feat: Refactor authorization checks to use game-scoped claims and add unit tests for AdminActionsAuthHandler

Author: frasermolyneux

src/XtremeIdiots.Portal.Web.Tests/Auth/Handlers/AdminActionsAuthHandlerTests.cs

@@ -0,0 +1,149 @@
+using Microsoft.AspNetCore.Authorization;
+using System.Security.Claims;
+using XtremeIdiots.Portal.Repository.Abstractions.Constants.V1;
+using XtremeIdiots.Portal.Web.Auth.Constants;
+using XtremeIdiots.Portal.Web.Auth.Handlers;
+using XtremeIdiots.Portal.Web.Auth.Requirements;
+
+namespace XtremeIdiots.Portal.Web.Tests.Auth.Handlers;
+
+public class AdminActionsAuthHandlerTests
+{
+    [Fact]
+    public async Task HandleAsync_Create_SucceedsForCod4ClaimOnCod4xResource()
+    {
+        var requirement = new AdminActionsCreate();
+        var user = CreateUser(new Claim(UserProfileClaimType.GameAdmin, GameType.CallOfDuty4.ToString()));
+        var context = new AuthorizationHandlerContext([requirement], user, (GameType.CallOfDuty4x, AdminActionType.Ban));
+
+        var sut = new AdminActionsAuthHandler();
+        await sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Fact]
+    public async Task HandleAsync_Create_SucceedsForCod4PermissionClaimOnCod4xResource()
+    {
+        var requirement = new AdminActionsCreate();
+        var user = CreateUser(new Claim(AuthPolicies.AdminActions_Create, GameType.CallOfDuty4.ToString()));
+        var context = new AuthorizationHandlerContext([requirement], user, (GameType.CallOfDuty4x, AdminActionType.Ban));
+
+        var sut = new AdminActionsAuthHandler();
+        await sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Fact]
+    public async Task HandleAsync_Create_SucceedsForCod4xClaimOnCod4Resource()
+    {
+        var requirement = new AdminActionsCreate();
+        var user = CreateUser(new Claim(UserProfileClaimType.GameAdmin, GameType.CallOfDuty4x.ToString()));
+        var context = new AuthorizationHandlerContext([requirement], user, (GameType.CallOfDuty4, AdminActionType.Ban));
+
+        var sut = new AdminActionsAuthHandler();
+        await sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Fact]
+    public async Task HandleAsync_Create_DoesNotSucceedForDifferentGame()
+    {
+        var requirement = new AdminActionsCreate();
+        var user = CreateUser(new Claim(UserProfileClaimType.GameAdmin, GameType.Insurgency.ToString()));
+        var context = new AuthorizationHandlerContext([requirement], user, (GameType.CallOfDuty4x, AdminActionType.Ban));
+
+        var sut = new AdminActionsAuthHandler();
+        await sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Fact]
+    public async Task HandleAsync_EditObservation_SucceedsForCod4ModeratorOnCod4xWhenOwner()
+    {
+        var requirement = new AdminActionsEdit();
+        var ownerId = "owner-1";
+        var user = CreateUser(
+            new Claim(UserProfileClaimType.Moderator, GameType.CallOfDuty4.ToString()),
+            new Claim(UserProfileClaimType.XtremeIdiotsId, ownerId));
+
+        var context = new AuthorizationHandlerContext(
+            [requirement],
+            user,
+            (GameType.CallOfDuty4x, AdminActionType.Observation, ownerId));
+
+        var sut = new AdminActionsAuthHandler();
+        await sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Fact]
+    public async Task HandleAsync_EditObservation_DoesNotSucceedForCod4ModeratorOnCod4xWhenNotOwner()
+    {
+        var requirement = new AdminActionsEdit();
+        var ownerId = "owner-1";
+        var user = CreateUser(
+            new Claim(UserProfileClaimType.Moderator, GameType.CallOfDuty4.ToString()),
+            new Claim(UserProfileClaimType.XtremeIdiotsId, "different-owner"));
+
+        var context = new AuthorizationHandlerContext(
+            [requirement],
+            user,
+            (GameType.CallOfDuty4x, AdminActionType.Observation, ownerId));
+
+        var sut = new AdminActionsAuthHandler();
+        await sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Fact]
+    public async Task HandleAsync_Lift_SucceedsForCod4GameAdminOnCod4xWhenOwner()
+    {
+        var requirement = new AdminActionsLift();
+        var ownerId = "owner-2";
+        var user = CreateUser(
+            new Claim(UserProfileClaimType.GameAdmin, GameType.CallOfDuty4.ToString()),
+            new Claim(UserProfileClaimType.XtremeIdiotsId, ownerId));
+
+        var context = new AuthorizationHandlerContext(
+            [requirement],
+            user,
+            (GameType.CallOfDuty4x, ownerId));
+
+        var sut = new AdminActionsAuthHandler();
+        await sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Fact]
+    public async Task HandleAsync_Lift_DoesNotSucceedForCod4GameAdminOnCod4xWhenNotOwner()
+    {
+        var requirement = new AdminActionsLift();
+        var ownerId = "owner-2";
+        var user = CreateUser(
+            new Claim(UserProfileClaimType.GameAdmin, GameType.CallOfDuty4.ToString()),
+            new Claim(UserProfileClaimType.XtremeIdiotsId, "different-owner"));
+
+        var context = new AuthorizationHandlerContext(
+            [requirement],
+            user,
+            new Tuple<GameType, string>(GameType.CallOfDuty4x, ownerId));
+
+        var sut = new AdminActionsAuthHandler();
+        await sut.HandleAsync(context);
+
+        Assert.False(context.HasSucceeded);
+    }
+
+    private static ClaimsPrincipal CreateUser(params Claim[] claims)
+    {
+        var identity = new ClaimsIdentity(claims, authenticationType: "TestAuthType");
+        return new ClaimsPrincipal(identity);
+    }
+}

