public async Task <PermissionCheckResult> CheckPermissionAsync(ICurrentUserContext userContext, PermissionCheckContext permissionCheckContext) { //此示例演示基于额外的请求上下文,来完成判断逻辑的场景。例如Query,Form, Cookie等 if (userContext == null) { throw new ArgumentNullException(nameof(userContext)); } if (permissionCheckContext == null) { throw new ArgumentNullException(nameof(permissionCheckContext)); } //todo: read current user's allowed scoped from database or somewhere else var scopeOrgIds = new List <string>() { "123", "789" }; var currentOrgId = await TryGetCurrentOrgId(permissionCheckContext); if (scopeOrgIds.MyContains(currentOrgId)) { var permissionCheckResult = PermissionCheckResult.Allowed.WithMessage("当前组织已授权: " + currentOrgId); _debugHelper.AppendPermissionCheckResults(permissionCheckResult); _logger.LogInformation(permissionCheckResult.Message); return(permissionCheckResult); } var permissionCheckResult2 = PermissionCheckResult.Forbidden.WithMessage("当前组织没有授权: " + currentOrgId); _debugHelper.AppendPermissionCheckResults(permissionCheckResult2); _logger.LogInformation(permissionCheckResult2.Message); return(permissionCheckResult2); }
public Task <PermissionCheckResult> CheckPermissionAsync(ICurrentUserContext userContext, PermissionCheckContext permissionCheckContext) { //此示例演示基于自身Claims,来完成判断逻辑的场景。 var msg = "需要授权: " + KnownPermissionIds.DemoOp; if (userContext.Permissions.MyContains(KnownPermissionIds.DemoOp)) { var allowedCheckResult = PermissionCheckResult.Allowed .WithMessage(msg) .WithData(KnownPermissionIds.DemoOp); _debugHelper.AppendPermissionCheckResults(allowedCheckResult); _logger.LogInformation(allowedCheckResult.Message); return(Task.FromResult(allowedCheckResult)); } var forbiddenResult = PermissionCheckResult.Forbidden .WithMessage(msg) .WithData(KnownPermissionIds.DemoOp); _debugHelper.AppendPermissionCheckResults(forbiddenResult); _logger.LogInformation(forbiddenResult.Message); return(Task.FromResult(forbiddenResult)); }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, OperationAuthorizationRequirement requirement, object resource) { var httpContext = _httpContextAccessor.HttpContext; var actionDescriptor = context.GetControllerActionDescriptor(httpContext); if (actionDescriptor == null) { await Task.CompletedTask; return; } _logger.LogInformation(actionDescriptor.DisplayName); var providers = httpContext .RequestServices .GetServices <IResourceBasedCheckLogicProvider>() .OrderBy(x => x.Order) .ToList(); if (providers.Count == 0) { //没由授权逻辑来认领 return; } var checkResults = new List <PermissionCheckResult>(); foreach (var logicProvider in providers) { if (logicProvider.ShouldCare(_currentUserContext, requirement, resource)) { var moreCheckResult = await logicProvider.CheckPermissionAsync(_currentUserContext, requirement, resource); checkResults.Add(moreCheckResult); } } var permissionCheckResult = checkResults.Combine(); foreach (var moreCheckResult in checkResults) { _logger.LogInformation(moreCheckResult.Message); _debugHelper.AppendPermissionCheckResults(moreCheckResult); } if (checkResults.Count > 1) { _logger.LogInformation(permissionCheckResult.Message); } if (permissionCheckResult.Category == PermissionCheckResultCategory.Allowed) { context.Succeed(requirement); return; } //apply super power var superPowerCheck = httpContext .RequestServices .GetService <SuperPowerCheck>(); if (await superPowerCheck.HasSuperPowerAsync(context, httpContext, _currentUserContext)) { _debugHelper.AppendPermissionCheckResults(PermissionCheckResult.Allowed.WithMessage("客体权限:SuperPower!!!")); _logger.LogInformation("客体权限:SuperPower!!!"); context.Succeed(requirement); } }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionCheckRequirement requirement) { var httpContext = _httpContextAccessor.HttpContext; var actionDescriptor = context.GetControllerActionDescriptor(httpContext); if (actionDescriptor == null) { await Task.CompletedTask; return; } _logger.LogInformation(actionDescriptor.DisplayName); var actionId = actionDescriptor.DisplayName.Split().FirstOrDefault(); var permissionIds = _ruleActionPool.TryGetPermissionIdsByActionId(actionId); if (permissionIds.Count == 0) { //如果找到ActionId的配置,以此为准,否则以Attribute为准 permissionIds = context.GetPermissionAttributes(httpContext).Select(x => x.PermissionId).ToList(); } if (permissionIds.Count == 0) { if (_snapshot.Value.RequiredLoginForUnknown) { _logger.LogInformation("没有任何对应规则,根据配置执行登录检测"); permissionIds.Add(KnownPermissionIds.LoginOp); } } var permissionCheckContext = CreatePermissionCheckContext(context, httpContext, actionDescriptor, permissionIds, requirement); var permissionRules = _ruleActionPool.TryGetRoleBasedPermissionRules(permissionIds.ToArray()); var checkResults = _roleBasedPermissionRuleLogic.CheckRules(permissionRules, permissionCheckContext); _debugHelper.AppendPermissionCheckResults(checkResults.ToArray()); if (await _superPowerCheck.HasSuperPowerAsync(context, httpContext, _currentUserContext)) { _debugHelper.AppendPermissionCheckResults(PermissionCheckResult.Allowed.WithMessage("主体权限: SuperPower!!!")); _logger.LogInformation("主体权限: SuperPower!!!"); context.Succeed(requirement); return; } foreach (var permissionCheckResult in checkResults) { _logger.LogInformation(permissionCheckResult.Message); } var checkResult = checkResults.Combine(); if (checkResults.Count > 1) { _logger.LogInformation(checkResult.Message); } if (checkResult.Category == PermissionCheckResultCategory.Allowed) { //RBAC成功后,才有机会执行其他的复杂逻辑 //验证逻辑的扩展点 var checkLogicProviders = httpContext .RequestServices .GetServices <IPermissionCheckLogicProvider>() .OrderBy(x => x.Order) .ToList(); if (checkLogicProviders.Count > 0) { var moreCheckResults = new List <PermissionCheckResult>(); foreach (var logicProvider in checkLogicProviders) { if (await logicProvider.ShouldCareAsync(_currentUserContext, permissionCheckContext)) { var moreCheckResult = await logicProvider.CheckPermissionAsync(_currentUserContext, permissionCheckContext); moreCheckResults.Add(moreCheckResult); } else { moreCheckResults.Add(PermissionCheckResult.NotSure); } } var permissionCheckResult = moreCheckResults.Combine(); if (permissionCheckResult.Category == PermissionCheckResultCategory.Forbidden) { return; } } context.Succeed(requirement); } }