Merge pull request #4 from dark-loop/intgr-schemes

adding scheme integrations for attribute data

Author: artmasa

sample/DarkLoop.Azure.Functions.Authorize.SampleFunctions/DarkLoop.Azure.Functions.Authorize.SampleFunctions.csproj

@@ -5,6 +5,8 @@
     <UserSecretsId>51dc0b9d-8e74-45ec-aebc-1d3d6934faf5</UserSecretsId>
   </PropertyGroup>
   <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="3.1.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Authorization.Policy" Version="2.2.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="3.1.0" />
     <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="3.0.12" />
   </ItemGroup>

sample/DarkLoop.Azure.Functions.Authorize.SampleFunctions/Startup.cs

@@ -46,6 +46,7 @@ public override void Configure(IFunctionsHostBuilder builder)
                             //var response = x.Response;
                             //response.ContentType = "text/plain";
                             //response.ContentLength = 5;
+                            //response.StatusCode = 401;
                             //await response.WriteAsync("No go");
                             //await response.Body.FlushAsync();
                         }

src/DarkLoop.Azure.Functions.Authorize/Bindings/FunctionsAuthorizeBindingProvider.cs

@@ -21,15 +21,14 @@ public FunctionsAuthorizeBindingProvider(IFunctionsAuthorizationFilterIndex filt
             _filtersIndex = filterIndex;
         }
 
-        public async Task<IBinding> TryCreateAsync(BindingProviderContext context)
+        public async Task<IBinding?> TryCreateAsync(BindingProviderContext context)
         {
             if (context == null) throw new ArgumentNullException(nameof(context));
 
             var paramType = context.Parameter.ParameterType;
             if (paramType == typeof(HttpRequest) || paramType == typeof(HttpRequestMessage))
             {
                 await this.ProcessAuthorizationAsync(context.Parameter);
-                Console.WriteLine($"Processed auth info for {context.Parameter.Member.Name}.");
             }
 
             return null;
@@ -38,6 +37,9 @@ public async Task<IBinding> TryCreateAsync(BindingProviderContext context)
         private Task ProcessAuthorizationAsync(ParameterInfo info)
         {
             var method = info.Member as MethodInfo;
+
+            if (method == null) throw new InvalidOperationException($"Unable to bind authorization context for {info.Name}.");
+
             var cls = method.DeclaringType;
 
             var allowAnonymous = method.GetCustomAttribute<AllowAnonymousAttribute>();

src/DarkLoop.Azure.Functions.Authorize/Constants.cs

@@ -0,0 +1,12 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace DarkLoop.Azure.Functions.Authorize
+{
+    internal class Constants
+    {
+        internal const string AuthInvokedKey = "__WebJobAuthInvoked";
+        internal const string WebJobsAuthScheme = "WebJobsAuthLevel";
+    }
+}

src/DarkLoop.Azure.Functions.Authorize/DarkLoop.Azure.Functions.Authorize.csproj

@@ -7,6 +7,8 @@
         <Product>Azure Functions Authorize</Product>
         <Description>Allows same AuthorizeAttribute behavior for Azure Functions V3+</Description>
         <AzureFunctionsVersion>v3</AzureFunctionsVersion>
+        <Nullable>enable</Nullable>
+        <UserSecretsId>3472ff41-3859-4101-a2da-6c37d751fd31</UserSecretsId>
     </PropertyGroup>
 
     <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
@@ -21,10 +23,9 @@
 
     <ItemGroup>
         <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="2.2.0" />
-        <PackageReference Include="Microsoft.AspNetCore.Authorization" Version="3.0.0" />
+        <PackageReference Include="Microsoft.AspNetCore.Authorization" Version="3.0.3" />
         <PackageReference Include="Microsoft.Azure.Functions.Extensions" Version="1.1.0" />
         <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.Http" Version="3.0.2" />
-        <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="6.10.0" />
         <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="3.0.12">
             <IncludeAssets>
                 <IsPackable>true</IsPackable>

src/DarkLoop.Azure.Functions.Authorize/Filters/FunctionsAuthorizeFilter.cs

@@ -13,8 +13,6 @@ namespace DarkLoop.Azure.Functions.Authorize.Filters
 {
     internal class FunctionsAuthorizeFilter : IFunctionsAuthorizeFilter
     {
-        private const string AuthInvokedKey = "__WebJobAuthInvoked";
-
         public IEnumerable<IAuthorizeData> AuthorizeData { get; }
 
