Refactor authorization handlers

Renamed `ViewStudentEnrollmentsAuthorizationHandler` into `AccessOnlyOwnDataAuthorizationHandler` and made it more modular.

Core/Policy/Policies.cs

@@ -7,5 +7,10 @@ public static class Policies
     public const string IsTeacher = "IsTeacher";
     public const string IsTeacherOrAdministrator = "IsTeacherOrAdmin";
     public const string HasAdministratorPermission = "HasAdministratorPermission";
+    /// <summary>
+    /// Policy that determines whether user can view students enrollments.
+    /// Allows teachers and administrators to view all enrollments and other users to view
+    /// only their own enrollments.
+    /// </summary>
     public const string CanViewStudentEnrollments = "CanViewStudentEnrollments";
 }

EUniversity.Tests/Auth/ViewStudentEnrollmentsAuthorizationHandlerTests.cs → EUniversity.Tests/Auth/AccessOnlyOwnDataAuthorizationHandlerTests.cs

@@ -10,14 +10,14 @@
 
 namespace EUniversity.Tests.Auth;
 
-public class ViewStudentEnrollmentsAuthorizationHandlerTests
+public class AccessOnlyOwnDataAuthorizationHandlerTests
 {
     private readonly string TestUserId = Guid.NewGuid().ToString();
     private readonly string TestRouteStudentId = Guid.NewGuid().ToString();
 
     private ClaimsPrincipal GetUser(string id, params string[] roles)
     {
-        List<Claim> claims =new()
+        List<Claim> claims = new()
         {
             new(JwtClaimTypes.Subject, id)
         };
@@ -29,7 +29,7 @@ private ClaimsPrincipal GetUser(string id, params string[] roles)
         return new ClaimsPrincipal(identity);
     }
 
-    private AuthorizationHandlerContext GetHandlerContext(ClaimsPrincipal user)
+    private AuthorizationHandlerContext GetHandlerContext(ClaimsPrincipal user, params string[] roles)
     {
         RouteValueDictionary routeValues = new()
         {
@@ -43,7 +43,7 @@ private AuthorizationHandlerContext GetHandlerContext(ClaimsPrincipal user)
 
         IAuthorizationRequirement[] requirements =
         {
-            new ViewStudentEnrollmentsAuthorizationRequirement()
+            new AccessOnlyOwnDataAuthorizationRequirement(roles)
         };
 
         return new(requirements, user, httpContext);
@@ -52,12 +52,12 @@ private AuthorizationHandlerContext GetHandlerContext(ClaimsPrincipal user)
     [Test]
     [TestCase(Roles.Administrator)]
     [TestCase(Roles.Teacher)]
-    public async Task AdministratorOrTeacher_Succeeds(string role)
+    public async Task SkipRoleAccessesNotOwnData_Succeeds(string role)
     {
         // Arrange
         ClaimsPrincipal user = GetUser(TestUserId, role);
-        AuthorizationHandlerContext context = GetHandlerContext(user); 
-        ViewStudentEnrollmentsAuthorizationHandler handler = new();
+        AuthorizationHandlerContext context = GetHandlerContext(user, Roles.Administrator, Roles.Teacher); 
+        AccessOnlyOwnDataAuthorizationHandler handler = new();
 
         // Act
         await handler.HandleAsync(context);
@@ -67,12 +67,12 @@ public async Task AdministratorOrTeacher_Succeeds(string role)
     }
 
     [Test]
-    public async Task UserAccessesOwnEnrollments_Succeeds()
+    public async Task UserAccessesOwnData_Succeeds()
     {
         // Arrange
         ClaimsPrincipal user = GetUser(TestRouteStudentId);
         AuthorizationHandlerContext context = GetHandlerContext(user); 
-        ViewStudentEnrollmentsAuthorizationHandler handler = new();
+        AccessOnlyOwnDataAuthorizationHandler handler = new();
 
         // Act
         await handler.HandleAsync(context);
@@ -82,12 +82,12 @@ public async Task UserAccessesOwnEnrollments_Succeeds()
     }
 
