public override void OnAuthorization(AuthorizationContext filterContext)
{
//Create permission string based on the requested controller name and action name in the format 'controllername-action'
string requiredPermission = String.Format("{0}-{1}", filterContext.ActionDescriptor.ControllerDescriptor.ControllerName, filterContext.ActionDescriptor.ActionName);
string requiredController = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
string requiredAction = filterContext.ActionDescriptor.ActionName;
var userId = filterContext.HttpContext.User.Identity.Name; // GetUserId();
var identity = ((CustomPrincipal)HttpContext.Current.User).CustomIdentity;
PermissionsService _permissionService = new PermissionsService(userId, identity.UserRoleId);
//Create an instance of our custom user authorization object passing requesting user's 'Windows Username' into constructor
//CustomMembershipUser requestingUser = new CustomMembershipUser(filterContext.RequestContext.HttpContext.User.Identity.Name);
//Check if the requesting user has the permission to run the controller's action
if (!_permissionService.HasPermission(requiredController, requiredAction))
{
//User doesn't have the required permission and is not a SysAdmin, return our custom “401 Unauthorized” access error
//Since we are setting filterContext.Result to contain an ActionResult page, the controller's action will not be run.
//The custom “401 Unauthorized” access error will be returned to the browser in response to the initial request.
filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary {
{ "action", "UnAuthorized" }, { "controller", "Error" }
});
}
//If the user has the permission to run the controller's action, then filterContext.Result will be uninitialized and
//executing the controller's action is dependant on whether filterContext.Result is uninitialized.
}
public async Task PermissionsService_GetUserPermissionsForGroupAsync_ReturnsGuestIfUserNotMemberOfGroup()
{
var permissionsDataProviderLogger = new Moq.Mock <ILogger <PermissionsDataProvider> >().Object;
var permissionsServiceLogger = new Moq.Mock <ILogger <PermissionsService> >().Object;
var groupDataProvider = new Moq.Mock <IGroupDataProvider>().Object;
var cts = new CancellationTokenSource();
var cancellationToken = cts.Token;
var userId = Guid.NewGuid();
var groupId = Guid.NewGuid();
var rolesDataProvider = new Mock <IRolesDataProvider>();
IPermissionsDataProvider permissionsDataProvider = new PermissionsDataProvider(permissionsDataProviderLogger);
List <string>?userRolesResponse = new List <string> {
"Admin"
};
List <GroupUserRole>?groupRolesResponse = new List <GroupUserRole>();
rolesDataProvider.Setup(x =>
x.GetUserAndGroupUserRolesAsync(userId, groupId, cancellationToken))
.ReturnsAsync(new UserAndGroupRoles(userRolesResponse, groupRolesResponse));
var permissionsService = new PermissionsService(rolesDataProvider.Object, permissionsDataProvider, permissionsServiceLogger, groupDataProvider);
var userGroupPermissions = await permissionsService.GetUserPermissionsForGroupAsync(userId, groupId, string.Empty, cancellationToken);
Assert.IsTrue(userGroupPermissions.Permissions.Any(x => x == "https://schema.collaborate.future.nhs.uk/groups/v1/members/add"));
}
public void Setup()
{
var evaluator = new ConditionEvaluator();
_permissionsService = new PermissionsService(new ConditionParser(),
(new PermissionsScanner().All(typeof(Permissions))), evaluator);
}
public void PermissionsServiceTests_User_HasPermission_Success()
{
//Arrange
var permissionsService = new PermissionsService(_hive, _permissions, _membershipService);
//Assert
// Both permissions set to allow, no node inheritance
