Added Policy Project

Author: mckaragoz

UltimateAuth.slnx

@@ -24,6 +24,7 @@
   <Project Path="src/credentials/CodeBeam.UltimateAuth.Credentials.InMemory/CodeBeam.UltimateAuth.Credentials.InMemory.csproj" Id="62ee7b1d-46ce-4f2e-985d-1e794f891b8b" />
   <Project Path="src/credentials/CodeBeam.UltimateAuth.Credentials.Reference/CodeBeam.UltimateAuth.Credentials.Reference.csproj" Id="ca03a140-f3dc-4a21-9b7d-895a3b10808b" />
   <Project Path="src/credentials/CodeBeam.UltimateAuth.Credentials/CodeBeam.UltimateAuth.Credentials.csproj" Id="2281c3b5-1d60-4542-a673-553f96eed25b" />
+  <Project Path="src/policies/CodeBeam.UltimateAuth.Policies/CodeBeam.UltimateAuth.Policies.csproj" Id="b37c337f-2446-4f54-8684-b72fa83ac444" />
   <Project Path="src/security/CodeBeam.UltimateAuth.Security.Argon2/CodeBeam.UltimateAuth.Security.Argon2.csproj" Id="6abfb7a6-ea36-42db-a843-38054dd40fd8" />
   <Project Path="src/sessions/CodeBeam.UltimateAuth.Sessions.EntityFrameworkCore/CodeBeam.UltimateAuth.Sessions.EntityFrameworkCore.csproj" Id="5b9a090d-1689-4a81-9dfa-3ba69f0bda38" />
   <Project Path="src/sessions/CodeBeam.UltimateAuth.Sessions.InMemory/CodeBeam.UltimateAuth.Sessions.InMemory.csproj" Id="fc9bfef0-8a89-4639-81ee-3f84f6e33816" />

src/CodeBeam.UltimateAuth.Server/CodeBeam.UltimateAuth.Server.csproj

@@ -23,6 +23,7 @@
 		<ProjectReference Include="..\CodeBeam.UltimateAuth.Core\CodeBeam.UltimateAuth.Core.csproj" />
 		<ProjectReference Include="..\credentials\CodeBeam.UltimateAuth.Credentials.Contracts\CodeBeam.UltimateAuth.Credentials.Contracts.csproj" />
 		<ProjectReference Include="..\credentials\CodeBeam.UltimateAuth.Credentials\CodeBeam.UltimateAuth.Credentials.csproj" />
+		<ProjectReference Include="..\policies\CodeBeam.UltimateAuth.Policies\CodeBeam.UltimateAuth.Policies.csproj" />
 		<ProjectReference Include="..\users\CodeBeam.UltimateAuth.Users.Contracts\CodeBeam.UltimateAuth.Users.Contracts.csproj" />
 		<ProjectReference Include="..\users\CodeBeam.UltimateAuth.Users\CodeBeam.UltimateAuth.Users.csproj" />
 	</ItemGroup>

src/CodeBeam.UltimateAuth.Server/Defaults/UAuthActions.cs

@@ -35,5 +35,15 @@ public static class Credentials
             public const string Delete = "credentials.delete";
         }
 
+        public static class Authorization
+        {
+            public static class Roles
+            {
+                public const string Read = "authorization.roles.read";
+                public const string Assign = "authorization.roles.assign";
+                public const string Remove = "authorization.roles.remove";
+            }
+        }
+
     }
 }

src/CodeBeam.UltimateAuth.Server/Endpoints/UAuthEndpointRegistrar.cs

@@ -173,6 +173,9 @@ public void MapEndpoints(RouteGroupBuilder rootGroup, UAuthServerOptions options
                 authz.MapPost("/check", async ([FromServices] IAuthorizationEndpointHandler h, HttpContext ctx)
                     => await h.CheckAsync(ctx)).WithMetadata(new AuthFlowMetadata(AuthFlowType.AuthorizationManagement));
 
+                authz.MapGet("/users/{userKey}/roles", async ([FromServices] IAuthorizationEndpointHandler h, UserKey userKey, HttpContext ctx)
+                    => await h.GetRolesAsync(userKey, ctx)).WithMetadata(new AuthFlowMetadata(AuthFlowType.AuthorizationManagement));
+
                 authz.MapPost("/users/{userKey}/roles", async ([FromServices] IAuthorizationEndpointHandler h, UserKey userKey, HttpContext ctx)
                     => await h.AssignRoleAsync(userKey, ctx)).WithMetadata(new AuthFlowMetadata(AuthFlowType.AuthorizationManagement));
 

src/CodeBeam.UltimateAuth.Server/Extensions/UAuthServerServiceCollectionExtensions.cs

