protected async Task HandleRequirementAsync(AuthorizationHandlerContext context, ResourceIdRequirement requirement) { var resourceClaims = context.User.FindAll($"{Constants.RESOURCE_ID_CLAIM_TYPE}:{requirement.PolicyName}"); var tenantId = await _tenantIdProvider.CurrentTenantId(); var accessibleResources = new string[0]; foreach (var resourceClaim in resourceClaims) { var tenantResourceMapping = string.IsNullOrEmpty(resourceClaim.Value) ? new string[0] : resourceClaim.Value.Split('_'); if (tenantResourceMapping.Length == 2 && tenantResourceMapping[1].Equals(tenantId.ToString())) { accessibleResources = tenantResourceMapping[0].Split(','); break; } } bool succeeded = false; if (await _resourceIdProvider.IsSpecificResourceId()) { succeeded = accessibleResources.Contains((await _resourceIdProvider.CurrentResourceId()).ToString()) || accessibleResources.Contains(Constants.RESOURCE_ID_WILDCARD); } else { succeeded = accessibleResources.Contains(Constants.RESOURCE_ID_WILDCARD); } if (succeeded) { context.Succeed(requirement); } }
public override async Task <AuthorizationPolicy> GetPolicyAsync(string policyName) { var policy = await base.GetPolicyAsync(policyName); var tenant = await _tenantProvider.CurrentTenantId(); if (policy == null || await _iamProvider.NeedsUpdate(policyName, tenant, _iamProviderCache)) { var iamRoles = await _iamProvider.GetRequiredRoles(policyName, tenant, _iamProviderCache); var iamClaim = await _iamProvider.GetRequiredClaim(policyName, tenant, _iamProviderCache); var isResourceIdAccessRequired = await _iamProvider.IsResourceIdAccessRequired(policyName, tenant, _iamProviderCache); var builder = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser(); if (iamRoles != null) { var _iamRoles = !string.IsNullOrEmpty(iamClaim) ? new List <string>(iamRoles).Union(new List <string>() { iamClaim }) : iamRoles; if (iamRoles.Count > 0) { builder.RequireRole(_iamRoles.Select(x => x.ToMultiTenantRoleName(tenant))); } } else if (!string.IsNullOrEmpty(iamClaim)) { builder.RequireRole(iamClaim.ToMultiTenantRoleName(tenant)); } if (isResourceIdAccessRequired) { builder.AddRequirements(new ResourceIdRequirement(policyName)); } policy = builder .Build(); } return(policy); }