Assert.IsTrue(permissionsService.GetEffectivePermission(new Guid(FixedPermissionIds.Copy), _userId).IsAllowed());
// One permission set to allow, one deny, no node inheritance
Assert.IsFalse(permissionsService.GetEffectivePermission(new Guid(FixedPermissionIds.Save), _userId).IsAllowed());
Assert.IsFalse(permissionsService.GetEffectivePermission(new Guid(FixedPermissionIds.Publish), _userId).IsAllowed());
// One permission set to inherit, one set to allow, no node inheritance
Assert.IsTrue(permissionsService.GetEffectivePermission(new Guid(FixedPermissionIds.Hostnames), _userId).IsAllowed());
// Both permissions set to inherit, no node inheritance
Assert.IsFalse(permissionsService.GetEffectivePermission(new Guid(FixedPermissionIds.Move), _userId).IsAllowed());
// Both permissions set to allow, no node inheritance
Assert.IsTrue(permissionsService.GetEffectivePermission(new Guid(FixedPermissionIds.Copy), _userId, _childContentNode.Id).IsAllowed());
// One permission set to allow, one deny, node inheritance
Assert.IsFalse(permissionsService.GetEffectivePermission(new Guid(FixedPermissionIds.Save), _userId, _childContentNode.Id).IsAllowed());
Assert.IsTrue(permissionsService.GetEffectivePermission(new Guid(FixedPermissionIds.Publish), _userId, _childContentNode.Id).IsAllowed()); // In this instance, becuase the deny permission is inherited, the allow permission takes precedence
// One permission set to inherit, one set to allow, node inheritance
Assert.IsTrue(permissionsService.GetEffectivePermission(new Guid(FixedPermissionIds.Hostnames), _userId, _childContentNode.Id).IsAllowed());
// Both permissions set to inherit, node inheritance
Assert.IsFalse(permissionsService.GetEffectivePermission(new Guid(FixedPermissionIds.Move), _userId, _childContentNode.Id).IsAllowed());
}
private async void AddNewFileExe()
{
if (await PermissionsService.GetStoragePermissionsAsync())
{
SelectFile();
}
}
public async Task PermissionsService_GetUserPermissionsAsync_ReturnsGuestRoleIfUserNotFound()
{
var permissionsDataProviderLogger = new Moq.Mock <ILogger <PermissionsDataProvider> >().Object;
var permissionsServiceLogger = new Moq.Mock <ILogger <PermissionsService> >().Object;
var groupDataProvider = new Moq.Mock <IGroupDataProvider>().Object;
var cts = new CancellationTokenSource();
var cancellationToken = cts.Token;
var userId = Guid.NewGuid();
var rolesDataProvider = new Mock <IRolesDataProvider>();
IPermissionsDataProvider permissionsDataProvider = new PermissionsDataProvider(permissionsDataProviderLogger);
List <string>?userRolesResponse = null;
rolesDataProvider.Setup(x =>
x.GetUserRolesAsync(userId, cancellationToken))
.ReturnsAsync(userRolesResponse);
var permissionsService = new PermissionsService(rolesDataProvider.Object, permissionsDataProvider, permissionsServiceLogger, groupDataProvider);
var permissions = await permissionsService.GetUserPermissionsAsync(userId, cancellationToken);
Assert.IsTrue(permissions is null);
}
public async Task OpensAppSettings()
{
ViewModel.RequestAccess.Execute(Unit.Default);
TestScheduler.Start();
PermissionsService.Received().OpenAppSettings();
}
public void TestDuplicateIndexes()
{
var evaluator = new ConditionEvaluator();
var sut = new PermissionsService(new ConditionParser(), (new PermissionsScanner().All(typeof(Permissions))), evaluator);
sut.InsertSerialized(new GrantStub
{
GrantType = GrantType.Allow,
Index = 1,
NodeKey = Permissions.Product.Create.Key,
PermissionType = PermissionType.Generic,
Identifier = 1,
PermissionChain = PermissionChainName
});
sut.InsertSerialized(new GrantStub
{
GrantType = GrantType.Allow,
Index = 1,
NodeKey = Permissions.Product.Buy.Key,
