fix: move Authorization Policy to Shared and update policy of services

src/BuildingBlocks/Shared/CustomTypes/AuthorizationPolicy.cs

@@ -0,0 +1,9 @@
+namespace Shared.CustomTypes;
+
+public struct AuthorizationPolicy
+{
+    public const string ADMIN_ACCESS = nameof(ADMIN_ACCESS);
+    public const string MEMBER_ACCESS = nameof(MEMBER_ACCESS);
+
+    public const string ADMIN_MEMBER_ACCESS = nameof(ADMIN_MEMBER_ACCESS);
+}

src/MasterData/MasterData.Api/Extensions.cs

@@ -12,7 +12,6 @@
 using MassTransit;
 using MasterData.Api.Options;
 using MasterData.Boundaries.Grpc;
-using MasterData.Common.Constants;
 using MasterData.Data;
 using MasterData.IntegrationEvents.Consumers;
 using MediatR;
@@ -74,9 +73,9 @@ public static WebApplication ConfigurePipeline(this WebApplication app)
             .UseEndpoints(endpoints =>
                 {
                     endpoints.MapGrpcService<MasterDataService>();
-                    
+
                     endpoints.MapGraphQL();
-                    
+
                     endpoints
                         .MapBananaCakePop()
                         .WithOptions(new GraphQLToolOptions
@@ -286,12 +285,23 @@ private static IServiceCollection AddAuthentication(this IServiceCollection serv
 
         services.AddAuthorization(o =>
         {
-            o.AddPolicy(AuthorizationPolicy.ADMIN,
+            o.AddPolicy(AuthorizationPolicy.ADMIN_ACCESS,
                 policy =>
                 {
                     policy.RequireAssertion(c => c.User.IsInRole(Roles.ADMIN_ROLE_NAME)
                                                  || c.User.IsInRole(Roles.SUPER_USER_ROLE_NAME));
                 });
+
+            o.AddPolicy(AuthorizationPolicy.MEMBER_ACCESS,
+                policy => { policy.RequireAssertion(c => c.User.IsInRole(Roles.MEMBER_ROLE_NAME)); });
+
+            o.AddPolicy(AuthorizationPolicy.ADMIN_MEMBER_ACCESS,
+                policy =>
+                {
+                    policy.RequireAssertion(c => c.User.IsInRole(Roles.ADMIN_ROLE_NAME)
+                                                 || c.User.IsInRole(Roles.SUPER_USER_ROLE_NAME)
+                                                 || c.User.IsInRole(Roles.MEMBER_ROLE_NAME));
+                });
         });
 
         services

src/MasterData/MasterData.Api/appsettings.json

@@ -61,7 +61,7 @@
     }
   },
   "Redis": {
-    "Enabled": false,
+    "Enabled": true,
     "Configuration": "localhost:6379",
     "InstanceName": "Promag_",
     "SlidingExpirationInSecond": 3600

src/MasterData/MasterData/Boundaries/GraphQl/Query.cs

@@ -7,14 +7,14 @@
 using MasterData.Boundaries.GraphQl.Dtos;
 using MasterData.Boundaries.GraphQl.Filters;
 using MasterData.Boundaries.GraphQl.ObjectTypes;
-using MasterData.Common.Constants;
 using MasterData.UseCases.Queries;
 using MediatR;
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Configuration;
 using Promag.Protobuf.Commons.V1;
 using Shared;
 using Shared.Caching;
+using Shared.CustomTypes;
 using Shared.Serialization;
 
 namespace MasterData.Boundaries.GraphQl;
@@ -23,14 +23,14 @@ namespace MasterData.Boundaries.GraphQl;
 [SuppressMessage("ReSharper", "ClassNeverInstantiated.Global")]
 public class Query
 {
-    [GraphQLName("Ping")]
+    [GraphQLName("MasterDataPing")]
     public async Task<PongReply> Ping([Service] ISender mediator)
     {
         return await mediator.Send(new PingQuery());
     }
 
