
ThreeMammals / Ocelot / 25598088569

09 May 2026 09:48AM UTC coverage: 94.662% (+1.1%) from 93.559%
25598088569

Pull #2388

github

web-flow
Merge 7837ec610 into fe672ec02
Pull Request #2388: #2378 Deprecate `Ocelot.Provider.Consul` project

6419 of 6781 relevant lines covered (94.66%)

4123.05 hits per line

Source File

76.0
src/Ocelot/Authorization/AuthorizationMiddleware.cs
using Microsoft.AspNetCore.Http;
using Ocelot.Errors;
using Ocelot.Infrastructure.Extensions;
using Ocelot.Logging;
using Ocelot.Middleware;

namespace Ocelot.Authorization;

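/// <summary>
/// Pipeline middleware that checks the current user against the downstream route's
/// allowed scopes and claims requirements before handing the request to the next delegate.
/// </summary>
/// <remarks>
/// <para>
/// Every denial path records its error(s) in <c>context.Items</c> and returns without calling
/// the next delegate, so a rejected request is never forwarded by this middleware.
/// </para>
/// <para>
/// Requests for which <c>context.IsOptionsMethod()</c> is true skip both checks and are passed
/// straight to the next delegate (presumably HTTP OPTIONS / CORS preflight; confirm against the
/// extension method). Whatever handles those requests must not rely on this middleware.
/// </para>
/// <para>
/// NOTE(review): in the coverage report this listing was taken from, the denial branches other
/// than the scopes <c>IsError</c> branch had no test hits. They are the fail-closed paths and
/// deserve explicit tests.
/// </para>
/// </remarks>
public class AuthorizationMiddleware : OcelotMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IClaimsAuthorizer _claimsAuthorizer;
    private readonly IScopesAuthorizer _scopesAuthorizer;

    /// <summary>
    /// Creates the middleware and its logger.
    /// </summary>
    /// <param name="next">The next delegate in the pipeline, invoked only when the request is allowed through.</param>
    /// <param name="claimsAuthorizer">Evaluates the route's claims requirement against the user.</param>
    /// <param name="scopesAuthorizer">Evaluates the route's allowed scopes against the user.</param>
    /// <param name="loggerFactory">Factory used to create the logger passed to the base class.</param>
    public AuthorizationMiddleware(RequestDelegate next,
        IClaimsAuthorizer claimsAuthorizer,
        IScopesAuthorizer scopesAuthorizer,
        IOcelotLoggerFactory loggerFactory)
        : base(loggerFactory.CreateLogger<AuthorizationMiddleware>())
    {
        _next = next;
        _claimsAuthorizer = claimsAuthorizer;
        _scopesAuthorizer = scopesAuthorizer;
    }

    /// <summary>
    /// Runs the scopes check (when the route is authenticated) and then the claims check
    /// (when the route is authorized), forwarding the request only if neither check denies it.
    /// </summary>
    /// <param name="context">The current HTTP context; the route, errors and placeholders are read from and written to <c>context.Items</c>.</param>
    /// <returns>A task that completes when the request has been forwarded or rejected.</returns>
    public async Task Invoke(HttpContext context)
    {
        var route = context.Items.DownstreamRoute();

        if (!context.IsOptionsMethod() && route.IsAuthenticated)
        {
            var authorized = _scopesAuthorizer.Authorize(context.User, route.AuthenticationOptions.AllowedScopes);
            if (authorized.IsError)
            {
#if DEBUG
                Logger.LogWarning(() => $"The '{route.Name()}' route encountered authorization errors due to user scopes:{authorized.Errors.ToErrorString(true)}");
#endif
                context.Items.UpsertErrors(authorized.Errors);
                return;
            }

            // TODO: The original author notes this branch looks unreachable with the current ScopesAuthorizer design; a good reason to refactor.
            if (!authorized.Data)
            {
                // Identity may be null on a principal without identities; do not let building the denial message throw.
                var error = new UnauthorizedError($"{context.User?.Identity?.Name} unable to access route {route.Name()}");
#if DEBUG
                Logger.LogInformation(error.ToString);
#endif
                context.Items.SetError(error);

                // Fail closed: without this return, execution continued to the claims check below,
                // and for a route where IsAuthorized is false the final else branch called _next,
                // forwarding a request that had just been denied on scopes.
                return;
            }
        }

        if (!context.IsOptionsMethod() && route.IsAuthorized)
        {
            var authorized = _claimsAuthorizer.Authorize(context.User, route.RouteClaimsRequirement, context.Items.TemplatePlaceholderNameAndValues());
            if (authorized.IsError)
            {
#if DEBUG
                Logger.LogWarning(() => $"Error whilst authorizing {context.User?.Identity?.Name} in route {route.Name()}:{authorized.Errors.ToErrorString(true)}");
#endif
                context.Items.UpsertErrors(authorized.Errors);
                return;
            }

            if (authorized.Data)
            {
#if DEBUG
                Logger.LogInformation(() => $"{context.User?.Identity?.Name} has successfully been authorized for {route.Name()}.");
#endif
                await _next.Invoke(context);
            }
            else
            {
                // Denied on claims: record the error and fall out of the method without calling _next.
                var error = new UnauthorizedError($"{context.User?.Identity?.Name} is not authorized to access '{route.Name()}' route. Setting pipeline error.");
#if DEBUG
                Logger.LogInformation(error.ToString);
#endif
                context.Items.SetError(error);
            }
        }
        else
        {
            // Reached for OPTIONS requests and for routes with no claims requirement
            // (including routes that already passed the scopes check above).
#if DEBUG
            Logger.LogDebug(() => $"No authorization needed for the route: {route.Name()}");
#endif
            await _next.Invoke(context);
        }
    }
}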