Bulk roles/permissions.

Author: eben-roux

README.md

@@ -5,30 +5,3 @@ An Identity and Access Management (IAM) platform.
 # Documentation
 
 Please visit the [Shuttle.Access documentation](https://www.pendel.co.za/shuttle-access/home.html) for more information
-
-- move "allow identity/password" setting to back-end
-- add description to identity (for OID scenarios)
-- logging of tokens as option
-- configuration.json:
-
-```json
-{
-    "Roles": [
-        {
-            "Name": "Admin",
-            "Description": "Administrator role",
-            "Permissions": [
-                "system://name/permission-a"
-            ]
-        },
-        {
-            "Name": "User",
-            "Description": "User role"
-        }
-    ],
-    "Permissions": [
-        "system://name/permission-a",
-        "system://name/permission-b",
-    ]
-}
-```

Shuttle.Access.Application/.package/package.nuspec

@@ -17,6 +17,7 @@
     <tags>iam identity authorization authentication security permissions</tags>
     <dependencies>
             <dependency id="Microsoft.CSharp" version="4.7.0" />
+      <dependency id="Shuttle.Access" version="7.3.0" />
       <dependency id="Shuttle.Core.Contract" version="20.0.1" />
       <dependency id="Shuttle.Core.Mediator" version="20.0.0" />
       <dependency id="Shuttle.Esb" version="20.0.0" />

Shuttle.Access.Application/ConfigureApplicationParticipant.cs

@@ -84,10 +84,7 @@ public async Task ProcessMessageAsync(IParticipantContext<ConfigureApplication>
         {
             _logger.LogDebug("[role/registration] : name = 'Administrator'");
 
-            var registerRoleMessage = new RequestResponseMessage<RegisterRole, RoleRegistered>(new()
-            {
-                Name = "Administrator"
-            });
+            var registerRoleMessage = new RequestResponseMessage<RegisterRole, RoleRegistered>(new("Administrator"));
 
             await _mediator.SendAsync(registerRoleMessage);
 

Shuttle.Access.Application/Messages/RegisterRole.cs

@@ -0,0 +1,40 @@
+using System.Collections.Generic;
+using Shuttle.Core.Contract;
+
+namespace Shuttle.Access.Application;
+
+public class RegisterRole
+{
+    private readonly List<string> _permissions = [];
+
+    public string Name { get; }
+    public bool HasMissingPermissions { get; private set; }
+    
+    public RegisterRole(string name)
+    {
+        Name = Guard.AgainstEmpty(name);
+    }
+
+    public RegisterRole AddPermissions(IEnumerable<string> permissions)
+    {
+        Guard.AgainstNull(permissions);
+
+        foreach (var permission in permissions)
+        {
+            if (!_permissions.Contains(permission))
+            {
+                _permissions.Add(permission);
+            }
+        }
+
+        return this;
+    }
+
+    public IEnumerable<string> GetPermissions() => _permissions.AsReadOnly();
+
+    public RegisterRole MissingPermissions()
+    {
+        HasMissingPermissions = true;
+        return this;
+    }
+}

Shuttle.Access.Application/RegisterRoleParticipant.cs

@@ -1,5 +1,8 @@
 using System;
+using System.Collections.Generic;
+using System.Linq;
 using System.Threading.Tasks;
+using Shuttle.Access.DataAccess;
 using Shuttle.Access.Messages.v1;
 using Shuttle.Core.Contract;
 using Shuttle.Core.Mediator;
@@ -10,13 +13,15 @@ namespace Shuttle.Access.Application;
 
 public class RegisterRoleParticipant : IParticipant<RequestResponseMessage<RegisterRole, RoleRegistered>>
 {
+    private readonly IPermissionQuery _permissionQuery;
     private readonly IEventStore _eventStore;
     private readonly IIdKeyRepository _idKeyRepository;
 
