Merge pull request #2514 from sbwalker/dev
enhance dynamic authorization policies to support default role specification
This commit is contained in:
Shaun Walker
@ -28,7 +28,7 @@ namespace Oqtane.Controllers
|
|||||||
|
|
||||||
// GET: api/<controller>?siteid=x&global=true/false
|
// GET: api/<controller>?siteid=x&global=true/false
|
||||||
[HttpGet]
|
[HttpGet]
|
||||||
[Authorize(Roles = RoleNames.Registered)]
|
[Authorize(Policy = $"{EntityNames.Role}:{PermissionNames.Read}:{RoleNames.Registered}")]
|
||||||
public IEnumerable<Role> Get(string siteid, string global)
|
public IEnumerable<Role> Get(string siteid, string global)
|
||||||
{
|
{
|
||||||
int SiteId;
|
int SiteId;
|
||||||
@ -50,7 +50,7 @@ namespace Oqtane.Controllers
|
|||||||
|
|
||||||
// GET api/<controller>/5
|
// GET api/<controller>/5
|
||||||
[HttpGet("{id}")]
|
[HttpGet("{id}")]
|
||||||
[Authorize(Roles = RoleNames.Registered)]
|
[Authorize(Policy = $"{EntityNames.Role}:{PermissionNames.Read}:{RoleNames.Registered}")]
|
||||||
public Role Get(int id)
|
public Role Get(int id)
|
||||||
{
|
{
|
||||||
var role = _roles.GetRole(id);
|
var role = _roles.GetRole(id);
|
||||||
@ -68,7 +68,7 @@ namespace Oqtane.Controllers
|
|||||||
|
|
||||||
// POST api/<controller>
|
// POST api/<controller>
|
||||||
[HttpPost]
|
[HttpPost]
|
||||||
[Authorize(Roles = RoleNames.Admin)]
|
[Authorize(Policy = $"{EntityNames.Role}:{PermissionNames.Write}:{RoleNames.Admin}")]
|
||||||
public Role Post([FromBody] Role role)
|
public Role Post([FromBody] Role role)
|
||||||
{
|
{
|
||||||
if (ModelState.IsValid && role.SiteId == _alias.SiteId)
|
if (ModelState.IsValid && role.SiteId == _alias.SiteId)
|
||||||
@ -88,7 +88,7 @@ namespace Oqtane.Controllers
|
|||||||
|
|
||||||
// PUT api/<controller>/5
|
// PUT api/<controller>/5
|
||||||
[HttpPut("{id}")]
|
[HttpPut("{id}")]
|
||||||
[Authorize(Roles = RoleNames.Admin)]
|
[Authorize(Policy = $"{EntityNames.Role}:{PermissionNames.Write}:{RoleNames.Admin}")]
|
||||||
public Role Put(int id, [FromBody] Role role)
|
public Role Put(int id, [FromBody] Role role)
|
||||||
{
|
{
|
||||||
if (ModelState.IsValid && role.SiteId == _alias.SiteId && _roles.GetRole(role.RoleId, false) != null)
|
if (ModelState.IsValid && role.SiteId == _alias.SiteId && _roles.GetRole(role.RoleId, false) != null)
|
||||||
@ -108,7 +108,7 @@ namespace Oqtane.Controllers
|
|||||||
|
|
||||||
// DELETE api/<controller>/5
|
// DELETE api/<controller>/5
|
||||||
[HttpDelete("{id}")]
|
[HttpDelete("{id}")]
|
||||||
[Authorize(Roles = RoleNames.Admin)]
|
[Authorize(Policy = $"{EntityNames.Role}:{PermissionNames.Write}:{RoleNames.Admin}")]
|
||||||
public void Delete(int id)
|
public void Delete(int id)
|
||||||
{
|
{
|
||||||
var role = _roles.GetRole(id);
|
var role = _roles.GetRole(id);
|
||||||
|
|||||||
@ -9,12 +9,10 @@ namespace Oqtane.Security
|
|||||||
public class AuthorizationPolicyProvider : DefaultAuthorizationPolicyProvider
|
public class AuthorizationPolicyProvider : DefaultAuthorizationPolicyProvider
|
||||||
{
|
{
|
||||||
private readonly AuthorizationOptions _options;
|
private readonly AuthorizationOptions _options;
|
||||||
private readonly IConfiguration _configuration;
|
|
||||||
|
|
||||||
public AuthorizationPolicyProvider(IOptions<AuthorizationOptions> options, IConfiguration configuration) : base(options)
|
public AuthorizationPolicyProvider(IOptions<AuthorizationOptions> options) : base(options)
|
||||||
{
|
{
|
||||||
_options = options.Value;
|
_options = options.Value;
|
||||||
_configuration = configuration;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public override async Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
|
public override async Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
|
||||||
@ -25,18 +23,25 @@ namespace Oqtane.Security
|
|||||||
|
|
||||||
if (policy == null)
|
if (policy == null)
|
||||||
{
|
{
|
||||||
// policy names must be in the form of "Entity:Permission" ie. "User:Read"
|
if (policyName.Contains(':'))
|
||||||
if (policyName.Contains(":"))
|
|
||||||
{
|
{
|
||||||
var entityName = policyName.Split(':')[0];
|
// policy names must be in the form of "EntityName:PermissionName:Roles" ie. "Module:Edit:Administrators" (roles are comma delimited)
