public async Task WhenUserIsKnown_AndHasNoPermissions_ShouldNotSucceed()
{
// Arrange
string userId = Guid.NewGuid().ToString();
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(Constants.ObjectIdentifierClaimType, userId) }));
ISpecificationAuthorizationEntity specification = Substitute.For <ISpecificationAuthorizationEntity>();
specification.GetSpecificationId().Returns(WellKnownSpecificationId);
AuthorizationHandlerContext authContext = CreateAuthenticationContext(principal, SpecificationActionTypes.CanApproveFunding, specification);
IUsersApiClient usersApiClient = Substitute.For <IUsersApiClient>();
usersApiClient.GetEffectivePermissionsForUser(Arg.Is(userId), Arg.Is(WellKnownSpecificationId)).Returns(new ApiResponse <EffectiveSpecificationPermission>(HttpStatusCode.OK, new EffectiveSpecificationPermission()));
IOptions <PermissionOptions> options = Substitute.For <IOptions <PermissionOptions> >();
options.Value.Returns(actualOptions);
IFeatureToggle features = Substitute.For <IFeatureToggle>();
features.IsRoleBasedAccessEnabled().Returns(true);
SpecificationPermissionHandler authHandler = new SpecificationPermissionHandler(usersApiClient, options, features);
// Act
await authHandler.HandleAsync(authContext);
// Assert
authContext.HasSucceeded.Should().BeFalse();
}
public async Task WhenRoleBasedFeatureIsNotEnabled_AndUserIsNotKnownToTheSystem_ShouldSucceed()
{
// Arrange
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(Constants.ObjectIdentifierClaimType, Guid.NewGuid().ToString()) }));
ISpecificationAuthorizationEntity specification = Substitute.For <ISpecificationAuthorizationEntity>();
AuthorizationHandlerContext authContext = CreateAuthenticationContext(principal, SpecificationActionTypes.CanApproveFunding, specification);
IUsersApiClient usersApiClient = Substitute.For <IUsersApiClient>();
IOptions <PermissionOptions> options = Substitute.For <IOptions <PermissionOptions> >();
options.Value.Returns(actualOptions);
IFeatureToggle features = Substitute.For <IFeatureToggle>();
features.IsRoleBasedAccessEnabled().Returns(false);
SpecificationPermissionHandler authHandler = new SpecificationPermissionHandler(usersApiClient, options, features);
// Act
await authHandler.HandleAsync(authContext);
// Assert
authContext.HasSucceeded.Should().BeTrue();
}
public async Task WhenUserIsNotKnown_ShouldNotSucceed()
{
// Arrange
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity());
ISpecificationAuthorizationEntity specification = Substitute.For <ISpecificationAuthorizationEntity>();
AuthorizationHandlerContext authContext = CreateAuthenticationContext(principal, SpecificationActionTypes.CanApproveFunding, specification);
IUsersApiClient usersApiClient = Substitute.For <IUsersApiClient>();
IOptions <PermissionOptions> options = Substitute.For <IOptions <PermissionOptions> >();
options.Value.Returns(actualOptions);
IFeatureToggle features = Substitute.For <IFeatureToggle>();
features.IsRoleBasedAccessEnabled().Returns(true);
SpecificationPermissionHandler authHandler = new SpecificationPermissionHandler(usersApiClient, options, features);
// Act
await authHandler.HandleAsync(authContext);
// Assert
authContext.HasSucceeded.Should().BeFalse();
}
public async Task WhenUserIsNotKnown_ShouldSucceed()
{
// Arrange
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity());
ISpecificationAuthorizationEntity spec = Substitute.For <ISpecificationAuthorizationEntity>();
AuthorizationHandlerContext authContext = CreateAuthenticationContext(principal, SpecificationActionTypes.CanApproveFunding, spec);
AlwaysAllowedPermissionHandler authHandler = new AlwaysAllowedPermissionHandler();
// Act
await authHandler.HandleAsync(authContext);
// Assert
authContext.HasSucceeded.Should().BeTrue();
}
public async Task WhenUserIsKnown_AndHasNoPermissions_ShouldSucceed()
{
// Arrange
string userId = Guid.NewGuid().ToString();
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(Constants.ObjectIdentifierClaimType, userId) }));
ISpecificationAuthorizationEntity spec = Substitute.For <ISpecificationAuthorizationEntity>();
AuthorizationHandlerContext authContext = CreateAuthenticationContext(principal, SpecificationActionTypes.CanApproveFunding, spec);
AlwaysAllowedPermissionHandler authHandler = new AlwaysAllowedPermissionHandler();
// Act
await authHandler.HandleAsync(authContext);
// Assert
authContext.HasSucceeded.Should().BeTrue();
}
private AuthorizationHandlerContext CreateAuthenticationContext(ClaimsPrincipal principal, SpecificationActionTypes permissionRequired, ISpecificationAuthorizationEntity resource)
{
SpecificationRequirement requirement = new SpecificationRequirement(permissionRequired);
return(new AuthorizationHandlerContext(new[] { requirement }, principal, resource));
}
public async Task <bool> DoesUserHavePermission(ClaimsPrincipal user, ISpecificationAuthorizationEntity specification, SpecificationActionTypes permissionRequired)
{
AuthorizationResult authorizationResult = await _authorizationService.AuthorizeAsync(user, specification, new SpecificationRequirement(permissionRequired));
return(authorizationResult.Succeeded);
}
