public async Task Filter_SkipsAntiforgeryVerification_WhenOverridden()
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
antiforgery
.Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>()))
.Returns(Task.FromResult(0))
.Verifiable();
var filter = new ValidateAntiforgeryTokenAuthorizationFilter(antiforgery.Object, NullLoggerFactory.Instance);
var actionContext = new ActionContext(new DefaultHttpContext(), new RouteData(), new ActionDescriptor());
actionContext.HttpContext.Request.Method = "POST";
var context = new AuthorizationFilterContext(actionContext, new IFilterMetadata[]
{
filter,
new IgnoreAntiforgeryTokenAttribute(),
});
// Act
await filter.OnAuthorizationAsync(context);
// Assert
antiforgery.Verify(a => a.ValidateRequestAsync(It.IsAny<HttpContext>()), Times.Never());
}
public void OnAuthorization(AuthorizationFilterContext context)
{
if (!HasAllowAnonymous(context))
{
object value;
if (context.HttpContext.Items.TryGetValue(DefaultRouter.CurrentNodeKey, out value))
{
var accessor = context.HttpContext.RequestServices.GetService<IBricsContextAccessor>();
var currentPage = accessor.CurrentPage;
if (currentPage?.Acl == null || currentPage.Acl == AccessControl.Anonymous)
{
return;
}
if (currentPage.Acl == AccessControl.Authenticated && !context.HttpContext.User.Identity.IsAuthenticated)
{
context.Result = new NotFoundResult();
}
if (currentPage.Acl == AccessControl.Administrators && !context.HttpContext.User.IsInRole(Enum.GetName(typeof(AccessControl), currentPage.Acl)))
{
context.Result = new NotFoundResult();
}
}
}
}
private AuthorizationHandlerContext CreateAuthorizationHandlerContext(Type controllerType, string action)
{
var actionContext = new ActionContext();
var mockHttpContext = new Mock <HttpContext>();
mockHttpContext.Setup(c => c.Request)
.Returns(Mock.Of <HttpRequest>());
actionContext.HttpContext = mockHttpContext.Object;
actionContext.RouteData = new RouteData();
var actionDescriptor = new ControllerActionDescriptor
{
ControllerTypeInfo = controllerType.GetTypeInfo(),
MethodInfo = controllerType.GetMethod(action)
};
actionContext.ActionDescriptor = actionDescriptor;
var resource = new Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext(actionContext, new List <IFilterMetadata>());
var requirements = new IAuthorizationRequirement[] { new ConventionBasedRequirement() };
var claims = new[]
{
new Claim(ClaimTypes.Name, _userId),
};
var user = new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
var context = new AuthorizationHandlerContext(requirements, user, resource);
return(context);
}
public override Task OnAuthorizationAsync(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context)
{
// If there is another authorize filter, do nothing
if (context.Filters.Any(item => item is IAsyncAuthorizationFilter && item.GetType() == typeof(Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter)))
{
var timeStemp = context.HttpContext.User.Claims.FirstOrDefault(c => c.Type == "timestemp");
if (timeStemp == null)
{
context.Result = new UnauthorizedResult();
}
else
{
if (string.IsNullOrWhiteSpace(timeStemp.Value))
{
context.Result = new UnauthorizedResult();
}
else
{
var sp = services.BuildServiceProvider();
var userService = sp.GetService <IUserService>();
var checkModified = userService.CheckModified(timeStemp.Value, context.HttpContext.User.Identity.GetUserId());
if (checkModified)
{
context.Result = new UnauthorizedResult();
}
}
}
return(Task.FromResult(0));
}
//Otherwise apply this policy
return(Task.FromResult(0));
}
public void OnAuthorization(AuthorizationFilterContext context)
{
context.Result = new ContentResult()
{
Content = "You are unauthorized!!",
StatusCode = 401
};
}
public bool HasAllowAnonymous(AuthorizationFilterContext context)
