public void Arrange() { _mockAuthenticationService = new Mock <IAuthenticationService>(); MockActionDescriptor = new Mock <ActionDescriptor>(); ActionExecutingContext = new ActionExecutingContext { ActionDescriptor = MockActionDescriptor.Object }; MockAuthorizationService = new Mock <IAuthorizationService>(); ActionOptions = new string[0]; ControllerOptions = new string[0]; _config = new EmployerAccountsConfiguration() { SupportConsoleUsers = _supportConsoleUsers }; MockActionDescriptor.Setup(d => d.ControllerDescriptor.ControllerName).Returns(Guid.NewGuid().ToString()); MockActionDescriptor.Setup(d => d.ControllerDescriptor.GetCustomAttributes(typeof(DasAuthorizeAttribute), true)).Returns(new object[] { }); MockActionDescriptor.Setup(d => d.ActionName).Returns(Guid.NewGuid().ToString()); MockActionDescriptor.Setup(d => d.GetCustomAttributes(typeof(DasAuthorizeAttribute), true)).Returns(new object[] { }); AuthorizationFilter = new AuthorizationFilter(() => MockAuthorizationService.Object); ActionOptions = new[] { "Action.Option" }; MockActionDescriptor.Setup(d => d.GetCustomAttributes(typeof(DasAuthorizeAttribute), true)).Returns(new object[] { new DasAuthorizeAttribute(ActionOptions) }); mockContext.Setup(htx => htx.Request).Returns(mockRequest.Object); mockContext.Setup(htx => htx.Response).Returns(mockResponse.Object); }
public void TestAuthFilterWithValidHeader() { var logicMock = new Mock <IUserManagement>(MockBehavior.Strict); AuthorizationFilter authFilter = new AuthorizationFilter(logicMock.Object); string token = Guid.NewGuid().ToString(); logicMock.Setup(x => x.IsLogued(token)).Returns(true); var modelState = new ModelStateDictionary(); var httpContext = new DefaultHttpContext(); httpContext.Request.Headers["token"] = token; var context = new AuthorizationFilterContext( new ActionContext(httpContext: httpContext, routeData: new Microsoft.AspNetCore.Routing.RouteData(), actionDescriptor: new ActionDescriptor(), modelState: modelState), new List <IFilterMetadata>()); authFilter.OnAuthorization(context); ContentResult response = context.Result as ContentResult; Assert.IsNull(response); }
public AuthorizationFilterTests() { _actionInfoMock = new Mock <MethodInfo>(); _controllerInfoMock = new Mock <TypeInfo>(); _httpContextMock = new Mock <HttpContext>(); _httpRequestMock = new Mock <HttpRequest>(); _httpHeadersMock = new Mock <IHeaderDictionary>(); _claimsIdentityMock = new Mock <ClaimsIdentity>(); _accessTokenManagerMock = new Mock <IAccessTokenManager>(); _httpRequestMock.Setup(x => x.Headers).Returns(_httpHeadersMock.Object); _httpContextMock.Setup(x => x.Request).Returns(_httpRequestMock.Object); _actionContext = new ActionContext { ActionDescriptor = new ControllerActionDescriptor { MethodInfo = _actionInfoMock.Object, ControllerTypeInfo = _controllerInfoMock.Object }, HttpContext = _httpContextMock.Object, RouteData = new RouteData() }; _filter = new AuthorizationFilter(_accessTokenManagerMock.Object); }
public void TestAuthFilterWithInvalidHeader() { var logicMock = new Mock <IUserLogic>(MockBehavior.Strict); AuthorizationFilter authFilter = new AuthorizationFilter(logicMock.Object); string token = "qwert123yu5i4o6p87"; logicMock.Setup(x => x.IsLogued(token)).Returns(false); var modelState = new ModelStateDictionary(); var httpContext = new DefaultHttpContext(); httpContext.Request.Headers["token"] = "qwert123yu5i4o6p87"; var context = new AuthorizationFilterContext( new ActionContext(httpContext: httpContext, routeData: new Microsoft.AspNetCore.Routing.RouteData(), actionDescriptor: new ActionDescriptor(), modelState: modelState), new List <IFilterMetadata>()); authFilter.OnAuthorization(context); ContentResult response = context.Result as ContentResult; Assert.AreEqual(403, response.StatusCode); }
