Diplomarbeit-Absolventenverein/oqtane.framework
10
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Scope permissions by SiteId to support entity level authorization as well as improve caching and performance. Optimize GetTenant to use existing cache.

Browse Source
This commit is contained in:
Shaun Walker
2022-11-07 18:16:32 -05:00
parent 2aa6eb90e2
commit 6182b96d16
19 changed files with 103 additions and 115 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
Oqtane.Server/Security/PermissionHandler.cs
View File

@ -2,6 +2,7 @@ using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Oqtane.Enums;
using Oqtane.Extensions;
using Oqtane.Infrastructure;
using Oqtane.Shared;
@ -9,24 +10,30 @@ namespace Oqtane.Security
{
public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
private readonly IHttpContextAccessor _httpContextAccessor;
private readonly IHttpContextAccessor _accessor;
private readonly IUserPermissions _userPermissions;
private readonly ILogManager _logger;
public PermissionHandler(IHttpContextAccessor httpContextAccessor, IUserPermissions userPermissions, ILogManager logger)
public PermissionHandler(IHttpContextAccessor accessor, IUserPermissions userPermissions, ILogManager logger)
{
_httpContextAccessor = httpContextAccessor;
_accessor = accessor;
_userPermissions = userPermissions;
_logger = logger;
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
{
// permission is scoped based on entitynames and ids passed as querystring parameters
var ctx = _httpContextAccessor.HttpContext;
// permission is scoped based on entity name and in some cases entity id
var ctx = _accessor.HttpContext;
if (ctx != null)
{
// get entityid based on a parameter format of auth{entityname}id (ie. authmoduleid )
int siteId = -1;
if (ctx.GetAlias() != null)
{
siteId = ctx.GetAlias().SiteId;
}
// get entityid from querystring based on a parameter format of auth{entityname}id (ie. authmoduleid )
int entityId = -1;
if (ctx.Request.Query.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
{
@ -36,7 +43,7 @@ namespace Oqtane.Security
}
}
// legacy support
// legacy support for deprecated CreateAuthorizationPolicyUrl(string url, int entityId)
if (entityId == -1)
{
if (ctx.Request.Query.ContainsKey("entityid"))
@ -49,13 +56,20 @@ namespace Oqtane.Security
}
// validate permissions
if (entityId != -1 && _userPermissions.IsAuthorized(context.User, requirement.EntityName, entityId, requirement.PermissionName))
if (_userPermissions.IsAuthorized(context.User, siteId, requirement.EntityName, entityId, requirement.PermissionName))
{
context.Succeed(requirement);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "User {User} Does Not Have {PermissionName} Permission For {EntityName}:{EntityId}", context.User, requirement.PermissionName, requirement.EntityName, entityId);
if (entityId == -1)
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "User {User} Does Not Have {PermissionName} Permission For {EntityName} Entity", context.User.Identity.Name, requirement.PermissionName, requirement.EntityName);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "User {User} Does Not Have {PermissionName} Permission For {EntityName} Entity With ID {EntityId}", context.User.Identity.Name, requirement.PermissionName, requirement.EntityName, entityId);
}
}
}
return Task.CompletedTask;

17
Oqtane.Server/Security/UserPermissions.cs
View File

@ -3,15 +3,20 @@ using Oqtane.Models;
using System.Linq;
using System.Security.Claims;
using Oqtane.Repository;
using Oqtane.Extensions;
using System;
namespace Oqtane.Security
{
public interface IUserPermissions
{
bool IsAuthorized(ClaimsPrincipal user, string entityName, int entityId, string permissionName);
bool IsAuthorized(ClaimsPrincipal user, int siteId, string entityName, int entityId, string permissionName);
bool IsAuthorized(ClaimsPrincipal user, string permissionName, string permissions);
User GetUser(ClaimsPrincipal user);
User GetUser();
[Obsolete("IsAuthorized(ClaimsPrincipal principal, string entityName, int entityId, string permissionName) is deprecated. Use IsAuthorized(ClaimsPrincipal principal, int siteId, string entityName, int entityId, string permissionName) instead.", false)]
bool IsAuthorized(ClaimsPrincipal user, string entityName, int entityId, string permissionName);
}
public class UserPermissions : IUserPermissions
@ -25,9 +30,9 @@ namespace Oqtane.Security
_accessor = accessor;
}
public bool IsAuthorized(ClaimsPrincipal principal, string entityName, int entityId, string permissionName)
public bool IsAuthorized(ClaimsPrincipal principal, int siteId, string entityName, int entityId, string permissionName)
{
return IsAuthorized(principal, permissionName, _permissions.GetPermissionString(entityName, entityId, permissionName));
return IsAuthorized(principal, permissionName, _permissions.GetPermissions(siteId, entityName, entityId, permissionName)?.EncodePermissions());
}
public bool IsAuthorized(ClaimsPrincipal principal, string permissionName, string permissions)
@ -73,5 +78,11 @@ namespace Oqtane.Security
return null;
}
}
// deprecated
public bool IsAuthorized(ClaimsPrincipal principal, string entityName, int entityId, string permissionName)
{
return IsAuthorized(principal, permissionName, _permissions.GetPermissions(_accessor.HttpContext.GetAlias().SiteId, entityName, entityId, permissionName)?.EncodePermissions());
}
}
}