/// <summary> /// Check the authorization for a <see cref="IPrincipal"/> for an <see cref="Activity"/>. /// </summary> /// <param name="activity"></param> /// <param name="principal"></param> /// <param name="defaultAuthorization"></param> /// <returns></returns> public static AuthorizationReason IsAuthorized(this IPrincipal principal, Activity activity, bool defaultAuthorization) { var reason = new AuthorizationReason { Resource = activity.Resource, Action = activity.Action, Principal = principal, NoDecision = true, IsAuthorized = defaultAuthorization, }; // Authentication takes precedence over everything if (principal.Identity.IsAuthenticated == false && activity.AllowUnauthenticated.HasValue) { reason.NoDecision = false; reason.Reason = "IsAuthenticated: false"; // Determined by the allowUnauthenticated reason.IsAuthorized = activity.AllowUnauthenticated.Value; } // Check the denies first, must take precedence over the allows else if (principal.HasPermission(activity.Deny, reason)) { // Have an explicit deny. reason.NoDecision = false; reason.IsAuthorized = false; } else if (principal.HasPermission(activity.Allow, reason)) { // Have an explity allow. reason.NoDecision = false; reason.IsAuthorized = true; } else if (activity.Default.HasValue) { // Default authorization on the activity. reason.NoDecision = false; reason.Reason = "Default: " + activity.Default.Value; reason.IsAuthorized = activity.Default.Value; } return(reason); }
/// <copydoc cref="IActivityAuthorizer.IsAuthorizedAsync" /> public async Task <AuthorizationReason> IsAuthorizedAsync(string resource, string action, IPrincipal principal, IDictionary <string, object> values = null, CancellationToken cancellationToken = default(CancellationToken)) { var scope = await scopeProvider.AuthorizationScopeAsync(cancellationToken).ConfigureAwait(false); if (scope == null) { Logger.Warn("No data returned from scope provider"); scope = new AuthorizationScope { Name = "Default" }; } var activities = scope.Activities.ToDictionary(); // Get the state for this request var defaultAuthorization = scope.DefaultAuthorization ?? DefaultAuthorization; var defaultActivity = scope.DefaultActivity ?? DefaultActivity; var defaultAllowUnauthenticated = scope.AllowUnauthenticated ?? DefaultAllowUnauthenticated; // Set up the reason var reason = new AuthorizationReason { Resource = resource, Action = action, Principal = principal, // We will always make a decision at this level NoDecision = false, IsAuthorized = defaultAuthorization }; // Do a short-circuit check for the unauthenticated state, will be overridden if there is a matching activity if (!defaultAllowUnauthenticated && !principal.Identity.IsAuthenticated) { reason.IsAuthorized = false; reason.Reason = "IsAuthenticated: false"; } // Check the activities foreach (var activity in activities.FindActivities(resource, action, defaultActivity)) { var rs = principal.IsAuthorized(activity, defaultAuthorization); if (rs.NoDecision) { // Try the next one continue; } // Ok, we have a decision reason.IsAuthorized = rs.IsAuthorized; reason.Identity = rs.Identity; if (reason.Resource != rs.Resource || reason.Action != rs.Action) { // Decided based on some other activity, so say what that was reason.PrincipalReason = rs; } else { // Preserve the reason information reason.Reason = rs.Reason; } // We are done as we have a decision break; } if (!reason.IsAuthorized) { Logger.InfoFormat("Failed authorization: User '{0}', Resource: '{1}', Action: '{2}'", principal == null ? "<Unknown>" : principal.Identity.Name, resource, action); } return(reason); }
public static bool?IsAuthorized(this ClaimsIdentity identity, Activity activity, AuthorizationReason reason) { // Authentication takes precedence over everything if (identity.IsAuthenticated == false && activity.AllowUnauthenticated.HasValue) { reason.NoDecision = false; reason.Reason = "IsAuthenticated: false"; // Determined by the allowUnauthenticated reason.IsAuthorized = activity.AllowUnauthenticated.Value; reason.Identity = identity; return(reason.IsAuthorized); } // Check the denies first, must take precedence over the allows if (identity.HasPermission(activity.Deny, reason)) { // Have an explicit deny. reason.NoDecision = false; reason.IsAuthorized = false; reason.Identity = identity; return(reason.IsAuthorized); } if (identity.HasPermission(activity.Allow, reason)) { // Have an explity allow. reason.NoDecision = false; reason.IsAuthorized = true; reason.Identity = identity; return(reason.IsAuthorized); } return(null); }
/// <summary> /// Check whether the principal has the specified <see cref="Permission"/> /// </summary> /// <param name="identity"></param> /// <param name="permission"></param> /// <param name="reason"></param> /// <returns></returns> public static bool HasPermission(this ClaimsIdentity identity, Permission permission, AuthorizationReason reason) { // Check user over roles var user = permission.HasUser(identity); if (!string.IsNullOrEmpty(user)) { reason.Reason = "User: "******"Role: " + role; return(true); } var claim = permission.HasClaim(identity); if (!string.IsNullOrEmpty(claim)) { // Record the claim that passes reason.Reason = "Claim: " + claim; return(true); } return(false); }
/// <summary> /// Check whether the principal has the specified <see cref="Permission"/> /// </summary> /// <param name="principal"></param> /// <param name="permission"></param> /// <param name="reason"></param> /// <returns></returns> public static bool HasPermission(this IPrincipal principal, Permission permission, AuthorizationReason reason) { if (!(principal is ClaimsPrincipal claimsPrincipal)) { return(false); } // Check user over roles foreach (var identity in claimsPrincipal.Identities) { var user = permission.HasUser(identity); if (!string.IsNullOrEmpty(user)) { reason.Reason = "User: "******"Role: " + role; reason.Identity = identity; return(true); } } foreach (var identity in claimsPrincipal.Identities) { var claim = permission.HasClaim(identity); if (!string.IsNullOrEmpty(claim)) { // Record the claim that passes reason.Reason = "Claim: " + claim; reason.Identity = identity; return(true); } } return(false); }