public AuthorizationFilterTests() { ActionContext action = new ActionContext(Substitute.For <HttpContext>(), new RouteData(), new ActionDescriptor()); context = new ResourceExecutingContext(action, Array.Empty <IFilterMetadata>(), Array.Empty <IValueProviderFactory>()); authorization = Substitute.For <IAuthorization>(); filter = new AuthorizationFilter(authorization); }
public AuthorizationFilterTests() { ActionContext action = new(Substitute.For <HttpContext>(), new RouteData(), new ActionDescriptor()); context = new AuthorizationFilterContext(action, Array.Empty <IFilterMetadata>()); authorization = Substitute.For <IAuthorization>(); filter = new AuthorizationFilter(authorization); }
private static int _id; //to generate unique key #endregion Fields #region Constructors public DynamicActivityGrant(Activity activity, AuthorizationFilter filter = null, string documentKey = null, AuthorizationFilter initialCheckFilter = null) : base(activity, filter) { DocumentKey = documentKey; InitialCheckFilter = initialCheckFilter; Key = "%%AuthDynamicEnablement%%" + Activity.Name; Key += "." + (_id++); //to garantee uniqueness }
public void Grant(AuthorizationFilter filter, params Permission[] permissions) { Util.Check(permissions != null && permissions.Length > 0, "Role.Grant: Permission list is empty"); // Create an activity var name = permissions[0].Name; if (permissions.Length > 1) name += "**"; var act = new Activity(name, permissions); Grant(filter, act); }
public void OnAuthorization(AuthorizationContext filterContext) { var metadata = LogCall(Guid); var watch = new Stopwatch(); watch.Start(); AuthorizationFilter.OnAuthorization(filterContext); watch.Stop(); metadata.ExecutionTime = watch.Elapsed; }
public AuthorizationFilterFacts() { _context = new Mock <IOwinContext>(); _authentication = new Mock <IAuthenticationManager>(); _principal = new ClaimsPrincipal(); _authentication.Setup(x => x.User).Returns(_principal); _context.Setup(x => x.Authentication).Returns(_authentication.Object); _filter = new AuthorizationFilter(x => _context.Object); }
public void OnActionExecuting_WhenActionIsExecutingAndControllerIsDecoratedWithDasAuthorizeAttributeAndControllerOptionsAreNotAuthorized_ThenReturnStatusCodeForbidden(string role) { //Arrange _mockAuthenticationService.Setup(m => m.HasClaim(ClaimsIdentity.DefaultRoleClaimType, role)).Returns(true); //Act AuthorizationFilter.OnActionExecuting(ActionExecutingContext); //Assert var httpStatusCodeResult = ActionExecutingContext.Result as HttpStatusCodeResult; Assert.That(httpStatusCodeResult, Is.Not.Null); Assert.AreEqual(httpStatusCodeResult.StatusCode, (int)HttpStatusCode.Forbidden); }
public void OnAuthorizationDoesNotTouchResultIfRequestIsAuthenticated() { AuthorizationContext context = new AuthorizationContext() { HttpContext = new FakeHttpContext("~/Secure") }; (context.HttpContext.Request as FakeHttpRequest).RequestIsAuthenticated = true; AuthorizationFilter filter = new AuthorizationFilter(new RouteCollection()); filter.OnAuthorization(context); Assert.Null(context.Result); }
public void OnAuthorization(AuthorizationContext filterContext) { var metadata = LogCall(Guid); var watch = new Stopwatch(); watch.Start(); using (GlimpseTimer.Start("Executing: Authorization Filter", "Filter", AuthorizationFilter.GetType().Name)) { AuthorizationFilter.OnAuthorization(filterContext); } watch.Stop(); metadata.ExecutionTime = watch.Elapsed; }
