public InProductTrainingModule( IInProductTrainingController inProductTrainingController, IMetadataRegistry metadataRegistry, IPolicyEvaluator policyEvaluator, ILoggerFactory loggerFactory) : base(InProductTrainingServiceBootstrapper.ServiceNameShort, metadataRegistry, policyEvaluator, loggerFactory) { _inProductTrainingController = inProductTrainingController; CreateRoute("CreateInProductTrainingView", HttpMethod.Post, $"{BaseInProductTrainingUrl}/viewed", CreateInProductTrainingViewAsync) .Description("Create a new InProductTraining resource") .StatusCodes(HttpStatusCode.Created, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.BadRequest, HttpStatusCode.InternalServerError) .RequestFormat(InProductTrainingViewRequest.Example()) .ResponseFormat(InProductTrainingViewResponse.Example()); CreateRoute("GetViewedInProductTraining", HttpMethod.Get, $"{BaseInProductTrainingUrl}/viewed/{{clientApplicationId:int}}", GetViewedInProductTrainingAsync) .Description("Get a InProductTrainingView resource by it's identifier.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError, HttpStatusCode.NotFound) .ResponseFormat(InProductTrainingViewResponse.Example()); CreateRoute("CreateWizardView", HttpMethod.Post, $"{BaseWizardsUrl}/viewed", CreateWizardViewAsync) .Description("Create a new wizard view resource") .StatusCodes(HttpStatusCode.Created, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.BadRequest, HttpStatusCode.InternalServerError) .RequestFormat(ViewedWizard.Example()) .ResponseFormat(WizardViewResponse.Example()); CreateRoute("GetWizardViewsByUserId", HttpMethod.Get, $"{BaseWizardsUrl}/viewed/{{userId:guid}}", GetWizardViewsByUserIdAsync) .Description("Get a wizard view resource by it's identifier.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError, HttpStatusCode.NotFound) .ResponseFormat(WizardViewResponse.Example()); }
public async Task OnAuthorizationAsync(AuthorizationFilterContext context) { if (context == null) { throw new ArgumentNullException(nameof(context) + "is null"); } if (context.ActionDescriptor.EndpointMetadata.Any(p => p is IAllowAnonymous)) { return; } if (!context.ActionDescriptor.EndpointMetadata.Any(p => p is AuthorizeAttribute)) { return; } IPolicyEvaluator policyEvaluator = context.HttpContext.RequestServices.GetRequiredService <IPolicyEvaluator>(); AuthenticateResult authenticateResult = await policyEvaluator.AuthenticateAsync(this.policy, context.HttpContext); PolicyAuthorizationResult authorizeResult = await policyEvaluator.AuthorizeAsync(this.policy, authenticateResult, context.HttpContext, context); if (authorizeResult.Challenged) { context.Result = new NavyblueUnAuthorizeResult("Authorization Failed"); } else if (authorizeResult.Forbidden) { context.Result = new ForbidResult(this.policy.AuthenticationSchemes.ToArray()); } }
/// <summary> /// Process an individual request. /// </summary> /// <param name="context">The context.</param> /// <param name="policyEvaluator">The service which can evaluate an <see cref="AuthorizationPolicy" />.</param> /// <returns>The task object representing the asynchronous operation.</returns> public async Task Invoke(HttpContext context, IPolicyEvaluator policyEvaluator) { if (context.Request.Headers[Constants.ACCEPT_HTTP_HEADER] == Constants.SSE_CONTENT_TYPE) { if (!await AuthorizeAsync(context, policyEvaluator)) { return; } DisableResponseBuffering(context); HandleContentEncoding(context); await context.Response.AcceptAsync(_serverSentEventsOptions.OnPrepareAccept); ServerSentEventsClient client = new ServerSentEventsClient(Guid.NewGuid(), context.User, context.Response); if (_serverSentEventsService.ReconnectInterval.HasValue) { await client.ChangeReconnectIntervalAsync(_serverSentEventsService.ReconnectInterval.Value, CancellationToken.None); } await ConnectClientAsync(context.Request, client); await context.RequestAborted.WaitAsync(); await DisconnectClientAsync(context.Request, client); } else { await _next(context); } }
public AuthorizeIndexPageHandlerFilter( IAuthorizationPolicyProvider policyProvider, IPolicyEvaluator policyEvaluator) { this.policyProvider = policyProvider; this.policyEvaluator = policyEvaluator; }
