/// <summary> /// Calls <see cref="AssertionRequirement.Handler"/> to see if authorization is allowed. /// </summary> /// <param name="context">The authorization information.</param> public async Task HandleAsync(AuthorizationHandlerContext context) { if (await Handler(context)) { context.Succeed(this); } }
/// <summary> /// Makes a decision if authorization is allowed. /// </summary> /// <param name="context">The authorization context.</param> public async Task HandleAsync(AuthorizationHandlerContext context) { foreach (var handler in context.Requirements.OfType<IAuthorizationHandler>()) { await handler.HandleAsync(context); } }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AccessAdminActions requirement) { if (context.User.HasClaim(claim => claim.Type == XtremeIdiotsClaimTypes.SeniorAdmin)) { context.Succeed(requirement); } if (context.User.HasClaim(claim => claim.Type == XtremeIdiotsClaimTypes.HeadAdmin)) { context.Succeed(requirement); } if (context.User.HasClaim(claim => claim.Type == XtremeIdiotsClaimTypes.GameAdmin)) { context.Succeed(requirement); } if (context.User.HasClaim(claim => claim.Type == XtremeIdiotsClaimTypes.Moderator)) { context.Succeed(requirement); } return(Task.CompletedTask); }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AccountAccessRequirement requirement) { //Get organizationn id if (context.Resource is AuthorizationFilterContext mvcContext) { if (mvcContext.HttpContext.Request.Method == HttpMethods.Get || mvcContext.HttpContext.Request.Method == HttpMethods.Delete) { var routeDate = mvcContext.RouteData; if (routeDate.Values.ContainsKey("id")) { var account = this.dbContext.Accounts.FirstOrDefault(a => a.Id.ToString() == routeDate.Values["id"].ToString()); if (account != null && !context.User.HasClaim(c => c.Type == "Organization" && c.Value == account.OrganizationId.ToString())) { context.Fail(); return(Task.CompletedTask); } } } } context.Succeed(requirement); return(Task.CompletedTask); }
protected override Task HandleRequirementAsync( AuthorizationHandlerContext context, ShouldBeAnAdminRequirement requirement) { // check if Role claim exists - Else Return // (sort of Claim-based requirement) if (!context.User.HasClaim(x => x.Type == ClaimTypes.Role)) { return(Task.CompletedTask); } // claim exists - retrieve the value var claim = context.User.Claims.FirstOrDefault(x => x.Type == ClaimTypes.Role); var role = claim.Value; // check if the claim equals to either Admin or Editor // if satisfied, set the requirement as success if (role == Roles.Admin || role == Roles.Editor) { context.Succeed(requirement); } return(Task.CompletedTask); }
protected override Task HandleRequirementAsync( AuthorizationHandlerContext context, MinimumAgeRequirement requirement) { if (context.User.HasClaim(c => c.Type == ClaimTypes.DateOfBirth)) { var dateOfBirth = Convert.ToDateTime( context.User.FindFirst(c => c.Type == ClaimTypes.DateOfBirth).Value); int calculatedAge = DateTime.Today.Year - dateOfBirth.Year; if (dateOfBirth > DateTime.Today.AddYears(-calculatedAge)) { calculatedAge--; } if (calculatedAge >= requirement._minAge) { context.Succeed(requirement); } } return(Task.CompletedTask); }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, HasScopeRequirement requirement) { // If user does not have the scope claim, get out of here var hasClaim = context.User.HasClaim(c => { return(c.Type == "scope" && c.Issuer == requirement.Issuer); }); if (!hasClaim) { return(Task.CompletedTask); } // Split the scopes string into an array var scopes = context.User.FindFirst(c => c.Type == "scope" && c.Issuer == requirement.Issuer).Value.Split(' '); // Succeed if the scope array contains the required scope if (scopes.Any(s => s == requirement.Scope)) { context.Succeed(requirement); } return(Task.CompletedTask); }