{
if (context == null)
{
throw new ArgumentException(nameof(context));
}
return context.Filters.Any(item => item is IAllowAnonymousFilter);
}
public override Task OnAuthorizationAsync(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context)
{
if (context.HttpContext.User.Claims.ToList()[2].Value == context.HttpContext.Connection.RemoteIpAddress.ToString())
{
return(Task.FromResult(AuthorizationResult.Failed()));
}
// If there is another authorize filter, do nothing
return(base.OnAuthorizationAsync(context));
}
protected virtual bool ShouldValidate(AuthorizationFilterContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
return true;
}
public void OnAuthorization(AuthorizationFilterContext context)
{
//var validPrincipal = new ClaimsPrincipal(
// new ClaimsIdentity( new[] {
// new Claim(ClaimTypes.Name, "Admin"),
// new Claim(ClaimTypes.Role, "Administrator"),
//}));
//context.HttpContext.User = validPrincipal;
}
public void OnAuthorization(AuthorizationFilterContext context)
{
var controllerActionDescriptor = (ControllerActionDescriptor)context.ActionDescriptor;
if (controllerActionDescriptor.MethodInfo ==
typeof(ProductsController).GetMethod(nameof(ProductsController.GetPrice)))
{
context.HttpContext.Response.Headers.Append("filters",
"Global Authorization Filter - OnAuthorization");
}
}
public override Task OnAuthorizationAsync(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context)
{
// If there is another authorize filter, do nothing
if (context.Filters.Any(item => item is IAsyncAuthorizationFilter && item != this))
{
return(Task.FromResult(0));
}
//Otherwise apply this policy
return(base.OnAuthorizationAsync(context));
}
/// <summary>
/// Called early in the filter pipeline to confirm request is authorized. Confirms requests are received over
/// HTTPS. Takes no action for HTTPS requests. Otherwise if it was a GET request, sets
/// <see cref="AuthorizationFilterContext.Result"/> to a result which will redirect the client to the HTTPS
/// version of the request URI. Otherwise, sets <see cref="AuthorizationFilterContext.Result"/> to a result
/// which will set the status code to <c>403</c> (Forbidden).
/// </summary>
/// <inheritdoc />
public virtual void OnAuthorization(AuthorizationFilterContext filterContext)
{
if (filterContext == null)
{
throw new ArgumentNullException(nameof(filterContext));
}
if (!filterContext.HttpContext.Request.IsHttps)
{
HandleNonHttpsRequest(filterContext);
}
}
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
// Allow Anonymous skips all authorization
if (context.Filters.Any(item => item is IAllowAnonymousFilter))
{
return;
}
try
{
//TODO: Avoid using try/catch, use conditional checking
await _authorizationHelper.AuthorizeAsync(context.ActionDescriptor.GetMethodInfo());
}
catch (AbpAuthorizationException ex)
{
Logger.Warn(ex.ToString(), ex);
_eventBus.Trigger(this, new AbpHandledExceptionData(ex));
if (ActionResultHelper.IsObjectResult(context.ActionDescriptor.GetMethodInfo().ReturnType))
{
context.Result = new ObjectResult(new AjaxResponse(_errorInfoBuilder.BuildForException(ex), true))
{
StatusCode = context.HttpContext.User.Identity.IsAuthenticated
? (int) System.Net.HttpStatusCode.Forbidden
: (int) System.Net.HttpStatusCode.Unauthorized
};
}
else
{
context.Result = new ChallengeResult();
}
}
catch (Exception ex)
{
Logger.Error(ex.ToString(), ex);
_eventBus.Trigger(this, new AbpHandledExceptionData(ex));
if (ActionResultHelper.IsObjectResult(context.ActionDescriptor.GetMethodInfo().ReturnType))
{
context.Result = new ObjectResult(new AjaxResponse(_errorInfoBuilder.BuildForException(ex)))
{
StatusCode = (int) System.Net.HttpStatusCode.InternalServerError
};
}
else
{
//TODO: How to return Error page?
