public async Task WhenUserCanRefreshPublishedQaForSpecification_ShouldSucceed()
{
// Arrange
string userId = Guid.NewGuid().ToString();
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(Constants.ObjectIdentifierClaimType, userId) }));
string specification = WellKnownSpecificationId;
AuthorizationHandlerContext authContext = CreateAuthenticationContext(principal, SpecificationActionTypes.CanRefreshPublishedQa, specification);
EffectiveSpecificationPermission actualPermission = new EffectiveSpecificationPermission
{
CanRefreshPublishedQa = true
};
IUsersApiClient usersApiClient = Substitute.For <IUsersApiClient>();
usersApiClient.GetEffectivePermissionsForUser(Arg.Is(userId), Arg.Is(WellKnownSpecificationId)).Returns(new ApiResponse <EffectiveSpecificationPermission>(HttpStatusCode.OK, actualPermission));
IOptions <PermissionOptions> options = Substitute.For <IOptions <PermissionOptions> >();
options.Value.Returns(actualOptions);
SpecificationPermissionHandler authHandler = new SpecificationPermissionHandler(usersApiClient, options);
// Act
await authHandler.HandleAsync(authContext);
// Assert
authContext.HasSucceeded.Should().BeTrue();
}
public async Task WhenUserIsKnown_AndHasNoPermissions_ShouldNotSucceed()
{
// Arrange
string userId = Guid.NewGuid().ToString();
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(Constants.ObjectIdentifierClaimType, userId) }));
ISpecificationAuthorizationEntity specification = Substitute.For <ISpecificationAuthorizationEntity>();
specification.GetSpecificationId().Returns(WellKnownSpecificationId);
AuthorizationHandlerContext authContext = CreateAuthenticationContext(principal, SpecificationActionTypes.CanApproveFunding, specification);
IUsersApiClient usersApiClient = Substitute.For <IUsersApiClient>();
usersApiClient.GetEffectivePermissionsForUser(Arg.Is(userId), Arg.Is(WellKnownSpecificationId)).Returns(new ApiResponse <EffectiveSpecificationPermission>(HttpStatusCode.OK, new EffectiveSpecificationPermission()));
IOptions <PermissionOptions> options = Substitute.For <IOptions <PermissionOptions> >();
options.Value.Returns(actualOptions);
IFeatureToggle features = Substitute.For <IFeatureToggle>();
features.IsRoleBasedAccessEnabled().Returns(true);
SpecificationPermissionHandler authHandler = new SpecificationPermissionHandler(usersApiClient, options, features);
// Act
await authHandler.HandleAsync(authContext);
// Assert
authContext.HasSucceeded.Should().BeFalse();
}
public async Task WhenUserIsNotKnownToTheSystem_ShouldNotSucceed()
{
// Arrange
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(Constants.ObjectIdentifierClaimType, Guid.NewGuid().ToString()) }));
string specification = WellKnownSpecificationId;
AuthorizationHandlerContext authContext = CreateAuthenticationContext(principal, SpecificationActionTypes.CanApproveFunding, specification);
IUsersApiClient usersApiClient = Substitute.For <IUsersApiClient>();
usersApiClient.GetEffectivePermissionsForUser(Arg.Any <string>(), Arg.Is(WellKnownSpecificationId)).Returns(new ApiResponse <EffectiveSpecificationPermission>(HttpStatusCode.OK, new EffectiveSpecificationPermission()));
IOptions <PermissionOptions> options = Substitute.For <IOptions <PermissionOptions> >();
options.Value.Returns(actualOptions);
SpecificationPermissionHandler authHandler = new SpecificationPermissionHandler(usersApiClient, options);
// Act
await authHandler.HandleAsync(authContext);
// Assert
authContext.HasSucceeded.Should().BeFalse();
}
public async Task <EffectiveSpecificationPermission> GetEffectivePermissionsForUser(ClaimsPrincipal user, string specificationId)
{
Guard.ArgumentNotNull(user, nameof(user));
Guard.IsNullOrWhiteSpace(specificationId, nameof(specificationId));
if (IsAdminUser(user))
{
return(new EffectiveSpecificationPermission
{
SpecificationId = specificationId,
UserId = user.GetUserProfile()?.Id,
CanAdministerFundingStream = true,
CanApproveFunding = true,
CanApproveSpecification = true,
CanChooseFunding = true,
CanCreateQaTests = true,
CanCreateSpecification = true,
CanEditCalculations = true,
CanEditQaTests = true,
CanEditSpecification = true,
CanMapDatasets = true,
CanReleaseFunding = true,
CanRefreshFunding = true,
CanDeleteCalculations = true,
CanDeleteQaTests = true,
CanDeleteSpecification = true,
CanApplyCustomProfilePattern = true,
CanApproveAnyCalculations = true,
