// GET: Topics/Details/5 public async Task <IActionResult> Details(string id) { var p = await _policyProvider.GetPolicyAsync(MyIdentityData.Policy_NotBanned + "afds"); var a = p.Requirements; if (id == null) { return(NotFound()); } var topic = await _context.Topics .Include(t => t.Posts) .FirstOrDefaultAsync(m => m.Name == id); if (topic == null) { return(NotFound()); } if (topic.Posts == null) { topic.Posts = new List <Post>(); } return(View(topic)); }
private async Task <bool> ValidateAuthorizationPolicyAsync(string authorizationPolicyName, string routeId, IConfigErrorReporter errorReporter) { if (string.IsNullOrEmpty(authorizationPolicyName)) { return(true); } if (string.Equals(AuthorizationConstants.Default, authorizationPolicyName, StringComparison.OrdinalIgnoreCase)) { return(true); } try { var policy = await _authorizationPolicyProvider.GetPolicyAsync(authorizationPolicyName); if (policy == null) { errorReporter.ReportError(ConfigErrors.ParsedRouteRuleInvalidAuthorizationPolicy, routeId, $"Authorization policy '{authorizationPolicyName}' not found."); return(false); } } catch (Exception ex) { errorReporter.ReportError(ConfigErrors.ParsedRouteRuleInvalidAuthorizationPolicy, routeId, $"Unable to retrieve the authorization policy '{authorizationPolicyName}'", ex); return(false); } return(true); }
public async Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { if (!policyName.Contains(_dynamicOptions.Seperator)) { return(await _fallbackProvider.GetPolicyAsync(policyName)); } var parts = policyName.Split(_dynamicOptions.Seperator); if (parts.Length <= 1) { throw new InvalidOperationException("Not any param is specified"); } var paramList = parts.SubSet(1, parts.Length - 1); if (!_dynamicOptions.Providers.ContainsKey(parts[0])) { throw new InvalidOperationException($"No provider for policy '{parts[0]}'"); } var builder = new AuthorizationPolicyBuilder(); _dynamicOptions.Providers[parts[0]](paramList, builder); if (builder.AuthenticationSchemes?.Any() != true) { builder.AuthenticationSchemes = _dynamicOptions.DefaultSchemes; } return(builder.Build()); }
public async Task OnAuthorizationAsync(AuthorizationFilterContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } // Don not call filter for ReExecute requests (such as status code pages) and skips all paths marked as AllowAnonymous attribute if (context.HttpContext.Features.Get <IStatusCodeReExecuteFeature>() != null || context.Filters.Any(x => x is IAllowAnonymousFilter)) { return; } var policy = await _policyProvider.GetPolicyAsync(AnonymousUserForStoreAuthorizationRequirement.PolicyName); var policyEvaluator = context.HttpContext.RequestServices.GetRequiredService <IPolicyEvaluator>(); var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context.HttpContext); var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context.HttpContext, context); // For all the results except Succeeded we need to return <see cref="ChallengeResult"/> if (!authorizeResult.Succeeded) { // Here we need only ChallengeResult to redirect to Login instead of ForbiddenResult that standard AuthorizeFilter returns in that case (authenticated and non authorized user) // https://github.com/aspnet/AspNetCore/blob/v2.2.3/src/Mvc/Mvc.Core/src/Authorization/AuthorizeFilter.cs#L210 // https://github.com/aspnet/AspNetCore/blob/v2.2.3/src/Security/Authorization/Policy/src/PolicyEvaluator.cs#L91 context.Result = new ChallengeResult(policy.AuthenticationSchemes.ToArray()); } }
private async ValueTask ValidateAuthorizationPolicyAsync(IList <Exception> errors, string authorizationPolicyName, string routeId) { if (string.IsNullOrEmpty(authorizationPolicyName)) { return; } if (string.Equals(AuthorizationConstants.Default, authorizationPolicyName, StringComparison.OrdinalIgnoreCase)) { return; } try { var policy = await _authorizationPolicyProvider.GetPolicyAsync(authorizationPolicyName); if (policy == null) { errors.Add(new ArgumentException($"Authorization policy '{authorizationPolicyName}' not found for route '{routeId}'.")); } } catch (Exception ex) { errors.Add(new ArgumentException($"Unable to retrieve the authorization policy '{authorizationPolicyName}' for route '{routeId}'.", ex)); } }
