AzureFunctions.Extensions.OpenIDConnect/src/AzureFunctions.Extensions.OpenIDConnect.InProcess/AuthorizeFilter.cs at 8307a0b2e7326974b8f4c02a0e237191c2db253f · fmichellonet/AzureFunctions.Extensions.OpenIDConnect · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
using System;
using System.Net;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Azure.WebJobs.Host;

namespace AzureFunctions.Extensions.OpenIDConnect.InProcess
{
    public class AuthorizeFilter : FunctionInvocationFilterAttribute
    {
        private readonly IHttpContextAccessor _httpContextAccessor;
        private readonly IAuthenticationService _authenticationService;
        private readonly IRouteGuardian _routeGuardian;
        private readonly IAuthorizationService _authorizationService;
        private readonly IAuthorizationRequirementsRetriever _requirementsRetriever;

        public AuthorizeFilter(IHttpContextAccessor httpContextAccessor,
            IAuthenticationService authenticationService, IRouteGuardian routeGuardian,
            IAuthorizationService authorizationService, IAuthorizationRequirementsRetriever requirementsRetriever)
        {
            _httpContextAccessor = httpContextAccessor;
            _authenticationService = authenticationService;
            _routeGuardian = routeGuardian;
            _authorizationService = authorizationService;
            _requirementsRetriever = requirementsRetriever;
        }

        public override async Task OnExecutingAsync(FunctionExecutingContext executingContext, CancellationToken cancellationToken)
        {
            if (_routeGuardian.IsProtectedRoute(executingContext.FunctionName))
            {
                var httpContext = _httpContextAccessor.HttpContext;

                // Authenticate the user
                var authenticationResult = await _authenticationService.AuthenticateAsync(httpContext.Request.Headers);

                if (authenticationResult.Failed)
                {
                    await Unauthorized(httpContext, cancellationToken);
                    return;
                }

                httpContext.User = authenticationResult.User;

                var attribute = _routeGuardian.GetAuthorizationConfiguration(executingContext.FunctionName);
                var requirements = _requirementsRetriever.ForAttribute(attribute);

                if (requirements != null)
                {
                    var authorizationResult = await _authorizationService.AuthorizeAsync(httpContext.User, executingContext, requirements);
                    if (!authorizationResult.Succeeded)
                    {
                        await Forbidden(httpContext, authorizationResult.Failure, cancellationToken);
                        return;
                    }
                }

            }
            await base.OnExecutingAsync(executingContext, cancellationToken);
        }

        private async Task Unauthorized(HttpContext httpContext, CancellationToken cancellationToken)
        {
            httpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            await httpContext.Response.WriteAsync(string.Empty, cancellationToken);
            throw new UnauthorizedAccessException();
        }

        private async Task Forbidden(HttpContext httpContext, AuthorizationFailure failure, CancellationToken cancellationToken)
        {
            httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
            await httpContext.Response.WriteAsync(failure.FailedRequirements.ToString(), cancellationToken);
            throw new UnauthorizedAccessException();
        }
    }
}