public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { var policies = policyName.Split(',', StringSplitOptions.RemoveEmptyEntries); if (policies.Length > 1) { var singlePolicies = new List <SinglePolicyRequirement>(); foreach (var item in policies) { foreach (var requirement in _authorizationOptions.GetPolicy(item.Trim()).Requirements) { if (requirement is SinglePolicyRequirement) { singlePolicies.Add(requirement as SinglePolicyRequirement); } } } var combineAuthPolicy = new AuthorizationPolicy( new List <IAuthorizationRequirement> { new MultiplePolicyOrRequirement(singlePolicies) }, new List <string>()); return(Task.FromResult(combineAuthPolicy)); } else { return(Task.FromResult <AuthorizationPolicy>(_authorizationOptions.GetPolicy(policyName))); } }
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { //因为我们policy的名称其实就是对应的权限名称,所以可以用下列逻辑返回需要的验证规则 AuthorizationPolicy policy = _options.GetPolicy(policyName); if (policy == null) { string[] resourceValues = policyName.Split(new char[] { '-' }, StringSplitOptions.None); if (resourceValues.Length == 1) { _options.AddPolicy(policyName, builder => { builder.AddRequirements(new ClaimsAuthorizationRequirement(resourceValues[0], null)); }); } else { _options.AddPolicy(policyName, builder => { builder.AddRequirements(new ClaimsAuthorizationRequirement(resourceValues[0], new string[] { resourceValues[1] })); }); } } return(Task.FromResult(_options.GetPolicy(policyName))); }
public async Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { AuthorizationPolicy policy; lock (_myLock) { policy = _options.GetPolicy(policyName); } if (policy == null && !string.IsNullOrEmpty(policyName) && policyName.IndexOf("=====") > -1) { string[] resourceValues = policyName.Split(new string[] { "=====" }, StringSplitOptions.RemoveEmptyEntries); if (resourceValues.Length > 1) { lock (_myLock) { _options.AddPolicy(policyName, builder => { builder.RequireClaim(resourceValues[0], new string[] { resourceValues[1] }); }); } } } return(await Task.FromResult(_options.GetPolicy(policyName))); }
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { AuthorizationPolicy policy = Options.GetPolicy(policyName); if (policy == null) { string[] resourceValues = policyName.Split(new string[] { "=====" }, StringSplitOptions.RemoveEmptyEntries); Options.AddPolicy(policyName, builder => { builder.RequireClaim(resourceValues[0], new string[] { resourceValues[1] }); }); } return(Task.FromResult(Options.GetPolicy(policyName))); }
public static AuthorizationOptions AddFunctionPolicy( this AuthorizationOptions options, string functionName, params string[] policyNames) { var policies = new List <AuthorizationPolicy>(); foreach (var name in policyNames) { var policy = options.GetPolicy(name); if (policy == null) { throw new InvalidOperationException($"Authorization policy '{name}' is not registered"); } policies.Add(policy); } if (policies.Any()) { options.AddPolicy(functionName, AuthorizationPolicy.Combine(policies)); } return(options); }
/// <summary> /// Gets a <see cref="AuthorizationPolicy"/> from the given <paramref name="policyName"/> /// </summary> /// <param name="policyName">The policy name to retrieve.</param> /// <returns>The named <see cref="AuthorizationPolicy"/>.</returns> public virtual Task <AuthorizationPolicy?> GetPolicyAsync(string policyName) { // MVC caches policies specifically for this class, so this method MUST return the same policy per // policyName for every request or it could allow undesired access. It also must return synchronously. // A change to either of these behaviors would require shipping a patch of MVC as well. return(Task.FromResult(_options.GetPolicy(policyName))); }