public void OnAuthorizationRedirectsToSignInWithReturnUrlIfRequestIsNotAuthenticated() { AuthorizationContext context = new AuthorizationContext() { HttpContext = new FakeHttpContext(new Uri("http://foo.com/Secure"), "~/Secure") }; RouteCollection routes = new RouteCollection(); routes.Add("SignIn", new Route("SignIn", null)); AuthorizationFilter filter = new AuthorizationFilter(routes); filter.OnAuthorization(context); RedirectResult result = context.Result as RedirectResult; Assert.NotNull(result); Assert.Equal("/SignIn?ReturnUrl=%2FSecure", result.Url); }
public void TestAuthFilterWithoutHeader() { var logicMock = new Mock <ISessionLogic>(MockBehavior.Strict); AuthorizationFilter authFilter = new AuthorizationFilter(logicMock.Object); var modelState = new ModelStateDictionary(); var httpContext = new DefaultHttpContext(); var context = new AuthorizationFilterContext( new ActionContext(httpContext: httpContext, routeData: new Microsoft.AspNetCore.Routing.RouteData(), actionDescriptor: new ActionDescriptor(), modelState: modelState), new List <IFilterMetadata>()); authFilter.OnAuthorization(context); ContentResult response = context.Result as ContentResult; Assert.AreEqual(401, response.StatusCode); }
public readonly Role SelfServiceEditor; // can edit his/her own login #endregion Fields #region Constructors internal LoginAuthorization() { AdministrationControllerPermission = new ObjectAccessPermission("LoginAdministrationControllerPermission", AccessType.ApiAll, typeof(LoginAdministrationController)); // entities we need to protect - only user himself (or superadmin) can edit these: var myLoginData = new EntityGroupResource("LoginEntities", typeof(ILogin), typeof(ILoginExtraFactor), typeof(ITrustedDevice), typeof(ISecretQuestionAnswer)); var myLoginDataFilter = new AuthorizationFilter("MyLoginData"); myLoginDataFilter.Add<ILogin, Guid>((lg, userId) => lg.UserId == userId); myLoginDataFilter.Add<ILoginExtraFactor, Guid>((f, userId) => f.Login.UserId == userId); myLoginDataFilter.Add<ITrustedDevice, Guid>((d, userId) => d.Login.UserId == userId); myLoginDataFilter.Add<ISecretQuestionAnswer, Guid>((a, userId) => a.Login.UserId == userId); var selfServiceEditPermission = new EntityGroupPermission("LoginSelfServiceEdit", AccessType.CRUD, myLoginData); LoginEditActivity = new Activity("LoginEdit", selfServiceEditPermission); SelfServiceEditor = new Role("LoginSelfServiceEditor"); SelfServiceEditor.Grant(myLoginDataFilter, LoginEditActivity); LoginAdministrator = new Role("LoginAdministrator", LoginEditActivity); // unrestricted edit of any record LoginAdministrator.Grant(AdministrationControllerPermission); //Api }
internal LoginAuthorizationRoles() { AdministrationControllerPermission = new ObjectAccessPermission("LoginAdministrationControllerPermission", AccessType.ApiAll, typeof(LoginAdministrationController)); // entities we need to protect - only user himself (or superadmin) can edit these: var myLoginData = new EntityGroupResource("LoginEntities", typeof(ILogin), typeof(ILoginExtraFactor), typeof(ITrustedDevice), typeof(ISecretQuestionAnswer), typeof(IPasswordHistory)); var myLoginDataFilter = new AuthorizationFilter("MyLoginData"); myLoginDataFilter.Add <ILogin, Guid>((lg, userId) => lg.UserId == userId); myLoginDataFilter.Add <ILoginExtraFactor, Guid>((f, userId) => f.Login.UserId == userId); myLoginDataFilter.Add <IPasswordHistory, Guid>((ph, userId) => ph.Login.UserId == userId); myLoginDataFilter.Add <ITrustedDevice, Guid>((d, userId) => d.Login.UserId == userId); myLoginDataFilter.Add <ISecretQuestionAnswer, Guid>((a, userId) => a.Login.UserId == userId); var selfServiceEditPermission = new EntityGroupPermission("LoginSelfServiceEdit", AccessType.CRUD, myLoginData); LoginEditActivity = new Activity("LoginEdit", selfServiceEditPermission); SelfServiceEditor = new Role("LoginSelfServiceEditor"); SelfServiceEditor.Grant(myLoginDataFilter, LoginEditActivity); LoginAdministrator = new Role("LoginAdministrator", LoginEditActivity); // unrestricted edit of any record LoginAdministrator.Grant(AdministrationControllerPermission); //Api }
