public async Task TestAccessControlChecks()
{
var log = new LoggerConfiguration()
.WriteTo.Debug()
.CreateLogger();
var loggy = new Loggy(log);
var access = new AccessControl(loggy, new MemoryObjectStore());
var contextUserId = "[test]";
// add test security principles
var allPrinciples = GetTestSecurityPrinciples();
foreach (var p in allPrinciples)
{
_ = await access.AddSecurityPrinciple(p, contextUserId, bypassIntegrityCheck : true);
}
// assign resource roles per principle
var allResourceProfiles = GetTestResourceProfiles();
foreach (var r in allResourceProfiles)
{
_ = await access.AddResourceProfile(r, contextUserId, bypassIntegrityCheck : true);
}
// assert
var hasAccess = await access.IsPrincipleInRole("admin_01", StandardRoles.Administrator.Id, contextUserId);
Assert.IsTrue(hasAccess, "User should be in role");
hasAccess = await access.IsPrincipleInRole("admin_02", StandardRoles.Administrator.Id, contextUserId);
Assert.IsFalse(hasAccess, "User should not be in role");
// check user can consume a cert for a given domain
var isAuthorised = await access.IsAuthorised("devops_user_01", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, "www.example.com", contextUserId);
Assert.IsTrue(isAuthorised, "User should be a cert consumer for this domain");
// check user can't consume a cert for a subdomain they haven't been granted
isAuthorised = await access.IsAuthorised("devops_user_01", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, "secure.example.com", contextUserId);
Assert.IsFalse(isAuthorised, "User should not be a cert consumer for this domain");
// check user can consume any subdomain via a granted wildcard
isAuthorised = await access.IsAuthorised("devops_user_01", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, "random.microsoft.com", contextUserId);
Assert.IsTrue(isAuthorised, "User should be a cert consumer for this subdomain via wildcard");
// check user can't consume a random wildcard
isAuthorised = await access.IsAuthorised("devops_user_01", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, "* lkjhasdf98862364", contextUserId);
Assert.IsFalse(isAuthorised, "User should not be a cert consumer for random wildcard");
// check user can't consume a random wildcard
isAuthorised = await access.IsAuthorised("devops_user_01", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, " lkjhasdf98862364.*.microsoft.com", contextUserId);
Assert.IsFalse(isAuthorised, "User should not be a cert consumer for random wildcard");
// random user should not be authorised
isAuthorised = await access.IsAuthorised("randomuser", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, "random.microsoft.com", contextUserId);
Assert.IsFalse(isAuthorised, "Unknown user should not be a cert consumer for this subdomain via wildcard");
}
