// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Mvc.Core;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Mvc.Internal;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
namespace Microsoft.AspNetCore.Mvc.Authorization
{
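/// <summary>
/// An implementation of <see cref="IAsyncAuthorizationFilter"/> which applies a specific
/// <see cref="AuthorizationPolicy"/>. MVC recognizes the <see cref="AuthorizeAttribute"/> and adds an instance of
/// this filter to the associated action or controller.
/// </summary>
/// <remarks>
/// The filter reports itself as reusable and returns itself from the filter factory once it carries a policy or a
/// policy provider, so one instance may serve many requests. The only per-instance state it mutates is the lazily
/// resolved <see cref="MvcOptions"/> and the cached effective policy.
/// </remarks>
public class AuthorizeFilter : IAsyncAuthorizationFilter, IFilterFactory
{
    // Resolved from the request services on first use and then kept for the lifetime of the instance.
    private MvcOptions _mvcOptions;

    // Effective policy computed on an earlier request; only stored when no policy provider took part in
    // computing it (see GetEffectivePolicyAsync).
    private AuthorizationPolicy _effectivePolicy;

    /// <summary>
    /// Initializes a new <see cref="AuthorizeFilter"/> instance.
    /// </summary>
    /// <remarks>
    /// Equivalent to passing a single default <see cref="AuthorizeAttribute"/> as the authorize data.
    /// </remarks>
    public AuthorizeFilter()
        : this(authorizeData: new[] { new AuthorizeAttribute() })
    {
    }

    /// <summary>
    /// Initialize a new <see cref="AuthorizeFilter"/> instance.
    /// </summary>
    /// <param name="policy">Authorization policy to be used.</param>
    /// <exception cref="ArgumentNullException"><paramref name="policy"/> is <c>null</c>.</exception>
    public AuthorizeFilter(AuthorizationPolicy policy)
    {
        if (policy == null)
        {
            throw new ArgumentNullException(nameof(policy));
        }

        Policy = policy;
    }

    /// <summary>
    /// Initialize a new <see cref="AuthorizeFilter"/> instance.
    /// </summary>
    /// <param name="policyProvider">The <see cref="IAuthorizationPolicyProvider"/> to use to resolve policy names.</param>
    /// <param name="authorizeData">The <see cref="IAuthorizeData"/> to combine into an <see cref="AuthorizationPolicy"/>.</param>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="authorizeData"/> or <paramref name="policyProvider"/> is <c>null</c>.
    /// </exception>
    public AuthorizeFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
        : this(authorizeData)
    {
        if (policyProvider == null)
        {
            throw new ArgumentNullException(nameof(policyProvider));
        }

        PolicyProvider = policyProvider;
    }

    /// <summary>
    /// Initializes a new instance of <see cref="AuthorizeFilter"/>.
    /// </summary>
    /// <param name="authorizeData">The <see cref="IAuthorizeData"/> to combine into an <see cref="AuthorizationPolicy"/>.</param>
    /// <exception cref="ArgumentNullException"><paramref name="authorizeData"/> is <c>null</c>.</exception>
    public AuthorizeFilter(IEnumerable<IAuthorizeData> authorizeData)
    {
        if (authorizeData == null)
        {
            throw new ArgumentNullException(nameof(authorizeData));
        }

        AuthorizeData = authorizeData;
    }

    /// <summary>
    /// Initializes a new instance of <see cref="AuthorizeFilter"/>.
    /// </summary>
    /// <param name="policy">The name of the policy to require for authorization.</param>
    public AuthorizeFilter(string policy)
        : this(new[] { new AuthorizeAttribute(policy) })
    {
    }

    /// <summary>
    /// The <see cref="IAuthorizationPolicyProvider"/> to use to resolve policy names.
    /// </summary>
    public IAuthorizationPolicyProvider PolicyProvider { get; }

    /// <summary>
    /// The <see cref="IAuthorizeData"/> to combine into an <see cref="AuthorizationPolicy"/>.
    /// </summary>
    public IEnumerable<IAuthorizeData> AuthorizeData { get; }

    /// <summary>
    /// Gets the authorization policy to be used.
    /// </summary>
    /// <remarks>
    /// If <c>null</c>, the policy will be constructed using
    /// <see cref="AuthorizationPolicy.CombineAsync(IAuthorizationPolicyProvider, IEnumerable{IAuthorizeData})"/>.
    /// </remarks>
    public AuthorizationPolicy Policy { get; }

    bool IFilterFactory.IsReusable => true;

    // Returns the policy this filter contributes on its own: the explicit Policy when one was supplied,
    // otherwise the policy built from AuthorizeData through PolicyProvider.
    private async Task<AuthorizationPolicy> ComputePolicyAsync()
    {
        if (Policy != null)
        {
            return Policy;
        }

        if (PolicyProvider == null)
        {
            // Neither an explicit policy nor a way to build one: refuse to run rather than skip the check.
            throw new InvalidOperationException(
                Resources.FormatAuthorizeFilter_AuthorizationPolicyCannotBeCreated(
                    nameof(AuthorizationPolicy),
                    nameof(IAuthorizationPolicyProvider)));
        }

        return await AuthorizationPolicy.CombineAsync(PolicyProvider, AuthorizeData);
    }

    // Computes the policy to enforce for the current request. Returns null when this filter has nothing to
    // enforce itself; OnAuthorizationAsync then performs no check.
    private async Task<AuthorizationPolicy> GetEffectivePolicyAsync(AuthorizationFilterContext context)
    {
        // NOTE(review): the cache is consulted before IsEffectivePolicy, so an instance that cached a combined
        // policy keeps enforcing it even on requests where a different filter is the effective one.
        if (_effectivePolicy != null)
        {
            return _effectivePolicy;
        }

        if (_mvcOptions == null)
        {
            _mvcOptions = context.HttpContext.RequestServices.GetRequiredService<IOptions<MvcOptions>>().Value;
        }

        var combineFilters = _mvcOptions.AllowCombiningAuthorizeFilters;
        if (combineFilters && !context.IsEffectivePolicy<AuthorizeFilter>(this))
        {
            // Another filter is the effective one and evaluates the combined policy.
            return null;
        }

        var effectivePolicy = await ComputePolicyAsync();

        // A provider may resolve names differently per call, so its results are never cached.
        var canCache = PolicyProvider == null;

        if (combineFilters)
        {
            // Combine all authorize filters into single effective policy that's only run on the closest filter
            AuthorizationPolicyBuilder builder = null;
            for (var i = 0; i < context.Filters.Count; i++)
            {
                if (ReferenceEquals(this, context.Filters[i]))
                {
                    continue;
                }

                if (context.Filters[i] is AuthorizeFilter authorizeFilter)
                {
                    // A filter built from authorize data plus a policy provider has no explicit Policy, and
                    // Combine rejects null, so the other filter's policy is computed instead of read from
                    // its Policy property.
                    var otherPolicy = await authorizeFilter.ComputePolicyAsync();
                    canCache = canCache && authorizeFilter.PolicyProvider == null;

                    if (otherPolicy == null)
                    {
                        // The provider produced no policy for that filter; there is nothing to merge.
                        continue;
                    }

                    if (builder == null)
                    {
                        builder = effectivePolicy == null
                            ? new AuthorizationPolicyBuilder()
                            : new AuthorizationPolicyBuilder(effectivePolicy);
                    }

                    builder.Combine(otherPolicy);
                }
            }

            effectivePolicy = builder?.Build() ?? effectivePolicy;
        }

        // We can cache the effective policy when there is no custom policy provider
        if (canCache)
        {
            _effectivePolicy = effectivePolicy;
        }

        return effectivePolicy;
    }

    /// <inheritdoc />
    /// <exception cref="ArgumentNullException"><paramref name="context"/> is <c>null</c>.</exception>
    /// <exception cref="InvalidOperationException">
    /// A policy has to be built but the filter has neither a policy nor a policy provider.
    /// </exception>
    public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        if (context == null)
        {
            throw new ArgumentNullException(nameof(context));
        }

        var effectivePolicy = await GetEffectivePolicyAsync(context);
        if (effectivePolicy == null)
        {
            return;
        }

        var policyEvaluator = context.HttpContext.RequestServices.GetRequiredService<IPolicyEvaluator>();

        // Authentication runs before the anonymous check, so it is attempted even for anonymous endpoints.
        var authenticateResult = await policyEvaluator.AuthenticateAsync(effectivePolicy, context.HttpContext);

        // Allow Anonymous skips all authorization
        if (context.Filters.Any(item => item is IAllowAnonymousFilter))
        {
            return;
        }

        var authorizeResult = await policyEvaluator.AuthorizeAsync(effectivePolicy, authenticateResult, context.HttpContext, context);

        // Leaving context.Result unset lets the request continue; only a challenge or a forbid short-circuits it.
        if (authorizeResult.Challenged)
        {
            context.Result = new ChallengeResult(effectivePolicy.AuthenticationSchemes.ToArray());
        }
        else if (authorizeResult.Forbidden)
        {
            context.Result = new ForbidResult(effectivePolicy.AuthenticationSchemes.ToArray());
        }
    }

    // Returns this instance when it can already authorize; otherwise builds a filter from AuthorizeData using
    // the policy provider registered in the supplied service provider.
    IFilterMetadata IFilterFactory.CreateInstance(IServiceProvider serviceProvider)
    {
        if (Policy != null || PolicyProvider != null)
        {
            // The filter is fully constructed. Use the current instance to authorize.
            return this;
        }

        // Every constructor that leaves Policy unset assigns AuthorizeData.
        Debug.Assert(AuthorizeData != null);
        var policyProvider = serviceProvider.GetRequiredService<IAuthorizationPolicyProvider>();
        return AuthorizationApplicationModelProvider.GetFilter(policyProvider, AuthorizeData);
    }
}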
}