public void Require(AuthorizationPolicyBuilder policyOptions) { policyOptions.AuthenticationSchemes.Add(ServiceAuthConsts.AuthenticationScheme); policyOptions.RequireAuthenticatedUser(); policyOptions.RequireClaim(ServiceAuthConsts.ClaimUserType, ServiceAuthConsts.ClaimUserTypeUser); policyOptions.RequireClaim(ServiceAuthConsts.ClaimCanDelete, ServiceAuthConsts.ClaimTargetTopic); }
public static void AddPolicies(this IServiceCollection service, PolicyContext policies) { foreach (var namedPolicy in policies.GetPolicySets()) { var policySet = namedPolicy.Value; var policyBuilder = new AuthorizationPolicyBuilder(); policyBuilder.RequireAuthenticatedUser(); var noOneHasAccessToPolicy = policySet == null; if (noOneHasAccessToPolicy) { policyBuilder.RequireAssertion((context) => false); //If no one has access to the policy then always make a false assertion; } else { var allowableRulesAndUsers = policySet.GetAllowableRolesAndUsersCombined(); if (allowableRulesAndUsers.Any()) { policyBuilder.RequireRole(policySet.GetAllowableRolesAndUsersCombined()); } if (policySet.DenyRoles != null) { policyBuilder.RequireAssertion(context => policySet.GetAllowableRolesAndUsersCombined().Any(allowedRole => context.User.IsInRole(allowedRole)) || !policySet.DenyRoles.Any(deniedRole => context.User.IsInRole(deniedRole))); } if (policySet.DenyUsers != null) { policyBuilder.RequireAssertion(context => policySet.GetAllowableRolesAndUsersCombined().Any(allowedRole => context.User.IsInRole(allowedRole)) || !policySet.DenyUsers.Any(deniedUser => context.User.IsInRole(deniedUser))); } if (policySet.AllowClaim != null) { policyBuilder.RequireClaim(policySet.AllowClaim.Type, policySet.AllowClaim.Values); } if (policySet.AllowClaims != null) { policySet.AllowClaims.ForEach(claim => policyBuilder.RequireClaim(claim.Type, claim.Values)); } } var policy = policyBuilder.Build(); service.AddAuthorization(options => options.AddPolicy(namedPolicy.Key, policy)); } }
public static AuthorizationPolicy ToAuthPolicy(this AuthorizationPolicyInfo info) { var policy = new AuthorizationPolicyBuilder(); var hasAnyRequirements = false; if (info.AllowedRoles.Count > 0) { policy.RequireRole(info.AllowedRoles); hasAnyRequirements = true; } if (info.AuthenticationSchemes.Count > 0) { policy.AuthenticationSchemes = info.AuthenticationSchemes; } if (info.RequireAuthenticatedUser) { policy.RequireAuthenticatedUser(); hasAnyRequirements = true; } if (info.RequiredClaims.Count > 0) { foreach (var c in info.RequiredClaims) { if (c.AllowedValues.Count > 0) { policy.RequireClaim(c.ClaimName, c.AllowedValues); } else { policy.RequireClaim(c.ClaimName); } hasAnyRequirements = true; } } if (!string.IsNullOrWhiteSpace(info.RequiredUserName)) { policy.RequireUserName(info.RequiredUserName); hasAnyRequirements = true; } if (!hasAnyRequirements) { // allow anonymous Func <AuthorizationHandlerContext, bool> allowAny = (AuthorizationHandlerContext authContext) => true; policy.RequireAssertion(allowAny); } return(policy.Build()); }
// Episode 4 - IAuthorizationService kullanımı public async Task <IActionResult> AuthorizationService( [FromServices] IAuthorizationService authorizationService) { // Poliçe oluşturuyorum. Normalde bu iş Startup içerisinde yapılır. var policyBuilder = new AuthorizationPolicyBuilder(); var policy = policyBuilder .RequireClaim(ClaimTypes.Role, "admin") .Build(); ClaimsPrincipal loggedInUser = HttpContext.User; var authzResult = await authorizationService.AuthorizeAsync(loggedInUser, null, policy); if (authzResult.Succeeded) { // kullanıcı admin rolünde, bir şeyler yap. return(Content("You are the administrator!")); } else { // kullanıcı admin rolünde değil, bir şeyler yap. return(Content("You are not the administrator!")); } }
