Add authorization metrics

Author: MackinnonBuck

src/Security/Authorization/Core/src/AuthorizationMetrics.cs

@@ -0,0 +1,48 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Diagnostics.Metrics;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.Authorization;
+
+internal sealed class AuthorizationMetrics : IDisposable
+{
+    public const string MeterName = "Microsoft.AspNetCore.Authorization";
+
+    private readonly Meter _meter;
+    private readonly Counter<long> _authorizeCount;
+
+    public AuthorizationMetrics(IMeterFactory meterFactory)
+    {
+        _meter = meterFactory.Create(MeterName);
+
+        _authorizeCount = _meter.CreateCounter<long>(
+            "aspnetcore.authorization.authorized_requests",
+            unit: "{request}",
+            description: "The total number of requests requiring authorization");
+    }
+
+    public void AuthorizedRequest(string? policyName, AuthorizationResult result)
+    {
+        if (_authorizeCount.Enabled)
+        {
+            var resultTagValue = result.Succeeded ? "success" : "failure";
+
+            _authorizeCount.Add(1, [
+                new("aspnetcore.authorization.policy", policyName),
+                new("aspnetcore.authorization.result", resultTagValue),
+            ]);
+        }
+    }
+
+    public void Dispose()
+    {
+        _meter.Dispose();
+    }
+}

src/Security/Authorization/Core/src/AuthorizationServiceCollectionExtensions.cs

@@ -27,6 +27,9 @@ public static IServiceCollection AddAuthorizationCore(this IServiceCollection se
         // aren't included by default.
         services.AddOptions();
 
+        services.AddMetrics();
+
+        services.TryAdd(ServiceDescriptor.Singleton<AuthorizationMetrics, AuthorizationMetrics>());
         services.TryAdd(ServiceDescriptor.Transient<IAuthorizationService, DefaultAuthorizationService>());
         services.TryAdd(ServiceDescriptor.Transient<IAuthorizationPolicyProvider, DefaultAuthorizationPolicyProvider>());
         services.TryAdd(ServiceDescriptor.Transient<IAuthorizationHandlerProvider, DefaultAuthorizationHandlerProvider>());

src/Security/Authorization/Core/src/DefaultAuthorizationService.cs

@@ -6,6 +6,7 @@
 using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Shared;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
@@ -17,6 +18,7 @@ namespace Microsoft.AspNetCore.Authorization;
 public class DefaultAuthorizationService : IAuthorizationService
 {
     private readonly AuthorizationOptions _options;
+    private readonly AuthorizationMetrics? _metrics;
     private readonly IAuthorizationHandlerContextFactory _contextFactory;
     private readonly IAuthorizationHandlerProvider _handlers;
     private readonly IAuthorizationEvaluator _evaluator;
@@ -32,7 +34,35 @@ public class DefaultAuthorizationService : IAuthorizationService
     /// <param name="contextFactory">The <see cref="IAuthorizationHandlerContextFactory"/> used to create the context to handle the authorization.</param>
     /// <param name="evaluator">The <see cref="IAuthorizationEvaluator"/> used to determine if authorization was successful.</param>
     /// <param name="options">The <see cref="AuthorizationOptions"/> used.</param>
-    public DefaultAuthorizationService(IAuthorizationPolicyProvider policyProvider, IAuthorizationHandlerProvider handlers, ILogger<DefaultAuthorizationService> logger, IAuthorizationHandlerContextFactory contextFactory, IAuthorizationEvaluator evaluator, IOptions<AuthorizationOptions> options)
+    public DefaultAuthorizationService(
+        IAuthorizationPolicyProvider policyProvider,
+        IAuthorizationHandlerProvider handlers,
+        ILogger<DefaultAuthorizationService> logger,
+        IAuthorizationHandlerContextFactory contextFactory,
+        IAuthorizationEvaluator evaluator,
+        IOptions<AuthorizationOptions> options)
+        : this(policyProvider, handlers, logger, contextFactory, evaluator, options, services: null)
+    {
+    }
+
+    /// <summary>
+    /// Creates a new instance of <see cref="DefaultAuthorizationService"/>.
+    /// </summary>
+    /// <param name="policyProvider">The <see cref="IAuthorizationPolicyProvider"/> used to provide policies.</param>
+    /// <param name="handlers">The handlers used to fulfill <see cref="IAuthorizationRequirement"/>s.</param>
+    /// <param name="logger">The logger used to log messages, warnings and errors.</param>
+    /// <param name="contextFactory">The <see cref="IAuthorizationHandlerContextFactory"/> used to create the context to handle the authorization.</param>
+    /// <param name="evaluator">The <see cref="IAuthorizationEvaluator"/> used to determine if authorization was successful.</param>
+    /// <param name="options">The <see cref="AuthorizationOptions"/> used.</param>
+    /// <param name="services">The <see cref="IServiceProvider"/> used to provide other services.</param>
+    public DefaultAuthorizationService(
+        IAuthorizationPolicyProvider policyProvider,
+        IAuthorizationHandlerProvider handlers,
+        ILogger<DefaultAuthorizationService> logger,
+        IAuthorizationHandlerContextFactory contextFactory,
+        IAuthorizationEvaluator evaluator,
+        IOptions<AuthorizationOptions> options,
+        IServiceProvider? services)
     {
         ArgumentNullThrowHelper.ThrowIfNull(options);
         ArgumentNullThrowHelper.ThrowIfNull(policyProvider);
@@ -47,6 +77,7 @@ public DefaultAuthorizationService(IAuthorizationPolicyProvider policyProvider,
         _logger = logger;
         _evaluator = evaluator;
         _contextFactory = contextFactory;
+        _metrics = services?.GetService<AuthorizationMetrics>();
     }
 
