first commit

Author: derisen

5-AccessControl/1-call-api-roles/API/TodoListAPI.Tests/ConfigurationTests.cs

@@ -1,6 +1,5 @@
 using System;
 using Xunit;
-using System.Text.RegularExpressions;
 using Microsoft.Extensions.Configuration;
 
 namespace TodoListAPI.Tests
@@ -17,37 +16,30 @@ public static IConfiguration InitConfiguration()
  }
 
  [Fact]
- public void ShouldNotContainClientId()
+ public void ShouldContainClientId()
  {
  var myConfiguration = ConfigurationTests.InitConfiguration();
- string clientId = myConfiguration.GetSection("AzureAd")["ClientId"];
+ var clientId = myConfiguration.GetSection("AzureAd")["ClientId"];
 
- string pattern = @"(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}";
- var regex = new Regex(pattern);
- Assert.DoesNotMatch(regex, clientId);
+ Assert.True(Guid.TryParse(clientId, out var theGuid));
  }
 
  [Fact]
- public void ShouldNotContainTenantId()
+ public void ShouldContainTenantId()
  {
  var myConfiguration = ConfigurationTests.InitConfiguration();
- string tenantId = myConfiguration.GetSection("AzureAd")["TenantId"];
+ var tenantId = myConfiguration.GetSection("AzureAd")["TenantId"];
 
- string pattern = @"(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}";
- var regex = new Regex(pattern);
- Assert.DoesNotMatch(regex, tenantId);
+ Assert.True(Guid.TryParse(tenantId, out var theGuid));
  }
 
  [Fact]
- public void ShouldNotContainDomain()
+ public void ShouldContainDomain()
  {
  var myConfiguration = ConfigurationTests.InitConfiguration();
- string domain = myConfiguration.GetSection("AzureAd")["Domain"];
+ var domain = $"https://{myConfiguration.GetSection("AzureAd")["Domain"]}";
 
- string pattern = @"(^http[s]?:\/\/|[a-z]*\.[a-z]{3}\.[a-z]{2})|([a-z]*\.[a-z]{3}$)";
- var regex = new Regex(pattern);
-
- Assert.DoesNotMatch(regex, domain);
+ Assert.True(Uri.TryCreate(domain, UriKind.Absolute, out var uri));
  }
  }
 }

5-AccessControl/1-call-api-roles/API/TodoListAPI.Tests/TodoListAPI.Tests.csproj

@@ -1,7 +1,7 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
  <PropertyGroup>
- <TargetFramework>netcoreapp3.1</TargetFramework>
+ <TargetFramework>net6.0</TargetFramework>
 
  <IsPackable>false</IsPackable>
  </PropertyGroup>

5-AccessControl/1-call-api-roles/API/TodoListAPI.sln

@@ -3,29 +3,29 @@ Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 16
 VisualStudioVersion = 16.0.31005.135
 MinimumVisualStudioVersion = 10.0.40219.1
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TodoListAPI.Tests", "TodoListAPI.Tests\TodoListAPI.Tests.csproj", "{4B329B4A-AA8B-4FF0-857C-507A5D308D55}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TodoListAPI", "TodoListAPI\TodoListAPI.csproj", "{3E0BC18D-E25D-4E0E-9F6C-712C30350DF8}"
 EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TodoListAPI", "TodoListAPI\TodoListAPI.csproj", "{D6DE3BD7-4A2F-4CD7-9F32-6529F1C2DE57}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TodoListAPI.Tests", "TodoListAPI.Tests\TodoListAPI.Tests.csproj", "{FD40F6A5-7735-4AA5-ACA8-ADE3FBE65378}"
 EndProject
 Global
 GlobalSection(SolutionConfigurationPlatforms) = preSolution
 Debug|Any CPU = Debug|Any CPU
 Release|Any CPU = Release|Any CPU
 EndGlobalSection
 GlobalSection(ProjectConfigurationPlatforms) = postSolution
-{4B329B4A-AA8B-4FF0-857C-507A5D308D55}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-{4B329B4A-AA8B-4FF0-857C-507A5D308D55}.Debug|Any CPU.Build.0 = Debug|Any CPU
-{4B329B4A-AA8B-4FF0-857C-507A5D308D55}.Release|Any CPU.ActiveCfg = Release|Any CPU
-{4B329B4A-AA8B-4FF0-857C-507A5D308D55}.Release|Any CPU.Build.0 = Release|Any CPU
-{D6DE3BD7-4A2F-4CD7-9F32-6529F1C2DE57}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-{D6DE3BD7-4A2F-4CD7-9F32-6529F1C2DE57}.Debug|Any CPU.Build.0 = Debug|Any CPU
-{D6DE3BD7-4A2F-4CD7-9F32-6529F1C2DE57}.Release|Any CPU.ActiveCfg = Release|Any CPU
-{D6DE3BD7-4A2F-4CD7-9F32-6529F1C2DE57}.Release|Any CPU.Build.0 = Release|Any CPU
+{3E0BC18D-E25D-4E0E-9F6C-712C30350DF8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{3E0BC18D-E25D-4E0E-9F6C-712C30350DF8}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{3E0BC18D-E25D-4E0E-9F6C-712C30350DF8}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{3E0BC18D-E25D-4E0E-9F6C-712C30350DF8}.Release|Any CPU.Build.0 = Release|Any CPU
+{FD40F6A5-7735-4AA5-ACA8-ADE3FBE65378}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{FD40F6A5-7735-4AA5-ACA8-ADE3FBE65378}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{FD40F6A5-7735-4AA5-ACA8-ADE3FBE65378}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{FD40F6A5-7735-4AA5-ACA8-ADE3FBE65378}.Release|Any CPU.Build.0 = Release|Any CPU
 EndGlobalSection
 GlobalSection(SolutionProperties) = preSolution
 HideSolutionNode = FALSE
 EndGlobalSection
 GlobalSection(ExtensibilityGlobals) = postSolution
-SolutionGuid = {A4F71EA5-B405-4289-A85E-CB882FA2D9C8}
+SolutionGuid = {44AB506D-AF3A-4AE5-90E9-CFECC92533A6}
 EndGlobalSection
 EndGlobal

