Fix Orleans authorization policy handling

Author: KSemenenko

.github/workflows/ci.yml

@@ -33,7 +33,7 @@ jobs:
       run: dotnet build ManagedCode.Orleans.Identity.sln --configuration Release --no-restore -p:RunAnalyzers=true
 
     - name: Test
-      run: dotnet test ManagedCode.Orleans.Identity.sln --configuration Release --no-build --verbosity normal -p:CollectCoverage=true -p:CoverletOutput=coverage/ -p:CoverletOutputFormat=opencover
+      run: dotnet test ManagedCode.Orleans.Identity.sln --configuration Release --no-build --verbosity normal -p:CollectCoverage=true -p:CoverletOutput=coverage/ -p:CoverletOutputFormat=opencover -p:Threshold=85 -p:ThresholdType=line -p:ThresholdStat=total
 
     - name: Upload coverage reports to Codecov
       uses: codecov/codecov-action@v5

.github/workflows/release.yml

@@ -39,7 +39,7 @@ jobs:
       run: dotnet build ManagedCode.Orleans.Identity.sln --configuration Release --no-restore
 
     - name: Test
-      run: dotnet test ManagedCode.Orleans.Identity.sln --configuration Release --no-build --verbosity normal
+      run: dotnet test ManagedCode.Orleans.Identity.sln --configuration Release --no-build --verbosity normal -p:CollectCoverage=true -p:CoverletOutput=coverage/ -p:CoverletOutputFormat=opencover -p:Threshold=85 -p:ThresholdType=line -p:ThresholdStat=total
 
     - name: Pack NuGet packages
       run: dotnet pack ManagedCode.Orleans.Identity.sln -p:IncludeSymbols=false -p:SymbolPackageFormat=snupkg --configuration Release --no-build --output ./artifacts

ManagedCode.Orleans.Identity.Server/Extensions/SiloBuilderExtensions.cs

@@ -1,9 +1,7 @@
 using ManagedCode.Orleans.Identity.Server.GrainCallFilter;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.Logging;
-using Orleans;
 using Orleans.Hosting;
-using Orleans.Runtime;
 
 namespace ManagedCode.Orleans.Identity.Server.Extensions;
 
@@ -16,7 +14,20 @@ public static class SiloBuilderExtensions
     /// <returns></returns>
     public static ISiloBuilder AddOrleansIdentity(this ISiloBuilder siloBuilder)
     {
+        ArgumentNullException.ThrowIfNull(siloBuilder);
+
+        siloBuilder.Services.AddAuthorizationCore();
+        siloBuilder.AddIncomingGrainCallFilter<GrainAuthorizationIncomingFilter>();
+        return siloBuilder;
+    }
+
+    public static ISiloBuilder AddOrleansIdentity(this ISiloBuilder siloBuilder, Action<AuthorizationOptions> configureOptions)
+    {
+        ArgumentNullException.ThrowIfNull(siloBuilder);
+        ArgumentNullException.ThrowIfNull(configureOptions);
+
+        siloBuilder.Services.AddAuthorizationCore(configureOptions);
         siloBuilder.AddIncomingGrainCallFilter<GrainAuthorizationIncomingFilter>();
         return siloBuilder;
     }
-}
+}

ManagedCode.Orleans.Identity.Server/GrainCallFilter/GrainAuthorizationIncomingFilter.cs

@@ -10,16 +10,19 @@
 
 namespace ManagedCode.Orleans.Identity.Server.GrainCallFilter;
 
-public class GrainAuthorizationIncomingFilter : IIncomingGrainCallFilter
+public class GrainAuthorizationIncomingFilter(
+    IAuthorizationService authorizationService,
+    IAuthorizationPolicyProvider policyProvider) : IIncomingGrainCallFilter
 {
     private const int EmptyAttributeCount = 0;
-    private const char RoleSeparator = ',';
     private const string AccessDeniedNotAuthenticated = "Access denied. User is not authenticated.";
-    private const string AccessDeniedMissingRoles = "Access denied. User does not have required roles.";
+    private const string AccessDeniedNotAuthorized = "Access denied. User is not authorized.";
+    private const string UnsupportedAuthenticationSchemes =
+        "AuthorizeAttribute.AuthenticationSchemes is not supported by Orleans grain authorization.";
 
     public async Task Invoke(IIncomingGrainCallContext context)
     {
-        if (IsGrainAuthorized(context, out var attributes))
+        if (IsGrainAuthorized(context, out var authorizeData))
         {
             var user = GetUserFromRequestContext();
 
