
Implemented app permissions

Joonas Westlin
Joonas Westlin committed Nov 18, 2019
1 parent 2672bc4 commit afff5d4ea333bf8e45bb164a0eeabe89f4d7bc80
@@ -13,8 +13,14 @@ internal class ActionAuthorizationRequirementHandler : AuthorizationHandler<Acti
// Checks the user has a permission accepted for this action
string[] delegatedPermissions = context.User.FindAll(Claims.ScopeClaimType).Select(c => c.Value).ToArray();
string[] acceptedDelegatedPermissions = AuthorizedPermissions.DelegatedPermissionsForActions[requirement.Action];
string[] appPermissionsOrRoles = context.User.FindAll(Claims.AppPermissionOrRolesClaimType).Select(c => c.Value).ToArray();
string[] acceptedApplicationPermissions = AuthorizedPermissions.ApplicationPermissionsForActions[requirement.Action];

if (acceptedDelegatedPermissions.Any(accepted => delegatedPermissions.Any(available => accepted == available)))
if (acceptedDelegatedPermissions.Any(accepted => delegatedPermissions.Contains(accepted)))
{
context.Succeed(requirement);
}
else if (acceptedApplicationPermissions.Any(accepted => appPermissionsOrRoles.Contains(accepted)))
{
context.Succeed(requirement);
}
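Review bot: The dictionary indexer on the new line `string[] acceptedApplicationPermissions = AuthorizedPermissions.ApplicationPermissionsForActions[requirement.Action];` throws `KeyNotFoundException` for an action with no entry, so a missing mapping surfaces as a 500 instead of the 403 the handler is designed to produce. Prefer `AuthorizedPermissions.ApplicationPermissionsForActions.TryGetValue(requirement.Action, out var acceptedApplicationPermissions)` and treat a miss as "no accepted permissions" so the check fails closed; the delegated lookup two lines above has the same shape and deserves the same treatment. A short comment on the `else if` saying that `Claims.AppPermissionOrRolesClaimType` is consulted only when no accepted delegated scope was found would make the precedence explicit. HandleRequirementAsync starts before this hunk and continues after it.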
@@ -11,14 +11,21 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
{
// Checks caller has at least one valid permission
string[] delegatedPermissions = context.User.FindAll(Claims.ScopeClaimType).Select(c => c.Value).ToArray();
string[] allAcceptedPermissions = DelegatedPermissions.All;
if (delegatedPermissions.Any(p => allAcceptedPermissions.Contains(p)))
string[] allAcceptedDelegatedPermissions = DelegatedPermissions.All;
string[] appPermissionsOrRoles = context.User.FindAll(Claims.AppPermissionOrRolesClaimType).Select(c => c.Value).ToArray();
string[] allAcceptedApplicationPermissions = ApplicationPermissions.All;
if (delegatedPermissions.Any(p => allAcceptedDelegatedPermissions.Contains(p)))
{
// Caller has a valid delegated permission
// If your API has different user roles,
// this is where you would check that, before calling context.Succeed()
context.Succeed(requirement);
}
else if (appPermissionsOrRoles.Any(p => allAcceptedApplicationPermissions.Contains(p)))
{
// Caller has a valid application permission
context.Succeed(requirement);
}

// If we reached here without calling context.Succeed(),
// the call will fail with a 403 Forbidden
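Review bot: The comment `// If your API has different user roles, this is where you would check that` on the delegated branch is now misleading, because user app roles and application permissions both arrive through `Claims.AppPermissionOrRolesClaimType` (its name says as much) and the new `else if` already consults that claim. A delegated token whose user holds an app role with the same value as an application permission, but which carries no accepted scope, falls through to the application branch and is authorized as if it were an app-only call; if that is not intended, gate the second branch on the absence of scopes, e.g. `else if (delegatedPermissions.Length == 0 && appPermissionsOrRoles.Any(p => allAcceptedApplicationPermissions.Contains(p)))`, and reword the comment to say user roles belong in the first branch and application permissions in the second. Whether an empty `delegatedPermissions` is a reliable app-only signal depends on how the scope claim is mapped in `Claims`, which is not visible here. HandleRequirementAsync continues past the end of this hunk.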
@@ -0,0 +1,16 @@
using System.Linq;

namespace Joonasw.AadTestingDemo.API.Authorization
{
internal static class ApplicationPermissions
{
public const string ReadAllThings = "Things.Read.All";
public const string ReadAllOtherThings = "OtherThings.Read.All";

public static string[] All => typeof(ApplicationPermissions)
.GetFields()
.Where(f => f.Name != nameof(All))
.Select(f => f.GetValue(null) as string)
.ToArray();
}
}
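Review bot: `All` runs reflection on every read, and the authorization handlers read it on every request, so it should be computed once: `private static readonly string[] s_all = typeof(ApplicationPermissions).GetFields().Select(f => (string)f.GetValue(null)).ToArray();` with `public static string[] All => s_all;` (the cached array is then shared, so callers must treat it as read-only). The `Where(f => f.Name != nameof(All))` filter is dead code, since `All` is a property and `GetFields()` never returns it, and `f.GetValue(null) as string` would silently insert a null into the accepted list for any non-string field added later, whereas the direct cast fails loudly. A class-level doc comment stating that each constant here must match, byte for byte, the value the handlers see in the `AppPermissionOrRolesClaimType` claim would help whoever adds the next permission.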
@@ -14,5 +14,16 @@ internal static class AuthorizedPermissions
[Actions.ReadThings] = new[] { DelegatedPermissions.ReadThings },
[Actions.ReadOtherThings] = new[] { DelegatedPermissions.ReadOtherThings }
};

/// <summary>
/// Contains the allowed application permissions for each action.
/// If the caller has one of the allowed ones, they should be allowed
/// to perform the action.
/// </summary>
public static IReadOnlyDictionary<string, string[]> ApplicationPermissionsForActions = new Dictionary<string, string[]>
{
[Actions.ReadThings] = new[] { ApplicationPermissions.ReadAllThings },
[Actions.ReadOtherThings] = new[] { ApplicationPermissions.ReadAllOtherThings }
};
}
}
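Review bot: `ApplicationPermissionsForActions` is a public static field that is not `readonly`, so any code in the assembly can replace the whole authorization table at runtime; declare it `public static readonly IReadOnlyDictionary<string, string[]> ApplicationPermissionsForActions = new Dictionary<string, string[]>` (the sibling `DelegatedPermissionsForActions` declaration is outside the hunk, so I cannot tell whether it has the same gap). The `string[]` values remain mutable behind `IReadOnlyDictionary`, which is worth a comment, or a switch to `IReadOnlyList<string>` if the handlers' local types are adjusted with it. The summary should also state that every `Actions` value must have an entry here, because the handler indexes this dictionary directly and a missing key throws rather than denying.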