internal async Task HandlePersonRequirement(AuthorizationHandlerContext context, PersonEditRequirement requirement, Func <Guid> personId) { if (context.User.IsAdminOrHr() || context.User.IsHighLevelSupervisor() || context.User.IsInRole("registrar")) { context.Succeed(requirement); return; } var supervisorGroupId = context.User.SupervisorGroupId() ?? Guid.Empty; if (!context.User.IsSupervisor() || supervisorGroupId == Guid.Empty) { context.Fail(); return; } if (await _orgGroupService.IsPersonInGroup(personId(), supervisorGroupId)) { context.Succeed(requirement); } }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AccionRequirement requirement) { //marca como Succeed la autorizacion cuando el usuario actual contiene un Claim con el Tipo y el Valor igual a Accion if (context.User.HasClaim(c => c.Type == Accion && c.Value == Accion)) { context.Succeed(requirement); } else { //existen metodos que deben ser llamados por la aplicación mediante AJAX para realizar distintas acciones //para estos casos se pregunta si el usuario tiene un Claim de las acciones que llaman al metodo. switch (Accion) { case "ListarAcciones": if (context.User.HasClaim(c => c.Type == "AdicionarRol" && c.Value == "AdicionarRol" || c.Type == "ActualizarRol" && c.Value == "ActualizarRol")) { context.Succeed(requirement); } break; } } return(Task.FromResult(0)); }
protected async override Task HandleRequirementAsync(AuthorizationHandlerContext context, MustBeQuestionAuthorRequirement requirement) { // check that the user is authenticated if (!context.User.Identity.IsAuthenticated) { context.Fail(); return; } // get the question id from the request var questionId = _httpContextAccessor.HttpContext.Request.RouteValues["questionId"]; int questionIdAsInt = Convert.ToInt32(questionId); // get the user id from the name identifier claim var userId = context.User.FindFirst(ClaimTypes.NameIdentifier).Value; // get the question from the data repository var question = await _dataRepository.GetQuestion(questionIdAsInt); if (question == null) { // let it through so the controller can return a 404 context.Succeed(requirement); return; } // if the question can't be found go to the next piece of middleware if (question.UserId != userId) { context.Fail(); return; } context.Succeed(requirement); // return failure if the user id in the question from the data repository is different to the user id in t // return success if we manage to get here }
protected override Task HandleRequirementAsync( AuthorizationHandlerContext context, MustOwnImageRequirement requirement) { var imageId = _httpContextAccessor.HttpContext.GetRouteValue("id").ToString(); if (!Guid.TryParse(imageId, out Guid imageIdAsGuid)) { context.Fail(); return(Task.CompletedTask); } var ownerId = context.User.Claims.FirstOrDefault(c => c.Type == "sub").Value; if (!_galleryRepository.IsImageOwner(imageIdAsGuid, ownerId)) { context.Fail(); return(Task.CompletedTask); } // all checks out context.Succeed(requirement); return(Task.CompletedTask); }
public async Task ReleaseIsLiveAndOnlyVersion() { var publication = new Publication(); var release = new Release { Published = DateTime.Parse("2019-10-10T12:00:00"), Publication = publication }; publication.Releases.Add(release); var contextId = Guid.NewGuid().ToString(); await using (var contentDbContext = ContentDbUtils.InMemoryContentDbContext(contextId)) { await contentDbContext.AddAsync(publication); await contentDbContext.SaveChangesAsync(); } await using (var contentDbContext = ContentDbUtils.InMemoryContentDbContext(contextId)) { var handler = new ViewReleaseAuthorizationHandler(contentDbContext); var authContext = new AuthorizationHandlerContext( new IAuthorizationRequirement[] { Activator.CreateInstance <ViewReleaseRequirement>() }, null, release ); await handler.HandleAsync(authContext); Assert.True(authContext.HasSucceeded); } }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext authContext, PlayerCanSeePuzzleRequirement requirement) { PuzzleUser puzzleUser = await PuzzleUser.GetPuzzleUserForCurrentUser(dbContext, authContext.User, userManager); Puzzle puzzle = await AuthorizationHelper.GetPuzzleFromContext(authContext); Event thisEvent = await AuthorizationHelper.GetEventFromContext(authContext); if (thisEvent != null && puzzle != null) { Team team = await UserEventHelper.GetTeamForPlayer(dbContext, thisEvent, puzzleUser); if (team != null) { IQueryable <PuzzleStatePerTeam> statesQ = PuzzleStateHelper.GetFullReadOnlyQuery(dbContext, thisEvent, puzzle, team); if (statesQ.FirstOrDefault().UnlockedTime != null || thisEvent.AreAnswersAvailableNow) { authContext.Succeed(requirement); } } } }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ScopeRequirement requirement) { var claim = context.User.FindFirst(c => string.Equals(c.Issuer, requirement.Issuer) && string.Equals(c.Type, "scope")); if (claim is null) { return(Task.CompletedTask); } var scopes = claim.Value.Split(' '); foreach (var scope in scopes) { if (string.Equals(scope, requirement.Scope)) { context.Succeed(requirement); break; } } return(Task.CompletedTask); }
