Merge AuthZ ToString PR (dotnet#15350)

Rebased verison of dotnet#10822

src/Security/Authorization/Core/ref/Microsoft.AspNetCore.Authorization.netcoreapp.cs

@@ -177,29 +177,34 @@ public AssertionRequirement(System.Func<Microsoft.AspNetCore.Authorization.Autho
         public System.Func<Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext, System.Threading.Tasks.Task<bool>> Handler { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } }
         [System.Diagnostics.DebuggerStepThroughAttribute]
         public System.Threading.Tasks.Task HandleAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context) { throw null; }
+        public override string ToString() { throw null; }
     }
     public partial class ClaimsAuthorizationRequirement : Microsoft.AspNetCore.Authorization.AuthorizationHandler<Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement>, Microsoft.AspNetCore.Authorization.IAuthorizationRequirement
     {
         public ClaimsAuthorizationRequirement(string claimType, System.Collections.Generic.IEnumerable<string> allowedValues) { }
         public System.Collections.Generic.IEnumerable<string> AllowedValues { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } }
         public string ClaimType { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } }
         protected override System.Threading.Tasks.Task HandleRequirementAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context, Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement requirement) { throw null; }
+        public override string ToString() { throw null; }
     }
     public partial class DenyAnonymousAuthorizationRequirement : Microsoft.AspNetCore.Authorization.AuthorizationHandler<Microsoft.AspNetCore.Authorization.Infrastructure.DenyAnonymousAuthorizationRequirement>, Microsoft.AspNetCore.Authorization.IAuthorizationRequirement
     {
         public DenyAnonymousAuthorizationRequirement() { }
         protected override System.Threading.Tasks.Task HandleRequirementAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context, Microsoft.AspNetCore.Authorization.Infrastructure.DenyAnonymousAuthorizationRequirement requirement) { throw null; }
+        public override string ToString() { throw null; }
     }
     public partial class NameAuthorizationRequirement : Microsoft.AspNetCore.Authorization.AuthorizationHandler<Microsoft.AspNetCore.Authorization.Infrastructure.NameAuthorizationRequirement>, Microsoft.AspNetCore.Authorization.IAuthorizationRequirement
     {
         public NameAuthorizationRequirement(string requiredName) { }
         public string RequiredName { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } }
         protected override System.Threading.Tasks.Task HandleRequirementAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context, Microsoft.AspNetCore.Authorization.Infrastructure.NameAuthorizationRequirement requirement) { throw null; }
+        public override string ToString() { throw null; }
     }
     public partial class OperationAuthorizationRequirement : Microsoft.AspNetCore.Authorization.IAuthorizationRequirement
     {
         public OperationAuthorizationRequirement() { }
         public string Name { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute]set { } }
+        public override string ToString() { throw null; }
     }
     public partial class PassThroughAuthorizationHandler : Microsoft.AspNetCore.Authorization.IAuthorizationHandler
     {
@@ -212,6 +217,7 @@ public partial class RolesAuthorizationRequirement : Microsoft.AspNetCore.Author
         public RolesAuthorizationRequirement(System.Collections.Generic.IEnumerable<string> allowedRoles) { }
         public System.Collections.Generic.IEnumerable<string> AllowedRoles { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } }
         protected override System.Threading.Tasks.Task HandleRequirementAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context, Microsoft.AspNetCore.Authorization.Infrastructure.RolesAuthorizationRequirement requirement) { throw null; }
+        public override string ToString() { throw null; }
     }
 }
 namespace Microsoft.Extensions.DependencyInjection

src/Security/Authorization/Core/ref/Microsoft.AspNetCore.Authorization.netstandard2.0.cs

