Merge branch 'master' into snyk-fix-0da9a9db8cde2739a67c033a3d8747c7

# Conflicts:
#	src/backend/api/Fusion.Resources.Domain/Fusion.Resources.Domain.csproj

pipelines/function-pr-pipeline.yml

@@ -17,6 +17,7 @@ pr:
 variables:
     subscriptionService: 'PROJECT_PORTAL (63b791ae-b2bc-41a1-ac66-806c4e69bffe)'
     webPackage: '$(Pipeline.Workspace)/drop/Fusion.Resources.Functions.zip'
+    prNumber: $(System.PullRequest.PullRequestNumber)
 
 stages:
     - template: templates/build-function.yml
@@ -43,10 +44,11 @@ stages:
           runOnce:
             deploy:
               steps:
-                - template: templates/deploy-function-template.yml
+                - template: templates/deploy-function-pr-template.yml
                   parameters:
                     envName: $(environment)
                     clientId: '5a842df8-3238-415d-b168-9f16a6a6031b'
+                    pullRequestNumber: $(prNumber)
 
                 - task: AzureFunctionApp@1
                   inputs:

pipelines/templates/deploy-function-pr-template.yml

@@ -0,0 +1,94 @@
+#
+# Template for deploying pull request function app. 
+# 
+# Done this instead of making one template to include all ifs-and-buts.
+#
+
+
+parameters:
+  envName: ''
+  clientId: ''
+  pullRequestNumber: ''
+  fusionResource: '5a842df8-3238-415d-b168-9f16a6a6031b'
+  templateFile: $(Build.SourcesDirectory)/src/backend/function/Fusion.Resources.Functions/Deployment/function.template.json
+  disabledFunctionsFile: $(Build.SourcesDirectory)/src/backend/function/Fusion.Resources.Functions/Deployment/disabled-functions.json
+
+steps:
+- checkout: self
+- task: AzurePowerShell@4
+  displayName: 'Deploy Function ARM template'
+  inputs:
+    azureSubscription: 'PROJECT_PORTAL (63b791ae-b2bc-41a1-ac66-806c4e69bffe)'
+    ScriptType: 'InlineScript'
+    FailOnStandardError: true
+    azurePowerShellVersion: 'LatestVersion'
+    Inline: |
+      # 
+      # Hardcoded to PR env
+      #
+      $environment = "pr"
+      $pullRequestNumber = "${{ parameters.pullRequestNumber }}"
+      $fusionEnvironment = "ci"
+      $functionAppName = "func-fap-resources-$environment"
+      $envVaultName = "kv-fap-resources-$environment"
+      $envResourceGroup = Get-AzResourceGroup -Tag @{ "fusion-app-component" = "resources-rg-$environment" }
+
+      if ($envResourceGroup -eq $null) { throw "Cannot locate resource group for environment '$environment'" }
+
+      $resourceGroup = $envResourceGroup.ResourceGroupName
+      Write-Host "Using resource group $resourceGroup"
+
+      #
+      # Generate the app settings      
+      #
+      # Sett correct resources URI based on environment
+      $resourcesFunctionUri =  "https://resources-api-pr-$pullRequestNumber.fusion-dev.net/"
+
+      $settings = @{
+          clientId = "${{ parameters.clientId }}"
+          secretIds = @{
+              clientSecret = "https://$envVaultName.vault.azure.net:443/secrets/AzureAd--ClientSecret"
+              serviceBus = "https://$envVaultName.vault.azure.net:443/secrets/Connectionstrings--ServiceBus"
+          }
+          endpoints = @{
+              lineorg = "https://fusion-s-lineorg-$fusionEnvironment.azurewebsites.net"
+              org = "https://fusion-s-org-$fusionEnvironment.azurewebsites.net"
+              people = "https://fusion-s-people-$fusionEnvironment.azurewebsites.net"
+              resources = "$resourcesFunctionUri"
+              notifications = "https://fusion-s-notification-$fusionEnvironment.azurewebsites.net"
+              context = "https://fusion-s-context-$fusionEnvironment.azurewebsites.net"
+              portal = "https://fusion-s-portal-$fusionEnvironment.azurewebsites.net"
+          }
+          resources = @{
+              fusion = "${{ parameters.fusionResource }}"
+          }
+          queues = @{
+              provisionPosition = "provision-position"
+          }
+      }
+     
+      New-AzResourceGroupDeployment -Mode Incremental -Name "resources-function" -ResourceGroupName $resourceGroup -TemplateFile  "${{ parameters.templateFile }}" `
+          -env-name $environment `
+          -settings $settings
+
+      $functionApp = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $functionAppName
+      Set-AzKeyVaultAccessPolicy -VaultName $envVaultName -ResourceGroupName $resourceGroup -ObjectId $functionApp.Identity.PrincipalId -PermissionsToSecrets get
+      
+      ## Load disabled functions
+      $disabledFunctionConfig = ConvertFrom-Json (Get-Content "${{ parameters.disabledFunctionsFile }}" -Raw)
+      $disabledFunctions = $disabledFunctionConfig | where -Property environment -eq $environment | Select -expandproperty disabledFunctions
+
+      Write-Host "Disabled functions"
+      $disabledFunctions
+
+      $settings = @{}
+      ForEach ($kvp in $functionApp.SiteConfig.AppSettings) {
+          $settings[$kvp.Name] = $kvp.Value
+      }
+
+      ## Mark functions as disabled
+      $disabledFunctions | ForEach-Object { $settings["AzureWebJobs.$_.Disabled"] = "true" }
+      
+      ## Update web app settings for function app
+      Set-AzWebApp -ResourceGroupName $resourceGroup -Name $functionAppName -AppSettings $settings
+