src/XtremeIdiots.Portal.Web/Auth/Handlers/AdminActionsAuthHandler.cs

@@ -113,14 +113,14 @@ private static void HandleLift(AuthorizationHandlerContext context, IAuthorizati
         if (context.Resource is Tuple<GameType, string> refTuple)
         {
             BaseAuthorizationHelper.CheckHeadAdminAccess(context, requirement, refTuple.Item1);
-            if (context.User.HasClaim(UserProfileClaimType.GameAdmin, refTuple.Item1.ToString()) &&
+            if (BaseAuthorizationHelper.HasGameScopedClaim(context.User, UserProfileClaimType.GameAdmin, refTuple.Item1) &&
                 BaseAuthorizationHelper.IsActionOwner(context, refTuple.Item2))
                 context.Succeed(requirement);
         }
         else if (context.Resource is (GameType gameType, string adminId))
         {
             BaseAuthorizationHelper.CheckHeadAdminAccess(context, requirement, gameType);
-            if (context.User.HasClaim(UserProfileClaimType.GameAdmin, gameType.ToString()) &&
+            if (BaseAuthorizationHelper.HasGameScopedClaim(context.User, UserProfileClaimType.GameAdmin, gameType) &&
                 BaseAuthorizationHelper.IsActionOwner(context, adminId))
                 context.Succeed(requirement);
         }
@@ -157,10 +157,9 @@ AdminActionType.Warning or
 
     private static void CheckActionSpecificEditPermissions(AuthorizationHandlerContext context, IAuthorizationRequirement requirement, GameType gameType, AdminActionType adminActionType, string? adminId)
     {
-        var gameTypeString = gameType.ToString();
         var isOwner = BaseAuthorizationHelper.IsActionOwner(context, adminId);
-        var isModerator = context.User.HasClaim(UserProfileClaimType.Moderator, gameTypeString);
-        var isGameAdmin = context.User.HasClaim(UserProfileClaimType.GameAdmin, gameTypeString);
+        var isModerator = BaseAuthorizationHelper.HasGameScopedClaim(context.User, UserProfileClaimType.Moderator, gameType);
+        var isGameAdmin = BaseAuthorizationHelper.HasGameScopedClaim(context.User, UserProfileClaimType.GameAdmin, gameType);
 
         switch (adminActionType)
         {

src/XtremeIdiots.Portal.Web/Auth/Handlers/BaseAuthorizationHelper.cs

@@ -1,4 +1,5 @@
 using Microsoft.AspNetCore.Authorization;
+using System.Security.Claims;
 using XtremeIdiots.Portal.Repository.Abstractions.Constants.V1;
 using XtremeIdiots.Portal.Web.Auth;
 using XtremeIdiots.Portal.Web.Auth.Constants;
@@ -124,7 +125,7 @@ public static void CheckClaimTypes(AuthorizationHandlerContext context, IAuthori
     /// <param name="gameType">The game type to check permissions for</param>
     public static void CheckHeadAdminAccess(AuthorizationHandlerContext context, IAuthorizationRequirement requirement, GameType gameType)
     {
-        if (context.User.HasClaim(UserProfileClaimType.HeadAdmin, gameType.ToString()))
+        if (HasGameScopedClaim(context.User, UserProfileClaimType.HeadAdmin, gameType))
             context.Succeed(requirement);
     }
 
