public async Task <PermissionApiModel> AddPermission(string accessToken, PermissionApiModel permissionModel) { var message = new HttpRequestMessage(HttpMethod.Post, new PermissionRouteBuilder().Route) .AddContent(permissionModel) .AddAcceptHeader() .AddBearerToken(accessToken); return(await SendAndParseJson <PermissionApiModel>(message).ConfigureAwait(false)); }
public void Test_Delete_Success() { // Adding permission var modifyPatientPermission = new PermissionApiModel() { Grain = "app", SecurableItem = "userprincipal", Name = "modifypatient", PermissionAction = PermissionAction.Allow }; string subjectId = "userprincipal"; this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); var perms = new List <PermissionApiModel> { modifyPatientPermission }; with.JsonBody(perms); }).Wait(); // Get the permissions var get = this.Browser.Get("/user/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); }).Result; Assert.Equal(HttpStatusCode.OK, get.StatusCode); var permissions = get.Body.DeserializeJson <UserPermissionsApiModel>(); Assert.Contains("app/userprincipal.modifypatient", permissions.Permissions); //delete the permission this.Browser.Delete($"/user/{IdentityProvider}/{subjectId}/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); var perms = new List <PermissionApiModel> { modifyPatientPermission }; with.JsonBody(perms); }).Wait(); // Get the permissions get = this.Browser.Get("/user/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); }).Result; Assert.Equal(HttpStatusCode.OK, get.StatusCode); permissions = get.Body.DeserializeJson <UserPermissionsApiModel>(); Assert.DoesNotContain("app/userprincipal.modifypatient", permissions.Permissions); }
public void Test_Delete_UserHasNoGranularPermissions() { // Get the permissions var get = this.Browser.Get("/user/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); }).Result; Assert.Equal(HttpStatusCode.OK, get.StatusCode); var permissions = get.Body.DeserializeJson <UserPermissionsApiModel>(); Assert.Equal(0, permissions.Permissions.Count()); var modifyPatientPermission = new PermissionApiModel() { Grain = "app", SecurableItem = "userprincipal", Name = "modifypatient", PermissionAction = PermissionAction.Allow }; string subjectId = "userprincipal"; //attempt to delete a permission the user does not have var deleteRequest = this.Browser.Delete($"/user/{IdentityProvider}/{subjectId}/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); var perms = new List <PermissionApiModel> { modifyPatientPermission }; with.JsonBody(perms); }).Result; Assert.Equal(HttpStatusCode.BadRequest, deleteRequest.StatusCode); Assert.Contains("Invalid allow permissions: app/userprincipal.modifypatient", deleteRequest.Body.AsString()); Assert.DoesNotContain("Invalid allow permission actions", deleteRequest.Body.AsString()); }
public void TestUserDeniedPermissionHasPrecedence_Success() { // Adding permissions var post = this.Browser.Post("/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); with.FormValue("Grain", "app"); with.FormValue("SecurableItem", "userprincipal"); with.FormValue("Name", "viewpatient"); }).Result; var viewPatientPermission = post.Body.DeserializeJson <PermissionApiModel>(); post = this.Browser.Post("/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); with.FormValue("Grain", "app"); with.FormValue("SecurableItem", "userprincipal"); with.FormValue("Name", "editpatient"); }).Result; var editPatientPermission = post.Body.DeserializeJson <PermissionApiModel>(); // Adding roles var role = new RoleApiModel() { Grain = "app", SecurableItem = "userprincipal", Name = "viewer", Permissions = new List <PermissionApiModel> { viewPatientPermission } }; post = this.Browser.Post("/roles", with => // -3 { with.HttpRequest(); with.Header("Accept", "application/json"); with.JsonBody(role); }).Result; var viewerRole = post.Body.DeserializeJson <RoleApiModel>(); post = this.Browser.Post("/roles", with => // -2 { with.HttpRequest(); with.Header("Accept", "application/json"); role.Name = "editor"; role.Permissions = new List <PermissionApiModel> { editPatientPermission }; with.JsonBody(role); }).Result; var editorRole = post.Body.DeserializeJson <RoleApiModel>(); // Adding groups this.Browser.Post("/groups", with => { with.HttpRequest(); with.FormValue("Id", Group1); with.FormValue("GroupName", Group1); with.FormValue("GroupSource", Source1); with.Header("Accept", "application/json"); }).Wait(); this.Browser.Post("/groups", with => { with.HttpRequest(); with.FormValue("Id", Group2); with.FormValue("GroupName", Group2); with.FormValue("GroupSource", Source2); with.Header("Accept", "application/json"); }).Wait(); this.Browser.Post($"/groups/{Group1}/roles", with => { with.HttpRequest(); with.Header("Accept", "application/json"); with.FormValue("Id", viewerRole.Identifier); }).Wait(); this.Browser.Post($"/groups/{Group2}/roles", with => { with.HttpRequest(); with.Header("Accept", "application/json"); with.FormValue("Id", editorRole.Identifier); }).Wait(); // Adding same permission to blacklist and whitellist string subjectId = "userprincipal"; editPatientPermission.PermissionAction = PermissionAction.Deny; this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); var perms = new List <PermissionApiModel> { editPatientPermission }; with.JsonBody(perms); }).Wait(); var modifyPatientPermission = new PermissionApiModel() { Grain = "app", SecurableItem = "userprincipal", Name = "modifypatient" }; modifyPatientPermission.PermissionAction = PermissionAction.Allow; this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); var perms = new List <PermissionApiModel> { editPatientPermission, modifyPatientPermission }; with.JsonBody(perms); }).Wait(); // Get the permissions var get = this.Browser.Get("/user/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); }).Result; Assert.Equal(HttpStatusCode.OK, get.StatusCode); var permissions = get.Body.DeserializeJson <UserPermissionsApiModel>(); Assert.Contains("app/userprincipal.viewpatient", permissions.Permissions); // from role Assert.Contains("app/userprincipal.modifypatient", permissions.Permissions); // only whitelisted Assert.DoesNotContain("app/userprincipal.editpatient", permissions.Permissions); // from role & backlisted & whitelisted Assert.Equal(2, permissions.Permissions.Count()); // Deny modifypatient and try again modifyPatientPermission.PermissionAction = PermissionAction.Deny; this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); var perms = new List <PermissionApiModel>() { editPatientPermission, modifyPatientPermission }; with.JsonBody(perms); }).Wait(); get = this.Browser.Get("/user/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); }).Result; Assert.Equal(HttpStatusCode.OK, get.StatusCode); permissions = get.Body.DeserializeJson <UserPermissionsApiModel>(); Assert.Contains("app/userprincipal.viewpatient", permissions.Permissions); // from role Assert.DoesNotContain("app/userprincipal.modifypatient", permissions.Permissions); // backlisted & whitelisted Assert.DoesNotContain("app/userprincipal.editpatient", permissions.Permissions); // from role & backlisted & whitelisted Assert.Equal(1, permissions.Permissions.Count()); }
public void TestUserWhitelist_Success() { // Adding permissions var post = this.Browser.Post("/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); with.FormValue("Grain", "app"); with.FormValue("SecurableItem", "userprincipal"); with.FormValue("Name", "viewpatient"); }).Result; var viewPatientPermission = post.Body.DeserializeJson <PermissionApiModel>(); post = this.Browser.Post("/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); with.FormValue("Grain", "app"); with.FormValue("SecurableItem", "userprincipal"); with.FormValue("Name", "editpatient"); }).Result; var editPatientPermission = post.Body.DeserializeJson <PermissionApiModel>(); // Adding roles var role = new RoleApiModel() { Grain = "app", SecurableItem = "userprincipal", Name = "viewer", Permissions = new List <PermissionApiModel> { viewPatientPermission } }; post = this.Browser.Post("/roles", with => // -3 { with.HttpRequest(); with.Header("Accept", "application/json"); with.JsonBody(role); }).Result; var