/// <summary>
/// Resolves the authorization policy that applies to the directive and
/// evaluates it for the given principal.
/// </summary>
/// <param name="context">Directive context used to resolve services and to report errors.</param>
/// <param name="directive">The authorize directive carrying the roles and the optional policy name.</param>
/// <param name="principal">The principal the policy is evaluated against.</param>
/// <returns>
/// <c>true</c> only when a policy was resolved, no result had been set on the
/// context, and the authorization service reported success; otherwise <c>false</c>.
/// </returns>
private static async Task<bool> AuthorizeWithPolicyAsync(
    IDirectiveContext context,
    AuthorizeDirective directive,
    ClaimsPrincipal principal)
{
    IAuthorizationService authorization =
        context.Service<IAuthorizationService>();
    IAuthorizationPolicyProvider policies =
        context.Service<IAuthorizationPolicyProvider>();

    // NOTE(review): directive.Roles is dereferenced without a null check;
    // this assumes the directive always carries a (possibly empty) list.
    bool noRoles = directive.Roles.Count == 0;
    bool noPolicyName = string.IsNullOrWhiteSpace(directive.Policy);

    AuthorizationPolicy resolved = null;

    if (noRoles && noPolicyName)
    {
        // Neither roles nor a policy name were given: use the default policy.
        resolved = await policies.GetDefaultPolicyAsync();

        if (resolved == null)
        {
            context.Result = QueryError.CreateFieldError(
                "The default authorization policy does not exist.",
                context.FieldSelection);
        }
    }
    else if (!noPolicyName)
    {
        resolved = await policies.GetPolicyAsync(directive.Policy);

        if (resolved == null)
        {
            // A misspelled or unregistered policy name is reported as a
            // field error and the request is denied, not silently allowed.
            context.Result = QueryError.CreateFieldError(
                $"The `{directive.Policy}` authorization policy " +
                "does not exist.",
                context.FieldSelection);
        }
    }

    // Deny by default: without a resolved policy, or with a result already
    // set on the context, the authorization service is never consulted.
    // A directive that has roles but no policy name also ends up here, so
    // callers presumably invoke this method only when a policy check is
    // required (confirm against the caller).
    if (context.Result != null || resolved == null)
    {
        return false;
    }

    AuthorizationResult outcome =
        await authorization.AuthorizeAsync(principal, resolved);

    return outcome.Succeeded;
}
/// <summary>
/// Resolves the authorization policy that applies to the directive and
/// reports the outcome as an <c>AuthState</c>. Only the first part of the
/// method is shown in this listing.
/// </summary>
/// <param name="context">Directive context used to resolve the service provider.</param>
/// <param name="directive">The authorize directive carrying the roles and the optional policy name.</param>
/// <param name="principal">The principal to authorize (not used in the visible part).</param>
private static async Task<AuthState> AuthorizeWithPolicyAsync(
    IDirectiveContext context,
    AuthorizeDirective directive,
    ClaimsPrincipal principal)
{
    // The services are resolved via GetService, so a missing registration
    // yields null and is handled by the check below.
    IServiceProvider services = context.Service<IServiceProvider>();
    IAuthorizationService? authorizeService =
        services.GetService<IAuthorizationService>();
    IAuthorizationPolicyProvider? policyProvider =
        services.GetService<IAuthorizationPolicyProvider>();

    if (authorizeService == null || policyProvider == null)
    {
        // authorization service is not configured so the user is
        // authorized with the previous checks.
        //
        // A named policy cannot be evaluated without these services, so that
        // case is denied. When no policy is named the result is Allowed and
        // the default policy is never consulted: enforcement then rests
        // entirely on the checks the caller performed before this call.
        return(string.IsNullOrWhiteSpace(directive.Policy)
            ? AuthState.Allowed
            : AuthState.NotAllowed);
    }

    AuthorizationPolicy? policy = null;

    // Neither roles nor a policy name were given: use the default policy.
    if ((directive.Roles is null || directive.Roles.Count == 0)
        && string.IsNullOrWhiteSpace(directive.Policy))
    {
        policy = await policyProvider.GetDefaultPolicyAsync()
            .ConfigureAwait(false);

        if (policy == null)
        {
            // A missing default policy is reported as its own state
            // instead of being treated as success.
            return(AuthState.NoDefaultPolicy);
        }
    }
    // The listing ends here; the rest of the method is not shown.
/// <summary>
/// Forwards the current field selection as a query to the executer of the
/// schema that the field selection names.
/// </summary>
/// <param name="directiveContext">The directive context of the field being resolved.</param>
/// <returns>The task returned by the target schema's query executer.</returns>
/// <exception cref="ArgumentNullException">
/// <paramref name="directiveContext"/> is <c>null</c>.
/// </exception>
public Task<IExecutionResult> RedirectQueryAsync(
    IDirectiveContext directiveContext)
{
    if (directiveContext == null)
    {
        throw new ArgumentNullException(nameof(directiveContext));
    }

    // The target schema is chosen from the field selection.
    // NOTE(review): nothing visible here checks the name before it is
    // handed to GetQueryExecuter; how an unknown name is handled depends
    // on that method (confirm).
    string targetSchema = directiveContext.FieldSelection.GetSchemaName();
    IStitchingContext stitching =
        directiveContext.Service<IStitchingContext>();

    // RequestAborted is passed along so that cancelling the incoming
    // request also cancels the forwarded query.
    return(stitching
        .GetQueryExecuter(targetSchema)
        .ExecuteAsync(
            CreateQuery(directiveContext),
            directiveContext.RequestAborted));
}
/// <summary>
/// Directive middleware that lets the pipeline continue only when the
/// current principal passes the role check and, outside ASPNETCLASSIC
/// builds, the named policy of the authorize directive.
/// </summary>
/// <param name="context">The directive context of the field being resolved.</param>
/// <param name="next">The next delegate in the directive pipeline.</param>
private static async Task AuthorizeAsync(
    IDirectiveContext context,
    DirectiveDelegate next)
{
#if !ASPNETCLASSIC
    // Resolved up front, even when the directive names no policy.
    IAuthorizationService authorization =
        context.Service<IAuthorizationService>();
#endif

    // The principal is read from the custom properties under the key
    // "ClaimsPrincipal".
    // NOTE(review): if that property is not set, how a missing principal is
    // treated depends on IsInRoles and the authorization service (confirm).
    ClaimsPrincipal user =
        context.CustomProperty<ClaimsPrincipal>(nameof(ClaimsPrincipal));
    AuthorizeDirective authorize =
        context.Directive.ToObject<AuthorizeDirective>();

    bool granted = IsInRoles(user, authorize.Roles);

#if !ASPNETCLASSIC
    // The policy is evaluated only after the role check has passed.
    // In ASPNETCLASSIC builds this block is compiled out, so the role check
    // alone decides. NOTE(review): confirm a directive cannot carry a policy
    // in that build.
    if (granted && !string.IsNullOrEmpty(authorize.Policy))
    {
        AuthorizationResult outcome =
            await authorization.AuthorizeAsync(user, authorize.Policy);
        granted = outcome.Succeeded;
    }
#endif

    if (!granted)
    {
        // Denied: report a field error and do not call the next delegate.
        context.Result = QueryError.CreateFieldError(
            "The current user is not authorized to " +
            "access this resource.",
            context.Path,
            context.FieldSelection);
        return;
    }

    await next(context);
}
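/// <summary>
/// Resolves the authorization policy that applies to the directive and
/// evaluates it for the given principal, using the directive context as
/// the resource.
/// </summary>
/// <param name="context">Directive context used to resolve services and to report errors.</param>
/// <param name="directive">The authorize directive carrying the roles and the optional policy name.</param>
/// <param name="principal">The principal the policy is evaluated against.</param>
/// <returns>
/// <c>true</c> when the resolved policy succeeds, or when the authorization
/// services are not registered and the directive names no policy;
/// otherwise <c>false</c>.
/// </returns>
private static async Task<bool> AuthorizeWithPolicyAsync(
    IDirectiveContext context,
    AuthorizeDirective directive,
    ClaimsPrincipal principal)
{
    IServiceProvider services = context.Service<IServiceProvider>();
    IAuthorizationService authorizeService =
        services.GetService<IAuthorizationService>();
    IAuthorizationPolicyProvider policyProvider =
        services.GetService<IAuthorizationPolicyProvider>();

    bool hasPolicyName = !string.IsNullOrWhiteSpace(directive.Policy);

    if (authorizeService == null || policyProvider == null)
    {
        // Without the authorization services a named policy cannot be
        // evaluated, so that case is denied. When no policy is named the
        // call succeeds and the default policy is never consulted:
        // enforcement then rests on the checks the caller ran beforehand.
        return !hasPolicyName;
    }

    // A missing role list is treated like an empty one instead of
    // throwing a NullReferenceException.
    bool hasRoles = directive.Roles != null && directive.Roles.Count != 0;

    AuthorizationPolicy policy = null;

    if (!hasRoles && !hasPolicyName)
    {
        // Neither roles nor a policy name were given: use the default policy.
        policy = await policyProvider.GetDefaultPolicyAsync()
            .ConfigureAwait(false);

        if (policy == null)
        {
            context.Result = ErrorBuilder.New()
                .SetMessage(
                    AuthResources.AuthorizeMiddleware_NoDefaultPolicy)
                .SetCode(AuthErrorCodes.NoDefaultPolicy)
                .SetPath(context.Path)
                .AddLocation(context.FieldSelection)
                .Build();
        }
    }
    else if (hasPolicyName)
    {
        policy = await policyProvider.GetPolicyAsync(directive.Policy)
            .ConfigureAwait(false);

        if (policy == null)
        {
            // A misspelled or unregistered policy name is reported as an
            // error and the request is denied, not silently allowed.
            context.Result = ErrorBuilder.New()
                .SetMessage(string.Format(
                    CultureInfo.InvariantCulture,
                    AuthResources.AuthorizeMiddleware_PolicyNotFound,
                    directive.Policy))
                .SetCode(AuthErrorCodes.PolicyNotFound)
                .SetPath(context.Path)
                .AddLocation(context.FieldSelection)
                .Build();
        }
    }

    if (context.Result == null && policy != null)
    {
        // The directive context is passed as the resource argument of the
        // policy evaluation.
        AuthorizationResult result =
            await authorizeService.AuthorizeAsync(
                principal, context, policy)
                .ConfigureAwait(false);
        return result.Succeeded;
    }

    // Deny by default: no policy was resolved or a result was already set.
    return false;
}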