Merge pull request #6 from fmichellonet/features/Authorize_on_roles

Support role and policy

Author: fmichellonet

src/AzureFunctions.Extensions.OpenIDConnect.Tests/AuthorizationServiceShould.cs

@@ -0,0 +1,55 @@
+using System;
+using System.Collections.Generic;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using AzureFunctions.Extensions.OpenIDConnect.Configuration;
+using FluentAssertions;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+using Microsoft.Azure.WebJobs.Host;
+using Microsoft.Extensions.DependencyInjection;
+using NSubstitute;
+using NUnit.Framework;
+
+namespace AzureFunctions.Extensions.OpenIDConnect.Tests
+{
+    [TestFixture]
+    public class AuthorizationServiceShould
+    {
+        
+        [TestCase("locale", "fr", "fr", true)]
+        [TestCase("locale", "it", "fr", false)]
+        public async Task ApplyPolicyRequirements(string claimType, string claimValue, string claimRequiredValue, bool isAuthorized)
+        {
+            // Arrange
+            var policyName = "my policy";
+            var localeClaim = new Claim(claimType, claimValue);
+             
+            var collection = ServiceCollectionFixture.MinimalAzFunctionsServices();
+
+            collection.AddOpenIDConnect(builder =>
+            {
+                builder.SetIssuerBaseUrlConfiguration("https://issuer.com/");
+                builder.SetTokenValidation("issuer", "audience");
+                builder.SetTypeCrawler(() => new Type[] { });
+                builder.AddPolicy(policyName, policy => policy.Requirements.Add(new ClaimsAuthorizationRequirement(claimType, new []{ claimRequiredValue }) ));
+            });
+            
+            var provider = collection.BuildServiceProvider();
+
+            var retriever = provider.GetService<IAuthorizationRequirementsRetriever>();
+            var authorizationService = provider.GetService<IAuthorizationService>();
+
+            var user = Substitute.For<ClaimsPrincipal>();
+            user.Claims.Returns(new List<Claim> {localeClaim});
+            
+            
+            // Act
+            var requirements = retriever.ForAttribute(new AuthorizeAttribute(policyName));
+            var authResult = await authorizationService.AuthorizeAsync(user, null, requirements);
+
+            // Assert
+            authResult.Succeeded.Should().Be(isAuthorized);
+        }
+    }
+}

src/AzureFunctions.Extensions.OpenIDConnect.Tests/AzureFunctions.Extensions.OpenIDConnect.Tests.csproj

@@ -8,6 +8,7 @@
     <PackageReference Include="FluentAssertions" Version="5.10.3" />
     <PackageReference Include="Microsoft.Azure.WebJobs" Version="3.0.25" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.8.3" />
+    <PackageReference Include="NSubstitute" Version="4.2.2" />
     <PackageReference Include="NUnit" Version="3.13.1" />
     <PackageReference Include="NUnit3TestAdapter" Version="3.17.0" />
   </ItemGroup>

src/AzureFunctions.Extensions.OpenIDConnect.Tests/DependencyInjectionShould.cs

@@ -13,7 +13,7 @@ public class DependencyInjectionShould
         [Test]
         public void Be_Resolvable()
         {
-            var collection = new ServiceCollection();
+            var collection = ServiceCollectionFixture.MinimalAzFunctionsServices();
             collection.AddOpenIDConnect(builder =>
             {
                 builder.SetIssuerBaseUrlConfiguration("https://issuer.com/");

src/AzureFunctions.Extensions.OpenIDConnect.Tests/PolicyBuilderShould.cs

@@ -0,0 +1,29 @@
+using System;
+using FluentAssertions;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+using NUnit.Framework;
+
+namespace AzureFunctions.Extensions.OpenIDConnect.Tests
+{
+    [TestFixture]
+    public class PolicyBuilderShould
+    {
+        [Test]
+        public void Register_Created_Policies()
+        {
+            // Arrange
+            var claim = new ClaimsAuthorizationRequirement("locale", new[] {"fr"});
+            Action<AuthorizationPolicyBuilder> configurePolicy = policyBuilder => policyBuilder.Requirements.Add(claim);
+            var policyBuilder = new AuthorizationPolicyBuilder();
+
+            // Act
+            configurePolicy(policyBuilder);
+            var res = policyBuilder.Build();
+
+            // Assert
+            res.Requirements.Should().HaveCount(1);
+            res.Requirements.Should().BeEquivalentTo(claim);
+        }
+    }
+}

src/AzureFunctions.Extensions.OpenIDConnect.Tests/RouteGuardianShould.cs

@@ -1,5 +1,4 @@
-using System.Threading.Tasks;
-using FluentAssertions;
+using FluentAssertions;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
@@ -17,65 +16,65 @@ namespace AzureFunctions.Extensions.OpenIDConnect.Tests
     public class RouteGuardianShould
     {
         [Test]
-        public async Task Not_Authorize_When_Not_HttpTrigger()
+        public void Not_Authorize_When_Not_HttpTrigger()
         {
             // Arrange
             var guardian = new RouteGuardian(() => new List<Type>{ typeof(Not_HttpTrigger) });
 
