Add AuthorizationPolicyBuilder.RequireClaim overload that take a Predicate<Claim>

Author: joegoldman2

src/Security/Authorization/Core/src/AuthorizationPolicyBuilder.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization.Infrastructure;
 using Microsoft.AspNetCore.Shared;
@@ -141,6 +142,20 @@ public AuthorizationPolicyBuilder RequireClaim(string claimType)
         return this;
     }
 
+    /// <summary>
+    /// Adds a <see cref="ClaimsAuthorizationRequirement"/> to the current instance which requires
+    /// that the current user has a claim that satisfies the specified predicate.
+    /// </summary>
+    /// <param name="match">The predicate to evaluate the claims.</param>
+    /// <returns>A reference to this instance after the operation has completed.</returns>
+    public AuthorizationPolicyBuilder RequireClaim(Predicate<Claim> match)
+    {
+        ArgumentNullThrowHelper.ThrowIfNull(match);
+
+        Requirements.Add(new ClaimsAuthorizationRequirement(match));
+        return this;
+    }
+
     /// <summary>
     /// Adds a <see cref="RolesAuthorizationRequirement"/> to the current instance which enforces that the current user
     /// must have at least one of the specified roles.

src/Security/Authorization/Core/src/ClaimsAuthorizationRequirement.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Shared;
 
@@ -32,17 +33,35 @@ public ClaimsAuthorizationRequirement(string claimType, IEnumerable<string>? all
         _emptyAllowedValues = AllowedValues == null || !AllowedValues.Any();
     }
 
+    /// <summary>
+    /// Creates a new instance of <see cref="ClaimsAuthorizationRequirement"/>.
+    /// </summary>
+    /// <param name="match">The predicate to evaluate the claims.</param>
+    public ClaimsAuthorizationRequirement(Predicate<Claim> match)
+    {
+        ArgumentNullThrowHelper.ThrowIfNull(match);
+
+        Match = match;
+        _emptyAllowedValues = true;
+    }
+
     /// <summary>
     /// Gets the claim type that must be present.
     /// </summary>
-    public string ClaimType { get; }
+    public string? ClaimType { get; }
 
     /// <summary>
     /// Gets the optional list of claim values, which, if present,
     /// the claim must match.
     /// </summary>
     public IEnumerable<string>? AllowedValues { get; }
 
+    /// <summary>
+    ///  A predicate to evaluate the claims.
+    ///  Used if specified instead of <see cref="ClaimType"/> and <see cref="AllowedValues"/>.
+    /// </summary>
+    public Predicate<Claim>? Match { get; }
+
     /// <summary>
     /// Makes a decision if authorization is allowed based on the claims requirements specified.
     /// </summary>
@@ -53,7 +72,12 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
         if (context.User != null)
         {
             var found = false;
-            if (requirement._emptyAllowedValues)
+
+            if (requirement.Match != null)
+            {
+                found = context.User.HasClaim(requirement.Match);
+            }
+            else if (requirement._emptyAllowedValues)
             {
                 foreach (var claim in context.User.Claims)
                 {
@@ -76,17 +100,24 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
                     }
                 }
             }
+
             if (found)
             {
                 context.Succeed(requirement);
             }
         }
+
         return Task.CompletedTask;
     }
 
     /// <inheritdoc />
     public override string ToString()
     {
+        if (Match != null)
+        {
+            return $"{nameof(ClaimsAuthorizationRequirement)}:Evaluates using a custom predicate";
+        }
+
         var value = (_emptyAllowedValues)
             ? string.Empty
             : $" and Claim.Value is one of the following values: ({string.Join("|", AllowedValues!)})";

src/Security/Authorization/Core/src/PublicAPI/net462/PublicAPI.Unshipped.txt

@@ -1 +1,6 @@
 #nullable enable
+Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder.RequireClaim(System.Predicate<System.Security.Claims.Claim!>! match) -> Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder!
+Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.ClaimsAuthorizationRequirement(System.Predicate<System.Security.Claims.Claim!>! match) -> void
+*REMOVED*Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.ClaimType.get -> string!
+Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.ClaimType.get -> string?
+Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.Match.get -> System.Predicate<System.Security.Claims.Claim!>?

src/Security/Authorization/Core/src/PublicAPI/net9.0/PublicAPI.Unshipped.txt

@@ -1 +1,6 @@
 #nullable enable
+Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder.RequireClaim(System.Predicate<System.Security.Claims.Claim!>! match) -> Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder!
+Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.ClaimsAuthorizationRequirement(System.Predicate<System.Security.Claims.Claim!>! match) -> void
+*REMOVED*Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.ClaimType.get -> string!
+Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.ClaimType.get -> string?
+Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.Match.get -> System.Predicate<System.Security.Claims.Claim!>?