src/backend/Fusion.Resources.Authorization/Fusion.Resources.Authorization.csproj

@@ -13,7 +13,7 @@
     </Content>
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Fusion.Integration.Authorization" Version="6.10.6" />
+    <PackageReference Include="Fusion.Integration.Authorization" Version="7.0.4" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\api\Fusion.Resources.Database\Fusion.Resources.Database.csproj" />

src/backend/api/Fusion.Resources.Api/Controllers/AdminController.cs

@@ -1,4 +1,8 @@
-using Fusion.Resources.Domain;
+using Fusion.AspNetCore.FluentAuthorization;
+using Fusion.Authorization;
+using Fusion.Integration.Profile.Internal;
+using Fusion.Resources.Domain;
+using MediatR;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using System.Threading.Tasks;
@@ -12,22 +16,69 @@ public class AdminController : ResourceControllerBase
     {
 
         private readonly IOrgUnitCache orgUnitCache;
+        private readonly IMediator mediator;
 
-        public AdminController(IOrgUnitCache orgUnitCache)
+        public AdminController(IOrgUnitCache orgUnitCache, IMediator mediator)
         {
 
             this.orgUnitCache = orgUnitCache;
+            this.mediator = mediator;
         }
 
         [HttpGet("admin/cache/org-units")]
 
         public async Task<ActionResult> CleareCache()
         {
+            #region Authorization
+
+            var authResult = await Request.RequireAuthorizationAsync(r =>
+            {
+                r.AlwaysAccessWhen().FullControl().FullControlInternal();
+                r.AnyOf(or =>
+                {
+                    or.FullControl();
+                    or.FullControlInternal();
+                    or.BeTrustedApplication();
+                });
+            });
+
+            if (authResult.Unauthorized)
+                return authResult.CreateForbiddenResponse();
+
+            #endregion Authorization
+
             await orgUnitCache.ClearOrgUnitCacheAsync();
 
             return Ok();
         }
 
+
+        [HttpPost("admin/cache/reset-internal-cache")]
+        public async Task<ActionResult> ClearInternalCache()
+        {
+            #region Authorization
+
+            var authResult = await Request.RequireAuthorizationAsync(r =>
+            {
+                r.AlwaysAccessWhen().FullControl().FullControlInternal();
+                r.AnyOf(or =>
+                {
+                    or.FullControl();
+                    or.FullControlInternal();
+                    or.BeTrustedApplication();
+                });
+            });
+
+            if (authResult.Unauthorized)
+                return authResult.CreateForbiddenResponse();
+
+            #endregion Authorization
+
+            await mediator.Publish(new DistributedEvents.ResetCacheNotification());
+
+            return new OkObjectResult(new { message = "Cache reset has been queued for all instances."});
+        }
+
 
     }
 }

src/backend/api/Fusion.Resources.Api/Controllers/Departments/DepartmentsController.cs

@@ -166,7 +166,7 @@ public async Task<ActionResult<ApiDepartmentResponsible>> AddDelegatedResourceOw
                     UpdatedByAzureUniqueId = User.GetAzureUniqueId() ?? User.GetApplicationId()
                 }.WithReason(request.Reason);
 