-    public RegisterRoleParticipant(IEventStore eventStore, IIdKeyRepository idKeyRepository)
+    public RegisterRoleParticipant(IEventStore eventStore, IIdKeyRepository idKeyRepository, IPermissionQuery permissionQuery)
     {
         _eventStore = Guard.AgainstNull(eventStore);
         _idKeyRepository = Guard.AgainstNull(idKeyRepository);
+        _permissionQuery = Guard.AgainstNull(permissionQuery);
     }
 
     public async Task ProcessMessageAsync(IParticipantContext<RequestResponseMessage<RegisterRole, RoleRegistered>> context)
@@ -25,6 +30,24 @@ public async Task ProcessMessageAsync(IParticipantContext<RequestResponseMessage
 
         var message = context.Message.Request;
 
+        var permissionIds = new List<Guid>();
+
+        foreach (var permission in message.GetPermissions())
+        {
+            var permissionId = (await _permissionQuery.SearchAsync(new DataAccess.Permission.Specification().AddName(permission))).FirstOrDefault()?.Id;
+
+            if (permissionId.HasValue)
+            {
+                permissionIds.Add(permissionId.Value);
+            }
+            else
+            {
+
+                message.MissingPermissions();
+                return;
+            }
+        }
+
         var key = Role.Key(message.Name);
 
         if (await _idKeyRepository.ContainsAsync(key))
@@ -41,6 +64,14 @@ public async Task ProcessMessageAsync(IParticipantContext<RequestResponseMessage
 
         stream.Add(role.Register(message.Name));
 
+        foreach (var permissionId in permissionIds)
+        {
+            if (!role.HasPermission(permissionId))
+            {
+                stream.Add(role.AddPermission(permissionId));
+            }
+        }
+
         context.Message.WithResponse(new()
         {
             Id = id,

Shuttle.Access.Application/Shuttle.Access.Application.csproj

@@ -16,17 +16,14 @@
 
 	<ItemGroup>
 		<PackageReference Include="Microsoft.CSharp" Version="4.7.0" />
+		<PackageReference Include="Shuttle.Access" Version="7.3.0" />
 		<PackageReference Include="Shuttle.Core.Contract" Version="20.0.1" />
 		<PackageReference Include="Shuttle.Core.Mediator" Version="20.0.0" />
 		<PackageReference Include="Shuttle.Esb" Version="20.0.0" />
 		<PackageReference Include="Shuttle.Recall" Version="20.0.0" />
 		<PackageReference Include="Shuttle.Recall.Sql.Storage" Version="20.0.0" />
 	</ItemGroup>
 
-	<ItemGroup>
-	  <ProjectReference Include="..\Shuttle.Access\Shuttle.Access.csproj" />
-	</ItemGroup>
-
 	<ItemGroup>
 	  <Compile Update="Resources.Designer.cs">
 	    <DesignTime>True</DesignTime>

Shuttle.Access.AspNetCore/.package/package.nuspec

@@ -17,7 +17,7 @@
     <tags>iam middleware authorization permissions</tags>
     <dependencies>
             <dependency id="Microsoft.IdentityModel.JsonWebTokens" version="8.7.0" />
-      <dependency id="Shuttle.Access" version="7.2.3" />
+      <dependency id="Shuttle.Access" version="7.3.0" />
       <dependency id="Shuttle.Core.Contract" version="20.0.1" />
     </dependencies>
   </metadata>

Shuttle.Access.AspNetCore/Authentication/RoutingAuthenticationHandler.cs

@@ -2,15 +2,20 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using Shuttle.Core.Contract;
 
 namespace Shuttle.Access.AspNetCore.Authentication;
 
 public class RoutingAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
 {
+    private readonly ILogger _logger;
+    private readonly AccessOptions _accessOptions;
     public const string AuthenticationScheme = "Routing";
 
