enhance dynamic authorization policies to support default role specification
This commit is contained in:
Shaun Walker
@ -9,12 +9,10 @@ namespace Oqtane.Security
|
||||
public class AuthorizationPolicyProvider : DefaultAuthorizationPolicyProvider
|
||||
{
|
||||
private readonly AuthorizationOptions _options;
|
||||
private readonly IConfiguration _configuration;
|
||||
|
||||
public AuthorizationPolicyProvider(IOptions<AuthorizationOptions> options, IConfiguration configuration) : base(options)
|
||||
public AuthorizationPolicyProvider(IOptions<AuthorizationOptions> options) : base(options)
|
||||
{
|
||||
_options = options.Value;
|
||||
_configuration = configuration;
|
||||
}
|
||||
|
||||
public override async Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
|
||||
@ -25,18 +23,25 @@ namespace Oqtane.Security
|
||||
|
||||
if (policy == null)
|
||||
{
|
||||
// policy names must be in the form of "Entity:Permission" ie. "User:Read"
|
||||
if (policyName.Contains(":"))
|
||||
if (policyName.Contains(':'))
|
||||
{
|
||||
var entityName = policyName.Split(':')[0];
|
||||
var permissionName = policyName.Split(':')[1];
|
||||
// policy names must be in the form of "EntityName:PermissionName:Roles" ie. "Module:Edit:Administrators" (roles are comma delimited)
|
||||
var policySegments = policyName.Split(':');
|
||||
if (policySegments.Length >= 3)
|
||||
{
|
||||
// check for optional RequireEntityId segment
|
||||
var requireEntityId = false;
|
||||
if (policySegments.Length == 4 && policySegments[3] == Constants.RequireEntityId)
|
||||
{
|
||||
requireEntityId = true;
|
||||
}
|
||||
policy = new AuthorizationPolicyBuilder()
|
||||
.AddRequirements(new PermissionRequirement(policySegments[0], policySegments[1], policySegments[2], requireEntityId))
|
||||
.Build();
|
||||
|
||||
policy = new AuthorizationPolicyBuilder()
|
||||
.AddRequirements(new PermissionRequirement(entityName, permissionName))
|
||||
.Build();
|
||||
|
||||
// add policy to the AuthorizationOptions
|
||||
_options.AddPolicy(policyName, policy);
|
||||
// add policy to the AuthorizationOptions
|
||||
_options.AddPolicy(policyName, policy);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -46,8 +51,8 @@ namespace Oqtane.Security
|
||||
private string GetPolicyName(string policyName)
|
||||
{
|
||||
// backward compatibility for legacy static policy names
|
||||
if (policyName == PolicyNames.ViewModule) policyName = "Module:View";
|
||||
if (policyName == PolicyNames.EditModule) policyName = "Module:Edit";
|
||||
if (policyName == PolicyNames.ViewModule) policyName = $"{EntityNames.Module}:{PermissionNames.View}:{RoleNames.Admin}:{Constants.RequireEntityId}";
|
||||
if (policyName == PolicyNames.EditModule) policyName = $"{EntityNames.Module}:{PermissionNames.Edit}:{RoleNames.Admin}:{Constants.RequireEntityId}";
|
||||
return policyName;
|
||||
}
|
||||
}
|
||||
|
||||
@ -33,30 +33,33 @@ namespace Oqtane.Security
|
||||
siteId = ctx.GetAlias().SiteId;
|
||||
}
|
||||
|
||||
// get entityid from querystring based on a parameter format of auth{entityname}id (ie. authmoduleid )
|
||||
int entityId = -1;
|
||||
if (ctx.Request.Query.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
|
||||
if (requirement.RequireEntityId)
|
||||
{
|
||||
if (!int.TryParse(ctx.Request.Query["auth" + requirement.EntityName.ToLower() + "id"], out entityId))
|
||||
