/// <summary>
 /// Create a <see cref="ShortCircuitingAccessControlPolicyAdapter"/>.
 /// </summary>
 /// <param name="firstPolicy">
 /// The policy that will be evaluated first. If this returns Allow, we will return an
 /// Allow result immediately without evaluting the other policies. Note that if this
 /// returns Deny, we will ignore any Explanation, because we will go on to evalute the
 /// other policies as if the first policy were not present.
 /// </param>
 /// <param name="otherPolicies">
 /// The policies that will be evaluated only if the first policy returns Deny.
 /// </param>
 public ShortCircuitingAccessControlPolicyAdapter(
     IOpenApiAccessControlPolicy firstPolicy,
     IEnumerable <IOpenApiAccessControlPolicy> otherPolicies)
 {
     this.firstPolicy   = firstPolicy;
     this.otherPolicies = otherPolicies;
 }
        /// <summary>
        /// Adds services required to enable role-based OpenApi access control, with the ability
        /// to exempt some operations without the overhead of invoking the service. Requires an
        /// implementation of <see cref="IClaimsService"/> to be registered.
        /// </summary>
        /// <param name="services">The service collection to which to add services.</param>
        /// <param name="exemptionPolicy">
        /// An access control policy that will be evaluated before attempting to contact the Claims
        /// service. If this exemption policy allows the request, then the request will be allowed
        /// through without asking the Claims service to evaluate permission.
        /// </param>
        /// <param name="resourcePrefix">
        /// An optional prefix to add to the URI path when forming the Resource URI that will be
        /// passed when asking the Claims service what permissions each role has for accessing
        /// the resrouce.
        /// </param>
        /// <param name="allowOnlyIfAll">
        /// Configures the behaviour when multiple <c>roles</c> claims are present, and the Claims
        /// service reports different permissions for the different roles. If false, permission
        /// will be granted as long as at least one role grants access. If true, all roles must
        /// grant access (and at least one <c>roles</c> claim must be present in either case).
        /// </param>
        /// <returns>The modified service collection.</returns>
        /// <remarks>
        /// <para>
        /// See <see cref="OpenApiAccessControlPolicy"/> for details on how this works.
        /// </para>
        /// <para>
        /// You will typically use <see cref="ClaimsClientServiceCollectionExtensions.AddClaimsClient(IServiceCollection, Func{IServiceProvider, ClaimsClientOptions})"/>
        /// to configure the <see cref="IClaimsService"/> that this requires.
        /// </para>
        /// </remarks>
        public static IServiceCollection AddClaimsClientRoleBasedOpenApiAccessControlWithPreemptiveExemptions(
            this IServiceCollection services,
            IOpenApiAccessControlPolicy exemptionPolicy,
            string resourcePrefix = null,
            bool allowOnlyIfAll   = false)
        {
            services.AddRoleBasedOpenApiAccessControlWithPreemptiveExemptions(exemptionPolicy, resourcePrefix, allowOnlyIfAll);

            services.AddSingleton <IResourceAccessEvaluator, OpenApiClientResourceAccessEvaluator>();

            return(services);
        }
Exemplo n.º 3
0
        /// <summary>
        /// Adds services required to enable role-based OpenApi access control, with the ability
        /// to exempt some operations without the overhead of invoking the service. Requires an
        /// implementation of <see cref="IResourceAccessEvaluator"/> to be registered.
        /// </summary>
        /// <param name="services">The service collection to which to add services.</param>
        /// <param name="exemptionPolicy">
        /// An access control policy that will be evaluated before attempting to contact the Claims
        /// service. If this exemption policy allows the request, then the request will be allowed
        /// through without asking the Claims service to evaluate permission.
        /// </param>
        /// <param name="resourcePrefix">
        /// An optional prefix to add to the URI path when forming the Resource URI that will be
        /// passed when asking the Claims service what permissions each role has for accessing
        /// the resrouce.
        /// </param>
        /// <param name="allowOnlyIfAll">
        /// Configures the behaviour when multiple <c>roles</c> claims are present, and the Claims
        /// service reports different permissions for the different roles. If false, permission
        /// will be granted as long as at least one role grants access. If true, all roles must
        /// grant access (and at least one <c>roles</c> claim must be present in either case).
        /// </param>
        /// <returns>The modified service collection.</returns>
        /// <remarks>
        /// <para>
        /// See <see cref="OpenApiAccessControlPolicy"/> for details on how this works.
        /// </para>
        /// <para>
        /// You will typically use this indirectly via the Marain.Claims.Client.OpenApi NuGet package's
        /// AddClaimsClientRoleBasedOpenApiAccessControlWithPreemptiveExemptions method.
        /// </para>
        /// </remarks>
        public static IServiceCollection AddRoleBasedOpenApiAccessControlWithPreemptiveExemptions(
            this IServiceCollection services,
            IOpenApiAccessControlPolicy exemptionPolicy,
            string resourcePrefix = null,
            bool allowOnlyIfAll   = false)
        {
            services.AddSingleton <IOpenApiAccessControlPolicy>(sp =>
            {
                IOpenApiAccessControlPolicy roleBasedPolicy = new OpenApiAccessControlPolicy(
                    new RoleBasedResourceAccessSubmissionBuilder(),
                    sp.GetRequiredService <IResourceAccessEvaluator>(),
                    sp.GetRequiredService <ILogger <OpenApiAccessControlPolicy> >(),
                    resourcePrefix,
                    allowOnlyIfAll);
                return(new ShortCircuitingAccessControlPolicyAdapter(
                           exemptionPolicy,
                           new[] { roleBasedPolicy }));
            });

            return(services);
        }