     [GraphQLName("Countries")]
-    [Authorize(AuthorizationPolicy.ADMIN)]
+    [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
     public async Task<IList<CountryDto>> GetCountries(
         [Service] ISender mediator,
         [Service] IDistributedCache distributedCache,
@@ -46,7 +46,7 @@ public async Task<IList<CountryDto>> GetCountries(
     }
 
     [GraphQLName("Languages")]
-    [Authorize(AuthorizationPolicy.ADMIN)]
+    [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
     public async Task<IList<LanguageDto>> GetLanguages(
         [Service] ISender mediator,
         [Service] IDistributedCache distributedCache,
@@ -62,7 +62,7 @@ public async Task<IList<LanguageDto>> GetLanguages(
     }
 
     [GraphQLName("Timezones")]
-    [Authorize(AuthorizationPolicy.ADMIN)]
+    [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
     public async Task<IList<TimezoneDto>> GetTimeZones(
         [Service] ISender mediator,
         [Service] IDistributedCache distributedCache,
@@ -78,7 +78,7 @@ public async Task<IList<TimezoneDto>> GetTimeZones(
     }
 
     [GraphQLName("Currencies")]
-    [Authorize(AuthorizationPolicy.ADMIN)]
+    [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
     public async Task<IList<CurrencyDto>> GetCurrencies(
         [Service] ISender mediator,
         [Service] IDistributedCache distributedCache,
@@ -96,15 +96,15 @@ public async Task<IList<CurrencyDto>> GetCurrencies(
     [GraphQLName("ActivityLogs")]
     [UseOffsetPaging(typeof(ActivityLogType))]
     [UseFiltering(typeof(ActivityLogFilterInputType))]
-    [Authorize(AuthorizationPolicy.ADMIN)]
+    [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
     public async Task<IQueryable<ActivityLogDto>> GetActivityLogs([Service] ISender mediator)
     {
         return await mediator.Send(new GetActivityLogsQuery());
     }
 
     [GraphQLName("ActivityLog")]
     [GraphQLType(typeof(ActivityLogType))]
-    [Authorize(AuthorizationPolicy.ADMIN)]
+    [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
     public async Task<ActivityLogDto> GetActivityLogById(Guid id, [Service] ISender mediator)
     {
         return await mediator.Send(new GetActivityLogByIdQuery(id));

src/PersonalData/PersonalData.Api/Extensions.cs

@@ -21,7 +21,6 @@
 using OpenTelemetry.Trace;
 using PersonalData.Api.Options;
 using PersonalData.Boundaries.Grpc;
-using PersonalData.Common.Constants;
 using PersonalData.Data;
 using PersonalData.Data.Audit;
 using PersonalData.Data.Filters;
@@ -315,38 +314,23 @@ private static IServiceCollection AddAuthentication(this IServiceCollection serv
 