public void Grant(AuthorizationFilter filter, params Activity[] activities) { foreach (var act in activities) ActivityGrants.Add(new ActivityGrant(act, filter)); }
public void TestInitialize() { AuthorizationFilter = new AuthorizationFilter(); }
//LoginModule is used to retrieve some authorization roles of login module and add them to book store role(s) public BooksAuthorization(BooksEntityApp app, LoginModule loginModule) { _app = app; // Data filters // 'userid' value will be automatically injected by runtime when evaluating lambdas var userDataFilter = new AuthorizationFilter("UserData"); userDataFilter.Add<IUser, Guid>((u, userId) => u.Id == userId); userDataFilter.Add<IBookOrder, Guid>((bo, userId) => bo.User.Id == userId); userDataFilter.Add<IBookOrderLine, Guid>((ol, userId) => ol.Order.User.Id == userId); userDataFilter.Add<IBookReview, Guid>((r, userId) => r.User.Id == userId); // Author data filter. var authorDataFilter = new AuthorizationFilter("AuthorData"); // Simple case. IAuthor record is matched by filter if IAuthor.User.Id == Current-user-Id // Note that IAuthor.User might be null - but it's OK to use 'a.User.Id' - the lambda is rewritten // with extra safe conditionals to allow these expressions authorDataFilter.Add<IAuthor, Guid>((a, userId) => a.User.Id == userId); // More complex case. We provide an expression that checks if userId matches Id of any author of a book. // Option 1 - checking book.Authors list, this requires loading list of ALL authors // authorDataFilter.Add<IBook, Guid>((b, userId) => (b.Authors.Any(a => a.User.Id == userId))); // Option 2 - Making LINQ query, using Exists<> helper method, it loads a single record authorDataFilter.Add<IBook, OperationContext, Guid>((b, ctx, userId) => ctx.Exists<IBookAuthor>( ba => ba.Author.User.Id == userId && ba.Book.Id == b.Id)); // BookOrder filter for adjusting order by StoreManager var adjustOrderFilter = new AuthorizationFilter("OrderToAdjust"); adjustOrderFilter.Add<IBookOrder, Guid>((bo, adjustedOrderId) => bo.Id == adjustedOrderId); adjustOrderFilter.Add<IBookOrderLine, Guid>((line, adjustedOrderId) => line.Order.Id == adjustedOrderId); // Customer/users data filter. CustomerSupport role allows access only to users who are Customers or Authors (not employees) // Here we demo use of data filter expression for pre-filtering users in queries. // When customer support person queries users, the filter 'u.Type==UserType.Customer' will be automatically injected into the LINQ query // We also add another filter for authors - the final filter will be OR of both var custSupportUserFilter = new AuthorizationFilter("CustomerSupportUsers"); custSupportUserFilter.Add<IUser>(u => u.Type == UserType.Customer, FilterUse.Entities | FilterUse.Query); // just for testing filter combinations, we add another filter for users that are authors. // both filters will be combined (using OR), and whenever customer support person queries users, he will get only Customer and Author users var custSupportAuthorUserFilter = new AuthorizationFilter("CustomerSupportAuthorUsers"); custSupportAuthorUserFilter.Add<IUser>(u => u.Type == UserType.Author, FilterUse.All); //Entity resources var books = new EntityGroupResource("Books", typeof(IBook), typeof(IBookAuthor), typeof(IAuthor), typeof(IImage)); var publishers = new EntityGroupResource("Publishers", typeof(IPublisher)); var orders = new