-                await DispatchAsync(command);
+                await DispatchCommandAsync(command);
 
             }
             catch (RoleDelegationExistsError ex)

src/backend/api/Fusion.Resources.Api/Controllers/Person/PersonAbsenceController.cs

@@ -352,7 +352,7 @@ public async Task<ActionResult> DeletePersonAbsence([FromRoute] string personId,
             #endregion
 
 
-            await DispatchAsync(new DeletePersonAbsence(id, absenceId));
+            await DispatchCommandAsync(new DeletePersonAbsence(id, absenceId));
 
             return NoContent();
         }

src/backend/api/Fusion.Resources.Api/Controllers/Person/PersonController.cs

@@ -249,7 +249,7 @@ public async Task<ActionResult> DeletePersonalNote(string personId, Guid noteId)
             if (!notes.Any(n => n.Id == noteId))
                 return ApiErrors.NotFound("Could not locate note for user");
 
-            await DispatchAsync(new Domain.Commands.DeletePersonNote(noteId, user.azureId));
+            await DispatchCommandAsync(new Domain.Commands.DeletePersonNote(noteId, user.azureId));
 
             return NoContent();
         }

src/backend/api/Fusion.Resources.Api/Controllers/Personnel/InternalPersonnelController.cs

@@ -270,7 +270,7 @@ public async Task<ActionResult> ResetAllocationState(string fullDepartmentString
                 return ApiErrors.NotFound("Could not locate allocation on person");
 
 
-            await DispatchAsync(new Domain.Commands.ResetAllocationState(allocation.Project.OrgProjectId, allocation.PositionId, instanceId));
+            await DispatchCommandAsync(new Domain.Commands.ResetAllocationState(allocation.Project.OrgProjectId, allocation.PositionId, instanceId));
 
             return NoContent();
         }

src/backend/api/Fusion.Resources.Api/Controllers/Requests/InternalRequestsController.cs

@@ -109,6 +109,10 @@ public async Task<ActionResult<ApiResourceAllocationRequest>> CreateProjectAlloc
 
                 return Created($"/projects/{projectIdentifier}/requests/{newRequest!.RequestId}", new ApiResourceAllocationRequest(newRequest));
             }
+            catch (InvalidOperationException iv)
+            {
+                return ApiErrors.InvalidOperation(iv);
+            }
             catch (ValidationException ex)
             {
                 return ApiErrors.InvalidOperation(ex);
@@ -193,6 +197,10 @@ public async Task<ActionResult<ApiResourceAllocationRequest>> CreateProjectAlloc
                 // Using the requests for position endpoint as created ref.. This is not completely accurate as it could return more than those created. Best option though.
                 return Created($"/projects/{projectIdentifier}/positions/{request.OrgPositionId}/requests", requests.Select(x => new ApiResourceAllocationRequest(x)).ToList());
             }
+            catch (InvalidOperationException iv)
+            {
+                return ApiErrors.InvalidOperation(iv);
+            }
             catch (ValidationException ex)
             {
                 return ApiErrors.InvalidOperation(ex);
@@ -287,6 +295,10 @@ public async Task<ActionResult<ApiResourceAllocationRequest>> CreateResourceOwne
 
                 return Created($"/departments/{departmentPath}/resources/requests/{newRequest!.RequestId}", new ApiResourceAllocationRequest(newRequest));
             }
+            catch (InvalidOperationException iv)
+            {
+                return ApiErrors.InvalidOperation(iv);
+            }
             catch (ValidationException ex)
             {
                 return ApiErrors.InvalidOperation(ex);
@@ -363,6 +375,10 @@ public async Task<ActionResult<ApiResourceAllocationRequest>> PatchInternalReque
 
                 return new ApiResourceAllocationRequest(updatedRequest!);
             }
+            catch (InvalidOperationException iv)
+            {
+                return ApiErrors.InvalidOperation(iv);
+            }
             catch (ValidationException ve)
             {
                 return ApiErrors.InvalidOperation(ve);
@@ -770,7 +786,7 @@ public async Task<ActionResult<ApiResourceAllocationRequest>> StartProjectReques
 