src/Security/Authorization/Core/src/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt

@@ -1 +1,6 @@
 #nullable enable
+Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder.RequireClaim(System.Predicate<System.Security.Claims.Claim!>! match) -> Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder!
+Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.ClaimsAuthorizationRequirement(System.Predicate<System.Security.Claims.Claim!>! match) -> void
+*REMOVED*Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.ClaimType.get -> string!
+Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.ClaimType.get -> string?
+Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement.Match.get -> System.Predicate<System.Security.Claims.Claim!>?

src/Security/Authorization/test/ClaimsAuthorizationRequirementTests.cs

@@ -1,17 +1,13 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Security.Claims;
 using Microsoft.AspNetCore.Authorization.Infrastructure;
 
 namespace Microsoft.AspNetCore.Authorization.Test;
 
 public class ClaimsAuthorizationRequirementTests
 {
-    public ClaimsAuthorizationRequirement CreateRequirement(string claimType, params string[] allowedValues)
-    {
-        return new ClaimsAuthorizationRequirement(claimType, allowedValues);
-    }
-
     [Fact]
     public void ToString_ShouldReturnAndDescriptionWhenAllowedValuesNotNull()
     {
@@ -50,4 +46,28 @@ public void ToString_ShouldReturnWithoutAllowedDescriptionWhenAllowedValuesIsEmp
         // Assert
         Assert.Equal("ClaimsAuthorizationRequirement:Claim.Type=Custom", formattedValue);
     }
+
+    [Fact]
+    public void ToString_ShouldReturnPredicateDescriptionWhenPredicateIsUsed()
+    {
+        // Arrange
+        Predicate<Claim> claimPredicate = claim => claim.Type == "Permissions" && claim.Value.Contains("CanViewPage");
+        var requirement = CreateRequirement(claimPredicate);
+
+        // Act
+        var formattedValue = requirement.ToString();
+
+        // Assert
+        Assert.Equal("ClaimsAuthorizationRequirement:Evaluates using a custom predicate", formattedValue);
+    }
+
+    private ClaimsAuthorizationRequirement CreateRequirement(string claimType, params string[] allowedValues)
+    {
+        return new ClaimsAuthorizationRequirement(claimType, allowedValues);
+    }
+
+    private ClaimsAuthorizationRequirement CreateRequirement(Predicate<Claim> match)
+    {
+        return new ClaimsAuthorizationRequirement(match);
+    }
 }

src/Security/Authorization/test/DefaultAuthorizationServiceTests.cs

@@ -90,6 +90,27 @@ public async Task Authorize_ShouldAllowIfClaimIsAmongValues()
         Assert.True(allowed.Succeeded);
     }
 
+    [Fact]
+    public async Task Authorize_ShouldAllowIfClaimMatchesPredicate()
+    {
+        // Arrange
+        var authorizationService = BuildAuthorizationService(services =>
+        {
+            services.AddAuthorizationBuilder().AddPolicy("Basic", policy =>
+            {
+                policy.AddAuthenticationSchemes("Basic");
+                policy.RequireClaim(claim => claim.Type == "Permission" && claim.Value == "CanViewPage");
+            });
+        });
+        var user = new ClaimsPrincipal(new ClaimsIdentity(new Claim[] { new Claim("Permission", "CanViewPage") }, "Basic"));
+
+        // Act
+        var allowed = await authorizationService.AuthorizeAsync(user, "Basic");
+
+        // Assert
+        Assert.True(allowed.Succeeded);
+    }
+
     [Fact]
     public async Task Authorize_ShouldInvokeAllHandlersByDefault()
     {
@@ -260,6 +281,27 @@ public async Task Authorize_ShouldNotAllowIfClaimValueIsNotPresent()
         Assert.False(allowed.Succeeded);
     }
 
+    [Fact]
+    public async Task Authorize_ShouldNotAllowIfClaimDoesNotMatchPredicate()
+    {
+        // Arrange
+        var authorizationService = BuildAuthorizationService(services =>
+        {
+            services.AddAuthorizationBuilder().AddPolicy("Basic", policy =>
+            {
+                policy.AddAuthenticationSchemes("Basic");
+                policy.RequireClaim(claim => claim.Type == "Permission" && claim.Value == "CanViewAnything");
+            });
+        });
+        var user = new ClaimsPrincipal(new ClaimsIdentity(new Claim[] { new Claim("Permission", "CanViewPage") }, "Basic"));
+
+        // Act
+        var allowed = await authorizationService.AuthorizeAsync(user, "Basic");
+
+        // Assert
+        Assert.False(allowed.Succeeded);
+    }
+
     [Fact]
     public async Task Authorize_ShouldNotAllowIfNoClaims()
     {