-    public RoutingAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger, UrlEncoder encoder) : base(options, logger, encoder)
+    public RoutingAuthenticationHandler(IOptions<AccessOptions> accessOptions, IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger, UrlEncoder encoder) : base(options, logger, encoder)
     {
+        _accessOptions = Guard.AgainstNull(Guard.AgainstNull(accessOptions).Value);
+        _logger = logger.CreateLogger(GetType());
     }
 
     protected override async Task<AuthenticateResult> HandleAuthenticateAsync()

Shuttle.Access.Messages/v1/RegisterIdentity.cs

@@ -1,6 +1,4 @@
-using System;
-
-namespace Shuttle.Access.Messages.v1;
+namespace Shuttle.Access.Messages.v1;
 
 public class RegisterIdentity
 {

Shuttle.Access.Messages/v1/RegisterRole.cs

@@ -1,6 +1,10 @@
-namespace Shuttle.Access.Messages.v1;
+using System.Collections.Generic;
+
+namespace Shuttle.Access.Messages.v1;
 
 public class RegisterRole
 {
     public string Name { get; set; } = default!;
+    public List<string> Permissions { get; set; } = [];
+    public int WaitCount { get; set; }
 }

Shuttle.Access.RestClient/.package/package.nuspec

@@ -18,8 +18,8 @@
     <dependencies>
             <dependency id="Refit" version="8.0.0" />
       <dependency id="Refit.HttpClientFactory" version="8.0.0" />
-      <dependency id="Shuttle.Access" version="7.2.3" />
-      <dependency id="Shuttle.Access.AspNetCore" version="7.2.3" />
+      <dependency id="Shuttle.Access" version="7.3.0" />
+      <dependency id="Shuttle.Access.AspNetCore" version="7.3.0" />
       <dependency id="Shuttle.Core.Contract" version="20.0.1" />
     </dependencies>
   </metadata>

Shuttle.Access.Server/v1/MessageHandlers/RoleHandler.cs

@@ -1,4 +1,5 @@
-using System.Threading.Tasks;
+using System;
+using System.Threading.Tasks;
 using Shuttle.Access.Messages.v1;
 using Shuttle.Core.Contract;
 using Shuttle.Core.Data;
@@ -34,14 +35,32 @@ public async Task ProcessMessageAsync(IHandlerContext<RegisterRole> context)
             return;
         }
 
-        var requestResponse = new RequestResponseMessage<RegisterRole, RoleRegistered>(message);
+        var registerRole = new Application.RegisterRole(message.Name);
+
+        registerRole.AddPermissions(message.Permissions);
+
+        var requestResponse = new RequestResponseMessage<Application.RegisterRole, RoleRegistered>(registerRole);
 
         using (new DatabaseContextScope())
         await using (_databaseContextFactory.Create())
         {
             await _mediator.SendAsync(requestResponse);
         }
 
+        if (registerRole.HasMissingPermissions)
+        {
+            if (message.WaitCount < 5)
+            {
+                message.WaitCount++;
+
+                await context.SendAsync(message, builder => builder.Defer(DateTime.Now.AddSeconds(5)).Local());
+
+                return;
+            }
+
+            throw new UnrecoverableHandlerException("Maximum permission wait count reached.");
+        }
+
         if (requestResponse.Response != null)
         {
             await context.PublishAsync(requestResponse.Response);

Shuttle.Access.Sql/Identity/IdentityQueryFactory.cs

@@ -291,10 +291,7 @@ @IdentityId is null
     OR
     i.Id = @IdentityId
 )
-{(columns ? @"
-ORDER BY
-    i.[Name]
-" : string.Empty)}
+{(columns ? @"ORDER BY i.[Name]" : string.Empty)}
 ")
             .AddParameter(Columns.RoleName, specification.RoleName)
             .AddParameter(Columns.Name, specification.Name)