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { if (policyName.StartsWith(ClaimAuthorizeAttribute.POLICY_PREFIX)) { var claim = policyName.Substring(ClaimAuthorizeAttribute.POLICY_PREFIX.Length); var policyBuilder = new AuthorizationPolicyBuilder(); if (claim.StartsWith(AnyGroupPrefix)) { var claimMatch = claim.Substring(AnyGroupPrefix.Length); //Group-insenstive match. policyBuilder.RequireAssertion(context => context.User.HasClaim((c) => c.Type == CustomClaims.Permission && c.Value.EndsWith(claimMatch))); } else { var requestContext = _httpContextAccessor.HttpContext.RequestServices.GetService <RequestContext>(); //Group-specific match. var claimFullName = $"{requestContext.GroupId}:{claim}"; policyBuilder.RequireClaim(CustomClaims.Permission, claimFullName); } return(Task.FromResult(policyBuilder.Build())); } return(FallbackPolicyProvider.GetPolicyAsync(policyName)); }
public async Task <IActionResult> DoStuff() { //Some block of Code //Now Authorize the remaining blocks //We can also use Builder var builder = new AuthorizationPolicyBuilder("policyName"); var customPolicy = builder.RequireClaim("Hello").Build(); //await _authorizationService.AuthorizeAsync(User, "Claim.DoB"); //AuthorizeAsync also accepts AuthorizationPolicy, which is returned by // Build Method var authResult = await _authorizationService.AuthorizeAsync(User, customPolicy); if (authResult.Succeeded) { } return(View("Index")); }
public static AuthorizationPolicyBuilder RequireAge(this AuthorizationPolicyBuilder policy, int age) { policy.RequireClaim(ClaimTypes.DateOfBirth); policy.Requirements.Add(new MinimumAgeRequirement(26)); return(policy); }
public override Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { var policy = new AuthorizationPolicyBuilder(); policy.RequireClaim(Consts.PrivilegeClaimType, policyName); return(Task.FromResult(policy.Build())); }
private static void ConfigureRegularUserPolicy(AuthorizationPolicyBuilder policyBuilder) { policyBuilder .RequireClaim(AuthConst.CLAIM_ID) .RequireClaim(AuthConst.CLAIM_JTI) .RequireClaim(AuthConst.CLAIM_IAT) .RequireClaim(AuthConst.CLAIM_USERNAME) .RequireClaim(AuthConst.CLAIM_FIRSTNAME) .RequireClaim(AuthConst.CLAIM_LASTNAME); }
private static void BuildPolicy(AuthorizationPolicyInfo policy, AuthorizationOptions config) { var builder = new AuthorizationPolicyBuilder(); policy.AuthenticationSchemes?.ForEach(builder.AuthenticationSchemes.Add); if (policy.Requirements != null && policy.Requirements.Any()) { foreach (var policyRequirement in policy.Requirements) { switch (policyRequirement.RequirementType) { case AuthorizationRequirementType.ClaimsAuthorizationRequirement: var claimsInfo = JObject.Parse(policyRequirement.Requirement) .ToObject <ClaimsInfo>(); builder.RequireClaim(claimsInfo.ClaimType, claimsInfo.RequiredValues); break; case AuthorizationRequirementType.RolesAuthorizationRequirement: builder.RequireRole(JObject.Parse(policyRequirement.Requirement) .ToObject <string[]>()); break; case AuthorizationRequirementType.NameAuthorizationRequirement: builder.RequireUserName(policyRequirement.Requirement); break; case AuthorizationRequirementType.OperationAuthorizationRequirement: builder.AddRequirements( new OperationAuthorizationRequirement() { Name = policyRequirement.Requirement }); break; case AuthorizationRequirementType.DenyAnonymousAuthorizationRequirement: builder.RequireAuthenticatedUser(); break; case AuthorizationRequirementType.DenyAuthorizationRequirement: builder.AddRequirements(new DenyAuthorizationRequirement()); break; case AuthorizationRequirementType.CustomAuthorizationRequirement: builder.AddRequirements(Activator.CreateInstance(Type.GetType(policyRequirement.Type), JObject.Parse(policyRequirement.Requirement).ToObject <object[]>()) as IAuthorizationRequirement); break; // TODO implement the assertion requirement. //case AuthorizationRequirementType.ClaimsAuthorizationRequirement: // builder.RequireAssertion(handler => {handler.}) // break; } } } config.AddPolicy(policy.Name, builder.Build()); }
