Add support for read-only role on backend

Author: olaals

backend/api.test/Services/AccessRoleService.cs

@@ -0,0 +1,114 @@
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Api.Database.Context;
+using Api.Database.Models;
+using Api.Services;
+using Api.Test.Database;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using Testcontainers.PostgreSql;
+using Xunit;
+
+namespace Api.Test.Services;
+
+public class AccessRoleServiceTest : IAsyncLifetime
+{
+    public required DatabaseUtilities DatabaseUtilities;
+    public required PostgreSqlContainer Container;
+    public required IAccessRoleService AccessRoleService;
+    public required FlotillaDbContext Context;
+
+    public async Task InitializeAsync()
+    {
+        (Container, string cs, var _) = await TestSetupHelpers.ConfigurePostgreSqlDatabase();
+
+        var factory = TestSetupHelpers.ConfigureWebApplicationFactory(
+            postgreSqlConnectionString: cs
+        );
+        var sp = TestSetupHelpers.ConfigureServiceProvider(factory);
+
+        Context = TestSetupHelpers.ConfigurePostgreSqlContext(cs);
+        DatabaseUtilities = new DatabaseUtilities(Context);
+        AccessRoleService = sp.GetRequiredService<IAccessRoleService>();
+
+        var http = sp.GetRequiredService<IHttpContextAccessor>();
+        http.HttpContext = new DefaultHttpContext
+        {
+            User = new ClaimsPrincipal(
+                new ClaimsIdentity([new Claim(ClaimTypes.Role, "Role.Admin")], "TestAuth")
+            ),
+        };
+
+        var installationHUA = await DatabaseUtilities.NewInstallation("HUA");
+        await AccessRoleService.Create(
+            installationHUA,
+            "Role.ReadOnly.HUA",
+            RoleAccessLevel.READ_ONLY
+        );
+        await AccessRoleService.Create(installationHUA, "Role.User.HUA", RoleAccessLevel.USER);
+    }
+
+    public Task DisposeAsync() => Task.CompletedTask;
+
+    [Fact]
+    public async Task GetAllowedInstallationCodes_ReadMode_WithReadOnlyRole_ReturnsHUA()
+    {
+        var identity = new ClaimsIdentity(
+            [new Claim(ClaimTypes.Role, "Role.ReadOnly.HUA")],
+            "TestAuth"
+        );
+
+        var user = new ClaimsPrincipal(identity);
+
+        var result = await AccessRoleService.GetAllowedInstallationCodes(user, AccessMode.Read);
+
+        Assert.Single(result);
+        Assert.Equal("HUA", result[0]);
+    }
+
+    [Fact]
+    public async Task GetAllowedInstallationCodes_ReadMode_WithUserRole_ReturnsHUA()
+    {
+        var identity = new ClaimsIdentity(
+            [new Claim(ClaimTypes.Role, "Role.User.HUA")],
+            "TestAuth"
+        );
+
+        var user = new ClaimsPrincipal(identity);
+
+        var result = await AccessRoleService.GetAllowedInstallationCodes(user, AccessMode.Read);
+
+        Assert.Single(result);
+        Assert.Equal("HUA", result[0]);
+    }
+
+    [Fact]
+    public async Task GetAllowedInstallationCodes_WriteMode_WithUserRole_ReturnsHUA()
+    {
+        var identity = new ClaimsIdentity(
+            [new Claim(ClaimTypes.Role, "Role.User.HUA")],
+            "TestAuth"
+        );
+
+        var user = new ClaimsPrincipal(identity);
+
+        var result = await AccessRoleService.GetAllowedInstallationCodes(user, AccessMode.Write);
+
+        Assert.Single(result);
+        Assert.Equal("HUA", result[0]);
+    }
+
+    [Fact]
+    public async Task GetAllowedInstallationCodes_WriteMode_WithReadOnlyRole_ReturnsEmpty()
+    {
+        var identity = new ClaimsIdentity(
+            [new Claim(ClaimTypes.Role, "Role.ReadOnly.HUA")],
+            "TestAuth"
+        );
+        var user = new ClaimsPrincipal(identity);
+
+        var result = await AccessRoleService.GetAllowedInstallationCodes(user, AccessMode.Write);
+
+        Assert.Empty(result);
+    }
+}

backend/api/Database/Context/InitDb.cs

@@ -29,14 +29,21 @@ private static List<Inspection> GetInspections()
 
         private static List<AccessRole> GetAccessRoles()
         {
-            var accessRole1 = new AccessRole
+            var userAccessRole = new AccessRole
             {
                 Installation = installations[0],
                 AccessLevel = RoleAccessLevel.ADMIN,
                 RoleName = "Role.User.HUA",
             };
 
