ASP.NET 5 针对两个或多个策略进行授权（OR 组合策略）

不是你想要的方式；政策的设计是累积性的。例如，如果您使用两个单独的属性，那么它们必须都通过。

您必须评估单个策略中的 OR 条件。 但是您不必在单个处理程序中将其编码为 OR。您的需求可能有多个处理程序。如果任一处理程序标记成功，则满足要求。请参阅我的授权研讨会中的步骤 6。

设置新策略“LimitedOrFull”（假设它们与声明类型名称匹配）后，创建如下要求：

options.AddPolicy("LimitedOrFull", policy =>
    policy.RequireAssertion(context =>
        context.User.HasClaim(c =>
            (c.Type == "Limited" ||
             c.Type == "Full"))));

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1#using-a-func-to-fulfill-a-policy

Net Core 可以选择拥有多个具有相同 AuthorizationRequirement 类型的 AuthorizationHandler。其中只有其中之一必须成功通过授权 https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1#why-would-i-want-multiple-handlers-for-a-requirement

使用动态创建的按需需求的解决方案最适合我：

1. 创建单独的“有限”和“完整”策略要求的接口：

    public interface ILimitedRequirement : IAuthorizationRequirement { }
    public interface IFullRequirement : IAuthorizationRequirement { }

2. 创建授权自定义属性：

    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
    public class AuthorizeAnyAttribute : AuthorizeAttribute {

        public string[] Policies { get; }

        public AuthorizeAnyAttribute(params string[] policies) : base(String.Join("Or", policies))
            => Policies = policies;
    }

3. 为

   ILimitedRequirement

   和

   IFullRequirement

   创建授权处理程序（请注意，这些处理程序处理接口，而不是类）：

    public class LimitedRequirementHandler : AuthorizationHandler<ILimitedRequirement> {

        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ILimitedRequirement requirement) {
            if(limited){
                context.Succeed(requirement);
            }
        }
    }

    public class FullRequirementHandler : AuthorizationHandler<IFullRequirement> {

        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, IFullRequirement requirement) {
            if(full){
                context.Succeed(requirement);
            }
        }
    }

4. 如果您的授权处理程序很繁重（例如，其中一个访问数据库），并且您不希望其中一个处理程序在另一个处理程序已成功或失败时进行授权检查，则可以使用下一个解决方法（请记住处理程序的顺序）注册直接决定了它们在请求管道中的执行顺序）：

    public static class AuthorizationExtensions {

        public static bool IsAlreadyDetermined<TRequirement>(this AuthorizationHandlerContext context)
            where TRequirement : IAuthorizationRequirement
            => context.HasFailed || context.HasSucceeded
                || !context.PendingRequirements.Any(x => x is TRequirement);

    }


    public class LimitedRequirementHandler : AuthorizationHandler<ILimitedRequirement> {

        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ILimitedRequirement requirement) {
            if(context.IsAlreadyDetermined<ILimitedRequirement>())
                return;

            if(limited){
                context.Succeed(requirement);
            }
        }
    }

    public class FullRequirementHandler : AuthorizationHandler<IFullRequirement> {

        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, IFullRequirement requirement) {
            if(context.IsAlreadyDetermined<IFullRequirement>())
                return;

            if(full){
                context.Succeed(requirement);
            }
        }
    }

5. 注册授权处理程序（请注意，没有“LimiterOrFullRequirementHandler”，这两个处理程序将处理组合策略要求）：

    //Order of handlers is important - it determines their execution order in request pipeline
    services.AddScoped<IAuthorizationHandler, LimitedRequirementHandler>();
    services.AddScoped<IAuthorizationHandler, FullRequirementHandler>();

6. 现在我们需要检索所有

   AuthorizeAny

   属性并使用 ImpromptuInterface（或用于动态创建类型实例的任何其他工具）动态创建它们的需求：

    using ImpromptuInterface;

