Asp.Net Core Authorize你不知道的那些事(源码解读)


一、前言

IdentityServer4已经分享了一些应用实战的文章,从架构到授权中心的落地应用,也伴随着对IdentityServer4掌握了一些使用规则,但是很多原理性东西还是一知半解,故我这里持续性来带大家一起来解读它的相关源代码,本文先来看看为什么Controller或者Action中添加Authorize或者全局中添加AuthorizeFilter过滤器就可以实现该资源受到保护,需要通过access_token才能通过相关的授权呢?今天我带大家来了解AuthorizeAttributeAuthorizeFilter的关系及代码解读。

二、代码解读

解读之前我们先来看看下面两种标注授权方式的代码:

标注方式
 [Authorize]
 [HttpGet]
 public async Task Get()
 {
      var userId = User.UserId();
      return new
      {
         name = User.Name(),
         userId = userId,
         displayName = User.DisplayName(),
         merchantId = User.MerchantId(),
      };
 }

代码中通过[Authorize]标注来限制该api资源的访问

全局方式
public void ConfigureServices(IServiceCollection services)
{
     //全局添加AuthorizeFilter 过滤器方式
     services.AddControllers(options=>options.Filters.Add(new AuthorizeFilter()));

     services.AddAuthorization();
     services.AddAuthentication("Bearer")
         .AddIdentityServerAuthentication(options =>
         {
             options.Authority = "http://localhost:5000";    //配置Identityserver的授权地址
             options.RequireHttpsMetadata = false;           //不需要https    
             options.ApiName = OAuthConfig.UserApi.ApiName;  //api的name,需要和config的名称相同
         });
}

全局通过添加AuthorizeFilter过滤器方式进行全局api资源的限制

AuthorizeAttribute

先来看看AuthorizeAttribute源代码:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class AuthorizeAttribute : Attribute, IAuthorizeData
{
    /// 
    /// Initializes a new instance of the  class. 
    /// 
    public AuthorizeAttribute() { }

    /// 
    /// Initializes a new instance of the  class with the specified policy. 
    /// 
    /// The name of the policy to require for authorization.
    public AuthorizeAttribute(string policy)
    {
       Policy = policy;
    }

    /// 
    /// 收取策略
    /// 
    public string Policy { get; set; }

    /// 
    /// 授权角色
    /// 
    public string Roles { get; set; }

    /// 
    /// 授权Schemes
    /// 
    public string AuthenticationSchemes { get; set; }
}

代码中可以看到AuthorizeAttribute继承了IAuthorizeData抽象接口,该接口主要是授权数据的约束定义,定义了三个数据属性

  • Prolicy :授权策略
  • Roles : 授权角色
  • AuthenticationSchemes :授权Schemes 的支持
    Asp.Net Core 中的http中间件会根据IAuthorizeData这个来获取有哪些授权过滤器,来实现过滤器的拦截并执行相关代码。
    我们看看AuthorizeAttribute代码如下:
public interface IAuthorizeData
{
        /// 
        /// Gets or sets the policy name that determines access to the resource.
        /// 
        string Policy { get; set; }

        /// 
        /// Gets or sets a comma delimited list of roles that are allowed to access the resource.
        /// 
        string Roles { get; set; }

        /// 
        /// Gets or sets a comma delimited list of schemes from which user information is constructed.
        /// 
        string AuthenticationSchemes { get; set; }
}

我们再来看看授权中间件UseAuthorization)的核心代码:

public static IApplicationBuilder UseAuthorization(this IApplicationBuilder app)
{
    if (app == null)
    {
        throw new ArgumentNullException(nameof(app));
    }

    VerifyServicesRegistered(app);

    return app.UseMiddleware();
}

代码中注册了AuthorizationMiddleware这个中间件,AuthorizationMiddleware中间件源代码如下:

 public class AuthorizationMiddleware
 {
        // Property key is used by Endpoint routing to determine if Authorization has run
        private const string AuthorizationMiddlewareInvokedWithEndpointKey = "__AuthorizationMiddlewareWithEndpointInvoked";
        private static readonly object AuthorizationMiddlewareWithEndpointInvokedValue = new object();

        private readonly RequestDelegate _next;
        private readonly IAuthorizationPolicyProvider _policyProvider;

        public AuthorizationMiddleware(RequestDelegate next, IAuthorizationPolicyProvider policyProvider)
        {
            _next = next ?? throw new ArgumentNullException(nameof(next));
            _policyProvider = policyProvider ?? throw new ArgumentNullException(nameof(policyProvider));
        }

        public async Task Invoke(HttpContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            var endpoint = context.GetEndpoint();

            if (endpoint != null)
            {
                // EndpointRoutingMiddleware uses this flag to check if the Authorization middleware processed auth metadata on the endpoint.
                // The Authorization middleware can only make this claim if it observes an actual endpoint.
                context.Items[AuthorizationMiddlewareInvokedWithEndpointKey] = AuthorizationMiddlewareWithEndpointInvokedValue;
            }

