我需要在本地数据库中管理我们用户的角色,而不是在 Azure AD 中管理。但是,因为我们有管理员和客户区域,我也需要基于策略的授权来控制控制器。
为了处理这个问题,我添加了一个授权过滤器,从Session或数据库中加载用户的角色,将一个Identity添加到Principal,然后继续执行。此Identity添加了一个适当的RoleClaim。
在离开授权过滤器之前,IsInRole正如预期般返回了true,并且有两个Identities。
我的授权过滤器看起来像这样:
public class MyAuthFilter : IAsyncAuthorizationFilter
{
private readonly IUserService userService;
public MyAuthFilter(IUserService userService)
{
this.userService = userService;
}
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
var user = context.HttpContext.User;
if (user.Identity.IsAuthenticated)
{
AuthUserViewModel authUserViewModel;
var sessionViewModelJson = context.HttpContext.Session.GetString(user.AzureObjectId());
if (string.IsNullOrEmpty(sessionViewModelJson))
{
authUserViewModel = await ConstructSessionViewModel(context);
}
else
{
authUserViewModel = JsonConvert.DeserializeObject<AuthUserViewModel>(sessionViewModelJson);
}
user.AddIdentity(authUserViewModel?.Role);
}
}
private async Task<AuthUserViewModel> ConstructSessionViewModel(AuthorizationFilterContext context)
{
var user = context.HttpContext.User;
var parsedObjectId = Guid.Parse(user.AzureObjectId());
var findUserResult = await userService.FindByAzureObjectId(new FindByAzureObjectIdRequest
{
AzureObjectId = parsedObjectId
});
if (findUserResult.Success)
{
var userModel = findUserResult.User;
var viewModel = new AuthUserViewModel
{
AzureObjectId = parsedObjectId,
UserId = userModel.Id,
SchoolId = userModel.SchoolId.GetValueOrDefault(),
Name = userModel.Name,
Email = userModel.Email,
PhoneNumber = userModel.PhoneNumber,
Role = userModel.Role
};
context.HttpContext.Session.SetString(user.AzureObjectId(), JsonConvert.SerializeObject(viewModel));
return viewModel;
}
return null;
}
}
AddIdentity 扩展方法的代码如下:
public static void AddIdentity(this ClaimsPrincipal principal, string role)
{
if (string.IsNullOrWhiteSpace(role) || principal.IsInRole(role))
{
return;
}
switch (role)
{
case Roles.School:
principal.AddIdentity(new SchoolIdentity());
break;
case Roles.Admin:
principal.AddIdentity(new AdminIdentity());
break;
}
}
在这种情况下,SchoolIdentity 是需要添加的内容,它看起来像这样:
public class SchoolIdentity : ClaimsIdentity
{
public SchoolIdentity()
{
AddClaim(new SchoolPortalClaim());
}
}
最终,SchoolPortalClaim 的样子如下:
public class SchoolPortalClaim : Claim
{
public SchoolPortalClaim() : base(ClaimTypes.Role, "School")
{
}
public SchoolPortalClaim(BinaryReader reader) : base(reader)
{
}
public SchoolPortalClaim(BinaryReader reader, ClaimsIdentity subject) : base(reader, subject)
{
}
protected SchoolPortalClaim(Claim other) : base(other)
{
}
protected SchoolPortalClaim(Claim other, ClaimsIdentity subject) : base(other, subject)
{
}
public SchoolPortalClaim(string type, string value) : base(type, value)
{
}
public SchoolPortalClaim(string type, string value, string valueType) : base(type, value, valueType)
{
}
public SchoolPortalClaim(string type, string value, string valueType, string issuer) : base(type, value, valueType, issuer)
{
}
public SchoolPortalClaim(string type, string value, string valueType, string issuer, string originalIssuer) : base(type, value, valueType, issuer, originalIssuer)
{
}
public SchoolPortalClaim(string type, string value, string valueType, string issuer, string originalIssuer, ClaimsIdentity subject) : base(type, value, valueType, issuer, originalIssuer, subject)
{
}
}
问题出现在策略执行时:
services.AddAuthorization(options =>
{
options.AddPolicy(Policies.School,
policy => policy.RequireAssertion(
context => context.User.IsInRole(Roles.School)));
});
context.User没有由授权过滤器添加的Identity。
我该如何使其向下传递?
相关的Controller 如下:
[Area(Areas.School)]
[Authorize(Policy = Policies.School)]
public class HomeController : BaseController
{
public HomeController(IUserService userService) :
base(userService)
{
}
public IActionResult Index()
{
return RedirectToAction("Index", "Presentation", new {Area = "School"});
}
}