c# - ASP.NET Core 2.1 中的策略和声明

Question

我正在创建一个 API，我对声明/政策有一些疑问。在开发中使用声明注册策略相对容易，我创建了一个包含 X 声明的策略并将该策略添加到 Controller /方法中，任何拥有这些声明的人都可以访问。问题是:

1) 如何在生产中创建策略并授予其访问特定位置的权限？这是可能的？或者我唯一需要做的就是向用户添加 X 声明，这就足够了吗？

2)在足够的情况下，是否应该创建一个表来存储声明(仅声明)以获得声明列表，然后将它们分配给用户(aspNetUserClaims 表)？

3) 如果我在生产中创建一个角色并分配声明，然后将该角色分配给一个用户，这是否足以访问上述 Controller /方法？或者在登录时，我是否需要明确地捕获角色声明并将其添加到用户？

提前致谢!问候!

Answer 1

一旦用户访问网站，用户就会得到一组声明。声明属于角色或用户。但策略是一组规则，它与角色或用户没有任何关系。一项政策是从任何资源验证的，不仅是 2 个 claim 表，它取决于您的代码。这是基于策略的授权的完整示例:https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1

1) How do I create a policy in production and give it permission to access a certain place? It's possible? Or the only thing I have to do is add X claims to a user and is that enough?

3 个问题:是、是、否。

由于身份框架中不存在 ClaimAuthorizeAttribute，您有 2 个选择:

1. 实现 ClaimAuthorizeAttribute: https://github.com/jayway/JayLabs.Owin.OAuthAuthorization/blob/master/src/JayLabs.Owin.OAuthAuthorization/ClaimAuthorizeAttribute.cs

2. 使用Policy来申请Claims(本人推荐)。

   public void ConfigureServices(IServiceCollection services)
   {
       services.AddAuthorization(options =>
       {
           options.AddPolicy("EmployeeOnly", policy =>
           {
               policy.RequireAssertion(context =>
               {
                  //Here you can get many resouces from context, i get a claim here for example
                  var yourvalue = context.User.Claims.FirstOrDefault(x => x.Type == "yourType")?.Value;
                  //here you can access DB or any other API to do anything if you don't mind performance issues.
                  var user = new DefaultContext().AspNetUsers.FirstOrDefaultAsync(x =>
                                               x.UserName == yourvalue);
                  //return a boolen to end validation.
                  return user != null;
              });
          });
      });
   }
   
   [Authorize(Policy = "EmployeeOnly")]
   public IActionResult VacationBalance()
   {
      return View();
   }
   

这是动态应用策略的完整解决方案: https://www.jerriepelser.com/blog/creating-dynamic-authorization-policies-aspnet-core/

2) In the case that is enough, should create a table to store claims (only claims) to have a list of claims and then assign them to users (aspNetUserClaims table)?

是&否，你应该有表，但它没有分配给用户，而是存储策略要求的其他地方(在我的以下代码中是 AspNetPolicyRequirement)。

3) If I create a role in production and assign claims and then assign that role to a user, with that is enough to access the controller / methods mentioned above? or when logging in, explicitly do I need to capture the claims of a role and add them to the user?

2个问题:是的，是的。自定义声明必须明确分配给用户才能在登录时使用功能，除非您希望每次需要时都从数据库访问它。

回到你的第一个问题。

如果您想按条件启用/禁用策略，可以很容易地从数据库 中进行。

设置:

首先在 Startup.cs 中注入(inject) IHostingEnvironment

public class Startup
{
    private readonly IHostingEnvironment _environment;

    public Startup(IHostingEnvironment environment, ...)
    {
        _environment = environment;
        ....
    }
    ....
}

然后在public void ConfigureServices(IServiceCollection services)中添加如下代码

if (_environment.IsProduction())
        {
            services.AddAuthorization(options =>
            {
                options.AddPolicy("AtLeast21", policy =>
                    policy.Requirements.Add(new MinimumAgeRequirement(21)));
            });
        }

或

services.AddAuthorization(options =>
{
    if (_environment.IsProduction())
    {
        options.AddPolicy("AtLeast21", policy =>
                policy.Requirements.Add(new MinimumAgeRequirement(21)));
    }

});

下一步:目前不存在AspNetUserPolicy 或WhateverPolicy 表，我认为它不会存在于框架级别。如果您的保单仅来自 claim ，没有任何其他保单，您可以只使用 2 个 claim 表来注册保单，但我不推荐这样做，因为它是 Policy 的反设计。

通常，它可能遵循以下设计:

