tsai
/
squidex
mirror of https://github.com/Squidex/squidex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Headless CMS and Content Managment Hub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5431 Commits
10 Branches
150 Tags
122 MiB
 
 
 
 
 
Tree: cc1db76e23
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cc1db76e23'
${ noResults }
squidex/backend/tests/Squidex.Web.Tests/ApiPermissionAttributeTests.cs

150 lines
5.5 KiB
Raw Blame History

// ==========================================================================
// Squidex Headless CMS
// ==========================================================================
// Copyright (c) Squidex UG (haftungsbeschraenkt)
// All rights reserved. Licensed under the MIT license.
// ==========================================================================
using System.Security.Claims;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Abstractions;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Routing;
using Squidex.Domain.Apps.Entities;
using Squidex.Domain.Apps.Entities.TestHelpers;
using Squidex.Infrastructure;
using Squidex.Shared;
using Squidex.Shared.Identity;
using Squidex.Web.Pipeline;
using Xunit;
#pragma warning disable IDE0017 // Simplify object initialization
namespace Squidex.Web
{
public class ApiPermissionAttributeTests
{
private readonly HttpContext httpContext = new DefaultHttpContext();
private readonly ActionExecutingContext actionExecutingContext;
private readonly ActionExecutionDelegate next;
private readonly ClaimsIdentity user = new ClaimsIdentity();
private readonly NamedId<DomainId> appId = NamedId.Of(DomainId.NewGuid(), "my-app");
private readonly NamedId<DomainId> schemaId = NamedId.Of(DomainId.NewGuid(), "my-schema");
private bool isNextCalled;
public ApiPermissionAttributeTests()
{
var actionContext = new ActionContext(httpContext, new RouteData(), new ActionDescriptor
{
FilterDescriptors = new List<FilterDescriptor>()
});
actionExecutingContext = new ActionExecutingContext(actionContext, new List<IFilterMetadata>(), new Dictionary<string, object?>(), this);
actionExecutingContext.HttpContext = httpContext;
actionExecutingContext.HttpContext.User = new ClaimsPrincipal(user);
next = () =>
{
isNextCalled = true;
return Task.FromResult<ActionExecutedContext>(null!);
};
}
[Fact]
public void Should_use_custom_authorization_scheme()
{
var sut = new ApiPermissionAttribute();
Assert.Equal(Constants.ApiSecurityScheme, sut.AuthenticationSchemes);
}
[Fact]
public async Task Should_make_permission_check_with_app_feature()
{
actionExecutingContext.HttpContext.Features.Set<IAppFeature>(new AppFeature(Mocks.App(appId)));
user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.my-app"));
SetContext();
var sut = new ApiPermissionAttribute(PermissionIds.AppSchemasCreate);
await sut.OnActionExecutionAsync(actionExecutingContext, next);
Assert.Null(actionExecutingContext.Result);
Assert.True(isNextCalled);
}
[Fact]
public async Task Should_make_permission_check_with_schema_feature()
{
actionExecutingContext.HttpContext.Features.Set<IAppFeature>(new AppFeature(Mocks.App(appId)));
actionExecutingContext.HttpContext.Features.Set<ISchemaFeature>(new SchemaFeature(Mocks.Schema(appId, schemaId)));
user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.my-app.schemas.my-schema"));
SetContext();
var sut = new ApiPermissionAttribute(PermissionIds.AppSchemasUpdate);
await sut.OnActionExecutionAsync(actionExecutingContext, next);
Assert.Null(actionExecutingContext.Result);
Assert.True(isNextCalled);
}
[Fact]
public async Task Should_return_forbidden_if_user_has_wrong_permission()
{
actionExecutingContext.HttpContext.Features.Set<IAppFeature>(new AppFeature(Mocks.App(appId)));
user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app"));
SetContext();
var sut = new ApiPermissionAttribute(PermissionIds.AppSchemasCreate);
await sut.OnActionExecutionAsync(actionExecutingContext, next);
Assert.Equal(403, (actionExecutingContext.Result as StatusCodeResult)?.StatusCode);
Assert.False(isNextCalled);
}
[Fact]
public async Task Should_return_forbidden_if_route_data_has_no_value()
{
user.AddClaim(new Claim(SquidexClaimTypes.Permissions, "squidex.apps.other-app"));
SetContext();
var sut = new ApiPermissionAttribute(PermissionIds.AppSchemasCreate);
await sut.OnActionExecutionAsync(actionExecutingContext, next);
Assert.Equal(403, (actionExecutingContext.Result as StatusCodeResult)?.StatusCode);
Assert.False(isNextCalled);
}
[Fact]
public async Task Should_return_forbidden_if_user_has_no_permission()
{
SetContext();
var sut = new ApiPermissionAttribute(PermissionIds.AppSchemasCreate);
await sut.OnActionExecutionAsync(actionExecutingContext, next);
Assert.Equal(403, (actionExecutingContext.Result as StatusCodeResult)?.StatusCode);
Assert.False(isNextCalled);
}
private void SetContext()
{
var context = new Context(new ClaimsPrincipal(actionExecutingContext.HttpContext.User), null!);
actionExecutingContext.HttpContext.Features.Set(context);
}
}
}