public void Arrange()
{
_mockAuthenticationService = new Mock <IAuthenticationService>();
MockActionDescriptor = new Mock <ActionDescriptor>();
ActionExecutingContext = new ActionExecutingContext {
ActionDescriptor = MockActionDescriptor.Object
};
MockAuthorizationService = new Mock <IAuthorizationService>();
ActionOptions = new string[0];
ControllerOptions = new string[0];
_config = new EmployerAccountsConfiguration()
{
SupportConsoleUsers = _supportConsoleUsers
};
MockActionDescriptor.Setup(d => d.ControllerDescriptor.ControllerName).Returns(Guid.NewGuid().ToString());
MockActionDescriptor.Setup(d => d.ControllerDescriptor.GetCustomAttributes(typeof(DasAuthorizeAttribute), true)).Returns(new object[] { });
MockActionDescriptor.Setup(d => d.ActionName).Returns(Guid.NewGuid().ToString());
MockActionDescriptor.Setup(d => d.GetCustomAttributes(typeof(DasAuthorizeAttribute), true)).Returns(new object[] { });
AuthorizationFilter = new AuthorizationFilter(() => MockAuthorizationService.Object);
ActionOptions = new[] { "Action.Option" };
MockActionDescriptor.Setup(d => d.GetCustomAttributes(typeof(DasAuthorizeAttribute), true)).Returns(new object[] { new DasAuthorizeAttribute(ActionOptions) });
mockContext.Setup(htx => htx.Request).Returns(mockRequest.Object);
mockContext.Setup(htx => htx.Response).Returns(mockResponse.Object);
}
public void TestAuthFilterWithValidHeader()
{
var logicMock = new Mock <IUserManagement>(MockBehavior.Strict);
AuthorizationFilter authFilter = new AuthorizationFilter(logicMock.Object);
string token = Guid.NewGuid().ToString();
logicMock.Setup(x => x.IsLogued(token)).Returns(true);
var modelState = new ModelStateDictionary();
var httpContext = new DefaultHttpContext();
httpContext.Request.Headers["token"] = token;
var context = new AuthorizationFilterContext(
new ActionContext(httpContext: httpContext,
routeData: new Microsoft.AspNetCore.Routing.RouteData(),
actionDescriptor: new ActionDescriptor(),
modelState: modelState),
new List <IFilterMetadata>());
authFilter.OnAuthorization(context);
ContentResult response = context.Result as ContentResult;
Assert.IsNull(response);
}
public AuthorizationFilterTests()
{
_actionInfoMock = new Mock <MethodInfo>();
_controllerInfoMock = new Mock <TypeInfo>();
_httpContextMock = new Mock <HttpContext>();
_httpRequestMock = new Mock <HttpRequest>();
_httpHeadersMock = new Mock <IHeaderDictionary>();
_claimsIdentityMock = new Mock <ClaimsIdentity>();
_accessTokenManagerMock = new Mock <IAccessTokenManager>();
_httpRequestMock.Setup(x => x.Headers).Returns(_httpHeadersMock.Object);
_httpContextMock.Setup(x => x.Request).Returns(_httpRequestMock.Object);
_actionContext = new ActionContext
{
ActionDescriptor = new ControllerActionDescriptor
{
MethodInfo = _actionInfoMock.Object,
ControllerTypeInfo = _controllerInfoMock.Object
},
HttpContext = _httpContextMock.Object,
RouteData = new RouteData()
};
_filter = new AuthorizationFilter(_accessTokenManagerMock.Object);
}
public void TestAuthFilterWithInvalidHeader()
{
var logicMock = new Mock <IUserLogic>(MockBehavior.Strict);
AuthorizationFilter authFilter = new AuthorizationFilter(logicMock.Object);
string token = "qwert123yu5i4o6p87";
logicMock.Setup(x => x.IsLogued(token)).Returns(false);
var modelState = new ModelStateDictionary();
var httpContext = new DefaultHttpContext();
httpContext.Request.Headers["token"] = "qwert123yu5i4o6p87";
var context = new AuthorizationFilterContext(
new ActionContext(httpContext: httpContext,
routeData: new Microsoft.AspNetCore.Routing.RouteData(),
