jasontaylordev · aybezz · Apr 21, 2020 · Apr 22, 2020
diff --git a/src/Application/Common/Behaviours/AuthorizationBehaviour.cs b/src/Application/Common/Behaviours/AuthorizationBehaviour.cs
@@ -0,0 +1,71 @@
+using CleanArchitecture.Application.Common.Interfaces;
+using CleanArchitecture.Application.Common.Security;
+using MediatR;
+using Microsoft.Extensions.Logging;
+using System;
+using System.Linq;
+using System.Reflection;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace CleanArchitecture.Application.Common.Behaviours
+{
+    public class AuthorizationBehaviour<TRequest, TResponse> : IPipelineBehavior<TRequest, TResponse>
+    {
+        private readonly ILogger<TRequest> _logger;
+        private readonly ICurrentUserService _currentUserService;
+        private readonly IIdentityService _identityService;
+
+        public AuthorizationBehaviour(
+            ILogger<TRequest> logger,
+            ICurrentUserService currentUserService,
+            IIdentityService identityService)
+        {
+            _logger = logger;
+            _currentUserService = currentUserService;
+            _identityService = identityService;
+        }
+
+        public async Task<TResponse> Handle(TRequest request, CancellationToken cancellationToken, RequestHandlerDelegate<TResponse> next)
+        {
+            var authorizeAttributes = request.GetType().GetCustomAttributes<AuthorizeAttribute>();
+
+            if (!authorizeAttributes.Any())
+            {
+                // Must be authenticated user
+                if (_currentUserService.UserId == null)
+                {
+                    throw new UnauthorizedAccessException();
+                }
+
+                var authorizeAttributesWithRoles = authorizeAttributes.Where(a => !string.IsNullOrWhiteSpace(a.Roles));
+
+                if (authorizeAttributesWithRoles.Any())
+                {
+                    foreach (var roles in authorizeAttributesWithRoles.Select(a => a.Roles.Split(',')))
+                    {
+                        var authorized = false;
+                        foreach (var role in roles)
+                        {
+                            var isInRole = await _identityService.UserIsInRole(_currentUserService.UserId, role.Trim());
+                            if (isInRole)
+                            {
+                                authorized = true;
+                                continue;
+                            }
+                        }
+
+                        // Must be a member of at least one role in roles
+                        if (!authorized)
+                        {
+                            throw new UnauthorizedAccessException();
+                        }
+                    }
+                }
+            }
+
+            // User is authorized / authorization not required
+            return await next();
+        }
+    }
+}
diff --git a/src/Application/Common/Interfaces/IIdentityService.cs b/src/Application/Common/Interfaces/IIdentityService.cs
@@ -7,6 +7,8 @@ public interface IIdentityService
     {
         Task<string> GetUserNameAsync(string userId);
 
+        Task<bool> UserIsInRole(string userId, string role);
+
         Task<(Result Result, string UserId)> CreateUserAsync(string userName, string password);
 
         Task<Result> DeleteUserAsync(string userId);

diff --git a/src/Application/Common/Security/AuthorizeAttribute.cs b/src/Application/Common/Security/AuthorizeAttribute.cs
@@ -0,0 +1,21 @@
+using System;
+
+namespace CleanArchitecture.Application.Common.Security
+{
+    /// <summary>
+    /// Specifies the class this attribute is applied to requires authorization.
+    /// </summary>
+    [AttributeUsage(AttributeTargets.Class, AllowMultiple = true, Inherited = true)]
+    public class AuthorizeAttribute : Attribute
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="AuthorizeAttribute"/> class. 
+        /// </summary>
+        public AuthorizeAttribute() { }
+
+        /// <summary>
+        /// Gets or sets a comma delimited list of roles that are allowed to access the resource.
+        /// </summary>
+        public string Roles { get; set; }
+    }
+}
diff --git a/src/Application/DependencyInjection.cs b/src/Application/DependencyInjection.cs
@@ -14,6 +14,7 @@ public static IServiceCollection AddApplication(this IServiceCollection services
             services.AddAutoMapper(Assembly.GetExecutingAssembly());
             services.AddValidatorsFromAssembly(Assembly.GetExecutingAssembly());
             services.AddMediatR(Assembly.GetExecutingAssembly());
+            services.AddTransient(typeof(IPipelineBehavior<,>), typeof(AuthorizationBehaviour<,>));
             services.AddTransient(typeof(IPipelineBehavior<,>), typeof(RequestPerformanceBehaviour<,>));
             services.AddTransient(typeof(IPipelineBehavior<,>), typeof(RequestValidationBehavior<,>));
             services.AddTransient(typeof(IPipelineBehavior<,>), typeof(UnhandledExceptionBehaviour<,>));

