Complain if auth hasn't been set up correctly

Fixes #9041

Author: pranavkm

…uthorization/Core/src/IAllowAnonymous.cs …Http.Abstractions/src/IAllowAnonymous.cssrc/Security/Authorization/Core/src/IAllowAnonymous.cs renamed to src/Http/Http.Abstractions/src/IAllowAnonymous.cs src/Security/Authorization/Core/src/IAllowAnonymous.cs renamed to src/Http/Http.Abstractions/src/IAllowAnonymous.cs

@@ -4,7 +4,7 @@
 namespace Microsoft.AspNetCore.Authorization
 {
     /// <summary>
-    /// Marker interface to enable the <see cref="AllowAnonymousAttribute"/>.
+    /// Marker interface to allow anonymous.
     /// </summary>
     public interface IAllowAnonymous
     {

…Authorization/Core/src/IAuthorizeData.cs …/Http.Abstractions/src/IAuthorizeData.cssrc/Security/Authorization/Core/src/IAuthorizeData.cs renamed to src/Http/Http.Abstractions/src/IAuthorizeData.cs src/Security/Authorization/Core/src/IAuthorizeData.cs renamed to src/Http/Http.Abstractions/src/IAuthorizeData.cs

@@ -1,8 +1,11 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Runtime.CompilerServices;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Cors.Infrastructure;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.Extensions.Logging;
@@ -11,6 +14,9 @@ namespace Microsoft.AspNetCore.Routing
 {
     internal sealed class EndpointMiddleware
     {
+        internal const string AuthorizationMiddlewareInvokedKey = "__AuthorizationMiddlewareInvoked";
+        internal const string CorsMiddlewareInvokedKey = "__CorsMiddlewareInvoked";
+
         private readonly ILogger _logger;
         private readonly RequestDelegate _next;
 
@@ -35,6 +41,8 @@ public async Task Invoke(HttpContext httpContext)
             var endpoint = httpContext.Features.Get<IEndpointFeature>()?.Endpoint;
             if (endpoint?.RequestDelegate != null)
             {
+                EnsureRequisiteMiddlewares(httpContext, endpoint);
+
                 Log.ExecutingEndpoint(_logger, endpoint);
 
                 try
@@ -52,6 +60,34 @@ public async Task Invoke(HttpContext httpContext)
             await _next(httpContext);
         }
 
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        private static void EnsureRequisiteMiddlewares(HttpContext httpContext, Endpoint endpoint)
+        {
+            if (endpoint.Metadata.GetMetadata<IAuthorizeData>() != null &&
+                !httpContext.Items.ContainsKey(AuthorizationMiddlewareInvokedKey))
+            {
+                ThrowMissingAuthMiddlewareException(endpoint);
+            }
+
+            if (endpoint.Metadata.GetMetadata<ICorsMetadata>() != null &&
+                !httpContext.Items.ContainsKey(CorsMiddlewareInvokedKey))
+            {
+                ThrowMissingCorsMiddlewareException(endpoint);
+            }
+        }
+
+        private static void ThrowMissingAuthMiddlewareException(Endpoint endpoint)
+        {
+            throw new InvalidOperationException($"Endpoint {endpoint.DisplayName} contains authorization metadata, " +
+                "but a middleware was not found that supports authorization.");
+        }
+
+        private static void ThrowMissingCorsMiddlewareException(Endpoint endpoint)
+        {
+            throw new InvalidOperationException($"Endpoint {endpoint.DisplayName} contains CORS metadata, " +
+                "but a middleware was not found that supports CORS.");
+        }
+
         private static class Log
         {
             private static readonly Action<ILogger, string, Exception> _executingEndpoint = LoggerMessage.Define<string>(

…CORS/src/Infrastructure/ICorsMetadata.cs …p/Http.Abstractions/src/ICorsMetadata.cssrc/Middleware/CORS/src/Infrastructure/ICorsMetadata.cs renamed to src/Http/Http.Abstractions/src/ICorsMetadata.cs src/Middleware/CORS/src/Infrastructure/ICorsMetadata.cs renamed to src/Http/Http.Abstractions/src/ICorsMetadata.cs

@@ -1,11 +1,14 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Cors.Infrastructure;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
 using Xunit;
 
 namespace Microsoft.AspNetCore.Routing
@@ -90,6 +93,100 @@ public async Task Invoke_WithEndpoint_InvokesDelegate()
             Assert.True(invoked);
         }
 