             // Act
-            var result = await guardian.ShouldAuthorize("Not_HttpTrigger");
+            var result = guardian.IsProtectedRoute("Not_HttpTrigger");
 
             // Assert
             result.Should().Be(false);
         }
 
         [Test]
-        public async Task Not_Authorize_When_No_Authorize_Attribute_On_Method_And_Type()
+        public void Not_Authorize_When_No_Authorize_Attribute_On_Method_And_Type()
         {
             // Arrange
             var guardian = new RouteGuardian(() => new List<Type> { typeof(No_Authorize_Attribute_On_Method_And_Type) });
 
             // Act
-            var result = await guardian.ShouldAuthorize("No_Authorize_Attribute_On_Method_And_Type");
+            var result = guardian.IsProtectedRoute("No_Authorize_Attribute_On_Method_And_Type");
 
             // Assert
             result.Should().Be(false);
         }
 
         [Test]
-        public async Task Authorize_When_Authorize_Attribute_Is_On_Method()
+        public void Authorize_When_Authorize_Attribute_Is_On_Method()
         {
             // Arrange
             var guardian = new RouteGuardian(() => new List<Type> { typeof(Authorize_Attribute_Is_On_Method) });
 
             // Act
-            var result = await guardian.ShouldAuthorize("Authorize_Attribute_Is_On_Method");
+            var result = guardian.IsProtectedRoute("Authorize_Attribute_Is_On_Method");
 
             // Assert
             result.Should().Be(true);
         }
 
         [Test]
-        public async Task Authorize_When_Authorize_Attribute_Is_On_Class()
+        public void Authorize_When_Authorize_Attribute_Is_On_Class()
         {
             // Arrange
             var guardian = new RouteGuardian(() => new List<Type> { typeof(Authorize_Attribute_Is_On_Class) });
 
             // Act
-            var result = await guardian.ShouldAuthorize("Authorize_Attribute_Is_On_Class");
+            var result = guardian.IsProtectedRoute("Authorize_Attribute_Is_On_Class");
 
             // Assert
             result.Should().Be(true);
         }
 
         [Test]
-        public async Task NotAuthorize_When_Authorize_Attribute_Is_On_Class_But_AllowAnonimous_On_Method()
+        public void NotAuthorize_When_Authorize_Attribute_Is_On_Class_But_AllowAnonimous_On_Method()
         {
             // Arrange
             var guardian = new RouteGuardian(() => new List<Type> { typeof(Attribute_Is_On_Class_But_AllowAnonimous_On_Method) });
 
             // Act
-            var result = await guardian.ShouldAuthorize("Attribute_Is_On_Class_But_AllowAnonimous_On_Method");
+            var result = guardian.IsProtectedRoute("Attribute_Is_On_Class_But_AllowAnonimous_On_Method");
 
             // Assert
             result.Should().Be(false);

src/AzureFunctions.Extensions.OpenIDConnect.Tests/ServiceCollectionFixture.cs

@@ -0,0 +1,28 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using NSubstitute;
+
+namespace AzureFunctions.Extensions.OpenIDConnect.Tests
+{
+    public static class ServiceCollectionFixture
+    {
+        public static ServiceCollection MinimalAzFunctionsServices(ServiceCollection collection = null)
+        {
+            collection ??= new ServiceCollection();
+
+            collection.AddSingleton<IAuthorizationHandlerContextFactory, DefaultAuthorizationHandlerContextFactory>();
+            collection.AddSingleton<IAuthorizationEvaluator, DefaultAuthorizationEvaluator>();
+
+            var authorizationOptions = Substitute.For<IOptions<AuthorizationOptions>>();
+            authorizationOptions.Value.Returns(new AuthorizationOptions { InvokeHandlersAfterFailure = false });
+            collection.AddSingleton(authorizationOptions);
+
+            var logger = Substitute.For<ILogger<DefaultAuthorizationService>>();
+            collection.AddSingleton<ILogger<DefaultAuthorizationService>>(logger);
+
+            return collection;
+        }
+    }
+}

src/AzureFunctions.Extensions.OpenIDConnect/AuthorizationRequierementsRetriever.cs

