Proposal for how we handle more metadata for auth

src/Security/Authorization/Core/src/AuthorizationPolicy.cs

@@ -108,7 +108,27 @@ public static AuthorizationPolicy Combine(IEnumerable<AuthorizationPolicy> polic
     /// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
     /// authorization policies provided by the specified <paramref name="policyProvider"/>.
     /// </returns>
-    public static async Task<AuthorizationPolicy?> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
+    public static Task<AuthorizationPolicy?> CombineAsync(IAuthorizationPolicyProvider policyProvider,
+        IEnumerable<IAuthorizeData> authorizeData) => CombineAsync(policyProvider, authorizeData,
+            Enumerable.Empty<AuthorizationPolicy>(),
+            Enumerable.Empty<IAuthorizationRequirement>());
+
+    /// <summary>
+    /// Combines the <see cref="AuthorizationPolicy"/> provided by the specified
+    /// <paramref name="policyProvider"/>.
+    /// </summary>
+    /// <param name="policyProvider">A <see cref="IAuthorizationPolicyProvider"/> which provides the policies to combine.</param>
+    /// <param name="authorizeData">A collection of authorization data used to apply authorization to a resource.</param>
+    /// <param name="policies">A collection of <see cref="AuthorizationPolicy"/> policies to combine.</param>
+    /// <param name="requirements">A collection of <see cref="IAuthorizationRequirement"/>s to add to the auth policy.</param>
+    /// <returns>
+    /// A new <see cref="AuthorizationPolicy"/> which represents the combination of the
+    /// authorization policies provided by the specified <paramref name="policyProvider"/>.
+    /// </returns>
+    public static async Task<AuthorizationPolicy?> CombineAsync(IAuthorizationPolicyProvider policyProvider,
+        IEnumerable<IAuthorizeData> authorizeData,
+        IEnumerable<AuthorizationPolicy> policies,
+        IEnumerable<IAuthorizationRequirement> requirements)
     {
         if (policyProvider == null)
         {
@@ -120,6 +140,9 @@ public static AuthorizationPolicy Combine(IEnumerable<AuthorizationPolicy> polic
             throw new ArgumentNullException(nameof(authorizeData));
         }
 
+        var anyPolicies = policies.Any();
+        var anyRequirements = requirements.Any();
+
         // Avoid allocating enumerator if the data is known to be empty
         var skipEnumeratingData = false;
         if (authorizeData is IList<IAuthorizeData> dataList)
@@ -137,7 +160,7 @@ public static AuthorizationPolicy Combine(IEnumerable<AuthorizationPolicy> polic
                     policyBuilder = new AuthorizationPolicyBuilder();
                 }
 
-                var useDefaultPolicy = true;
+                var useDefaultPolicy = !(anyPolicies || anyRequirements);
                 if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy))
                 {
                     var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy);
@@ -176,6 +199,26 @@ public static AuthorizationPolicy Combine(IEnumerable<AuthorizationPolicy> polic
             }
         }
 
+        if (anyPolicies)
+        {
+            policyBuilder ??= new();
+
+            foreach (var policy in policies)
+            {
+                policyBuilder.Combine(policy);
+            }
+        }
+
+        if (anyRequirements)
+        {
+            policyBuilder ??= new();
+
+            foreach (var requirement in requirements)
+            {
+                policyBuilder.Requirements.Add(requirement);
+            }
+        }
+
         // If we have no policy by now, use the fallback policy if we have one
         if (policyBuilder == null)
         {

src/Security/Authorization/Core/src/PublicAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+static Microsoft.AspNetCore.Authorization.AuthorizationPolicy.CombineAsync(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider! policyProvider, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizeData!>! authorizeData, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.AuthorizationPolicy!>! policies, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizationRequirement!>! requirements) -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?>!

src/Security/Authorization/Policy/src/AuthorizationMiddleware.cs

@@ -57,7 +57,12 @@ public async Task Invoke(HttpContext context)
 