private static async Task <bool> AuthorizeWithPolicyAsync( IDirectiveContext context, AuthorizeDirective directive, ClaimsPrincipal principal) { IServiceProvider services = context.Service <IServiceProvider>(); IAuthorizationService authorizeService = services.GetService <IAuthorizationService>(); IAuthorizationPolicyProvider policyProvider = services.GetService <IAuthorizationPolicyProvider>(); if (authorizeService == null || policyProvider == null) { return(string.IsNullOrWhiteSpace(directive.Policy)); } AuthorizationPolicy policy = null; if (directive.Roles.Count == 0 && string.IsNullOrWhiteSpace(directive.Policy)) { policy = await policyProvider.GetDefaultPolicyAsync() .ConfigureAwait(false); if (policy == null) { context.Result = QueryError.CreateFieldError( "The default authorization policy does not exist.", context.FieldSelection); } } else if (!string.IsNullOrWhiteSpace(directive.Policy)) { policy = await policyProvider.GetPolicyAsync(directive.Policy) .ConfigureAwait(false); if (policy == null) { context.Result = QueryError.CreateFieldError( $"The `{directive.Policy}` authorization policy " + "does not exist.", context.FieldSelection); } } if (context.Result == null && policy != null) { AuthorizationResult result = await authorizeService.AuthorizeAsync(principal, policy) .ConfigureAwait(false); return(result.Succeeded); } return(false); }
public async Task InvokeAsync(HttpContext context) { if (context is null) { throw new ArgumentNullException(nameof(context)); } var(useDefaultPolicy, policyName) = options is null ? (true, null) : (options.UseDefault, options.PolicyName); var policy = await(useDefaultPolicy ? policyProvider.GetDefaultPolicyAsync() : policyProvider.GetPolicyAsync(policyName)); // Policy evaluator has transient lifetime so it fetched from request services instead of injecting in constructor var policyEvaluator = context.RequestServices.GetRequiredService <IPolicyEvaluator>(); var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context); var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, resource : null); if (authorizeResult.Challenged) { if (policy.AuthenticationSchemes.Any()) { foreach (var scheme in policy.AuthenticationSchemes) { await context.ChallengeAsync(scheme); } } else { await context.ChallengeAsync(); } return; } else if (authorizeResult.Forbidden) { if (policy.AuthenticationSchemes.Any()) { foreach (var scheme in policy.AuthenticationSchemes) { await context.ForbidAsync(scheme); } } else { await context.ForbidAsync(); } return; } await(next?.Invoke(context) ?? Task.CompletedTask); }
public void Apply(Operation operation, OperationFilterContext context) { //everything requires the public scope var requiredRootPolicies = new[] { _appName, ApiConstants.PublicScope }; var apiDescription = context.ApiDescription; var requiredScopes = apiDescription .ActionAttributes() .Union(apiDescription.ControllerAttributes()) .OfType <AuthorizeAttribute>() //Get all auth attributes from the action and controller .Where(a => a.Policy != null) //There has to be a policy set .Select(a => _provider.GetPolicyAsync(a.Policy).Result) //Lookup the policy .SelectMany(p => p.Requirements //flatten the requirements ) .Union( //combine that with the global requirements apiDescription.ActionDescriptor.FilterDescriptors .Select(f => f.Filter) .OfType <AuthorizeFilter>() .Where(f => f.Policy?.Requirements != null) .SelectMany(f => f.Policy?.Requirements ) ).OfType <ClaimsAuthorizationRequirement>() // we only care about scope claims .Where(c => c.ClaimType == "Scope") .SelectMany(c => c.AllowedValues) .Union(requiredRootPolicies) .Distinct() .ToList(); operation.Responses.Add("400", new Response { Description = "Bad Request", Examples = ValidationErrorObject }); if (!requiredScopes.Any()) { return; } operation.Responses.Add("401", new Response { Description = "Unauthorized" }); operation.Responses.Add("403", new Response { Description = "Forbidden" }); operation.Security = new List <IDictionary <string, IEnumerable <string> > > { new Dictionary <string, IEnumerable <string> > { { "oidc", requiredScopes } } }; }
