dcovington
/
Campaign_Tracker
1
0
Fork 0
Code Issues 4 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
33 Commits
2 Branches
17MB
Tree: 748dff81e4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '748dff81e4'
${ noResults }
Campaign_Tracker/Campaign_Tracker.Server.Tests/ApplicationAuthorizationTes...

195 lines
8.0KB
Raw Blame History 

  1. using System.IdentityModel.Tokens.Jwt;

  2. using System.Net;

  3. using System.Net.Http.Headers;

  4. using System.Security.Claims;

  5. using System.Text;

  6. using Campaign_Tracker.Server.Authentication;

  7. using Campaign_Tracker.Server.Authorization;

  8. using Microsoft.AspNetCore.Mvc.Testing;

  9. using Microsoft.Extensions.DependencyInjection;

  10. using Microsoft.IdentityModel.Tokens;

  11. 

  12. namespace Campaign_Tracker.Server.Tests;

  13. 

  14. public sealed class ApplicationAuthorizationTests : IClassFixture<WebApplicationFactory<Program>>

  15. {

  16.     private const string Issuer = "http://kci-app01.ntp.kentcommunications.com:8180/realms/KCI";

  17.     private const string ClientId = "canopy-web";

  18.     private const string SigningKey = "test-signing-key-with-at-least-32-characters";

  19. 

  20.     private readonly WebApplicationFactory<Program> _factory;

  21. 

  22.     public ApplicationAuthorizationTests(WebApplicationFactory<Program> factory)

  23.     {

  24.         Environment.SetEnvironmentVariable("Keycloak__Authority", Issuer);

  25.         Environment.SetEnvironmentVariable("Keycloak__ValidIssuer", Issuer);

  26.         Environment.SetEnvironmentVariable("Keycloak__PublicAuthority", Issuer);

  27.         Environment.SetEnvironmentVariable("Keycloak__ClientId", ClientId);

  28.         Environment.SetEnvironmentVariable("Keycloak__DisableHttpsMetadata", "true");

  29.         Environment.SetEnvironmentVariable("Keycloak__TestSigningKey", SigningKey);

  30. 

  31.         _factory = factory;

  32.     }

  33. 

  34.     [Fact]

  35.     public async Task ClientServices_CanAccessMunicipalityAndCycleRoutes_ButNotAdminOrProduction()

  36.     {

  37.         using var client = CreateClientWithRole("ClientServices");

  38. 

  39.         Assert.Equal(HttpStatusCode.OK, (await client.GetAsync("/api/municipalities/profile")).StatusCode);

  40.         Assert.Equal(HttpStatusCode.OK, (await client.PostAsync("/api/election-cycles", null)).StatusCode);

  41.         Assert.Equal(HttpStatusCode.Forbidden, (await client.GetAsync("/api/admin/settings")).StatusCode);

  42.         Assert.Equal(HttpStatusCode.Forbidden, (await client.GetAsync("/api/production/work-queue")).StatusCode);

  43.     }

  44. 

  45.     [Fact]

  46.     public async Task Admin_CanAccessAllApplicationRoutes()

  47.     {

  48.         using var client = CreateClientWithRole("Admin");

  49. 

  50.         Assert.Equal(HttpStatusCode.OK, (await client.GetAsync("/api/municipalities/profile")).StatusCode);

  51.         Assert.Equal(HttpStatusCode.OK, (await client.PostAsync("/api/election-cycles", null)).StatusCode);

  52.         Assert.Equal(HttpStatusCode.OK, (await client.GetAsync("/api/admin/settings")).StatusCode);

  53.         Assert.Equal(HttpStatusCode.OK, (await client.GetAsync("/api/production/work-queue")).StatusCode);

  54.     }

  55. 

  56.     [Fact]

  57.     public async Task KeycloakRealmAccessRole_IsMappedToApplicationPolicy()

  58.     {

  59.         var client = _factory.CreateClient();

  60.         client.DefaultRequestHeaders.Authorization =

  61.             new AuthenticationHeaderValue("Bearer", CreateTokenWithRealmAccessRole("daniel@example.test", "ClientServices"));

  62. 

  63.         var response = await client.GetAsync("/api/municipalities/profile");

  64. 

  65.         Assert.Equal(HttpStatusCode.OK, response.StatusCode);

  66.     }

  67. 

  68.     [Fact]

  69.     public async Task UnrecognizedRole_ReceivesForbidden_AndAuditCapturesActor()

  70.     {

  71.         using var client = CreateClientWithRole("SeasonalViewer", "unknown@example.test");

  72. 

  73.         var response = await client.GetAsync("/api/municipalities/profile");

  74.         var auditStore = _factory.Services.GetRequiredService<IAuthenticationAuditStore>();

  75. 

  76.         Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);

  77.         Assert.Contains(auditStore.Events, audit =>

  78.             audit.EventType == AuthenticationAuditEventType.AuthorizationDenied &&

  79.             audit.Subject == "unknown@example.test" &&

  80.             audit.Resource == "/api/municipalities/profile");

  81.     }

  82. 