PermissionType = PermissionType.ResourceBound,
Identifier = 1,
PermissionChain = PermissionChainName
});
sut.GetResultUsingChain(PermissionChainName, Permissions.Product.Create, 1).ShouldBe(PermissionResult.Allowed);
sut.GetResultUsingChain(PermissionChainName, Permissions.Product.Buy, 1).ShouldBe(PermissionResult.Allowed);
}
public static IServiceCollection AddGranularPermissions(this IServiceCollection collection,
Type basePermissionsClass)
{
collection.AddTransient <IPermissionsScanner, PermissionsScanner>();
collection.AddScoped <IConditionEvaluator, ConditionEvaluator>();
collection.AddScoped <IConditionParser, ConditionParser>();
collection.AddScoped <IPermissionAuditLogCollector, PermissionAuditLogCollector>();
Func <IServiceProvider, PermissionsService> serviceBuilder = sp =>
{
using (var scope = sp.CreateScope())
{
var dictionary = scope.ServiceProvider.GetService <IPermissionsScanner>().All(basePermissionsClass);
var parser = scope.ServiceProvider.GetService <IConditionParser>();
var evaluator = scope.ServiceProvider.GetService <IConditionEvaluator>();
var grantProvider = scope.ServiceProvider.GetService <IPermissionGrantProvider>();
var instance = new PermissionsService(parser, dictionary, evaluator);
var list = grantProvider.AllGrants();
foreach (var permissionGrant in list)
{
instance.InsertSerialized(permissionGrant);
}
return(instance);
}
};
collection.AddSingleton <IPermissionsService>(serviceBuilder);
// not pretty
collection.AddSingleton <IPermissionsEventBroadcaster>(x => x.GetService <IPermissionsService>() as IPermissionsEventBroadcaster);
return(collection);
}
public async Task PermissionsService_GetUserPermissionsAsync_ReturnsMultipleRolesAndPermissionsForUser()
{
var permissionsDataProviderLogger = new Moq.Mock <ILogger <PermissionsDataProvider> >().Object;
var permissionsServiceLogger = new Moq.Mock <ILogger <PermissionsService> >().Object;
var groupDataProvider = new Moq.Mock <IGroupDataProvider>().Object;
var cts = new CancellationTokenSource();
var cancellationToken = cts.Token;
var userId = Guid.NewGuid();
var rolesDataProvider = new Mock <IRolesDataProvider>();
IPermissionsDataProvider permissionsDataProvider = new PermissionsDataProvider(permissionsDataProviderLogger);
var userRolesResponse = new List <string> {
"Standard Members", "Admin"
};
rolesDataProvider.Setup(x =>
x.GetUserRolesAsync(userId, cancellationToken))
.ReturnsAsync(userRolesResponse);
var permissionsService = new PermissionsService(rolesDataProvider.Object, permissionsDataProvider, permissionsServiceLogger, groupDataProvider);
var permissions = await permissionsService.GetUserPermissionsAsync(userId, cancellationToken);
Assert.IsTrue(permissions.Any(x => x == "https://schema.collaborate.future.nhs.uk/admin/v1/view"));
}
public async Task RequestsCalendarPermission()
{
ViewModel.GetStarted.Execute();
TestScheduler.Start();
await PermissionsService.Received().RequestCalendarAuthorization();
}
private void GetAccessToken(HttpContext context)
{
GetAccessTokenRequest gat = new GetAccessTokenRequest();
String token = context.Request.Params["txtrequest_token"];
String verifier = context.Request.Params["txtverification_code"];
gat.token = token;
gat.verifier = verifier;
gat.requestEnvelope = new RequestEnvelope("en_US");
GetAccessTokenResponse gats = null;
try
{
PermissionsService service = new PermissionsService();
gats = service.GetAccessToken(gat);
context.Response.Write("<html><body><textarea rows=30 cols=80>");
ObjectDumper.Write(gats, 5, context.Response.Output);
context.Response.Write("</textarea></body></html>");
}
catch (System.Exception e)
{
context.Response.Write(e.Message);
}
}
