private static async Task <AuthState> AuthorizeWithPolicyAsync(
IDirectiveContext context,
AuthorizeDirective directive,
ClaimsPrincipal principal)
{
IServiceProvider services = context.Service <IServiceProvider>();
IAuthorizationService authorizeService =
services.GetService <IAuthorizationService>();
IAuthorizationPolicyProvider policyProvider =
services.GetService <IAuthorizationPolicyProvider>();
if (authorizeService == null || policyProvider == null)
{
// authorization service is not configured so the user is
// authorized with the previous checks.
return(string.IsNullOrWhiteSpace(directive.Policy)
? AuthState.Allowed
: AuthState.NotAllowed);
}
AuthorizationPolicy?policy = null;
if ((directive.Roles is null || directive.Roles.Count == 0) &&
string.IsNullOrWhiteSpace(directive.Policy))
{
policy = await policyProvider.GetDefaultPolicyAsync()
.ConfigureAwait(false);
if (policy == null)
{
return(AuthState.NoDefaultPolicy);
}
}
public DynamicAuthorizationPolicyProvider(IOptions <AuthorizationOptions> authOptions,
IOptions <DynamicAuthorizationPolicyProviderOptions> dynamicOptions)
{
_authOptions = authOptions.Value;
_dynamicOptions = dynamicOptions.Value;
_fallbackProvider = new DefaultAuthorizationPolicyProvider(authOptions);
}
public FunctionAuthorizationFilterIndex(
IAuthenticationSchemeProvider schemeProvider,
IAuthorizationPolicyProvider policyProvider)
{
_schemeProvider = schemeProvider;
_policyProvider = policyProvider;
}
public AuthorizeIndexPageHandlerFilter(
IAuthorizationPolicyProvider policyProvider,
IPolicyEvaluator policyEvaluator)
{
this.policyProvider = policyProvider;
this.policyEvaluator = policyEvaluator;
}
/// <summary>
/// Creates a new instance of <see cref="DefaultAuthorizationService"/>.
/// </summary>
/// <param name="policyProvider">The <see cref="IAuthorizationPolicyProvider"/> used to provide policies.</param>
/// <param name="handlers">The handlers used to fulfill <see cref="IAuthorizationRequirement"/>s.</param>
/// <param name="logger">The logger used to log messages, warnings and errors.</param>
/// <param name="contextFactory">The <see cref="IAuthorizationHandlerContextFactory"/> used to create the context to handle the authorization.</param>
/// <param name="evaluator">The <see cref="IAuthorizationEvaluator"/> used to determine if authorzation was successful.</param>
public DefaultAuthorizationService(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizationHandler> handlers, ILogger logger, IAuthorizationHandlerContextFactory contextFactory, IAuthorizationEvaluator evaluator)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (handlers == null)
{
throw new ArgumentNullException(nameof(handlers));
}
if (contextFactory == null)
{
throw new ArgumentNullException(nameof(contextFactory));
}
if (evaluator == null)
{
throw new ArgumentNullException(nameof(evaluator));
}
_handlers = InitializeHandlers(handlers);
_policyProvider = policyProvider;
_logger = logger ?? new DiagnosticsLoggerFactory().CreateDefaultLogger();
_contextFactory = contextFactory;
_evaluator = evaluator;
}
/// <summary>
/// Initializes new instance of middleware.
/// </summary>
/// <param name="next">The next delegate in the pipeline.</param>
/// <param name="policyProvider">The service which can provide an <see cref="AuthorizationPolicy" />.</param>
/// <param name="serverSentEventsService">The service which provides operations over Server-Sent Events protocol.</param>
/// <param name="serverSentEventsOptions"></param>
public ServerSentEventsMiddleware(RequestDelegate next, IAuthorizationPolicyProvider policyProvider, TServerSentEventsService serverSentEventsService, IOptions <ServerSentEventsOptions> serverSentEventsOptions)
{
_next = next ?? throw new ArgumentNullException(nameof(next));
_policyProvider = policyProvider ?? throw new ArgumentNullException(nameof(policyProvider));
_serverSentEventsService = serverSentEventsService ?? throw new ArgumentNullException(nameof(serverSentEventsService));
_serverSentEventsOptions = serverSentEventsOptions?.Value ?? throw new ArgumentNullException(nameof(serverSentEventsOptions));
}
/// <summary>
/// Creates a new instance of <see cref="DefaultAuthorizationService"/>.
