Fixed so that a user can be removed from an application

Author: gauffininteractive

src/Server/OneTrueError.Api/AuthorizeAttribute.cs

@@ -1,11 +1,12 @@
 using System;
+using OneTrueError.Api.Core;
 
 namespace OneTrueError.Api
 {
     /// <summary>
     ///     Authorize on specific roles.
     /// </summary>
-    [AttributeUsage(AttributeTargets.Class)]
+    [AttributeUsage(AttributeTargets.Class), IgnoreField]
     public class AuthorizeRolesAttribute : Attribute
     {
         /// <summary>

src/Server/OneTrueError.Api/Core/Applications/Commands/RemoveTeamMember.cs

@@ -0,0 +1,34 @@
+using System;
+using DotNetCqs;
+
+namespace OneTrueError.Api.Core.Applications.Commands
+{
+    /// <summary>
+    ///     Remove a team member from the
+    /// </summary>
+    public class RemoveTeamMember : Command
+    {
+        /// <summary>
+        ///     Creates a new instance of <see cref="RemoveTeamMember" />.
+        /// </summary>
+        /// <param name="applicationId">Application to remove user from</param>
+        /// <param name="userToRemove">User id</param>
+        public RemoveTeamMember(int applicationId, int userToRemove)
+        {
+            if (applicationId <= 0) throw new ArgumentOutOfRangeException("applicationId");
+            if (userToRemove <= 0) throw new ArgumentOutOfRangeException("userToRemove");
+            ApplicationId = applicationId;
+            UserToRemove = userToRemove;
+        }
+
+        /// <summary>
+        ///     application to remove user from
+        /// </summary>
+        public int ApplicationId { get; private set; }
+
+        /// <summary>
+        ///     User id
+        /// </summary>
+        public int UserToRemove { get; private set; }
+    }
+}

src/Server/OneTrueError.Api/OneTrueError.Api.csproj

@@ -63,6 +63,7 @@
     <Compile Include="Core\Accounts\Events\AccountRegistered.cs" />
     <Compile Include="Core\Accounts\Events\InvitationAccepted.cs" />
     <Compile Include="Core\Accounts\Events\LoginFailed.cs" />
+    <Compile Include="Core\Applications\Commands\RemoveTeamMember.cs" />
     <Compile Include="Core\Applications\Commands\UpdateApplication.cs" />
     <Compile Include="Core\Applications\Events\UserAddedToApplication.cs" />
     <Compile Include="Core\Accounts\NamespaceDoc.cs" />

src/Server/OneTrueError.App/Core/Applications/CommandHandlers/DeleteApplicationHandler.cs

@@ -1,38 +1,42 @@
-using System.Threading.Tasks;
-using DotNetCqs;
-using Griffin.Container;
-using OneTrueError.Api.Core.Applications.Commands;
-using OneTrueError.Api.Core.Applications.Events;
-
-namespace OneTrueError.App.Core.Applications.CommandHandlers
-{
-    /// <summary>
-    ///     Handler for <see cref="DeleteApplication" />.
-    /// </summary>
-    [Component(RegisterAsSelf = true)]
-    public class DeleteApplicationHandler : ICommandHandler<DeleteApplication>
-    {
-        private readonly IEventBus _eventBus;
-        private readonly IApplicationRepository _repository;
-
-        /// <summary>
-        ///     Creates a new instance of <see cref="DeleteApplicationHandler" />.
-        /// </summary>
-        /// <param name="repository">used to delete the application</param>
-        /// <param name="eventBus">to publish ApplicationDeleted</param>
-        public DeleteApplicationHandler(IApplicationRepository repository, IEventBus eventBus)
-        {
-            _repository = repository;
-            _eventBus = eventBus;
-        }
-
+using System.Security.Claims;
+using System.Threading.Tasks;
+using DotNetCqs;
+using Griffin.Container;
+using OneTrueError.Api.Core.Applications.Commands;
+using OneTrueError.Api.Core.Applications.Events;
+using OneTrueError.Infrastructure.Security;
+
+namespace OneTrueError.App.Core.Applications.CommandHandlers
+{
+    /// <summary>
+    ///     Handler for <see cref="DeleteApplication" />.
+    /// </summary>
+    [Component(RegisterAsSelf = true)]
+    public class DeleteApplicationHandler : ICommandHandler<DeleteApplication>
+    {
+        private readonly IEventBus _eventBus;
+        private readonly IApplicationRepository _repository;
+
+        /// <summary>
+        ///     Creates a new instance of <see cref="DeleteApplicationHandler" />.
+        /// </summary>
+        /// <param name="repository">used to delete the application</param>
+        /// <param name="eventBus">to publish ApplicationDeleted</param>
+        public DeleteApplicationHandler(IApplicationRepository repository, IEventBus eventBus)
+        {
+            _repository = repository;
+            _eventBus = eventBus;
+        }
+
         /// <inheritdoc/>
-        public async Task ExecuteAsync(DeleteApplication command)
-        {
-            var app = await _repository.GetByIdAsync(command.Id);
-            await _repository.DeleteAsync(command.Id);
-            var evt = new ApplicationDeleted {ApplicationName = app.Name, ApplicationId = app.Id, AppKey = app.AppKey};
-            await _eventBus.PublishAsync(evt);
-        }
-    }
+        public async Task ExecuteAsync(DeleteApplication command)
+        {
+            ClaimsPrincipal.Current.EnsureApplicationAdmin(command.Id);
+
+            var app = await _repository.GetByIdAsync(command.Id);
+            await _repository.DeleteAsync(command.Id);
+            var evt = new ApplicationDeleted {ApplicationName = app.Name, ApplicationId = app.Id, AppKey = app.AppKey};
+            await _eventBus.PublishAsync(evt);
+        }
+    }
 }