            // 通过终结点路由元素IAuthorizeData来获得对于的AuthorizeAttribute并关联到AuthorizeFilter中
            var authorizeData = endpoint?.Metadata.GetOrderedMetadata() ?? Array.Empty();
            var policy = await AuthorizationPolicy.CombineAsync(_policyProvider, authorizeData);
            if (policy == null)
            {
                await _next(context);
                return;
            }

            // Policy evaluator has transient lifetime so it fetched from request services instead of injecting in constructor
            var policyEvaluator = context.RequestServices.GetRequiredService();

            var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context);

            // Allow Anonymous skips all authorization
            if (endpoint?.Metadata.GetMetadata() != null)
            {
                await _next(context);
                return;
            }

            // Note that the resource will be null if there is no matched endpoint
            var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, resource: endpoint);

            if (authorizeResult.Challenged)
            {
                if (policy.AuthenticationSchemes.Any())
                {
                    foreach (var scheme in policy.AuthenticationSchemes)
                    {
                        await context.ChallengeAsync(scheme);
                    }
                }
                else
                {
                    await context.ChallengeAsync();
                }

                return;
            }
            else if (authorizeResult.Forbidden)
            {
                if (policy.AuthenticationSchemes.Any())
                {
                    foreach (var scheme in policy.AuthenticationSchemes)
                    {
                        await context.ForbidAsync(scheme);
                    }
                }
                else
                {
                    await context.ForbidAsync();
                }

                return;
            }

            await _next(context);
        }
    }

代码中核心拦截并获得AuthorizeFilter过滤器的代码

var authorizeData = endpoint?.Metadata.GetOrderedMetadata() ?? Array.Empty();

前面我分享过一篇关于 的文章里面讲解到通过EndPoint终结点路由来获取ControllerAction中的Attribute特性标注,这里也是通过该方法来拦截获取对于的AuthorizeAttribute的.
而获取到相关authorizeData授权数据后,下面的一系列代码都是通过判断来进行AuthorizeAsync授权执行的方法,这里就不详细分享它的授权认证的过程了。
细心的同学应该已经发现上面的代码有一个比较特殊的代码:

if (endpoint?.Metadata.GetMetadata() != null)
{
      await _next(context);
      return;
}

代码中通过endpoint终结点路由来获取是否标注有AllowAnonymous的特性,如果有则直接执行下一个中间件,不进行下面的AuthorizeAsync授权认证方法,
这也是为什么ControllerAction上标注AllowAnonymous可以跳过授权认证的原因了。

AuthorizeFilter 源码

有的人会问AuthorizeAttirbuteAuthorizeFilter有什么关系呢?它们是一个东西吗?
我们再来看看AuthorizeFilter源代码,代码如下:

public class AuthorizeFilter : IAsyncAuthorizationFilter, IFilterFactory
{
        /// 
        /// Initializes a new  instance.
        /// 
        public AuthorizeFilter()
            : this(authorizeData: new[] { new AuthorizeAttribute() })
        {
        }

        /// 
        /// Initialize a new  instance.
        /// 
        /// Authorization policy to be used.
        public AuthorizeFilter(AuthorizationPolicy policy)
        {
            if (policy == null)
            {
                throw new ArgumentNullException(nameof(policy));
            }

            Policy = policy;
        }

        /// 
        /// Initialize a new  instance.
        /// 
        /// The  to use to resolve policy names.
        /// The  to combine into an .
        public AuthorizeFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable authorizeData)
            : this(authorizeData)
        {
            if (policyProvider == null)
            {
                throw new ArgumentNullException(nameof(policyProvider));
            }

            PolicyProvider = policyProvider;
        }

        /// 
        /// Initializes a new instance of .
        /// 
        /// The  to combine into an .
        public AuthorizeFilter(IEnumerable authorizeData)
        {
            if (authorizeData == null)
            {
                throw new ArgumentNullException(nameof(authorizeData));
            }

            AuthorizeData = authorizeData;
        }

        /// 
        /// Initializes a new instance of .
        /// 
        /// The name of the policy to require for authorization.
        public AuthorizeFilter(string policy)
            : this(new[] { new AuthorizeAttribute(policy) })
        {
        }

        /// 
        /// The  to use to resolve policy names.
        /// 
        public IAuthorizationPolicyProvider PolicyProvider { get; }

        /// 
        /// The  to combine into an .
        /// 
        public IEnumerable AuthorizeData { get; }

        /// 
        /// Gets the authorization policy to be used.
        /// 
        /// 
        /// Ifnull, the policy will be constructed using
        /// .
        /// 
        public AuthorizationPolicy Policy { get; }

        bool IFilterFactory.IsReusable => true;