private async Task <bool> AuthorizeAsync(HttpContext context, IPolicyEvaluator policyEvaluator) { bool authorized = false; if (_serverSentEventsOptions.Authorization is null) { authorized = true; } else { if (_authorizationPolicy is null) { _authorizationPolicy = await AuthorizationPolicy.CombineAsync(_policyProvider, new[] { _serverSentEventsOptions.Authorization }); } AuthenticateResult authenticateResult = await policyEvaluator.AuthenticateAsync(_authorizationPolicy, context); PolicyAuthorizationResult authorizeResult = await policyEvaluator.AuthorizeAsync(_authorizationPolicy, authenticateResult, context, null); if (authorizeResult.Challenged) { await ChallengeAsync(context); } else if (authorizeResult.Forbidden) { await ForbidAsync(context); } else { authorized = true; } } return(authorized); }
public ImpersonateTenantMiddleware(RequestDelegate next, IPolicyEvaluator policyEvaluator, IHttpClient httpClient, IAppSettingsReader appSettingsReader) { _policyEvaluator = policyEvaluator; _httpClient = httpClient; _tenantUrl = appSettingsReader.GetValue <string>("Tenant.Url").TrimEnd('/'); _next = next; }
public AuthorizationFilter( IAuthorizationPolicyProvider policyProvider, IPolicyEvaluator policyEvaluator ) { _policyProvider = policyProvider; _policyEvaluator = policyEvaluator; }
public PolicyAuthorizationProvider(IPolicyEvaluator policyEvaluator, ILogger logger, bool logAuthorization, bool logSuccesses) { _policyEvaluator = policyEvaluator; _logger = logger; _logAuthorization = logAuthorization; _logSuccesses = logSuccesses; }
public AuthorizationPolicyTagHelper( IAuthorizationPolicyProvider policyProvider, IPolicyEvaluator policyEvaluator, IHttpContextAccessor httpContextAccessor) { this.policyProvider = policyProvider; this.policyEvaluator = policyEvaluator; this.httpContextAccessor = httpContextAccessor; }
/// <summary> /// Invokes the authorization filters for the controller action. /// </summary> /// <returns>Whether the user is authenticated or not.</returns> internal static async Task <bool> InvokeAuthorizationFiltersForRequest(this ControllerContext controllerContext, ActionContext actionContext) { ControllerActionDescriptor actionDescriptor = controllerContext.ActionDescriptor; var metadataCollection = new EndpointMetadataCollection(actionDescriptor.EndpointMetadata.Union(new[] { actionDescriptor })); IReadOnlyList <IAuthorizeData> authorizeData = metadataCollection.GetOrderedMetadata <IAuthorizeData>(); IAuthorizationPolicyProvider policyProvider = controllerContext.HttpContext.RequestServices .GetRequiredService <IAuthorizationPolicyProvider>(); AuthorizationPolicy?policy = await AuthorizationPolicy.CombineAsync(policyProvider, authorizeData); if (policy is not null) { IPolicyEvaluator policyEvaluator = controllerContext.HttpContext.RequestServices.GetRequiredService <IPolicyEvaluator>(); AuthenticateResult authenticateResult = await policyEvaluator.AuthenticateAsync(policy, controllerContext.HttpContext); if (!authenticateResult.Succeeded) { return(false); } // TODO this is super hacky, but we rely on the FeatureAuthorizeHandler can still handle endpoints // (The way before .NET 5). The .NET 5 way would need to use han http context, for the "inner" request // with the nested controller var resource = new Endpoint(null, metadataCollection, null); PolicyAuthorizationResult authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, controllerContext.HttpContext, resource); if (!authorizeResult.Succeeded) { return(false); } } IList <FilterDescriptor> filters = actionDescriptor.FilterDescriptors; var filterGrouping = new FilterGrouping(filters, controllerContext.HttpContext.RequestServices); // because the continuation gets built from the inside out we need to reverse the filter list // so that least specific filters (Global) get run first and the most specific filters (Action) get run last. var authorizationFilters = filterGrouping.AuthorizationFilters.Reverse().ToList(); var asyncAuthorizationFilters = filterGrouping.AsyncAuthorizationFilters.Reverse().ToList(); if (authorizationFilters.Count == 0 && asyncAuthorizationFilters.Count == 0) { return(true); } // if the authorization filter returns a result, it means it failed to authorize var authorizationFilterContext = new AuthorizationFilterContext(actionContext, filters.Select(x => x.Filter).ToArray()); return(await ExecuteAuthorizationFiltersAsync(authorizationFilterContext, authorizationFilters, asyncAuthorizationFilters)); }