/// </summary>
/// <param name="policyProvider">The <see cref="IAuthorizationPolicyProvider"/> used to provide policies.</param>
/// <param name="contextFactory">The <see cref="IAuthorizationContextFactory"/> used to initialize the <see cref="AuthorizationContext"/> used by <see cref="IAuthorizationHandler"/>.</param>
/// <param name="evaluator">The <see cref="IAuthorizationContextEvaluator"/> used to determine if authorzation was successful.</param>
/// <param name="handlers">The <see cref="IAuthorizationHandler"/> used to handle policies' requirements.</param>
public DefaultAuthorizationService(
IAuthorizationPolicyProvider policyProvider,
IAuthorizationContextFactory contextFactory,
IAuthorizationContextEvaluator evaluator,
IEnumerable <IAuthorizationHandler> handlers)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (contextFactory == null)
{
throw new ArgumentNullException(nameof(contextFactory));
}
if (handlers == null)
{
throw new ArgumentNullException(nameof(handlers));
}
if (evaluator == null)
{
throw new ArgumentNullException(nameof(evaluator));
}
_policyProvider = policyProvider;
_handlers = handlers;
_contextFactory = contextFactory;
_evaluator = evaluator;
}
/// <summary>
/// Creates a new instance of <see cref="DefaultAuthorizationService"/>.
/// </summary>
/// <param name="policyProvider">The <see cref="IAuthorizationPolicyProvider"/> used to provide policies.</param>
/// <param name="handlers">The handlers used to fulfill <see cref="IAuthorizationRequirement"/>s.</param>
/// <param name="logger">The logger used to log messages, warnings and errors.</param>
/// <param name="contextFactory">The <see cref="IAuthorizationHandlerContextFactory"/> used to create the context to handle the authorization.</param>
/// <param name="evaluator">The <see cref="IAuthorizationEvaluator"/> used to determine if authorzation was successful.</param>
/// <param name="options">The <see cref="AuthorizationOptions"/> used.</param>
public DefaultAuthorizationService(IAuthorizationPolicyProvider policyProvider, IAuthorizationHandlerProvider handlers, ILogger <DefaultAuthorizationService> logger, IAuthorizationHandlerContextFactory contextFactory, IAuthorizationEvaluator evaluator, IOptions <AuthorizationOptions> options)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (handlers == null)
{
throw new ArgumentNullException(nameof(handlers));
}
if (logger == null)
{
throw new ArgumentNullException(nameof(logger));
}
if (contextFactory == null)
{
throw new ArgumentNullException(nameof(contextFactory));
}
if (evaluator == null)
{
throw new ArgumentNullException(nameof(evaluator));
}
_options = options.Value;
_handlers = handlers;
_policyProvider = policyProvider;
_logger = logger;
_evaluator = evaluator;
_contextFactory = contextFactory;
}
public RouteValidator(ITransformBuilder transformBuilder, IAuthorizationPolicyProvider authorizationPolicyProvider, ICorsPolicyProvider corsPolicyProvider, ILogger <RouteValidator> logger)
{
_transformBuilder = transformBuilder ?? throw new ArgumentNullException(nameof(transformBuilder));
_authorizationPolicyProvider = authorizationPolicyProvider ?? throw new ArgumentNullException(nameof(authorizationPolicyProvider));
_corsPolicyProvider = corsPolicyProvider ?? throw new ArgumentNullException(nameof(corsPolicyProvider));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <param name="authorizationService">Service that authorizes each method for use if configured</param>
/// <param name="policyProvider">Provides authorization policies for the authroziation service</param>
/// <param name="logger">Optional logger for logging Rpc invocation</param>
/// <param name="serverConfig">Configuration data for the server</param>
public DefaultRpcInvoker(IAuthorizationService authorizationService, IAuthorizationPolicyProvider policyProvider, ILogger<DefaultRpcInvoker> logger, IOptions<RpcServerConfiguration> serverConfig)
{
this.authorizationService = authorizationService;
this.policyProvider = policyProvider;
this.logger = logger;
this.serverConfig = serverConfig;
}
public AuthorizationPageApplicationModelProvider(
IAuthorizationPolicyProvider policyProvider,
IOptions <MvcOptions> mvcOptions)
{
_policyProvider = policyProvider;
_mvcOptions = mvcOptions.Value;
}
