public void DeleteRole_WrongScope_ReturnsForbidden()
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
AssertDeleteRole(HttpStatusCode.Forbidden, existingClient.Id, existingRole.Id.ToString(), Scopes.ReadScope);
}
public void AddRolesToUser_RoleDoesNotExist_ReturnsBadRequest()
{
var existingClient = ExistingClients.First();
var usersModule = CreateBrowser(
new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.Scope, Scopes.ReadScope),
new Claim(Claims.ClientId, existingClient.Id)
);
var expectedUser = CreateUser(usersModule);
var role = new Role
{
Id = Guid.NewGuid(),
Name = "test" + Guid.NewGuid(),
Grain = Domain.Defaults.Authorization.AppGrain,
SecurableItem = existingClient.TopLevelSecurableItem.Name
};
var addRolesToUserResponse = usersModule.Post($"/user/{expectedUser.IdentityProvider}/{HttpUtility.UrlEncode(expectedUser.SubjectId)}/roles", with =>
{
with.HttpRequest();
with.JsonBody(new[]
{
role
});
}).Result;
Assert.Equal(HttpStatusCode.BadRequest, addRolesToUserResponse.StatusCode);
var error = addRolesToUserResponse.Body.DeserializeJson <Error>();
Assert.Contains("There was an issue adding roles to the user. Please see the inner exception(s) for details", error.Message);
Assert.Equal($"The role: {role} with Id: {role.Id} could not be found to add to the user.", error.Details[0].Message);
Assert.Single(error.Details);
}
public void DeleteRole_Succeeds()
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
AssertDeleteRole(HttpStatusCode.NoContent, existingClient.Id, existingRole.Id.ToString(), Scopes.WriteScope);
}
public void GetUserPermissions_Succeeds(
string group,
string grain,
string securableItem,
int expectedCountPermissions)
{
var existingClient = ExistingClients.First();
var existingUser = _existingUsers.First();
var usersModule = CreateBrowser(
new Claim(Claims.Scope, Scopes.ReadScope),
new Claim(Claims.ClientId, existingClient.Id),
new Claim(JwtClaimTypes.Role, group),
new Claim(Claims.Sub, existingUser.SubjectId),
new Claim(Claims.IdentityProvider, existingUser.IdentityProvider)
);
var result = usersModule.Get("/user/permissions", with =>
{
with.Query("grain", grain);
with.Query("securableItem", securableItem);
})
.Result;
AssertOk(result, expectedCountPermissions);
}
public void AddRolesToUser_PostSingleRole_ReturnsBadRequest()
{
var existingClient = ExistingClients.First();
var usersModule = CreateBrowser(
new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.Scope, Scopes.ReadScope),
new Claim(Claims.ClientId, existingClient.Id)
);
var expectedUser = CreateUser(usersModule);
var addRolesToUserResponse = usersModule.Post($"/user/{expectedUser.IdentityProvider}/{HttpUtility.UrlEncode(expectedUser.SubjectId)}/roles", with =>
{
with.HttpRequest();
with.JsonBody(new Role
{
Id = Guid.NewGuid(),
Grain = Domain.Defaults.Authorization.AppGrain,
SecurableItem = existingClient.TopLevelSecurableItem.Name,
Name = "role" + Guid.NewGuid()
});
}).Result;
Assert.Equal(HttpStatusCode.BadRequest, addRolesToUserResponse.StatusCode);
var error = addRolesToUserResponse.Body.DeserializeJson <Error>();
Assert.Equal(UsersModule.InvalidRoleArrayMessage, error.Message);
}
public void GetRolesForUser_MultipleRoles_ReturnsOK()
{
var existingClient = ExistingClients.First();
var usersModule = CreateBrowser(
new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.Scope, Scopes.ReadScope),
new Claim(Claims.ClientId, existingClient.Id)
);
var expectedUser = CreateUser(usersModule);
var newRoles = AddExistingRoles(existingClient.TopLevelSecurableItem.Name);
var addRolesToUserResponse = usersModule.Post($"/user/{expectedUser.IdentityProvider}/{HttpUtility.UrlEncode(expectedUser.SubjectId)}/roles", with =>
{
with.HttpRequest();
with.JsonBody(new[]
{
newRoles[0], newRoles[1], newRoles[3]
});
}).Result;
Assert.Equal(HttpStatusCode.OK, addRolesToUserResponse.StatusCode);
var userWithRoles = addRolesToUserResponse.Body.DeserializeJson <UserApiModel>();