/// <summary> /// Process an individual request. /// </summary> /// <param name="context">The context.</param> /// <param name="policyEvaluator">The service which can evaluate an <see cref="AuthorizationPolicy" />.</param> /// <returns>The task object representing the asynchronous operation.</returns> public async Task Invoke(HttpContext context, IPolicyEvaluator policyEvaluator) { if (context.Request.Headers[Constants.ACCEPT_HTTP_HEADER] == Constants.SSE_CONTENT_TYPE) { if (!await AuthorizeAsync(context, policyEvaluator)) { _logger.LogWarning($"{DateTime.Now.ToString()} : Invoke: AuthorizeAsync returned false for context.User.Identity.Name: {context.User?.Identity?.Name}"); return; } bool shouldAccept = context.ShouldAccept(_serverSentEventsOptions.OnShouldAccept); if (!shouldAccept) { _logger.LogWarning($"{DateTime.Now.ToString()} : Invoke: ShouldAccept returned false for context.User.Identity.Name: {context.User?.Identity?.Name}"); return; } DisableResponseBuffering(context); HandleContentEncoding(context); await context.Response.AcceptAsync(_serverSentEventsOptions.OnPrepareAccept); // Use an autogenerated Guid, useful if not using authentication. //ServerSentEventsClient client = new ServerSentEventsClient(Guid.NewGuid(), context.User, context.Response); // Set the Guid later to provide the opportunity for the Guid to be set by user code in the ClientConnected event hander // Useful when using Authentication to allow the client to be associated with a user. CancellationTokenSource _responseEndCts = new CancellationTokenSource(); ServerSentEventsClient client = new ServerSentEventsClient(Guid.NewGuid(), context.User, context.Response, _logger, _responseEndCts); _logger.LogDebug($"{DateTime.Now.ToString()} : Invoke: Client Connected: ConnectedAt: {client.ConnectedAt} User.Identity.Name: {client.User?.Identity?.Name}"); if (_serverSentEventsService.ReconnectInterval.HasValue) { await client.ChangeReconnectIntervalAsync(_serverSentEventsService.ReconnectInterval.Value, CancellationToken.None); } await AddClientAsync(context.Request, client); _responseEndCts.Token.Register(() => _logger.LogDebug("{0} : Invoke: _responseEndCts.Token has been cancelled", DateTime.Now.ToString())); //await context.RequestAborted.WaitAsync(); // Wait until the task completes or the _responseEndCts token triggers await Task.WhenAny(context.RequestAborted.WaitAsync(), Task.Delay(Timeout.Infinite, _responseEndCts.Token)); await RemoveClientAsync(context.Request, client); } else { await _next(context); } }
public ProjectGuestContextModule( IMetadataRegistry metadataRegistry, IPolicyEvaluator policyEvaluator, IProjectGuestContextController projectGuestContextController, ILoggerFactory loggerFactory) : base(GuestServiceBootstrapper.ServiceNameShort, metadataRegistry, policyEvaluator, loggerFactory) { _projectGuestContextController = projectGuestContextController; CreateRoute("SetProjectGuestContext", HttpMethod.Post, Routing.ProjectGuestContextRoute, SetProjectGuestContextAsync) .Description("Sets the project guest context and creates guest sessions") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(ProjectGuestContext.Example)); }
public MachinesModule( IMachinesController machineController, IMetadataRegistry metadataRegistry, IPolicyEvaluator policyEvaluator, ILoggerFactory loggerFactory) : base(ServiceInformation.ServiceNameShort, metadataRegistry, policyEvaluator, loggerFactory) { _machinesController = machineController; this.RequiresAuthentication(); CreateRoute("CreateMachine", HttpMethod.Post, Routing.Machines, CreateMachineAsync) .Description("Create a new machine resource") .StatusCodes(HttpStatusCode.Created, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.BadRequest, HttpStatusCode.InternalServerError) .RequestFormat(Machine.Example()) .ResponseFormat(Machine.Example()); CreateRoute("GetMachineById", HttpMethod.Get, Routing.MachinesWithId, GetMachineByIdAsync) .Description("Gets a machine by its unique identifier") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError, HttpStatusCode.NotFound) .ResponseFormat(Machine.Example()); CreateRoute("GetMachineByKey", HttpMethod.Get, Routing.Machines, GetMachineByKeyAsync, c => c.Request.Query.ContainsKey("machinekey")) .Description("Get a machine by machine key") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError, HttpStatusCode.NotFound) .ResponseFormat(Machine.Example()); CreateRoute("UpdateMachine", HttpMethod.Put, Routing.MachinesWithId, UpdateMachineAsync) .Description("Update a Principal resource.