@@ -136,10 +137,8 @@ public static void CheckHeadAdminAccess(AuthorizationHandlerContext context, IAu
     /// <param name="gameType">The game type to check permissions for</param>
     public static void CheckGameAdminAccess(AuthorizationHandlerContext context, IAuthorizationRequirement requirement, GameType gameType)
     {
-        var gameTypeString = gameType.ToString();
-
-        if (context.User.HasClaim(UserProfileClaimType.HeadAdmin, gameTypeString) ||
-            context.User.HasClaim(UserProfileClaimType.GameAdmin, gameTypeString))
+        if (HasGameScopedClaim(context.User, UserProfileClaimType.HeadAdmin, gameType) ||
+            HasGameScopedClaim(context.User, UserProfileClaimType.GameAdmin, gameType))
         {
             context.Succeed(requirement);
         }
@@ -153,10 +152,8 @@ public static void CheckGameAdminAccess(AuthorizationHandlerContext context, IAu
     /// <param name="gameType">The game type to check permissions for</param>
     public static void CheckModeratorAccess(AuthorizationHandlerContext context, IAuthorizationRequirement requirement, GameType gameType)
     {
-        var gameTypeString = gameType.ToString();
-
-        if (context.User.HasClaim(UserProfileClaimType.Moderator, gameTypeString) ||
-            context.User.HasClaim(UserProfileClaimType.GameAdmin, gameTypeString))
+        if (HasGameScopedClaim(context.User, UserProfileClaimType.Moderator, gameType) ||
+            HasGameScopedClaim(context.User, UserProfileClaimType.GameAdmin, gameType))
         {
             context.Succeed(requirement);
         }
@@ -342,7 +339,7 @@ public static void CheckGameTypeAndServerAccess(AuthorizationHandlerContext cont
     /// <param name="gameType">The game type to check permissions for</param>
     public static void CheckGameServerAccess(AuthorizationHandlerContext context, IAuthorizationRequirement requirement, GameType gameType)
     {
-        if (context.User.HasClaim(AdditionalPermission.GameServers_Read, gameType.ToString()))
+        if (HasGameScopedClaim(context.User, AdditionalPermission.GameServers_Read, gameType))
             context.Succeed(requirement);
     }
 
@@ -392,7 +389,7 @@ public static void CheckCombinedGameServerAccess(AuthorizationHandlerContext con
     /// <param name="gameType">The game type to check permissions for</param>
     public static void CheckLiveRconAccess(AuthorizationHandlerContext context, IAuthorizationRequirement requirement, GameType gameType)
     {
-        if (context.User.HasClaim(AdditionalPermission.GameServers_Admin_Rcon, gameType.ToString()))
+        if (HasGameScopedClaim(context.User, AdditionalPermission.GameServers_Admin_Rcon, gameType))
             context.Succeed(requirement);
     }
 
@@ -435,7 +432,7 @@ public static void CheckDirectPermissionGrant(AuthorizationHandlerContext contex
         if (resourceGameType.HasValue)
         {
             // Check game-scoped permission
-            if (context.User.HasClaim(permissionClaimType, resourceGameType.Value.ToString()))
+            if (HasGameScopedClaim(context.User, permissionClaimType, resourceGameType.Value))
                 context.Succeed(requirement);
 
             // Also check server-scoped permission if a server ID is present
@@ -451,6 +448,26 @@ public static void CheckDirectPermissionGrant(AuthorizationHandlerContext contex
             context.Succeed(requirement);
     }
 
+    /// <summary>
+    /// Checks for a game-scoped claim, including known equivalent game mappings.
+    /// </summary>
+    public static bool HasGameScopedClaim(ClaimsPrincipal user, string claimType, GameType gameType)
+    {
+        return GetEquivalentGameTypes(gameType)
+            .Any(equivalentGameType => user.HasClaim(claimType, equivalentGameType.ToString()));
+    }
+
+    private static IReadOnlyList<GameType> GetEquivalentGameTypes(GameType gameType)
+    {
+        if (gameType == GameType.CallOfDuty4)
+            return [GameType.CallOfDuty4, GameType.CallOfDuty4x];
+
+        if (gameType == GameType.CallOfDuty4x)
+            return [GameType.CallOfDuty4x, GameType.CallOfDuty4];
+
+        return [gameType];
+    }
+
     #endregion
 
     #region Utility Methods