tests/Umbraco.Tests.Integration/ManagementApi/Policies/ByKeyAuditLogControllerTests.cs

using System.Linq.Expressions;
using System.Net;
using System.Net.Http.Headers;
using NUnit.Framework;
using Umbraco.Cms.Api.Management.Controllers.AuditLog;
using Umbraco.Cms.Core;

namespace Umbraco.Cms.Tests.Integration.ManagementApi.Policies;

/// <summary>
///
/// </summary>
[TestFixture]
public class ByKeyAuditLogControllerTests : ManagementApiTest<ByKeyAuditLogController>
{
    protected override Expression<Func<ByKeyAuditLogController, object>> MethodSelector =>
        x => x.ByKey(Constants.Security.SuperUserKey, Direction.Ascending, null, 0, 100);

    [Test]
    public virtual async Task As_Admin_I_Have_Access()
    {
        await AuthenticateClientAsync(Client, "admin@umbraco.com", "1234567890", true);

        var response = await Client.GetAsync(Url);

        Assert.AreEqual(HttpStatusCode.OK, response.StatusCode,  await response.Content.ReadAsStringAsync());
    }

    [Test]
    public virtual async Task As_Editor_I_Have_Access()
    {
        await AuthenticateClientAsync(Client, "editor@umbraco.com", "1234567890", false);

        var response = await Client.GetAsync(Url);

        Assert.AreEqual(HttpStatusCode.OK, response.StatusCode,  await response.Content.ReadAsStringAsync());
    }

    [Test]
    public virtual async Task Unauthourized_when_no_token_is_provided()
    {
        var response = await Client.GetAsync(Url);

        Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode, await response.Content.ReadAsStringAsync());
    }
}
V14: Add authorization policies to Management API controllers - p2 (#15211) * Making ProblemDetails details more generic * Adding authorizer that can be replaces for external authz in handlers. Adding handler and requirement for UserBelongsToUserGroupInRequest policy * Adding method to get the GUID from claims * Adding service methods to check user group authz * Porting MustSatisfyRequirementAuthorizationHandler * Adding controllers authz * Fix return status code + produced response type * Moving to folder * Adding DenyLocalLogin policy scaffold * Implement a temp DenyLocalLoginHandler * Introducing a new Fobidden result * Fix comment * Introducing a helper class for authorizers * Changed nullability for GetCurrentUser * Changes from Attempt to Status + FIXME comments * Create a UserGroupAuthorizationStatus to be used in the future * Introduces a new authz status for checking media acess * Introducing a new permission service for media * Adding fixme * Adding more policy configurations * Adding Media policy requirement and handler * Adding media authorizer * Fix order of params * Adding duplicate code comment * Adding authz to media controllers * Migrating more logic from MediaPermissions.cs * Adding more MediaAuthorizationStatus-es * Handling of new authorization status * Fix comment * Adding NotFound case * Adding NewDenyLocalLoginIfConfigured policy && commenting [AllowAnonymous] where the policy is applied since it is already handled * Changed Forbid() to Forbidden() to get the correct status code * Remove policy that is applied on the base controller already * Implement and apply NewUmbracoFeatureEnabled policy * Renaming classes to add Permission in the name * Register permission services * Add FIXME * Introduce new IUserGroupPermissionService and refactor accordingly * Add single overload with default implementation * Adding user permission policy and related * Applying admin policy * Register all new policies * Better wording * Add default implementation for a single overload * Adding remarks to IContentPermissionService.cs * Supporting null as key in ContentPermissionService * Fix namespace * Reverting back to not supporting null as content key, but having dedicated implementation * Adding content authorizer with null values to represent root item * Removing null key support and adding dedicated implementation * Removing remarks * Adding content resource with null support * Removing null support * Adding requirement and status * Adding content authorizer + handlers * Applying policies to content controllers * Update comment * Handling of Authorization Statuses * More authz in controllers * Fix comments * New branch handler * Obsolete old implementation * Adding dedicated policies to root and bin * Adding a branch specific namespace * Bin specific requirement and namespace * Root specific requirement and namespace * Changing to new root policy * Refactoring * Save policies * Fix null check/reference * Add TODO comment * Create media root- and bin-specific policies, handlers, etc. * Apply correct policy in create and update media controllers * Apply root policy to move and sort controllers * Fix wording * Adding UserGroupAuthorizationStatusResult * Remove all AuthorizationStatusResult as we cannot get the specific AuthorizationStatus * Fixing Umbraco feature policy * Fix allow anonymous endpoints - the value returned from DenyLocalLoginHandler wasn't enough, we need to succeed DenyAnonymousAuthorizationRequirement as it is required for some of the endpoints that had the attribute * Apply DenyLocalLoginIfConfigured policy to corresponding re-implementation of PostSetInvitedUserPassword * Fix comment * Renaming performingUser to user and fixing comments * Rename helper method * Fix references * Re-add merge conflict deletion * Adding Backoffice requirement and relevant * Registering * Added a simple policy test * Fixed small test things and clean up * Temp solution * Added one more test and fix another static issue * Fix another merge conflict * Remove BackOfficePermissionRequirement and handler as they might not be necessary * Comment out again [AllowAnonymous] * Remove AuthorizationPolicies.BackOfficeAccessWithoutApproval policy as it might not be necessary * Fix temp implementation * Fix reference to correct handler * Apply authz policy to new publish/unpublish controllers * Fix comments * Removing duplicate ProducesResponseTypes * Added swagger documentation about the 401 and 403 * Added Resources to Media, User and UserGroup * Handle root, recycle bin and branch in the same handler * Handle both parent and target when moving * Check Ids for all sort requests * Xml docs * Clean up * Clean up * Fix build * Cleanup * Remove TODO * Added missing overload * Use yield * Adding some keys to check --------- Co-authored-by: Bjarke Berg <mail@bergmania.dk> Co-authored-by: Andreas Zerbst <andr317c@live.dk> 2023-12-11 08:25:29 +01:00			`using System.Linq.Expressions;`
			`using System.Net;`
			`using System.Net.Http.Headers;`
			`using NUnit.Framework;`
			`using Umbraco.Cms.Api.Management.Controllers.AuditLog;`
			`using Umbraco.Cms.Core;`

			`namespace Umbraco.Cms.Tests.Integration.ManagementApi.Policies;`

			`/// <summary>`
			`///`
			`/// </summary>`
			`[TestFixture]`
			`public class ByKeyAuditLogControllerTests : ManagementApiTest<ByKeyAuditLogController>`
			`{`
			`protected override Expression<Func<ByKeyAuditLogController, object>> MethodSelector =>`
			`x => x.ByKey(Constants.Security.SuperUserKey, Direction.Ascending, null, 0, 100);`

			`[Test]`
			`public virtual async Task As_Admin_I_Have_Access()`
			`{`
			`await AuthenticateClientAsync(Client, "admin@umbraco.com", "1234567890", true);`

			`var response = await Client.GetAsync(Url);`

			`Assert.AreEqual(HttpStatusCode.OK, response.StatusCode, await response.Content.ReadAsStringAsync());`
			`}`

			`[Test]`
			`public virtual async Task As_Editor_I_Have_Access()`
			`{`
			`await AuthenticateClientAsync(Client, "editor@umbraco.com", "1234567890", false);`

			`var response = await Client.GetAsync(Url);`

			`Assert.AreEqual(HttpStatusCode.OK, response.StatusCode, await response.Content.ReadAsStringAsync());`
			`}`

			`[Test]`
			`public virtual async Task Unauthourized_when_no_token_is_provided()`
			`{`
			`var response = await Client.GetAsync(Url);`

			`Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode, await response.Content.ReadAsStringAsync());`
			`}`
			`}`