/// <summary> /// Override method to handle custom role based authorization. /// </summary> /// <param name="policyName"></param> /// <returns></returns> public async override Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { AuthorizationPolicyBuilder builder = new AuthorizationPolicyBuilder(); builder.RequireAuthenticatedUser(); switch (policyName) { case Constants.AdminAccess: builder.RequireRole(Role.Admin.ToString()); break; case Constants.AddEditDeleteAccess: builder.RequireRole(Role.AddEditDelete.ToString(), Role.Admin.ToString()); break; case Constants.AddEditAccess: builder.RequireRole(Role.AddEdit.ToString(), Role.AddEditDelete.ToString(), Role.Admin.ToString()); break; default: builder.RequireRole(Domain.Global.RoleList); break; } return(await Task.FromResult(builder.Build())); }
private void BuildAuthorizationPolicy(AuthorizationPolicyBuilder builder, AuthorizationPolicy policy) { if (policy.Roles?.Length > 0) { builder.RequireRole(policy.Roles); } }
/// <summary> /// Meant to be used during the Authentication configuration to assign proper policies to the proper constants /// </summary> /// <param name="policyName">here the constant of this class is meant to be passed as a parameter</param> /// <returns>The <see cref="AuthorizationPolicy"/> meant for the provided constant.</returns> /// When adding a new policy, it should be defined here, and then referenced in the services.AddAuthorization is startup like so: /// "options.AddPolicy(Policies.NEWPOLICY, Policies.GetAuthorizationPolicy(Policies.NEWPOLICY));" public static AuthorizationPolicy GetAuthorizationPolicy(string policyName) { AuthorizationPolicyBuilder builder = new AuthorizationPolicyBuilder(); switch (policyName) { case MEMBERS: return(builder.RequireRole(RoleEnum.Member.GetName()).Build()); case ADMINS: return(builder.RequireRole(RoleEnum.Admin.GetName()).Build()); case RESTRICTED: return(builder.RequireRole(RoleEnum.SuperAdmin.GetName()).Build()); } throw new ArgumentException("Must recive one of the constants of this class as a policyName"); }
public static void RequireUserRole( this AuthorizationPolicyBuilder policyBuilder, params UserRole[] userRoles) { var roles = userRoles.Select(role => role.ToString()); policyBuilder.RequireRole(roles); }
public override async Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { var policy = await base.GetPolicyAsync(policyName); var tenant = await _tenantProvider.CurrentTenantId(); if (policy == null || await _iamProvider.NeedsUpdate(policyName, tenant, _iamProviderCache)) { var iamRoles = await _iamProvider.GetRequiredRoles(policyName, tenant, _iamProviderCache); var iamClaim = await _iamProvider.GetRequiredClaim(policyName, tenant, _iamProviderCache); var isResourceIdAccessRequired = await _iamProvider.IsResourceIdAccessRequired(policyName, tenant, _iamProviderCache); var builder = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser(); if (iamRoles != null) { var _iamRoles = !string.IsNullOrEmpty(iamClaim) ? new List <string>(iamRoles).Union(new List <string>() { iamClaim }) : iamRoles; if (iamRoles.Count > 0) { builder.RequireRole(_iamRoles.Select(x => x.ToMultiTenantRoleName(tenant))); } } else if (!string.IsNullOrEmpty(iamClaim)) { builder.RequireRole(iamClaim.ToMultiTenantRoleName(tenant)); } if (isResourceIdAccessRequired) { builder.AddRequirements(new ResourceIdRequirement(policyName)); } policy = builder .Build(); } return(policy); }
private static void BuildPolicy(AuthorizationPolicyInfo policy, AuthorizationOptions config) { var builder = new AuthorizationPolicyBuilder(); policy.AuthenticationSchemes?.ForEach(builder.AuthenticationSchemes.Add); if (policy.Requirements != null && policy.Requirements.Any()) { foreach (var policyRequirement in policy.Requirements) { switch (policyRequirement.RequirementType) { case AuthorizationRequirementType.ClaimsAuthorizationRequirement: var claimsInfo = JObject.Parse(policyRequirement.Requirement) .ToObject <ClaimsInfo>(); builder.RequireClaim(claimsInfo.ClaimType, claimsInfo.RequiredValues); break; case AuthorizationRequirementType.RolesAuthorizationRequirement: builder.RequireRole(JObject.Parse(policyRequirement.Requirement) .ToObject <string[]>()); break; case AuthorizationRequirementType.NameAuthorizationRequirement: