Add suport for asp.net core policies (CarterCommunity#193)

Author: jchannon

samples/CarterAndMVC/CarterAndMVC.csproj

@@ -3,6 +3,7 @@
     <TargetFramework>netcoreapp2.2</TargetFramework>
     <AssemblyName>CarterAndMVC</AssemblyName>
     <OutputType>Exe</OutputType>
+    <LangVersion>latest</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="2.2.0" />

src/Carter.csproj

@@ -16,6 +16,7 @@
     </PropertyGroup>
     <ItemGroup>
         <PackageReference Include="FluentValidation" Version="8.1.3" />
+        <PackageReference Include="Microsoft.AspNetCore.Authorization" Version="2.2.0" />
         <PackageReference Include="Microsoft.AspNetCore.Http.Extensions" Version="2.2.0" />
         <PackageReference Include="Microsoft.AspNetCore.Routing" Version="2.2.2" />
         <PackageReference Include="Microsoft.Extensions.DependencyModel" Version="2.1.0" />

src/CarterModuleSecurity.cs

@@ -4,6 +4,8 @@
     using System.Linq;
     using System.Security.Claims;
     using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Authorization;
+    using Microsoft.Extensions.DependencyInjection;
 
     /// <summary>
     /// <see cref="CarterModule"/> extensions to provide security mechanisms
@@ -23,6 +25,7 @@ public static void RequiresAuthentication(this CarterModule module)
                 {
                     context.Response.StatusCode = 401;
                 }
+
                 return Task.FromResult(authenticated);
             };
         }
@@ -42,8 +45,34 @@ public static void RequiresClaims(this CarterModule module, params Predicate<Cla
                 {
                     context.Response.StatusCode = 401;
                 }
+
                 return Task.FromResult(validClaims);
             };
         }
+
+        /// <summary>
+        /// A way to require policies for your <see cref="CarterModule"/>
+        /// </summary>
+        /// <param name="module">Current <see cref="CarterModule"/></param>
+        /// <param name="policyNames">The policies required for the routes in your <see cref="CarterModule"/></param>
+        public static void RequiresPolicy(this CarterModule module, params string[] policyNames)
+        {
+            module.RequiresAuthentication();
+            module.Before += async context =>
+            {
+                var authorizationService = context.RequestServices.GetRequiredService<IAuthorizationService>();
+                foreach (var policy in policyNames)
+                {
+                    var result = await authorizationService.AuthorizeAsync(context.User, policy);
+                    if (!result.Succeeded)
+                    {
+                        context.Response.StatusCode = 401;
+                        return false;
+                    }
+                }
+
+                return true;
+            };
+        }
     }
 }

test/Carter.Tests/Security/SecureMultiPolicyModule.cs

@@ -0,0 +1,14 @@
+namespace Carter.Tests.Security
+{
+    using Microsoft.AspNetCore.Http;
+
+    public class SecureMultiPolicyModule : CarterModule
+    {
+        public SecureMultiPolicyModule()
+        {
+            this.RequiresPolicy("reallysecurepolicy", "reallysecuresecondpolicy");
+
+            this.Get("/securemultipolicy", async (request, response, routeData) => { await response.WriteAsync("secure"); });
+        }
+    }
+}

test/Carter.Tests/Security/SecureSinglePolicyModule.cs

@@ -0,0 +1,14 @@
+namespace Carter.Tests.Security
+{
+    using Microsoft.AspNetCore.Http;
+
+    public class SecureSinglePolicyModule : CarterModule
+    {
+        public SecureSinglePolicyModule()
+        {
+            this.RequiresPolicy("reallysecurepolicy");
+
+            this.Get("/securepolicy", async (request, response, routeData) => { await response.WriteAsync("secure"); });
+        }
+    }
+}

test/Carter.Tests/Security/SecurityTests.cs

@@ -8,6 +8,7 @@
     using Microsoft.AspNetCore.Builder;
     using Microsoft.AspNetCore.Hosting;
     using Microsoft.AspNetCore.TestHost;
+    using Microsoft.Extensions.DependencyInjection;
     using Xunit;
 