Shuttle.Access.Sql/Permission/PermissionQueryFactory.cs

@@ -142,6 +142,7 @@ INNER JOIN
     RolePermission rp ON (rp.PermissionId = p.Id)
 ")}
 {Where(specification)}
+{(columns ? "ORDER BY p.[Name]" : string.Empty)}
 ")
             .AddParameter(Columns.NameMatch, specification.NameMatch);
     }

Shuttle.Access.Tests/Participants/RegisterRoleParticipantFixture.cs

@@ -3,6 +3,7 @@
 using Moq;
 using NUnit.Framework;
 using Shuttle.Access.Application;
+using Shuttle.Access.DataAccess;
 using Shuttle.Access.Events.Role.v1;
 using Shuttle.Access.Messages.v1;
 using Shuttle.Core.Mediator;
@@ -22,14 +23,14 @@ public async Task Should_be_able_to_add_role_async()
         idKeyRepository.Setup(m => m.ContainsAsync(It.IsAny<string>(), default)).ReturnsAsync(await ValueTask.FromResult(false));
 
         var participant =
-            new RegisterRoleParticipant(eventStore, idKeyRepository.Object);
+            new RegisterRoleParticipant(eventStore, idKeyRepository.Object, new Mock<IPermissionQuery>().Object);
 
-        var addRole = new RegisterRole { Name = "role-name" };
+        var addRole = new Application.RegisterRole("role-name");
 
         var requestResponseMessage =
-            new RequestResponseMessage<RegisterRole, RoleRegistered>(addRole);
+            new RequestResponseMessage<Application.RegisterRole, RoleRegistered>(addRole);
 
-        await participant.ProcessMessageAsync(new ParticipantContext<RequestResponseMessage<RegisterRole, RoleRegistered>>(requestResponseMessage, CancellationToken.None));
+        await participant.ProcessMessageAsync(new ParticipantContext<RequestResponseMessage<Application.RegisterRole, RoleRegistered>>(requestResponseMessage, CancellationToken.None));
 
         Assert.That(requestResponseMessage.Response, Is.Not.Null);
 

Shuttle.Access.Vue/src/locales/en.json

@@ -26,6 +26,7 @@
   "last-administrator": "You cannot remove the administrator role as this identity is the last administrator.",
   "messages": {
     "invalid-credentials": "Invalid credentials.",
+    "invalid-json": "Invalid JSON.",
     "invalid-session": "Invalid session.",
     "missing-credentials": "Incomplete credentials specified.",
     "no-items": "There are no items to display.",
@@ -47,6 +48,7 @@
   "password": "Password",
   "password-mismatch": "Your new password must must the new confirmation password.",
   "permission": "Permission",
+  "permission-json": "JSON Permissions",
   "permission-required": "You do not have permission to access the requested route.",
   "permissions": "Permissions",
   "permissions-button": "permissions",
@@ -57,6 +59,7 @@
   "removed": "Removed",
   "rename": "Rename",
   "role": "Role",
+  "role-json": "JSON Roles",
   "roles": "Roles",
   "role-permissions": "Permissions",
   "role-name": "Role Name",

Shuttle.Access.Vue/src/router/index.ts

@@ -97,6 +97,14 @@ const routes: Array<RouteRecordRaw> = [
           permission: Permissions.Permissions.Manage,
         },
       },
+      {
+        path: "permission/json",
+        name: "permission-json",
+        component: () => import("../views/PermissionJson.vue"),
+        meta: {
+          permission: Permissions.Permissions.Manage,
+        },
+      },
       {
         path: ":id/rename",
         name: "permission-rename",
@@ -124,6 +132,14 @@ const routes: Array<RouteRecordRaw> = [
           permission: Permissions.Roles.Manage,
         },
       },
+      {
+        path: "role/json",
+        name: "role-json",
+        component: () => import("../views/RoleJson.vue"),
+        meta: {
+          permission: Permissions.Roles.Manage,
+        },
+      },
       {
         path: "role/:id/rename",
         name: "role-rename",