|
||||||
var permissionName = policyName.Split(':')[1];
|
var policySegments = policyName.Split(':');
|
||||||
|
if (policySegments.Length >= 3)
|
||||||
|
{
|
||||||
|
// check for optional RequireEntityId segment
|
||||||
|
var requireEntityId = false;
|
||||||
|
if (policySegments.Length == 4 && policySegments[3] == Constants.RequireEntityId)
|
||||||
|
{
|
||||||
|
requireEntityId = true;
|
||||||
|
}
|
||||||
|
policy = new AuthorizationPolicyBuilder()
|
||||||
|
.AddRequirements(new PermissionRequirement(policySegments[0], policySegments[1], policySegments[2], requireEntityId))
|
||||||
|
.Build();
|
||||||
|
|
||||||
policy = new AuthorizationPolicyBuilder()
|
// add policy to the AuthorizationOptions
|
||||||
.AddRequirements(new PermissionRequirement(entityName, permissionName))
|
_options.AddPolicy(policyName, policy);
|
||||||
.Build();
|
}
|
||||||
|
|
||||||
// add policy to the AuthorizationOptions
|
|
||||||
_options.AddPolicy(policyName, policy);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -46,8 +51,8 @@ namespace Oqtane.Security
|
|||||||
private string GetPolicyName(string policyName)
|
private string GetPolicyName(string policyName)
|
||||||
{
|
{
|
||||||
// backward compatibility for legacy static policy names
|
// backward compatibility for legacy static policy names
|
||||||
if (policyName == PolicyNames.ViewModule) policyName = "Module:View";
|
if (policyName == PolicyNames.ViewModule) policyName = $"{EntityNames.Module}:{PermissionNames.View}:{RoleNames.Admin}:{Constants.RequireEntityId}";
|
||||||
if (policyName == PolicyNames.EditModule) policyName = "Module:Edit";
|
if (policyName == PolicyNames.EditModule) policyName = $"{EntityNames.Module}:{PermissionNames.Edit}:{RoleNames.Admin}:{Constants.RequireEntityId}";
|
||||||
return policyName;
|
return policyName;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -33,30 +33,33 @@ namespace Oqtane.Security
|
|||||||
siteId = ctx.GetAlias().SiteId;
|
siteId = ctx.GetAlias().SiteId;
|
||||||
}
|
}
|
||||||
|
|
||||||
// get entityid from querystring based on a parameter format of auth{entityname}id (ie. authmoduleid )
|
|
||||||
int entityId = -1;
|
int entityId = -1;
|
||||||
if (ctx.Request.Query.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
|
if (requirement.RequireEntityId)
|
||||||
{
|
{
|
||||||
if (!int.TryParse(ctx.Request.Query["auth" + requirement.EntityName.ToLower() + "id"], out entityId))
|
// get entityid from querystring based on a parameter format of auth{entityname}id (ie. authmoduleid )
|
||||||
|
if (ctx.Request.Query.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
|
||||||
{
|
{
|
||||||
entityId = -1;
|
if (!int.TryParse(ctx.Request.Query["auth" + requirement.EntityName.ToLower() + "id"], out entityId))
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// legacy support for deprecated CreateAuthorizationPolicyUrl(string url, int entityId)
|
|
||||||
if (entityId == -1)
|
|
||||||
{
|
|
||||||
if (ctx.Request.Query.ContainsKey("entityid"))
|
|
||||||
{
|
|
||||||
if (!int.TryParse(ctx.Request.Query["entityid"], out entityId))
|
|
||||||
{
|
{
|
||||||
entityId = -1;
|
entityId = -1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// legacy support for deprecated CreateAuthorizationPolicyUrl(string url, int entityId)
|
||||||
|
if (entityId == -1)
|
||||||
|
{
|
||||||
|
if (ctx.Request.Query.ContainsKey("entityid"))
|
||||||
|
{
|
||||||
|
if (!int.TryParse(ctx.Request.Query["entityid"], out entityId))
|
||||||
|
{
|
||||||
|
entityId = -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// validate permissions
|
// validate permissions
|
||||||
if (_userPermissions.IsAuthorized(context.User, siteId, requirement.EntityName, entityId, requirement.PermissionName))
|
if (_userPermissions.IsAuthorized(context.User, siteId, requirement.EntityName, entityId, requirement.PermissionName, requirement.Roles))
|
||||||
{
|
{
|
||||||
context.Succeed(requirement);
|
context.Succeed(requirement);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,4 +1,4 @@
|
|||||||
using Microsoft.AspNetCore.Authorization;
|
using Microsoft.AspNetCore.Authorization;
|
||||||
|
|
||||||