         services.AddAuthorization(o =>
         {
-            o.AddPolicy(AuthorizationPolicy.CAN_VIEW_USER, policy =>
-            {
-                policy.RequireAssertion(ctx => ctx.User
-                    .HasClaim(claim =>
-                        claim is { Type: Permissions.PERMISSION_CLAIM_TYPE, Value: Permissions.USER_VIEW or Permissions.USER_FULL }
-                    )
-                );
-            });
-            o.AddPolicy(AuthorizationPolicy.CAN_EDIT_USER, policy =>
-            {
-                policy.RequireAssertion(ctx => ctx.User
-                    .HasClaim(claim =>
-                        claim is { Type: Permissions.PERMISSION_CLAIM_TYPE, Value: Permissions.USER_CREATE or Permissions.USER_FULL }
-                    )
-                );
-            });
-            o.AddPolicy(AuthorizationPolicy.CAN_VIEW_ROLE, policy =>
-            {
-                policy.RequireAssertion(ctx => ctx.User
-                    .HasClaim(claim =>
-                        claim is { Type: Permissions.PERMISSION_CLAIM_TYPE, Value: Permissions.ROLE_VIEW or Permissions.ROLE_FULL }
-                    )
-                );
-            });
-            o.AddPolicy(AuthorizationPolicy.CAN_EDIT_ROLE, policy =>
-            {
-                policy.RequireAssertion(ctx => ctx.User
-                    .HasClaim(claim =>
-                        claim is { Type: Permissions.PERMISSION_CLAIM_TYPE, Value: Permissions.ROLE_CREATE or Permissions.ROLE_FULL }
-                    )
-                );
-            });
+            o.AddPolicy(AuthorizationPolicy.ADMIN_ACCESS,
+                policy =>
+                {
+                    policy.RequireAssertion(c => c.User.IsInRole(Roles.ADMIN_ROLE_NAME)
+                                                 || c.User.IsInRole(Roles.SUPER_USER_ROLE_NAME));
+                });
+
+            o.AddPolicy(AuthorizationPolicy.MEMBER_ACCESS,
+                policy => { policy.RequireAssertion(c => c.User.IsInRole(Roles.MEMBER_ROLE_NAME)); });
+
+            o.AddPolicy(AuthorizationPolicy.ADMIN_MEMBER_ACCESS,
+                policy =>
+                {
+                    policy.RequireAssertion(c => c.User.IsInRole(Roles.ADMIN_ROLE_NAME)
+                                                 || c.User.IsInRole(Roles.SUPER_USER_ROLE_NAME)
+                                                 || c.User.IsInRole(Roles.MEMBER_ROLE_NAME));
+                });
         });
 
         services

src/PersonalData/PersonalData.Api/appsettings.json

@@ -75,7 +75,7 @@
     }
   },
   "Redis": {
-    "Enabled": false,
+    "Enabled": true,
     "Configuration": "localhost:6379",
     "InstanceName": "Promag",
     "SlidingExpirationInSecond": 3600

src/PersonalData/PersonalData/Boundaries/GraphQl/Mutation.cs

@@ -6,18 +6,18 @@
 using PersonalData.Boundaries.GraphQl.Dtos;
 using PersonalData.Boundaries.GraphQl.InputObjectTypes;
 using PersonalData.Boundaries.GraphQl.ObjectTypes;
-using PersonalData.Common.Constants;
 using PersonalData.UseCases.Commands;
 using PersonalData.UseCases.Responses;
 using Shared;
 using Shared.Caching;
+using Shared.CustomTypes;
 
 namespace PersonalData.Boundaries.GraphQl;
 
 public class Mutation
 {
     [GraphQLType(typeof(PersonType))]
-    [Authorize(AuthorizationPolicy.CAN_EDIT_ROLE)]
+    [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
     public async Task<PersonDto> EditUser(
         [GraphQLType(typeof(EditUserInputType))]
         EditUserCommand editUserInput,
@@ -37,7 +37,7 @@ public async Task<PersonDto> EditUser(
     }
 
     [GraphQLType(typeof(InviteUserResponseType))]
-    [Authorize(AuthorizationPolicy.CAN_EDIT_ROLE)]
+    [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
     public async Task<InviteUserResponse> InviteUser(
         [GraphQLType(typeof(InviteUserInputType))]
         InviteUserCommand inviteUserInput,
@@ -46,7 +46,7 @@ public async Task<InviteUserResponse> InviteUser(
         return await mediator.Send(inviteUserInput);
     }
 
-    [Authorize(AuthorizationPolicy.CAN_EDIT_ROLE)]
+    [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
     public async Task<bool> UnlockUser(
         [GraphQLType(typeof(UnlockUserInputType))]
         UnlockUserCommand unlockUserInput,
@@ -65,7 +65,7 @@ public async Task<bool> UnlockUser(
         return result;
     }
 
-    [Authorize(AuthorizationPolicy.CAN_EDIT_ROLE)]
+    [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
     public async Task<bool> LockUser(
         [GraphQLType(typeof(LockUserInputType))]
         LockUserCommand lockUserInput,
@@ -84,7 +84,7 @@ public async Task<bool> LockUser(
         return result;
     }
 