actionDescriptor: new ActionDescriptor(),
modelState: modelState),
new List <IFilterMetadata>());
authFilter.OnAuthorization(context);
ContentResult response = context.Result as ContentResult;
Assert.AreEqual(403, response.StatusCode);
}
public AuthorizationFilterTests()
{
ActionContext action = new ActionContext(Substitute.For <HttpContext>(), new RouteData(), new ActionDescriptor());
context = new ResourceExecutingContext(action, Array.Empty <IFilterMetadata>(), Array.Empty <IValueProviderFactory>());
authorization = Substitute.For <IAuthorization>();
filter = new AuthorizationFilter(authorization);
}
public AuthorizationFilterTests()
{
ActionContext action = new(Substitute.For <HttpContext>(), new RouteData(), new ActionDescriptor());
context = new AuthorizationFilterContext(action, Array.Empty <IFilterMetadata>());
authorization = Substitute.For <IAuthorization>();
filter = new AuthorizationFilter(authorization);
}
private static int _id; //to generate unique key
#endregion Fields
#region Constructors
public DynamicActivityGrant(Activity activity, AuthorizationFilter filter = null,
string documentKey = null, AuthorizationFilter initialCheckFilter = null)
: base(activity, filter)
{
DocumentKey = documentKey;
InitialCheckFilter = initialCheckFilter;
Key = "%%AuthDynamicEnablement%%" + Activity.Name;
Key += "." + (_id++); //to garantee uniqueness
}
public void Grant(AuthorizationFilter filter, params Permission[] permissions)
{
Util.Check(permissions != null && permissions.Length > 0, "Role.Grant: Permission list is empty");
// Create an activity
var name = permissions[0].Name;
if (permissions.Length > 1)
name += "**";
var act = new Activity(name, permissions);
Grant(filter, act);
}
public void OnAuthorization(AuthorizationContext filterContext)
{
var metadata = LogCall(Guid);
var watch = new Stopwatch();
watch.Start();
AuthorizationFilter.OnAuthorization(filterContext);
watch.Stop();
metadata.ExecutionTime = watch.Elapsed;
}
public AuthorizationFilterFacts()
{
_context = new Mock <IOwinContext>();
_authentication = new Mock <IAuthenticationManager>();
_principal = new ClaimsPrincipal();
_authentication.Setup(x => x.User).Returns(_principal);
_context.Setup(x => x.Authentication).Returns(_authentication.Object);
_filter = new AuthorizationFilter(x => _context.Object);
}
public void OnActionExecuting_WhenActionIsExecutingAndControllerIsDecoratedWithDasAuthorizeAttributeAndControllerOptionsAreNotAuthorized_ThenReturnStatusCodeForbidden(string role)
{
//Arrange
_mockAuthenticationService.Setup(m => m.HasClaim(ClaimsIdentity.DefaultRoleClaimType, role)).Returns(true);
//Act
AuthorizationFilter.OnActionExecuting(ActionExecutingContext);
//Assert
var httpStatusCodeResult = ActionExecutingContext.Result as HttpStatusCodeResult;
Assert.That(httpStatusCodeResult, Is.Not.Null);
Assert.AreEqual(httpStatusCodeResult.StatusCode, (int)HttpStatusCode.Forbidden);
}
public void OnAuthorizationDoesNotTouchResultIfRequestIsAuthenticated()
{
AuthorizationContext context = new AuthorizationContext()
{
HttpContext = new FakeHttpContext("~/Secure")
};
(context.HttpContext.Request as FakeHttpRequest).RequestIsAuthenticated = true;
AuthorizationFilter filter = new AuthorizationFilter(new RouteCollection());
filter.OnAuthorization(context);
Assert.Null(context.Result);
}
public void OnAuthorization(AuthorizationContext filterContext)
{
var metadata = LogCall(Guid);
var watch = new Stopwatch();
watch.Start();
using (GlimpseTimer.Start("Executing: Authorization Filter", "Filter", AuthorizationFilter.GetType().Name))