Assert.Equal(3, userWithRoles.Roles.Count);
var getRolesForUser = usersModule.Get($"/user/{expectedUser.IdentityProvider}/{HttpUtility.UrlEncode(expectedUser.SubjectId)}/roles").Result;
Assert.Equal(HttpStatusCode.OK, getRolesForUser.StatusCode);
Assert.Equal(3, getRolesForUser.Body.DeserializeJson <List <RoleApiModel> >().Count);
}
public void DeleteRolesFromUser_RoleDoesNotExistForUser_ReturnsBadRequest()
{
var existingClient = ExistingClients.First();
var usersModule = CreateBrowser(
new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.Scope, Scopes.ReadScope),
new Claim(Claims.ClientId, existingClient.Id)
);
var user = CreateUser(usersModule);
var deleteRolesFromUser = usersModule.Delete(
$"/user/{user.IdentityProvider}/{HttpUtility.UrlEncode(user.SubjectId)}/roles",
with =>
{
with.HttpRequest();
with.JsonBody(new []
{
new { Id = Guid.NewGuid(), Grain = Domain.Defaults.Authorization.AppGrain, SecurableItem = existingClient.Id, Name = "testRole1" },
new { Id = Guid.NewGuid(), Grain = Domain.Defaults.Authorization.AppGrain, SecurableItem = existingClient.Id, Name = "testRole2" }
});
}).Result;
Assert.Equal(HttpStatusCode.BadRequest, deleteRolesFromUser.StatusCode);
var error = deleteRolesFromUser.Body.DeserializeJson <Error>();
Assert.Contains("There was an issue deleting roles for the user. Please see the inner exception(s) for the details.", error.Message);
Assert.Equal(2, error.Details.Length);
}
public void GetRoles_ReturnsNotAllowedForIncorrectCredentials(string scope, string clientId)
{
var existingClient = ExistingClients.First();
var rolesModule = CreateBrowser(new Claim(Claims.Scope, scope),
new Claim(Claims.ClientId, clientId));
var result = rolesModule.Get($"/roles/app/{existingClient.Id}").Result;
Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
}
public void AddRole_ReturnsForbidden(RoleApiModel roleToPost, string scope)
{
var existingClient = ExistingClients.First();
var rolesModule = CreateBrowser(new Claim(Claims.Scope, scope),
new Claim(Claims.ClientId, existingClient.Id));
var result = rolesModule.Post($"/roles", with => with.JsonBody(roleToPost)).Result;
Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
}
public void AddUser_NewUser_ReturnsCreated()
{
var existingClient = ExistingClients.First();
var usersModule = CreateBrowser(
new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.ClientId, existingClient.Id)
);
CreateUser(usersModule);
}
public void DeleteRole_WrongClient_ReturnsForbidden(string cliendId)
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
var rolesModule = CreateBrowser(new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.ClientId, cliendId));
var result = rolesModule.Delete($"/roles/{existingRole.Id}").Result;
Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
}
public void DeletePermissionFromRole_PermissionNotFound()
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
var existingPermission =
ExistingPermissions.First(p => p.Grain == existingRole.Grain &&
p.SecurableItem == existingRole.SecurableItem);
DeletePermissionAndAssert(existingClient.Id, existingRole.Id.ToString(), existingPermission, HttpStatusCode.NotFound);
}
public void DeletePermissionFromRole_Forbidden()
{
var existingClient = ExistingClients.First();
var notFoundRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
var existingPermission =
ExistingPermissions.First(p => p.Grain == notFoundRole.Grain &&
p.SecurableItem == notFoundRole.SecurableItem);
DeletePermissionAndAssert("sourcemartdesigner", notFoundRole.Id.ToString(), existingPermission, HttpStatusCode.Forbidden);
}
public void DeletePermissionFromRole_WrongScope_Forbidden()
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
var existingPermission =
ExistingPermissions.First(p => p.Grain == existingRole.Grain &&
p.SecurableItem == existingRole.SecurableItem);
DeletePermissionAndAssert(existingClient.Id, existingRole.Id.ToString(), existingPermission, HttpStatusCode.Forbidden, Scopes.ReadScope);