private async ValueTask ValidateAuthorizationPolicyAsync(IList <Exception> errors, string?authorizationPolicyName, string routeId) { if (string.IsNullOrEmpty(authorizationPolicyName)) { return; } if (string.Equals(AuthorizationConstants.Default, authorizationPolicyName, StringComparison.OrdinalIgnoreCase)) { var policy = await _authorizationPolicyProvider.GetPolicyAsync(authorizationPolicyName); if (policy != null) { errors.Add(new ArgumentException($"The application has registered an authorization policy named '{authorizationPolicyName}' that conflicts with the reserved authorization policy name used on this route. The registered policy name needs to be changed for this route to function.")); } return; } if (string.Equals(AuthorizationConstants.Anonymous, authorizationPolicyName, StringComparison.OrdinalIgnoreCase)) { var policy = await _authorizationPolicyProvider.GetPolicyAsync(authorizationPolicyName); if (policy != null) { errors.Add(new ArgumentException($"The application has registered an authorization policy named '{authorizationPolicyName}' that conflicts with the reserved authorization policy name used on this route. The registered policy name needs to be changed for this route to function.")); } return; } try { var policy = await _authorizationPolicyProvider.GetPolicyAsync(authorizationPolicyName); if (policy == null) { errors.Add(new ArgumentException($"Authorization policy '{authorizationPolicyName}' not found for route '{routeId}'.")); } } catch (Exception ex) { errors.Add(new ArgumentException($"Unable to retrieve the authorization policy '{authorizationPolicyName}' for route '{routeId}'.", ex)); } }
/// <summary> /// Combines the <see cref="AuthorizationPolicy"/> provided by the specified /// <paramref name="policyProvider"/>. /// </summary> /// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param> /// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param> /// <returns> /// A new <see cref="AuthorizationPolicy"/> which represents the combination of the /// authorization policies provided by the specified <paramref name="policyProvider"/>. /// </returns> public static async Task <AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData) { if (policyProvider == null) { throw new ArgumentNullException(nameof(policyProvider)); } if (authorizeData == null) { throw new ArgumentNullException(nameof(authorizeData)); } var policyBuilder = new AuthorizationPolicyBuilder(); var any = false; foreach (var authorizeAttribute in authorizeData.OfType <AuthorizeAttribute>()) { any = true; var useDefaultPolicy = true; if (!string.IsNullOrWhiteSpace(authorizeAttribute.Policy)) { var policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy); if (policy == null) { throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeAttribute.Policy)); } policyBuilder.Combine(policy); useDefaultPolicy = false; } var rolesSplit = authorizeAttribute.Roles?.Split(','); if (rolesSplit != null && rolesSplit.Any()) { var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireRole(trimmedRolesSplit); useDefaultPolicy = false; } var authTypesSplit = authorizeAttribute.ActiveAuthenticationSchemes?.Split(','); if (authTypesSplit != null && authTypesSplit.Any()) { foreach (var authType in authTypesSplit) { if (!string.IsNullOrWhiteSpace(authType)) { policyBuilder.AuthenticationSchemes.Add(authType.Trim()); } } } if (useDefaultPolicy) { policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync()); } } return(any ? policyBuilder.Build() : null); }
