upd SecurityPathRestriction (#525)

Luxoft · Nov 18, 2024 · 7a4fce8 · 7a4fce8
1 parent 72d9414
commit 7a4fce8
Show file tree

Hide file tree

Showing 18 changed files with 55 additions and 34 deletions.
diff --git a/src/Framework.SecuritySystem.Abstract/SecurityPath/SecurityPathRestriction.cs b/src/Framework.SecuritySystem.Abstract/SecurityPath/SecurityPathRestriction.cs
@@ -22,7 +22,9 @@ public SecurityPathRestriction(
 
     public IEnumerable<Type>? SecurityContextTypes => this.SecurityContextRestrictions?.Select(v => v.Type);
 
-    public static SecurityPathRestriction Empty { get; } = new(null, Array.Empty<Type>(), []);
+    public static SecurityPathRestriction Disabled { get; } = new(null, Array.Empty<Type>(), []);
+
+    public static SecurityPathRestriction Empty { get; } = new([], Array.Empty<Type>(), []);
 
     public SecurityPathRestriction Add<TSecurityContext>(bool required = false, string? key = null)
         where TSecurityContext : ISecurityContext =>
@@ -43,8 +45,8 @@ public SecurityPathRestriction AddConditionFactory(Type conditionFactoryType) =>
         new(this.SecurityContextRestrictions, this.ConditionFactoryTypes.Concat([conditionFactoryType]), this.RelativeConditions);
 
     public static SecurityPathRestriction Create<TSecurityContext>(bool required = false, string? key = null)
-        where TSecurityContext : ISecurityContext => Empty.Add<TSecurityContext>(required, key);
+        where TSecurityContext : ISecurityContext => Disabled.Add<TSecurityContext>(required, key);
 
     public static SecurityPathRestriction Create<TDomainObject>(Expression<Func<TDomainObject, bool>> condition) =>
-        Empty.AddRelativeCondition(condition);
+        Disabled.AddRelativeCondition(condition);
 }
diff --git a/src/Framework.SecuritySystem.Abstract/SecurityRole/SecurityRoleInfo.cs b/src/Framework.SecuritySystem.Abstract/SecurityRole/SecurityRoleInfo.cs
@@ -6,7 +6,7 @@ public record SecurityRoleInfo(Guid Id)
 {
     public HierarchicalExpandType? CustomExpandType { get; init; } = null;
 
-    public SecurityPathRestriction Restriction { get; init; } = SecurityPathRestriction.Empty;
+    public SecurityPathRestriction Restriction { get; init; } = SecurityPathRestriction.Disabled;
 
     public IReadOnlyList<SecurityOperation> Operations { get; init; } = [];
 

diff --git a/src/Framework.SecuritySystem.DiTests/SecurityPathTests.cs b/src/Framework.SecuritySystem.DiTests/SecurityPathTests.cs
@@ -102,7 +102,7 @@ public void EmptySecurityPathRestriction_SecurityPathNotModified()
 
         var testSecurityPath = baseSecurityPath.And(altSecurityPath);
 
-        var restriction = SecurityPathRestriction.Empty;
+        var restriction = SecurityPathRestriction.Disabled;
 
         //Act
         var result = service.ApplyRestriction(testSecurityPath, restriction);

diff --git a/src/Framework.SecuritySystem/DependencyInjection/ISecuritySystemSettings.cs b/src/Framework.SecuritySystem/DependencyInjection/ISecuritySystemSettings.cs
@@ -11,7 +11,7 @@ namespace Framework.SecuritySystem.DependencyInjection;
 
 public interface ISecuritySystemSettings
 {
-    bool InitializeAdministratorRole { get; set; }
+    bool InitializeDefaultRoles { get; set; }
 
     ISecuritySystemSettings AddSecurityContext<TSecurityContext>(
         Guid ident,

diff --git a/src/Framework.SecuritySystem/DependencyInjection/InitializedSecurityRoleSource.cs b/src/Framework.SecuritySystem/DependencyInjection/InitializedSecurityRoleSource.cs
@@ -7,17 +7,27 @@ public IEnumerable<FullSecurityRole> GetSecurityRoles()
         return securityRoles.Select(sr => this.GetInitializedRole(sr.FullSecurityRole));
     }
 
