AuthZ PolicyEvalutor should take resource

HaoK · HaoK · commit 869d98e28d60 · 2017-07-20T21:18:20.000-07:00
diff --git a/src/Microsoft.AspNetCore.Authorization.Policy/IPolicyEvaluator.cs b/src/Microsoft.AspNetCore.Authorization.Policy/IPolicyEvaluator.cs
@@ -28,9 +28,13 @@ public interface IPolicyEvaluator
         /// <param name="policy">The <see cref="AuthorizationPolicy"/>.</param>
         /// <param name="authenticationResult">The result of a call to <see cref="AuthenticateAsync(AuthorizationPolicy, HttpContext)"/>.</param>
         /// <param name="context">The <see cref="HttpContext"/>.</param>
+        /// <param name="resource">
+        /// An optional resource the policy should be checked with.
+        /// If a resource is not required for policy evaluation you may pass null as the value.
+        /// </param>
         /// <returns>Returns <see cref="PolicyAuthorizationResult.Success"/> if authorization succeeds.
         /// Otherwise returns <see cref="PolicyAuthorizationResult.Forbid"/> if <see cref="AuthenticateResult.Succeeded"/>, otherwise
         /// returns  <see cref="PolicyAuthorizationResult.Challenge"/></returns>
-        Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context);
+        Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource);
     }
 }
diff --git a/src/Microsoft.AspNetCore.Authorization.Policy/PolicyEvaluator.cs b/src/Microsoft.AspNetCore.Authorization.Policy/PolicyEvaluator.cs
@@ -67,17 +67,21 @@ public virtual async Task<AuthenticateResult> AuthenticateAsync(AuthorizationPol
         /// <param name="policy">The <see cref="AuthorizationPolicy"/>.</param>
         /// <param name="authenticationResult">The result of a call to <see cref="AuthenticateAsync(AuthorizationPolicy, HttpContext)"/>.</param>
         /// <param name="context">The <see cref="HttpContext"/>.</param>
+        /// <param name="resource">
+        /// An optional resource the policy should be checked with.
+        /// If a resource is not required for policy evaluation you may pass null as the value.
+        /// </param>
         /// <returns>Returns <see cref="PolicyAuthorizationResult.Success"/> if authorization succeeds.
         /// Otherwise returns <see cref="PolicyAuthorizationResult.Forbid"/> if <see cref="AuthenticateResult.Succeeded"/>, otherwise
         /// returns  <see cref="PolicyAuthorizationResult.Challenge"/></returns>
-        public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context)
+        public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource)
         {
             if (policy == null)
             {
                 throw new ArgumentNullException(nameof(policy));
             }
 
-            var result = await _authorization.AuthorizeAsync(context.User, context, policy);
+            var result = await _authorization.AuthorizeAsync(context.User, resource, policy);
             if (result.Succeeded)
             {
                 return PolicyAuthorizationResult.Success();
diff --git a/test/Microsoft.AspNetCore.Authorization.Test/PolicyEvaluatorTests.cs b/test/Microsoft.AspNetCore.Authorization.Test/PolicyEvaluatorTests.cs
@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Claims;
@@ -18,7 +19,7 @@ public class PolicyEvaluatorTests
         public async Task AuthenticateFailsIfNoPrincipalReturned()
         {
             // Arrange
-            var evaluator = new PolicyEvaluator(new HappyAuthorization());
+            var evaluator = BuildEvaluator();
             var context = new DefaultHttpContext();
             var services = new ServiceCollection().AddSingleton<IAuthenticationService, SadAuthentication>();
             context.RequestServices = services.BuildServiceProvider();
@@ -35,7 +36,7 @@ public async Task AuthenticateFailsIfNoPrincipalReturned()
         public async Task AuthenticateMergeSchemes()
         {
             // Arrange
-            var evaluator = new PolicyEvaluator(new HappyAuthorization());
+            var evaluator = BuildEvaluator();
             var context = new DefaultHttpContext();
             var services = new ServiceCollection().AddSingleton<IAuthenticationService, EchoAuthentication>();
             context.RequestServices = services.BuildServiceProvider();
@@ -54,29 +55,47 @@ public async Task AuthenticateMergeSchemes()
         public async Task AuthorizeSucceedsEvenIfAuthenticationFails()
         {
             // Arrange
-            var evaluator = new PolicyEvaluator(new HappyAuthorization());
+            var evaluator = BuildEvaluator();
             var context = new DefaultHttpContext();
             var policy = new AuthorizationPolicyBuilder().RequireAssertion(_ => true).Build();
 
             // Act
-            var result = await evaluator.AuthorizeAsync(policy, AuthenticateResult.Fail("Nooo"), context);
+            var result = await evaluator.AuthorizeAsync(policy, AuthenticateResult.Fail("Nooo"), context, resource: null);
 
