前往小程序,Get更优阅读体验!
立即前往
文档建议反馈控制台
首页
学习
活动
专区
工具
TVP
最新优惠活动
文章/答案/技术大牛
发布
首页
学习
活动
专区
工具
TVP最新优惠活动
返回腾讯云官网
社区首页 >专栏 >.NET 云原生架构师训练营(权限系统 代码重构)--学习笔记

.NET 云原生架构师训练营(权限系统 代码重构)--学习笔记

原创
作者头像
郑子铭
修改2022-02-24 10:08:56
2880
修改2022-02-24 10:08:56
举报
文章被收录于专栏:DotNet NB && CloudNativeDotNet NB && CloudNative

目录

  • 模块拆分
  • 代码重构

模块拆分

image.png
image.png

代码重构

  • AuthenticationController
  • PermissionController
  • IAuthorizationMiddlewareResultHandler
  • ISaveChangesInterceptor

AuthenticationController

新增 AuthenticationController 用于登录和注册;登录会颁发 jwt token,包含用户的 claims 和 role 的 claims

登录

代码语言:txt
复制
[HttpPost]  
[Route("login")]  
public async Task<IActionResult> Login([FromBody] LoginRequest.LoginModel model)  
{  
    var user = await _userManager.FindByNameAsync(model.Username);
    var userClaims = await _userManager.GetClaimsAsync(user);

    if (user != null && await _userManager.CheckPasswordAsync(user, model.Password))  
    {  
        var userRoles = await _userManager.GetRolesAsync(user);  

        var authClaims = new List<Claim>  
        {  
            new Claim(ClaimTypes.Name, user.UserName),  
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),  
        };  

        foreach (var userRole in userRoles)  
        {  
            authClaims.Add(new Claim(ClaimTypes.Role, userRole));

            var role = await _roleManager.FindByNameAsync(userRole);
            var roleClaims = await _roleManager.GetClaimsAsync(role);
            authClaims.AddRange(roleClaims);
        }

        authClaims.AddRange(userClaims);
        var authSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JWT:Secret"]));  

        var token = new JwtSecurityToken(  
            issuer: _configuration["JWT:ValidIssuer"],  
            audience: _configuration["JWT:ValidAudience"],  
            expires: DateTime.Now.AddHours(3),  
            claims: authClaims,  
            signingCredentials: new SigningCredentials(authSigningKey, SecurityAlgorithms.HmacSha256)  
        );  

        return Ok(new  
        {  
            token = new JwtSecurityTokenHandler().WriteToken(token),  
            expiration = token.ValidTo  
        });  
    }  
    return Unauthorized();  
}

注册

代码语言:txt
复制
[HttpPost]  
[Route("register")]  
public async Task<IActionResult> Register([FromBody] RegisterRequest model)  
{  
    var userExists = await _userManager.FindByNameAsync(model.Username);  
    if (userExists != null)  
        return StatusCode(StatusCodes.Status500InternalServerError, "User already exist");  

    var user = new IdentityUser()  
    {  
        Email = model.Email,  
        SecurityStamp = Guid.NewGuid().ToString(),  
        UserName = model.Username  
    };  
    var result = await _userManager.CreateAsync(user, model.Password);  
    if (!result.Succeeded)  
        return StatusCode(StatusCodes.Status500InternalServerError, result.Errors);  

    return Ok();  
}

PermissionController

PermissionController 新增 创建实体权限,用户角色相关接口

代码语言:txt
复制
[Route("entity")]
[HttpPost]
public async Task<IActionResult> CreateEntityPermission([FromBody] CreateEntityPermissionRequest request)
{
    var permission = new Permission()
    {
        Data = request.Data,
        Description = request.Description,
        DisplayName = request.DisplayName,
        Key = request.Key,
        Group = request.Group,
        Resources = request.resources.Select(r => new EntityResource() { Key = r })
    };

    await _permissionManager.CreateAsync(permission);
    return Ok();
}

[Route("user/{username}")]
[HttpGet]
public async Task<IActionResult> FindUserPermission(string username)
{
    return Ok(await _userPermission.FindUserPermission(username));
}