-    protected virtual IReadOnlyList<SecurityRole> ExceptChildren { get; } = [SecurityRole.Administrator, SecurityRole.SystemIntegration];
+    protected virtual IReadOnlyList<SecurityRole> ExceptAdministratorRoles { get; } = [SecurityRole.Administrator, SecurityRole.SystemIntegration];
 
     private FullSecurityRole GetInitializedRole(FullSecurityRole securityRole)
     {
         if (securityRole == SecurityRole.Administrator)
         {
             var info = securityRole.Information;
 
-            var otherRoles = securityRoles.Select(sr => sr.FullSecurityRole).Except(this.ExceptChildren);
+            var otherRoles = securityRoles.Select(sr => sr.FullSecurityRole).Except(this.ExceptAdministratorRoles);
 
-            var newInfo = securityRole.Information with { Children = info.Children.Concat(otherRoles).Distinct().ToList() };
+            var newInfo = securityRole.Information with
+                          {
+                              Children = info.Children.Concat(otherRoles).Distinct().ToList(),
+                              Restriction = SecurityPathRestriction.Empty
+                          };
+
+            return new FullSecurityRole(securityRole.Name, newInfo);
+        }
+        else if (securityRole == SecurityRole.SystemIntegration)
+        {
+            var newInfo = securityRole.Information with { Restriction = SecurityPathRestriction.Empty };
 
             return new FullSecurityRole(securityRole.Name, newInfo);
         }

diff --git a/src/Framework.SecuritySystem/DependencyInjection/SecuritySystemSettings.cs b/src/Framework.SecuritySystem/DependencyInjection/SecuritySystemSettings.cs
@@ -29,7 +29,7 @@ public class SecuritySystemSettings : ISecuritySystemSettings
 
     private Type? securityAccessorInfinityStorageType;
 
-    public bool InitializeAdministratorRole { get; set; } = true;
+    public bool InitializeDefaultRoles { get; set; } = true;
 
     public ISecuritySystemSettings AddSecurityContext<TSecurityContext>(
         Guid ident,
@@ -192,7 +192,7 @@ public void Initialize(IServiceCollection services)
         this.registerUserSourceAction(services);
         this.registerRunAsManagerAction(services);
 
-        if (this.InitializeAdministratorRole)
+        if (this.InitializeDefaultRoles)
         {
             services.AddSingleton<IInitializedSecurityRoleSource, InitializedSecurityRoleSource>();
             services.AddSingletonFrom((IInitializedSecurityRoleSource source) => source.GetSecurityRoles());
@@ -217,7 +217,7 @@ public void Initialize(IServiceCollection services)
 
     private void AddSecurityRole(IServiceCollection serviceCollection, FullSecurityRole fullSecurityRole)
     {
-        if (this.InitializeAdministratorRole)
+        if (this.InitializeDefaultRoles)
         {
             serviceCollection.AddSingleton(new PreInitializerFullSecurityRole(fullSecurityRole));
         }

diff --git a/src/_SampleSystem/SampleSystem.Security.Abstract/SampleSystemSecurityRole.cs b/src/_SampleSystem/SampleSystem.Security.Abstract/SampleSystemSecurityRole.cs
@@ -25,4 +25,6 @@ public static class SampleSystemSecurityRole
     public static SecurityRole TestVirtualRole2 { get; } = new(nameof(TestVirtualRole2));
 
     public static SecurityRole PermissionAdministrator { get; } = new(nameof(PermissionAdministrator));
+
+    public static SecurityRole TestPerformance { get; } = new(nameof(TestPerformance));
 }
diff --git a/src/_SampleSystem/SampleSystem.Security/SampleSystemDomainSecurityServiceExtensions.cs b/src/_SampleSystem/SampleSystem.Security/SampleSystemDomainSecurityServiceExtensions.cs
@@ -108,7 +108,7 @@ private static ISecuritySystemSettings RegisterMainDomainSecurityServices(this I
                             .SetPath(SecurityPath<TestRootSecurityObj>.Create(v => v.BusinessUnit).And(v => v.Location)))
 