  83.     [Fact]

  84.     public async Task PrivilegedOperation_AuditsAllowedAuthorizationResultActorAndResource()

  85.     {

  86.         using var client = CreateClientWithRole("Admin", "admin@example.test");

  87. 

  88.         var response = await client.PostAsync("/api/admin/privileged-operation", null);

  89.         var auditStore = _factory.Services.GetRequiredService<IAuthenticationAuditStore>();

  90. 

  91.         Assert.Equal(HttpStatusCode.OK, response.StatusCode);

  92.         Assert.Contains(auditStore.Events, audit =>

  93.             audit.EventType == AuthenticationAuditEventType.AuthorizationAllowed &&

  94.             audit.Subject == "admin@example.test" &&

  95.             audit.Resource == "/api/admin/privileged-operation");

  96.     }

  97. 

  98.     [Fact]

  99.     public async Task AllowedPermissionCheck_AuditsAuthorizationAllowedCentrally()

  100.     {

  101.         using var client = CreateClientWithRole("ClientServices", "client@example.test");

  102. 

  103.         var response = await client.GetAsync("/api/municipalities/profile");

  104.         var auditStore = _factory.Services.GetRequiredService<IAuthenticationAuditStore>();

  105. 

  106.         Assert.Equal(HttpStatusCode.OK, response.StatusCode);

  107.         Assert.Contains(auditStore.Events, audit =>

  108.             audit.EventType == AuthenticationAuditEventType.AuthorizationAllowed &&

  109.             audit.Subject == "client@example.test" &&

  110.             audit.Resource == "/api/municipalities/profile");

  111.     }

  112. 

  113.     [Fact]

  114.     public async Task AnonymousPermissionCheck_AuditsAuthorizationDenied()

  115.     {

  116.         using var client = _factory.CreateClient();

  117. 

  118.         var response = await client.GetAsync("/api/municipalities/profile");

  119.         var auditStore = _factory.Services.GetRequiredService<IAuthenticationAuditStore>();

  120. 

  121.         Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);

  122.         Assert.Contains(auditStore.Events, audit =>

  123.             audit.EventType == AuthenticationAuditEventType.AuthorizationDenied &&

  124.             audit.Subject == "anonymous" &&

  125.             audit.Resource == "/api/municipalities/profile");

  126.     }

  127. 

  128.     [Fact]

  129.     public void RoleExtraction_WhenKeycloakJsonClaimIsMalformed_IgnoresClaim()

  130.     {

  131.         var roles = ApplicationRole.ExtractKeycloakRoles(

  132.             [new Claim("realm_access", "{not-json")],

  133.             ClientId);

  134. 

  135.         Assert.Empty(roles);

  136.     }

  137. 

  138.     [Fact]

  139.     public void WorkspaceResolver_WhenUserHasMultipleRoles_UsesStablePriority()

  140.     {

  141.         var path = RoleWorkspaceResolver.ResolveWorkspacePath(

  142.             [ApplicationRole.Production, ApplicationRole.Admin]);

  143. 

  144.         Assert.Equal("/workspace/admin", path);

  145.     }

  146. 

  147.     private HttpClient CreateClientWithRole(string role, string subject = "daniel@example.test")

  148.     {

  149.         var client = _factory.CreateClient();

  150.         client.DefaultRequestHeaders.Authorization =

  151.             new AuthenticationHeaderValue("Bearer", CreateToken(subject, role));

  152.         return client;

  153.     }

  154. 

  155.     private static string CreateToken(string subject, string role)

  156.     {

  157.         var credentials = new SigningCredentials(

  158.             new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SigningKey)),

  159.             SecurityAlgorithms.HmacSha256);

  160.         var token = new JwtSecurityToken(

  161.             issuer: Issuer,

  162.             audience: ClientId,

  163.             claims:

  164.             [

  165.                 new Claim(JwtRegisteredClaimNames.Sub, subject),

  166.                 new Claim(ClaimTypes.Name, subject),

  167.                 new Claim(ClaimTypes.Role, role),

  168.             ],

  169.             expires: DateTime.UtcNow.AddMinutes(10),

  170.             signingCredentials: credentials);

  171. 

  172.         return new JwtSecurityTokenHandler().WriteToken(token);

  173.     }

  174. 

  175.     private static string CreateTokenWithRealmAccessRole(string subject, string role)

  176.     {

  177.         var credentials = new SigningCredentials(

  178.             new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SigningKey)),

  179.             SecurityAlgorithms.HmacSha256);

  180.         var token = new JwtSecurityToken(

  181.             issuer: Issuer,

  182.             audience: ClientId,

  183.             claims:

  184.             [

  185.                 new Claim(JwtRegisteredClaimNames.Sub, subject),

  186.                 new Claim(ClaimTypes.Name, subject),

  187.                 new Claim("realm_access", $$"""{"roles":["{{role}}"]}""", JsonClaimValueTypes.Json),

  188.             ],

  189.             expires: DateTime.UtcNow.AddMinutes(10),

  190.             signingCredentials: credentials);

  191. 

  192.         return new JwtSecurityTokenHandler().WriteToken(token);

  193.     }

  194. }

Powered by TurnKey Linux.