public MethodInvocationAuthorizationService(
IAuthorizationPolicyProvider authorizationPolicyProvider,
IAuthorizationService abpAuthorizationService)
{
_authorizationPolicyProvider = authorizationPolicyProvider;
_abpAuthorizationService = abpAuthorizationService;
}
/// <param name="authorizationService">Service that authorizes each method for use if configured</param>
/// <param name="policyProvider">Provides authorization policies for the authroziation service</param>
/// <param name="logger">Optional logger for logging Rpc invocation</param>
/// <param name="serverConfig">Configuration data for the server</param>
public DefaultRpcInvoker(IAuthorizationService authorizationService, IAuthorizationPolicyProvider policyProvider, ILogger <DefaultRpcInvoker> logger, IOptions <RpcServerConfiguration> serverConfig)
{
this.authorizationService = authorizationService;
this.policyProvider = policyProvider;
this.logger = logger;
this.serverConfig = serverConfig;
}
public OscriptApplicationModelProvider(ApplicationInstance appObject,
IApplicationRuntime framework,
IFileProvider sourceProvider,
IAuthorizationPolicyProvider authPolicyProvider,
ILoggerFactory loggerFactory) : this(appObject, framework, sourceProvider, authPolicyProvider)
{
_logger = loggerFactory.CreateLogger(GetType());
}
public DefaultQxService(QxOptions options, IAuthorizationService authorizationService, IAuthorizationPolicyProvider authorizationPolicyProvider)
{
_verifier = Verification.Combine(
FeaturesVerification.Create(options.AllowedFeatures),
MembersVerification.Create(MembersVerification.CreateDeclaredMembersVerifier(options.AllowedMembers)));
_authorizationService = authorizationService;
_authorizationPolicyProvider = authorizationPolicyProvider;
}
public Authorizer(TService service, IAuthorizationPolicyProvider policyProvider, IAuthorizationService authorizationService, IUserProvider userProvider)
{
ServiceType = service.GetType();
PolicyProvider = policyProvider ?? throw new ArgumentNullException(nameof(policyProvider));
AuthorizationService = authorizationService ?? throw new ArgumentNullException(nameof(authorizationService));
_userProvider = userProvider ?? throw new ArgumentNullException(nameof(userProvider), ErrorStrings.ERR_NO_USER);
_serviceAuthorization = new Lazy <IEnumerable <IAuthorizeData> >(() => ServiceType.GetTypeAuthorization(), true);
}
public AuthorizationFilter(
IAuthorizationPolicyProvider policyProvider,
IPolicyEvaluator policyEvaluator
)
{
_policyProvider = policyProvider;
_policyEvaluator = policyEvaluator;
}
public CoreAuthorizeFilter(IAuthorizationDataProvider authorizationDataProvider, IAuthorizer authorizer,
IAuthorizationPolicyProvider policyProvider)
{
_authorizationDataProvider = authorizationDataProvider;
BaseAuthorizor = authorizer;
_authorizationPolicyProvider = policyProvider;
BaseAuthorizationPolicy = ConstructBaseAuthorizationPolicy();
}
public AuthorizationPolicyTagHelper(
IAuthorizationPolicyProvider policyProvider,
IPolicyEvaluator policyEvaluator,
IHttpContextAccessor httpContextAccessor)
{
this.policyProvider = policyProvider;
this.policyEvaluator = policyEvaluator;
this.httpContextAccessor = httpContextAccessor;
}
private static async Task <bool> AuthorizeWithPolicyAsync(
IDirectiveContext context,
AuthorizeDirective directive,
ClaimsPrincipal principal)
{
IServiceProvider services = context.Service <IServiceProvider>();
IAuthorizationService authorizeService =
services.GetService <IAuthorizationService>();
IAuthorizationPolicyProvider policyProvider =
services.GetService <IAuthorizationPolicyProvider>();
if (authorizeService == null || policyProvider == null)
{
return(string.IsNullOrWhiteSpace(directive.Policy));
}
AuthorizationPolicy policy = null;
if (directive.Roles.Count == 0 &&
string.IsNullOrWhiteSpace(directive.Policy))
{
policy = await policyProvider.GetDefaultPolicyAsync()
.ConfigureAwait(false);
if (policy == null)
{
context.Result = QueryError.CreateFieldError(
"The default authorization policy does not exist.",
context.FieldSelection);
}
}
else if (!string.IsNullOrWhiteSpace(directive.Policy))
{
policy = await policyProvider.GetPolicyAsync(directive.Policy)
.ConfigureAwait(false);
if (policy == null)
{
context.Result = QueryError.CreateFieldError(
