public void Check_ApplyCanMutateCheckedClaims()
{
// Arrange
var user = new ClaimsPrincipal(
new ClaimsIdentity( new Claim[] { new Claim("Permission", "CanDeleteComments") }, "Basic")
);
var policies = new IAuthorizationPolicy[] {
new FakePolicy() {
ApplyAsyncAction = (context) => {
// for instance, if user owns the comment
if(!context.Claims.Any(claim => claim.Type == "Permission" && claim.Value == "CanDeleteComments"))
{
context.Claims.Add(new Claim("Permission", "CanDeleteComments"));
context.Retry = true;
}
}
}
};
var authorizationService = new DefaultAuthorizationService(policies);
// Act
var allowed = authorizationService.Authorize(Enumerable.Empty<Claim>(), user);
// Assert
Assert.True(allowed);
}
public void Check_PoliciesCanMutateUsersClaims()
{
// Arrange
var user = new ClaimsPrincipal(
new ClaimsIdentity(new Claim[0], "Basic")
);
var policies = new IAuthorizationPolicy[] {
new FakePolicy() {
ApplyAsyncAction = (context) => {
if (!context.Authorized)
{
context.UserClaims.Add(new Claim("Permission", "CanDeleteComments"));
context.Retry = true;
}
}
}
};
var authorizationService = new DefaultAuthorizationService(policies);
// Act
var allowed = authorizationService.Authorize(new Claim("Permission", "CanDeleteComments"), user);
// Assert
Assert.True(allowed);
}
public async Task Invoke_EmptyClaimsShouldAuthorizeAuthenticatedUser()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(Enumerable.Empty<IAuthorizationPolicy>());
var authorizeAttribute = new AuthorizeAttribute();
var authorizationContext = GetAuthorizationContext(services =>
services.AddInstance<IAuthorizationService>(authorizationService)
);
// Act
await authorizeAttribute.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task Invoke_ValidClaimShouldNotFail()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(Enumerable.Empty<IAuthorizationPolicy>());
var authorizeAttribute = new AuthorizeAttribute("Permission", "CanViewPage");
var authorizationContext = GetAuthorizationContext(services =>
services.AddInstance<IAuthorizationService>(authorizationService)
);
// Act
await authorizeAttribute.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task Invoke_EmptyClaimsWithAllowAnonymousAttributeShouldNotRejectAnonymousUser()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(Enumerable.Empty<IAuthorizationPolicy>());
var authorizeAttribute = new AuthorizeAttribute();
var authorizationContext = GetAuthorizationContext(services =>
services.AddInstance<IAuthorizationService>(authorizationService),
anonymous: true
);
authorizationContext.Filters.Add(new AllowAnonymousAttribute());
// Act
await authorizeAttribute.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public void Check_ShouldAllowIfClaimIsAmongValues()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(Enumerable.Empty<IAuthorizationPolicy>());
var user = new ClaimsPrincipal(
new ClaimsIdentity(
new Claim[] {
new Claim("Permission", "CanViewPage"),
new Claim("Permission", "CanViewAnything")
},
"Basic")
);
// Act
var allowed = authorizationService.Authorize(new Claim[] { new Claim("Permission", "CanViewPage") }, user);
// Assert
Assert.True(allowed);
}
public void Check_ShouldThrowWhenPoliciesDontStop()
{
// Arrange
var policies = new IAuthorizationPolicy[] {
new FakePolicy() {
ApplyAsyncAction = (context) => { context.Retry = true; }
}
};
var authorizationService = new DefaultAuthorizationService(policies);
// Act
// Assert
Exception ex = Assert.Throws<AggregateException>(() => authorizationService.Authorize(Enumerable.Empty<Claim>(), null));
}
public void Check_ShouldNotAllowIfUserIsNull()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(Enumerable.Empty<IAuthorizationPolicy>());
ClaimsPrincipal user = null;
// Act
var allowed = authorizationService.Authorize(new Claim[] { new Claim("Permission", "CanViewPage") }, user);
// Assert
Assert.False(allowed);
}
public void Check_ShouldNotAllowIfNoClaims()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(Enumerable.Empty<IAuthorizationPolicy>());
var user = new ClaimsPrincipal(
new ClaimsIdentity(
new Claim[0],
"Basic")
);
// Act
var allowed = authorizationService.Authorize(new Claim[] { new Claim("Permission", "CanViewPage") }, user);
// Assert
Assert.False(allowed);
}
public void Check_ShouldInvokeApplyingApplyAppliedInOrder()
{
// Arrange
string result = "";
var policies = new IAuthorizationPolicy[] {
new FakePolicy() {
Order = 20,
ApplyingAsyncAction = (context) => { result += "Applying20"; },
ApplyAsyncAction = (context) => { result += "Apply20"; },
AppliedAsyncAction = (context) => { result += "Applied20"; }
},
new FakePolicy() {
Order = -1,
ApplyingAsyncAction = (context) => { result += "Applying-1"; },
ApplyAsyncAction = (context) => { result += "Apply-1"; },
AppliedAsyncAction = (context) => { result += "Applied-1"; }
},
new FakePolicy() {
Order = 30,
ApplyingAsyncAction = (context) => { result += "Applying30"; },
ApplyAsyncAction = (context) => { result += "Apply30"; },
AppliedAsyncAction = (context) => { result += "Applied30"; }
},
};
var authorizationService = new DefaultAuthorizationService(policies);
// Act
var allowed = authorizationService.Authorize(Enumerable.Empty<Claim>(), null);
// Assert
Assert.Equal("Applying-1Applying20Applying30Apply-1Apply20Apply30Applied-1Applied20Applied30", result);
}
public void Check_ShouldConvertNullClaimsToEmptyList()
{
// Arrange
IList<Claim> claims = null;
var policies = new IAuthorizationPolicy[] {
new FakePolicy() {
Order = 20,
ApplyingAsyncAction = (context) => { claims = context.Claims; }
}
};
var authorizationService = new DefaultAuthorizationService(policies);
// Act
var allowed = authorizationService.Authorize(Enumerable.Empty<Claim>(), null);
// Assert
Assert.NotNull(claims);
Assert.Equal(0, claims.Count);
}
public async Task Invoke_NullPoliciesShouldNotFail()
{
// Arrange
var authorizationService = new DefaultAuthorizationService(policies: null);
var authorizeAttribute = new AuthorizeAttribute("Permission", "CanViewPage");
var authorizationContext = GetAuthorizationContext(services =>
services.AddInstance<IAuthorizationService>(authorizationService)
);
// Act
await authorizeAttribute.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