@@ -28,10 +31,8 @@ public async Task Invoke(IIncomingGrainCallContext context)
                 throw new UnauthorizedAccessException(AccessDeniedNotAuthenticated);
             }
 
-            if (!HasRequiredRoles(attributes, user))
-            {
-                throw new UnauthorizedAccessException(AccessDeniedMissingRoles);
-            }
+            ThrowIfUnsupportedAuthenticationSchemes(authorizeData);
+            await AuthorizeAsync(context, user, authorizeData);
         }
 
         await context.Invoke();
@@ -43,18 +44,18 @@ public async Task Invoke(IIncomingGrainCallContext context)
         return requestContext as ClaimsPrincipal;
     }
 
-    private static bool IsGrainAuthorized(IIncomingGrainCallContext context, out List<AuthorizeAttribute> attributes)
+    private static bool IsGrainAuthorized(IIncomingGrainCallContext context, out List<AuthorizeAttribute> authorizeData)
     {
-        attributes = [];
+        authorizeData = [];
         var members = GetAuthorizationMembers(context);
 
         if (members.Any(HasAllowAnonymousAttribute))
         {
             return false;
         }
 
-        attributes.AddRange(members.SelectMany(GetAuthorizeAttributes));
-        return attributes.Count != EmptyAttributeCount;
+        authorizeData.AddRange(members.SelectMany(GetAuthorizeAttributes));
+        return authorizeData.Count != EmptyAttributeCount;
     }
 
     private static IReadOnlyList<MemberInfo> GetAuthorizationMembers(IIncomingGrainCallContext context)
@@ -89,25 +90,30 @@ private static IEnumerable<AuthorizeAttribute> GetAuthorizeAttributes(MemberInfo
             .Cast<AuthorizeAttribute>();
     }
 
-    private static bool HasRequiredRoles(IEnumerable<AuthorizeAttribute> attributes, ClaimsPrincipal user)
+    private static void ThrowIfUnsupportedAuthenticationSchemes(IEnumerable<AuthorizeAttribute> authorizeData)
     {
-        return attributes
-            .Where(attribute => !string.IsNullOrWhiteSpace(attribute.Roles))
-            .All(attribute => HasAnyRequiredRole(attribute, user));
+        if (authorizeData.Any(attribute => !string.IsNullOrWhiteSpace(attribute.AuthenticationSchemes)))
+        {
+            throw new InvalidOperationException(UnsupportedAuthenticationSchemes);
+        }
     }
 
-    private static bool HasAnyRequiredRole(AuthorizeAttribute attribute, ClaimsPrincipal user)
+    private async Task AuthorizeAsync(
+        IIncomingGrainCallContext context,
+        ClaimsPrincipal user,
+        IEnumerable<IAuthorizeData> authorizeData)
     {
-        if (string.IsNullOrWhiteSpace(attribute.Roles))
+        var authorizationPolicy = await AuthorizationPolicy.CombineAsync(policyProvider, authorizeData);
+        if (authorizationPolicy is null)
         {
-            return true;
+            return;
         }
 
-        var roles = attribute.Roles.Split(
-            RoleSeparator,
-            StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries
-        );
+        var authorizationResult = await authorizationService.AuthorizeAsync(user, context, authorizationPolicy);
 
-        return roles.Any(user.IsInRole);
+        if (!authorizationResult.Succeeded)
+        {
+            throw new UnauthorizedAccessException(AccessDeniedNotAuthorized);
+        }
     }
 }

ManagedCode.Orleans.Identity.Tests/AuthenticationIntegrationTests.cs

@@ -18,6 +18,11 @@ namespace ManagedCode.Orleans.Identity.Tests;
 [Collection(nameof(TestClusterApplication))]
 public class AuthenticationIntegrationTests
 {
+    private const int SignalRMessageTimeoutSeconds = 5;
+    private const string ReceiveMessageMethod = "ReceiveMessage";
+    private const string SendAuthorizedMessageMethod = "SendAuthorizedMessage";
+    private const string SignalRMessageText = "test message";
+
     private readonly ITestOutputHelper _outputHelper;
     private readonly TestClusterApplication _testApp;
     private readonly IJwtService _jwtService;
@@ -72,26 +77,21 @@ public async Task JWT_Authentication_FullFlow_Test()
             })
             .Build();
 
