Cache effective policy in endpoint metadata (#43124)

Author: HaoK

src/Security/Authorization/Core/src/DefaultAuthorizationPolicyProvider.cs

@@ -71,4 +71,11 @@ public Task<AuthorizationPolicy> GetDefaultPolicyAsync()
         // A change to either of these behaviors would require shipping a patch of MVC as well.
         return Task.FromResult(_options.GetPolicy(policyName));
     }
+
+#if NETCOREAPP
+    /// <summary>
+    /// Determines if policies from this provider can be cached, which is true only for this type.
+    /// </summary>
+    public virtual bool CanCachePolicy => GetType() == typeof(DefaultAuthorizationPolicyProvider);
+#endif
 }

src/Security/Authorization/Core/src/IAuthorizationPolicyProvider.cs

@@ -28,4 +28,11 @@ public interface IAuthorizationPolicyProvider
     /// </summary>
     /// <returns>The fallback authorization policy.</returns>
     Task<AuthorizationPolicy?> GetFallbackPolicyAsync();
+
+#if NETCOREAPP
+    /// <summary>
+    /// Determines if policies from this provider can be cached, defaults to false.
+    /// </summary>
+    bool CanCachePolicy => false;
+#endif
 }

src/Security/Authorization/Core/src/Microsoft.AspNetCore.Authorization.csproj

@@ -20,4 +20,9 @@ Microsoft.AspNetCore.Authorization.AuthorizeAttribute</Description>
     <Reference Include="Microsoft.Extensions.Options" />
   </ItemGroup>
 
+  <ItemGroup>
+    <AdditionalFiles Include="PublicAPI/$(TargetFramework)/PublicAPI.Shipped.txt" />
+    <AdditionalFiles Include="PublicAPI/$(TargetFramework)/PublicAPI.Unshipped.txt" />
+  </ItemGroup>
+  
 </Project>

src/Security/Authorization/Core/src/PublicAPI.Shipped.txt renamed to src/Security/Authorization/Core/src/PublicAPI/net462/PublicAPI.Shipped.txt

@@ -0,0 +1,17 @@
+#nullable enable
+Microsoft.AspNetCore.Authorization.AuthorizationBuilder
+Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AuthorizationBuilder(Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> void
+Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider.CanCachePolicy.get -> bool
+Microsoft.AspNetCore.Authorization.Infrastructure.PassThroughAuthorizationHandler.PassThroughAuthorizationHandler(Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.Authorization.AuthorizationOptions!>! options) -> void
+static Microsoft.AspNetCore.Authorization.AuthorizationPolicy.CombineAsync(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider! policyProvider, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizeData!>! authorizeData, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.AuthorizationPolicy!>! policies) -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?>!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddDefaultPolicy(string! name, Microsoft.AspNetCore.Authorization.AuthorizationPolicy! policy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddDefaultPolicy(string! name, System.Action<Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder!>! configurePolicy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddFallbackPolicy(string! name, Microsoft.AspNetCore.Authorization.AuthorizationPolicy! policy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddFallbackPolicy(string! name, System.Action<Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder!>! configurePolicy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddPolicy(string! name, Microsoft.AspNetCore.Authorization.AuthorizationPolicy! policy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddPolicy(string! name, System.Action<Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder!>! configurePolicy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.Services.get -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.SetDefaultPolicy(Microsoft.AspNetCore.Authorization.AuthorizationPolicy! policy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.SetFallbackPolicy(Microsoft.AspNetCore.Authorization.AuthorizationPolicy? policy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.SetInvokeHandlersAfterFailure(bool invoke) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.DefaultAuthorizationPolicyProvider.CanCachePolicy.get -> bool

src/Security/Authorization/Core/src/PublicAPI.Unshipped.txt renamed to src/Security/Authorization/Core/src/PublicAPI/net462/PublicAPI.Unshipped.txt

