Strawman for new authorization packages that can be shared between server and client

eng/ProjectReferences.props

@@ -65,6 +65,8 @@
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" ProjectPath="$(RepositoryRoot)src\Security\Authentication\OpenIdConnect\src\Microsoft.AspNetCore.Authentication.OpenIdConnect.csproj" RefProjectPath="$(RepositoryRoot)src\Security\Authentication\OpenIdConnect\ref\Microsoft.AspNetCore.Authentication.OpenIdConnect.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authentication.Twitter" ProjectPath="$(RepositoryRoot)src\Security\Authentication\Twitter\src\Microsoft.AspNetCore.Authentication.Twitter.csproj" RefProjectPath="$(RepositoryRoot)src\Security\Authentication\Twitter\ref\Microsoft.AspNetCore.Authentication.Twitter.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authentication.WsFederation" ProjectPath="$(RepositoryRoot)src\Security\Authentication\WsFederation\src\Microsoft.AspNetCore.Authentication.WsFederation.csproj" RefProjectPath="$(RepositoryRoot)src\Security\Authentication\WsFederation\ref\Microsoft.AspNetCore.Authentication.WsFederation.csproj" />
+    <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authorization.Common.Abstractions" ProjectPath="$(RepositoryRoot)src\Security\Authorization\Common.Abstractions\src\Microsoft.AspNetCore.Authorization.Common.Abstractions.csproj" RefProjectPath="$(RepositoryRoot)src\Security\Authorization\Common.Abstractions\ref\Microsoft.AspNetCore.Authorization.Common.Abstractions.csproj" />
+    <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authorization.Common" ProjectPath="$(RepositoryRoot)src\Security\Authorization\Common\src\Microsoft.AspNetCore.Authorization.Common.csproj" RefProjectPath="$(RepositoryRoot)src\Security\Authorization\Common\ref\Microsoft.AspNetCore.Authorization.Common.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authorization" ProjectPath="$(RepositoryRoot)src\Security\Authorization\Core\src\Microsoft.AspNetCore.Authorization.csproj" RefProjectPath="$(RepositoryRoot)src\Security\Authorization\Core\ref\Microsoft.AspNetCore.Authorization.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Authorization.Policy" ProjectPath="$(RepositoryRoot)src\Security\Authorization\Policy\src\Microsoft.AspNetCore.Authorization.Policy.csproj" RefProjectPath="$(RepositoryRoot)src\Security\Authorization\Policy\ref\Microsoft.AspNetCore.Authorization.Policy.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.CookiePolicy" ProjectPath="$(RepositoryRoot)src\Security\CookiePolicy\src\Microsoft.AspNetCore.CookiePolicy.csproj" RefProjectPath="$(RepositoryRoot)src\Security\CookiePolicy\ref\Microsoft.AspNetCore.CookiePolicy.csproj" />

eng/SharedFramework.Local.props

@@ -10,6 +10,8 @@
     <!-- These assemblies are available as both a NuGet package and in the shared framework -->
     <AspNetCoreAppReferenceAndPackage Include="Microsoft.AspNetCore.Http.Features" />
     <AspNetCoreAppReferenceAndPackage Include="Microsoft.AspNetCore.Connections.Abstractions" />
+    <AspNetCoreAppReferenceAndPackage Include="Microsoft.AspNetCore.Authorization.Common.Abstractions" />
+    <AspNetCoreAppReferenceAndPackage Include="Microsoft.AspNetCore.Authorization.Common" />
     <AspNetCoreAppReferenceAndPackage Include="Microsoft.AspNetCore.Http.Connections.Common" />
     <AspNetCoreAppReferenceAndPackage Include="Microsoft.AspNetCore.SignalR.Protocols.Json" />
     <AspNetCoreAppReferenceAndPackage Include="Microsoft.AspNetCore.SignalR.Common" />

src/Http/Http.Abstractions/src/Microsoft.AspNetCore.Http.Abstractions.csproj

@@ -20,6 +20,7 @@ Microsoft.AspNetCore.Http.HttpResponse</Description>
   </ItemGroup>
 
   <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore.Authorization.Common.Abstractions" />
     <Reference Include="Microsoft.AspNetCore.Http.Features" />
     <Reference Include="Microsoft.Extensions.ActivatorUtilities.Sources" />
     <Reference Include="Microsoft.Net.Http.Headers" />

src/Security/Authorization/Common.Abstractions/src/Microsoft.AspNetCore.Authorization.Common.Abstractions.csproj

