AuthZ API review changes

src/Microsoft.AspNet.Authorization/AuthorizationPolicyBuilder.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using Microsoft.AspNet.Authorization.Infrastructure;
 
 namespace Microsoft.AspNet.Authorization
 {

src/Microsoft.AspNet.Authorization/AuthorizationServiceCollectionExtensions.cs

@@ -3,6 +3,7 @@
 
 using System;
 using Microsoft.AspNet.Authorization;
+using Microsoft.AspNet.Authorization.Infrastructure;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 
 namespace Microsoft.Extensions.DependencyInjection

src/Microsoft.AspNet.Authorization/DefaultAuthorizationService.cs

@@ -37,7 +37,6 @@ namespace Microsoft.AspNet.Authorization
             _logger = logger;
         }
 
-
         public async Task<bool> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements)
         {
             if (requirements == null)
@@ -71,9 +70,11 @@ namespace Microsoft.AspNet.Authorization
             }
 
             var policy = _options.GetPolicy(policyName);
-            return (policy == null)
-                ? Task.FromResult(false)
-                : this.AuthorizeAsync(user, resource, policy);
+            if (policy == null)
+            {
+                throw new InvalidOperationException($"No policy found: {policyName}.");
+            }
+            return this.AuthorizeAsync(user, resource, policy);
         }
     }
 }

src/Microsoft.AspNet.Authorization/Infrastructure/ClaimsAuthorizationRequirement.cs

@@ -5,7 +5,7 @@ using System;
 using System.Collections.Generic;
 using System.Linq;
 
-namespace Microsoft.AspNet.Authorization
+namespace Microsoft.AspNet.Authorization.Infrastructure
 {
     // Must contain a claim with the specified name, and at least one of the required values
     // If AllowedValues is null or empty, that means any claim is valid

src/Microsoft.AspNet.Authorization/Infrastructure/DelegateRequirement.cs

@@ -3,7 +3,7 @@
 
 using System;
 
-namespace Microsoft.AspNet.Authorization
+namespace Microsoft.AspNet.Authorization.Infrastructure
 {
     public class DelegateRequirement : AuthorizationHandler<DelegateRequirement>, IAuthorizationRequirement
     {

src/Microsoft.AspNet.Authorization/Infrastructure/DenyAnonymousAuthorizationRequirement.cs

@@ -3,7 +3,7 @@
 
 using System.Linq;
 
-namespace Microsoft.AspNet.Authorization
+namespace Microsoft.AspNet.Authorization.Infrastructure
 {
     public class DenyAnonymousAuthorizationRequirement : AuthorizationHandler<DenyAnonymousAuthorizationRequirement>, IAuthorizationRequirement
     {

src/Microsoft.AspNet.Authorization/Infrastructure/NameAuthorizationRequirement.cs

@@ -4,7 +4,7 @@
 using System;
 using System.Linq;
 
-namespace Microsoft.AspNet.Authorization
+namespace Microsoft.AspNet.Authorization.Infrastructure
 {
     /// <summary>
     /// Requirement that ensures a specific Name

src/Microsoft.AspNet.Authorization/Infrastructure/OperationAuthorizationRequirement.cs

@@ -1,7 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-namespace Microsoft.AspNet.Authorization
+namespace Microsoft.AspNet.Authorization.Infrastructure
 {
     public class OperationAuthorizationRequirement : IAuthorizationRequirement
     {

src/Microsoft.AspNet.Authorization/Infrastructure/PassThroughAuthorizationHandler.cs

@@ -4,7 +4,7 @@
 using System.Linq;
 using System.Threading.Tasks;
 
-namespace Microsoft.AspNet.Authorization
+namespace Microsoft.AspNet.Authorization.Infrastructure
 {
     public class PassThroughAuthorizationHandler : IAuthorizationHandler
     {

src/Microsoft.AspNet.Authorization/Infrastructure/RolesAuthorizationRequirement.cs

@@ -5,7 +5,7 @@ using System;
 using System.Collections.Generic;
 using System.Linq;
 
-namespace Microsoft.AspNet.Authorization
+namespace Microsoft.AspNet.Authorization.Infrastructure
 {
     // Must belong to with one of specified roles
     // If AllowedRoles is null or empty, that means any role is valid

test/Microsoft.AspNet.Authorization.Test/AuthorizationPolicyFacts.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Linq;
 using Microsoft.AspNet.Authorization;
+using Microsoft.AspNet.Authorization.Infrastructure;
 using Xunit;
 
 namespace Microsoft.AspNet.Authroization.Test

test/Microsoft.AspNet.Authorization.Test/DefaultAuthorizationServiceTests.cs

@@ -6,6 +6,7 @@ using System.Collections.Generic;
 using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
+using Microsoft.AspNet.Authorization.Infrastructure;
 using Microsoft.Extensions.DependencyInjection;
 using Xunit;
 
@@ -268,23 +269,15 @@ namespace Microsoft.AspNet.Authorization.Test
         }
 
         [Fact]
-        public async Task Authorize_ShouldNotAllowIfUnknownPolicy()
+        public async Task Authorize_ThrowsWithUnknownPolicy()
         {
             // Arrange
             var authorizationService = BuildAuthorizationService();
-            var user = new ClaimsPrincipal(
-                new ClaimsIdentity(
-                    new Claim[] {
-                        new Claim("Permission", "CanViewComment"),
-                    },
-                    null)
-                );
 
             // Act
-            var allowed = await authorizationService.AuthorizeAsync(user, "Basic");
-
             // Assert
-            Assert.False(allowed);
+            var exception = await Assert.ThrowsAsync<InvalidOperationException>(() => authorizationService.AuthorizeAsync(new ClaimsPrincipal(), "whatever", "BogusPolicy"));
+            Assert.Equal("No policy found: BogusPolicy.", exception.Message);
         }
 
         [Fact]
@@ -459,7 +452,7 @@ namespace Microsoft.AspNet.Authorization.Test
                 );
 
             // Act
-            var allowed = await authorizationService.AuthorizeAsync(user, "Any");
+            var allowed = await authorizationService.AuthorizeAsync(user, "Hao");
 
             // Assert
             Assert.False(allowed);