builder.RequireUserName(policyRequirement.Requirement); break; case AuthorizationRequirementType.OperationAuthorizationRequirement: builder.AddRequirements( new OperationAuthorizationRequirement() { Name = policyRequirement.Requirement }); break; case AuthorizationRequirementType.DenyAnonymousAuthorizationRequirement: builder.RequireAuthenticatedUser(); break; case AuthorizationRequirementType.DenyAuthorizationRequirement: builder.AddRequirements(new DenyAuthorizationRequirement()); break; case AuthorizationRequirementType.CustomAuthorizationRequirement: builder.AddRequirements(Activator.CreateInstance(Type.GetType(policyRequirement.Type), JObject.Parse(policyRequirement.Requirement).ToObject <object[]>()) as IAuthorizationRequirement); break; // TODO implement the assertion requirement. //case AuthorizationRequirementType.ClaimsAuthorizationRequirement: // builder.RequireAssertion(handler => {handler.}) // break; } } } config.AddPolicy(policy.Name, builder.Build()); }
public static IServiceCollection AddAuthorization(this IServiceCollection services, AuthorizationExtensionConfig config) { return(services .AddSingleton <IAuthorizationHandler, UserSystemAuthorizationHandler>() .AddSingleton <IAuthorizationHandler, AdministratorSystemAuthorizationHandler>() .AddSingleton <IAuthorizationHandler, SystemAuthorizationHandler>() .AddAuthorization(options => { var policyBuilder = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser() .RequireClaim(JwtClaimTypes.Scope, config.ApiResourceName) .AddAuthenticationSchemes(AuthenticationExtension.JwtBearerAuthenticationScheme); var userPolicy = policyBuilder .RequireRole(DefaultRoleEnumeration.User.DisplayName) .Build(); var userSystemPolicy = policyBuilder .AddRequirements(new UserSystemRequirement()) .Build(); var administratorPolicy = policyBuilder .RequireRole(DefaultRoleEnumeration.Administrator.DisplayName) .Build(); var administratorSystemPolicy = policyBuilder .AddRequirements(new AdministratorSystemRequirement()) .Build(); var systemPolicy = policyBuilder .AddRequirements(new SystemRequirement()) .Build(); options.DefaultPolicy = userPolicy; options.AddPolicy(JwtBearerUserPolicyName, userPolicy); options.AddPolicy(JwtBearerUserSystemPolicyName, userSystemPolicy); options.AddPolicy(JwtBearerAdministratorPolicyName, administratorPolicy); options.AddPolicy(JwtBearerAdministratorSystemPolicyName, administratorSystemPolicy); options.AddPolicy(JwtBearerSystemPolicyName, systemPolicy); foreach (var policy in config.Policies) { options.AddPolicy(policy.Name, policy.Policy); } })); }
public static void AddPolicies(this IServiceCollection service, PolicyContext policies) { foreach (var namedPolicy in policies.GetPolicySets()) { var policySet = namedPolicy.Value; var policyBuilder = new AuthorizationPolicyBuilder(); policyBuilder.RequireAuthenticatedUser(); var noOneHasAccessToPolicy = policySet == null; if (noOneHasAccessToPolicy) { policyBuilder.RequireAssertion((context) => false); //If no one has access to the policy then always make a false assertion; } else { var allowableRulesAndUsers = policySet.GetAllowableRolesAndUsersCombined(); if (allowableRulesAndUsers.Any()) { policyBuilder.RequireRole(policySet.GetAllowableRolesAndUsersCombined()); } if (policySet.DenyRoles != null) { policyBuilder.RequireAssertion(context => policySet.GetAllowableRolesAndUsersCombined().Any(allowedRole => context.User.IsInRole(allowedRole)) || !policySet.DenyRoles.Any(deniedRole => context.User.IsInRole(deniedRole))); } if (policySet.DenyUsers != null) { policyBuilder.RequireAssertion(context => policySet.GetAllowableRolesAndUsersCombined().Any(allowedRole => context.User.IsInRole(allowedRole)) || !policySet.DenyUsers.Any(deniedUser => context.User.IsInRole(deniedUser))); } if (policySet.AllowClaim != null) { policyBuilder.RequireClaim(policySet.AllowClaim.Type, policySet.AllowClaim.Values); } if (policySet.AllowClaims != null) { policySet.AllowClaims.ForEach(claim => policyBuilder.RequireClaim(claim.Type, claim.Values)); } } var policy = policyBuilder.Build(); service.AddAuthorization(options => options.AddPolicy(namedPolicy.Key, policy)); } }
