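public static void Register(HttpConfiguration config)
        {
            // Global authorization filter: every action requires an authenticated caller
            // unless the action/controller explicitly opts out.
            config.Filters.Add(new AuthorizeAttribute());

            // Attribute routes are registered first; the conventional "api/{controller}/{id}"
            // route is the fallback, with "id" optional.
            config.MapHttpAttributeRoutes();

            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
                );

            // The symmetric JWT signing key is read from appSettings. Fail fast with a clear
            // message when it is absent instead of handing a null/empty key to CreateFromKey
            // (how CreateFromKey treats that case is not visible here). A missing key is a
            // deployment error and must not be silently tolerated by an authentication handler.
            var applicationKey = ConfigurationManager.AppSettings["ApplicationKey"];
            if (string.IsNullOrWhiteSpace(applicationKey))
            {
                throw new System.InvalidOperationException(
                    "appSettings value 'ApplicationKey' is required to validate JWT signatures.");
            }

            // Audience and issuer are fixed here rather than read from configuration; any token
            // must carry exactly these values to be accepted.
            var builder    = new SecurityTokenBuilder();
            var jwtHandler = new JwtAuthenticationMessageHandler
            {
                AllowedAudience = "http://www.rac.com.au",
                Issuer          = "Satalyst",
                SigningToken    = builder.CreateFromKey(applicationKey)
            };

            config.MessageHandlers.Add(jwtHandler);

            // JSON output: compact, camelCase property names.
            JsonMediaTypeFormatter jsonFormatter = config.Formatters.JsonFormatter;
            JsonSerializerSettings settings      = jsonFormatter.SerializerSettings;

            settings.Formatting       = Formatting.None;
            settings.ContractResolver = new CamelCasePropertyNamesContractResolver();
        }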
        public static void Register(HttpConfiguration config)
        {
            // NOTE(review): adding "text/html" to the JSON formatter lets JSON responses be
            // negotiated as HTML. If any response body can echo caller-supplied strings, a
            // browser rendering it as a document is a classic XSS vector — confirm this is
            // needed (e.g. for a specific legacy client) rather than a convenience.
            var jsonFormatter = config.Formatters.JsonFormatter;
            jsonFormatter.SupportedMediaTypes.Add(new MediaTypeHeaderValue("text/html"));

            // Conventional route; "id" is optional.
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
                );

            // JWT validation parameters come from ConfigurationReader (audience, issuer and the
            // shared symmetric key); the custom transformer maps validated claims to a principal.
            var reader  = new ConfigurationReader();
            var builder = new SecurityTokenBuilder();

            var jwtHandler = new JwtAuthenticationMessageHandler
            {
                AllowedAudience      = reader.AllowedAudience,
                Issuer               = reader.Issuer,
                SigningToken         = builder.CreateFromKey(reader.SymmetricKey),
                PrincipalTransformer = new PrincipalPersonalizadoTransformer()
            };
            config.MessageHandlers.Add(jwtHandler);

            // OData-style query support (config.EnableQuerySupport()) is deliberately not enabled;
            // if it ever is, constrain incoming queries via QueryableAttribute's validation settings.

            // System.Diagnostics tracing stays on; remove this call to disable it.
            config.EnableSystemDiagnosticsTracing();
        }
        public void Create_WithValidPrincipal_WithRole()
        {
            // Arrange: principal "test.user" acting in one (group, position) role.
            var principalStub = MockRepository.GenerateStub<ISecurityPrincipal>();
            principalStub.Stub(stub => stub.User).Return("test.user");

            var roleStub = MockRepository.GenerateStub<ISecurityPrincipalRole>();
            roleStub.Stub(stub => stub.Group).Return("UID: testGroup");
            roleStub.Stub(stub => stub.Position).Return("UID: Official");
            principalStub.Stub(stub => stub.Role).Return(roleStub);

            var context = CreateContext();

            // Act
            var builder = CreateSecurityTokenBuilder();
            var token   = builder.CreateToken(principalStub, context);

            // Assert: user, tenant and the single role are resolved onto the token principal.
            var tokenPrincipal = token.Principal;
            var resolvedUser   = tokenPrincipal.User.GetObject();

            Assert.That(resolvedUser.UserName, Is.EqualTo("test.user"));
            Assert.That(tokenPrincipal.Tenant, Is.EqualTo(resolvedUser.Tenant).Using(DomainObjectHandleComparer.Instance));
            Assert.That(tokenPrincipal.Roles.Count, Is.EqualTo(1));

            var resolvedRole = tokenPrincipal.Roles[0];
            Assert.That(resolvedRole.Group.GetObject().UniqueIdentifier, Is.EqualTo("UID: testGroup"));
            Assert.That(resolvedRole.Position.GetObject().UniqueIdentifier, Is.EqualTo("UID: Official"));
            Assert.That(tokenPrincipal.IsNull, Is.False);
        }
        public void Create_WithValidPrincipal_WithSubstitutedRole()
        {
            // Arrange: "substituting.user" acts on behalf of "test.user" in a substituted role.
            var substitutedRoleStub = MockRepository.GenerateStub<ISecurityPrincipalRole>();
            substitutedRoleStub.Stub(stub => stub.Group).Return("UID: testGroup");
            substitutedRoleStub.Stub(stub => stub.Position).Return("UID: Official");

            var principalStub = MockRepository.GenerateStub<ISecurityPrincipal>();
            principalStub.Stub(stub => stub.User).Return("substituting.user");
            principalStub.Stub(stub => stub.SubstitutedUser).Return("test.user");
            principalStub.Stub(stub => stub.SubstitutedRole).Return(substitutedRoleStub);

            var context = CreateContext();

            // Act
            var token = CreateSecurityTokenBuilder().CreateToken(principalStub, context);

            // Assert: the token principal carries no direct user, the test tenant, and exactly
            // the substituted role.
            var tokenPrincipal = token.Principal;

            Assert.That(tokenPrincipal.User, Is.Null);
            Assert.That(tokenPrincipal.Tenant.GetObject().UniqueIdentifier, Is.EqualTo("UID: testTenant"));
            Assert.That(tokenPrincipal.Roles.Count, Is.EqualTo(1));
            Assert.That(tokenPrincipal.Roles[0].Group.GetObject().UniqueIdentifier, Is.EqualTo("UID: testGroup"));
            Assert.That(tokenPrincipal.Roles[0].Position.GetObject().UniqueIdentifier, Is.EqualTo("UID: Official"));
            Assert.That(tokenPrincipal.IsNull, Is.False);
        }
        public void TestOnDerive(ObjectOnDerive method)
        {
            var derivation = method.Derivation;
            var session    = this.Strategy.Session;

            // Every person owns a security token; it is created lazily on first derivation.
            if (!this.ExistOwnerSecurityToken)
            {
                this.OwnerSecurityToken = new SecurityTokenBuilder(session).Build();
            }

            // LastName is required for everyone except the built-in guest and administrator accounts.
            var isBuiltInAccount = Users.GuestUserName.Equals(this.UserName)
                                   || Users.AdministratorUserName.Equals(this.UserName);
            if (!isBuiltInAccount)
            {
                derivation.Log.AssertExists(this, Persons.Meta.LastName);
            }

            // FullName: "First Last" when both exist, FirstName alone when only it exists,
            // otherwise LastName (whatever its current value).
            if (this.ExistFirstName)
            {
                this.FullName = this.ExistLastName
                                    ? this.FirstName + " " + this.LastName
                                    : this.FirstName;
            }
            else
            {
                this.FullName = this.LastName;
            }

            // Render the printable representation from the singleton's person template,
            // exposing this object to the template as "this".
            var personTemplate = Singleton.Instance(session).PersonTemplate;
            this.PrintContent = personTemplate.Apply(new Dictionary<string, object> { { "this", this } });
        }
        private void RegisterHandlers()
        {
            var handlers = GlobalConfiguration.Configuration.MessageHandlers;

            var logManager      = WebContainerManager.Get<ILogManager>();
            var userSession     = WebContainerManager.Get<IUserSession>();
            var securityService = WebContainerManager.Get<IBasicSecurityService>();

            // Keep this registration order: Web API runs message handlers in the order they
            // are added, so basic authentication precedes the task-data security handlers.
            handlers.Add(new BasicAuthenticationMessageHandler(logManager, securityService));
            handlers.Add(new TaskDataSecurityMessageHandler(logManager, userSession));
            handlers.Add(new PagedTaskDataSecurityMessageHandler(logManager, userSession));

            // JWT validation: audience, issuer and the shared symmetric key come from configuration.
            var reader = new ConfigurationReader();
            handlers.Add(new JwtAuthenticationMessageHandler
            {
                AllowedAudience = reader.AllowedAudience,
                Issuer          = reader.Issuer,
                SigningToken    = new SecurityTokenBuilder().CreateFromKey(reader.SymmetricKey)
            });
        }
        public void Create_WithNotExistingAbstractRole()
        {
            // One of the requested abstract roles (UndefinedAbstractRoles.Undefined) is not part of
            // the test domain. The expected outcome (presumably an exception) is declared on the
            // test attribute, which is outside this block.
            var context = CreateContext(ProjectRoles.Developer, UndefinedAbstractRoles.Undefined, ProjectRoles.QualityManager);

            CreateSecurityTokenBuilder().CreateToken(CreateTestPrincipal(), context);
        }
        public void Create_WithNotExistingOwningUser()
        {
            // The context names an owning user that does not exist; the expected outcome is
            // declared on the test attribute, outside this block.
            var principal = CreateTestPrincipal();
            var context   = CreateContextWithNotExistingOwningUser();

            CreateSecurityTokenBuilder().CreateToken(principal, context);
        }
        public void Create_WithValidAbstractRoles()
        {
            // Two existing abstract roles in the context yield two abstract roles on the token.
            var context = CreateContext(ProjectRoles.QualityManager, ProjectRoles.Developer);

            var token = CreateSecurityTokenBuilder().CreateToken(CreateTestPrincipal(), context);

            Assert.That(token.AbstractRoles.Count, Is.EqualTo(2));
        }
        public void Create_AbstractRolesEmpty()
        {
            // A context without abstract roles produces a token with an empty AbstractRoles list.
            var context = CreateContext();

            var token = CreateSecurityTokenBuilder().CreateToken(CreateTestPrincipal(), context);

            Assert.That(token.AbstractRoles, Is.Empty);
        }
        public void Create_WithInvalidPrincipal_EmptyUserName()
        {
            // An empty user name must not be accepted as a principal; the expected outcome is
            // declared on the test attribute, outside this block.
            var principal = CreatePrincipal("");
            var context   = CreateContext();

            CreateSecurityTokenBuilder().CreateToken(principal, context);
        }
        public void Create_WithoutOwningUser()
        {
            // A context with no owning user yields a token whose OwningUser is null.
            var principal = CreateTestPrincipal();
            var context   = CreateContextWithoutOwningUser();

            var token = CreateSecurityTokenBuilder().CreateToken(principal, context);

            Assert.That(token.OwningUser, Is.Null);
        }
        public void Create_WithValidAbstractRole()
        {
            // A single abstract role is resolved onto the token under its fully qualified name.
            var context = CreateContext(ProjectRoles.QualityManager);

            var token = CreateSecurityTokenBuilder().CreateToken(CreateTestPrincipal(), context);

            var abstractRoles = token.AbstractRoles;
            Assert.That(abstractRoles.Count, Is.EqualTo(1));

            var roleName = abstractRoles[0].GetObject().Name;
            Assert.That(
                roleName,
                Is.EqualTo("QualityManager|Remotion.SecurityManager.UnitTests.TestDomain.ProjectRoles, Remotion.SecurityManager.UnitTests"));
        }
        public void Create_WithInactiveTransaction()
        {
            var principal = CreateTestPrincipal();
            var context   = CreateContext();

            // Token creation must still succeed while the current client transaction is inactive.
            using (ClientTransactionTestHelper.MakeInactive(ClientTransactionScope.CurrentTransaction))
            {
                var token = CreateSecurityTokenBuilder().CreateToken(principal, context);

                Assert.That(token.Principal.IsNull, Is.False);
            }
        }
        public void Create_WithValidOwningGroup()
        {
            var principal = CreateTestPrincipal();
            var context   = CreateContext();

            var token = CreateSecurityTokenBuilder().CreateToken(principal, context);

            // The default context's owning group is resolved onto the token.
            var owningGroup = token.OwningGroup;
            Assert.That(owningGroup, Is.Not.Null);
            Assert.That(owningGroup.GetObject().UniqueIdentifier, Is.EqualTo("UID: testOwningGroup"));
        }
        public void Create_WithValidOwningUser()
        {
            var principal = CreateTestPrincipal();
            var context   = CreateContext();

            var token = CreateSecurityTokenBuilder().CreateToken(principal, context);

            // The default context's owning user is resolved onto the token.
            var owner = token.OwningUser;
            Assert.That(owner, Is.Not.Null);
            Assert.That(owner.GetObject().UserName, Is.EqualTo("group0/user1"));
        }
        public void Create_WithNullPrincipal()
        {
            // Arrange: a principal reporting IsNull == true (the null-object principal).
            var nullPrincipal = MockRepository.GenerateStub<ISecurityPrincipal>();
            nullPrincipal.Stub(stub => stub.IsNull).Return(true);

            var context = CreateContext();

            // Act
            var token = CreateSecurityTokenBuilder().CreateToken(nullPrincipal, context);

            // Assert: the token principal is itself null-like, with no user, tenant or roles.
            var tokenPrincipal = token.Principal;

            Assert.That(tokenPrincipal.User, Is.Null);
            Assert.That(tokenPrincipal.Tenant, Is.Null);
            Assert.That(tokenPrincipal.Roles, Is.Empty);
            Assert.That(tokenPrincipal.IsNull, Is.True);
        }
        public void Create_WithValidPrincipal()
        {
            var principal = CreateTestPrincipal();
            var context   = CreateContext();

            var token = CreateSecurityTokenBuilder().CreateToken(principal, context);

            // The token principal mirrors the stored user: same name, tenant and role set.
            var tokenPrincipal = token.Principal;
            var storedUser     = tokenPrincipal.User.GetObject();

            Assert.That(storedUser.UserName, Is.EqualTo("test.user"));
            Assert.That(tokenPrincipal.Tenant, Is.EqualTo(storedUser.Tenant).Using(DomainObjectHandleComparer.Instance));
            Assert.That(tokenPrincipal.Roles, Is.Not.Empty);
            Assert.That(tokenPrincipal.Roles, Is.EquivalentTo(storedUser.Roles).Using(PrincipalRoleComparer.Instance));
            Assert.That(tokenPrincipal.IsNull, Is.False);
        }
        public static void Register(HttpConfiguration config)
        {
            // Server-side HTTP caching (CacheCow) is the first message handler in the chain.
            var cachingHandler = new CacheCow.Server.CachingHandler(config, "");
            config.MessageHandlers.Add(cachingHandler);

            // CORS is not enabled in this configuration. If it is turned on later, prefer an explicit
            // origin list over "*", in particular when SupportsCredentials is set: a wildcard origin
            // combined with credentials exposes authenticated responses to any site.

            // Attribute routes first; note the conventional route has no "api/" prefix here.
            config.MapHttpAttributeRoutes();
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
                );

            // Only the shared-key (symmetric) JWT validator is registered; a certificate-based
            // variant (CreateFromCertificate) exists in the library but is not wired up here.
            // CookieNameToCheckForToken presumably lets the handler pick the token up from a cookie
            // as well as a header — if so, cookie-borne tokens need CSRF protection; confirm.
            var reader  = new ConfigurationReader();
            var builder = new SecurityTokenBuilder();

            var sharedKeyHandler = new JwtAuthenticationMessageHandler
            {
                AllowedAudience           = reader.AllowedAudience,
                Issuer                    = reader.Issuer,
                SigningToken              = builder.CreateFromKey(reader.SymmetricKey),
                PrincipalTransformer      = new SamplePrincipalTransformer(),
                CookieNameToCheckForToken = reader.CookieNameToCheckForToken
            };

            config.MessageHandlers.Add(sharedKeyHandler);
        }
        public void BuildOwnerSecurityToken()
        {
            // Idempotent: nothing to do once the owner token exists.
            if (this.ExistOwnerSecurityToken)
            {
                return;
            }

            var session = this.Strategy.Session;
            this.OwnerSecurityToken = new SecurityTokenBuilder(session).Build();

            // Grant this person the Owner role on the new token, but only when no access control
            // already lists them as subject (ExistAccessControlsWhereSubject).
            if (this.ExistAccessControlsWhereSubject)
            {
                return;
            }

            new AccessControlBuilder(session)
                .WithRole(new Roles(session).Owner)
                .WithSubject(this)
                .WithObject(this.OwnerSecurityToken)
                .Build();
        }
        public void Create_WithValidPrincipal_WithInvalidSubstitutedUser()
        {
            // Arrange: "substituting.user" claims to act for a user that does not exist.
            var principalStub = MockRepository.GenerateStub<ISecurityPrincipal>();
            principalStub.Stub(stub => stub.User).Return("substituting.user");
            principalStub.Stub(stub => stub.SubstitutedUser).Return("notexisting.user");

            var context = CreateContext();

            // Act
            var token = CreateSecurityTokenBuilder().CreateToken(principalStub, context);

            // Assert: no user is resolved, the tenant is still the test tenant, and no roles
            // are granted — an unknown substituted user must not yield any permissions.
            var tokenPrincipal = token.Principal;

            Assert.That(tokenPrincipal.User, Is.Null);
            Assert.That(tokenPrincipal.Tenant.GetObject().UniqueIdentifier, Is.EqualTo("UID: testTenant"));
            Assert.That(tokenPrincipal.Roles, Is.Empty);
            Assert.That(tokenPrincipal.IsNull, Is.False);
        }
        public static void Register(HttpConfiguration config)
        {
            // Conventional route; "id" is optional.
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
                );

            var reader  = new ConfigurationReader();
            var builder = new SecurityTokenBuilder();
            var logger  = Logger.Instance;

            // Two JWT validators are registered back to back: one for tokens signed with the
            // configured certificate, one for tokens signed with the shared symmetric key.
            // Presumably a token accepted by either handler is authenticated — confirm, since
            // that makes the weaker of the two key-management regimes the effective bar.
            var certificateHandler = new JwtAuthenticationMessageHandler(logger)
            {
                AllowedAudience      = reader.AllowedAudience,
                AllowedAudiences     = reader.AllowedAudiences,
                Issuer               = reader.Issuer,
                SigningToken         = builder.CreateFromCertificate(reader.SubjectCertificateName),
                PrincipalTransformer = new SamplePrincipalTransformer()
            };

            // The shared-key variant can also read the token from a cookie (CookieNameToCheckForToken);
            // cookie-borne credentials are sent automatically by browsers, so CSRF handling applies.
            var sharedKeyHandler = new JwtAuthenticationMessageHandler(logger)
            {
                AllowedAudience           = reader.AllowedAudience,
                Issuer                    = reader.Issuer,
                SigningToken              = builder.CreateFromKey(reader.SymmetricKey),
                PrincipalTransformer      = new SamplePrincipalTransformer(),
                CookieNameToCheckForToken = reader.CookieNameToCheckForToken
            };

            config.MessageHandlers.Add(certificateHandler);
            config.MessageHandlers.Add(sharedKeyHandler);

            // OData-style query support (config.EnableQuerySupport()) is not enabled; if it ever is,
            // constrain incoming queries via QueryableAttribute's validation settings.

            // System.Diagnostics tracing stays on; remove this call to disable it.
            config.EnableSystemDiagnosticsTracing();
        }
        public void Create_WithInvalidPrincipal_WithSubstitutedRoleButNoSubstitutedUser()
        {
            // Arrange: a substituted role is supplied while SubstitutedUser is null — an
            // inconsistent principal. The expected outcome is declared on the test attribute,
            // outside this block.
            var substitutedRoleStub = MockRepository.GenerateStub<ISecurityPrincipalRole>();
            substitutedRoleStub.Stub(stub => stub.Group).Return("UID: testGroup");
            substitutedRoleStub.Stub(stub => stub.Position).Return("UID: Official");

            var principalStub = MockRepository.GenerateStub<ISecurityPrincipal>();
            principalStub.Stub(stub => stub.User).Return("substituting.user");
            principalStub.Stub(stub => stub.SubstitutedUser).Return(null);
            principalStub.Stub(stub => stub.SubstitutedRole).Return(substitutedRoleStub);

            var context = CreateContext();

            // Act
            CreateSecurityTokenBuilder().CreateToken(principalStub, context);
        }
        public void GivenAnAccessListWhenRemovingUserFromACLThenUserHasNoAccessToThePermissionsInTheRole()
        {
            // Arrange: a role granting Organisation.Name read access, assigned to John.
            var readPermission = this.FindPermission(M.Organisation.Name, Operations.Read);
            var role = new RoleBuilder(this.Session).WithName("Role").WithPermission(readPermission).Build();
            var john = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();
            var jane = new PersonBuilder(this.Session).WithFirstName("Jane").WithLastName("Doe").Build();

            new AccessControlBuilder(this.Session).WithSubject(john).WithRole(role).Build();

            this.Session.Derive();
            this.Session.Commit();

            foreach (var session in new ISession[] { this.Session })
            {
                session.Commit();

                // An organisation guarded by a fresh token carrying the role's access control.
                var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();
                var token        = new SecurityTokenBuilder(session).Build();
                organisation.AddSecurityToken(token);

                var accessControl = (AccessControl)session.Instantiate(role.AccessControlsWhereRole.First);
                token.AddAccessControl(accessControl);

                this.Session.Derive();

                // John's ACL is evaluated once before the change (kept from the original flow).
                var acl = new AccessControlLists(john)[organisation];

                // Act: replace John with Jane as subject of the access control and re-derive.
                accessControl.RemoveSubject(john);
                accessControl.AddSubject(jane);

                this.Session.Derive();

                // Assert: John no longer has read access to the organisation's name.
                acl = new AccessControlLists(john)[organisation];
                Assert.False(acl.CanRead(M.Organisation.Name));

                session.Rollback();
            }
        }
        public void GivenNoAccessControlWhenCreatingAnAccessControlWithoutARoleThenAccessControlIsInvalid()
        {
            // Arrange: an access control with a subject group but no role, attached to a token.
            var group = new UserGroupBuilder(this.Session).WithName("UserGroup").Build();
            var token = new SecurityTokenBuilder(this.Session).Build();

            var accessControl = new AccessControlBuilder(this.Session)
                                    .WithSubjectGroup(group)
                                    .Build();
            token.AddAccessControl(accessControl);

            // Act: derive without throwing so the validation result can be inspected.
            var validation = this.Session.Derive(false);

            // Assert: exactly one "required" error, pointing at AccessControl.Role.
            Assert.True(validation.HasErrors);
            Assert.Equal(1, validation.Errors.Length);

            var error = validation.Errors[0];
            Assert.Equal(1, error.Relations.Length);
            Assert.Equal(typeof(DerivationErrorRequired), error.GetType());
            Assert.Equal(M.AccessControl.Role, error.Relations[0].RoleType);
        }
        public static void Register(HttpConfiguration config)
        {
            // Conventional route; "id" is optional.
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new {id = RouteParameter.Optional}
                );

            var reader  = new ConfigurationReader();
            var builder = new SecurityTokenBuilder();

            // Two JWT validators: certificate-signed tokens and shared-key-signed tokens.
            // Presumably a token accepted by either is authenticated — confirm, as the weaker
            // key-management regime then sets the effective bar.
            var certificateHandler = new JwtAuthenticationMessageHandler
            {
                AllowedAudience = reader.AllowedAudience,
                AllowedAudiences = reader.AllowedAudiences,
                Issuer = reader.Issuer,
                SigningToken = builder.CreateFromCertificate(reader.SubjectCertificateName),
                PrincipalTransformer = new SamplePrincipalTransformer()
            };

            // The shared-key variant can also read the token from a cookie (CookieNameToCheckForToken);
            // browsers send cookies automatically, so CSRF handling applies to that path.
            var sharedKeyHandler = new JwtAuthenticationMessageHandler
            {
                AllowedAudience = reader.AllowedAudience,
                Issuer = reader.Issuer,
                SigningToken = builder.CreateFromKey(reader.SymmetricKey),
                PrincipalTransformer = new SamplePrincipalTransformer(),
                CookieNameToCheckForToken = reader.CookieNameToCheckForToken
            };

            config.MessageHandlers.Add(certificateHandler);
            config.MessageHandlers.Add(sharedKeyHandler);

            // OData-style query support (config.EnableQuerySupport()) is not enabled; if it ever is,
            // constrain incoming queries via QueryableAttribute's validation settings.

            // System.Diagnostics tracing stays on; remove this call to disable it.
            config.EnableSystemDiagnosticsTracing();
        }
        public void DeniedPermissions()
        {
            // Arrange: a role granting Organisation.Name read access, assigned to John.
            var readPermission = this.FindPermission(Organisations.Meta.Name, Operation.Read);
            var role   = new RoleBuilder(this.DatabaseSession).WithName("Role").WithPermission(readPermission).Build();
            var person = new PersonBuilder(this.DatabaseSession).WithFirstName("John").WithLastName("Doe").Build();

            this.DatabaseSession.Derive(true);
            this.DatabaseSession.Commit();

            new AccessControlBuilder(this.DatabaseSession).WithRole(role).WithSubject(person).Build();
            this.DatabaseSession.Commit();

            // The scenario is replayed in both the database session and a workspace session.
            var sessions = new ISession[] { this.DatabaseSession, this.CreateWorkspaceSession() };
            foreach (var session in sessions)
            {
                session.Commit();

                var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();
                var token        = new SecurityTokenBuilder(session).Build();
                organisation.AddSecurityToken(token);

                var sessionRole   = (Role)session.Instantiate(new Roles(this.DatabaseSession).FindBy(Roles.Meta.Name, "Role"));
                var accessControl = (AccessControl)session.Instantiate(sessionRole.AccessControlsWhereRole.First);
                accessControl.AddObject(token);

                Assert.IsFalse(this.DatabaseSession.Derive().HasErrors);

                // Before the denial: the role grants read access.
                var accessList = new AccessControlList(organisation, person);
                Assert.IsTrue(accessList.CanRead(Organisations.Meta.Name));

                // Act: an explicit denial on the object overrides the role grant.
                organisation.AddDeniedPermission(readPermission);

                accessList = new AccessControlList(organisation, person);
                Assert.IsFalse(accessList.CanRead(Organisations.Meta.Name));

                session.Rollback();
            }
        }
        public void GivenAnotherUserGroupAndAnAccessControlledObjectWhenGettingTheAccessListThenUserHasAccessToThePermissionsInTheRole()
        {
            // Arrange: John is a member of "Group"; the role is granted to "AnotherGroup" only.
            var readPermission = this.FindPermission(M.Organisation.Name, Operations.Read);
            var role = new RoleBuilder(this.Session).WithName("Role").WithPermission(readPermission).Build();

            var john = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();

            new UserGroupBuilder(this.Session).WithName("Group").WithMember(john).Build();
            var otherGroup = new UserGroupBuilder(this.Session).WithName("AnotherGroup").Build();

            this.Session.Derive(true);
            this.Session.Commit();

            new AccessControlBuilder(this.Session).WithSubjectGroup(otherGroup).WithRole(role).Build();

            this.Session.Commit();

            foreach (var session in new ISession[] { this.Session })
            {
                session.Commit();

                var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();
                var token        = new SecurityTokenBuilder(session).Build();
                organisation.AddSecurityToken(token);

                var sessionRole   = (Role)session.Instantiate(new Roles(this.Session).FindBy(M.Role.Name, "Role"));
                var accessControl = (AccessControl)session.Instantiate(sessionRole.AccessControlsWhereRole.First);
                token.AddAccessControl(accessControl);

                Assert.IsFalse(this.Session.Derive().HasErrors);

                // Assert: membership in an unrelated group grants nothing — John cannot read.
                var accessList = new AccessControlList(organisation, john);
                Assert.IsFalse(accessList.CanRead(M.Organisation.Name));

                session.Rollback();
            }
        }
        public void DeniedPermissions()
        {
            // Arrange: a role granting Organisation.Name read access, assigned directly to John.
            var readPermission = this.FindPermission(M.Organisation.Name, Operations.Read);
            var role = new RoleBuilder(this.Session).WithName("Role").WithPermission(readPermission).Build();
            var john = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();

            new AccessControlBuilder(this.Session).WithRole(role).WithSubject(john).Build();

            this.Session.Derive(true);
            this.Session.Commit();

            foreach (var session in new ISession[] { this.Session })
            {
                session.Commit();

                var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();
                var token        = new SecurityTokenBuilder(session).Build();
                organisation.AddSecurityToken(token);

                var sessionRole   = (Role)session.Instantiate(new Roles(this.Session).FindBy(M.Role.Name, "Role"));
                var accessControl = (AccessControl)session.Instantiate(sessionRole.AccessControlsWhereRole.First);
                token.AddAccessControl(accessControl);

                Assert.IsFalse(this.Session.Derive().HasErrors);

                // Before the denial: the role grants read access.
                var accessList = new AccessControlList(organisation, john);
                Assert.IsTrue(accessList.CanRead(M.Organisation.Name));

                // Act: an explicit denial on the object overrides the role grant.
                organisation.AddDeniedPermission(readPermission);

                accessList = new AccessControlList(organisation, john);
                Assert.IsFalse(accessList.CanRead(M.Organisation.Name));

                session.Rollback();
            }
        }
        public void GivenNoAccessControlWhenCreatingAAccessControlWithoutARoleThenAccessControlIsInvalid()
        {
            // Arrange: an access control with a subject group and an object, but no role.
            var group = new UserGroupBuilder(this.DatabaseSession).WithName("UserGroup").Build();
            var token = new SecurityTokenBuilder(this.DatabaseSession).Build();

            new AccessControlBuilder(this.DatabaseSession)
                .WithSubjectGroup(group)
                .WithObject(token)
                .Build();

            // Act
            var log = this.DatabaseSession.Derive();

            // Assert: exactly one "required" error, pointing at AccessControl.Role.
            Assert.IsTrue(log.HasErrors);
            Assert.AreEqual(1, log.Errors.Length);

            var error = log.Errors[0];
            Assert.AreEqual(1, error.Relations.Length);
            Assert.AreEqual(typeof(DerivationErrorRequired), error.GetType());
            Assert.AreEqual((RoleType)AccessControls.Meta.Role, error.Relations[0].RoleType);
        }
        /// <summary>
        /// Building a token for a principal whose substituted role names a position that does not
        /// exist must fail with an AccessControlException that identifies the missing position.
        /// </summary>
        public void Create_WithValidPrincipal_WithInvalidSubstitutedRoleFromPosition_ThrowsAccessControlException()
        {
            var substitutedRoleStub = MockRepository.GenerateStub<ISecurityPrincipalRole>();
            substitutedRoleStub.Stub(stub => stub.Group).Return("UID: testGroup");
            substitutedRoleStub.Stub(stub => stub.Position).Return("UID: notexisting.position");

            ISecurityPrincipal principal = MockRepository.GenerateStub<ISecurityPrincipal>();
            principal.Stub(stub => stub.User).Return("substituting.user");
            principal.Stub(stub => stub.SubstitutedUser).Return("test.user");
            principal.Stub(stub => stub.SubstitutedRole).Return(substitutedRoleStub);

            SecurityContext context = CreateContext();
            SecurityTokenBuilder builder = CreateSecurityTokenBuilder();

            Assert.That(
                () => builder.CreateToken(principal, context),
                Throws.TypeOf<AccessControlException>()
                    .With.Message.EqualTo("The position 'UID: notexisting.position' could not be found."));
        }
        /// <summary>
        /// An access control with an object and a role but neither subjects nor subject groups fails
        /// derivation with a single "at least one" error naming both the Subjects and SubjectGroups relations.
        /// </summary>
        public void GivenNoAccessControlWhenCreatingAAccessControlWithoutAUserOrUserGroupThenAccessControlIsInvalid()
        {
            var session = this.DatabaseSession;
            var securityToken = new SecurityTokenBuilder(session).Build();
            var role = new RoleBuilder(session).WithName("Role").Build();

            // Neither WithSubject(...) nor WithSubjectGroup(...) is called.
            new AccessControlBuilder(session).WithObject(securityToken).WithRole(role).Build();

            var log = session.Derive();
            Assert.IsTrue(log.HasErrors);
            Assert.AreEqual(1, log.Errors.Length);

            var error = log.Errors[0];
            Assert.AreEqual(2, error.Relations.Length);
            Assert.AreEqual(typeof(DerivationErrorAtLeastOne), error.GetType());

            var roleTypes = new ArrayList(error.RoleTypes);
            Assert.IsTrue(roleTypes.Contains((RoleType)AccessControls.Meta.Subjects));
            Assert.IsTrue(roleTypes.Contains((RoleType)AccessControls.Meta.SubjectGroups));
        }
        /// <summary>
        /// An access control attached to a token with a role but neither subjects nor subject groups
        /// fails derivation with a single "at least one" error naming the Subjects and SubjectGroups relations.
        /// </summary>
        public void GivenNoAccessControlWhenCreatingAAccessControlWithoutAUserOrUserGroupThenAccessControlIsInvalid()
        {
            var session = this.Session;
            var securityToken = new SecurityTokenBuilder(session).Build();
            var role = new RoleBuilder(session).WithName("Role").Build();

            // No WithSubject(...) / WithSubjectGroup(...): the access control has an object and a role only.
            var accessControl = new AccessControlBuilder(session).WithRole(role).Build();
            securityToken.AddAccessControl(accessControl);

            var log = session.Derive(false);
            Assert.True(log.HasErrors);
            Assert.Equal(1, log.Errors.Length);

            var error = log.Errors[0];
            Assert.Equal(2, error.Relations.Length);
            Assert.Equal(typeof(DerivationErrorAtLeastOne), error.GetType());

            var roleTypes = new ArrayList(error.RoleTypes);
            Assert.True(roleTypes.Contains((RoleType)M.AccessControl.Subjects));
            Assert.True(roleTypes.Contains((RoleType)M.AccessControl.SubjectGroups));
        }
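        /// <summary>
        /// Derivation hook: recomputes the derived contact-mechanism shortcuts, the default payment
        /// method and the owner security token from the organisation's current state.
        /// </summary>
        /// <param name="method">Derivation context; its <c>Derivation</c> supplies validation and is
        /// handed on to <c>AppsOnDeriveEmployeeUserGroups</c>.</param>
        public void AppsOnDerive(ObjectOnDerive method)
        {
            var derivation = method.Derivation;

            this.PartyName = this.Name;

            // Once a previous currency has been recorded the preferred currency may no longer change;
            // on the first derivation the current preference becomes the recorded one.
            if (this.ExistPreviousCurrency)
            {
                derivation.Validation.AssertAreEqual(this, InternalOrganisations.Meta.PreferredCurrency, InternalOrganisations.Meta.PreviousCurrency);
            }
            else
            {
                this.PreviousCurrency = this.PreferredCurrency;
            }

            // Clear every derived shortcut first so that a contact mechanism that is no longer the
            // default (or was removed) does not leave a stale value behind.
            this.BillingAddress = null;
            this.BillingInquiriesFax = null;
            this.BillingInquiriesPhone = null;
            this.CellPhoneNumber = null;
            this.GeneralFaxNumber = null;
            this.GeneralPhoneNumber = null;
            this.HeadQuarter = null;
            this.HomeAddress = null;
            this.InternetAddress = null;
            this.OrderAddress = null;
            this.OrderInquiriesFax = null;
            this.OrderInquiriesPhone = null;
            this.PersonalEmailAddress = null;
            this.SalesOffice = null;
            this.ShippingAddress = null;
            this.ShippingInquiriesFax = null;
            // Bug fix: this line used to reset ShippingAddress a second time, so ShippingInquiriesPhone
            // was the only shortcut never cleared and kept its old value once its default was withdrawn.
            this.ShippingInquiriesPhone = null;

            // Only contact mechanisms flagged as default feed the shortcuts; the first match per
            // purpose wins for that purpose, later ones for the same purpose overwrite it.
            foreach (PartyContactMechanism partyContactMechanism in this.PartyContactMechanisms)
            {
                if (partyContactMechanism.UseAsDefault)
                {
                    if (partyContactMechanism.ContactPurpose.IsBillingAddress)
                    {
                        this.BillingAddress = partyContactMechanism.ContactMechanism;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsBillingInquiriesFax)
                    {
                        this.BillingInquiriesFax = partyContactMechanism.ContactMechanism as TelecommunicationsNumber;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsBillingInquiriesPhone)
                    {
                        this.BillingInquiriesPhone = partyContactMechanism.ContactMechanism as TelecommunicationsNumber;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsCellPhoneNumber)
                    {
                        this.CellPhoneNumber = partyContactMechanism.ContactMechanism as TelecommunicationsNumber;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsGeneralFaxNumber)
                    {
                        this.GeneralFaxNumber = partyContactMechanism.ContactMechanism as TelecommunicationsNumber;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsGeneralPhoneNumber)
                    {
                        this.GeneralPhoneNumber = partyContactMechanism.ContactMechanism as TelecommunicationsNumber;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsHeadQuarters)
                    {
                        this.HeadQuarter = partyContactMechanism.ContactMechanism;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsHomeAddress)
                    {
                        this.HomeAddress = partyContactMechanism.ContactMechanism;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsInternetAddress)
                    {
                        this.InternetAddress = partyContactMechanism.ContactMechanism as ElectronicAddress;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsOrderAddress)
                    {
                        this.OrderAddress = partyContactMechanism.ContactMechanism;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsOrderInquiriesFax)
                    {
                        this.OrderInquiriesFax = partyContactMechanism.ContactMechanism as TelecommunicationsNumber;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsOrderInquiriesPhone)
                    {
                        this.OrderInquiriesPhone = partyContactMechanism.ContactMechanism as TelecommunicationsNumber;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsPersonalEmailAddress)
                    {
                        this.PersonalEmailAddress = partyContactMechanism.ContactMechanism as ElectronicAddress;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsSalesOffice)
                    {
                        this.SalesOffice = partyContactMechanism.ContactMechanism;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsShippingAddress)
                    {
                        // `as` yields null when the mechanism is not a PostalAddress; that is the
                        // existing contract of the typed shortcuts and is kept here.
                        this.ShippingAddress = partyContactMechanism.ContactMechanism as PostalAddress;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsShippingInquiriesFax)
                    {
                        this.ShippingInquiriesFax = partyContactMechanism.ContactMechanism as TelecommunicationsNumber;
                        continue;
                    }

                    if (partyContactMechanism.ContactPurpose.IsShippingInquiriesPhone)
                    {
                        this.ShippingInquiriesPhone = partyContactMechanism.ContactMechanism as TelecommunicationsNumber;
                    }
                }
            }

            // Keep DefaultPaymentMethod and PaymentMethods consistent in both directions.
            if (this.ExistDefaultPaymentMethod && !this.PaymentMethods.Contains(this.DefaultPaymentMethod))
            {
                this.AddPaymentMethod(this.DefaultPaymentMethod);
            }

            if (!this.ExistDefaultPaymentMethod && this.PaymentMethods.Count == 1)
            {
                this.DefaultPaymentMethod = this.PaymentMethods.First;
            }

            // Each internal organisation owns a dedicated security token; on first derivation it is
            // created and attached together with the singleton's default token. This runs only once,
            // so tokens added later are never stripped here.
            if (!this.ExistOwnerSecurityToken)
            {
                var securityToken = new SecurityTokenBuilder(this.Strategy.Session).Build();
                this.OwnerSecurityToken = securityToken;

                this.AddSecurityToken(this.OwnerSecurityToken);
                this.AddSecurityToken(Singleton.Instance(this.Strategy.Session).DefaultSecurityToken);
            }

            this.AppsOnDeriveEmployeeUserGroups(derivation);
        }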
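        /// <summary>
        /// Issues an access token and a refresh token for a user.
        /// <c>model.Mode</c> selects the flow: "password" authenticates with login + password,
        /// "refresh" exchanges a previously issued refresh token for a new token pair.
        /// </summary>
        /// <param name="model">Login request; which fields are read depends on <c>Mode</c>.</param>
        /// <returns>
        /// 200 with the user token payload on success; 400 for a malformed password request or a failed
        /// login; 401 for an invalid refresh token or an unknown mode.
        /// </returns>
        public async Task <IActionResult> LoginUser(LoginUserModel model)
        {
            // A null model or Mode used to throw a NullReferenceException (HTTP 500);
            // route it to the unknown-mode response instead.
            var mode = model?.Mode?.ToLowerInvariant() ?? string.Empty;

            if (mode.Equals(LoginModeType.Password.ToString().ToLowerInvariant()) &&
                (string.IsNullOrEmpty(model.Login) || string.IsNullOrEmpty(model.Password)))
            {
                return ReturnBadRequest("login or password is empty");
            }

            var refreshTokenBuilder = new SecurityTokenBuilder()
                                      .AddConfiguration(_configuration)
                                      .AddEncriptionKey(Constants.JwtRefreshEncriptionKey)
                                      .AddIssuerKey(Constants.JwtIssuer)
                                      .AddAudienceKey(Constants.JwtAudience)
                                      .AddExpiryKey(Constants.JwtRefreshTokenExpiration);

            var tokenBuilder = new SecurityTokenBuilder()
                               .AddConfiguration(_configuration)
                               .AddEncriptionKey(Constants.JwtEncryptionKey)
                               .AddIssuerKey(Constants.JwtIssuer)
                               .AddAudienceKey(Constants.JwtAudience)
                               .AddExpiryKey(Constants.JwtExpiryTime);

            switch (mode)
            {
            case "password":
            {
                // NOTE(review): the credential sent to the repository is a plain SHA-256 of the password
                // (CryptoHelper.GetSha256String). That is not a password hash (no salt, no work factor);
                // moving storage to PBKDF2/bcrypt/Argon2 needs a migration and is out of scope here.
                var result = await _usersRepository.LoginUserAsync(model.Login, CryptoHelper.GetSha256String(model.Password));

                // One response for "unknown login" and "wrong password": the previous distinct
                // "user not found" / "login failed" messages let a caller enumerate valid accounts.
                if (result.User == null || !result.LoginResult)
                {
                    return ReturnBadRequest("login failed");
                }

                tokenBuilder.AddClaims(CryptoHelper.GetUserClaims(result.User));
                refreshTokenBuilder.AddClaims(CryptoHelper.GetRefreshUserClaims(result.User));

                // The access token is also set as a cookie. It is a bearer credential, so it must never
                // travel over plain HTTP and must not be attached to cross-site requests.
                HttpContext.Response.Cookies.Append(
                    _configuration.GetValue <string>(Constants.JwtCookieToken),
                    tokenBuilder.BuildAccessToken(),
                    new CookieOptions
                    {
                        MaxAge   = TimeSpan.FromMinutes(_configuration.GetValue <int>(Constants.JwtExpiryTime)),
                        HttpOnly = true,
                        Secure   = true,
                        SameSite = SameSiteMode.Lax,
                    });

                var refreshToken = refreshTokenBuilder.BuildAccessToken();
                var refreshTokenModel = new RefreshToken
                {
                    UserId  = result.User.Id,
                    Token   = refreshToken,
                    ValidTo = DateTime.UtcNow.AddMinutes(_configuration.GetValue <double>(Constants.JwtRefreshTokenExpiration))
                };
                await _usersRepository.RefreshToken(model.Login, refreshTokenModel);

                return Ok(CryptoHelper.GetUserToken(result.User, tokenBuilder, refreshToken));
            }

            case "refresh":
            {
                // An absent token used to reach AddAccessToken() and fail with a 500.
                if (string.IsNullOrEmpty(model.RefreshToken))
                {
                    return Unauthorized("refreshToken not valid");
                }

                // NOTE(review): the user id is read from the presented token. The builder is assumed to
                // verify signature, issuer, audience and expiry before exposing claims — confirm in
                // SecurityTokenBuilder; the repository check below only proves the token is the stored one.
                refreshTokenBuilder.AddAccessToken(model.RefreshToken);
                var userId     = refreshTokenBuilder.GetUserId();
                var userResult = await _usersRepository.CheckUserRefreshTokenAsync(userId, model.RefreshToken);

                if (!userResult.LoginResult)
                {
                    return Unauthorized("refreshToken not valid");
                }

                var user = userResult.User;

                // Rotate the refresh token: build a fresh one and persist it. Whether the repository
                // invalidates the previously stored token is not visible here — verify it does.
                refreshTokenBuilder.AddClaims(CryptoHelper.GetRefreshUserClaims(user));
                refreshTokenBuilder.SetCreateNew();
                var newRefreshToken = refreshTokenBuilder.BuildAccessToken();
                var newRefreshTokenModel = new RefreshToken
                {
                    UserId  = user.Id,
                    Token   = newRefreshToken,
                    ValidTo = DateTime.UtcNow.AddMinutes(_configuration.GetValue <double>(Constants.JwtRefreshTokenExpiration))
                };
                await _usersRepository.RefreshToken(userId, newRefreshTokenModel);

                tokenBuilder.AddClaims(CryptoHelper.GetUserClaims(user));
                return Ok(CryptoHelper.GetUserToken(user, tokenBuilder, newRefreshToken));
            }

            default:
                return Unauthorized("mode is not found");
            }
        }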
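        /// <summary>
        /// An object created in a workspace session that carries a token linked to the person's
        /// access control must be readable by that person according to the role's permissions.
        /// </summary>
        public void GivenAWorkspaceNewAccessControlledObjectWhenGettingTheAccessControlListThenUserHasAccessToThePermissionsInTheRole()
        {
            var readOrganisationName = this.FindPermission(Organisations.Meta.Name, Operation.Read);
            var databaseRole = new RoleBuilder(this.DatabaseSession).WithName("Role").WithPermission(readOrganisationName).Build();

            var person = new PersonBuilder(this.DatabaseSession).WithFirstName("John").WithLastName("Doe").Build();

            this.DatabaseSession.Derive(true);
            this.DatabaseSession.Commit();

            new AccessControlBuilder(this.DatabaseSession).WithSubject(person).WithRole(databaseRole).Build();

            this.DatabaseSession.Commit();

            var workspaceSession = this.CreateWorkspaceSession();

            var organisation = new OrganisationBuilder(workspaceSession).WithName("Organisation").Build();

            var token = new SecurityTokenBuilder(workspaceSession).Build();
            organisation.AddSecurityToken(token);

            // Pull the committed role and its access control into the workspace session and attach the new token.
            var role = (Role)workspaceSession.Instantiate(new Roles(this.DatabaseSession).FindBy(Roles.Meta.Name, "Role"));
            var accessControl = (AccessControl)workspaceSession.Instantiate(role.AccessControlsWhereRole.First);
            accessControl.AddObject(token);

            // NOTE(review): this derives the database session although the organisation, token and the
            // access-control link were created in the workspace session — confirm that is the intended target.
            Assert.IsFalse(this.DatabaseSession.Derive().HasErrors);

            // The previous version computed CanRead but never asserted on it, so the test could not fail.
            var accessList = new AccessControlList(organisation, person);
            Assert.IsTrue(accessList.CanRead(Organisations.Meta.Name));
        }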
        /// <summary>
        /// Derivation hook for an organisation: mirrors the name into PartyName, makes sure the
        /// organisation owns a security token, then runs the user-group, contact and
        /// contact-mechanism sub-derivations.
        /// </summary>
        /// <param name="method">Derivation context; its <c>Derivation</c> is passed on to each sub-derivation.</param>
        public void AppsOnDerive(ObjectOnDerive method)
        {
            this.PartyName = this.Name;

            // Created once: later derivations leave the existing owner token untouched.
            if (!this.ExistOwnerSecurityToken)
            {
                var ownerToken = new SecurityTokenBuilder(this.Strategy.Session).Build();
                this.OwnerSecurityToken = ownerToken;
                this.AddSecurityToken(ownerToken);
            }

            var derivation = method.Derivation;
            this.AppsOnDeriveUserGroups(derivation);
            this.AppsOnDeriveCurrentContacts(derivation);
            this.AppsOnDeriveInactiveContacts(derivation);
            this.AppsOnDeriveCurrentOrganisationContactRelationships(derivation);
            this.AppsOnDeriveInactiveOrganisationContactRelationships(derivation);
            this.AppsOnDeriveCurrentPartyContactMechanisms(derivation);
            this.AppsOnDeriveInactivePartyContactMechanisms(derivation);
        }
        /// <summary>
        /// A person who is the direct subject of an access control gets that access control's role
        /// permissions on an object carrying the access control's token. The user group created here
        /// is not given an access control of its own.
        /// </summary>
        public void GivenAUserGroupAndAnAccessControlledObjectWhenGettingTheAccessListThenUserHasAccessToThePermissionsInTheRole()
        {
            var readOrganisationName = this.FindPermission(Organisations.Meta.Name, Operation.Read);
            var databaseRole = new RoleBuilder(this.Session).WithName("Role").WithPermission(readOrganisationName).Build();

            var person = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();
            new UserGroupBuilder(this.Session).WithName("Group").WithMember(person).Build();

            this.Session.Derive(true);
            this.Session.Commit();

            // The access control is granted to the person directly, not to the group.
            new AccessControlBuilder(this.Session).WithSubject(person).WithRole(databaseRole).Build();
            this.Session.Commit();

            foreach (var session in new ISession[] { this.Session })
            {
                session.Commit();

                var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();
                var token = new SecurityTokenBuilder(session).Build();
                organisation.AddSecurityToken(token);

                // Attach the committed access control to the new token via this session.
                var role = (Role)session.Instantiate(new Roles(this.Session).FindBy(Roles.Meta.Name, "Role"));
                var accessControl = (AccessControl)session.Instantiate(role.AccessControlsWhereRole.First);
                accessControl.AddObject(token);

                Assert.IsFalse(this.Session.Derive().HasErrors);

                var accessList = new AccessControlList(organisation, person);
                Assert.IsTrue(accessList.CanRead(Organisations.Meta.Name));

                session.Rollback();
            }
        }