@@ -0,0 +1,9 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+    <IsAspNetCoreApp>true</IsAspNetCoreApp>
+    <IsShippingPackage>true</IsShippingPackage>
+  </PropertyGroup>
+
+</Project>

src/Security/Authorization/Core/src/AuthorizationHandlerContext.cs → src/Security/Authorization/Common/src/AuthorizationHandlerContext.cs

@@ -95,4 +95,4 @@ public virtual void Succeed(IAuthorizationRequirement requirement)
             _pendingRequirements.Remove(requirement);
         }
     }
-}
+}

src/Security/Authorization/Core/src/AuthorizationPolicy.cs → src/Security/Authorization/Common/src/AuthorizationPolicy.cs

@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization.Common;
 
 namespace Microsoft.AspNetCore.Authorization
 {
@@ -143,7 +144,8 @@ public static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyP
                         var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy);
                         if (policy == null)
                         {
-                            throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy));
+                            throw new InvalidOperationException(
+                                string.Format(Resources.Exception_AuthorizationPolicyNotFound, authorizeDatum.Policy));
                         }
                         policyBuilder.Combine(policy);
                         useDefaultPolicy = false;
@@ -179,4 +181,4 @@ public static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyP
             return policyBuilder?.Build();
         }
     }
-}
+}

src/Security/Authorization/Common/src/AuthorizationServiceCollectionCommonExtensions.cs

@@ -0,0 +1,64 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+using Microsoft.AspNetCore.Authorization.Policy;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+
+namespace Microsoft.Extensions.DependencyInjection
+{
+    /// <summary>
+    /// Extension methods for setting up authorization services in an <see cref="IServiceCollection" />.
+    /// </summary>
+    public static class AuthorizationServiceCollectionCommonExtensions
+    {
+        /// <summary>
+        /// Adds authorization services to the specified <see cref="IServiceCollection" />. 
+        /// </summary>
+        /// <param name="services">The <see cref="IServiceCollection" /> to add services to.</param>
+        /// <returns>The <see cref="IServiceCollection"/> so that additional calls can be chained.</returns>
+        public static IServiceCollection AddAuthorizationCommon(this IServiceCollection services)
+        {
+            if (services == null)
+            {
+                throw new ArgumentNullException(nameof(services));
+            }
+
+            services.TryAdd(ServiceDescriptor.Transient<IAuthorizationService, DefaultAuthorizationService>());
+            services.TryAdd(ServiceDescriptor.Transient<IAuthorizationPolicyProvider, DefaultAuthorizationPolicyProvider>());
+            services.TryAdd(ServiceDescriptor.Transient<IAuthorizationHandlerProvider, DefaultAuthorizationHandlerProvider>());
+            services.TryAdd(ServiceDescriptor.Transient<IAuthorizationEvaluator, DefaultAuthorizationEvaluator>());
+            services.TryAdd(ServiceDescriptor.Transient<IAuthorizationHandlerContextFactory, DefaultAuthorizationHandlerContextFactory>());
+            services.TryAddEnumerable(ServiceDescriptor.Transient<IAuthorizationHandler, PassThroughAuthorizationHandler>());
+
+            // Policy
+            services.TryAdd(ServiceDescriptor.Transient<ICommonPolicyEvaluator, CommonPolicyEvaluator>());
+
+            return services;
+        }
+
+        /// <summary>
+        /// Adds authorization services to the specified <see cref="IServiceCollection" />. 
+        /// </summary>
+        /// <param name="services">The <see cref="IServiceCollection" /> to add services to.</param>
+        /// <param name="configure">An action delegate to configure the provided <see cref="AuthorizationOptions"/>.</param>
+        /// <returns>The <see cref="IServiceCollection"/> so that additional calls can be chained.</returns>
+        public static IServiceCollection AddAuthorizationCommon(this IServiceCollection services, Action<AuthorizationOptions> configure)
+        {
+            if (services == null)
+            {
+                throw new ArgumentNullException(nameof(services));
+            }
+
+            if (configure == null)
+            {
+                throw new ArgumentNullException(nameof(configure));
+            }
+
+            services.Configure(configure);
+            return services.AddAuthorizationCommon();
+        }
+    }
+}

src/Security/Authorization/Core/src/DefaultAuthorizationService.cs → src/Security/Authorization/Common/src/DefaultAuthorizationService.cs

@@ -132,4 +132,4 @@ public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, obje
             return await this.AuthorizeAsync(user, resource, policy);
         }
     }
-}
+}

src/Security/Authorization/Common/src/Microsoft.AspNetCore.Authorization.Common.csproj