CanApproveCalculations = true,
CanAssignProfilePattern = true,
CanApproveAllCalculations = true,
CanRefreshPublishedQa = true
});
}
string userId = VerifyObjectIdentifierClaimTypePresent(user);
ApiResponse <EffectiveSpecificationPermission> response = await _usersClient.GetEffectivePermissionsForUser(userId, specificationId);
if (response.StatusCode != HttpStatusCode.OK)
{
_logger.Error("Failed to get effective permissions for user ({user}) - {statuscode}", user.Identity.Name, response.StatusCode);
return(new EffectiveSpecificationPermission
{
UserId = user.GetUserProfile()?.Id,
SpecificationId = specificationId,
CanAdministerFundingStream = false,
CanApproveFunding = false,
CanApproveSpecification = false,
CanChooseFunding = false,
CanCreateQaTests = false,
CanCreateSpecification = false,
CanEditCalculations = false,
CanEditQaTests = false,
CanEditSpecification = false,
CanMapDatasets = false,
CanReleaseFunding = false,
CanRefreshFunding = false,
CanDeleteCalculations = false,
CanDeleteQaTests = false,
CanDeleteSpecification = false,
CanApplyCustomProfilePattern = false,
CanApproveAnyCalculations = false,
CanApproveCalculations = false,
CanAssignProfilePattern = false,
CanApproveAllCalculations = false,
CanRefreshPublishedQa = false
});
}
else
{
return(response.Content);
}
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, SpecificationRequirement requirement, ISpecificationAuthorizationEntity resource)
{
if (!_features.IsRoleBasedAccessEnabled())
{
context.Succeed(requirement);
return;
}
// If user belongs to the admin group then allow them access
if (context.User.HasClaim(c => c.Type == Constants.GroupsClaimType && c.Value.ToLowerInvariant() == _permissionOptions.AdminGroupId.ToString().ToLowerInvariant()))
{
context.Succeed(requirement);
}
else
{
// Get user permissions for funding stream
if (context.User.HasClaim(c => c.Type == Constants.ObjectIdentifierClaimType))
{
string userId = context.User.FindFirst(Constants.ObjectIdentifierClaimType).Value;
ApiResponse <EffectiveSpecificationPermission> permissionResponse = await _usersApiClient.GetEffectivePermissionsForUser(userId, resource.GetSpecificationId());
if (permissionResponse == null || permissionResponse.StatusCode != HttpStatusCode.OK)
{
throw new Exception($"Error calling the permissions service - {permissionResponse.StatusCode}");
}
// Check user has permissions for funding stream
if (HasPermission(requirement.ActionType, permissionResponse.Content))
{
context.Succeed(requirement);
}
}
}
}
public async Task <Common.ApiClient.Users.Models.EffectiveSpecificationPermission> GetEffectivePermissionsForUser(ClaimsPrincipal user, string specificationId)
{
Guard.ArgumentNotNull(user, nameof(user));
Guard.IsNullOrWhiteSpace(specificationId, nameof(specificationId));
if (user.HasClaim(c => c.Type == Common.Identity.Constants.GroupsClaimType && c.Value.ToLowerInvariant() == _permissionOptions.AdminGroupId.ToString().ToLowerInvariant()))
{
return(new Common.ApiClient.Users.Models.EffectiveSpecificationPermission
{
CanAdministerFundingStream = true,
CanApproveFunding = true,
CanApproveSpecification = true,
CanChooseFunding = true,
CanCreateQaTests = true,
CanCreateSpecification = true,
CanEditCalculations = true,
CanEditQaTests = true,
CanEditSpecification = true,
CanMapDatasets = true,
CanPublishFunding = true,
CanRefreshFunding = true,
SpecificationId = specificationId,
UserId = user.GetUserProfile()?.Id,
});
}
string userId = VerifyObjectIdentifierClaimTypePresent(user);
ApiResponse <Common.ApiClient.Users.Models.EffectiveSpecificationPermission> response = await _usersClient.GetEffectivePermissionsForUser(userId, specificationId);
if (response.StatusCode != HttpStatusCode.OK)
{
_logger.Error("Failed to get effective permissions for user ({user}) - {statuscode}", user.Identity.Name, response.StatusCode);
return(new Common.ApiClient.Users.Models.EffectiveSpecificationPermission
{
CanAdministerFundingStream = false,
CanApproveFunding = false,
CanApproveSpecification = false,
CanChooseFunding = false,
CanCreateQaTests = false,
CanCreateSpecification = false,
CanEditCalculations = false,
CanEditQaTests = false,
CanEditSpecification = false,
CanMapDatasets = false,
CanPublishFunding = false,
CanRefreshFunding = false,
SpecificationId = specificationId,
UserId = user.GetUserProfile()?.Id,
});
}
else
{
return(response.Content);
}
}