-        var messageReceived = false;
-        var receivedMessage = string.Empty;
-        
-        hubConnection.On<string>("ReceiveMessage", message =>
+        var messageCompletion = new TaskCompletionSource<string>(TaskCreationOptions.RunContinuationsAsynchronously);
+
+        hubConnection.On<string>(ReceiveMessageMethod, message =>
         {
-            receivedMessage = message;
-            messageReceived = true;
+            messageCompletion.TrySetResult(message);
             _outputHelper.WriteLine($"SignalR received: {message}");
         });
 
         await hubConnection.StartAsync();
         _outputHelper.WriteLine("SignalR connected with JWT");
 
         // Send message that triggers grain call
-        await hubConnection.InvokeAsync("SendAuthorizedMessage", "test message");
-        
-        // Wait for response
-        await Task.Delay(500);
-        
-        messageReceived.ShouldBeTrue();
+        await hubConnection.InvokeAsync(SendAuthorizedMessageMethod, SignalRMessageText);
+
+        var receivedMessage = await messageCompletion.Task.WaitAsync(TimeSpan.FromSeconds(SignalRMessageTimeoutSeconds));
         receivedMessage.ShouldContain("admin");
         receivedMessage.ShouldContain("authorized message");
 

ManagedCode.Orleans.Identity.Tests/Cluster/Grains/IUserGrain.cs

@@ -14,4 +14,10 @@ public interface IUserGrain : IGrainWithStringKey
 
     [Authorize(Roles = TestRoles.ADMIN)]
     Task<string> GetInterfaceAdminInfo();
+
+    [Authorize(Policy = TestAuthorizationPolicies.RequireAdminDepartment)]
+    Task<string> GetPolicyInfo();
+
+    [Authorize(AuthenticationSchemes = TestAuthorizationPolicies.UnsupportedAuthenticationScheme)]
+    Task<string> GetAuthenticationSchemeInfo();
 }

ManagedCode.Orleans.Identity.Tests/Cluster/Grains/UserGrain.cs

@@ -1,4 +1,3 @@
-using System.Linq;
 using ManagedCode.Orleans.Identity.Core.Extensions;
 using ManagedCode.Orleans.Identity.Tests.Constants;
 using Microsoft.AspNetCore.Authorization;
@@ -9,33 +8,14 @@ namespace ManagedCode.Orleans.Identity.Tests.Cluster.Grains;
 [Authorize]
 public class UserGrain : Grain, IUserGrain
 {
+    private const string AuthenticationSchemeInfo = "Authentication scheme info";
     private const string InterfaceAdminInfoPrefix = "Interface admin info for ";
+    private const string PolicyInfoPrefix = "Policy info for ";
     private const string UnknownUserName = "Unknown";
 
-    // Manual authorization check until grain filters work in Orleans 9
-    private void CheckAuthorization(params string[] requiredRoles)
-    {
-        var user = this.GetCurrentUser();
-        
-        if (user == null || user.Identity?.IsAuthenticated != true)
-        {
-            throw new UnauthorizedAccessException("Access denied. User is not authenticated.");
-        }
-        
-        if (requiredRoles.Length > 0)
-        {
-            var userRoles = user.FindAll(System.Security.Claims.ClaimTypes.Role).Select(c => c.Value).ToHashSet();
-            if (!requiredRoles.Any(role => userRoles.Contains(role)))
-            {
-                throw new UnauthorizedAccessException("Access denied. User does not have required roles.");
-            }
-        }
-    }
-    
     [Authorize]
     public Task<string> GetUser()
     {
-        CheckAuthorization(); // Manual check
         var user = this.GetCurrentUser();
         var username = user.FindFirst(System.Security.Claims.ClaimTypes.Name)?.Value ?? UnknownUserName;
         return Task.FromResult($"Hello, {username}!");
@@ -44,7 +24,6 @@ public Task<string> GetUser()
     [Authorize(Roles = TestRoles.ADMIN)]
     public Task<string> BanUser()
     {
-        CheckAuthorization(TestRoles.ADMIN); // Manual check for admin role
         var user = this.GetCurrentUser();
         var username = user.FindFirst(System.Security.Claims.ClaimTypes.Name)?.Value ?? UnknownUserName;
         return Task.FromResult($"User {username} is banned");
@@ -53,7 +32,6 @@ public Task<string> BanUser()
     [Authorize(Roles = TestRoles.ADMIN)]
     public Task<string> GetAdminInfo()
     {
-        CheckAuthorization(TestRoles.ADMIN); // Manual check for admin role
         var user = this.GetCurrentUser();
         var username = user.FindFirst(System.Security.Claims.ClaimTypes.Name)?.Value ?? UnknownUserName;
         return Task.FromResult($"Admin info for {username}: You have admin privileges");
@@ -62,22 +40,19 @@ public Task<string> GetAdminInfo()
     [AllowAnonymous]
     public Task<string> GetPublicInfo()
     {
-        // No authorization check for anonymous methods
         return Task.FromResult("This is public information - no authorization required");
     }
 