public async Task Invoke(HttpContext context, IProxyApplicationService applicationService, IPolicyEvaluator policyEvaluator) { var activeApplication = applicationService.GetActiveApplication(); var mode = context.Request.PathBase == ProxyMetaEndpoints.PathBase ? PathAuthOptions.AuthMode.Web : activeApplication.GetPathMode(context.Request.Path); if (!mode.HasValue) { context.Response.StatusCode = (int)HttpStatusCode.Forbidden; context.SetErrorDetail(Errors.Code.UnconfiguredPath, "Path has no authentication method configured."); return; } if (mode == PathAuthOptions.AuthMode.None) { await _next(context); return; } var policyName = mode == PathAuthOptions.AuthMode.Web ? ProxyAuthComponents.GetWebPolicyName(activeApplication) : ProxyAuthComponents.GetApiPolicyName(activeApplication); var policy = await _policyProvider.GetPolicyAsync(policyName); var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context); var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, null); var telemetry = context.Features.Get <RequestTelemetry>(); if (telemetry != null && authenticateResult.Succeeded) { telemetry.Context.User.Id = context.User.Identity.Name; } if (authorizeResult.Challenged) { await context.ChallengeAsync(policy.AuthenticationSchemes.First()); } else if (authorizeResult.Forbidden) { await context.ForbidAsync(policy.AuthenticationSchemes.First()); } else { await _next(context); } }
/// <summary> /// Checks if a user meets a specific authorization policy. /// </summary> /// <param name="user">The user to check the policy against.</param> /// <param name="resource">The resource the policy should be checked with.</param> /// <param name="policyName">The name of the policy to check against a specific context.</param> /// <returns> /// A flag indicating whether authorization has succeeded. /// This value is <value>true</value> when the user fulfills the policy otherwise <value>false</value>. /// </returns> public virtual async Task <AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object?resource, string policyName) { if (policyName == null) { throw new ArgumentNullException(nameof(policyName)); } var policy = await _policyProvider.GetPolicyAsync(policyName).ConfigureAwait(false); if (policy == null) { throw new InvalidOperationException($"No policy found: {policyName}."); } return(await this.AuthorizeAsync(user, resource, policy).ConfigureAwait(false)); }
public async Task <bool> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName) { if (policyName == null) { throw new ArgumentNullException(nameof(policyName)); } var policy = await _policyProvider.GetPolicyAsync(policyName); if (policy == null) { throw new InvalidOperationException($"No policy found: {policyName}."); } return(await this.AuthorizeAsync(user, resource, policy)); }
public async Task <AuthorizationContext> GetAuthorizationContextAsync(object implementation, MethodInfo methodInfo) { Type[] parameterTypes = methodInfo.GetParameters().Select(x => x.ParameterType).ToArray(); if (parameterTypes.Length == 0) { parameterTypes = Type.EmptyTypes; } MethodInfo concreteMethod = implementation.GetType().GetMethod(methodInfo.Name, parameterTypes); AuthorizeAttribute authorizeAttribute = concreteMethod.DeclaringType.GetCustomAttribute <AuthorizeAttribute>(); // overwrite by action attribute authorizeAttribute = concreteMethod.GetCustomAttribute <AuthorizeAttribute>() ?? authorizeAttribute; if (authorizeAttribute == null) { return(null); } if (authorizeAttribute.Roles != null && authorizeAttribute.Policy != null) { throw new NotSupportedException("You must specify either Roles or Policy"); } AuthorizationPolicy policy; if (authorizeAttribute.Roles != null) { var builder = new AuthorizationPolicyBuilder(authorizeAttribute.AuthenticationSchemes.Split(',')); builder.RequireRole(authorizeAttribute.Roles.Split(',')); policy = builder.Build(); } else if (authorizeAttribute.Policy != null) { policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy) ?? throw new ArgumentException($"Policy {authorizeAttribute.Policy} does not exist"); } else { policy = await policyProvider.GetDefaultPolicyAsync(); } return(new AuthorizationContext { Policy = policy }); }
public Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { var scopes = GoogleScopedAuthorizeAttribute.ParsePolicy(policyName); if (scopes != null) { // A GoogleScoped policy. var policy = new AuthorizationPolicyBuilder(_scheme); policy.RequireAuthenticatedUser(); policy.AddRequirements(new GoogleScopedRequirement(_scheme, scopes)); return(Task.FromResult(policy.Build())); } else { // Not a GoogleScoped policy, use default behaviour. return(_default.GetPolicyAsync(policyName)); } }
public async Task OnPageHandlerSelectionAsync(PageHandlerSelectedContext context) { if (context.ActionDescriptor.ModelTypeInfo != typeof(Pages.IndexModel)) { throw new NotSupportedException("This only works for IndexModel."); } if (context.HandlerMethod.MethodInfo != typeof(Pages.IndexModel).GetMethod(nameof(Pages.IndexModel.OnPostAuthorized))) { return; } var policy = await policyProvider.GetPolicyAsync("YourAuthPolicyHere"); // Or you may use the default policy if you don't have a specific policy configured. // var policy = policyProvider.GetDefaultPolicyAsync(); await AuthoorizeAsync(context, policy); }
/// <summary> /// Combines the <see cref="AuthorizationPolicy"/> provided by the specified /// <paramref name="policyProvider"/>. /// </summary> /// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param> /// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param> /// <returns> /// A new <see cref="AuthorizationPolicy"/> which represents the combination of the /// authorization policies provided by the specified <paramref name="policyProvider"/>. /// </returns> public static async Task <AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData) { if (policyProvider == null) { throw new ArgumentNullException(nameof(policyProvider)); } if (authorizeData == null) { throw new ArgumentNullException(nameof(authorizeData)); } var policyBuilder = new AuthorizationPolicyBuilder(); var any = false; foreach (var authorizeDatum in authorizeData) { any = true; var useDefaultPolicy = true; if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy)) { var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy); if (policy == null) { //throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy)); throw new InvalidOperationException(nameof(authorizeDatum.Policy)); } policyBuilder.Combine(policy); useDefaultPolicy = false; } var rolesSplit = authorizeDatum.Roles?.Split(','); if (rolesSplit != null && rolesSplit.Any()) { var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireRole(trimmedRolesSplit); useDefaultPolicy = false; } if (authorizeDatum is IPermissionAuthorizeData permissionAuthorizeDatum) { var groupsSplit = permissionAuthorizeDatum.Groups?.Split(','); if (groupsSplit != null && groupsSplit.Any()) { var trimmedGroupsSplit = groupsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireClaim(TubumuClaimTypes.Group, trimmedGroupsSplit); //policyBuilder.AddRequirements(new GroupsAuthorizationRequirement(trimmedGroupsSplit)); useDefaultPolicy = false; } var permissionsSplit = permissionAuthorizeDatum.Permissions?.Split(','); if (permissionsSplit != null && permissionsSplit.Any()) { var trimmedPermissionsSplit = permissionsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireClaim(TubumuClaimTypes.Permission, trimmedPermissionsSplit); //policyBuilder.AddRequirements(new PermissionsAuthorizationRequirement(trimmedPermissionsSplit)); useDefaultPolicy = false; } } var authTypesSplit = authorizeDatum.AuthenticationSchemes?.Split(','); if (authTypesSplit != null && authTypesSplit.Any()) { foreach (var authType in authTypesSplit) { if (!string.IsNullOrWhiteSpace(authType)) { policyBuilder.AuthenticationSchemes.Add(authType.Trim()); } } } if (useDefaultPolicy) { policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync()); } } return(any ? policyBuilder.Build() : null); }
