public void Check_ApplyCanMutateCheckedClaims()
{
// Arrange
var user = new ClaimsPrincipal(
new ClaimsIdentity(new Claim[] { new Claim("Permission", "CanDeleteComments") }, "Basic")
);
var policies = new IAuthorizationPolicy[] {
new FakePolicy()
{
ApplyAsyncAction = (context) => {
// for instance, if user owns the comment
if (!context.Claims.Any(claim => claim.Type == "Permission" && claim.Value == "CanDeleteComments"))
{
context.Claims.Add(new Claim("Permission", "CanDeleteComments"));
context.Retry = true;
}
}
}
};
var authorizationService = new DefaultAuthorizationService(policies);
// Act
var allowed = authorizationService.Authorize(Enumerable.Empty <Claim>(), user);
// Assert
Assert.True(allowed);
}
public void Check_PoliciesCanMutateUsersClaims()
{
// Arrange
var user = new ClaimsPrincipal(
new ClaimsIdentity(new Claim[0], "Basic")
);
var policies = new IAuthorizationPolicy[] {
new FakePolicy()
{
ApplyAsyncAction = (context) => {
if (!context.Authorized)
{
context.UserClaims.Add(new Claim("Permission", "CanDeleteComments"));
context.Retry = true;
}
}
}
};
var authorizationService = new DefaultAuthorizationService(policies);
// Act
var allowed = authorizationService.Authorize(new Claim("Permission", "CanDeleteComments"), user);
// Assert
Assert.True(allowed);
}
public void Check_ShouldApplyPoliciesInOrder()
{
// Arrange
string result = "";
var policies = new IAuthorizationPolicy[] {
new FakePolicy()
{
Order = 20,
ApplyingAsyncAction = (context) => { result += "20"; }
},
new FakePolicy()
{
Order = -1,
ApplyingAsyncAction = (context) => { result += "-1"; }
},
new FakePolicy()
{
Order = 30,
ApplyingAsyncAction = (context) => { result += "30"; }
},
};
var authorizationService = new DefaultAuthorizationService(policies);
// Act
var allowed = authorizationService.Authorize(Enumerable.Empty <Claim>(), null);
// Assert
Assert.Equal("-12030", result);
}
public void Check_ShouldNotAllowIfUserIsNull()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(Enumerable.Empty <IAuthorizationPolicy>());
ClaimsPrincipal user = null;
// Act
var allowed = authorizationService.Authorize(new Claim[] { new Claim("Permission", "CanViewPage") }, user);
// Assert
Assert.False(allowed);
}
public async Task NoRequirementTest()
{
var bus = A.Fake <IServiceBus>();
var user = A.Fake <ClaimsPrincipal>();
var message = A.Fake <IMessage>();
var options = new AuthorizationOptions();
var service = new DefaultAuthorizationService(options, new IAuthorizationHandler[0]);
await Assert.ThrowsAsync <InvalidOperationException>(() =>
{
return(service.Authorize(bus, user, message, "CustomPolicy"));
});
}
public void Check_ShouldAllowIfClaimIsPresent()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(Enumerable.Empty <IAuthorizationPolicy>());
var user = new ClaimsPrincipal(
new ClaimsIdentity(new Claim[] { new Claim("Permission", "CanViewPage") }, "Basic")
);
// Act
var allowed = authorizationService.Authorize(new Claim[] { new Claim("Permission", "CanViewPage") }, user);
// Assert
Assert.True(allowed);
}
public async Task FailedRequirementTest()
{
var bus = A.Fake <IServiceBus>();
var user = A.Fake <ClaimsPrincipal>();
var handler = new FailingAuthorizationHandler();
var requirement = new FailingRequirement();
var message = A.Fake <IMessage>();
var options = new AuthorizationOptions();
options.AddPolicy("CustomPolicy", p => p.AddRequirements(requirement));
var service = new DefaultAuthorizationService(options, new IAuthorizationHandler[] { handler });
Assert.False(await service.Authorize(bus, user, message, "CustomPolicy"));
}
public async Task Invoke_SingleValidClaimShouldSucceed()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(Enumerable.Empty <IAuthorizationPolicy>());
var authorizeAttribute = new AuthorizeAttribute("Permission", "CanViewComment", "CanViewPage");
var authorizationContext = GetAuthorizationContext(services =>
services.AddInstance <IAuthorizationService>(authorizationService)
);
// Act
await authorizeAttribute.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task Invoke_EmptyClaimsShouldAuthorizeAuthenticatedUser()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(Enumerable.Empty <IAuthorizationPolicy>());
var authorizeAttribute = new AuthorizeAttribute();
var authorizationContext = GetAuthorizationContext(services =>
services.AddInstance <IAuthorizationService>(authorizationService)
);
// Act
await authorizeAttribute.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task Invoke_NullPoliciesShouldNotFail()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(policies: null);
var authorizeAttribute = new AuthorizeAttribute("Permission", "CanViewPage");
var authorizationContext = GetAuthorizationContext(services =>
services.AddInstance <IAuthorizationService>(authorizationService)
);
// Act
await authorizeAttribute.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public void Check_ShouldThrowWhenPoliciesDontStop()
{
// Arrange
var policies = new IAuthorizationPolicy[] {
new FakePolicy()
{
ApplyAsyncAction = (context) => { context.Retry = true; }
}
};
var authorizationService = new DefaultAuthorizationService(policies);
// Act
// Assert
Exception ex = Assert.Throws <InvalidOperationException>(() => authorizationService.Authorize(Enumerable.Empty <Claim>(), null));
}
public async Task Invoke_EmptyClaimsWithAllowAnonymousAttributeShouldNotRejectAnonymousUser()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(Enumerable.Empty <IAuthorizationPolicy>());
var authorizeAttribute = new AuthorizeAttribute();
var authorizationContext = GetAuthorizationContext(services =>
services.AddInstance <IAuthorizationService>(authorizationService),
anonymous: true
);
authorizationContext.Filters.Add(new AllowAnonymousAttribute());
// Act
await authorizeAttribute.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public void Check_ShouldConvertNullClaimsToEmptyList()
{
// Arrange
IList <Claim> claims = null;
var policies = new IAuthorizationPolicy[] {
new FakePolicy()
{
Order = 20,
ApplyingAsyncAction = (context) => { claims = context.Claims; }
}
};
var authorizationService = new DefaultAuthorizationService(policies);
// Act
var allowed = authorizationService.Authorize(Enumerable.Empty <Claim>(), null);
// Assert
Assert.NotNull(claims);
Assert.Equal(0, claims.Count);
}
public NoOpAuthorization(DefaultAuthorizationService defaultAuthorizationService)
{
_defaultAuthorizationService = defaultAuthorizationService;
}
public InspectAuthorizationService(DefaultAuthorizationService defaultAuthorizationService, IAuthorizationHandlerContextFactory contextFactory, ILogger <InspectAuthorizationService> logger)
{
_defaultAuthorizationService = defaultAuthorizationService;
_contextFactory = contextFactory;
_logger = logger;
}
