WebApi v0.2.5.7 提供禁止外部访问配置

Author: JeffreySu

src/Senparc.CO2NET.WebApi/ActionFilters/ForbiddenExternalAccessAsyncFilter.cs

@@ -0,0 +1,58 @@
+using Microsoft.AspNetCore.Mvc.Filters;
+using Senparc.CO2NET.WebApi.Exceptions;
+using System;
+using System.Collections.Generic;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+
+namespace Senparc.CO2NET.WebApi.ActionFilters
+{
+    /// <summary>
+    /// 外部访问屏蔽特性
+    /// </summary>
+    public class ForbiddenExternalAccessAsyncFilter : IAsyncActionFilter
+    {
+        private readonly bool _forbiddenExternalAccess;
+
+        public ForbiddenExternalAccessAsyncFilter()
+        {
+            _forbiddenExternalAccess = Register.ForbiddenExternalAccess;
+        }
+
+        public ForbiddenExternalAccessAsyncFilter(bool forbiddenExternalAccess)
+        {
+            this._forbiddenExternalAccess = forbiddenExternalAccess;
+        }
+
+        public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
+        {
+            if (!_forbiddenExternalAccess && context.HttpContext.Request.IsLocal())
+            {
+                throw new ForbiddenExternalAccessException();
+            }
+            await next();
+        }
+    }
+
+    // 二选一
+
+    //public class ForbiddenExternalAccessFilter : IActionFilter
+    //{
+    //    public void OnActionExecuted(ActionExecutedContext context)
+    //    {
+    //        if (!Register.ForbiddenExternalAccess && context.HttpContext.Request.IsLocal())
+    //        {
+    //            throw new ForbiddenExternalAccessException();
+    //        }
+    //    }
+
+    //    public void OnActionExecuting(ActionExecutingContext context)
+    //    {
+    //        if (!Register.ForbiddenExternalAccess && context.HttpContext.Request.IsLocal())
+    //        {
+    //            throw new ForbiddenExternalAccessException();
+    //        }
+    //    }
+    //}
+}

src/Senparc.CO2NET.WebApi/ActionFilters/ForbiddenExternalAccessFilter.cs

@@ -0,0 +1,8 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Senparc.CO2NET.WebApi.Exceptions;
+
+namespace Senparc.CO2NET.WebApi.ActionFilters
+{
+    
+}

src/Senparc.CO2NET.WebApi/Exceptions/ForbiddenExternalAccessException.cs

@@ -0,0 +1,18 @@
+using Senparc.CO2NET.Exceptions;
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Senparc.CO2NET.WebApi.Exceptions
+{
+    /// <summary>
+    /// 禁止外部访问
+    /// </summary>
+    public class ForbiddenExternalAccessException : BaseException
+    {
+        public ForbiddenExternalAccessException(string message = "WebApiEngine 已禁止外部访问", bool logged = false) : base(message, logged)
+        {
+        }
+
+    }
+}

src/Senparc.CO2NET.WebApi/Register.cs

@@ -44,6 +44,11 @@ public static class Register
         /// </summary>
         public static Dictionary<Type, string> AdditionalClasses = new Dictionary<Type, string>();
 
+        /// <summary>
+        /// 是否禁止外部访问
+        /// </summary>
+        public static bool ForbiddenExternalAccess = false;
+
         /// <summary>
         /// RegisterApiBind 执行锁
         /// </summary>

src/Senparc.CO2NET.WebApi/Senparc.CO2NET.WebApi.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
 		<TargetFrameworks>netcoreapp3.1;net5.0;net6.0</TargetFrameworks>
-		<Version>0.2.5.6-preview3</Version>
+		<Version>0.2.5.8-preview3</Version>
 		<LangVersion>latest</LangVersion>
 		<AssemblyName>Senparc.CO2NET.WebApi</AssemblyName>
 		<RootNamespace>Senparc.CO2NET.WebApi</RootNamespace>
@@ -27,6 +27,7 @@
 			v0.2.3 完成 WebApiEngine 第二代核心版本，全面支持动态 API 集成和集成和对应 XML 生成
 			v0.2.4 添加可额外注入的类或方法
 			v0.2.5 优化异步线程执行
+			v0.2.5.7 添加 ForbiddenExternalAccess 参数，设置是否允许外部访问
 		</PackageReleaseNotes>
 	</PropertyGroup>
 	<PropertyGroup Condition=" '$(Configuration)' == 'Release' ">
@@ -56,6 +57,7 @@
 		<PackageReference Include="Swashbuckle.AspNetCore.Annotations" Version="6.1.4" />
 	</ItemGroup>
 	<ItemGroup>
+		<ProjectReference Include="..\Senparc.CO2NET.AspNet\Senparc.CO2NET.AspNet.csproj" />
 		<ProjectReference Include="..\Senparc.CO2NET\Senparc.CO2NET.csproj" />
 	</ItemGroup>
 </Project>