context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.InternalServerError);
}
}
}
/// <inheritdoc />
public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var effectivePolicy = Policy ?? await AuthorizationPolicy.CombineAsync(PolicyProvider, AuthorizeData);
if (effectivePolicy == null)
{
return;
}
// Build a ClaimsPrincipal with the Policy's required authentication types
if (effectivePolicy.AuthenticationSchemes != null && effectivePolicy.AuthenticationSchemes.Any())
{
ClaimsPrincipal newPrincipal = null;
foreach (var scheme in effectivePolicy.AuthenticationSchemes)
{
var result = await context.HttpContext.Authentication.AuthenticateAsync(scheme);
if (result != null)
{
newPrincipal = SecurityHelper.MergeUserPrincipal(newPrincipal, result);
}
}
// If all schemes failed authentication, provide a default identity anyways
if (newPrincipal == null)
{
newPrincipal = new ClaimsPrincipal(new ClaimsIdentity());
}
context.HttpContext.User = newPrincipal;
}
// Allow Anonymous skips all authorization
if (context.Filters.Any(item => item is IAllowAnonymousFilter))
{
return;
}
var httpContext = context.HttpContext;
var authService = httpContext.RequestServices.GetRequiredService<IAuthorizationService>();
// Note: Default Anonymous User is new ClaimsPrincipal(new ClaimsIdentity())
if (!await authService.AuthorizeAsync(httpContext.User, context, effectivePolicy))
{
context.Result = new ChallengeResult(effectivePolicy.AuthenticationSchemes.ToArray());
}
}
public void OnAuthorization(AuthorizationFilterContext context)
{
if (!HasAllowAnonymous(context))
{
var user = context.HttpContext.User;
var userIsAnonymous =
user == null ||
user.Identity == null ||
!user.Identity.IsAuthenticated;
if (userIsAnonymous)
{
context.Result = new UnauthorizedResult();
}
}
}
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
var authorizeAttributes =
ReflectionHelper.GetAttributesOfMemberAndDeclaringType<AbpMvcAuthorizeAttribute>(
context.ActionDescriptor.GetMethodInfo()
);
if (!authorizeAttributes.Any())
{
return;
}
using (var authorizationAttributeHelper = _iocResolver.ResolveAsDisposable<IAuthorizeAttributeHelper>())
{
await authorizationAttributeHelper.Object.AuthorizeAsync(authorizeAttributes);
}
}
public static void BeforeOnAuthorization(
this DiagnosticSource diagnosticSource,
AuthorizationFilterContext authorizationContext,
IAuthorizationFilter filter)
{
if (diagnosticSource.IsEnabled("Microsoft.AspNetCore.Mvc.BeforeOnAuthorization"))
{
diagnosticSource.Write(
"Microsoft.AspNetCore.Mvc.BeforeOnAuthorization",
new
{
actionDescriptor = authorizationContext.ActionDescriptor,
authorizationContext = authorizationContext,
filter = filter
});
}
}
public virtual void OnAuthorization(AuthorizationFilterContext context)
{
var controllerActionDescriptor = (ControllerActionDescriptor)context.ActionDescriptor;
if (controllerActionDescriptor.MethodInfo ==
typeof(ProductsController).GetMethod(nameof(ProductsController.GetPrice)))
{
context.HttpContext.Response.Headers.Append("filters",
"Authorize Filter On Action - OnAuthorization");
}
context.HttpContext.User = new ClaimsPrincipal(
new ClaimsIdentity(
new Claim[] {
new Claim("Permission", "CanViewPage"),
new Claim(ClaimTypes.Role, "Administrator"),
new Claim(ClaimTypes.NameIdentifier, "John")},
"Basic"));
}
protected override bool ShouldValidate(AuthorizationFilterContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var method = context.HttpContext.Request.Method;
if (string.Equals("GET", method, StringComparison.OrdinalIgnoreCase) ||
string.Equals("HEAD", method, StringComparison.OrdinalIgnoreCase) ||
string.Equals("TRACE", method, StringComparison.OrdinalIgnoreCase) ||
string.Equals("OPTIONS", method, StringComparison.OrdinalIgnoreCase))
{
return false;
}
// Anything else requires a token.
