/// <summary>
/// Allow path: single-item authorization must complete without throwing when the
/// resource's namespace equals one of the caller's NamespacePrefix claim values.
/// </summary>
/// <remarks>
/// There is no explicit assertion; the test passes only because the call does not throw.
/// It exercises a namespace that is identical to a claim value. A namespace that matches
/// none of the caller's prefixes (the deny path) is not covered by this method.
/// </remarks>
public void NamespaceBasedAuthorization_MatchOnNamespace_ShouldThrowNoExceptions()
{
    // Arrange
    var strategy = new NamespaceBasedAuthorizationStrategy();

    // The caller holds two namespace prefixes; the resource below matches the first one.
    var namespacePrefixClaims = new List<Claim>
    {
        new Claim(EdFiOdsApiClaimTypes.NamespacePrefix, @"uri://ed-fi.org/"),
        new Claim(EdFiOdsApiClaimTypes.NamespacePrefix, @"uri://ed-fi-2.org/")
    };

    var identity = new ClaimsIdentity(namespacePrefixClaims, EdFiAuthenticationTypes.OAuth);
    var principal = new ClaimsPrincipal(identity);

    const string resource = @"http://ed-fi.org/ods/identity/claims/academicSubjectDescriptor";
    const string action = @"http://ed-fi.org/ods/actions/manage";

    var contextData = new NamespaceBasedAuthorizationContextData
    {
        Namespace = @"uri://ed-fi.org/"
    };

    var authorizationContext = new EdFiAuthorizationContext(
        principal,
        new[] { resource },
        action,
        contextData);

    // Act
    // The first argument is an empty claim list; the namespace prefixes travel on the
    // principal inside the authorization context.
    // NOTE(review): WaitSafely() is a project helper; presumably it blocks on the task and
    // surfaces its exception. Confirm against its definition.
    strategy
        .AuthorizeSingleItemAsync(new List<Claim>(), authorizationContext, CancellationToken.None)
        .WaitSafely();

    // Assert
    // Nothing to check: reaching this point without an exception is the expected outcome.
}
/// <summary>
/// Deny path: when the resource carries an empty Namespace, the strategy's single
/// authorization filter definition must report an <c>EdFiSecurityException</c> rather
/// than authorize the instance.
/// </summary>
/// <remarks>
/// The caller holds valid NamespacePrefix claims, so the failure is attributable to the
/// empty resource namespace alone. The exception is read from the returned result's
/// <c>Exception</c> property; it is not expected to be thrown by the call.
/// </remarks>
public void NamespaceBasedAuthorization_EmptyResourceNamespace()
{
    // Arrange
    var strategy = new NamespaceBasedAuthorizationStrategy();

    var namespacePrefixClaims = new List<Claim>
    {
        new Claim(EdFiOdsApiClaimTypes.NamespacePrefix, @"uri://ed-fi.org/"),
        new Claim(EdFiOdsApiClaimTypes.NamespacePrefix, @"uri://ed-fi-2.org/")
    };

    var identity = new ClaimsIdentity(namespacePrefixClaims, EdFiAuthenticationTypes.OAuth);
    var principal = new ClaimsPrincipal(identity);

    const string resource = @"http://ed-fi.org/ods/identity/claims/academicSubjectDescriptor";
    const string action = @"http://ed-fi.org/ods/actions/manage";

    // The resource under test has no namespace at all.
    var contextData = new NamespaceBasedAuthorizationContextData
    {
        Namespace = @""
    };

    // Act
    // Single() also pins that the strategy exposes exactly one filter definition.
    var filterDefinition = strategy.CreateAuthorizationFilterDefinitions().Single();

    var authorizationContext = new EdFiAuthorizationContext(
        new ApiKeyContext(),
        principal,
        new[] { resource },
        action,
        contextData);

    var instanceResult = filterDefinition.AuthorizeInstance(
        authorizationContext,
        new AuthorizationFilterContext());

