Debug (#40)

* use db in requirements
cmu-sei · Apr 3, 2024 · 6744a90 · 6744a90
1 parent cbd90fb
commit 6744a90
Show file tree

Hide file tree

Showing 17 changed files with 116 additions and 83 deletions.
diff --git a/Cite.Api/Cite.Api.csproj b/Cite.Api/Cite.Api.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <Version>1.5.0</Version>
+    <Version>1.5.1</Version>
     <TargetFramework>net6.0</TargetFramework>
     <DocumentationFile>bin\$(Configuration)\$(TargetFramework)\$(AssemblyName).xml</DocumentationFile>
     <NoWarn>CS1591</NoWarn>

diff --git a/Cite.Api/Infrastructure/Authorization/CanIncrementIncidentRequirement.cs b/Cite.Api/Infrastructure/Authorization/CanIncrementIncidentRequirement.cs
@@ -3,28 +3,34 @@
 
 using Microsoft.AspNetCore.Authorization;
 using System;
+using System.Linq;
 using System.Threading.Tasks;
+using Cite.Api.Data;
 
 namespace Cite.Api.Infrastructure.Authorization
 {
     public class CanIncrementMoveRequirement : IAuthorizationRequirement
     {
         public readonly Guid EvaluationId;
+        public readonly CiteContext DbContext;
 
-        public CanIncrementMoveRequirement(Guid evaluationId)
+        public CanIncrementMoveRequirement(Guid evaluationId, CiteContext dbContext)
         {
             EvaluationId = evaluationId;
+            DbContext = dbContext;
         }
     }
 
     public class CanIncrementMoveHandler : AuthorizationHandler<CanIncrementMoveRequirement>, IAuthorizationHandler
     {
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CanIncrementMoveRequirement requirement)
         {
-            if (context.User.HasClaim(c =>
-                c.Type == CiteClaimTypes.CanIncrementMove.ToString() &&
-                c.Value.Contains(requirement.EvaluationId.ToString())
-            ))
+            var userId = context.User.Identities.First().Claims.First(c => c.Type == "sub")?.Value;
+            var canIncrement = requirement.DbContext.TeamUsers
+                .Any(tu => tu.Team.EvaluationId == requirement.EvaluationId &&
+                    tu.UserId.ToString() == userId &&
+                    tu.CanIncrementMove);
+            if (canIncrement)
             {
                 context.Succeed(requirement);
             }

diff --git a/Cite.Api/Infrastructure/Authorization/CanModifyRequirement.cs b/Cite.Api/Infrastructure/Authorization/CanModifyRequirement.cs
@@ -3,28 +3,34 @@
 
 using Microsoft.AspNetCore.Authorization;
 using System;
+using System.Linq;
 using System.Threading.Tasks;
+using Cite.Api.Data;
 
 namespace Cite.Api.Infrastructure.Authorization
 {
     public class CanModifyRequirement : IAuthorizationRequirement
     {
         public readonly Guid EvaluationId;
+        public readonly CiteContext DbContext;
 
-        public CanModifyRequirement(Guid evaluationId)
+        public CanModifyRequirement(Guid evaluationId, CiteContext dbContext)
         {
             EvaluationId = evaluationId;
+            DbContext = dbContext;
         }
     }
 
     public class CanModifyHandler : AuthorizationHandler<CanModifyRequirement>, IAuthorizationHandler
     {
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CanModifyRequirement requirement)
         {
-            if (context.User.HasClaim(c =>
-                c.Type == CiteClaimTypes.CanModify.ToString() &&
-                c.Value.Contains(requirement.EvaluationId.ToString())
-            ))
+            var userId = context.User.Identities.First().Claims.First(c => c.Type == "sub")?.Value;
+            var canModify = requirement.DbContext.TeamUsers
+                .Any(tu => tu.Team.EvaluationId == requirement.EvaluationId &&
+                    tu.UserId.ToString() == userId &&
+                    tu.CanModify);
+            if (canModify)
             {
                 context.Succeed(requirement);
             }

diff --git a/Cite.Api/Infrastructure/Authorization/CanSubmitRequirement.cs b/Cite.Api/Infrastructure/Authorization/CanSubmitRequirement.cs
@@ -3,28 +3,34 @@
 
 using Microsoft.AspNetCore.Authorization;
 using System;
+using System.Linq;
 using System.Threading.Tasks;
+using Cite.Api.Data;
 
 namespace Cite.Api.Infrastructure.Authorization
 {
     public class CanSubmitRequirement : IAuthorizationRequirement
     {
         public readonly Guid EvaluationId;
+        public readonly CiteContext DbContext;
 
