Added frontend security testing

Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects.Tests/Dfe.ManageFreeSchoolProjects.Tests.csproj

@@ -11,6 +11,7 @@
 
   <ItemGroup>
     <PackageReference Include="AutoFixture" Version="4.18.1" />
+    <PackageReference Include="DfE.CoreLibs.Testing" Version="1.1.9" />
     <PackageReference Include="FluentAssertions" Version="6.12.1" />
     <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.2.2" />
     <PackageReference Include="Microsoft.Extensions.Hosting" Version="8.0.0" />
@@ -31,4 +32,10 @@
     <ProjectReference Include="..\Dfe.ManageFreeSchoolProjects\Dfe.ManageFreeSchoolProjects.csproj" />
   </ItemGroup>
 
+  <ItemGroup>
+    <None Update="ExpectedSecurityConfig.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+  </ItemGroup>
+
 </Project>

Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects.Tests/ExpectedSecurityConfig.json

@@ -0,0 +1,16 @@
+{
+  "Endpoints": [
+    {
+      "Route": "/Public/AccessibilityStatement",
+      "ExpectedSecurity": "AllowAnonymous"
+    },
+    {
+      "Route": "/Public/Cookies",
+      "ExpectedSecurity": "AllowAnonymous"
+    },
+    {
+      "Route": "/Account/AccessDenied",
+      "ExpectedSecurity": "AllowAnonymous"
+    }
+  ]
+}

Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects.Tests/Pages/PageSecurityTests.cs

@@ -0,0 +1,50 @@
+using Microsoft.AspNetCore.Routing;
+using DfE.CoreLibs.Testing.Authorization;
+using DfE.CoreLibs.Testing.Mocks.WebApplicationFactory;
+using Microsoft.Extensions.DependencyInjection;
+using DfE.CoreLibs.Testing.Authorization.Helpers;
+
+namespace Dfe.ManageFreeSchoolProjects.Tests.Pages
+{
+    public class PageSecurityTests
+    {
+        private readonly AuthorizationTester _validator;
+        private static readonly Lazy<IEnumerable<RouteEndpoint>> _endpoints = new(InitializeEndpoints);
+        private const bool _globalAuthorizationEnabled = true;
+
+        public PageSecurityTests()
+        {
+            _validator = new AuthorizationTester(_globalAuthorizationEnabled);
+        }
+
+        [Theory]
+        [MemberData(nameof(GetPageSecurityTestData))]
+        public void ValidatePageSecurity(string route, string expectedSecurity)
+        {
+            var result = _validator.ValidatePageSecurity(route, expectedSecurity, _endpoints.Value);
+            Assert.Null(result.Message);
+        }
+
+        public static IEnumerable<object[]> GetPageSecurityTestData()
+        {
+            var configFilePath = "ExpectedSecurityConfig.json";
+            var pages = EndpointTestDataProvider.GetPageSecurityTestDataFromFile(configFilePath, _endpoints.Value, _globalAuthorizationEnabled);
+            return pages;
+        }
+
+        private static IEnumerable<RouteEndpoint> InitializeEndpoints()
+        {
+            // Using a temporary factory to access the EndpointDataSource for lazy initialization
+            var factory = new CustomWebApplicationFactory<Startup>();
+            var endpointDataSource = factory.Services.GetRequiredService<EndpointDataSource>();
+
+            var endpoints = endpointDataSource.Endpoints
+               .OfType<RouteEndpoint>()
+               .Where(x => !x.RoutePattern.RawText!.Contains("MicrosoftIdentity") &&
+                           !x.RoutePattern.RawText.Equals("/") &&
+                           !x.Metadata.Any(m => m is RouteNameMetadata && ((RouteNameMetadata)m).RouteName == "default"));
+
+            return endpoints;
+        }
+    }
+}

Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Areas/MicrosoftIdentity/Pages/Account/AccessDenied.cshtml

@@ -1,4 +1,6 @@
 @page "/access-denied"
+@using Microsoft.AspNetCore.Authorization
+@attribute [AllowAnonymous]
 @inject Microsoft.Extensions.Configuration.IConfiguration _configuration
 @model Microsoft.Identity.Web.UI.Areas.MicrosoftIdentity.Pages.Account.AccessDeniedModel
 @{

Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Pages/Public/AccessibilityStatement.cshtml

@@ -1,5 +1,6 @@
 @page "/accessibility-statement"
-
+@using Microsoft.AspNetCore.Authorization
+@attribute [AllowAnonymous]
 @inject Microsoft.Extensions.Configuration.IConfiguration _configuration
 
 @{

Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Pages/Public/Cookies.cshtml

@@ -1,4 +1,6 @@
 @page "/public/cookies"
+@using Microsoft.AspNetCore.Authorization
+@attribute [AllowAnonymous]
 @model Dfe.ManageFreeSchoolProjects.Pages.Public.Cookies
 
 @{

Dfe.ManageFreeSchoolProjects/Dfe.ManageFreeSchoolProjects/Startup.cs

@@ -69,7 +69,10 @@ public void ConfigureServices(IServiceCollection services)
            .AddRazorPages(options =>
            {
                options.Conventions.AuthorizeFolder("/");
-           })
+               options.Conventions.AllowAnonymousToPage("/Public/AccessibilityStatement");
+               options.Conventions.AllowAnonymousToPage("/Public/Cookies");
+               options.Conventions.AllowAnonymousToPage("/Account/AccessDenied");
+           }) 
            .AddViewOptions(options =>
            {
                options.HtmlHelperOptions.ClientValidationEnabled = false;