$"The `{directive.Policy}` authorization policy " +
"does not exist.",
context.FieldSelection);
}
}
if (context.Result == null && policy != null)
{
AuthorizationResult result =
await authorizeService.AuthorizeAsync(principal, policy)
.ConfigureAwait(false);
return(result.Succeeded);
}
return(false);
}
/// <param name="authorizationService">Service that authorizes each method for use if configured</param>
/// <param name="policyProvider">Provides authorization policies for the authroziation service</param>
/// <param name="logger">Optional logger for logging Rpc invocation</param>
/// <param name="serverConfig">Configuration data for the server</param>
public DefaultRpcInvoker(IAuthorizationService authorizationService, IAuthorizationPolicyProvider policyProvider,
ILogger <DefaultRpcInvoker> logger, IOptions <RpcServerConfiguration> serverConfig)
{
this.authorizationService = authorizationService;
this.policyProvider = policyProvider;
this.logger = logger;
this.serverConfig = serverConfig;
this.convertSnakeCaseToCamelCase = this.serverConfig.Value?.ConvertSnakeCaseToCamelCaseInRequest == true;
}
public MvcAuthorizeFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData)
: this(authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException("policyProvider");
}
PolicyProvider = policyProvider;
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationFacade"/> class.
/// </summary>
/// <param name="policyProvider">Policy provider that holds all needed policies.</param>
/// <param name="authorizationService">Service that executes checks if a <see cref="ClaimsPrincipal"/> has needed permission.</param>
/// <param name="logger">Logger used in this type.</param>
public AuthorizationFacade(
IAuthorizationPolicyProvider policyProvider,
IAuthorizationService authorizationService,
ILogger <AuthorizationFacade> logger)
{
this.policyProvider = policyProvider;
this.authorizationService = authorizationService;
this.logger = logger;
}
public WebJobsAuthorizeFilter(
IAuthenticationSchemeProvider schemeProvider,
IAuthorizationPolicyProvider policyProvider,
IEnumerable <IAuthorizeData> authorizeData)
: this(authorizeData)
{
this.SchemeProvider = schemeProvider;
this.PolicyProvider = policyProvider;
}
/// <summary>
/// Invokes the authorization filters for the controller action.
/// </summary>
/// <returns>Whether the user is authenticated or not.</returns>
internal static async Task <bool> InvokeAuthorizationFiltersForRequest(this ControllerContext controllerContext, ActionContext actionContext)
{
ControllerActionDescriptor actionDescriptor = controllerContext.ActionDescriptor;
var metadataCollection =
new EndpointMetadataCollection(actionDescriptor.EndpointMetadata.Union(new[] { actionDescriptor }));
IReadOnlyList <IAuthorizeData> authorizeData = metadataCollection.GetOrderedMetadata <IAuthorizeData>();
IAuthorizationPolicyProvider policyProvider = controllerContext.HttpContext.RequestServices
.GetRequiredService <IAuthorizationPolicyProvider>();
AuthorizationPolicy?policy = await AuthorizationPolicy.CombineAsync(policyProvider, authorizeData);
if (policy is not null)
{
IPolicyEvaluator policyEvaluator =
controllerContext.HttpContext.RequestServices.GetRequiredService <IPolicyEvaluator>();
AuthenticateResult authenticateResult =
await policyEvaluator.AuthenticateAsync(policy, controllerContext.HttpContext);
if (!authenticateResult.Succeeded)
{
return(false);
}
// TODO this is super hacky, but we rely on the FeatureAuthorizeHandler can still handle endpoints
// (The way before .NET 5). The .NET 5 way would need to use han http context, for the "inner" request
// with the nested controller
var resource = new Endpoint(null, metadataCollection, null);
PolicyAuthorizationResult authorizeResult =
await policyEvaluator.AuthorizeAsync(policy, authenticateResult, controllerContext.HttpContext, resource);
if (!authorizeResult.Succeeded)
{
return(false);
}
}
IList <FilterDescriptor> filters = actionDescriptor.FilterDescriptors;
var filterGrouping = new FilterGrouping(filters, controllerContext.HttpContext.RequestServices);
// because the continuation gets built from the inside out we need to reverse the filter list
// so that least specific filters (Global) get run first and the most specific filters (Action) get run last.