}
public void DeletePermissionFromRole_BadRequest()
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
var existingPermission =
ExistingPermissions.First(p => p.Grain == existingRole.Grain &&
p.SecurableItem == existingRole.SecurableItem);
DeletePermissionAndAssert(existingClient.Id, "notaguid", existingPermission, HttpStatusCode.BadRequest, Scopes.WriteScope);
}
public void AddPermissionsToRole_IncompatiblePermission_WrongSecurable()
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
var existingPermission =
ExistingPermissions.First(p => p.Grain == existingRole.Grain &&
p.SecurableItem != existingRole.SecurableItem);
PostPermissionAndAssert(existingRole, existingPermission, existingClient.Id, HttpStatusCode.BadRequest);
}
public void AddPermissionsToRole_IncompatiblePermission_PermissionAlreadyExists()
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
var existingPermission =
ExistingPermissions.First(p => p.Grain == existingRole.Grain &&
p.SecurableItem == existingRole.SecurableItem);
existingRole.Permissions.Add(existingPermission);
PostPermissionAndAssert(existingRole, existingPermission, existingClient.Id, HttpStatusCode.Conflict);
}
public void GetRoles_ReturnsRoleForRoleName()
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
Assert.NotNull(existingRole);
var rolesModule = CreateBrowser(new Claim(Claims.Scope, Scopes.ReadScope),
new Claim(Claims.ClientId, existingClient.Id));
var result = rolesModule.Get($"/roles/app/{existingRole.SecurableItem}/{existingRole.Name}").Result;
AssertRolesOK(result, 1, existingRole.Id);
}
public void GetRolesForUser_UserDoesNotExist_ReturnsNotFound()
{
var existingClient = ExistingClients.First();
var usersModule = CreateBrowser(
new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.Scope, Scopes.ReadScope),
new Claim(Claims.ClientId, existingClient.Id)
);
var getRolesForUser = usersModule.Get($"/user/windows/nouser/roles").Result;
Assert.Equal(HttpStatusCode.NotFound, getRolesForUser.StatusCode);
}
public void GetRolesForUser_UserHasNoRoles_ReturnsEmptyArray()
{
var existingClient = ExistingClients.First();
var usersModule = CreateBrowser(
new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.Scope, Scopes.ReadScope),
new Claim(Claims.ClientId, existingClient.Id)
);
var user = CreateUser(usersModule);
var getRolesForUser = usersModule.Get($"/user/{user.IdentityProvider}/{HttpUtility.UrlEncode(user.SubjectId)}/roles").Result;
Assert.Equal(HttpStatusCode.OK, getRolesForUser.StatusCode);
Assert.Empty(getRolesForUser.Body.DeserializeJson <List <RoleApiModel> >());
}
public void AddPermissionsToRole_PermissionNotFound()
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
var permission = new Permission
{
Id = Guid.NewGuid(),
Grain = "app",
SecurableItem = "patientsafety",
Name = "notfound"
};
PostPermissionAndAssert(existingRole, permission, existingClient.Id, HttpStatusCode.NotFound);
}
public void AddPermissionsToRole_BadRequest()
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
var existingPermission =
ExistingPermissions.First(p => p.Grain == existingRole.Grain &&
p.SecurableItem == existingRole.SecurableItem);
var rolesModule = CreateBrowser(new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.ClientId, existingClient.Id));
var result = rolesModule.Post($"/roles/{existingRole.Id}/permissions",
with => with.JsonBody(existingPermission))
.Result;
Assert.Equal(HttpStatusCode.BadRequest, result.StatusCode);
}
public void AddRole_ReturnsBadRequest(RoleApiModel roleToPost, int errorCount)
{
var existingClient = ExistingClients.First();
var rolesModule = CreateBrowser(new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.ClientId, existingClient.Id));
var result = rolesModule.Post($"/roles", with => with.JsonBody(roleToPost)).Result;
Assert.Equal(HttpStatusCode.BadRequest, result.StatusCode);
var error = result.Body.DeserializeJson <Error>();
Assert.NotNull(error);
if (errorCount > 0)
{
