feature/custom policies (#13)

* added the possibility to register custom authorization policies * removed commented code * introduced ApiGroup Constants * added examples in code comment for Policy options * updated notes.txt Co-authored-by: Thomas Duft <[email protected]>
thomasduft · Dec 15, 2021 · 1a0e720 · 1a0e720
1 parent 7d7df60
commit 1a0e720
Show file tree

Hide file tree

Showing 16 changed files with 198 additions and 124 deletions.
diff --git a/notes.txt b/notes.txt
@@ -4,6 +4,20 @@ TODO:
   - https://github.com/openiddict/openiddict-samples/tree/dev/samples/Contruum/Contruum.Server
 
 
+- migrate to .net Program.cs file
+  - refactor DB-migrations in sample server
+
+
+- load options.Permissions from database instead of configuring it
+
+
+- client refactoring
+  - split identity, openiddict => create libs
+  - better Client deployment
+    - introduce deploy.js
+    - check server stylings not removed
+
+
 - organize APIs a bit more by feature
   - i.e. identity -> AccountController
     - AccountController
@@ -36,14 +50,6 @@ TODO:
     - PolicyClient
 
 
-- load options.Permissions from database instead of configuring it
-
-
-- better Client deployment
-  - introduce deploy.js
-  - check server stylings not removed
-
-
 - better ux for applications.permissions
   - sth. like the approach of OrchardCore ID UI
 

diff --git a/src/identity/OpenIddict.UI.Identity.Api/Account/AccountController.cs b/src/identity/OpenIddict.UI.Identity.Api/Account/AccountController.cs
@@ -3,13 +3,11 @@
 using Microsoft.AspNetCore.Mvc;
 using System.Collections.Generic;
 using System.Threading.Tasks;
-using tomware.OpenIddict.UI.Suite.Api;
 
 namespace tomware.OpenIddict.UI.Identity.Api
 {
   [Route("accounts")]
-  [ApiExplorerSettings(GroupName = "openiddict-ui-identity")]
-  public class AccountController : ApiControllerBase
+  public class AccountController : IdentityApiController
   {
     private readonly IAccountApiService _service;
 
@@ -41,7 +39,7 @@ public async Task<IActionResult> Register([FromBody] RegisterUserViewModel model
 
     [HttpPost("changepassword")]
     [ProducesResponseType(typeof(IdentityResult), StatusCodes.Status200OK)]
-    public async Task<IActionResult> ChangePassword([FromBody]ChangePasswordViewModel model)
+    public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordViewModel model)
     {
       if (model == null) return BadRequest();
       if (ModelState.IsValid)

diff --git a/src/identity/OpenIddict.UI.Identity.Api/ClaimType/ClaimTypeController.cs b/src/identity/OpenIddict.UI.Identity.Api/ClaimType/ClaimTypeController.cs
@@ -3,13 +3,11 @@
 using System;
 using System.Collections.Generic;
 using System.Threading.Tasks;
-using tomware.OpenIddict.UI.Suite.Api;
 
 namespace tomware.OpenIddict.UI.Identity.Api
 {
   [Route("claimtypes")]
-  [ApiExplorerSettings(GroupName = "openiddict-ui-identity")]
-  public class ClaimTypeController : ApiControllerBase
+  public class ClaimTypeController : IdentityApiController
   {
     private readonly IClaimTypeApiService _service;
 

diff --git a/src/identity/OpenIddict.UI.Identity.Api/Common/Constants.cs b/src/identity/OpenIddict.UI.Identity.Api/Common/Constants.cs
@@ -0,0 +1,12 @@
+namespace tomware.OpenIddict.UI.Identity.Api
+{
+  public static class Policies
+  {
+    public const string OPENIDDICT_UI_IDENTITY_API_POLICY = "OpenIddictUiIdentityApiPolicy";
+  }
+
+  public static class ApiGroups
+  {
+    public const string OPENIDDICT_UI_IDENTITY_GROUP = "openiddict-ui-identity";
+  }
+}
diff --git a/src/identity/OpenIddict.UI.Identity.Api/Common/IdentityApiController.cs b/src/identity/OpenIddict.UI.Identity.Api/Common/IdentityApiController.cs
@@ -0,0 +1,16 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using OpenIddict.Validation.AspNetCore;
+using tomware.OpenIddict.UI.Suite.Api;
+
+namespace tomware.OpenIddict.UI.Identity.Api
+{
+  [ApiExplorerSettings(GroupName = ApiGroups.OPENIDDICT_UI_IDENTITY_GROUP)]
+  [Authorize(
+    Policies.OPENIDDICT_UI_IDENTITY_API_POLICY,
+    AuthenticationSchemes = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme
+  )]
+  public class IdentityApiController : ApiControllerBase
+  {
+  }
+}
diff --git a/src/identity/OpenIddict.UI.Identity.Api/DependencyInjection.cs b/src/identity/OpenIddict.UI.Identity.Api/DependencyInjection.cs
@@ -3,8 +3,7 @@
 using System.Diagnostics.CodeAnalysis;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.DependencyInjection;
-
-using tomware.OpenIddict.UI.Suite.Core;
+using Microsoft.AspNetCore.Authorization;
 using tomware.OpenIddict.UI.Suite.Api;
 
 namespace tomware.OpenIddict.UI.Identity.Api
@@ -23,6 +22,8 @@ public static OpenIddictBuilder AddUIIdentityApis<TApplicationUser>(
 
       builder.Services.AddApiServices<TApplicationUser>();
 