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError, HttpStatusCode.NotFound) .RequestFormat(Machine.Example()) .ResponseFormat(Machine.Example()); CreateRoute("DeleteMachine", HttpMethod.Delete, Routing.MachinesWithId, DeleteMachineAsync) .Description("Deletes a machine") .StatusCodes(HttpStatusCode.NoContent, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError); CreateRoute("ChangeMachineTenant", HttpMethod.Put, Routing.ChangeMachineTenant, ChangeMachineTenantAsync) .Description("Changes a machine's tenant") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError, HttpStatusCode.NotFound) .RequestFormat(Machine.Example()) .ResponseFormat(Machine.Example()); CreateRoute("GetTenantMachines", HttpMethod.Get, Routing.Machines, GetTenantMachinesAsync, c => !c.Request.Query.ContainsKey("machinekey")) .Description("Retrieves a list of machines for the tenant") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError, HttpStatusCode.NotFound) .ResponseFormat(new List <Machine> { Machine.Example() }); }
/// <inheritdoc /> public ProjectLobbyStateModule(IMetadataRegistry metadataRegistry, IPolicyEvaluator policyEvaluator, ILoggerFactory loggerFactory, IProjectLobbyStateController projectLobbyStateController) : base(GuestServiceBootstrapper.ServiceNameShort, metadataRegistry, policyEvaluator, loggerFactory) { _projectLobbyStateController = projectLobbyStateController; CreateRoute("GetProjectLobbyState", HttpMethod.Get, $"{Routing.ProjectsRoute}/{{projectId:guid}}/{Routing.ProjectLobbyStatePath}", GetProjectLobbyStateAsync) .Description("Retrieves lobby state for a project.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.NotFound, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new ProjectLobbyState())); CreateRoute("RecalculateProjectLobbyState", HttpMethod.Put, $"{Routing.ProjectsRoute}/{{projectId:guid}}/{Routing.ProjectLobbyStatePath}", RecalculateProjectLobbyStateAsync) .Description("Recalculates the the lobby state of a project.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.NotFound, HttpStatusCode.InternalServerError) .ResponseFormat(ProjectLobbyState.Example()); }
public GuestInviteModule( IMetadataRegistry metadataRegistry, IPolicyEvaluator policyEvaluator, IGuestInviteController guestInviteController, ILoggerFactory loggerFactory) : base(GuestServiceBootstrapper.ServiceNameShort, metadataRegistry, policyEvaluator, loggerFactory) { // Init DI _guestInviteController = guestInviteController; // initialize routes CreateRoute("CreateGuestInvite", HttpMethod.Post, Routing.GuestInvitesRoute, CreateGuestInviteAsync) .Description("Create a specific GuestInvite resource.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new GuestInvite())); CreateRoute("GetGuestInvite", HttpMethod.Get, $"{Routing.GuestInvitesRoute}/{{id:guid}}", GetGuestInviteAsync) .Description("Retrieves a specific GuestInvite resource.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.NotFound, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new GuestInvite())); CreateRoute("GetGuestInvites", HttpMethod.Get, $"{Routing.ProjectsRoute}/{{projectId:guid}}/{Routing.GuestInvitesPath}", GetValidGuestInvitesByProjectIdAsync) .Description("Gets All GuestInvites for a specific Project.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new List <GuestInvite> { new GuestInvite() })); CreateRoute("GetGuestInvitesForUserAsync", HttpMethod.Post, $"{Routing.UsersRoute}/{Routing.GuestInvitesPath}", GetGuestInvitesForUserAsync) .Description("Gets All GuestInvites for a specific User.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new List <GuestInvite> { new GuestInvite() })); CreateRoute("UpdateGuestInvite", HttpMethod.Put, $"{Routing.GuestInvitesRoute}/{{id:guid}}", UpdateGuestInviteAsync) .Description("Update a specific GuestInvite resource.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.NotFound, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new GuestInvite())); CreateRoute("IsGuestRegistrationRequired", HttpMethod.Get, $"{Routing.GuestInvitesRoute}/{Routing.IsGuestRegistrationRequiredPath}", IsGuestRegistrationRequired) .Description("Check if the guest user require registration.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Forbidden, HttpStatusCode.NotFound, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(true)); }
