public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policies = policyName.Split(',', StringSplitOptions.RemoveEmptyEntries);
if (policies.Length > 1)
{
var singlePolicies = new List <SinglePolicyRequirement>();
foreach (var item in policies)
{
foreach (var requirement in _authorizationOptions.GetPolicy(item.Trim()).Requirements)
{
if (requirement is SinglePolicyRequirement)
{
singlePolicies.Add(requirement as SinglePolicyRequirement);
}
}
}
var combineAuthPolicy = new AuthorizationPolicy(
new List <IAuthorizationRequirement>
{
new MultiplePolicyOrRequirement(singlePolicies)
},
new List <string>());
return(Task.FromResult(combineAuthPolicy));
}
else
{
return(Task.FromResult <AuthorizationPolicy>(_authorizationOptions.GetPolicy(policyName)));
}
}
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
//因为我们policy的名称其实就是对应的权限名称,所以可以用下列逻辑返回需要的验证规则
AuthorizationPolicy policy = _options.GetPolicy(policyName);
if (policy == null)
{
string[] resourceValues = policyName.Split(new char[] { '-' }, StringSplitOptions.None);
if (resourceValues.Length == 1)
{
_options.AddPolicy(policyName, builder =>
{
builder.AddRequirements(new ClaimsAuthorizationRequirement(resourceValues[0], null));
});
}
else
{
_options.AddPolicy(policyName, builder =>
{
builder.AddRequirements(new ClaimsAuthorizationRequirement(resourceValues[0], new string[] { resourceValues[1] }));
});
}
}
return(Task.FromResult(_options.GetPolicy(policyName)));
}
public async Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
AuthorizationPolicy policy;
lock (_myLock)
{
policy = _options.GetPolicy(policyName);
}
if (policy == null && !string.IsNullOrEmpty(policyName) && policyName.IndexOf("=====") > -1)
{
string[] resourceValues = policyName.Split(new string[] { "=====" }, StringSplitOptions.RemoveEmptyEntries);
if (resourceValues.Length > 1)
{
lock (_myLock)
{
_options.AddPolicy(policyName, builder =>
{
builder.RequireClaim(resourceValues[0], new string[] { resourceValues[1] });
});
}
}
}
return(await Task.FromResult(_options.GetPolicy(policyName)));
}
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
AuthorizationPolicy policy = Options.GetPolicy(policyName);
if (policy == null)
{
string[] resourceValues = policyName.Split(new string[] { "=====" }, StringSplitOptions.RemoveEmptyEntries);
Options.AddPolicy(policyName, builder =>
{
builder.RequireClaim(resourceValues[0], new string[] { resourceValues[1] });
});
}
return(Task.FromResult(Options.GetPolicy(policyName)));
}
public static AuthorizationOptions AddFunctionPolicy(
this AuthorizationOptions options,
string functionName,
params string[] policyNames)
{
var policies = new List <AuthorizationPolicy>();
foreach (var name in policyNames)
{
var policy = options.GetPolicy(name);
if (policy == null)
{
throw new InvalidOperationException($"Authorization policy '{name}' is not registered");
}
policies.Add(policy);
}
if (policies.Any())
{
options.AddPolicy(functionName, AuthorizationPolicy.Combine(policies));
}
return(options);
}
/// <summary>
/// Gets a <see cref="AuthorizationPolicy"/> from the given <paramref name="policyName"/>
/// </summary>
/// <param name="policyName">The policy name to retrieve.</param>
/// <returns>The named <see cref="AuthorizationPolicy"/>.</returns>
public virtual Task <AuthorizationPolicy?> GetPolicyAsync(string policyName)
{
// MVC caches policies specifically for this class, so this method MUST return the same policy per
// policyName for every request or it could allow undesired access. It also must return synchronously.
// A change to either of these behaviors would require shipping a patch of MVC as well.
return(Task.FromResult(_options.GetPolicy(policyName)));
}
// And this is where the magic happens.
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
// Check to see if there's a configured policy with the name.
var _policy = _options.GetPolicy(policyName);
if (_policy == null)
{
// There's no matching policy name in the policies configured in start
// So let's do our thing.
