public async Task <PermissionApiModel> AddPermission(string accessToken, PermissionApiModel permissionModel)
{
var message = new HttpRequestMessage(HttpMethod.Post, new PermissionRouteBuilder().Route)
.AddContent(permissionModel)
.AddAcceptHeader()
.AddBearerToken(accessToken);
return(await SendAndParseJson <PermissionApiModel>(message).ConfigureAwait(false));
}
public void Test_Delete_Success()
{
// Adding permission
var modifyPatientPermission = new PermissionApiModel()
{
Grain = "app",
SecurableItem = "userprincipal",
Name = "modifypatient",
PermissionAction = PermissionAction.Allow
};
string subjectId = "userprincipal";
this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
var perms = new List <PermissionApiModel> {
modifyPatientPermission
};
with.JsonBody(perms);
}).Wait();
// Get the permissions
var get = this.Browser.Get("/user/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
}).Result;
Assert.Equal(HttpStatusCode.OK, get.StatusCode);
var permissions = get.Body.DeserializeJson <UserPermissionsApiModel>();
Assert.Contains("app/userprincipal.modifypatient", permissions.Permissions);
//delete the permission
this.Browser.Delete($"/user/{IdentityProvider}/{subjectId}/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
var perms = new List <PermissionApiModel> {
modifyPatientPermission
};
with.JsonBody(perms);
}).Wait();
// Get the permissions
get = this.Browser.Get("/user/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
}).Result;
Assert.Equal(HttpStatusCode.OK, get.StatusCode);
permissions = get.Body.DeserializeJson <UserPermissionsApiModel>();
Assert.DoesNotContain("app/userprincipal.modifypatient", permissions.Permissions);
}
public void Test_Delete_UserHasNoGranularPermissions()
{
// Get the permissions
var get = this.Browser.Get("/user/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
}).Result;
Assert.Equal(HttpStatusCode.OK, get.StatusCode);
var permissions = get.Body.DeserializeJson <UserPermissionsApiModel>();
Assert.Equal(0, permissions.Permissions.Count());
var modifyPatientPermission = new PermissionApiModel()
{
Grain = "app",
SecurableItem = "userprincipal",
Name = "modifypatient",
PermissionAction = PermissionAction.Allow
};
string subjectId = "userprincipal";
//attempt to delete a permission the user does not have
var deleteRequest = this.Browser.Delete($"/user/{IdentityProvider}/{subjectId}/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
var perms = new List <PermissionApiModel> {
modifyPatientPermission
};
with.JsonBody(perms);
}).Result;
Assert.Equal(HttpStatusCode.BadRequest, deleteRequest.StatusCode);
Assert.Contains("Invalid allow permissions: app/userprincipal.modifypatient", deleteRequest.Body.AsString());
Assert.DoesNotContain("Invalid allow permission actions", deleteRequest.Body.AsString());
}
public void TestUserDeniedPermissionHasPrecedence_Success()
{
// Adding permissions
var post = this.Browser.Post("/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
with.FormValue("Grain", "app");
with.FormValue("SecurableItem", "userprincipal");
with.FormValue("Name", "viewpatient");
}).Result;
var viewPatientPermission = post.Body.DeserializeJson <PermissionApiModel>();
post = this.Browser.Post("/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
with.FormValue("Grain", "app");
with.FormValue("SecurableItem", "userprincipal");
with.FormValue("Name", "editpatient");
}).Result;
var editPatientPermission = post.Body.DeserializeJson <PermissionApiModel>();
// Adding roles
var role = new RoleApiModel()
{
Grain = "app",
SecurableItem = "userprincipal",
Name = "viewer",
Permissions = new List <PermissionApiModel> {
viewPatientPermission
}
};
post = this.Browser.Post("/roles", with => // -3
{
with.HttpRequest();
with.Header("Accept", "application/json");
with.JsonBody(role);
}).Result;
var viewerRole = post.Body.DeserializeJson <RoleApiModel>();
post = this.Browser.Post("/roles", with => // -2
{
with.HttpRequest();
with.Header("Accept", "application/json");
role.Name = "editor";
