using Admin.Core.Common; using Admin.Core.IService; using Admin.Core.Model; using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Http; using Microsoft.Extensions.DependencyInjection; using System; using System.Collections.Generic; using System.Linq; using System.Security.Claims; using System.Text.RegularExpressions; using System.Threading.Tasks; namespace Admin.Core.Extensions { /// /// 权限授权处理器 /// public class PermissionHandler : AuthorizationHandler { /// /// 验证方案提供对象 /// public IAuthenticationSchemeProvider Schemes { get; set; } private readonly IHttpContextAccessor _accessor; /// /// 构造函数注入 /// /// /// /// public PermissionHandler(IAuthenticationSchemeProvider schemes, IHttpContextAccessor accessor) { _accessor = accessor; Schemes = schemes; } // 重写异步处理程序 protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement) { var httpContext = _accessor.HttpContext; if (httpContext != null) { var questUrl = httpContext.Request.Path.Value.ToLower(); // 整体结构类似认证中间件UseAuthentication的逻辑,具体查看开源地址 // https://github.com/dotnet/aspnetcore/blob/master/src/Security/Authentication/Core/src/AuthenticationMiddleware.cs httpContext.Features.Set(new AuthenticationFeature { OriginalPath = httpContext.Request.Path, OriginalPathBase = httpContext.Request.PathBase }); // Give any IAuthenticationRequestHandler schemes a chance to handle the request // 主要作用是: 判断当前是否需要进行远程验证,如果是就进行远程验证 var handlers = httpContext.RequestServices.GetRequiredService(); foreach (var scheme in await Schemes.GetRequestHandlerSchemesAsync()) { if (await handlers.GetHandlerAsync(httpContext, scheme.Name) is IAuthenticationRequestHandler handler && await handler.HandleRequestAsync()) { context.Fail(); return; } } //判断请求是否拥有凭据,即有没有登录 var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync(); if (defaultAuthenticate != null) { var result = await httpContext.AuthenticateAsync(defaultAuthenticate.Name); // 是否开启测试环境 var isTestCurrent = Appsettings.app(new string[] { "AppSettings", "UseLoadTest" }).ObjToBool(); //result?.Principal不为空即登录成功 if (result?.Principal != null || isTestCurrent) { if (!isTestCurrent) httpContext.User = result.Principal; // 获取当前用户的角色信息 var currentUserRoles = new List(); if (Permissions.IsUseIds4) { currentUserRoles = (from item in httpContext.User.Claims where item.Type == "role" select item.Value).ToList(); } else { // jwt currentUserRoles = (from item in httpContext.User.Claims where item.Type == requirement.ClaimType select item.Value).ToList(); } //验证权限 if (currentUserRoles.Count <= 0) { context.Fail(); return; } var isExp = false; // ids4和jwt切换 // ids4 if (Permissions.IsUseIds4) { isExp = (httpContext.User.Claims.SingleOrDefault(s => s.Type == "exp")?.Value) != null && DateHelper.StampToDateTime(httpContext.User.Claims.SingleOrDefault(s => s.Type == "exp")?.Value) >= DateTime.Now; } else { // jwt isExp = (httpContext.User.Claims.SingleOrDefault(s => s.Type == ClaimTypes.Expiration)?.Value) != null && DateTime.Parse(httpContext.User.Claims.SingleOrDefault(s => s.Type == ClaimTypes.Expiration)?.Value) >= DateTime.Now; } if (isExp) { context.Succeed(requirement); } else { context.Fail(); return; } return; } } //判断没有登录时,是否访问登录的url,并且是Post请求,并且是form表单提交类型,否则为失败 if (!(questUrl.Equals(requirement.LoginPath.ToLower(), StringComparison.Ordinal) && (!httpContext.Request.Method.Equals("POST") || !httpContext.Request.HasFormContentType))) { context.Fail(); return; } } //context.Succeed(requirement); } } }