ASP.NET Core MVC 授权的扩展：自定义 Authorize Attribute 和 IApplicationModelProvide

一、概述

ASP.NET Core MVC 提供了基于角色( Role )、声明( Chaim ) 和策略 ( Policy ) 等的授权方式。在实际应用中，可能采用部门（ Department , 本文采用用户组 Group ）、职位 ( 可继续沿用 Role )、权限( Permission )的方式进行授权。要达到这个目的，仅仅通过自定义 IAuthorizationPolicyProvider 是不行的。本文通过自定义 IApplicationModelProvide 进行扩展。

二、PermissionAuthorizeAttribute : IPermissionAuthorizeData

AuthorizeAttribute 类实现了 IAuthorizeData 接口：

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

namespace Microsoft.AspNetCore.Authorization { /// <summary> /// Defines the set of data required to apply authorization rules to a resource. /// </summary> public interface IAuthorizeData { /// <summary> /// Gets or sets the policy name that determines access to the resource. /// </summary> string Policy { get; set; } /// <summary> /// Gets or sets a comma delimited list of roles that are allowed to access the resource. /// </summary> string Roles { get; set; } /// <summary> /// Gets or sets a comma delimited list of schemes from which user information is constructed. /// </summary> string AuthenticationSchemes { get; set; } } }

使用 AuthorizeAttribute 不外乎如下几种形式：

1 2 3 4

[Authorize] [Authorize("SomePolicy")] [Authorize(Roles = "角色1,角色2")] [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]

当然，参数还可以组合起来。另外，Roles 和 AuthenticationSchemes 的值以半角逗号分隔，是 Or 的关系；多个 Authorize 是 And 的关系；Policy 、Roles 和 AuthenticationSchemes 如果同时使用，也是 And 的关系。

如果要扩展 AuthorizeAttribute，先扩展 IAuthorizeData 增加新的属性：

1 2 3 4 5

public interface IPermissionAuthorizeData : IAuthorizeData { string Groups { get; set; } string Permissions { get; set; } }

然后定义 AuthorizeAttribute:

1 2 3 4 5 6 7 8 9

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)] public class PermissionAuthorizeAttribute : Attribute, IPermissionAuthorizeData { public string Policy { get; set; } public string Roles { get; set; } public string AuthenticationSchemes { get; set; } public string Groups { get; set; } public string Permissions { get; set; } }

现在，在 Controller 或 Action 上就可以这样使用了：

1 2 3

[PermissionAuthorize(Roles = "经理,副经理")] // 经理或部门经理 [PermissionAuthorize(Groups = "研发部,生产部", Roles = "经理"] // 研发部经理或生成部经理。Groups 和 Roles 是 `And` 的关系。 [PermissionAuthorize(Groups = "研发部,生产部", Roles = "经理", Permissions = "请假审批"] // 研发部经理或生成部经理，并且有请假审批的权限。Groups 、Roles 和 Permission 是 `And` 的关系。

数据已经准备好，下一步就是怎么提取出来。通过扩展 AuthorizationApplicationModelProvider 来实现。

三、PermissionAuthorizationApplicationModelProvider : IApplicationModelProvider

AuthorizationApplicationModelProvider 类的作用是构造 AuthorizeFilter 对象放入 ControllerModel 或 ActionModel 的 Filters 属性中。具体过程是先提取 Controller 和 Action 实现了 IAuthorizeData 接口的 Attribute，如果使用的是默认的DefaultAuthorizationPolicyProvider，则会先创建一个 AuthorizationPolicy 对象作为 AuthorizeFilter 构造函数的参数。
创建 AuthorizationPolicy 对象是由 AuthorizationPolicy 的静态方法 public static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData) 来完成的。该静态方法会解析 IAuthorizeData 的数据，但不懂解析 IPermissionAuthorizeData。

因为 AuthorizationApplicationModelProvider 类对 AuthorizationPolicy.CombineAsync 静态方法有依赖，这里不得不做一个类似的 PermissionAuthorizationApplicationModelProvider 类，在本类实现 CombineAsync 方法。暂且不论该方法放在本类是否合适的问题。

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83

public static AuthorizeFilter GetFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authData) { // The default policy provider will make the same policy for given input, so make it only once. // This will always execute synchronously. if (policyProvider.GetType() == typeof(DefaultAuthorizationPolicyProvider)) { var policy = CombineAsync(policyProvider, authData).GetAwaiter().GetResult(); return new AuthorizeFilter(policy); } else { return new AuthorizeFilter(policyProvider, authData); } } private static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData) { if (policyProvider == null) { throw new ArgumentNullException(nameof(policyProvider)); } if (authorizeData == null) { throw new ArgumentNullException(nameof(authorizeData)); } var policyBuilder = new AuthorizationPolicyBuilder(); var any = false; foreach (var authorizeDatum in authorizeData) { any = true; var useDefaultPolicy = true; if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy)) { var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy); if (policy == null) { //throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy)); throw new InvalidOperationException(nameof(authorizeDatum.Policy)); } policyBuilder.Combine(policy); useDefaultPolicy = false; } var rolesSplit = authorizeDatum.Roles?.Split(','); if (rolesSplit != null && rolesSplit.Any()) { var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireRole(trimmedRolesSplit); useDefaultPolicy = false; } if(authorizeDatum is IPermissionAuthorizeData permissionAuthorizeDatum ) { var groupsSplit = permissionAuthorizeDatum.Groups?.Split(','); if (groupsSplit != null && groupsSplit.Any()) { var trimmedGroupsSplit = groupsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireClaim("Group", trimmedGroupsSplit); // TODO: 注意硬编码 useDefaultPolicy = false; } var permissionsSplit = permissionAuthorizeDatum.Permissions?.Split(','); if (permissionsSplit != null && permissionsSplit.Any()) { var trimmedPermissionsSplit = permissionsSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim()); policyBuilder.RequireClaim("Permission", trimmedPermissionsSplit);// TODO: 注意硬编码 useDefaultPolicy = false; } } var authTypesSplit = authorizeDatum.AuthenticationSchemes?.Split(','); if (authTypesSplit != null && authTypesSplit.Any()) { foreach (var authType in authTypesSplit) { if (!string.IsNullOrWhiteSpace(authType)) { policyBuilder.AuthenticationSchemes.Add(authType.Trim()); } } } if (useDefaultPolicy) { policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync()); } } return any ? policyBuilder.Build() : null; }

