public void Require(AuthorizationPolicyBuilder policyOptions)
{
policyOptions.AuthenticationSchemes.Add(ServiceAuthConsts.AuthenticationScheme);
policyOptions.RequireAuthenticatedUser();
policyOptions.RequireClaim(ServiceAuthConsts.ClaimUserType, ServiceAuthConsts.ClaimUserTypeUser);
policyOptions.RequireClaim(ServiceAuthConsts.ClaimCanDelete, ServiceAuthConsts.ClaimTargetTopic);
}
public static void AddPolicies(this IServiceCollection service, PolicyContext policies)
{
foreach (var namedPolicy in policies.GetPolicySets())
{
var policySet = namedPolicy.Value;
var policyBuilder = new AuthorizationPolicyBuilder();
policyBuilder.RequireAuthenticatedUser();
var noOneHasAccessToPolicy = policySet == null;
if (noOneHasAccessToPolicy)
{
policyBuilder.RequireAssertion((context) => false); //If no one has access to the policy then always make a false assertion;
}
else
{
var allowableRulesAndUsers = policySet.GetAllowableRolesAndUsersCombined();
if (allowableRulesAndUsers.Any())
{
policyBuilder.RequireRole(policySet.GetAllowableRolesAndUsersCombined());
}
if (policySet.DenyRoles != null)
{
policyBuilder.RequireAssertion(context =>
policySet.GetAllowableRolesAndUsersCombined().Any(allowedRole => context.User.IsInRole(allowedRole)) ||
!policySet.DenyRoles.Any(deniedRole => context.User.IsInRole(deniedRole)));
}
if (policySet.DenyUsers != null)
{
policyBuilder.RequireAssertion(context =>
policySet.GetAllowableRolesAndUsersCombined().Any(allowedRole => context.User.IsInRole(allowedRole)) ||
!policySet.DenyUsers.Any(deniedUser => context.User.IsInRole(deniedUser)));
}
if (policySet.AllowClaim != null)
{
policyBuilder.RequireClaim(policySet.AllowClaim.Type, policySet.AllowClaim.Values);
}
if (policySet.AllowClaims != null)
{
policySet.AllowClaims.ForEach(claim => policyBuilder.RequireClaim(claim.Type, claim.Values));
}
}
var policy = policyBuilder.Build();
service.AddAuthorization(options => options.AddPolicy(namedPolicy.Key, policy));
}
}
public static AuthorizationPolicy ToAuthPolicy(this AuthorizationPolicyInfo info)
{
var policy = new AuthorizationPolicyBuilder();
var hasAnyRequirements = false;
if (info.AllowedRoles.Count > 0)
{
policy.RequireRole(info.AllowedRoles);
hasAnyRequirements = true;
}
if (info.AuthenticationSchemes.Count > 0)
{
policy.AuthenticationSchemes = info.AuthenticationSchemes;
}
if (info.RequireAuthenticatedUser)
{
policy.RequireAuthenticatedUser();
hasAnyRequirements = true;
}
if (info.RequiredClaims.Count > 0)
{
foreach (var c in info.RequiredClaims)
{
if (c.AllowedValues.Count > 0)
{
policy.RequireClaim(c.ClaimName, c.AllowedValues);
}
else
{
policy.RequireClaim(c.ClaimName);
}
hasAnyRequirements = true;
}
}
if (!string.IsNullOrWhiteSpace(info.RequiredUserName))
{
policy.RequireUserName(info.RequiredUserName);
hasAnyRequirements = true;
}
if (!hasAnyRequirements)
{
// allow anonymous
Func <AuthorizationHandlerContext, bool> allowAny = (AuthorizationHandlerContext authContext) => true;
policy.RequireAssertion(allowAny);
}
return(policy.Build());
}
// Episode 4 - IAuthorizationService kullanımı
public async Task <IActionResult> AuthorizationService(
[FromServices] IAuthorizationService authorizationService)
{
// Poliçe oluşturuyorum. Normalde bu iş Startup içerisinde yapılır.
var policyBuilder = new AuthorizationPolicyBuilder();
var policy =
policyBuilder
.RequireClaim(ClaimTypes.Role, "admin")
.Build();
ClaimsPrincipal loggedInUser = HttpContext.User;
var authzResult = await authorizationService.AuthorizeAsync(loggedInUser, null, policy);
if (authzResult.Succeeded)
{
// kullanıcı admin rolünde, bir şeyler yap.
return(Content("You are the administrator!"));
}
else
{
// kullanıcı admin rolünde değil, bir şeyler yap.
