public async Task FundingStreams_SecurityTrimList_WhenUserHasAccessToSome_ThenReturnSome()
{
// Arrange
IEnumerable <PolicyModels.FundingStream> fundingStreamIds = new List <PolicyModels.FundingStream>
{
new PolicyModels.FundingStream {
Id = "fs1"
},
new PolicyModels.FundingStream {
Id = "fs2"
},
new PolicyModels.FundingStream {
Id = "fs3"
}
};
string userId = "testuser";
ClaimsPrincipal user = BuildClaimsPrincipal(userId);
FundingStreamActionTypes permissionRequired = FundingStreamActionTypes.CanCreateSpecification;
ApiResponse <IEnumerable <FundingStreamPermission> > permissionsResponse =
new ApiResponse <IEnumerable <FundingStreamPermission> >(HttpStatusCode.OK,
new List <FundingStreamPermission>
{
new FundingStreamPermission {
FundingStreamId = "fs1", CanCreateSpecification = false
},
new FundingStreamPermission {
FundingStreamId = "fs2", CanCreateSpecification = true
},
new FundingStreamPermission {
FundingStreamId = "fs3", CanCreateSpecification = false
}
});
IAuthorizationService authorizationService = Substitute.For <IAuthorizationService>();
IUsersApiClient usersClient = Substitute.For <IUsersApiClient>();
usersClient
.GetFundingStreamPermissionsForUser(userId)
.Returns(permissionsResponse);
AuthorizationHelper authHelper = CreateAuthenticationHelper(authorizationService, usersClient);
// Act
IEnumerable <PolicyModels.FundingStream> results = await authHelper.SecurityTrimList(user, fundingStreamIds, permissionRequired);
// Assert
results.Should().HaveCount(1);
results.Should().Contain(r => r.Id == "fs2");
}
public async Task DoesUserHavePermission_WhenUserHasAccessToNone_ThenReturnFalse()
{
// Arrange
IEnumerable <string> fundingStreamIds = new List <string> {
"fs1", "fs2", "fs3"
};
string userId = "testuser";
ClaimsPrincipal user = BuildClaimsPrincipal(userId);
FundingStreamActionTypes permissionRequired = FundingStreamActionTypes.CanCreateSpecification;
ApiResponse <IEnumerable <Common.ApiClient.Users.Models.FundingStreamPermission> > permissionsResponse = new ApiResponse <IEnumerable <Common.ApiClient.Users.Models.FundingStreamPermission> >(System.Net.HttpStatusCode.OK, new List <Common.ApiClient.Users.Models.FundingStreamPermission>
{
new Common.ApiClient.Users.Models.FundingStreamPermission {
FundingStreamId = "fs1", CanCreateSpecification = false
},
new Common.ApiClient.Users.Models.FundingStreamPermission {
FundingStreamId = "fs2", CanCreateSpecification = false
},
new Common.ApiClient.Users.Models.FundingStreamPermission {
FundingStreamId = "fs3", CanCreateSpecification = false
}
});
IAuthorizationService authorizationService = Substitute.For <IAuthorizationService>();
IUsersApiClient usersClient = Substitute.For <IUsersApiClient>();
usersClient
.GetFundingStreamPermissionsForUser(userId)
.Returns(permissionsResponse);
AuthorizationHelper authHelper = CreateAuthenticationHelper(authorizationService, usersClient);
// Act
bool result = await authHelper.DoesUserHavePermission(user, fundingStreamIds, permissionRequired);
// Assert
result.Should().BeFalse();
}
public async Task <IEnumerable <PolicyModels.FundingStream> > SecurityTrimList(ClaimsPrincipal user,
IEnumerable <PolicyModels.FundingStream> fundingStreams, FundingStreamActionTypes permissionRequired)
{
Guard.ArgumentNotNull(user, nameof(user));
Guard.ArgumentNotNull(fundingStreams, nameof(fundingStreams));
if (IsAdminUser(user))
{
return(fundingStreams);
}
string userId = VerifyObjectIdentifierClaimTypePresent(user);
ApiResponse <IEnumerable <FundingStreamPermission> > fundingStreamPermissionsResponse =
await _usersClient.GetFundingStreamPermissionsForUser(userId);
if (fundingStreamPermissionsResponse.StatusCode != HttpStatusCode.OK)
{
_logger.Error("Failed to get funding stream permissions for user for security trimming ({user}) - {statuscode}", user.Identity.Name,
fundingStreamPermissionsResponse.StatusCode);
return(Enumerable.Empty <PolicyModels.FundingStream>());
}
IEnumerable <FundingStreamPermission> allowedFundingStreams = fundingStreamPermissionsResponse.Content;
if (permissionRequired == FundingStreamActionTypes.CanCreateSpecification)
{
allowedFundingStreams = allowedFundingStreams.Where(p => p.CanCreateSpecification);
}
else if (permissionRequired == FundingStreamActionTypes.CanChooseFunding)
{
allowedFundingStreams = allowedFundingStreams.Where(p => p.CanChooseFunding);
}
IEnumerable <string> allowedFundingStreamIds = allowedFundingStreams.Select(p => p.FundingStreamId);
return(fundingStreams.Where(fs => allowedFundingStreamIds.Contains(fs.Id)));
}
private bool HasPermissionToAllFundingStreams(IEnumerable <string> fundingStreamIds, FundingStreamActionTypes requestedPermission, IEnumerable <FundingStreamPermission> actualPermissions)
{
if (actualPermissions == null || actualPermissions.Count() == 0)
{
// No permissions to check against so can't have permission for the action
return(false);
}
return(requestedPermission switch
{
FundingStreamActionTypes.CanCreateSpecification => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanCreateSpecification)),