private AuthorizationPolicyBuilder GetPolicyBuilder(string[] parts) { if (parts == null) { throw new ArgumentNullException($"{nameof(parts)} cannot be null."); } var length = parts.Length; if (length == 0) { throw new ArgumentOutOfRangeException($"{nameof(parts)} cannot cannot be empty."); } var policy = new AuthorizationPolicyBuilder(); if (length > 1) { return(policy.RequireClaim(parts[0], parts[1])); } return(policy.RequireClaim(parts[0])); }
public async Task <IActionResult> doStuff() { var builder = new AuthorizationPolicyBuilder("Schema"); var customPolicy = builder.RequireClaim("hello").Build(); var authResult = await _authorizationService.AuthorizeAsync(User, customPolicy); if (authResult.Succeeded) { } return(View("index")); }
AuthorizationPolicy IsAdmin() { var scheme = SignInManager.SchemeName; var builder = new AuthorizationPolicyBuilder(scheme); return (builder.RequireClaim("isAdmin", "true") .RequireClaim("department", "Sales") .RequireClaim("canEdit", "true") .Build()); }
public async Task <IActionResult> DoStuff() { var builder = new AuthorizationPolicyBuilder("policy1"); var customPolicy = builder.RequireClaim("claimname").Build(); var authResult = await _authorizationService.AuthorizeAsync(HttpContext.User, customPolicy); if (authResult.Succeeded) { } return(View("Index")); }
public override Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { if (policyName.StartsWith("Claim_", StringComparison.InvariantCultureIgnoreCase)) { var builder = new AuthorizationPolicyBuilder(); var claimName = policyName.Substring(6); builder.RequireClaim(claimName, "1", "true"); var policy = builder.Build(); return(Task.FromResult(policy)); } return(base.GetPolicyAsync(policyName)); }
public async Task <IActionResult> DoStuffService([FromServices] IAuthorizationService authorizationService) { var builder = new AuthorizationPolicyBuilder("Schema"); var customPolicy = builder.RequireClaim("Hello").Build(); var authResult = await authorizationService.AuthorizeAsync(User, customPolicy); if (authResult.Succeeded) { return(View("Index")); } return(View("Index")); }
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { using (var db = _serviceProvider.CreateScope().ServiceProvider.GetRequiredService <ApplicationDbContext>()) { var policys = db.Policys.Where(p => p.Name == policyName).ToList(); var build = new AuthorizationPolicyBuilder(); foreach (var policy in policys) { build.RequireClaim(policyName, policy.Config); } return(Task.FromResult(build.Build())); } }
public IReadOnlyDictionary <string, AuthorizationPolicy> Create() { var policyBuilder = new AuthorizationPolicyBuilder(); policyBuilder.RequireAuthenticatedUser(); policyBuilder.RequireClaim("scope", "api1"); return(new Dictionary <string, AuthorizationPolicy> { ["Weather API Policy"] = policyBuilder.Build() }); }
public async Task <IActionResult> DoStuff() { //we are doing stuff /*işlem sırısında yetki kontrolü*/ var builder = new AuthorizationPolicyBuilder("Schema"); var customPolicy = builder.RequireClaim("Hello").Build(); var authResult = await _authorizationService.AuthorizeAsync(User, "Claim.DoB", customPolicy); if (authResult.Succeeded) { } return(View("Index")); }
public IReadOnlyDictionary <string, AuthorizationPolicy> Create() { var policyBuilder = new AuthorizationPolicyBuilder(); policyBuilder.RequireAuthenticatedUser(); // Check identity provider project (e.g. Config.cs) to get full list of registered scopes policyBuilder.RequireClaim("scope", "api1"); return(new Dictionary <string, AuthorizationPolicy> { ["Weather API Policy"] = policyBuilder.Build() }); }
public async Task <IActionResult> DoStuff() { // we are doing stuff here var builder = new AuthorizationPolicyBuilder("Schema"); var customPolicy = builder.RequireClaim("Hello").Build(); var authResult = await _authenticationService.AuthorizeAsync(User, customPolicy); if (authResult.Succeeded) { return(Ok("Index")); } return(Ok("Error")); }