private void AssertPermissionLevels(IEnumerable <User> owners, User user, PermissionLevel expectedLevel)
{
Assert.Equal(expectedLevel, PermissionsService.GetPermissionLevel(owners, user));
var principal = GetPrincipal(user);
Assert.Equal(expectedLevel, PermissionsService.GetPermissionLevel(owners, principal));
}
public async Task NavigatesToTheCalendarPermissionDeniedViewModelWhenPermissionIsDenied()
{
PermissionsService.RequestCalendarAuthorization().Returns(Observable.Return(false));
ViewModel.GetStarted.Execute();
NavigationService.Received().Navigate <CalendarPermissionDeniedViewModel, Unit>();
}
public async Task TracksTheCalendarOnbardingStartedEvent()
{
PermissionsService.RequestCalendarAuthorization().Returns(Observable.Return(false));
await ViewModel.GetStartedAction.Execute(Unit.Default);
AnalyticsService.CalendarOnboardingStarted.Received().Track();
}
public async Task TracksTheCalendarOnbardingStartedEvent()
{
PermissionsService.RequestCalendarAuthorization().Returns(Observable.Return(false));
ViewModel.GetStarted.Execute();
TestScheduler.Start();
AnalyticsService.CalendarOnboardingStarted.Received().Track();
}
/// <summary>
/// Регистрация разрешений для текущего пользователя
/// </summary>
/// <param name="kernel">Ядро ninject</param>
/// <param name="user">Пользователь</param>
public void RegisterPermissionsForUser(IKernel kernel, UserModel user)
{
CurrentUser = user;
IMapperInject mapper = kernel.Get <IMapperInject>();
UserPermissions = mapper.Map <List <PermissionDataContract>, List <PermissionModel> >(
PermissionsService.GetPermissionsCollectionByPosition(mapper
.Map <PositionModel, PositionDataContract>(user.Position)).Result.ToList());
}
public async Task DoesNotRequestNotificationsPermissionIfCalendarPermissionWasNotGranted()
{
PermissionsService.RequestCalendarAuthorization().Returns(Observable.Return(false));
NavigationService.Navigate <SelectUserCalendarsViewModel, string[]>().Returns(new string[0]);
await ViewModel.GetStartedAction.Execute(Unit.Default);
await PermissionsService.DidNotReceive().RequestNotificationAuthorization();
}
public async Task SetsCalendarOnboardingAsCompletedIfUserWantsToContinueWithoutGivingPermission()
{
PermissionsService.RequestCalendarAuthorization().Returns(Observable.Return(false));
NavigationService.Navigate <CalendarPermissionDeniedViewModel, Unit>().Returns(Unit.Default);
await ViewModel.GetStartedAction.Execute(Unit.Default);
OnboardingStorage.Received().SetCompletedCalendarOnboarding();
}
public ActionResult <Appointment> UpdateAppointment(string id, Appointment appointment)
{
if (PermissionsService.AllowEditAppointment(CurrentUser, appointment))
{
DataStorage.UpdateAppointment(appointment);
return(Ok(new { Message = "Success" }));
}
return(BadRequest(new { ErrorText = "Not Allowed" }));
}
public async Task SetsCalendarOnboardingAsCompletedIfUserGrantsAccess()
{
PermissionsService.RequestCalendarAuthorization().Returns(Observable.Return(true));
NavigationService.Navigate <SelectUserCalendarsViewModel, string[]>().Returns(new string[0]);
ViewModel.GetStarted.Execute(Unit.Default);
OnboardingStorage.Received().SetCompletedCalendarOnboarding();
}
public async Task SetsTheNotificationPropertyAfterAskingForPermission(bool permissionWasGiven)
{
PermissionsService.RequestCalendarAuthorization().Returns(Observable.Return(true));
NavigationService.Navigate <SelectUserCalendarsViewModel, string[]>().Returns(new string[0]);
PermissionsService.RequestNotificationAuthorization().Returns(Observable.Return(permissionWasGiven));
await ViewModel.GetStartedAction.Execute(Unit.Default);
UserPreferences.Received().SetCalendarNotificationsEnabled(Arg.Is(permissionWasGiven));
}