public GuestTenantModule( IMetadataRegistry metadataRegistry, IPolicyEvaluator policyEvaluator, IGuestTenantController tenantController, ILoggerFactory loggerFactory) : base(GuestServiceBootstrapper.ServiceNameShort, metadataRegistry, policyEvaluator, loggerFactory) { // Init DI _tenantController = tenantController; // initialize routes CreateRoute("GetGuestTenantIdsForCurrentUser", HttpMethod.Get, Routing.GuestTenantIdsRoute, GetTenantIdsForCurrentUserAsync) .Description("Retrieves the list of tenantids for a guest user") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError) .ResponseFormat(new List <Guid> { Guid.Empty }); }
public UserInviteModule( IUserInvitesController userInvitesController, IMetadataRegistry metadataRegistry, IPolicyEvaluator policyEvaluator, ILoggerFactory loggerFactory) : base(ServiceInformation.ServiceNameShort, metadataRegistry, policyEvaluator, loggerFactory) { _userInviteController = userInvitesController; this.RequiresAuthentication(); CreateRoute("CreateUserInviteListForTenant", HttpMethod.Post, Routing.UserInvites, _ => CreateUserInviteListForTenantAsync()) .Description("Email invites for passed user list") .StatusCodes(HttpStatusCode.Created, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.BadRequest, HttpStatusCode.InternalServerError) .RequestFormat(new List <UserInvite> { UserInvite.Example() }) .ResponseFormat(new List <UserInvite> { UserInvite.Example() }); CreateRoute("ResendEmailInvitation", HttpMethod.Post, Routing.ResendUserInvites, _ => ResendEmailInvitationAsync()) .Description("Resend Email invites for passed user list") .StatusCodes(HttpStatusCode.Created, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.BadRequest, HttpStatusCode.InternalServerError) .RequestFormat(new List <UserInvite> { UserInvite.Example() }) .ResponseFormat(new List <UserInvite> { UserInvite.Example() }); CreateRoute("GetUserInvitesForTenantAsync", HttpMethod.Get, Routing.UserInvites, GetUsersInvitedForTenantAsync) .Description("Gets all invited users for Tenant") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError, HttpStatusCode.NotFound) .ResponseFormat(new PagingMetadata <UserInvite> { List = new List <UserInvite> { UserInvite.Example() } }); }
/// <summary> /// Invokes an IPolicyEvaluator to evaluate the given XML element in the given /// context. An evaluator for the element must be registered in the PolicyManager /// configuration (.config) file. Mappings are registered by element schema namespaces. /// </summary> /// <param name="element">The element to evaluate.</param> /// <param name="context">The context under which to evaluate this element</param> /// <returns>The EvaluationResult that the evaluator returns.</returns> public static EvaluationResult invokeEvaluator(XmlElement element, IContext context) { EvaluationResult result = null; // get class that corresponds to this element // we use the namespace attribute for this tag string className = (string)evaluatorMappings[element.NamespaceURI]; if (className == null) { return(new EvaluationResult(TAG, false, "Evaluator class not found for tag " + element.LocalName + " in namespace " + element.NamespaceURI)); } // check if an evaluator for this class is already instantiated IPolicyEvaluator evaluator = (IPolicyEvaluator)evaluators[className]; if (evaluator == null) { // try to instantiate this evaluator Type type = Type.GetType(className); object o = Activator.CreateInstance(type); if (o == null || !(o is IPolicyEvaluator)) { return(new EvaluationResult(TAG, false, "Could not load evaluator for " + element.LocalName)); } debug("instantiated evaluator for class " + className); evaluator = (IPolicyEvaluator)o; evaluators.Add(className, evaluator); } // now invoke the evaluator! result = evaluator.evaluateExpression(element, context); return(result); }