// And this is where the magic happens. public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { // Check to see if there's a configured policy with the name. var _policy = _options.GetPolicy(policyName); if (_policy == null) { // There's no matching policy name in the policies configured in start // So let's do our thing. // For our sample we have the following policy name format, // ClaimName|ExpectedValue and we assume that neither the claim name nor the // value have a | character in them, because it's only a sample var policyDetails = policyName.Split('|'); if (policyDetails.Length != 2) { return(Task.FromResult((AuthorizationPolicy)null)); } // Now we can create our custom requirements with the right parameters // then build a policy around them, and finally return that policy for evaluation. var requirements = new IAuthorizationRequirement[1]; requirements[0] = new CustomAuthorizationRequirement { ClaimType = policyDetails[0], ClaimValue = policyDetails[1] }; return(Task.FromResult(new AuthorizationPolicyBuilder().AddRequirements(requirements).Build())); } return(Task.FromResult(_policy)); }
public override Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { var policy = _options.GetPolicy(policyName); if (policy == null) { var claimValues = policyName.Split(new char[] { '.' }, StringSplitOptions.None); if (claimValues.Length == 1) { _options.AddPolicy(policyName, builder => builder.AddRequirements(new ClaimsAuthorizationRequirement(claimValues[0], null))); } else { _options.AddPolicy(policyName, builder => builder.AddRequirements(new ClaimsAuthorizationRequirement($"{claimValues[0]}.{claimValues[1]}", new string[] { policyName }))); } } return(Task.FromResult(_options.GetPolicy(policyName))); }
private bool AreOptionsEqual(AuthZyinAuthorizationOptions left, AuthorizationOptions right) { var propertiesAreTheSame = left != null && right != null && left.DefaultPolicy == right.DefaultPolicy && left.FallbackPolicy == right.FallbackPolicy && left.InvokeHandlersAfterFailure == right.InvokeHandlersAfterFailure; var policiesAreTheSame = left.Policies.All(x => x.policy == right.GetPolicy(x.name)); return(propertiesAreTheSame && policiesAreTheSame); }
/// <summary> /// Gets the authorization policy /// </summary> /// <param name="policyName">String representing the policy</param> /// <returns></returns> /// <remarks> /// Gets a CSLA permissions policy if the policy name corresponds /// to a CSLA policy, otherwise gets a policy from the fallback /// provider. /// </remarks> public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { var policy = _options.GetPolicy(policyName); if (policy is null && CslaPolicy.TryGetPermissionRequirement(policyName, out CslaPermissionRequirement requirement)) { var policyBuilder = new AuthorizationPolicyBuilder(); policyBuilder.AddRequirements(requirement); policy = policyBuilder.Build(); _options.AddPolicy(policyName, policy); } return(Task.FromResult(policy)); }
private string GetPrimaryAuthenticationScheme(IAuthorizeData authorizeData) { if (authorizeData == null) { return(null); } if (string.IsNullOrWhiteSpace(authorizeData.Policy) == false) { AuthorizationPolicy authorizationPolicy = _authorizationOptions.GetPolicy(authorizeData.Policy); return(authorizationPolicy?.AuthenticationSchemes.FirstOrDefault()); } return(string.IsNullOrWhiteSpace(authorizeData.AuthenticationSchemes) ? null : authorizeData.AuthenticationSchemes.Split(',').First()); }
public void Apply(OpenApiOperation operation, OperationFilterContext context) { // Policy names map to scopes var requiredPolicies = context.MethodInfo .GetCustomAttributes(true) .Concat(context.MethodInfo.DeclaringType.GetCustomAttributes(true)) .OfType <AuthorizeAttribute>() .Select(attr => attr.Policy) .Distinct(); var requiredScopes = requiredPolicies.Select(p => _authorizationOptions.GetPolicy(p)) .SelectMany(r => r.Requirements.OfType <ClaimsAuthorizationRequirement>()) .Where(cr => cr.ClaimType == JwtClaimTypes.Scope) .SelectMany(r => r.AllowedValues) .Distinct() .ToList(); if (requiredScopes.Any()) { operation.Responses.Add("401", new OpenApiResponse { Description = "Unauthorized" }); operation.Responses.Add("403", new OpenApiResponse { Description = "Forbidden" }); var oAuthScheme = new OpenApiSecurityScheme() { Reference = new OpenApiReference() { Id = "oauth2", Type = ReferenceType.SecurityScheme, } }; operation.Security = new List <OpenApiSecurityRequirement>() { new OpenApiSecurityRequirement() { [oAuthScheme] = requiredScopes, } }; } }