return(Content("You are not the administrator!"));
}
}
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
if (policyName.StartsWith(ClaimAuthorizeAttribute.POLICY_PREFIX))
{
var claim = policyName.Substring(ClaimAuthorizeAttribute.POLICY_PREFIX.Length);
var policyBuilder = new AuthorizationPolicyBuilder();
if (claim.StartsWith(AnyGroupPrefix))
{
var claimMatch = claim.Substring(AnyGroupPrefix.Length);
//Group-insenstive match.
policyBuilder.RequireAssertion(context =>
context.User.HasClaim((c) => c.Type == CustomClaims.Permission && c.Value.EndsWith(claimMatch)));
}
else
{
var requestContext = _httpContextAccessor.HttpContext.RequestServices.GetService <RequestContext>();
//Group-specific match.
var claimFullName = $"{requestContext.GroupId}:{claim}";
policyBuilder.RequireClaim(CustomClaims.Permission, claimFullName);
}
return(Task.FromResult(policyBuilder.Build()));
}
return(FallbackPolicyProvider.GetPolicyAsync(policyName));
}
public async Task <IActionResult> DoStuff()
{
//Some block of Code
//Now Authorize the remaining blocks
//We can also use Builder
var builder = new AuthorizationPolicyBuilder("policyName");
var customPolicy = builder.RequireClaim("Hello").Build();
//await _authorizationService.AuthorizeAsync(User, "Claim.DoB");
//AuthorizeAsync also accepts AuthorizationPolicy, which is returned by
// Build Method
var authResult =
await _authorizationService.AuthorizeAsync(User, customPolicy);
if (authResult.Succeeded)
{
}
return(View("Index"));
}
public static AuthorizationPolicyBuilder RequireAge(this AuthorizationPolicyBuilder policy, int age)
{
policy.RequireClaim(ClaimTypes.DateOfBirth);
policy.Requirements.Add(new MinimumAgeRequirement(26));
return(policy);
}
public override Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policy = new AuthorizationPolicyBuilder();
policy.RequireClaim(Consts.PrivilegeClaimType, policyName);
return(Task.FromResult(policy.Build()));
}
private static void ConfigureRegularUserPolicy(AuthorizationPolicyBuilder policyBuilder)
{
policyBuilder
.RequireClaim(AuthConst.CLAIM_ID)
.RequireClaim(AuthConst.CLAIM_JTI)
.RequireClaim(AuthConst.CLAIM_IAT)
.RequireClaim(AuthConst.CLAIM_USERNAME)
.RequireClaim(AuthConst.CLAIM_FIRSTNAME)
.RequireClaim(AuthConst.CLAIM_LASTNAME);
}
private static void BuildPolicy(AuthorizationPolicyInfo policy, AuthorizationOptions config)
{
var builder = new AuthorizationPolicyBuilder();
policy.AuthenticationSchemes?.ForEach(builder.AuthenticationSchemes.Add);
if (policy.Requirements != null && policy.Requirements.Any())
{
foreach (var policyRequirement in policy.Requirements)
{
switch (policyRequirement.RequirementType)
{
case AuthorizationRequirementType.ClaimsAuthorizationRequirement:
var claimsInfo = JObject.Parse(policyRequirement.Requirement)
.ToObject <ClaimsInfo>();
builder.RequireClaim(claimsInfo.ClaimType, claimsInfo.RequiredValues);
break;
case AuthorizationRequirementType.RolesAuthorizationRequirement:
builder.RequireRole(JObject.Parse(policyRequirement.Requirement)
.ToObject <string[]>());
break;
case AuthorizationRequirementType.NameAuthorizationRequirement:
builder.RequireUserName(policyRequirement.Requirement);
break;
case AuthorizationRequirementType.OperationAuthorizationRequirement:
builder.AddRequirements(
new OperationAuthorizationRequirement()
{
Name = policyRequirement.Requirement
});
break;
case AuthorizationRequirementType.DenyAnonymousAuthorizationRequirement:
builder.RequireAuthenticatedUser();
break;
case AuthorizationRequirementType.DenyAuthorizationRequirement:
builder.AddRequirements(new DenyAuthorizationRequirement());
break;
case AuthorizationRequirementType.CustomAuthorizationRequirement:
builder.AddRequirements(Activator.CreateInstance(Type.GetType(policyRequirement.Type),
JObject.Parse(policyRequirement.Requirement).ToObject <object[]>()) as IAuthorizationRequirement);
break;
// TODO implement the assertion requirement.
