/// <summary>
/// A user whose effective permissions include <c>CanRefreshPublishedQa</c> must satisfy the
/// <see cref="SpecificationActionTypes.CanRefreshPublishedQa"/> requirement for the specification.
/// </summary>
public async Task WhenUserCanRefreshPublishedQaForSpecification_ShouldSucceed()
{
    // Arrange: a principal carrying only the object-identifier claim the handler keys on.
    string objectId = Guid.NewGuid().ToString();
    Claim[] claims = { new Claim(Constants.ObjectIdentifierClaimType, objectId) };
    ClaimsPrincipal user = new ClaimsPrincipal(new ClaimsIdentity(claims));

    string specificationId = WellKnownSpecificationId;
    AuthorizationHandlerContext context = CreateAuthenticationContext(
        user,
        SpecificationActionTypes.CanRefreshPublishedQa,
        specificationId);

    // The permissions service grants exactly the one permission under test.
    EffectiveSpecificationPermission grantedPermissions = new EffectiveSpecificationPermission
    {
        CanRefreshPublishedQa = true
    };
    ApiResponse<EffectiveSpecificationPermission> permissionsResponse =
        new ApiResponse<EffectiveSpecificationPermission>(HttpStatusCode.OK, grantedPermissions);

    IUsersApiClient usersClient = Substitute.For<IUsersApiClient>();
    usersClient
        .GetEffectivePermissionsForUser(Arg.Is(objectId), Arg.Is(WellKnownSpecificationId))
        .Returns(permissionsResponse);

    IOptions<PermissionOptions> permissionOptions = Substitute.For<IOptions<PermissionOptions>>();
    permissionOptions.Value.Returns(actualOptions);

    SpecificationPermissionHandler handler = new SpecificationPermissionHandler(usersClient, permissionOptions);

    // Act
    await handler.HandleAsync(context);

    // Assert
    context.HasSucceeded.Should().BeTrue();
}
/// <summary>
/// A recognised user whose effective permissions grant nothing must not satisfy
/// <see cref="SpecificationActionTypes.CanApproveFunding"/> while role-based access is enabled.
/// </summary>
public async Task WhenUserIsKnown_AndHasNoPermissions_ShouldNotSucceed()
{
    // Arrange: principal with only the object-identifier claim.
    string objectId = Guid.NewGuid().ToString();
    ClaimsPrincipal user = new ClaimsPrincipal(
        new ClaimsIdentity(new[] { new Claim(Constants.ObjectIdentifierClaimType, objectId) }));

    // The resource under authorisation resolves to the well-known specification.
    ISpecificationAuthorizationEntity resource = Substitute.For<ISpecificationAuthorizationEntity>();
    resource.GetSpecificationId().Returns(WellKnownSpecificationId);

    AuthorizationHandlerContext context = CreateAuthenticationContext(
        user,
        SpecificationActionTypes.CanApproveFunding,
        resource);

    // Permissions service answers 200 OK with a freshly constructed, unpopulated permission set.
    ApiResponse<EffectiveSpecificationPermission> emptyPermissions =
        new ApiResponse<EffectiveSpecificationPermission>(HttpStatusCode.OK, new EffectiveSpecificationPermission());

    IUsersApiClient usersClient = Substitute.For<IUsersApiClient>();
    usersClient
        .GetEffectivePermissionsForUser(Arg.Is(objectId), Arg.Is(WellKnownSpecificationId))
        .Returns(emptyPermissions);

    IOptions<PermissionOptions> permissionOptions = Substitute.For<IOptions<PermissionOptions>>();
    permissionOptions.Value.Returns(actualOptions);

    // Role-based access has to be on; with it off the handler is expected to succeed unconditionally.
    IFeatureToggle featureToggle = Substitute.For<IFeatureToggle>();
    featureToggle.IsRoleBasedAccessEnabled().Returns(true);

    SpecificationPermissionHandler handler =
        new SpecificationPermissionHandler(usersClient, permissionOptions, featureToggle);

    // Act
    await handler.HandleAsync(context);

    // Assert
    context.HasSucceeded.Should().BeFalse();
}
/// <summary>
/// A principal the permissions service does not recognise (it returns an unpopulated permission set for
/// any user id) must not satisfy <see cref="SpecificationActionTypes.CanApproveFunding"/>.
/// </summary>
public async Task WhenUserIsNotKnownToTheSystem_ShouldNotSucceed()
{
    // Arrange: a random object identifier that the users API has never seen.
    Claim[] claims = { new Claim(Constants.ObjectIdentifierClaimType, Guid.NewGuid().ToString()) };
    ClaimsPrincipal user = new ClaimsPrincipal(new ClaimsIdentity(claims));

    string specificationId = WellKnownSpecificationId;
    AuthorizationHandlerContext context = CreateAuthenticationContext(
        user,
        SpecificationActionTypes.CanApproveFunding,
        specificationId);

    // Whatever user id is asked for, the service answers 200 OK with no permissions populated.
    ApiResponse<EffectiveSpecificationPermission> emptyPermissions =
        new ApiResponse<EffectiveSpecificationPermission>(HttpStatusCode.OK, new EffectiveSpecificationPermission());

    IUsersApiClient usersClient = Substitute.For<IUsersApiClient>();
    usersClient
        .GetEffectivePermissionsForUser(Arg.Any<string>(), Arg.Is(WellKnownSpecificationId))
        .Returns(emptyPermissions);

    IOptions<PermissionOptions> permissionOptions = Substitute.For<IOptions<PermissionOptions>>();
    permissionOptions.Value.Returns(actualOptions);

    SpecificationPermissionHandler handler = new SpecificationPermissionHandler(usersClient, permissionOptions);

    // Act
    await handler.HandleAsync(context);

    // Assert
    context.HasSucceeded.Should().BeFalse();
}
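/// <summary>
/// Resolves the effective permissions <paramref name="user"/> holds on the specification
/// <paramref name="specificationId"/>.
/// </summary>
/// <param name="user">The authenticated principal; must not be null.</param>
/// <param name="specificationId">Identifier of the specification being acted on; must not be blank.</param>
/// <returns>
/// Every permission granted when <c>IsAdminUser</c> recognises the principal; otherwise the permission set
/// returned by the users API, or a set with every flag false when that call yields no usable OK response.
/// </returns>
public async Task<EffectiveSpecificationPermission> GetEffectivePermissionsForUser(ClaimsPrincipal user, string specificationId)
{
    Guard.ArgumentNotNull(user, nameof(user));
    Guard.IsNullOrWhiteSpace(specificationId, nameof(specificationId));

    // Admins are granted everything without consulting the users API. The grant is an explicit list, so a
    // permission added to EffectiveSpecificationPermission must be added here too or admins will lack it.
    if (IsAdminUser(user))
    {
        return new EffectiveSpecificationPermission
        {
            SpecificationId = specificationId,
            UserId = user.GetUserProfile()?.Id,
            CanAdministerFundingStream = true,
            CanApproveFunding = true,
            CanApproveSpecification = true,
            CanChooseFunding = true,
            CanCreateQaTests = true,
            CanCreateSpecification = true,
            CanEditCalculations = true,
            CanEditQaTests = true,
            CanEditSpecification = true,
            CanMapDatasets = true,
            CanReleaseFunding = true,
            CanRefreshFunding = true,
            CanDeleteCalculations = true,
            CanDeleteQaTests = true,
            CanDeleteSpecification = true,
            CanApplyCustomProfilePattern = true,
            CanApproveAnyCalculations = true,
            CanApproveCalculations = true,
            CanAssignProfilePattern = true,
            CanApproveAllCalculations = true,
            CanRefreshPublishedQa = true
        };
    }

    string userId = VerifyObjectIdentifierClaimTypePresent(user);
    ApiResponse<EffectiveSpecificationPermission> response =
        await _usersClient.GetEffectivePermissionsForUser(userId, specificationId);

    // A null response or null body is handled exactly like a non-OK status: log it and deny every
    // permission (fail closed) instead of dereferencing null. Identity may be null on a bare principal.
    if (response == null || response.StatusCode != HttpStatusCode.OK || response.Content == null)
    {
        _logger.Error("Failed to get effective permissions for user ({user}) - {statuscode}", user.Identity?.Name, response?.StatusCode);

        return new EffectiveSpecificationPermission
        {
            UserId = user.GetUserProfile()?.Id,
            SpecificationId = specificationId,
            CanAdministerFundingStream = false,
            CanApproveFunding = false,
            CanApproveSpecification = false,
            CanChooseFunding = false,
            CanCreateQaTests = false,
            CanCreateSpecification = false,
            CanEditCalculations = false,
            CanEditQaTests = false,
            CanEditSpecification = false,
            CanMapDatasets = false,
            CanReleaseFunding = false,
            CanRefreshFunding = false,
            CanDeleteCalculations = false,
            CanDeleteQaTests = false,
            CanDeleteSpecification = false,
            CanApplyCustomProfilePattern = false,
            CanApproveAnyCalculations = false,
            CanApproveCalculations = false,
            CanAssignProfilePattern = false,
            CanApproveAllCalculations = false,
            CanRefreshPublishedQa = false
        };
    }

    return response.Content;
}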
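/// <summary>
/// Decides whether <paramref name="context"/>'s user meets <paramref name="requirement"/> for the
/// specification identified by <paramref name="resource"/>.
/// </summary>
/// <param name="context">The authorization context; marked succeeded when access is granted.</param>
/// <param name="requirement">The specification action being requested.</param>
/// <param name="resource">Supplies the specification id to look permissions up against.</param>
/// <exception cref="InvalidOperationException">
/// The users API returned no response or a non-OK status; the requirement is not marked succeeded.
/// </exception>
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, SpecificationRequirement requirement, ISpecificationAuthorizationEntity resource)
{
    // With role-based access switched off every caller is authorised.
    if (!_features.IsRoleBasedAccessEnabled())
    {
        context.Succeed(requirement);
        return;
    }

    // Members of the configured admin group bypass the per-specification lookup. The group id is
    // compared case-insensitively as an opaque identifier, so an ordinal comparison is the right one.
    string adminGroupId = _permissionOptions.AdminGroupId.ToString();
    if (context.User.HasClaim(c => c.Type == Constants.GroupsClaimType
                                   && string.Equals(c.Value, adminGroupId, StringComparison.OrdinalIgnoreCase)))
    {
        context.Succeed(requirement);
        return;
    }

    // Without an object-identifier claim the user cannot be looked up; the requirement is left unmet.
    string userId = context.User.FindFirst(Constants.ObjectIdentifierClaimType)?.Value;
    if (userId == null)
    {
        return;
    }

    ApiResponse<EffectiveSpecificationPermission> permissionResponse =
        await _usersApiClient.GetEffectivePermissionsForUser(userId, resource.GetSpecificationId());

    // A null response must not be dereferenced while building the error message.
    if (permissionResponse == null || permissionResponse.StatusCode != HttpStatusCode.OK)
    {
        string status = permissionResponse?.StatusCode.ToString() ?? "no response";
        throw new InvalidOperationException($"Error calling the permissions service - {status}");
    }

    // Grant only when the returned permission set covers the requested action.
    if (HasPermission(requirement.ActionType, permissionResponse.Content))
    {
        context.Succeed(requirement);
    }
}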
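/// <summary>
/// Resolves the effective permissions <paramref name="user"/> holds on the specification
/// <paramref name="specificationId"/>.
/// </summary>
/// <param name="user">The authenticated principal; must not be null.</param>
/// <param name="specificationId">Identifier of the specification being acted on; must not be blank.</param>
/// <returns>
/// Every permission granted when the principal carries the configured admin group claim; otherwise the
/// permission set returned by the users API, or a set with every flag false when that call yields no
/// usable OK response.
/// </returns>
public async Task<Common.ApiClient.Users.Models.EffectiveSpecificationPermission> GetEffectivePermissionsForUser(ClaimsPrincipal user, string specificationId)
{
    Guard.ArgumentNotNull(user, nameof(user));
    Guard.IsNullOrWhiteSpace(specificationId, nameof(specificationId));

    // Admin group membership grants everything without consulting the users API. The grant is an explicit
    // list, so a permission added to the model must be added here too or admins will lack it.
    string adminGroupId = _permissionOptions.AdminGroupId.ToString().ToLowerInvariant();
    if (user.HasClaim(c => c.Type == Common.Identity.Constants.GroupsClaimType
                           && c.Value.ToLowerInvariant() == adminGroupId))
    {
        return new Common.ApiClient.Users.Models.EffectiveSpecificationPermission
        {
            CanAdministerFundingStream = true,
            CanApproveFunding = true,
            CanApproveSpecification = true,
            CanChooseFunding = true,
            CanCreateQaTests = true,
            CanCreateSpecification = true,
            CanEditCalculations = true,
            CanEditQaTests = true,
            CanEditSpecification = true,
            CanMapDatasets = true,
            CanPublishFunding = true,
            CanRefreshFunding = true,
            SpecificationId = specificationId,
            UserId = user.GetUserProfile()?.Id,
        };
    }

    string userId = VerifyObjectIdentifierClaimTypePresent(user);
    ApiResponse<Common.ApiClient.Users.Models.EffectiveSpecificationPermission> response =
        await _usersClient.GetEffectivePermissionsForUser(userId, specificationId);

    // A null response or null body is handled exactly like a non-OK status: log it and deny every
    // permission (fail closed) instead of dereferencing null. Identity may be null on a bare principal.
    if (response == null || response.StatusCode != HttpStatusCode.OK || response.Content == null)
    {
        _logger.Error("Failed to get effective permissions for user ({user}) - {statuscode}", user.Identity?.Name, response?.StatusCode);

        return new Common.ApiClient.Users.Models.EffectiveSpecificationPermission
        {
            CanAdministerFundingStream = false,
            CanApproveFunding = false,
            CanApproveSpecification = false,
            CanChooseFunding = false,
            CanCreateQaTests = false,
            CanCreateSpecification = false,
            CanEditCalculations = false,
            CanEditQaTests = false,
            CanEditSpecification = false,
            CanMapDatasets = false,
            CanPublishFunding = false,
            CanRefreshFunding = false,
            SpecificationId = specificationId,
            UserId = user.GetUserProfile()?.Id,
        };
    }

    return response.Content;
}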