/// <summary>
/// Records a performance log entry for <paramref name="function"/>.
/// A no-op when no performance provider is configured.
/// </summary>
/// <param name="function">Name of the function or operation being traced.</param>
public void AddPerfLog(string function)
{
    var provider = _PerfProvider;
    if (provider != null)
    {
        provider.Add(function);
    }
}
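/// <summary>
/// Handles the authorization requirement for a <see cref="Page"/> resource.
/// </summary>
/// <remarks>
/// Fail-closed: every branch ends in <c>context.Succeed</c> or <c>context.Fail</c>, and the
/// framework treats a single <c>Fail</c> as authoritative over other handlers' successes.
/// Checks run in this order: requirement validity, availability of the application context
/// and SignIn manager, page/site consistency, agreement between the HTTP principal and the
/// application-context user, then the access rules proper (anonymous read of published public
/// pages, group membership on private pages, roles). Group membership on a private page is
/// checked before roles, so an Administrator or Publicator outside the page's groups is denied.
/// Caller-influenced values (page title, user names) are passed as message-template arguments
/// rather than interpolated into the template, so structured sinks keep them as properties
/// and can escape them instead of treating them as part of the message text.
/// </remarks>
/// <param name="context">Authorization context carrying the HTTP <c>User</c> principal.</param>
/// <param name="requirement">Operation requirement; only Read, Add and Update are accepted.</param>
/// <param name="page">Page being accessed; a null page is granted (nothing to protect).</param>
/// <returns>A completed task; the decision is recorded on <paramref name="context"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, OperationAuthorizationRequirement requirement, Page page)
{
    // context.Fail() dereferenced a null context anyway; make the failure explicit.
    if (context == null)
    {
        throw new ArgumentNullException(nameof(context));
    }

    bool isSignedIn = context.User != null && (_AppContext?.SignInManager?.IsSignedIn(context.User) ?? false);
    string userName = context.User == null ? null : _AppContext?.UserManager?.GetUserName(context.User);
    string identityName = context.User?.Identity?.Name;

    // Special cases...
    if (requirement?.Name == null)
    {
        _Log?.LogCritical("Access denied to page \"{Title}\": Null requirement.", page?.Title);
        context.Fail();
    }
    else if (requirement.Name != AuthorizationRequirement.Read
        && requirement.Name != AuthorizationRequirement.Add
        && requirement.Name != AuthorizationRequirement.Update)
    {
        _Log?.LogWarning("{Requirement} access denied to page \"{Title}\": Invalid requirement.", requirement.Name, page?.Title);
        context.Fail();
    }
    else if (page == null)
    {
        _Log?.LogInformation("{Requirement} access granted to null page.", requirement.Name);
        context.Succeed(requirement);
    }
    else if (_AppContext == null)
    {
        _Log?.LogCritical("{Requirement} access denied to page \"{Title}\": Invalid application context.", requirement.Name, page.Title);
        context.Fail();
    }
    else if (_AppContext.SignInManager == null)
    {
        _Log?.LogCritical("{Requirement} access denied to page \"{Title}\": Invalid SignIn manager.", requirement.Name, page.Title);
        context.Fail();
    }
    else if (context.User == null)
    {
        _Log?.LogCritical("{Requirement} access denied to page \"{Title}\": Invalid User data.", requirement.Name, page.Title);
        context.Fail();
    }
    // Check inputs...
    else if (page.RequestSite == null)
    {
        _Log?.LogCritical("{Requirement} access denied to page \"{Title}\": Invalid page.", requirement.Name, page.Title);
        context.Fail();
    }
    // Check inconsistency...
    else if (page.SiteId != page.RequestSite.Id)
    {
        _Log?.LogCritical("{Requirement} access denied to page \"{Title}\": Site inconsistency.", requirement.Name, page.Title);
        context.Fail();
    }
    else if (page.RequestSite.Private == true && page.Private == false)
    {
        // A public page cannot live on a private site.
        _Log?.LogCritical("{Requirement} access denied to page \"{Title}\": Privacy inconsistency.", requirement.Name, page.Title);
        context.Fail();
    }
    // Check user inconsistency...
    else if (isSignedIn && _AppContext.User == null)
    {
        // Signed-in principal in the HTTP context, but no user in the application context.
        _Log?.LogCritical("{Requirement} access denied to page \"{Title}\": User inconsistency (http but not in app).", requirement.Name, page.Title);
        context.Fail();
    }
    else if (!isSignedIn && _AppContext.User != null)
    {
        // No signed-in principal in the HTTP context, but a user in the application context.
        _Log?.LogCritical("{Requirement} access denied to page \"{Title}\": User inconsistency (not in http but in app).", requirement.Name, page.Title);
        context.Fail();
    }
    else if (isSignedIn && _AppContext.User != null && (userName == null || userName != _AppContext.User.UserName))
    {
        // Different user signed in to the HTTP context and to the application context.
        _Log?.LogCritical("{Requirement} access denied to page \"{Title}\": \"{UserName}\" not matching to context user \"{ContextUserName}\".", requirement.Name, page.Title, userName, _AppContext.User.UserName);
        context.Fail();
    }
    else if (_AppContext.User != null && _AppContext.User.SiteId != page.SiteId)
    {
        // The application user belongs to another site.
        _Log?.LogCritical("{Requirement} access denied to page \"{Title}\": \"{IdentityName}\" not allowed on this site.", requirement.Name, page.Title, identityName);
        context.Fail();
    }
    // Check access right...
    else if (_AppContext.User == null)
    {
        // Anonymous: only reading a published, public page is granted.
        if (requirement.Name == AuthorizationRequirement.Read && page.Private == false && page.State == State.Valided)
        {
            _Log?.LogInformation("{Requirement} access granted to page \"{Title}\": Published public page allowed to anonymous.", requirement.Name, page.Title);
            context.Succeed(requirement);
        }
        else
        {
            // The template used to read "{0} ... \"{page.Title}\"" with two arguments; the
            // second placeholder is now a proper template parameter.
            _Log?.LogWarning("{Requirement} access denied to page \"{Title}\": Anonymous user.", requirement.Name, page.Title);
            context.Fail();
        }
    }
    // Private page: Read needs at least one of the page's groups, any other requirement needs all of them.
    else if (page.Private == true && requirement.Name == AuthorizationRequirement.Read && _AppContext.User.MemberOf(page) == false)
    {
        _Log?.LogWarning("{Requirement} access denied to page \"{Title}\": \"{IdentityName}\" not in allowed groups.", requirement.Name, page.Title, identityName);
        context.Fail();
    }
    else if (page.Private == true && requirement.Name != AuthorizationRequirement.Read && _AppContext.User.MemberOfAll(page) == false)
    {
        _Log?.LogWarning("{Requirement} access denied to page \"{Title}\": \"{IdentityName}\" not in all allowed groups.", requirement.Name, page.Title, identityName);
        context.Fail();
    }
    // Administrator and Publicator have all rights (group membership was already enforced above)...
    else if (_AppContext.User.HasRole(ClaimValueRole.Administrator) == true || _AppContext.User.HasRole(ClaimValueRole.Publicator) == true)
    {
        _Log?.LogInformation("{Requirement} access granted to page \"{Title}\": \"{IdentityName}\" as {AdminRole}\\{PublicatorRole}.", requirement.Name, page.Title, identityName, ClaimValueRole.Administrator, ClaimValueRole.Publicator);
        context.Succeed(requirement);
    }
    // Contributor and Reader can only read published pages...
    else if (_AppContext.User.HasRole(ClaimValueRole.Contributor) == true || _AppContext.User.HasRole(ClaimValueRole.Reader) == true)
    {
        if (requirement.Name == AuthorizationRequirement.Read && page.State == State.Valided)
        {
            _Log?.LogInformation("{Requirement} access granted to page \"{Title}\": \"{IdentityName}\" can read published page as {ContributorRole}\\{ReaderRole}.", requirement.Name, page.Title, identityName, ClaimValueRole.Contributor, ClaimValueRole.Reader);
            context.Succeed(requirement);
        }
        else
        {
            _Log?.LogWarning("{Requirement} access denied to page \"{Title}\": \"{IdentityName}\" as {ContributorRole} or {ReaderRole} not allowed.", requirement.Name, page.Title, identityName, ClaimValueRole.Contributor, ClaimValueRole.Reader);
            context.Fail();
        }
    }
    // Users without any role can only read published pages...
    else if (requirement.Name == AuthorizationRequirement.Read && page.State == State.Valided)
    {
        _Log?.LogInformation("{Requirement} access granted to page \"{Title}\": \"{IdentityName}\" can read published page without role.", requirement.Name, page.Title, identityName);
        context.Succeed(requirement);
    }
    else
    {
        _Log?.LogWarning("{Requirement} access denied to page \"{Title}\": \"{IdentityName}\" not allowed.", requirement.Name, page.Title, identityName);
        context.Fail();
    }

    // Trace performance...
    _PerfProvider?.Add("PageAuthorizationHandler::Handle");

    return Task.CompletedTask;
}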
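/// <summary>
/// Handles the authorization requirement for a <see cref="Site"/> resource.
/// </summary>
/// <remarks>
/// Fail-closed: every branch ends in <c>context.Succeed</c> or <c>context.Fail</c>.
/// Only requirement names starting with the Read requirement pass the first gate; the
/// requirement is then matched against the plain Read name and the Read + account
/// login/register routes. Anonymous users may read a public site and reach the login page
/// (and the register page on a public site); registered users of the site get Read.
/// String comparisons on requirement names are ordinal: culture-sensitive
/// <c>StartsWith</c>/<c>ToLower</c> can ignore or fold characters and make an unexpected
/// name match, which is not acceptable in an authorization decision.
/// Caller-influenced values (site title, user names) are passed as message-template
/// arguments rather than interpolated into the template.
/// </remarks>
/// <param name="context">Authorization context carrying the HTTP <c>User</c> principal.</param>
/// <param name="requirement">Operation requirement; must start with the Read requirement name.</param>
/// <param name="site">Site being accessed; a null site is granted (nothing to protect).</param>
/// <returns>A completed task; the decision is recorded on <paramref name="context"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, OperationAuthorizationRequirement requirement, Site site)
{
    // context.Fail() dereferenced a null context anyway; make the failure explicit.
    if (context == null)
    {
        throw new ArgumentNullException(nameof(context));
    }

    bool isSignedIn = context.User != null && (_AppContext?.SignInManager?.IsSignedIn(context.User) ?? false);
    string userName = context.User == null ? null : _AppContext?.UserManager?.GetUserName(context.User);
    string identityName = context.User?.Identity?.Name;

    // Requirement names for the account pages, built once.
    string loginRequirement = $"{AuthorizationRequirement.Read}{CRoute.RouteAccountLogin}";
    string registerRequirement = $"{AuthorizationRequirement.Read}{CRoute.RouteAccountRegister}";

    // Special cases...
    if (requirement?.Name == null)
    {
        _Log?.LogCritical("Access denied to site \"{Title}\": Null requirement.", site?.Title);
        context.Fail();
    }
    else if (!requirement.Name.StartsWith(AuthorizationRequirement.Read, StringComparison.Ordinal))
    {
        _Log?.LogCritical("{Requirement} access denied to site \"{Title}\": Invalid requirement.", requirement.Name, site?.Title);
        context.Fail();
    }
    else if (site == null)
    {
        _Log?.LogInformation("{Requirement} access granted to null site.", requirement.Name);
        context.Succeed(requirement);
    }
    else if (_AppContext == null)
    {
        _Log?.LogCritical("{Requirement} access denied to site \"{Title}\": Invalid application context.", requirement.Name, site.Title);
        context.Fail();
    }
    else if (_AppContext.SignInManager == null)
    {
        _Log?.LogCritical("{Requirement} access denied to site \"{Title}\": Invalid SignIn manager.", requirement.Name, site.Title);
        context.Fail();
    }
    else if (_AppContext.UserManager == null)
    {
        _Log?.LogCritical("{Requirement} access denied to site \"{Title}\": Invalid User manager.", requirement.Name, site.Title);
        context.Fail();
    }
    else if (context.User == null)
    {
        _Log?.LogCritical("{Requirement} access denied to site \"{Title}\": Invalid User data.", requirement.Name, site.Title);
        context.Fail();
    }
    // Check user inconsistency...
    else if (isSignedIn && _AppContext.User == null)
    {
        // Signed-in principal in the HTTP context, but no user in the application context.
        _Log?.LogCritical("{Requirement} access denied to site \"{Title}\": User inconsistency (http but not in app).", requirement.Name, site.Title);
        context.Fail();
    }
    else if (!isSignedIn && _AppContext.User != null)
    {
        // No signed-in principal in the HTTP context, but a user in the application context.
        _Log?.LogCritical("{Requirement} access denied to site \"{Title}\": User inconsistency (not in http but in app).", requirement.Name, site.Title);
        context.Fail();
    }
    else if (isSignedIn && _AppContext.User != null && (userName == null || userName != _AppContext.User.UserName))
    {
        // Different user signed in to the HTTP context and to the application context.
        _Log?.LogWarning("{Requirement} access denied to site \"{Title}\": \"{UserName}\" not matching to context user \"{ContextUserName}\".", requirement.Name, site.Title, userName, _AppContext.User.UserName);
        context.Fail();
    }
    else if (_AppContext.User != null && _AppContext.User.SiteId != site.Id)
    {
        // The application user belongs to another site.
        _Log?.LogWarning("{Requirement} access denied to site \"{Title}\": \"{IdentityName}\" not allowed on this site.", requirement.Name, site.Title, identityName);
        context.Fail();
    }
    // Check access right...
    else if (_AppContext.User == null)
    {
        // Reading a public site is granted to anonymous...
        if (site.Private == false && requirement.Name == AuthorizationRequirement.Read)
        {
            _Log?.LogInformation("{Requirement} access granted to site \"{Title}\": Public site allowed to anonymous.", requirement.Name, site.Title);
            context.Succeed(requirement);
        }
        // NOTE: a former exemption granting theme assets (css/images/jss) to anonymous users
        // was commented out here; anonymous access to them is not granted by this handler.
        // Login (private and public site) and registration (public site only) are granted to anonymous...
        else if (string.Equals(requirement.Name, loginRequirement, StringComparison.OrdinalIgnoreCase)
            || (site.Private == false && string.Equals(requirement.Name, registerRequirement, StringComparison.OrdinalIgnoreCase)))
        {
            _Log?.LogInformation("{Requirement} access granted to site \"{Title}\": Registration and login page allowed to anonymous.", requirement.Name, site.Title);
            context.Succeed(requirement);
        }
        else
        {
            _Log?.LogWarning("{Requirement} access denied to site \"{Title}\": Anonymous user.", requirement.Name, site.Title);
            context.Fail();
        }
    }
    // Read is granted to every registered user of the site...
    // NOTE(review): this match is case-sensitive while the anonymous match above ignores case — confirm which is intended.
    else if (requirement.Name == AuthorizationRequirement.Read
        || requirement.Name == loginRequirement
        || requirement.Name == registerRequirement)
    {
        _Log?.LogInformation("{Requirement} access granted to site \"{Title}\": Read granted to \"{IdentityName}\".", requirement.Name, site.Title, identityName);
        context.Succeed(requirement);
    }
    // Update is granted to an Administrator who is member of all groups...
    // NOTE(review): names not starting with the Read requirement are rejected at the top, so
    // this branch is reachable only if AuthorizationRequirement.Update starts with
    // AuthorizationRequirement.Read — confirm the constants; otherwise it is dead code.
    else if (requirement.Name == AuthorizationRequirement.Update
        && _AppContext.User.HasRole(ClaimValueRole.Administrator) == true
        && _AppContext.User.MemberOfAllGroup() == true)
    {
        _Log?.LogInformation("{Requirement} access granted to site \"{Title}\": \"{IdentityName}\" as site {AdminRole} of all groups.", requirement.Name, site.Title, identityName, ClaimValueRole.Administrator);
        context.Succeed(requirement);
    }
    // Access denied...
    else
    {
        _Log?.LogWarning("{Requirement} access denied to site \"{Title}\": \"{IdentityName}\" not allowed.", requirement.Name, site.Title, identityName);
        context.Fail();
    }

    // Trace performance...
    _PerfProvider?.Add("SiteAuthorizationHandler::Handle");

    return Task.CompletedTask;
}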
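/// <summary>
/// Handles the authorization requirement for an <see cref="ApplicationUser"/> resource.
/// </summary>
/// <remarks>
/// Fail-closed: every branch ends in <c>context.Succeed</c> or <c>context.Fail</c>.
/// Only Read and Update are accepted. Anonymous users are always denied. Group membership
/// is enforced before roles (Read needs a shared group, Update needs all of the target's
/// groups), so an Administrator outside the target user's groups is denied; after that an
/// Administrator or the owner of the data is granted.
/// The former <c>requirement == null</c> branch was removed: it sat after the
/// <c>requirement?.Name == null</c> check, so it could never run, and it dereferenced
/// <c>requirement</c> in its own log message.
/// Caller-influenced values (email, user names) are passed as message-template arguments
/// rather than interpolated into the template.
/// </remarks>
/// <param name="context">Authorization context carrying the HTTP <c>User</c> principal.</param>
/// <param name="requirement">Operation requirement; only Read and Update are accepted.</param>
/// <param name="data">User record being accessed; a null record is granted (nothing to protect).</param>
/// <returns>A completed task; the decision is recorded on <paramref name="context"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, OperationAuthorizationRequirement requirement, ApplicationUser data)
{
    // context.Fail() dereferenced a null context anyway; make the failure explicit.
    if (context == null)
    {
        throw new ArgumentNullException(nameof(context));
    }

    bool isSignedIn = context.User != null && (_AppContext?.SignInManager?.IsSignedIn(context.User) ?? false);
    string userName = context.User == null ? null : _AppContext?.UserManager?.GetUserName(context.User);
    string identityName = context.User?.Identity?.Name;

    // Special cases...
    if (requirement?.Name == null)
    {
        _Log?.LogCritical("Access denied to user \"{Email}\": Null requirement.", data?.Email);
        context.Fail();
    }
    else if (requirement.Name != AuthorizationRequirement.Read && requirement.Name != AuthorizationRequirement.Update)
    {
        _Log?.LogCritical("Access denied to user \"{Email}\": Invalid requirement.", data?.Email);
        context.Fail();
    }
    else if (data == null)
    {
        _Log?.LogInformation("{Requirement} access granted to null user.", requirement.Name);
        context.Succeed(requirement);
    }
    else if (_AppContext == null)
    {
        _Log?.LogCritical("{Requirement} access denied to user \"{Email}\": Invalid application context.", requirement.Name, data.Email);
        context.Fail();
    }
    else if (_AppContext.SignInManager == null)
    {
        _Log?.LogCritical("{Requirement} access denied to user \"{Email}\": Invalid SignIn manager.", requirement.Name, data.Email);
        context.Fail();
    }
    else if (_AppContext.UserManager == null)
    {
        _Log?.LogCritical("{Requirement} access denied to user \"{Email}\": Invalid User manager.", requirement.Name, data.Email);
        context.Fail();
    }
    else if (context.User == null)
    {
        _Log?.LogCritical("{Requirement} access denied to user \"{Email}\": Invalid User data.", requirement.Name, data.Email);
        context.Fail();
    }
    // Check inputs...
    else if (data.UserName == null || data.RequestSite == null)
    {
        _Log?.LogCritical("{Requirement} access denied to user \"{Email}\": Invalid user.", requirement.Name, data.Email);
        context.Fail();
    }
    // Check inconsistency...
    else if (data.SiteId != data.RequestSite.Id)
    {
        _Log?.LogCritical("{Requirement} access denied to user \"{Email}\": Site inconsistency.", requirement.Name, data.Email);
        context.Fail();
    }
    // Check user inconsistency...
    else if (isSignedIn && _AppContext.User == null)
    {
        // Signed-in principal in the HTTP context, but no user in the application context.
        _Log?.LogCritical("{Requirement} access denied to user \"{Email}\": User inconsistency (http but not in app).", requirement.Name, data.Email);
        context.Fail();
    }
    else if (!isSignedIn && _AppContext.User != null)
    {
        // No signed-in principal in the HTTP context, but a user in the application context.
        _Log?.LogCritical("{Requirement} access denied to user \"{Email}\": User inconsistency (not in http but in app).", requirement.Name, data.Email);
        context.Fail();
    }
    else if (isSignedIn && _AppContext.User != null && (userName == null || userName != _AppContext.User.UserName))
    {
        // Different user signed in to the HTTP context and to the application context.
        _Log?.LogCritical("{Requirement} access denied to user \"{Email}\": \"{UserName}\" not matching to context user \"{ContextUserName}\".", requirement.Name, data.Email, userName, _AppContext.User.UserName);
        context.Fail();
    }
    else if (_AppContext.User != null && _AppContext.User.SiteId != data.SiteId)
    {
        // The application user belongs to another site.
        _Log?.LogCritical("{Requirement} access denied to user \"{Email}\": \"{IdentityName}\" not allowed on this site.", requirement.Name, data.Email, identityName);
        context.Fail();
    }
    // Check access right...
    else if (_AppContext.User == null)
    {
        // Anonymous is never granted on user data...
        _Log?.LogWarning("{Requirement} access denied to user \"{Email}\": Anonymous user.", requirement.Name, data.Email);
        context.Fail();
    }
    // User groups: Read needs at least one group of the target user, any other requirement needs all of them.
    else if (requirement.Name == AuthorizationRequirement.Read && _AppContext.User.MemberOf(data) == false)
    {
        _Log?.LogWarning("{Requirement} access denied to user \"{Email}\": \"{IdentityName}\" not in allowed groups.", requirement.Name, data.Email, identityName);
        context.Fail();
    }
    else if (requirement.Name != AuthorizationRequirement.Read && _AppContext.User.MemberOfAll(data) == false)
    {
        _Log?.LogWarning("{Requirement} access denied to user \"{Email}\": \"{IdentityName}\" not in all allowed groups.", requirement.Name, data.Email, identityName);
        context.Fail();
    }
    // Administrator has all rights (group membership was already enforced above)...
    else if (_AppContext.User.HasRole(ClaimValueRole.Administrator) == true)
    {
        _Log?.LogInformation("{Requirement} access granted to user \"{Email}\": \"{IdentityName}\" as {AdminRole}.", requirement.Name, data.Email, identityName, ClaimValueRole.Administrator);
        context.Succeed(requirement);
    }
    // Users have access to their own data...
    else if (_AppContext.User.Id == data.Id)
    {
        // Only Read and Update survive the requirement gate above, so the else branch is defensive.
        if (requirement.Name == AuthorizationRequirement.Read
            || requirement.Name == AuthorizationRequirement.Add
            || requirement.Name == AuthorizationRequirement.Update)
        {
            _Log?.LogInformation("{Requirement} access granted to user \"{Email}\": \"{IdentityName}\" as owner.", requirement.Name, data.Email, identityName);
            context.Succeed(requirement);
        }
        else
        {
            _Log?.LogWarning("{Requirement} access denied to user \"{Email}\": \"{IdentityName}\" not allowed.", requirement.Name, data.Email, identityName);
            context.Fail();
        }
    }
    // Nobody else can see user details...
    else
    {
        _Log?.LogWarning("{Requirement} access denied to user \"{Email}\": \"{IdentityName}\" not allowed.", requirement.Name, data.Email, identityName);
        context.Fail();
    }

    // Trace performance...
    _PerfProvider?.Add("UserAuthorizationHandler::Handle");

    return Task.CompletedTask;
}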