Changes per PR comments

pranavkm · pranavkm · commit 63ac5f02d5d8 · 2019-09-25T11:25:53.000-07:00
diff --git a/src/Http/HttpAbstractions.sln b/src/Http/HttpAbstractions.sln
@@ -113,6 +113,10 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.Server
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.WebUtilities.Performance", "WebUtilities\perf\Microsoft.AspNetCore.WebUtilities.Performance\Microsoft.AspNetCore.WebUtilities.Performance.csproj", "{21AC56E7-4E77-4B0E-B63E-C8E836E4D14E}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.Authorization.Policy", "..\Security\Authorization\Policy\src\Microsoft.AspNetCore.Authorization.Policy.csproj", "{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.Cors", "..\Middleware\CORS\src\Microsoft.AspNetCore.Cors.csproj", "{09168958-FD5B-4D25-8FBF-75E2C80D903B}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -603,6 +607,30 @@ Global
 		{21AC56E7-4E77-4B0E-B63E-C8E836E4D14E}.Release|x64.Build.0 = Release|Any CPU
 		{21AC56E7-4E77-4B0E-B63E-C8E836E4D14E}.Release|x86.ActiveCfg = Release|Any CPU
 		{21AC56E7-4E77-4B0E-B63E-C8E836E4D14E}.Release|x86.Build.0 = Release|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Debug|x64.Build.0 = Debug|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Debug|x86.Build.0 = Debug|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Release|Any CPU.Build.0 = Release|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Release|x64.ActiveCfg = Release|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Release|x64.Build.0 = Release|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Release|x86.ActiveCfg = Release|Any CPU
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B}.Release|x86.Build.0 = Release|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Debug|x64.Build.0 = Debug|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Debug|x86.Build.0 = Debug|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Release|Any CPU.Build.0 = Release|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Release|x64.ActiveCfg = Release|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Release|x64.Build.0 = Release|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Release|x86.ActiveCfg = Release|Any CPU
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -651,6 +679,8 @@ Global
 		{611794D2-EF3A-422A-A077-23E61C7ADE49} = {793FFE24-138A-4C3D-81AB-18D625E36230}
 		{1062FCDE-E145-40EC-B175-FDBCAA0C59A0} = {793FFE24-138A-4C3D-81AB-18D625E36230}
 		{21AC56E7-4E77-4B0E-B63E-C8E836E4D14E} = {80A090C8-ED02-4DE3-875A-30DCCDBD84BA}
+		{8BCAA9EC-0ACD-435C-BF8A-8C843499FF7B} = {793FFE24-138A-4C3D-81AB-18D625E36230}
+		{09168958-FD5B-4D25-8FBF-75E2C80D903B} = {793FFE24-138A-4C3D-81AB-18D625E36230}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {85B5E151-2E9D-419C-83DD-0DDCF446C83A}
diff --git a/src/Http/Routing/src/EndpointMiddleware.cs b/src/Http/Routing/src/EndpointMiddleware.cs
@@ -6,16 +6,15 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Cors.Infrastructure;
 using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Http.Features;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
 namespace Microsoft.AspNetCore.Routing
 {
     internal sealed class EndpointMiddleware
     {
-        internal const string AuthorizationMiddlewareInvokedKey = "__AuthorizationMiddlewareInvoked";
-        internal const string CorsMiddlewareInvokedKey = "__CorsMiddlewareInvoked";
+        internal const string AuthorizationMiddlewareInvokedKey = "__AuthorizationMiddlewareWithEndpointInvoked";
+        internal const string CorsMiddlewareInvokedKey = "__CorsMiddlewareWithEndpointInvoked";
 
         private readonly ILogger _logger;
         private readonly RequestDelegate _next;
diff --git a/src/Http/Routing/test/FunctionalTests/EndpointRoutingIntegrationTest.cs b/src/Http/Routing/test/FunctionalTests/EndpointRoutingIntegrationTest.cs
@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.Net;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
@@ -51,6 +52,31 @@ public async Task AuthorizationMiddleware_WhenNoAuthMetadataIsConfigured()
             response.EnsureSuccessStatusCode();
         }
 
