Updated old auth usage
HansDahle committed Nov 15, 2024
1 parent ac1053d commit 2b7247b
Showing 4 changed files with 48 additions and 41 deletions.
@@ -0,0 +1,41 @@
using Fusion.AspNetCore.FluentAuthorization;
using Fusion.Resources.Api.Authorization.Requirements;
using Fusion.Resources.Authorization.Requirements;

namespace Fusion.Resources
{
public static class IAuthorizationRequirementExtensions
{
public static IAuthorizationRequirementRule GlobalRoleAccess(this IAuthorizationRequirementRule builder, params string[] roles)
{
return builder.AddRule(new GlobalRoleRequirement(roles));
}
public static IAuthorizationRequirementRule AllGlobalRoleAccess(this IAuthorizationRequirementRule builder, params string[] roles)
{
return builder.AddRule(new GlobalRoleRequirement(GlobalRoleRequirement.RoleRequirement.All, roles));
}

/// <summary>
/// Require that the user is a resource owner.
/// The check uses the resource owner claims in the user profile.
/// </summary>
/// <remarks>
/// <para>
/// To include additional local adjustments a local claims transformer can be used to add new claims.
/// Type="http://schemas.fusion.equinor.com/identity/claims/resourceowner" value="MY DEP PATH"
/// </para>
/// <para>
/// The parents check will only work for the direct path. Other resource owners in sibling departments of a parent will not have access.
/// Ex. Check "L1 L2.1 L3.1 L4.1", owner in L2.1 L3.1, L2.1, L1 will have access, but ex. L2.2 will not have.
/// </para>
/// </remarks>
/// <param name="builder"></param>
/// <param name="includeParents">Should resource owners in any of the direct parent departments have access</param>
/// <param name="includeDescendants">Should anyone that is a resource owner in any of the sub departments have access</param>
public static IAuthorizationRequirementRule BeResourceOwnerForDepartment(this IAuthorizationRequirementRule builder, string department, bool includeParents = false, bool includeDescendants = false)
{
builder.AddRule(new BeResourceOwnerRequirement(department, includeParents, includeDescendants));
return builder;
}
}
}
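Review bot: `BeResourceOwnerForDepartment` documents `includeParents` and `includeDescendants` but not `department` (the copy it replaces documented that argument under the wrong name `departmentPath`, and the move dropped it entirely), and `<param name="builder">` is left empty; add `/// <param name="department">The full department path the user must be resource owner for</param>` and either fill or remove the empty builder tag. `GlobalRoleAccess` and `AllGlobalRoleAccess` carry no summary at all, although the only visible difference between them is the `GlobalRoleRequirement.RoleRequirement.All` argument; a reader of an authorization policy needs that distinction spelled out, e.g. `/// <summary>Require all of the given global roles.</summary>` on the second and, if the plain constructor really means any-of (not shown here), the matching any-of wording on the first. As a point of style, the two role helpers return `builder.AddRule(...)` directly while `BeResourceOwnerForDepartment` calls `AddRule` and then returns `builder`; the new file would read better with one of the two forms throughout.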
Expand Up @@ -3,7 +3,7 @@
using Fusion.Authorization;
using Microsoft.AspNetCore.Authorization;

namespace Fusion.Resources.Api.Authorization
namespace Fusion.Resources.Api.Authorization.Requirements
{
public class GlobalRoleRequirement : FusionAuthorizationRequirement, IAuthorizationHandler
{
Expand Up @@ -38,14 +38,6 @@ public static IAuthorizationRequirementRule FullControlExternal(this IAuthorizat
return builder;
}

public static IAuthorizationRequirementRule GlobalRoleAccess(this IAuthorizationRequirementRule builder, params string[] roles)
{
return builder.AddRule(new GlobalRoleRequirement(roles));
}
public static IAuthorizationRequirementRule AllGlobalRoleAccess(this IAuthorizationRequirementRule builder, params string[] roles)
{
return builder.AddRule(new GlobalRoleRequirement(GlobalRoleRequirement.RoleRequirement.All, roles));
}
public static IAuthorizationRequirementRule OrgChartPositionWriteAccess(this IAuthorizationRequirementRule builder, Guid orgProjectId, Guid orgPositionId)
{
return builder.AddRule(OrgPositionAccessRequirement.OrgPositionWrite(orgProjectId, orgPositionId));
Expand All @@ -72,30 +64,6 @@ public static IAuthorizationRequirementRule RequireConversationForResourceOwner(
return builder.AddRule(new AssertionRequirement(_ => recipient == QueryMessageRecipient.ResourceOwner));
}

/// <summary>
/// Require that the user is a resource owner.
/// The check uses the resource owner claims in the user profile.
/// </summary>
/// <remarks>
/// <para>
/// To include additional local adjustments a local claims transformer can be used to add new claims.
/// Type="http://schemas.fusion.equinor.com/identity/claims/resourceowner" value="MY DEP PATH"
/// </para>
/// <para>
/// The parents check will only work for the direct path. Other resource owners in sibling departments of a parent will not have access.
/// Ex. Check "L1 L2.1 L3.1 L4.1", owner in L2.1 L3.1, L2.1, L1 will have access, but ex. L2.2 will not have.
/// </para>
/// </remarks>
/// <param name="builder"></param>
/// <param name="departmentPath">The full department path</param>
/// <param name="includeParents">Should resource owners in any of the direct parent departments have access</param>
/// <param name="includeDescendants">Should anyone that is a resource owner in any of the sub departments have access</param>
public static IAuthorizationRequirementRule BeResourceOwnerForDepartment(this IAuthorizationRequirementRule builder, string department, bool includeParents = false, bool includeDescendants = false)
{
builder.AddRule(new BeResourceOwnerRequirement(department, includeParents, includeDescendants));
return builder;
}

/// <summary>
/// Requires the user to be resource owner for any department
/// </summary>
Expand Up @@ -6,11 +6,9 @@
using Fusion.Resources.Database.Entities;
using Fusion.Resources.Domain;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Http;
using System;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;

Expand All @@ -36,8 +34,8 @@ protected async Task CheckAccess(DbResourceAllocationRequest request, WorkflowAc
builder.AlwaysAccessWhen(or =>
{
or.BeTrustedApplication();
or.AddRule(new AssertionRequirement(ctx => ctx.User.IsInRole("Fusion.Resources.FullControl")));
or.AddRule(new AssertionRequirement(ctx => ctx.User.IsInRole("Fusion.Resources.Internal.FullControl")));
or.GlobalRoleAccess("Fusion.Resources.FullControl");
or.GlobalRoleAccess("Fusion.Resources.Internal.FullControl");
});

builder.AnyOf(or =>
Expand All @@ -47,17 +45,17 @@ protected async Task CheckAccess(DbResourceAllocationRequest request, WorkflowAc
var path = new DepartmentPath(request.AssignedDepartment);

if (row.IsAllResourceOwnersAllowed)
or.BeResourceOwner(path.GoToLevel(2), includeDescendants: true);
or.BeResourceOwnerForDepartment(path.GoToLevel(2), includeDescendants: true);

if (row.IsParentResourceOwnerAllowed)
or.BeResourceOwner(path.Parent(), includeDescendants: false);
or.BeResourceOwnerForDepartment(path.Parent(), includeDescendants: false);

if (row.IsSiblingResourceOwnerAllowed)
or.BeResourceOwner(path.Parent(), includeDescendants: true);
or.BeResourceOwnerForDepartment(path.Parent(), includeDescendants: true);

if (row.IsResourceOwnerAllowed)
{
or.BeResourceOwner(request.AssignedDepartment, includeDescendants: false);
or.BeResourceOwnerForDepartment(request.AssignedDepartment, includeDescendants: false);
or.HaveOrgUnitScopedRole(DepartmentId.FromFullPath(request.AssignedDepartment), AccessRoles.ResourceOwner);
}
}
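Review bot: The `AlwaysAccessWhen` block now grants full control through `or.GlobalRoleAccess("Fusion.Resources.FullControl")` where it previously asserted `ctx.User.IsInRole(...)` on the principal, and nothing in this hunk shows that `GlobalRoleRequirement` resolves roles from the same source as the principal's role claims; if the sources differ, the set of callers that short-circuit this access check changes, which is more than the "updated old auth usage" title suggests. I would pin the equivalence with a test that a principal holding only the `Fusion.Resources.FullControl` role claim still passes, and note the intent at the call site: `// GlobalRoleAccess must grant on the same role source as the former ctx.User.IsInRole(...) check`. The second hunk's switch from `BeResourceOwner` to `BeResourceOwnerForDepartment` keeps the same arguments and the `includeParents` default, so that part reads as a pure rename. `CheckAccess` starts and ends outside the hunks.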

0 comments on commit 2b7247b

Please sign in to comment.