namespace Oqtane.Security
|
namespace Oqtane.Security
|
||||||
{
|
{
|
||||||
@ -8,10 +8,16 @@ namespace Oqtane.Security
|
|||||||
|
|
||||||
public string PermissionName { get; }
|
public string PermissionName { get; }
|
||||||
|
|
||||||
public PermissionRequirement(string entityName, string permissionName)
|
public string Roles { get; }
|
||||||
|
|
||||||
|
public bool RequireEntityId { get; }
|
||||||
|
|
||||||
|
public PermissionRequirement(string entityName, string permissionName, string roles, bool requireEntityId)
|
||||||
{
|
{
|
||||||
EntityName = entityName;
|
EntityName = entityName;
|
||||||
PermissionName = permissionName;
|
PermissionName = permissionName;
|
||||||
|
Roles = roles;
|
||||||
|
RequireEntityId = requireEntityId;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -10,6 +10,7 @@ namespace Oqtane.Security
|
|||||||
{
|
{
|
||||||
public interface IUserPermissions
|
public interface IUserPermissions
|
||||||
{
|
{
|
||||||
|
bool IsAuthorized(ClaimsPrincipal user, int siteId, string entityName, int entityId, string permissionName, string roles);
|
||||||
bool IsAuthorized(ClaimsPrincipal user, int siteId, string entityName, int entityId, string permissionName);
|
bool IsAuthorized(ClaimsPrincipal user, int siteId, string entityName, int entityId, string permissionName);
|
||||||
bool IsAuthorized(ClaimsPrincipal user, string permissionName, string permissions);
|
bool IsAuthorized(ClaimsPrincipal user, string permissionName, string permissions);
|
||||||
User GetUser(ClaimsPrincipal user);
|
User GetUser(ClaimsPrincipal user);
|
||||||
@ -30,6 +31,19 @@ namespace Oqtane.Security
|
|||||||
_accessor = accessor;
|
_accessor = accessor;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public bool IsAuthorized(ClaimsPrincipal principal, int siteId, string entityName, int entityId, string permissionName, string roles)
|
||||||
|
{
|
||||||
|
var permissions = _permissions.GetPermissions(siteId, entityName, entityId, permissionName).ToList();
|
||||||
|
if (permissions != null && permissions.Count != 0)
|
||||||
|
{
|
||||||
|
return IsAuthorized(principal, permissionName, permissions.EncodePermissions());
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
return UserSecurity.IsAuthorized(GetUser(principal), roles.Replace(",",";"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public bool IsAuthorized(ClaimsPrincipal principal, int siteId, string entityName, int entityId, string permissionName)
|
public bool IsAuthorized(ClaimsPrincipal principal, int siteId, string entityName, int entityId, string permissionName)
|
||||||
{
|
{
|
||||||
return IsAuthorized(principal, permissionName, _permissions.GetPermissions(siteId, entityName, entityId, permissionName)?.EncodePermissions());
|
return IsAuthorized(principal, permissionName, _permissions.GetPermissions(siteId, entityName, entityId, permissionName)?.EncodePermissions());
|
||||||
|
|||||||
@ -74,6 +74,8 @@ namespace Oqtane.Shared
|
|||||||
|
|
||||||
public static readonly string MauiUserAgent = "MAUI";
|
public static readonly string MauiUserAgent = "MAUI";
|
||||||
|
|
||||||
|
public static readonly string RequireEntityId = "RequireEntityId";
|
||||||
|
|
||||||
// Obsolete constants
|
// Obsolete constants
|
||||||
|
|
||||||
const string RoleObsoleteMessage = "Use the corresponding member from Oqtane.Shared.RoleNames";
|
const string RoleObsoleteMessage = "Use the corresponding member from Oqtane.Shared.RoleNames";
|
||||||
|
|||||||
@ -1,11 +1,15 @@
|
|||||||
namespace Oqtane.Shared
|
namespace Oqtane.Shared
|
||||||
{
|
{
|
||||||
public class PermissionNames
|
public class PermissionNames
|
||||||
{
|
{
|
||||||
public const string Browse = "Browse";
|
// UI permissions
|
||||||
public const string View = "View";
|
public const string View = "View";
|
||||||
public const string Edit = "Edit";
|
public const string Edit = "Edit";
|
||||||
|
public const string Browse = "Browse";
|
||||||
public const string Utilize = "Utilize";
|
public const string Utilize = "Utilize";
|
||||||
|
|
||||||
|
// API permissions
|
||||||
|
public const string Read = "Read";
|
||||||
|
public const string Write = "Write";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user