-        public CanSubmitRequirement(Guid evaluationId)
+        public CanSubmitRequirement(Guid evaluationId, CiteContext dbContext)
         {
             EvaluationId = evaluationId;
+            DbContext = dbContext;
         }
     }
 
     public class CanSubmitHandler : AuthorizationHandler<CanSubmitRequirement>, IAuthorizationHandler
     {
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CanSubmitRequirement requirement)
         {
-            if (context.User.HasClaim(c =>
-                c.Type == CiteClaimTypes.CanSubmit.ToString() &&
-                c.Value.Contains(requirement.EvaluationId.ToString())
-            ))
+            var userId = context.User.Identities.First().Claims.First(c => c.Type == "sub")?.Value;
+            var canSubmit = requirement.DbContext.TeamUsers
+                .Any(tu => tu.Team.EvaluationId == requirement.EvaluationId &&
+                    tu.UserId.ToString() == userId &&
+                    tu.CanSubmit);
+            if (canSubmit)
             {
                 context.Succeed(requirement);
             }

diff --git a/Cite.Api/Infrastructure/Authorization/EvaluationObserverRequirement.cs b/Cite.Api/Infrastructure/Authorization/EvaluationObserverRequirement.cs
@@ -3,28 +3,34 @@
 
 using Microsoft.AspNetCore.Authorization;
 using System;
+using System.Linq;
 using System.Threading.Tasks;
+using Cite.Api.Data;
 
 namespace Cite.Api.Infrastructure.Authorization
 {
     public class EvaluationObserverRequirement : IAuthorizationRequirement
     {
         public readonly Guid EvaluationId;
+        public readonly CiteContext DbContext;
 
-        public EvaluationObserverRequirement(Guid evaluationId)
+        public EvaluationObserverRequirement(Guid evaluationId, CiteContext dbContext)
         {
             EvaluationId = evaluationId;
+            DbContext = dbContext;
         }
     }
 
     public class EvaluationObserverHandler : AuthorizationHandler<EvaluationObserverRequirement>, IAuthorizationHandler
     {
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, EvaluationObserverRequirement requirement)
         {
-            if (context.User.HasClaim(c =>
-                c.Type == CiteClaimTypes.EvaluationObserver.ToString() &&
-                c.Value.Contains(requirement.EvaluationId.ToString())
-            ))
+            var userId = context.User.Identities.First().Claims.First(c => c.Type == "sub")?.Value;
+            var isObserver = requirement.DbContext.TeamUsers
+                .Any(tu => tu.Team.EvaluationId == requirement.EvaluationId &&
+                    tu.UserId.ToString() == userId &&
+                    tu.IsObserver);
+            if (isObserver)
             {
                 context.Succeed(requirement);
             }

diff --git a/Cite.Api/Infrastructure/Authorization/EvaluationUserRequirement.cs b/Cite.Api/Infrastructure/Authorization/EvaluationUserRequirement.cs
@@ -3,32 +3,34 @@
 
 using Microsoft.AspNetCore.Authorization;
 using System;
+using System.Linq;
 using System.Threading.Tasks;
+using Cite.Api.Data;
 
 namespace Cite.Api.Infrastructure.Authorization
 {
     public class EvaluationUserRequirement : IAuthorizationRequirement
     {
         public readonly Guid EvaluationId;
+        public readonly CiteContext DbContext;
 
-        public EvaluationUserRequirement(Guid evaluationId)
+        public EvaluationUserRequirement(Guid evaluationId, CiteContext dbContext)
         {
             EvaluationId = evaluationId;
+            DbContext = dbContext;
         }
     }
 
     public class EvaluationUserHandler : AuthorizationHandler<EvaluationUserRequirement>, IAuthorizationHandler
     {
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, EvaluationUserRequirement requirement)
         {
+            var userId = context.User.Identities.First().Claims.First(c => c.Type == "sub")?.Value;
+            var isEvaluationUser = requirement.DbContext.TeamUsers
+                .Any(tu => tu.Team.EvaluationId == requirement.EvaluationId && tu.UserId.ToString() == userId);
             if (context.User.HasClaim(c => c.Type == CiteClaimTypes.SystemAdmin.ToString()) ||
                 context.User.HasClaim(c => c.Type == CiteClaimTypes.ContentDeveloper.ToString()) ||
-                (
-                    context.User.HasClaim(c =>
-                        c.Type == CiteClaimTypes.EvaluationUser.ToString() &&
-                        c.Value.Contains(requirement.EvaluationId.ToString())
-                    )
-                )
+                isEvaluationUser
             )
             {
                 context.Succeed(requirement);

diff --git a/Cite.Api/Infrastructure/Authorization/TeamUserRequirement.cs b/Cite.Api/Infrastructure/Authorization/TeamUserRequirement.cs
@@ -3,28 +3,32 @@
 
 using Microsoft.AspNetCore.Authorization;
 using System;
+using System.Linq;
 using System.Threading.Tasks;
+using Cite.Api.Data;
 
 namespace Cite.Api.Infrastructure.Authorization
 {
     public class TeamUserRequirement : IAuthorizationRequirement
     {
         public readonly Guid TeamId;
+        public readonly CiteContext DbContext;
 