[Route("role/{roleName}")]
[HttpGet]
public async Task<IActionResult> FindRolePermission(string roleName)
{
    return Ok(await _rolePermission.FindRolePermission(roleName));
}

[Route("addtorole")]
[HttpPost]
public async Task<IActionResult> AddToRole([FromQuery] string role, [FromQuery] string permission)
{
    await _rolePermission.AddRolePermission(role, permission);
    return Ok();
}

[Route("addtouser")]
[HttpPost]
public async Task<IActionResult> AddToUser([FromQuery] string username, [FromQuery] string permission)
{
    await _userPermission.AddUserPermission(username, permission);
    return Ok();
}

IAuthorizationMiddlewareResultHandler

在 asp .net core 3.1 之后 ActionAuthorizationFilter 已经没用了,需要使用 IAuthorizationMiddlewareResultHandler

IAuthorizationMiddlewareResultHandler 是授权管理里面的一个 Handler,可以从 endpoint 的 Metadata 获取到 ControllerActionDescriptor,从而获取到 permissionKey

authorizeResult.Challenged:未登录返回401

authorizeResult.Forbidden:未授权返回403

需要将 Challenged 放在 Forbidden 之前,不然未登录也返回 403

代码语言:txt
复制
public class DotNetNBAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
{
    public async Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy,
        PolicyAuthorizationResult authorizeResult)
    {
        var endpoint = context.GetEndpoint();
        var actionDescriptor = endpoint.Metadata.GetMetadata<ControllerActionDescriptor>();
        if (actionDescriptor != null)
        {
            var permissions = context.User.Claims.Where(c => c.Type == Core.ClaimsTypes.Permission);
            var permissionKey = actionDescriptor.GetPermissionKey();
            var values = permissions.Select(p => p.Value);
            if (!values.Contains(permissionKey))
            {

                await context.ForbidAsync();
                return;
            }
        }
        
        if (authorizeResult.Challenged)
        {
            if (policy.AuthenticationSchemes.Count > 0)
            {
                foreach (var scheme in policy.AuthenticationSchemes)
                {
                    await context.ChallengeAsync(scheme);
                }
            }
            else
            {
                await context.ChallengeAsync();
            }

            return;
        }
        else if (authorizeResult.Forbidden)
        {
            if (policy.AuthenticationSchemes.Count > 0)
            {
                foreach (var scheme in policy.AuthenticationSchemes)
                {
                    await context.ForbidAsync(scheme);
                }
            }
            else
            {
                await context.ForbidAsync();
            }

            return;
        }
        
        await next(context);
    }
}

ISaveChangesInterceptor

ISaveChangesInterceptor 是 entity 操作的拦截器,获取 Added,Deleted,Modified 三种状态的实体

新增和删除分别获取对应的 permission key 与用户的 permission 对比

更新需要遍历获取每个实体更新的 member 的 permission key 与用户的 permission 对比

代码语言:txt
复制
public class SavingChangeInterceptor: ISaveChangesInterceptor
{
    ...

    public async ValueTask<InterceptionResult<int>> SavingChangesAsync(DbContextEventData eventData, InterceptionResult<int> result,
        CancellationToken cancellationToken = new CancellationToken())
    {
        var contextName = eventData.Context.GetType().Name;
        var permissions = await _permissionManager.GetByGroupAsync(contextName);
        var entityPermissions = permissions.Select(p => new EntityPermission(p)).ToList();

        
        if (permissions==null || !permissions.Any())
            return result;

        var addedEntities = eventData.Context.ChangeTracker.Entries().Where(e => e.State == EntityState.Added);
        var deletedEntties = eventData.Context.ChangeTracker.Entries().Where(e => e.State == EntityState.Deleted);
        var modifiedEntities = eventData.Context.ChangeTracker.Entries().Where(e => e.State == EntityState.Modified);

        await CheckAddedEntitiesAsync(addedEntities, entityPermissions);
        await CheckDeletedEntitiesAsync(deletedEntties,entityPermissions);
        await CheckModifiedEntitiesAsync(modifiedEntities,entityPermissions);
        