-            return new List<AccessRole>([accessRole1]);
+            var readOnlyAccessRole = new AccessRole
+            {
+                Installation = installations[0],
+                AccessLevel = RoleAccessLevel.READ_ONLY,
+                RoleName = "Role.ReadOnly.HUA",
+            };
+
+            return new List<AccessRole>([userAccessRole, readOnlyAccessRole]);
         }
 
         private static List<Installation> GetInstallations()

backend/api/Services/AccessRoleService.cs

@@ -5,10 +5,19 @@
 
 namespace Api.Services
 {
+    public enum AccessMode
+    {
+        Read,
+        Write,
+    }
+
     public interface IAccessRoleService
     {
-        public Task<List<string>> GetAllowedInstallationCodes();
-        public Task<List<string>> GetAllowedInstallationCodes(ClaimsPrincipal user);
+        public Task<List<string>> GetAllowedInstallationCodes(AccessMode accessMode);
+        public Task<List<string>> GetAllowedInstallationCodes(
+            ClaimsPrincipal user,
+            AccessMode accessMode
+        );
         public bool IsUserAdmin();
         public bool IsAuthenticationAvailable();
         public Task<AccessRole> Create(
@@ -33,14 +42,17 @@ private IQueryable<AccessRole> GetAccessRoles(bool readOnly = true)
             return readOnly ? context.AccessRoles.AsNoTracking() : context.AccessRoles.AsTracking();
         }
 
-        public async Task<List<string>> GetAllowedInstallationCodes()
+        public async Task<List<string>> GetAllowedInstallationCodes(AccessMode accessMode)
         {
             var user = httpContextAccessor.HttpContext?.User;
 
-            return await GetAllowedInstallationCodes(user);
+            return await GetAllowedInstallationCodes(user, accessMode);
         }
 
-        public async Task<List<string>> GetAllowedInstallationCodes(ClaimsPrincipal? user)
+        public async Task<List<string>> GetAllowedInstallationCodes(
+            ClaimsPrincipal? user,
+            AccessMode accessMode
+        )
         {
             if (user == null)
                 return await context
@@ -58,18 +70,83 @@ public async Task<List<string>> GetAllowedInstallationCodes(ClaimsPrincipal? use
                 .Claims.Where(c => c.Type == ClaimTypes.Role)
                 .Select(c => c.Value)
                 .ToList();
-            return await GetAllowedInstallationCodes(userRoles);
+
+            var allowedInstallationCodes = await GetAllowedInstallationCodes(userRoles, accessMode);
+
+            return allowedInstallationCodes;
         }
 
-        public async Task<List<string>> GetAllowedInstallationCodes(List<string> roles)
+        private async Task<List<string>> EnsureUserRolesExistInDatabase(List<string> roles)
         {
-            return await GetAccessRoles(readOnly: true)
+            var dbRoles = await GetAccessRoles(readOnly: true)
                 .Include(r => r.Installation)
-                .Where(r => roles.Contains(r.RoleName))
-                .Select(r =>
-                    r.Installation != null ? r.Installation.InstallationCode.ToUpperInvariant() : ""
-                )
+                .Select(r => r.RoleName)
                 .ToListAsync();
+
+            var intersection = roles.Intersect(dbRoles, StringComparer.OrdinalIgnoreCase).ToList();
+
+            return intersection;
+        }
+
+        private static List<string> GetInstallationCodesByAccessMode(
+            List<string> roles,
+            AccessMode accessMode
+        )
+        {
+            List<string> permittedInstallationCodes = [];
+
+            foreach (var role in roles)
+            {
+                switch (accessMode)
+                {
+                    case AccessMode.Read:
+                        if (role.StartsWith("Role.ReadOnly.") || role.StartsWith("Role.User."))
+                        {
+                            var installationCode = TryExtractInstallationCode(role);
+                            if (installationCode is null)
+                                continue;
+                            permittedInstallationCodes.Add(installationCode);
+                        }
+                        break;
+
+                    case AccessMode.Write:
+                        if (role.StartsWith("Role.User."))
+                        {
+                            var installationCode = TryExtractInstallationCode(role);
+                            if (installationCode is null)
+                                continue;
+                            permittedInstallationCodes.Add(installationCode);
+                        }
+                        break;
+                }
+            }
+
+            return [.. permittedInstallationCodes.Distinct()];
+        }
+
+        private static string? TryExtractInstallationCode(string role)
+        {
+            var parts = role.Split('.');
+            if (parts.Length != 3)
+                return null;
+
+            var code = parts[2];
+            return code.Length == 3 ? code : null;
+        }
+
+        public async Task<List<string>> GetAllowedInstallationCodes(
+            List<string> roles,
+            AccessMode accessMode
+        )
+        {
+            var rolesInUserAndDb = await EnsureUserRolesExistInDatabase(roles);
+
+            var permittedInstallationCodes = GetInstallationCodesByAccessMode(
+                rolesInUserAndDb,
+                accessMode
+            );
+
+            return permittedInstallationCodes;
         }
 
         private void ThrowExceptionIfNotAdmin()

