public void VerifyAuthorization(ClaimsPrincipal user, IAuthorizationRequirement requirement, object resource = null) { if (!IsAuthorized(user, requirement, resource)) { throw new SecurityException(); } }
public void OnProvidersExecuting_DefaultPolicyProvider_NoAuthorizationData_NoFilterCreated() { // Arrange var requirements = new IAuthorizationRequirement[] { new AssertionRequirement((con) => { return(true); }) }; var authorizationPolicy = new AuthorizationPolicy(requirements, new string[] { "dingos" }); var authOptions = Options.Create(new AuthorizationOptions()); authOptions.Value.AddPolicy("Base", authorizationPolicy); var policyProvider = new DefaultAuthorizationPolicyProvider(authOptions); var provider = new AuthorizationApplicationModelProvider(policyProvider); var defaultProvider = new DefaultApplicationModelProvider(Options.Create(new MvcOptions())); // Act var action = GetBaseControllerActionModel(provider, defaultProvider); // Assert var authorizationFilter = Assert.IsType <AuthorizeFilter>(Assert.Single(action.Filters)); Assert.NotNull(authorizationFilter.Policy); Assert.Null(authorizationFilter.AuthorizeData); Assert.Null(authorizationFilter.PolicyProvider); }
public bool IsAuthorized(ClaimsPrincipal user, IAuthorizationRequirement requirement, object resource = null) { Contract.Requires <ArgumentNullException>(user != null, nameof(user)); Contract.Requires <ArgumentNullException>(requirement != null, nameof(requirement)); return(authorizationService.AuthorizeAsync(user, resource, requirement).GetAwaiter().GetResult().Succeeded); }
private AuthorizationHandlerContext CreateAuthorizationHandlerContext(Type controllerType, string action) { var actionContext = new ActionContext(); var mockHttpContext = new Mock <HttpContext>(); mockHttpContext.Setup(c => c.Request) .Returns(Mock.Of <HttpRequest>()); actionContext.HttpContext = mockHttpContext.Object; actionContext.RouteData = new RouteData(); var actionDescriptor = new ControllerActionDescriptor { ControllerTypeInfo = controllerType.GetTypeInfo(), MethodInfo = controllerType.GetMethod(action) }; actionContext.ActionDescriptor = actionDescriptor; var resource = new Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext(actionContext, new List <IFilterMetadata>()); var requirements = new IAuthorizationRequirement[] { new ConventionBasedRequirement() }; var claims = new[] { new Claim(ClaimTypes.Name, _userId), }; var user = new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer")); var context = new AuthorizationHandlerContext(requirements, user, resource); return(context); }
public async Task <IActionResult> OnPostAsync(int?id, ContactStatus status) { if (id == null) { return(NotFound()); } Contact = await Context.Contact.FindAsync(id); if (Contact == null) { return(NotFound()); } IAuthorizationRequirement operation = status == ContactStatus.Approved ? ContactOperations.Approve : ContactOperations.Reject; var isAuthorized = await AuthorizationService.AuthorizeAsync(User, Contact, operation); if (!isAuthorized.Succeeded) { return(new ChallengeResult()); } Contact.status = status; Context.Update(Contact); await Context.SaveChangesAsync(); return(Page()); //return RedirectToPage("./Index"); }
public static AuthorizationPolicyBuilder RequireCustomClaim( this AuthorizationPolicyBuilder builder, IAuthorizationRequirement customRequirement) { builder.AddRequirements(customRequirement); return(builder); }
private Task <AuthorizationResult> ExecuteAuthorizationHandler(IAuthorizationRequirement requirement, CancellationToken cancellationToken) { var requirementType = requirement.GetType(); var handlerType = FindHandlerType(requirement); if (handlerType == null) { throw new InvalidOperationException($"Could not find an authorization handler type for requirement type \"{requirementType.Name}\""); } var handlers = _serviceProvider.GetService(typeof(IEnumerable <>).MakeGenericType(handlerType)) as IEnumerable <object>; if (handlers == null || handlers.Count() == 0) { throw new InvalidOperationException($"Could not find an authorization handler implementation for requirement type \"{requirementType.Name}\""); } if (handlers.Count() > 1) { throw new InvalidOperationException($"Multiple authorization handler implementations were found for requirement type \"{requirementType.Name}\""); } var serviceHandler = handlers.First(); var serviceHandlerType = serviceHandler.GetType(); var methodInfo = _handlerMethodInfo.GetOrAdd(serviceHandlerType, handlerMethodKey => { return(serviceHandlerType.GetMethods() .Where(x => x.Name == nameof(IAuthorizationHandler <IAuthorizationRequirement> .Handle)) .FirstOrDefault()); }); return((Task <AuthorizationResult>)methodInfo.Invoke(serviceHandler, new object[] { requirement, cancellationToken })); }