role.Permissions = new List <PermissionApiModel> {
editPatientPermission
};
with.JsonBody(role);
}).Result;
var editorRole = post.Body.DeserializeJson <RoleApiModel>();
// Adding groups
this.Browser.Post("/groups", with =>
{
with.HttpRequest();
with.FormValue("Id", Group1);
with.FormValue("GroupName", Group1);
with.FormValue("GroupSource", Source1);
with.Header("Accept", "application/json");
}).Wait();
this.Browser.Post("/groups", with =>
{
with.HttpRequest();
with.FormValue("Id", Group2);
with.FormValue("GroupName", Group2);
with.FormValue("GroupSource", Source2);
with.Header("Accept", "application/json");
}).Wait();
this.Browser.Post($"/groups/{Group1}/roles", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
with.FormValue("Id", viewerRole.Identifier);
}).Wait();
this.Browser.Post($"/groups/{Group2}/roles", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
with.FormValue("Id", editorRole.Identifier);
}).Wait();
// Adding same permission to blacklist and whitellist
string subjectId = "userprincipal";
editPatientPermission.PermissionAction = PermissionAction.Deny;
this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
var perms = new List <PermissionApiModel> {
editPatientPermission
};
with.JsonBody(perms);
}).Wait();
var modifyPatientPermission = new PermissionApiModel()
{
Grain = "app",
SecurableItem = "userprincipal",
Name = "modifypatient"
};
modifyPatientPermission.PermissionAction = PermissionAction.Allow;
this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
var perms = new List <PermissionApiModel> {
editPatientPermission, modifyPatientPermission
};
with.JsonBody(perms);
}).Wait();
// Get the permissions
var get = this.Browser.Get("/user/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
}).Result;
Assert.Equal(HttpStatusCode.OK, get.StatusCode);
var permissions = get.Body.DeserializeJson <UserPermissionsApiModel>();
Assert.Contains("app/userprincipal.viewpatient", permissions.Permissions); // from role
Assert.Contains("app/userprincipal.modifypatient", permissions.Permissions); // only whitelisted
Assert.DoesNotContain("app/userprincipal.editpatient", permissions.Permissions); // from role & backlisted & whitelisted
Assert.Equal(2, permissions.Permissions.Count());
// Deny modifypatient and try again
modifyPatientPermission.PermissionAction = PermissionAction.Deny;
this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
var perms = new List <PermissionApiModel>()
{
editPatientPermission, modifyPatientPermission
};
with.JsonBody(perms);
}).Wait();
get = this.Browser.Get("/user/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
}).Result;
Assert.Equal(HttpStatusCode.OK, get.StatusCode);
permissions = get.Body.DeserializeJson <UserPermissionsApiModel>();
Assert.Contains("app/userprincipal.viewpatient", permissions.Permissions); // from role
Assert.DoesNotContain("app/userprincipal.modifypatient", permissions.Permissions); // backlisted & whitelisted
Assert.DoesNotContain("app/userprincipal.editpatient", permissions.Permissions); // from role & backlisted & whitelisted
Assert.Equal(1, permissions.Permissions.Count());
}
public void TestUserWhitelist_Success()
{
// Adding permissions
var post = this.Browser.Post("/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
with.FormValue("Grain", "app");
with.FormValue("SecurableItem", "userprincipal");
with.FormValue("Name", "viewpatient");
}).Result;
var viewPatientPermission = post.Body.DeserializeJson <PermissionApiModel>();
post = this.Browser.Post("/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
with.FormValue("Grain", "app");
with.FormValue("SecurableItem", "userprincipal");
with.FormValue("Name", "editpatient");
}).Result;
var editPatientPermission = post.Body.DeserializeJson <PermissionApiModel>();
// Adding roles
var role = new RoleApiModel()
{
Grain = "app",
SecurableItem = "userprincipal",
Name = "viewer",
Permissions = new List <PermissionApiModel> {
viewPatientPermission
}
};
post = this.Browser.Post("/roles", with => // -3
{
with.HttpRequest();
with.Header("Accept", "application/json");
