Fix Orleans identity authorization review findings

Author: KSemenenko

ManagedCode.Orleans.Identity.Client/Filters/OrleansAuthorizationActionFilter.cs

@@ -1,15 +1,13 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc.Filters;
-using Orleans.Runtime;
-using ManagedCode.Orleans.Identity.Core.Constants;
 
 namespace ManagedCode.Orleans.Identity.Client.Filters;
 
 public sealed class OrleansAuthorizationActionFilter : IAsyncActionFilter
 {
-    public Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
+    public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
     {
-        RequestContext.Set(OrleansIdentityConstants.USER_CLAIMS, context.HttpContext.User);
-        return next();
+        using var requestContextScope = new OrleansRequestContextScope(context.HttpContext.User);
+        await next();
     }
-}
+}

ManagedCode.Orleans.Identity.Client/Filters/OrleansRequestContextScope.cs

@@ -0,0 +1,42 @@
+using System;
+using System.Security.Claims;
+using ManagedCode.Orleans.Identity.Core.Constants;
+using Orleans.Runtime;
+
+namespace ManagedCode.Orleans.Identity.Client.Filters;
+
+internal readonly struct OrleansRequestContextScope : IDisposable
+{
+    private readonly object? previousUser;
+    private readonly bool hasPreviousUser;
+
+    public OrleansRequestContextScope(ClaimsPrincipal? user)
+    {
+        previousUser = RequestContext.Get(OrleansIdentityConstants.USER_CLAIMS);
+        hasPreviousUser = previousUser is not null;
+
+        SetUser(user);
+    }
+
+    public void Dispose()
+    {
+        if (hasPreviousUser)
+        {
+            RequestContext.Set(OrleansIdentityConstants.USER_CLAIMS, previousUser!);
+            return;
+        }
+
+        RequestContext.Remove(OrleansIdentityConstants.USER_CLAIMS);
+    }
+
+    private static void SetUser(ClaimsPrincipal? user)
+    {
+        if (user is null)
+        {
+            RequestContext.Remove(OrleansIdentityConstants.USER_CLAIMS);
+            return;
+        }
+
+        RequestContext.Set(OrleansIdentityConstants.USER_CLAIMS, user);
+    }
+}

ManagedCode.Orleans.Identity.Client/Filters/SignalRAuthorizationFilter.cs

@@ -1,9 +1,6 @@
 using System;
-using System.Security.Claims;
 using System.Threading.Tasks;
-using ManagedCode.Orleans.Identity.Core.Constants;
 using Microsoft.AspNetCore.SignalR;
-using Orleans.Runtime;
 
 namespace ManagedCode.Orleans.Identity.Client.Filters;
 
@@ -13,8 +10,15 @@ public sealed class SignalRAuthorizationFilter : IHubFilter
         HubInvocationContext invocationContext,
         Func<HubInvocationContext, ValueTask<object?>> next)
     {
-        RequestContext.Set(OrleansIdentityConstants.USER_CLAIMS, invocationContext.Context.User!); // can be null
-        return next(invocationContext);
+        return InvokeMethodWithRequestContextAsync(invocationContext, next);
+    }
+
+    private static async ValueTask<object?> InvokeMethodWithRequestContextAsync(
+        HubInvocationContext invocationContext,
+        Func<HubInvocationContext, ValueTask<object?>> next)
+    {
+        using var requestContextScope = new OrleansRequestContextScope(invocationContext.Context.User);
+        return await next(invocationContext);
     }
 
     public Task OnConnectedAsync(HubLifetimeContext context, Func<HubLifetimeContext, Task> next)
@@ -27,4 +31,4 @@ public Task OnDisconnectedAsync(HubLifetimeContext context, Exception? exception
     {
         return next(context, exception);
     }
-} 
+}

ManagedCode.Orleans.Identity.Server/GrainCallFilter/GrainAuthorizationIncomingFilter.cs

@@ -4,54 +4,36 @@
 using System.Reflection;
 using System.Security.Claims;
 using System.Threading.Tasks;
+using ManagedCode.Orleans.Identity.Core.Constants;
 using Microsoft.AspNetCore.Authorization;
-using Microsoft.Extensions.Logging;
-using Orleans;
 using Orleans.Runtime;
-using ManagedCode.Orleans.Identity.Core.Constants;
 
 namespace ManagedCode.Orleans.Identity.Server.GrainCallFilter;
 
 public class GrainAuthorizationIncomingFilter : IIncomingGrainCallFilter
 {
+    private const int EmptyAttributeCount = 0;
+    private const char RoleSeparator = ',';
+    private const string AccessDeniedNotAuthenticated = "Access denied. User is not authenticated.";
+    private const string AccessDeniedMissingRoles = "Access denied. User does not have required roles.";
+
     public async Task Invoke(IIncomingGrainCallContext context)
     {
-        // Check both interface method and implementation method
-        if (IsGrainAuthorized(context.ImplementationMethod, out var attributes))
+        if (IsGrainAuthorized(context, out var attributes))
         {
             var user = GetUserFromRequestContext();
-            
+
             if (user == null || user.Identity?.IsAuthenticated != true)
             {
-                throw new UnauthorizedAccessException("Access denied. User is not authenticated.");
+                throw new UnauthorizedAccessException(AccessDeniedNotAuthenticated);
             }
 