/****** Object:  Table [dbo].[AspNetPolicy]******/

CREATE TABLE [dbo].[AspNetPolicy](
    [Id] [int] IDENTITY(1,1) NOT NULL,
    [Name] [nvarchar](150) NOT NULL,
    [Enabled] [bit] NOT NULL,
 CONSTRAINT [PK_AspNetPolicy] PRIMARY KEY CLUSTERED 
(
    [Id] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
) ON [PRIMARY]
GO
/****** Object:  Table [dbo].[AspNetPolicyRequirement]******/
CREATE TABLE [dbo].[AspNetPolicyRequirement](
    [Id] [int] NOT NULL,
    [AspNetPolicyId] [int] NOT NULL,
    [RequirementType] [int] NOT NULL,
    [RequirementName] [nvarchar](150) NOT NULL,
    [Enabled] [bit] NOT NULL,
 CONSTRAINT [PK_AspNetPolicyRequirement] PRIMARY KEY CLUSTERED 
(
    [Id] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
) ON [PRIMARY]
GO
ALTER TABLE [dbo].[AspNetPolicy] ADD  CONSTRAINT [DF_AspNetPolicy_Enabled]  DEFAULT ((1)) FOR [Enabled]
GO
ALTER TABLE [dbo].[AspNetPolicyRequirement] ADD  CONSTRAINT [DF_AspNetPolicyRequirement_Enabled]  DEFAULT ((1)) FOR [Enabled]
GO
ALTER TABLE [dbo].[AspNetPolicyRequirement]  WITH CHECK ADD  CONSTRAINT [FK_AspNetPolicyRequirement_AspNetPolicy] FOREIGN KEY([AspNetPolicyId])
REFERENCES [dbo].[AspNetPolicy] ([Id])
GO
ALTER TABLE [dbo].[AspNetPolicyRequirement] CHECK CONSTRAINT [FK_AspNetPolicyRequirement_AspNetPolicy]
GO

那么您的实体将是:

public partial class AspNetPolicy
{
    public AspNetPolicy()
    {
        AspNetPolicyRequirement = new HashSet<AspNetPolicyRequirement>();
    }

    public int Id { get; set; }
    [Required]
    [StringLength(50)]
    public string Name { get; set; }

    [Required]
    public bool Enabled { get; set; } = true;

    [InverseProperty("AspNetPolicy")]
    public ICollection<AspNetPolicyRequirement> AspNetPolicyRequirement { get; set; }
}
public partial class AspNetPolicyRequirement
{
    public int Id { get; set; }
    public int AspNetPolicyId { get; set; }
    public RequirementType RequirementType { get; set; }
    [Required]
    [StringLength(150)]
    public string RequirementName { get; set; }
    [Required]
    public bool Enabled { get; set; } = true;

    [ForeignKey("AspNetPolicyId")]
    [InverseProperty("AspNetPolicyRequirement")]
    public AspNetPolicy AspNetPolicy { get; set; }
}
public enum RequirementType
{
    Custom = 0,
    Claim = 1,
    Role = 2,
    UserName = 3,
    AuthenticatedUser = 4,
    Assertion = 5,
}

通过以下代码启用策略:

private void ConfigurePolicies(IServiceCollection services)
{
    //get data by your way, here is only an example.
    var policies = new DefaultContext().AspNetPolicy
        .Include(x => x.AspNetPolicyRequirement)
        .Where(x => x.Enabled)
        .ToList();

    //map them to real policies
    services.AddAuthorization(options =>
    {
        policies.ForEach(aspNetPolicy =>
        {
            options.AddPolicy(aspNetPolicy.Name, policy =>
            {
                foreach (var aspNetPolicyRequirement in aspNetPolicy.AspNetPolicyRequirement.Where(x=>x.Enabled))
                {
                    switch (aspNetPolicyRequirement.RequirementType)
                    {
                        case RequirementType.Claim:
                        {
                            policy.RequireClaim(aspNetPolicyRequirement.RequirementName);
                            break;
                        }
                        case RequirementType.UserName:
                        {
                            policy.RequireUserName(aspNetPolicyRequirement.RequirementName);
                            break;
                        }
                        case RequirementType.Role:
                        {
                            policy.RequireRole(aspNetPolicyRequirement.RequirementName);
                            break;
                        }
                        case RequirementType.AuthenticatedUser:
                        {
                            policy.RequireAuthenticatedUser();
                            break;
                        }
                        case RequirementType.Assertion:
                        {
                            //policy.RequireAssertion(...);//To Do
                            break;
                        }
                    }
                }
            });

        });
    });
}

您必须按照自己的设计完成其余工作。