private async Task <bool> BeforeAuthorizeAsync(AuthorizationHandlerContext context, TRequirement requirement) { var curentRole = context.User.Claims.FirstOrDefault(x => x.Type == ClaimTypes.Role); var userId = context.User.Claims.FirstOrDefault(x => x.Type == ClaimTypes.NameIdentifier); if (curentRole != null && userId != null) { var _userManager = ResolverFactory.GetService <UserManager <ApplicationUser> >(); var user = await _userManager.FindByIdAsync(userId.Value); var result = await _userManager.GetRolesAsync(user); var dbRole = result.FirstOrDefault(); if (curentRole.Value != dbRole) { return(false); } } return(true); }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, OperationAuthorizationRequirement requirement, User user) { //it's a daemon application, all operations are allowed if (context.User.TryFindClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Daemon")) { context.Succeed(requirement); } //user is an admin of customer if (context.User.TryFindClaim("x-customer-admin", user.CustomerId.ToString())) { context.Succeed(requirement); } //user wants to get own claims if (context.User.TryFindClaim("x-userId", user.Id.ToString())) { context.Succeed(requirement); } return(Task.CompletedTask); }
public async Task ReleaseIsLiveAndOnlyVersion() { var release = new Release { Published = new DateTime(2021, 1, 1), }; var publication = new Publication { Releases = ListOf(release) }; var contextId = Guid.NewGuid().ToString(); await using (var contentDbContext = InMemoryContentDbContext(contextId)) { await contentDbContext.AddAsync(publication); await contentDbContext.SaveChangesAsync(); } await using (var contentDbContext = InMemoryContentDbContext(contextId)) { var handler = new ViewReleaseAuthorizationHandler(contentDbContext); var authContext = new AuthorizationHandlerContext( new IAuthorizationRequirement[] { Activator.CreateInstance <ViewReleaseRequirement>() }, null, release ); await handler.HandleAsync(authContext); Assert.True(authContext.HasSucceeded); } }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionAuthorizationRequirement requirement) { if (context.User != null) { var userIdClaim = context.User.FindFirst(_ => _.Type == JwtClaimTypes.Id); if (userIdClaim != null) { var userId = userIdClaim.Value; // 根据userId查询数据库权限 获取权限code // 对比权限code 是否包含requirement.Code if (requirement.Code == "3002") { context.Succeed(requirement); } } else { context.Fail(); } } return(Task.CompletedTask); }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, StaffEditRequirement requirement, Guid staffId) { if (context.User.IsAdminOrHr() || context.User.IsHighLevelSupervisor() || context.User.IsInRole("registrar")) { context.Succeed(requirement); return; } var supervisorGroupId = context.User.SupervisorGroupId() ?? Guid.Empty; if (!context.User.IsSupervisor() || supervisorGroupId == Guid.Empty) { context.Fail(); return; } if (await _orgGroupService.IsStaffInGroup(staffId, supervisorGroupId)) { context.Succeed(requirement); } }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AuthorOnlyRequirement requirement) { if (context.Resource is IPost post) { var user = context.User; if (IsInBypassRole(user, requirement.BypassRoles) || IsAuthor(user, post)) { context.Succeed(requirement); } else { context.Fail(); } } else if (context.Resource != null) { throw new NotSupportedException(); } return(Task.CompletedTask); }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, OperationAuthorizationRequirement requirement, MalfunctionWorkOrder resource) { if (context.User == null || resource == null) { return(Task.CompletedTask); } if (requirement.Name != Constants.CreateOperationName && requirement.Name != Constants.ReadOperationName && requirement.Name != Constants.UpdateOperationName && requirement.Name != Constants.DeleteOperationName) { return(Task.CompletedTask); } if (resource.Creator == _userManager.GetUserAsync(context.User).Result.Name) { context.Succeed(requirement); } return(Task.CompletedTask); }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, CourseRoleRequirement requirement) { /* Get MVC context. See https://docs.microsoft.com/en-US/aspnet/core/security/authorization/policies#accessing-mvc-request-context-in-handlers */ if (!