// Policies are looked up by string name, so expect 'parameters' (like age) // to be embedded in the policy names. This is abstracted away from developers // by the more strongly-typed attributes derived from AuthorizeAttribute // (like [MinimumAgeAuthorize()] in this sample) public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { var AuthPolicy = _options.GetPolicy(policyName); if (AuthPolicy == null) { if (policyName.StartsWith(POLICY_PREFIX, StringComparison.OrdinalIgnoreCase) && int.TryParse(policyName.Substring(POLICY_PREFIX.Length), out var age)) { var policy = new AuthorizationPolicyBuilder(CookieAuthenticationDefaults.AuthenticationScheme, "MichaelAuth"); policy.AddRequirements(new MinimumAgeRequirement(age)); return(Task.FromResult(policy.Build())); } return(FallbackPolicyProvider.GetPolicyAsync(policyName)); } else { return(Task.FromResult <AuthorizationPolicy>(AuthPolicy)); } }
public void Apply(OpenApiOperation operation, OperationFilterContext context) { var requiredPolicies = context.MethodInfo .GetCustomAttributes(true) .Concat(context.MethodInfo.DeclaringType.GetCustomAttributes(true)) .OfType <AuthorizeAttribute>() .Select(attr => attr.Policy) .Distinct(); var requiredScopes = requiredPolicies.Select(p => authorizationOptions.GetPolicy(p)) .SelectMany(r => r.Requirements.OfType <ClaimsAuthorizationRequirement>()) .Where(cr => cr.ClaimType == "scope") .SelectMany(r => r.AllowedValues) .Distinct() .ToList(); if (requiredScopes.Any()) { operation.Responses.Add("401", new OpenApiResponse { Description = "Unauthorized - correct token needed" }); var bearerScheme = new OpenApiSecurityScheme { Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" } }; operation.Security = new List <OpenApiSecurityRequirement> { new OpenApiSecurityRequirement { [bearerScheme] = requiredScopes } }; } }
private static AuthorizationPolicy GetPolicyRequirement(string policy, AuthorizationOptions options) { return(options.GetPolicy(policy) ?? throw new Exception($"{policy} policy not found")); }
public static void Configure(AuthorizationOptions options) { options.InvokeHandlersAfterFailure = true; // This is the default policy (created and used by default) // Can be replaced // options.DefaultPolicy = new AuthorizationPolicyBuilder().RequireRole("Admin").Build(); options.AddPolicy(Default, builder => { builder.RequireAuthenticatedUser(); }); // Policy with simple rules. Based in User claims information options.AddPolicy(Simple, policyBuilder => { policyBuilder.RequireRole("Developer"); policyBuilder.RequireUserName("Hugo Biarge"); policyBuilder.RequireClaim("Department", "CPM", "Platform"); policyBuilder.RequireAssertion(context => { var roles = context.User.FindAll(ClaimTypes.Role); return(roles.Any() ? Task.FromResult(true) : Task.FromResult(false)); }); }); // Policy with simple rules. Show how several succeed are handled options.AddPolicy(HandlersBehavior, policyBuilder => { policyBuilder.AddRequirements(new LastHandlerWinRequirement()); }); // Code based policy: Calculations over Claims information options.AddPolicy(Over21Years, policyBuilder => { policyBuilder.AddRequirements(new MinimumAgeRequirement(21)); }); // Code based policy: Several handlers to validate a requirement options.AddPolicy(AllowedInOffice, policyBuilder => { policyBuilder.AddRequirements(new OfficeEntryRequirement(department: "CPM")); }); // Use of different schemas options.AddPolicy(MultipleSchemas, policyBuilder => { policyBuilder.AddAuthenticationSchemes("bearer", "extra"); policyBuilder.RequireAuthenticatedUser(); policyBuilder.RequireRole("Operator"); // From bearer scheme policyBuilder.RequireClaim("Supervisor"); // From extra scheme }); // Creates a policy that uses several authentication schemes by default // without explicit configuration in builder.AuthenticationSchemes var customBuilder = new AuthorizationPolicyBuilder("scheme1", "scheme2"); customBuilder.RequireAuthenticatedUser(); var policy = customBuilder.Build(); options.AddPolicy("MultipleSchemesBis", policy); // Or Register it as a default policy // options.DefaultPolicy = policy; //// Sample for combined policies options.AddPolicy("Combined", policyBuilder => { policyBuilder.Combine(options.GetPolicy(Simple)); policyBuilder.Combine(options.GetPolicy(Over21Years)); }); }