// And this is where the magic happens. public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { // Check to see if there's a configured policy with the name. var _policy = _options.GetPolicy(policyName); if (_policy == null) { // There's no matching policy name in the policies configured in start // So let's do our thing. // For our sample we have the following policy name format, // ClaimName|ExpectedValue and we assume that neither the claim name nor the // value have a | character in them, because it's only a sample var policyDetails = policyName.Split('|'); if (policyDetails.Length != 2) { return(Task.FromResult((AuthorizationPolicy)null)); } // Now we can create our custom requirements with the right parameters // then build a policy around them, and finally return that policy for evaluation. var requirements = new IAuthorizationRequirement[1]; requirements[0] = new CustomAuthorizationRequirement { ClaimType = policyDetails[0], ClaimValue = policyDetails[1] }; return(Task.FromResult(new AuthorizationPolicyBuilder().AddRequirements(requirements).Build())); } return(Task.FromResult(_policy)); }
public async Task should_fail_for_role_without_policy_in_it() { // given string authorizedRoleName = "basic.user"; string policyInRole = "AddPage"; IAuthorizationRequirement basicUserRequirement = AddMockRoleAndCreateRequirement(authorizedRoleName, policyInRole); string adminRoleName = "admin.rooty"; string policyInAdminRole = "DeletePage"; IAuthorizationRequirement adminUserRequirement = AddMockRoleAndCreateRequirement(adminRoleName, policyInAdminRole); var requirements = new List <IAuthorizationRequirement>(); requirements.Add(basicUserRequirement); requirements.Add(adminUserRequirement); ClaimsPrincipal user = CreateClaimsPrincipal(authorizedRoleName); var context = new AuthorizationHandlerContext(requirements, user, null); // when await _rolesAuthorizationHandler.HandleAsync(context); // then context.HasSucceeded.ShouldBeFalse(); }
public PermissionCheckContext(ActionDescriptor actionDescriptor, HttpContext httpContext, ICurrentUserContext currentUserContext, IAuthorizationRequirement requirement) { ActionDescriptor = actionDescriptor; HttpContext = httpContext; CurrentUserContext = currentUserContext; Requirement = requirement; }
public void OnProvidersExecuting_NonDefaultPolicyProvider_HasNoPolicy_HasPolicyProviderAndAuthorizeData() { // Arrange var requirements = new IAuthorizationRequirement[] { new AssertionRequirement((con) => { return(true); }) }; var authorizationPolicy = new AuthorizationPolicy(requirements, new string[] { "dingos" }); var authorizationPolicyProviderMock = new Mock <IAuthorizationPolicyProvider>(); authorizationPolicyProviderMock .Setup(s => s.GetPolicyAsync(It.IsAny <string>())) .Returns(Task.FromResult(authorizationPolicy)) .Verifiable(); var provider = new AuthorizationApplicationModelProvider(authorizationPolicyProviderMock.Object); var defaultProvider = new DefaultApplicationModelProvider(Options.Create(new MvcOptions())); // Act var action = GetBaseControllerActionModel(provider, defaultProvider); // Assert var actionFilter = Assert.IsType <AuthorizeFilter>(Assert.Single(action.Filters)); Assert.Null(actionFilter.Policy); Assert.NotNull(actionFilter.AuthorizeData); Assert.NotNull(actionFilter.PolicyProvider); }
public void CuandoUserTieneClaimsPeroConClaimResourceAccessVacioResultadoEsSuccess() { // var role = "admin"; var audience = "TestBackend"; var hasRole = new HasRoleHandler(audience); var resourceAccess = new { TestBackend = new { roles = new string[] { role } } }; var identity = new ClaimsIdentity(); identity.AddClaim(new Claim(ClaimTypes.Name, "Michael Emir")); identity.AddClaim(new Claim(ClaimTypes.Country, "El Salvador")); identity.AddClaim(new Claim("resource_access", JsonConvert.SerializeObject(resourceAccess))); var userClaims = new ClaimsPrincipal(identity); //Usuario var roleRequirement = new HasRoleRequirement(role); var requirements = new IAuthorizationRequirement[] { roleRequirement }; var context = new AuthorizationHandlerContext(requirements, userClaims, null); //Act hasRole.ValidateRoleRequirement(context, roleRequirement); //Assert Assert.IsTrue(context.HasSucceeded); Assert.IsFalse(context.HasFailed); }
public AuthorizationPolicy(string name, IAuthorizationRequirement requirement) { Requirements = new List <IAuthorizationRequirement>(); AuthenticationSchemes = new List <string>(); this.Name = name; this.Requirements.Add(requirement); }