5-AccessControl/1-call-api-roles/API/TodoListAPI/Controllers/TodoListController.cs

@@ -1,12 +1,11 @@
-using System;
+using System.Linq;
 using System.Collections.Generic;
-using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.EntityFrameworkCore;
-using System.Security.Claims;
+using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Resource;
 using TodoListAPI.Models;
 using TodoListAPI.Utils;
@@ -18,12 +17,11 @@ namespace TodoListAPI.Controllers
  [ApiController]
  public class TodoListController : ControllerBase
  {
- // The Web API will only accept tokens 1) for users, and 
- // 2) having the access_as_user scope for this API
- static readonly string[] scopeRequiredByApi = new string[] { "access_as_user" };
-
  private readonly TodoContext _context;
 
+ private const string _todoListRead = "TodoList.Read";
+ private const string _todoListReadWrite = "TodoList.ReadWrite";
+
  public TodoListController(TodoContext context)
  {
  _context = context;
@@ -33,117 +31,142 @@ public TodoListController(TodoContext context)
  [HttpGet]
  [Route("getAll")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskAdminRoleRequired)]
+ [RequiredScopeOrAppPermission(
+ AcceptedScope = new string[] { _todoListRead }
+ )]
  public async Task<ActionResult<IEnumerable<TodoItem>>> GetAll()
  {
- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
  return await _context.TodoItems.ToListAsync();
  }
 
- // GET: api/todolist
+ // GET: api/TodoItems
  [HttpGet]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskUserRoleRequired)]
+ /// <summary>
+ /// Access tokens that have neither the 'scp' (for delegated permissions) nor
+ /// 'roles' (for application permissions) claim are not to be honored.
+ ///
+ /// An access token issued by Azure AD will have at least one of the two claims. Access tokens
+ /// issued to a user will have the 'scp' claim. Access tokens issued to an application will have
+ /// the roles claim. Access tokens that contain both claims are issued only to users, where the scp
+ /// claim designates the delegated permissions, while the roles claim designates the user's role.
+ ///
+ /// To determine whether an access token was issued to a user (i.e delegated) or an application
+ /// more easily, we recommend enabling the optional claim 'idtyp'. For more information, see:
+ /// https://docs.microsoft.com/azure/active-directory/develop/access-tokens#user-and-application-tokens
+ /// </summary>
+ [RequiredScopeOrAppPermission(
+ AcceptedScope = new string[] { _todoListRead, _todoListReadWrite }
+ )]
  public async Task<ActionResult<IEnumerable<TodoItem>>> GetTodoItems()
  {
- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
- string owner = User.FindFirst("preferred_username")?.Value;
- return await _context.TodoItems.Where(item => item.Owner == owner).ToListAsync();
+ /// <summary>
+ /// The 'oid' (object id) is the only claim that should be used to uniquely identify
+ /// a user in an Azure AD tenant. The token might have one or more of the following claim,
+ /// that might seem like a unique identifier, but is not and should not be used as such:
+ ///
+ /// - upn (user principal name): might be unique amongst the active set of users in a tenant
+ /// but tend to get reassigned to new employees as employees leave the organization and others
+ /// take their place or might change to reflect a personal change like marriage.
+ ///
+ /// - email: might be unique amongst the active set of users in a tenant but tend to get reassigned
+ /// to new employees as employees leave the organization and others take their place.
+ /// </summary>
+ return await _context.TodoItems.Where(x => x.Owner == HttpContext.User.GetObjectId()).ToListAsync();
  }
 