                   .Add<TestPerformanceObject>(
-                      b => b.SetView(SampleSystemSecurityOperation.EmployeeView)
+                      b => b.SetView(SampleSystemSecurityRole.TestPerformance)
                             .SetPath(
                                 SecurityPath<TestPerformanceObject>.Create(v => v.Location, SingleSecurityMode.Strictly)
                                                                    .And(v => v.Employee, SingleSecurityMode.Strictly)
@@ -123,7 +123,7 @@ private static ISecuritySystemSettings RegisterMainDomainSecurityServices(this I
                                                                       SecurityPath<TestItemAuthObject>.Create(i => i.BusinessUnit).And(i => i.ManagementUnit)))))
 
                   .Add<AuthPerformanceObject>(
-                      b => b.SetView(SampleSystemSecurityOperation.BusinessUnitView)
+                      b => b.SetView(SampleSystemSecurityRole.TestPerformance)
                             .SetPath(
                                 SecurityPath<AuthPerformanceObject>.Create(v => v.BusinessUnit)
                                                                    .And(v => v.ManagementUnit)

diff --git a/src/_SampleSystem/SampleSystem.Security/SampleSystemSecuritySystemExtensions.cs b/src/_SampleSystem/SampleSystem.Security/SampleSystemSecuritySystemExtensions.cs
@@ -31,7 +31,8 @@ public static ISecuritySystemSettings AddSecurityRoles(this ISecuritySystemSetti
                    SampleSystemSecurityRole.SeManager,
                    new SecurityRoleInfo(new Guid("dbf3556d-7106-4175-b5e4-a32d00bd857a"))
                    {
-                       Children = [SampleSystemSecurityRole.TestVirtualRole]
+                       Children = [SampleSystemSecurityRole.TestVirtualRole],
+                       Operations = [SampleSystemSecurityOperation.BusinessUnitEdit]
                    })
 
                .AddSecurityRole(
@@ -87,13 +88,17 @@ public static ISecuritySystemSettings AddSecurityRoles(this ISecuritySystemSetti
                    SampleSystemSecurityRole.TestVirtualRole2,
                    new SecurityRoleInfo(new Guid("{649DE6F3-A943-46A3-9E81-AA056D24B52D}")) { IsVirtual = true, })
 
+               .AddSecurityRole(
+                   SampleSystemSecurityRole.TestPerformance,
+                   new SecurityRoleInfo(new Guid("{B1A5B1B6-F92D-4367-B7EC-200179E80308}")))
+
                .AddSecurityRole(
                    SampleSystemSecurityRole.PermissionAdministrator,
                    new SecurityRoleInfo(new Guid("{1E101597-E722-4650-BED1-5A1025540897}")))
 
                .AddSecurityRole(
                    SecurityRole.SystemIntegration,
-                   new SecurityRoleInfo(new Guid("df74d544-5945-4380-944e-a3a9001252be")))
+                   new SecurityRoleInfo(new Guid("df74d544-5945-4380-944e-a3a9001252be")) { Restriction = SecurityPathRestriction.Empty })
 
                .AddSecurityRole(
                    SecurityRole.Administrator,

diff --git a/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/AuthPerfomanceTest.cs b/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/AuthPerfomanceTest.cs
@@ -12,6 +12,7 @@
 using SampleSystem.Domain;
 using SampleSystem.Generated.DTO;
 using SampleSystem.IntegrationTests.__Support.TestData;
+using SampleSystem.Security;
 
 namespace SampleSystem.IntegrationTests;
 
@@ -76,7 +77,7 @@ from location in this.locationSource
 
                       from employee in this.employeeSource
 
-                      select (TestPermission)new SampleSystemTestPermission(SecurityRole.Administrator, fbu, mbu, location, employee);
+                      select (TestPermission)new SampleSystemTestPermission(SampleSystemSecurityRole.TestPerformance, fbu, mbu, location, employee);
 
         this.AuthHelper.SetUserRole(PrincipalName, request.ToArray());
     }

diff --git a/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/AuthPerformanceTests.cs b/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/AuthPerformanceTests.cs
@@ -10,6 +10,7 @@
 
 using SampleSystem.Domain;
 using SampleSystem.IntegrationTests.__Support.TestData;
+using SampleSystem.Security;
 using SampleSystem.WebApiCore.Controllers.Main;
 
 using PersistentDomainObjectBase = SampleSystem.Domain.PersistentDomainObjectBase;
@@ -59,7 +60,7 @@ from mbuIdent in genMbu
 