EntityGroupResource("Orders", typeof(IBookOrder), typeof(IBookOrderLine)); var reviews = new EntityGroupResource("BookReviews", typeof(IBookReview)); var users = new EntityGroupResource("Users", typeof(IUser)); var authorEditData = new EntityGroupResource("AuthorEditData"); authorEditData.Add(typeof(IAuthor), "Bio"); authorEditData.Add<IBook>(b => b.Description, b => b.Abstract); //authorEditData.Add(typeof(IBook), "Description,Abstract"); //-- alternative way var coupons = new EntityGroupResource("Coupons", typeof(ICoupon)); var couponAppliedOn = new EntityGroupResource("CouponAppliedOn"); couponAppliedOn.Add<ICoupon>(c => c.AppliedOn); //Permissions var browseBooks = new EntityGroupPermission("BrowseBooks", AccessType.Read, books, publishers); var createOrders = new EntityGroupPermission("CreateOrders", AccessType.CRUD, orders); var viewOrders = new EntityGroupPermission("ViewOrders", AccessType.Read, orders); var browseReviews = new EntityGroupPermission("BrowseReviews", AccessType.Read, reviews); var writeReviews = new EntityGroupPermission("WriteReviews", AccessType.CRUD, reviews); var editBooks = new EntityGroupPermission("EditBooks", AccessType.CRUD, books); var deleteReviews = new EntityGroupPermission("DeleteReviews", AccessType.Read | AccessType.Delete, reviews); var editPublishers = new EntityGroupPermission("EditPublishers", AccessType.CRUD, publishers); var editByAuthor = new EntityGroupPermission("EditByAuthor", AccessType.Update, authorEditData); var editUsers = new EntityGroupPermission("EditUsers", AccessType.CRUD, users); var viewUsers = new EntityGroupPermission("ViewUsers", AccessType.Read, users); var adjustOrder = new EntityGroupPermission("AdjustOrder", AccessType.Read | AccessType.Update | AccessType.Delete, orders); // We grant Peek permission here for Coupons. The app code can find a coupon by code, but user cannot see it // (no READ permission) or see any coupons. User receives coupon in email, and uses it when buying a book. // System looks up the coupon code and applies the discount. But user cannot never see any coupons in the system. var lookupCoupon = new EntityGroupPermission("LookupCoupon", AccessType.Peek, coupons); //permission to update ICoupon.AppliedOn property - we set it when user uses coupon var useCoupon = new EntityGroupPermission("UseCoupon", AccessType.UpdateStrict, couponAppliedOn); var manageCoupons = new EntityGroupPermission("ManageCoupons", AccessType.CRUD, coupons); //Activities var browsing = new Activity("Browsing", browseBooks, browseReviews); var shopping = new Activity("Shopping", createOrders, lookupCoupon, useCoupon); var writingReviews = new Activity("Reviewing", writeReviews); var editingUserInfo = new Activity("EditingUserInfo", editUsers); var viewingUserInfo = new Activity("ViewingUserInfo", editUsers); var viewingOrders = new Activity("ViewingOrders", viewOrders, lookupCoupon); var bookEditing = new Activity("BookEditing", editBooks); var editingByAuthor = new Activity("EditingByAuthor", editByAuthor); var managingStore = new Activity("ManagingStore", editPublishers, manageCoupons); var moderatingReviews = new Activity("ModeratingReviews", deleteReviews); var adjustingOrders = new Activity("AdjustingOrders", adjustOrder); // Controller permissions CallUserAccountController = new ObjectAccessPermission("CallUserAccountController", AccessType.ApiAll, typeof(Vita.Samples.BookStore.Api.UserAccountController)); //Roles //Browse books and reviews; AnonymousUser = new Role("AnonymousUser", browsing); // Customer - view/edit orders only for current user; edit reviews only created by current user Customer = new