- // GET: api/todolist/5
+ // GET: api/TodoItems/5
  [HttpGet("{id}")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskUserRoleRequired)]
+ [RequiredScopeOrAppPermission(
+ AcceptedScope = new string[] { _todoListRead, _todoListReadWrite }
+ )]
  public async Task<ActionResult<TodoItem>> GetTodoItem(int id)
  {
- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
- 
- var todoItem = await _context.TodoItems.FindAsync(id);
-
- if (todoItem == null)
- {
- return NotFound();
- }
-
- return todoItem;
+ return await _context.TodoItems.FirstOrDefaultAsync(t => t.Id == id && t.Owner == HttpContext.User.GetObjectId());
  }
 
- // PUT: api/todolist/5
+ // PUT: api/TodoItems/5
  // To protect from overposting attacks, please enable the specific properties you want to bind to, for
  // more details see https://aka.ms/RazorPagesCRUD.
  [HttpPut("{id}")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskUserRoleRequired)]
+ [RequiredScopeOrAppPermission(
+ AcceptedScope = new string[] { _todoListReadWrite }
+ )]
  public async Task<IActionResult> PutTodoItem(int id, TodoItem todoItem)
  {
- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
-
- if (id != todoItem.Id)
+ if (id != todoItem.Id || !_context.TodoItems.Any(x => x.Id == id))
  {
- return BadRequest();
+ return NotFound();
  }
 
- _context.Entry(todoItem).State = EntityState.Modified;
 
- try
- {
- await _context.SaveChangesAsync();
- }
- catch (DbUpdateConcurrencyException)
+ if (_context.TodoItems.Any(x => x.Id == id && x.Owner == HttpContext.User.GetObjectId()))
  {
- if (!TodoItemExists(id))
+ _context.Entry(todoItem).State = EntityState.Modified;
+
+ try
  {
- return NotFound();
+ await _context.SaveChangesAsync();
  }
- else
+ catch (DbUpdateConcurrencyException)
  {
- throw;
+ if (!_context.TodoItems.Any(e => e.Id == id))
+ {
+ return NotFound();
+ }
+ else
+ {
+ throw;
+ }
  }
  }
 
  return NoContent();
  }
 
- // POST: api/todolist
+ // POST: api/TodoItems
  // To protect from overposting attacks, please enable the specific properties you want to bind to, for
  // more details see https://aka.ms/RazorPagesCRUD.
  [HttpPost]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskUserRoleRequired)]
+ [RequiredScopeOrAppPermission(
+ AcceptedScope = new string[] { _todoListReadWrite }
+ )]
  public async Task<ActionResult<TodoItem>> PostTodoItem(TodoItem todoItem)
  {
- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
-
- string owner = User.FindFirst("preferred_username")?.Value;
- todoItem.Owner = owner;
-
+ todoItem.Owner = HttpContext.User.GetObjectId();
  todoItem.Status = false;
 
-
  _context.TodoItems.Add(todoItem);
  await _context.SaveChangesAsync();
 
  return CreatedAtAction("GetTodoItem", new { id = todoItem.Id }, todoItem);
  }
 
- // DELETE: api/todolist/5
+ // DELETE: api/TodoItems/5
  [HttpDelete("{id}")]
  [Authorize(Policy = AuthorizationPolicies.AssignmentToTaskUserRoleRequired)]
+ [RequiredScopeOrAppPermission(
+ AcceptedScope = new string[] { _todoListReadWrite }
+ )]
  public async Task<ActionResult<TodoItem>> DeleteTodoItem(int id)
  {
- HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+ TodoItem todoItem = await _context.TodoItems.FindAsync(id);
 
- var todoItem = await _context.TodoItems.FindAsync(id);
  if (todoItem == null)
  {
  return NotFound();
  }
 
- _context.TodoItems.Remove(todoItem);
- await _context.SaveChangesAsync();
-
- return todoItem;
- }
+ if (_context.TodoItems.Any(x => x.Id == id && x.Owner == HttpContext.User.GetObjectId()))
+ {
+ _context.TodoItems.Remove(todoItem);
+  await _context.SaveChangesAsync();
+  }
 
- private bool TodoItemExists(int id)
- {
- return _context.TodoItems.Any(e => e.Id == id);
+ return NoContent();
  }
  }
 }