                                                 var testPrincipal = new Principal { Name = TestUser };
 
-                                                var adminRole = ctx.Authorization.Logics.BusinessRole.GetByName(SecurityRole.Administrator.Name);
+                                                var adminRole = ctx.Authorization.Logics.BusinessRole.GetByName(SampleSystemSecurityRole.TestPerformance.Name);
 
                                                 foreach (var genObjectSubEnumerable in genObjects.Split(SplitBy))
                                                 {

diff --git a/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/BusinessUnitTests.cs b/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/BusinessUnitTests.cs
@@ -122,7 +122,7 @@ public void LoadTreeWithMiddlePermission_RootParentLoadedWithViewMode()
 
         var userId = this.AuthHelper.SetUserRole(
             TextRandomizer.RandomString(10),
-            new SampleSystemTestPermission(SecurityRole.Administrator, childBu));
+            new SampleSystemTestPermission(SampleSystemSecurityRole.SeManager, childBu));
 
         // Act
         var result = this.Evaluate(

diff --git a/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/DependencySecurityTests.cs b/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/DependencySecurityTests.cs
@@ -1,14 +1,14 @@
-using Automation.ServiceEnvironment;
+
+using Automation.ServiceEnvironment;
 
 using FluentAssertions;
 
-using Framework.SecuritySystem;
-
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 
 using SampleSystem.Domain;
 using SampleSystem.Generated.DTO;
 using SampleSystem.IntegrationTests.__Support.TestData;
+using SampleSystem.Security;
 using SampleSystem.WebApiCore.Controllers.Main;
 
 namespace SampleSystem.IntegrationTests;
@@ -45,7 +45,7 @@ public void SetUp()
 
         this.DataHelper.SaveEmployee(login: TestEmployeeLogin);
 
-        this.AuthHelper.SetUserRole(TestEmployeeLogin, new SampleSystemTestPermission(SecurityRole.Administrator, this.bu2Ident, null, null));
+        this.AuthHelper.SetUserRole(TestEmployeeLogin, new SampleSystemTestPermission(SampleSystemSecurityRole.SeManager, this.bu2Ident));
 
         this.EvaluateWrite(
                            context =>

diff --git a/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/EmployeeProjectionTests.cs b/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/EmployeeProjectionTests.cs
@@ -1,7 +1,6 @@
 using FluentAssertions;
 
 using Framework.Core;
-using Framework.SecuritySystem;
 
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 
@@ -50,7 +49,7 @@ public void SetUp()
         this.AuthHelper.SetUserRole(
             ProjectionPrincipalName,
             new SampleSystemTestPermission(
-                SecurityRole.Administrator,
+                SampleSystemSecurityRole.SeManager,
                 new BusinessUnitIdentityDTO(DefaultConstants.BUSINESS_UNIT_PARENT_PC_ID)));
 
         this.AuthHelper.SetUserRole(TestEmployee1Login, SampleSystemSecurityRole.TestRole1);

diff --git a/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/ExtraQueryableSecurityPathTests.cs b/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/ExtraQueryableSecurityPathTests.cs
@@ -50,8 +50,8 @@ public void SetUp()
 
         this.AuthHelper.SetUserRole(
             this.TestEmployee.Id,
-            new SampleSystemTestPermission(SecurityRole.Administrator, this.bu2Ident, null, this.loc1Ident),
-            new SampleSystemTestPermission(SecurityRole.Administrator, this.bu2Ident, null, this.loc2Ident));
+            new SampleSystemTestPermission(SampleSystemSecurityRole.SeManager, this.bu2Ident, null, this.loc1Ident),
+            new SampleSystemTestPermission(SampleSystemSecurityRole.SeManager, this.bu2Ident, null, this.loc2Ident));
 