@@ -0,0 +1,15 @@
+#nullable enable
+Microsoft.AspNetCore.Authorization.AuthorizationBuilder
+Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AuthorizationBuilder(Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> void
+Microsoft.AspNetCore.Authorization.Infrastructure.PassThroughAuthorizationHandler.PassThroughAuthorizationHandler(Microsoft.Extensions.Options.IOptions<Microsoft.AspNetCore.Authorization.AuthorizationOptions!>! options) -> void
+static Microsoft.AspNetCore.Authorization.AuthorizationPolicy.CombineAsync(Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider! policyProvider, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.IAuthorizeData!>! authorizeData, System.Collections.Generic.IEnumerable<Microsoft.AspNetCore.Authorization.AuthorizationPolicy!>! policies) -> System.Threading.Tasks.Task<Microsoft.AspNetCore.Authorization.AuthorizationPolicy?>!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddDefaultPolicy(string! name, Microsoft.AspNetCore.Authorization.AuthorizationPolicy! policy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddDefaultPolicy(string! name, System.Action<Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder!>! configurePolicy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddFallbackPolicy(string! name, Microsoft.AspNetCore.Authorization.AuthorizationPolicy! policy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddFallbackPolicy(string! name, System.Action<Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder!>! configurePolicy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddPolicy(string! name, Microsoft.AspNetCore.Authorization.AuthorizationPolicy! policy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.AddPolicy(string! name, System.Action<Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder!>! configurePolicy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.Services.get -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.SetDefaultPolicy(Microsoft.AspNetCore.Authorization.AuthorizationPolicy! policy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.SetFallbackPolicy(Microsoft.AspNetCore.Authorization.AuthorizationPolicy? policy) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!
+virtual Microsoft.AspNetCore.Authorization.AuthorizationBuilder.SetInvokeHandlersAfterFailure(bool invoke) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!

src/Security/Authorization/Core/src/PublicAPI/net7.0/PublicAPI.Shipped.txt

@@ -23,6 +23,8 @@ public class AuthorizationMiddleware
 
     private readonly RequestDelegate _next;
     private readonly IAuthorizationPolicyProvider _policyProvider;
+    private readonly bool _canCache;
+    private readonly AuthorizationPolicyCache? _policyCache;
 
     /// <summary>
     /// Initializes a new instance of <see cref="AuthorizationMiddleware"/>.
@@ -33,6 +35,24 @@ public AuthorizationMiddleware(RequestDelegate next, IAuthorizationPolicyProvide
     {
         _next = next ?? throw new ArgumentNullException(nameof(next));
         _policyProvider = policyProvider ?? throw new ArgumentNullException(nameof(policyProvider));
+        _canCache = false;
+    }
+
+    /// <summary>
+    /// Initializes a new instance of <see cref="AuthorizationMiddleware"/>.
+    /// </summary>
+    /// <param name="next">The next middleware in the application middleware pipeline.</param>
+    /// <param name="policyProvider">The <see cref="IAuthorizationPolicyProvider"/>.</param>
+    /// <param name="services">The <see cref="IServiceProvider"/>.</param>
+    public AuthorizationMiddleware(RequestDelegate next, IAuthorizationPolicyProvider policyProvider, IServiceProvider services) : this(next, policyProvider)
+    {
+        ArgumentNullException.ThrowIfNull(services);
+
+        if (_policyProvider.CanCachePolicy)
+        {
+            _policyCache = services.GetService<AuthorizationPolicyCache>();
+            _canCache = _policyCache != null;
+        }
     }
 
     /// <summary>
@@ -47,20 +67,36 @@ public async Task Invoke(HttpContext context)
         }
 
         var endpoint = context.GetEndpoint();
-
         if (endpoint != null)
         {
             // EndpointRoutingMiddleware uses this flag to check if the Authorization middleware processed auth metadata on the endpoint.
             // The Authorization middleware can only make this claim if it observes an actual endpoint.
             context.Items[AuthorizationMiddlewareInvokedWithEndpointKey] = AuthorizationMiddlewareWithEndpointInvokedValue;
         }
 
-        // IMPORTANT: Changes to authorization logic should be mirrored in MVC's AuthorizeFilter
-        var authorizeData = endpoint?.Metadata.GetOrderedMetadata<IAuthorizeData>() ?? Array.Empty<IAuthorizeData>();
+        // Use the computed policy for this endpoint if we can
+        AuthorizationPolicy? policy = null;
+        var canCachePolicy = _canCache && endpoint != null;
+        if (canCachePolicy)
+        {
+            policy = _policyCache!.Lookup(endpoint!);
+        }
+
+        if (policy == null)
+        {
+            // IMPORTANT: Changes to authorization logic should be mirrored in MVC's AuthorizeFilter
+            var authorizeData = endpoint?.Metadata.GetOrderedMetadata<IAuthorizeData>() ?? Array.Empty<IAuthorizeData>();
 
-        var policies = endpoint?.Metadata.GetOrderedMetadata<AuthorizationPolicy>() ?? Array.Empty<AuthorizationPolicy>();
+            var policies = endpoint?.Metadata.GetOrderedMetadata<AuthorizationPolicy>() ?? Array.Empty<AuthorizationPolicy>();
 
