+dynamic claim variables (#855)

incl. tests
2025-04-22 18:32:51 +08:00 · 2019-04-15 10:51:34 +02:00 · 2019-04-15 10:51:34 +02:00 · 639011bc62
commit 639011bc62
parent 340d0de233
5 changed files with 127 additions and 15 deletions
--- a/src/Ocelot/Authorisation/ClaimsAuthoriser.cs
+++ b/src/Ocelot/Authorisation/ClaimsAuthoriser.cs
@ -1,6 +1,13 @@
-using System.Collections.Generic;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Claims;
 using System.Text.RegularExpressions;
 using Ocelot.DownstreamRouteFinder.UrlMatcher;
 using Ocelot.Middleware;
 using Ocelot.Responses;
 using Ocelot.Values;
 namespace Ocelot.Authorisation
 {
@ -15,8 +22,11 @@ namespace Ocelot.Authorisation
            _claimsParser = claimsParser;
        }
-        public Response<bool> Authorise(ClaimsPrincipal claimsPrincipal, Dictionary<string, string> routeClaimsRequirement)
+        public Response<bool> Authorise(
-        {
+            ClaimsPrincipal claimsPrincipal,
            Dictionary<string, string> routeClaimsRequirement,
            List<PlaceholderNameAndValue> urlPathPlaceholderNameAndValues
        ){
            foreach (var required in routeClaimsRequirement)
            {
                var values = _claimsParser.GetValuesByClaimType(claimsPrincipal.Claims, required.Key);
@ -28,6 +38,43 @@ namespace Ocelot.Authorisation
                if (values.Data != null)
                {
                    // dynamic claim
                    var match = Regex.Match(required.Value, @"^{(?<variable>.+)}$");
                    if (match.Success)
                    {
                        var variableName = match.Captures[0].Value;
                        var matchingPlaceholders = urlPathPlaceholderNameAndValues.Where(p => p.Name.Equals(variableName)).Take(2).ToArray();
                        if (matchingPlaceholders.Length == 1)
                        {
                            // match
                            var actualValue = matchingPlaceholders[0].Value;
                            var authorised = values.Data.Contains(actualValue);
                            if (!authorised)
                            {
                                return new ErrorResponse<bool>(new ClaimValueNotAuthorisedError(
                                    $"dynamic claim value for {variableName} of {string.Join(", ", values.Data)} is not the same as required value: {actualValue}"));
                            }
                        }
                        else
                        {
                            // config error
                            if (matchingPlaceholders.Length == 0)
                            {
                                return new ErrorResponse<bool>(new ClaimValueNotAuthorisedError(
                                    $"config error: requires variable claim value: {variableName} placeholders does not contain that variable: {string.Join(", ", urlPathPlaceholderNameAndValues.Select(p=>p.Name))}"));
                            }
                            else
                            {
                                return new ErrorResponse<bool>(new ClaimValueNotAuthorisedError(
                                    $"config error: requires variable claim value: {required.Value} but placeholders are ambiguous: {string.Join(", ", urlPathPlaceholderNameAndValues.Where(p=>p.Name.Equals(variableName)).Select(p => p.Value))}"));
                            }
                        }
                    }
                    else
                    {
                        // static claim
                        var authorised = values.Data.Contains(required.Value);
                        if (!authorised)
                        {
@ -35,6 +82,7 @@ namespace Ocelot.Authorisation
                                       $"claim value: {string.Join(", ", values.Data)} is not the same as required value: {required.Value} for type: {required.Key}"));
                        }
                    }
                }
                else
                {
                    return new ErrorResponse<bool>(new UserDoesNotHaveClaimError($"user does not have claim {required.Key}"));
--- a/src/Ocelot/Authorisation/IClaimsAuthoriser.cs
+++ b/src/Ocelot/Authorisation/IClaimsAuthoriser.cs
@ -1,5 +1,9 @@
 using System.Security.Claims;
 using Ocelot.Configuration;
 using Ocelot.DownstreamRouteFinder.UrlMatcher;
 using Ocelot.Responses;
 using Ocelot.Values;
 namespace Ocelot.Authorisation
 {
@ -7,6 +11,10 @@ namespace Ocelot.Authorisation
    public interface IClaimsAuthoriser
    {
-        Response<bool> Authorise(ClaimsPrincipal claimsPrincipal, Dictionary<string, string> routeClaimsRequirement);
+        Response<bool> Authorise(
            ClaimsPrincipal claimsPrincipal,
            Dictionary<string, string> routeClaimsRequirement,
            List<PlaceholderNameAndValue> urlPathPlaceholderNameAndValues
        );
    }
 }
--- a/src/Ocelot/Authorisation/Middleware/AuthorisationMiddleware.cs