/// <summary> /// Combines the <see cref="AuthorizationPolicy"/> provided by the specified /// <paramref name="policyProvider"/>. /// </summary> /// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param> /// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param> /// <returns> /// A new <see cref="AuthorizationPolicy"/> which represents the combination of the /// authorization policies provided by the specified <paramref name="policyProvider"/>. /// </returns> public static async Task <AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData) { if (policyProvider == null) { throw new ArgumentNullException(nameof(policyProvider)); } if (authorizeData == null) { throw new ArgumentNullException(nameof(authorizeData)); } var policyBuilder = new AuthorizationPolicyBuilder(); var any = false; foreach (var authorizeAttribute in authorizeData) { any = true; var useDefaultPolicy = true; if (!string.IsNullOrWhiteSpace(authorizeAttribute.Policy)) { var policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy); if (policy == null) { throw new InvalidOperationException(ResourceHelper.FormatException_AuthorizationPolicyNotFound(authorizeAttribute.Policy)); } policyBuilder.Combine(policy); useDefaultPolicy = false; } if (!string.IsNullOrWhiteSpace(authorizeAttribute.Roles)) { policyBuilder.RequireRole(SplitAndTrim(authorizeAttribute.Roles)); useDefaultPolicy = false; } if (!string.IsNullOrWhiteSpace(authorizeAttribute.ActiveAuthenticationSchemes)) { policyBuilder.AddAuthenticationSchemes(SplitAndTrim(authorizeAttribute.ActiveAuthenticationSchemes)); useDefaultPolicy = false; } if (useDefaultPolicy) { policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync()); } } if (any) { if (policyBuilder.AuthenticationSchemes.Count > 0) { if (policyBuilder.Requirements.Count == 0) { policyBuilder.RequireAuthenticatedUser(); } } return(policyBuilder.Build()); } return(null); }
/// <summary> /// Combines the <see cref="AuthorizationPolicy"/> provided by the specified /// <paramref name="policyProvider"/>. /// </summary> /// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param> /// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param> /// <returns> /// A new <see cref="AuthorizationPolicy"/> which represents the combination of the /// authorization policies provided by the specified <paramref name="policyProvider"/>. /// </returns> public static async Task <AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData) { if (policyProvider == null) { throw new ArgumentNullException(nameof(policyProvider)); } if (authorizeData == null) { throw new ArgumentNullException(nameof(authorizeData)); } // Avoid allocating enumerator if the data is known to be empty var skipEnumeratingData = false; if (authorizeData is IList <IAuthorizeData> dataList) { skipEnumeratingData = dataList.Count == 0; } AuthorizationPolicyBuilder policyBuilder = null; if (!skipEnumeratingData) { foreach (var authorizeDatum in authorizeData) { if (policyBuilder == null) { policyBuilder = new AuthorizationPolicyBuilder(); } var useDefaultPolicy = true; if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy)) { var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy); if (policy == null) { throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy)); } policyBuilder.Combine(policy); useDefaultPolicy = false; } var rolesSplit = authorizeDatum.Roles?.Split(','); if (rolesSplit != null && rolesSplit.Any()) { var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireRole(trimmedRolesSplit); useDefaultPolicy = false; } var authTypesSplit = authorizeDatum.AuthenticationSchemes?.Split(','); if (authTypesSplit != null && authTypesSplit.Any()) { foreach (var authType in authTypesSplit) { if (!string.IsNullOrWhiteSpace(authType)) { policyBuilder.AuthenticationSchemes.Add(authType.Trim()); } } } if (useDefaultPolicy) { policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync()); } } } var requiredPolicy = await policyProvider.GetRequiredPolicyAsync(); if (requiredPolicy != null) { if (policyBuilder == null) { policyBuilder = new AuthorizationPolicyBuilder(); } policyBuilder.Combine(requiredPolicy); } return(policyBuilder?.Build()); }