         this.TestEmp1 = this.DataHelper.SaveEmployee(coreBusinessUnit: this.bu1Ident, location: this.loc1Ident);
 

diff --git a/...mpleSystem/_Tests/SampleSystem.IntegrationTests/ManualAndLegacyProjectionSecurityTests.cs b/...mpleSystem/_Tests/SampleSystem.IntegrationTests/ManualAndLegacyProjectionSecurityTests.cs
@@ -12,6 +12,7 @@
 using SampleSystem.Generated.DTO;
 using SampleSystem.IntegrationTests.__Support.TestData;
 using SampleSystem.Domain.ManualProjections;
+using SampleSystem.Security;
 using SampleSystem.WebApiCore.Controllers.MainQuery;
 
 namespace SampleSystem.IntegrationTests;
@@ -39,7 +40,7 @@ public void SetUp()
 
         this.DataHelper.SaveEmployee(login: TestEmployeeLogin);
 
-        this.AuthHelper.SetUserRole(TestEmployeeLogin, new SampleSystemTestPermission(SecurityRole.Administrator, this.bu2Ident, null, null));
+        this.AuthHelper.SetUserRole(TestEmployeeLogin, new SampleSystemTestPermission(SampleSystemSecurityRole.SeManager, this.bu2Ident, null, null));
 
         this.TestEmp1 = this.DataHelper.SaveEmployee(coreBusinessUnit: this.bu1Ident);
 

diff --git a/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/PrincipalWithInitTests.cs b/src/_SampleSystem/_Tests/SampleSystem.IntegrationTests/PrincipalWithInitTests.cs
@@ -6,12 +6,12 @@
 using Framework.Core;
 using Framework.DomainDriven;
 using Framework.DomainDriven.BLL;
-using Framework.SecuritySystem;
 
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 
 using SampleSystem.Generated.DTO;
 using SampleSystem.IntegrationTests.__Support.TestData;
+using SampleSystem.Security;
 
 namespace SampleSystem.IntegrationTests;
 
@@ -49,15 +49,15 @@ public void SetUp()
         this.AuthHelper.SetUserRole(
             TestPrincipalName,
             new SampleSystemTestPermission(
-                SecurityRole.Administrator,
+                SampleSystemSecurityRole.TestPerformance,
                 new BusinessUnitIdentityDTO(DefaultConstants.BUSINESS_UNIT_PARENT_PC_ID)) { Period = this.testPeriod });
     }
 
     [TestMethod]
     public void CreateDuplicatePermission_ValidationError()
     {
         // Arrange
-        var expectedErrorMessage = $"Principal \"{TestPrincipalName}\" has duplicate permissions: (Role: {SecurityRole.Administrator} | Period: {this.testPeriod} | BusinessUnits: {DefaultConstants.BUSINESS_UNIT_PARENT_PC_NAME})";
+        var expectedErrorMessage = $"Principal \"{TestPrincipalName}\" has duplicate permissions: (Role: {SampleSystemSecurityRole.TestPerformance} | Period: {this.testPeriod} | BusinessUnits: {DefaultConstants.BUSINESS_UNIT_PARENT_PC_NAME})";
 
         // Act
         var call = () =>

diff --git a/src/__SolutionItems/CommonAssemblyInfo.cs b/src/__SolutionItems/CommonAssemblyInfo.cs
@@ -4,9 +4,9 @@
 [assembly: AssemblyCompany("Luxoft")]
 [assembly: AssemblyCopyright("Copyright © Luxoft 2009-2024")]
 
-[assembly: AssemblyVersion("22.5.5.0")]
-[assembly: AssemblyFileVersion("22.5.5.0")]
-[assembly: AssemblyInformationalVersion("22.5.5.0")]
+[assembly: AssemblyVersion("22.5.6.0")]
+[assembly: AssemblyFileVersion("22.5.6.0")]
+[assembly: AssemblyInformationalVersion("22.5.6.0")]
 
 #if DEBUG
 [assembly: AssemblyConfiguration("Debug")]