-        public TeamUserRequirement(Guid teamId)
+        public TeamUserRequirement(Guid teamId, CiteContext dbContext)
         {
             TeamId = teamId;
+            DbContext = dbContext;
         }
     }
 
     public class TeamUserHandler : AuthorizationHandler<TeamUserRequirement>, IAuthorizationHandler
     {
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, TeamUserRequirement requirement)
         {
-            if (context.User.HasClaim(c =>
-                c.Type == CiteClaimTypes.TeamUser.ToString() &&
-                c.Value.Contains(requirement.TeamId.ToString()))
-            )
+            var userId = context.User.Identities.First().Claims.First(c => c.Type == "sub")?.Value;
+            var isTeamUser = requirement.DbContext.TeamUsers
+                .Any(tu => tu.TeamId == requirement.TeamId && tu.UserId.ToString() == userId);
+            if (isTeamUser)
             {
                 context.Succeed(requirement);
             }

diff --git a/Cite.Api/Infrastructure/EventHandlers/SubmissionHandler.cs b/Cite.Api/Infrastructure/EventHandlers/SubmissionHandler.cs
@@ -119,7 +119,7 @@ protected async Task<string[]> GetSignalrGroupsForSubmissionAsync(SubmissionEnti
             else if (submission.TeamId != null)
             {
                 var teamType = await _db.Teams.Select(t => t.TeamType).SingleOrDefaultAsync(t => t.Id == submission.TeamId);
-                if (teamType.ShowTeamTypeAverage)
+                if (teamType != null && teamType.ShowTeamTypeAverage)
                 {
                     // create the task to send the teamType average
                     var averageSubmission = await _submissionService.GetTypeAverageAsync(_mapper.Map<ViewModels.Submission>(submission), cancellationToken);

diff --git a/Cite.Api/Services/ActionService.cs b/Cite.Api/Services/ActionService.cs
@@ -58,8 +58,8 @@ public class ActionService : IActionService
         public async Task<IEnumerable<ViewModels.Action>> GetByEvaluationTeamAsync(Guid evaluationId, Guid teamId, CancellationToken ct)
         {
             // must be on the specified Team or an observer for the specified Evaluation
-            if (!(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(teamId))).Succeeded &&
-                !(await _authorizationService.AuthorizeAsync(_user, null, new EvaluationObserverRequirement(evaluationId))).Succeeded
+            if (!(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(teamId, _context))).Succeeded &&
+                !(await _authorizationService.AuthorizeAsync(_user, null, new EvaluationObserverRequirement(evaluationId, _context))).Succeeded
             )
                 throw new ForbiddenException();
 
@@ -92,7 +92,7 @@ public async Task<IEnumerable<ViewModels.Action>> GetByEvaluationMoveAsync(Guid
 
         public async Task<IEnumerable<ViewModels.Action>> GetByEvaluationMoveTeamAsync(Guid evaluationId, int moveNumber, Guid teamId, CancellationToken ct)
         {
-            if (!(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(teamId))).Succeeded)
+            if (!(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(teamId, _context))).Succeeded)
                 throw new ForbiddenException();
 
             var actionEntities = await _context.Actions
@@ -114,7 +114,7 @@ public async Task<ViewModels.Action> GetAsync(Guid id, CancellationToken ct)
             if (item == null)
                 throw new EntityNotFoundException<ActionEntity>();
 
-            if (!(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(item.TeamId))).Succeeded)
+            if (!(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(item.TeamId, _context))).Succeeded)
                 throw new ForbiddenException();
 
             return _mapper.Map<ViewModels.Action>(item);
@@ -124,7 +124,7 @@ public async Task<ViewModels.Action> CreateAsync(ViewModels.Action action, Cance
         {
             // user must be on the requested team or a content developer
             if (
-                !(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(action.TeamId))).Succeeded &&
+                !(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(action.TeamId, _context))).Succeeded &&
                 !(await _authorizationService.AuthorizeAsync(_user, null, new ContentDeveloperRequirement())).Succeeded
             )
                 throw new ForbiddenException();
@@ -147,7 +147,7 @@ public async Task<ViewModels.Action> UpdateAsync(Guid id, ViewModels.Action acti
         {
             // user must be on the requested team or a content developer
             if (
-                !(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(action.TeamId))).Succeeded &&
+                !(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(action.TeamId, _context))).Succeeded &&
                 !(await _authorizationService.AuthorizeAsync(_user, null, new ContentDeveloperRequirement())).Succeeded
             )
                 throw new ForbiddenException();
@@ -175,7 +175,7 @@ public async Task<ViewModels.Action> SetIsCheckedAsync(Guid id, bool value, Canc
                 throw new EntityNotFoundException<ActionEntity>();
 
