diff --git a/src/BuildingBlocks/Shared/CustomTypes/AuthorizationPolicy.cs b/src/BuildingBlocks/Shared/CustomTypes/AuthorizationPolicy.cs
new file mode 100644
index 0000000..07db1d4
--- /dev/null
+++ b/src/BuildingBlocks/Shared/CustomTypes/AuthorizationPolicy.cs
@@ -0,0 +1,9 @@
+namespace Shared.CustomTypes;
+
+public struct AuthorizationPolicy
+{
+ public const string ADMIN_ACCESS = nameof(ADMIN_ACCESS);
+ public const string MEMBER_ACCESS = nameof(MEMBER_ACCESS);
+
+ public const string ADMIN_MEMBER_ACCESS = nameof(ADMIN_MEMBER_ACCESS);
+}
\ No newline at end of file
diff --git a/src/MasterData/MasterData.Api/Extensions.cs b/src/MasterData/MasterData.Api/Extensions.cs
index e5c2892..8a5d795 100644
--- a/src/MasterData/MasterData.Api/Extensions.cs
+++ b/src/MasterData/MasterData.Api/Extensions.cs
@@ -12,7 +12,6 @@
 using MassTransit;
 using MasterData.Api.Options;
 using MasterData.Boundaries.Grpc;
-using MasterData.Common.Constants;
 using MasterData.Data;
 using MasterData.IntegrationEvents.Consumers;
 using MediatR;
@@ -74,9 +73,9 @@ public static WebApplication ConfigurePipeline(this WebApplication app)
 .UseEndpoints(endpoints =>
 {
 endpoints.MapGrpcService();
-
+
 endpoints.MapGraphQL();
-
+
 endpoints
 .MapBananaCakePop()
 .WithOptions(new GraphQLToolOptions
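Review bot: `AuthorizationPolicy` in the new Shared.CustomTypes file is declared as a `struct` although it only carries `const` members, so it can be instantiated and passed around as a meaningless value; the PersonalData and Portal versions this commit deletes were `static class`. Prefer `public static class AuthorizationPolicy`. Each constant would also benefit from a `/// <summary>` stating which roles it is meant to admit, e.g. `/// <summary>Satisfied by the admin or super-user role.</summary>` on ADMIN_ACCESS, since the names alone do not say that ADMIN_MEMBER_ACCESS is a superset of MEMBER_ACCESS.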
@@ -286,12 +285,23 @@ private static IServiceCollection AddAuthentication(this IServiceCollection serv

 services.AddAuthorization(o =>
 {
- o.AddPolicy(AuthorizationPolicy.ADMIN,
+ o.AddPolicy(AuthorizationPolicy.ADMIN_ACCESS,
 policy =>
 {
 policy.RequireAssertion(c => c.User.IsInRole(Roles.ADMIN_ROLE_NAME)
 || c.User.IsInRole(Roles.SUPER_USER_ROLE_NAME));
 });
+
+ o.AddPolicy(AuthorizationPolicy.MEMBER_ACCESS,
+ policy => { policy.RequireAssertion(c => c.User.IsInRole(Roles.MEMBER_ROLE_NAME)); });
+
+ o.AddPolicy(AuthorizationPolicy.ADMIN_MEMBER_ACCESS,
+ policy =>
+ {
+ policy.RequireAssertion(c => c.User.IsInRole(Roles.ADMIN_ROLE_NAME)
+ || c.User.IsInRole(Roles.SUPER_USER_ROLE_NAME)
+ || c.User.IsInRole(Roles.MEMBER_ROLE_NAME));
+ });
 });

 services
diff --git a/src/MasterData/MasterData.Api/appsettings.json b/src/MasterData/MasterData.Api/appsettings.json
index 8929080..8f13e8b 100644
--- a/src/MasterData/MasterData.Api/appsettings.json
+++ b/src/MasterData/MasterData.Api/appsettings.json
@@ -61,7 +61,7 @@
 }
 },
 "Redis": {
- "Enabled": false,
+ "Enabled": true,
 "Configuration": "localhost:6379",
 "InstanceName": "Promag_",
 "SlidingExpirationInSecond": 3600
diff --git a/src/MasterData/MasterData/Boundaries/GraphQl/Query.cs b/src/MasterData/MasterData/Boundaries/GraphQl/Query.cs
index cf82732..aad5e7d 100644
--- a/src/MasterData/MasterData/Boundaries/GraphQl/Query.cs
+++ b/src/MasterData/MasterData/Boundaries/GraphQl/Query.cs
@@ -7,7 +7,6 @@
 using MasterData.Boundaries.GraphQl.Dtos;
 using MasterData.Boundaries.GraphQl.Filters;
 using MasterData.Boundaries.GraphQl.ObjectTypes;
-using MasterData.Common.Constants;
 using MasterData.UseCases.Queries;
 using MediatR;
 using Microsoft.Extensions.Caching.Distributed;
@@ -15,6 +14,7 @@
 using Promag.Protobuf.Commons.V1;
 using Shared;
 using Shared.Caching;
+using Shared.CustomTypes;
 using Shared.Serialization;

 namespace MasterData.Boundaries.GraphQl;
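Review bot: The three policies registered here are duplicated verbatim in PersonalData.Api/Extensions.cs and Portal.Api/Extensions.cs, so the role sets can drift between services even though the policy names now live in the shared `AuthorizationPolicy` type; moving the registration into one shared extension called from each service's `AddAuthentication` would keep a single definition. The role checks can also use the built-in any-of helper instead of a lambda, `policy.RequireRole(Roles.ADMIN_ROLE_NAME, Roles.SUPER_USER_ROLE_NAME)` and `policy.RequireRole(Roles.ADMIN_ROLE_NAME, Roles.SUPER_USER_ROLE_NAME, Roles.MEMBER_ROLE_NAME)`, which reads as policy rather than code. `MEMBER_ACCESS` is registered but no `[Authorize]` in this commit references it; if it has no consumer yet, a short comment saying so would save the next reader a search. `AddAuthentication` starts and ends outside the hunk.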
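Review bot: Flipping `"Enabled": true` in the base appsettings.json makes a Redis at `localhost:6379` a startup dependency for every environment that does not override the `Redis` section, and the visible `Configuration` value carries no credentials or TLS options, which suits a local box but not a shared deployment. Consider keeping `false` here and enabling it in an environment-specific settings file or environment variable; the same change is made in PersonalData.Api/appsettings.json.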
@@ -23,14 +23,14 @@ namespace MasterData.Boundaries.GraphQl;
 [SuppressMessage("ReSharper", "ClassNeverInstantiated.Global")]
 public class Query
 {
- [GraphQLName("Ping")]
+ [GraphQLName("MasterDataPing")]
 public async Task Ping([Service] ISender mediator)
 {
 return await mediator.Send(new PingQuery());
 }

 [GraphQLName("Countries")]
- [Authorize(AuthorizationPolicy.ADMIN)]
+ [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
 public async Task> GetCountries(
 [Service] ISender mediator,
 [Service] IDistributedCache distributedCache,
@@ -46,7 +46,7 @@ public async Task> GetCountries(
 }

 [GraphQLName("Languages")]
- [Authorize(AuthorizationPolicy.ADMIN)]
+ [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
 public async Task> GetLanguages(
 [Service] ISender mediator,
 [Service] IDistributedCache distributedCache,
@@ -62,7 +62,7 @@ public async Task> GetLanguages(
 }

 [GraphQLName("Timezones")]
- [Authorize(AuthorizationPolicy.ADMIN)]
+ [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
 public async Task> GetTimeZones(
 [Service] ISender mediator,
 [Service] IDistributedCache distributedCache,
@@ -78,7 +78,7 @@ public async Task> GetTimeZones(
 }

 [GraphQLName("Currencies")]
- [Authorize(AuthorizationPolicy.ADMIN)]
+ [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
 public async Task> GetCurrencies(
 [Service] ISender mediator,
 [Service] IDistributedCache distributedCache,
@@ -96,7 +96,7 @@ public async Task> GetCurrencies(
 [GraphQLName("ActivityLogs")]
 [UseOffsetPaging(typeof(ActivityLogType))]
 [UseFiltering(typeof(ActivityLogFilterInputType))]
- [Authorize(AuthorizationPolicy.ADMIN)]
+ [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
 public async Task> GetActivityLogs([Service] ISender mediator)
 {
 return await mediator.Send(new GetActivityLogsQuery());
@@ -104,7 +104,7 @@ public async Task> GetActivityLogs([Service] ISender

 [GraphQLName("ActivityLog")]
 [GraphQLType(typeof(ActivityLogType))]
- [Authorize(AuthorizationPolicy.ADMIN)]
+ [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
 public async Task GetActivityLogById(Guid id, [Service] ISender mediator)
 {
 return await mediator.Send(new GetActivityLogByIdQuery(id));
diff --git a/src/MasterData/MasterData/Common/Constants/AuthorizationPolicy.cs b/src/MasterData/MasterData/Common/Constants/AuthorizationPolicy.cs
deleted file mode 100644
index 46907bb..0000000
--- a/src/MasterData/MasterData/Common/Constants/AuthorizationPolicy.cs
+++ /dev/null
@@ -1,6 +0,0 @@
-namespace MasterData.Common.Constants;
-
-public struct AuthorizationPolicy
-{
- public const string ADMIN = nameof(ADMIN);
-}
\ No newline at end of file
diff --git a/src/PersonalData/PersonalData.Api/Extensions.cs b/src/PersonalData/PersonalData.Api/Extensions.cs
index e97faa6..0fdd803 100644
--- a/src/PersonalData/PersonalData.Api/Extensions.cs
+++ b/src/PersonalData/PersonalData.Api/Extensions.cs
@@ -21,7 +21,6 @@
 using OpenTelemetry.Trace;
 using PersonalData.Api.Options;
 using PersonalData.Boundaries.Grpc;
-using PersonalData.Common.Constants;
 using PersonalData.Data;
 using PersonalData.Data.Audit;
 using PersonalData.Data.Filters;
@@ -315,38 +314,23 @@ private static IServiceCollection AddAuthentication(this IServiceCollection serv

 services.AddAuthorization(o =>
 {
- o.AddPolicy(AuthorizationPolicy.CAN_VIEW_USER, policy =>
- {
- policy.RequireAssertion(ctx => ctx.User
- .HasClaim(claim =>
- claim is { Type: Permissions.PERMISSION_CLAIM_TYPE, Value: Permissions.USER_VIEW or Permissions.USER_FULL }
- )
- );
- });
- o.AddPolicy(AuthorizationPolicy.CAN_EDIT_USER, policy =>
- {
- policy.RequireAssertion(ctx => ctx.User
- .HasClaim(claim =>
- claim is { Type: Permissions.PERMISSION_CLAIM_TYPE, Value: Permissions.USER_CREATE or Permissions.USER_FULL }
- )
- );
- });
- o.AddPolicy(AuthorizationPolicy.CAN_VIEW_ROLE, policy =>
- {
- policy.RequireAssertion(ctx => ctx.User
- .HasClaim(claim =>
- claim is { Type: Permissions.PERMISSION_CLAIM_TYPE, Value: Permissions.ROLE_VIEW or Permissions.ROLE_FULL }
- )
- );
- });
- o.AddPolicy(AuthorizationPolicy.CAN_EDIT_ROLE, policy =>
- {
- policy.RequireAssertion(ctx => ctx.User
- .HasClaim(claim =>
- claim is { Type: Permissions.PERMISSION_CLAIM_TYPE, Value: Permissions.ROLE_CREATE or Permissions.ROLE_FULL }
- )
- );
- });
+ o.AddPolicy(AuthorizationPolicy.ADMIN_ACCESS,
+ policy =>
+ {
+ policy.RequireAssertion(c => c.User.IsInRole(Roles.ADMIN_ROLE_NAME)
+ || c.User.IsInRole(Roles.SUPER_USER_ROLE_NAME));
+ });
+
+ o.AddPolicy(AuthorizationPolicy.MEMBER_ACCESS,
+ policy => { policy.RequireAssertion(c => c.User.IsInRole(Roles.MEMBER_ROLE_NAME)); });
+
+ o.AddPolicy(AuthorizationPolicy.ADMIN_MEMBER_ACCESS,
+ policy =>
+ {
+ policy.RequireAssertion(c => c.User.IsInRole(Roles.ADMIN_ROLE_NAME)
+ || c.User.IsInRole(Roles.SUPER_USER_ROLE_NAME)
+ || c.User.IsInRole(Roles.MEMBER_ROLE_NAME));
+ });
 });

 services
diff --git a/src/PersonalData/PersonalData.Api/appsettings.json b/src/PersonalData/PersonalData.Api/appsettings.json
index a4781b9..1f570ef 100644
--- a/src/PersonalData/PersonalData.Api/appsettings.json
+++ b/src/PersonalData/PersonalData.Api/appsettings.json
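Review bot: The removed policies checked a `Permissions.PERMISSION_CLAIM_TYPE` claim (USER_VIEW/USER_FULL, ROLE_CREATE/ROLE_FULL, …) while the replacements only check role membership, so per-role permissions stop mattering at this boundary: any admin or super user satisfies `ADMIN_ACCESS` regardless of which permissions their role was granted, and `UpdateRolePermissions` in Mutation.cs can still edit permissions that nothing here evaluates any more. If that is intended, a comment on `services.AddAuthorization` (or the commit message) should state that permission claims are no longer enforced in PersonalData, or where they are enforced instead; if not, the role check can be combined with the claim check on the same builder, e.g. `policy.RequireRole(Roles.ADMIN_ROLE_NAME, Roles.SUPER_USER_ROLE_NAME);` followed by `policy.RequireClaim(Permissions.PERMISSION_CLAIM_TYPE, Permissions.ROLE_CREATE, Permissions.ROLE_FULL);` for the fields that need it. Portal.Api/Extensions.cs drops its claim-based `CAN_VIEW_PORTAL_DATA` policy the same way. `AddAuthentication` starts and ends outside the hunk.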
@@ -75,7 +75,7 @@
 }
 },
 "Redis": {
- "Enabled": false,
+ "Enabled": true,
 "Configuration": "localhost:6379",
 "InstanceName": "Promag",
 "SlidingExpirationInSecond": 3600
diff --git a/src/PersonalData/PersonalData/Boundaries/GraphQl/Mutation.cs b/src/PersonalData/PersonalData/Boundaries/GraphQl/Mutation.cs
index feba5fe..7987fe7 100644
--- a/src/PersonalData/PersonalData/Boundaries/GraphQl/Mutation.cs
+++ b/src/PersonalData/PersonalData/Boundaries/GraphQl/Mutation.cs
@@ -6,18 +6,18 @@
 using PersonalData.Boundaries.GraphQl.Dtos;
 using PersonalData.Boundaries.GraphQl.InputObjectTypes;
 using PersonalData.Boundaries.GraphQl.ObjectTypes;
-using PersonalData.Common.Constants;
 using PersonalData.UseCases.Commands;
 using PersonalData.UseCases.Responses;
 using Shared;
 using Shared.Caching;
+using Shared.CustomTypes;

 namespace PersonalData.Boundaries.GraphQl;

 public class Mutation
 {
 [GraphQLType(typeof(PersonType))]
- [Authorize(AuthorizationPolicy.CAN_EDIT_ROLE)]
+ [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
 public async Task EditUser(
 [GraphQLType(typeof(EditUserInputType))]
 EditUserCommand editUserInput,
@@ -37,7 +37,7 @@ public async Task EditUser(
 }

 [GraphQLType(typeof(InviteUserResponseType))]
- [Authorize(AuthorizationPolicy.CAN_EDIT_ROLE)]
+ [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
 public async Task InviteUser(
 [GraphQLType(typeof(InviteUserInputType))]
 InviteUserCommand inviteUserInput,
@@ -46,7 +46,7 @@ public async Task InviteUser(
 return await mediator.Send(inviteUserInput);
 }

- [Authorize(AuthorizationPolicy.CAN_EDIT_ROLE)]
+ [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
 public async Task UnlockUser(
 [GraphQLType(typeof(UnlockUserInputType))]
 UnlockUserCommand unlockUserInput,
@@ -65,7 +65,7 @@ public async Task UnlockUser(
 return result;
 }

- [Authorize(AuthorizationPolicy.CAN_EDIT_ROLE)]
+ [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
 public async Task LockUser(
 [GraphQLType(typeof(LockUserInputType))]
 LockUserCommand lockUserInput,
@@ -84,7 +84,7 @@ public async Task LockUser(
 return result;
 }

- [Authorize(AuthorizationPolicy.CAN_EDIT_ROLE)]
+ [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
 public async Task UpdateRolePermissions(UpdateRolePermissionsCommand updatePermissionsInput, [Service] ISender mediator)
 {
 return await mediator.Send(updatePermissionsInput);
diff --git a/src/PersonalData/PersonalData/Boundaries/GraphQl/Query.cs b/src/PersonalData/PersonalData/Boundaries/GraphQl/Query.cs
index d764e55..fe16892 100644
--- a/src/PersonalData/PersonalData/Boundaries/GraphQl/Query.cs
+++ b/src/PersonalData/PersonalData/Boundaries/GraphQl/Query.cs
@@ -12,23 +12,29 @@
 using PersonalData.Boundaries.GraphQl.Dtos;
 using PersonalData.Boundaries.GraphQl.Filters;
 using PersonalData.Boundaries.GraphQl.ObjectTypes;
-using PersonalData.Common.Constants;
-using PersonalData.Common.Enums;
 using PersonalData.Services;
 using PersonalData.UseCases.Queries;
+using Promag.Protobuf.Commons.V1;
 using Promag.Protobuf.Identity.V1;
 using Shared;
 using Shared.Caching;
 using Shared.CustomTypes;
+using UserType = PersonalData.Common.Enums.UserType;

 namespace PersonalData.Boundaries.GraphQl;

 public class Query
 {
+ [GraphQLName("PersonalDataPing")]
+ public async Task Ping([Service] ISender mediator)
+ {
+ return await mediator.Send(new PingQuery());
+ }
+
 [GraphQLName("Users")]
 [UseOffsetPaging(typeof(PersonType))]
 [UseFiltering(typeof(PersonFilterType))]
- [Authorize(AuthorizationPolicy.CAN_VIEW_USER)]
+ [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
 public async Task> GetUsers([Service] IMediator mediator)
 {
 return await mediator.Send(new GetPeopleQuery(UserType.User));
@@ -36,7 +42,7 @@ public async Task> GetUsers([Service] IMediator mediator)

 [GraphQLName("Person")]
 [GraphQLType(typeof(PersonType))]
- [Authorize(AuthorizationPolicy.CAN_VIEW_USER)]
+ [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
 public async Task GetPersonById(
 Guid personId,
 [Service] ISender mediator,
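Review bot: `Users` moves from the `CAN_VIEW_USER` permission to `ADMIN_MEMBER_ACCESS`, so every holder of `Roles.MEMBER_ROLE_NAME` can now page and filter the full person list, and the `Person`, `Roles`, `Role` and `Permissions` fields in the following hunks are widened the same way; only `Me` is naturally scoped to the caller. If members are meant to see only themselves, `Users` and `Person` should stay on `ADMIN_ACCESS`, or `GetPersonById` should compare `personId` with the caller's own identity, which is not visible in this hunk. The new `PersonalDataPing` field has no `[Authorize]`, matching `MasterDataPing` and `PortalPing`; a one-line comment such as `// Anonymous liveness probe; intentionally unauthenticated.` would stop it looking like an omission. `GetPersonById`'s body continues outside the hunk.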
@@ -75,7 +81,7 @@ public async Task> GetUsers([Service] IMediator mediator)

 [GraphQLName("Me")]
 [GraphQLType(typeof(PersonType))]
- [Authorize(AuthorizationPolicy.CAN_VIEW_USER)]
+ [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
 public async Task GetMyProfile(
 [Service] IHttpContextAccessor contextAccessor,
 [Service] ISender mediator)
@@ -94,7 +100,7 @@ public async Task> GetUsers([Service] IMediator mediator)

 [GraphQLName("Roles")]
 [GraphQLType(typeof(ListType))]
- [Authorize(AuthorizationPolicy.CAN_VIEW_ROLE)]
+ [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
 public async Task> GetRoles(
 [Service] IHttpContextAccessor contextAccessor,
 [Service] IIdentityService identityService)
@@ -119,7 +125,7 @@ superRole is not null &&

 [GraphQLName("Role")]
 [GraphQLType(typeof(RoleType))]
- [Authorize(AuthorizationPolicy.CAN_VIEW_ROLE)]
+ [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
 public async Task GetRoleById(
 Guid roleId,
 [Service] IIdentityService identityService)
@@ -131,7 +137,7 @@ superRole is not null &&

 [GraphQLName("Permissions")]
 [GraphQLType(typeof(ListType))]
- [Authorize(AuthorizationPolicy.CAN_VIEW_ROLE)]
+ [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
 public async Task> GetRolePermissions(
 Guid roleId,
 [Service] ISender mediator)
diff --git a/src/PersonalData/PersonalData/Common/Constants/AuthorizationPolicy.cs b/src/PersonalData/PersonalData/Common/Constants/AuthorizationPolicy.cs
deleted file mode 100644
index bf06191..0000000
--- a/src/PersonalData/PersonalData/Common/Constants/AuthorizationPolicy.cs
+++ /dev/null
@@ -1,9 +0,0 @@
-namespace PersonalData.Common.Constants;
-
-public static class AuthorizationPolicy
-{
- public const string CAN_VIEW_USER = "CanViewUser";
- public const string CAN_EDIT_USER = "CanEditUser";
- public const string CAN_VIEW_ROLE = "CanViewRole";
- public const string CAN_EDIT_ROLE = "CanEditRole";
-}
\ No newline at end of file
diff --git a/src/Portal/Portal.Api/Extensions.cs b/src/Portal/Portal.Api/Extensions.cs
index 03b9e93..31a81d5 100644
--- a/src/Portal/Portal.Api/Extensions.cs
+++ b/src/Portal/Portal.Api/Extensions.cs
@@ -21,7 +21,6 @@
 using OpenTelemetry.Trace;
 using Portal.Api.Options;
 using Portal.Boundaries.Grpc;
-using Portal.Common.Constants;
 using Portal.Data;
 using Portal.Data.Audit;
 using Promag.Protobuf.MasterData.V1;
@@ -294,14 +293,23 @@ private static IServiceCollection AddAuthentication(this IServiceCollection serv

 services.AddAuthorization(o =>
 {
- o.AddPolicy(AuthorizationPolicy.CAN_VIEW_PORTAL_DATA, policy =>
- {
- policy.RequireAssertion(ctx => ctx.User
- .HasClaim(claim =>
- claim is { Type: Permissions.PERMISSION_CLAIM_TYPE, Value: Permissions.USER_VIEW or Permissions.USER_FULL }
- )
- );
- });
+ o.AddPolicy(AuthorizationPolicy.ADMIN_ACCESS,
+ policy =>
+ {
+ policy.RequireAssertion(c => c.User.IsInRole(Roles.ADMIN_ROLE_NAME)
+ || c.User.IsInRole(Roles.SUPER_USER_ROLE_NAME));
+ });
+
+ o.AddPolicy(AuthorizationPolicy.MEMBER_ACCESS,
+ policy => { policy.RequireAssertion(c => c.User.IsInRole(Roles.MEMBER_ROLE_NAME)); });
+
+ o.AddPolicy(AuthorizationPolicy.ADMIN_MEMBER_ACCESS,
+ policy =>
+ {
+ policy.RequireAssertion(c => c.User.IsInRole(Roles.ADMIN_ROLE_NAME)
+ || c.User.IsInRole(Roles.SUPER_USER_ROLE_NAME)
+ || c.User.IsInRole(Roles.MEMBER_ROLE_NAME));
+ });
 });

 services
diff --git a/src/Portal/Portal/Boundaries/GraphQL/Query.cs b/src/Portal/Portal/Boundaries/GraphQL/Query.cs
index fca3655..58696d9 100644
--- a/src/Portal/Portal/Boundaries/GraphQL/Query.cs
+++ b/src/Portal/Portal/Boundaries/GraphQL/Query.cs
@@ -7,7 +7,7 @@ namespace Portal.Boundaries.GraphQL;

 public class Query
 {
- [GraphQLName("Ping")]
+ [GraphQLName("PortalPing")]
 public async Task Ping([Service] ISender mediator)
 {
 return await mediator.Send(new PingQuery());
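Review bot: Portal now registers `ADMIN_ACCESS`, `MEMBER_ACCESS` and `ADMIN_MEMBER_ACCESS`, but the only Portal GraphQL change in this commit is the `Ping` rename and no Portal field in the diff carries an `[Authorize]` for any of them, while the one policy Portal previously defined (`CAN_VIEW_PORTAL_DATA`) is deleted. Registering a policy enforces nothing by itself, so it is worth confirming that Portal's data fields are annotated with one of the new policies, or that `o.FallbackPolicy` is set, rather than being left anonymous after the removal; a comment on `services.AddAuthorization` naming where these policies are applied would make that visible. `AddAuthentication` starts and ends outside the hunk.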
diff --git a/src/Portal/Portal/Common/Constants/AuthorizationPolicy.cs b/src/Portal/Portal/Common/Constants/AuthorizationPolicy.cs
deleted file mode 100644
index 761e067..0000000
--- a/src/Portal/Portal/Common/Constants/AuthorizationPolicy.cs
+++ /dev/null
@@ -1,6 +0,0 @@
-namespace Portal.Common.Constants;
-
-public static class AuthorizationPolicy
-{
- public const string CAN_VIEW_PORTAL_DATA = "CanViewPortalData";
-}
\ No newline at end of file