{
AuthorizationFilter.OnAuthorization(filterContext);
}
watch.Stop();
metadata.ExecutionTime = watch.Elapsed;
}
public void OnAuthorizationRedirectsToSignInWithReturnUrlIfRequestIsNotAuthenticated()
{
AuthorizationContext context = new AuthorizationContext()
{
HttpContext = new FakeHttpContext(new Uri("http://foo.com/Secure"), "~/Secure")
};
RouteCollection routes = new RouteCollection();
routes.Add("SignIn", new Route("SignIn", null));
AuthorizationFilter filter = new AuthorizationFilter(routes);
filter.OnAuthorization(context);
RedirectResult result = context.Result as RedirectResult;
Assert.NotNull(result);
Assert.Equal("/SignIn?ReturnUrl=%2FSecure", result.Url);
}
public void TestAuthFilterWithoutHeader()
{
var logicMock = new Mock <ISessionLogic>(MockBehavior.Strict);
AuthorizationFilter authFilter = new AuthorizationFilter(logicMock.Object);
var modelState = new ModelStateDictionary();
var httpContext = new DefaultHttpContext();
var context = new AuthorizationFilterContext(
new ActionContext(httpContext: httpContext,
routeData: new Microsoft.AspNetCore.Routing.RouteData(),
actionDescriptor: new ActionDescriptor(),
modelState: modelState),
new List <IFilterMetadata>());
authFilter.OnAuthorization(context);
ContentResult response = context.Result as ContentResult;
Assert.AreEqual(401, response.StatusCode);
}
public readonly Role SelfServiceEditor; // can edit his/her own login
#endregion Fields
#region Constructors
internal LoginAuthorization()
{
AdministrationControllerPermission = new ObjectAccessPermission("LoginAdministrationControllerPermission", AccessType.ApiAll, typeof(LoginAdministrationController));
// entities we need to protect - only user himself (or superadmin) can edit these:
var myLoginData = new EntityGroupResource("LoginEntities",
typeof(ILogin), typeof(ILoginExtraFactor), typeof(ITrustedDevice), typeof(ISecretQuestionAnswer));
var myLoginDataFilter = new AuthorizationFilter("MyLoginData");
myLoginDataFilter.Add<ILogin, Guid>((lg, userId) => lg.UserId == userId);
myLoginDataFilter.Add<ILoginExtraFactor, Guid>((f, userId) => f.Login.UserId == userId);
myLoginDataFilter.Add<ITrustedDevice, Guid>((d, userId) => d.Login.UserId == userId);
myLoginDataFilter.Add<ISecretQuestionAnswer, Guid>((a, userId) => a.Login.UserId == userId);
var selfServiceEditPermission = new EntityGroupPermission("LoginSelfServiceEdit", AccessType.CRUD, myLoginData);
LoginEditActivity = new Activity("LoginEdit", selfServiceEditPermission);
SelfServiceEditor = new Role("LoginSelfServiceEditor");
SelfServiceEditor.Grant(myLoginDataFilter, LoginEditActivity);
LoginAdministrator = new Role("LoginAdministrator", LoginEditActivity); // unrestricted edit of any record
LoginAdministrator.Grant(AdministrationControllerPermission);
//Api
}
internal LoginAuthorizationRoles()
{
AdministrationControllerPermission = new ObjectAccessPermission("LoginAdministrationControllerPermission", AccessType.ApiAll, typeof(LoginAdministrationController));
// entities we need to protect - only user himself (or superadmin) can edit these:
var myLoginData = new EntityGroupResource("LoginEntities",
typeof(ILogin), typeof(ILoginExtraFactor), typeof(ITrustedDevice), typeof(ISecretQuestionAnswer), typeof(IPasswordHistory));
var myLoginDataFilter = new AuthorizationFilter("MyLoginData");
myLoginDataFilter.Add <ILogin, Guid>((lg, userId) => lg.UserId == userId);
myLoginDataFilter.Add <ILoginExtraFactor, Guid>((f, userId) => f.Login.UserId == userId);
myLoginDataFilter.Add <IPasswordHistory, Guid>((ph, userId) => ph.Login.UserId == userId);