Role("Customer"); Customer.ChildRoles.Add(AnonymousUser); Customer.Grant(CallUserAccountController); Customer.Grant(userDataFilter, shopping, writingReviews, editingUserInfo); BookEditor = new Role("BookEditor", browsing, bookEditing); Author = new Role("Author"); Author.ChildRoles.Add(Customer); //author can act as a customer and buy a book //We save the grant in static field, to explicitly enable the activity at runtime for limited scope AuthorEditGrant = Author.GrantDynamic(authorDataFilter, editingByAuthor); //Customer support can view orders and users (only users that are customers!) CustomerSupport = new Role("CustomerSupport", viewingOrders); CustomerSupport.Grant(custSupportUserFilter, viewingUserInfo); CustomerSupport.Grant(custSupportAuthorUserFilter, viewingUserInfo); //Store manager StoreManager = new Role("StoreManager", browsing, managingStore, moderatingReviews); // Store manager is able to adjust orders, but only in the context of dynamic (explicitly started) activity // When adjusting activity starts, it saves order Id in user context under AdjustedOrderIdKey. // All records being edited are then verified against this order Id. // This garantees that during adjustment editing we modify only data for the order that we started adjustment for. ManagerAdjustOrderGrant = StoreManager.GrantDynamic(adjustOrderFilter, adjustingOrders, AdjustedOrderIdKey); //Add permission to access LoginAdministration API controller StoreManager.ChildRoles.Add(loginModule.Authorization.LoginAdministrator); StoreManager.ChildRoles.Add(Vita.Modules.Logging.LoggingAuthorizationRoles.Instance.LogDataViewerRole); }
public void ReturnOneMethod(IProxyFactory proxyFactory) { AlternateType <IAuthorizationFilter> sut = new AuthorizationFilter(proxyFactory); Assert.Equal(1, sut.AllMethods.Count()); }
//LoginModule is used to retrieve some authorization roles of login module and add them to book store role(s) public BooksAuthorization(BooksEntityApp app) { _app = app; var loginRoles = app.GetModule <LoginModule>().Roles; // Data filters // 'userid' value will be automatically injected by runtime when evaluating lambdas var userDataFilter = new AuthorizationFilter("UserData"); userDataFilter.Add <IUser, Guid>((u, userId) => u.Id == userId); userDataFilter.Add <IBookOrder, Guid>((bo, userId) => bo.User.Id == userId); userDataFilter.Add <IBookOrderLine, Guid>((ol, userId) => ol.Order.User.Id == userId); userDataFilter.Add <IBookReview, Guid>((r, userId) => r.User.Id == userId); // Author data filter. var authorDataFilter = new AuthorizationFilter("AuthorData"); // Simple case. IAuthor record is matched by filter if IAuthor.User.Id == Current-user-Id // Note that IAuthor.User might be null - but it's OK to use 'a.User.Id' - the lambda is rewritten // with extra safe conditionals to allow these expressions authorDataFilter.Add <IAuthor, Guid>((a, userId) => a.User.Id == userId); // More complex case. We provide an expression that checks if userId matches Id of any author of a book. // Option 1 - checking book.Authors list, this requires loading list of ALL authors // authorDataFilter.Add<IBook, Guid>((b, userId) => (b.Authors.Any(a => a.User.Id == userId))); // Option 2 - Making LINQ query, using Exists<> helper method, it loads a single record authorDataFilter.Add <IBook, OperationContext, Guid>((b, ctx, userId) => ctx.Exists <IBookAuthor>( ba => ba.Author.User.Id == userId && ba.Book.Id == b.Id)); // BookOrder filter for adjusting order by StoreManager var adjustOrderFilter = new AuthorizationFilter("OrderToAdjust"); adjustOrderFilter.Add <IBookOrder, Guid>((bo, adjustedOrderId) => bo.Id == adjustedOrderId); adjustOrderFilter.Add <IBookOrderLine, Guid>((line, adjustedOrderId) => line.Order.Id == adjustedOrderId); // Customer/users