    List<AuthorizeAnyAttribute> attributes  = new List<AuthorizeAnyAttribute>();

    foreach(Type type in Assembly.GetExecutingAssembly().GetTypes().Where(type => type.IsAssignableTo(typeof(ControllerBase)))) {
        attributes.AddRange(Attribute.GetCustomAttributes(type , typeof(AuthorizeAnyAttribute))
            .Cast<AuthorizeAnyAttribute>()
            .Where(x => x.Policy != null));
        foreach(var methodInfo in type.GetMethods()) {
            attributes.AddRange(Attribute.GetCustomAttributes(methodInfo , typeof(AuthorizeAnyAttribute))
            .Cast<AuthorizeAnyAttribute>()
            .Where(x => x.Policy != null));
        }
    }
    
    //Add base requirement interface from which all requirements will be created on demand
    Dictionary<string, Type> baseRequirementTypes = new();
    baseRequirementTypes.Add("Limited", typeof(ILimitedRequirement));
    baseRequirementTypes.Add("Full", typeof(IFullRequirement));
    
    Dictionary<string, IAuthorizationRequirement> requirements = new();
    
    foreach(var attribute in attributes) {
        if(!requirements.ContainsKey(attribute.Policy)) {
            Type[] requirementTypes = new Type[attribute.Policies.Length];
            for(int i = 0; i < attribute.Policies.Length; i++) {
                if(!baseRequirementTypes.TryGetValue(attribute.Policies[i], out Type requirementType))
                    throw new ArgumentException($"Requirement for {attribute.Policies[i]} policy doesn't exist");
                requirementTypes[i] = requirementType;
            }
            //Creating instance of combined requirement dynamically
            IAuthorizationRequirement newRequirement = new { }.ActLike(requirementTypes);
            requirements.Add(attribute.Policy, newRequirement);
        }
    }

7. 注册所有创建的需求

    services.AddAuthorization(options => {
        foreach(KeyValuePair<string, IAuthorizationRequirement> item in requirements) {
             options.AddPolicy(item.Key, x => x.AddRequirements(item.Value));
        }
    }

如果默认

AuthorizeAttribute

AuthorizeAnyAttribute

如果上述解决方案太过分了，则始终可以使用手动组合类型创建和注册：

1. 创建组合的“有限或全部”保单要求：

    public class LimitedOrFullRequirement : ILimitedRequirement, IFullRequirement { }

2. 如果这两个需求还必须单独使用（除了使用组合的“有限或完整”策略之外），请为单个需求创建接口实现：

    public class LimitedRequirement : ILimitedRequirement { }
    public class FullRequirement : IFullRequirement { }

3. 注册策略（请注意，注释掉的策略是完全可选注册）：

    services.AddAuthorization(options => {
                options.AddPolicy("Limited Or Full",
                    policy => policy.AddRequirements(new LimitedOrFullRequirement()));
                //If these policies also have single use, they need to be registered as well
                //options.AddPolicy("Limited",
                //  policy => policy.AddRequirements(new LimitedRequirement()));
                //options.AddPolicy("Full",
                //  policy => policy.AddRequirements(new FullRequirement()));
            });

我使用策略和角色：

[Authorize(Policy = "ManagerRights", Roles = "Administrator")]

这是使用自定义授权属性的解决方案，IMO，这是迄今为止最干净的方法。

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class MultiPolicyAuthorizeAttribute : Attribute, IAsyncAuthorizationFilter
{
    private readonly string[] _policies;

    public AmfAuthorizeAttribute(params string[] policies)
    {
        _policies = policies;
    }

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var authService = context.HttpContext.RequestServices.GetService<IAuthorizationService>();

        if (authService == null)
        {
            context.Result = new ForbidResult();
            return;
        }

        bool isAuthorized = false;
        foreach (var policy in _policies)
        {
            var authorized = await authService.AuthorizeAsync(context.HttpContext.User, policy);
            if (authorized.Succeeded)
            {
                isAuthorized = true;
                break;
            }
        }

        if (!isAuthorized)
        {
            context.Result = new ForbidResult();
        }
    }
}

请注意，扩展此属性以基于指定的策略或角色执行任意逻辑并不难。