myLoginDataFilter.Add <ITrustedDevice, Guid>((d, userId) => d.Login.UserId == userId);
myLoginDataFilter.Add <ISecretQuestionAnswer, Guid>((a, userId) => a.Login.UserId == userId);
var selfServiceEditPermission = new EntityGroupPermission("LoginSelfServiceEdit", AccessType.CRUD, myLoginData);
LoginEditActivity = new Activity("LoginEdit", selfServiceEditPermission);
SelfServiceEditor = new Role("LoginSelfServiceEditor");
SelfServiceEditor.Grant(myLoginDataFilter, LoginEditActivity);
LoginAdministrator = new Role("LoginAdministrator", LoginEditActivity); // unrestricted edit of any record
LoginAdministrator.Grant(AdministrationControllerPermission);
//Api
}
public void Grant(AuthorizationFilter filter, params Activity[] activities)
{
foreach (var act in activities)
ActivityGrants.Add(new ActivityGrant(act, filter));
}
public void TestInitialize()
{
AuthorizationFilter = new AuthorizationFilter();
}
//LoginModule is used to retrieve some authorization roles of login module and add them to book store role(s)
public BooksAuthorization(BooksEntityApp app, LoginModule loginModule)
{
_app = app;
// Data filters
// 'userid' value will be automatically injected by runtime when evaluating lambdas
var userDataFilter = new AuthorizationFilter("UserData");
userDataFilter.Add<IUser, Guid>((u, userId) => u.Id == userId);
userDataFilter.Add<IBookOrder, Guid>((bo, userId) => bo.User.Id == userId);
userDataFilter.Add<IBookOrderLine, Guid>((ol, userId) => ol.Order.User.Id == userId);
userDataFilter.Add<IBookReview, Guid>((r, userId) => r.User.Id == userId);
// Author data filter.
var authorDataFilter = new AuthorizationFilter("AuthorData");
// Simple case. IAuthor record is matched by filter if IAuthor.User.Id == Current-user-Id
// Note that IAuthor.User might be null - but it's OK to use 'a.User.Id' - the lambda is rewritten
// with extra safe conditionals to allow these expressions
authorDataFilter.Add<IAuthor, Guid>((a, userId) => a.User.Id == userId);
// More complex case. We provide an expression that checks if userId matches Id of any author of a book.
// Option 1 - checking book.Authors list, this requires loading list of ALL authors
// authorDataFilter.Add<IBook, Guid>((b, userId) => (b.Authors.Any(a => a.User.Id == userId)));
// Option 2 - Making LINQ query, using Exists<> helper method, it loads a single record
authorDataFilter.Add<IBook, OperationContext, Guid>((b, ctx, userId) => ctx.Exists<IBookAuthor>(
ba => ba.Author.User.Id == userId && ba.Book.Id == b.Id));
// BookOrder filter for adjusting order by StoreManager
var adjustOrderFilter = new AuthorizationFilter("OrderToAdjust");
adjustOrderFilter.Add<IBookOrder, Guid>((bo, adjustedOrderId) => bo.Id == adjustedOrderId);
adjustOrderFilter.Add<IBookOrderLine, Guid>((line, adjustedOrderId) => line.Order.Id == adjustedOrderId);
// Customer/users data filter. CustomerSupport role allows access only to users who are Customers or Authors (not employees)
// Here we demo use of data filter expression for pre-filtering users in queries.
// When customer support person queries users, the filter 'u.Type==UserType.Customer' will be automatically injected into the LINQ query
// We also add another filter for authors - the final filter will be OR of both
var custSupportUserFilter = new AuthorizationFilter("CustomerSupportUsers");
custSupportUserFilter.Add<IUser>(u => u.Type == UserType.Customer, FilterUse.Entities | FilterUse.Query);
// just for testing filter combinations, we add another filter for users that are authors.