     [Test]
-    public async Task UserAccessesEnrollmentsOfAnotherUser_Fails()
+    public async Task UserAccessesDataOfAnotherUser_Fails()
     {
         // Arrange
         ClaimsPrincipal user = GetUser(TestUserId);
         AuthorizationHandlerContext context = GetHandlerContext(user); 
-        ViewStudentEnrollmentsAuthorizationHandler handler = new();
+        AccessOnlyOwnDataAuthorizationHandler handler = new();
 
         // Act
         await handler.HandleAsync(context);

EUniversity/Auth/ViewStudentEnrollmentsAuthorizationHandler.cs → EUniversity/Auth/AccessOnlyOwnDataAuthorizationHandler.cs

@@ -7,24 +7,22 @@
 namespace EUniversity.Auth;
 
 /// <summary>
-/// Authorization handler that determines whether user can view students enrollments.
-/// Allows teachers and administrators to view all enrollments and other users to view
-/// only their own enrollments.
+/// Authorization handler that allows users only access their own data.
+/// <see cref="AccessOnlyOwnDataAuthorizationRequirement" /> can contain roles
+/// that are allowed to access any data.
 /// </summary>
-public class ViewStudentEnrollmentsAuthorizationHandler :
-    AuthorizationHandler<ViewStudentEnrollmentsAuthorizationRequirement>
+public class AccessOnlyOwnDataAuthorizationHandler :
+    AuthorizationHandler<AccessOnlyOwnDataAuthorizationRequirement>
 {
-    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ViewStudentEnrollmentsAuthorizationRequirement requirement)
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AccessOnlyOwnDataAuthorizationRequirement requirement)
     {
         if (!context.User.IsAuthenticated())
         {
             context.Fail();
             return Task.CompletedTask;
         }
-        // If user is either a teacher or an administrator,
-        // he/she has an access to all enrollments
-        if (context.User.HasClaim(JwtClaimTypes.Role, Roles.Teacher) ||
-            context.User.HasClaim(JwtClaimTypes.Role, Roles.Administrator))
+        // Check if we can skip the check
+        if (requirement.SkipRoles.Any(r => context.User.HasClaim(JwtClaimTypes.Role, r)))
         {
             context.Succeed(requirement);
             return Task.CompletedTask;

EUniversity/Auth/AccessOnlyOwnDataAuthorizationRequirement.cs

@@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace EUniversity.Auth;
+
+/// <summary>
+/// Requirement for <see cref="AccessOnlyOwnDataAuthorizationHandler" />.
+/// </summary>
+public class AccessOnlyOwnDataAuthorizationRequirement : IAuthorizationRequirement
+{
+    /// <summary>
+    /// Gets roles that are allowed to access any data.
+    /// </summary>
+    public IEnumerable<string> SkipRoles { get; }
+
+    public AccessOnlyOwnDataAuthorizationRequirement() : this(Enumerable.Empty<string>())
+    {
+
+    }
+
+    public AccessOnlyOwnDataAuthorizationRequirement(params string[] skipRoles) : 
+        this(skipRoles.AsEnumerable())
+    {
+
+    }
+
+    public AccessOnlyOwnDataAuthorizationRequirement(IEnumerable<string> skipRoles)
+    {
+        SkipRoles = skipRoles;
+    }
+}

EUniversity/Extensions/ServiceCollectionExtensions.cs

@@ -99,7 +99,7 @@ public static IServiceCollection AddCustomizedIdentity(this IServiceCollection s
 
     public static IServiceCollection AddCustomizedAuthorization(this IServiceCollection services, params string[] authenticationSchemes)
     {
-        services.AddTransient<IAuthorizationHandler, ViewStudentEnrollmentsAuthorizationHandler>();
+        services.AddTransient<IAuthorizationHandler, AccessOnlyOwnDataAuthorizationHandler>();
 
         return services.AddAuthorization(options =>
         {
@@ -138,7 +138,7 @@ public static IServiceCollection AddCustomizedAuthorization(this IServiceCollect
             {
                 policy.AddAuthenticationSchemes(authenticationSchemes);
                 policy.RequireAuthenticatedUser();
-                policy.AddRequirements(new ViewStudentEnrollmentsAuthorizationRequirement());
+                policy.AddRequirements(new AccessOnlyOwnDataAuthorizationRequirement(Roles.Teacher, Roles.Administrator));
             });
             options.DefaultPolicy = options.GetPolicy(Policies.Default)!;
         });