Added BASHER logic to Service controller and made some refactoring

Author: aremo-ms

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts-withCert/sample.json

@@ -94,8 +94,19 @@
         "SampleSubPath": "4-WebApp-Your-API\\4-1-MyOrg",
         "ProjectDirectory": "\\TodoListService"
       },
-      "AppScopes": [ "ToDoList.Read", "ToDoList.Write" ]
-
+      "Scopes": [ "ToDoList.Read", "ToDoList.ReadWrite" ]
+      //"AppRoles": [
+      //  {
+      //    "Types": [ "Application" ],
+      //    "Name": "ToDoList.Read.All",
+      //    "Description": "Application can only read ToDo list"
+      //  },
+      //  {
+      //    "Types": [ "Application" ],
+      //    "Name": "ToDoList.ReadWrite.All",
+      //    "Description": "Application can read and write into ToDo list"
+      //  }
+      //]
     },
     {
       "Id": "client",
@@ -114,6 +125,8 @@
       ],
       "Certificate": "the certificate will be named by application name",
       "ManualSteps": [],
+      "EnableAccessTokenIssuance": "true",
+      "EnableIdTokenIssuance": "false",
       "Sample": {
         "SampleSubPath": "4-WebApp-Your-API\\4-1-MyOrg",
         "ProjectDirectory": "\\Client"

4-WebApp-your-API/4-1-MyOrg/AppCreationScripts/sample.json

@@ -94,7 +94,19 @@
         "SampleSubPath": "4-WebApp-Your-API\\4-1-MyOrg",
         "ProjectDirectory": "\\TodoListService"
       },
-      "Scopes": [ "ToDoList.Read", "ToDoList.Write" ]
+      "Scopes": [ "ToDoList.Read", "ToDoList.ReadWrite" ]
+      //"AppRoles": [
+      //  {
+      //    "Types": [ "Application" ],
+      //    "Name": "ToDoList.Read.All",
+      //    "Description": "Application can only read ToDo list"
+      //  },
+      //  {
+      //    "Types": [ "Application" ],
+      //    "Name": "ToDoList.ReadWrite.All",
+      //    "Description": "Application can read and write into ToDo list"
+      //  }
+      //]
     },
     {
       "Id": "client",
@@ -112,6 +124,8 @@
         }
       ],
       "ManualSteps": [],
+      "EnableAccessTokenIssuance": "true",
+      "EnableIdTokenIssuance": "false",
       "Sample": {
         "SampleSubPath": "4-WebApp-Your-API\\4-1-MyOrg",
         "ProjectDirectory": "\\Client"

4-WebApp-your-API/4-1-MyOrg/Client/Controllers/TodoListController.cs

@@ -2,8 +2,8 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Identity.Web;
 using System.Threading.Tasks;
+using TodoListClient.Models;
 using TodoListClient.Services;
-using TodoListService.Models;
 
 namespace TodoListClient.Controllers
 {

4-WebApp-your-API/4-1-MyOrg/Client/Infrastructure/Constants.cs

@@ -4,5 +4,6 @@ public static class Constants
     {
         public const string ScopeUserImpersonation = "user_impersonation";
         public const string BearerAuthorizationScheme = "Bearer";
+        public const string ScopeClaimType = "http://schemas.microsoft.com/identity/claims/scope";
     }
 }

4-WebApp-your-API/4-1-MyOrg/TodoListService/Models/TodoItem.cs renamed to 4-WebApp-your-API/4-1-MyOrg/Client/Models/TodoItem.cs

@@ -1,4 +1,4 @@
-namespace TodoListService.Models
+namespace TodoListClient.Models
 {
     public class Todo
     {

4-WebApp-your-API/4-1-MyOrg/Client/Services/ITodoListService.cs

@@ -24,7 +24,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 
 using System.Collections.Generic;
 using System.Threading.Tasks;
-using TodoListService.Models;
+using TodoListClient.Models;
 
 namespace TodoListClient.Services
 {

4-WebApp-your-API/4-1-MyOrg/Client/Services/TodoListService.cs

@@ -12,7 +12,7 @@
 using System.Net.Http.Headers;
 using System.Text;
 using System.Threading.Tasks;
-using TodoListService.Models;
+using TodoListClient.Models;
 
 namespace TodoListClient.Services
 {

4-WebApp-your-API/4-1-MyOrg/Client/TodoListClient.csproj

@@ -18,12 +18,8 @@
   </ItemGroup>
 
   <ItemGroup>
-    <Compile Include="..\TodoListService\Models\TodoItem.cs" Link="Models\TodoItem.cs" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <PackageReference Include="Microsoft.Identity.Web" Version="1.24.0" />
-    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.24.0" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="1.25.0" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.25.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
   </ItemGroup>
 

