security working on endpoints

AJEETX · AJEETX · commit 3df8f74c1ac8 · 2021-03-08T19:39:55.000+11:00
diff --git a/src/Api/Endpoints/V1/Products/Create.cs b/src/Api/Endpoints/V1/Products/Create.cs
@@ -26,7 +26,7 @@ public ProductsController(Database db)
         /// <param name="product">Enter the product</param>
         /// <param name="culture">Enter the culture</param>
         /// <returns></returns>
-        [Authorize]
+        [Authorize(Policy = "ShouldBeAnAdmin")]
         [FeatureGate(Features.PRODUCT)]
         [ApiVersion(ApiVersionNumbers.V1)]
         [HttpPost("", Name = RouteNames.PostAsync)]
diff --git a/src/Api/Endpoints/V1/Products/Delete.cs b/src/Api/Endpoints/V1/Products/Delete.cs
@@ -1,4 +1,5 @@
-﻿using Microsoft.AspNetCore.Http;
+﻿using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using System;
 using System.Threading.Tasks;
@@ -18,6 +19,7 @@ public partial class ProductsController
         /// <param name="id">Enter the product id</param>
         /// <param name="culture"></param>
         /// <returns></returns>
+        [Authorize(Policy = "ShouldBeAnAdmin")]
         [ApiVersion(ApiVersionNumbers.V1)]
         [HttpDelete("{id}", Name = RouteNames.DeleteAsync)]
         [ProducesResponseType(StatusCodes.Status204NoContent)]
diff --git a/src/Api/Endpoints/V1/Products/Read.cs b/src/Api/Endpoints/V1/Products/Read.cs
@@ -1,4 +1,5 @@
-﻿using Microsoft.AspNetCore.Http;
+﻿using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 using System;
@@ -17,6 +18,7 @@ public partial class ProductsController
         /// List of products.
         /// </summary>
         /// <returns>Returns list of products</returns>
+        [Authorize(Policy = "ShouldBeAReader")]
         [ApiVersion(ApiVersionNumbers.V1)]
         [HttpGet("", Name = RouteNames.GetAsync)]
         [ProducesResponseType(StatusCodes.Status200OK, Type = typeof(List<ProductDTO>))]
@@ -44,6 +46,7 @@ public async Task<IActionResult> GetAsync(string culture = "en-US")
         /// </summary>
         /// <param name="id">Enter the id of product</param>
         /// <returns>Returns list of products</returns>
+        [Authorize(Policy = "ShouldBeAReader")]
         [ApiVersion(ApiVersionNumbers.V1)]
         [HttpGet("{id}", Name = RouteNames.GetByIdAsync)]
         [ProducesResponseType(StatusCodes.Status200OK, Type = typeof(ProductDTO))]
diff --git a/src/Api/Endpoints/V1/Products/Update.cs b/src/Api/Endpoints/V1/Products/Update.cs
@@ -1,4 +1,5 @@
-﻿using Microsoft.AspNetCore.Http;
+﻿using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using System;
 using System.Threading.Tasks;
@@ -17,6 +18,7 @@ public partial class ProductsController
         /// <param name="product">Enter the product</param>
         /// <param name="culture"></param>
         /// <returns></returns>
+        [Authorize(Policy = "ShouldBeAReader")]
         [ApiVersion(ApiVersionNumbers.V1)]
         [HttpPut("{id}", Name = RouteNames.PutAsync)]
         [ProducesResponseType(StatusCodes.Status204NoContent)]
diff --git a/src/Api/Product.db b/src/Api/Product.db
diff --git a/src/Api/Xero.Demo.Domain/Services/UserService.cs b/src/Api/Xero.Demo.Domain/Services/UserService.cs
@@ -47,7 +47,7 @@ private string GenerateJWTToken(User userInfo)
                             new Claim("id", userInfo.Id.ToString()),
                             new Claim(JwtRegisteredClaimNames.Sub, userInfo.Username),
                             new Claim("Name", userInfo.Name+userInfo.Name.ToString()),
-                            new Claim("Role",userInfo.Role),
+                            new Claim(ClaimTypes.Role,userInfo.Role),
                             new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
                         },
                 expires: DateTime.Now.AddMinutes(10),
diff --git a/src/Api/Xero.Demo.Infrastructure/Setup/AddAuthorizationExtension.cs b/src/Api/Xero.Demo.Infrastructure/Setup/AddAuthorizationExtension.cs
@@ -1,9 +1,12 @@
 ﻿using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.IdentityModel.Tokens;
 using System;
+using System.Security.Claims;
 using System.Text;
+using Xero.Demo.Api.Domain.Security;
 using Xero.Demo.Api.Xero.Demo.Domain.Services;
 
 namespace Xero.Demo.Api.Domain.Infrastructure
@@ -32,7 +35,40 @@ public static IServiceCollection AddSecurity(this IServiceCollection services, I
                             };
                         });
 
-            services.AddAuthorization();
+            services.AddAuthorization(
+                config =>
+                {
+                    config.AddPolicy("ShouldBeAnAdmin", options =>
+                    {
+                        options.RequireAuthenticatedUser();
+                        options.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
+                        options.Requirements.Add(new ShouldBeAnAdminRequirement());
+                    });
+
+                    config.AddPolicy("ShouldBeAnEditor", options =>
+                    {
+                        options.RequireClaim(ClaimTypes.Role);
+                        options.RequireRole("Reader");
+                        options.RequireAuthenticatedUser();
+                        options.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
+                        options.Requirements.Add(new ShouldBeAnEditorRequirement());
+                    });
+
+                    config.AddPolicy("ShouldBeAReader", options =>
+                    {
+                        options.RequireClaim(ClaimTypes.Role);
+                        options.RequireRole("Reader");
+                        options.RequireAuthenticatedUser();
+                        options.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
+                        options.Requirements.Add(new ShouldBeAReaderRequirement());
+                    });
+
+                    config.AddPolicy("ShouldContainRole", options =>
+                        options.RequireClaim(ClaimTypes.Role));
+                });
+            services.AddScoped<IAuthorizationHandler, ShouldBeAnAdminRequirementHandler>();
+            services.AddScoped<IAuthorizationHandler, ShouldBeAReaderAuthorizationHandler>();
+            services.AddScoped<IAuthorizationHandler, ShouldBeAnEditorRequirementHandler>();
             return services;
         }
     }