Assert.Equal(errorCount, error.Details.Length);
}
}
public void GetUserPermissions_Forbidden(string securableItem, string scope)
{
var existingClient = ExistingClients.First();
var usersModule = CreateBrowser(new Claim(Claims.Scope, scope),
new Claim(Claims.ClientId, existingClient.Id),
new Claim(JwtClaimTypes.Role, @"Fabric\Health Catalyst Admin"));
var result = usersModule.Get("/user/permissions", with =>
{
with.Query("grain", "app");
with.Query("securableItem", securableItem);
})
.Result;
Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
}
public void GetUserPermissions_NoParameters_DefaultsToTopLevel()
{
var existingClient = ExistingClients.First();
var existingUser = _existingUsers.First();
var usersModule = CreateBrowser(
new Claim(Claims.Scope, Scopes.ReadScope),
new Claim(Claims.ClientId, existingClient.Id),
new Claim(JwtClaimTypes.Role, @"Fabric\Health Catalyst Admin"),
new Claim(Claims.Sub, existingUser.SubjectId),
new Claim(Claims.IdentityProvider, existingUser.IdentityProvider)
);
var result = usersModule.Get("/user/permissions").Result;
AssertOk(result, 3);
}
public void AddPermissionsToRole_RoleNotFound()
{
var existingClient = ExistingClients.First();
var role = new Role
{
Id = Guid.NewGuid(),
Grain = "app",
SecurableItem = "patientsafety",
Name = "notfound"
};
var existingPermission =
ExistingPermissions.First(p => p.Grain == role.Grain &&
p.SecurableItem == role.SecurableItem);
PostPermissionAndAssert(role, existingPermission, existingClient.Id, HttpStatusCode.NotFound);
}
public void AddPermissionsToRole_Succeeds()
{
var existingClient = ExistingClients.First();
var existingRole = ExistingRoles.First(r => r.SecurableItem == existingClient.Id);
var existingPermission =
ExistingPermissions.First(p => p.Grain == existingRole.Grain &&
p.SecurableItem == existingRole.SecurableItem);
var rolesModule = CreateBrowser(new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.ClientId, existingClient.Id));
var result = rolesModule.Post($"/roles/{existingRole.Id}/permissions",
with => with.JsonBody(new List <Permission> {
existingPermission
}))
.Result;
AssertRoleOK(result, 1);
}
public void GetUser_ExistingUser_ReturnsOk()
{
var existingClient = ExistingClients.First();
var usersModule = CreateBrowser(
new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.Scope, Scopes.ReadScope),
new Claim(Claims.ClientId, existingClient.Id)
);
var expectedUser = CreateUser(usersModule);
var actualUserResponse = usersModule.Get($"/user/{expectedUser.IdentityProvider}/{HttpUtility.UrlEncode(expectedUser.SubjectId)}").Result;
Assert.Equal(HttpStatusCode.OK, actualUserResponse.StatusCode);
var actualUser = actualUserResponse.Body.DeserializeJson <UserApiModel>();
Assert.Equal(expectedUser.IdentityProvider, actualUser.IdentityProvider);
Assert.Equal(expectedUser.SubjectId, actualUser.SubjectId);
}
public void DeletePermissionFromRole_RoleNotFound()
{
var existingClient = ExistingClients.First();
var notFoundRole = new Role
{
Id = Guid.NewGuid(),
Grain = "app",
SecurableItem = existingClient.Id,
Name = "notfound"
};
var existingPermission =
ExistingPermissions.First(p => p.Grain == notFoundRole.Grain &&
p.SecurableItem == notFoundRole.SecurableItem);
notFoundRole.Permissions.Add(existingPermission);
DeletePermissionAndAssert(existingClient.Id, notFoundRole.Id.ToString(), existingPermission, HttpStatusCode.NotFound);
}
public void AddRole_Succeeds()
{
var existingClient = ExistingClients.First();
var rolesModule = CreateBrowser(new Claim(Claims.Scope, Scopes.WriteScope),
new Claim(Claims.ClientId, existingClient.Id));
var roleToPost = new RoleApiModel
{
Grain = "app",
SecurableItem = existingClient.Id,
Name = "test"
};
var result = rolesModule.Post($"/roles", with => with.JsonBody(roleToPost)).Result;
Assert.Equal(HttpStatusCode.Created, result.StatusCode);
var newRole = result.Body.DeserializeJson <RoleApiModel>();
Assert.Equal(roleToPost.Name, newRole.Name);
Assert.NotNull(newRole.Id);
}