if(authorizeDatum is IPermissionAuthorizeData permissionAuthorizeDatum ) 为扩展部分。

四、Startup

注册 PermissionAuthorizationApplicationModelProvider 服务，需要在 AddMvc 之后替换掉 AuthorizationApplicationModelProvider 服务。

1 2	services.AddMvc(); services.Replac(ServiceDescriptor.Transient<IApplicationModelProvider,PermissionAuthorizationApplicationModelProvider>());

五、Jwt 示例

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38

[Route("api/[controller]")] [ApiController] public class ValuesController : ControllerBase { private readonly JwtSecurityTokenHandler _tokenHandler = new JwtSecurityTokenHandler(); [HttpGet] [Route("SignIn")] public async Task<ActionResult<string>> SignIn() { var user = new ClaimsPrincipal(new ClaimsIdentity(new[] { // 备注：Claim Type: Group 和 Permission 这里使用的是硬编码，应该定义为类似于 ClaimTypes.Role 的常量；另外，下列模拟数据不一定合逻辑。 new Claim(ClaimTypes.Name, "Bob"), new Claim(ClaimTypes.Role, "经理"), // 注意：不能使用逗号分隔来达到多个角色的目的，下同。 new Claim(ClaimTypes.Role, "副经理"), new Claim("Group", "研发部"), new Claim("Group", "生产部"), new Claim("Permission", "请假审批"), new Claim("Permission", "权限1"), new Claim("Permission", "权限2"), }, JwtBearerDefaults.AuthenticationScheme)); var token = new JwtSecurityToken( "SignalRAuthenticationSample", "SignalRAuthenticationSample", user.Claims, expires: DateTime.UtcNow.AddDays(30), signingCredentials: SignatureHelper.GenerateSigningCredentials("1234567890123456")); return _tokenHandler.WriteToken(token); } [HttpGet] [Route("Test")] [PermissionAuthorize(Groups = "研发部,生产部", Roles = "经理", Permissions = "请假审批"] // 研发部经理或生成部经理，并且有请假审批的权限。Groups 、Roles 和 Permission 是 `And` 的关系。 public async Task<ActionResult<IEnumerable<string>>> Test() { var user = HttpContext.User; return new string[] { "value1", "value2" }; } }

六、问题

AuthorizeFilter 类显示实现了 IFilterFactory 接口的 CreateInstance 方法：

1 2 3 4 5 6 7 8 9 10 11 12

IFilterMetadata IFilterFactory.CreateInstance(IServiceProvider serviceProvider) { if (Policy != null || PolicyProvider != null) { // The filter is fully constructed. Use the current instance to authorize. return this; } Debug.Assert(AuthorizeData != null); var policyProvider = serviceProvider.GetRequiredService<IAuthorizationPolicyProvider>(); return AuthorizationApplicationModelProvider.GetFilter(policyProvider, AuthorizeData); }

竟然对 AuthorizationApplicationModelProvider.GetFilter 静态方法产生了依赖。庆幸的是，如果通过 AuthorizeFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData) 或 AuthorizeFilter(AuthorizationPolicy policy) 创建 AuthorizeFilter 对象不会产生什么不良影响。

七、下一步

[PermissionAuthorize(Groups = "研发部,生产部", Roles = "经理", Permissions = "请假审批"] 这种形式还是不够灵活，哪怕用多个 Attribute, And 和 Or 的逻辑组合不一定能满足需求。可以在 IPermissionAuthorizeData 新增一个 Rule 属性，实现类似的效果：

1	[PermissionAuthorize(Rule = "(Groups:研发部,生产部)&&(Roles:请假审批||Permissions:超级权限)"]

通过 Rule 计算复杂的授权。

八、如果通过自定义 IAuthorizationPolicyProvider 实现？

另一种方式是自定义 IAuthorizationPolicyProvider ，不过还需要自定义 AuthorizeFilter。因为当不是使用 DefaultAuthorizationPolicyProvider 而是自定义 IAuthorizationPolicyProvider 时，AuthorizationApplicationModelProvider（或前文定义的 PermissionAuthorizationApplicationModelProvider）会使用 AuthorizeFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData) 创建 AuthorizeFilter 对象，而不是 AuthorizeFilter(AuthorizationPolicy policy)。这会造成 AuthorizeFilter 对象在 OnAuthorizationAsync 时会间接调用 AuthorizationPolicy.CombineAsync 静态方法。

这可以说是一个设计上的缺陷，不应该让 AuthorizationPolicy.CombineAsync 静态方法存在，哪怕提供个 IAuthorizationPolicyCombiner 也好。另外，上文提到的 AuthorizationApplicationModelProvider.GetFilter 静态方法同样不是一种好的设计。等微软想通吧。

参考资料

https://docs.microsoft.com/zh-cn/aspnet/core/security/authorization/iauthorizationpolicyprovider?view=aspnetcore-2.1

排版问题：http://blog.tubumu.com/2018/11/28/aspnetcore-mvc-extend-authorization/