我有一个项目,我使用IdentityServer4和PolicyServer.Local。 IdentityServer4已经有一个实现,用于将必要的数据存储在数据库中,但PolicyServer不会。
所以我试图自己实现它,并且成功,但从某种意义上说,我认为我已经取代了大部分的PolicyServers代码。
例如,我已经替换了所有的PolicyServers实体类(策略,权限,角色)并添加了我自己的类,因此我可以解析列表属性,因为实体框架基本上不能映射List。
我还添加了自己的PolicyServerRuntimeClient,因为我需要将Evaluate-Methods调整为新的Entity类。
我的第一个Startup.cs:
services.AddDbContext<AuthorizeDbContext>(builder =>
builder.UseSqlite(csAuthorizeContext, sqlOptions =>
sqlOptions.MigrationsAssembly(migrationsAssembly)));
services.AddScoped<IAuthorizeService, AuthorizeService>()
.AddTransient<IPolicyServerRuntimeClient, CustomPolicyServerRuntimeClient>()
.AddScoped(provider => provider.GetRequiredService<IOptionsSnapshot<Policy>>().Value);
new PolicyServerBuilder(services).AddAuthorizationPermissionPolicies();
(AuthorizeService用于从数据库中获取值)
例如,这是我的Permission-,Roles-以及解决m-n关系的PermissionRoles类。
public class Permission
{
[Key]
public string Id { get; set; }
[Required]
public string Name { get; set; }
[Required]
[ForeignKey("Policy")]
public string PolicyId { get; set; }
public IList<PermissionRole> PermissionRoles { get; set; }
}
public class PermissionRole
{
[Key]
public string Id { get; set; }
[Required]
public string PermissionId { get; set; }
public Permission Permission { get; set; }
[Required]
public string RoleId { get; set; }
public Role Role { get; set; }
}
public class Role
{
[Key]
public string Id { get; set; }
[Required]
public string Name { get; set; }
public IList<PermissionRole> PermissionRoles { get; set; }
}
这将是我在CustomPolicy ServerRuntime客户端中的Evaluate-Methods:
public async Task<PolicyResult> EvaluateAsync(ClaimsPrincipal user)
{
if (user == null)
throw new ArgumentNullException(nameof(user));
var sub = user.FindFirst("sub")?.Value;
if (String.IsNullOrWhiteSpace(sub))
return null;
var roles = _auth.Roles
.ToList()
.Where(x => EvaluateRole(x, user))
.Select(x => x.Name)
.ToArray();
var permissions = _auth.Permissions
.ToList()
.Where(x => EvaluatePermission(x, roles))
.Select(x => x.Name)
.ToArray();
var result = new PolicyResult()
{
Roles = roles.Distinct(),
Permissions = permissions.Distinct()
};
return await Task.FromResult(result);
}
internal bool EvaluateRole(Role role, ClaimsPrincipal user)
{
if (user == null)
throw new ArgumentNullException(nameof(user));
var subClaim = user.FindFirst("sub")?.Value;
var subjectsOfDbRole = _auth.UserDetails
.ToList()
.Where(x => x.RoleId.Equals(role.Id))
.Select(x => x.Subject)
.ToList();
return subjectsOfDbRole.Contains(subClaim);
}
public bool EvaluatePermission(Permission permission, IEnumerable<string> roles)
{
if (roles == null)
throw new ArgumentNullException(nameof(roles));
var permissionRoles = _auth.PermissionRoles
.ToList()
.Where(y => y.PermissionId.Equals(permission.Id))
.ToList();
if (permissionRoles.Any(x => roles.Contains(x.Role.Name)))
return true;
return false;
}
这些是我为使其发挥作用所做的主要改变。
在我弄清楚如何正确地做这件事之前,我不想在后端做很多工作。
预期的结果是我可能只需要更换
services.Configure<Policy>(configuration);
但最终我确实取代了比预期更多的方式。
您不必在PolicyServer中更改任何内容,只需添加一个返回所需设置的新配置提供程序。 PolicyServer从.NET Core的配置基础结构中读取其配置。它与appsettings.json无关。