-            // Check if any attribute requires specific roles
-            var rolesRequired = attributes.Any(attr => !string.IsNullOrWhiteSpace(attr.Roles));
-            
-            if (rolesRequired)
+            if (!HasRequiredRoles(attributes, user))
             {
-                var userRoles = user.FindAll(ClaimTypes.Role).Select(c => c.Value).ToHashSet();
-                
-                // Check if user has any of the required roles from any attribute
-                var hasRequiredRole = attributes.Any(attribute =>
-                {
-                    if (string.IsNullOrWhiteSpace(attribute.Roles))
-                        return true; // No specific role required by this attribute
-                    
-                    var requiredRoles = attribute.Roles.Split(',', StringSplitOptions.RemoveEmptyEntries)
-                        .Select(r => r.Trim());
-                    
-                    return requiredRoles.Any(role => userRoles.Contains(role));
-                });
-
-                if (!hasRequiredRole)
-                {
-                    throw new UnauthorizedAccessException("Access denied. User does not have required roles.");
-                }
+                throw new UnauthorizedAccessException(AccessDeniedMissingRoles);
             }
         }
-        
+
         await context.Invoke();
     }
 
@@ -61,28 +43,71 @@ public async Task Invoke(IIncomingGrainCallContext context)
         return requestContext as ClaimsPrincipal;
     }
 
-    private static bool IsGrainAuthorized(MemberInfo methodInfo, out List<AuthorizeAttribute> attributes)
+    private static bool IsGrainAuthorized(IIncomingGrainCallContext context, out List<AuthorizeAttribute> attributes)
     {
         attributes = [];
+        var members = GetAuthorizationMembers(context);
 
-        if (Attribute.IsDefined(methodInfo, typeof(AllowAnonymousAttribute)))
+        if (members.Any(HasAllowAnonymousAttribute))
         {
             return false;
         }
 
-        if (methodInfo.DeclaringType != null && Attribute.IsDefined(methodInfo.DeclaringType, typeof(AuthorizeAttribute)))
+        attributes.AddRange(members.SelectMany(GetAuthorizeAttributes));
+        return attributes.Count != EmptyAttributeCount;
+    }
+
+    private static IReadOnlyList<MemberInfo> GetAuthorizationMembers(IIncomingGrainCallContext context)
+    {
+        var members = new List<MemberInfo>();
+
+        if (context.InterfaceMethod.DeclaringType is { } interfaceType)
+        {
+            members.Add(interfaceType);
+        }
+
+        if (context.ImplementationMethod.DeclaringType is { } implementationType)
         {
-            attributes.AddRange(Attribute.GetCustomAttributes(methodInfo.DeclaringType, typeof(AuthorizeAttribute))
-                .Cast<AuthorizeAttribute>());
+            members.Add(implementationType);
         }
 
-        if (Attribute.IsDefined(methodInfo, typeof(AuthorizeAttribute)))
+        members.Add(context.InterfaceMethod);
+        members.Add(context.ImplementationMethod);
+
+        return members;
+    }
+
+    private static bool HasAllowAnonymousAttribute(MemberInfo memberInfo)
+    {
+        return Attribute.IsDefined(memberInfo, typeof(AllowAnonymousAttribute), inherit: true);
+    }
+
+    private static IEnumerable<AuthorizeAttribute> GetAuthorizeAttributes(MemberInfo memberInfo)
+    {
+        return Attribute
+            .GetCustomAttributes(memberInfo, typeof(AuthorizeAttribute), inherit: true)
+            .Cast<AuthorizeAttribute>();
+    }
+
+    private static bool HasRequiredRoles(IEnumerable<AuthorizeAttribute> attributes, ClaimsPrincipal user)
+    {
+        return attributes
+            .Where(attribute => !string.IsNullOrWhiteSpace(attribute.Roles))
+            .All(attribute => HasAnyRequiredRole(attribute, user));
+    }
+
+    private static bool HasAnyRequiredRole(AuthorizeAttribute attribute, ClaimsPrincipal user)
+    {
+        if (string.IsNullOrWhiteSpace(attribute.Roles))
         {
-            attributes.AddRange(Attribute.GetCustomAttributes(methodInfo, typeof(AuthorizeAttribute))
-                .Cast<AuthorizeAttribute>());
             return true;
         }
 