@@ -177,29 +177,34 @@ public AssertionRequirement(System.Func<Microsoft.AspNetCore.Authorization.Autho
         public System.Func<Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext, System.Threading.Tasks.Task<bool>> Handler { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } }
         [System.Diagnostics.DebuggerStepThroughAttribute]
         public System.Threading.Tasks.Task HandleAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context) { throw null; }
+        public override string ToString() { throw null; }
     }
     public partial class ClaimsAuthorizationRequirement : Microsoft.AspNetCore.Authorization.AuthorizationHandler<Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement>, Microsoft.AspNetCore.Authorization.IAuthorizationRequirement
     {
         public ClaimsAuthorizationRequirement(string claimType, System.Collections.Generic.IEnumerable<string> allowedValues) { }
         public System.Collections.Generic.IEnumerable<string> AllowedValues { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } }
         public string ClaimType { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } }
         protected override System.Threading.Tasks.Task HandleRequirementAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context, Microsoft.AspNetCore.Authorization.Infrastructure.ClaimsAuthorizationRequirement requirement) { throw null; }
+        public override string ToString() { throw null; }
     }
     public partial class DenyAnonymousAuthorizationRequirement : Microsoft.AspNetCore.Authorization.AuthorizationHandler<Microsoft.AspNetCore.Authorization.Infrastructure.DenyAnonymousAuthorizationRequirement>, Microsoft.AspNetCore.Authorization.IAuthorizationRequirement
     {
         public DenyAnonymousAuthorizationRequirement() { }
         protected override System.Threading.Tasks.Task HandleRequirementAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context, Microsoft.AspNetCore.Authorization.Infrastructure.DenyAnonymousAuthorizationRequirement requirement) { throw null; }
+        public override string ToString() { throw null; }
     }
     public partial class NameAuthorizationRequirement : Microsoft.AspNetCore.Authorization.AuthorizationHandler<Microsoft.AspNetCore.Authorization.Infrastructure.NameAuthorizationRequirement>, Microsoft.AspNetCore.Authorization.IAuthorizationRequirement
     {
         public NameAuthorizationRequirement(string requiredName) { }
         public string RequiredName { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } }
         protected override System.Threading.Tasks.Task HandleRequirementAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context, Microsoft.AspNetCore.Authorization.Infrastructure.NameAuthorizationRequirement requirement) { throw null; }
+        public override string ToString() { throw null; }
     }
     public partial class OperationAuthorizationRequirement : Microsoft.AspNetCore.Authorization.IAuthorizationRequirement
     {
         public OperationAuthorizationRequirement() { }
         public string Name { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute]set { } }
+        public override string ToString() { throw null; }
     }
     public partial class PassThroughAuthorizationHandler : Microsoft.AspNetCore.Authorization.IAuthorizationHandler
     {
@@ -212,6 +217,7 @@ public partial class RolesAuthorizationRequirement : Microsoft.AspNetCore.Author
         public RolesAuthorizationRequirement(System.Collections.Generic.IEnumerable<string> allowedRoles) { }
         public System.Collections.Generic.IEnumerable<string> AllowedRoles { [System.Runtime.CompilerServices.CompilerGeneratedAttribute]get { throw null; } }
         protected override System.Threading.Tasks.Task HandleRequirementAsync(Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext context, Microsoft.AspNetCore.Authorization.Infrastructure.RolesAuthorizationRequirement requirement) { throw null; }
+        public override string ToString() { throw null; }
     }
 }
 namespace Microsoft.Extensions.DependencyInjection

src/Security/Authorization/Core/src/AssertionRequirement.cs

@@ -56,5 +56,10 @@ public async Task HandleAsync(AuthorizationHandlerContext context)
                 context.Succeed(this);
             }
         }
+
+        public override string ToString()
+        {
+            return $"{nameof(Handler)} assertion should evaluate to true.";
+        }
     }
 }

src/Security/Authorization/Core/src/ClaimsAuthorizationRequirement.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Security.Claims;
 using System.Threading.Tasks;
 
 namespace Microsoft.AspNetCore.Authorization.Infrastructure
@@ -69,5 +70,14 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
             }
             return Task.CompletedTask;
         }
+
+        public override string ToString()
+        {
+            var value = (AllowedValues == null || !AllowedValues.Any())
+                ? string.Empty
+                : $" and Claim.Value is one of the following values: ({string.Join("|", AllowedValues)})";
+
+            return $"{nameof(ClaimsAuthorizationRequirement)}:Claim.Type={ClaimType}{value}";
+        }
     }
 }

src/Security/Authorization/Core/src/DefaultAuthorizationService.cs

@@ -102,7 +102,7 @@ public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, obje
             }
             else
             {
-                _logger.UserAuthorizationFailed();
+                _logger.UserAuthorizationFailed(result.Failure);
             }
             return result;
         }
@@ -132,4 +132,4 @@ public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, obje
             return await this.AuthorizeAsync(user, resource, policy);
         }
     }
-}
+}

src/Security/Authorization/Core/src/DenyAnonymousAuthorizationRequirement.cs

@@ -29,5 +29,10 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
             }
             return Task.CompletedTask;
         }
+
+        public override string ToString()
+        {
+            return $"{nameof(DenyAnonymousAuthorizationRequirement)}:Requires an authenticated user.";
+        }
     }
 }

src/Security/Authorization/Core/src/LoggingExtensions.cs

@@ -2,12 +2,13 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using Microsoft.AspNetCore.Authorization;
 
 namespace Microsoft.Extensions.Logging
 {
     internal static class LoggingExtensions
     {
-        private static Action<ILogger, Exception> _userAuthorizationFailed;
+        private static Action<ILogger, string, Exception> _userAuthorizationFailed;
         private static Action<ILogger, Exception> _userAuthorizationSucceeded;
 
         static LoggingExtensions()
@@ -16,16 +17,22 @@ static LoggingExtensions()
                 eventId: new EventId(1, "UserAuthorizationSucceeded"),
                 logLevel: LogLevel.Information,
                 formatString: "Authorization was successful.");
-            _userAuthorizationFailed = LoggerMessage.Define(
+            _userAuthorizationFailed = LoggerMessage.Define<string>(
                 eventId: new EventId(2, "UserAuthorizationFailed"),
                 logLevel: LogLevel.Information,
-                formatString: "Authorization failed.");
+                formatString: "Authorization failed for {0}");
         }
 
         public static void UserAuthorizationSucceeded(this ILogger logger)
             => _userAuthorizationSucceeded(logger, null);
 