         public IAuthenticationSchemeProvider SchemeProvider { get; }
@@ -23,99 +21,67 @@ internal class FunctionsAuthorizeFilter : IFunctionsAuthorizeFilter
 
         public AuthorizationPolicy Policy { get; }
 
-        public FunctionsAuthorizeFilter(IEnumerable<IAuthorizeData> authorizeData)
-        {
-            this.AuthorizeData = authorizeData;
-        }
-
         public FunctionsAuthorizeFilter(
             IAuthenticationSchemeProvider schemeProvider,
             IAuthorizationPolicyProvider policyProvider,
             IEnumerable<IAuthorizeData> authorizeData)
-            : this(authorizeData)
         {
             this.SchemeProvider = schemeProvider;
             this.PolicyProvider = policyProvider;
-        }
-
-        public FunctionsAuthorizeFilter(string policy)
-#pragma warning disable CS0618 // Type or member is obsolete
-            : this(new[] { new FunctionAuthorizeAttribute(policy) }) { }
-#pragma warning restore CS0618 // Type or member is obsolete
+            this.AuthorizeData = authorizeData;
 
-        public async Task AuthorizeAsync(FunctionAuthorizationContext context)
+            this.IntegrateSchemes();
+            this.Policy = this.ComputePolicyAsync().GetAwaiter().GetResult();
+        }
+        
+        private void IntegrateSchemes()
         {
-            if (context is null) throw new ArgumentNullException(nameof(context));
+            var schemes = this.SchemeProvider.GetAllSchemesAsync().GetAwaiter().GetResult();
+            var strSchemes = string.Join(',',
+                from scheme in schemes
+                where scheme.Name != Constants.WebJobsAuthScheme
+                select scheme.Name);
 
-            if (context.HttpContext.Items.ContainsKey(AuthInvokedKey))
+            foreach (var data in this.AuthorizeData)
             {
-                return;
+                // only setting auth schemes if they have not been specified already
+                if (string.IsNullOrWhiteSpace(data.AuthenticationSchemes))
+                {
+                    data.AuthenticationSchemes = strSchemes;
+                }
             }
+        }
 
-            var effectivePolicy = await this.ComputePolicyAsync();
+        public async Task AuthorizeAsync(FunctionAuthorizationContext context)
+        {
+            if (context is null) throw new ArgumentNullException(nameof(context));
 
-            if (effectivePolicy is null)
+            if (context.HttpContext.Items.ContainsKey(Constants.AuthInvokedKey))
             {
                 return;
             }
 
             var httpContext = context.HttpContext;
-            await this.AuthenticateRequestAsync(context);
             var evaluator = httpContext.RequestServices.GetRequiredService<IPolicyEvaluator>();
-            var authenticateResult = await evaluator.AuthenticateAsync(effectivePolicy, context.HttpContext);
-            var authorizeResult = await evaluator.AuthorizeAsync(effectivePolicy, authenticateResult, context.HttpContext, context);
+            var authenticateResult = await evaluator.AuthenticateAsync(this.Policy, httpContext);
+            var authorizeResult = await evaluator.AuthorizeAsync(this.Policy, authenticateResult, httpContext, context);
 
             if (authorizeResult.Challenged)
             {
-                context.Result = new ChallengeResult(effectivePolicy.AuthenticationSchemes.ToArray());
+                context.Result = new ChallengeResult(this.Policy.AuthenticationSchemes.ToArray());
             }
             else if (authorizeResult.Forbidden)
             {
-                context.Result = new ForbidResult(effectivePolicy.AuthenticationSchemes.ToArray());
+                context.Result = new ForbidResult(this.Policy.AuthenticationSchemes.ToArray());
             }
-
-        }
-
-        private async Task<AuthenticateResult> AuthenticateRequestAsync(FunctionAuthorizationContext context)
-        {
-            var httpContext = context.HttpContext;
-            var handlers = httpContext.RequestServices.GetService<IAuthenticationHandlerProvider>();
-
-            foreach (var scheme in await this.SchemeProvider.GetRequestHandlerSchemesAsync())
+            else if (!authorizeResult.Succeeded)
             {
-                var handler = await handlers.GetHandlerAsync(httpContext, scheme.Name) as IAuthenticationRequestHandler;
-                if (handler != null)
-                {
-                    var result = await handler.AuthenticateAsync();
-                    if (result.Succeeded)
-                    {
-                        httpContext.User = result.Principal;
-                        return result;
-                    }
-                }
+                context.Result = new UnauthorizedResult();
             }
-
-            var defaultAuthenticate = await this.SchemeProvider.GetDefaultAuthenticateSchemeAsync();
-            if (defaultAuthenticate != null)
-            {
-                var result = await httpContext.AuthenticateAsync(defaultAuthenticate.Name);
-                if (result?.Principal != null)
-                {
-                    httpContext.User = result.Principal;
-                    return result;
-                }
-            }
-
-            return AuthenticateResult.NoResult();
         }
 