FundingStreamActionTypes.CanChooseFunding => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanChooseFunding)),
FundingStreamActionTypes.CanCreateTemplates => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanCreateTemplates)),
FundingStreamActionTypes.CanEditTemplates => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanEditTemplates)),
FundingStreamActionTypes.CanDeleteTemplates => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanDeleteTemplates)),
FundingStreamActionTypes.CanApproveTemplates => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanApproveTemplates)),
FundingStreamActionTypes.CanCreateProfilePattern => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanCreateProfilePattern)),
FundingStreamActionTypes.CanEditProfilePattern => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanEditProfilePattern)),
FundingStreamActionTypes.CanDeleteProfilePattern => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanDeleteProfilePattern)),
FundingStreamActionTypes.CanAssignProfilePattern => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanAssignProfilePattern)),
FundingStreamActionTypes.CanApplyCustomProfilePattern => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanApplyCustomProfilePattern)),
FundingStreamActionTypes.CanApproveCalculations => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanApproveCalculations)),
FundingStreamActionTypes.CanApproveAnyCalculations => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanApproveAnyCalculations)),
FundingStreamActionTypes.CanRefreshPublishedQa => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanRefreshPublishedQa)),
FundingStreamActionTypes.CanUploadDataSourceFiles => fundingStreamIds.All(fs => actualPermissions.Any(p => p.FundingStreamId == fs && p.CanUploadDataSourceFiles)),
_ => false,
});
public async Task <IEnumerable <FundingStream> > SecurityTrimList(ClaimsPrincipal user, IEnumerable <FundingStream> fundingStreams, FundingStreamActionTypes permissionRequired)
{
Guard.ArgumentNotNull(user, nameof(user));
Guard.ArgumentNotNull(fundingStreams, nameof(fundingStreams));
return(await Task.FromResult(fundingStreams));
}
public async Task <bool> DoesUserHavePermission(ClaimsPrincipal user, IEnumerable <string> fundingStreamIds, FundingStreamActionTypes permissionRequired)
{
return(await Task.FromResult(true));
}
private bool HasPermissionToAllFundingStreams(IEnumerable <string> fundingStreamIds, FundingStreamActionTypes requestedPermission, IEnumerable <FundingStreamPermission> actualPermissions)
{
if (actualPermissions == null || actualPermissions.Count() == 0)
{
// No permissions to check against so can't have permission for the action
return(false);
}
if (requestedPermission == FundingStreamActionTypes.CanCreateSpecification)
{
foreach (string item in fundingStreamIds)
{
FundingStreamPermission foundPermission = actualPermissions.FirstOrDefault(p => p.FundingStreamId == item && p.CanCreateSpecification);
if (foundPermission == null)
{
// A required permission is missing so can't succeed
return(false);
}
}
return(true);
}
else
{
return(false);
}
}
private AuthorizationHandlerContext CreateAuthenticationContext(ClaimsPrincipal principal, FundingStreamActionTypes permissionRequired, IEnumerable <string> resource)
{
FundingStreamRequirement requirement = new FundingStreamRequirement(permissionRequired);
return(new AuthorizationHandlerContext(new[] { requirement }, principal, resource));
}
public FundingStreamRequirement(FundingStreamActionTypes fundingStreamAction)
{
ActionType = fundingStreamAction;
}
public async Task <bool> DoesUserHavePermission(ClaimsPrincipal user, IEnumerable <string> fundingStreamIds, FundingStreamActionTypes permissionRequired)
{
Guard.ArgumentNotNull(user, nameof(user));
Guard.ArgumentNotNull(fundingStreamIds, nameof(fundingStreamIds));
if (user.HasClaim(c => c.Type == Common.Identity.Constants.GroupsClaimType && c.Value.ToLowerInvariant() == _permissionOptions.AdminGroupId.ToString().ToLowerInvariant()))
{
return(true);
}
string userId = VerifyObjectIdentifierClaimTypePresent(user);
ApiResponse <IEnumerable <Common.ApiClient.Users.Models.FundingStreamPermission> > fundingStreamPermissionsResponse = await _usersClient.GetFundingStreamPermissionsForUser(userId);
if (fundingStreamPermissionsResponse.StatusCode != HttpStatusCode.OK)
{
_logger.Error("Failed to get funding stream permissions for user ({user}) - {statuscode}", user.Identity.Name, fundingStreamPermissionsResponse.StatusCode);
return(false);
}
IEnumerable <Common.ApiClient.Users.Models.FundingStreamPermission> allowedFundingStreams = fundingStreamPermissionsResponse.Content;
if (permissionRequired == FundingStreamActionTypes.CanCreateSpecification)
{
allowedFundingStreams = allowedFundingStreams.Where(p => p.CanCreateSpecification);
}
else if (permissionRequired == FundingStreamActionTypes.CanChooseFunding)
{
allowedFundingStreams = allowedFundingStreams.Where(p => p.CanChooseFunding);
}
IEnumerable <string> allowedFundingStreamIds = allowedFundingStreams.Select(p => p.FundingStreamId);
return(!fundingStreamIds.Except(allowedFundingStreamIds).Any());
}