viewerRole = post.Body.DeserializeJson <RoleApiModel>(); post = this.Browser.Post("/roles", with => // -2 { with.HttpRequest(); with.Header("Accept", "application/json"); role.Name = "editor"; role.Permissions = new List <PermissionApiModel> { editPatientPermission }; with.JsonBody(role); }).Result; var editorRole = post.Body.DeserializeJson <RoleApiModel>(); // Adding groups this.Browser.Post("/groups", with => { with.HttpRequest(); with.FormValue("Id", Group1); with.FormValue("GroupName", Group1); with.FormValue("GroupSource", Source1); with.Header("Accept", "application/json"); }).Wait(); this.Browser.Post("/groups", with => { with.HttpRequest(); with.FormValue("Id", Group2); with.FormValue("GroupName", Group2); with.FormValue("GroupSource", Source2); with.Header("Accept", "application/json"); }).Wait(); this.Browser.Post($"/groups/{Group1}/roles", with => { with.HttpRequest(); with.Header("Accept", "application/json"); with.FormValue("Id", viewerRole.Identifier); }).Wait(); this.Browser.Post($"/groups/{Group2}/roles", with => { with.HttpRequest(); with.Header("Accept", "application/json"); with.FormValue("Id", editorRole.Identifier); }).Wait(); // Adding permission (user also can modify patient, even though role doesn't) var modifyPatientPermission = new PermissionApiModel() { Grain = "app", SecurableItem = "userprincipal", Name = "modifypatient", PermissionAction = PermissionAction.Allow }; string subjectId = "userprincipal"; this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); var perms = new List <PermissionApiModel> { modifyPatientPermission }; with.JsonBody(perms); }).Wait(); // Get the permissions var get = this.Browser.Get("/user/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); }).Result; Assert.Equal(HttpStatusCode.OK, get.StatusCode); var permissions = get.Body.DeserializeJson <UserPermissionsApiModel>(); Assert.Contains("app/userprincipal.editpatient", permissions.Permissions); Assert.Contains("app/userprincipal.viewpatient", permissions.Permissions); Assert.Contains("app/userprincipal.modifypatient", permissions.Permissions); Assert.Equal(3, permissions.Permissions.Count()); }
public void Test_Delete_WrongPermissionAction_InvalidPermission() { var modifyPatientPermission = new PermissionApiModel() { Grain = "app", SecurableItem = "userprincipal", Name = "modifypatient", PermissionAction = PermissionAction.Allow }; string subjectId = "userprincipal"; this.Browser.Post($"/user/{IdentityProvider}/{subjectId}/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); var perms = new List <PermissionApiModel> { modifyPatientPermission }; with.JsonBody(perms); }).Wait(); // Get the permissions var get = this.Browser.Get("/user/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); }).Result; Assert.Equal(HttpStatusCode.OK, get.StatusCode); var permissions = get.Body.DeserializeJson <UserPermissionsApiModel>(); Assert.Contains("app/userprincipal.modifypatient", permissions.Permissions); //attempt to delete modifyPatientPermission with permission action Deny and include an invalid permission modifyPatientPermission.PermissionAction = PermissionAction.Deny; var deletePatientPermission = new PermissionApiModel() { Grain = "app", SecurableItem = "userprincipal", Name = "deletepatient", PermissionAction = PermissionAction.Allow }; var deleteRequest = this.Browser.Delete($"/user/{IdentityProvider}/{subjectId}/permissions", with => { with.HttpRequest(); with.Header("Accept", "application/json"); var perms = new List <PermissionApiModel> { modifyPatientPermission, deletePatientPermission }; with.JsonBody(perms); }).Result; Assert.Equal(HttpStatusCode.BadRequest, deleteRequest.StatusCode); Assert.Contains("Invalid deny permission actions: app/userprincipal.modifypatient", deleteRequest.Body.AsString()); Assert.DoesNotContain("Invalid deny permissions", deleteRequest.Body.AsString()); Assert.Contains("Invalid allow permissions: app/userprincipal.deletepatient", deleteRequest.Body.AsString()); Assert.DoesNotContain("Invalid allow permission actions", deleteRequest.Body.AsString()); }