4-WebApp-your-API/4-1-MyOrg/Client/Views/TodoList/Create.cshtml

@@ -1,4 +1,4 @@
-@model TodoListService.Models.Todo
+@model TodoListClient.Models.Todo
 @{
     ViewData["Title"] = "Create";
 }

4-WebApp-your-API/4-1-MyOrg/Client/Views/TodoList/Delete.cshtml

@@ -1,4 +1,4 @@
-@model TodoListService.Models.Todo
+@model TodoListClient.Models.Todo
 
 @{
     ViewData["Title"] = "Delete";

4-WebApp-your-API/4-1-MyOrg/Client/Views/TodoList/Details.cshtml

@@ -1,4 +1,4 @@
-@model TodoListService.Models.Todo
+@model TodoListClient.Models.Todo
 
 @{
     ViewData["Title"] = "Details";

4-WebApp-your-API/4-1-MyOrg/Client/Views/TodoList/Edit.cshtml

@@ -1,4 +1,4 @@
-@model TodoListService.Models.Todo
+@model TodoListClient.Models.Todo
 @{
     ViewData["Title"] = "Edit";
 }

4-WebApp-your-API/4-1-MyOrg/Client/Views/TodoList/Index.cshtml

@@ -1,4 +1,4 @@
-@model IEnumerable<TodoListService.Models.Todo>
+@model IEnumerable<TodoListClient.Models.Todo>
 
 @{
     ViewData["Title"] = "Index";

4-WebApp-your-API/4-1-MyOrg/TodoListService/Controllers/TodoListController.cs

@@ -5,9 +5,12 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Identity.Web.Resource;
+using System;
 using System.Collections.Generic;
 using System.Linq;
-using TodoListService.Models;
+using System.Security.Claims;
+using TodoListClient.Models;
+using WebApp_OpenIDConnect_DotNet.Infrastructure;
 
 namespace TodoListService.Controllers
 {
@@ -29,64 +32,151 @@ public TodoListController(IHttpContextAccessor contextAccessor)
             {
                 TodoStore.Add(1, new Todo() { Id = 1, Owner = $"{_contextAccessor.HttpContext.User.Identity.Name}", Title = "Pick up groceries" });
                 TodoStore.Add(2, new Todo() { Id = 2, Owner = $"{_contextAccessor.HttpContext.User.Identity.Name}", Title = "Finish invoice report" });
+                TodoStore.Add(3, new Todo() { Id = 3, Owner = "Other User", Title = "Rent a car" });
+                TodoStore.Add(4, new Todo() { Id = 4, Owner = "Other User", Title = "Get vaccinated" });
             }
         }
 
         // GET: api/values
         [HttpGet]
-        [RequiredScope(new string[] { "ToDoList.Read", "ToDoList.Write" })]
+        [RequiredScopeOrAppPermission(
+            AcceptedScope = new string[] { "ToDoList.Read", "ToDoList.ReadWrite" },
+            AcceptedAppPermission = new string[] { "ToDoList.Read.All", "ToDoList.ReadWrite.All" }
+            )]
         public IEnumerable<Todo> Get()
         {
-            string owner = User.Identity.Name;
-            return TodoStore.Values.Where(x => x.Owner == owner);
+            if (IsInScopes(new string[] { "ToDoList.Read", "ToDoList.ReadWrite" }))
+            {
+                return TodoStore.Values.Where(x => x.Owner == User.Identity.Name);
+            }
+            else if (IsInPermissions(new string[] { "ToDoList.Read.All", "ToDoList.ReadWrite.All" }))
+            {
+                return TodoStore.Values;
+            }
+
+            throw new ApplicationException("It's impossible for you to be in this state in a normal situation.");
         }
 
         // GET: api/values
         [HttpGet("{id}", Name = "Get")]
-        [RequiredScope(new string[] { "ToDoList.Read", "ToDoList.Write" })]
+        [RequiredScopeOrAppPermission(
+            AcceptedScope = new string[] { "ToDoList.Read", "ToDoList.ReadWrite" },
+            AcceptedAppPermission = new string[] { "ToDoList.Read.All", "ToDoList.ReadWrite.All" })]
         public Todo Get(int id)
         {
-            return TodoStore.Values.FirstOrDefault(t => t.Id == id);
+            //if it only has delegated permissions
+            //then it will be t.id==id && x.Owner == owner
+            //if it has app permissions the it will return  t.id==id
+
+            if (IsInScopes(new string[] { "ToDoList.Read", "ToDoList.ReadWrite" }))
+            {
+                return TodoStore.Values.FirstOrDefault(t => t.Id == id && t.Owner == User.Identity.Name);
+            }
+            else if (IsInPermissions(new string[] { "ToDoList.Read.All", "ToDoList.ReadWrite.All" }))
+            {
+                return TodoStore.Values.FirstOrDefault(t => t.Id == id);
+            }
+
+            throw new ApplicationException("It's impossible for you to be in this state. STINKY HACKER");
         }
 