-        var policy = await AuthorizationPolicy.CombineAsync(_policyProvider, authorizeData, policies);
+            policy = await AuthorizationPolicy.CombineAsync(_policyProvider, authorizeData, policies);
+
+            // Cache the computed policy
+            if (policy != null && canCachePolicy)
+            {
+                _policyCache!.Store(endpoint!, policy);
+            }
+        }
 
         if (policy == null)
         {
@@ -108,4 +144,5 @@ public async Task Invoke(HttpContext context)
         var authorizationMiddlewareResultHandler = context.RequestServices.GetRequiredService<IAuthorizationMiddlewareResultHandler>();
         await authorizationMiddlewareResultHandler.HandleAsync(_next, context, policy, authorizeResult);
     }
+
 }

src/Security/Authorization/Core/src/PublicAPI/net7.0/PublicAPI.Unshipped.txt

@@ -0,0 +1,42 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Collections.Concurrent;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+
+namespace Microsoft.AspNetCore.Authorization.Policy;
+
+internal sealed class AuthorizationPolicyCache : IDisposable
+{
+    // Caches AuthorizationPolicy instances
+    private readonly DataSourceDependentCache<ConcurrentDictionary<Endpoint, AuthorizationPolicy>> _policyCache;
+
+    public AuthorizationPolicyCache(EndpointDataSource dataSource)
+    {
+        // We cache AuthorizationPolicy instances per-Endpoint for performance, but we want to wipe out
+        // that cache if the endpoints change so that we don't allow unbounded memory growth.
+        _policyCache = new DataSourceDependentCache<ConcurrentDictionary<Endpoint, AuthorizationPolicy>>(dataSource, (_) =>
+        {
+            // We don't eagerly fill this cache because there's no real reason to.
+            return new ConcurrentDictionary<Endpoint, AuthorizationPolicy>();
+        });
+        _policyCache.EnsureInitialized();
+    }
+
+    public AuthorizationPolicy? Lookup(Endpoint endpoint)
+    {
+        _policyCache.Value!.TryGetValue(endpoint, out var policy);
+        return policy;
+    }
+
+    public void Store(Endpoint endpoint, AuthorizationPolicy policy)
+    {
+        _policyCache.Value![endpoint] = policy;
+    }
+
+    public void Dispose()
+    {
+        _policyCache.Dispose();
+    }
+}

src/Security/Authorization/Core/src/PublicAPI/netstandard2.0/PublicAPI.Shipped.txt

@@ -12,6 +12,7 @@
 
   <ItemGroup>
     <Compile Include="$(SharedSourceRoot)SecurityHelper\**\*.cs" />
+    <Compile Include="..\..\..\..\Http\Routing\src\DataSourceDependentCache.cs" Link="DataSourceDependentCache.cs" />
   </ItemGroup>
 
   <ItemGroup>

src/Security/Authorization/Core/src/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt

@@ -52,6 +52,7 @@ public static IServiceCollection AddAuthorization(this IServiceCollection servic
 
         services.AddAuthorizationCore();
         services.AddAuthorizationPolicyEvaluator();
+        services.AddSingleton<AuthorizationPolicyCache>();
         return services;
     }
 
@@ -70,6 +71,7 @@ public static IServiceCollection AddAuthorization(this IServiceCollection servic
 
         services.AddAuthorizationCore(configure);
         services.AddAuthorizationPolicyEvaluator();
+        services.AddSingleton<AuthorizationPolicyCache>();
         return services;
     }
 }

src/Security/Authorization/Policy/src/AuthorizationMiddleware.cs

@@ -1,4 +1,5 @@
 #nullable enable
+Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.AuthorizationMiddleware(Microsoft.AspNetCore.Http.RequestDelegate! next, Microsoft.AspNetCore.Authorization.IAuthorizationPolicyProvider! policyProvider, System.IServiceProvider! services) -> void
 static Microsoft.AspNetCore.Builder.AuthorizationEndpointConventionBuilderExtensions.RequireAuthorization<TBuilder>(this TBuilder builder, Microsoft.AspNetCore.Authorization.AuthorizationPolicy! policy) -> TBuilder
 static Microsoft.AspNetCore.Builder.AuthorizationEndpointConventionBuilderExtensions.RequireAuthorization<TBuilder>(this TBuilder builder, System.Action<Microsoft.AspNetCore.Authorization.AuthorizationPolicyBuilder!>! configurePolicy) -> TBuilder
 static Microsoft.Extensions.DependencyInjection.PolicyServiceCollectionExtensions.AddAuthorizationBuilder(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services) -> Microsoft.AspNetCore.Authorization.AuthorizationBuilder!