Add another policies if I have Admin policy

Question

I have a controller with authorize attribute:

Authorize(AuthorizationPolicies.Viewer)]
[HttpGet("retrieve/{id}")]
public ActionResult<ISomeInterface> Retrieve(int id)

And have authorization policies:

public static void AddViewerPolicy(AuthorizationOptions options)
{
    options.AddPolicy(AuthorizationPolicies.Viewer, p => BuildPolicy(p, Permissions.Viewer));
}

public static void AddAdminPolicy(AuthorizationOptions options)
{
    options.AddPolicy(AuthorizationPolicies.Admin, p => BuildPolicy(p, Permissions.Admin));
}

I need to get access to controller that marked with "Viewer" authorization policy if I had an "Admin" policy.

I've tried this:

public static void AddAdminPolicy(AuthorizationOptions options)
{
    options.AddPolicy(AuthorizationPolicies.Admin, p => BuildPolicy(p, Permissions.Admin));

    options.AddPolicy(AuthorizationPolicies.Viewer, p => BuildPolicy(p, Permissions.Viewer));
}

Here's BuildPolicy:

private static void BuildPolicy(AuthorizationPolicyBuilder policy, int permission)
{
    policy.AddAuthenticationSchemes(Defaults.SchemeName); 
    policy.AddRequirements(new AuthorizationRequirement
    {
        Require = Access.Always,
        PermissionsRequired = new[] { permission }
    });
}

    public class AuthorizationHandler
  {
    protected override Task HandleRequirementAsync(
      AuthorizationHandlerContext context,
      AuthorizationRequirement requirement)
    {
      ClaimsPrincipal user = context.User;
      if (user == null)
      {
        context.Fail();
        return Task.CompletedTask;
      }
      Identity Identity = user.Identities.OfType<Identity>().FirstOrDefault<Identity>();

      if (requirement.PermissionsRequired != null && ((IEnumerable<int>) requirement.PermissionsRequired).Any<int>())
      {
        if (requirement.Require != Access.Always)
        {
          context.Fail();
          return Task.CompletedTask;
        }
        Client client;
        if (!user.TryGetClient(out client))
        {
          context.Fail();
          return Task.CompletedTask;
        }
        if (client.Permissions == null)
        {
          context.Fail();
          return Task.CompletedTask;
        }
        if (!((IEnumerable<int>) requirement.PermissionsRequired).Any<int>((Func<int, bool>) (rap => client.Permissions.Contains(rap))))
        {
          context.Fail();
          return Task.CompletedTask;
        }
      }
      if (requirement.AllowImpersonatedUser && Identity.Client != null && Identity.IsImpersonated)
      {
    context.Succeed((IAuthorizationRequirement) requirement);
    return Task.CompletedTask;
      }
      context.Fail();
      return Task.CompletedTask;
    }
  }

But the result is 403 error. So may be you have another, better idea?

Have you run it through the debugger? Which call to `context.Fail()` is being hit? — Kirk Larkin, Jul 12 '19 at 13:43

score 0 · Answer 1 · answered Jul 12 '19 at 14:22

Instead of adding two policies, both with one permission ID, have you tried adding one policy with both permission IDs as an array?

public static void AddAdminPolicy(AuthorizationOptions options)
{
    options.AddPolicy(AuthorizationPolicies.Admin, p => BuildPolicy(p, new [] { Permissions.Admin, Permissions.Viewer }));
}

private static void BuildPolicy(AuthorizationPolicyBuilder policy, int[] permissions)
{
    policy.AddAuthenticationSchemes(Defaults.SchemeName); 
    policy.AddRequirements(new AuthorizationRequirement
    {
        Require = Access.Always,
        PermissionsRequired = permissions
    });
}

Add another policies if I have Admin policy

1 Answers1