author | crupest <crupest@outlook.com> | 2020-11-12 21:38:43 +0800 |
---|---|---|
committer | crupest <crupest@outlook.com> | 2020-11-12 21:38:43 +0800 |
commit | e4c4a284571d51dcda373a0a1c047e634b17882d (patch) | |
tree | 2343fba4753576fd33a79e2f2d4fe1484e11f557 /BackEnd/Timeline/Auth | |
parent | b81a66ff49f5d9305108e92a009449ee5994862e (diff) | |
download | timeline-e4c4a284571d51dcda373a0a1c047e634b17882d.tar.gz timeline-e4c4a284571d51dcda373a0a1c047e634b17882d.tar.bz2 timeline-e4c4a284571d51dcda373a0a1c047e634b17882d.zip |
...
Diffstat (limited to 'BackEnd/Timeline/Auth')
-rw-r--r-- | BackEnd/Timeline/Auth/Attribute.cs | 21 | ||||
-rw-r--r-- | BackEnd/Timeline/Auth/MyAuthenticationHandler.cs | 9 | ||||
-rw-r--r-- | BackEnd/Timeline/Auth/PermissionAuthorizeAttribute.cs | 30 | ||||
-rw-r--r-- | BackEnd/Timeline/Auth/PermissionPolicyProvider.cs | 35 | ||||
-rw-r--r-- | BackEnd/Timeline/Auth/PrincipalExtensions.cs | 10 |
5 files changed, 76 insertions, 29 deletions
diff --git a/BackEnd/Timeline/Auth/Attribute.cs b/BackEnd/Timeline/Auth/Attribute.cs
deleted file mode 100644
index 86d0109b..00000000
--- a/BackEnd/Timeline/Auth/Attribute.cs
+++ /dev/null
@@ -1,21 +0,0 @@
-using Microsoft.AspNetCore.Authorization;
-using Timeline.Entities;
-
-namespace Timeline.Auth
-{
- public class AdminAuthorizeAttribute : AuthorizeAttribute
- {
- public AdminAuthorizeAttribute()
- {
- Roles = UserRoles.Admin;
- }
- }
-
- public class UserAuthorizeAttribute : AuthorizeAttribute
- {
- public UserAuthorizeAttribute()
- {
- Roles = UserRoles.User;
- }
- }
-}
diff --git a/BackEnd/Timeline/Auth/MyAuthenticationHandler.cs b/BackEnd/Timeline/Auth/MyAuthenticationHandler.cs
index 3c97c329..b5e22a14 100644
--- a/BackEnd/Timeline/Auth/MyAuthenticationHandler.cs
+++ b/BackEnd/Timeline/Auth/MyAuthenticationHandler.cs
@@ -17,6 +17,7 @@ namespace Timeline.Auth
{
public const string Scheme = "Bearer";
public const string DisplayName = "My Jwt Auth Scheme";
+ public const string PermissionClaimName = "Permission";
}
public class MyAuthenticationOptions : AuthenticationSchemeOptions
@@ -78,12 +79,12 @@ namespace Timeline.Auth
try
{
- var userInfo = await _userTokenManager.VerifyToken(token);
+ var user = await _userTokenManager.VerifyToken(token);
var identity = new ClaimsIdentity(AuthenticationConstants.Scheme);
- identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userInfo.Id!.Value.ToString(CultureInfo.InvariantCulture), ClaimValueTypes.Integer64));
- identity.AddClaim(new Claim(identity.NameClaimType, userInfo.Username, ClaimValueTypes.String));
- identity.AddClaims(UserRoleConvert.ToArray(userInfo.Administrator!.Value).Select(role => new Claim(identity.RoleClaimType, role, ClaimValueTypes.String)));
+ identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id.ToString(CultureInfo.InvariantCulture), ClaimValueTypes.Integer64));
+ identity.AddClaim(new Claim(identity.NameClaimType, user.Username, ClaimValueTypes.String));
+ identity.AddClaims(user.Permissions.Select(permission => new Claim(AuthenticationConstants.PermissionClaimName, permission.ToString(), ClaimValueTypes.String)));
var principal = new ClaimsPrincipal();
principal.AddIdentity(identity);
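Review bot: The identity built in this hunk no longer receives any role claim (the removed `UserRoleConvert` line was the only source of them), so a `[Authorize(Roles = ...)]` or `IsInRole` check that still exists outside this commit would now deny every user; the old `UserRoles` usages are worth grepping for before merging. The claim value is `permission.ToString()`, i.e. the enum member name, which is what the ordinal match in `ClaimsAuthorizationRequirement` on the provider side expects, so the two sides agree as long as nothing else changes the casing. The new constant in the first hunk deserves a summary such as `/// <summary>Claim type carrying one <see cref="UserPermission"/> member name per claim; consumed by <see cref="PermissionPolicyProvider"/> and <see cref="PrincipalExtensions.HasPermission"/>.</summary>`. The enclosing method starts and ends outside the hunk.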
diff --git a/BackEnd/Timeline/Auth/PermissionAuthorizeAttribute.cs b/BackEnd/Timeline/Auth/PermissionAuthorizeAttribute.cs
new file mode 100644
index 00000000..3df8dee5
--- /dev/null
+++ b/BackEnd/Timeline/Auth/PermissionAuthorizeAttribute.cs
@@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Authorization;
+using System;
+using System.Linq;
+using Timeline.Services;
+
+namespace Timeline.Auth
+{
+ public class PermissionAuthorizeAttribute : AuthorizeAttribute
+ {
+ public PermissionAuthorizeAttribute()
+ {
+
+ }
+
+ public PermissionAuthorizeAttribute(params UserPermission[] permissions)
+ {
+ Permissions = permissions;
+ }
+
+ public UserPermission[] Permissions
+ {
+ get => Policy == null ? Array.Empty<UserPermission>() : Policy[PermissionPolicyProvider.PolicyPrefix.Length..].Split(',')
+ .Select(s => Enum.Parse<UserPermission>(s)).ToArray();
+ set
+ {
+ Policy = $"{PermissionPolicyProvider.PolicyPrefix}{string.Join(',', value)}";
+ }
+ }
+ }
+}
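Review bot: The `Permissions` getter assumes `Policy` starts with `PolicyPrefix`, but `Policy` is a public settable property inherited from `AuthorizeAttribute`, so a value shorter than the prefix throws `ArgumentOutOfRangeException` from the range slice and a longer one without the prefix is mis-sliced and then fails inside `Enum.Parse`; guard with `Policy is { } p && p.StartsWith(PermissionPolicyProvider.PolicyPrefix, StringComparison.Ordinal)` before slicing, and use `Split(',', StringSplitOptions.RemoveEmptyEntries)` so a bare prefix yields an empty array. The setter turns an empty array into the policy name `Permission-`, which the provider parses into a requirement whose only allowed value is the empty string, so the endpoint denies everyone; mapping an empty array to `Policy = null` (the default policy) or rejecting it would be less surprising, and a null `value` currently surfaces as an `ArgumentNullException` from `string.Join` rather than a named argument check. An XML summary on the class, `/// Authorizes callers holding at least one of the listed permissions; encoded as the policy name "Permission-A,B" and resolved by PermissionPolicyProvider.`, would make the any-of semantics explicit to users of the attribute.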
diff --git a/BackEnd/Timeline/Auth/PermissionPolicyProvider.cs b/BackEnd/Timeline/Auth/PermissionPolicyProvider.cs
new file mode 100644
index 00000000..12a4fcd5
--- /dev/null
+++ b/BackEnd/Timeline/Auth/PermissionPolicyProvider.cs
@@ -0,0 +1,35 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+using System;
+using System.Threading.Tasks;
+
+namespace Timeline.Auth
+{
+ public class PermissionPolicyProvider : IAuthorizationPolicyProvider
+ {
+ public const string PolicyPrefix = "Permission-";
+
+ public Task<AuthorizationPolicy> GetDefaultPolicyAsync()
+ {
+ return Task.FromResult(new AuthorizationPolicyBuilder(AuthenticationConstants.Scheme).RequireAuthenticatedUser().Build());
+ }
+
+ public Task<AuthorizationPolicy?> GetFallbackPolicyAsync()
+ {
+ return Task.FromResult<AuthorizationPolicy?>(null);
+ }
+
+ public Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
+ {
+ if (policyName.StartsWith(PolicyPrefix, StringComparison.OrdinalIgnoreCase))
+ {
+ var permissions = policyName[PolicyPrefix.Length..].Split(',');
+
+ var policy = new AuthorizationPolicyBuilder(AuthenticationConstants.Scheme);
+ policy.AddRequirements(new ClaimsAuthorizationRequirement(AuthenticationConstants.PermissionClaimName, permissions));
+ return Task.FromResult<AuthorizationPolicy?>(policy.Build());
+ }
+ return Task.FromResult<AuthorizationPolicy?>(null);
+ }
+ }
+}
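Review bot: `ClaimsAuthorizationRequirement` with several allowed values, as built in the `AddRequirements` line of `GetPolicyAsync`, is satisfied when the user holds a claim for any one of them, so `[PermissionAuthorize(A, B)]` means A-or-B rather than A-and-B; if every listed permission must be present, add one requirement per name, `foreach (var p in permissions) policy.AddRequirements(new ClaimsAuthorizationRequirement(AuthenticationConstants.PermissionClaimName, new[] { p }));`, and either way state the chosen semantics in an XML comment on `GetPolicyAsync`. Registering this class replaces `DefaultAuthorizationPolicyProvider`, so any policy added elsewhere through `AddAuthorization(options => options.AddPolicy(...))` would now resolve to null and fail at request time; the registration is not in this diff, so if such policies exist, delegate non-prefixed names to a `DefaultAuthorizationPolicyProvider` instance instead of returning null. The names sliced from the policy are not validated, which fails closed (an unknown name is a requirement no claim can satisfy), but the prefix check uses `OrdinalIgnoreCase` while the value match inside the requirement is ordinal and case-sensitive; `StringComparison.Ordinal` on the prefix keeps the two consistent with the exact-match names the attribute produces.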
diff --git a/BackEnd/Timeline/Auth/PrincipalExtensions.cs b/BackEnd/Timeline/Auth/PrincipalExtensions.cs
index ad7a887f..9f86e8ac 100644
--- a/BackEnd/Timeline/Auth/PrincipalExtensions.cs
+++ b/BackEnd/Timeline/Auth/PrincipalExtensions.cs
@@ -1,13 +1,15 @@
-using System.Security.Principal;
-using Timeline.Entities;
+using System;
+using System.Security.Claims;
+using Timeline.Services;
namespace Timeline.Auth
{
internal static class PrincipalExtensions
{
- internal static bool IsAdministrator(this IPrincipal principal)
+ internal static bool HasPermission(this ClaimsPrincipal principal, UserPermission permission)
{
- return principal.IsInRole(UserRoles.Admin);
+ return principal.HasClaim(
+ claim => claim.Type == AuthenticationConstants.PermissionClaimName && string.Equals(claim.Value, permission.ToString(), StringComparison.InvariantCultureIgnoreCase));
}
}
}
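Review bot: The value comparison in `HasPermission` uses `StringComparison.InvariantCultureIgnoreCase`, while the `ClaimsAuthorizationRequirement` that `PermissionPolicyProvider` builds for the same claim matches values ordinally and case-sensitively, so a casing difference in a stored permission name would pass this helper and fail the policy (or vice versa); permission names are identifiers, so `StringComparison.Ordinal` is the right choice here (or `OrdinalIgnoreCase` on both sides if case folding is intended). The body can shrink to `return principal.HasClaim(AuthenticationConstants.PermissionClaimName, permission.ToString());`, whose overload compares the type case-insensitively and the value ordinally, which also replaces the case-sensitive `claim.Type ==` that differs from how the framework matches claim types. A one-line summary, `/// True when <paramref name="principal"/> carries a Permission claim for <paramref name="permission"/>.`, would document the helper.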