src/Senparc.CO2NET.WebApi/WebApiEngines/WebApiEngine.cs

@@ -10,6 +10,7 @@
 ----------------------------------------------------------------*/
 
 using Microsoft.AspNetCore.Mvc;
+using Senparc.CO2NET.WebApi.ActionFilters;
 using Swashbuckle.AspNetCore.Annotations;
 using System;
 using System.Collections.Concurrent;
@@ -62,15 +63,17 @@ public partial class WebApiEngine
         /// <param name="showDetailApiLog"></param>
         /// <param name="copyCustomAttributes"></param>
         /// <param name="defaultAction">默认请求类型，如 Post，Get</param>
-        public WebApiEngine(string docXmlPath, ApiRequestMethod defaultRequestMethod = ApiRequestMethod.Post, Type baseApiControllerType = null, bool copyCustomAttributes = true, int taskCount = 4, bool showDetailApiLog = false)
+        /// <param name="forbiddenExternalAccess">是否允许外部访问，默认为 false，只允许本机访问相关 API</param>
+        public WebApiEngine(string docXmlPath, ApiRequestMethod defaultRequestMethod = ApiRequestMethod.Post, Type baseApiControllerType = null, bool copyCustomAttributes = true, int taskCount = 4, bool showDetailApiLog = false, bool forbiddenExternalAccess = true)
         {
             _docXmlPath = docXmlPath;
             _findWeixinApiService = new Lazy<FindApiService>(new FindApiService());
             _defaultRequestMethod = defaultRequestMethod;
+            _baseApiControllerType = baseApiControllerType ?? typeof(ControllerBase);
             _copyCustomAttributes = copyCustomAttributes;
             _taskCount = taskCount;
             _showDetailApiLog = showDetailApiLog;
-            _baseApiControllerType = baseApiControllerType ?? typeof(ControllerBase);
+            Register.ForbiddenExternalAccess = forbiddenExternalAccess;
         }
 
         /// <summary>
@@ -587,6 +590,16 @@ IEnumerable<DropIndex> drop_indexes
             var t2 = typeof(RouteAttribute);
             tb.SetCustomAttribute(new CustomAttributeBuilder(t2.GetConstructor(new Type[] { typeof(string) }), new object[] { $"/api/{controllerKeyName}" }));
 
+            //TODO:Unit Test
+            //[ForbiddenExternalAccess]
+            if (Register.ForbiddenExternalAccess)
+            {
+                var forbiddenExternalAsyncAttr = typeof(ForbiddenExternalAccessAsyncFilter);
+                tb.SetCustomAttribute(new CustomAttributeBuilder(forbiddenExternalAsyncAttr.GetConstructor(new Type[0]), new object[0] { }));//只需要一个，和ForbiddenExternalAccessFilter两者可互换
+                //var forbiddenExternalAttr = typeof(ForbiddenExternalAccessFilter);
+                //tb.SetCustomAttribute(new CustomAttributeBuilder(forbiddenExternalAttr.GetConstructor(new Type[0]), new object[0] { }));
+            }
+
             //添加Controller级别的分类（暂时无效果）
 
             //TODO:外部注入

src/Senparc.CO2NET.WebApi/WebApiEngines/WebApiEngineExtensions.cs

@@ -1,5 +1,4 @@
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection;
 using Senparc.CO2NET.ApiBind;
 using Senparc.CO2NET.Trace;
 using System;
@@ -8,7 +7,6 @@
 using System.Linq;
 using System.Reflection;
 using System.Reflection.Emit;
-using System.Text;
 using System.Threading.Tasks;
 