        // Computes the actual policy for this filter using either Policy or PolicyProvider + AuthorizeData
        private Task ComputePolicyAsync()
        {
            if (Policy != null)
            {
                return Task.FromResult(Policy);
            }

            if (PolicyProvider == null)
            {
                throw new InvalidOperationException(
                    Resources.FormatAuthorizeFilter_AuthorizationPolicyCannotBeCreated(
                        nameof(AuthorizationPolicy),
                        nameof(IAuthorizationPolicyProvider)));
            }

            return AuthorizationPolicy.CombineAsync(PolicyProvider, AuthorizeData);
        }

        internal async Task GetEffectivePolicyAsync(AuthorizationFilterContext context)
        {
            // Combine all authorize filters into single effective policy that's only run on the closest filter
            var builder = new AuthorizationPolicyBuilder(await ComputePolicyAsync());
            for (var i = 0; i < context.Filters.Count; i++)
            {
                if (ReferenceEquals(this, context.Filters[i]))
                {
                    continue;
                }

                if (context.Filters[i] is AuthorizeFilter authorizeFilter)
                {
                    // Combine using the explicit policy, or the dynamic policy provider
                    builder.Combine(await authorizeFilter.ComputePolicyAsync());
                }
            }

            var endpoint = context.HttpContext.GetEndpoint();
            if (endpoint != null)
            {
                // When doing endpoint routing, MVC does not create filters for any authorization specific metadata i.e [Authorize] does not
                // get translated into AuthorizeFilter. Consequently, there are some rough edges when an application uses a mix of AuthorizeFilter
                // explicilty configured by the user (e.g. global auth filter), and uses endpoint metadata.
                // To keep the behavior of AuthFilter identical to pre-endpoint routing, we will gather auth data from endpoint metadata
                // and produce a policy using this. This would mean we would have effectively run some auth twice, but it maintains compat.
                var policyProvider = PolicyProvider ?? context.HttpContext.RequestServices.GetRequiredService();
                var endpointAuthorizeData = endpoint.Metadata.GetOrderedMetadata() ?? Array.Empty();

                var endpointPolicy = await AuthorizationPolicy.CombineAsync(policyProvider, endpointAuthorizeData);
                if (endpointPolicy != null)
                {
                    builder.Combine(endpointPolicy);
                }
            }

            return builder.Build();
        }

        /// 
        public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            if (!context.IsEffectivePolicy(this))
            {
                return;
            }

            // IMPORTANT: Changes to authorization logic should be mirrored in security's AuthorizationMiddleware
            var effectivePolicy = await GetEffectivePolicyAsync(context);
            if (effectivePolicy == null)
            {
                return;
            }

            var policyEvaluator = context.HttpContext.RequestServices.GetRequiredService();

            var authenticateResult = await policyEvaluator.AuthenticateAsync(effectivePolicy, context.HttpContext);

            // Allow Anonymous skips all authorization
            if (HasAllowAnonymous(context))
            {
                return;
            }

            var authorizeResult = await policyEvaluator.AuthorizeAsync(effectivePolicy, authenticateResult, context.HttpContext, context);

            if (authorizeResult.Challenged)
            {
                context.Result = new ChallengeResult(effectivePolicy.AuthenticationSchemes.ToArray());
            }
            else if (authorizeResult.Forbidden)
            {
                context.Result = new ForbidResult(effectivePolicy.AuthenticationSchemes.ToArray());
            }
        }

        IFilterMetadata IFilterFactory.CreateInstance(IServiceProvider serviceProvider)
        {
            if (Policy != null || PolicyProvider != null)
            {
                // The filter is fully constructed. Use the current instance to authorize.
                return this;
            }

            Debug.Assert(AuthorizeData != null);
            var policyProvider = serviceProvider.GetRequiredService();
            return AuthorizationApplicationModelProvider.GetFilter(policyProvider, AuthorizeData);
        }

        private static bool HasAllowAnonymous(AuthorizationFilterContext context)
        {
            var filters = context.Filters;
            for (var i = 0; i < filters.Count; i++)
            {
                if (filters[i] is IAllowAnonymousFilter)
                {
                    return true;
                }
            }

            // When doing endpoint routing, MVC does not add AllowAnonymousFilters for AllowAnonymousAttributes that
            // were discovered on controllers and actions. To maintain compat with 2.x,
            // we'll check for the presence of IAllowAnonymous in endpoint metadata.
            var endpoint = context.HttpContext.GetEndpoint();
            if (endpoint?.Metadata?.GetMetadata() != null)
            {
                return true;
            }

            return false;
        }
    }

代码中继承了 IAsyncAuthorizationFilter, IFilterFactory两个抽象接口,分别来看看这两个抽象接口的源代码

IAsyncAuthorizationFilter源代码如下:
/// 
/// A filter that asynchronously confirms request authorization.
/// 
public interface IAsyncAuthorizationFilter : IFilterMetadata
{
    ///定义了授权的方法
    Task OnAuthorizationAsync(AuthorizationFilterContext context);
}