+        [Fact]
+        public async Task Invoke_WithEndpoint_ThrowsIfAuthAttributesWereFound_ButAuthMiddlewareNotInvoked()
+        {
+            // Arrange
+            var httpContext = new DefaultHttpContext
+            {
+                RequestServices = new ServiceProvider()
+            };
+
+            httpContext.Features.Set<IEndpointFeature>(new EndpointSelectorContext()
+            {
+                Endpoint = new Endpoint(_ => Task.CompletedTask, new EndpointMetadataCollection(Mock.Of<IAuthorizeData>()), "Test"),
+            });
+
+            var middleware = new EndpointMiddleware(NullLogger<EndpointMiddleware>.Instance, _ => Task.CompletedTask);
+
+            // Act & Assert
+            var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => middleware.Invoke(httpContext));
+
+            // Assert
+            Assert.Equal("Endpoint Test contains authorization metadata, but a middleware was not found that supports authorization.", ex.Message);
+        }
+
+        [Fact]
+        public async Task Invoke_WithEndpoint_WorksIfAuthAttributesWereFound_AndAuthMiddlewareInvoked()
+        {
+            // Arrange
+            var httpContext = new DefaultHttpContext
+            {
+                RequestServices = new ServiceProvider()
+            };
+
+            httpContext.Features.Set<IEndpointFeature>(new EndpointSelectorContext()
+            {
+                Endpoint = new Endpoint(_ => Task.CompletedTask, new EndpointMetadataCollection(Mock.Of<IAuthorizeData>()), "Test"),
+            });
+
+            httpContext.Items[EndpointMiddleware.AuthorizationMiddlewareInvokedKey] = true;
+
+            var middleware = new EndpointMiddleware(NullLogger<EndpointMiddleware>.Instance, _ => Task.CompletedTask);
+
+            // Act & Assert
+            await middleware.Invoke(httpContext);
+
+            // If we got this far, we can sound the everything's OK alarm.
+        }
+
+        [Fact]
+        public async Task Invoke_WithEndpoint_ThrowsIfCorsMetadataWasFound_ButCorsMiddlewareNotInvoked()
+        {
+            // Arrange
+            var httpContext = new DefaultHttpContext
+            {
+                RequestServices = new ServiceProvider()
+            };
+
+            httpContext.Features.Set<IEndpointFeature>(new EndpointSelectorContext()
+            {
+                Endpoint = new Endpoint(_ => Task.CompletedTask, new EndpointMetadataCollection(Mock.Of<ICorsMetadata>()), "Test"),
+            });
+
+            var middleware = new EndpointMiddleware(NullLogger<EndpointMiddleware>.Instance, _ => Task.CompletedTask);
+
+            // Act & Assert
+            var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => middleware.Invoke(httpContext));
+
+            // Assert
+            Assert.Equal("Endpoint Test contains CORS metadata, but a middleware was not found that supports CORS.", ex.Message);
+        }
+
+        [Fact]
+        public async Task Invoke_WithEndpoint_WorksIfCorsMetadataWasFound_AndCorsMiddlewareInvoked()
+        {
+            // Arrange
+            var httpContext = new DefaultHttpContext
+            {
+                RequestServices = new ServiceProvider()
+            };
+
+            httpContext.Features.Set<IEndpointFeature>(new EndpointSelectorContext()
+            {
+                Endpoint = new Endpoint(_ => Task.CompletedTask, new EndpointMetadataCollection(Mock.Of<ICorsMetadata>()), "Test"),
+            });
+
+            httpContext.Items[EndpointMiddleware.CorsMiddlewareInvokedKey] = true;
+
+            var middleware = new EndpointMiddleware(NullLogger<EndpointMiddleware>.Instance, _ => Task.CompletedTask);
+
+            // Act & Assert
+            await middleware.Invoke(httpContext);
+
+            // If we got this far, we can sound the everything's OK alarm.
+        }
+
         private class ServiceProvider : IServiceProvider
         {
             public object GetService(Type serviceType)

src/Http/Routing/src/EndpointMiddleware.cs

@@ -4,3 +4,4 @@
 using System.Runtime.CompilerServices;
 
 [assembly: InternalsVisibleTo("Microsoft.AspNetCore.Cors.Test,PublicKey=0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb")]
+

src/Http/Routing/test/UnitTests/EndpointMiddlewareTest.cs

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <Description>ASP.NET Core authorization classes.
@@ -14,6 +14,7 @@ Microsoft.AspNetCore.Authorization.AuthorizeAttribute</Description>
   </PropertyGroup>
 
   <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore.Http.Abstractions" />
     <Reference Include="Microsoft.Extensions.Logging.Abstractions" />
     <Reference Include="Microsoft.Extensions.Options" />
   </ItemGroup>

src/Middleware/CORS/src/Properties/AssemblyInfo.cs

@@ -0,0 +1,8 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Runtime.CompilerServices;
+using Microsoft.AspNetCore.Authorization;
+
+[assembly: TypeForwardedTo(typeof(IAuthorizeData))]
+[assembly: TypeForwardedTo(typeof(IAllowAnonymous))]