src/Server/OneTrueError.App/Core/Applications/CommandHandlers/RemoveTeamMemberHandler.cs

@@ -0,0 +1,38 @@
+using System;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using DotNetCqs;
+using Griffin.Container;
+using log4net;
+using OneTrueError.Api.Core.Applications.Commands;
+using OneTrueError.Infrastructure.Security;
+
+namespace OneTrueError.App.Core.Applications.CommandHandlers
+{
+    /// <summary>
+    ///     Remove a team member from an application
+    /// </summary>
+    [Component]
+    public class RemoveTeamMemberHandler : ICommandHandler<RemoveTeamMember>
+    {
+        private readonly IApplicationRepository _applicationRepository;
+        private readonly ILog _logger = LogManager.GetLogger(typeof(RemoveTeamMember));
+
+        /// <summary>
+        ///     Creates a new instance of <see cref="RemoveTeamMemberHandler" />.
+        /// </summary>
+        /// <param name="applicationRepository">To remove member</param>
+        public RemoveTeamMemberHandler(IApplicationRepository applicationRepository)
+        {
+            _applicationRepository = applicationRepository;
+        }
+
+        /// <inheritdoc />
+        public async Task ExecuteAsync(RemoveTeamMember command)
+        {
+            ClaimsPrincipal.Current.EnsureApplicationAdmin(command.ApplicationId);
+            await _applicationRepository.RemoveTeamMemberAsync(command.ApplicationId, command.UserToRemove);
+            _logger.Info("Removed " + command.UserToRemove + " from application " + command.ApplicationId);
+        }
+    }
+}

src/Server/OneTrueError.App/Core/Applications/IApplicationRepository.cs

@@ -78,6 +78,14 @@ public interface IApplicationRepository
         [SuppressMessage("Microsoft.Design", "CA1006:DoNotNestGenericTypesInMemberSignatures")]
         Task<IList<ApplicationTeamMember>> GetTeamMembersAsync(int applicationId);
 
+        /// <summary>
+        ///     remove a member from an application
+        /// </summary>
+        /// <param name="applicationId">app</param>
+        /// <param name="userId">user</param>
+        /// <returns>task</returns>
+        Task RemoveTeamMemberAsync(int applicationId, int userId);
+
         /// <summary>
         ///     Update application member
         /// </summary>

src/Server/OneTrueError.App/OneTrueError.App.csproj

@@ -85,6 +85,7 @@
     <Compile Include="Core\ApiKeys\IApiKeyRepository.cs" />
     <Compile Include="Core\Applications\ApplicationRole.cs" />
     <Compile Include="Core\Applications\CommandHandlers\DeleteApplicationHandler.cs" />
+    <Compile Include="Core\Applications\CommandHandlers\RemoveTeamMemberHandler.cs" />
     <Compile Include="Core\Applications\CommandHandlers\UpdateApplicationHandler.cs" />
     <Compile Include="Core\Applications\EventHandlers\UpdateTeamOnInvitationAccepted.cs" />
     <Compile Include="Core\Applications\UserApplication.cs" />

src/Server/OneTrueError.Data.Common/Security/ClaimsExtensions.cs

@@ -20,6 +20,20 @@ public static void AddUpdateCredentialClaim(this ClaimsPrincipal principal)
             principal.Identities.First().AddClaim(OneTrueClaims.UpdateIdentity);
         }
 
