Skip to content
This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

AuthZ 2.0 - [Breaking] AuthorizeResult/Failure #1193

Closed
wants to merge 11 commits into from
Closed

AuthZ 2.0 - [Breaking] AuthorizeResult/Failure #1193

wants to merge 11 commits into from

Conversation

HaoK
Copy link
Member

@HaoK HaoK commented Apr 28, 2017

@blowdart @ajcvickers @Tratcher

Needed for: #901

First step needed to surface why authorization fails, returning a result which can contain failure information instead of just a bool.

Also added IAuthorizationHandlerProvider, and reworked IAuthorizationEvaluator to work with the new API.

Fixes: #1176

@dnfclas
Copy link

dnfclas commented Apr 28, 2017

@HaoK,
Thanks for having already signed the Contribution License Agreement. Your agreement was validated by .NET Foundation. We will now review your pull request.
Thanks,
.NET Foundation Pull Request Bot

@HaoK HaoK mentioned this pull request May 1, 2017
Closed
HaoK
HaoK commented May 1, 2017
View reviewed changes
src/Microsoft.AspNetCore.Authorization.Policy/Microsoft.AspNetCore.Authorization.Policy.csproj
</ItemGroup>

<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.Authentication.Abstractions" Version="$(AspNetCoreVersion)" />
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AuthZ currently doesn't depend on Http or AuthN, if we are ok taking these dependencies in the main AuthZ package, we don't need to split out the authorize helper logic

kevinchalet
kevinchalet reviewed May 4, 2017
View reviewed changes
src/Microsoft.AspNetCore.Authorization/AuthorizeFailure.cs Outdated
/// <summary>
/// Encapsulates a failure result of <see cref="IAuthorizationService.AuthorizeAsync(ClaimsPrincipal, object, IEnumerable{IAuthorizationRequirement})"/>.
/// </summary>
public class AuthorizeFailure
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All these verb + Result classes sound a bit weird. Why not AuthorizationFailure?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I started with that, but we went with AuthenticateResult (there that was meant to signify that it was a result for the Authenticate method). I could go either way here since I've had it both ways in this code already :)

@HaoK HaoK mentioned this pull request May 4, 2017
Closed
HaoK
HaoK commented May 4, 2017
View reviewed changes
src/Microsoft.AspNetCore.Authorization.Policy/AuthorizationPolicyResult.cs Outdated
/// <summary>
/// If true, means the callee should challenge and try again.
/// </summary>
public bool Challenged { get; private set; }
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Challenged => RequiresAuthentication?

@HaoK
Copy link
Member Author

HaoK commented May 5, 2017

Updated the PolicyEvaluator to have the new logic where when authorization fails, forbid is returned if any schemes were successfully authenticated.

Tratcher
Tratcher reviewed May 10, 2017
View reviewed changes
src/Microsoft.AspNetCore.Authorization.Policy/PolicyEvaluator.cs Outdated
}
}

if (newPrincipal == null)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

!= null?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doh yeah, looks like I am missing tests for the Authenticate method too :)

@HaoK
Copy link
Member Author

HaoK commented May 11, 2017

  • Renamed AuthorizeResult/Failure => AuthorizationResult/Failure
  • Eliminated the policy authentication result class trying to reuse AuthenticateResult directly instead.
  • added tests for authentication of policy evaluator

HaoK
HaoK commented May 11, 2017
View reviewed changes
src/Microsoft.AspNetCore.Authorization.Policy/PolicyEvaluator.cs Outdated
return AuthenticateResult.None();
}
}
return AuthenticateResult.None();
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: we will never trigger forbidden if authentication schemes were not set on the policy, since authZ isn't doing the authentication in that case, its just relying on what's in context.User.

Copy link
Member Author

@HaoK HaoK May 11, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could explicitly check the result of AuthenticateAsync with the default scheme to determine if we want to return success/none instead to control the behavior of forbid/challenge if authorization fails later.

@HaoK HaoK mentioned this pull request May 18, 2017
Closed
@HaoK HaoK mentioned this pull request May 18, 2017
Closed
15 tasks
@HaoK
Copy link
Member Author

HaoK commented May 22, 2017

@Tratcher updated to react to the breaking auth changes in HttpAbstractions

@HaoK HaoK mentioned this pull request May 24, 2017
Closed
@HaoK
Copy link
Member Author

HaoK commented May 26, 2017

e940cdb

@HaoK HaoK closed this May 26, 2017
@HaoK HaoK deleted the haok/authz2 branch August 7, 2017 16:59
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@kevinchalet kevinchalet kevinchalet left review comments

@Tratcher Tratcher Tratcher approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@HaoK @dnfclas @Tratcher @kevinchalet