1. Overview

ASP.NET Core provides authorization based on roles (Role), claims (Claim) and policies (Policy). A real application may instead need to authorize by department (Department; this article uses user groups, Group), position (for which Role can still be used) and permission (Permission). Customizing IAuthorizationPolicyProvider alone is not enough to get there. This article achieves it by customizing IApplicationModelProvider.
2. PermissionAuthorizeAttribute : IPermissionAuthorizeData

The AuthorizeAttribute class implements the IAuthorizeData interface:

```csharp
namespace Microsoft.AspNetCore.Authorization
{
    public interface IAuthorizeData
    {
        string Policy { get; set; }
        string Roles { get; set; }
        string AuthenticationSchemes { get; set; }
    }
}
```
AuthorizeAttribute is used in one of the following forms:

```csharp
[Authorize]
[Authorize("SomePolicy")]
[Authorize(Roles = "角色1,角色2")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
```
The parameters can of course be combined. The semantics are: the values of Roles and AuthenticationSchemes are separated by an ASCII (half-width) comma and are combined with Or; multiple Authorize attributes are combined with And; and when Policy, Roles and AuthenticationSchemes are used together on one attribute, they are also combined with And.
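The following is an added example, not code from the original article: it builds the same combined policy MVC builds for a stack of [Authorize] attributes (via the public AuthorizationPolicy.CombineAsync) and evaluates it against a constructed principal, so the Or-within-an-attribute and And-across-attributes semantics described above can be observed directly. It assumes the Microsoft.AspNetCore.Authorization, Microsoft.Extensions.DependencyInjection and Microsoft.Extensions.Logging packages of the ASP.NET Core 2.x shared framework; the class and method names (AuthorizeSemanticsDemo, IsAllowedAsync, PrincipalWithRoles) and the test principal are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Added example (not from the article): evaluates the policy MVC would build
// for a stack of [Authorize] attributes against a constructed principal.
public static class AuthorizeSemanticsDemo
{
    // Builds the combined policy the same way MVC does (AuthorizationPolicy.CombineAsync)
    // and asks the authorization service whether 'user' satisfies it.
    public static async Task<bool> IsAllowedAsync(ClaimsPrincipal user, IEnumerable<IAuthorizeData> attributes)
    {
        var services = new ServiceCollection();
        services.AddOptions();
        services.AddLogging();            // DefaultAuthorizationService needs an ILogger
        services.AddAuthorizationCore();  // registers DefaultAuthorizationPolicyProvider and IAuthorizationService
        using (var provider = services.BuildServiceProvider())
        {
            var policyProvider = provider.GetRequiredService<IAuthorizationPolicyProvider>();
            var policy = await AuthorizationPolicy.CombineAsync(policyProvider, attributes);
            var authorization = provider.GetRequiredService<IAuthorizationService>();
            var result = await authorization.AuthorizeAsync(user, resource: null, policy: policy);
            return result.Succeeded;
        }
    }

    // Constructed test principal: authenticated (non-null authenticationType) with the given role claims.
    public static ClaimsPrincipal PrincipalWithRoles(params string[] roles)
    {
        var identity = new ClaimsIdentity("Test");
        foreach (var role in roles)
        {
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        }
        return new ClaimsPrincipal(identity);
    }

    public static async Task Main()
    {
        var bob = PrincipalWithRoles("角色1");

        // One attribute listing two roles: Or. Bob holds 角色1, so the policy is satisfied.
        var orRoles = new[] { new AuthorizeAttribute { Roles = "角色1,角色2" } };
        Console.WriteLine($"Roles=\"角色1,角色2\" -> {await IsAllowedAsync(bob, orRoles)}");

        // Two stacked attributes: And. Bob does not hold 角色3, so the combined policy fails.
        var stacked = new[]
        {
            new AuthorizeAttribute { Roles = "角色1,角色2" },
            new AuthorizeAttribute { Roles = "角色3" },
        };
        Console.WriteLine($"two attributes -> {await IsAllowedAsync(bob, stacked)}");
    }
}
```

The design point worth noticing is that CombineAsync produces a single policy whose requirements are each an Or over the comma-separated list, while the requirements themselves must all pass; that is where the And across attributes comes from.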
To extend AuthorizeAttribute, first extend IAuthorizeData with the new properties:

```csharp
public interface IPermissionAuthorizeData : IAuthorizeData
{
    string Groups { get; set; }
    string Permissions { get; set; }
}
```
Then define the attribute:

```csharp
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class PermissionAuthorizeAttribute : Attribute, IPermissionAuthorizeData
{
    public string Policy { get; set; }
    public string Roles { get; set; }
    public string AuthenticationSchemes { get; set; }
    public string Groups { get; set; }
    public string Permissions { get; set; }
}
```
It can now be applied to a Controller or Action like this:

```csharp
[PermissionAuthorize(Roles = "经理,副经理")]
[PermissionAuthorize(Groups = "研发部,生产部", Roles = "经理")]
[PermissionAuthorize(Groups = "研发部,生产部", Roles = "经理", Permissions = "请假审批")]
```
The data is now in place; the next step is extracting it, which is done by extending AuthorizationApplicationModelProvider.
3. PermissionAuthorizationApplicationModelProvider : IApplicationModelProvider

The job of the AuthorizationApplicationModelProvider class is to build AuthorizeFilter objects and put them into the Filters property of each ControllerModel or ActionModel. Concretely, it first collects the attributes on the Controller and Action that implement IAuthorizeData; if the registered policy provider is the default DefaultAuthorizationPolicyProvider, it first creates an AuthorizationPolicy object and passes it to the AuthorizeFilter constructor. The AuthorizationPolicy is created by the static method public static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData) on AuthorizationPolicy. That static method parses the IAuthorizeData data but knows nothing about IPermissionAuthorizeData.
Because AuthorizationApplicationModelProvider depends on the static AuthorizationPolicy.CombineAsync method, there is no choice but to write a similar PermissionAuthorizationApplicationModelProvider class and implement a CombineAsync method inside it. Whether that method really belongs in this class is a question left aside for now.
```csharp
// Both methods are members of PermissionAuthorizationApplicationModelProvider.
public static AuthorizeFilter GetFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authData)
{
    if (policyProvider.GetType() == typeof(DefaultAuthorizationPolicyProvider))
    {
        // Default provider: resolve the policy now and hand a ready-made policy to the filter.
        var policy = CombineAsync(policyProvider, authData).GetAwaiter().GetResult();
        return new AuthorizeFilter(policy);
    }
    else
    {
        // Custom provider: the filter resolves the policy itself at request time.
        return new AuthorizeFilter(policyProvider, authData);
    }
}

private static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
{
    if (policyProvider == null)
    {
        throw new ArgumentNullException(nameof(policyProvider));
    }

    if (authorizeData == null)
    {
        throw new ArgumentNullException(nameof(authorizeData));
    }

    var policyBuilder = new AuthorizationPolicyBuilder();
    var any = false;
    foreach (var authorizeDatum in authorizeData)
    {
        any = true;
        var useDefaultPolicy = true;
        if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy))
        {
            var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy);
            if (policy == null)
            {
                throw new InvalidOperationException(nameof(authorizeDatum.Policy));
            }
            policyBuilder.Combine(policy);
            useDefaultPolicy = false;
        }

        var rolesSplit = authorizeDatum.Roles?.Split(',');
        if (rolesSplit != null && rolesSplit.Any())
        {
            var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
            policyBuilder.RequireRole(trimmedRolesSplit);
            useDefaultPolicy = false;
        }

        // Extension over AuthorizationPolicy.CombineAsync: Groups and Permissions
        // become claim requirements on the "Group" and "Permission" claim types.
        if (authorizeDatum is IPermissionAuthorizeData permissionAuthorizeDatum)
        {
            var groupsSplit = permissionAuthorizeDatum.Groups?.Split(',');
            if (groupsSplit != null && groupsSplit.Any())
            {
                var trimmedGroupsSplit = groupsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
                policyBuilder.RequireClaim("Group", trimmedGroupsSplit);
                useDefaultPolicy = false;
            }

            var permissionsSplit = permissionAuthorizeDatum.Permissions?.Split(',');
            if (permissionsSplit != null && permissionsSplit.Any())
            {
                var trimmedPermissionsSplit = permissionsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
                policyBuilder.RequireClaim("Permission", trimmedPermissionsSplit);
                useDefaultPolicy = false;
            }
        }

        var authTypesSplit = authorizeDatum.AuthenticationSchemes?.Split(',');
        if (authTypesSplit != null && authTypesSplit.Any())
        {
            foreach (var authType in authTypesSplit)
            {
                if (!string.IsNullOrWhiteSpace(authType))
                {
                    policyBuilder.AuthenticationSchemes.Add(authType.Trim());
                }
            }
        }

        if (useDefaultPolicy)
        {
            policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
        }
    }

    return any ? policyBuilder.Build() : null;
}
```
The `if (authorizeDatum is IPermissionAuthorizeData permissionAuthorizeDatum)` branch is the extension over AuthorizationPolicy.CombineAsync; everything else is identical to AuthorizationApplicationModelProvider.
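The article shows only GetFilter and CombineAsync; the rest of the class, which walks the application model and attaches the filters, is left to the reader. The following added example (not the article's code) is my reconstruction of that part, modelled on the framework's own AuthorizationApplicationModelProvider in ASP.NET Core 2.x. It assumes GetFilter and CombineAsync from above are pasted into this same class, and that the class replaces the framework provider rather than being registered alongside it (otherwise every controller and action would get two AuthorizeFilter instances).

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.ApplicationModels;
using Microsoft.AspNetCore.Mvc.Authorization;

// Added example: the IApplicationModelProvider part of the class. GetFilter and
// CombineAsync from the article are assumed to be members of this class as well.
public class PermissionAuthorizationApplicationModelProvider : IApplicationModelProvider
{
    private readonly IAuthorizationPolicyProvider _policyProvider;

    public PermissionAuthorizationApplicationModelProvider(IAuthorizationPolicyProvider policyProvider)
    {
        _policyProvider = policyProvider ?? throw new ArgumentNullException(nameof(policyProvider));
    }

    // Same slot in the provider pipeline as the framework's AuthorizationApplicationModelProvider
    // (assumed from the 2.x source), so it runs after the default model provider has filled in
    // controllers and actions.
    public int Order => -1000 + 10;

    public void OnProvidersExecuted(ApplicationModelProviderContext context)
    {
        // Nothing to do once the other providers have run.
    }

    public void OnProvidersExecuting(ApplicationModelProviderContext context)
    {
        if (context == null)
        {
            throw new ArgumentNullException(nameof(context));
        }

        foreach (var controllerModel in context.Result.Controllers)
        {
            // PermissionAuthorizeAttribute implements IAuthorizeData through
            // IPermissionAuthorizeData, so this picks up [Authorize] and [PermissionAuthorize].
            var controllerAuthData = controllerModel.Attributes.OfType<IAuthorizeData>().ToArray();
            if (controllerAuthData.Length > 0)
            {
                controllerModel.Filters.Add(GetFilter(_policyProvider, controllerAuthData));
            }

            // [AllowAnonymous] keeps its usual meaning and overrides the authorize filters.
            if (controllerModel.Attributes.OfType<IAllowAnonymous>().Any())
            {
                controllerModel.Filters.Add(new AllowAnonymousFilter());
            }

            foreach (var actionModel in controllerModel.Actions)
            {
                var actionAuthData = actionModel.Attributes.OfType<IAuthorizeData>().ToArray();
                if (actionAuthData.Length > 0)
                {
                    actionModel.Filters.Add(GetFilter(_policyProvider, actionAuthData));
                }

                if (actionModel.Attributes.OfType<IAllowAnonymous>().Any())
                {
                    actionModel.Filters.Add(new AllowAnonymousFilter());
                }
            }
        }
    }

    // GetFilter(...) and CombineAsync(...) from section 3 belong here.
}
```

Because the filters are computed once at startup from the attributes, a missing or misspelled claim type in the attribute shows up as a denied request rather than a startup error; checking the built policy's requirements in a test (see the evaluation example in section 2) is the cheapest way to catch that.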
4. Startup

To register the PermissionAuthorizationApplicationModelProvider service, the AuthorizationApplicationModelProvider service has to be replaced after AddMvc:

```csharp
services.AddMvc();

var registeredServiceDescriptor = services.FirstOrDefault(s =>
    s.Lifetime == ServiceLifetime.Transient
    && s.ServiceType == typeof(IApplicationModelProvider)
    && s.ImplementationType == typeof(AuthorizationApplicationModelProvider));
if (registeredServiceDescriptor != null)
{
    services.Remove(registeredServiceDescriptor);
}
services.AddTransient<IApplicationModelProvider, PermissionAuthorizationApplicationModelProvider>();
```
Note: services.Replace is deliberately not used here, so that the descriptor being removed is guaranteed to be the AuthorizationApplicationModelProvider service and not another IApplicationModelProvider registration.
5. JWT example

```csharp
[Route("api/[controller]")]
[ApiController]
public class ValuesController : ControllerBase
{
    private readonly JwtSecurityTokenHandler _tokenHandler = new JwtSecurityTokenHandler();

    // Issues a token for a fixed sample user carrying role, Group and Permission claims.
    [HttpGet]
    [Route("SignIn")]
    public async Task<ActionResult<string>> SignIn()
    {
        var user = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "Bob"),
            new Claim(ClaimTypes.Role, "经理"),
            new Claim(ClaimTypes.Role, "副经理"),
            new Claim("Group", "研发部"),
            new Claim("Group", "生产部"),
            new Claim("Permission", "请假审批"),
            new Claim("Permission", "权限1"),
            new Claim("Permission", "权限2"),
        }, JwtBearerDefaults.AuthenticationScheme));

        // SignatureHelper is the sample's own helper (not shown in the article);
        // the literal key is for the sample only.
        var token = new JwtSecurityToken(
            "SignalRAuthenticationSample",
            "SignalRAuthenticationSample",
            user.Claims,
            expires: DateTime.UtcNow.AddDays(30),
            signingCredentials: SignatureHelper.GenerateSigningCredentials("1234567890123456"));

        return _tokenHandler.WriteToken(token);
    }

    // Requires a Group claim of 研发部 or 生产部, the 经理 role, and the 请假审批 permission.
    [HttpGet]
    [Route("Test")]
    [PermissionAuthorize(Groups = "研发部,生产部", Roles = "经理", Permissions = "请假审批")]
    public async Task<ActionResult<IEnumerable<string>>> Test()
    {
        var user = HttpContext.User;
        return new string[] { "value1", "value2" };
    }
}
```
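The sample controller issues a token but the article does not show the Startup side that validates it. The following added example (not the article's code) is a minimal Startup for that sample: it validates issuer, audience, lifetime and signature against the values SignIn() uses, makes the bearer scheme the default so that [PermissionAuthorize] without AuthenticationSchemes still sees the authenticated user, and includes the provider replacement from section 4. It assumes the sample's SignatureHelper.GenerateSigningCredentials produces HMAC credentials from the given string, that the app targets ASP.NET Core 2.x (UseMvc), and that the key would be loaded from configuration rather than a constant in a real deployment.

```csharp
using System;
using System.Linq;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc.ApplicationModels;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Added example: Startup wiring for the article's JWT sample.
public class Startup
{
    // Values taken from the sample's SignIn(). The HMAC key is assumed to be what
    // SignatureHelper.GenerateSigningCredentials uses; a real application loads it
    // from configuration or a secret store, never from a source constant.
    private const string Issuer = "SignalRAuthenticationSample";
    private const string Audience = "SignalRAuthenticationSample";
    private const string SigningKey = "1234567890123456";

    public void ConfigureServices(IServiceCollection services)
    {
        // Bearer is the default scheme: a [PermissionAuthorize] with Roles/Groups/Permissions
        // but no AuthenticationSchemes relies on the default scheme to populate HttpContext.User.
        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = Issuer,
                    ValidateAudience = true,
                    ValidAudience = Audience,
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SigningKey)),
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1),
                };
            });

        services.AddMvc();

        // Provider replacement from section 4 of the article.
        var registered = services.FirstOrDefault(s =>
            s.Lifetime == ServiceLifetime.Transient
            && s.ServiceType == typeof(IApplicationModelProvider)
            && s.ImplementationType == typeof(AuthorizationApplicationModelProvider));
        if (registered != null)
        {
            services.Remove(registered);
        }
        services.AddTransient<IApplicationModelProvider, PermissionAuthorizationApplicationModelProvider>();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC; otherwise AuthorizeFilter sees an anonymous user
        // and every [PermissionAuthorize] endpoint answers 401.
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

The custom "Group" and "Permission" claim types round-trip through the JWT unchanged; the role claims are written as "role" in the token and mapped back to ClaimTypes.Role by the default inbound claim type map, which is why RequireRole in CombineAsync still matches them.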
6. Problems

The AuthorizeFilter class explicitly implements the CreateInstance method of the IFilterFactory interface:

```csharp
IFilterMetadata IFilterFactory.CreateInstance(IServiceProvider serviceProvider)
{
    if (Policy != null || PolicyProvider != null)
    {
        return this;
    }

    Debug.Assert(AuthorizeData != null);
    var policyProvider = serviceProvider.GetRequiredService<IAuthorizationPolicyProvider>();
    return AuthorizationApplicationModelProvider.GetFilter(policyProvider, AuthorizeData);
}
```
Surprisingly, this depends on the static AuthorizationApplicationModelProvider.GetFilter method. Fortunately, when the AuthorizeFilter object is created through AuthorizeFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData) or AuthorizeFilter(AuthorizationPolicy policy), this has no ill effect: CreateInstance returns this as soon as Policy or PolicyProvider is set, so GetFilter is never reached.
7. Next steps

The form [PermissionAuthorize(Groups = "研发部,生产部", Roles = "经理", Permissions = "请假审批")] is still not flexible enough: even with several attributes, the And/Or combinations they can express will not cover every requirement. A Rule property could be added to IPermissionAuthorizeData to achieve something like this:

```csharp
[PermissionAuthorize(Rule = "(Groups:研发部,生产部)&&(Roles:请假审批||Permissions:超级权限)")]
```

and complex authorization decisions would then be computed from the Rule.
8. Could this be done with a custom IAuthorizationPolicyProvider instead?

Another option is a custom IAuthorizationPolicyProvider, but that also requires a custom AuthorizeFilter. When the registered provider is a custom IAuthorizationPolicyProvider rather than DefaultAuthorizationPolicyProvider, AuthorizationApplicationModelProvider (or the PermissionAuthorizationApplicationModelProvider defined above) creates the AuthorizeFilter through AuthorizeFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData) rather than AuthorizeFilter(AuthorizationPolicy policy). As a result, the AuthorizeFilter object indirectly calls the static AuthorizationPolicy.CombineAsync method during OnAuthorizationAsync:

AuthorizeFilter.OnAuthorizationAsync
-> AuthorizeFilter.GetEffectivePolicyAsync
-> AuthorizeFilter.ComputePolicyAsync
-> AuthorizationPolicy.CombineAsync

This is arguably a design flaw: the static AuthorizationPolicy.CombineAsync method should not exist in this form; even an IAuthorizationPolicyCombiner abstraction would be an improvement. Likewise, the static AuthorizationApplicationModelProvider.GetFilter method mentioned above is not good design either. We will have to wait for Microsoft to come around on this.