//case AuthorizationRequirementType.ClaimsAuthorizationRequirement:
// builder.RequireAssertion(handler => {handler.})
// break;
}
}
}
config.AddPolicy(policy.Name, builder.Build());
}
private AuthorizationPolicyBuilder GetPolicyBuilder(string[] parts)
{
if (parts == null)
{
throw new ArgumentNullException($"{nameof(parts)} cannot be null.");
}
var length = parts.Length;
if (length == 0)
{
throw new ArgumentOutOfRangeException($"{nameof(parts)} cannot cannot be empty.");
}
var policy = new AuthorizationPolicyBuilder();
if (length > 1)
{
return(policy.RequireClaim(parts[0], parts[1]));
}
return(policy.RequireClaim(parts[0]));
}
public async Task <IActionResult> doStuff()
{
var builder = new AuthorizationPolicyBuilder("Schema");
var customPolicy = builder.RequireClaim("hello").Build();
var authResult = await _authorizationService.AuthorizeAsync(User, customPolicy);
if (authResult.Succeeded)
{
}
return(View("index"));
}
AuthorizationPolicy IsAdmin()
{
var scheme = SignInManager.SchemeName;
var builder = new AuthorizationPolicyBuilder(scheme);
return
(builder.RequireClaim("isAdmin", "true")
.RequireClaim("department", "Sales")
.RequireClaim("canEdit", "true")
.Build());
}
public async Task <IActionResult> DoStuff()
{
var builder = new AuthorizationPolicyBuilder("policy1");
var customPolicy = builder.RequireClaim("claimname").Build();
var authResult = await _authorizationService.AuthorizeAsync(HttpContext.User, customPolicy);
if (authResult.Succeeded)
{
}
return(View("Index"));
}
public override Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
if (policyName.StartsWith("Claim_", StringComparison.InvariantCultureIgnoreCase))
{
var builder = new AuthorizationPolicyBuilder();
var claimName = policyName.Substring(6);
builder.RequireClaim(claimName, "1", "true");
var policy = builder.Build();
return(Task.FromResult(policy));
}
return(base.GetPolicyAsync(policyName));
}
public async Task <IActionResult> DoStuffService([FromServices] IAuthorizationService authorizationService)
{
var builder = new AuthorizationPolicyBuilder("Schema");
var customPolicy = builder.RequireClaim("Hello").Build();
var authResult = await authorizationService.AuthorizeAsync(User, customPolicy);
if (authResult.Succeeded)
{
return(View("Index"));
}
return(View("Index"));
}
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
using (var db = _serviceProvider.CreateScope().ServiceProvider.GetRequiredService <ApplicationDbContext>())
{
var policys = db.Policys.Where(p => p.Name == policyName).ToList();
var build = new AuthorizationPolicyBuilder();
foreach (var policy in policys)
{
build.RequireClaim(policyName, policy.Config);
}
return(Task.FromResult(build.Build()));
}
}
public IReadOnlyDictionary <string, AuthorizationPolicy> Create()
{
var policyBuilder = new AuthorizationPolicyBuilder();
policyBuilder.RequireAuthenticatedUser();
policyBuilder.RequireClaim("scope", "api1");
return(new Dictionary <string, AuthorizationPolicy>
{
["Weather API Policy"] = policyBuilder.Build()
});
}
public async Task <IActionResult> DoStuff()
{
//we are doing stuff
/*işlem sırısında yetki kontrolü*/
var builder = new AuthorizationPolicyBuilder("Schema");
var customPolicy = builder.RequireClaim("Hello").Build();
var authResult = await _authorizationService.AuthorizeAsync(User, "Claim.DoB", customPolicy);
if (authResult.Succeeded)
{
}
return(View("Index"));
}
public IReadOnlyDictionary <string, AuthorizationPolicy> Create()
{
var policyBuilder = new AuthorizationPolicyBuilder();
policyBuilder.RequireAuthenticatedUser();
// Check identity provider project (e.g. Config.cs) to get full list of registered scopes
policyBuilder.RequireClaim("scope", "api1");
return(new Dictionary <string, AuthorizationPolicy>
{
["Weather API Policy"] = policyBuilder.Build()
});
}
public async Task <IActionResult> DoStuff()
{
// we are doing stuff here
var builder = new AuthorizationPolicyBuilder("Schema");
var customPolicy = builder.RequireClaim("Hello").Build();
var authResult = await _authenticationService.AuthorizeAsync(User, customPolicy);
if (authResult.Succeeded)
{
return(Ok("Index"));
}