public GroupsModule( IGroupsController groupsController, IMetadataRegistry metadataRegistry, IPolicyEvaluator policyEvaluator, ILoggerFactory loggerFactory) : base(ServiceInformation.ServiceNameShort, metadataRegistry, policyEvaluator, loggerFactory) { _groupsController = groupsController; this.RequiresAuthentication(); CreateRoute("CreateGroup", HttpMethod.Post, Routing.Groups, CreateGroupAsync) .Description("Creates a new group") .StatusCodes(HttpStatusCode.Created, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.BadRequest, HttpStatusCode.InternalServerError) .RequestFormat(Group.Example()) .ResponseFormat(Group.Example()); CreateRoute("GetGroupById", HttpMethod.Get, Routing.GroupsWithId, GetGroupByIdAsync) .Description("Get a group by its unique identifier") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError, HttpStatusCode.NotFound) .ResponseFormat(Group.Example()); CreateRoute("GetGroupsForTenant", HttpMethod.Get, Routing.Groups, GetGroupsForTenantAsync) .Description("Get Group for a tenant") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError, HttpStatusCode.NotFound) .ResponseFormat(Group.Example()); CreateRoute("DeleteGroup", HttpMethod.Delete, Routing.GroupsWithId, DeleteGroupAsync) .Description("Deletes a Group") .StatusCodes(HttpStatusCode.NoContent, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError); CreateRoute("UpdateGroup", HttpMethod.Put, Routing.Groups, UpdateGroupAsync) .Description("Updates an existing Group") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError, HttpStatusCode.NotFound) .RequestFormat(Group.Example()) .ResponseFormat(Group.Example()); }
public AuthorizePageHandlerFilter(IAuthorizationPolicyProvider polP, IPolicyEvaluator polE) { policyProvider = polP; policyEval = polE; }
public async Task InvokeAsyncTest() { IServiceProvider serviceProvider = CreateServices(); //未指定权限时且为指定FallbackPolicy时 匿名用户可访问 using (IServiceScope serviceScope = serviceProvider.CreateScope()) { IServiceProvider scopeServiceProvider = serviceScope.ServiceProvider; var next = new TestRequestDelegate(); var middleware = CreateMiddleware(next.Invoke, scopeServiceProvider.GetRequiredService <IPolicyCombiner>()); var context = GetHttpContext(scopeServiceProvider); IPolicyEvaluator policyEvaluator = scopeServiceProvider.GetRequiredService <IPolicyEvaluator>(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(null), policyEvaluator); next.Called.ShouldBeTrue(); } //未指定权限但是指定FallbackPolicy时 serviceProvider = CreateServices(services => { services.AddScoped <IAuthorizationPolicyProvider>(sp => { var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build(); var policyProvider = new Mock <IAuthorizationPolicyProvider>(); policyProvider.Setup(p => p.GetFallbackPolicyAsync()).ReturnsAsync(policy); return(policyProvider.Object); }); }); using (IServiceScope serviceScope = serviceProvider.CreateScope()) { IServiceProvider scopeServiceProvider = serviceScope.ServiceProvider; var next = new TestRequestDelegate(); var middleware = CreateMiddleware(next.Invoke, scopeServiceProvider.GetRequiredService <IPolicyCombiner>()); var context = GetHttpContext(scopeServiceProvider); IPolicyEvaluator policyEvaluator = scopeServiceProvider.GetRequiredService <IPolicyEvaluator>(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(null), policyEvaluator); next.Called.ShouldBeFalse(); } serviceProvider = CreateServices(); using (IServiceScope serviceScope = serviceProvider.CreateScope()) { IServiceProvider scopeServiceProvider = serviceScope.ServiceProvider; var next = new TestRequestDelegate(); var middleware = CreateMiddleware(next.Invoke, scopeServiceProvider.GetRequiredService <IPolicyCombiner>()); IPolicyEvaluator policyEvaluator = scopeServiceProvider.GetRequiredService <IPolicyEvaluator>(); //允许匿名访问 var context = GetHttpContext(scopeServiceProvider); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { AllowedAnonymous = true }), policyEvaluator); next.Called.ShouldBeTrue(); //拒绝所有 next.Reset(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { DeniedAll = true }), policyEvaluator); next.Called.ShouldBeFalse(); //允许所有登录者 访问 next.Reset(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { AllowedAllRoles = true }), policyEvaluator); next.Called.ShouldBeFalse(); next.Reset(); ClaimsPrincipal principal = new ClaimsPrincipal(); ClaimsIdentity basicIdentity = new ClaimsIdentity(new Claim[] { new Claim("Permission", "CanViewPage"), new Claim(ClaimTypes.Role, "Administrator"), new Claim(ClaimTypes.Role, "User"), new Claim(ClaimTypes.NameIdentifier, "John") }, "Basic", ClaimTypes.NameIdentifier, ClaimTypes.Role); principal.AddIdentity(basicIdentity); context = GetHttpContext(scopeServiceProvider, principal); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { AllowedAllRoles = true }), policyEvaluator); next.Called.ShouldBeTrue(); // 角色验证 next.Reset(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { AllowedRoles = new string[] { "User" } }), policyEvaluator); next.Called.ShouldBeTrue(); next.Reset(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { AllowedRoles = new string[] { "userRole" } }), policyEvaluator); next.Called.ShouldBeFalse(); //用户Id next.Reset(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { AllowedUsers = new string[] { "user0" } }), policyEvaluator); next.Called.ShouldBeFalse(); next.Reset(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { AllowedUsers = new string[] { "John" } }), policyEvaluator); next.Called.ShouldBeTrue(); next.Reset(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { AllowedRoles = new string[] { "role0", "role1" }, AllowedUsers = new string[] { "user0" } }), policyEvaluator); next.Called.ShouldBeFalse(); next.Reset(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { AllowedRoles = new string[] { "role0", "role1" }, AllowedUsers = new string[] { "John" } }), policyEvaluator); next.Called.ShouldBeTrue(); next.Reset(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { AllowedRoles = new string[] { "Administrator", "role1" }, AllowedUsers = new string[] { "John00" } }), policyEvaluator); next.Called.ShouldBeTrue(); next.Reset(); await middleware.InvokeAsync(context, MockAuthorizeDataManager(new AuthorizeData() { AllowedRoles = new string[] { "Administrator", "role1" }, AllowedUsers = new string[] { "John" } }), policyEvaluator); next.Called.ShouldBeTrue(); } }
public AuthorizeTagHelper(IHttpContextAccessor httpContextAccessor, IAuthorizationPolicyProvider policyProvider, IPolicyEvaluator policyEvaluator) { _httpContextAccessor = httpContextAccessor; _policyProvider = policyProvider; _policyEvaluator = policyEvaluator; }
public AuthorizationMiddleware(RequestDelegate next, AuthOptions options, IPolicyEvaluator policyEvaluator) { _next = next; _options = options; _policyEvaluator = policyEvaluator; }
public GuestSessionModule( IMetadataRegistry metadataRegistry, IPolicyEvaluator policyEvaluator, IGuestSessionController guestSessionController, ILoggerFactory loggerFactory) : base(GuestServiceBootstrapper.ServiceNameShort, metadataRegistry, policyEvaluator, loggerFactory) { // Init DI _guestSessionController = guestSessionController; // Initialize Routes CreateRoute("GetGuestSession", HttpMethod.Get, $"{Routing.GuestSessionsRoute}/{{id:guid}}", GetGuestSessionAsync) .Description("Retrieve a specific GuestSession resource.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.NotFound, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new GuestSession())); CreateRoute("DeleteGuestSession", HttpMethod.Delete, $"{Routing.GuestSessionsRoute}/{{id:guid}}", DeleteGuestSessionAsync) .Description("Delete a specific GuestSession resource.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError); CreateRoute("UpdateGuestSession", HttpMethod.Put, $"{Routing.GuestSessionsRoute}/{{id:guid}}", UpdateGuestSessionAsync) .Description("Update a specific GuestSession resource.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.NotFound, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new GuestSession())); CreateRoute("UpdateGuestSessionState", HttpMethod.Put, Routing.UpdateGuestSessionStateRoute, UpdateGuestSessionStateAsync) .Description("Updates the guest session state") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.NotFound, HttpStatusCode.InternalServerError) .RequestFormat(UpdateGuestSessionStateRequest.Example) .ResponseFormat(UpdateGuestSessionStateResponse.Example); CreateRoute("GetGuestSessions", HttpMethod.Get, $"{Routing.ProjectsRoute}/{{projectId:guid}}/{Routing.GuestSessionsPath}", GetGuestSessionsByProjectIdAsync) .Description("Gets all valid GuestSessions for a specific project, excluding those with a GuestState of PromotedToProjectMember.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new List <GuestSession> { new GuestSession() })); CreateRoute("GetGuestSessionsByProjectForCurrentUser", HttpMethod.Get, $"{Routing.GetGuestSessionsByProjectForCurrentUserRoute}", GetGuestSessionsByProjectIdForCurrentUserAsync) .Description("Gets all valid GuestSessions for a specific project and the requesting user, excluding those with a GuestState of PromotedToProjectMember.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.NotFound, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new List <GuestSession> { new GuestSession() })); CreateRoute("GetGuestSessionsByProjectForUser", HttpMethod.Get, $"{Routing.GetGuestSessionsByProjectForUserRoute}", GetGuestSessionsByProjectIdForUserAsync) .Description("Gets all valid GuestSessions for a specific project and user.