     [Authorize(Roles = TestRoles.MODERATOR)]
     public Task<string> ModifyUser()
     {
-        CheckAuthorization(TestRoles.MODERATOR); // Manual check for moderator role
         var user = this.GetCurrentUser();
         var username = user.FindFirst(System.Security.Claims.ClaimTypes.Name)?.Value ?? UnknownUserName;
         return Task.FromResult($"User {username} has been modified");
     }
 
     public Task<string> AddToList()
     {
-        CheckAuthorization(); // Manual check - requires authentication (class has [Authorize])
         var user = this.GetCurrentUser();
         var username = user.FindFirst(System.Security.Claims.ClaimTypes.Name)?.Value ?? UnknownUserName;
         return Task.FromResult($"User {username} added to list");
@@ -89,4 +64,16 @@ public Task<string> GetInterfaceAdminInfo()
         var username = user.FindFirst(System.Security.Claims.ClaimTypes.Name)?.Value ?? UnknownUserName;
         return Task.FromResult($"{InterfaceAdminInfoPrefix}{username}");
     }
+
+    public Task<string> GetPolicyInfo()
+    {
+        var user = this.GetCurrentUser();
+        var username = user.FindFirst(System.Security.Claims.ClaimTypes.Name)?.Value ?? UnknownUserName;
+        return Task.FromResult($"{PolicyInfoPrefix}{username}");
+    }
+
+    public Task<string> GetAuthenticationSchemeInfo()
+    {
+        return Task.FromResult(AuthenticationSchemeInfo);
+    }
 }

ManagedCode.Orleans.Identity.Tests/Cluster/TestSiloConfigurations.cs

@@ -1,4 +1,5 @@
 using ManagedCode.Orleans.Identity.Server.Extensions;
+using ManagedCode.Orleans.Identity.Tests.Constants;
 using Orleans.TestingHost;
 
 namespace ManagedCode.Orleans.Identity.Tests.Cluster;
@@ -7,10 +8,21 @@ public class TestSiloConfigurations : ISiloConfigurator
 {
     public void Configure(ISiloBuilder siloBuilder)
     {
-        // Add Orleans Identity server-side components
-        siloBuilder.AddOrleansIdentity();
+        siloBuilder.AddOrleansIdentity(options =>
+        {
+            options.AddPolicy(
+                TestAuthorizationPolicies.RequireAdminDepartment,
+                policy =>
+                {
+                    policy.RequireClaim(
+                        TestAuthorizationPolicies.DepartmentClaimType,
+                        TestAuthorizationPolicies.AdminDepartment
+                    );
+                }
+            );
+        });
 
         // For test purpose - in-memory reminder service
         siloBuilder.UseInMemoryReminderService();
     }
-}
+}

ManagedCode.Orleans.Identity.Tests/Constants/TestAuthorizationPolicies.cs

@@ -0,0 +1,9 @@
+namespace ManagedCode.Orleans.Identity.Tests.Constants;
+
+public static class TestAuthorizationPolicies
+{
+    public const string AdminDepartment = "administration";
+    public const string DepartmentClaimType = "department";
+    public const string RequireAdminDepartment = "RequireAdminDepartment";
+    public const string UnsupportedAuthenticationScheme = "UnsupportedScheme";
+}