return true;
}
public void OnAuthorization(AuthorizationFilterContext context)
{
object value;
if (context.HttpContext.Items.TryGetValue(DefaultRouter.CurrentNodeKey, out value))
{
var accessor = context.HttpContext.RequestServices.GetService<IBricsContextAccessor>();
var currentPage = accessor.CurrentPage;
if (!currentPage.PublishedDate.HasValue)
{
context.Result = new NotFoundResult();
}
if (currentPage.PublishedDate != null && currentPage.PublishedDate.Value > DateTime.Now)
{
context.Result = new NotFoundResult();
}
}
}
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (IsClosestAntiforgeryPolicy(context.Filters) && ShouldValidate(context))
{
try
{
await _antiforgery.ValidateRequestAsync(context.HttpContext);
}
catch (AntiforgeryValidationException exception)
{
_logger.AntiforgeryTokenInvalid(exception.Message, exception);
context.Result = new BadRequestResult();
}
}
}
public async Task Filter_ValidatesAntiforgery_ForUnsafeMethod(string httpMethod)
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
antiforgery
.Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>()))
.Returns(Task.FromResult(0))
.Verifiable();
var filter = new AutoValidateAntiforgeryTokenAuthorizationFilter(antiforgery.Object, NullLoggerFactory.Instance);
var actionContext = new ActionContext(new DefaultHttpContext(), new RouteData(), new ActionDescriptor());
actionContext.HttpContext.Request.Method = httpMethod;
var context = new AuthorizationFilterContext(actionContext, new[] { filter });
// Act
await filter.OnAuthorizationAsync(context);
// Assert
antiforgery.Verify();
}
/// <summary>
/// Called from <see cref="OnAuthorization"/> if the request is not received over HTTPS. Expectation is
/// <see cref="AuthorizationFilterContext.Result"/> will not be <c>null</c> after this method returns.
/// </summary>
/// <param name="filterContext">The <see cref="AuthorizationFilterContext"/> to update.</param>
/// <remarks>
/// If it was a GET request, default implementation sets <see cref="AuthorizationFilterContext.Result"/> to a
/// result which will redirect the client to the HTTPS version of the request URI. Otherwise, default
/// implementation sets <see cref="AuthorizationFilterContext.Result"/> to a result which will set the status
/// code to <c>403</c> (Forbidden).
/// </remarks>
protected virtual void HandleNonHttpsRequest(AuthorizationFilterContext filterContext)
{
// only redirect for GET requests, otherwise the browser might not propagate the verb and request
// body correctly.
if (!string.Equals(filterContext.HttpContext.Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
{
filterContext.Result = new StatusCodeResult(StatusCodes.Status403Forbidden);
}
else
{
var optionsAccessor = filterContext.HttpContext.RequestServices.GetRequiredService<IOptions<MvcOptions>>();
var request = filterContext.HttpContext.Request;
var host = request.Host;
if (optionsAccessor.Value.SslPort.HasValue && optionsAccessor.Value.SslPort > 0)
{
// a specific SSL port is specified
host = new HostString(host.Host, optionsAccessor.Value.SslPort.Value);
}
else
{
// clear the port
host = new HostString(host.Host);
}
var newUrl = string.Concat(
"https://",
host.ToUriComponent(),
request.PathBase.ToUriComponent(),
request.Path.ToUriComponent(),
request.QueryString.ToUriComponent());
// redirect to HTTPS version of page
filterContext.Result = new RedirectResult(newUrl, Permanent);
}
}
public void OnAuthorization(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context)
{
var user = context.HttpContext.User;
if (!user.Identity.IsAuthenticated)
{
// it isn't needed to set unauthorized result
// as the base class already requires the user to be authenticated
// this also makes redirect to a login page work properly
// context.Result = new UnauthorizedResult();
return;
}
_userQueries = (IUserQueries)context.HttpContext.RequestServices.GetService(typeof(IUserQueries));
_userManager = (IUserManager)context.HttpContext.RequestServices.GetService(typeof(IUserManager));
IDictionary <string, PermissionDTO> permissions = _userQueries.GetPermissionsAsync(_userManager.GetCurrentUserId()).GetAwaiter().GetResult();
bool isAuthorized = !Permissions.Any() || (permissions != null && Permissions.All(p => permissions.ContainsKey(p)));
if (!isAuthorized)
{
context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
}
