
Custom authorization based on dotnet core policy with Attribute filter

Around 2.5 years back I had written about custom authorization in MVC: Custom authorization on class, action/function, code, area level under Asp.Net MVC application. A few of the approaches used there have changed in the Core version of the framework. For instance, the authorization filter approach is discouraged because it cannot be unit tested. I believe this is the right step, but global or basic authorization can still be driven by an attribute: it keeps the code simple and focused on its primary objective rather than repeating the authorization check everywhere.

The overall approach and usage remain the same as in the original post; here we only look at making it compatible with dotnet Core MVC. You would need to go through the earlier post to understand the approach taken for authorizing a user.

The official documentation on policy-based authorization, https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies, explains the new approach.

In all, we need to create three things: a requirement (PermissionAuthorizationRequirement), a handler that performs the authorization check, and the AppAuthorizeAttribute attribute.

Creating policy requirement

This accepts the comparison type and the PermissionRule values required for authorization.

   /// <summary>  
   /// Permission authorization requirement.  
   /// </summary>  
   /// <seealso cref="IAuthorizationRequirement" />  
   public class PermissionAuthorizationRequirement  
     : Microsoft.AspNetCore.Authorization.IAuthorizationRequirement  
   {  
     /// <summary>  
     /// Gets or sets the comparison mode.  
     /// </summary>  
     /// <value>  
     /// The comparison mode.  
     /// </value>  
     public ComparisonType ComparisonMode { get; set; }  
     /// <summary>  
     /// Initializes a new instance of the <see cref="PermissionAuthorizationRequirement"/> class.  
     /// </summary>  
     public PermissionAuthorizationRequirement()  
     {  
       ComparisonMode = ComparisonType.All;  
     }  
     /// <summary>  
     /// Initializes a new instance of the <see cref="PermissionAuthorizationRequirement" /> class.  
     /// </summary>  
     /// <param name="permissions">The permissions.</param>  
     /// <param name="comparisonType">Type of the comparison.</param>  
     public PermissionAuthorizationRequirement(PermissionRule[] permissions, ComparisonType comparisonType)  
     {  
       Permissions = permissions;  
       ComparisonMode = comparisonType;  
     }  
     /// <summary>  
     /// Gets the permissions.  
     /// </summary>  
     /// <value>  
     /// The permissions.  
     /// </value>  
     public PermissionRule[] Permissions { get; private set; }  
   }  

Handler for authorization check of user

This authorizes the user by comparing the permissions saved in the DB against the permissions required to access the requested resource.

 using System.Linq;  
 /// <summary>  
 /// Permission authorization handler.  
 /// </summary>  
 /// <seealso cref="Microsoft.AspNetCore.Authorization.AuthorizationHandler{PermissionAuthorizationRequirement}" />  
 public class PermissionAuthorizationHandler  
 : Microsoft.AspNetCore.Authorization.AuthorizationHandler<PermissionAuthorizationRequirement>  
 {  
   public PermissionAuthorizationHandler(ISecurityUserRepository securityUserRepository)  
   {  
     // Dependency injection to get value from repository.  
     SecurityUserRepository = securityUserRepository;  
   }  
   /// <summary>  
   /// Gets the security user repository.  
   /// </summary>  
   /// <value>  
   /// The security user repository.  
   /// </value>  
   public ISecurityUserRepository SecurityUserRepository { get; }  
   /// <summary>  
   /// Makes a decision if authorization is allowed based on a specific requirement.  
   /// </summary>  
   /// <param name="context">The authorization context.</param>  
   /// <param name="requirement">The requirement to evaluate.</param>  
   /// <returns>Permission check for user based on Permission requirement.</returns>  
   /// <exception cref="ArgumentException">New comparison type need to be included</exception>  
   protected override async System.Threading.Tasks.Task HandleRequirementAsync(  
     Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context,  
     PermissionAuthorizationRequirement requirement)  
   {  
     // Not authenticated: leave the requirement unmet, the filter will challenge.  
     if (context.User.Identity?.IsAuthenticated != true)  
     {  
       return;  
     }  
     // Getting user id from claims; a missing or non-numeric id counts as a failed check.  
     if (!int.TryParse(context.User.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value, out int userId))  
     {  
       return;  
     }  
     // A requirement created without permissions (e.g. via the parameterless constructor)  
     // cannot be satisfied; fail closed instead of throwing a NullReferenceException below.  
     if (requirement.Permissions == null)  
     {  
       return;  
     }  
     // TODO: Implement caching for this  
     var userPermissions = await SecurityUserRepository.GetUserPermissions(userId);  
     var hasPermission = false;  
     switch (requirement.ComparisonMode)  
     {  
       case ComparisonType.All:  
         {  
           // Every required permission must be present in the user's permissions.  
           hasPermission = requirement.Permissions.All(reqPerm => userPermissions.Any(usrPerm => usrPerm == reqPerm));  
           break;  
         }  
       case ComparisonType.Any:  
         {  
           // At least one required permission must be present.  
           hasPermission = requirement.Permissions.Any(reqPerm => userPermissions.Any(usrPerm => usrPerm == reqPerm));  
           break;  
         }  
       default:  
         {  
           throw new System.ArgumentException("New comparison type need to be included");  
         }  
     }  
     if (hasPermission)  
     {  
       context.Succeed(requirement);  
     }  
   }  
 }  
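The reason the post prefers a policy handler over an authorization filter is that the handler can be unit tested without an HTTP pipeline. The xUnit test below is an added example, not code from the original post: it drives PermissionAuthorizationHandler from the post directly with an in-memory repository and constructed users, and checks the All and Any modes as well as the two deny paths (anonymous principal, non-numeric NameIdentifier claim). The post does not show ComparisonType, PermissionRule or ISecurityUserRepository, so the minimal definitions of those three at the top are assumptions (in particular that GetUserPermissions returns Task<IEnumerable<PermissionRule>>); the PermissionAuthorizationRequirement and PermissionAuthorizationHandler classes are assumed to be compiled into the same test project.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Xunit;

// Assumed supporting types (not shown in the post).
public enum ComparisonType { All, Any }
public enum PermissionRule { CanAddBlog, CanEditBlog, CanDeleteBlog }
public interface ISecurityUserRepository
{
    Task<IEnumerable<PermissionRule>> GetUserPermissions(int userId);
}

// In-memory stand-in for the database; the user/permission data is constructed for the test.
public sealed class FakeSecurityUserRepository : ISecurityUserRepository
{
    private readonly Dictionary<int, PermissionRule[]> _store = new Dictionary<int, PermissionRule[]>
    {
        [1] = new[] { PermissionRule.CanAddBlog },
        [2] = new[] { PermissionRule.CanAddBlog, PermissionRule.CanEditBlog },
    };

    public Task<IEnumerable<PermissionRule>> GetUserPermissions(int userId)
        => Task.FromResult<IEnumerable<PermissionRule>>(
            _store.TryGetValue(userId, out var permissions) ? permissions : new PermissionRule[0]);
}

public class PermissionAuthorizationHandlerTests
{
    // An authenticated principal: the identity carries an authentication type, so IsAuthenticated is true.
    private static ClaimsPrincipal UserWithId(string id)
        => new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.NameIdentifier, id) }, "TestAuth"));

    // Runs the post's handler against one requirement and reports whether it succeeded.
    private static async Task<bool> Authorize(ClaimsPrincipal user, ComparisonType mode, params PermissionRule[] required)
    {
        var requirement = new PermissionAuthorizationRequirement(required, mode);
        var context = new AuthorizationHandlerContext(new[] { requirement }, user, resource: null);
        var handler = new PermissionAuthorizationHandler(new FakeSecurityUserRepository());
        await handler.HandleAsync(context);
        return context.HasSucceeded;
    }

    [Fact]
    public async Task All_requires_every_listed_permission()
    {
        Assert.False(await Authorize(UserWithId("1"), ComparisonType.All, PermissionRule.CanAddBlog, PermissionRule.CanEditBlog));
        Assert.True(await Authorize(UserWithId("2"), ComparisonType.All, PermissionRule.CanAddBlog, PermissionRule.CanEditBlog));
    }

    [Fact]
    public async Task Any_requires_at_least_one_listed_permission()
    {
        Assert.True(await Authorize(UserWithId("1"), ComparisonType.Any, PermissionRule.CanAddBlog, PermissionRule.CanEditBlog));
        Assert.False(await Authorize(UserWithId("1"), ComparisonType.Any, PermissionRule.CanDeleteBlog));
    }

    [Fact]
    public async Task Anonymous_or_malformed_identity_is_denied()
    {
        // No authentication type, so IsAuthenticated is false and the repository is never consulted.
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());
        Assert.False(await Authorize(anonymous, ComparisonType.Any, PermissionRule.CanAddBlog));

        // Authenticated, but the NameIdentifier claim is not an int: the handler returns without succeeding.
        Assert.False(await Authorize(UserWithId("not-a-number"), ComparisonType.Any, PermissionRule.CanAddBlog));
    }
}
```

The handler never calls context.Fail(), so a test can only observe success or the absence of it; that matches the framework's model, where any other registered handler may still satisfy the requirement, and it is why the deny paths are asserted with Assert.False on HasSucceeded.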

Attribute filter for invoking implementation

This allows us to pass the permission rules and an optional ComparisonType for authorizing a user.

 using Microsoft.AspNetCore.Authorization;  
 using Microsoft.AspNetCore.Mvc;  
 using Microsoft.AspNetCore.Mvc.Filters;  
 using System;  
 using System.Threading.Tasks;  
 /// <summary>  
 /// Application authorization  
 /// </summary>  
 /// <seealso cref="TypeFilterAttribute" />  
 public sealed class AppAuthorizeAttribute  
   : TypeFilterAttribute  
 {  
   /// <summary>  
   /// Initializes a new instance of the <see cref="AppAuthorizeAttribute"/> class.  
   /// </summary>  
   /// <param name="permissions">The permissions.</param>  
   public AppAuthorizeAttribute(params PermissionRule[] permissions)  
     : base(typeof(AppAuthorizeExecuteAttribute))  
   {  
     Arguments = new[] { new PermissionAuthorizationRequirement(permissions, ComparisonType.All) };  
   }  
   /// <summary>  
   /// Initializes a new instance of the <see cref="AppAuthorizeAttribute"/> class.  
   /// </summary>  
   /// <param name="comparisonType">Type of the comparison.</param>  
   /// <param name="permissions">The permissions.</param>  
   public AppAuthorizeAttribute(ComparisonType comparisonType = ComparisonType.All, params PermissionRule[] permissions)  
     : base(typeof(AppAuthorizeExecuteAttribute))  
   {  
     Arguments = new[] { new PermissionAuthorizationRequirement(permissions, comparisonType) };  
   }  
   /// <summary>  
   /// App authorize execution.  
   /// </summary>  
   /// <seealso cref="Attribute" />  
   /// <seealso cref="IAsyncResourceFilter" />  
   private sealed class AppAuthorizeExecuteAttribute  
     : Attribute, IAsyncResourceFilter  
   {  
     /// <summary>  
     /// The authorization service  
     /// </summary>  
     private readonly IAuthorizationService AuthorizationService;  
     /// <summary>  
     /// The required permissions  
     /// </summary>  
     private readonly PermissionAuthorizationRequirement RequiredPermissions;  
     /// <summary>  
     /// Initializes a new instance of the <see cref="AppAuthorizeExecuteAttribute" /> class.  
     /// </summary>  
     /// <param name="requiredPermissions">The required permissions.</param>  
     /// <param name="authorizationService">The authorization service.</param>  
     public AppAuthorizeExecuteAttribute(  
           PermissionAuthorizationRequirement requiredPermissions,  
           IAuthorizationService authorizationService)  
     {  
       RequiredPermissions = requiredPermissions;  
       AuthorizationService = authorizationService;  
     }  
     /// <summary>  
     /// Called asynchronously before the rest of the pipeline.  
     /// </summary>  
     /// <param name="context">The <see cref="T:Microsoft.AspNetCore.Mvc.Filters.ResourceExecutingContext" />.</param>  
     /// <param name="next">The <see cref="T:Microsoft.AspNetCore.Mvc.Filters.ResourceExecutionDelegate" />. Invoked to execute the next resource filter or the remainder  
     /// of the pipeline.</param>  
     /// <returns>  
     /// A <see cref="T:System.Threading.Tasks.Task" /> which will complete when the remainder of the pipeline completes.  
     /// </returns>  
     public async Task OnResourceExecutionAsync(ResourceExecutingContext context, ResourceExecutionDelegate next)  
     {  
       var user = context.HttpContext.User;  
       // The requirement is evaluated directly, so the named policy is not needed here.  
       var authResult = await AuthorizationService.AuthorizeAsync(user, null, RequiredPermissions);  
       if (!authResult.Succeeded)  
       {  
         // Unauthenticated callers are challenged (sent to log in); authenticated callers that lack  
         // the permission are forbidden, so a logged-in user is not bounced back to the login page.  
         context.Result = user.Identity?.IsAuthenticated == true  
           ? (IActionResult)new ForbidResult()  
           : new ChallengeResult();  
         return;  
       }  
       await next();  
     }  
   }  
 }  

Registering handler and requirement in MVC

Multiple requirements could be added to a policy, but for our global one a single requirement is enough. The handler is registered as scoped so that it can take the scoped repository as a dependency.

 // In Startup.ConfigureServices(IServiceCollection services)  
 services.AddScoped<IAuthorizationHandler, PermissionAuthorizationHandler>();  
 services.AddAuthorization(options =>  
 {  
   options.AddPolicy("PermissionAuthorization", policy =>  
     policy.Requirements.Add(new PermissionAuthorizationRequirement()));  
 });  
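The handler above carries a "TODO: Implement caching for this" comment: every authorized request currently costs a repository round trip. Below is an added example of one way to close that TODO, not code from the post: a decorator around ISecurityUserRepository that memoizes a user's permission set in IMemoryCache for a short, bounded time, plus the matching registration. The interface shape (GetUserPermissions returning Task<IEnumerable<PermissionRule>>), the concrete SecurityUserRepository name and the 30-second default are assumptions. The security trade-off is that a revoked permission keeps working until the entry expires, so the TTL is kept short and an Invalidate method is provided for the admin path that changes a user's permissions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Extensions.Caching.Memory;

// Decorator that caches the permission set per user id. Assumed interface shape:
// Task<IEnumerable<PermissionRule>> GetUserPermissions(int userId).
public sealed class CachedSecurityUserRepository : ISecurityUserRepository
{
    private readonly ISecurityUserRepository _inner;
    private readonly IMemoryCache _cache;
    private readonly TimeSpan _ttl;

    public CachedSecurityUserRepository(ISecurityUserRepository inner, IMemoryCache cache, TimeSpan? ttl = null)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
        _cache = cache ?? throw new ArgumentNullException(nameof(cache));
        // The TTL bounds how long a revoked permission can still pass the handler (assumed default: 30 s).
        _ttl = ttl ?? TimeSpan.FromSeconds(30);
    }

    private static string Key(int userId) => "user-permissions:" + userId;

    public async Task<IEnumerable<PermissionRule>> GetUserPermissions(int userId)
    {
        if (_cache.TryGetValue(Key(userId), out PermissionRule[] cached))
        {
            return cached;
        }

        // Materialize to an array so the cached value is a snapshot, not a live query.
        var permissions = (await _inner.GetUserPermissions(userId)).ToArray();
        _cache.Set(Key(userId), permissions, new MemoryCacheEntryOptions
        {
            AbsoluteExpirationRelativeToNow = _ttl
        });
        return permissions;
    }

    // Call this wherever an administrator changes a user's permissions so the change
    // takes effect on the next request instead of after the TTL.
    public void Invalidate(int userId) => _cache.Remove(Key(userId));
}

// Registration in Startup.ConfigureServices(IServiceCollection services).
// SecurityUserRepository is the assumed name of the database-backed implementation.
//
//   services.AddMemoryCache();
//   services.AddScoped<SecurityUserRepository>();
//   services.AddScoped<ISecurityUserRepository>(sp => new CachedSecurityUserRepository(
//       sp.GetRequiredService<SecurityUserRepository>(),
//       sp.GetRequiredService<IMemoryCache>()));
//   services.AddScoped<IAuthorizationHandler, PermissionAuthorizationHandler>();
```

IMemoryCache is per process, so in a multi-instance deployment each instance holds its own copy and Invalidate only clears the local one; in that case either accept the TTL as the revocation bound or move the entries to a distributed cache.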

Usage

Applying authorization to an action is then straightforward.

 [AppAuthorize(ComparisonType.Any, PermissionRule.CanAddBlog, PermissionRule.CanEditBlog)]  
 public ActionResult ViewBlog()  
 {  
   return View();  
 }  

Authorization on code level

This is code on a custom BaseController for authorizing a specific area of code. It is the same as in the previous post, except that the new dotnet core custom policy is used.

 // AuthorizationService is the IAuthorizationService injected into the BaseController's constructor.  
 /// <summary>  
 /// Executes passed function once authorization is successful.  
 /// </summary>  
 /// <param name="func">The function.</param>  
 /// <param name="comparisonType">Type of the comparison.</param>  
 /// <param name="permissions">The permissions.</param>  
 /// <returns>Result based on passed function if authorization is successful.</returns>  
 public async Task<IActionResult> OnSuccessAuthAsync(  
     Func<IActionResult> func,  
     ComparisonType comparisonType,  
     params PermissionRule[] permissions)  
 {  
   var authResult = await AuthorizationService.AuthorizeAsync(  
     User, null, new PermissionAuthorizationRequirement(permissions, comparisonType));  
   if (authResult.Succeeded)  
   {  
     return func?.Invoke();  
   }  
   // Returns the AuthorizationResult as JSON with a 200 status; use Forbid() instead if the  
   // failed requirements should not be exposed to the client.  
   return Json(authResult);  
 }  
 /// <summary>  
 /// Executes passed function once authorization is successful.  
 /// </summary>  
 /// <param name="func">The function.</param>  
 /// <param name="permissions">The permissions.</param>  
 /// <returns>Result based on passed function if authorization is successful.</returns>  
 public async Task<IActionResult> OnSuccessAuthAsync(  
   Func<IActionResult> func,  
   params PermissionRule[] permissions)  
 {  
   return await OnSuccessAuthAsync(func, ComparisonType.All, permissions);  
 }  