protected void UseRequirement(IAuthorizationRequirement requirement) { if (requirement == null) { return; } _requirements.Add(requirement); }
/// <summary> /// Creates a new <see cref="AuthorizationPipeline{TRequest, TResponse}"/> /// which uses a <paramref name="requirement"/> to determine whether or /// not the current user can access the <typeparamref name="TResponse"/>. /// </summary> /// <param name="authorizationService">The service used check the current user's permissions.</param> /// <param name="httpContextAccessor">The http context used to get the current user.</param> /// <param name="requirement">The requirement to authorize against.</param> public AuthorizationPipeline( IAuthorizationService authorizationService, IHttpContextAccessor httpContextAccessor, IAuthorizationRequirement requirement) : this(authorizationService, httpContextAccessor) { this.requirements = new IAuthorizationRequirement[] { requirement }; }
private static void AppendFailureLine( StringBuilder stringBuilder, IAuthorizationRequirement authorizationRequirement) { switch (authorizationRequirement) { case ClaimsAuthorizationRequirement claimsAuthorizationRequirement: stringBuilder.Append("Required claim '"); stringBuilder.Append(claimsAuthorizationRequirement.ClaimType); if (claimsAuthorizationRequirement.AllowedValues == null || !claimsAuthorizationRequirement.AllowedValues.Any()) { stringBuilder.AppendLine("' is not present."); } else { stringBuilder.Append("' with any value of '"); stringBuilder.Append(string.Join(", ", claimsAuthorizationRequirement.AllowedValues)); stringBuilder.AppendLine("' is not present."); } break; case DenyAnonymousAuthorizationRequirement denyAnonymousAuthorizationRequirement: stringBuilder.AppendLine("The current user must be authenticated."); break; case NameAuthorizationRequirement nameAuthorizationRequirement: stringBuilder.Append("The current user name must match the name '"); stringBuilder.Append(nameAuthorizationRequirement.RequiredName); stringBuilder.AppendLine("'."); break; case OperationAuthorizationRequirement operationAuthorizationRequirement: stringBuilder.Append("Required operation '"); stringBuilder.Append(operationAuthorizationRequirement.Name); stringBuilder.AppendLine("' was not present."); break; case RolesAuthorizationRequirement rolesAuthorizationRequirement: if (rolesAuthorizationRequirement.AllowedRoles == null || !rolesAuthorizationRequirement.AllowedRoles.Any()) { // This should never happen. stringBuilder.AppendLine("Required roles are not present."); } else { stringBuilder.Append("Required roles '"); stringBuilder.Append(string.Join(", ", rolesAuthorizationRequirement.AllowedRoles)); stringBuilder.AppendLine("' are not present."); } break; default: stringBuilder.Append("Requirement '"); stringBuilder.Append(authorizationRequirement.GetType().Name); stringBuilder.AppendLine("' was not satisfied."); break; } }
private async Task <bool> IsUserAuthorizedAsync(Product product, IAuthorizationRequirement operation) { AuthorizationResult isAuthorized = await _authorizationService.AuthorizeAsync( User, product, operation ); return(isAuthorized.Succeeded); }
private AuthorizationHandlerContext CreateAuthorizationHandlerContext(List <Claim> claims) { var requirements = new IAuthorizationRequirement[] { new CustomBasedRequirement() }; claims.Add(new Claim(ClaimTypes.Name, _userId)); var user = new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer")); var context = new AuthorizationHandlerContext(requirements, user, null); return(context); }
private void AccessDenied(AuthorizationHandlerContext context, IAuthorizationRequirement requirement) { var httpContext = _accessor.HttpContext; httpContext.Items.TryAdd( AuthLockedResponse.AuthLockedKey, new AuthLockedResponse(httpContext.Request.Path) ); context.Succeed(requirement); }
/// <summary> /// Called to mark the specified <paramref name="requirement"/> as being /// successfully evaluated. /// </summary> /// <param name="requirement">The requirement whose evaluation has succeeded.</param> /// <param name="message">Optional: message we want to pass.</param> public virtual void Succeed(IAuthorizationRequirement requirement, string message = null) { if (!string.IsNullOrWhiteSpace(message)) { Messages.Add(requirement, message); } _pendingRequirements.Remove(requirement); _succeededRequirements.Add(requirement); }
private FilterDescriptor GetFilterDescriptor(IAuthorizationRequirement requirement, int filterScope) { var requirements = new List <IAuthorizationRequirement>() { requirement }; var policy = new AuthorizationPolicy(requirements, new List <string>()); return(new FilterDescriptor(new AuthorizeFilter(policy), 30)); }