+      builder.Services.AddAuthorizationServices(options.Policy);
+
       return builder;
     }
 
@@ -48,22 +49,19 @@ this IServiceCollection services
       services.AddTransient<IRoleService, RoleService>();
       services.AddTransient<IClaimTypeApiService, ClaimTypeApiService>();
 
-      services.AddAuthorizationServices();
-
       return services;
     }
 
     private static IServiceCollection AddAuthorizationServices(
-      this IServiceCollection services
+      this IServiceCollection services,
+      Action<AuthorizationPolicyBuilder> policy
     )
     {
       services.AddAuthorization(options =>
       {
         options.AddPolicy(
-          Policies.ADMIN_POLICY,
-          policy => policy
-            .RequireAuthenticatedUser()
-            .RequireRole(Roles.ADMINISTRATOR_ROLE)
+          Policies.OPENIDDICT_UI_IDENTITY_API_POLICY,
+          policy
         );
       });
 

diff --git a/src/identity/OpenIddict.UI.Identity.Api/Options/OpenIddictUIIdentityApiOptions.cs b/src/identity/OpenIddict.UI.Identity.Api/Options/OpenIddictUIIdentityApiOptions.cs
@@ -1,3 +1,7 @@
+using System;
+using Microsoft.AspNetCore.Authorization;
+using tomware.OpenIddict.UI.Suite.Core;
+
 namespace tomware.OpenIddict.UI.Identity.Api
 {
   public class OpenIddictUIIdentityApiOptions
@@ -6,5 +10,20 @@ public class OpenIddictUIIdentityApiOptions
     /// Registers a conventional route prefix for the API controllers. Defaults to "api/".
     /// </summary>
     public string RoutePrefix { get; set; } = "api/";
+
+    /// <summary>
+    /// Allows to register custom authorization policies for accessing OpenIddict-UI Identity API's.
+    /// <example>Defaults to:
+    /// <code>
+    /// policy
+    ///   .RequireAuthenticatedUser()
+    ///   .RequireRole(Roles.ADMINISTRATOR_ROLE);
+    /// </code>
+    /// </example>
+    /// </summary>
+    public Action<AuthorizationPolicyBuilder> Policy { get; set; } = policy =>
+      policy
+        .RequireAuthenticatedUser()
+        .RequireRole(Roles.ADMINISTRATOR_ROLE);
   }
 }
diff --git a/src/identity/OpenIddict.UI.Identity.Api/Role/RoleController.cs b/src/identity/OpenIddict.UI.Identity.Api/Role/RoleController.cs
@@ -2,13 +2,11 @@
 using Microsoft.AspNetCore.Mvc;
 using System.Collections.Generic;
 using System.Threading.Tasks;
-using tomware.OpenIddict.UI.Suite.Api;
 
 namespace tomware.OpenIddict.UI.Identity.Api
 {
   [Route("roles")]
-  [ApiExplorerSettings(GroupName = "openiddict-ui-identity")]
-  public class RoleController : ApiControllerBase
+  public class RoleController : IdentityApiController
   {
     private readonly IRoleService _service;
 

diff --git a/src/openiddict/OpenIddict.UI.Api/Application/ApplicationController.cs b/src/openiddict/OpenIddict.UI.Api/Application/ApplicationController.cs
@@ -3,13 +3,11 @@
 using Microsoft.AspNetCore.Mvc;
 using System.Collections.Generic;
 using System.Threading.Tasks;
-using tomware.OpenIddict.UI.Suite.Api;
 
 namespace tomware.OpenIddict.UI.Api
 {
   [Route("application")]
-  [ApiExplorerSettings(GroupName = "openiddict-ui-api")]
-  public class ApplicationController : ApiControllerBase
+  public class ApplicationController : OpenIddictApiController
   {
     private readonly IApplicationApiService _service;
 

diff --git a/src/openiddict/OpenIddict.UI.Api/Common/Constants.cs b/src/openiddict/OpenIddict.UI.Api/Common/Constants.cs
@@ -0,0 +1,12 @@
+namespace tomware.OpenIddict.UI.Api
+{
+  public static class Policies
+  {
+    public const string OPENIDDICT_UI_API_POLICY = "OpenIddictUiApiPolicy";
+  }
+
+  public static class ApiGroups
+  {
+    public const string OPENIDDICT_UI_GROUP = "openiddict-ui-api";
+  }
+}
diff --git a/src/openiddict/OpenIddict.UI.Api/Common/OpenIddictApiController.cs b/src/openiddict/OpenIddict.UI.Api/Common/OpenIddictApiController.cs
@@ -0,0 +1,16 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using OpenIddict.Validation.AspNetCore;
+using tomware.OpenIddict.UI.Suite.Api;
+
+namespace tomware.OpenIddict.UI.Api
+{
+  [ApiExplorerSettings(GroupName = ApiGroups.OPENIDDICT_UI_GROUP)]
+  [Authorize(
+    Policies.OPENIDDICT_UI_API_POLICY,
+    AuthenticationSchemes = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme
+  )]
+  public class OpenIddictApiController : ApiControllerBase
+  {
+  }
+}