data filter. CustomerSupport role allows access only to users who are Customers or Authors (not employees) // Here we demo use of data filter expression for pre-filtering users in queries. // When customer support person queries users, the filter 'u.Type==UserType.Customer' will be automatically injected into the LINQ query // We also add another filter for authors - the final filter will be OR of both var custSupportUserFilter = new AuthorizationFilter("CustomerSupportUsers"); custSupportUserFilter.Add <IUser>(u => u.Type == UserType.Customer, FilterUse.Entities | FilterUse.Query); // just for testing filter combinations, we add another filter for users that are authors. // both filters will be combined (using OR), and whenever customer support person queries users, he will get only Customer and Author users var custSupportAuthorUserFilter = new AuthorizationFilter("CustomerSupportAuthorUsers"); custSupportAuthorUserFilter.Add <IUser>(u => u.Type == UserType.Author, FilterUse.All); //Entity resources var books = new EntityGroupResource("Books", typeof(IBook), typeof(IBookAuthor), typeof(IAuthor), typeof(IImage)); var publishers = new EntityGroupResource("Publishers", typeof(IPublisher)); var orders = new EntityGroupResource("Orders", typeof(IBookOrder), typeof(IBookOrderLine)); var reviews = new EntityGroupResource("BookReviews", typeof(IBookReview)); var users = new EntityGroupResource("Users", typeof(IUser)); var authorEditData = new EntityGroupResource("AuthorEditData"); authorEditData.Add(typeof(IAuthor), "Bio"); authorEditData.Add <IBook>(b => b.Description, b => b.Abstract); //authorEditData.Add(typeof(IBook), "Description,Abstract"); //-- alternative way var coupons = new EntityGroupResource("Coupons", typeof(ICoupon)); var couponAppliedOn = new EntityGroupResource("CouponAppliedOn"); couponAppliedOn.Add <ICoupon>(c => c.AppliedOn); //Permissions var browseBooks = new EntityGroupPermission("BrowseBooks", AccessType.Read, books, publishers); var createOrders = new EntityGroupPermission("CreateOrders", AccessType.CRUD, orders); var viewOrders = new EntityGroupPermission("ViewOrders", AccessType.Read, orders); var browseReviews = new EntityGroupPermission("BrowseReviews", AccessType.Read, reviews); var writeReviews = new EntityGroupPermission("WriteReviews", AccessType.CRUD, reviews); var editBooks = new EntityGroupPermission("EditBooks", AccessType.CRUD, books); var deleteReviews = new EntityGroupPermission("DeleteReviews", AccessType.Read | AccessType.Delete, reviews); var editPublishers = new EntityGroupPermission("EditPublishers", AccessType.CRUD, publishers); var editByAuthor = new EntityGroupPermission("EditByAuthor", AccessType.Update, authorEditData); var editUsers = new EntityGroupPermission("EditUsers", AccessType.CRUD, users); var viewUsers = new EntityGroupPermission("ViewUsers", AccessType.Read, users); var adjustOrder = new EntityGroupPermission("AdjustOrder", AccessType.Read | AccessType.Update | AccessType.Delete, orders); // We grant Peek permission here for Coupons. The app code can find a coupon by code, but user cannot see it // (no READ permission) or see any coupons. User receives coupon in email, and uses it when buying a book. // System looks up the coupon code and applies the discount. But user cannot never see any coupons in the system. var lookupCoupon = new EntityGroupPermission("LookupCoupon", AccessType.Peek, coupons); //permission to update ICoupon.AppliedOn property - we set it when user uses coupon var useCoupon = new EntityGroupPermission("UseCoupon", AccessType.UpdateStrict, couponAppliedOn); var manageCoupons = new EntityGroupPermission("ManageCoupons", AccessType.CRUD, coupons); //Activities