         private Task<AuthorizationPolicy> ComputePolicyAsync()
         {
-            if (this.Policy != null)
-            {
-                return Task.FromResult(this.Policy);
-            }
-
             if (this.PolicyProvider == null)
             {
                 throw new InvalidOperationException("Policy cannot be created.");

src/DarkLoop.Azure.Functions.Authorize/FunctionAuthorizeAttribute.cs

@@ -22,11 +22,11 @@ public FunctionAuthorizeAttribute(string policy)
             this.Policy = policy;
         }
 
-        public string Policy { get; set; }
+        public string? Policy { get; set; }
 
-        public string Roles { get; set; }
+        public string? Roles { get; set; }
 
-        public string AuthenticationSchemes { get; set; }
+        public string? AuthenticationSchemes { get; set; }
 
         async Task IFunctionInvocationFilter.OnExecutingAsync(FunctionExecutingContext executingContext, CancellationToken cancellationToken)
         {
@@ -53,7 +53,7 @@ private bool IsProcessed(FunctionExecutingContext context)
             return (bool)value;
         }
 
-        private HttpContext GetHttpContext(FunctionExecutingContext context)
+        private HttpContext? GetHttpContext(FunctionExecutingContext context)
         {
             var requestOrMessage = context.Arguments.Values.FirstOrDefault(x => x is HttpRequest || x is HttpRequestMessage);
 

src/DarkLoop.Azure.Functions.Authorize/Handlers/AuthenticationRequestHandler.cs

@@ -12,7 +12,7 @@ namespace DarkLoop.Azure.Functions.Authorize.Handlers
 {
     public static class AuthenticationRequestHandler
     {
-        public static async Task<IActionResult> HandleAuthenticateAsync(HttpContext context, string scheme)
+        public static async Task<IActionResult?> HandleAuthenticateAsync(HttpContext context, string scheme)
         {
             var handler = await GetSchemeHandler(context, scheme);
             if(await handler.HandleRequestAsync())

src/DarkLoop.Azure.Functions.Authorize/Security/AuthenticationExtensions.cs

@@ -2,6 +2,7 @@
 using System.Security.Claims;
 using System.Text;
 using System.Threading.Tasks;
+using DarkLoop.Azure.Functions.Authorize;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Azure.Functions.Extensions.DependencyInjection;
@@ -26,14 +27,14 @@ public static AuthenticationBuilder AddAuthentication(this IFunctionsHostBuilder
         }
 
         public static AuthenticationBuilder AddAuthentication(
-            this IFunctionsHostBuilder builder, Action<AuthenticationOptions> configure)
+            this IFunctionsHostBuilder builder, Action<AuthenticationOptions>? configure)
         {
             if (builder == null)
             {
                 throw new ArgumentNullException(nameof(builder));
             }
 
-            if(configure!=null)
+            if (configure != null)
             {
                 builder.Services.AddSingleton<IConfigureOptions<AuthenticationOptions>>(provider =>
                     new ConfigureOptions<AuthenticationOptions>(options =>
@@ -49,7 +50,7 @@ public static AuthenticationBuilder AddAuthentication(
 
         private static AuthenticationBuilder AddScriptFunctionsJwtBearer(this AuthenticationBuilder builder)
         {
-            return builder.AddJwtBearer("WebJobsAuthLevel", options =>
+            return builder.AddJwtBearer(Constants.WebJobsAuthScheme, options =>
             {
                 options.Events = new JwtBearerEvents
                 {

src/DarkLoop.Azure.Functions.Authorize/Security/FunctionAuthorizationContext.cs

@@ -15,6 +15,6 @@ public FunctionAuthorizationContext(HttpContext httpContext)
 
         public HttpContext HttpContext { get; }
 
-        public IActionResult Result { get; internal set; }
+        public IActionResult? Result { get; internal set; }
     }
 }