protected async Task HandleRequirementAsync(AuthorizationHandlerContext context, ResourceIdRequirement requirement)
{
var resourceClaims = context.User.FindAll($"{Constants.RESOURCE_ID_CLAIM_TYPE}:{requirement.PolicyName}");
var tenantId = await _tenantIdProvider.CurrentTenantId();
var accessibleResources = new string[0];
foreach (var resourceClaim in resourceClaims)
{
var tenantResourceMapping = string.IsNullOrEmpty(resourceClaim.Value) ? new string[0] : resourceClaim.Value.Split('_');
if (tenantResourceMapping.Length == 2 && tenantResourceMapping[1].Equals(tenantId.ToString()))
{
accessibleResources = tenantResourceMapping[0].Split(',');
break;
}
}
bool succeeded = false;
if (await _resourceIdProvider.IsSpecificResourceId())
{
succeeded = accessibleResources.Contains((await _resourceIdProvider.CurrentResourceId()).ToString()) || accessibleResources.Contains(Constants.RESOURCE_ID_WILDCARD);
}
else
{
succeeded = accessibleResources.Contains(Constants.RESOURCE_ID_WILDCARD);
}
if (succeeded)
{
context.Succeed(requirement);
}
}
public override async Task <AuthorizationPolicy> GetPolicyAsync(string policyName)
{
var policy = await base.GetPolicyAsync(policyName);
var tenant = await _tenantProvider.CurrentTenantId();
if (policy == null || await _iamProvider.NeedsUpdate(policyName, tenant, _iamProviderCache))
{
var iamRoles = await _iamProvider.GetRequiredRoles(policyName, tenant, _iamProviderCache);
var iamClaim = await _iamProvider.GetRequiredClaim(policyName, tenant, _iamProviderCache);
var isResourceIdAccessRequired = await _iamProvider.IsResourceIdAccessRequired(policyName, tenant, _iamProviderCache);
var builder = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser();
if (iamRoles != null)
{
var _iamRoles = !string.IsNullOrEmpty(iamClaim) ? new List <string>(iamRoles).Union(new List <string>()
{
iamClaim
}) : iamRoles;
if (iamRoles.Count > 0)
{
builder.RequireRole(_iamRoles.Select(x => x.ToMultiTenantRoleName(tenant)));
}
}
else if (!string.IsNullOrEmpty(iamClaim))
{
builder.RequireRole(iamClaim.ToMultiTenantRoleName(tenant));
}
if (isResourceIdAccessRequired)
{
builder.AddRequirements(new ResourceIdRequirement(policyName));
}
policy = builder
.Build();
}
return(policy);
}