+++ b/src/Ocelot/Authorisation/Middleware/AuthorisationMiddleware.cs
@ -58,7 +58,7 @@
            {
                Logger.LogInformation("route is authorised");
-                var authorised = _claimsAuthoriser.Authorise(context.HttpContext.User, context.DownstreamReRoute.RouteClaimsRequirement);
+                var authorised = _claimsAuthoriser.Authorise(context.HttpContext.User, context.DownstreamReRoute.RouteClaimsRequirement, context.TemplatePlaceholderNameAndValues);
                if (authorised.IsError)
                {
--- a/test/Ocelot.UnitTests/Authorization/AuthorisationMiddlewareTests.cs
+++ b/test/Ocelot.UnitTests/Authorization/AuthorisationMiddlewareTests.cs
@ -69,15 +69,21 @@ namespace Ocelot.UnitTests.Authorization
        private void GivenTheAuthServiceReturns(Response<bool> expected)
        {
            _authService
-                .Setup(x => x.Authorise(It.IsAny<ClaimsPrincipal>(), It.IsAny<Dictionary<string, string>>()))
+                .Setup(x => x.Authorise(
                           It.IsAny<ClaimsPrincipal>(),
                           It.IsAny<Dictionary<string, string>>(),
                           It.IsAny<List<PlaceholderNameAndValue>>()))
                .Returns(expected);
        }
        private void ThenTheAuthServiceIsCalledCorrectly()
        {
            _authService
-                .Verify(x => x.Authorise(It.IsAny<ClaimsPrincipal>(),
+                .Verify(x => x.Authorise(
-                It.IsAny<Dictionary<string, string>>()), Times.Once);
+                    It.IsAny<ClaimsPrincipal>(),
                    It.IsAny<Dictionary<string, string>>(),
                    It.IsAny<List<PlaceholderNameAndValue>>())
                        , Times.Once);
        }
    }
 }
--- a/test/Ocelot.UnitTests/Authorization/ClaimsAuthoriserTests.cs
+++ b/test/Ocelot.UnitTests/Authorization/ClaimsAuthoriserTests.cs
@ -1,7 +1,11 @@
 using System.Collections.Generic;
 using System.Security.Claims;
 using Ocelot.Authorisation;
 using Ocelot.Configuration;
 using Ocelot.DownstreamRouteFinder.UrlMatcher;
 using Ocelot.Responses;
 using Ocelot.Values;
 using Shouldly;
 using TestStack.BDDfy;
 using Xunit;
@ -15,6 +19,7 @@ namespace Ocelot.UnitTests.Authorization
        private readonly ClaimsAuthoriser _claimsAuthoriser;
        private ClaimsPrincipal _claimsPrincipal;
        private Dictionary<string, string> _requirement;
        private List<PlaceholderNameAndValue> _urlPathPlaceholderNameAndValues;
        private Response<bool> _result;
        public ClaimsAuthoriserTests()
@ -38,6 +43,46 @@ namespace Ocelot.UnitTests.Authorization
                .BDDfy();
        }
        [Fact]
        public void should_authorize_dynamic_user()
        {
            this.Given(x => x.GivenAClaimsPrincipal(new ClaimsPrincipal(new ClaimsIdentity(new List<Claim>
                {
                    new Claim("userid", "14"),
                }))))
               .And(x => x.GivenARouteClaimsRequirement(new Dictionary<string, string>
                {
                    {"userid", "{userId}"}
                }))
               .And(x => x.GivenAPlaceHolderNameAndValueList(new List<PlaceholderNameAndValue>
                {
                   new PlaceholderNameAndValue("{userId}", "14")
                }))
               .When(x => x.WhenICallTheAuthoriser())
               .Then(x => x.ThenTheUserIsAuthorised())
               .BDDfy();
        }
        [Fact]
        public void should_not_authorize_dynamic_user()
        {
            this.Given(x => x.GivenAClaimsPrincipal(new ClaimsPrincipal(new ClaimsIdentity(new List<Claim>
                {
                    new Claim("userid", "15"),
                }))))
               .And(x => x.GivenARouteClaimsRequirement(new Dictionary<string, string>
                {
                    {"userid", "{userId}"}
                }))
               .And(x => x.GivenAPlaceHolderNameAndValueList(new List<PlaceholderNameAndValue>
                {
                    new PlaceholderNameAndValue("{userId}", "14")
                }))
               .When(x => x.WhenICallTheAuthoriser())
               .Then(x => x.ThenTheUserIsntAuthorised())
               .BDDfy();
        }
        [Fact]
        public void should_authorise_user_multiple_claims_of_same_type()
        {
@ -78,9 +123,14 @@ namespace Ocelot.UnitTests.Authorization
            _requirement = requirement;
        }
        private void GivenAPlaceHolderNameAndValueList(List<PlaceholderNameAndValue> urlPathPlaceholderNameAndValues)
        {
            _urlPathPlaceholderNameAndValues = urlPathPlaceholderNameAndValues;
        }
        private void WhenICallTheAuthoriser()
        {
-            _result = _claimsAuthoriser.Authorise(_claimsPrincipal, _requirement);
+            _result = _claimsAuthoriser.Authorise(_claimsPrincipal, _requirement, _urlPathPlaceholderNameAndValues);
        }
        private void ThenTheUserIsAuthorised()