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.NotFound, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new List <GuestSession> { new GuestSession() })); CreateRoute("VerifyGuest", HttpMethod.Post, Routing.VerifyGuestRoute, VerifyGuestAsync) .Description("Verify guest resource.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new GuestVerificationResponse())); CreateRoute("EmailHost", HttpMethod.Post, $"{Routing.GuestSessionsRoute}/{Routing.ProjectsPath}/{{accessCode}}/{Routing.EmailHostPath}", EmailHostAsync) .Description("Send email to project host.") .StatusCodes(HttpStatusCode.OK, HttpStatusCode.BadRequest, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.NotFound, HttpStatusCode.InternalServerError) .ResponseFormat(JsonConvert.SerializeObject(new SendHostEmailResponse())); }
public async Task InvokeAsync(HttpContext context, IAuthorizeDataManager authorizeDataManager, IPolicyEvaluator policyEvaluator) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var endpoint = context.GetEndpoint(); if (endpoint != null) { // EndpointRoutingMiddleware uses this flag to check if the Authorization middleware processed auth metadata on the endpoint. // The Authorization middleware can only make this claim if it observes an actual endpoint. context.Items[AuthorizationMiddlewareInvokedWithEndpointKey] = AuthorizationMiddlewareWithEndpointInvokedValue; } var authorizeData = await authorizeDataManager.GetAuthorizeDataAsync(); if (authorizeData?.AllowedAnonymous == true) { await _next(context); return; } var policy = await _policyCombiner.CombineAsync(authorizeData); if (policy == null) { await _next(context); return; } var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context); // Note that the resource will be null if there is no matched endpoint var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, resource : endpoint); if (authorizeResult.Challenged) { if (policy.AuthenticationSchemes.Any()) { foreach (var scheme in policy.AuthenticationSchemes) { await context.ChallengeAsync(scheme); } } else { await context.ChallengeAsync(); } return; } else if (authorizeResult.Forbidden) { if (policy.AuthenticationSchemes.Any()) { foreach (var scheme in policy.AuthenticationSchemes) { await context.ForbidAsync(scheme); } } else { await context.ForbidAsync(); } return; } await _next(context); }
public AuthorizationHandler(IPolicyEvaluator policyEvaluator) { this.policyEvaluator = policyEvaluator; }
public UnAuthorizedRoleTagHelper(IHttpContextAccessor httpContextAccessor, IAuthorizationPolicyProvider policyProvider, IPolicyEvaluator policyEvaluator) { this.httpContextAccessor = httpContextAccessor; authPolicyProvider = policyProvider; this.policyEvaluator = policyEvaluator; }
public SwaggerAuthorizedMiddleware(RequestDelegate next, IPolicyEvaluator policyEvaluator) { _next = next; _policyEvaluator = policyEvaluator; }
public async Task Invoke(HttpContext context, IProxyApplicationService applicationService, IPolicyEvaluator policyEvaluator) { var activeApplication = applicationService.GetActiveApplication(); var mode = context.Request.PathBase == ProxyMetaEndpoints.PathBase ? PathAuthOptions.AuthMode.Web : activeApplication.GetPathMode(context.Request.Path); if (!mode.HasValue) { context.Response.StatusCode = (int)HttpStatusCode.Forbidden; context.SetErrorDetail(Errors.Code.UnconfiguredPath, "Path has no authentication method configured."); return; } if (mode == PathAuthOptions.AuthMode.None) { await _next(context); return; } var policyName = mode == PathAuthOptions.AuthMode.Web ? ProxyAuthComponents.GetWebPolicyName(activeApplication) : ProxyAuthComponents.GetApiPolicyName(activeApplication); var policy = await _policyProvider.GetPolicyAsync(policyName); var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context); var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, null); var telemetry = context.Features.Get <RequestTelemetry>(); if (telemetry != null && authenticateResult.Succeeded) { telemetry.Context.User.Id = context.User.Identity.Name; } if (authorizeResult.Challenged) { await context.ChallengeAsync(policy.AuthenticationSchemes.First()); } else if (authorizeResult.Forbidden) { await context.ForbidAsync(policy.AuthenticationSchemes.First()); } else { await _next(context); } }