// both filters will be combined (using OR), and whenever customer support person queries users, he will get only Customer and Author users
var custSupportAuthorUserFilter = new AuthorizationFilter("CustomerSupportAuthorUsers");
custSupportAuthorUserFilter.Add<IUser>(u => u.Type == UserType.Author, FilterUse.All);
//Entity resources
var books = new EntityGroupResource("Books", typeof(IBook), typeof(IBookAuthor), typeof(IAuthor), typeof(IImage));
var publishers = new EntityGroupResource("Publishers", typeof(IPublisher));
var orders = new EntityGroupResource("Orders", typeof(IBookOrder), typeof(IBookOrderLine));
var reviews = new EntityGroupResource("BookReviews", typeof(IBookReview));
var users = new EntityGroupResource("Users", typeof(IUser));
var authorEditData = new EntityGroupResource("AuthorEditData");
authorEditData.Add(typeof(IAuthor), "Bio");
authorEditData.Add<IBook>(b => b.Description, b => b.Abstract);
//authorEditData.Add(typeof(IBook), "Description,Abstract"); //-- alternative way
var coupons = new EntityGroupResource("Coupons", typeof(ICoupon));
var couponAppliedOn = new EntityGroupResource("CouponAppliedOn");
couponAppliedOn.Add<ICoupon>(c => c.AppliedOn);
//Permissions
var browseBooks = new EntityGroupPermission("BrowseBooks", AccessType.Read, books, publishers);
var createOrders = new EntityGroupPermission("CreateOrders", AccessType.CRUD, orders);
var viewOrders = new EntityGroupPermission("ViewOrders", AccessType.Read, orders);
var browseReviews = new EntityGroupPermission("BrowseReviews", AccessType.Read, reviews);
var writeReviews = new EntityGroupPermission("WriteReviews", AccessType.CRUD, reviews);
var editBooks = new EntityGroupPermission("EditBooks", AccessType.CRUD, books);
var deleteReviews = new EntityGroupPermission("DeleteReviews", AccessType.Read | AccessType.Delete, reviews);
var editPublishers = new EntityGroupPermission("EditPublishers", AccessType.CRUD, publishers);
var editByAuthor = new EntityGroupPermission("EditByAuthor", AccessType.Update, authorEditData);
var editUsers = new EntityGroupPermission("EditUsers", AccessType.CRUD, users);
var viewUsers = new EntityGroupPermission("ViewUsers", AccessType.Read, users);
var adjustOrder = new EntityGroupPermission("AdjustOrder", AccessType.Read | AccessType.Update | AccessType.Delete, orders);
// We grant Peek permission here for Coupons. The app code can find a coupon by code, but user cannot see it
// (no READ permission) or see any coupons. User receives coupon in email, and uses it when buying a book.
// System looks up the coupon code and applies the discount. But user cannot never see any coupons in the system.
var lookupCoupon = new EntityGroupPermission("LookupCoupon", AccessType.Peek, coupons);
//permission to update ICoupon.AppliedOn property - we set it when user uses coupon
var useCoupon = new EntityGroupPermission("UseCoupon", AccessType.UpdateStrict, couponAppliedOn);
var manageCoupons = new EntityGroupPermission("ManageCoupons", AccessType.CRUD, coupons);
//Activities
var browsing = new Activity("Browsing", browseBooks, browseReviews);
var shopping = new Activity("Shopping", createOrders, lookupCoupon, useCoupon);
var writingReviews = new Activity("Reviewing", writeReviews);
var editingUserInfo = new Activity("EditingUserInfo", editUsers);
var viewingUserInfo = new Activity("ViewingUserInfo", editUsers);
var viewingOrders = new Activity("ViewingOrders", viewOrders, lookupCoupon);
var bookEditing = new Activity("BookEditing", editBooks);
var editingByAuthor = new Activity("EditingByAuthor", editByAuthor);
var managingStore = new Activity("ManagingStore", editPublishers, manageCoupons);
var moderatingReviews = new Activity("ModeratingReviews", deleteReviews);
var adjustingOrders = new Activity("AdjustingOrders", adjustOrder);
// Controller permissions
CallUserAccountController = new ObjectAccessPermission("CallUserAccountController", AccessType.ApiAll,
typeof(Vita.Samples.BookStore.Api.UserAccountController));
//Roles
//Browse books and reviews;
AnonymousUser = new Role("AnonymousUser", browsing);
// Customer - view/edit orders only for current user; edit reviews only created by current user
Customer = new Role("Customer");
Customer.ChildRoles.Add(AnonymousUser);
Customer.Grant(CallUserAccountController);
Customer.Grant(userDataFilter, shopping, writingReviews, editingUserInfo);
BookEditor = new Role("BookEditor", browsing, bookEditing);
Author = new Role("Author");
Author.ChildRoles.Add(Customer); //author can act as a customer and buy a book
//We save the grant in static field, to explicitly enable the activity at runtime for limited scope
AuthorEditGrant = Author.GrantDynamic(authorDataFilter, editingByAuthor);
//Customer support can view orders and users (only users that are customers!)
