tsai
/
squidex
mirror of https://github.com/Squidex/squidex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Headless CMS and Content Managment Hub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3919 Commits
10 Branches
150 Tags
122 MiB
 
 
 
 
 
Tree: 59f87bb49b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '59f87bb49b'
${ noResults }
squidex/backend/tests/Squidex.Web.Tests/ApiPermissionAttributeTests.cs

113 lines
4.0 KiB
Raw Blame History

// ==========================================================================
// Squidex Headless CMS
// ==========================================================================
// Copyright (c) Squidex UG (haftungsbeschraenkt)
// All rights reserved. Licensed under the MIT license.
// ==========================================================================
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Abstractions;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Routing;
using Squidex.Shared;
using Squidex.Shared.Identity;
using Xunit;
#pragma warning disable IDE0017 // Simplify object initialization
namespace Squidex.Web
{
public class ApiPermissionAttributeTests
{
private readonly HttpContext httpContext = new DefaultHttpContext();
private readonly ActionExecutingContext actionExecutingContext;
private readonly ActionExecutionDelegate next;
private readonly ClaimsIdentity user = new ClaimsIdentity();
private bool isNextCalled;
public ApiPermissionAttributeTests()
{
var actionContext = new ActionContext(httpContext, new RouteData(), new ActionDescriptor
{
FilterDescriptors = new List<FilterDescriptor>()
});
actionExecutingContext = new ActionExecutingContext(actionContext, new List<IFilterMetadata>(), new Dictionary<string, object>(), this);
actionExecutingContext.HttpContext = httpContext;
actionExecutingContext.HttpContext.User = new ClaimsPrincipal(user);
next = () =>
{
isNextCalled = true;
return Task.FromResult<ActionExecutedContext?>(null);
};
}
[Fact]
public void Should_use_bearer_schemes()
{
var sut = new ApiPermissionAttribute();
Assert.Equal("Bearer", sut.AuthenticationSchemes);
}
[Fact]
public async Task Should_call_next_when_user_has_correct_permission()
{
actionExecutingContext.RouteData.Values["app"] = "my-app";
user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.my-app"));
var sut = new ApiPermissionAttribute(Permissions.AppSchemasCreate);
await sut.OnActionExecutionAsync(actionExecutingContext, next);
Assert.Null(actionExecutingContext.Result);
Assert.True(isNextCalled);
}
[Fact]
public async Task Should_return_forbidden_when_user_has_wrong_permission()
{
actionExecutingContext.RouteData.Values["app"] = "my-app";
user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app"));
var sut = new ApiPermissionAttribute(Permissions.AppSchemasCreate);
await sut.OnActionExecutionAsync(actionExecutingContext, next);
Assert.Equal(403, (actionExecutingContext.Result as StatusCodeResult)?.StatusCode);
Assert.False(isNextCalled);
}
[Fact]
public async Task Should_return_forbidden_when_route_data_has_no_value()
{
user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app"));
var sut = new ApiPermissionAttribute(Permissions.AppSchemasCreate);
await sut.OnActionExecutionAsync(actionExecutingContext, next);
Assert.Equal(403, (actionExecutingContext.Result as StatusCodeResult)?.StatusCode);
Assert.False(isNextCalled);
}
[Fact]
public async Task Should_return_forbidden_when_user_has_no_permission()
{
var sut = new ApiPermissionAttribute(Permissions.AppSchemasCreate);
await sut.OnActionExecutionAsync(actionExecutingContext, next);
Assert.Equal(403, (actionExecutingContext.Result as StatusCodeResult)?.StatusCode);
Assert.False(isNextCalled);
}
}
}