public async Task EnsureAuthorizedUserAsync(OperationAuthorizationRequirement operation, IEntity entity)
{
if (!await IsUserAuthorizedAsync(operation, entity))
{
throw new UnauthorizedAccessException();
}
}
protected override Task HandleRequirementAsync
(AuthorizationHandlerContext context,
OperationAuthorizationRequirement requirement, IEnumerable <BaseEntity> resource)
{
bool permission = true;
if (context.User == null || resource == null)
{
return(Task.CompletedTask);
}
var userId = context.User.Claims.FirstOrDefault(c => c.Type == "UserId");
foreach (var e in resource)
{
if (e.OwnerId.ToString() != userId.Value)
{
permission = false;
}
}
if (permission)
{
context.Succeed(requirement);
}
return(Task.CompletedTask);
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
OperationAuthorizationRequirement requirement, IEnumerable <ExpenseDto> resourceDto)
{
bool permission = true;
if (context.User == null || resourceDto == null)
{
return;
}
var resource = _repository.Where(r => resourceDto.Any(dto => dto.Id == r.Id));
var userId = context.User.Claims.FirstOrDefault(c => c.Type == "UserId");
foreach (var e in resource)
{
if (e.OwnerId.ToString() != userId.Value)
{
permission = false;
}
}
if (permission)
{
context.Succeed(requirement);
}
}
public static bool IsCrudOperationRequirement(this OperationAuthorizationRequirement requirement)
{
return
(requirement is CreateOperationAuthorizationRequirement ||
requirement is ReadOperationAuthorizationRequirement ||
requirement is UpdateOperationAuthorizationRequirement ||
requirement is DeleteOperationAuthorizationRequirement);
}
protected virtual async Task SetSucceedIfUserIsManagerAsync(AuthorizationHandlerContext context,
OperationAuthorizationRequirement requirement)
{
if (await _permissionChecker.IsGrantedAsync(FileManagementPermissions.File.Manage))
{
context.Succeed(requirement);
}
}
protected async Task AuthorizeWithException <TCustom>(OperationAuthorizationRequirement requirement, TCustom finalValue) where TCustom : class
{
if (!await Authorize(requirement, finalValue))
{
string message = $"{finalValue} {requirement.Name} authorization failure";
_logger.Trace(message);
throw new AuthorizationException(message);
}
}
public async Task <IActionResult> Open()
{
var requirement = new OperationAuthorizationRequirement
{
Name = CookieJarOperations.Open
};
await _authrozationService.AuthorizeAsync(User, null, requirement);
return(View());
}
public async Task <bool> IsAuthorized(object resource, string requirementName)
{
OperationAuthorizationRequirement authorizationRequirement = new OperationAuthorizationRequirement()
{
Name = requirementName
};
var authorized = await _authorizationService.AuthorizeAsync(_httpContextAccesor.HttpContext.User, resource, authorizationRequirement);
return(authorized.Succeeded);
}
protected virtual async Task BasicCheckAsync(string permissionName, AuthorizationHandlerContext context,
OperationAuthorizationRequirement requirement, FileOperationInfoModel resource)
{
await SetFailIfUserDoesNotHavePermissionAsync(permissionName, context);
await SetSucceedIfUserIsManagerAsync(context, requirement);
var configuration = _configurationProvider.Get(resource.FileContainerName);
await SetFailIfUserIsNotPersonalContainerOwnerAsync(configuration, context, resource);
}
public async Task <IActionResult> Open()
{
var cookieJar = new CookieJar();
var requirement = new OperationAuthorizationRequirement()
{
Name = CookieJarOperations.Open
};
await _authorizationService.AuthorizeAsync(User, cookieJar, CookieJarAuthOperations.Open);
return(View());
}
public async Task <bool> IsUserAuthorizedAsync(OperationAuthorizationRequirement operation, IEntity entity)
{
var authorizationService = _serviceProvider.GetService <IAuthorizationService>();
var authorizationChallenge = await authorizationService.AuthorizeAsync(
_httpContextAccessor.HttpContext.User,
entity,
operation);
return(authorizationChallenge.Succeeded);
}
public async Task <IActionResult> Open()
{
var cookieJar = new CookieJar();//get Cookie jar from db
var requirement = new OperationAuthorizationRequirement()
{
Name = CookieJarOperations.ComeNear
};