        return result;
    }
    
    private async Task CheckAddedEntitiesAsync(IEnumerable<EntityEntry> entities,IEnumerable<EntityPermission> permissions)
    {
        foreach (var entity in entities)
        {
            var entityName = entity.Metadata.Name;
            var entityPermissions = permissions.Where(p => p.Data.EntityName == entityName);
            
            if(!entityPermissions.Any())
                continue;

            var user = _contextAccessor.HttpContext.User;
            if (!user.Identity.IsAuthenticated)
                throw new AuthenticationException();

            var createPermission = entityPermissions.Where(e => e.Data.Create).Select(e => e.Key);
            var claimValues = user.Claims.Where(c => c.Type == ClaimsTypes.Permission).Select(c => c.Value);
            if (!createPermission.Intersect(claimValues).Any())
                throw new AuthorizationException();

        }
    }

    private async Task CheckDeletedEntitiesAsync(IEnumerable<EntityEntry> entities,IEnumerable<EntityPermission> permissions)
    {
        foreach (var entity in entities)
        {
            var entityName = entity.Metadata.Name;
            var entityPermissions = permissions.Where(p => p.Data.EntityName == entityName);
            
            if(!entityPermissions.Any())
                continue;

            var user = _contextAccessor.HttpContext.User;
            if (!user.Identity.IsAuthenticated)
                throw new AuthenticationException();

            var deletePermission = entityPermissions.Where(e => e.Data.Delete).Select(e => e.Key);
            var claimValues = user.Claims.Where(c => c.Type == ClaimsTypes.Permission).Select(c => c.Value);
            if (!deletePermission.Intersect(claimValues).Any())
                throw new AuthorizationException();

        }
    }

    private async Task CheckModifiedEntitiesAsync(IEnumerable<EntityEntry> entities,IEnumerable<EntityPermission> permissions)
    {
        foreach (var entity in entities)
        {
            var entityName = entity.Metadata.Name;
            var entityPermissions = permissions.Where(p => p.Data.EntityName == entityName);
            
            if(!entityPermissions.Any())
                continue;

            var user = _contextAccessor.HttpContext.User;
            if (!user.Identity.IsAuthenticated)
                throw new AuthenticationException();
            
            var modifiedMembers = entity.Members.Where(m => m.IsModified).Select(m => m.Metadata.Name);
            var canUpdatePermissionKeys = new List<string>();

            foreach (var permission in entityPermissions)
            {
                var definedMembers = permission.Data.Members.Where(m => m.Update && modifiedMembers.Contains(m.MemberName));
                if(definedMembers.Any())
                    canUpdatePermissionKeys.Add((permission.Key));
            }

            var claimValues = user.Claims.Where(c => c.Type == ClaimsTypes.Permission).Select(c => c.Value);
            if (!canUpdatePermissionKeys.Intersect(claimValues).Any())
                throw new AuthorizationException();
        }
    }
    
    ...
}

GitHub源码链接:

https://github.com/MingsonZheng/dotnetnb.security refactor 分支

原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。

如有侵权,请联系 cloudcommunity@tencent.com 删除。

.net

原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。

如有侵权,请联系 cloudcommunity@tencent.com 删除。

.net
评论
登录后参与评论
0 条评论
热度
最新
登录 后参与评论
推荐阅读
LV.
文章
0
获赞
0
目录
  • 目录
    • 模块拆分
      • 代码重构
        • AuthenticationController
        • PermissionController
        • IAuthorizationMiddlewareResultHandler
        • ISaveChangesInterceptor
      • GitHub源码链接:
      领券

      腾讯云开发者

      扫码关注腾讯云开发者

      扫码关注腾讯云开发者

      领取腾讯云代金券

      热门产品

      热门推荐

      更多推荐

      Copyright ? 2013 - 2024 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有?

      深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059?深公网安备号 44030502008569

      腾讯云计算(北京)有限责任公司 京ICP证150476号 | ?京ICP备11018762号 | 京公网安备号11010802020287

      问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档

      Copyright ? 2013 - 2024 Tencent Cloud.

      All Rights Reserved. 腾讯云 版权所有

      登录 后参与评论
      http://www.vxiaotou.com