 namespace Senparc.CO2NET.WebApi.WebApiEngines
@@ -31,10 +29,11 @@ public static class WebApiEngineExtensions
         /// <param name="additionalAttributes"></param>
         /// <param name="buildXml">是否创建动态 API 对应的 XML 注释文件</param>
         /// <param name="additionalAttributeFunc">是否复制自定义特性（AppBindAttribute 除外）</param>
+        /// <param name="forbiddenExternalAccess">是否允许外部访问，默认为 false，只允许本机访问相关 API</param>
         public static void AddAndInitDynamicApi(this IServiceCollection services, IMvcCoreBuilder builder,
-            string docXmlPath, ApiRequestMethod defaultRequestMethod = ApiRequestMethod.Post, Type baseApiControllerType = null, int taskCount = 4, bool showDetailApiLog = false, bool copyCustomAttributes = true, Func<MethodInfo, IEnumerable<CustomAttributeBuilder>> additionalAttributeFunc = null)
+            string docXmlPath, ApiRequestMethod defaultRequestMethod = ApiRequestMethod.Post, Type baseApiControllerType = null, int taskCount = 4, bool showDetailApiLog = false, bool copyCustomAttributes = true, Func<MethodInfo, IEnumerable<CustomAttributeBuilder>> additionalAttributeFunc = null, bool forbiddenExternalAccess = true)
         {
-            AddAndInitDynamicApi(services, (builder, null), docXmlPath, defaultRequestMethod, baseApiControllerType, taskCount, showDetailApiLog, copyCustomAttributes, additionalAttributeFunc);
+            AddAndInitDynamicApi(services, (builder, null), docXmlPath, defaultRequestMethod, baseApiControllerType, taskCount, showDetailApiLog, copyCustomAttributes, additionalAttributeFunc, forbiddenExternalAccess);
         }
 
 
@@ -50,10 +49,11 @@ public static void AddAndInitDynamicApi(this IServiceCollection services, IMvcCo
         /// <param name="taskCount"></param>
         /// <param name="additionalAttributes"></param>
         /// <param name="additionalAttributeFunc">是否复制自定义特性（AppBindAttribute 除外）</param>
+        /// <param name="forbiddenExternalAccess">是否允许外部访问，默认为 false，只允许本机访问相关 API</param>
         public static void AddAndInitDynamicApi(this IServiceCollection services, IMvcBuilder builder,
-            string docXmlPath, ApiRequestMethod defaultRequestMethod = ApiRequestMethod.Post, Type baseApiControllerType = null, int taskCount = 4, bool showDetailApiLog = false, bool copyCustomAttributes = true, Func<MethodInfo, IEnumerable<CustomAttributeBuilder>> additionalAttributeFunc = null)
+            string docXmlPath, ApiRequestMethod defaultRequestMethod = ApiRequestMethod.Post, Type baseApiControllerType = null, int taskCount = 4, bool showDetailApiLog = false, bool copyCustomAttributes = true, Func<MethodInfo, IEnumerable<CustomAttributeBuilder>> additionalAttributeFunc = null, bool forbiddenExternalAccess = true)
         {
-            AddAndInitDynamicApi(services, (null, builder), docXmlPath, defaultRequestMethod, baseApiControllerType, taskCount, showDetailApiLog, copyCustomAttributes, additionalAttributeFunc);
+            AddAndInitDynamicApi(services, (null, builder), docXmlPath, defaultRequestMethod, baseApiControllerType, taskCount, showDetailApiLog, copyCustomAttributes, additionalAttributeFunc, forbiddenExternalAccess);
         }
 
         /// <summary>
@@ -68,9 +68,10 @@ public static void AddAndInitDynamicApi(this IServiceCollection services, IMvcBu
         /// <param name="taskCount"></param>
         /// <param name="additionalAttributes"></param>
         /// <param name="additionalAttributeFunc">是否复制自定义特性（AppBindAttribute 除外）</param>
+        /// <param name="forbiddenExternalAccess">是否允许外部访问，默认为 false，只允许本机访问相关 API</param>
         private static void AddAndInitDynamicApi(this IServiceCollection services, (IMvcCoreBuilder coreBuilder, IMvcBuilder builder) builder,
             string docXmlPath, ApiRequestMethod defaultRequestMethod = ApiRequestMethod.Post, Type baseApiControllerType = null,
-            int taskCount = 4, bool showDetailApiLog = false, bool copyCustomAttributes = true, Func<MethodInfo, IEnumerable<CustomAttributeBuilder>> additionalAttributeFunc = null)
+            int taskCount = 4, bool showDetailApiLog = false, bool copyCustomAttributes = true, Func<MethodInfo, IEnumerable<CustomAttributeBuilder>> additionalAttributeFunc = null, bool forbiddenExternalAccess = true)
         {
             _ = defaultRequestMethod != ApiRequestMethod.GlobalDefault ? true : throw new Exception($"{nameof(defaultRequestMethod)} 不能作为默认请求类型！");
 
@@ -79,7 +80,7 @@ private static void AddAndInitDynamicApi(this IServiceCollection services, (IMvc
 
             WebApiEngine.AdditionalAttributeFunc = additionalAttributeFunc;
 
-            var webApiEngine = new WebApiEngine(docXmlPath, defaultRequestMethod, baseApiControllerType, copyCustomAttributes, taskCount, showDetailApiLog);
+            var webApiEngine = new WebApiEngine(docXmlPath, defaultRequestMethod, baseApiControllerType, copyCustomAttributes, taskCount, showDetailApiLog, forbiddenExternalAccess);
 
             bool preLoad = true;