public async Task TestConstructor_OnActionExecutingAsync_UserIsNotValid() { var permissionModel = new PermissionModel { Id = Permission.ViewProgram.Id, Name = Permission.ViewProgram.Value }; var id = 1; var user = GetTestUser(); userProvider.Setup(x => x.GetCurrentUser()).Returns(user); userProvider.Setup(x => x.IsUserValidAsync(It.IsAny <IWebApiUser>())).ReturnsAsync(false); permissionService.Setup(x => x.HasPermission(It.IsAny <int>(), It.IsAny <int?>(), It.IsAny <int>(), It.IsAny <List <IPermission> >())).Returns(true); var attribute = new ResourceAuthorizeAttribute(permissionModel.Name, ResourceType.Program.Value, id); var actionContext = ContextUtil.CreateActionContext(); actionContext.RequestContext.Principal = Thread.CurrentPrincipal; var exceptionCaught = false; try { var cts = new CancellationTokenSource(); await attribute.OnActionExecutingAsync(actionContext, cts.Token); } catch (HttpResponseException e) { exceptionCaught = true; Assert.AreEqual(HttpStatusCode.Forbidden, e.Response.StatusCode); } Assert.IsTrue(exceptionCaught); //make sure we do not fall into into checking permissions userProvider.Verify(x => x.GetPermissionsAsync(It.IsAny <IWebApiUser>()), Times.Never()); }
public async Task TestConstructor_OnActionExecutingAsync_UserHasPermission() { var permissionModel = new PermissionModel { Id = Permission.ViewProgram.Id, Name = Permission.ViewProgram.Value }; var id = 1; var user = GetTestUser(); var foreignResourceCache = new ForeignResourceCache(0, 1, 0, null, null, null); userProvider.Setup(x => x.GetCurrentUser()).Returns(user); userProvider.Setup(x => x.IsUserValidAsync(It.IsAny <IWebApiUser>())).ReturnsAsync(true); resourceService.Setup(x => x.GetResourceTypeId(It.IsAny <string>())).Returns(1); resourceService.Setup(x => x.GetResourceByForeignResourceIdAsync(It.IsAny <int>(), It.IsAny <int>())).ReturnsAsync(foreignResourceCache); permissionService.Setup(x => x.HasPermission(It.IsAny <int>(), It.IsAny <int?>(), It.IsAny <int>(), It.IsAny <List <IPermission> >())).Returns(true); permissionService.Setup(x => x.GetPermissionByNameAsync(It.IsAny <string>())).ReturnsAsync(permissionModel); var attribute = new ResourceAuthorizeAttribute(permissionModel.Name, ResourceType.Program.Value, id); var actionContext = ContextUtil.CreateActionContext(); actionContext.RequestContext.Principal = Thread.CurrentPrincipal; var cts = new CancellationTokenSource(); await attribute.OnActionExecutingAsync(actionContext, cts.Token); Assert.AreEqual(AuthorizationResult.Allowed, attribute.GetAuthorizationResult()); }
private List <Claim> ResourcesFromAttribute(ResourceAuthorizeAttribute attribute) { if ((attribute.Resources != null) && (attribute.Resources.Any())) { return(attribute.Resources.Select(r => new Claim("name", r)).ToList()); } return(null); }
public void TestConstructor_ActionPermission_DefaultIdActionArgument() { var permissionName = "Read"; var resourceType = "Program"; var attribute = new ResourceAuthorizeAttribute(permissionName, resourceType); Assert.IsNotNull(attribute.Permission); Assert.IsInstanceOfType(attribute.Permission, typeof(ActionPermission)); var permission = (ActionPermission)attribute.Permission; Assert.AreEqual(ResourceAuthorizeAttribute.DEFAULT_ID_ARGUMENT_NAME, permission.ArgumentName); }
public void TestConstructor_StaticPermission() { var permissionName = "read"; var resourceType = "program"; var id = 1; var attribute = new ResourceAuthorizeAttribute(permissionName, resourceType, id); Assert.IsNotNull(attribute.Permission); Assert.IsInstanceOfType(attribute.Permission, typeof(StaticPermission)); var staticPermission = (StaticPermission)attribute.Permission; Assert.AreEqual(permissionName, staticPermission.PermissionName); Assert.AreEqual(resourceType, staticPermission.ResourceType); Assert.AreEqual(id, staticPermission.ForeignResourceId); }
public void TestConstructor_ActionPermission() { var actionArgument = "id"; var permissionName = "Read"; var resourceType = "Program"; var attribute = new ResourceAuthorizeAttribute(permissionName, resourceType, actionArgument); Assert.IsNotNull(attribute.Permission); Assert.IsInstanceOfType(attribute.Permission, typeof(ActionPermission)); var permission = (ActionPermission)attribute.Permission; Assert.AreEqual(actionArgument, permission.ArgumentName); Assert.AreEqual(permissionName, permission.PermissionName); Assert.AreEqual(resourceType, permission.ResourceType); }