CustomerSupport = new Role("CustomerSupport", viewingOrders);
CustomerSupport.Grant(custSupportUserFilter, viewingUserInfo);
CustomerSupport.Grant(custSupportAuthorUserFilter, viewingUserInfo);
//Store manager
StoreManager = new Role("StoreManager", browsing, managingStore, moderatingReviews);
// Store manager is able to adjust orders, but only in the context of dynamic (explicitly started) activity
// When adjusting activity starts, it saves order Id in user context under AdjustedOrderIdKey.
// All records being edited are then verified against this order Id.
// This garantees that during adjustment editing we modify only data for the order that we started adjustment for.
ManagerAdjustOrderGrant = StoreManager.GrantDynamic(adjustOrderFilter, adjustingOrders, AdjustedOrderIdKey);
//Add permission to access LoginAdministration API controller
StoreManager.ChildRoles.Add(loginModule.Authorization.LoginAdministrator);
StoreManager.ChildRoles.Add(Vita.Modules.Logging.LoggingAuthorizationRoles.Instance.LogDataViewerRole);
}
public void ReturnOneMethod(IProxyFactory proxyFactory)
{
AlternateType <IAuthorizationFilter> sut = new AuthorizationFilter(proxyFactory);
Assert.Equal(1, sut.AllMethods.Count());
}
//LoginModule is used to retrieve some authorization roles of login module and add them to book store role(s)
public BooksAuthorization(BooksEntityApp app)
{
_app = app;
var loginRoles = app.GetModule <LoginModule>().Roles;
// Data filters
// 'userid' value will be automatically injected by runtime when evaluating lambdas
var userDataFilter = new AuthorizationFilter("UserData");
userDataFilter.Add <IUser, Guid>((u, userId) => u.Id == userId);
userDataFilter.Add <IBookOrder, Guid>((bo, userId) => bo.User.Id == userId);
userDataFilter.Add <IBookOrderLine, Guid>((ol, userId) => ol.Order.User.Id == userId);
userDataFilter.Add <IBookReview, Guid>((r, userId) => r.User.Id == userId);
// Author data filter.
var authorDataFilter = new AuthorizationFilter("AuthorData");
// Simple case. IAuthor record is matched by filter if IAuthor.User.Id == Current-user-Id
// Note that IAuthor.User might be null - but it's OK to use 'a.User.Id' - the lambda is rewritten
// with extra safe conditionals to allow these expressions
authorDataFilter.Add <IAuthor, Guid>((a, userId) => a.User.Id == userId);
// More complex case. We provide an expression that checks if userId matches Id of any author of a book.
// Option 1 - checking book.Authors list, this requires loading list of ALL authors
// authorDataFilter.Add<IBook, Guid>((b, userId) => (b.Authors.Any(a => a.User.Id == userId)));
// Option 2 - Making LINQ query, using Exists<> helper method, it loads a single record
authorDataFilter.Add <IBook, OperationContext, Guid>((b, ctx, userId) => ctx.Exists <IBookAuthor>(
ba => ba.Author.User.Id == userId && ba.Book.Id == b.Id));
// BookOrder filter for adjusting order by StoreManager
var adjustOrderFilter = new AuthorizationFilter("OrderToAdjust");
adjustOrderFilter.Add <IBookOrder, Guid>((bo, adjustedOrderId) => bo.Id == adjustedOrderId);
adjustOrderFilter.Add <IBookOrderLine, Guid>((line, adjustedOrderId) => line.Order.Id == adjustedOrderId);
// Customer/users data filter. CustomerSupport role allows access only to users who are Customers or Authors (not employees)
// Here we demo use of data filter expression for pre-filtering users in queries.