+        /// <summary>
+        ///     Throws if <see cref="IsApplicationAdmin" /> returns false.
+        /// </summary>
+        /// <param name="principal">principal to search in</param>
+        /// <param name="applicationId">application to check</param>
+        /// <returns><c>true</c> if the claim was found with the given value; otherwise <c>false</c>.</returns>
+        /// <exception cref="InvalidOperationException">Claim is not found in the identity.</exception>
+        public static void EnsureApplicationAdmin(this ClaimsPrincipal principal, int applicationId)
+        {
+            if (!IsApplicationAdmin(principal, applicationId))
+                throw new UnauthorizedAccessException(
+                    $"User {principal.Identity.Name} is not authorized to manage application {applicationId}.");
+        }
+
         /// <summary>
         ///     Get account id (<see cref="ClaimTypes.NameIdentifier" />).
         /// </summary>
@@ -94,29 +108,33 @@ public static bool IsAccount(this IPrincipal principal, int accountId)
         }
 
         /// <summary>
-        ///     Get if the <c>OneTrueClaims.ApplicationAdmin</c> claim is specified for the given application (claim value)
+        ///     Checks if the user has the <c>OneTrueClaims.ApplicationAdmin</c> claim or if user is SysAdmin or System.
         /// </summary>
         /// <param name="principal">principal to search in</param>
+        /// <param name="applicationId">Application to check</param>
         /// <returns><c>true</c> if the claim was found with the given value; otherwise <c>false</c>.</returns>
         /// <exception cref="InvalidOperationException">Claim is not found in the identity.</exception>
         public static bool IsApplicationAdmin(this ClaimsPrincipal principal, int applicationId)
         {
-            return
-                principal.FindFirst(
-                    x => (x.Type == OneTrueClaims.ApplicationAdmin) && (x.Value == applicationId.ToString())) != null;
+            return principal.HasClaim(OneTrueClaims.ApplicationAdmin, applicationId.ToString())
+                   || principal.IsInRole(OneTrueClaims.RoleSysAdmin)
+                   || principal.IsInRole(OneTrueClaims.RoleSystem);
         }
 
         /// <summary>
         ///     Get if the <c>OneTrueClaims.Application</c> claim is specified for the given application (claim value)
         /// </summary>
         /// <param name="principal">principal to search in</param>
+        /// <param name="applicationId">App to check</param>
+        /// <param name="checkSystemRoles">Check if user is in role SysAdmin or if the user is the System.</param>
         /// <returns><c>true</c> if the claim was found with the given value; otherwise <c>false</c>.</returns>
         /// <exception cref="InvalidOperationException">Claim is not found in the identity.</exception>
-        public static bool IsApplicationMember(this ClaimsPrincipal principal, int applicationId)
+        public static bool IsApplicationMember(this ClaimsPrincipal principal, int applicationId, bool checkSystemRoles = false)
         {
-            return
-                principal.FindFirst(x => (x.Type == OneTrueClaims.Application) && (x.Value == applicationId.ToString())) !=
-                null;
+            var isAdmin = principal.HasClaim(OneTrueClaims.Application, applicationId.ToString());
+            if (checkSystemRoles)
+                isAdmin = isAdmin || IsSysAdmin(principal) || principal.IsInRole(OneTrueClaims.RoleSystem);
+            return isAdmin;
         }
 
         /// <summary>

src/Server/OneTrueError.SqlServer/Core/Applications/ApplicationRepository.cs

@@ -174,5 +174,16 @@ public async Task UpdateAsync(Application entity)
         {
             await _uow.UpdateAsync(entity);
         }
+
+        public async Task RemoveTeamMemberAsync(int applicationId, int userId)
+        {
+            using (var cmd = (DbCommand)_uow.CreateCommand())
+            {
+                cmd.CommandText = "DELETE FROM ApplicationMembers WHERE ApplicationId=@appId AND AccountId = @userId";
+                cmd.AddParameter("appId", applicationId);
+                cmd.AddParameter("userId", userId);
+                await cmd.ExecuteNonQueryAsync();
+            }
+        }
     }
 }