     /// <summary>
@@ -59,7 +90,33 @@ public DefaultAuthorizationService(IAuthorizationPolicyProvider policyProvider,
     /// A flag indicating whether authorization has succeeded.
     /// This value is <c>true</c> when the user fulfills the policy, otherwise <c>false</c>.
     /// </returns>
-    public virtual async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object? resource, IEnumerable<IAuthorizationRequirement> requirements)
+    public virtual Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object? resource, IEnumerable<IAuthorizationRequirement> requirements)
+        => AuthorizeCoreAsync(user, resource, requirements, policyName: null);
+
+    /// <summary>
+    /// Checks if a user meets a specific authorization policy.
+    /// </summary>
+    /// <param name="user">The user to check the policy against.</param>
+    /// <param name="resource">The resource the policy should be checked with.</param>
+    /// <param name="policyName">The name of the policy to check against a specific context.</param>
+    /// <returns>
+    /// A flag indicating whether authorization has succeeded.
+    /// This value is <c>true</c> when the user fulfills the policy otherwise <c>false</c>.
+    /// </returns>
+    public virtual async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object? resource, string policyName)
+    {
+        ArgumentNullThrowHelper.ThrowIfNull(policyName);
+
+        var policy = await _policyProvider.GetPolicyAsync(policyName).ConfigureAwait(false);
+        if (policy == null)
+        {
+            throw new InvalidOperationException($"No policy found: {policyName}.");
+        }
+
+        return await AuthorizeCoreAsync(user, resource, policy.Requirements, policyName).ConfigureAwait(false);
+    }
+
+    private async Task<AuthorizationResult> AuthorizeCoreAsync(ClaimsPrincipal user, object? resource, IEnumerable<IAuthorizationRequirement> requirements, string? policyName)
     {
         ArgumentNullThrowHelper.ThrowIfNull(requirements);
 
@@ -75,6 +132,9 @@ public virtual async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal us
         }
 
         var result = _evaluator.Evaluate(authContext);
+
+        _metrics?.AuthorizedRequest(policyName, result);
+
         if (result.Succeeded)
         {
             _logger.UserAuthorizationSucceeded();
@@ -83,28 +143,7 @@ public virtual async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal us
         {
             _logger.UserAuthorizationFailed(result.Failure);
         }
-        return result;
-    }
 
-    /// <summary>
-    /// Checks if a user meets a specific authorization policy.
-    /// </summary>
-    /// <param name="user">The user to check the policy against.</param>
-    /// <param name="resource">The resource the policy should be checked with.</param>
-    /// <param name="policyName">The name of the policy to check against a specific context.</param>
-    /// <returns>
-    /// A flag indicating whether authorization has succeeded.
-    /// This value is <c>true</c> when the user fulfills the policy otherwise <c>false</c>.
-    /// </returns>
-    public virtual async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object? resource, string policyName)
-    {
-        ArgumentNullThrowHelper.ThrowIfNull(policyName);
-
-        var policy = await _policyProvider.GetPolicyAsync(policyName).ConfigureAwait(false);
-        if (policy == null)
-        {
-            throw new InvalidOperationException($"No policy found: {policyName}.");
-        }
-        return await this.AuthorizeAsync(user, resource, policy).ConfigureAwait(false);
+        return result;
     }
 }

src/Security/Authorization/Core/src/Microsoft.AspNetCore.Authorization.csproj

@@ -17,6 +17,7 @@ Microsoft.AspNetCore.Authorization.AuthorizeAttribute</Description>
   <ItemGroup>
     <Reference Include="Microsoft.AspNetCore.Metadata" />
     <Reference Include="Microsoft.Extensions.Logging.Abstractions" />
+    <Reference Include="Microsoft.Extensions.Diagnostics" />
     <Reference Include="Microsoft.Extensions.Options" />
   </ItemGroup>
 