var authorizationFilters = filterGrouping.AuthorizationFilters.Reverse().ToList();
var asyncAuthorizationFilters = filterGrouping.AsyncAuthorizationFilters.Reverse().ToList();
if (authorizationFilters.Count == 0 && asyncAuthorizationFilters.Count == 0)
{
return(true);
}
// if the authorization filter returns a result, it means it failed to authorize
var authorizationFilterContext =
new AuthorizationFilterContext(actionContext, filters.Select(x => x.Filter).ToArray());
return(await ExecuteAuthorizationFiltersAsync(authorizationFilterContext, authorizationFilters, asyncAuthorizationFilters));
}
/// <summary>
/// Constructs the default auth provider.
/// </summary>
/// <param name="provider">
/// The <see cref="IAuthorizationPolicyProvider"/> to check authorization to specified methods and classes.
/// </param>
public AuthProvider(IAuthorizationPolicyProvider provider)
{
if (provider == null)
{
throw new ArgumentNullException(nameof(provider));
}
_policyProvider = provider;
_cachedAuthAttributes = new ConcurrentDictionary <string, IEnumerable <object> >();
}
/// <summary>
/// Initializes a new instance of <see cref="AuthorizationMiddleware"/>.
/// </summary>
/// <param name="next">The next middleware in the application middleware pipeline.</param>
/// <param name="policyProvider">The <see cref="IAuthorizationPolicyProvider"/>.</param>
/// <param name="services">The <see cref="IServiceProvider"/>.</param>
public AuthorizationMiddleware(RequestDelegate next, IAuthorizationPolicyProvider policyProvider, IServiceProvider services) : this(next, policyProvider)
{
ArgumentNullException.ThrowIfNull(services);
if (_policyProvider.CanCachePolicy)
{
_policyCache = services.GetService <AuthorizationPolicyCache>();
_canCache = _policyCache != null;
}
}
public DefaultAuthorizationHandler(ILogger <DefaultAuthorizationHandler> logger,
IAuthorizationPolicyProvider policyProvider,
IAuthorizationService authorizationService,
IHttpContextAccessor httpContextAccessor)
{
this.logger = logger;
this.policyProvider = policyProvider;
this.authorizationService = authorizationService;
this.httpContextAccessor = httpContextAccessor;
}
/// <summary>
/// Combines the <see cref="AuthorizationPolicy"/> provided by the specified
/// <paramref name="policyProvider"/>.
/// </summary>
/// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param>
/// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param>
/// <returns>
/// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
/// authorization policies provided by the specified <paramref name="policyProvider"/>.
/// </returns>
public static async Task <AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
var policyBuilder = new AuthorizationPolicyBuilder();
var any = false;
foreach (var authorizeAttribute in authorizeData.OfType <AuthorizeAttribute>())
{
any = true;
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(authorizeAttribute.Policy))
{
var policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy);
if (policy == null)
{
throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeAttribute.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = authorizeAttribute.Roles?.Split(',');
if (rolesSplit != null && rolesSplit.Any())
{
var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireRole(trimmedRolesSplit);
useDefaultPolicy = false;
}
var authTypesSplit = authorizeAttribute.ActiveAuthenticationSchemes?.Split(',');
if (authTypesSplit != null && authTypesSplit.Any())
{
foreach (var authType in authTypesSplit)
{
if (!string.IsNullOrWhiteSpace(authType))
{
policyBuilder.AuthenticationSchemes.Add(authType.Trim());
}
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
}
}
return(any ? policyBuilder.Build() : null);
}
/// <summary>
/// handle per tenant authorization
/// </summary>
/// <param name="context"></param>
/// <param name="policyProvider"></param>
public async Task Invoke(HttpContext context, IAuthorizationPolicyProvider policyProvider)
{
Ensure.Argument.NotNull(context);
Ensure.Argument.NotNull(policyProvider);
var endpoint = context.Features.Get <IEndpointFeature>()?.Endpoint;
var policyProvider_ = policyProvider;
if (endpoint != null)
{
// EndpointRoutingMiddleware uses this flag to check if the Authorization middleware processed auth metadata on the endpoint.