+        [Fact]
+        public async Task AuthorizationMiddleware_WhenEndpointIsNotFound()
+        {
+            // Arrange
+            var builder = new WebHostBuilder();
+            builder.Configure(app =>
+            {
+                app.UseRouting();
+                app.UseAuthorization();
+                app.UseEndpoints(b => b.Map("/", TestDelegate));
+
+            })
+           .ConfigureServices(services =>
+           {
+               services.AddAuthorization();
+               services.AddRouting();
+           });
+
+            using var server = new TestServer(builder);
+
+            var response = await server.CreateRequest("/not-found").SendAsync("GET");
+
+            Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+        }
+
         [Fact]
         public async Task AuthorizationMiddleware_WithAuthorizedEndpoint()
         {
@@ -99,6 +125,29 @@ public async Task AuthorizationMiddleware_NotConfigured_Throws()
             Assert.Equal(AuthErrorMessage, ex.Message);
         }
 
+        [Fact]
+        public async Task AuthorizationMiddleware_NotConfigured_WhenEndpointIsNotFound()
+        {
+            // Arrange
+            var builder = new WebHostBuilder();
+            builder.Configure(app =>
+            {
+                app.UseRouting();
+                app.UseEndpoints(b => b.Map("/", TestDelegate).RequireAuthorization());
+
+            })
+           .ConfigureServices(services =>
+           {
+               services.AddRouting();
+           });
+
+            using var server = new TestServer(builder);
+
+            var response = await server.CreateRequest("/not-found").SendAsync("GET");
+
+            Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+        }
+
         [Fact]
         public async Task AuthorizationMiddleware_ConfiguredBeforeRouting_Throws()
         {
diff --git a/src/Http/Routing/test/UnitTests/EndpointMiddlewareTest.cs b/src/Http/Routing/test/UnitTests/EndpointMiddlewareTest.cs
@@ -101,7 +101,8 @@ public async Task Invoke_WithEndpoint_ThrowsIfAuthAttributesWereFound_ButAuthMid
             // Arrange
             var expected = "Endpoint Test contains authorization metadata, but a middleware was not found that supports authorization." +
                 Environment.NewLine +
-                "Configure your application startup by adding app.UseAuthorization() inside the call to Configure(..) in the application startup code.";
+                "Configure your application startup by adding app.UseAuthorization() inside the call to Configure(..) in the application startup code. " +
+                "The call to app.UseAuthorization() must appear between app.UseRouting() and app.UseEndpoints(...).";
             var httpContext = new DefaultHttpContext
             {
                 RequestServices = new ServiceProvider()
@@ -197,7 +198,8 @@ public async Task Invoke_WithEndpoint_ThrowsIfCorsMetadataWasFound_ButCorsMiddle
             // Arrange
             var expected = "Endpoint Test contains CORS metadata, but a middleware was not found that supports CORS." +
                 Environment.NewLine +
-                "Configure your application startup by adding app.UseCors() inside the call to Configure(..) in the application startup code.";
+                "Configure your application startup by adding app.UseCors() inside the call to Configure(..) in the application startup code. " +
+                "The call to app.UseAuthorization() must appear between app.UseRouting() and app.UseEndpoints(...).";
             var httpContext = new DefaultHttpContext
             {
                 RequestServices = new ServiceProvider()
diff --git a/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs b/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs
@@ -14,8 +14,8 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
     public class CorsMiddleware
     {
         // Property key is used by other systems, e.g. MVC, to check if CORS middleware has run
-        private const string CorsMiddlewareInvokedKey = "__CorsMiddlewareInvoked";
-        private static readonly object CorsMiddlewareInvokedValue = new object();
+        private const string CorsMiddlewareWithEndpointInvokedKey = "__CorsMiddlewareWithEndpointInvoked";
+        private static readonly object CorsMiddlewareWithEndpointInvokedValue = new object();
 
         private readonly Func<object, Task> OnResponseStartingDelegate = OnResponseStarting;
         private readonly RequestDelegate _next;
@@ -127,10 +127,9 @@ public Task Invoke(HttpContext context, ICorsPolicyProvider corsPolicyProvider)
 
             if (endpoint != null)
             {
-                // Flag to indicate to the system that the middleware was run in the context of endpoint routing.
-                // Setting this flag allows a check in EndpointRoutingMiddleware that verifies if the middleware
-                // pipeline is wired correctly to succeed.
-                context.Items[CorsMiddlewareInvokedKey] = CorsMiddlewareInvokedValue;
+                // EndpointRoutingMiddleware uses this flag to check if the CORS middleware processed CORS metadata on the endpoint.
+                // The CORS middleware can only make this claim if it observes an actual endpoint.
+                context.Items[CorsMiddlewareWithEndpointInvokedKey] = CorsMiddlewareWithEndpointInvokedValue;
             }
 