diff --git a/src/Application/TodoLists/Queries/GetTodos/GetTodosQuery.cs b/src/Application/TodoLists/Queries/GetTodos/GetTodosQuery.cs
@@ -1,6 +1,7 @@
 using AutoMapper;
 using AutoMapper.QueryableExtensions;
 using CleanArchitecture.Application.Common.Interfaces;
+using CleanArchitecture.Application.Common.Security;
 using CleanArchitecture.Domain.Enums;
 using MediatR;
 using Microsoft.EntityFrameworkCore;
@@ -11,6 +12,7 @@
 
 namespace CleanArchitecture.Application.TodoLists.Queries.GetTodos
 {
+    [Authorize]
     public class GetTodosQuery : IRequest<TodosVm>
     {
     }

diff --git a/src/Infrastructure/DependencyInjection.cs b/src/Infrastructure/DependencyInjection.cs
@@ -4,6 +4,7 @@
 using CleanArchitecture.Infrastructure.Persistence;
 using CleanArchitecture.Infrastructure.Services;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
@@ -30,6 +31,7 @@ public static IServiceCollection AddInfrastructure(this IServiceCollection servi
             services.AddScoped<IApplicationDbContext>(provider => provider.GetService<ApplicationDbContext>());
 
                 services.AddDefaultIdentity<ApplicationUser>()
+                    .AddRoles<IdentityRole>()
                     .AddEntityFrameworkStores<ApplicationDbContext>();
 
             services.AddIdentityServer()

diff --git a/src/Infrastructure/Identity/IdentityService.cs b/src/Infrastructure/Identity/IdentityService.cs
@@ -35,6 +35,13 @@ public async Task<string> GetUserNameAsync(string userId)
             return (result.ToApplicationResult(), user.Id);
         }
 
+        public async Task<bool> UserIsInRole(string userId, string role)
+        {
+            var user = _userManager.Users.SingleOrDefault(u => u.Id == userId);
+
+            return await _userManager.IsInRoleAsync(user, role);
+        }
+
         public async Task<Result> DeleteUserAsync(string userId)
         {
             var user = _userManager.Users.SingleOrDefault(u => u.Id == userId);

diff --git a/tests/Applicaton.IntegrationTests/Testing.cs b/tests/Applicaton.IntegrationTests/Testing.cs
@@ -95,10 +95,16 @@ public static async Task<string> RunAsUserAsync(string userName, string password
 
         var userManager = scope.ServiceProvider.GetService<UserManager<ApplicationUser>>();
 
+        var roleManager = scope.ServiceProvider.GetService<RoleManager<IdentityRole>>();
+
+        await roleManager.CreateAsync(new IdentityRole("Admin"));
+
         var user = new ApplicationUser { UserName = userName, Email = userName };
 
         var result = await userManager.CreateAsync(user, password);
 
+        await userManager.AddToRoleAsync(user, "Admin");
+
         _currentUserId = user.Id;
 
         return _currentUserId;

diff --git a/tests/Applicaton.IntegrationTests/TodoLists/Queries/GetTodosTests.cs b/tests/Applicaton.IntegrationTests/TodoLists/Queries/GetTodosTests.cs
@@ -1,7 +1,9 @@
-using CleanArchitecture.Application.TodoLists.Queries.GetTodos;
+using CleanArchitecture.Application.Common.Security;
+using CleanArchitecture.Application.TodoLists.Queries.GetTodos;
 using CleanArchitecture.Domain.Entities;
 using FluentAssertions;
 using NUnit.Framework;
+using System;
 using System.Linq;
 using System.Threading.Tasks;
 
@@ -14,6 +16,8 @@ public class GetTodosTests : TestBase
         [Test]
         public async Task ShouldReturnPriorityLevels()
         {
+            await RunAsDefaultUserAsync();
+
             var query = new GetTodosQuery();
 
             var result = await SendAsync(query);
@@ -24,6 +28,8 @@ public async Task ShouldReturnPriorityLevels()
         [Test]
         public async Task ShouldReturnAllListsAndItems()
         {
+            await RunAsDefaultUserAsync();
+
             await AddAsync(new TodoList
             {
                 Title = "Shopping",
@@ -46,5 +52,16 @@ await AddAsync(new TodoList
             result.Lists.Should().HaveCount(1);
             result.Lists.First().Items.Should().HaveCount(7);
         }
+
+        [Test]
+        public void ShouldRequireAuthorization()
+        {
+            var query = new GetTodosQuery();
+
+            query.GetType().Should().BeDecoratedWith<AuthorizeAttribute>();
+
+            FluentActions.Invoking(() =>
+                SendAsync(query)).Should().Throw<UnauthorizedAccessException>();
+        }
     }
 }