-        return attributes.Count != 0;
+        var roles = attribute.Roles.Split(
+            RoleSeparator,
+            StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries
+        );
+
+        return roles.Any(user.IsInRole);
     }
 }

ManagedCode.Orleans.Identity.Tests/ClientFilterTests.cs

@@ -0,0 +1,95 @@
+using System.Security.Claims;
+using ManagedCode.Orleans.Identity.Client.Filters;
+using ManagedCode.Orleans.Identity.Core.Constants;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Abstractions;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.AspNetCore.Routing;
+using Orleans.Runtime;
+using Shouldly;
+using Xunit;
+
+namespace ManagedCode.Orleans.Identity.Tests;
+
+public class ClientFilterTests
+{
+    private const string AuthenticationType = "Test";
+    private const string CurrentUserName = "current-user";
+    private const string PreviousUserName = "previous-user";
+
+    [Fact]
+    public async Task OrleansAuthorizationActionFilter_RestoresPreviousRequestContext()
+    {
+        try
+        {
+            var previousUser = CreatePrincipal(PreviousUserName);
+            var currentUser = CreatePrincipal(CurrentUserName);
+            var context = CreateActionExecutingContext(currentUser);
+            var filter = new OrleansAuthorizationActionFilter();
+
+            RequestContext.Set(OrleansIdentityConstants.USER_CLAIMS, previousUser);
+
+            await filter.OnActionExecutionAsync(
+                context,
+                () =>
+                {
+                    RequestContext.Get(OrleansIdentityConstants.USER_CLAIMS).ShouldBeSameAs(currentUser);
+                    return Task.FromResult(CreateActionExecutedContext(context));
+                }
+            );
+
+            RequestContext.Get(OrleansIdentityConstants.USER_CLAIMS).ShouldBeSameAs(previousUser);
+        }
+        finally
+        {
+            RequestContext.Clear();
+        }
+    }
+
+    [Fact]
+    public async Task OrleansAuthorizationActionFilter_ClearsRequestContextWhenNoPreviousValue()
+    {
+        try
+        {
+            var currentUser = CreatePrincipal(CurrentUserName);
+            var context = CreateActionExecutingContext(currentUser);
+            var filter = new OrleansAuthorizationActionFilter();
+
+            RequestContext.Remove(OrleansIdentityConstants.USER_CLAIMS);
+
+            await filter.OnActionExecutionAsync(
+                context,
+                () =>
+                {
+                    RequestContext.Get(OrleansIdentityConstants.USER_CLAIMS).ShouldBeSameAs(currentUser);
+                    return Task.FromResult(CreateActionExecutedContext(context));
+                }
+            );
+
+            RequestContext.Get(OrleansIdentityConstants.USER_CLAIMS).ShouldBeNull();
+        }
+        finally
+        {
+            RequestContext.Clear();
+        }
+    }
+
+    private static ClaimsPrincipal CreatePrincipal(string userName)
+    {
+        return new ClaimsPrincipal(new ClaimsIdentity([new Claim(ClaimTypes.Name, userName)], AuthenticationType));
+    }
+
+    private static ActionExecutingContext CreateActionExecutingContext(ClaimsPrincipal user)
+    {
+        var httpContext = new DefaultHttpContext { User = user };
+        var actionContext = new ActionContext(httpContext, new RouteData(), new ActionDescriptor());
+
+        return new ActionExecutingContext(actionContext, [], new Dictionary<string, object?>(), new object());
+    }
+
+    private static ActionExecutedContext CreateActionExecutedContext(ActionExecutingContext context)
+    {
+        return new ActionExecutedContext(context, [], context.Controller);
+    }
+}

ManagedCode.Orleans.Identity.Tests/Cluster/Grains/IUserGrain.cs

@@ -1,3 +1,6 @@
+using ManagedCode.Orleans.Identity.Tests.Constants;
+using Microsoft.AspNetCore.Authorization;
+
 namespace ManagedCode.Orleans.Identity.Tests.Cluster.Grains;
 
 public interface IUserGrain : IGrainWithStringKey
@@ -8,4 +11,7 @@ public interface IUserGrain : IGrainWithStringKey
     Task<string> GetPublicInfo();
     Task<string> ModifyUser();
     Task<string> AddToList();
-}
+
+    [Authorize(Roles = TestRoles.ADMIN)]
+    Task<string> GetInterfaceAdminInfo();
+}