with.JsonBody(role);
}).Result;
var viewerRole = post.Body.DeserializeJson <RoleApiModel>();
post = this.Browser.Post("/roles", with => // -2
{
with.HttpRequest();
with.Header("Accept", "application/json");
role.Name = "editor";
role.Permissions = new List <PermissionApiModel> {
editPatientPermission
};
with.JsonBody(role);
}).Result;
var editorRole = post.Body.DeserializeJson <RoleApiModel>();
// Adding groups
this.Browser.Post("/groups", with =>
{
with.HttpRequest();
with.FormValue("Id", Group1);
with.FormValue("GroupName", Group1);
with.FormValue("GroupSource", Source1);
with.Header("Accept", "application/json");
}).Wait();
this.Browser.Post("/groups", with =>
{
with.HttpRequest();
with.FormValue("Id", Group2);
with.FormValue("GroupName", Group2);
with.FormValue("GroupSource", Source2);
with.Header("Accept", "application/json");
}).Wait();
this.Browser.Post($"/groups/{Group1}/roles", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
with.FormValue("Id", viewerRole.Identifier);
}).Wait();
this.Browser.Post($"/groups/{Group2}/roles", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
with.FormValue("Id", editorRole.Identifier);
}).Wait();
// Adding permission (user also can modify patient, even though role doesn't)
var modifyPatientPermission = new PermissionApiModel()
{
Grain = "app",
SecurableItem = "userprincipal",
Name = "modifypatient",
PermissionAction = PermissionAction.Allow
};
string subjectId = "userprincipal";
this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
var perms = new List <PermissionApiModel> {
modifyPatientPermission
};
with.JsonBody(perms);
}).Wait();
// Get the permissions
var get = this.Browser.Get("/user/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
}).Result;
Assert.Equal(HttpStatusCode.OK, get.StatusCode);
var permissions = get.Body.DeserializeJson <UserPermissionsApiModel>();
Assert.Contains("app/userprincipal.editpatient", permissions.Permissions);
Assert.Contains("app/userprincipal.viewpatient", permissions.Permissions);
Assert.Contains("app/userprincipal.modifypatient", permissions.Permissions);
Assert.Equal(3, permissions.Permissions.Count());
}
public void Test_Delete_WrongPermissionAction_InvalidPermission()
{
var modifyPatientPermission = new PermissionApiModel()
{
Grain = "app",
SecurableItem = "userprincipal",
Name = "modifypatient",
PermissionAction = PermissionAction.Allow
};
string subjectId = "userprincipal";
this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
var perms = new List <PermissionApiModel> {
modifyPatientPermission
};
with.JsonBody(perms);
}).Wait();
// Get the permissions
var get = this.Browser.Get("/user/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
}).Result;
Assert.Equal(HttpStatusCode.OK, get.StatusCode);
var permissions = get.Body.DeserializeJson <UserPermissionsApiModel>();
Assert.Contains("app/userprincipal.modifypatient", permissions.Permissions);
//attempt to delete modifyPatientPermission with permission action Deny and include an invalid permission
modifyPatientPermission.PermissionAction = PermissionAction.Deny;
var deletePatientPermission = new PermissionApiModel()
{
Grain = "app",
SecurableItem = "userprincipal",
Name = "deletepatient",
PermissionAction = PermissionAction.Allow
};
var deleteRequest = this.Browser.Delete($"/user/{IdentityProvider}/{subjectId}/permissions", with =>
{
with.HttpRequest();
with.Header("Accept", "application/json");
var perms = new List <PermissionApiModel> {
modifyPatientPermission, deletePatientPermission
};
with.JsonBody(perms);
}).Result;
Assert.Equal(HttpStatusCode.BadRequest, deleteRequest.StatusCode);
Assert.Contains("Invalid deny permission actions: app/userprincipal.modifypatient", deleteRequest.Body.AsString());
Assert.DoesNotContain("Invalid deny permissions", deleteRequest.Body.AsString());
Assert.Contains("Invalid allow permissions: app/userprincipal.deletepatient", deleteRequest.Body.AsString());
Assert.DoesNotContain("Invalid allow permission actions", deleteRequest.Body.AsString());
}