                 await using var eventTransaction = await notificationClient.BeginTransactionAsync();
                 await using var transaction = await BeginTransactionAsync();
-                await DispatchAsync(new Logic.Commands.ResourceAllocationRequest.Initialize(requestId));
+                await DispatchCommandAsync(new Logic.Commands.ResourceAllocationRequest.Initialize(requestId));
                 await transaction.CommitAsync();
                 await eventTransaction.CommitAsync();
             }
@@ -817,7 +833,7 @@ public async Task<ActionResult<ApiResourceAllocationRequest>> StartResourceOwner
             {
                 await using var eventTransaction = await notificationClient.BeginTransactionAsync();
                 await using var transaction = await BeginTransactionAsync();
-                await DispatchAsync(new Logic.Commands.ResourceAllocationRequest.Initialize(requestId));
+                await DispatchCommandAsync(new Logic.Commands.ResourceAllocationRequest.Initialize(requestId));
                 await transaction.CommitAsync();
                 await eventTransaction.CommitAsync();
             }
@@ -865,7 +881,7 @@ public async Task<ActionResult> DeleteAllocationRequest(Guid requestId)
 
             await using var eventTransaction = await notificationClient.BeginTransactionAsync();
             await using var transaction = await BeginTransactionAsync();
-            await DispatchAsync(new DeleteInternalRequest(requestId));
+            await DispatchCommandAsync(new DeleteInternalRequest(requestId));
 
             await transaction.CommitAsync();
             await eventTransaction.CommitAsync();
@@ -905,7 +921,7 @@ public async Task<ActionResult<ApiResourceAllocationRequest>> ProvisionProjectAl
                 await using var eventTransaction = await notificationClient.BeginTransactionAsync();
                 await using var scope = await BeginTransactionAsync();
 
-                await DispatchAsync(new Logic.Commands.ResourceAllocationRequest.Provision(requestId)
+                await DispatchCommandAsync(new Logic.Commands.ResourceAllocationRequest.Provision(requestId)
                 {
                     ForceProvision = force
                 });
@@ -940,7 +956,7 @@ public async Task<ActionResult<ApiResourceAllocationRequest>> ApproveProjectAllo
 
             try
             {
-                await DispatchAsync(new Logic.Commands.ResourceAllocationRequest.Approve(requestId));
+                await DispatchCommandAsync(new Logic.Commands.ResourceAllocationRequest.Approve(requestId));
                 await scope.CommitAsync();
                 await eventTransaction.CommitAsync();
             }
@@ -979,7 +995,7 @@ public async Task<ActionResult<ApiResourceAllocationRequest>> ApproveProjectAllo
 
             try
             {
-                await DispatchAsync(new Logic.Commands.ResourceAllocationRequest.Approve(requestId));
+                await DispatchCommandAsync(new Logic.Commands.ResourceAllocationRequest.Approve(requestId));
                 await scope.CommitAsync();
                 await eventTransaction.CommitAsync();
             }
@@ -1265,7 +1281,7 @@ public async Task<ActionResult<ApiRequestComment>> UpdateRequestComment(Guid req
 
             #endregion Authorization
 
-            await DispatchAsync(new UpdateComment(commentId, update.Content));
+            await DispatchCommandAsync(new UpdateComment(commentId, update.Content));
 
             comment = await DispatchAsync(new GetRequestComment(commentId));
             return new ApiRequestComment(comment!);
@@ -1305,7 +1321,7 @@ public async Task<ActionResult> DeleteRequestComment(Guid requestId, Guid commen
 
             #endregion Authorization
 
-            await DispatchAsync(new DeleteComment(commentId));
+            await DispatchCommandAsync(new DeleteComment(commentId));
 
             return NoContent();
         }

src/backend/api/Fusion.Resources.Api/Controllers/ResourceControllerBase.cs

@@ -57,7 +57,7 @@ protected Task<IDbContextTransaction> BeginTransactionAsync()
             return scope.BeginTransactionAsync();
         }
 
-        protected Task DispatchAsync(IRequest command)
+        protected Task DispatchCommandAsync(IRequest command)
         {
             var mediator = HttpContext.RequestServices.GetRequiredService<IMediator>();
             return mediator.Send(command);

src/backend/api/Fusion.Resources.Api/Controllers/ResponsibilityMatrix/ResponsibilityMatrixController.cs

@@ -226,7 +226,7 @@ public async Task<ActionResult> DeleteResponsibilityMatrix(Guid matrixId)
             if (responsibilityMatrix == null)
                 return FusionApiError.NotFound(matrixId, "Could not locate responsibility matrix");
 
-            await DispatchAsync(new DeleteResponsibilityMatrix(matrixId));
+            await DispatchCommandAsync(new DeleteResponsibilityMatrix(matrixId));
 
             return NoContent();
         }