(context.Resource is AuthorizationFilterContext mvcContext)) { logger.Error("Can't get MVC context in CourseRoleAuthenticationHandler"); context.Fail(); return; } var routeData = mvcContext.RouteData; if (!(routeData.Values["courseId"] is string courseId)) { logger.Error("Can't find `courseId` parameter in route data for checking course role requirement."); context.Fail(); return; } if (context.User.IsSystemAdministrator()) { context.Succeed(requirement); return; } var userId = context.User.GetUserId(); if (await userRolesRepo.HasUserAccessToCourseAsync(userId, courseId, requirement.MinCourseRole)) { context.Succeed(requirement); } else { context.Fail(); } }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RoleAuthorizeRequirement requirement) { var controllerContext = context.Resource as AuthorizationFilterContext; var redirectResult = new RedirectToRouteResult(new RouteValueDictionary(new { area = requirement.Role, controller = "Account", action = "Login" })); if (context.User?.Identity.IsAuthenticated ?? false) { if (context.User.HasClaim(c => c.Type == ClaimTypes.Role) && context.User.IsInRole(requirement.Role)) { context.Succeed(requirement); } else { if (controllerContext != null) { controllerContext.Result = redirectResult; } context.Succeed(requirement); } } else { if (controllerContext != null) { controllerContext.Result = redirectResult; } context.Succeed(requirement); } return(Task.CompletedTask); }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, OmsApiRequirement requirement) { if (!(context.User.Identity is WindowsIdentity windowsIdentity)) { return(Task.CompletedTask); } var windowsUser = new WindowsPrincipal(windowsIdentity); try { var hasRole = windowsUser?.IsInRole(requirement.GroupName) ?? false; if (hasRole) { context.Succeed(requirement); } } catch (Exception ex) { logger.LogError(ex, "Unable to check groups the user belongs too"); } return(Task.CompletedTask); }
HandleRequirementAsync(AuthorizationHandlerContext context, OperationAuthorizationRequirement requirement, Contact resource) { if (context.User == null || resource == null) { return(Task.FromResult(0)); } // If not asking for approval/reject, return. if (requirement.Name != Constants.ApproveOperationName && requirement.Name != Constants.RejectOperationName) { return(Task.FromResult(0)); } // Managers can approve or reject. if (context.User.IsInRole(Constants.ContactManagersRole)) { context.Succeed(requirement); } return(Task.FromResult(0)); }
public Task HandleAsync(AuthorizationHandlerContext context) { var pendingRequirements = context.PendingRequirements.ToList(); foreach (var requirement in pendingRequirements) { switch (requirement) { case RoleIsPresentRequirement roleIsPresentRequirement: { if (context.User.IsInRole(roleIsPresentRequirement.Role)) { context.Succeed(roleIsPresentRequirement); } break; } case GenderRequirement genderRequirement: { if (context.User.HasClaim(c => c.Type == JwtClaimTypes.Gender)) { var claim = context.User.FindFirst(c => c.Type == JwtClaimTypes.Gender); if (claim.Value == genderRequirement.Gender) { context.Succeed(requirement); } } break; } } } return(Task.CompletedTask); }
/// <summary> /// Handle requirement /// </summary> protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, EmailDomainRequirement requirement) { string validateMsgOK = $"Validate OK with {nameof(EmailDomainAuthHandler)}"; string validateMsgNG = $"Validate NG with {nameof(EmailDomainAuthHandler)}"; ClaimsPrincipal userClaim = context.User; if (context.HasFailed || userClaim.Identity == null || !userClaim.Identities.Any(i => i.IsAuthenticated)) { context.Fail(); this.logger.LogWarning($"Skip validating with {nameof(EmailDomainAuthHandler)} cus the authorization process had been failed!"); return; } var userEmailClaim = userClaim.Claims.FirstOrDefault(c => c.Type.Equals(ClaimTypes.Email)); if (userEmailClaim != null) { // Get domain name from email var address = new MailAddress(userEmailClaim.Value); string userDomain = address.Host; // e.q. google.com // Verify domain if (userDomain.Equals(requirement.Domain)) { this.logger.LogDebug(validateMsgOK); context.Succeed(requirement); return; } } this.logger.LogDebug(validateMsgNG); context.Fail(); await Task.CompletedTask; }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement) { if (context.User.Claims.Any()) { if (context.Resource is Endpoint endpoint) { var actionDescriptor = endpoint.Metadata.GetMetadata <ControllerActionDescriptor>(); var theController = actionDescriptor.RouteValues["controller"]; var theAction = actionDescriptor.RouteValues["action"]; //判断过期时间 if (DateTime.Parse(context.User.Claims.SingleOrDefault(s => s.Type == ClaimTypes.Expiration).Value) >= DateTime.Now) { context.Succeed(requirement); } else { context.Fail(); } } } ; return(Task.CompletedTask); }