-        public static void UserAuthorizationFailed(this ILogger logger)
-            => _userAuthorizationFailed(logger, null);
+        public static void UserAuthorizationFailed(this ILogger logger, AuthorizationFailure failure)
+        {
+            var reason = failure.FailCalled
+                ? "Fail() was explicitly called."
+                : "These requirements were not met:" + Environment.NewLine + string.Join(Environment.NewLine, failure.FailedRequirements);
+
+            _userAuthorizationFailed(logger, reason, null);
+        }
     }
 }

src/Security/Authorization/Core/src/NameAuthorizationRequirement.cs

@@ -48,5 +48,10 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
             }
             return Task.CompletedTask;
         }
+
+        public override string ToString()
+        {
+            return $"{nameof(NameAuthorizationRequirement)}:Requires a user identity with Name equal to {RequiredName}";
+        }
     }
 }

src/Security/Authorization/Core/src/OperationAuthorizationRequirement.cs

@@ -13,5 +13,10 @@ public class OperationAuthorizationRequirement : IAuthorizationRequirement
         /// The name of this instance of <see cref="IAuthorizationRequirement"/>.
         /// </summary>
         public string Name { get; set; }
+
+        public override string ToString()
+        {
+            return $"{nameof(OperationAuthorizationRequirement)}:Name={Name}";
+        }
     }
 }

src/Security/Authorization/Core/src/RolesAuthorizationRequirement.cs

@@ -64,5 +64,11 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
             return Task.CompletedTask;
         }
 
+        public override string ToString()
+        {
+            var roles = $"User.IsInRole must be true for one of the following roles: ({string.Join("|", AllowedRoles)})";
+
+            return $"{nameof(RolesAuthorizationRequirement)}:{roles}";
+        }
     }
 }

src/Security/Authorization/test/AssertionRequirementsTests.cs

@@ -0,0 +1,32 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+using Xunit;
+
+namespace Microsoft.AspNetCore.Authorization.Test
+{
+    public class AssertionRequirementsTests
+    {
+        private AssertionRequirement CreateRequirement()
+        {
+            return new AssertionRequirement(context => true);
+        }
+
+        [Fact]
+        public void ToString_ShouldReturnFormatValue()
+        {
+            // Arrange
+            var requirement = new AssertionRequirement(context => true);
+
+            // Act
+            var formattedValue = requirement.ToString();
+
+            // Assert
+            Assert.Equal("Handler assertion should evaluate to true.", formattedValue);
+        }
+    }
+}

src/Security/Authorization/test/ClaimsAuthorizationRequirementTests.cs

@@ -0,0 +1,58 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+using Xunit;
+
+namespace Microsoft.AspNetCore.Authorization.Test
+{
+    public class ClaimsAuthorizationRequirementTests
+    {
+        public ClaimsAuthorizationRequirement CreateRequirement(string claimType, params string[] allowedValues)
+        {
+            return new ClaimsAuthorizationRequirement(claimType, allowedValues);
+        }
+
+        [Fact]
+        public void ToString_ShouldReturnAndDescriptionWhenAllowedValuesNotNull()
+        {
+            // Arrange
+            var requirement = CreateRequirement("Custom", "CustomValue1", "CustomValue2");
+
+            // Act
+            var formattedValue = requirement.ToString();
+
+            // Assert
+            Assert.Equal("ClaimsAuthorizationRequirement:Claim.Type=Custom and Claim.Value is one of the following values: (CustomValue1|CustomValue2)", formattedValue);
+        }
+
+        [Fact]
+        public void ToString_ShouldReturnWithoutAllowedDescriptionWhenAllowedValuesIsNull()
+        {
+            // Arrange
+            var requirement = CreateRequirement("Custom", (string[])null);
+
+            // Act
+            var formattedValue = requirement.ToString();
+
+            // Assert
+            Assert.Equal("ClaimsAuthorizationRequirement:Claim.Type=Custom", formattedValue);
+        }
+
+        [Fact]
+        public void ToString_ShouldReturnWithoutAllowedDescriptionWhenAllowedValuesIsEmpty()
+        {
+            // Arrange
+            var requirement = CreateRequirement("Custom", Array.Empty<string>());
+
+            // Act
+            var formattedValue = requirement.ToString();
+
+            // Assert
+            Assert.Equal("ClaimsAuthorizationRequirement:Claim.Type=Custom", formattedValue);
+        }
+    }
+}