             if (!context.Request.Headers.ContainsKey(CorsConstants.Origin))
diff --git a/src/Security/Authorization/Policy/src/AuthorizationMiddleware.cs b/src/Security/Authorization/Policy/src/AuthorizationMiddleware.cs
@@ -13,9 +13,9 @@ namespace Microsoft.AspNetCore.Authorization
 {
     public class AuthorizationMiddleware
     {
-        // Property key is used by other systems, e.g. MVC, to check if authorization middleware has run
-        private const string AuthorizationMiddlewareInvokedKey = "__AuthorizationMiddlewareInvoked";
-        private static readonly object AuthorizationMiddlewareInvokedValue = new object();
+        // Property key is used by Endpoint routing to determine if Authorization has run
+        private const string AuthorizationMiddlewareInvokedWithEndpointKey = "__AuthorizationMiddlewareWithEndpointInvoked";
+        private static readonly object AuthorizationMiddlewareWithEndpointInvokedValue = new object();
 
         private readonly RequestDelegate _next;
         private readonly IAuthorizationPolicyProvider _policyProvider;
@@ -37,10 +37,9 @@ public async Task Invoke(HttpContext context)
 
             if (endpoint != null)
             {
-                // Flag to indicate to the system that the middleware was run in the context of endpoint routing.
-                // Setting this flag allows a check in EndpointRoutingMiddleware that verifies if the middleware
-                // pipeline is wired correctly to succeed.
-                context.Items[AuthorizationMiddlewareInvokedKey] = AuthorizationMiddlewareInvokedValue;
+                // EndpointRoutingMiddleware uses this flag to check if the Authorization middleware processed auth metadata on the endpoint.
+                // The Authorization middleware can only make this claim if it observes an actual endpoint.
+                context.Items[AuthorizationMiddlewareInvokedWithEndpointKey] = AuthorizationMiddlewareWithEndpointInvokedValue;
             }
 
             // IMPORTANT: Changes to authorization logic should be mirrored in MVC's AuthorizeFilter

Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,9 @@ namespace Microsoft.AspNetCore.Authorization`
`13`	`13`	`{`
`14`	`14`	`public class AuthorizationMiddleware`
`15`	`15`	`{`
`16`		`- // Property key is used by other systems, e.g. MVC, to check if authorization middleware has run`
`17`		`- private const string AuthorizationMiddlewareInvokedKey = "__AuthorizationMiddlewareInvoked";`
`18`		`- private static readonly object AuthorizationMiddlewareInvokedValue = new object();`
	`16`	`+ // Property key is used by Endpoint routing to determine if Authorization has run`
	`17`	`+ private const string AuthorizationMiddlewareInvokedWithEndpointKey = "__AuthorizationMiddlewareWithEndpointInvoked";`
	`18`	`+ private static readonly object AuthorizationMiddlewareWithEndpointInvokedValue = new object();`
`19`	`19`
`20`	`20`	`private readonly RequestDelegate _next;`
`21`	`21`	`private readonly IAuthorizationPolicyProvider _policyProvider;`
`@@ -37,10 +37,9 @@ public async Task Invoke(HttpContext context)`
`37`	`37`
`38`	`38`	`if (endpoint != null)`
`39`	`39`	`{`
`40`		`- // Flag to indicate to the system that the middleware was run in the context of endpoint routing.`
`41`		`- // Setting this flag allows a check in EndpointRoutingMiddleware that verifies if the middleware`
`42`		`- // pipeline is wired correctly to succeed.`
`43`		`- context.Items[AuthorizationMiddlewareInvokedKey] = AuthorizationMiddlewareInvokedValue;`
	`40`	`+ // EndpointRoutingMiddleware uses this flag to check if the Authorization middleware processed auth metadata on the endpoint.`
	`41`	`+ // The Authorization middleware can only make this claim if it observes an actual endpoint.`
	`42`	`+ context.Items[AuthorizationMiddlewareInvokedWithEndpointKey] = AuthorizationMiddlewareWithEndpointInvokedValue;`
`44`	`43`	`}`
`45`	`44`
`46`	`45`	`// IMPORTANT: Changes to authorization logic should be mirrored in MVC's AuthorizeFilter`