All geek questions in one place

IP-based authorization policy with attributes

I am trying to protect the REST API based on the client IP address.

Introduce the blogging application with these sample requests:

/post/list               // Everyone     should see the posts
/post/create             // Only Authors should create a post
/post/update/42          // Only Authors should update a post
/post/delete/42          // Only Admins  should delete a post
/comment/42/list         // Everyone     should see a post comments
/comment/42/create       // Everyone     should create a comment
/comment/42/delete/1337  // Only Admins  should delete a comment

IP whitelists defined in appsettings.json :

"IpSecurity": {
  "Author": "123.456.789.43,123.456.789.44",
  "Admin": "123.456.789.42"
}

Here are examples of actions with the corresponding attributes RequireRolethat I would like to implement:

[HttpGet("post/list")]
public List<Post> List()
// ...

[RequireRole("Author")]
[HttpGet("post/create")]
public StandardResponse Create([FromBody]Post post)
// ...

[RequireRole("Admin")]
[HttpGet("post/delete/{id}")]
public StandardResponse Delete(int id)
// ...

Specific Injection from Launch

var IpSecurity = Configuration.GetSection("IpSecurity");
services.Configure<IpSecurityConfig>(IpSecurity);

Does this sound like a good idea?

Do I have to implement a custom authorization policy, middleware and / or filter for this?

How to implement an attribute RequireRole?

, IP, , t .

+4
3

, , .

, , , "" . "MachineRole" ? ( [Authorize(Roles="..."])

AspNetCore , MVC4, - Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
    //after services.AddMvc() :

    services.AddAuthorization(o => { o.AddPolicy(MachineRole.AuthorMachine, p => p.RequireClaim(nameof(MachineRole), MachineRole.AuthorMachine));  });
    services.AddAuthorization(o => { o.AddPolicy(MachineRole.AdminMachine,  p => p.RequireClaim(nameof(MachineRole), MachineRole.AdminMachine)); });
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    // ...

    app.UseClaimsTransformation( AddMachineRoleClaims );

    // app.UseMvc( ... );
    // ...etc...
}

public Task<ClaimsPrincipal> AddMachineRoleClaims(ClaimsTransformationContext ctx)
{
    var connectionRemoteIpAddress = ctx.Context.Connection.RemoteIpAddress.MapToIPv4();
    if (Configuration.GetSection("IpSecurity")["Author"].Contains(connectionRemoteIpAddress.ToString()))
    {
        ctx.Principal.AddIdentity(new ClaimsIdentity(new[] { new Claim(nameof(MachineRole), MachineRole.AuthorMachine) }));
    }
    if (Configuration.GetSection("IpSecurity")["Admin"].Contains(connectionRemoteIpAddress.ToString()))
    {
        ctx.Principal.AddIdentity(new ClaimsIdentity(new[] { new Claim( nameof(MachineRole), MachineRole.AdminMachine) }));
    }

    return Task.FromResult(ctx.Principal);
}

public static class MachineRole
{
    public const string AuthorMachine = "AuthorMachine";
    public const string AdminMachine = "AdminMachine";
}


[Authorize(Policy = MachineRole.AdminMachine)]
+4

, , , , MVC4, https://github.com/chrisfcarroll/RequireClaimAttributeAspNetCore, :

    [RequireClaim("ClaimType",Value = "RequiredValue")]
    public IActionResult Action(){}
+1

, IP-, , , ...

I would suggest creating middleware that assigns claims, or at least identifies (so the user authenticates). Then use either the applications (which you assigned to the identifier in the middleware) or the authorization policies ( https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies ). You can then reject each request based on the IP addresses associated with the policy:

[Authorize(Policy="AuthorIp")]
[HttpGet("post/create")]
public StandardResponse Create([FromBody]Post post)
0
source

Source: https://habr.com/ru/post/1683819/

More articles:


All Articles