public async Task <IActionResult> DoStuff() { // Check Authentication in inside the method var builder = new AuthorizationPolicyBuilder("Schema"); var customPolicy = builder.RequireClaim("Hello").Build(); var authResult = await _authorizationService.AuthorizeAsync(User, customPolicy); if (authResult.Succeeded) { return(View("Index")); } return(View("Index")); }
public async Task <IActionResult> DoStuff() { var builder = new AuthorizationPolicyBuilder("Schema"); var customerPolicy = builder.RequireClaim("hello").Build(); // var result = await _authorizationService.AuthorizeAsync(User, "Claim.DoB"); var result = await _authorizationService.AuthorizeAsync(User, customerPolicy); if (result.Succeeded) { return(View()); } return(RedirectToAction("Index")); }
public async Task <IActionResult> dostuff( [FromServices] IAuthorizationService authorizationService) { //let you do something var builder = new AuthorizationPolicyBuilder("Schema"); var custompolicy = builder.RequireClaim("Hello").Build(); var authresult = await authorizationService.AuthorizeAsync(HttpContext.User, "claim.dob"); if (authresult.Succeeded) { return(View("Index")); } return(View("Index")); }
public async Task <IActionResult> DoStuff([FromServices] IAuthorizationService _authorizationService) { // This function is executed if the user is authorized. var builder = new AuthorizationPolicyBuilder("Schema"); var customPolicy = builder.RequireClaim("Hello").Build(); var authResult = await _authorizationService.AuthorizeAsync(User, customPolicy); if (authResult.Succeeded) { return(View("Index")); } return(View("index")); }
public async Task <IActionResult> DoStuff([FromServices] IAuthorizationService authorizationService) { var builder = new AuthorizationPolicyBuilder("Schema"); var customPolicy = builder.RequireClaim("Hello").Build(); // Non-existing claim var authResult = await authorizationService.AuthorizeAsync(HttpContext.User, customPolicy); if (authResult.Succeeded) { // Authorization succeeded return(View("Index")); } Console.WriteLine("Auth Failed"); return(View("Index")); }
/// <summary> /// AddIdentity之后这个也会失效 /// 因为Identity/Authenticate返回的Cookie的名字改变了,所以无法解析Cookie /// </summary> /// <returns></returns> public async Task <bool> Auth() { var policyBuilder = new AuthorizationPolicyBuilder(); policyBuilder.RequireClaim(ClaimTypes.Name); var policy = policyBuilder.Build(); var result = await _authorizationService.AuthorizeAsync(User, policy); if (result.Succeeded) { return(true); } return(false); //也可以使用重定向,直接让api暴露给外面 }
public async Task <IActionResult> SecretService2([FromServices] IAuthorizationService authorizationService) { var authorizationPolicyBuilder = new AuthorizationPolicyBuilder(); authorizationPolicyBuilder.RequireClaim(ClaimTypes.Name, "Peter"); var customAuthPolicy = authorizationPolicyBuilder.Build(); var result = await authorizationService.AuthorizeAsync(this.User, customAuthPolicy); if (!result.Succeeded) { return(RedirectToAction(nameof(HomeController.Authenticate))); } return(View("Index")); }
/// <summary> /// 自定义Policy /// </summary> /// <param name="policyName"></param> /// <returns></returns> public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { if (policyName.StartsWith(POLICY_PREFIX, StringComparison.OrdinalIgnoreCase)) { //Create new Policy var policy = new AuthorizationPolicyBuilder(); //基于资源授权 //policy.AddRequirements(new PermissionRequirement(policyName.Substring(POLICY_PREFIX.Length))); //基于Claims 授权 policy.RequireClaim(POLICY_PREFIX, policyName.Substring(POLICY_PREFIX.Length)); return(Task.FromResult(policy.Build())); } return(FallbackPolicyProvider.GetPolicyAsync(policyName)); }
//to check authorization in custom action public async Task <IActionResult> DoStuff() { //we are doning stuff here //it will create Authorization Builder var builder = new AuthorizationPolicyBuilder("Schema"); //it will create Authorization Policy var customPolicy = builder.RequireClaim("Hello").Build(); var authResult = await _authorizationService.AuthorizeAsync(User, customPolicy); if (authResult.Succeeded) { } return(View("Index")); }