public static AuthorizationPolicy ToAuthPolicy(this AuthorizationPolicyInfo info) { var policy = new AuthorizationPolicyBuilder(); var hasAnyRequirements = false; if (info.AllowedRoles.Count > 0) { policy.RequireRole(info.AllowedRoles); hasAnyRequirements = true; } if (info.AuthenticationSchemes.Count > 0) { policy.AuthenticationSchemes = info.AuthenticationSchemes; } if (info.RequireAuthenticatedUser) { policy.RequireAuthenticatedUser(); hasAnyRequirements = true; } if (info.RequiredClaims.Count > 0) { foreach (var c in info.RequiredClaims) { if (c.AllowedValues.Count > 0) { policy.RequireClaim(c.ClaimName, c.AllowedValues); } else { policy.RequireClaim(c.ClaimName); } hasAnyRequirements = true; } } if (!string.IsNullOrWhiteSpace(info.RequiredUserName)) { policy.RequireUserName(info.RequiredUserName); hasAnyRequirements = true; } if (!hasAnyRequirements) { // allow anonymous Func <AuthorizationHandlerContext, bool> allowAny = (AuthorizationHandlerContext authContext) => true; policy.RequireAssertion(allowAny); } return(policy.Build()); }
public async Task <AuthorizationContext> GetAuthorizationContextAsync(object implementation, MethodInfo methodInfo) { Type[] parameterTypes = methodInfo.GetParameters().Select(x => x.ParameterType).ToArray(); if (parameterTypes.Length == 0) { parameterTypes = Type.EmptyTypes; } MethodInfo concreteMethod = implementation.GetType().GetMethod(methodInfo.Name, parameterTypes); AuthorizeAttribute authorizeAttribute = concreteMethod.DeclaringType.GetCustomAttribute <AuthorizeAttribute>(); // overwrite by action attribute authorizeAttribute = concreteMethod.GetCustomAttribute <AuthorizeAttribute>() ?? authorizeAttribute; if (authorizeAttribute == null) { return(null); } if (authorizeAttribute.Roles != null && authorizeAttribute.Policy != null) { throw new NotSupportedException("You must specify either Roles or Policy"); } AuthorizationPolicy policy; if (authorizeAttribute.Roles != null) { var builder = new AuthorizationPolicyBuilder(authorizeAttribute.AuthenticationSchemes.Split(',')); builder.RequireRole(authorizeAttribute.Roles.Split(',')); policy = builder.Build(); } else if (authorizeAttribute.Policy != null) { policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy) ?? throw new ArgumentException($"Policy {authorizeAttribute.Policy} does not exist"); } else { policy = await policyProvider.GetDefaultPolicyAsync(); } return(new AuthorizationContext { Policy = policy }); }
private async Task <AuthorizationPolicy> GetAuthorizationPolicy(IDotvvmRequestContext context) { var policyProvider = GetPolicyProvider(context); var policyBuilder = new AuthorizationPolicyBuilder(); var useDefaultPolicy = true; if (!string.IsNullOrWhiteSpace(Policy)) { var policy = await policyProvider.GetPolicyAsync(Policy); if (policy == null) { throw new InvalidOperationException($"The policy '{Policy}' could not be found!"); } policyBuilder.Combine(policy); useDefaultPolicy = false; } var rolesSplit = Roles?.Split(','); if (rolesSplit != null && rolesSplit.Any()) { var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireRole(trimmedRolesSplit); useDefaultPolicy = false; } var authTypesSplit = ActiveAuthenticationSchemes?.Split(','); if (authTypesSplit != null && authTypesSplit.Any()) { foreach (var authType in authTypesSplit) { if (!string.IsNullOrWhiteSpace(authType)) { policyBuilder.AuthenticationSchemes.Add(authType.Trim()); } } } if (useDefaultPolicy) { policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync()); } return(policyBuilder.Build()); }
protected virtual void ConfigureFilters(FilterCollection filters) { Log.Information(GetLogMessage("Configuring Filters")); var policyBuilder = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser() // .AuthenticationSchemes() .RequireScope(AppSettings.Scope); if (SupportsAdminRoleAuthentication) { policyBuilder.RequireRole(RoleNames.AdminRole); } if (this.SupportsAuthentication) { filters.Add(new AuthorizeFilter(policyBuilder.Build())); } filters.Add(new SecurityHeadersAttribute()); filters.Add(typeof(ModelStateFeatureFilter)); filters.Add(typeof(ValidateModelAttribute)); }