}
public void OnAuthorization(AuthorizationFilterContext context)
{
Assert.NotNull(context.ModelState.MaxAllowedErrors);
Assert.Equal(_expectedMaxAllowedErrors, context.ModelState.MaxAllowedErrors);
}
public void OnAuthorization(AuthorizationFilterContext context)
{
// getting the current module and claim
string action = context.RouteData.Values["action"].ToString().ToLower();
string controller = context.RouteData.Values["controller"].ToString().ToLower() + "controller";
var page = PageService.Pages.Where(c => string.Compare(c.Controller, controller, true) == 0 && string.Compare(c.ActionMethod, action, true) == 0).FirstOrDefault();
if (page == null)
{
context.Result = new StatusCodeResult(403);
return;
}
// setting the current DashbaordInd
if (page.DashboardInd)
{
NTContext.Context.DashboardPageId = page.PageId;
}
// checking for annonymous claim
if (page.PageClaims.Any(p => p.ClaimType == SecuritySettings.AnonymouseClaimType && p.ClaimValue == SecuritySettings.AnonymousClaim))
{
return;
}
var userClaims = context.HttpContext.User.Claims;
// checking the companyid passed in headers
string companies = userClaims.Where(c => c.Type == NTClaimTypes.Companies).Select(c => c.Value).FirstOrDefault();
string companyId = context.HttpContext.Request.Headers[SecurityConstants.HeaderCompanyId];
companyId = companyId ?? userClaims.Where(c => c.Type == NTClaimTypes.CompanyId).Select(c => c.Value).FirstOrDefault();
if (companies == null || companyId == null || !companies.Split(',').Contains(companyId))
{
context.Result = new StatusCodeResult(403);
return;
}
// checking for annonymous claim for each module
if (page.PageClaims.Any(p => p.ClaimValue == SecuritySettings.AnonymousClaim))
{
return;
}
// getting current roles and then get all the child roles
string[] roles = userClaims.Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value).ToArray();
roles = PageService.AdminRoles.Where(r => roles.Contains(r.Key)).Select(r => r.Item).ToArray();
// checking whether user is an admin
if (!roles.Any(r => page.PageClaims.Any(p => r == p.ClaimType + SecuritySettings.AdminSuffix)))
{
// checking for deny claim
if (userClaims.Any(c => page.PageClaims.Any(p => c.Type == p.ClaimType + SecuritySettings.DenySuffix && c.Value == p.ClaimValue)))
{
context.Result = new StatusCodeResult(403); // new HttpUnauthorizedResult();
}
// checking for current claim
else if (!userClaims.Any(c => page.PageClaims.Any(p => c.Type == p.ClaimType && c.Value == p.ClaimValue)))
{
context.Result = new StatusCodeResult(403);
}
}
}
public virtual void OnAuthorization(AuthorizationFilterContext context)
{
}
protected override void HandleNonHttpsRequest(AuthorizationFilterContext filterContext)
{
filterContext.Result = new StatusCodeResult(StatusCodes.Status404NotFound);
}
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
var methodInfo = context.ActionDescriptor.GetMethodInfo();
await CheckFeatures(methodInfo);
await CheckPermissions(methodInfo);
}
public void OnAuthorization(AuthorizationFilterContext context)
{
throw new InvalidProgramException("Authorization Filter Threw");
}
public void OnAuthorization(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context)
{
context.HttpContext.Response.Headers.Add("x-authorization-filter", context.HttpContext.User == null ? "Anonymous" : context.HttpContext.User.Identity.Name);
}
public Task OnAuthorizationAsync(Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext context)
{
return(Task.CompletedTask);
}
public static void BeforeOnAuthorizationAsync(
this DiagnosticSource diagnosticSource,
AuthorizationFilterContext authorizationContext,
IAsyncAuthorizationFilter filter)
{
Debug.Assert(diagnosticSource != null);
Debug.Assert(authorizationContext != null);
Debug.Assert(filter != null);
if (diagnosticSource.IsEnabled("Microsoft.AspNetCore.Mvc.BeforeOnAuthorization"))
{
diagnosticSource.Write(
"Microsoft.AspNetCore.Mvc.BeforeOnAuthorization",
new
{
actionDescriptor = authorizationContext.ActionDescriptor,
authorizationContext = authorizationContext,
filter = filter
});
}
}
public void OnAuthorization(AuthorizationFilterContext context)
{
Apply(context.HttpContext);
}
public override void OnAuthorization(AuthorizationFilterContext context)
{
context.HttpContext.Response.Headers.Append("filters", "On Controller Authorization Filter - OnAuthorization");
}