IAsyncAuthorizationFilter代码中继承了IFilterMetadata接口,同时定义了OnAuthorizationAsync抽象方法,子类需要实现该方法,然而AuthorizeFilter中也已经实现了该方法,稍后再来详细讲解该方法,我们再继续看看IFilterFactory抽象接口,代码如下:

public interface IFilterFactory : IFilterMetadata
 {
       
    bool IsReusable { get; }

    //创建IFilterMetadata 对象方法
    IFilterMetadata CreateInstance(IServiceProvider serviceProvider);
}

我们回到AuthorizeFilter 源代码中,该源代码中提供了四个构造初始化方法同时包含了AuthorizeDataPolicy属性,我们看看它的默认构造方法代码

public class AuthorizeFilter : IAsyncAuthorizationFilter, IFilterFactory
{
        public IEnumerable AuthorizeData { get; }

        //默认构造函数中默认创建了AuthorizeAttribute 对象
        public AuthorizeFilter()
            : this(authorizeData: new[] { new AuthorizeAttribute() })
        {
        }

        //赋值AuthorizeData
        public AuthorizeFilter(IEnumerable authorizeData)
        {
            if (authorizeData == null)
            {
                throw new ArgumentNullException(nameof(authorizeData));
            }

            AuthorizeData = authorizeData;
        }
}

上面的代码中默认的构造函数默认给构建了一个AuthorizeAttribute对象,并且赋值给了IEnumerable的集合属性;
好了,看到这里AuthorizeFilter过滤器也是默认构造了一个AuthorizeAttribute的对象,也就是构造了授权所需要的IAuthorizeData信息.
同时AuthorizeFilter实现的OnAuthorizationAsync方法中通过GetEffectivePolicyAsync这个方法获得有效的授权策略,并且进行下面的授权AuthenticateAsync的执行
AuthorizeFilter代码中提供了HasAllowAnonymous方法来实现是否Controller或者Action上标注了AllowAnonymous特性,用于跳过授权
HasAllowAnonymous代码如下:

private static bool HasAllowAnonymous(AuthorizationFilterContext context)
{
     var filters = context.Filters;
     for (var i = 0; i < filters.Count; i++)
     {
        if (filters[i] is IAllowAnonymousFilter)
        {
           return true;
        }
     }
     //同样通过上下文的endpoint 来获取是否标注了AllowAnonymous特性
     var endpoint = context.HttpContext.GetEndpoint();
     if (endpoint?.Metadata?.GetMetadata() != null)
     {
        return true;
     }

     return false;
}

到这里我们再回到全局添加过滤器的方式代码:

 services.AddControllers(options=>options.Filters.Add(new AuthorizeFilter()));

分析到这里 ,我很是好奇,它是怎么全局添加进去的呢?我打开源代码看了下,源代码如下:

public class MvcOptions : IEnumerable
{

        public MvcOptions()
        {
            CacheProfiles = new Dictionary(StringComparer.OrdinalIgnoreCase);
            Conventions = new List();
            Filters = new FilterCollection();
            FormatterMappings = new FormatterMappings();
            InputFormatters = new FormatterCollection();
            OutputFormatters = new FormatterCollection();
            ModelBinderProviders = new List();
            ModelBindingMessageProvider = new DefaultModelBindingMessageProvider();
            ModelMetadataDetailsProviders = new List();
            ModelValidatorProviders = new List();
            ValueProviderFactories = new List();
        }

        //过滤器集合
        public FilterCollection Filters { get; }
}

FilterCollection相关核心代码如下:

public class FilterCollection : Collection
{
        
        public IFilterMetadata Add() where TFilterType : IFilterMetadata
        {
            return Add(typeof(TFilterType));
        }

        //其他核心代码为贴出来
}

代码中提供了Add方法,约束了IFilterMetadata类型的对象,这也是上面的过滤器中为什么都继承了IFilterMetadata的原因。
到这里代码解读和实现原理已经分析完了,如果有分析不到位之处还请多多指教!!!

结论:授权中间件通过获取IAuthorizeData来获取AuthorizeAttribute对象相关的授权信息,并构造授权策略对象进行授权认证的,而AuthorizeFilter过滤器也会默认添加AuthorizeAttribute的授权相关数据IAuthorizeData并实现OnAuthorizationAsync方法,同时中间件中通过授权策略提供者IAuthorizationPolicyProvider来获得对于的授权策略进行授权认证.