     public class SecurityTests
@@ -20,9 +21,18 @@ private void ConfigureServer(bool authedUser = false, IEnumerable<Claim> claims
                 new WebHostBuilder()
                     .ConfigureServices(x =>
                     {
+                        x.AddAuthorization(options =>
+                        {
+                            options.AddPolicy("reallysecurepolicy", policy => { policy.RequireClaim(ClaimTypes.Actor); });
+                            options.AddPolicy("reallysecuresecondpolicy", policy => { policy.RequireClaim(ClaimTypes.Email); });
+                        });
+
                         x.AddCarter(configurator: c =>
                             c.WithModule<SecurityClaimsModule>()
-                             .WithModule<SecurityModule>());
+                                .WithModule<SecurityModule>()
+                                .WithModule<SecureSinglePolicyModule>()
+                                .WithModule<SecureMultiPolicyModule>()
+                        );
                     })
                     .Configure(x =>
                     {
@@ -65,6 +75,7 @@ public async Task Should_return_200_when_valid_claims()
         {
             //Given
             this.ConfigureServer(true, new[] { new Claim(ClaimTypes.Actor, "Christian Slater") });
+
             //When
             var response = await this.httpClient.GetAsync("/secureclaim");
             var body = response.StatusCode;
@@ -92,6 +103,7 @@ public async Task Should_return_401_when_invalid_claims()
         {
             //Given
             this.ConfigureServer(true, new[] { new Claim(ClaimTypes.Thumbprint, "Zebra") });
+
             //When
             var response = await this.httpClient.GetAsync("/secureclaim");
             var body = response.StatusCode;
@@ -105,6 +117,7 @@ public async Task Should_return_401_when_no_claims()
         {
             //Given
             this.ConfigureServer(true);
+
             //When
             var response = await this.httpClient.GetAsync("/secureclaim");
             var body = response.StatusCode;
@@ -118,12 +131,70 @@ public async Task Should_return_401_when_not_authed_user_but_module_requires_cla
         {
             //Given
             this.ConfigureServer();
+
             //When
             var response = await this.httpClient.GetAsync("/secureclaim");
             var body = response.StatusCode;
 
             //Then
             Assert.Equal(401, (int)body);
         }
+
+        [Fact]
+        public async Task Should_return_200_when_valid_policy()
+        {
+            //Given
+            this.ConfigureServer(authedUser: true, new[] { new Claim(ClaimTypes.Actor, "Nicholas Cage") });
+
+            //When
+            var response = await this.httpClient.GetAsync("/securepolicy");
+            var body = response.StatusCode;
+
+            //Then
+            Assert.Equal(200, (int)body);
+        }
+
+        [Fact]
+        public async Task Should_return_401_when_invalid_policy()
+        {
+            //Given
+            this.ConfigureServer(authedUser: true);
+
+            //When
+            var response = await this.httpClient.GetAsync("/securepolicy");
+            var body = response.StatusCode;
+
+            //Then
+            Assert.Equal(401, (int)body);
+        }
+
+        [Fact]
+        public async Task Should_return_200_when_valid_on_multiple_policies()
+        {
+            //Given
+            this.ConfigureServer(authedUser: true, new[] { new Claim(ClaimTypes.Actor, "Nicholas Cage"), new Claim(ClaimTypes.Email, "[email protected]") });
+
+            //When
+            var response = await this.httpClient.GetAsync("/securemultipolicy");
+            var body = response.StatusCode;
+
+            //Then
+            Assert.Equal(200, (int)body);
+        }
+        
+        [Fact]
+        public async Task Should_return_401_when_invalid_on_multiple_policies()
+        {
+            //Given
+            this.ConfigureServer(authedUser: true, new[] { new Claim(ClaimTypes.Actor, "Nicholas Cage") });
+
+            //When
+            var response = await this.httpClient.GetAsync("/securemultipolicy");
+            var body = response.StatusCode;
+
+            //Then
+            Assert.Equal(401, (int)body);
+        }
+
     }
 }

test/Directory.Build.props

@@ -1,7 +1,8 @@
 <Project>
     <PropertyGroup>
-        <TargetFramework>netcoreapp2.1</TargetFramework>
+        <TargetFramework>netcoreapp2.2</TargetFramework>
         <GenerateRuntimeConfigurationFiles>true</GenerateRuntimeConfigurationFiles>
+        <LangVersion>latest</LangVersion>
     </PropertyGroup>
     <ItemGroup>
         <PackageReference Include="Microsoft.AspNetCore.TestHost" Version="2.2.0" />