    // Assert
    var reportedException = instanceResult.Exception;

    reportedException.ShouldBeExceptionType<EdFiSecurityException>();
    reportedException.Message.ShouldBe("Access to the resource item could not be authorized because the Namespace of the resource is empty.");
}
/// <summary>
/// Deny path: single-item authorization must throw an <c>EdFiSecurityException</c> when
/// the resource carries an empty Namespace, even though the caller holds valid
/// NamespacePrefix claims.
/// </summary>
/// <remarks>
/// NOTE(review): another method with this exact name appears in the same listing. They
/// are presumably from different revisions of the test class; two methods with the same
/// name and signature cannot coexist in one class.
/// </remarks>
public void NamespaceBasedAuthorization_EmptyResourceNamespace()
{
    // Arrange
    var strategy = new NamespaceBasedAuthorizationStrategy();

    var namespacePrefixClaims = new List<Claim>
    {
        new Claim(EdFiOdsApiClaimTypes.NamespacePrefix, @"uri://ed-fi.org/"),
        new Claim(EdFiOdsApiClaimTypes.NamespacePrefix, @"uri://ed-fi-2.org/")
    };

    var identity = new ClaimsIdentity(namespacePrefixClaims, EdFiAuthenticationTypes.OAuth);
    var principal = new ClaimsPrincipal(identity);

    const string resource = @"http://ed-fi.org/ods/identity/claims/academicSubjectDescriptor";
    const string action = @"http://ed-fi.org/ods/actions/manage";

    // The resource under test has no namespace at all.
    var contextData = new NamespaceBasedAuthorizationContextData
    {
        Namespace = @""
    };

    // Act
    // The strategy call stays inside the lambda so that only an exception raised by the
    // authorization itself satisfies Assert.Throws.
    var thrown = Assert.Throws<EdFiSecurityException>(
        () =>
        {
            strategy
                .AuthorizeSingleItemAsync(
                    new List<Claim>(),
                    new EdFiAuthorizationContext(principal, new[] { resource }, action, contextData),
                    CancellationToken.None)
                .WaitSafely();
        });

    // Assert
    thrown.Message.ShouldBe("Access to the resource item could not be authorized because the Namespace of the resource is empty.");
}
/// <summary>
/// Deny path: building the authorization filtering must throw an
/// <c>EdFiSecurityException</c> when every NamespacePrefix claim the caller holds has an
/// empty value.
/// </summary>
/// <remarks>
/// The resource namespace is populated, so the failure is attributable to the caller's
/// claims alone. This pins that empty claim values are rejected, not treated as a prefix.
/// </remarks>
public void NamespaceBasedAuthorization_EmptyNamespaceClaim()
{
    // Arrange
    var strategy = new NamespaceBasedAuthorizationStrategy();

    // Both claims are present but carry no usable value.
    var emptyPrefixClaims = new List<Claim>
    {
        new Claim(EdFiOdsApiClaimTypes.NamespacePrefix, string.Empty),
        new Claim(EdFiOdsApiClaimTypes.NamespacePrefix, string.Empty)
    };

    var identity = new ClaimsIdentity(emptyPrefixClaims, EdFiAuthenticationTypes.OAuth);
    var principal = new ClaimsPrincipal(identity);

    const string resource = @"http://ed-fi.org/ods/identity/claims/academicSubjectDescriptor";
    const string action = @"http://ed-fi.org/ods/actions/manage";

    var contextData = new NamespaceBasedAuthorizationContextData
    {
        Namespace = @"uri://ed-fi.org/"
    };

    // Act
    var thrown = Assert.Throws<EdFiSecurityException>(
        () =>
        {
            strategy.GetAuthorizationStrategyFiltering(
                new List<Claim>(),
                new EdFiAuthorizationContext(
                    new ApiKeyContext(),
                    principal,
                    new[] { resource },
                    action,
                    contextData));
        });

    // Assert
    // The expected text embeds the claim type, so the message names the missing claim.
    var expectedMessage =
        "Access to the resource could not be authorized because the caller did not have any NamespacePrefix claims ('"
        + EdFiOdsApiClaimTypes.NamespacePrefix
        + "') or the claim values were all empty.";

    thrown.Message.ShouldBe(expectedMessage);
}