// For our sample we have the following policy name format,
// ClaimName|ExpectedValue and we assume that neither the claim name nor the
// value have a | character in them, because it's only a sample
var policyDetails = policyName.Split('|');
if (policyDetails.Length != 2)
{
return(Task.FromResult((AuthorizationPolicy)null));
}
// Now we can create our custom requirements with the right parameters
// then build a policy around them, and finally return that policy for evaluation.
var requirements = new IAuthorizationRequirement[1];
requirements[0] = new CustomAuthorizationRequirement {
ClaimType = policyDetails[0], ClaimValue = policyDetails[1]
};
return(Task.FromResult(new AuthorizationPolicyBuilder().AddRequirements(requirements).Build()));
}
return(Task.FromResult(_policy));
}
public override Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policy = _options.GetPolicy(policyName);
if (policy == null)
{
var claimValues = policyName.Split(new char[] { '.' }, StringSplitOptions.None);
if (claimValues.Length == 1)
{
_options.AddPolicy(policyName, builder => builder.AddRequirements(new ClaimsAuthorizationRequirement(claimValues[0], null)));
}
else
{
_options.AddPolicy(policyName, builder => builder.AddRequirements(new ClaimsAuthorizationRequirement($"{claimValues[0]}.{claimValues[1]}", new string[] { policyName })));
}
}
return(Task.FromResult(_options.GetPolicy(policyName)));
}
private bool AreOptionsEqual(AuthZyinAuthorizationOptions left, AuthorizationOptions right)
{
var propertiesAreTheSame =
left != null && right != null &&
left.DefaultPolicy == right.DefaultPolicy &&
left.FallbackPolicy == right.FallbackPolicy &&
left.InvokeHandlersAfterFailure == right.InvokeHandlersAfterFailure;
var policiesAreTheSame = left.Policies.All(x => x.policy == right.GetPolicy(x.name));
return(propertiesAreTheSame && policiesAreTheSame);
}
/// <summary>
/// Gets the authorization policy
/// </summary>
/// <param name="policyName">String representing the policy</param>
/// <returns></returns>
/// <remarks>
/// Gets a CSLA permissions policy if the policy name corresponds
/// to a CSLA policy, otherwise gets a policy from the fallback
/// provider.
/// </remarks>
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policy = _options.GetPolicy(policyName);
if (policy is null && CslaPolicy.TryGetPermissionRequirement(policyName, out CslaPermissionRequirement requirement))
{
var policyBuilder = new AuthorizationPolicyBuilder();
policyBuilder.AddRequirements(requirement);
policy = policyBuilder.Build();
_options.AddPolicy(policyName, policy);
}
return(Task.FromResult(policy));
}
private string GetPrimaryAuthenticationScheme(IAuthorizeData authorizeData)
{
if (authorizeData == null)
{
return(null);
}
if (string.IsNullOrWhiteSpace(authorizeData.Policy) == false)
{
AuthorizationPolicy authorizationPolicy = _authorizationOptions.GetPolicy(authorizeData.Policy);
return(authorizationPolicy?.AuthenticationSchemes.FirstOrDefault());
}
return(string.IsNullOrWhiteSpace(authorizeData.AuthenticationSchemes) ? null : authorizeData.AuthenticationSchemes.Split(',').First());
}
public void Apply(OpenApiOperation operation, OperationFilterContext context)
{
// Policy names map to scopes
var requiredPolicies = context.MethodInfo
.GetCustomAttributes(true)
.Concat(context.MethodInfo.DeclaringType.GetCustomAttributes(true))
.OfType <AuthorizeAttribute>()
.Select(attr => attr.Policy)
.Distinct();
var requiredScopes = requiredPolicies.Select(p => _authorizationOptions.GetPolicy(p))
.SelectMany(r => r.Requirements.OfType <ClaimsAuthorizationRequirement>())
.Where(cr => cr.ClaimType == JwtClaimTypes.Scope)
.SelectMany(r => r.AllowedValues)
.Distinct()
.ToList();
if (requiredScopes.Any())
{
operation.Responses.Add("401", new OpenApiResponse {
Description = "Unauthorized"
});
operation.Responses.Add("403", new OpenApiResponse {
Description = "Forbidden"
});
var oAuthScheme = new OpenApiSecurityScheme()
{
Reference = new OpenApiReference()
{
Id = "oauth2",
Type = ReferenceType.SecurityScheme,
}
};
operation.Security = new List <OpenApiSecurityRequirement>()
{
new OpenApiSecurityRequirement()
{
[oAuthScheme] = requiredScopes,
}
};
}
}
// Policies are looked up by string name, so expect 'parameters' (like age)
