Add Challenge/Forbid behavior to policy evaluator

Security.sln

@@ -54,6 +54,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "OpenIdConnect.AzureAdSample
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.ChunkingCookieManager.Sources.Test", "test\Microsoft.AspNetCore.ChunkingCookieManager.Sources.Test\Microsoft.AspNetCore.ChunkingCookieManager.Sources.Test.csproj", "{51563775-C659-4907-9BAF-9995BAB87D01}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.Authorization.Policy", "src\Microsoft.AspNetCore.Authorization.Policy\Microsoft.AspNetCore.Authorization.Policy.csproj", "{58194599-F07D-47A3-9DF2-E21A22C5EF9E}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -140,6 +142,22 @@ Global
 		{FC152CC4-054B-457E-8D91-389C5DE3C561}.Release|x64.Build.0 = Release|Any CPU
 		{FC152CC4-054B-457E-8D91-389C5DE3C561}.Release|x86.ActiveCfg = Release|Any CPU
 		{FC152CC4-054B-457E-8D91-389C5DE3C561}.Release|x86.Build.0 = Release|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|x64.Build.0 = Debug|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|x86.Build.0 = Debug|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|Any CPU.Build.0 = Release|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|Mixed Platforms.Build.0 = Release|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|x64.ActiveCfg = Release|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|x64.Build.0 = Release|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|x86.ActiveCfg = Release|Any CPU
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|x86.Build.0 = Release|Any CPU
 		{EEAAEE68-607B-4E33-AF3E-45C66B4DBA5A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{EEAAEE68-607B-4E33-AF3E-45C66B4DBA5A}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{EEAAEE68-607B-4E33-AF3E-45C66B4DBA5A}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU
@@ -412,22 +430,22 @@ Global
 		{51563775-C659-4907-9BAF-9995BAB87D01}.Release|x64.Build.0 = Release|Any CPU
 		{51563775-C659-4907-9BAF-9995BAB87D01}.Release|x86.ActiveCfg = Release|Any CPU
 		{51563775-C659-4907-9BAF-9995BAB87D01}.Release|x86.Build.0 = Release|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|x64.ActiveCfg = Debug|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|x64.Build.0 = Debug|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|x86.ActiveCfg = Debug|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Debug|x86.Build.0 = Debug|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|Any CPU.Build.0 = Release|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|Mixed Platforms.Build.0 = Release|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|x64.ActiveCfg = Release|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|x64.Build.0 = Release|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|x86.ActiveCfg = Release|Any CPU
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB}.Release|x86.Build.0 = Release|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Debug|x64.Build.0 = Debug|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Debug|x86.Build.0 = Debug|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Release|Mixed Platforms.Build.0 = Release|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Release|x64.ActiveCfg = Release|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Release|x64.Build.0 = Release|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Release|x86.ActiveCfg = Release|Any CPU
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -438,6 +456,7 @@ Global
 		{19711880-46DA-4A26-9E0F-9B2E41D27651} = {F8C0AA27-F3FB-4286-8E4C-47EF86B539FF}
 		{BEF0F5C3-EF4E-4649-9C49-D5E279A3CA2B} = {F8C0AA27-F3FB-4286-8E4C-47EF86B539FF}
 		{FC152CC4-054B-457E-8D91-389C5DE3C561} = {4D2B6A51-2F9F-44F5-8131-EA5CAC053652}
+		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB} = {4D2B6A51-2F9F-44F5-8131-EA5CAC053652}
 		{EEAAEE68-607B-4E33-AF3E-45C66B4DBA5A} = {4D2B6A51-2F9F-44F5-8131-EA5CAC053652}
 		{76579C39-B829-490D-B8BE-1BD35FE8412E} = {4D2B6A51-2F9F-44F5-8131-EA5CAC053652}
 		{35115D55-B69E-46D4-BB33-C9E9E6EC5E7A} = {4D2B6A51-2F9F-44F5-8131-EA5CAC053652}
@@ -455,6 +474,6 @@ Global
 		{A2B5DC39-68D5-4145-A8CC-6AEAB7D33A24} = {7BF11F3A-60B6-4796-B504-579C67FFBA34}
 		{3A7AD414-EBDE-4F92-B307-4E8F19B6117E} = {F8C0AA27-F3FB-4286-8E4C-47EF86B539FF}
 		{51563775-C659-4907-9BAF-9995BAB87D01} = {7BF11F3A-60B6-4796-B504-579C67FFBA34}
-		{BC0D4B56-1A5B-4D88-AFBF-68C0F2D545FB} = {4D2B6A51-2F9F-44F5-8131-EA5CAC053652}
+		{58194599-F07D-47A3-9DF2-E21A22C5EF9E} = {4D2B6A51-2F9F-44F5-8131-EA5CAC053652}
 	EndGlobalSection
 EndGlobal