@@ -0,0 +1,28 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+    <IsAspNetCoreApp>true</IsAspNetCoreApp>
+    <IsShippingPackage>true</IsShippingPackage>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore.Authorization.Common.Abstractions" />
+    <Reference Include="Microsoft.Extensions.Logging.Abstractions" />
+    <Reference Include="Microsoft.Extensions.Options" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <Compile Update="Resources.Designer.cs">
+      <DesignTime>True</DesignTime>
+      <AutoGen>True</AutoGen>
+      <DependentUpon>Resources.resx</DependentUpon>
+    </Compile>
+
+    <EmbeddedResource Update="Resources.resx">
+      <Generator>ResXFileCodeGenerator</Generator>
+      <LastGenOutput>Resources.Designer.cs</LastGenOutput>
+    </EmbeddedResource>
+  </ItemGroup>
+
+</Project>

src/Security/Authorization/Common/src/Policy/CommonPolicyEvaluator.cs

@@ -0,0 +1,60 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Security.Claims;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.Authorization.Policy
+{
+    public class CommonPolicyEvaluator : ICommonPolicyEvaluator
+    {
+        private readonly IAuthorizationService _authorization;
+
+        /// <summary>
+        /// Constructor
+        /// </summary>
+        /// <param name="authorization">The authorization service.</param>
+        public CommonPolicyEvaluator(IAuthorizationService authorization)
+        {
+            _authorization = authorization;
+        }
+
+        /// <summary>
+        /// Attempts authorization for a policy using <see cref="IAuthorizationService"/>.
+        /// </summary>
+        /// <param name="policy">The <see cref="AuthorizationPolicy"/>.</param>
+        /// <param name="authenticationSucceeded">True if authentication succeeded, otherwise false.</param>
+        /// <param name="user">The <see cref="ClaimsPrincipal"/>.</param>
+        /// <param name="resource">
+        /// An optional resource the policy should be checked with.
+        /// If a resource is not required for policy evaluation you may pass null as the value.
+        /// </param>
+        /// <returns>Returns <see cref="PolicyAuthorizationResult.Success"/> if authorization succeeds.
+        /// Otherwise returns <see cref="PolicyAuthorizationResult.Forbid"/> if <see cref="AuthenticateResult.Succeeded"/>, otherwise
+        /// returns  <see cref="PolicyAuthorizationResult.Challenge"/></returns>
+        public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, bool authenticationSucceeded, ClaimsPrincipal user, object resource)
+        {
+            if (policy == null)
+            {
+                throw new ArgumentNullException(nameof(policy));
+            }
+
+            if (user == null)
+            {
+                throw new ArgumentNullException(nameof(user));
+            }
+
+            var result = await _authorization.AuthorizeAsync(user, resource, policy);
+            if (result.Succeeded)
+            {
+                return PolicyAuthorizationResult.Success();
+            }
+
+            // If authentication was successful, return forbidden, otherwise challenge
+            return authenticationSucceeded
+                ? PolicyAuthorizationResult.Forbid()
+                : PolicyAuthorizationResult.Challenge();
+        }
+    }
+}

src/Security/Authorization/Common/src/Policy/ICommonPolicyEvaluator.cs

@@ -0,0 +1,26 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Security.Claims;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.Authorization.Policy
+{
+    public interface ICommonPolicyEvaluator
+    {
+        /// <summary>
+        /// Attempts authorization for a policy using <see cref="IAuthorizationService"/>.
+        /// </summary>
+        /// <param name="policy">The <see cref="AuthorizationPolicy"/>.</param>
+        /// <param name="authenticationSucceeded">True if authentication succeeded, otherwise false.</param>
+        /// <param name="user">The <see cref="ClaimsPrincipal"/>.</param>
+        /// <param name="resource">
+        /// An optional resource the policy should be checked with.
+        /// If a resource is not required for policy evaluation you may pass null as the value.
+        /// </param>
+        /// <returns>Returns <see cref="PolicyAuthorizationResult.Success"/> if authorization succeeds.
+        /// Otherwise returns <see cref="PolicyAuthorizationResult.Forbid"/> if <see cref="AuthenticateResult.Succeeded"/>, otherwise
+        /// returns  <see cref="PolicyAuthorizationResult.Challenge"/></returns>
+        Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, bool authenticationSucceeded, ClaimsPrincipal user, object resource);
+    }
+}

src/Security/Authorization/Core/src/Policy/PolicyAuthorizationResult.cs → src/Security/Authorization/Common/src/Policy/PolicyAuthorizationResult.cs

@@ -32,4 +32,4 @@ public static PolicyAuthorizationResult Success()
             => new PolicyAuthorizationResult { Succeeded = true };
 
     }
-}
+}