var browsing = new Activity("Browsing", browseBooks, browseReviews); var shopping = new Activity("Shopping", createOrders, lookupCoupon, useCoupon); var writingReviews = new Activity("Reviewing", writeReviews); var editingUserInfo = new Activity("EditingUserInfo", editUsers); var viewingUserInfo = new Activity("ViewingUserInfo", editUsers); var viewingOrders = new Activity("ViewingOrders", viewOrders, lookupCoupon); var bookEditing = new Activity("BookEditing", editBooks); var editingByAuthor = new Activity("EditingByAuthor", editByAuthor); var managingStore = new Activity("ManagingStore", editPublishers, manageCoupons); var moderatingReviews = new Activity("ModeratingReviews", deleteReviews); var adjustingOrders = new Activity("AdjustingOrders", adjustOrder); // Controller permissions CallUserAccountController = new ObjectAccessPermission("CallUserAccountController", AccessType.ApiAll, typeof(Vita.Samples.BookStore.Api.UserAccountController)); //Roles //Browse books and reviews; AnonymousUser = new Role("AnonymousUser", browsing); // Customer - view/edit orders only for current user; edit reviews only created by current user Customer = new Role("Customer"); Customer.AddChildRoles(AnonymousUser, loginRoles.SelfServiceEditor); Customer.Grant(CallUserAccountController); Customer.Grant(userDataFilter, shopping, writingReviews, editingUserInfo); BookEditor = new Role("BookEditor", browsing, bookEditing); Author = new Role("Author"); Author.ChildRoles.Add(Customer); //author can act as a customer and buy a book //We save the grant in static field, to explicitly enable the activity at runtime for limited scope AuthorEditGrant = Author.GrantDynamic(authorDataFilter, editingByAuthor); //Customer support can view orders and users (only users that are customers!) CustomerSupport = new Role("CustomerSupport", viewingOrders); CustomerSupport.Grant(custSupportUserFilter, viewingUserInfo); CustomerSupport.Grant(custSupportAuthorUserFilter, viewingUserInfo); //Store manager StoreManager = new Role("StoreManager", browsing, managingStore, moderatingReviews); // Store manager is able to adjust orders, but only in the context of dynamic (explicitly started) activity // When adjusting activity starts, it saves order Id in user context under AdjustedOrderIdKey. // All records being edited are then verified against this order Id. // This garantees that during adjustment editing we modify only data for the order that we started adjustment for. ManagerAdjustOrderGrant = StoreManager.GrantDynamic(adjustOrderFilter, adjustingOrders, AdjustedOrderIdKey); //Add permission to access LoginAdministration functions, calendar entities StoreManager.AddChildRoles(loginRoles.LoginAdministrator); StoreManager.ChildRoles.Add(Vita.Modules.Logging.LoggingAuthorizationRoles.Instance.LogDataViewerRole); }
public void SetProxyFactory(IProxyFactory proxyFactory) { AlternateType<IAuthorizationFilter> sut = new AuthorizationFilter(proxyFactory); Assert.Equal(proxyFactory, sut.ProxyFactory); }
public DynamicActivityGrant GrantDynamic(AuthorizationFilter filter, Activity activity, string documentKey = null, AuthorizationFilter documentFilter = null) { var grant = new DynamicActivityGrant(activity, filter, documentKey, documentFilter); ActivityGrants.Add(grant); return grant; }
public void ReturnOneMethod(IProxyFactory proxyFactory) { AlternateType<IAuthorizationFilter> sut = new AuthorizationFilter(proxyFactory); Assert.Equal(1, sut.AllMethods.Count()); }
public void SetProxyFactory(IProxyFactory proxyFactory) { AlternateType <IAuthorizationFilter> sut = new AuthorizationFilter(proxyFactory); Assert.Equal(proxyFactory, sut.ProxyFactory); }