/// <summary> /// Combines the <see cref="AuthorizationPolicy"/> provided by the specified /// <paramref name="policyProvider"/>. /// </summary> /// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param> /// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param> /// <param name="policies">A collection of <see cref="AuthorizationPolicy"/> policies to combine.</param> /// <returns> /// A new <see cref="AuthorizationPolicy"/> which represents the combination of the /// authorization policies provided by the specified <paramref name="policyProvider"/>. /// </returns> public static async Task <AuthorizationPolicy?> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable <IAuthorizeData> authorizeData, IEnumerable <AuthorizationPolicy> policies) { if (policyProvider == null) { throw new ArgumentNullException(nameof(policyProvider)); } if (authorizeData == null) { throw new ArgumentNullException(nameof(authorizeData)); } var anyPolicies = policies.Any(); // Avoid allocating enumerator if the data is known to be empty var skipEnumeratingData = false; if (authorizeData is IList <IAuthorizeData> dataList) { skipEnumeratingData = dataList.Count == 0; } AuthorizationPolicyBuilder?policyBuilder = null; if (!skipEnumeratingData) { foreach (var authorizeDatum in authorizeData) { if (policyBuilder == null) { policyBuilder = new AuthorizationPolicyBuilder(); } var useDefaultPolicy = !(anyPolicies); if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy)) { var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy).ConfigureAwait(false); if (policy == null) { throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy)); } policyBuilder.Combine(policy); useDefaultPolicy = false; } var rolesSplit = authorizeDatum.Roles?.Split(','); if (rolesSplit?.Length > 0) { var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireRole(trimmedRolesSplit); useDefaultPolicy = false; } var authTypesSplit = authorizeDatum.AuthenticationSchemes?.Split(','); if (authTypesSplit?.Length > 0) { foreach (var authType in authTypesSplit) { if (!string.IsNullOrWhiteSpace(authType)) { policyBuilder.AuthenticationSchemes.Add(authType.Trim()); } } } if (useDefaultPolicy) { policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync().ConfigureAwait(false)); } } } if (anyPolicies) { policyBuilder ??= new(); foreach (var policy in policies) { policyBuilder.Combine(policy); } } // If we have no policy by now, use the fallback policy if we have one if (policyBuilder == null) { var fallbackPolicy = await policyProvider.GetFallbackPolicyAsync().ConfigureAwait(false); if (fallbackPolicy != null) { return(fallbackPolicy); } } return(policyBuilder?.Build()); }
/// <summary> /// Combines the <see cref="AuthorizationPolicy"/> provided by the specified /// <paramref name="policyProvider"/>. /// </summary> /// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param> /// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param> /// <returns> /// A new <see cref="AuthorizationPolicy"/> which represents the combination of the /// authorization policies provided by the specified <paramref name="policyProvider"/>. /// </returns> public static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData) { if (policyProvider == null) { throw new ArgumentNullException(nameof(policyProvider)); } if (authorizeData == null) { throw new ArgumentNullException(nameof(authorizeData)); } var policyBuilder = new AuthorizationPolicyBuilder(); var any = false; foreach (var authorizeAttribute in authorizeData.OfType<AuthorizeAttribute>()) { any = true; var useDefaultPolicy = true; if (!string.IsNullOrWhiteSpace(authorizeAttribute.Policy)) { var policy = await policyProvider.GetPolicyAsync(authorizeAttribute.Policy); if (policy == null) { throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeAttribute.Policy)); } policyBuilder.Combine(policy); useDefaultPolicy = false; } var rolesSplit = authorizeAttribute.Roles?.Split(','); if (rolesSplit != null && rolesSplit.Any()) { var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireRole(trimmedRolesSplit); useDefaultPolicy = false; } var authTypesSplit = authorizeAttribute.ActiveAuthenticationSchemes?.Split(','); if (authTypesSplit != null && authTypesSplit.Any()) { foreach (var authType in authTypesSplit) { if (!string.IsNullOrWhiteSpace(authType)) { policyBuilder.AuthenticationSchemes.Add(authType.Trim()); } } } if (useDefaultPolicy) { policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync()); } } return any ? policyBuilder.Build() : null; }
public async Task <AuthorizationPolicy> CombineAsync(AuthorizeData authorizeData) { // Avoid allocating enumerator if the data is known to be empty var skip = authorizeData == null; if (skip) { // If we have no policy by now, use the fallback policy if we have one var fallbackPolicy = await PolicyProvider.GetFallbackPolicyAsync(); if (fallbackPolicy != null) { return(fallbackPolicy); } } else { AuthorizationPolicyBuilder policyBuilder = new AuthorizationPolicyBuilder(); var useDefaultPolicy = true; if (authorizeData.DeniedAll) { policyBuilder.AddRequirements(new DenyAllAuthorizationRequirement(true)); useDefaultPolicy = false; } else { if (!authorizeData.AuthenticationSchemes.IsNullOrEmpty()) { foreach (string scheme in authorizeData.AuthenticationSchemes) { policyBuilder.AuthenticationSchemes.Add(scheme.Trim()); } } // 假如允许所有角色访问,只需要求登录即可 if (authorizeData.AllowedAllRoles) { policyBuilder.RequireAuthenticatedUser(); useDefaultPolicy = false; } else { if (!authorizeData.Policies.IsNullOrEmpty()) { foreach (string policyName in authorizeData.Policies) { var policy = await PolicyProvider.GetPolicyAsync(policyName); if (policy == null) { throw new InvalidOperationException($"找不到名为: '{policyName}'的策略!"); } policyBuilder.Combine(policy); } useDefaultPolicy = false; } if (!authorizeData.AllowedUsers.IsNullOrEmpty() || !authorizeData.AllowedRoles.IsNullOrEmpty()) { policyBuilder.AddRequirements(new RolesOrUsersAuthorizationRequirement(authorizeData.AllowedUsers, authorizeData.AllowedRoles)); useDefaultPolicy = false; } } if (useDefaultPolicy) { policyBuilder.Combine(await PolicyProvider.GetDefaultPolicyAsync()); } } return(policyBuilder?.Build()); } return(null); }
private static async Task <bool> AuthorizeWithPolicyAsync( IDirectiveContext context, AuthorizeDirective directive, ClaimsPrincipal principal) { IServiceProvider services = context.Service <IServiceProvider>(); IAuthorizationService authorizeService = services.GetService <IAuthorizationService>(); IAuthorizationPolicyProvider policyProvider = services.GetService <IAuthorizationPolicyProvider>(); if (authorizeService == null || policyProvider == null) { return(string.IsNullOrWhiteSpace(directive.Policy)); } AuthorizationPolicy policy = null; if (directive.Roles.Count == 0 && string.IsNullOrWhiteSpace(directive.Policy)) { policy = await policyProvider.GetDefaultPolicyAsync() .ConfigureAwait(false); if (policy == null) { context.Result = context.Result = ErrorBuilder.New() .SetMessage( AuthResources.AuthorizeMiddleware_NoDefaultPolicy) .SetCode(AuthErrorCodes.NoDefaultPolicy) .SetPath(context.Path) .AddLocation(context.FieldSelection) .Build(); } } else if (!string.IsNullOrWhiteSpace(directive.Policy)) { policy = await policyProvider.GetPolicyAsync(directive.Policy) .ConfigureAwait(false); if (policy == null) { context.Result = ErrorBuilder.New() .SetMessage(string.Format( CultureInfo.InvariantCulture, AuthResources.AuthorizeMiddleware_PolicyNotFound, directive.Policy)) .SetCode(AuthErrorCodes.PolicyNotFound) .SetPath(context.Path) .AddLocation(context.FieldSelection) .Build(); } } if (context.Result == null && policy != null) { AuthorizationResult result = await authorizeService.AuthorizeAsync( principal, context, policy) .ConfigureAwait(false); return(result.Succeeded); } return(false); }