             // user must be on the requested team
-            if (!(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(actionToUpdate.TeamId))).Succeeded)
+            if (!(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(actionToUpdate.TeamId, _context))).Succeeded)
                 throw new ForbiddenException();
 
             actionToUpdate.IsChecked = value;
@@ -194,7 +194,7 @@ public async Task<bool> DeleteAsync(Guid id, CancellationToken ct)
 
             // user must be on the requested team or a content developer
             if (
-                !(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(actionToDelete.TeamId))).Succeeded &&
+                !(await _authorizationService.AuthorizeAsync(_user, null, new TeamUserRequirement(actionToDelete.TeamId, _context))).Succeeded &&
                 !(await _authorizationService.AuthorizeAsync(_user, null, new ContentDeveloperRequirement())).Succeeded
             )
                 throw new ForbiddenException();

diff --git a/Cite.Api/Services/EvaluationService.cs b/Cite.Api/Services/EvaluationService.cs
@@ -195,7 +195,8 @@ public async Task<ViewModels.Evaluation> CreateAsync(ViewModels.Evaluation evalu
 
         public async Task<ViewModels.Evaluation> UpdateAsync(Guid id, ViewModels.Evaluation evaluation, CancellationToken ct)
         {
-            if (!(await _authorizationService.AuthorizeAsync(_user, null, new CanIncrementMoveRequirement(id))).Succeeded)
+            if (!(await _authorizationService.AuthorizeAsync(_user, null, new ContentDeveloperRequirement())).Succeeded &&
+                !(await _authorizationService.AuthorizeAsync(_user, null, new CanIncrementMoveRequirement(id, _context))).Succeeded)
                 throw new ForbiddenException();
 
             var evaluationToUpdate = await _context.Evaluations.SingleOrDefaultAsync(v => v.Id == id, ct);
@@ -267,7 +268,8 @@ public async Task<ViewModels.Evaluation> UpdateAsync(Guid id, ViewModels.Evaluat
 
         public async Task<ViewModels.Evaluation> UpdateSituationAsync(Guid id, EvaluationSituation evaluationSituation, CancellationToken ct)
         {
-            if (!(await _authorizationService.AuthorizeAsync(_user, null, new CanIncrementMoveRequirement(id))).Succeeded)
+            if (!(await _authorizationService.AuthorizeAsync(_user, null, new ContentDeveloperRequirement())).Succeeded &&
+                !(await _authorizationService.AuthorizeAsync(_user, null, new CanIncrementMoveRequirement(id, _context))).Succeeded)
                 throw new ForbiddenException();
 
             var evaluationToUpdate = await _context.Evaluations.SingleOrDefaultAsync(v => v.Id == id, ct);
@@ -287,7 +289,8 @@ public async Task<ViewModels.Evaluation> UpdateSituationAsync(Guid id, Evaluatio
 
         public async Task<ViewModels.Evaluation> SetCurrentMoveAsync(Guid id, int moveNumber, CancellationToken ct)
         {
-            if (!(await _authorizationService.AuthorizeAsync(_user, null, new CanIncrementMoveRequirement(id))).Succeeded)
+            if (!(await _authorizationService.AuthorizeAsync(_user, null, new ContentDeveloperRequirement())).Succeeded &&
+                !(await _authorizationService.AuthorizeAsync(_user, null, new CanIncrementMoveRequirement(id, _context))).Succeeded)
                 throw new ForbiddenException();
 
             var evaluationToUpdate = await _context.Evaluations

diff --git a/Cite.Api/Services/MoveService.cs b/Cite.Api/Services/MoveService.cs
@@ -51,7 +51,7 @@ public class MoveService : IMoveService
 
         public async Task<IEnumerable<ViewModels.Move>> GetByEvaluationAsync(Guid evaluationId, CancellationToken ct)
         {
-            if (!(await _authorizationService.AuthorizeAsync(_user, null, new EvaluationUserRequirement(evaluationId))).Succeeded)
+            if (!(await _authorizationService.AuthorizeAsync(_user, null, new EvaluationUserRequirement(evaluationId, _context))).Succeeded)
                 throw new ForbiddenException();
 
             var moveEntities = await _context.Moves