src/Microsoft.AspNetCore.Authorization.Policy/IPolicyEvaluator.cs

@@ -0,0 +1,35 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+
+namespace Microsoft.AspNetCore.Authorization.Policy
+{
+    /// <summary>
+    /// Base class for authorization handlers that need to be called for a specific requirement type.
+    /// </summary>
+    public interface IPolicyEvaluator
+    {
+        /// <summary>
+        /// Does authentication for <see cref="AuthorizationPolicy.AuthenticationSchemes"/> and sets the resulting
+        /// <see cref="ClaimsPrincipal"/> to <see cref="HttpContext.User"/>.  If no schemes are set, this is a no-op.
+        /// </summary>
+        /// <param name="policy">The <see cref="AuthorizationPolicy"/>.</param>
+        /// <param name="context">The <see cref="HttpContext"/>.</param>
+        /// <returns><see cref="PolicyAuthenticationResult.Success"/> unless all schemes specified by <see cref="AuthorizationPolicy.AuthenticationSchemes"/> failed to authenticate.  </returns>
+        Task<PolicyAuthenticationResult> AuthenticateAsync(AuthorizationPolicy policy, HttpContext context);
+
+        /// <summary>
+        /// Attempts authorization for a policy using <see cref="IAuthorizationService"/>.
+        /// </summary>
+        /// <param name="policy">The <see cref="AuthorizationPolicy"/>.</param>
+        /// <param name="authenticationResult">The result of a call to <see cref="AuthenticateAsync(AuthorizationPolicy, HttpContext)"/>.</param>
+        /// <param name="context">The <see cref="HttpContext"/>.</param>
+        /// <returns>Returns <see cref="PolicyAuthorizationResult.Success"/> if authorization succeeds.
+        /// Otherwise returns <see cref="PolicyAuthorizationResult.Forbid"/> if <see cref="PolicyAuthenticationResult.Succeeded"/>, otherwise
+        /// returns  <see cref="PolicyAuthorizationResult.Challenge"/></returns>
+        Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, PolicyAuthenticationResult authenticationResult, HttpContext context);
+    }
+}

src/Microsoft.AspNetCore.Authorization.Policy/PolicyAuthenticationResult.cs

@@ -0,0 +1,23 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Security.Claims;
+
+namespace Microsoft.AspNetCore.Authorization.Policy
+{
+    public class PolicyAuthenticationResult
+    {
+        private PolicyAuthenticationResult() { }
+
+        /// <summary>
+        /// Authentication from at least one scheme was successful.
+        /// </summary>
+        public bool Succeeded { get; private set; }
+
+        public static PolicyAuthenticationResult Success()
+            => new PolicyAuthenticationResult { Succeeded = true };
+
+        public static PolicyAuthenticationResult Failed()
+            => new PolicyAuthenticationResult();
+    }
+}

src/Microsoft.AspNetCore.Authorization.Policy/AuthorizationPolicyResult.cs → src/Microsoft.AspNetCore.Authorization.Policy/PolicyAuthorizationResult.cs

@@ -1,11 +1,11 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-namespace Microsoft.AspNetCore.Authorization
+namespace Microsoft.AspNetCore.Authorization.Policy
 {
-    public class AuthorizationPolicyResult
+    public class PolicyAuthorizationResult
     {
-        private AuthorizationPolicyResult() { }
+        private PolicyAuthorizationResult() { }
 
         /// <summary>
         /// If true, means the callee should challenge and try again.
@@ -22,14 +22,14 @@ private AuthorizationPolicyResult() { }
         /// </summary>
         public bool Succeeded { get; private set; }
 
-        public static AuthorizationPolicyResult Challenge()
-            => new AuthorizationPolicyResult { Challenged = true };
+        public static PolicyAuthorizationResult Challenge()
+            => new PolicyAuthorizationResult { Challenged = true };
 