public async Task RequestsNotificationsPermissionIfCalendarPermissionWasGranted()
{
PermissionsService.RequestCalendarAuthorization().Returns(Observable.Return(true));
NavigationService.Navigate <SelectUserCalendarsViewModel, string[]>().Returns(new string[0]);
ViewModel.GetStarted.Execute(Unit.Default);
TestScheduler.Start();
await PermissionsService.Received().RequestNotificationAuthorization();
}
public void PermissionsService_GetUserPermissionsForGroupAsync_ThrowsIfPermissionsDataProviderNull()
{
var permissionsDataProviderLogger = new Moq.Mock <ILogger <PermissionsDataProvider> >().Object;
var permissionsServiceLogger = new Moq.Mock <ILogger <PermissionsService> >().Object;
var groupDataProvider = new Moq.Mock <IGroupDataProvider>().Object;
var rolesDataProvider = new Moq.Mock <IRolesDataProvider>().Object;
_ = new PermissionsService(rolesDataProvider, null, permissionsServiceLogger, groupDataProvider);
}
public ActionResult <Appointment> DeleteAppointment(string id)
{
var appointment = DataStorage.GetAppointment(id);
if (PermissionsService.AllowEditAppointment(CurrentUser, appointment))
{
DataStorage.DeleteAppointment(appointment);
return(Ok(new { Message = "Success" }));
}
return(BadRequest(new { ErrorText = "Not Allowed" }));
}
public async Task DoesNotNavigateToTheSelectUserCalendarsViewModelWhenThereAreNoCalendars()
{
PermissionsService.RequestCalendarAuthorization().Returns(Observable.Return(true));
InteractorFactory.GetUserCalendars().Execute().Returns(
Observable.Return(new UserCalendar[0])
);
await ViewModel.GetStartedAction.Execute(Unit.Default);
await NavigationService.DidNotReceive().Navigate <SelectUserCalendarsViewModel, string[]>();
}
public void PermissionsServiceTests_Non_Entity_Actions_Dont_Check_Id()
{
//Arrange
var permissionsService = new PermissionsService(_hive, _permissions, _membershipService);
//Assert
// Child content node has a BackOffice permission defined and set to Deny where system root has one set to Allow
// because BackOfficeAccess permission is not an entity action, it should go straight to checking the system root
// so should come back as allow.
Assert.IsTrue(permissionsService.GetEffectivePermission(new Guid(FixedPermissionIds.BackOfficeAccess), _userId, _childContentNode.Id).IsAllowed());
}
public HwiServer(ITransport transport,
IPermissionPrompt permissionPrompt,
RateLimitService rateLimitService,
PermissionsService permissionsService,
ILoggerFactory loggerFactory)
{
Transport = transport;
_permissionPrompt = permissionPrompt;
_rateLimitService = rateLimitService;
_permissionsService = permissionsService;
_logger = loggerFactory.CreateLogger(LoggerNames.HwiServer);
}
public async Task NavigatesToTheSelectUserCalendarsViewModelWhenThereAreCalendars()
{
PermissionsService.RequestCalendarAuthorization().Returns(Observable.Return(true));
InteractorFactory.GetUserCalendars().Execute().Returns(
Observable.Return(new UserCalendar[] { new UserCalendar() })
);
await ViewModel.GetStartedAction.Execute(Unit.Default);
await NavigationService
.Received()
.Navigate <SelectUserCalendarsViewModel, bool, string[]>(Arg.Any <bool>());
}
public async Task EmitsFalseWhenUserWantsToContinueWithoutCalendarAccess()
{
OnboardingStorage.CompletedCalendarOnboarding().Returns(false);
var observer = TestScheduler.CreateObserver <bool>();
ViewModel.ShouldShowOnboarding.Subscribe(observer);
PermissionsService.RequestCalendarAuthorization().Returns(Observable.Return(false));
NavigationService.Navigate <CalendarPermissionDeniedViewModel, Unit>().Returns(Unit.Default);
ViewModel.GetStarted.Execute();
TestScheduler.Start();
observer.Messages.Select(message => message.Value.Value).AssertEqual(true, false);
}