         // IMPORTANT: Changes to authorization logic should be mirrored in MVC's AuthorizeFilter
         var authorizeData = endpoint?.Metadata.GetOrderedMetadata<IAuthorizeData>() ?? Array.Empty<IAuthorizeData>();
-        var policy = await AuthorizationPolicy.CombineAsync(_policyProvider, authorizeData);
+
+        var policies = endpoint?.Metadata.GetOrderedMetadata<AuthorizationPolicy>() ?? Array.Empty<AuthorizationPolicy>();
+        var reqirements = endpoint?.Metadata.GetOrderedMetadata<IAuthorizationRequirement>() ?? Array.Empty<IAuthorizationRequirement>();
+
+        var policy = await AuthorizationPolicy.CombineAsync(_policyProvider, authorizeData, policies, reqirements);
+
         if (policy == null)
         {
             await _next(context);

src/Security/Authorization/test/AuthorizationMiddlewareTests.cs

@@ -207,6 +207,64 @@ public async Task OnAuthorizationAsync_WillCallPolicyProvider()
         Assert.Equal(3, next.CalledCount);
     }
 
+    [Fact]
+    public async Task CanApplyPolicyDirectlyToEndpoint()
+    {
+        // Arrange
+        var calledPolicy = false;
+        var policy = new AuthorizationPolicyBuilder().RequireAssertion(_ =>
+        {
+            calledPolicy = true;
+            return true;
+        }).Build();
+
+        var policyProvider = new Mock<IAuthorizationPolicyProvider>();
+        policyProvider.Setup(p => p.GetDefaultPolicyAsync()).ReturnsAsync(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
+        var next = new TestRequestDelegate();
+        var middleware = CreateMiddleware(next.Invoke, policyProvider.Object);
+        var context = GetHttpContext(anonymous: false, endpoint: CreateEndpoint(new AuthorizeAttribute(), policy));
+
+        // Act & Assert
+        await middleware.Invoke(context);
+        Assert.True(calledPolicy);
+    }
+
+    [Fact]
+    public async Task CanApplyAdditonalRequirementsToEndpoint()
+    {
+        // Arrange
+        var policyProvider = new Mock<IAuthorizationPolicyProvider>();
+        policyProvider.Setup(p => p.GetDefaultPolicyAsync()).ReturnsAsync(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
+        var next = new TestRequestDelegate();
+        var middleware = CreateMiddleware(next.Invoke, policyProvider.Object);
+        var context = GetHttpContext(anonymous: false, registerServices: services =>
+        {
+            services.AddSingleton<IAuthorizationHandler, CustomAuthHandler>();
+        },
+        endpoint: CreateEndpoint(new AuthorizeAttribute(), new CustomRequirement("This")));
+
+        // Act & Assert
+        await middleware.Invoke(context);
+    }
+
+    class CustomAuthHandler : AuthorizationHandler<CustomRequirement>
+    {
+        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CustomRequirement requirement)
+        {
+            return Task.CompletedTask;
+        }
+    }
+
+    class CustomRequirement : IAuthorizationRequirement
+    {
+        public string Data { get; init; }
+
+        public CustomRequirement(string data)
+        {
+            Data = data;
+        }
+    }
+
     [Fact]
     public async Task Invoke_ValidClaimShouldNotFail()
     {

src/Security/Authorization/test/AuthorizationPolicyFacts.cs

@@ -43,6 +43,29 @@ public async Task CanCombineAuthorizeAttributes()
         Assert.Single(combined.Requirements.OfType<RolesAuthorizationRequirement>());
     }
 
+    [Fact]
+    public async Task CanReplaceDefaultPolicyDirectly()
+    {
+        // Arrange
+        var attributes = new AuthorizeAttribute[] {
+            new AuthorizeAttribute(),
+            new AuthorizeAttribute(),
+        };
+
+        var policies = new[] { new AuthorizationPolicyBuilder().RequireAssertion(_ => true).Build() };
+
+        var options = new AuthorizationOptions();
+
+        var provider = new DefaultAuthorizationPolicyProvider(Options.Create(options));
+
+        // Act
+        var combined = await AuthorizationPolicy.CombineAsync(provider, attributes, policies, Enumerable.Empty<IAuthorizationRequirement>());
+
+        // Assert
+        Assert.Equal(1, combined.Requirements.Count);
+        Assert.Empty(combined.Requirements.OfType<DenyAnonymousAuthorizationRequirement>());
+    }
+
     [Fact]
     public async Task CanReplaceDefaultPolicy()
     {