-        public static AuthorizationPolicyResult Forbid()
-            => new AuthorizationPolicyResult { Forbidden = true };
+        public static PolicyAuthorizationResult Forbid()
+            => new PolicyAuthorizationResult { Forbidden = true };
 
-        public static AuthorizationPolicyResult Success()
-            => new AuthorizationPolicyResult { Succeeded = true };
+        public static PolicyAuthorizationResult Success()
+            => new PolicyAuthorizationResult { Succeeded = true };
 
     }
 }

src/Microsoft.AspNetCore.Authorization.Policy/PolicyEvaluator.cs

@@ -0,0 +1,89 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Internal;
+
+namespace Microsoft.AspNetCore.Authorization.Policy
+{
+    public class PolicyEvaluator : IPolicyEvaluator
+    {
+        private readonly IAuthorizationService _authorization;
+
+        /// <summary>
+        /// Constructor
+        /// </summary>
+        /// <param name="authorization">The authorization service.</param>
+        public PolicyEvaluator(IAuthorizationService authorization)
+        {
+            _authorization = authorization;
+        }
+
+        /// <summary>
+        /// Does authentication for <see cref="AuthorizationPolicy.AuthenticationSchemes"/> and sets the resulting
+        /// <see cref="ClaimsPrincipal"/> to <see cref="HttpContext.User"/>.  If no schemes are set, this is a no-op.
+        /// </summary>
+        /// <param name="policy">The <see cref="AuthorizationPolicy"/>.</param>
+        /// <param name="context">The <see cref="HttpContext"/>.</param>
+        /// <returns><see cref="PolicyAuthenticationResult.Success"/> unless all schemes specified by <see cref="AuthorizationPolicy.AuthenticationSchemes"/> failed to authenticate.  </returns>
+        public virtual async Task<PolicyAuthenticationResult> AuthenticateAsync(AuthorizationPolicy policy, HttpContext context)
+        {
+            if (policy.AuthenticationSchemes != null && policy.AuthenticationSchemes.Count > 0)
+            {
+                ClaimsPrincipal newPrincipal = null;
+                foreach (var scheme in policy.AuthenticationSchemes)
+                {
+                    var result = await context.AuthenticateAsync(scheme);
+                    if (result != null && result.Succeeded)
+                    {
+                        newPrincipal = SecurityHelper.MergeUserPrincipal(newPrincipal, result.Principal);
+                    }
+                }
+
+                if (newPrincipal == null)
+                {
+                    context.User = newPrincipal;
+                    return PolicyAuthenticationResult.Success();
+                }
+                else
+                {
+                    context.User = new ClaimsPrincipal(new ClaimsIdentity());
+                    return PolicyAuthenticationResult.Failed();
+                }
+            }
+            return PolicyAuthenticationResult.Success();
+        }
+
+        /// <summary>
+        /// Attempts authorization for a policy using <see cref="IAuthorizationService"/>.
+        /// </summary>
+        /// <param name="policy">The <see cref="AuthorizationPolicy"/>.</param>
+        /// <param name="authenticationResult">The result of a call to <see cref="AuthenticateAsync(AuthorizationPolicy, HttpContext)"/>.</param>
+        /// <param name="context">The <see cref="HttpContext"/>.</param>
+        /// <returns>Returns <see cref="PolicyAuthorizationResult.Success"/> if authorization succeeds.
+        /// Otherwise returns <see cref="PolicyAuthorizationResult.Forbid"/> if <see cref="PolicyAuthenticationResult.Succeeded"/>, otherwise
+        /// returns  <see cref="PolicyAuthorizationResult.Challenge"/></returns>
+        public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, PolicyAuthenticationResult authenticationResult, HttpContext context)
+        {
+            if (policy == null)
+            {
+                throw new ArgumentNullException(nameof(policy));
+            }
+
+            var authResult = await _authorization.AuthorizeAsync(context.User, context, policy);
+            if (authResult.Succeeded)
+            {
+                return PolicyAuthorizationResult.Success();
+            }
+
+            // If authentication was successful, return forbidden, otherwise challenge
+            return (authenticationResult.Succeeded) 
+                ? PolicyAuthorizationResult.Forbid() 
+                : PolicyAuthorizationResult.Challenge();
+        }
+    }
+}