c# - Identity 3 MVC 6 中的授权策略

Question

我已经做了很多研究，但仍然不确定我这样做是否正确。我找到的最好的资源就在这里

http://leastprivilege.com/2015/10/12/the-state-of-security-in-asp-net-5-and-mvc-6-authorization/

鉴于 ApplicationUser 类扩展为包括授权帐号列表，我想限制用户仅查看基于其授权帐户的报表(和其他操作)。我认为这是一种非常常见的设计，但是网上的大多数文章都引用了以前版本的身份。

(PS 我在 Controller 构造函数中注入(inject) UserManager)

这是我的 Action

public IActionResult GetStatement(int accountNo,DateTime startDate,DateTime endDate)
{
    var user = userManager.Users
        .Include(u => u.AuthorisedAccounts)
        .Where(u => u.Id == User.GetUserId())
        .FirstOrDefault();
    if (user.AuthorisedAccounts != null)
    {
        foreach (var account in user.AuthorisedAccounts)
        {
            if (account.AccountNo == accountNo)
                return View(statementService.GetStatement(accountNo, startDate, endDate, 0));
        }
    }
    return HttpUnauthorized();
}

我不禁觉得有更好的方法吗？ 基本上我想根据操作参数进行授权。“accountNo”

有关采取何种方法的任何提示。

Answer 1

在这种情况下，您将使用基于资源的方式，帐户就是资源。此文档位于 https://docs.asp.net/en/latest/security/authorization/resourcebased.html。

首先，您需要定义一个读取操作，

public static class Operations
{
    public static OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement   { Name = "Read" };
}

现在您将拥有一个 AccountAccess 策略

public class AccountAuthorizationHandler : AuthorizationHandler<
    OperationAuthorizationRequirement, Account>
{
    IUserManager _userManager;

    public AccountAuthorizationHandler(IUserManager userManager)
    {
        _userManager = userManager;
    }

    protected override void Handle(AuthorizationContext context,
                                   OperationAuthorizationRequirement requirement,
                                   Account resource)
    {
        // Pull the user ID claim out from the context.User
        var userId = context.User.....
        // Get the current user's account numbers.       
        var user = userManager.Users
            .Include(u => u.AuthorisedAccounts)
            .Where(u => u.Id == userId)
            .FirstOrDefault();
    }

    // Now check if the user's account numbers match the resource accountNumber, and 
    // also check the operation type, in case you want to vary based on create, view etc.
    if (user.AuthorisedAccounts.Contains(resource.AccountId &&
        requirement.Name == "View")
   {
      context.Succeed(requirement);
   } 
}

之后，在配置服务中的 DI 容器中注册您的策略；

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    services.AddAuthorization();

    services.AddSingleton<IAuthorizationHandler,
                          AccountAuthorizationHandler>();
}

在您的 Controller 中注入(inject) AuthorizationService；

public class AccountController : Controller
{
    IAuthorizationService _authorizationService;

    public AccountController(IAuthorizationService authorizationService)
    {
        _authorizationService = authorizationService;
    }
}

然后，在您的 Controller 中，在您加载帐户资源之后，您可以执行如下操作

public async Task<IActionResult> View(int accountId)
{
    Account account = accountManager.Find(accountId);

    if (account == null)
    {
        return new HttpNotFoundResult();
    }

    if (await _authorizationService.AuthorizeAsync(User, account, Operations.Read))
    {
        return View(account);
    }
    else
    {
        return new ChallengeResult();
    }
}