@@ -31,4 +32,8 @@ Microsoft.AspNetCore.Authorization.AuthorizeAttribute</Description>
     <Compile Include="$(SharedSourceRoot)Debugger\DebuggerHelpers.cs" LinkBase="Shared" />
   </ItemGroup>
 
+  <ItemGroup>
+    <InternalsVisibleTo Include="Microsoft.AspNetCore.Authorization.Test" />
+  </ItemGroup>
+
 </Project>

src/Security/Authorization/Core/src/PublicAPI/net10.0/PublicAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+Microsoft.AspNetCore.Authorization.DefaultAuthorizationService.DefaultAuthorizationService(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider! policyProvider, Microsoft.AspNetCore.Authorization.IAuthorizationHandlerProvider! handlers, Microsoft.Extensions.Logging.ILogger<Microsoft.AspNetCore.Authorization.DefaultAuthorizationService!>! logger, Microsoft.AspNetCore.Authorization.IAuthorizationHandlerContextFactory! contextFactory, Microsoft.AspNetCore.Authorization.IAuthorizationEvaluator! evaluator, Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.Authorization.AuthorizationOptions!>! options, System.IServiceProvider? services) -> void

src/Security/Authorization/Core/src/PublicAPI/net462/PublicAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+Microsoft.AspNetCore.Authorization.DefaultAuthorizationService.DefaultAuthorizationService(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider! policyProvider, Microsoft.AspNetCore.Authorization.IAuthorizationHandlerProvider! handlers, Microsoft.Extensions.Logging.ILogger<Microsoft.AspNetCore.Authorization.DefaultAuthorizationService!>! logger, Microsoft.AspNetCore.Authorization.IAuthorizationHandlerContextFactory! contextFactory, Microsoft.AspNetCore.Authorization.IAuthorizationEvaluator! evaluator, Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.Authorization.AuthorizationOptions!>! options, System.IServiceProvider? services) -> void

src/Security/Authorization/Core/src/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+Microsoft.AspNetCore.Authorization.DefaultAuthorizationService.DefaultAuthorizationService(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider! policyProvider, Microsoft.AspNetCore.Authorization.IAuthorizationHandlerProvider! handlers, Microsoft.Extensions.Logging.ILogger<Microsoft.AspNetCore.Authorization.DefaultAuthorizationService!>! logger, Microsoft.AspNetCore.Authorization.IAuthorizationHandlerContextFactory! contextFactory, Microsoft.AspNetCore.Authorization.IAuthorizationEvaluator! evaluator, Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.Authorization.AuthorizationOptions!>! options, System.IServiceProvider? services) -> void