// to be embedded in the policy names. This is abstracted away from developers
// by the more strongly-typed attributes derived from AuthorizeAttribute
// (like [MinimumAgeAuthorize()] in this sample)
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var AuthPolicy = _options.GetPolicy(policyName);
if (AuthPolicy == null)
{
if (policyName.StartsWith(POLICY_PREFIX, StringComparison.OrdinalIgnoreCase) &&
int.TryParse(policyName.Substring(POLICY_PREFIX.Length), out var age))
{
var policy = new AuthorizationPolicyBuilder(CookieAuthenticationDefaults.AuthenticationScheme, "MichaelAuth");
policy.AddRequirements(new MinimumAgeRequirement(age));
return(Task.FromResult(policy.Build()));
}
return(FallbackPolicyProvider.GetPolicyAsync(policyName));
}
else
{
return(Task.FromResult <AuthorizationPolicy>(AuthPolicy));
}
}
public void Apply(OpenApiOperation operation, OperationFilterContext context)
{
var requiredPolicies = context.MethodInfo
.GetCustomAttributes(true)
.Concat(context.MethodInfo.DeclaringType.GetCustomAttributes(true))
.OfType <AuthorizeAttribute>()
.Select(attr => attr.Policy)
.Distinct();
var requiredScopes = requiredPolicies.Select(p => authorizationOptions.GetPolicy(p))
.SelectMany(r => r.Requirements.OfType <ClaimsAuthorizationRequirement>())
.Where(cr => cr.ClaimType == "scope")
.SelectMany(r => r.AllowedValues)
.Distinct()
.ToList();
if (requiredScopes.Any())
{
operation.Responses.Add("401", new OpenApiResponse {
Description = "Unauthorized - correct token needed"
});
var bearerScheme = new OpenApiSecurityScheme
{
Reference = new OpenApiReference {
Type = ReferenceType.SecurityScheme, Id = "Bearer"
}
};
operation.Security = new List <OpenApiSecurityRequirement>
{
new OpenApiSecurityRequirement
{
[bearerScheme] = requiredScopes
}
};
}
}
private static AuthorizationPolicy GetPolicyRequirement(string policy, AuthorizationOptions options)
{
return(options.GetPolicy(policy) ?? throw new Exception($"{policy} policy not found"));
}
public static void Configure(AuthorizationOptions options)
{
options.InvokeHandlersAfterFailure = true;
// This is the default policy (created and used by default)
// Can be replaced
// options.DefaultPolicy = new AuthorizationPolicyBuilder().RequireRole("Admin").Build();
options.AddPolicy(Default, builder =>
{
builder.RequireAuthenticatedUser();
});
// Policy with simple rules. Based in User claims information
options.AddPolicy(Simple, policyBuilder =>
{
policyBuilder.RequireRole("Developer");
policyBuilder.RequireUserName("Hugo Biarge");
policyBuilder.RequireClaim("Department", "CPM", "Platform");
policyBuilder.RequireAssertion(context =>
{
var roles = context.User.FindAll(ClaimTypes.Role);
return(roles.Any()
? Task.FromResult(true)
: Task.FromResult(false));
});
});
// Policy with simple rules. Show how several succeed are handled
options.AddPolicy(HandlersBehavior, policyBuilder =>
{
policyBuilder.AddRequirements(new LastHandlerWinRequirement());
});
// Code based policy: Calculations over Claims information
options.AddPolicy(Over21Years, policyBuilder =>
{
policyBuilder.AddRequirements(new MinimumAgeRequirement(21));
});
// Code based policy: Several handlers to validate a requirement
options.AddPolicy(AllowedInOffice, policyBuilder =>
{
policyBuilder.AddRequirements(new OfficeEntryRequirement(department: "CPM"));
});
// Use of different schemas
options.AddPolicy(MultipleSchemas, policyBuilder =>
{
policyBuilder.AddAuthenticationSchemes("bearer", "extra");
policyBuilder.RequireAuthenticatedUser();
policyBuilder.RequireRole("Operator"); // From bearer scheme
policyBuilder.RequireClaim("Supervisor"); // From extra scheme
});
// Creates a policy that uses several authentication schemes by default
// without explicit configuration in builder.AuthenticationSchemes
var customBuilder = new AuthorizationPolicyBuilder("scheme1", "scheme2");
customBuilder.RequireAuthenticatedUser();
var policy = customBuilder.Build();
options.AddPolicy("MultipleSchemesBis", policy);
// Or Register it as a default policy
// options.DefaultPolicy = policy;
//// Sample for combined policies
options.AddPolicy("Combined", policyBuilder =>
{
policyBuilder.Combine(options.GetPolicy(Simple));
policyBuilder.Combine(options.GetPolicy(Over21Years));
});
}