@@ -0,0 +1,52 @@
+using System;
+using System.Collections.Generic;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace AzureFunctions.Extensions.OpenIDConnect
+{
+    public class AuthorizationRequirementsRetriever : IAuthorizationRequirementsRetriever
+    {
+        private readonly IDictionary<string, AuthorizationPolicy> _policyMap;
+
+        public AuthorizationRequirementsRetriever(IDictionary<string, AuthorizationPolicy> policyMap)
+        {
+            _policyMap = policyMap;
+        }
+
+        public IEnumerable<IAuthorizationRequirement> ForAttribute(AuthorizeAttribute attribute)
+        {
+            if (!string.IsNullOrEmpty(attribute.Roles))
+            {
+                return ForRoleAttribute(attribute);
+            }
+
+            if (!string.IsNullOrEmpty(attribute.Policy))
+            {
+                return ForPolicyAttribute(attribute);
+            }
+
+            return null;
+        }
+
+        private IEnumerable<IAuthorizationRequirement> ForRoleAttribute(AuthorizeAttribute attribute)
+        {
+            var requirements = new List<RolesAuthorizationRequirement>
+            {
+                new RolesAuthorizationRequirement(attribute.Roles.Split(','))
+            };
+
+            return requirements;
+        }
+
+        private IEnumerable<IAuthorizationRequirement> ForPolicyAttribute(AuthorizeAttribute attribute)
+        {
+            if (!_policyMap.ContainsKey(attribute.Policy))
+            {
+                throw new ArgumentException($"{attribute.Policy} policy has not been registered");
+            }
+
+            return _policyMap[attribute.Policy].Requirements;
+        }
+    }
+}

src/AzureFunctions.Extensions.OpenIDConnect/AuthorizeFilter.cs

@@ -1,4 +1,6 @@
-namespace AzureFunctions.Extensions.OpenIDConnect
+using Microsoft.AspNetCore.Authorization;
+
+namespace AzureFunctions.Extensions.OpenIDConnect
 {
     using System.Net;
     using System.Threading;
@@ -11,28 +13,49 @@ public class AuthorizeFilter : FunctionInvocationFilterAttribute
         private readonly IHttpContextAccessor _httpContextAccessor;
         private readonly IAuthenticationService _authenticationService;
         private readonly IRouteGuardian _routeGuardian;
+        private readonly IAuthorizationService _authorizationService;
+        private readonly IAuthorizationRequirementsRetriever _requirementsRetriever;
 
-        public AuthorizeFilter(IHttpContextAccessor httpContextAccessor, IAuthenticationService authenticationService, IRouteGuardian routeGuardian)
+        public AuthorizeFilter(IHttpContextAccessor httpContextAccessor, 
+            IAuthenticationService authenticationService, IRouteGuardian routeGuardian,
+            IAuthorizationService authorizationService, IAuthorizationRequirementsRetriever requirementsRetriever)
         {
             _httpContextAccessor = httpContextAccessor;
             _authenticationService = authenticationService;
             _routeGuardian = routeGuardian;
+            _authorizationService = authorizationService;
+            _requirementsRetriever = requirementsRetriever;
         }
 
         public override async Task OnExecutingAsync(FunctionExecutingContext executingContext, CancellationToken cancellationToken)
         {
-            if (await _routeGuardian.ShouldAuthorize(executingContext.FunctionName))
+            if (_routeGuardian.IsProtectedRoute(executingContext.FunctionName))
             {
                 var httpContext = _httpContextAccessor.HttpContext;
 
                 // Authenticate the user
-                var authResult = await _authenticationService.AuthenticateAsync(httpContext.Request.Headers);
-
-                if (authResult.Failed)
+                var authenticationResult = await _authenticationService.AuthenticateAsync(httpContext.Request.Headers);
+                
+                if (authenticationResult.Failed)
                 {
                     await Unauthorized(httpContext, cancellationToken);
                     return;
                 }
+
+                httpContext.User = authenticationResult.User;
+
+                var attribute = _routeGuardian.GetAuthorizationConfiguration(executingContext.FunctionName);
+                var requirements = _requirementsRetriever.ForAttribute(attribute);
+
+                if (requirements != null)
+                {
+                    var authorizationResult = await _authorizationService.AuthorizeAsync(httpContext.User, null, requirements);
+                    if (!authorizationResult.Succeeded)
+                    {
+                        await Forbidden(httpContext, authorizationResult.Failure, cancellationToken);
+                    }
+                }
+                
             }
             await base.OnExecutingAsync(executingContext, cancellationToken);
         }
@@ -42,5 +65,11 @@ private async Task Unauthorized(HttpContext httpContext, CancellationToken cance
             httpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
             await httpContext.Response.WriteAsync(string.Empty, cancellationToken);
         }
+
+        private async Task Forbidden(HttpContext httpContext, AuthorizationFailure failure, CancellationToken cancellationToken)
+        {
+            httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+            await httpContext.Response.WriteAsync(failure.FailedRequirements.ToString(), cancellationToken);
+        }
     }
 }