         [HttpDelete("{id}")]
-        [RequiredScope("ToDoList.Write")]
+        [RequiredScopeOrAppPermission(
+            AcceptedScope = new string[] { "ToDoList.ReadWrite" },
+            AcceptedAppPermission = new string[] { "ToDoList.ReadWrite.All" })]
         public void Delete(int id)
         {
-            TodoStore.Remove(id);
+
+            if (
+                (
+
+                IsInScopes(new string[] { "ToDoList.ReadWrite" }) && TodoStore.Values.Any(x => x.Id == id && x.Owner == User.Identity.Name))
+
+                ||
+
+                IsInPermissions(new string[] { "ToDoList.ReadWrite.All" })
+                )
+            {
+                TodoStore.Remove(id);
+            }
+
+            else
+            {
+                throw new ApplicationException("No idea how you've got here");
+            }
         }
 
         // POST api/values
         [HttpPost]
-        [RequiredScope("ToDoList.Write")]
+        [RequiredScopeOrAppPermission(
+            AcceptedScope = new string[] { "ToDoList.ReadWrite" },
+            AcceptedAppPermission = new string[] { "ToDoList.ReadWrite.All" })]
         public IActionResult Post([FromBody] Todo todo)
         {
+            var owner = HttpContext.User.Identity.Name;
+
+            if (IsInPermissions(new string[] { "ToDoList.ReadWrite.All" }))
+            {
+                //with such a permission any owner name is accepted from UI
+                owner = todo.Owner;
+            }
+            else
+            {
+                throw new ApplicationException("Somehow you've sneaked in. Impossible... Just a bug in Matrix...");
+            }
+
             int id = TodoStore.Values.OrderByDescending(x => x.Id).FirstOrDefault().Id + 1;
-            Todo todonew = new Todo() { Id = id, Owner = HttpContext.User.Identity.Name, Title = todo.Title };
+            Todo todonew = new Todo() { Id = id, Owner = owner, Title = todo.Title };
             TodoStore.Add(id, todonew);
 
             return Ok(todo);
         }
 
         // PATCH api/values
         [HttpPatch("{id}")]
-        [RequiredScope("ToDoList.Write")]
+        [RequiredScopeOrAppPermission(
+            AcceptedScope = new string[] { "ToDoList.ReadWrite" },
+            AcceptedAppPermission = new string[] { "ToDoList.ReadWrite.All" })]
         public IActionResult Patch(int id, [FromBody] Todo todo)
         {
-            if (id != todo.Id)
+            if (id != todo.Id || !TodoStore.Values.Any(x => x.Id == id))
             {
                 return NotFound();
             }
 
-            if (TodoStore.Values.FirstOrDefault(x => x.Id == id) == null)
+            if (
+                IsInScopes(new string[] { "ToDoList.ReadWrite" }) 
+                && TodoStore.Values.Any(x => x.Id == id && x.Owner == User.Identity.Name)
+                && todo.Owner == User.Identity.Name
+
+                ||
+
+                IsInPermissions(new string[] { "ToDoList.ReadWrite.All" })
+
+                )
             {
-                return NotFound();
+                TodoStore.Remove(id);
+                TodoStore.Add(id, todo);
+
+                return Ok(todo);
             }
 
-            TodoStore.Remove(id);
-            TodoStore.Add(id, todo);
+            throw new ApplicationException("You have insufficient permissions to run this patch operation.");
 
-            return Ok(todo);
+        }
+
+        //check if the permission is inside claims
+        private bool IsInPermissions(string[] permissionsNames)
+        {
+            return User.Claims.Where(c => c.Type.Equals(ClaimTypes.Role)).FirstOrDefault()
+                .Value.Split(' ').Any(v => permissionsNames.Any(p => p.Equals(v)));
+        }
+
+        //check if the scope is inside claims
+        private bool IsInScopes(string[] scopesNames)
+        {
+            return User.Claims.Where(c => c.Type.Equals(Constants.ScopeClaimType)).FirstOrDefault()
+                .Value.Split(' ').Any(v => scopesNames.Any(s => s.Equals(v)));
         }
     }
 }

4-WebApp-your-API/4-1-MyOrg/TodoListService/TodoListService.csproj

@@ -7,7 +7,11 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Identity.Web" Version="1.24.0" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="1.25.0" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\Client\TodoListClient.csproj" />
   </ItemGroup>
 
 </Project>