// When customer support person queries users, the filter 'u.Type==UserType.Customer' will be automatically injected into the LINQ query
// We also add another filter for authors - the final filter will be OR of both
var custSupportUserFilter = new AuthorizationFilter("CustomerSupportUsers");
custSupportUserFilter.Add <IUser>(u => u.Type == UserType.Customer, FilterUse.Entities | FilterUse.Query);
// just for testing filter combinations, we add another filter for users that are authors.
// both filters will be combined (using OR), and whenever customer support person queries users, he will get only Customer and Author users
var custSupportAuthorUserFilter = new AuthorizationFilter("CustomerSupportAuthorUsers");
custSupportAuthorUserFilter.Add <IUser>(u => u.Type == UserType.Author, FilterUse.All);
//Entity resources
var books = new EntityGroupResource("Books", typeof(IBook), typeof(IBookAuthor), typeof(IAuthor), typeof(IImage));
var publishers = new EntityGroupResource("Publishers", typeof(IPublisher));
var orders = new EntityGroupResource("Orders", typeof(IBookOrder), typeof(IBookOrderLine));
var reviews = new EntityGroupResource("BookReviews", typeof(IBookReview));
var users = new EntityGroupResource("Users", typeof(IUser));
var authorEditData = new EntityGroupResource("AuthorEditData");
authorEditData.Add(typeof(IAuthor), "Bio");
authorEditData.Add <IBook>(b => b.Description, b => b.Abstract);
//authorEditData.Add(typeof(IBook), "Description,Abstract"); //-- alternative way
var coupons = new EntityGroupResource("Coupons", typeof(ICoupon));
var couponAppliedOn = new EntityGroupResource("CouponAppliedOn");
couponAppliedOn.Add <ICoupon>(c => c.AppliedOn);
//Permissions
var browseBooks = new EntityGroupPermission("BrowseBooks", AccessType.Read, books, publishers);
var createOrders = new EntityGroupPermission("CreateOrders", AccessType.CRUD, orders);
var viewOrders = new EntityGroupPermission("ViewOrders", AccessType.Read, orders);
var browseReviews = new EntityGroupPermission("BrowseReviews", AccessType.Read, reviews);
var writeReviews = new EntityGroupPermission("WriteReviews", AccessType.CRUD, reviews);
var editBooks = new EntityGroupPermission("EditBooks", AccessType.CRUD, books);
var deleteReviews = new EntityGroupPermission("DeleteReviews", AccessType.Read | AccessType.Delete, reviews);
var editPublishers = new EntityGroupPermission("EditPublishers", AccessType.CRUD, publishers);
var editByAuthor = new EntityGroupPermission("EditByAuthor", AccessType.Update, authorEditData);
var editUsers = new EntityGroupPermission("EditUsers", AccessType.CRUD, users);
var viewUsers = new EntityGroupPermission("ViewUsers", AccessType.Read, users);
var adjustOrder = new EntityGroupPermission("AdjustOrder", AccessType.Read | AccessType.Update | AccessType.Delete, orders);
// We grant Peek permission here for Coupons. The app code can find a coupon by code, but user cannot see it
// (no READ permission) or see any coupons. User receives coupon in email, and uses it when buying a book.