@@ -7,10 +7,12 @@
 using CodeBeam.UltimateAuth.Core.MultiTenancy;
 using CodeBeam.UltimateAuth.Core.Options;
 using CodeBeam.UltimateAuth.Credentials;
+using CodeBeam.UltimateAuth.Policies.Abstractions;
+using CodeBeam.UltimateAuth.Policies.Defaults;
+using CodeBeam.UltimateAuth.Policies.Registry;
 using CodeBeam.UltimateAuth.Server.Abstactions;
 using CodeBeam.UltimateAuth.Server.Abstractions;
 using CodeBeam.UltimateAuth.Server.Auth;
-using CodeBeam.UltimateAuth.Server.Auth.Context;
 using CodeBeam.UltimateAuth.Server.Cookies;
 using CodeBeam.UltimateAuth.Server.Endpoints;
 using CodeBeam.UltimateAuth.Server.Infrastructure;
@@ -23,7 +25,6 @@
 using CodeBeam.UltimateAuth.Server.Options;
 using CodeBeam.UltimateAuth.Server.Services;
 using CodeBeam.UltimateAuth.Server.Stores;
-using CodeBeam.UltimateAuth.Users;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
@@ -39,6 +40,7 @@ public static IServiceCollection AddUltimateAuthServer(this IServiceCollection s
             services.AddUltimateAuth();
             AddUsersInternal(services);
             AddCredentialsInternal(services);
+            AddUltimateAuthPolicies(services);
             return services.AddUltimateAuthServerInternal();
         }
 
@@ -47,6 +49,7 @@ public static IServiceCollection AddUltimateAuthServer(this IServiceCollection s
             services.AddUltimateAuth(configuration);
             AddUsersInternal(services);
             AddCredentialsInternal(services);
+            AddUltimateAuthPolicies(services);
             services.Configure<UAuthServerOptions>(configuration.GetSection("UltimateAuth:Server"));
 
             return services.AddUltimateAuthServerInternal();
@@ -57,6 +60,7 @@ public static IServiceCollection AddUltimateAuthServer(this IServiceCollection s
             services.AddUltimateAuth();
             AddUsersInternal(services);
             AddCredentialsInternal(services);
+            AddUltimateAuthPolicies(services);
             services.Configure(configure);
 
             return services.AddUltimateAuthServerInternal();
@@ -248,14 +252,40 @@ private static IServiceCollection AddUltimateAuthServerInternal(this IServiceCol
             //services.TryAddScoped<ITokenEndpointHandler, TokenEndpointHandler>();
             //services.TryAddScoped<IUserInfoEndpointHandler, UserInfoEndpointHandler>();
 
-            services.ConfigureHttpJsonOptions(o =>
+            return services;
+        }
+
+        internal static IServiceCollection AddUltimateAuthPolicies(this IServiceCollection services, Action<AccessPolicyRegistry>? configure = null)
+        {
+            if (services.Any(d => d.ServiceType == typeof(AccessPolicyRegistry)))
+                throw new InvalidOperationException("UltimateAuth policies already registered.");
+
+            var registry = new AccessPolicyRegistry();
+
+            DefaultPolicySet.Register(registry);
+            configure?.Invoke(registry);
+            services.AddSingleton(registry);
+            services.AddSingleton<IAccessPolicyProvider>(sp =>
+            {
+                var compiled = registry.Build();
+                return new DefaultAccessPolicyProvider(compiled, sp);
+            });
+
+            services.TryAddScoped<IAccessAuthority>(sp =>
             {
-                o.SerializerOptions.Converters.Add(new UserKeyJsonConverter());
+                var invariants = sp.GetServices<IAccessInvariant>();
+                var globalPolicies = sp.GetServices<IAccessPolicy>();
+
+                return new DefaultAccessAuthority(invariants, globalPolicies);
             });
 
+            services.TryAddScoped<IAccessOrchestrator, UAuthAccessOrchestrator>();
+
+
             return services;
         }
 
+
         // =========================
         // USERS (FRAMEWORK-REQUIRED)
         // =========================

src/CodeBeam.UltimateAuth.Server/Infrastructure/DefaultAccessPolicyProvider.cs

@@ -0,0 +1,21 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Policies.Abstractions;
+using CodeBeam.UltimateAuth.Policies.Defaults;
+
+namespace CodeBeam.UltimateAuth.Server.Infrastructure;
+
+internal sealed class DefaultAccessPolicyProvider : IAccessPolicyProvider
+{
+    private readonly CompiledAccessPolicySet _set;
+    private readonly IServiceProvider _services;
+
+    public DefaultAccessPolicyProvider(CompiledAccessPolicySet set, IServiceProvider services)
+    {
+        _set = set;
+        _services = services;
+    }
+
+    public IReadOnlyCollection<IAccessPolicy> GetPolicies(AccessContext context) => _set.Resolve(context, _services);
+
+}

src/CodeBeam.UltimateAuth.Server/Infrastructure/Orchestrator/IAccessCommand.cs

@@ -1,18 +1,13 @@
-using CodeBeam.UltimateAuth.Core.Abstractions;
-using CodeBeam.UltimateAuth.Core.Contracts;
-
-namespace CodeBeam.UltimateAuth.Server.Infrastructure
+namespace CodeBeam.UltimateAuth.Server.Infrastructure
 {
     public interface IAccessCommand
     {
-        IEnumerable<IAccessPolicy> GetPolicies(AccessContext context);
         Task ExecuteAsync(CancellationToken ct = default);
     }
 
