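/// <summary>
///     Verifies that a disabled policy never blocks a request, even when no principal is attached.
/// </summary>
public void EvaluateSucceedsWhenNotEnabled()
        {
            // Arrange: a minimal Web API pipeline whose policy is switched off.
            var descriptorMock = new Mock<HttpActionDescriptor>();
            descriptorMock.SetupGet(descriptor => descriptor.ActionName).Returns("someAction");

            // HttpConfiguration and HttpRequestMessage are IDisposable; release them when the test ends.
            using (var configuration = new HttpConfiguration())
            using (var message = new HttpRequestMessage())
            {
                var route = new HttpRouteData(new HttpRoute());
                message.SetConfiguration(configuration);
                message.SetRouteData(route);

                var controllerContext = new HttpControllerContext(configuration, route, message)
                {
                    ControllerDescriptor = new HttpControllerDescriptor
                    {
                        Configuration  = configuration,
                        ControllerName = "generic"
                    }
                };

                var context = new HttpActionContext(controllerContext, descriptorMock.Object);
                var policy  = new PriviledgedOperationAuthorizationPolicy(
                    new PriviledgedOperationAuthorizationPolicyConfiguration { Enabled = false });

                // Act / Assert: a null result is the policy's "allowed" outcome.
                policy.Evaluate(context).Should().BeNull("because the policy should always be satisfied if not enabled");
            }
        }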
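        /// <summary>
        ///     Verifies that claim-type matching is case-sensitive: a principal holding the privileged-operations
        ///     claim under a differently-cased type name must still be refused.
        /// </summary>
        public void EvaluateFailsWhenTheClaimIsHeldWithADifferentCase()
        {
            // Arrange: an enabled policy and a principal whose claim type differs from the expected one only by case.
            var descriptorMock = new Mock<HttpActionDescriptor>();
            descriptorMock.SetupGet(descriptor => descriptor.ActionName).Returns("someAction");

            var identity = new ClaimsIdentity(new Claim[]
            {
                new Claim(CustomClaimTypes.MayAccessPriviledgedOperations.ToUpper(), "true")
            });

            // HttpConfiguration and HttpRequestMessage are IDisposable; release them when the test ends.
            using (var configuration = new HttpConfiguration())
            using (var message = new HttpRequestMessage())
            {
                var route = new HttpRouteData(new HttpRoute());
                message.SetConfiguration(configuration);
                message.SetRouteData(route);

                var controllerContext = new HttpControllerContext(configuration, route, message)
                {
                    ControllerDescriptor = new HttpControllerDescriptor
                    {
                        Configuration  = configuration,
                        ControllerName = "generic"
                    }
                };

                var context = new HttpActionContext(controllerContext, descriptorMock.Object);
                context.RequestContext.Principal = new ClaimsPrincipal(identity);

                var policy = new PriviledgedOperationAuthorizationPolicy(
                    new PriviledgedOperationAuthorizationPolicyConfiguration { Enabled = true });

                // Act / Assert: a near-miss on the claim type must not be treated as the claim being held.
                policy.Evaluate(context).Should().Be(HttpStatusCode.Forbidden, "because the policy should fail when the principal holds the required claim but there is a case mismatch");
            }
        }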
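        /// <summary>
        ///     Verifies that an enabled policy allows a principal that holds the privileged-operations claim.
        /// </summary>
        public void EvaluateSucceedsWhenTheClaimIsHeld()
        {
            // Arrange: an enabled policy and a principal carrying the exact claim type the policy expects.
            var descriptorMock = new Mock<HttpActionDescriptor>();
            descriptorMock.SetupGet(descriptor => descriptor.ActionName).Returns("someAction");

            var identity = new ClaimsIdentity(new Claim[]
            {
                new Claim(CustomClaimTypes.MayAccessPriviledgedOperations, "true")
            });

            // HttpConfiguration and HttpRequestMessage are IDisposable; release them when the test ends.
            using (var configuration = new HttpConfiguration())
            using (var message = new HttpRequestMessage())
            {
                var route = new HttpRouteData(new HttpRoute());
                message.SetConfiguration(configuration);
                message.SetRouteData(route);

                var controllerContext = new HttpControllerContext(configuration, route, message)
                {
                    ControllerDescriptor = new HttpControllerDescriptor
                    {
                        Configuration  = configuration,
                        ControllerName = "generic"
                    }
                };

                var context = new HttpActionContext(controllerContext, descriptorMock.Object);
                context.RequestContext.Principal = new ClaimsPrincipal(identity);

                var policy = new PriviledgedOperationAuthorizationPolicy(
                    new PriviledgedOperationAuthorizationPolicyConfiguration { Enabled = true });

                // Act / Assert: a null result is the policy's "allowed" outcome.
                policy.Evaluate(context).Should().BeNull("because the policy should be satisfied when the principal holds the required claim");
            }
        }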
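        /// <summary>
        ///     Verifies that an enabled policy refuses an authenticated principal that lacks the
        ///     privileged-operations claim, even when other claims and route values are present.
        /// </summary>
        public void EvaluateFailsWhenThereIsNoSudoClaim()
        {
            // Arrange: an enabled policy and a principal that carries an unrelated claim only.
            var descriptorMock = new Mock<HttpActionDescriptor>();
            descriptorMock.SetupGet(descriptor => descriptor.ActionName).Returns("someAction");

            var identity = new ClaimsIdentity(new Claim[]
            {
                new Claim(CustomClaimTypes.IdentityType, "UnitTest")
            });

            // HttpConfiguration and HttpRequestMessage are IDisposable; release them when the test ends.
            using (var configuration = new HttpConfiguration())
            using (var message = new HttpRequestMessage())
            {
                var route = new HttpRouteData(new HttpRoute());

                // A partner route value is present as well; the assertion below shows it does not stand in for the claim.
                route.Values.Add(ActionArguments.Partner, "SQUIRE");

                message.SetConfiguration(configuration);
                message.SetRouteData(route);

                var controllerContext = new HttpControllerContext(configuration, route, message)
                {
                    ControllerDescriptor = new HttpControllerDescriptor
                    {
                        Configuration  = configuration,
                        ControllerName = "generic"
                    }
                };

                var context = new HttpActionContext(controllerContext, descriptorMock.Object);
                context.RequestContext.Principal = new ClaimsPrincipal(identity);

                var policy = new PriviledgedOperationAuthorizationPolicy(
                    new PriviledgedOperationAuthorizationPolicyConfiguration { Enabled = true });

                // Act / Assert: without the claim the request is forbidden.
                policy.Evaluate(context).Should().Be(HttpStatusCode.Forbidden, "because the policy should fail when the principal does not hold the required claim");
            }
        }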
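        /// <summary>
        ///     Verifies that an enabled policy fails closed when the request carries no principal at all.
        /// </summary>
        public void EvaluateFailsWhenThereIsNoPrincipal()
        {
            // Arrange: an enabled policy and a request context whose principal is explicitly cleared.
            var descriptorMock = new Mock<HttpActionDescriptor>();
            descriptorMock.SetupGet(descriptor => descriptor.ActionName).Returns("someAction");

            // HttpConfiguration and HttpRequestMessage are IDisposable; release them when the test ends.
            using (var configuration = new HttpConfiguration())
            using (var message = new HttpRequestMessage())
            {
                var route = new HttpRouteData(new HttpRoute());
                message.SetConfiguration(configuration);
                message.SetRouteData(route);

                var controllerContext = new HttpControllerContext(configuration, route, message)
                {
                    ControllerDescriptor = new HttpControllerDescriptor
                    {
                        Configuration  = configuration,
                        ControllerName = "generic"
                    }
                };

                var context = new HttpActionContext(controllerContext, descriptorMock.Object);
                context.RequestContext.Principal = null;

                var policy = new PriviledgedOperationAuthorizationPolicy(
                    new PriviledgedOperationAuthorizationPolicyConfiguration { Enabled = true });

                // Act / Assert: a missing principal must be refused rather than passed through.
                policy.Evaluate(context).Should().Be(HttpStatusCode.Forbidden, "because the policy should fail when no principal is present");
            }
        }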
        /// <summary>
        ///     Verifies that the policy's <c>Enabled</c> flag mirrors the configuration it was constructed with.
        /// </summary>
        public void EnabledPropertyIsConfigured()
        {
            var configuration = new PriviledgedOperationAuthorizationPolicyConfiguration { Enabled = true };
            var policy        = new PriviledgedOperationAuthorizationPolicy(configuration);

            policy.Enabled.Should().Be(configuration.Enabled, "because the Enabled property should be driven by configuration");
        }
 /// <summary>
 ///     Initializes a new instance of the <see cref="PriviledgedOperationAuthorizationPolicy"/> class.
 /// </summary>
 ///
 /// <param name="configuration">The configuration to use for the policy.</param>
 ///
 /// <exception cref="ArgumentNullException">Thrown when <paramref name="configuration"/> is <c>null</c>.</exception>
 ///
 public PriviledgedOperationAuthorizationPolicy(PriviledgedOperationAuthorizationPolicyConfiguration configuration)
 {
     // Reject a missing configuration up front so the policy can never be evaluated with undefined settings.
     if (configuration == null)
     {
         throw new ArgumentNullException(nameof(configuration));
     }

     this.configuration = configuration;
 }