 /// <summary>
 /// Records a performance-trace entry labelled with the calling function.
 /// </summary>
 /// <param name="function">Label of the function whose timing is being traced.</param>
 /// <remarks>
 /// No-op when no performance provider is configured; the provider is read once
 /// into a local so the null test and the call see the same instance.
 /// </remarks>
 public void AddPerfLog(string function)
 {
     var provider = _PerfProvider;
     if (provider != null)
     {
         provider.Add(function);
     }
 }
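        /// <summary>
        /// Decides the <paramref name="requirement"/> (Read, Add or Update) against a <see cref="Page"/>,
        /// reporting the decision through <paramref name="context"/> with exactly one call to
        /// <c>Succeed</c> or <c>Fail</c>.
        /// </summary>
        /// <param name="context">ASP.NET Core authorization context carrying the HTTP principal.</param>
        /// <param name="requirement">Operation being requested; only Read, Add and Update are accepted.</param>
        /// <param name="page">Page being accessed; a null page is granted (see remarks).</param>
        /// <returns>A completed task; the outcome is carried by <paramref name="context"/>.</returns>
        /// <remarks>
        /// Evaluation is a single if/else chain, so the first matching branch wins and order matters:
        /// infrastructure checks (null requirement, unknown operation, missing application context,
        /// managers, principal) come first, then page integrity (request site, site and privacy
        /// consistency), then consistency between the HTTP principal and the application user, and
        /// finally the access rules. Group membership on private pages is enforced before any role
        /// check, so an Administrator or Publicator who is not in the page's groups is still denied.
        /// Every branch logs its outcome; the later branches interpolate page titles and user names
        /// directly into the message text rather than passing them as template arguments.
        /// </remarks>
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       OperationAuthorizationRequirement requirement,
                                                       Page page)
        {
            // Both values are derived defensively: a missing principal or manager yields false/null
            // here and is diagnosed by the explicit checks below instead of throwing.
            bool   isSignedIn = (context?.User == null) ? false : (_AppContext?.SignInManager?.IsSignedIn(context.User) ?? false);
            string userName   = (context?.User == null) ? null : _AppContext?.UserManager?.GetUserName(context.User);

            // Special case...
            // NOTE(review): context is read with "?." above but dereferenced by every Fail()/Succeed()
            // below; ASP.NET Core never supplies a null context, so no guard is added here.
            if (requirement?.Name == null)
            {
                _Log?.LogCritical("Access denied to page \"{0}\": Null requirement.", page?.Title);
                context.Fail();
            }
            else if (requirement.Name != AuthorizationRequirement.Read &&
                     requirement.Name != AuthorizationRequirement.Add &&
                     requirement.Name != AuthorizationRequirement.Update)
            {
                _Log?.LogWarning("{0} access denied to page \"{1}\": Invalid requirement.", requirement.Name, page?.Title);
                context.Fail();
            }
            else if (page == null)
            {
                // NOTE(review): a null resource is treated as "nothing to protect" and granted (fail-open);
                // confirm that callers never pass null for a page that simply could not be loaded.
                _Log?.LogInformation("{0} access granted to null page.", requirement.Name);
                context.Succeed(requirement);
            }
            else if (_AppContext == null)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Invalid application context.", requirement.Name, page?.Title);
                context.Fail();
            }
            else if (_AppContext.SignInManager == null)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Invalid SignIn manager.", requirement.Name, page?.Title);
                context.Fail();
            }
            // A missing user manager leaves userName null; without this check it is only reported
            // later, and only for signed-in users, as a misleading "not matching" failure. The site
            // and user handlers already diagnose it explicitly.
            else if (_AppContext.UserManager == null)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Invalid User manager.", requirement.Name, page?.Title);
                context.Fail();
            }
            else if (context.User == null)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Invalid User data.", requirement.Name, page?.Title);
                context.Fail();
            }
            // Check inputs...
            else if (page.RequestSite == null)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Invalid page.", requirement.Name, page?.Title);
                context.Fail();
            }
            // Check inconsistency...
            else if (page.SiteId != page.RequestSite.Id)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Site inconsistency.", requirement.Name, page?.Title);
                context.Fail();
            }
            // A public page must not live on a private site.
            else if (page.RequestSite.Private == true &&
                     page.Private == false)
            {
                _Log?.LogCritical("{0} access denied to page \"{1}\": Privacy inconsistency.", requirement.Name, page?.Title);
                context.Fail();
            }
            // Check user inconsistency: the HTTP principal and the application user must agree.
            else if (isSignedIn == true && _AppContext.User == null)
            {
                // Signed user in the http context, but no user in the application context.
                _Log?.LogCritical("{0} access denied to page \"{1}\": User inconsistency (http but not in app).", requirement.Name, page?.Title);
                context.Fail();
            }
            else if (isSignedIn == false && _AppContext.User != null)
            {
                // No Signed user in the http context, but user in the application context.
                _Log?.LogCritical("{0} access denied to page \"{1}\": User inconsistency (not in http but in app).", requirement.Name, page?.Title);
                context.Fail();
            }
            else if ((isSignedIn == true && _AppContext.User != null) &&
                     (userName == null || userName != _AppContext.User.UserName))
            {
                // Different user signed in http context and in application context.
                _Log?.LogCritical($"{requirement.Name} access denied to page \"{page.Title}\": \"{userName}\" not matching to context user \"{_AppContext.User.UserName}\".");
                context.Fail();
            }
            else if (_AppContext.User != null && _AppContext.User.SiteId != page.SiteId)
            {
                // Invalid user site: a user may only act on pages of their own site.
                _Log?.LogCritical($"{requirement.Name} access denied to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" not allowed on this site.");
                context.Fail();
            }
            // Check access right...
            else if (_AppContext.User == null)
            {
                // Read published and public page is granted to anonymous; everything else is denied.
                if (requirement.Name == AuthorizationRequirement.Read &&
                    page.Private == false &&
                    page.State == State.Valided)
                {
                    _Log?.LogInformation("{0} access granted to page \"{1}\": Published public page allowed to anonymous.", requirement.Name, page?.Title);
                    context.Succeed(requirement);
                }
                else
                {
                    // Message template fixed: "{page.Title}" was used as a placeholder name while the
                    // value was passed as the second argument, as in every other template above.
                    _Log?.LogWarning("{0} access denied to page \"{1}\": Anonymous user.", requirement.Name, page?.Title);
                    context.Fail();
                }
            }
            // If the page is private, check user groups:
            //  For read: user need to have at least one group of the page.
            //  For other requirement: user need to have all groups of the page.
            // These run before the role checks, so roles never bypass group membership.
            else if (page.Private == true &&
                     requirement.Name == AuthorizationRequirement.Read &&
                     _AppContext.User.MemberOf(page) == false)
            {
                _Log?.LogWarning($"{requirement.Name} access denied to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" not in allowed groups.");
                context.Fail();
            }
            else if (page.Private == true &&
                     requirement.Name != AuthorizationRequirement.Read &&
                     _AppContext.User.MemberOfAll(page) == false)
            {
                _Log?.LogWarning($"{requirement.Name} access denied to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" not in all allowed groups.");
                context.Fail();
            }
            // Administrator and publicator have all rights...
            else if (_AppContext.User.HasRole(ClaimValueRole.Administrator) == true ||
                     _AppContext.User.HasRole(ClaimValueRole.Publicator) == true)
            {
                _Log?.LogInformation($"{requirement.Name} access granted to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" as {ClaimValueRole.Administrator}\\{ClaimValueRole.Publicator}.");
                context.Succeed(requirement);
            }
            // Contributor and reader can only read published page...
            else if (_AppContext.User.HasRole(ClaimValueRole.Contributor) == true ||
                     _AppContext.User.HasRole(ClaimValueRole.Reader) == true)
            {
                if (requirement.Name == AuthorizationRequirement.Read &&
                    page.State == State.Valided)
                {
                    _Log?.LogInformation($"{requirement.Name} access granted to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" can read published page as {ClaimValueRole.Contributor}\\{ClaimValueRole.Reader}.");
                    context.Succeed(requirement);
                }
                else
                {
                    _Log?.LogWarning($"{requirement.Name} access denied to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" as {ClaimValueRole.Contributor} or {ClaimValueRole.Reader} not allowed.");
                    context.Fail();
                }
            }
            // User without roles: same rule as contributor/reader, read of published pages only.
            else if (requirement.Name == AuthorizationRequirement.Read &&
                     page.State == State.Valided)
            {
                _Log?.LogInformation($"{requirement.Name} access granted to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" can read published page without role.");
                context.Succeed(requirement);
            }
            else
            {
                _Log?.LogWarning($"{requirement.Name} access denied to page \"{page.Title}\": \"{context?.User?.Identity?.Name}\" not allowed.");
                context.Fail();
            }
            // Trace performance...
            _PerfProvider?.Add("PageAuthorizationHandler::Handle");
            // Return...
            return(Task.CompletedTask);
        }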
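        /// <summary>
        /// Decides the <paramref name="requirement"/> against a <see cref="Site"/>, reporting the
        /// decision through <paramref name="context"/> with exactly one call to <c>Succeed</c> or <c>Fail</c>.
        /// </summary>
        /// <param name="context">ASP.NET Core authorization context carrying the HTTP principal.</param>
        /// <param name="requirement">
        /// Operation being requested. Only names starting with the Read operation are accepted; the
        /// login and register routes are recognised as Read suffixes.
        /// </param>
        /// <param name="site">Site being accessed; a null site is granted (see remarks).</param>
        /// <returns>A completed task; the outcome is carried by <paramref name="context"/>.</returns>
        /// <remarks>
        /// Single if/else chain, first match wins: infrastructure checks, then consistency between the
        /// HTTP principal and the application user, then the access rules. Requirement names are route
        /// identifiers, so they are compared ordinally (case-insensitively for the anonymous login and
        /// register routes) rather than with culture-sensitive <c>StartsWith</c>/<c>ToLower</c>, whose
        /// result can vary with the current culture.
        /// </remarks>
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       OperationAuthorizationRequirement requirement,
                                                       Site site)
        {
            // Derived defensively: a missing principal or manager yields false/null here and is
            // diagnosed by the explicit checks below instead of throwing.
            bool   isSignedIn = (context?.User == null) ? false : (_AppContext?.SignInManager?.IsSignedIn(context.User) ?? false);
            string userName   = (context?.User == null) ? null : _AppContext?.UserManager?.GetUserName(context.User);

            // Special case...
            // NOTE(review): context is read with "?." above but dereferenced by every Fail()/Succeed()
            // below; ASP.NET Core never supplies a null context, so no guard is added here.
            if (requirement?.Name == null)
            {
                _Log?.LogCritical($"Access denied to site \"{site?.Title}\": Null requirement.");
                context.Fail();
            }
            // Ordinal prefix match: the name is a route identifier, not linguistic text.
            else if (requirement.Name.StartsWith(AuthorizationRequirement.Read, System.StringComparison.Ordinal) == false)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site?.Title}\": Invalid requirement.");
                context.Fail();
            }
            else if (site == null)
            {
                // NOTE(review): a null resource is treated as "nothing to protect" and granted (fail-open);
                // confirm that callers never pass null for a site that simply could not be loaded.
                _Log?.LogInformation($"{requirement.Name} access granted to null site.");
                context.Succeed(requirement);
            }
            else if (_AppContext == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": Invalid application context.");
                context.Fail();
            }
            else if (_AppContext.SignInManager == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": Invalid SignIn manager.");
                context.Fail();
            }
            else if (_AppContext.UserManager == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": Invalid User manager.");
                context.Fail();
            }
            else if (context.User == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": Invalid User data.");
                context.Fail();
            }
            // Check user inconsistency: the HTTP principal and the application user must agree.
            else if (isSignedIn == true && _AppContext.User == null)
            {
                // Signed user in the http context, but no user in the application context.
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": User inconsistency (http but not in app).");
                context.Fail();
            }
            else if (isSignedIn == false && _AppContext.User != null)
            {
                // No Signed user in the http context, but user in the application context.
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": User inconsistency (not in http but in app).");
                context.Fail();
            }
            else if ((isSignedIn == true && _AppContext.User != null) &&
                     (userName == null || userName != _AppContext.User.UserName))
            {
                // Different user signed in http context and in application context.
                // Logged at Critical like the page and user handlers; it is an integrity failure, not a policy miss.
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": \"{userName}\" not matching to context user \"{_AppContext.User.UserName}\".");
                context.Fail();
            }
            else if (_AppContext.User != null && _AppContext.User.SiteId != site.Id)
            {
                // Invalid user site: a user may only act on their own site.
                _Log?.LogCritical($"{requirement.Name} access denied to site \"{site.Title}\": \"{context?.User?.Identity?.Name}\" not allowed on this site.");
                context.Fail();
            }
            // Check access right...
            else if (_AppContext.User == null)
            {
                // Read Public site is granted to anonymous...
                if (site.Private == false && requirement.Name == AuthorizationRequirement.Read)
                {
                    _Log?.LogInformation($"{requirement.Name} access granted to site \"{site.Title}\": Public site allowed to anonymous.");
                    context.Succeed(requirement);
                }
                // Theme assets (css/images/js) are no longer exempted for anonymous users; a former
                // exemption based on route prefixes was removed.
                // Registration (public site) and login (private and public site) is granted to anonymous user...
                // Case-insensitive ordinal comparison replaces ToLower(), which depends on the current culture.
                else if (string.Equals(requirement.Name, $"{AuthorizationRequirement.Read}{CRoute.RouteAccountLogin}", System.StringComparison.OrdinalIgnoreCase) ||
                         (site.Private == false && string.Equals(requirement.Name, $"{AuthorizationRequirement.Read}{CRoute.RouteAccountRegister}", System.StringComparison.OrdinalIgnoreCase)))
                {
                    _Log?.LogInformation($"{requirement.Name} access granted to site \"{site.Title}\": Registration and login page allowed to anonymous.");
                    context.Succeed(requirement);
                }
                else
                {
                    _Log?.LogWarning($"{requirement.Name} access denied to site \"{site.Title}\": Anonymous user.");
                    context.Fail();
                }
            }
            // Read requirement is granted to all registered user...
            else if (requirement.Name == AuthorizationRequirement.Read ||
                     requirement.Name == $"{AuthorizationRequirement.Read}{CRoute.RouteAccountLogin}" ||
                     requirement.Name == $"{AuthorizationRequirement.Read}{CRoute.RouteAccountRegister}")
            {
                _Log?.LogInformation($"{requirement.Name} access granted to site \"{site.Title}\": Read granted to \"{context?.User?.Identity?.Name}\".");
                context.Succeed(requirement);
            }
            // Update requirement is granted to admin member of all groups...
            // NOTE(review): only names starting with the Read operation pass the check at the top, so
            // this branch is reachable only if the Update constant's value starts with that prefix — confirm.
            else if (requirement.Name == AuthorizationRequirement.Update &&
                     _AppContext.User.HasRole(ClaimValueRole.Administrator) == true &&
                     _AppContext.User.MemberOfAllGroup() == true)
            {
                _Log?.LogInformation($"{requirement.Name} access granted to site \"{site.Title}\": \"{context?.User?.Identity?.Name}\" as site {ClaimValueRole.Administrator} of all groups.");
                context.Succeed(requirement);
            }
            // Access denied...
            else
            {
                _Log?.LogWarning($"{requirement.Name} access denied to site \"{site.Title}\": \"{context?.User?.Identity?.Name}\" not allowed.");
                context.Fail();
            }
            // Trace performance...
            _PerfProvider?.Add("SiteAuthorizationHandler::Handle");
            // Return...
            return(Task.CompletedTask);
        }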
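        /// <summary>
        /// Decides the <paramref name="requirement"/> (Read or Update) against an
        /// <see cref="ApplicationUser"/> record, reporting the decision through
        /// <paramref name="context"/> with exactly one call to <c>Succeed</c> or <c>Fail</c>.
        /// </summary>
        /// <param name="context">ASP.NET Core authorization context carrying the HTTP principal.</param>
        /// <param name="requirement">Operation being requested; only Read and Update are accepted.</param>
        /// <param name="data">User record being accessed; a null record is granted (see remarks).</param>
        /// <returns>A completed task; the outcome is carried by <paramref name="context"/>.</returns>
        /// <remarks>
        /// Single if/else chain, first match wins: infrastructure checks, record integrity (user name,
        /// request site, site consistency), consistency between the HTTP principal and the application
        /// user, then the access rules. Anonymous callers are always denied. Group membership on the
        /// target record is enforced before the role check, so an Administrator outside the record's
        /// groups is still denied; after that, Administrators and the record's owner are granted.
        /// </remarks>
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       OperationAuthorizationRequirement requirement,
                                                       ApplicationUser data)
        {
            // Derived defensively: a missing principal or manager yields false/null here and is
            // diagnosed by the explicit checks below instead of throwing.
            bool   isSignedIn = (context?.User == null) ? false : (_AppContext?.SignInManager?.IsSignedIn(context.User) ?? false);
            string userName   = (context?.User == null) ? null : _AppContext?.UserManager?.GetUserName(context.User);

            // Special case...
            // NOTE(review): context is read with "?." above but dereferenced by every Fail()/Succeed()
            // below; ASP.NET Core never supplies a null context, so no guard is added here.
            if (requirement?.Name == null)
            {
                _Log?.LogCritical($"Access denied to user \"{data?.Email}\": Null requirement.");
                context.Fail();
            }
            else if (requirement.Name != AuthorizationRequirement.Read &&
                     requirement.Name != AuthorizationRequirement.Update)
            {
                _Log?.LogCritical($"Access denied to user \"{data?.Email}\": Invalid requirement.");
                context.Fail();
            }
            else if (data == null)
            {
                // NOTE(review): a null resource is treated as "nothing to protect" and granted (fail-open);
                // confirm that callers never pass null for a record that simply could not be loaded.
                _Log?.LogInformation($"{requirement.Name} access granted to null user.");
                context.Succeed(requirement);
            }
            else if (_AppContext == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Invalid application context.");
                context.Fail();
            }
            else if (_AppContext.SignInManager == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Invalid SignIn manager.");
                context.Fail();
            }
            else if (_AppContext.UserManager == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Invalid User manager.");
                context.Fail();
            }
            else if (context.User == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Invalid User data.");
                context.Fail();
            }
            // Check inputs...
            // (A second "requirement == null" branch used to sit here; it was unreachable after the
            // null check at the top and would itself have dereferenced the null requirement.)
            else if (data.UserName == null ||
                     data.RequestSite == null)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Invalid user.");
                context.Fail();
            }
            // Check inconsistency...
            else if (data.SiteId != data.RequestSite.Id)
            {
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": Site inconsistency.");
                context.Fail();
            }
            // Check user inconsistency: the HTTP principal and the application user must agree.
            else if (isSignedIn == true && _AppContext.User == null)
            {
                // Signed user in the http context, but no user in the application context.
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": User inconsistency (http but not in app).");
                context.Fail();
            }
            else if (isSignedIn == false && _AppContext.User != null)
            {
                // No Signed user in the http context, but user in the application context.
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": User inconsistency (not in http but in app).");
                context.Fail();
            }
            else if ((isSignedIn == true && _AppContext.User != null) &&
                     (userName == null || userName != _AppContext.User.UserName))
            {
                // Different user signed in http context and in application context.
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\":  \"{userName}\" not matching to context user \"{_AppContext.User.UserName}\".");
                context.Fail();
            }
            else if (_AppContext.User != null && _AppContext.User.SiteId != data.SiteId)
            {
                // Invalid user site: a user may only act on records of their own site.
                _Log?.LogCritical($"{requirement.Name} access denied to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" not allowed on this site.");
                context.Fail();
            }
            // Check access right...
            else if (_AppContext.User == null)
            {
                // Anonymous is not granted...
                _Log?.LogWarning($"{requirement.Name} access denied to user \"{data.Email}\": Anonymous user.");
                context.Fail();
            }
            // Check user groups:
            //  For read: user need to have at least one group of the user data.
            //  For other requirement: user need to have all groups of the user data.
            // These run before the role check, so roles never bypass group membership.
            else if (requirement.Name == AuthorizationRequirement.Read &&
                     _AppContext.User.MemberOf(data) == false)
            {
                _Log?.LogWarning($"{requirement.Name} access denied to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" not in allowed groups.");
                context.Fail();
            }
            else if (requirement.Name != AuthorizationRequirement.Read &&
                     _AppContext.User.MemberOfAll(data) == false)
            {
                _Log?.LogWarning($"{requirement.Name} access denied to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" not in all allowed groups.");
                context.Fail();
            }
            // Administrator have all rights...
            else if (_AppContext.User.HasRole(ClaimValueRole.Administrator) == true)
            {
                _Log?.LogInformation($"{requirement.Name} access granted to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" as {ClaimValueRole.Administrator}.");
                context.Succeed(requirement);
            }
            // User have access to their data...
            else if (_AppContext.User.Id == data.Id)
            {
                // The operation check at the top already restricts the name to Read or Update, so the
                // inner test is defence in depth (Add is never reached here) and the else is currently dead.
                if (requirement.Name == AuthorizationRequirement.Read ||
                    requirement.Name == AuthorizationRequirement.Add ||
                    requirement.Name == AuthorizationRequirement.Update)
                {
                    _Log?.LogInformation($"{requirement.Name} access granted to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" as owner.");
                    context.Succeed(requirement);
                }
                else
                {
                    _Log?.LogWarning($"{requirement.Name} access denied to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" not allowed.");
                    context.Fail();
                }
            }
            // Other cannot see user details...
            else
            {
                _Log?.LogWarning($"{requirement.Name} access denied to user \"{data.Email}\": \"{context?.User?.Identity?.Name}\" not allowed.");
                context.Fail();
            }
            // Trace performance...
            _PerfProvider?.Add("UserAuthorizationHandler::Handle");
            // Return...
            return(Task.CompletedTask);
        }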