     // For get commands
     public interface IAccessCommand<TResult>
     {
-        IEnumerable<IAccessPolicy> GetPolicies(AccessContext context);
         Task<TResult> ExecuteAsync(CancellationToken ct = default);
     }
 

src/CodeBeam.UltimateAuth.Server/Infrastructure/Orchestrator/UAuthAccessOrchestrator.cs

@@ -1,46 +1,42 @@
 using CodeBeam.UltimateAuth.Core.Abstractions;
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Errors;
+using CodeBeam.UltimateAuth.Policies.Abstractions;
 
 namespace CodeBeam.UltimateAuth.Server.Infrastructure
 {
     public sealed class UAuthAccessOrchestrator : IAccessOrchestrator
     {
         private readonly IAccessAuthority _authority;
-        private bool _executed;
+        private readonly IAccessPolicyProvider _policyProvider;
 
-        public UAuthAccessOrchestrator(IAccessAuthority authority)
+        public UAuthAccessOrchestrator(IAccessAuthority authority, IAccessPolicyProvider policyProvider)
         {
             _authority = authority;
+            _policyProvider = policyProvider;
         }
 
         public async Task ExecuteAsync(AccessContext context, IAccessCommand command, CancellationToken ct = default)
         {
-            if (_executed)
-                throw new InvalidOperationException("Access orchestrator can only be executed once.");
+            ct.ThrowIfCancellationRequested();
 
-            _executed = true;
-
-            var policies = command.GetPolicies(context) ?? Array.Empty<IAccessPolicy>();
+            var policies = _policyProvider.GetPolicies(context);
             var decision = _authority.Decide(context, policies);
 
             if (!decision.IsAllowed)
                 throw new UAuthAuthorizationException(decision.DenyReason);
 
             if (decision.RequiresReauthentication)
-                throw new InvalidOperationException("Requires reuthenticate.");
+                throw new InvalidOperationException("Requires reauthentication.");
 
             await command.ExecuteAsync(ct);
         }
 
         public async Task<TResult> ExecuteAsync<TResult>(AccessContext context, IAccessCommand<TResult> command, CancellationToken ct = default)
         {
-            if (_executed)
-                throw new InvalidOperationException("Access orchestrator can only be executed once.");
+            ct.ThrowIfCancellationRequested();
 
-            _executed = true;
-
-            var policies = command.GetPolicies(context) ?? Array.Empty<IAccessPolicy>();
+            var policies = _policyProvider.GetPolicies(context);
             var decision = _authority.Decide(context, policies);
 
             if (!decision.IsAllowed)
@@ -51,6 +47,5 @@ public async Task<TResult> ExecuteAsync<TResult>(AccessContext context, IAccessC
 
             return await command.ExecuteAsync(ct);
         }
-
     }
 }

src/authorization/CodeBeam.UltimateAuth.Authorization.Reference/Commands/AssignUserRoleCommand.cs

@@ -0,0 +1,22 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Server.Infrastructure;
+
+namespace CodeBeam.UltimateAuth.Authorization.Reference
+{
+    internal sealed class AssignUserRoleCommand : IAccessCommand
+    {
+        private readonly Func<CancellationToken, Task> _execute;
+        private readonly IEnumerable<IAccessPolicy> _policies;
+
+        public AssignUserRoleCommand(IEnumerable<IAccessPolicy> policies, Func<CancellationToken, Task> execute)
+        {
+            _policies = policies;
+            _execute = execute;
+        }
+
+        public IEnumerable<IAccessPolicy> GetPolicies(AccessContext context) => _policies;
+
+        public Task ExecuteAsync(CancellationToken ct = default) => _execute(ct);
+    }
+}

src/authorization/CodeBeam.UltimateAuth.Authorization.Reference/Commands/GetUserRolesCommand.cs

@@ -0,0 +1,22 @@
+using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Contracts;
+using CodeBeam.UltimateAuth.Server.Infrastructure;
+
+namespace CodeBeam.UltimateAuth.Authorization.Reference
+{
+    internal sealed class GetUserRolesCommand : IAccessCommand<IReadOnlyCollection<string>>
+    {
+        private readonly IEnumerable<IAccessPolicy> _policies;
+        private readonly Func<CancellationToken, Task<IReadOnlyCollection<string>>> _execute;
+
+        public GetUserRolesCommand(IEnumerable<IAccessPolicy> policies, Func<CancellationToken, Task<IReadOnlyCollection<string>>> execute)
+        {
+            _policies = policies;
+            _execute = execute;
+        }
+
+        public IEnumerable<IAccessPolicy> GetPolicies(AccessContext context) => _policies;
+
+        public Task<IReadOnlyCollection<string>> ExecuteAsync(CancellationToken ct = default) => _execute(ct);
+    }
+}