src/Security/Authorization/test/AuthorizationMetricsTest.cs

@@ -0,0 +1,138 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Security.Claims;
+using Microsoft.AspNetCore.InternalTesting;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Diagnostics.Metrics.Testing;
+
+namespace Microsoft.AspNetCore.Authorization.Test;
+
+public class AuthorizationMetricsTest
+{
+    [Fact]
+    public async Task Authorize_WithPolicyName_Success()
+    {
+        // Arrange
+        var meterFactory = new TestMeterFactory();
+        var authorizationService = BuildAuthorizationService(meterFactory);
+        var meter = meterFactory.Meters.Single();
+        var user = new ClaimsPrincipal(new ClaimsIdentity([new Claim("Permission", "CanViewPage")]));
+
+        using var authorizedRequestsCollector = new MetricCollector<long>(meterFactory, AuthorizationMetrics.MeterName, "aspnetcore.authorization.authorized_requests");
+
+        // Act
+        await authorizationService.AuthorizeAsync(user, "Basic");
+
+        // Assert
+        Assert.Equal(AuthorizationMetrics.MeterName, meter.Name);
+        Assert.Null(meter.Version);
+
+        var measurement = Assert.Single(authorizedRequestsCollector.GetMeasurementSnapshot());
+        Assert.Equal(1, measurement.Value);
+        Assert.Equal("Basic", (string)measurement.Tags["aspnetcore.authorization.policy"]);
+        Assert.Equal("success", (string)measurement.Tags["aspnetcore.authorization.result"]);
+    }
+
+    [Fact]
+    public async Task Authorize_WithPolicyName_Failure()
+    {
+        // Arrange
+        var meterFactory = new TestMeterFactory();
+        var authorizationService = BuildAuthorizationService(meterFactory);
+        var meter = meterFactory.Meters.Single();
+        var user = new ClaimsPrincipal(new ClaimsIdentity([])); // Will fail due to missing required claim
+
+        using var authorizedRequestsCollector = new MetricCollector<long>(meterFactory, AuthorizationMetrics.MeterName, "aspnetcore.authorization.authorized_requests");
+
+        // Act
+        await authorizationService.AuthorizeAsync(user, "Basic");
+
+        // Assert
+        Assert.Equal(AuthorizationMetrics.MeterName, meter.Name);
+        Assert.Null(meter.Version);
+
+        var measurement = Assert.Single(authorizedRequestsCollector.GetMeasurementSnapshot());
+        Assert.Equal(1, measurement.Value);
+        Assert.Equal("Basic", (string)measurement.Tags["aspnetcore.authorization.policy"]);
+        Assert.Equal("failure", (string)measurement.Tags["aspnetcore.authorization.result"]);
+    }
+
+    [Fact]
+    public async Task Authorize_WithoutPolicyName_Success()
+    {
+        // Arrange
+        var meterFactory = new TestMeterFactory();
+        var authorizationService = BuildAuthorizationService(meterFactory, services =>
+        {
+            services.AddSingleton<IAuthorizationHandler>(new AlwaysHandler(succeed: true));
+        });
+        var meter = meterFactory.Meters.Single();
+        var user = new ClaimsPrincipal(new ClaimsIdentity([]));
+
+        using var authorizedRequestsCollector = new MetricCollector<long>(meterFactory, AuthorizationMetrics.MeterName, "aspnetcore.authorization.authorized_requests");
+
+        // Act
+        await authorizationService.AuthorizeAsync(user, resource: null, new TestRequirement());
+
+        // Assert
+        Assert.Equal(AuthorizationMetrics.MeterName, meter.Name);
+        Assert.Null(meter.Version);
+
+        var measurement = Assert.Single(authorizedRequestsCollector.GetMeasurementSnapshot());
+        Assert.Equal(1, measurement.Value);
+        Assert.Null(measurement.Tags["aspnetcore.authorization.policy"]);
+        Assert.Equal("success", (string)measurement.Tags["aspnetcore.authorization.result"]);
+    }
+
+    [Fact]
+    public async Task Authorize_WithoutPolicyName_Failure()
+    {
+        // Arrange
+        var meterFactory = new TestMeterFactory();
+        var authorizationService = BuildAuthorizationService(meterFactory); // Will fail because there is no handler registered
+        var meter = meterFactory.Meters.Single();
+        var user = new ClaimsPrincipal(new ClaimsIdentity([]));
+
+        using var authorizedRequestsCollector = new MetricCollector<long>(meterFactory, AuthorizationMetrics.MeterName, "aspnetcore.authorization.authorized_requests");
+
+        // Act
+        await authorizationService.AuthorizeAsync(user, resource: null, new TestRequirement());
+
+        // Assert
+        Assert.Equal(AuthorizationMetrics.MeterName, meter.Name);
+        Assert.Null(meter.Version);
+
+        var measurement = Assert.Single(authorizedRequestsCollector.GetMeasurementSnapshot());
+        Assert.Equal(1, measurement.Value);
+        Assert.Null(measurement.Tags["aspnetcore.authorization.policy"]);
+        Assert.Equal("failure", (string)measurement.Tags["aspnetcore.authorization.result"]);
+    }
+
+    private static IAuthorizationService BuildAuthorizationService(TestMeterFactory meterFactory, Action<IServiceCollection> setupServices = null)
+    {
+        var services = new ServiceCollection();
+        services.AddSingleton(new AuthorizationMetrics(meterFactory));
+        services.AddAuthorizationBuilder()
+            .AddPolicy("Basic", policy => policy.RequireClaim("Permission", "CanViewPage"));
+        services.AddLogging();
+        services.AddOptions();
+        setupServices?.Invoke(services);
+        return services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();
+    }
+
+    private sealed class AlwaysHandler(bool succeed) : AuthorizationHandler<TestRequirement>
+    {
+        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, TestRequirement requirement)
+        {
+            if (succeed)
+            {
+                context.Succeed(requirement);
+            }
+
+            return Task.CompletedTask;
+        }
+    }
+
+    private sealed class TestRequirement : IAuthorizationRequirement;
+}

src/Security/Authorization/test/Microsoft.AspNetCore.Authorization.Test.csproj

@@ -10,7 +10,12 @@
     <Reference Include="Microsoft.AspNetCore.Authorization.Policy" />
     <Reference Include="Microsoft.AspNetCore.Http" />
     <Reference Include="Microsoft.Extensions.DependencyInjection" />
+    <Reference Include="Microsoft.Extensions.Diagnostics.Testing" />
     <Reference Include="Microsoft.Extensions.Logging" />
   </ItemGroup>
 
+  <ItemGroup>
+    <Compile Include="$(SharedSourceRoot)Metrics\TestMeterFactory.cs" />
+  </ItemGroup>
+
 </Project>