// The Authorization middleware can only make this claim if it observes an actual endpoint.
context.Items[AuthorizationMiddlewareInvokedWithEndpointKey] = AuthorizationMiddlewareWithEndpointInvokedValue;
}
// IMPORTANT: Changes to authorization logic should be mirrored in MVC's AuthorizeFilter
var authorizeData = GetAuthorizeData(endpoint);
var policy = await AuthorizationPolicy.CombineAsync(policyProvider_, authorizeData);
if (policy == null)
{
await _next(context);
return;
}
// Policy evaluator has transient lifetime so it fetched from request services instead of injecting in constructor
var policyEvaluator = context.RequestServices.GetRequiredService <IPolicyEvaluator>();
var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context);
// Allow Anonymous skips all authorization
if (endpoint?.Metadata.GetMetadata <IAllowAnonymous>() != null)
{
await _next(context);
return;
}
object resource;
if (AppContext.TryGetSwitch(SuppressUseHttpContextAsAuthorizationResource, out var useEndpointAsResource) && useEndpointAsResource)
{
resource = endpoint;
}
else
{
resource = context;
}
var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, resource);
var authorizationMiddlewareResultHandler = context.RequestServices.GetRequiredService <IAuthorizationMiddlewareResultHandler>();
await authorizationMiddlewareResultHandler.HandleAsync(_next, context, policy, authorizeResult);
}
public HackSystemAuthorizationService(
IAuthorizationPolicyProvider policyProvider,
IAuthorizationHandlerProvider handlers,
ILogger <DefaultAuthorizationService> logger,
IAuthorizationHandlerContextFactory contextFactory,
IAuthorizationEvaluator evaluator,
IOptions <AuthorizationOptions> options)
: base(policyProvider, handlers, logger, contextFactory, evaluator, options)
{
this.logger = logger;
}
/// <summary>
/// Initialize a new <see cref="AuthorizeFilter"/> instance.
/// </summary>
/// <param name="policyProvider">The <see cref="IAuthorizationPolicyProvider"/> to use to resolve policy names.</param>
/// <param name="authorizeData">The <see cref="IAuthorizeData"/> to combine into an <see cref="IAuthorizeData"/>.</param>
public AuthorizeFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
PolicyProvider = policyProvider;
AuthorizeData = authorizeData;
}
public DefaultAuthorizationService(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizationHandler> handlers, ILogger<DefaultAuthorizationService> logger)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (handlers == null)
{
throw new ArgumentNullException(nameof(handlers));
}
if (logger == null)
{
throw new ArgumentNullException(nameof(logger));
}
_handlers = handlers.ToArray();
_policyProvider = policyProvider;
_logger = logger;
}
/// <summary>
/// Combines the <see cref="AuthorizationPolicy"/> provided by the specified
/// <paramref name="policyProvider"/>.
/// </summary>
/// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param>
/// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param>
/// <returns>
/// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
/// authorization policies provided by the specified <paramref name="policyProvider"/>.
/// </returns>
public static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
var policyBuilder = new AuthorizationPolicyBuilder();
var any = false;
foreach (var authorizeAttribute in authorizeData.OfType<AuthorizeAttribute>())
{
any = true;
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(authorizeAttribute.Policy))
{
var policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy);
if (policy == null)
{
throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeAttribute.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = authorizeAttribute.Roles?.Split(',');
if (rolesSplit != null && rolesSplit.Any())
{
var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireRole(trimmedRolesSplit);
useDefaultPolicy = false;
}
var authTypesSplit = authorizeAttribute.ActiveAuthenticationSchemes?.Split(',');
if (authTypesSplit != null && authTypesSplit.Any())
{
foreach (var authType in authTypesSplit)
{
if (!string.IsNullOrWhiteSpace(authType))
{
policyBuilder.AuthenticationSchemes.Add(authType.Trim());
}
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
}
}
return any ? policyBuilder.Build() : null;
}
public AuthorizationApplicationModelProvider(IAuthorizationPolicyProvider policyProvider)
{
_policyProvider = policyProvider;
}
