Result = new UnauthorizedResult(); return; } _userQueries = (IUserQueries)context.HttpContext.RequestServices.GetService(typeof(IUserQueries)); _userManager = (IUserManager)context.HttpContext.RequestServices.GetService(typeof(IUserManager)); IDictionary <string, PermissionDTO> permissions = _userQueries.GetPermissionsAsync(_userManager.GetCurrentUserId()).GetAwaiter().GetResult(); bool isAuthorized = !Permissions.Any() || (permissions != null && Permissions.All(p => permissions.ContainsKey(p))); if (!isAuthorized) { context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.Forbidden); } }
public void OnAuthorization(AuthorizationFilterContext context) { Assert.NotNull(context.ModelState.MaxAllowedErrors); Assert.Equal(_expectedMaxAllowedErrors, context.ModelState.MaxAllowedErrors); }
public void OnAuthorization(AuthorizationFilterContext context) { // getting the current module and claim string action = context.RouteData.Values["action"].ToString().ToLower(); string controller = context.RouteData.Values["controller"].ToString().ToLower() + "controller"; var page = PageService.Pages.Where(c => string.Compare(c.Controller, controller, true) == 0 && string.Compare(c.ActionMethod, action, true) == 0).FirstOrDefault(); if (page == null) { context.Result = new StatusCodeResult(403); return; } // setting the current DashbaordInd if (page.DashboardInd) { NTContext.Context.DashboardPageId = page.PageId; } // checking for annonymous claim if (page.PageClaims.Any(p => p.ClaimType == SecuritySettings.AnonymouseClaimType && p.ClaimValue == SecuritySettings.AnonymousClaim)) { return; } var userClaims = context.HttpContext.User.Claims; // checking the companyid passed in headers string companies = userClaims.Where(c => c.Type == NTClaimTypes.Companies).Select(c => c.Value).FirstOrDefault(); string companyId = context.HttpContext.Request.Headers[SecurityConstants.HeaderCompanyId]; companyId = companyId ?? userClaims.Where(c => c.Type == NTClaimTypes.CompanyId).Select(c => c.Value).FirstOrDefault(); if (companies == null || companyId == null || !companies.Split(',').Contains(companyId)) { context.Result = new StatusCodeResult(403); return; } // checking for annonymous claim for each module if (page.PageClaims.Any(p => p.ClaimValue == SecuritySettings.AnonymousClaim)) { return; } // getting current roles and then get all the child roles string[] roles = userClaims.Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value).ToArray(); roles = PageService.AdminRoles.Where(r => roles.Contains(r.Key)).Select(r => r.Item).ToArray(); // checking whether user is an admin if (!roles.Any(r => page.PageClaims.Any(p => r == p.ClaimType + SecuritySettings.AdminSuffix))) { // checking for deny claim if (userClaims.Any(c => page.PageClaims.Any(p => c.Type == p.ClaimType + SecuritySettings.DenySuffix && c.Value == p.ClaimValue))) { context.Result = new StatusCodeResult(403); // new HttpUnauthorizedResult(); } // checking for current claim else if (!userClaims.Any(c => page.PageClaims.Any(p => c.Type == p.ClaimType && c.Value == p.ClaimValue))) { context.Result = new StatusCodeResult(403); } } }
public virtual void OnAuthorization(AuthorizationFilterContext context) { }
protected override void HandleNonHttpsRequest(AuthorizationFilterContext filterContext) { filterContext.Result = new StatusCodeResult(StatusCodes.Status404NotFound); }
public async Task OnAuthorizationAsync(AuthorizationFilterContext context) { var methodInfo = context.ActionDescriptor.GetMethodInfo(); await CheckFeatures(methodInfo); await CheckPermissions(methodInfo); }
public void OnAuthorization(AuthorizationFilterContext context) { throw new InvalidProgramException("Authorization Filter Threw"); }
public void OnAuthorization(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context) { context.HttpContext.Response.Headers.Add("x-authorization-filter", context.HttpContext.User == null ? "Anonymous" : context.HttpContext.User.Identity.Name); }
public Task OnAuthorizationAsync(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context) { return(Task.CompletedTask); }
public static void BeforeOnAuthorizationAsync( this DiagnosticSource diagnosticSource, AuthorizationFilterContext authorizationContext, IAsyncAuthorizationFilter filter) { Debug.Assert(diagnosticSource != null); Debug.Assert(authorizationContext != null); Debug.Assert(filter != null); if (diagnosticSource.IsEnabled("Microsoft.AspNetCore.Mvc.BeforeOnAuthorization")) { diagnosticSource.Write( "Microsoft.AspNetCore.Mvc.BeforeOnAuthorization", new { actionDescriptor = authorizationContext.ActionDescriptor, authorizationContext = authorizationContext, filter = filter }); } }
public void OnAuthorization(AuthorizationFilterContext context) { Apply(context.HttpContext); }
public override void OnAuthorization(AuthorizationFilterContext context) { context.HttpContext.Response.Headers.Append("filters", "On Controller Authorization Filter - OnAuthorization"); }