-    [Authorize(AuthorizationPolicy.CAN_EDIT_ROLE)]
+    [Authorize(AuthorizationPolicy.ADMIN_ACCESS)]
     public async Task<bool> UpdateRolePermissions(UpdateRolePermissionsCommand updatePermissionsInput, [Service] ISender mediator)
     {
         return await mediator.Send(updatePermissionsInput);

src/PersonalData/PersonalData/Boundaries/GraphQl/Query.cs

@@ -12,31 +12,37 @@
 using PersonalData.Boundaries.GraphQl.Dtos;
 using PersonalData.Boundaries.GraphQl.Filters;
 using PersonalData.Boundaries.GraphQl.ObjectTypes;
-using PersonalData.Common.Constants;
-using PersonalData.Common.Enums;
 using PersonalData.Services;
 using PersonalData.UseCases.Queries;
+using Promag.Protobuf.Commons.V1;
 using Promag.Protobuf.Identity.V1;
 using Shared;
 using Shared.Caching;
 using Shared.CustomTypes;
+using UserType = PersonalData.Common.Enums.UserType;
 
 namespace PersonalData.Boundaries.GraphQl;
 
 public class Query
 {
+    [GraphQLName("PersonalDataPing")]
+    public async Task<PongReply> Ping([Service] ISender mediator)
+    {
+        return await mediator.Send(new PingQuery());
+    }
+
     [GraphQLName("Users")]
     [UseOffsetPaging(typeof(PersonType))]
     [UseFiltering(typeof(PersonFilterType))]
-    [Authorize(AuthorizationPolicy.CAN_VIEW_USER)]
+    [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
     public async Task<IQueryable<PersonDto>> GetUsers([Service] IMediator mediator)
     {
         return await mediator.Send(new GetPeopleQuery(UserType.User));
     }
 
     [GraphQLName("Person")]
     [GraphQLType(typeof(PersonType))]
-    [Authorize(AuthorizationPolicy.CAN_VIEW_USER)]
+    [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
     public async Task<PersonDto?> GetPersonById(
         Guid personId,
         [Service] ISender mediator,
@@ -75,7 +81,7 @@ public async Task<IQueryable<PersonDto>> GetUsers([Service] IMediator mediator)
 
     [GraphQLName("Me")]
     [GraphQLType(typeof(PersonType))]
-    [Authorize(AuthorizationPolicy.CAN_VIEW_USER)]
+    [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
     public async Task<PersonDto?> GetMyProfile(
         [Service] IHttpContextAccessor contextAccessor,
         [Service] ISender mediator)
@@ -94,7 +100,7 @@ public async Task<IQueryable<PersonDto>> GetUsers([Service] IMediator mediator)
 
     [GraphQLName("Roles")]
     [GraphQLType(typeof(ListType<RoleType>))]
-    [Authorize(AuthorizationPolicy.CAN_VIEW_ROLE)]
+    [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
     public async Task<List<RoleDto>> GetRoles(
         [Service] IHttpContextAccessor contextAccessor,
         [Service] IIdentityService identityService)
@@ -119,7 +125,7 @@ superRole is not null &&
 
     [GraphQLName("Role")]
     [GraphQLType(typeof(RoleType))]
-    [Authorize(AuthorizationPolicy.CAN_VIEW_ROLE)]
+    [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
     public async Task<RoleDto?> GetRoleById(
         Guid roleId,
         [Service] IIdentityService identityService)
@@ -131,7 +137,7 @@ superRole is not null &&
 
     [GraphQLName("Permissions")]
     [GraphQLType(typeof(ListType<StringType>))]
-    [Authorize(AuthorizationPolicy.CAN_VIEW_ROLE)]
+    [Authorize(AuthorizationPolicy.ADMIN_MEMBER_ACCESS)]
     public async Task<List<string>> GetRolePermissions(
         Guid roleId,
         [Service] ISender mediator)