// System looks up the coupon code and applies the discount. But user cannot never see any coupons in the system.
var lookupCoupon = new EntityGroupPermission("LookupCoupon", AccessType.Peek, coupons);
//permission to update ICoupon.AppliedOn property - we set it when user uses coupon
var useCoupon = new EntityGroupPermission("UseCoupon", AccessType.UpdateStrict, couponAppliedOn);
var manageCoupons = new EntityGroupPermission("ManageCoupons", AccessType.CRUD, coupons);
//Activities
var browsing = new Activity("Browsing", browseBooks, browseReviews);
var shopping = new Activity("Shopping", createOrders, lookupCoupon, useCoupon);
var writingReviews = new Activity("Reviewing", writeReviews);
var editingUserInfo = new Activity("EditingUserInfo", editUsers);
var viewingUserInfo = new Activity("ViewingUserInfo", editUsers);
var viewingOrders = new Activity("ViewingOrders", viewOrders, lookupCoupon);
var bookEditing = new Activity("BookEditing", editBooks);
var editingByAuthor = new Activity("EditingByAuthor", editByAuthor);
var managingStore = new Activity("ManagingStore", editPublishers, manageCoupons);
var moderatingReviews = new Activity("ModeratingReviews", deleteReviews);
var adjustingOrders = new Activity("AdjustingOrders", adjustOrder);
// Controller permissions
CallUserAccountController = new ObjectAccessPermission("CallUserAccountController", AccessType.ApiAll,
typeof(Vita.Samples.BookStore.Api.UserAccountController));
//Roles
//Browse books and reviews;
AnonymousUser = new Role("AnonymousUser", browsing);
// Customer - view/edit orders only for current user; edit reviews only created by current user
Customer = new Role("Customer");
Customer.AddChildRoles(AnonymousUser, loginRoles.SelfServiceEditor);
Customer.Grant(CallUserAccountController);
Customer.Grant(userDataFilter, shopping, writingReviews, editingUserInfo);
BookEditor = new Role("BookEditor", browsing, bookEditing);
Author = new Role("Author");
Author.ChildRoles.Add(Customer); //author can act as a customer and buy a book
//We save the grant in static field, to explicitly enable the activity at runtime for limited scope
AuthorEditGrant = Author.GrantDynamic(authorDataFilter, editingByAuthor);
//Customer support can view orders and users (only users that are customers!)
CustomerSupport = new Role("CustomerSupport", viewingOrders);
CustomerSupport.Grant(custSupportUserFilter, viewingUserInfo);
CustomerSupport.Grant(custSupportAuthorUserFilter, viewingUserInfo);
//Store manager
StoreManager = new Role("StoreManager", browsing, managingStore, moderatingReviews);
// Store manager is able to adjust orders, but only in the context of dynamic (explicitly started) activity
// When adjusting activity starts, it saves order Id in user context under AdjustedOrderIdKey.
// All records being edited are then verified against this order Id.
// This garantees that during adjustment editing we modify only data for the order that we started adjustment for.
ManagerAdjustOrderGrant = StoreManager.GrantDynamic(adjustOrderFilter, adjustingOrders, AdjustedOrderIdKey);
//Add permission to access LoginAdministration functions, calendar entities
StoreManager.AddChildRoles(loginRoles.LoginAdministrator);
StoreManager.ChildRoles.Add(Vita.Modules.Logging.LoggingAuthorizationRoles.Instance.LogDataViewerRole);
}
public void SetProxyFactory(IProxyFactory proxyFactory)
{
AlternateType<IAuthorizationFilter> sut = new AuthorizationFilter(proxyFactory);
Assert.Equal(proxyFactory, sut.ProxyFactory);
}
public DynamicActivityGrant GrantDynamic(AuthorizationFilter filter, Activity activity,
string documentKey = null, AuthorizationFilter documentFilter = null)
{
var grant = new DynamicActivityGrant(activity, filter, documentKey, documentFilter);
ActivityGrants.Add(grant);
return grant;
}
public void ReturnOneMethod(IProxyFactory proxyFactory)
{
AlternateType<IAuthorizationFilter> sut = new AuthorizationFilter(proxyFactory);
Assert.Equal(1, sut.AllMethods.Count());
}
public void SetProxyFactory(IProxyFactory proxyFactory)
{
AlternateType <IAuthorizationFilter> sut = new AuthorizationFilter(proxyFactory);
Assert.Equal(proxyFactory, sut.ProxyFactory);
}