// get entityid from querystring based on a parameter format of auth{entityname}id (ie. authmoduleid )
|
||||
if (ctx.Request.Query.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
|
||||
{
|
||||
entityId = -1;
|
||||
}
|
||||
}
|
||||
|
||||
// legacy support for deprecated CreateAuthorizationPolicyUrl(string url, int entityId)
|
||||
if (entityId == -1)
|
||||
{
|
||||
if (ctx.Request.Query.ContainsKey("entityid"))
|
||||
{
|
||||
if (!int.TryParse(ctx.Request.Query["entityid"], out entityId))
|
||||
if (!int.TryParse(ctx.Request.Query["auth" + requirement.EntityName.ToLower() + "id"], out entityId))
|
||||
{
|
||||
entityId = -1;
|
||||
}
|
||||
}
|
||||
|
||||
// legacy support for deprecated CreateAuthorizationPolicyUrl(string url, int entityId)
|
||||
if (entityId == -1)
|
||||
{
|
||||
if (ctx.Request.Query.ContainsKey("entityid"))
|
||||
{
|
||||
if (!int.TryParse(ctx.Request.Query["entityid"], out entityId))
|
||||
{
|
||||
entityId = -1;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// validate permissions
|
||||
if (_userPermissions.IsAuthorized(context.User, siteId, requirement.EntityName, entityId, requirement.PermissionName))
|
||||
if (_userPermissions.IsAuthorized(context.User, siteId, requirement.EntityName, entityId, requirement.PermissionName, requirement.Roles))
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
|
||||
namespace Oqtane.Security
|
||||
{
|
||||
@ -8,10 +8,16 @@ namespace Oqtane.Security
|
||||
|
||||
public string PermissionName { get; }
|
||||
|
||||
public PermissionRequirement(string entityName, string permissionName)
|
||||
public string Roles { get; }
|
||||
|
||||
public bool RequireEntityId { get; }
|
||||
|
||||
public PermissionRequirement(string entityName, string permissionName, string roles, bool requireEntityId)
|
||||
{
|
||||
EntityName = entityName;
|
||||
PermissionName = permissionName;
|
||||
Roles = roles;
|
||||
RequireEntityId = requireEntityId;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -10,6 +10,7 @@ namespace Oqtane.Security
|
||||
{
|
||||
public interface IUserPermissions
|
||||
{
|
||||
bool IsAuthorized(ClaimsPrincipal user, int siteId, string entityName, int entityId, string permissionName, string roles);
|
||||
bool IsAuthorized(ClaimsPrincipal user, int siteId, string entityName, int entityId, string permissionName);
|
||||
bool IsAuthorized(ClaimsPrincipal user, string permissionName, string permissions);
|
||||
User GetUser(ClaimsPrincipal user);
|
||||
@ -30,6 +31,19 @@ namespace Oqtane.Security
|
||||
_accessor = accessor;
|
||||
}
|
||||
|
||||
public bool IsAuthorized(ClaimsPrincipal principal, int siteId, string entityName, int entityId, string permissionName, string roles)
|
||||
{
|
||||
var permissions = _permissions.GetPermissions(siteId, entityName, entityId, permissionName).ToList();
|
||||
if (permissions != null && permissions.Count != 0)
|
||||
{
|
||||
return IsAuthorized(principal, permissionName, permissions.EncodePermissions());
|
||||
}
|
||||
else
|
||||
{
|
||||
return UserSecurity.IsAuthorized(GetUser(principal), roles.Replace(",",";"));
|
||||
}
|
||||
}
|
||||
|
||||
public bool IsAuthorized(ClaimsPrincipal principal, int siteId, string entityName, int entityId, string permissionName)
|
||||
{
|
||||
return IsAuthorized(principal, permissionName, _permissions.GetPermissions(siteId, entityName, entityId, permissionName)?.EncodePermissions());
|
||||
|
||||
Reference in New Issue
Block a user