public void TestConstructor_ModelPermission() { var modelType = typeof(SorterBindingModel); var property = "direction"; var permissionName = "Read"; var resourceType = "Program"; var attribute = new ResourceAuthorizeAttribute(permissionName, resourceType, modelType, property); Assert.IsNotNull(attribute.Permission); Assert.IsInstanceOfType(attribute.Permission, typeof(ModelPermission)); var permission = (ModelPermission)attribute.Permission; Assert.AreEqual(modelType, permission.ModelType); Assert.AreEqual(property, permission.Property); Assert.AreEqual(permissionName, permission.PermissionName); Assert.AreEqual(resourceType, permission.ResourceType); }
public async Task TestConstructor_OnActionExecutingAsync_ResourceIdDoesNotExist() { var exceptionCaught = false; var id = 1; var actionArgument = "id"; var permissionModel = new PermissionModel { Id = Permission.ViewProgram.Id, Name = Permission.ViewProgram.Value }; var user = GetTestUser(); var warningMessage = string.Empty; userProvider.Setup(x => x.GetCurrentUser()).Returns(user); resourceService.Setup(x => x.GetResourceTypeId(It.IsAny <string>())).Returns(1); resourceService.Setup(x => x.GetResourceByForeignResourceIdAsync(It.IsAny <int>(), It.IsAny <int>())).ReturnsAsync(default(ForeignResourceCache)); permissionService.Setup(x => x.HasPermission(It.IsAny <int>(), It.IsAny <int?>(), It.IsAny <int>(), It.IsAny <List <IPermission> >())).Returns(true); permissionService.Setup(x => x.GetPermissionByNameAsync(It.IsAny <string>())).ReturnsAsync(permissionModel); userProvider.Setup(x => x.IsUserValidAsync(It.IsAny <IWebApiUser>())).ReturnsAsync(true); var attribute = new ResourceAuthorizeAttribute(permissionModel.Name, ResourceType.Program.Value, actionArgument); try { var actionContext = ContextUtil.CreateActionContext(); actionContext.RequestContext.Principal = Thread.CurrentPrincipal; actionContext.ActionArguments.Add(actionArgument, id); var cts = new CancellationTokenSource(); await attribute.OnActionExecutingAsync(actionContext, cts.Token); } catch (HttpResponseException e) { exceptionCaught = true; Assert.AreEqual(HttpStatusCode.Forbidden, e.Response.StatusCode); } Assert.IsTrue(exceptionCaught); Assert.AreEqual(AuthorizationResult.ResourceDoesNotExist, attribute.GetAuthorizationResult()); //make sure we fall into checking permissions userProvider.Verify(x => x.GetPermissionsAsync(It.IsAny <IWebApiUser>()), Times.Once()); }
public async Task TestConstructor_OnActionExecutingAsync_ResourceTypeIsNotKnown() { var id = 1; var foreignResourceCache = new ForeignResourceCache(0, id, 0, null, null, null); var actionArgument = "id"; var permissionModel = new PermissionModel { Id = Permission.ViewProgram.Id, Name = Permission.ViewProgram.Value }; var resourceType = "idontexist"; var user = GetTestUser(); userProvider.Setup(x => x.GetCurrentUser()).Returns(user); resourceService.Setup(x => x.GetResourceTypeId(It.IsAny <string>())).Returns(default(int?)); resourceService.Setup(x => x.GetResourceByForeignResourceIdAsync(It.IsAny <int>(), It.IsAny <int>())).ReturnsAsync(foreignResourceCache); permissionService.Setup(x => x.HasPermission(It.IsAny <int>(), It.IsAny <int?>(), It.IsAny <int>(), It.IsAny <List <IPermission> >())).Returns(true); permissionService.Setup(x => x.GetPermissionByNameAsync(It.IsAny <string>())).ReturnsAsync(permissionModel); userProvider.Setup(x => x.IsUserValidAsync(It.IsAny <IWebApiUser>())).ReturnsAsync(true); var attribute = new ResourceAuthorizeAttribute(permissionModel.Name, resourceType, actionArgument); var actionContext = ContextUtil.CreateActionContext(); actionContext.RequestContext.Principal = Thread.CurrentPrincipal; actionContext.ActionArguments.Add(actionArgument, id); var cts = new CancellationTokenSource(); var exceptionCaught = false; try { await attribute.OnActionExecutingAsync(actionContext, cts.Token); } catch (NotSupportedException e) { exceptionCaught = true; Assert.AreEqual(String.Format("The resource type name [{0}] does not have a matching resource id in CAM.", resourceType), e.Message); } Assert.IsTrue(exceptionCaught); }
private Claim ActionFromAttribute(ResourceAuthorizeAttribute attribute) { return(!string.IsNullOrWhiteSpace(attribute.Action) ? new Claim("name", attribute.Action) : null); }