var result = await authorization.AuthorizeAsync(User, cookieJar, requirement);
return(View("Index"));
}
protected bool CheckAuth(OperationAuthorizationRequirement req)
{
var user = _userManager.GetUserAsync(User).Result;
var checkModel = new AuthCheckModel
{
ResourceName = AuthControllerName.IsEmpty() ? GetType().Name : AuthControllerName,
Roles = _userManager.GetRolesAsync(user).Result.ToList()
};
var authorizationResult = _authorizationService.AuthorizeAsync(User, checkModel, req).Result;
return(authorizationResult.Succeeded);
}
private async Task EnsureAuthorizedUserAsync(OperationAuthorizationRequirement operation, IEntity entity)
{
var authorizationChallenge = await _authorizationService.AuthorizeAsync(
_httpContextAccessor.HttpContext.User,
entity,
operation);
if (!authorizationChallenge.Succeeded)
{
throw new UnauthorizedAccessException();
}
}
public async Task <bool> AuthorizeAsync <T>(ClaimsPrincipal claimsPrincipal, OperationAuthorizationRequirement authorizationRequirement, T finalValue, bool throwException) where T : class
{
var result = await _authorizationService.AuthorizeAsync(claimsPrincipal, finalValue, authorizationRequirement);
if (throwException && !result.Succeeded)
{
string message = $"{finalValue} {authorizationRequirement.Name} authorization failure";
_logger.Trace(message);
throw new AuthorizationException(message);
}
return(result.Succeeded);
}
public async Task <bool> IsUserAuthorizedAsync(OperationAuthorizationRequirement operation, IEntity entity)
{
var authorizationService = _serviceProvider.GetService <IAuthorizationService>();
var state = await _authenticationStateProvider.GetAuthenticationStateAsync();
var user = state.User;
var authorizationChallenge = await authorizationService.AuthorizeAsync(user, entity, operation);
return(authorizationChallenge.Succeeded);
}
private async Task <bool> CheckIfUserAuthorizedForNotification(
Comment comment,
OperationAuthorizationRequirement requirement)
{
var isAuthorized = await _authorizationService
.AuthorizeAsync(User, comment, requirement);
if (!isAuthorized.Succeeded)
{
return(false);
}
return(true);
}
public async Task <bool> IsUserAuthorizedAsync(OperationAuthorizationRequirement operation, IEntity entity)
{
var user = _userResolver.GetUser();
if (user == null)
{
return(false);
}
var authorizationChallenge = await _authorizationService.AuthorizeAsync(user, entity, operation);
return(authorizationChallenge.Succeeded);
}
public static RedisPubSubOperation ToRedisOperation(
this OperationAuthorizationRequirement redisPubSubOperationRequirement)
{
switch (redisPubSubOperationRequirement.Name)
{
case "Subscribe": return(RedisPubSubOperation.Subscribe);
case "Unsubscribe": return(RedisPubSubOperation.Unsubscribe);
case "Publish": return(RedisPubSubOperation.Publish);
}
throw new ArgumentException("Invalid redis requirement name.");
}
private async Task <bool> CheckIfUserAuthorizedForOperation(
ClaimsPrincipal principalUser,
OwnerResource resource,
OperationAuthorizationRequirement requirement)
{
var isAuthorized = await _customAuthorizationService
.AuthorizeAsync(principalUser, resource, requirement);
if (!isAuthorized.Succeeded)
{
return(false);
}
return(true);
}
//we pass the resource which like password or something else with pass the authorization operation
//with the user and we can then apply authorization operation to check if with these three params
//if he authorized or not
//three params:
//1-User
//2-Resources
//3-requirement : claims
public async Task <IActionResult> Open()
{
var cookieJar = new CookieJar(); //get cookie jar from db
//we assign requirement in this way
var requirement = new OperationAuthorizationRequirement()
{
Name = CookieJarOperations.Open
};
await _authorizationService.AuthorizeAsync(User, cookieJar, requirement);
//or with shorter way
await _authorizationService.AuthorizeAsync(User, cookieJar, CookieJarAuthOperations.Open);
return(View());
}
public async Task <IActionResult> Open()
{
var cookieJar = new CookieJar(); //may from db
var requirement = new OperationAuthorizationRequirement()
{
Name = CookieJarOperations.Open
};
var result = await _authorizationService.AuthorizeAsync(User, cookieJar, requirement);
