public async Task WhenUserCanRefreshPublishedQaForSpecification_ShouldSucceed()
        {
            // Arrange: a principal that carries nothing but its object identifier claim,
            // so the handler must go to the users service for its permissions.
            string objectId = Guid.NewGuid().ToString();
            Claim[] claims = { new Claim(Constants.ObjectIdentifierClaimType, objectId) };
            ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(claims));

            AuthorizationHandlerContext authContext = CreateAuthenticationContext(principal, SpecificationActionTypes.CanRefreshPublishedQa, WellKnownSpecificationId);

            // The users service grants exactly the single permission the requirement asks for.
            EffectiveSpecificationPermission grantedPermission = new EffectiveSpecificationPermission { CanRefreshPublishedQa = true };
            ApiResponse <EffectiveSpecificationPermission> permissionResponse = new ApiResponse <EffectiveSpecificationPermission>(HttpStatusCode.OK, grantedPermission);

            IUsersApiClient usersApiClient = Substitute.For <IUsersApiClient>();
            usersApiClient.GetEffectivePermissionsForUser(Arg.Is(objectId), Arg.Is(WellKnownSpecificationId)).Returns(permissionResponse);

            IOptions <PermissionOptions> options = Substitute.For <IOptions <PermissionOptions> >();
            options.Value.Returns(actualOptions);

            SpecificationPermissionHandler authHandler = new SpecificationPermissionHandler(usersApiClient, options);

            // Act
            await authHandler.HandleAsync(authContext);

            // Assert: a granted permission for the requested action satisfies the requirement.
            authContext.HasSucceeded.Should().BeTrue();
        }
        public async Task WhenUserIsKnown_AndHasNoPermissions_ShouldNotSucceed()
        {
            // Arrange: a known user whose effective permission set is entirely empty.
            string objectId = Guid.NewGuid().ToString();
            Claim[] claims = { new Claim(Constants.ObjectIdentifierClaimType, objectId) };
            ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(claims));

            ISpecificationAuthorizationEntity specification = Substitute.For <ISpecificationAuthorizationEntity>();
            specification.GetSpecificationId().Returns(WellKnownSpecificationId);

            AuthorizationHandlerContext authContext = CreateAuthenticationContext(principal, SpecificationActionTypes.CanApproveFunding, specification);

            // The users service answers OK but with no permission flag set.
            ApiResponse <EffectiveSpecificationPermission> emptyPermissions = new ApiResponse <EffectiveSpecificationPermission>(HttpStatusCode.OK, new EffectiveSpecificationPermission());

            IUsersApiClient usersApiClient = Substitute.For <IUsersApiClient>();
            usersApiClient.GetEffectivePermissionsForUser(Arg.Is(objectId), Arg.Is(WellKnownSpecificationId)).Returns(emptyPermissions);

            IOptions <PermissionOptions> options = Substitute.For <IOptions <PermissionOptions> >();
            options.Value.Returns(actualOptions);

            // Role-based access must be switched on, otherwise the handler short-circuits to success.
            IFeatureToggle features = Substitute.For <IFeatureToggle>();
            features.IsRoleBasedAccessEnabled().Returns(true);

            SpecificationPermissionHandler authHandler = new SpecificationPermissionHandler(usersApiClient, options, features);

            // Act
            await authHandler.HandleAsync(authContext);

            // Assert: an empty permission set is a denial, not a pass.
            authContext.HasSucceeded.Should().BeFalse();
        }
        public async Task WhenUserIsNotKnownToTheSystem_ShouldNotSucceed()
        {
            // Arrange: the principal has an object identifier the users service has never seen.
            Claim[] claims = { new Claim(Constants.ObjectIdentifierClaimType, Guid.NewGuid().ToString()) };
            ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(claims));

            AuthorizationHandlerContext authContext = CreateAuthenticationContext(principal, SpecificationActionTypes.CanApproveFunding, WellKnownSpecificationId);

            // Whatever user id is asked for, the service reports no permissions at all.
            ApiResponse <EffectiveSpecificationPermission> emptyPermissions = new ApiResponse <EffectiveSpecificationPermission>(HttpStatusCode.OK, new EffectiveSpecificationPermission());

            IUsersApiClient usersApiClient = Substitute.For <IUsersApiClient>();
            usersApiClient.GetEffectivePermissionsForUser(Arg.Any <string>(), Arg.Is(WellKnownSpecificationId)).Returns(emptyPermissions);

            IOptions <PermissionOptions> options = Substitute.For <IOptions <PermissionOptions> >();
            options.Value.Returns(actualOptions);

            SpecificationPermissionHandler authHandler = new SpecificationPermissionHandler(usersApiClient, options);

            // Act
            await authHandler.HandleAsync(authContext);

            // Assert: an unknown user never satisfies the requirement.
            authContext.HasSucceeded.Should().BeFalse();
        }
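        /// <summary>
        /// Resolves the effective permissions <paramref name="user"/> holds on the specification
        /// identified by <paramref name="specificationId"/>.
        /// </summary>
        /// <remarks>
        /// Admin users (as decided by <see cref="IsAdminUser"/>) are granted every permission without
        /// contacting the users service. For everyone else the users service is the source of truth;
        /// when it returns no response or a non-OK status the failure is logged and an all-denied
        /// permission set is returned, so a service outage never widens access.
        /// </remarks>
        /// <param name="user">The principal to evaluate; non-admin users must carry an object identifier claim.</param>
        /// <param name="specificationId">The specification the permissions apply to.</param>
        /// <returns>
        /// The effective permissions for the user. On a successful call the service's
        /// <c>Content</c> is returned as-is (presumably non-null on OK — confirm against the client).
        /// </returns>
        public async Task <EffectiveSpecificationPermission> GetEffectivePermissionsForUser(ClaimsPrincipal user, string specificationId)
        {
            Guard.ArgumentNotNull(user, nameof(user));
            Guard.IsNullOrWhiteSpace(specificationId, nameof(specificationId));

            if (IsAdminUser(user))
            {
                return BuildUniformPermission(specificationId, user.GetUserProfile()?.Id, granted: true);
            }

            string userId = VerifyObjectIdentifierClaimTypePresent(user);

            ApiResponse <EffectiveSpecificationPermission> response = await _usersClient.GetEffectivePermissionsForUser(userId, specificationId);

            // A null response is treated exactly like a failed call: log it and fail closed.
            // Identity can be null on a ClaimsPrincipal, so it is dereferenced conditionally for the log line.
            if (response == null || response.StatusCode != HttpStatusCode.OK)
            {
                _logger.Error("Failed to get effective permissions for user ({user}) - {statuscode}", user.Identity?.Name, response?.StatusCode);

                return BuildUniformPermission(specificationId, user.GetUserProfile()?.Id, granted: false);
            }

            return response.Content;
        }

        /// <summary>
        /// Builds an <see cref="EffectiveSpecificationPermission"/> for <paramref name="specificationId"/>
        /// and <paramref name="userId"/> with every permission flag set to <paramref name="granted"/>.
        /// </summary>
        /// <param name="specificationId">The specification the permissions apply to.</param>
        /// <param name="userId">The user profile id to record on the permission; may be null.</param>
        /// <param name="granted">True for an all-allowed set, false for an all-denied set.</param>
        /// <returns>A fully populated permission whose flags all equal <paramref name="granted"/>.</returns>
        private static EffectiveSpecificationPermission BuildUniformPermission(string specificationId, string userId, bool granted)
        {
            return new EffectiveSpecificationPermission
            {
                SpecificationId = specificationId,
                UserId = userId,
                CanAdministerFundingStream = granted,
                CanApproveFunding = granted,
                CanApproveSpecification = granted,
                CanChooseFunding = granted,
                CanCreateQaTests = granted,
                CanCreateSpecification = granted,
                CanEditCalculations = granted,
                CanEditQaTests = granted,
                CanEditSpecification = granted,
                CanMapDatasets = granted,
                CanReleaseFunding = granted,
                CanRefreshFunding = granted,
                CanDeleteCalculations = granted,
                CanDeleteQaTests = granted,
                CanDeleteSpecification = granted,
                CanApplyCustomProfilePattern = granted,
                CanApproveAnyCalculations = granted,
                CanApproveCalculations = granted,
                CanAssignProfilePattern = granted,
                CanApproveAllCalculations = granted,
                CanRefreshPublishedQa = granted
            };
        }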
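        /// <summary>
        /// Evaluates a <see cref="SpecificationRequirement"/> for the current user against the
        /// specification identified by <paramref name="resource"/>.
        /// </summary>
        /// <remarks>
        /// The decision is fail-closed: the requirement succeeds only when the user carries the admin
        /// group claim, or when the permissions service reports the requested action as granted.
        /// When role-based access is disabled by the feature toggle every requirement succeeds; that
        /// bypass is deliberate but is a high-risk configuration, so keep it visible in deployment review.
        /// A failed call to the permissions service is surfaced as an exception rather than treated as
        /// either a grant or a denial.
        /// </remarks>
        /// <param name="context">The authorization context carrying the user's claims.</param>
        /// <param name="requirement">The requirement whose <c>ActionType</c> must be permitted.</param>
        /// <param name="resource">The specification being accessed.</param>
        /// <exception cref="InvalidOperationException">
        /// The permissions service returned no response or a non-OK status code.
        /// </exception>
        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, SpecificationRequirement requirement, ISpecificationAuthorizationEntity resource)
        {
            if (!_features.IsRoleBasedAccessEnabled())
            {
                // Role-based access is switched off: every requirement passes unconditionally.
                context.Succeed(requirement);
                return;
            }

            // Members of the admin group are granted every action without consulting the permissions service.
            // Group ids are compared case-insensitively with an ordinal comparison rather than by lower-casing both sides.
            string adminGroupId = _permissionOptions.AdminGroupId.ToString();
            bool isAdmin = context.User.HasClaim(c =>
                c.Type == Constants.GroupsClaimType
                && string.Equals(c.Value, adminGroupId, StringComparison.OrdinalIgnoreCase));

            if (isAdmin)
            {
                context.Succeed(requirement);
                return;
            }

            // Without an object identifier claim the user cannot be looked up, so the requirement stays unmet.
            string userId = context.User.FindFirst(Constants.ObjectIdentifierClaimType)?.Value;
            if (userId == null)
            {
                return;
            }

            ApiResponse <EffectiveSpecificationPermission> permissionResponse = await _usersApiClient.GetEffectivePermissionsForUser(userId, resource.GetSpecificationId());

            // The null case is checked on its own: reading StatusCode off a null response in the error
            // message would itself throw a NullReferenceException and hide the real failure.
            if (permissionResponse == null)
            {
                throw new InvalidOperationException("Error calling the permissions service - no response was returned");
            }

            if (permissionResponse.StatusCode != HttpStatusCode.OK)
            {
                throw new InvalidOperationException($"Error calling the permissions service - {permissionResponse.StatusCode}");
            }

            // Only an explicit grant for the requested action satisfies the requirement.
            if (HasPermission(requirement.ActionType, permissionResponse.Content))
            {
                context.Succeed(requirement);
            }
        }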
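        /// <summary>
        /// Resolves the effective permissions <paramref name="user"/> holds on the specification
        /// identified by <paramref name="specificationId"/>.
        /// </summary>
        /// <remarks>
        /// A user carrying the configured admin group claim is granted every permission without
        /// contacting the users service. For everyone else the users service is the source of truth;
        /// when it returns no response or a non-OK status the failure is logged and an all-denied
        /// permission set is returned, so a service outage never widens access.
        /// </remarks>
        /// <param name="user">The principal to evaluate; non-admin users must carry an object identifier claim.</param>
        /// <param name="specificationId">The specification the permissions apply to.</param>
        /// <returns>
        /// The effective permissions for the user. On a successful call the service's
        /// <c>Content</c> is returned as-is (presumably non-null on OK — confirm against the client).
        /// </returns>
        public async Task <Common.ApiClient.Users.Models.EffectiveSpecificationPermission> GetEffectivePermissionsForUser(ClaimsPrincipal user, string specificationId)
        {
            Guard.ArgumentNotNull(user, nameof(user));
            Guard.IsNullOrWhiteSpace(specificationId, nameof(specificationId));

            // Group ids are compared case-insensitively with an ordinal comparison rather than by lower-casing both sides.
            string adminGroupId = _permissionOptions.AdminGroupId.ToString();
            bool isAdmin = user.HasClaim(c =>
                c.Type == Common.Identity.Constants.GroupsClaimType
                && string.Equals(c.Value, adminGroupId, StringComparison.OrdinalIgnoreCase));

            if (isAdmin)
            {
                return BuildAllFlagsPermission(specificationId, user.GetUserProfile()?.Id, granted: true);
            }

            string userId = VerifyObjectIdentifierClaimTypePresent(user);

            ApiResponse <Common.ApiClient.Users.Models.EffectiveSpecificationPermission> response = await _usersClient.GetEffectivePermissionsForUser(userId, specificationId);

            // A null response is treated exactly like a failed call: log it and fail closed.
            // Identity can be null on a ClaimsPrincipal, so it is dereferenced conditionally for the log line.
            if (response == null || response.StatusCode != HttpStatusCode.OK)
            {
                _logger.Error("Failed to get effective permissions for user ({user}) - {statuscode}", user.Identity?.Name, response?.StatusCode);

                return BuildAllFlagsPermission(specificationId, user.GetUserProfile()?.Id, granted: false);
            }

            return response.Content;
        }

        /// <summary>
        /// Builds a permission for <paramref name="specificationId"/> and <paramref name="userId"/>
        /// with every permission flag set to <paramref name="granted"/>.
        /// </summary>
        /// <param name="specificationId">The specification the permissions apply to.</param>
        /// <param name="userId">The user profile id to record on the permission; may be null.</param>
        /// <param name="granted">True for an all-allowed set, false for an all-denied set.</param>
        /// <returns>A fully populated permission whose flags all equal <paramref name="granted"/>.</returns>
        private static Common.ApiClient.Users.Models.EffectiveSpecificationPermission BuildAllFlagsPermission(string specificationId, string userId, bool granted)
        {
            return new Common.ApiClient.Users.Models.EffectiveSpecificationPermission
            {
                CanAdministerFundingStream = granted,
                CanApproveFunding = granted,
                CanApproveSpecification = granted,
                CanChooseFunding = granted,
                CanCreateQaTests = granted,
                CanCreateSpecification = granted,
                CanEditCalculations = granted,
                CanEditQaTests = granted,
                CanEditSpecification = granted,
                CanMapDatasets = granted,
                CanPublishFunding = granted,
                CanRefreshFunding = granted,
                SpecificationId = specificationId,
                UserId = userId,
            };
        }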