return(Ok("Error"));
}
public async Task <IActionResult> DoStuff()
{
// Check Authentication in inside the method
var builder = new AuthorizationPolicyBuilder("Schema");
var customPolicy = builder.RequireClaim("Hello").Build();
var authResult = await _authorizationService.AuthorizeAsync(User, customPolicy);
if (authResult.Succeeded)
{
return(View("Index"));
}
return(View("Index"));
}
public async Task <IActionResult> DoStuff()
{
var builder = new AuthorizationPolicyBuilder("Schema");
var customerPolicy = builder.RequireClaim("hello").Build();
// var result = await _authorizationService.AuthorizeAsync(User, "Claim.DoB");
var result = await _authorizationService.AuthorizeAsync(User, customerPolicy);
if (result.Succeeded)
{
return(View());
}
return(RedirectToAction("Index"));
}
public async Task <IActionResult> dostuff(
[FromServices] IAuthorizationService authorizationService)
{
//let you do something
var builder = new AuthorizationPolicyBuilder("Schema");
var custompolicy = builder.RequireClaim("Hello").Build();
var authresult = await authorizationService.AuthorizeAsync(HttpContext.User, "claim.dob");
if (authresult.Succeeded)
{
return(View("Index"));
}
return(View("Index"));
}
public async Task <IActionResult> DoStuff([FromServices] IAuthorizationService _authorizationService)
{
// This function is executed if the user is authorized.
var builder = new AuthorizationPolicyBuilder("Schema");
var customPolicy = builder.RequireClaim("Hello").Build();
var authResult = await _authorizationService.AuthorizeAsync(User, customPolicy);
if (authResult.Succeeded)
{
return(View("Index"));
}
return(View("index"));
}
public async Task <IActionResult> DoStuff([FromServices] IAuthorizationService authorizationService)
{
var builder = new AuthorizationPolicyBuilder("Schema");
var customPolicy = builder.RequireClaim("Hello").Build(); // Non-existing claim
var authResult = await authorizationService.AuthorizeAsync(HttpContext.User, customPolicy);
if (authResult.Succeeded)
{
// Authorization succeeded
return(View("Index"));
}
Console.WriteLine("Auth Failed");
return(View("Index"));
}
/// <summary>
/// AddIdentity之后这个也会失效
/// 因为Identity/Authenticate返回的Cookie的名字改变了,所以无法解析Cookie
/// </summary>
/// <returns></returns>
public async Task <bool> Auth()
{
var policyBuilder = new AuthorizationPolicyBuilder();
policyBuilder.RequireClaim(ClaimTypes.Name);
var policy = policyBuilder.Build();
var result = await _authorizationService.AuthorizeAsync(User, policy);
if (result.Succeeded)
{
return(true);
}
return(false);
//也可以使用重定向,直接让api暴露给外面
}
public async Task <IActionResult> SecretService2([FromServices] IAuthorizationService authorizationService)
{
var authorizationPolicyBuilder = new AuthorizationPolicyBuilder();
authorizationPolicyBuilder.RequireClaim(ClaimTypes.Name, "Peter");
var customAuthPolicy = authorizationPolicyBuilder.Build();
var result = await authorizationService.AuthorizeAsync(this.User, customAuthPolicy);
if (!result.Succeeded)
{
return(RedirectToAction(nameof(HomeController.Authenticate)));
}
return(View("Index"));
}
/// <summary>
/// 自定义Policy
/// </summary>
/// <param name="policyName"></param>
/// <returns></returns>
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
if (policyName.StartsWith(POLICY_PREFIX, StringComparison.OrdinalIgnoreCase))
{
//Create new Policy
var policy = new AuthorizationPolicyBuilder();
//基于资源授权
//policy.AddRequirements(new PermissionRequirement(policyName.Substring(POLICY_PREFIX.Length)));
//基于Claims 授权
policy.RequireClaim(POLICY_PREFIX, policyName.Substring(POLICY_PREFIX.Length));
return(Task.FromResult(policy.Build()));
}
return(FallbackPolicyProvider.GetPolicyAsync(policyName));
}
//to check authorization in custom action
public async Task <IActionResult> DoStuff()
{
//we are doning stuff here
//it will create Authorization Builder
var builder = new AuthorizationPolicyBuilder("Schema");
//it will create Authorization Policy
var customPolicy = builder.RequireClaim("Hello").Build();
var authResult = await _authorizationService.AuthorizeAsync(User, customPolicy);
if (authResult.Succeeded)
{
}
return(View("Index"));
}