// Choice: policy= | policy= | role= | role = ... public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { if (policyName.StartsWith(POLICY_PREFIX, StringComparison.OrdinalIgnoreCase)) { var policyNames = policyName.Substring(POLICY_PREFIX.Length); var startIndex = policyNames.IndexOf(":"); if (startIndex == -1 || startIndex == policyNames.Length) { throw new ArgumentException($"invalid syntax, must contains a ':' before tokens. The correct format is {Format}"); } // skip the ":" , and turn it into the following list // [[policy,policyName],[policy,policName],...[role,roleName],...,] var list = policyNames.Substring(startIndex + 1) .Split("|") .Select(p => p.Split("=").Select(e => e.Trim().Trim('\'')).ToArray()) ; // build policy for roleNames var rolesPolicyBuilder = new AuthorizationPolicyBuilder(); var roleNames = list.Where(arr => arr[0].ToLower() == TOKEN_ROLE) .Select(arr => arr[1]) .ToArray(); var rolePolicy = rolesPolicyBuilder.RequireRole(roleNames).Build(); // get policies with all related names var polices1 = list.Where(arr => arr[0].ToLower() == TOKEN_POLICY); var polices = polices1 .Select(arr => arr[1]) .Select(name => this._authZOpts.GetPolicy(name)) // if the policy with the name doesn exit => null .Where(p => p != null) // filter null policy .Append(rolePolicy) .ToList(); var pb = new AuthorizationPolicyBuilder(); pb.AddRequirements(new LogicalOrRequirement(polices)); return(Task.FromResult(pb.Build())); } return(FallbackPolicyProvider.GetPolicyAsync(policyName)); }
// This method gets called by the runtime. Use this method to add services to the container. // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940 public void ConfigureServices(IServiceCollection services) { services.AddDbContextPool <AppDbContext>( options => options.UseSqlServer(_config.GetConnectionString("ApplicationDbContext"))); services.AddDbContextPool <AppDbContext>( options => options.UseSqlServer(_config.GetConnectionString("toDoListDBConnection"))); services.AddDbContextPool <AGesContext>( options => options.UseSqlServer(_config.GetConnectionString("aGesConnection"))); services.AddIdentity <ApplicationUser, IdentityRole>(options => { options.Password.RequiredLength = 10; options.Password.RequiredUniqueChars = 3; options.Password.RequireNonAlphanumeric = false; options.SignIn.RequireConfirmedEmail = true; options.Lockout.MaxFailedAccessAttempts = 3; options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromHours(1); }).AddEntityFrameworkStores <AppDbContext>() .AddDefaultTokenProviders(); services.AddAntiforgery(options => options.HeaderName = "RequestVerificationToken"); var policy = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser() .Build(); services.AddDistributedMemoryCache(); services.AddSession(so => { so.IdleTimeout = TimeSpan.FromMinutes(60); }); services.AddMvc(options => { options.Filters.Add(new AuthorizeFilter(policy)); options.EnableEndpointRouting = false; }).AddXmlSerializerFormatters(); services.ConfigureApplicationCookie(options => { options.AccessDeniedPath = new PathString("/Administration/AccessDenied"); }); services.AddAuthorization(options => { //options.AddPolicy("DeleteRolePolicy", policy => policy.RequireClaim("Delete Role", "true") // .RequireRole("Administrator") // .RequireRole("Super Admin") //); //options.AddPolicy("EditRolePolicy", policy => policy.RequireClaim("Edit Role", "true") // .RequireRole("Administrator") // .RequireRole("Super Admin")); //options.AddPolicy("EditRolePolicy", policy => policy.RequireAssertion(context => // context.User.IsInRole("Administrator") && // context.User.HasClaim(claim => claim.Type == "Edit Role" && claim.Value == "true") || // context.User.IsInRole("Super Admin") // )); options.AddPolicy("DeleteRolePolicy", policy => policy.RequireAssertion(context => context.User.IsInRole("Administrator") && context.User.HasClaim(claim => claim.Type == "Delete Role" && claim.Value == "true") || context.User.IsInRole("Super Admin") )); options.AddPolicy("EditRolePolicy", policy => policy.AddRequirements(new ManageAdminRolesAndClaimsRequirement())); options.AddPolicy("AdminRolePolicy", policy => policy.RequireRole("Administrator")); options.AddPolicy("SuperAdminRolePolicy", policy => policy.RequireRole("Super Admin")); options.AddPolicy("ManagerRights", policy => policy.RequireAssertion(context => context.User.IsInRole("Administrator") || context.User.IsInRole("Super Admin"))); }); // services.AddScoped<IUserRepository, SQLUserRepository>(); //services.AddScoped<ITaskRepository, SQLTaskRepository>(); //services.AddScoped<IToDoListRepository, SQLToDoRepository>(); services.AddScoped <IForgotPassword, SQL_IForgotPassword>(); services.AddScoped <IConConfig, SQL_ConConfig>(); services.AddScoped <IEmpresa, SQL_IEmpresa>(); services.AddScoped <IEmpresaUtilizadores, SQL_IEmpresaUtilizadores>(); services.AddScoped <IEmpresaAGes, SQL_IEmpresaAGes>(); services.AddScoped <ICLab, SQL_ICLab>(); services.AddScoped <IDadosEmpresaViewModel, SQL_IDadosEmpresaViewModel>(); services.AddScoped <IGabineteContabilidade, Sql_IGabineteContabilidade>(); services.AddSingleton <IAuthorizationHandler, SuperAdminHandler>(); services.AddSingleton <IAuthorizationHandler, AdministratorHandler>(); // services.AddSingleton<ICustomDbContextFactory<CustomDbContext>, CustomDbContextFactory<CustomDbContext>>(); }
public static AuthorizationPolicyBuilder RequireRoleWithAdmin(this AuthorizationPolicyBuilder builder, params string[] roles) { return(builder.RequireRole(roles.Concat(new string[] { "Admin" }))); }
/// <summary> /// Combines the <see cref="AuthorizationPolicy"/> provided by the specified /// <paramref name="policyProvider"/>. /// </summary> /// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param> /// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param> /// <returns> /// A new <see cref="AuthorizationPolicy"/> which represents the combination of the /// authorization policies provided by the specified <paramref name="policyProvider"/>. /// </returns> public static async Task <AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData) { if (policyProvider == null) { throw new ArgumentNullException(nameof(policyProvider)); } if (authorizeData == null) { throw new ArgumentNullException(nameof(authorizeData)); } var policyBuilder = new AuthorizationPolicyBuilder(); var any = false; foreach (var authorizeDatum in authorizeData) { any = true; var useDefaultPolicy = true; if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy)) { var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy); if (policy == null) { //throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy)); throw new InvalidOperationException(nameof(authorizeDatum.Policy)); } policyBuilder.Combine(policy); useDefaultPolicy = false; } var rolesSplit = authorizeDatum.Roles?.Split(','); if (rolesSplit != null && rolesSplit.Any()) { var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireRole(trimmedRolesSplit); useDefaultPolicy = false; } if (authorizeDatum is IPermissionAuthorizeData permissionAuthorizeDatum) { var groupsSplit = permissionAuthorizeDatum.Groups?.Split(','); if (groupsSplit != null && groupsSplit.Any()) { var trimmedGroupsSplit = groupsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireClaim(TubumuClaimTypes.Group, trimmedGroupsSplit); //policyBuilder.AddRequirements(new GroupsAuthorizationRequirement(trimmedGroupsSplit)); useDefaultPolicy = false; } var permissionsSplit = permissionAuthorizeDatum.Permissions?.Split(','); if (permissionsSplit != null && permissionsSplit.Any()) { var trimmedPermissionsSplit = permissionsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireClaim(TubumuClaimTypes.Permission, trimmedPermissionsSplit); //policyBuilder.AddRequirements(new PermissionsAuthorizationRequirement(trimmedPermissionsSplit)); useDefaultPolicy = false; } } var authTypesSplit = authorizeDatum.AuthenticationSchemes?.Split(','); if (authTypesSplit != null && authTypesSplit.Any()) { foreach (var authType in authTypesSplit) { if (!string.IsNullOrWhiteSpace(authType)) { policyBuilder.AuthenticationSchemes.Add(authType.Trim()); } } } if (useDefaultPolicy) { policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync()); } } return(any ? policyBuilder.Build() : null); }
public static AuthorizationPolicyBuilder RequireIsOwnerClaim(this AuthorizationPolicyBuilder builder) => builder.RequireRole(AuthConstants.IsOwner, AuthConstants.TrueValue);
public static void Build(AuthorizationPolicyBuilder builder) => builder.RequireRole("Consulta.Clientes");
public static void Build(AuthorizationPolicyBuilder builder) => builder.RequireRole("Administrator");
public static AuthorizationPolicyBuilder RequireRole <T>(this AuthorizationPolicyBuilder policy, params T[] roles) { return(policy.RequireRole(roles.Select(r => r.ToString()))); }