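/// <summary>
/// Create a <see cref="ShortCircuitingAccessControlPolicyAdapter"/>.
/// </summary>
/// <param name="firstPolicy">
/// The policy that will be evaluated first. If this returns Allow, we will return an
/// Allow result immediately without evaluating the other policies. Note that if this
/// returns Deny, we will ignore any Explanation, because we will go on to evaluate the
/// other policies as if the first policy were not present.
/// </param>
/// <param name="otherPolicies">
/// The policies that will be evaluated only if the first policy returns Deny.
/// </param>
/// <exception cref="System.ArgumentNullException">
/// Thrown if <paramref name="firstPolicy"/> or <paramref name="otherPolicies"/> is null.
/// </exception>
/// <remarks>
/// Because an Allow from <paramref name="firstPolicy"/> is returned immediately, none of
/// the <paramref name="otherPolicies"/> gets a chance to deny that request. Keep the first
/// policy as narrow as possible: anything it allows bypasses every other check.
/// </remarks>
public ShortCircuitingAccessControlPolicyAdapter(
    IOpenApiAccessControlPolicy firstPolicy,
    IEnumerable<IOpenApiAccessControlPolicy> otherPolicies)
{
    // Reject nulls here so that a misconfigured adapter is caught when it is built,
    // not later when the stored policies are used.
    if (firstPolicy == null)
    {
        throw new System.ArgumentNullException(nameof(firstPolicy));
    }

    if (otherPolicies == null)
    {
        throw new System.ArgumentNullException(nameof(otherPolicies));
    }

    this.firstPolicy = firstPolicy;
    this.otherPolicies = otherPolicies;
}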
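/// <summary>
/// Adds services required to enable role-based OpenApi access control, with the ability
/// to exempt some operations without the overhead of invoking the service. Requires an
/// implementation of <see cref="IClaimsService"/> to be registered.
/// </summary>
/// <param name="services">The service collection to which to add services.</param>
/// <param name="exemptionPolicy">
/// An access control policy that will be evaluated before attempting to contact the Claims
/// service. If this exemption policy allows the request, then the request will be allowed
/// through without asking the Claims service to evaluate permission.
/// </param>
/// <param name="resourcePrefix">
/// An optional prefix to add to the URI path when forming the Resource URI that will be
/// passed when asking the Claims service what permissions each role has for accessing
/// the resource.
/// </param>
/// <param name="allowOnlyIfAll">
/// Configures the behaviour when multiple <c>roles</c> claims are present, and the Claims
/// service reports different permissions for the different roles. If false, permission
/// will be granted as long as at least one role grants access. If true, all roles must
/// grant access (and at least one <c>roles</c> claim must be present in either case).
/// </param>
/// <returns>The modified service collection.</returns>
/// <exception cref="System.ArgumentNullException">
/// Thrown if <paramref name="services"/> or <paramref name="exemptionPolicy"/> is null.
/// </exception>
/// <remarks>
/// <para>
/// See <see cref="OpenApiAccessControlPolicy"/> for details on how this works.
/// </para>
/// <para>
/// You will typically use <see cref="ClaimsClientServiceCollectionExtensions.AddClaimsClient(IServiceCollection, Func{IServiceProvider, ClaimsClientOptions})"/>
/// to configure the <see cref="IClaimsService"/> that this requires.
/// </para>
/// <para>
/// Any request that <paramref name="exemptionPolicy"/> allows is never checked against the
/// Claims service, so the exemption policy is itself part of the access control decision.
/// It should allow only those operations that are meant to be reachable without a
/// role-based permission check.
/// </para>
/// </remarks>
public static IServiceCollection AddClaimsClientRoleBasedOpenApiAccessControlWithPreemptiveExemptions(
    this IServiceCollection services,
    IOpenApiAccessControlPolicy exemptionPolicy,
    string resourcePrefix = null,
    bool allowOnlyIfAll = false)
{
    // Validate at registration time so that a missing exemption policy is reported at
    // startup instead of surfacing once the access control policy is in use.
    if (services == null)
    {
        throw new System.ArgumentNullException(nameof(services));
    }

    if (exemptionPolicy == null)
    {
        throw new System.ArgumentNullException(nameof(exemptionPolicy));
    }

    services.AddRoleBasedOpenApiAccessControlWithPreemptiveExemptions(exemptionPolicy, resourcePrefix, allowOnlyIfAll);

    // Supplies the IResourceAccessEvaluator implementation that the role-based policy
    // resolves from the container.
    services.AddSingleton<IResourceAccessEvaluator, OpenApiClientResourceAccessEvaluator>();

    return services;
}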
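/// <summary>
/// Adds services required to enable role-based OpenApi access control, with the ability
/// to exempt some operations without the overhead of invoking the service. Requires an
/// implementation of <see cref="IResourceAccessEvaluator"/> to be registered.
/// </summary>
/// <param name="services">The service collection to which to add services.</param>
/// <param name="exemptionPolicy">
/// An access control policy that will be evaluated before attempting to contact the Claims
/// service. If this exemption policy allows the request, then the request will be allowed
/// through without asking the Claims service to evaluate permission.
/// </param>
/// <param name="resourcePrefix">
/// An optional prefix to add to the URI path when forming the Resource URI that will be
/// passed when asking the Claims service what permissions each role has for accessing
/// the resource.
/// </param>
/// <param name="allowOnlyIfAll">
/// Configures the behaviour when multiple <c>roles</c> claims are present, and the Claims
/// service reports different permissions for the different roles. If false, permission
/// will be granted as long as at least one role grants access. If true, all roles must
/// grant access (and at least one <c>roles</c> claim must be present in either case).
/// </param>
/// <returns>The modified service collection.</returns>
/// <exception cref="System.ArgumentNullException">
/// Thrown if <paramref name="services"/> or <paramref name="exemptionPolicy"/> is null.
/// </exception>
/// <remarks>
/// <para>
/// See <see cref="OpenApiAccessControlPolicy"/> for details on how this works.
/// </para>
/// <para>
/// You will typically use this indirectly via the Marain.Claims.Client.OpenApi NuGet package's
/// AddClaimsClientRoleBasedOpenApiAccessControlWithPreemptiveExemptions method.
/// </para>
/// <para>
/// Any request that <paramref name="exemptionPolicy"/> allows is never passed to the
/// role-based policy, so the exemption policy is itself part of the access control
/// decision. It should allow only those operations that are meant to be reachable without
/// a role-based permission check.
/// </para>
/// </remarks>
public static IServiceCollection AddRoleBasedOpenApiAccessControlWithPreemptiveExemptions(
    this IServiceCollection services,
    IOpenApiAccessControlPolicy exemptionPolicy,
    string resourcePrefix = null,
    bool allowOnlyIfAll = false)
{
    // The factory below runs only when the container resolves the policy, so without
    // these checks a null exemption policy would go unnoticed at registration time.
    if (services == null)
    {
        throw new System.ArgumentNullException(nameof(services));
    }

    if (exemptionPolicy == null)
    {
        throw new System.ArgumentNullException(nameof(exemptionPolicy));
    }

    services.AddSingleton<IOpenApiAccessControlPolicy>(sp =>
    {
        // Built inside the factory so that the evaluator and logger are taken from the
        // container at resolution time.
        IOpenApiAccessControlPolicy roleBasedPolicy = new OpenApiAccessControlPolicy(
            new RoleBasedResourceAccessSubmissionBuilder(),
            sp.GetRequiredService<IResourceAccessEvaluator>(),
            sp.GetRequiredService<ILogger<OpenApiAccessControlPolicy>>(),
            resourcePrefix,
            allowOnlyIfAll);

        // The exemption policy is passed as the adapter's first policy and the
        // role-based policy as its only other policy.
        return new ShortCircuitingAccessControlPolicyAdapter(
            exemptionPolicy,
            new[] { roleBasedPolicy });
    });

    return services;
}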