backend/api/Services/ExclusionAreaService.cs

@@ -279,7 +279,7 @@ public async Task<ExclusionArea> Update(ExclusionArea exclusionArea)
         private IQueryable<ExclusionArea> GetExclusionAreas(bool readOnly = true)
         {
             var accessibleInstallationCodes = accessRoleService
-                .GetAllowedInstallationCodes()
+                .GetAllowedInstallationCodes(AccessMode.Read)
                 .Result;
             var query = context
                 .ExclusionAreas.Include(p => p.Plant)
@@ -293,7 +293,9 @@ private IQueryable<ExclusionArea> GetExclusionAreas(bool readOnly = true)
 
         private async Task ApplyDatabaseUpdate(Installation? installation)
         {
-            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes();
+            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes(
+                AccessMode.Write
+            );
             if (
                 installation == null
                 || accessibleInstallationCodes.Contains(

backend/api/Services/InspectionAreaService.cs

@@ -282,7 +282,7 @@ public async Task<InspectionArea> Update(InspectionArea inspectionArea)
         private IQueryable<InspectionArea> GetInspectionAreas(bool readOnly = true)
         {
             var accessibleInstallationCodes = accessRoleService
-                .GetAllowedInstallationCodes()
+                .GetAllowedInstallationCodes(AccessMode.Read)
                 .Result;
             var query = context
                 .InspectionAreas.Include(p => p.Plant)
@@ -296,7 +296,9 @@ private IQueryable<InspectionArea> GetInspectionAreas(bool readOnly = true)
 
         private async Task ApplyDatabaseUpdate(Installation? installation)
         {
-            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes();
+            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes(
+                AccessMode.Write
+            );
             if (
                 installation == null
                 || accessibleInstallationCodes.Contains(

backend/api/Services/InspectionService.cs

@@ -91,7 +91,9 @@ AnalysisResult analysisResult
 
         private async Task ApplyDatabaseUpdate(Installation? installation)
         {
-            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes();
+            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes(
+                AccessMode.Write
+            );
             if (
                 installation == null
                 || accessibleInstallationCodes.Contains(

backend/api/Services/InstallationService.cs

@@ -55,7 +55,9 @@ public async Task<IList<Installation>> ReadAll(bool readOnly = true)
 
         private IQueryable<Installation> GetInstallations(bool readOnly = true)
         {
-            var accessibleInstallationCodes = accessRoleService.GetAllowedInstallationCodes();
+            var accessibleInstallationCodes = accessRoleService.GetAllowedInstallationCodes(
+                AccessMode.Read
+            );
             var query = context.Installations.Where(i =>
                 accessibleInstallationCodes.Result.Contains(i.InstallationCode.ToUpper())
             );
@@ -69,7 +71,9 @@ private async Task ApplyUnprotectedDatabaseUpdate()
 
         private async Task ApplyDatabaseUpdate(Installation? installation)
         {
-            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes();
+            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes(
+                AccessMode.Write
+            );
             if (
                 installation == null
                 || accessibleInstallationCodes.Contains(

backend/api/Services/MissionDefinitionService.cs

@@ -228,7 +228,9 @@ public async Task<MissionDefinition> Update(MissionDefinition missionDefinition)
 
         private async Task ApplyDatabaseUpdate(Installation? installation)
         {
-            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes();
+            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes(
+                AccessMode.Write
+            );
             if (
                 installation == null
                 || accessibleInstallationCodes.Contains(
@@ -246,7 +248,9 @@ private IQueryable<MissionDefinition> GetMissionDefinitionsWithSubModels(
             bool readOnly = true
         )
         {
-            var accessibleInstallationCodes = accessRoleService.GetAllowedInstallationCodes();
+            var accessibleInstallationCodes = accessRoleService.GetAllowedInstallationCodes(
+                AccessMode.Read
+            );
             var query = context
                 .MissionDefinitions.Include(missionDefinition =>
                     missionDefinition.AutoScheduleFrequency

backend/api/Services/MissionRunService.cs

@@ -310,7 +310,9 @@ public async Task UpdateWithInspections(MissionRun missionRun)
 
         private IQueryable<MissionRun> GetMissionRunsWithSubModels(bool readOnly = true)
         {
-            var accessibleInstallationCodes = accessRoleService.GetAllowedInstallationCodes();
+            var accessibleInstallationCodes = accessRoleService.GetAllowedInstallationCodes(
+                AccessMode.Read
+            );
             var query = context
                 .MissionRuns.Include(missionRun => missionRun.InspectionArea)
                 .ThenInclude(inspectionArea => inspectionArea != null ? inspectionArea.Plant : null)
@@ -346,7 +348,9 @@ protected virtual void OnMissionRunCreated(MissionRunCreatedEventArgs e)
 
         private async Task ApplyDatabaseUpdate(Installation? installation)
         {
-            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes();
+            var accessibleInstallationCodes = await accessRoleService.GetAllowedInstallationCodes(
+                AccessMode.Write
+            );
             if (
                 installation == null
                 || accessibleInstallationCodes.Contains(