             // Assert
             Assert.True(result.Succeeded);
             Assert.False(result.Challenged);
             Assert.False(result.Forbidden);
         }
 
+        [Fact]
+        public async Task AuthorizeSucceedsOnlyIfResourceSpecified()
+        {
+            // Arrange
+            var evaluator = BuildEvaluator();
+            var context = new DefaultHttpContext();
+            var policy = new AuthorizationPolicyBuilder().RequireAssertion(c => c.Resource != null).Build();
+            var success = AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(), "whatever"));
+
+            // Act
+            var result = await evaluator.AuthorizeAsync(policy, success, context, resource: null);
+            var result2 = await evaluator.AuthorizeAsync(policy, success, context, resource: new object());
+
+            // Assert
+            Assert.False(result.Succeeded);
+            Assert.True(result2.Succeeded);
+        }
+
         [Fact]
         public async Task AuthorizeChallengesIfAuthenticationFails()
         {
             // Arrange
-            var evaluator = new PolicyEvaluator(new SadAuthorization());
+            var evaluator = BuildEvaluator();
             var context = new DefaultHttpContext();
-            var policy = new AuthorizationPolicyBuilder().RequireAssertion(_ => true).Build();
+            var policy = new AuthorizationPolicyBuilder().RequireAssertion(_ => false).Build();
 
             // Act
-            var result = await evaluator.AuthorizeAsync(policy, AuthenticateResult.Fail("Nooo"), context);
+            var result = await evaluator.AuthorizeAsync(policy, AuthenticateResult.Fail("Nooo"), context, resource: null);
 
             // Assert
             Assert.False(result.Succeeded);
@@ -88,19 +107,30 @@ public async Task AuthorizeChallengesIfAuthenticationFails()
         public async Task AuthorizeForbidsIfAuthenticationSuceeds()
         {
             // Arrange
-            var evaluator = new PolicyEvaluator(new SadAuthorization());
+            var evaluator = BuildEvaluator();
             var context = new DefaultHttpContext();
-            var policy = new AuthorizationPolicyBuilder().RequireAssertion(_ => true).Build();
+            var policy = new AuthorizationPolicyBuilder().RequireAssertion(_ => false).Build();
 
             // Act
-            var result = await evaluator.AuthorizeAsync(policy, AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(), "scheme")), context);
+            var result = await evaluator.AuthorizeAsync(policy, AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(), "scheme")), context, resource: null);
 
             // Assert
             Assert.False(result.Succeeded);
             Assert.False(result.Challenged);
             Assert.True(result.Forbidden);
         }
 
+        private IPolicyEvaluator BuildEvaluator(Action<IServiceCollection> setupServices = null)
+        {
+            var services = new ServiceCollection()
+                .AddAuthorization()
+                .AddAuthorizationPolicyEvaluator()
+                .AddLogging()
+                .AddOptions();
+            setupServices?.Invoke(services);
+            return services.BuildServiceProvider().GetRequiredService<IPolicyEvaluator>();
+        }
+
         public class HappyAuthorization : IAuthorizationService
         {
             public Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements)

Original file line number	Diff line number	Diff line change
`@@ -67,17 +67,21 @@ public virtual async Task<AuthenticateResult> AuthenticateAsync(AuthorizationPol`
`67`	`67`	`/// <param name="policy">The <see cref="AuthorizationPolicy"/>.</param>`
`68`	`68`	`/// <param name="authenticationResult">The result of a call to <see cref="AuthenticateAsync(AuthorizationPolicy, HttpContext)"/>.</param>`
`69`	`69`	`/// <param name="context">The <see cref="HttpContext"/>.</param>`
	`70`	`+ /// <param name="resource">`
	`71`	`+ /// An optional resource the policy should be checked with.`
	`72`	`+ /// If a resource is not required for policy evaluation you may pass null as the value.`
	`73`	`+ /// </param>`
`70`	`74`	`/// <returns>Returns <see cref="PolicyAuthorizationResult.Success"/> if authorization succeeds.`
`71`	`75`	`/// Otherwise returns <see cref="PolicyAuthorizationResult.Forbid"/> if <see cref="AuthenticateResult.Succeeded"/>, otherwise`
`72`	`76`	`/// returns <see cref="PolicyAuthorizationResult.Challenge"/></returns>`
`73`		`- public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context)`
	`77`	`+ public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource)`
`74`	`78`	`{`
`75`	`79`	`if (policy == null)`
`76`	`80`	`{`
`77`	`81`	`throw new ArgumentNullException(nameof(policy));`
`78`	`82`	`}`
`79`	`83`
`80`		`- var result = await _authorization.AuthorizeAsync(context.User, context, policy);`
	`84`	`+ var result = await _authorization.AuthorizeAsync(context.User, resource, policy);`
`81`	`85`	`if (result.Succeeded)`
`82`	`86`	`{`
`83`	`87`	`return PolicyAuthorizationResult.Success();`