async protected override Task HandleRequirementAsync( AuthorizationHandlerContext context, AccountRequirement requirement) { var httpContext = _httpContextAccessor; httpContext.HttpContext.Request.EnableBuffering(); string authHeader = httpContext.HttpContext.Request.Headers["Authorization"]; string tokenStr = authHeader.Replace("Bearer ", ""); var handler = new JwtSecurityTokenHandler(); var payload = handler.ReadJwtToken(tokenStr).Payload; var claims = payload.Claims; var roomId = claims.First(claim => claim.Type == "roomId").Value; var body = httpContext.HttpContext.Request.Body; var reader = new StreamReader(body); var bodyStr = await reader.ReadToEndAsync(); body.Position = 0; string roomIdByBody = string.Empty; if (string.IsNullOrEmpty(bodyStr) || !bodyStr.Contains("roomId")) { roomIdByBody = httpContext.HttpContext.Request.RouteValues.Values.ToList()[2].ToString(); } else { roomIdByBody = JsonConvert.DeserializeObject <CreatRoomDTO>(bodyStr).RoomId.ToString(); } if (roomId != roomIdByBody) { context.Fail(); return; } context.Succeed(requirement); return; }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, IsHostRequirement requirement) { if (context.Resource is AuthorizationFilterContext authContext) { var currentUserName = _httpContextAccessor.HttpContext.User?.Claims?.SingleOrDefault(x => x.Type == ClaimTypes.NameIdentifier)?.Value; var activityId = Guid.Parse(authContext.RouteData.Values["id"].ToString()); var activity = _context.Activities.FindAsync(activityId).Result; var host = activity.UserActivities.FirstOrDefault(x => x.IsHost); if (host?.AppUser?.UserName == currentUserName) { context.Succeed(requirement); } } else { context.Fail(); } return(Task.CompletedTask); }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ManageAdminRolesAndClaimsRequirement requirement) { var authFilterContext = httpContextAccessor.HttpContext; if (authFilterContext == null) { return(Task.CompletedTask); } string loggedInAdminId = context.User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier).Value; string adminIdBeingEdited = httpContextAccessor.HttpContext.Request.Query["userId"].ToString(); if (context.User.IsInRole("Admin") && context.User.HasClaim(claim => claim.Type == "Edit Role" && claim.Value == "true") && adminIdBeingEdited.ToLower() != loggedInAdminId.ToLower()) { context.Succeed(requirement); } return(Task.CompletedTask); }
/// <inheritdoc/> public async Task HandleAsync(AuthorizationHandlerContext context) { context = context ?? throw new ArgumentNullException(nameof(context)); string teamId = string.Empty; var oidClaimType = Constants.OidClaimType; var oidClaim = context.User.Claims.FirstOrDefault(p => oidClaimType == p.Type); foreach (var requirement in context.Requirements) { if (requirement is MustBeTeacherOrAdminUserPolicyRequirement) { if (context.Resource is AuthorizationFilterContext authorizationFilterContext) { // Wrap the request stream so that we can rewind it back to the start for regular request processing. authorizationFilterContext.HttpContext.Request.EnableBuffering(); var isUserPartOfTeachersGroup = await this.memberValidationService.ValidateMemberAsync(oidClaim.Value, this.securityGroupOptions.Value.TeacherSecurityGroupId, authorizationFilterContext.HttpContext.Request.Headers["Authorization"].ToString()); if (isUserPartOfTeachersGroup) { context.Succeed(requirement); } // Check whether user is part of Administrator group or not. Administrator has access to edit and delete other teachers content. var isUserPartOfAdminGroup = await this.memberValidationService.ValidateMemberAsync(oidClaim.Value, this.securityGroupOptions.Value.AdminGroupId, authorizationFilterContext.HttpContext.Request.Headers["Authorization"].ToString()); if (isUserPartOfAdminGroup) { context.Succeed(requirement); } } } } }