.NET Core can read configuration来自任何来源,通过providers。那些提供者没有做任何复杂的事情,他们“只是”阅读他们的实际来源,并在表单中产生键/值字符串对:
"array:entries:0"= "value0"
"array:entries:1"= "value1"
"array:entries:2"= "value2"
"array:entries:4"= "value4"
"array:entries:5"= "value5"
appsettings.json没有特殊含义,它只是一个JSON文件,.NET Core的JSON configuration provider从中读取键/值设置。该文件可以任意命名。可以从字典,数据库,远程配置服务等加载相同的数据。
这本字典例如:
public static Dictionary<string, string> arrayDict = new Dictionary<string, string>
{
{"array:entries:0", "value0"},
{"array:entries:1", "value1"},
{"array:entries:2", "value2"},
{"array:entries:4", "value4"},
{"array:entries:5", "value5"}
};
提供与此JSON文件相同的配置数据:
{
"array" : {
"entries" : [
"value1",
"value2",
"value3",
"value4",
"value5"
]
}
}
使用字典
您可以使用Memory configuration provider从字典加载PolicyServer的设置。在您的配置部分中,:
public static readonly Dictionary<string, string> _dict =
new Dictionary<string, string>
{
{"Policy:roles:0:name", "doctor"},
{"Policy:roles:0:subjects:0", "1"},
{"Policy:roles:0:subjects:1", "2"},
{"Policy:roles:1:name", "patient"},
{"Policy:roles:1:identityRoles:0", "customer"},
};
public static void Main(string[] args)
{
CreateWebHostBuilder(args).Build().Run();
}
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.ConfigureAppConfiguration((hostingContext, config) =>
{
config.AddInMemoryCollection(_dict);
})
.UseStartup<Startup>();
当您在服务注册码中调用AddPolicyServerClient(Configuration.GetSection("Policy"))时,设置将来自该词典。
使用原始表
您可以创建自己的配置提供程序,如Custom Configuration Provider中所示,它从ID/Value表中检索设置。您必须将完整密钥存储在ID字段中,这可能有点烦人,例如:
CREATE TABLE MyPolicySettings (ID varchar(200) PRIMARY KEY,value varchar(200))
INSERT INTO TABLE MyPolicySettings (ID,Value)
VALUES
("Policy:roles:0:name", "doctor"},
("Policy:roles:0:subjects:0", "1"),
("Policy:roles:0:subjects:1", "2"),
("Policy:roles:1:name", "patient"),
("Policy:roles:1:identityRoles:0", "customer");
使用EF
另一种选择是将您的设置存储在适当的表格中,例如Roles,Subjects,IdentityRoles,并使用ORM加载整个结构。一旦你拥有它,你将不得不重现密钥结构,例如通过迭代迭代器中的对象:
public IEnumerable<KeyValuePair<string,string>> FlattenRoles(IEnumerable<MyRole> roles)
{
int iRole=0;
foreach(var role in roles)
{
var rolePart=$"Policy:roles:{i}";
var namePair=new KeyValuePair($"{rolePart}:name",role.Name);
yield return namePair;
int iSubject=0;
foreach(var subjectPair in FlattenSubjects(role.Subject))
{
yield return subjectPair
}
//Same for identity roles etc
iRole++;
}
}
public IEnumerable<KeyValuePair<string,string>> FlattenSubjects(IEnumerable<MySubject> subjects,string rolePart)
{
var pairs=subjects.Select((subject,idx)=>
new KeyValuePair($"{rolePart}:subjects:{idx}",subject.Value);
return pairs;
}
您的自定义配置提供程序可以使用它来从数据库加载强类型类,展平它们并将它们转换为字典,例如:
public class MyPolicyConfigurationProvider: ConfigurationProvider
{
public MyPolicyConfigurationProvider(Action<DbContextOptionsBuilder> optionsAction)
{
OptionsAction = optionsAction;
}
Action<DbContextOptionsBuilder> OptionsAction { get; }
// Load config data from EF DB.
public override void Load()
{
var builder = new DbContextOptionsBuilder<MyPoliciesContext>();
OptionsAction(builder);
using (var dbContext = new MyPoliciesContext(builder.Options))
{
var keys=FlattenRoles(dbContext.Roles);
Data=new Dictionary<string,string>(keys);
}
}
}