if (result.Succeeded)
{
return(View());
}
return(RedirectToAction("Index"));
}
public async Task <IActionResult> Get(string operation)
{
var document = new Document()
{
Author = "zhang",
Secret = "secret",
};
var requirement = new OperationAuthorizationRequirement
{
Name = operation,
};
var authorizationResult = await _authorizationService
.AuthorizeAsync(User, document, requirement);
return(Ok(authorizationResult));
}
public async Task <IActionResult> getreource()
{
string filename = Path.Combine(_hostEnvironment.WebRootPath, "resource.txt");
string text = System.IO.File.ReadAllText(filename);
var opt = new OperationAuthorizationRequirement
{
Name = ResourceOpt.insert
};
var result = await _authorizationService.AuthorizeAsync(User, text, opt);
if (result.Succeeded)
{
return(Json(text));
}
return(Json("you are forbidden"));
}
private void SignUserIn(User user, string provider, HttpContext httpContext)
{
// Using Cookie Authentication without ASP.NET Core Identity
// https://docs.microsoft.com/en-us/aspnet/core/security/authorization/
// https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?tabs=aspnetcore2x
// Todo:
// * Is it okay to create an empty principal in this simple case
// * Is this simple policy okay, create as constant in class perhaps
var principal = CreatePrincipal(user, provider);
var policy = new OperationAuthorizationRequirement {
Name = "All"
};
// https://stackoverflow.com/questions/46057109/why-doesnt-my-cookie-authentication-work-in-asp-net-core
httpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);
}
protected override async Task <bool> ValidateRightsOnEntityPropertiesAsync(AuthorizationHandlerContext context,
OperationAuthorizationRequirement requirement,
T entity)
{
if (base.IsContentAdministrator(context.User))
{
return(true);
}
bool result = false;
int storeId = await GetStoreIdAsync(entity);
if (context.User.HasClaim(CustomClaimTypes.StoreAdministrator, storeId.ToString()))
{
result = true;
}
return(result);
}
protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
OperationAuthorizationRequirement requirement,
T resource)
{
if (context.User == null)
{
return;
}
// Administrators can do anything.
var userIdentity = await _userManager.GetUserAsync(context.User);
if (userIdentity != null && await _userManager.IsInRoleAsync(userIdentity, Constants.AdministratorsRole))
{
context.Succeed(requirement);
}
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
OperationAuthorizationRequirement requirement, IEnumerable <ExpenseDto> resource)
{
if (context.User == null || resource == null)
{
return(Task.CompletedTask);
}
var roles = context.User.Claims.Where(c => c.Type == "Role");
var role = roles.FirstOrDefault(r => r.Value == "admin");
if (role != null)
{
context.Succeed(requirement);
}
return(Task.CompletedTask);
}
public async Task <IActionResult> Open()
{
//create new requirement that will get handled by the handler which is injected by the middleware
var cookieJar = new CookieJar
{
Name = "SomeName"
}; //this resource could be retrieve from the DB
//what operation the user is trying to perform on the resource
var requirement = new OperationAuthorizationRequirement()
{
Name = CookieJarOperations.Open
};
var result = await _authService.AuthorizeAsync(User, cookieJar, requirement);
if (!result.Succeeded)
{
return(RedirectToAction("Index"));
}
return(View());
}
public void Handle_WhenCalledWithIllegalUser_ShouldNotSucceed()
{
var resource = new Document()
{
Name = "Homer's document", Owner = "homer.simpson"
};
var user = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim> {
new Claim(ClaimTypes.Name, "ned.flanders")
}));
var requirement = new OperationAuthorizationRequirement {
Name = "Read"
};
var authzContext = new AuthorizationContext(new List <IAuthorizationRequirement> {
requirement
}, user, resource);
var authzHandler = new CustomAuthorizationHandler();
authzHandler.Handle(authzContext);
Assert.False(authzContext.HasSucceeded);
}
internal new void Handle(AuthorizationContext context, OperationAuthorizationRequirement operation, Survey resource)
{
base.Handle(context, operation, resource);
}
