public static void AddScriptPolicies()

in src/WebJobs.Script.WebHost/Security/Authorization/Policies/AuthorizationOptionsExtensions.cs [18:109]


        /// <summary>
        /// Registers the named authorization policies used by the script host on
        /// <paramref name="options"/>: <c>AdminAuthLevel</c>, <c>SystemAuthLevel</c>,
        /// <c>AdminAuthLevelOrInternal</c> and <c>SystemKeyAuthLevel</c>.
        /// </summary>
        /// <param name="options">The authorization options the policies are added to.</param>
        /// <remarks>
        /// The assertions do not all treat a missing MVC filter context the same way.
        /// <c>AdminAuthLevel</c> passes its assertion when the resource is not an
        /// <see cref="AuthorizationFilterContext"/>, whereas <c>AdminAuthLevelOrInternal</c> and
        /// <c>SystemKeyAuthLevel</c> deny in that case.
        /// </remarks>
        public static void AddScriptPolicies(this AuthorizationOptions options)
        {
            // Admin: Admin-level requirement plus the platform-internal check, with the
            // App Service internal allowance switched off.
            options.AddPolicy(PolicyNames.AdminAuthLevel, p =>
            {
                p.AddScriptAuthenticationSchemes();
                p.AddRequirements(new AuthLevelRequirement(AuthorizationLevel.Admin));
                p.RequireAssertion(c =>
                {
                    // With any resource other than an MVC filter context (including none) this
                    // assertion passes, leaving AuthLevelRequirement as the only gate.
                    // NOTE(review): the nested AuthorizeAsync call in AdminAuthLevelOrInternal
                    // appears to depend on this; a caller authorizing against this policy
                    // without a filter context skips CheckPlatformInternal.
                    var filterContext = c.Resource as AuthorizationFilterContext;

                    return filterContext == null
                        || CheckPlatformInternal(filterContext.HttpContext, allowAppServiceInternal: false);
                });
            });

            // System: only the System-level requirement; no assertion is attached here.
            options.AddPolicy(PolicyNames.SystemAuthLevel, p =>
            {
                p.AddScriptAuthenticationSchemes();
                p.AddRequirements(new AuthLevelRequirement(AuthorizationLevel.System));
            });

            // Admin-or-internal: an internal request that is allowed internal auth is accepted
            // directly; everything else must satisfy the AdminAuthLevel policy.
            options.AddPolicy(PolicyNames.AdminAuthLevelOrInternal, p =>
            {
                p.AddScriptAuthenticationSchemes();
                p.RequireAssertion(async c =>
                {
                    // Deny when the resource is not an MVC filter context.
                    if (!(c.Resource is AuthorizationFilterContext filterContext))
                    {
                        return false;
                    }

                    var httpContext = filterContext.HttpContext;

                    // The platform-internal check runs first, this time with the
                    // App Service internal allowance switched on.
                    if (!CheckPlatformInternal(httpContext, allowAppServiceInternal: true))
                    {
                        return false;
                    }

                    // This shortcut returns before any auth-level evaluation.
                    // NOTE(review): what the two helpers trust is defined outside this block;
                    // confirm neither can be satisfied by caller-controlled input.
                    var request = httpContext.Request;
                    if (request.IsAppServiceInternalRequest() && request.IsInternalAuthAllowed())
                    {
                        return true;
                    }

                    // No resource is passed to the nested evaluation, so the AdminAuthLevel
                    // assertion takes its non-filter-context branch there.
                    var authorizationService = httpContext.RequestServices.GetRequiredService<IAuthorizationService>();
                    AuthorizationResult adminResult = await authorizationService.AuthorizeAsync(c.User, PolicyNames.AdminAuthLevel);

                    return adminResult.Succeeded;
                });
            });

            // System key: the principal must hold a System-level claim for the key named by
            // the route, unless the request qualifies for the internal shortcut.
            options.AddPolicy(PolicyNames.SystemKeyAuthLevel, p =>
            {
                p.AddScriptAuthenticationSchemes();
                p.RequireAssertion(c =>
                {
                    // Deny when the resource is not an MVC filter context.
                    if (!(c.Resource is AuthorizationFilterContext filterContext))
                    {
                        return false;
                    }

                    var httpContext = filterContext.HttpContext;
                    var request = httpContext.Request;

                    // Same internal shortcut as AdminAuthLevelOrInternal. CheckPlatformInternal
                    // is not called in this policy.
                    if (request.IsAppServiceInternalRequest() && request.IsInternalAuthAllowed())
                    {
                        return true;
                    }

                    // The key name comes from route data: "extensionName" takes precedence and is
                    // mapped through GetKeyName; otherwise "keyName" is used as-is.
                    var routeValues = filterContext.RouteData.Values;
                    object extensionNameValue = routeValues["extensionName"];
                    string keyName;
                    if (extensionNameValue != null)
                    {
                        keyName = DefaultScriptWebHookProvider.GetKeyName(extensionNameValue.ToString());
                    }
                    else
                    {
                        object keyNameValue = routeValues["keyName"];
                        keyName = keyNameValue != null ? keyNameValue.ToString() : null;
                    }

                    // A missing or empty key name never authorizes; the claim lookup only runs
                    // when there is a name to match.
                    return !string.IsNullOrEmpty(keyName)
                        && AuthUtility.PrincipalHasAuthLevelClaim(httpContext.User, AuthorizationLevel.System, keyName);
                });
            });
        }