This repository was archived by the owner on Dec 13, 2018. It is now read-only.

[Exploratory Testing] Add Operation based extension methods/Overloads for the Authorization service and Options. #132

Closed
harshgMSFT opened this issue Jan 26, 2015 · 1 comment

@harshgMSFT

Today there is no simple way of registering requirements based on operations and then authorizing based on whether a particular user satisfies the requirement for an operation on a resource.
For instance, an admin (the identity) is allowed to edit (the operation-based requirement) the price of an album (the resource).
The suggested experience should be something like this.
This will add a policy called ApiOperations with an edit requirement on the Album resource:

options.AddPolicy("ApiOperations", policyBuilder => policyBuilder.AddRequirement<Album>("Edit"));
OR
options.AddPolicy("ApiOperations", policyBuilder => policyBuilder.AddRequirement<Album>(new OperationRequirement { OperationKey = "Edit" }));

On calling Authorize on the Authorization service like so:

_authorizationService.AuthorizeAsync("ApiOperations", context, album);

which finally calls into the handler, which has the following method:

public override Task<bool> CheckAsync<TResource, TRequirement>(AuthorizationContext context, TRequirement requirement)
{
}

This item needs more thought and design. Some of the other thoughts were to skip creation of the policy altogether and create it as an anonymous policy.

@HaoK
Member

HaoK commented Jan 26, 2015

I chatted with @lodejard and here's where we ended up for the current proposal for the next iteration:

cc @blowdart @yishaigalatzer

Updated service interface:

public interface IAuthorizationService
{
    Task<bool> AuthorizeAsync(ClaimsPrincipal user, object resource, params IAuthorizationRequirement[] requirements);

    Task<bool> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName);
}

// The policy overload is an extension method, so it lives in a static class rather than on the interface.
public static class AuthorizationServiceExtensions
{
    public static Task<bool> AuthorizeAsync([NotNull] this IAuthorizationService service, ClaimsPrincipal user, object resource, [NotNull] AuthorizationPolicy policy)
    {
        // Forwards to the requirements overload with the policy's requirements.
        return service.AuthorizeAsync(user, resource, policy.Requirements.ToArray());
    }
}

Example of what operations would look like:

public static class Operations {
    public static OperationRequirement Edit = new OperationRequirement("Edit");
    public static OperationRequirement Create = new OperationRequirement("Create");
    public static OperationRequirement Delete = new OperationRequirement("Delete");
    public static OperationRequirement Approve = new OperationRequirement("Approve");
}

// Resource-specific handler: only runs for OperationRequirement against an ExpenseReport.
public class ExpenseReportAuthorizationHandler : AuthorizationHandler<OperationRequirement, ExpenseReport> {
    public void HandleAsync(AuthorizationContext context, OperationRequirement req, ExpenseReport resource)
    {
        if (Repo.CanDo(req.Name, resource)) {
            context.Succeed(req);
        }
    }
}

// Resource-agnostic handler: a super user satisfies any operation regardless of the resource.
public class SuperUserHandler : AuthorizationHandler<OperationRequirement> {
    public void HandleAsync(AuthorizationContext context, OperationRequirement req)
    {
        if (IsSuperUser(context.User)) {
            context.Succeed(req);
        }
    }
}

public class ExpenseReportService {
    private readonly IAuthorizationService authService;

    public ExpenseReportService(IAuthorizationService authService) {
        this.authService = authService;
    }

    public async Task Approve(ExpenseReport report, ClaimsPrincipal user) {
        if (!await authService.AuthorizeAsync(user, report, Operations.Approve)) {
            throw new Exception("Unauthorized");
        }
    }
}
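
As an added, self-contained C# illustration of the flow proposed above (not the project's code and not part of HaoK's comment), using hypothetical minimal stand-ins for the proposed types: handlers can only mark a requirement as succeeded, never deny, and the service grants access only when every requirement was met, so the resource-specific owner rule and the resource-agnostic super-user rule compose under default deny. The `Submitted` flag, the `SuperUser` role and the handler names are assumptions for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical minimal stand-ins for the proposed types (names are assumptions, not the project's).
public class OperationRequirement { public string Name; public OperationRequirement(string n) { Name = n; } }
public class ExpenseReport { public string OwnerId; public bool Submitted; }
// Handlers mark a requirement as met by calling Succeed; anything not marked stays denied.
public class AuthorizationContext {
    public ClaimsPrincipal User;
    public HashSet<OperationRequirement> Succeeded = new HashSet<OperationRequirement>();
    public AuthorizationContext(ClaimsPrincipal user) { User = user; }
    public void Succeed(OperationRequirement req) { Succeeded.Add(req); }
}
public interface IHandler { void Handle(AuthorizationContext ctx, OperationRequirement req, object resource); }
// Resource-specific rule: the owner may edit a report that has not been submitted yet.
public class ExpenseReportOwnerHandler : IHandler {
    public void Handle(AuthorizationContext ctx, OperationRequirement req, object resource) {
        if (req.Name == "Edit" && resource is ExpenseReport r && !r.Submitted
            && ctx.User.FindFirst(ClaimTypes.NameIdentifier)?.Value == r.OwnerId)
            ctx.Succeed(req);
    }
}
// Resource-agnostic rule: a super-user satisfies any operation on any resource.
public class SuperUserHandler : IHandler {
    public void Handle(AuthorizationContext ctx, OperationRequirement req, object resource) {
        if (ctx.User.IsInRole("SuperUser")) ctx.Succeed(req);
    }
}
// Every handler sees every requirement; access is granted only if all of them succeeded (default deny).
public class AuthorizationService {
    private readonly IHandler[] _handlers;
    public AuthorizationService(params IHandler[] handlers) { _handlers = handlers; }
    public bool Authorize(ClaimsPrincipal user, object resource, params OperationRequirement[] reqs) {
        var ctx = new AuthorizationContext(user);
        foreach (var req in reqs) foreach (var h in _handlers) h.Handle(ctx, req, resource);
        return reqs.All(r => ctx.Succeeded.Contains(r));
    }
}
public static class Demo {
    public static void Main() {
        var svc = new AuthorizationService(new ExpenseReportOwnerHandler(), new SuperUserHandler());
        // Constructed sample principal and resource for the demonstration.
        var alice = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, "alice") }));
        var report = new ExpenseReport { OwnerId = "alice" };
        Console.WriteLine(svc.Authorize(alice, report, new OperationRequirement("Edit")));  // True: owner, not submitted
        report.Submitted = true;
        Console.WriteLine(svc.Authorize(alice, report, new OperationRequirement("Edit")));  // False: no handler succeeded
    }
}
```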

@harshgMSFT harshgMSFT changed the title [Resource based Authz] Add Operation based extension methods/Overloads for the Authorization service and Options. [Exploratory Testing] Add Operation based extension methods/Overloads for the Authorization service and Options. Jan 26, 2015
HaoK added a commit that referenced this issue Jan 27, 2015
Add example, fixes #132
HaoK added a commit that referenced this issue Feb 10, 2015
Add example, fixes #132
@HaoK HaoK closed this as completed in 5094b85 Feb 16, 2015