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { GetPolicyCount++; var requirements = new IAuthorizationRequirement[] { new AssertionRequirement((con) => { return(true); }) }; return(Task.FromResult(new AuthorizationPolicy(requirements, new string[] { }))); }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement, TEntity resource) { IAuthorizationRequirement delegateRequirement = CreateInstance <TDelegateRequirement>(); var delegateContext = new AuthorizationHandlerContext(new[] { delegateRequirement }, context.User, _delegateResourceFn.Invoke(resource)); await _delegateHandler.HandleAsync(delegateContext); if (delegateContext.HasSucceeded) { context.Succeed(requirement); } }
public void PropertiesShouldBeSet() { var requirements = new IAuthorizationRequirement[0]; var user = new ClaimsPrincipal(); var context = new AuthorizationContext(requirements, user, requirements); Assert.AreSame(requirements, context.Requirements); Assert.AreSame(user, context.User); Assert.AreSame(requirements, context.Resource); }
public static async Task AssertAuthorizedAsync( this IUserAuthorizationService userAuthorizationService, object resource, IAuthorizationRequirement requirement) { var result = await userAuthorizationService.AuthorizeAsync(resource, requirement); if (!result.Succeeded) { throw new UserUnauthorizedException(); } }
protected async Task <bool> IsAuthorizedAsync(RegionEntity region, IAuthorizationRequirement requirement) { var identity = new ClaimsIdentity(); identity.AddClaim(new Claim("sub", Guid.NewGuid().ToString())); identity.AddClaim(new Claim("email", Email)); _regionMembershipRoleClaimValues.ForEach(rm => identity.AddRegionMembershipRole(rm)); var principal = new ClaimsPrincipal(identity); return((await _authorizationService.AuthorizeAsync(principal, region, requirement)).Succeeded); }
public void SucceedShouldUpdatePendingRequirements() { var requirements = new IAuthorizationRequirement[] { new DenyAnonymousAuthorizationRequirement() }; var context = new AuthorizationContext(requirements, null, null); Assert.AreEqual(requirements.Length, context.PendingRequirements.Count()); context.Succeed(requirements[0]); Assert.IsFalse(context.PendingRequirements.Any(), "context.PendingRequirements.Any()"); }
public static void Add(string key, IAuthorizationRequirement requirement) { if (Requirments.ContainsKey(key)) { Requirments[key].Add(requirement); } else { Requirments.Add(key, new List <IAuthorizationRequirement> { requirement }); } }
/// <summary> /// Checks if a user meets a specific requirement for the specified resource /// </summary> /// <param name="service">The <see cref="IAuthorizationService"/>.</param> /// <param name="user"></param> /// <param name="resource"></param> /// <param name="requirement"></param> /// <returns></returns> public static Task<bool> AuthorizeAsync(this IAuthorizationService service, ClaimsPrincipal user, object resource, IAuthorizationRequirement requirement) { if (service == null) { throw new ArgumentNullException(nameof(service)); } if (requirement == null) { throw new ArgumentNullException(nameof(requirement)); } return service.AuthorizeAsync(user, resource, new IAuthorizationRequirement[] { requirement }); }
private static PolicyDefinition CreatePolicyDefinition(string policyName, IAuthorizationRequirement authorizationRequirement = null) { return(new PolicyDefinition { PolicyName = policyName, ConfigurationAction = policyBuilder => { policyBuilder.RequireDefaultPolicy(); if (authorizationRequirement != null) { policyBuilder.Requirements.Add(authorizationRequirement); } }, }); }
public async Task CheckAsync(object resource, IAuthorizationRequirement requirement) { var claimIdentity = new ClaimsIdentity(new List <Claim> { new Claim(ClaimTypes.NameIdentifier, _currentUser.Id.ToString()) }); var result = await _authorizationService .AuthorizeAsync(new ClaimsPrincipal(claimIdentity), resource, requirement); if (!result.Succeeded) { throw new ResourceAuthorizationException(resource.GetType().Name); } }
public static void AddTeamOwnerPolicy(this AuthorizationOptions options, IServiceProvider provider) { if (options == null) { throw new ArgumentNullException(nameof(options)); } // build team ownership policy var ownershipRequirements = new IAuthorizationRequirement[] { new DenyAnonymousAuthorizationRequirement(), (TeamOwnerRequirement)provider.GetService(typeof(TeamOwnerRequirement)) }; var ownershipPolicy = new AuthorizationPolicy(ownershipRequirements, new string[0]); options.AddPolicy(AuthorizationDefaults.PolicyTeamOwner, ownershipPolicy); }
public void Succeed(IAuthorizationRequirement requirement) { _succeedCalled = true; _pendingRequirements.Remove(requirement); }